When upgrading Exchange 2010 to a higher Service Pack, or when installing Exchange 2013, you may get the following error while the Mailbox role is being installed. This can happen during any of the Exchange 2010 Service Pack installations (Exchange 2010 SP1, Exchange 2010 SP2 or Exchange 2010 SP3) or during an installation of Exchange 2013 CU1.
The full error displayed on screen is:
“$error.Clear();
$name = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxUniqueName;
$dispname = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxDisplayName;
$dismbx = get-mailbox -Filter {name -eq $name} -IgnoreDefaultScope -resultSize 1;
if( $dismbx -ne $null)
{
$srvname = $dismbx.ServerName;
if( $dismbx.Database -ne $null -and $RoleFqdnOrName -like “$srvname.*” )
{
Write-ExchangeSetupLog -info “Setup DiscoverySearchMailbox Permission.”;
$mountedMdb = get-mailboxdatabase $dismbx.Database -status | where { $_.Mounted -eq $true };
if( $mountedMdb -eq $null )
{
Write-ExchangeSetupLog -info “Mounting database before stamp DiscoverySearchMailbox Permission…”;
mount-database $dismbx.Database;
}
$mountedMdb = get-mailboxdatabase $dismbx.Database -status | where { $_.Mounted -eq $true };
if( $mountedMdb -ne $null )
{
$dmRoleGroupGuid = [Microsoft.Exchange.Data.Directory.Management.RoleGroup]::DiscoveryManagementWkGuid;
$dmRoleGroup = Get-RoleGroup -Identity $dmRoleGroupGuid -DomainController $RoleDomainController -ErrorAction:SilentlyContinue;
if( $dmRoleGroup -ne $null )
{
Add-MailboxPermission $dismbx -User $dmRoleGroup.Identity -AccessRights FullAccess -DomainController $RoleDomainController -WarningAction SilentlyContinue;
}
}
}
}
” was run: “Couldn’t resolve the user or group “domain.local/Microsoft Exchange Security Groups/Discovery Management.” If the user or group is a foreign forest principal, you must have either a two-way trust or an outgoing trust.”. The trust relationship between the primary domain and the trusted domain failed.
The installation fails and you cannot continue at this point.
Resolution
There are 2 ways to resolve this issue:
- Disable the Discovery Search mailbox and re-enable it after installation.
Disable-Mailbox "DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}"
Install Exchange
Enable-Mailbox "DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}" -Arbitration
Add-MailboxPermission -Identity:"domain.local/Users/DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}" -User:"Discovery Management" -AccessRights:"FullAccess"
- Delete the Discovery Search mailbox user from Active Directory. Start the Active Directory Users and Computers MMC and look for your Discovery Search Mailbox user. By default this user is placed in the Users organizational unit. It will be named something like: DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}. After deleting it you can restart the installation of your Exchange Service Pack. The error will no longer appear.
To recreate the user use: setup /PrepareAD /IAcceptExchangeServerLicenseTerms
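After either fix, it is worth confirming that the mailbox is back, that the Discovery Management group resolves, and which principals hold FullAccess on the mailbox. The script below is an added example, not part of the original post; it assumes the mailbox and group names shown above and is meant to be saved as a .ps1 file and run in the Exchange Management Shell.

```powershell
# Added example: run in the Exchange Management Shell after setup completes.
# Mailbox and group names are the ones shown on this page; adjust if yours differ.
$name = 'DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}'

# Same kind of lookup the failing setup step performs. The second attempt covers
# a mailbox re-enabled with -Arbitration, which a plain Get-Mailbox does not list.
$mbx = Get-Mailbox -Filter "Name -eq '$name'" -IgnoreDefaultScope -ResultSize 1
if (-not $mbx) {
    $mbx = Get-Mailbox -Arbitration -Filter "Name -eq '$name'" -ResultSize 1
}
if (-not $mbx) {
    Write-Warning "No mailbox named '$name' was found."
    return
}
"Mailbox type: $($mbx.RecipientTypeDetails)"

# The original error was a failure to resolve this group, so resolve it first.
$group = Get-RoleGroup -Identity 'Discovery Management' -ErrorAction SilentlyContinue
if (-not $group) {
    Write-Warning "Role group 'Discovery Management' could not be resolved."
    return
}

# Every explicit (non-inherited) allow entry that grants FullAccess, for review.
Get-MailboxPermission -Identity $mbx.DistinguishedName |
    Where-Object { $_.Deny -eq $false -and $_.IsInherited -eq $false -and
                   "$($_.AccessRights)" -match 'FullAccess' } |
    Format-Table User, AccessRights -AutoSize

# The entry that setup (or the manual Add-MailboxPermission step) should have created.
$dm = Get-MailboxPermission -Identity $mbx.DistinguishedName -User $group.DistinguishedName |
    Where-Object { $_.Deny -eq $false -and "$($_.AccessRights)" -match 'FullAccess' }
if ($dm) {
    "OK: Discovery Management has FullAccess on the discovery mailbox."
} else {
    Write-Warning "Discovery Management has no FullAccess entry; rerun Add-MailboxPermission."
}
```

Any principal other than Discovery Management in the table has direct access to stored discovery search results and should be reviewed.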
http://www.fots.nl/index.php/exchange-2010-or-exchange-2013-couldnt-resolve-the-user-or-group/