the administrator account isn't assigned to any management roles

i'm testing out exchange 2003 to 2010 upgrade in a lab... successfully got ad prep'd, and ca & ht roles installed, but the install failed while adding the mailbox role:

setup /role:mb

Welcome to Microsoft Exchange Server 2010 Unattended Setup

By continuing the installation process, you agree to the license terms of
Microsoft Exchange Server 2010. If you don't accept these license terms,
please cancel the installation. To review these license terms, please go to
http://go.microsoft.com/fwlink/?LinkId=150127&clcid=0x409/

Press any key to cancel setup................
No key presses were detected.  Setup will continue.
Preparing Exchange Setup

    Copying Setup Files              ......................... COMPLETED

The following server roles will be installed
    Languages
    Management Tools
    Mailbox Role

Performing Microsoft Exchange Server Prerequisite Check

    Language Pack Checks             ......................... COMPLETED
    Mailbox Role Checks              ......................... COMPLETED
 If Microsoft Outlook 2003 is in use, you should replicate the free/busy folder on this server to every other free/busy server in the organization. This step should be performed once Setup completes.
 This computer requires the 2007 Office System Converter: Microsoft Filter Pack. Please install the software from http://go.microsoft.com/fwlink/?LinkId=123380.

Configuring Microsoft Exchange Server

    Preparing Setup                  ......................... COMPLETED
    Stopping Services                ......................... COMPLETED
    Copying Exchange Files           ......................... COMPLETED
    Language Files                   ......................... COMPLETED
    Restoring Services               ......................... COMPLETED
    Languages                        ......................... COMPLETED
    Exchange Management Tools        ......................... COMPLETED
    Mailbox Server Role              ......................... FAILED
     The following error was generated when "$error.Clear(); start-SetupService -ServiceName MSExchangeIS -MaximumWaitTime "unlimited"" was run: "Service 'MSExchangeIS' failed to start. Check the event log for possible reasons for the service start failure.".

The Exchange Server setup operation did not complete. Visit http://support.microsoft.com and enter the Error ID to find more information.

Exchange Server setup encountered an error.

below are the events i discovered in the event log of the server i'd hoped to use as the mb role:

Log Name:      System
Source:        Service Control Manager
Date:          3/11/2010 4:17:14 PM
Event ID:      7024
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      EXMBX1.domain.local
Description:
The Microsoft Exchange Information Store service terminated with service-specific error %%-2147221233.

Log Name:      Application
Source:        MSExchangeIS
Date:          3/11/2010 4:17:14 PM
Event ID:      1121
Task Category: General
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      EXMBX1.domain.local
Description:
Error 0x8004010f connecting to Active Directory.

Log Name:      Application
Source:        MSExchangeIS
Date:          3/11/2010 4:17:14 PM
Event ID:      5000
Task Category: General
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      EXMBX1.domain.local
Description:
Unable to initialize the Microsoft Exchange Information Store service.   - Error 0x8004010f.
 

but now, what's more concerning is that i can't even start the exchange management console or shell on any of the 2010 servers in the org:

VERBOSE: Connecting to EXHUB1.domain.local
[exhub1.domain.local] Processing data from remote server failed with the following error message: The user "DOMAIN\Administrator" isn't assigned to any management roles. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
    + FullyQualifiedErrorId : PSSessionOpenFailed
VERBOSE: Connecting to EXCAS1.domain.local
[excas1.domain.local] Processing data from remote server failed with the following error message: The user "DOMAIN\Administrator" isn't assigned to any management roles. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
    + FullyQualifiedErrorId : PSSessionOpenFailed
VERBOSE: Connecting to EXMBX1.domain.local
[exmbx1.domain.local] Processing data from remote server failed with the following error message: The user "DOMAIN\Administrator" isn't assigned to any management roles. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
    + FullyQualifiedErrorId : PSSessionOpenFailed
VERBOSE: Connecting to EXHUB1.domain.local
[exhub1.domain.local] Processing data from remote server failed with the following error message: The user "DOMAIN\Administrator" isn't assigned to any management roles. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
    + FullyQualifiedErrorId : PSSessionOpenFailed
VERBOSE: Connecting to EXCAS1.domain.local
[excas1.domain.local] Processing data from remote server failed with the following error message: The user "DOMAIN\Administrator" isn't assigned to any management roles. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
    + FullyQualifiedErrorId : PSSessionOpenFailed
VERBOSE: Connecting to EXMBX1.domain.local
[exmbx1.domain.local] Processing data from remote server failed with the following error message: The user "DOMAIN\Administrator" isn't assigned to any management roles. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
    + FullyQualifiedErrorId : PSSessionOpenFailed
VERBOSE: Connecting to EXHUB1.domain.local
[exhub1.domain.local] Processing data from remote server failed with the following error message: The user "DOMAIN\Administrator" isn't assigned to any management roles. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
    + FullyQualifiedErrorId : PSSessionOpenFailed
Failed to connect to any Exchange Server in the current site.
Please enter the Server FQDN where you want to connect:

i found this error in the exchangesetup.log file on the ws08r2 dc in the test forest:

[03/23/2010 15:18:18.0218] [2] Launching sub-task '$error.Clear(); $RoleInstallationMode = "BuildToBuildUpgrade"'.

i thought i might need to run the Install-CannedRbacRoleAssignments cmdlet manually, but alas that didn't help...

[PS] C:\Windows\system32>Add-PSSnapin *setup
[PS] C:\Windows\system32>Install-CannedRbacRoleAssignments -InvocationMode Install -Verbose
[PS] C:\Windows\system32>$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://exhub1.domain.local/PowerShell/ -Authentication Kerberos
[exhub1.domain.local] Processing data from remote server failed with the following error message: The user "DOMAIN\Administrator" isn't assigned to any management roles. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
    + FullyQualifiedErrorId : PSSessionOpenFailed
[PS] C:\Windows\system32>Import-PSSession $Session
Import-PSSession : Cannot validate argument on parameter 'Session'. The argument is null. Supply a non-null argument and try the command again.
At line:1 char:17
+ Import-PSSession <<<<  $Session
    + CategoryInfo          : InvalidData: (:) [Import-PSSession], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.ImportPSSessionCommand

[PS] C:\Windows\system32>Get-ManagementRoleAssignment
The term 'Get-ManagementRoleAssignment' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:29
+ Get-ManagementRoleAssignment <<<<
    + CategoryInfo          : ObjectNotFound: (Get-ManagementRoleAssignment:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

i then checked adsiedit, and found exchange servers already have list contents, read all properties, and read permissions on microsoft exchange container as well as child containers such as the first organization and ad connections, so i tried deleting the administrator account from the organization management group, and adding back, but... again, no change in behavior.

i verified that no credentials have been stored in credential manager, and that the kerbauth and wsman modules are not enabled on the default web site... they're both local only to the powershell virtual directory. also, http bindings are still present with no hostname for port 80.

the exchange installation path looks good:

C:\>echo %ExchangeInstallPath%
C:\Program Files\Microsoft\Exchange Server\V14\

i confirmed that the physical path for the powershell virtual directory is correct, and that ssl is not required on the powershell virtual directory. also, the msexchangepowershellapppool is started, but... restarting yields an application event error. looks like maybe we've got a permissions problem:

Log Name:      Application
Source:        MSExchange Configuration Cmdlet - Management Shell
Date:          4/5/2010 1:33:05 PM
Event ID:      17
Task Category: RBAC
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      EXHUB1.domain.local
Description:
(Process w3wp.exe, PID 2592) "RBAC authorization returns Access Denied for user Administrator@domain.local. Reason: No role assignments associated with the specified user were found on Domain Controller EXDC1.domain.local"

am i up a creek? how do i fix if the administrator account if it is the only privileged user in the forest?

C:\>dsquery user -name administrator | dsget user -memberof
"CN=Organization Management,OU=Microsoft Exchange Security Groups,DC=domain,DC=local"
"CN=Group Policy Creator Owners,CN=Users,DC=domain,DC=local"
"CN=Domain Admins,CN=Users,DC=domain,DC=local"
"CN=Enterprise Admins,CN=Users,DC=domain,DC=local"
"CN=Schema Admins,CN=Users,DC=domain,DC=local"
"CN=Administrators,CN=Builtin,DC=domain,DC=local"
"CN=Domain Users,CN=Users,DC=domain,DC=local"

maybe it's a remote management issue:

C:\>winrm quickconfig
WinRM already is set up to receive requests on this machine.
WinRM is not set up to allow remote access to this machine for management.
The following changes must be made:

Create a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.
Enable the WinRM firewall exception.

Make these changes [y/n]? y

WinRM has been updated for remote management.

Created a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.
WinRM firewall exception enabled.

nope... even after enabling winrm through the firewall, there's still no change! do i need to upgrade with a 2007 installation before going to 2010?