There would be an event logged on the Exchange server if your membership were incorrect. Depending on version, this would be different.

Have you checked with the root folks to see if they've done anything lately? How's replication working? Interested to hear what RIM comes back with as well.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, May 28, 2004 10:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:EXCHANGE weirdness

the bb service logs an application specific error (i'm trying to find out its meaning from RIM). there is nothing in the other logs.

the bb service is a member of the local admin group on the server and domain users, that's it. exchange "view only admin" is delegated directly to the bb account on our admin group. the other delegation is "full exchange admin" to the domain admins group.

where would i check for changes to the Exchange domain servers/enterprise servers groups? or errors in group membership?

as per my previous post, this kind of thing has happened before to the domain admins which had full exchange admin rights delegated directly to them.

thanks

-----Original Message-----
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Friday, May 28, 2004 10:02 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT:EXCHANGE weirdness

What are the error messages when the service tries to start? What's in the security and application and system logs? What groups is the bb service a member of completely? Which one is delegated exchange rights and how does that compare with the service account?

I think that's a good place to start troubleshooting this. I think you should also look for any errors indicating a change in server group membership and any changes to the Exchange domain servers and enterprise servers groups.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, May 28, 2004 9:55 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:EXCHANGE weirdness

here's the deal- i've had this same thing happen to a child domain.

the domain admins had full exchange admin rights on their admin group. however, when you open up exchange system manager, you couldn't see anything. In adsiedit, if you looked in the exchange services container in the configuration partition, you couldn't look deeper than the org. there was nothing there. and if you wanted to look at the acl's of the org, it was empty. STILL, in exchange system manager, you saw they had full exchange admin rights (and i'm not talking about receive as, to open a mailbox. i just mean full rights to view and administer their admin group.). this was never resolved.

Now i have the same issue in my child domain with the blackberry service account. I'm the only one who administers this domain and nothing was changed. really.

is there an explicit deny somewhere? how would i find it? there's nothing in the security log on the blackberry server. this is the kind of stuff that keeps me up all night. could someone have done something at the root? we have no gpo on our domain, dc, or site that would cause this. i checked them all, including the local one on the server.

what the heck is going on here? this is twice now with 2 separate domains!!!

both domains are mixed mode running win2k. the root domain is native mode. exchange 2k is native mode. all servers are win2k except one win2k3 server in the root and an exchange2k3 server, also in the root.

thanks

-----Original Message-----
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Friday, May 28, 2004 9:09 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT:EXCHANGE weirdness

Permissions get changed all the time. Monitoring the DC's for group membership changes has been helpful here. You'd be surprised what people think is a good idea ;)

As for permissions, putting that account in domain admins is likely the wrong thing to do. If you look in the security logs, you'll likely find a clue to the answer as to why it won't start. My guess is that it has conflicting permissions.

By default Exchange 200x doesn't allow administrators and other admins the ability to log in to people's mailboxes. That may be preventing the service from starting. Could also be a GPO change or other I'm sure, but I'd start with the event logs to see why it won't start.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, May 27, 2004 8:20 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT:EXCHANGE weirdness

i have a user (blackberry service account) who has full exchange admin rights on our admin group, now suddenly (i know there is no "now suddenly", but nothing changed, honest), blackberry service won't start and when i open exchange manager, i can't see any admin group logged in as the blackberry account. when i log in as another account, i can see everything.

i put the bb account into domain admins, and still same thing.

why? and more importantly, how do permissions and roles get lost like that?

I'm running a win2k ad mixed mode and exchange 2k native mode.

thanks

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
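
The thread asks whether an explicit deny exists somewhere and how to find it. The following is an added example, not part of the original messages: a PowerShell sketch that lists Deny ACEs on a directory object that apply to an account, either directly or through its (nested) group membership. The two distinguished names at the bottom are placeholders, and the script assumes it runs from a domain-joined machine under an account that can read the object's ACL.

```powershell
# Added example. Function names and the DNs below are illustrative assumptions.

function Get-SidsForAccount {
    param([string]$AccountDn)
    $user = [ADSI]"LDAP://$AccountDn"
    # tokenGroups is a constructed attribute holding the SIDs of every security
    # group the account is in, nested membership included.
    $user.psbase.RefreshCache(@('tokenGroups', 'objectSid'))
    $sids = @()
    $own = $user.psbase.Properties['objectSid'][0]
    $sids += (New-Object System.Security.Principal.SecurityIdentifier($own, 0)).Value
    foreach ($bytes in $user.psbase.Properties['tokenGroups']) {
        $sids += (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    }
    # Well-known SIDs in every logon token that tokenGroups does not list.
    $sids += 'S-1-1-0'     # Everyone
    $sids += 'S-1-5-11'    # Authenticated Users
    return $sids
}

function Find-DenyAce {
    param([string]$TargetDn, [string[]]$Sids)
    $entry = [ADSI]"LDAP://$TargetDn"
    # Explicit and inherited ACEs, with trustees returned as raw SIDs.
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -eq 'Deny' -and
            $Sids -contains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Trustee   = $ace.IdentityReference.Value
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited
                AppliesTo = $ace.InheritanceType
            }
        }
    }
}

# Placeholder DNs: the service account, and the Exchange container in the
# configuration partition mentioned in the thread.
$account = 'CN=bbservice,CN=Users,DC=child,DC=example,DC=com'
$target  = 'CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=example,DC=com'
Find-DenyAce -TargetDn $target -Sids (Get-SidsForAccount $account) |
    Format-Table -AutoSize
```

Pointing `$target` at the administrative group object rather than the top container also surfaces denies inherited from its parents, since inherited ACEs are included.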
