I would agree that it looks like your permissions at some level have been dorked up, possibly someone added a handy dandy Everyone Deny FC.

You shouldn't have to use localsystem to bail this out; by default the owner of the structure there should be Enterprise Admins I believe and that should be enough. Unfortunately ADSIEDIT sucks to work with when the permissions are dorked up. You will want to pull dsacls out of the ADAM R2/SP1 install and use that as it has some fixes around handling ACLs.

Log into an Ent Admins account and then get a feel for what objects you have had perms dorked up on, something like this would work:

adfind -b "CN=Address Lists Container,CN=ORGNAME,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=joe,DC=com" cn

You should see the DN and cn of every object you have permissions to. If you don't see the cn then you have found an object you don't have access to.

Take that DN and plug it into the version of dsacls mentioned above and look at the perms. If you can't, that means that either you aren't logged in with an ID that currently has enterprise admin membership or someone changed the ownership on the object. If that is the case, then you need to take ownership. You can do that with the new /takeownership switch of dsacls. Once you do that, try to enumerate the ACL again.

Once you have it enumerated, the problem should be relatively obvious so you can either remove the DENY or add the appropriate grants.

Repeat that for any of the objects you don't have access to under the Address Lists Container.

Alternatively, if you are comfortable with LDP then you can use the new version of LDP which comes with ADAM R2/SP1 to pull up a tree view and dig in and clean this up as well; the ACL editor in the new LDP is one of the better GUI ones available.
joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
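The check joe describes (run adfind for cn under the Address Lists Container, then treat any object that comes back with a DN but no cn as one whose ACL needs a look with dsacls) can be automated over the saved adfind output. The Python script below is an added example, not code from the thread or from joeware; it assumes adfind's usual text layout (one `dn:` line per object, requested attributes as `>attr: value` lines, a blank line between objects) and works on a constructed sample of that output, since the thread does not include any.

```python
"""Flag AD objects whose attributes an admin cannot read, from adfind output.

Added example for the procedure in joe's reply; not code from the thread or
from joeware. Assumes adfind's usual text layout: one "dn:<DN>" line per
object, requested attributes as ">attr: value" lines, and a blank line
between objects. The sample output below is constructed.
"""

# Constructed sample: two of the four objects return a DN but no cn, which is
# the symptom joe describes for an object whose ACL has been dorked up.
SAMPLE_ADFIND_OUTPUT = """\
AdFind (version banner omitted in this constructed sample)

Using server: dc1.joe.com:389
Directory: Windows Server 2003

dn:CN=All Address Lists,CN=Address Lists Container,CN=ORGNAME,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=joe,DC=com
>cn: All Address Lists

dn:CN=All Global Address Lists,CN=Address Lists Container,CN=ORGNAME,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=joe,DC=com

dn:CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=ORGNAME,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=joe,DC=com

dn:CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=ORGNAME,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=joe,DC=com
>cn: All Users

4 Objects returned
"""


def parse_adfind(text):
    """Parse adfind text output into a list of (dn, {attr: [values]})."""
    objects = []
    dn, attrs = None, {}
    for line in text.splitlines():
        if line.startswith("dn:"):
            if dn is not None:  # previous object ended without a blank line
                objects.append((dn, attrs))
            dn, attrs = line[3:].strip(), {}
        elif line.startswith(">") and dn is not None:
            name, _, value = line[1:].partition(":")
            attrs.setdefault(name.strip(), []).append(value.strip())
        elif not line.strip() and dn is not None:
            objects.append((dn, attrs))
            dn, attrs = None, {}
    if dn is not None:
        objects.append((dn, attrs))
    return objects


def unreadable_objects(text, attr="cn"):
    """DNs that adfind listed (the parent lets us enumerate them) but that came
    back without the requested attribute (the object's own ACL blocks the read)."""
    return [dn for dn, attrs in parse_adfind(text) if attr not in attrs]


def dsacls_commands(dns):
    """dsacls invocations to dump the ACL of each suspect object. Add
    /takeownership (the switch joe mentions) by hand only where dsacls itself
    cannot read the ACL."""
    return ['dsacls "%s"' % dn for dn in dns]


if __name__ == "__main__":
    for cmd in dsacls_commands(unreadable_objects(SAMPLE_ADFIND_OUTPUT)):
        print(cmd)
```

Redirect the real adfind run to a file and pass its contents to `unreadable_objects`; the DNs it returns are the ones to plug into the ADAM SP1 dsacls, with `/takeownership` reserved for the objects whose ACL dsacls cannot read even as an Enterprise Admin.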
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Victor W.
Sent: Monday, February 06, 2006 10:05 AM
To: [email protected]
Subject: RE: [ActiveDir] Exchange - ESM - "All Address Lists" and "All Global Address Lists" disappeared
I had the chance to look at the actual problem today and hereunder I will describe the problem and what I have tried to resolve it:

Problem: The All Address Lists container has disappeared from ESM, as well as the All Global Address Lists container.

From within Outlook it is as if you can display the All Address List but you are presented with an error message when you actually select it; the same error message is displayed when clicking "check name" when creating a new Outlook profile.

I know what happened, what has caused this: somebody had denied Everyone and Authenticated Users access to this list.

I found a MS article which deals with exactly this, if I am right:

When I try this in a command prompt:

DSACLS "CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Example,DC=com"

I get the following error message:

"Object path is not valid, please correct it"

When I try this in a command prompt:

DSACLS "CN=All Global Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Example,DC=com" /N /G "Authenticated Users":SDRCWDWOWPRPCALO

I get the following error message:

"The system cannot find the file specified".

From within Adsi Edit I can see in the right hand pane:

"CN=All Address Lists" and "CN=All Global Address Lists"

They are at the following location:

CN=Configuration,CN=Services,CN=Microsoft Exchange,CN=Domain,CN=AddressListContainer

When I right click either of those two and ask for properties, I get the message that an invalid directory was passed.

When I try to delete either of those two I get the message that there are other property sheets opened and that need to close first.

It is as if the objects are visible but aren't really there any more.

As suggested I tried running setup /forestprep but I get an error almost at the end of forestprep:

"Setup failed while installing sub-component Microsoft Exchange Organization-Level Container Children with error code 0x80071392 (please consult the installation logs for a detailed description). You may cancel the installation or try the failed step again".

I took the relevant piece from the Exchange Server Setup Progress Log:
"[09:30:39] Creating organization address books
[09:30:39] Entering CAtomOrgCtChildren::ScCreateOrgLevelAddressBooksCTAndObjs
[09:30:39] CAtomOrgCtChildren::ScCreateOrgLevelAddressBooksCTAndObjs (f:\titanium\admin\src\udog\exsetdata\components\server\a_orgctchildren.cxx:1815)
Error code 0X80071392 (5010): The object already exists.
[09:30:39] Leaving CAtomOrgCtChildren::ScCreateOrgLevelAddressBooksCTAndObjs
[09:30:39] CAtomOrgCtChildren::ScAddDSObjects (f:\titanium\admin\src\udog\exsetdata\components\server\a_orgctchildren.cxx:192)
Error code 0X80071392 (5010): The object already exists.
[09:30:39] Leaving CAtomOrgCtChildren::ScAddDSObjects
[09:30:39] mode = 'ForestPrep' (61965) CBaseAtom::ScSetup (f:\titanium\admin\src\udog\setupbase\basecomp\baseatom.cxx:842)
Error code 0X80071392 (5010): The object already exists.
[09:31:23] >>>>>>>>>> Setup encountered a fatal error during Microsoft Exchange Forest Preparation of ForestPrep component task. -- ID:62237 -- CBaseComponent::ScSetup (f:\titanium\admin\src\udog\exsetdata\components\forprep\compforprep.cxx:513)
Error code 0X80071392 (5010): The object already exists.
[09:31:23] Entering CBaseComponent::SetSubtreeComponentsToFailWithErrorInSetup
[09:31:23] Leaving CBaseComponent::SetSubtreeComponentsToFailWithErrorInSetup
[09:31:23] CCompForestPrep::ScSetup"
I found an MS article that addresses the error 0x80071392 message, but I wonder if this is relevant for my case.

That article talks about domain prep, and domain prep runs just fine (I ran domain prep anyway but it doesn't resolve the problem).

The article also talks about renaming the Exchange System Objects OU and the fact that renaming it isn't possible if the Objectclass attribute of that OU has the value msExchSystemObjectsContainer. Even though in my case the OU has indeed got an Objectclass attribute, I can rename it anyway. I tried renaming this OU and ran forestprep again but still the same stop error. I wonder if I really renamed this OU; I mean I can right click it and rename it but the article says that it isn't possible, so I was wondering if it had really been renamed. I tried to remove the value of the Objectclass attribute but this gave me an error message telling me that this was an invalid operation, so I stopped there, not wanting to mess up anything.

The System State backup the firm has is one from last night and the problem occurred a week ago, so restoring AD in that sense is unfortunately not an option.

I hope anybody can help me further with this. It should at least be possible to run forestprep or perhaps there are even other suggestions about handling this problem.

Cheers and many thanks in advance,

Victor
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Friday, 3 February 2006 10:12
To: [email protected]
Subject: RE: [ActiveDir] Exchange - ESM - "All Address Lists" and "All Global Address Lists" disappeared
Hi Victor,

I just had this issue last week!

The All Address Lists has disappeared from ESM!!!

In fact "someone" (saw in security event log of my DC) who has the full exchange admin on the organisation has made an error and deleted the "All Address Lists", then he tried to recreate it but could not due to some replication issues, and a collision occurred!

So I wanted to confirm this by opening ADSIEDIT, going to "CN=LostAndFoundConfig,CN=Configuration,DC=mydomain,DC=fr", and I saw that the List was there but suffixed with a CNF like this: "CN=All Address ListsCNF;feffgee....", same as all child lists and my personal @ lists.

So that tells me that the lists were duped, and due to a replication issue, a collision occurred.

So I deleted the duped lists, ran forestprep, and the "All Address Lists" appeared in ESM.

For your issue, you have also lost the GAL, so do not forget to check:
1) that the GAL is associated to the Offline GAL in ESM.
2) rebuild the Offline GAL.

One issue I had is for Outlook 2k3 in cache mode:
1) For those clients that are configured in cache mode (.ost and .oab), you must force your client to download the GAL + All Address Lists + GAL.
2) For those that are configured in cache mode (only .ost), you also must force the download of the GAL.

Hope that helps.

Yann
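The "CNF" suffix Yann found under CN=LostAndFoundConfig is how AD marks the losing copy of a replication conflict: the RDN gets a line feed, `CNF:` and the object's GUID appended (the post shows it as `CNF;`, but the separator is a colon, and in a displayed DN the line feed is escaped as `\0A`). The Python helper below is an added example, not code from the thread; it takes DNs as LDP or adfind would display them, picks out the conflict objects and recovers the original name and GUID of each, so an admin can decide which copies to remove before rerunning forestprep. The DNs are constructed and the GUIDs are made up.

```python
"""Spot replication-conflict (CNF) copies of address-list objects.

Added example, not code from the thread. When two DCs create an object with
the same name before replication converges, AD keeps one copy and renames the
other by appending a line feed, "CNF:" and the object's GUID to its RDN; in a
displayed DN the line feed is escaped as \\0A, so the name reads
"CN=All Address Lists\\0ACNF:<guid>". The DNs below are constructed and the
GUIDs are made up.
"""
import re

SAMPLE_DNS = [
    # Conflict copies parked in LostAndFoundConfig, as in Yann's post.
    r"CN=All Address Lists\0ACNF:0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b,CN=LostAndFoundConfig,CN=Configuration,DC=mydomain,DC=fr",
    r"CN=All Users\0ACNF:a1b2c3d4-e5f6-4711-8a22-33445566aabb,CN=All Address Lists\0ACNF:0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b,CN=LostAndFoundConfig,CN=Configuration,DC=mydomain,DC=fr",
    # The live, non-conflict object.
    "CN=All Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=fr",
    # A conflict copy left in place rather than moved to LostAndFoundConfig.
    r"CN=All Global Address Lists\0ACNF:9e8d7c6b-5a49-4382-9177-66554433aabb,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=fr",
]

# First RDN of a DN: everything up to the first comma that is not escaped.
_FIRST_RDN = re.compile(r"(?:\\.|[^,\\])+")
# RDN of a conflict object: "<attr>=<original name>\0ACNF:<GUID>".
_CONFLICT = re.compile(
    r"^(?P<attr>[A-Za-z]+)=(?P<name>.*?)\\0ACNF:"
    r"(?P<guid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})$"
)


def conflict_info(dn):
    """Return (original_name, guid) if the leaf of dn is a CNF object, else None."""
    m = _FIRST_RDN.match(dn)
    rdn = m.group(0) if m else dn
    c = _CONFLICT.match(rdn)
    if not c:
        return None
    return c.group("name"), c.group("guid").lower()


def find_conflicts(dns, container="CN=LostAndFoundConfig,"):
    """List (dn, original_name, guid) for every conflict object. By default only
    those under LostAndFoundConfig, where the post found them; pass
    container=None to report conflict copies anywhere in the tree."""
    found = []
    for dn in dns:
        info = conflict_info(dn)
        if info and (container is None or container in dn):
            found.append((dn,) + info)
    return found


if __name__ == "__main__":
    for dn, name, guid in find_conflicts(SAMPLE_DNS, container=None):
        print("%s  (conflict copy of %r, GUID %s)" % (dn, name, guid))
```

Run it with `container=None` to catch conflict copies that stayed next to the live object, since only the leaf RDN decides whether something is a CNF object, not where it sits; a nested conflict (a child list under a CNF parent) is reported on its own leaf, as the second sample shows.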
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Victor W.
Sent: Friday, 3 February 2006 09:11
To: [email protected]
Subject: RE: [ActiveDir] Exchange - ESM - "All Address Lists" and "All Global Address Lists" disappeared
Thanks Michael and Tony, I will try it and will let you know the outcome.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Friday, 3 February 2006 2:04
To: [email protected]
Subject: RE: [ActiveDir] Exchange - ESM - "All Address Lists" and "All Global Address Lists" disappeared
As Tony said, if they are deleted and you need the specific contents back, an authoritative restore is your appropriate response.

If the defaults work for you, you might just try rerunning forestprep and domainprep, then touching each store setting the GAL for the store.

I have seen security changes make them "appear" to disappear. adsiedit.msc is where you go to deal with that (although, again, rerunning forestprep and domainprep will probably take care of it for you).
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Victor W.
Sent: Thursday, February 02, 2006 4:26 PM
To: [email protected]
Subject: [ActiveDir] Exchange - ESM - "All Address Lists" and "All Global Address Lists" disappeared
What if the containers mentioned in the subject title are 'suddenly' missing in ESM?

I have not checked (via adsiedit) if they are still in the Config.Nam.Context because I just heard this and have not had the chance to actually look at it.

If they are gone from the conf.nam.cont. how can I get these folders back, and what if they are visible there but not in ESM?

Any help is greatly appreciated.
