Running POLICYTEST says !!! right NOT found !!! for all DCs. regards
Elmer > -----Original Message----- > From: Myles, Damian [mailto:[EMAIL PROTECTED]] > Sent: Thursday, June 06, 2002 10:22 AM > To: Exchange Discussions > Subject: RE: slightly OT: ExchangeServer stops every 10 > minutes (Active > Direct ory issue?) > > > I believe it's a special built-in group like Authenticated > Users. It may well not be present in a single domain... I'll > see if I can find out more about that one. > > To check your DOMAINPREP ran ok... run POLICYTEST on the > domain controller from the \Support\Utils\Platform folder on > the Exchange 2000 Ent. Edition CD-ROM to make sure all domain > controllers have the Manage Auditing and Security logs > privilege. You'll need to be a domain admin to run this.... > all domain controllers will report their settings. You'll > also find this tool under the \SUPPORT folder in SP2, so > preferably run this version. What does it say ? > > -----Original Message----- > From: Elmer Stöwer [mailto:[EMAIL PROTECTED]] > Sent: 05 June 2002 19:47 > To: Exchange Discussions > Subject: RE: slightly OT: ExchangeServer stops every 10 > minutes (Active > Direct ory issue?) > > > > Enterprise Domain Controllers (built-in group) should have > Is this something I schould worry about? The group does not > exist in our domain. We do have the domain controller group, > but not Enterprise Domain Controller... > > regards > > Elmer > > > > -----Original Message----- > > From: Myles, Damian [mailto:[EMAIL PROTECTED]] > > Sent: Wednesday, June 05, 2002 11:29 AM > > To: Exchange Discussions > > Subject: RE: slightly OT: ExchangeServer stops every 10 > > minutes (Active > > Direct ory issue?) > > > > > > Ouch.. what a mess.. > > > > Check through your event logs... the symptoms you are > > describing suggest an underlying problem, e.g. DNS... the > > enviable situation you're in, I suspect, is a byproduct of > > that (machine account/kerberos/security problems etc), > > together with some new ones you may have introduced trying to > > fix the problem. > > > > This little chestnut was interesting...... > > > > Error NT-AUTORITÄT\DOMÄNENCONTROLLER DER ORGANISATION > doesn't have > > Replicating Directory Changes > > Replication Syncronization > > Manage Replication Topology > > > > Have you been changed any AD/OU security or turned off AD > > inheritance within your domain tree ???? Click on Advanced in > > ADUC, go to the root of your domain and click on the Security > > tab.. what do you see ? > > > > Enterprise Domain Controllers (built-in group) should have > > Manage Replication Topology, Replicating directory changes > > and Replication Synchronization Allow permissions. Exchange > > Enterprise Servers (built-in) should have Manage Replication > > Topology. > > > > How are you applying group policy within your organisation ? > > If you're using some of the Microsoft GPO Templates (e.g. > > SECUREDC.INF)and applying those on your Exchange Server, you > > may experience *ahem* some loss of functionality, killing > > Exchange in the process. > > > > For problems with machine accounts, have a look at Technet > > Q260575.. this deals with machine account 'Access Denied' > > errors. Also, if you've moved the machine accounts for your > > DC's out of the built-in domain controllers OU and not > > re-linked in the default domain controllers group policy back > > to the new OU, you'll get lots of SceCli messages in the > > event log (although you're event id does not suggest this). > > > > Leave SYSVOL alone... the SYSVOL\SYSVOL path/junction is > > normal... don't touch! Use GPOTOOL on the Reskit and NTFRSUTL > > to troubleshoot general GPO/SYSVOL/FRS issues. > > > > In short, don't go making big changes to things which are > > unlikely to be the cause of the problem. Make sure DNS is > > working.. and check out that security problem mentioned earlier. > > > > Seeing as it's rather hard to see what chain of events have > > occurred to get you into this situation, if you're still in > > the mire, get out your wallet and give Micrsoft PSS a call. > > > > Regards > > Mylo > > > > -----Original Message----- > > From: Elmer Stöwer [mailto:[EMAIL PROTECTED]] > > Sent: 04 June 2002 20:14 > > To: Exchange Discussions > > Subject: RE: slightly OT: ExchangeServer stops every 10 > > minutes (Active > > Direct ory issue?) > > > > > > Single local domain, single site two servers (einstein DC > > fileserver, platon DC exchangeserver). > > > > no event log failures, but the seems to stand for almost a > > minute at the same time as SceCli applies security policy on > > the exchange server (event 1704). > > > > netdiag is not very helpful. > > DCdiag was a good hint. I put the output of both servers > > here, cause I don't know what to do anymore (maybe 12h work > > is to much for one day) > > > > output of DCdiag on einstein: > > ------------------------------ > > Doing primary tests > > > > Testing server: Alt-Moabit\EINSTEIN > > Starting test: Replications > > [Replications Check,EINSTEIN] A recent replication > > attempt failed: > > From PLATON to EINSTEIN > > Naming Context: DC=cyberconsult,DC=lan > > The replication generated an error (8453): > > Der Replikationszugriff wurde verweigert. > > The failure occurred at 2002-06-04 19:48.21. > > The last success occurred at 2002-05-23 17:02.11. > > 3115 failures have occurred since the last success. > > The machine account for the destination EINSTEIN. > > is not configured properly. > > Check the userAccountControl field. > > Kerberos Error. > > The machine account is not present, or does not > > match on the. > > destination, source or KDC servers. > > Verify domain partition of KDC is in sync with > > rest of enterprise. > > The tool repadmin/syncall can be used for this purpose. > > ......................... EINSTEIN passed test Replications > > Starting test: NCSecDesc > > --------------------- > > > > output of DCdiag on platon: > > Doing primary tests > > > > Testing server: Alt-Moabit\PLATON > > Starting test: Replications > > ......................... PLATON passed test Replications > > Starting test: NCSecDesc > > Error NT-AUTORITÄT\DOMÄNENCONTROLLER DER > > ORGANISATION doesn't have > > Replicating Directory Changes > > Replication Syncronization > > Manage Replication Topology > > access rights for the naming context: > > DC=cyberconsult,DC=lan > > ......................... PLATON failed test NCSecDesc > > --------------------- > > > > > > Using replmon.exe to determine the status of replication > > I get the following: > > --------------------- > > Directory Partition: DC=cyberconsult,DC=lan > > > > Partner Name: Alt-Moabit\PLATON > > Partner GUID: FFF5003A-7832-48CD-A5E0-9D8227C95EC0 > > Last Attempted Replication: 6/4/2002 4:31:46 > PM (local) > > Last Successful Replication: 5/23/2002 5:02:11 > > PM (local) > > Number of Failures: 3077 > > Failure Reason Error Code: 8453 > > Failure Description: Der Replikationszugriff wurde > > verweigert. > > Synchronization Flags: > > DRS_WRIT_REP,DRS_INIT_SYNC,DRS_PER_SYNC > > USN of Last Property Updated: 337656 > > USN of Last Object Updated: 337656 > > Transport: Intra-Site RPC > > > > Change Notifications for this Directory Partition > > ------------------------------------------------- > > Server Name: Alt-Moabit\PLATON > > Object GUID: > DBE24D70-EE08-479C-9129-D048C1A6CD91 > > Time Added: 12.02.2002 15:20:29 > > Flags: DRS_WRIT_REP > > Transport: RPC > > --------------------- > > > > "Der Replikationszugriff wurde verweigert" means "replication > > access was denied". There are no errors for other partitions > > or into the other direction. > > > > What is also strange to me: > > under .\sysvol I have the shared directory .\sysvol\sysvol > > including the .\sysvol\sysvol\'domain_name' directory in it > > (last change 5/23/2002). But I also have an .\sysvol\domain > > directory with the same content as > > .\sysvol\sysvol\'domain_name'. I found a registry key from > > frs which is pointing there. > > > > So if someone has the hint to fix that replication issue it > > would be just great... I know that I can not expect people > > from a mailing list to go through a lot of text and > > log-files. But maybe one is interested in that issue... > > > > regards > > > > elmer > > > > > -----Original Message----- > > > From: Kevin Miller [mailto:[EMAIL PROTECTED]] > > > Sent: Tuesday, June 04, 2002 6:51 PM > > > To: Exchange Discussions > > > Subject: RE: slightly OT: ExchangeServer stops every 10 > > > minutes (Active > > > Direct ory issue?) > > > > > > > > > Event log entries.. DCdiag report, Netdiag report. Get some > > > information > > > before you do something. > > > > > > --Kevinm KMAP-SR, M, WLKMMAS, UCC+WCA, And Beyond > > > http://www.daughtry.ca/ For Graphics and WebDesign, GO here! > > > > > > > > > -----Original Message----- > > > From: [EMAIL PROTECTED] > > > [mailto:[EMAIL PROTECTED]] On Behalf Of > > Elmer Stöwer > > > Sent: Tuesday, June 04, 2002 9:41 AM > > > To: Exchange Discussions > > > Subject: RE: slightly OT: ExchangeServer stops every 10 > > > minutes (Active > > > Direct ory issue?) > > > > > > > > > Exchange hangs every ten minutes because the AD replication > > > doesn't work > > > (single domain, two DCs with exchange on one of them). > > > > > > Now I wonder if it is a very bad Idea to use dcpromo to change the > > > server from DC to a member server. > > > > > > regards > > > > > > Elmer > > > > > > > -----Original Message----- > > > > From: Elmer Stöwer > > > > Sent: Wednesday, May 29, 2002 3:22 PM > > > > To: Exchange Discussions > > > > Subject: slightly OT: ExchangeServer stops every 10 > > minutes (Active > > > > Direct ory issue?) > > > > > > > > > > > > I already posted this one to W2K diskussion group. Nobody > > > > replied. I think > > > > it is an AD issue but it affects mainly our E2K-Server. So > > > > maybe someone > > > > here has an idea. This really drives me crazy... > > > > > > > > Situation: > > > > ---------- > > > > Two 2K-AD-Servers (one of them Exchange and global catalogue > > > > server). Both > > > > upgraded from NT half a year ago, > > > > One Site, one Domain. > > > > 15 W2K and one XP clients. > > > > > > > > Problem: > > > > -------- > > > > The Exchange/global catalogue server stands about every 10 > > > > minutes for about > > > > 45 seconds. No response on any click, nor it is possible to > > > work with > > > > outlook 'on' that server for the 45 seconds. > > > > > > > > According to the event log I had a couple of issues with user > > > > rights in > > > > local security (power user etc.) (SceCli every 8 minutes). I > > > > followed the > > > > Microsoft guides and removed the group entries from local > > > > security policy. > > > > > > > > No I don't have any event log entries anymore, but the > > > > problem persists. > > > > > > > > speculation of Cause/Solution? > > > > ------------------------------ > > > > I guess that there is still a problem with AD. On the second > > > > server I can > > > > see issues in the AD replication monitor for the first > > > > server. Objects could > > > > not be replicated due to access failure. > > > > > > > > On the Exchange/global catalogue server in the registry in > > > > HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NtFrs\Paramet > > > > ers\Replica > > > > Sets\d5c32359-0ee1-42a9-8bac72a28682a096 I found a > wrong path for > > > > ...\sysvol\domain. It points to an non existing directory. > > > > So it seems that active directory is not able to find active > > > > directory. > > > > > > > > I did not want to correct it via the registry. There must be > > > > a better way to > > > > correct wrong path settings for the active directory container. > > > > > > > > Here is the main question > > > > ------------------------- > > > > I appreciate any hint how to fix the ntfrs/AD settings on > > > > that machine. > > > > Where are path settings stored? Is it necessary to use DC > > > > promo to remove > > > > and add the server from/to the domain or is there an easier > > > > way to fix it? > > > > > > > > Best Regards > > > > > > > > Elmer [glad that the machines are still running under these > > > > circumstances] > > > > -- > > > > Elmer Stöwer > > > > System- und Netzwerkadministration > > > > CyberConsult GmbH > > > > mailto:[EMAIL PROTECTED] > > > > www.cyberconsult.de > > > > > > > > > _________________________________________________________________ > > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > > Archives: http://www.swynk.com/sitesearch/search.asp > > To unsubscribe: mailto:[EMAIL PROTECTED] > > Exchange List admin: [EMAIL PROTECTED] > > > > _________________________________________________________________ > > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > > Archives: http://www.swynk.com/sitesearch/search.asp > > To unsubscribe: mailto:[EMAIL PROTECTED] > > Exchange List admin: [EMAIL PROTECTED] > > > > _________________________________________________________________ > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > Archives: http://www.swynk.com/sitesearch/search.asp > To unsubscribe: mailto:[EMAIL PROTECTED] > Exchange List admin: [EMAIL PROTECTED] > > _________________________________________________________________ > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > Archives: http://www.swynk.com/sitesearch/search.asp > To unsubscribe: mailto:[EMAIL PROTECTED] > Exchange List admin: [EMAIL PROTECTED] > _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED]
