MsExchange Blog Spot Telnet25

October 9, 2013

A universal group cannot have a local group as a member.

Filed under: General — telnet25 @ 3:24 am

Issue: Unable to convert Mail Enabled Groups from EMC in Exchange 2010.

Microsoft Exchange Error
Action ‘Convert to Universal Group’ could not be performed on object ‘IT Managers’.

IT Managers
Active Directory operation failed on This error is not retriable. Additional information: A universal group cannot have a local group as a member.
Active directory response: 00002146: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0

The server cannot handle directory requests.


Exchange 2010 and Group Scope

  • To refresh your knowledge, here are the Active Directory group scopes and group types:

Group Scope     Group Type
Domain Local    Security
Global          Distribution

Exchange 2007 and Exchange 2010 want the scope of all mail-enabled groups to be “Universal”, regardless of the group type. This is almost the other way around in the Exchange 2003 world, as Exchange 2003 did not care about this much.

Let's take a look at our problem group and try to understand the issue.


This group's scope is “Domain local” and it is a Distribution Group. Exchange 2010 is not happy with this group scope; as you can see from the picture, even the icon for this group is faded out (-:


How do we solve this problem? We can simply locate this group in ADUC, change the Group Scope to “Universal” and click Apply.


Now we go back to EMC and take a look at the same group to see if Exchange is happy with the new group scope “Universal”. The answer is yes. As you can see, the icon has changed.


Why does Exchange force mail-enabled groups to be “Universal” ONLY?

Here is the reason: Universal group membership is replicated to all Global Catalogs (all DC/GC servers), unlike the membership of Global and Domain Local groups. The replication boundary and expansion capability of Universal groups are forest-wide, so Exchange 2007 and 2010 want the scope of mail-enabled groups to be “Universal” only. This is the case when it comes to Exchange, and unfortunately Exchange does not care even if you have a single label domain name space.

Please note that there is no other reason, and there are no limitations as far as any other functions go. So if you are in the middle of a migration and find this out, do not freak out. This is fairly simple to deal with and it has no other side effects on existing, functioning distribution groups, since changing the group scope does not make any changes to the group membership, ACLs, permissions, etc.

One thing to remember is that it could increase network traffic when the group is expanded if it has forest-wide members, but this ensures all members get the e-mail (-: so it is a give-and-take thing (-:

Now, if you have many of these, how do you convert them?

Get-DistributionGroup | where { $_.Grouptype -Like "Global*" } | Set-Group -Universal


Get-DistributionGroup | where { $_.Grouptype -Like "Domain*" } | Set-Group -Universal


*Note: you might get errors when you run this script if a mail-enabled group has another mail-enabled group as its member and both group scopes are not Universal. If you persistently keep running these scripts, you will be able to take care of them, and when the Exchange server is happy you get all these nice features with the mail-enabled groups.
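
The "keep running it" advice in the note can be scripted as repeated passes that stop once a pass makes no progress. This is an added example for the Exchange Management Shell, not part of the original post; the pass limit is an assumption, and the first run can be rehearsed by adding -WhatIf to Set-Group.

```powershell
# Added example (not from the original post). Run in the Exchange 2010
# Management Shell. Nested groups fail until their member groups have been
# converted, so the conversion is repeated until nothing is left or a pass
# converts nothing.
$maxPasses = 10          # assumption: safety limit on the number of passes
$previousCount = -1

for ($pass = 1; $pass -le $maxPasses; $pass++) {
    # Every mail-enabled group whose scope is still Global or Domain Local
    $pending = @(Get-DistributionGroup -ResultSize Unlimited |
        Where-Object { $_.GroupType -notlike "*Universal*" })

    if ($pending.Count -eq 0) {
        Write-Host "Pass ${pass}: all mail-enabled groups are Universal."
        break
    }

    if ($pending.Count -eq $previousCount) {
        # The last pass converted nothing; these need a manual look.
        Write-Warning "No progress in the last pass. Groups still not Universal:"
        $pending | Format-Table Name, GroupType -AutoSize
        break
    }

    Write-Host "Pass ${pass}: $($pending.Count) group(s) to convert."
    $previousCount = $pending.Count

    foreach ($group in $pending) {
        # Errors are displayed but do not stop the pass; a group that fails
        # now is retried in the next pass, after its members were converted.
        Set-Group -Identity $group.Identity -Universal -ErrorAction Continue
    }
}
```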


Oz Casey, Dedeal

( Exchange Server North America MVP)

MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +


October 2, 2013

Exchange 2010, An Active Manager operation failed, content index catalog files in the following state: ‘Failed’.

Filed under: General — telnet25 @ 11:16 pm

Running Move-ActiveMailboxDatabase fails with the following errors:

$Sname1 = "E1"
$Sname2 = "E2"
Get-mailboxdatabase -server $Sname1 -status | where {$_.mounted -eq $true} | Move-ActiveMailboxDatabase -ActivateOnServer $Sname2 -Confirm:$False

An Active Manager operation failed. Error The database action failed. Error: An error occurred while trying to validate the specified database copy for possible activat
on. Error: Database copy ‘db01’ on server ‘’ has content index catalog files in the following state: ‘Failed’.. [Database: db01, Server:]
    + CategoryInfo          : InvalidOperation: (db01:ADObjectId) [Move-ActiveMailboxDatabase], AmDbActionWrapperException
    + FullyQualifiedErrorId : 52C54005,Microsoft.Exchange.Management.SystemConfigurationTasks.MoveActiveMailboxDatabase




Get-MailboxDatabaseCopyStatus | fl name, ContentIndexState


$DBstatus = Get-MailboxDatabaseCopyStatus

$DBstatus | fl name,*Content*


Now, if we are dealing with a single database, this would work:

Update-MailboxDatabaseCopy "db60ssc\E1" -CatalogOnly


Now, if we have many databases:

Get-MailboxDatabaseCopyStatus * | where {$_.ContentIndexState -eq "Failed"}


To fix all

$DBstatus = Get-MailboxDatabaseCopyStatus

$DBstatus | where {$_.ContentIndexState -eq "Failed"}


Now we will use the following command and append it to the above command to fix the content index issues:

Update-MailboxDatabaseCopy -CatalogOnly

To Update all

Get-MailboxDatabaseCopyStatus * | where {$_.ContentIndexState -eq "Failed"} | Update-MailboxDatabaseCopy -CatalogOnly
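
The steps above can be combined into a pre-flight check that reseeds failed catalogs on the target server and only moves the databases once every content index there is Healthy. This is an added example for the Exchange Management Shell, not part of the original post; the server names E1 and E2 come from the post, while the timeout and polling interval are assumptions.

```powershell
# Added example (not from the original post). Run in the Exchange 2010
# Management Shell.
$source = "E1"            # server currently hosting the active copies
$target = "E2"            # server the databases will be activated on
$timeoutMinutes = 30      # assumption: how long to wait for the reseed

# 1. Reseed only the content index catalog of failed copies on the target.
$failed = @(Get-MailboxDatabaseCopyStatus -Server $target |
    Where-Object { $_.ContentIndexState -eq "Failed" })
foreach ($copy in $failed) {
    Write-Host "Reseeding content index catalog for $($copy.Name)"
    Update-MailboxDatabaseCopy -Identity $copy.Name -CatalogOnly -Confirm:$false
}

# 2. Poll until every content index on the target is Healthy, or time out.
$deadline = (Get-Date).AddMinutes($timeoutMinutes)
do {
    $notHealthy = @(Get-MailboxDatabaseCopyStatus -Server $target |
        Where-Object { $_.ContentIndexState -ne "Healthy" })
    if ($notHealthy.Count -eq 0) { break }
    Start-Sleep -Seconds 60   # assumption: polling interval
} while ((Get-Date) -lt $deadline)

# 3. Move the active databases only when the check passed.
if ($notHealthy.Count -eq 0) {
    Get-MailboxDatabase -Server $source -Status |
        Where-Object { $_.Mounted -eq $true } |
        Move-ActiveMailboxDatabase -ActivateOnServer $target -Confirm:$false
}
else {
    Write-Warning "Content index not Healthy on $target; databases were not moved."
    $notHealthy | Format-Table Name, Status, ContentIndexState -AutoSize
}
```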


Reseed the Search Catalog

Enjoy !!

