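I am trying to update Exchange to the latest CU.
We have a hybrid setup with O365, and since we barely use the server, we have fallen behind on updates.
The last update was done before I got here, so I have no direct experience with updating.
I have read through the documentation but I am getting the error below.
We don't have an overly complex multi-domain AD infrastructure, so I believe we should be able to complete the update using just the wizard, without needing to prepare AD beforehand, but I could be wrong.
The error indicates that it refers to Install-UserAccount -Name $federatedMailboxId -LastName $federatedMailboxId;
but I am not sure exactly which federated mailbox it is referring to.
I am hoping someone with experience can point me in the right direction, as I am trying to make sure the server is protected against the latest zero-day attack that Microsoft just announced.
Here is the full error: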
Error:
The following error was generated when "$error.Clear();
if (!$RoleIsDatacenter)
{
$federatedMailboxId = [Microsoft.Exchange.Management.Deployment.UpdateRmsSharedIdentity]::SharedIdentityCommonName;
$federatedEmailUsers = @(Get-User -Filter {LastName -eq $federatedMailboxId} -IgnoreDefaultScope -ResultSize 1);
if ($federatedEmailUsers.Length -eq 0)
{
$federatedEmailUsers = @(Get-User -Arbitration -Filter {LastName -eq $federatedMailboxId} -IgnoreDefaultScope -ResultSize 1);
}
if ($federatedEmailUsers.Length -eq 0)
{
Install-UserAccount -Name $federatedMailboxId -LastName $federatedMailboxId;
}
}
" was run: "Microsoft.Exchange.Data.Directory.ADConstraintViolationException: An Active Directory Constraint Violation error occurred on XX-XX-XXXX.xxxxxxxx.com. Additional information: The operation failed because UPN value provided for addition/modification is not unique forest-wide.
Active directory response: 000021C8: AtrErr: DSID-03200BE9, #1:
0: 000021C8: DSID-03200BE9, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90290 (userPrincipalName)
---> System.DirectoryServices.Protocols.DirectoryOperationException: A value in the request is invalid.
at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
at Microsoft.Exchange.Data.Directory.GuardedDirectoryExecution.Execute[T](String bucketName, Func`1 action, Int64& concurrency)
at Microsoft.Exchange.Data.Directory.PooledLdapConnection.GuardedSendRequest(String forestName, GuardedDirectoryExecution guardedDirectoryExecution, DirectoryRequest request, TimeSpan timeout, Func`3 sendRequestDelegate, Int64& concurrency)
at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, Nullable`1 clientSideSearchTimeout, IADLogContext logContext, Boolean shouldLogLastFilter)
at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
--- End of inner exception stack trace ---
at Microsoft.Exchange.Data.Directory.ADDataSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer, String callerFilePath, Int32 callerFileLine, String memberName)
at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
at Microsoft.Exchange.Data.Directory.ADDataSession.Save(ADObject instanceToSave, IEnumerable`1 properties, Boolean bypassValidation)
at Microsoft.Exchange.Data.Directory.Recipient.ADRecipientObjectSession.Save(ADRecipient instanceToSave, String callerFilePath, Int32 callerFileLine, String memberName)
at Microsoft.Exchange.Management.Deployment.InstallUserAccount.InternalProcessRecord()
at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__91_1()
at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".
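Answer 1
The error is telling you that it is trying to modify the federatedEmail built-in user in the AD Users OU. It can't do that, but it's also not a unique name, so it can't add it. This could be because it is not where it should be, or it may have been disabled.
See this article for more information about these accounts.
Answer 2
Run the following command to check for objects with the same UPN: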
Get-ADObject -LdapFilter "(userPrincipalName=<UPN>)" -IncludeDeletedObjects
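Here is a blog post about the error "Additional information: The operation failed because UPN value provided for addition/modification is not unique forest-wide." Check it for more details: SPN and UPN uniqueness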
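
Added example, not part of either answer or of Exchange Setup: a read-only PowerShell function that runs the Answer 2 query against every domain in the forest, because the error reports that the UPN is not unique forest-wide. It also returns each match's sn (LastName), the attribute the Setup script in the question filters on. The function names are hypothetical, and it assumes the ActiveDirectory RSAT module and rights to read deleted objects.

```powershell
# Added example (not from the thread). Read-only: lists every object, live or
# deleted, in any domain of the forest that holds a given userPrincipalName.
Import-Module ActiveDirectory

function ConvertTo-LdapLiteral {
    # Escape characters that have special meaning in an LDAP filter (RFC 4515).
    param([Parameter(Mandatory)][string]$Value)
    $sb = [System.Text.StringBuilder]::new()
    foreach ($c in $Value.ToCharArray()) {
        if ('\*()'.Contains([string]$c) -or [int]$c -eq 0) {
            [void]$sb.AppendFormat('\{0:x2}', [int]$c)
        } else {
            [void]$sb.Append($c)
        }
    }
    $sb.ToString()
}

function Find-UpnHolder {
    # Hypothetical helper: one Get-ADObject query per domain in the forest.
    param([Parameter(Mandatory)][string]$Upn)
    $filter = "(userPrincipalName=$(ConvertTo-LdapLiteral $Upn))"
    foreach ($domain in (Get-ADForest).Domains) {
        Get-ADObject -LDAPFilter $filter -IncludeDeletedObjects -Server $domain `
                -Properties userPrincipalName, sn, sAMAccountName, isDeleted, whenChanged |
            Select-Object @{n = 'Domain'; e = { $domain } },
                ObjectClass, sAMAccountName, sn,
                @{n = 'Deleted'; e = { [bool]$_.isDeleted } },
                whenChanged, DistinguishedName
    }
}

# '<UPN>' is the same placeholder Answer 2 uses; substitute the UPN you are checking.
Find-UpnHolder -Upn '<UPN>' | Format-Table -AutoSize -Wrap
```

An object that holds the UPN but has a different or empty sn would not match the LastName filter in the Setup script, which is consistent with Setup going on to call Install-UserAccount and then failing on the UPN constraint.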