WinRM problem on new Exchange 2010 server

I recently upgraded to Exchange 2010 on my home network. Everything went well, but when I started the Exchange Management Console for the first time I got this error when trying to open the Server Configuration\Client Access node:
—————————
Microsoft Exchange
—————————
Connecting to remote server failed with the following error message : The WinRM client received an HTTP server error status (500), but the remote service did not include any other information about the cause of the failure. For more information, see the about_Remote_Troubleshooting Help topic.
—————————
OK  
—————————

After looking at the various settings for WinRM, firewall etc, I noticed that the WinRM IIS Extension was missing from my features list. I added it through Server Manager:

 
I could have used ServerManagerCMD.exe as well, but it has been depricated. The command would be:
servermanagercmd.exe -install WinRM-IIS-Ext
Or the PowerShell Server Manager cmdlets:
Import-Module ServerManager
Add-WindowsFeature WinRM-IIS-Ext
 
After the feature had been installed the error disappeared and Exchange Management Console worked without incident.
 
I had originally followed the steps outlined in this article on TechNet to install the prerequisites for Exchange on Windows Server 2008 R2, but those instructions do not mention the WinRM IIS Extension.

Exchange group relationships in a multi-domain forest

In a multi-domain forest with Exchange 2000/2003 installed there are some special group relationships.
Each domain for which DomainPrep has been run, has the following Exchange related groups:
  • Exchange Domain Servers (Global Group)
  • Exchange Enterprise Servers (Domain Local Group)

Exchange Enterprise Servers
Purpose: Group all Exchange servers in a specific Enterprise (organization/forest)
This group has the follwing members:
– The computer account of all Exchange servers in the organization
– The Exchange Domain Servers group from all domains where DomainPrep has been run
 
Exchange Domain Servers
Purpose: Group all Exchange Servers in a specified domain
This group has the following members:
– The computer account of all Exchange servers in the domain where the group exists
 
Errors
When adding a new Recipient Update Serveice to a domain in a multi-domain forest, that previously has not had Exchange, it is quite usual to get the following errors in the application log on the Exchange server (Exchange server is usually located in another domain):
 
Source:  MSExchangeAL
Category: LDAP Operations
Event ID: 8270
Description: LDAP returned the error [32] Insufficient Rights when importing the transaction
  dn: <GUID=A907D19B-18F7-4098-95AB-A8E029C1634C>
  changetype: Modify
  member:add:<GUID=E480D07A-1A37-4D43-BC52-9A59958F3DD9>
 
In this event the dn: <GUID> is the GUID of the ‘Exchange Enterprise Servers’ group in the domain specified in the event. The member:add:<GUID> is the GUID of the ‘Exchange Domain servers group’ from another domain.
Probably a domain that was recently added to the forest. You will see this error for each of the other domains in the forest. The event will be repeated but with a different GUID in the member:add field.
 
You will also see this error:
 
Source:  MSExchangeAL
Category: LDAP Operations
Event ID: 8270
Description: LDAP returned the error [32] Insufficient Rights when importing the transaction
  dn: <SID=0102000000000005200000002A020000>
  changetype: Modify
  member:add:<GUID=E480D07A-1A37-4D43-BC52-9A59958F3DD9>
 
In this event the <SID> is the SID of the ‘Pre-Windows 2000 Compatible Access’ group in the domain that is specified in the event (dc=xxx,dc=xxx),and the member:add:<GUID> is the GUID of the ‘Exchange Domain Servers’ group in one of the other domains in the forest. You will see this error for each of the other domains in the forest. The event will be repeated but with a different GUID in the member:add field.
These errors are most likely due to incorrect permissions in the target domain’s Active Directory.
The permissions are not correctly set or all information in not yet replicated.
 
Thus we can deduce the follwing member relationships:
Group Name:                          Memebership:
Exchange Domain Servers         All Exchange Servers in the group’s domain
Exchange Enterprise Servers      Exchange Domain Servers from each additional domain in the forest
Pre-Windows 2000 Compatible    Access Exchange Domain Servers from each additional domain in the forest

There is also a KB article that deals with this here:

Missing permissions cause the Recipient Update Service not to process accounts in Exchange 2000 Server and Exchange Server 2003