I believe it's a special built-in group like Authenticated Users. It may well not be present in a single domain... I'll see if I can find out more about that one.
To check your DOMAINPREP ran ok... run POLICYTEST on the domain controller from the \Support\Utils\Platform folder on the Exchange 2000 Ent. Edition CD-ROM to make sure all domain controllers have the Manage Auditing and Security logs privilege. You'll need to be a domain admin to run this.... all domain controllers will report their settings. You'll also find this tool under the \SUPPORT folder in SP2, so preferably run this version. What does it say ? -----Original Message----- From: Elmer St�wer [mailto:[EMAIL PROTECTED]] Sent: 05 June 2002 19:47 To: Exchange Discussions Subject: RE: slightly OT: ExchangeServer stops every 10 minutes (Active Direct ory issue?) > Enterprise Domain Controllers (built-in group) should have Is this something I schould worry about? The group does not exist in our domain. We do have the domain controller group, but not Enterprise Domain Controller... regards Elmer > -----Original Message----- > From: Myles, Damian [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, June 05, 2002 11:29 AM > To: Exchange Discussions > Subject: RE: slightly OT: ExchangeServer stops every 10 > minutes (Active > Direct ory issue?) > > > Ouch.. what a mess.. > > Check through your event logs... the symptoms you are > describing suggest an underlying problem, e.g. DNS... the > enviable situation you're in, I suspect, is a byproduct of > that (machine account/kerberos/security problems etc), > together with some new ones you may have introduced trying to > fix the problem. > > This little chestnut was interesting...... > > Error NT-AUTORIT�T\DOM�NENCONTROLLER DER ORGANISATION doesn't have > Replicating Directory Changes > Replication Syncronization > Manage Replication Topology > > Have you been changed any AD/OU security or turned off AD > inheritance within your domain tree ???? Click on Advanced in > ADUC, go to the root of your domain and click on the Security > tab.. what do you see ? > > Enterprise Domain Controllers (built-in group) should have > Manage Replication Topology, Replicating directory changes > and Replication Synchronization Allow permissions. Exchange > Enterprise Servers (built-in) should have Manage Replication > Topology. > > How are you applying group policy within your organisation ? > If you're using some of the Microsoft GPO Templates (e.g. > SECUREDC.INF)and applying those on your Exchange Server, you > may experience *ahem* some loss of functionality, killing > Exchange in the process. > > For problems with machine accounts, have a look at Technet > Q260575.. this deals with machine account 'Access Denied' > errors. Also, if you've moved the machine accounts for your > DC's out of the built-in domain controllers OU and not > re-linked in the default domain controllers group policy back > to the new OU, you'll get lots of SceCli messages in the > event log (although you're event id does not suggest this). > > Leave SYSVOL alone... the SYSVOL\SYSVOL path/junction is > normal... don't touch! Use GPOTOOL on the Reskit and NTFRSUTL > to troubleshoot general GPO/SYSVOL/FRS issues. > > In short, don't go making big changes to things which are > unlikely to be the cause of the problem. Make sure DNS is > working.. and check out that security problem mentioned earlier. > > Seeing as it's rather hard to see what chain of events have > occurred to get you into this situation, if you're still in > the mire, get out your wallet and give Micrsoft PSS a call. > > Regards > Mylo > > -----Original Message----- > From: Elmer St�wer [mailto:[EMAIL PROTECTED]] > Sent: 04 June 2002 20:14 > To: Exchange Discussions > Subject: RE: slightly OT: ExchangeServer stops every 10 > minutes (Active > Direct ory issue?) > > > Single local domain, single site two servers (einstein DC > fileserver, platon DC exchangeserver). > > no event log failures, but the seems to stand for almost a > minute at the same time as SceCli applies security policy on > the exchange server (event 1704). > > netdiag is not very helpful. > DCdiag was a good hint. I put the output of both servers > here, cause I don't know what to do anymore (maybe 12h work > is to much for one day) > > output of DCdiag on einstein: > ------------------------------ > Doing primary tests > > Testing server: Alt-Moabit\EINSTEIN > Starting test: Replications > [Replications Check,EINSTEIN] A recent replication > attempt failed: > From PLATON to EINSTEIN > Naming Context: DC=cyberconsult,DC=lan > The replication generated an error (8453): > Der Replikationszugriff wurde verweigert. > The failure occurred at 2002-06-04 19:48.21. > The last success occurred at 2002-05-23 17:02.11. > 3115 failures have occurred since the last success. > The machine account for the destination EINSTEIN. > is not configured properly. > Check the userAccountControl field. > Kerberos Error. > The machine account is not present, or does not > match on the. > destination, source or KDC servers. > Verify domain partition of KDC is in sync with > rest of enterprise. > The tool repadmin/syncall can be used for this purpose. > ......................... EINSTEIN passed test Replications > Starting test: NCSecDesc > --------------------- > > output of DCdiag on platon: > Doing primary tests > > Testing server: Alt-Moabit\PLATON > Starting test: Replications > ......................... PLATON passed test Replications > Starting test: NCSecDesc > Error NT-AUTORIT�T\DOM�NENCONTROLLER DER > ORGANISATION doesn't have > Replicating Directory Changes > Replication Syncronization > Manage Replication Topology > access rights for the naming context: > DC=cyberconsult,DC=lan > ......................... PLATON failed test NCSecDesc > --------------------- > > > Using replmon.exe to determine the status of replication > I get the following: > --------------------- > Directory Partition: DC=cyberconsult,DC=lan > > Partner Name: Alt-Moabit\PLATON > Partner GUID: FFF5003A-7832-48CD-A5E0-9D8227C95EC0 > Last Attempted Replication: 6/4/2002 4:31:46 PM (local) > Last Successful Replication: 5/23/2002 5:02:11 > PM (local) > Number of Failures: 3077 > Failure Reason Error Code: 8453 > Failure Description: Der Replikationszugriff wurde > verweigert. > Synchronization Flags: > DRS_WRIT_REP,DRS_INIT_SYNC,DRS_PER_SYNC > USN of Last Property Updated: 337656 > USN of Last Object Updated: 337656 > Transport: Intra-Site RPC > > Change Notifications for this Directory Partition > ------------------------------------------------- > Server Name: Alt-Moabit\PLATON > Object GUID: DBE24D70-EE08-479C-9129-D048C1A6CD91 > Time Added: 12.02.2002 15:20:29 > Flags: DRS_WRIT_REP > Transport: RPC > --------------------- > > "Der Replikationszugriff wurde verweigert" means "replication > access was denied". There are no errors for other partitions > or into the other direction. > > What is also strange to me: > under .\sysvol I have the shared directory .\sysvol\sysvol > including the .\sysvol\sysvol\'domain_name' directory in it > (last change 5/23/2002). But I also have an .\sysvol\domain > directory with the same content as > .\sysvol\sysvol\'domain_name'. I found a registry key from > frs which is pointing there. > > So if someone has the hint to fix that replication issue it > would be just great... I know that I can not expect people > from a mailing list to go through a lot of text and > log-files. But maybe one is interested in that issue... > > regards > > elmer > > > -----Original Message----- > > From: Kevin Miller [mailto:[EMAIL PROTECTED]] > > Sent: Tuesday, June 04, 2002 6:51 PM > > To: Exchange Discussions > > Subject: RE: slightly OT: ExchangeServer stops every 10 > > minutes (Active > > Direct ory issue?) > > > > > > Event log entries.. DCdiag report, Netdiag report. Get some > > information > > before you do something. > > > > --Kevinm KMAP-SR, M, WLKMMAS, UCC+WCA, And Beyond > > http://www.daughtry.ca/ For Graphics and WebDesign, GO here! > > > > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED]] On Behalf Of > Elmer St�wer > > Sent: Tuesday, June 04, 2002 9:41 AM > > To: Exchange Discussions > > Subject: RE: slightly OT: ExchangeServer stops every 10 > > minutes (Active > > Direct ory issue?) > > > > > > Exchange hangs every ten minutes because the AD replication > > doesn't work > > (single domain, two DCs with exchange on one of them). > > > > Now I wonder if it is a very bad Idea to use dcpromo to change the > > server from DC to a member server. > > > > regards > > > > Elmer > > > > > -----Original Message----- > > > From: Elmer St�wer > > > Sent: Wednesday, May 29, 2002 3:22 PM > > > To: Exchange Discussions > > > Subject: slightly OT: ExchangeServer stops every 10 > minutes (Active > > > Direct ory issue?) > > > > > > > > > I already posted this one to W2K diskussion group. Nobody > > > replied. I think > > > it is an AD issue but it affects mainly our E2K-Server. So > > > maybe someone > > > here has an idea. This really drives me crazy... > > > > > > Situation: > > > ---------- > > > Two 2K-AD-Servers (one of them Exchange and global catalogue > > > server). Both > > > upgraded from NT half a year ago, > > > One Site, one Domain. > > > 15 W2K and one XP clients. > > > > > > Problem: > > > -------- > > > The Exchange/global catalogue server stands about every 10 > > > minutes for about > > > 45 seconds. No response on any click, nor it is possible to > > work with > > > outlook 'on' that server for the 45 seconds. > > > > > > According to the event log I had a couple of issues with user > > > rights in > > > local security (power user etc.) (SceCli every 8 minutes). I > > > followed the > > > Microsoft guides and removed the group entries from local > > > security policy. > > > > > > No I don't have any event log entries anymore, but the > > > problem persists. > > > > > > speculation of Cause/Solution? > > > ------------------------------ > > > I guess that there is still a problem with AD. On the second > > > server I can > > > see issues in the AD replication monitor for the first > > > server. Objects could > > > not be replicated due to access failure. > > > > > > On the Exchange/global catalogue server in the registry in > > > HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NtFrs\Paramet > > > ers\Replica > > > Sets\d5c32359-0ee1-42a9-8bac72a28682a096 I found a wrong path for > > > ...\sysvol\domain. It points to an non existing directory. > > > So it seems that active directory is not able to find active > > > directory. > > > > > > I did not want to correct it via the registry. There must be > > > a better way to > > > correct wrong path settings for the active directory container. > > > > > > Here is the main question > > > ------------------------- > > > I appreciate any hint how to fix the ntfrs/AD settings on > > > that machine. > > > Where are path settings stored? Is it necessary to use DC > > > promo to remove > > > and add the server from/to the domain or is there an easier > > > way to fix it? > > > > > > Best Regards > > > > > > Elmer [glad that the machines are still running under these > > > circumstances] > > > -- > > > Elmer St�wer > > > System- und Netzwerkadministration > > > CyberConsult GmbH > > > mailto:[EMAIL PROTECTED] > > > www.cyberconsult.de > > > > > > _________________________________________________________________ > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > Archives: http://www.swynk.com/sitesearch/search.asp > To unsubscribe: mailto:[EMAIL PROTECTED] > Exchange List admin: [EMAIL PROTECTED] > > _________________________________________________________________ > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > Archives: http://www.swynk.com/sitesearch/search.asp > To unsubscribe: mailto:[EMAIL PROTECTED] > Exchange List admin: [EMAIL PROTECTED] > _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED]
