Any chance you have a lab for this that you can mock up and try to duplicate? Obviously you can't back the DC into the old config unless you have maintenance windows you can play in.

What kind of log files did it say it couldn't access?

What FSMO roles was DC2 holding before the switch?

Is Exchange running on the DCs or as a member?

Can you install this service on say DC1 with another mailbox in the old way to see if you can duplicate the problem there (assuming no lab)?

At this point, I would probably

1. Check to make sure that the mailbox still has the access of dc2 with full mailbox access.
2. Check the policy (fully - all settings - secpol.msc) on the new DC as Eric is suggesting. It shouldn't prevent accessing of the mailbox but is still good to double-check in case there is a delta between that DC and the others. Very carefully check replication of FRS/AD.
3. Check what DC the Exchange server is using for the various pieces (GC, DC, Config).
4. If you can get a chance to switch it back to local system, get a network trace of the failure which may give some sort of clue.

Sorry for vagueness, you are doing something way outside what we do and I'm just trying to guess what I would try to do to troubleshoot that. Having a lab even if in a VM would be a great plus.

-------------
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)
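As an added example (not from joe or the list), a PowerShell script that runs checks 1 to 3 from the list above against a current domain: it lists the FSMO role holders and GCs, shows which DC and GC the host running the service actually locates, checks replication for errors, and (assuming an Exchange Management Shell session) dumps the explicit full-access entries on the mailbox. It assumes the RSAT ActiveDirectory module; the mailbox alias is a placeholder, and DC2 is the service host named in the thread.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module
# (RSAT) and, for the mailbox check, an Exchange Management Shell session.
# $Mailbox is a PLACEHOLDER; $ServiceHost defaults to the DC named in the thread.
param(
    [string]$ServiceHost = 'DC2',          # host running the mailbox-reading service
    [string]$Mailbox     = 'unity-svc'     # PLACEHOLDER mailbox alias
)
Import-Module ActiveDirectory

# Checks 1 and 3: who holds each FSMO role now, and which DCs are GCs?
$domain = Get-ADDomain
$forest = Get-ADForest
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    GlobalCatalogs       = ($forest.GlobalCatalogs -join ', ')
} | Format-List

# Check 3: which DC and GC does the service host locate? (nltest ships with Windows;
# the scriptblock runs on the remote host, so $env:USERDNSDOMAIN is resolved there)
Invoke-Command -ComputerName $ServiceHost -ScriptBlock {
    nltest /dsgetdc:$env:USERDNSDOMAIN
    nltest /dsgetdc:$env:USERDNSDOMAIN /gc
}

# Check 2 (replication part): any AD replication errors on any DC, including
# the new role holder? Empty output means no failing partners were reported.
repadmin /showrepl * /errorsonly

# Check 1: explicit full-access entries on the mailbox. Look for the service
# host's machine account (DOMAIN\DC2$) with FullAccess, and for any Deny entry.
Get-MailboxPermission -Identity $Mailbox |
    Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited } |
    Select-Object User, AccessRights, Deny, IsInherited |
    Format-Table -AutoSize
```

Run it once against the old role holder and once after the transfer and diff the output; a changed GC or DC in the nltest result, or a missing machine-account entry on the mailbox, is the delta worth chasing.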
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael B. Smith
Sent: Saturday, April 03, 2004 2:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Move FSMO Roles Affect Permissions?

Thanks for your comments/questions. I had given up hope. :) Nothing else changed.

This is my production hosted Unity domain. I'm the enterprise admin; no one else has that password.

Yes, the DC2 machine account had full mailbox access.

The only errors in the event log were when the service suddenly couldn't log in anymore; the service began logging errors: "An attempt to access the Exchange Private Store has failed: 8004011d. The MAPI subsystem returned the following error: You do not have permission to log on." There are no failures in the security log.

I didn't take a network trace. :( As soon as I restarted the service, a couple of dozen small companies suddenly found their telephone service wasn't answering calls and I had to resolve it, ASAP. I did that by throwing permissions at it.

Since I wrote the original email, I've poured hours into investigation of this. As soon as the FSMO roles were moved (within 15 minutes), the mailbox service started generating warnings about not being able to access certain log files. But it was 2.5 days later until it couldn't access the mailbox and began generating errors.

Moving the FSMO roles definitely had some security impact; one I've never heard of before; and it worries me.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe

Interesting. I can't think of anything that a FSMO role move would have changed that would have caused that behavior. However, my love of exchange is not unknown on this list nor is it, in my opinion, unfounded. There are many things in Exchange that aren't quite logical. :o)

So anyway, did anything ELSE change and are you sure and how do you know? I would assume that you set up the mailbox so that the DC2 machine account had full mailbox access? If not, how was it accessing the mailbox? Any errors in the event log? What do you see in a network trace?

joe
-------------
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael B. Smith

Windows 2000 Native Mode, flat (single) domain, single site. DC1 and DC2 are both Windows 2000 servers w/sp3 plus all current hotfixes. Until last Sunday (3/28), DC1 held all FSMO roles. Both DC1 and DC2 are GCs.

DC2 runs a service, under localsystem, that logs into an Exchange mailbox, which is explicitly set to allow "Domain Admins" to have "Full Mailbox Access". Everything works fine.

Two Wednesdays ago (3/24), a Windows 2003 DC (DC3) was introduced into the mix. It was allowed to be there for five days to ensure no problems happened. Last Sunday (3/28), all FSMO roles were moved to DC3.

This Wednesday (3/31) the service running on DC2 suddenly reports that it can't log into the Exchange mailbox anymore. After a restart it reports the same thing. After a reboot it reports the same thing. It took changing the service account to a domain admin account for the service to start operating again.

Two questions:

1) Just WTF? :-)
2) Should I have expected that transferring FSMO roles would affect how permissions of localsystem on a DC were applied?
3) Why the 3 day delay?

(yeah yeah, I know that was three, not two, but the first one was really specious.)

Thanks,
Michael
