Replmon doesn’t monitor FRS.

Ultrasound would need to be used for that. Event logs, Ultrasound and just anecdotal observations would need to be used for that.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith

No FRS problems. I say that from event logs and the output from replmon...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman

Disclaimer: I know very little about Exchange.

The first thing that comes to mind: do you have FRS problems? If you say no, what is your metric for saying that?

I ask because if you dcpromo a new box in, and it doesn’t get SYSVOL properly, the rights added by the Exchange domain prep won’t replicate to that DC and Exchange won’t start properly.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith

Thanks for your comments/questions. I had given up hope. :)

Nothing else changed. This is my production hosted Unity domain. I’m the enterprise admin; no one else has that password.

Yes, the DC2 machine account had full mailbox access.

The only errors in the event log were when the service suddenly couldn’t log in anymore, the service began logging errors:

An attempt to access the Exchange Private Store has failed: 8004011d.
The MAPI subsystem returned the following error: You do not have permission to log on.

There are no failures in the security log.

I didn’t take a network trace. :( As soon as I restarted the service, a couple of dozen small companies suddenly found their telephone service wasn’t answering calls and I had to resolve it, ASAP. I did that by throwing permissions at it.

Since I wrote the original email, I’ve poured hours into investigation of this. As soon as the FSMO roles were moved (within 15 minutes), the mailbox service started generating warnings about not being able to access certain log files. But it was 2.5 days later until it couldn’t access the mailbox and began generating errors.

Moving the FSMO roles definitely had some security impact; one I’ve never heard of before; and it worries me.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

Interesting. I can't think of anything that a FSMO role move would have changed that would have caused that behavior. However, my love of Exchange is not unknown on this list nor is it, in my opinion, unfounded. There are many things in Exchange that aren't quite logical. :o)

So anyway, did anything ELSE change and are you sure and how do you know? I would assume that you set up the mailbox so that DC2 machine account had full mailbox access? If not, how was it accessing the mailbox? Any errors in the event log? What do you see in a network trace?

joe

-------------
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith

Windows 2000 Native Mode, flat (single) domain, single site.

DC1 and DC2 are both Windows 2000 servers w/sp3 plus all current hotfixes. Until last Sunday (3/28), DC1 held all FSMO roles. Both DC1 and DC2 are GCs.

DC2 runs a service, under localsystem, that logs into an Exchange mailbox, which is explicitly set to allow "Domain Admins" to have "Full Mailbox Access". Everything works fine.

Two Wednesdays ago (3/24), a Windows 2003 DC (DC3) was introduced into the mix. It was allowed to be there for five days to ensure no problems happened.

Last Sunday (3/28), all FSMO roles were moved to DC3.

This Wednesday (3/31) the service running on DC2 suddenly reports that it can't log into the Exchange mailbox anymore. After a restart it reports the same thing. After a reboot it reports the same thing.

It took changing the service account to a domain admin account for the service to start operating again.

Two questions:

1) Just WTF? :-)
2) Should I have expected that transferring FSMO roles would affect how permissions of localsystem on a DC were applied?
3) Why the 3 day delay?

(yeah yeah, I know that was three, not two, but the first one was really specious.)

Thanks,
Michael
- [ActiveDir] Move FSMO Roles Affect Permissions? Michael B. Smith