Exchange 2010 / 2013 – Couldn’t resolve the user or group

When you’re upgrading Exchange 2010 to a higher Service Pack or installing Exchange 2013, you can run into the following error while the Mailbox role is being installed. This can happen during any of the Exchange 2010 Service Pack installations (SP1, SP2 or SP3) or during an installation of Exchange 2013 CU1.

The following error is generated; this is the full error as displayed on screen:

$name = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxUniqueName;
$dispname = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxDisplayName;
$dismbx = get-mailbox -Filter {name -eq $name} -IgnoreDefaultScope -resultSize 1;
if( $dismbx -ne $null)
$srvname = $dismbx.ServerName;
if( $dismbx.Database -ne $null -and $RoleFqdnOrName -like “$srvname.*” )
Write-ExchangeSetupLog -info “Setup DiscoverySearchMailbox Permission.”;
$mountedMdb = get-mailboxdatabase $dismbx.Database -status | where { $_.Mounted -eq $true };
if( $mountedMdb -eq $null )
Write-ExchangeSetupLog -info “Mounting database before stamp DiscoverySearchMailbox Permission…”;
mount-database $dismbx.Database;

$mountedMdb = get-mailboxdatabase $dismbx.Database -status | where { $_.Mounted -eq $true };
if( $mountedMdb -ne $null )
$dmRoleGroupGuid = [Microsoft.Exchange.Data.Directory.Management.RoleGroup]::DiscoveryManagementWkGuid;
$dmRoleGroup = Get-RoleGroup -Identity $dmRoleGroupGuid -DomainController $RoleDomainController -ErrorAction:SilentlyContinue;
if( $dmRoleGroup -ne $null )
Add-MailboxPermission $dismbx -User $dmRoleGroup.Identity -AccessRights FullAccess -DomainController $RoleDomainController -WarningAction SilentlyContinue;
” was run: “Couldn’t resolve the user or group “domain.local/Microsoft Exchange Security Groups/Discovery Management.” If the user or group is a foreign forest principal, you must have either a two-way trust or an outgoing trust.”.

The trust relationship between the primary domain and the trusted domain failed.

The installation fails and you cannot continue at this moment.


There are 2 ways to resolve this issue:

  1. Disable the Discovery Search mailbox and re-enable it after installation.
    Disable-Mailbox "DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}"
    Install Exchange
    Enable-Mailbox "DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}" -Arbitration
    Add-MailboxPermission -Identity:"domain.local/Users/DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}" -User:"Discovery Management" -AccessRights:"FullAccess"
  2. Delete the Discovery Search mailbox user from Active Directory. Start the Active Directory Users and Computers MMC and look for your Discovery Search Mailbox user. By default this user is placed in the Users organizational unit. It will be named something like: DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}. After deletion you can restart the installation of your Exchange Service Pack. It will no longer show the error.
    To recreate the user use: setup /PrepareAD /IAcceptExchangeServerLicenseTerms
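
After either resolution, it is worth confirming that the Discovery Management role group resolves and holds FullAccess on the Discovery Search mailbox again, and that no other principal does, since this mailbox stores discovery search results. The check below is an added example for the Exchange Management Shell, not part of the original article or of Exchange setup; the function name Test-DiscoveryMailboxAccess is hypothetical, and it assumes the User value is rendered as DOMAIN\Name.

```powershell
# Added example: verify who holds FullAccess on the Discovery Search mailbox.
# Test-DiscoveryMailboxAccess is a hypothetical helper name, not an Exchange cmdlet.
function Test-DiscoveryMailboxAccess {
    param(
        [string]$Mailbox   = 'DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}',
        [string]$RoleGroup = 'Discovery Management'
    )

    # Setup fails when this role group cannot be resolved, so check it first.
    $group = Get-RoleGroup -Identity $RoleGroup -ErrorAction SilentlyContinue
    if ($null -eq $group) {
        Write-Warning "Role group '$RoleGroup' could not be resolved."
        return
    }

    # Explicit (non-inherited) allow entries that grant FullAccess.
    # NT AUTHORITY\SELF is the mailbox's own default entry and is skipped.
    $fullAccess = @(Get-MailboxPermission -Identity $Mailbox -ErrorAction Stop |
        Where-Object {
            -not $_.IsInherited -and -not $_.Deny -and
            "$($_.AccessRights)" -match 'FullAccess' -and
            "$($_.User)" -ne 'NT AUTHORITY\SELF'
        })

    # Assumption: User is shown as DOMAIN\Name, so match the name after the backslash.
    $pattern    = "*\$($group.Name)"
    $expected   = @($fullAccess | Where-Object { "$($_.User)" -like $pattern })
    $unexpected = @($fullAccess | Where-Object { "$($_.User)" -notlike $pattern })

    # New-Object keeps this usable on the PowerShell 2.0 shell of Exchange 2010.
    New-Object PSObject -Property @{
        Mailbox              = $Mailbox
        RoleGroupHasAccess   = ($expected.Count -gt 0)
        UnexpectedPrincipals = @($unexpected | ForEach-Object { "$($_.User)" })
    }
}

$result = Test-DiscoveryMailboxAccess
$result | Format-List
if ($result -and -not $result.RoleGroupHasAccess) {
    Write-Warning 'Discovery Management has no explicit FullAccess; rerun Add-MailboxPermission.'
}
if ($result -and $result.UnexpectedPrincipals.Count -gt 0) {
    Write-Warning 'Other principals hold explicit FullAccess; review them.'
}
```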


Hans Sleurink

Hans Sleurink works as a Consultant at Wortell in the Netherlands where he designs and deploys Unified Communications solutions. His main focus is on, but not limited to, Microsoft Teams (migrations), including Enterprise Voice, contact center solutions, AudioCodes, Direct Routing, Exchange, Office 365, Active Directory and other UC related topics.


19 thoughts on “Exchange 2010 / 2013 – Couldn’t resolve the user or group”

  1. Reply MJL Aug 9,2013 19:51

    Resolution 1 worked perfectly for me, thanks!

  2. Reply Rich Sep 6,2013 16:31

    Resolution 1 also worked for me. Had the issue installing the first Exchange 2013 server into an Exchange 2007 environment. Had to run the PowerShell commands from the 2013 Exchange server.


  3. Reply Andrea Ottonello Dec 9,2013 18:03

    I tried both methods and to install sp3 on Exchange 2010 sp2 I simply launch setup, but every time I get this same error. If I go to AD and/or open Exchange management UI I find that user has been automatically created again with his discovery mailbox… getting crazy about this, I must install properly to migrate to Exchange 2013. Anyway it seems from Exchange logs that AD schema has been already updated, could I migrate to Exchange 2013 without sp3 being properly installed for Mailbox Role? All other roles upgraded well…

  4. Reply Barak Jan 24,2014 17:38

    Resolution 1 worked for me. Thanks a lot!!!

  5. Reply Jamie Feb 7,2014 20:51

    Thanks for this article, you saved me a lot of head scratching. I would recommend Resolution 1 as well and using command line rather than the GUI like I did. If you do go with the 2nd option like I ended up doing then just to make it a little clearer for those who like me need things spelt out sometimes.

    You run the command setup /PrepareAD /IAcceptExchangeServerLicenseTerms from the folder with the unpacked Service Pack, e.g. c:\Exch-SP3\setup /PrepareAD /IAcceptExchangeServerLicenseTerms

    Also in my case the /IAcceptExchangeServerLicenseTerms option wasn’t necessary and I kept getting an “unknown command” error when I tried to run it. Removing it everything worked fine.

  6. Reply Jarmo Apr 9,2014 21:17


    Thanks so much for posting this – really helpful and fixed the issue.

    I am somewhat amazed that the error message itself is erroneous, you would think that 5 years after the release of Exchange 2010 MS would have fixed this.

    All the best,


  7. Reply Dilshan May 6,2014 17:13

    Thanks a lot for the post… you saved my time… this worked for me

  8. Reply Nimesha May 6,2014 17:18

    Thanks a lot, Resolution 1 worked for us !! 😀

  9. Reply Rick May 13,2014 23:20

    Option 2 worked for me. Thanks Guys

  10. Pingback: Error upgrading from Exchange 2007/2010 to 2013 | mavboss

  11. Reply Albert Jul 22,2014 22:28

    Option 1 worked for me. Thanks

  12. Reply Shehan Sep 24,2014 11:47

    The option 1 gave me the same issue in my Test lab. But the option 2 worked for me. Much appreciated!!

  13. Reply David Oct 29,2014 13:21

    I had to remove domain.local/Users/ from the last command in option 1, so:-
    Add-MailboxPermission -Identity:"DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}" -User:"Discovery Management" -AccessRights:"FullAccess"

  14. Reply Nico Feb 2,2015 09:51

    Hello Hans,

    Option 1 worked for me.
    It has saved me many hours of work. 🙂

    Best greetings from Germany

  15. Reply Wynand Jun 30,2015 17:25

    Thanks Hans, option 2 worked 100%

  16. Reply Bill Jul 28,2015 21:15

    Option 1 worked for me,


  17. Reply N1Md4 Sep 9,2015 00:59

    first one didn’t work
    second one did work, just deleted and readded the user afterwards worked like a charm

  18. Reply Gerard Forcada Nov 4,2015 08:21

    It worked, thank you very much

  19. Reply Marc O'Connor Feb 13,2017 13:12

    Hans, I have spent the last 8 hours, and yes they were overnight, trying to figure this out. Thank you for posting this!!
