If you are having trouble running New-RoleGroup from a child domain on Exchange 2010 you have two choices:
- run the command from the root domain or
- run the following PowerShell cmdlet before running New-RoleGroup – Set-ADServerSettings -ViewEntireForest $True
This will change the scope of the data that New-RoleGroup is able to look at. It will now be able to see and access what it needs to create the new Universal Security Group that is the basis for the RoleGroup.