Sure, they may be a bit cryptic in places, I have not cleaned them up any further yet:
# Exchange checks the server version
# The following values have to be set for this
ldbedit -H /var/lib/samba/private/sam.ldb cn=$(hostname)
# These values should be replaced / set:
operatingSystemVersion: 5.2 (3790)
operatingSystemServicePack: Service Pack 2
# After that the installation starts; it then produces the following error message.
# The background is that the schema is configured such that the class itself is to be set directly as a possSuperiors value.
# This is currently not allowed in Samba 4.
--------------------------------------------------------------------------------------------
Error:
The following error was generated when "$error.Clear();
install-ExchangeSchema -LdapFileName ($roleInstallPath + "Setup\Data\"+$RoleSchemaPrefix + "schema84.ldf")
" was run: "There was an error while running 'ldifde.exe' to import the schema file 'C:\Windows\Temp\ExchangeSetup\Setup\Data\PostWindows2003_schema84.ldf'. The error code is: 8203. More details can be found in the error file: 'C:\Users\administrator.EXCHANGE\AppData\Local\Temp\ldif.err'".
--------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------
Entry DN: CN=ms-Exch-Config-Settings,CN=Schema,CN=Configuration,DC=exchange,DC=intranet
Error for entry starting on line 336: Invalid syntax
Server-side error: 0x200b The attribute syntax specified to the directory service is invalid.
Extended server error:
0000200B: objectclass_attrs: attribute 'possSuperiors' on entry 'CN=ms-Exch-Config-Settings,CN=Schema,CN=Configuration,DC=exchange,DC=intranet' contains at least one invalid value!
An error has occurred in the program
--------------------------------------------------------------------------------------------
# This can be solved as follows:
--------------------------------------------------------------------------------------------
root@master131:/home/Administrator/Fehlermeldungen# cat PostExchange2003_schema84.ldf.modified1
dn: CN=ms-Exch-Config-Settings,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Config-Settings
adminDisplayName: ms-Exch-Config-Settings
defaultSecurityDescriptor: D:S:
governsID: 1.2.840.113556.1.5.7000.62.50204
lDAPDisplayName: msExchConfigSettings
name: ms-Exch-Config-Settings
objectCategory: CN=Class-Schema,<SchemaContainerDN>
objectClass: classSchema
objectClassCategory: 1
rDNAttID: cn
schemaIdGuid:: OMxJOHgcG06XediNJpMwAQ==
subClassOf: top
auxiliaryClass: msExchBaseClass
possSuperiors: msExchContainer
mayContain: msExchConfigurationXML
root@master131:/home/Administrator/Fehlermeldungen# cat PostExchange2003_schema84.ldf.modified1 | sed -e 's|<SchemaContainerDN>|CN=Schema,CN=Configuration,'$(ucr get samba4/ldap/base)'|' | ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed"=true
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
Modified 1 records successfully
root@master131:/home/Administrator/Fehlermeldungen#
root@master131:/home/Administrator/Fehlermeldungen# cat PostExchange2003_schema84.ldf.modified2
dn: CN=ms-Exch-Config-Settings,<SchemaContainerDN>
changetype: modify
add: possSuperiors
possSuperiors: msExchConfigSettings
root@master131:/home/Administrator/Fehlermeldungen# cat PostExchange2003_schema84.ldf.modified2 | sed -e 's|<SchemaContainerDN>|CN=Schema,CN=Configuration,'$(ucr get samba4/ldap/base)'|' | ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed"=true
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
Modified 1 records successfully
root@master131:/home/Administrator/Fehlermeldungen#
--------------------------------------------------------------------------------------------
# In step 8 of 15 the following error occurs:
--------------------------------------------------------------------------------------------
Error:
The following error was generated when "$error.Clear();
if ($server -eq $null)
{
set-ExchangeServerRole -Identity $RoleNetBIOSName -IsProvisionedServer:$true -DomainController $RoleDomainController
}
" was run: "Active Directory operation failed on master131.exchange.intranet. This error is not retriable. Additional information: A naming violation occurred.
Active directory response: 00002037: structural objectClass msExchExchangeTransportCfgContainer is not a valid child class for CN=WIN-DUA7EARHMN9,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=exchange,DC=intranet".
--------------------------------------------------------------------------------------------
# The solution looks like this:
--------------------------------------------------------------------------------------------
root@master131:/home/Administrator/Fehlermeldungen/2# cat schema-update.ldif
Dn: CN=ms-Exch-Exchange-Transport-Cfg-Container,CN=Schema,CN=Configuration,DC=exchange,DC=intranet
changetype: modify
add: possSuperiors
possSuperiors: msExchExchangeServer
root@master131:/home/Administrator/Fehlermeldungen/2# cat schema-update.ldif | ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed"=true
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
Modified 1 records successfully
root@master131:/home/Administrator/Fehlermeldungen/2#
--------------------------------------------------------------------------------------------
# Then step 4 of 8:
--------------------------------------------------------------------------------------------
Error:
The following error was generated when "$error.Clear();
if (($RoleIsDatacenter -ne $true) -and ($RoleIsDatacenterDedicated -ne $true))
{
if (test-ExchangeServersWriteAccess -DomainController $RoleDomainController -ErrorAction SilentlyContinue)
{
# upgrade the discovery mailboxes to R5 version, this will fix the RecipientDisplayType property of the discovery mailbox which was wrong in R4.
get-mailbox -RecipientTypeDetails DiscoveryMailbox -DomainController $RoleDomainController | where {$_.IsValid -eq $false} | set-mailbox -DomainController $RoleDomainController
$name = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxUniqueName;
$dispname = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxDisplayName;
$mbxs = @( get-mailbox -Filter {name -eq $name} -IgnoreDefaultScope -resultSize 1 );
if ( $mbxs.length -eq 0)
{
$dbs = @(get-MailboxDatabase -Server:$RoleFqdnOrName -DomainController $RoleDomainController);
if($dbs.Length -ne 0)
{
$mbxUser = @(get-user -Filter {name -eq $name} -IgnoreDefaultScope -ResultSize 1);
if ($mbxUser.Length -ne 0)
{
enable-mailbox -Discovery -identity $mbxUser[0] -DisplayName $dispname -database $dbs[0].Identity;
}
}
}
}
else
{
write-exchangesetuplog -info "Skipping creating Discovery Search Mailbox because of insufficient permission."
}
}
" was run: "Active Directory operation failed on master131.exchange.intranet. This error is not retriable. Additional information: The attribute syntax specified to the directory service is invalid.
Active Directory-Antwort: 0000200B: objectclass_attrs: attribute 'authOrig' on entry 'CN=DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=exchange,DC=intranet' contains at least one invalid value!".
--------------------------------------------------------------------------------------------
# The cause appears to be the schema:
root@master131:~# univention-s4search --cross-ncs ldapdisplayname=authOrig
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
# record 1
dn: CN=ms-Exch-Auth-Orig,CN=Schema,CN=Configuration,DC=exchange,DC=intranet
objectClass: top
objectClass: attributeSchema
cn: ms-Exch-Auth-Orig
instanceType: 4
whenCreated: 20150515121130.0Z
uSNCreated: 4150
attributeID: 1.2.840.113556.1.2.129
attributeSyntax: 2.5.5.7
isSingleValued: FALSE
mAPIID: 36056
linkID: 110
showInAdvancedViewOnly: TRUE
adminDisplayName: ms-Exch-Auth-Orig
oMObjectClass:: VgYBAgULHQ==
adminDescription: ms-Exch-Auth-Orig
oMSyntax: 127
searchFlags: 16
lDAPDisplayName: authOrig
name: ms-Exch-Auth-Orig
objectGUID: 218044d5-881d-46a1-81ae-6a755f7959ee
schemaIDGUID: a8df7397-c5ea-11d1-bbcb-0080c76670c0
isMemberOfPartialAttributeSet: TRUE
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=exchange,DC=intranet
msDS-IntId: -1953774294
attributeSecurityGUID: 1f298a89-de98-47b8-b5cd-572ad53d267e
whenChanged: 20150515124208.0Z
uSNChanged: 10364
distinguishedName: CN=ms-Exch-Auth-Orig,CN=Schema,CN=Configuration,DC=exchange,DC=intranet
--------------------------------------------------------------------------------------------
# The LDAP modify command:
--------------------------------------------------------------------------------------------
root@master131:/home/Administrator/Fehlermeldungen/3# grep -A 160 '15:53:29.024687, 10, pid=24407, effective(0, 0), real(0, 0), class=ldb]' /var/log/samba/log.samba
[2015/05/15 15:53:29.024687, 10, pid=24407, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:72(ldb_wrap_debug)
ldb: ldb_trace_request: MODIFY
dn: CN=DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=exchange,DC=intranet
changetype: modify
replace: msExchUMDtmfMap
msExchUMDtmfMap: firstNameLastName:673924347268379624526939192205462641538023730933422852
msExchUMDtmfMap: lastNameFirstName:673924347268379624526939192205462641538023730933422852
msExchUMDtmfMap: emailAddress:7624828373283248422
-
replace: displayName
displayName: Discoverysuchpostfach
-
replace: authOrig
authOrig: <GUID=16f141c3-4782-437a-ba0e-1d5f6ede7671>
-
replace: dLMemSubmitPerms
-
replace: showInAddressBook
showInAddressBook: <GUID=a8322b98-e34e-489d-8379-5a14bfb858c2>
showInAddressBook: <GUID=a40900e1-f662-4f91-9da6-76736e92156d>
-
replace: mailNickname
mailNickname: SM_c48c8e73a8ea4842b
-
replace: msExchExtensionCustomAttribute1
-
replace: msExchExtensionCustomAttribute2
-
replace: msExchExtensionCustomAttribute3
-
replace: msExchExtensionCustomAttribute4
-
replace: msExchExtensionCustomAttribute5
-
add: proxyAddresses
proxyAddresses: SMTP:SM_c48c8e73a8ea4842b@exchange.intranet
-
replace: publicDelegates
-
replace: msExchHideFromAddressLists
msExchHideFromAddressLists: TRUE
-
replace: internetEncoding
-
replace: legacyExchangeDN
legacyExchangeDN: /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=92beeae198944c1fa8eb3b34f5c7a56d-Disco
-
replace: msExchPoliciesIncluded
msExchPoliciesIncluded: {26491cfc-9e50-4857-861b-0cb8df22b5d7}
msExchPoliciesIncluded: bac74c86-6437-4383-8402-5b7ed320769c
-
replace: msExchPoliciesExcluded
-
replace: unauthOrig
-
replace: dLMemRejectPerms
-
replace: mail
mail: SM_c48c8e73a8ea4842b@exchange.intranet
-
replace: msExchRecipientTypeDetails
msExchRecipientTypeDetails: 536870912
-
replace: submissionContLength
submissionContLength: 102400
-
replace: delivContLength
delivContLength: 102400
-
replace: msExchMasterAccountSid
msExchMasterAccountSid: S-1-5-10
-
replace: msExchResourceMetaData
-
replace: msExchResourceSearchProperties
-
replace: msExchRBACPolicyLink
msExchRBACPolicyLink: <GUID=6a2fa801-1844-4d68-8c72-311b2d77b24a>
-
replace: msExchELCMailboxFlags
msExchELCMailboxFlags: 4
-
replace: msExchHomeServerName
msExchHomeServerName: /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=WIN-DUA7EARHMN9
-
replace: homeMDB
homeMDB: <GUID=a39f9e4d-834b-4b86-80a5-f66d522dab50>
-
replace: msExchMailboxGuid
msExchMailboxGuid:: Eqm2XjkLDE6heLQ9z7qGnQ==
-
replace: msExchMailboxSecurityDescriptor
msExchMailboxSecurityDescriptor: O:PSG:PSD:(A;CI;CCRC;;;PS)
-
replace: garbageCollPeriod
-
replace: mDBOverQuotaLimit
mDBOverQuotaLimit: 52428800
-
replace: mDBOverHardQuotaLimit
mDBOverHardQuotaLimit: 52428800
-
replace: mDBUseDefaults
mDBUseDefaults: FALSE
-
replace: msExchMDBRulesQuota
-
replace: msExchUserAccountControl
msExchUserAccountControl: 2
-
replace: msExchDumpsterQuota
msExchDumpsterQuota: 31457280
-
replace: msExchDumpsterWarningQuota
msExchDumpsterWarningQuota: 20971520
-
replace: msExchCalendarLoggingQuota
msExchCalendarLoggingQuota: 6291456
-
replace: securityProtocol
-
replace: msExchArchiveName
-
replace: msExchArchiveQuota
msExchArchiveQuota: 104857600
-
replace: msExchArchiveWarnQuota
msExchArchiveWarnQuota: 94371840
-
replace: msExchWhenMailboxCreated
msExchWhenMailboxCreated: 20150519060337.0Z
-
control: 1.2.840.113556.1.4.1338 crit:1 data:yes
control: 1.3.6.1.4.1.7165.4.3.17 crit:0 data:no
--------------------------------------------------------------------------------------------
# It can be fixed as follows (the replace of authOrig is left out of the modify):
--------------------------------------------------------------------------------------------
root@master131:/home/Administrator/Fehlermeldungen/3# cat modify.ldif
dn: CN=DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=exchange,DC=intranet
changetype: modify
replace: msExchUMDtmfMap
msExchUMDtmfMap: firstNameLastName:673924347268379624526939192205462641538023730933422852
msExchUMDtmfMap: lastNameFirstName:673924347268379624526939192205462641538023730933422852
msExchUMDtmfMap: emailAddress:7624828373283248422
-
replace: displayName
displayName: Discoverysuchpostfach
-
replace: dLMemSubmitPerms
-
replace: showInAddressBook
showInAddressBook: <GUID=a8322b98-e34e-489d-8379-5a14bfb858c2>
showInAddressBook: <GUID=a40900e1-f662-4f91-9da6-76736e92156d>
-
replace: mailNickname
mailNickname: SM_c48c8e73a8ea4842b
-
replace: msExchExtensionCustomAttribute1
-
replace: msExchExtensionCustomAttribute2
-
replace: msExchExtensionCustomAttribute3
-
replace: msExchExtensionCustomAttribute4
-
replace: msExchExtensionCustomAttribute5
-
add: proxyAddresses
proxyAddresses: SMTP:SM_c48c8e73a8ea4842b@exchange.intranet
-
replace: publicDelegates
-
replace: msExchHideFromAddressLists
msExchHideFromAddressLists: TRUE
-
replace: internetEncoding
-
replace: legacyExchangeDN
legacyExchangeDN: /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=92beeae198944c1fa8eb3b34f5c7a56d-Disco
-
replace: msExchPoliciesIncluded
msExchPoliciesIncluded: {26491cfc-9e50-4857-861b-0cb8df22b5d7}
msExchPoliciesIncluded: bac74c86-6437-4383-8402-5b7ed320769c
-
replace: msExchPoliciesExcluded
-
replace: unauthOrig
-
replace: dLMemRejectPerms
-
replace: mail
mail: SM_c48c8e73a8ea4842b@exchange.intranet
-
replace: msExchRecipientTypeDetails
msExchRecipientTypeDetails: 536870912
-
replace: submissionContLength
submissionContLength: 102400
-
replace: delivContLength
delivContLength: 102400
-
replace: msExchMasterAccountSid
msExchMasterAccountSid: S-1-5-10
-
replace: msExchResourceMetaData
-
replace: msExchResourceSearchProperties
-
replace: msExchRBACPolicyLink
msExchRBACPolicyLink: <GUID=6a2fa801-1844-4d68-8c72-311b2d77b24a>
-
replace: msExchELCMailboxFlags
msExchELCMailboxFlags: 4
-
replace: msExchHomeServerName
msExchHomeServerName: /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=WIN-DUA7EARHMN9
-
replace: homeMDB
homeMDB: <GUID=a39f9e4d-834b-4b86-80a5-f66d522dab50>
-
replace: msExchMailboxGuid
msExchMailboxGuid:: Eqm2XjkLDE6heLQ9z7qGnQ==
-
replace: msExchMailboxSecurityDescriptor
msExchMailboxSecurityDescriptor: O:PSG:PSD:(A;CI;CCRC;;;PS)
-
replace: garbageCollPeriod
-
replace: mDBOverQuotaLimit
mDBOverQuotaLimit: 52428800
-
replace: mDBOverHardQuotaLimit
mDBOverHardQuotaLimit: 52428800
-
replace: mDBUseDefaults
mDBUseDefaults: FALSE
-
replace: msExchMDBRulesQuota
-
replace: msExchUserAccountControl
msExchUserAccountControl: 2
-
replace: msExchDumpsterQuota
msExchDumpsterQuota: 31457280
-
replace: msExchDumpsterWarningQuota
msExchDumpsterWarningQuota: 20971520
-
replace: msExchCalendarLoggingQuota
msExchCalendarLoggingQuota: 6291456
-
replace: securityProtocol
-
replace: msExchArchiveName
-
replace: msExchArchiveQuota
msExchArchiveQuota: 104857600
-
replace: msExchArchiveWarnQuota
msExchArchiveWarnQuota: 94371840
-
replace: msExchWhenMailboxCreated
msExchWhenMailboxCreated: 20150519060337.0Z
-
root@master131:/home/Administrator/Fehlermeldungen/3# ldbmodify -H /var/lib/samba/private/sam.ldb modify.ldif
--------------------------------------------------------------------------------------------
# Next, the following error message appears:
--------------------------------------------------------------------------------------------
Error:
The following error was generated when "$error.Clear();
$name = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxUniqueName;
$dispname = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxDisplayName;
$dismbx = get-mailbox -Filter {name -eq $name} -IgnoreDefaultScope -resultSize 1;
if( $dismbx -ne $null)
{
$srvname = $dismbx.ServerName;
if( $dismbx.Database -ne $null -and $RoleFqdnOrName -like "$srvname.*" )
{
Write-ExchangeSetupLog -info "Setup DiscoverySearchMailbox Permission.";
$mountedMdb = get-mailboxdatabase $dismbx.Database -status | where { $_.Mounted -eq $true };
if( $mountedMdb -eq $null )
{
Write-ExchangeSetupLog -info "Mounting database before stamp DiscoverySearchMailbox Permission...";
mount-database $dismbx.Database;
}
$mountedMdb = get-mailboxdatabase $dismbx.Database -status | where { $_.Mounted -eq $true };
if( $mountedMdb -ne $null )
{
$dmRoleGroupGuid = [Microsoft.Exchange.Data.Directory.Management.RoleGroup]::DiscoveryManagement_InitInfo.WellKnownGuid;
$dmRoleGroup = Get-RoleGroup -Identity $dmRoleGroupGuid -DomainController $RoleDomainController -ErrorAction:SilentlyContinue;
if( $dmRoleGroup -ne $null )
{
trap [Exception]
{
Add-MailboxPermission $dismbx -User $dmRoleGroup.Name -AccessRights FullAccess -DomainController $RoleDomainController -ErrorAction SilentlyContinue;
continue;
}
Add-MailboxPermission $dismbx -User $dmRoleGroup.Identity -AccessRights FullAccess -DomainController $RoleDomainController -WarningAction SilentlyContinue;
}
}
}
}
" was run: "The user or group exchange.intranet/Microsoft Exchange Security Groups/Discovery Management could not be resolved. If this is a principal from a foreign forest, you need either a two-way or an outgoing trust."
--------------------------------------------------------------------------------------------
# Solution:
--------------------------------------------------------------------------------------------
root@master131:/home/Administrator/Fehlermeldungen/4# ldbadd -H /var/lib/samba/private/sam.ldb discovery-management.ldif
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
Added 1 records successfully
root@master131:/home/Administrator/Fehlermeldungen/4# cat discovery-management.ldif
Dn: CN=Discovery Management,OU=Microsoft Exchange Security Groups,DC=exchange,DC=intranet
cn: Discovery Management
description: Members of this management role group can perform searches of mailboxes in the Exchange organization for data that meets specific criteria.
groupType: -2147483640
instanceType: 4
internetEncoding: 0
managedBy: CN=Organization Management,OU=Microsoft Exchange Security Groups,DC=exchange,DC=intranet
msExchAddressBookFlags: 1
msExchBypassAudit: FALSE
msExchGroupDepartRestriction: 0
msExchGroupExternalMemberCount: 0
msExchGroupJoinRestriction: 0
msExchGroupMemberCount: 0
msExchLocalizationFlags: 0
msExchMailboxAuditEnable: FALSE
msExchMailboxAuditLogAgeLimit: 7776000
msExchModerationFlags: 6
msExchProvisioningFlags: 0
msExchRecipientSoftDeletedStatus: 0
msExchRecipientTypeDetails: 1073741824
msExchRoleGroupType: 8
msExchTransportRecipientSettingsFlags: 0
msExchVersion: 44220983382016
name: Discovery Management
objectClass: top
objectClass: group
sAMAccountName: Discovery Management
root@master131:/home/Administrator/Fehlermeldungen/4#
--------------------------------------------------------------------------------------------
It is not quite what one would call simple yet.
The actual problem after the Exchange installation is the missing LDAP control. We are working on the topic, but it still has to be implemented, or someone knows how Exchange can be reconfigured:
lists.samba.org/archive/samba-t … 07887.html
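The first fix in the notes above is done by hand in two passes: the classSchema entry is added without the possSuperiors value that names the class itself (which Samba rejected with 0000200B), and the self-reference is then added with a separate modify. The following script, an added example that is not code from the post, from Samba or from Univention, automates that split for every record of an Exchange schema LDF and performs the `<SchemaContainerDN>` substitution that the post does with sed. The sample LDIF is constructed after the post's ms-Exch-Config-Settings entry (abridged), and the schema DN and sam.ldb path are assumptions taken from the post's environment.

```python
"""Two-pass possSuperiors workaround for Samba 4 (added example, not from the post)."""
import subprocess

SCHEMA_DN = "CN=Schema,CN=Configuration,DC=exchange,DC=intranet"  # assumed from the post
SAM_LDB = "/var/lib/samba/private/sam.ldb"                         # path used in the post

# Constructed sample, modelled on the post's PostExchange2003_schema84.ldf entry.
SAMPLE_LDIF = """\
dn: CN=ms-Exch-Config-Settings,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Config-Settings
governsID: 1.2.840.113556.1.5.7000.62.50204
lDAPDisplayName: msExchConfigSettings
objectCategory: CN=Class-Schema,<SchemaContainerDN>
objectClass: classSchema
objectClassCategory: 1
rDNAttID: cn
schemaIdGuid:: OMxJOHgcG06XediNJpMwAQ==
subClassOf: top
auxiliaryClass: msExchBaseClass
possSuperiors: msExchContainer
possSuperiors: msExchConfigSettings
mayContain: msExchConfigurationXML

dn: CN=ms-Exch-Container,<SchemaContainerDN>
changetype: add
lDAPDisplayName: msExchContainer
objectClass: classSchema
possSuperiors: container
"""


def parse_ldif(text):
    """Parse LDIF into a list of records, each a list of (attr, value) pairs.

    Continuation lines (leading space) are folded into the previous value;
    the '::' base64 marker is kept on the attribute so the value round-trips."""
    records, current = [], []
    for raw in text.splitlines():
        if raw.startswith(" ") and current:
            attr, val = current[-1]
            current[-1] = (attr, val + raw[1:])
            continue
        if not raw.strip():
            if current:
                records.append(current)
                current = []
            continue
        if raw.startswith("#"):
            continue
        attr, _, val = raw.partition(":")
        if val.startswith(":"):  # 'attr:: base64value'
            attr, val = attr + ":", val[1:]
        current.append((attr.strip(), val.strip()))
    if current:
        records.append(current)
    return records


def values(record, attr):
    return [v for a, v in record if a.lower() == attr.lower()]


def split_self_superiors(text, schema_dn):
    """Return (first_pass, second_pass) LDIF strings.

    first_pass: every record, minus possSuperiors values naming the record's
    own lDAPDisplayName. second_pass: one 'changetype: modify / add:
    possSuperiors' record per class that referenced itself."""
    first, second = [], []
    for rec in parse_ldif(text):
        dn = values(rec, "dn")[0]
        own = {v.lower() for v in values(rec, "lDAPDisplayName")}
        is_add = "add" in (v.lower() for v in values(rec, "changetype"))

        def is_self(a, v):
            return a.lower() == "posssuperiors" and v.lower() in own

        self_refs = [v for a, v in rec if is_self(a, v)]
        if is_add and self_refs:
            rec = [(a, v) for a, v in rec if not is_self(a, v)]
            second.append(
                f"dn: {dn}\nchangetype: modify\nadd: possSuperiors\n"
                + "".join(f"possSuperiors: {v}\n" for v in self_refs) + "-\n")
        first.append("".join(f"{a}: {v}\n" for a, v in rec))

    def sub(s):
        return s.replace("<SchemaContainerDN>", schema_dn)

    return sub("\n".join(first)), sub("\n".join(second))


def apply_with_ldbmodify(ldif_text, sam_ldb=SAM_LDB):
    """Feed LDIF to ldbmodify with schema updates allowed, as the post does.
    Back up sam.ldb first: this option bypasses the normal schema write protection."""
    return subprocess.run(
        ["ldbmodify", "-H", sam_ldb, "--option=dsdb:schema update allowed=true"],
        input=ldif_text, text=True, check=True)


if __name__ == "__main__":
    first, second = split_self_superiors(SAMPLE_LDIF, SCHEMA_DN)
    print("# pass 1: add classes without the self-reference\n" + first)
    print("# pass 2: add the self-reference\n" + second)
    # On the DC: apply_with_ldbmodify(first); apply_with_ldbmodify(second)
```

Run it without arguments to print both passes for the sample; on the DC, pipe pass 1 and then pass 2 into ldbmodify (or call apply_with_ldbmodify) in that order, since the second pass only succeeds once the class exists.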