You can run GPOTOOL and GPRESULT straight away.. they're non-destructive :)
-----Original Message-----
From: Elmer St�wer [mailto:[EMAIL PROTECTED]]
Sent: 06 June 2002 17:03
To: Exchange Discussions
Subject: RE: slightly OT: ExchangeServer stops every 10 minutes (Active Directory issue?)

All right... "Good luck" sounds like weekend fun. I will do all this on Saturday after running the weekend backup on our servers. I will probably run GPResult and GPOTool again tomorrow on _all_ DCs.

Thank you very much so far...

All the best

Elmer

> -----Original Message-----
> From: Myles, Damian [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 06, 2002 4:52 PM
> To: Exchange Discussions
> Subject: RE: slightly OT: ExchangeServer stops every 10 minutes (Active Directory issue?)
>
> OK... seeing as it's seeming to hang during application of group policy, try the following:
>
> 1. Run GPRESULT on each domain controller and compare the output
> 2. Run GPOTOOL on the errant domain controller and check for errors
>
> If there are no errors, you could do a number of additional things, although there is some risk involved ... I trust you have backups... check out Point 3 first before doing any of the others ... maybe I should have made that point one :)
>
> 1. Move the Exchange Server out of the built-in Domain Controllers OU into a fresh OU. Don't link the Default Domain Controllers Policy to the GPO yet... wait for the next SceCli cycle and see if you still get the hanging problem.
>
> 2. If you're not getting any replication errors on the two DC's and there are NO dns errors, consider running DCPROMO on the Exchange server and removing it as a domain controller.. this is risky if you do have any outstanding replication issues, so I'd do this as a last resort...!
>
> 3. Try this one first... POLICYTEST is saying that the Exchange Enterprise Servers group does not have the SeSecurity Privilege ..
> there is a caveat in the POLICYTEST help that says you shouldn't apply any policy changes on your DC's until this change has been replicated, so I suspect this is creating problems for you. Run SETUP /DOMAINPREP again .. it's not unheard of for SP2 to trash domainprep permissions (seem to recall a previous post here to that effect)...
>
> Good luck.
>
> -----Original Message-----
> From: Elmer St�wer [mailto:[EMAIL PROTECTED]]
> Sent: 06 June 2002 16:25
> To: Exchange Discussions
> Subject: RE: slightly OT: ExchangeServer stops every 10 minutes (Active Directory issue?)
>
> Exchange is running for about 6 months now on the new server and I can hardly find log-files. We had a 5.5 Server which had some problems. I upgraded the old NT PDC to W2K and set up a new 2K Server for E2K. Then I used the Ed Crowley method to move the content from the 5.5 Server to E2K. I encountered a _lot_ of problems during that 'upgrade'.
>
> But after that Exchange 'worked fine' for some months. Later I found SceCli and UserEnv Errors every 5 minutes in the event log. I tried to fix that following the according ms docs. I think since then we have the Exchange Problems.
>
> Btw. I also installed a new dat streamer about the time we ran into the Exchange problems, but I never considered this as the cause.
>
> So far, thank you very much for your help. I was able to fix some issues and learned a lot.
>
> regards
>
> Elmer
>
> > -----Original Message-----
> > From: Myles, Damian [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, June 06, 2002 3:44 PM
> > To: Exchange Discussions
> > Subject: RE: slightly OT: ExchangeServer stops every 10 minutes (Active Directory issue?)
> >
> > Did you encounter any errors when you did your initial Exchange server install ? Check back through the logs.. if you're getting POLICYTEST errors then it looks like DOMAINPREP didn't run right... you did run the SP2 version of policytest btw?
> >
> > -----Original Message-----
> > From: Elmer St�wer [mailto:[EMAIL PROTECTED]]
> > Sent: 06 June 2002 12:48
> > To: Exchange Discussions
> > Subject: RE: slightly OT: ExchangeServer stops every 10 minutes (Active Directory issue?)
> >
> > Running POLICYTEST says !!! right NOT found !!! for all DCs.
> >
> > regards
> >
> > Elmer
> >
> > > -----Original Message-----
> > > From: Myles, Damian [mailto:[EMAIL PROTECTED]]
> > > Sent: Thursday, June 06, 2002 10:22 AM
> > > To: Exchange Discussions
> > > Subject: RE: slightly OT: ExchangeServer stops every 10 minutes (Active Directory issue?)
> > >
> > > I believe it's a special built-in group like Authenticated Users. It may well not be present in a single domain... I'll see if I can find out more about that one.
> > >
> > > To check your DOMAINPREP ran ok... run POLICYTEST on the domain controller from the \Support\Utils\Platform folder on the Exchange 2000 Ent. Edition CD-ROM to make sure all domain controllers have the Manage Auditing and Security logs privilege. You'll need to be a domain admin to run this.... all domain controllers will report their settings. You'll also find this tool under the \SUPPORT folder in SP2, so preferably run this version. What does it say ?
> > >
> > > -----Original Message-----
> > > From: Elmer St�wer [mailto:[EMAIL PROTECTED]]
> > > Sent: 05 June 2002 19:47
> > > To: Exchange Discussions
> > > Subject: RE: slightly OT: ExchangeServer stops every 10 minutes (Active Directory issue?)
> > >
> > > > Enterprise Domain Controllers (built-in group) should have
> > >
> > > Is this something I should worry about? The group does not exist in our domain. We do have the domain controller group, but not Enterprise Domain Controller...
> > >
> > > regards
> > >
> > > Elmer
> > >
> > > > -----Original Message-----
> > > > From: Myles, Damian [mailto:[EMAIL PROTECTED]]
> > > > Sent: Wednesday, June 05, 2002 11:29 AM
> > > > To: Exchange Discussions
> > > > Subject: RE: slightly OT: ExchangeServer stops every 10 minutes (Active Directory issue?)
> > > >
> > > > Ouch.. what a mess..
> > > >
> > > > Check through your event logs... the symptoms you are describing suggest an underlying problem, e.g. DNS... the enviable situation you're in, I suspect, is a byproduct of that (machine account/kerberos/security problems etc), together with some new ones you may have introduced trying to fix the problem.
> > > >
> > > > This little chestnut was interesting......
> > > >
> > > > Error NT-AUTORITÄT\DOMÄNENCONTROLLER DER ORGANISATION doesn't have
> > > >    Replicating Directory Changes
> > > >    Replication Syncronization
> > > >    Manage Replication Topology
> > > >
> > > > Have you changed any AD/OU security or turned off AD inheritance within your domain tree ???? Click on Advanced in ADUC, go to the root of your domain and click on the Security tab.. what do you see ?
> > > >
> > > > Enterprise Domain Controllers (built-in group) should have Manage Replication Topology, Replicating directory changes and Replication Synchronization Allow permissions. Exchange Enterprise Servers (built-in) should have Manage Replication Topology.
> > > >
> > > > How are you applying group policy within your organisation ? If you're using some of the Microsoft GPO Templates (e.g. SECUREDC.INF) and applying those on your Exchange Server, you may experience *ahem* some loss of functionality, killing Exchange in the process.
> > > >
> > > > For problems with machine accounts, have a look at Technet Q260575..
> > > > this deals with machine account 'Access Denied' errors. Also, if you've moved the machine accounts for your DC's out of the built-in domain controllers OU and not re-linked in the default domain controllers group policy back to the new OU, you'll get lots of SceCli messages in the event log (although your event id does not suggest this).
> > > >
> > > > Leave SYSVOL alone... the SYSVOL\SYSVOL path/junction is normal... don't touch! Use GPOTOOL on the Reskit and NTFRSUTL to troubleshoot general GPO/SYSVOL/FRS issues.
> > > >
> > > > In short, don't go making big changes to things which are unlikely to be the cause of the problem. Make sure DNS is working.. and check out that security problem mentioned earlier.
> > > >
> > > > Seeing as it's rather hard to see what chain of events have occurred to get you into this situation, if you're still in the mire, get out your wallet and give Microsoft PSS a call.
> > > >
> > > > Regards
> > > > Mylo
> > > >
> > > > -----Original Message-----
> > > > From: Elmer St�wer [mailto:[EMAIL PROTECTED]]
> > > > Sent: 04 June 2002 20:14
> > > > To: Exchange Discussions
> > > > Subject: RE: slightly OT: ExchangeServer stops every 10 minutes (Active Directory issue?)
> > > >
> > > > Single local domain, single site two servers (einstein DC fileserver, platon DC exchangeserver).
> > > >
> > > > no event log failures, but the seems to stand for almost a minute at the same time as SceCli applies security policy on the exchange server (event 1704).
> > > >
> > > > netdiag is not very helpful.
> > > > DCdiag was a good hint.
> > > > I put the output of both servers here, cause I don't know what to do anymore (maybe 12h work is too much for one day)
> > > >
> > > > output of DCdiag on einstein:
> > > > ------------------------------
> > > > Doing primary tests
> > > >
> > > >    Testing server: Alt-Moabit\EINSTEIN
> > > >       Starting test: Replications
> > > >          [Replications Check,EINSTEIN] A recent replication attempt failed:
> > > >             From PLATON to EINSTEIN
> > > >             Naming Context: DC=cyberconsult,DC=lan
> > > >             The replication generated an error (8453):
> > > >             Der Replikationszugriff wurde verweigert.
> > > >             The failure occurred at 2002-06-04 19:48.21.
> > > >             The last success occurred at 2002-05-23 17:02.11.
> > > >             3115 failures have occurred since the last success.
> > > >             The machine account for the destination EINSTEIN.
> > > >             is not configured properly.
> > > >             Check the userAccountControl field.
> > > >             Kerberos Error.
> > > >             The machine account is not present, or does not match on the.
> > > >             destination, source or KDC servers.
> > > >             Verify domain partition of KDC is in sync with rest of enterprise.
> > > >             The tool repadmin/syncall can be used for this purpose.
> > > >          ......................... EINSTEIN passed test Replications
> > > >       Starting test: NCSecDesc
> > > > ---------------------
> > > >
> > > > output of DCdiag on platon:
> > > > Doing primary tests
> > > >
> > > >    Testing server: Alt-Moabit\PLATON
> > > >       Starting test: Replications
> > > >          ......................... PLATON passed test Replications
> > > >       Starting test: NCSecDesc
> > > >          Error NT-AUTORITÄT\DOMÄNENCONTROLLER DER ORGANISATION doesn't have
> > > >             Replicating Directory Changes
> > > >             Replication Syncronization
> > > >             Manage Replication Topology
> > > >          access rights for the naming context:
> > > >          DC=cyberconsult,DC=lan
> > > >          ......................... PLATON failed test NCSecDesc
> > > > ---------------------
> > > >
> > > > Using replmon.exe to determine the status of replication I get the following:
> > > > ---------------------
> > > > Directory Partition: DC=cyberconsult,DC=lan
> > > >
> > > >    Partner Name: Alt-Moabit\PLATON
> > > >    Partner GUID: FFF5003A-7832-48CD-A5E0-9D8227C95EC0
> > > >    Last Attempted Replication: 6/4/2002 4:31:46 PM (local)
> > > >    Last Successful Replication: 5/23/2002 5:02:11 PM (local)
> > > >    Number of Failures: 3077
> > > >    Failure Reason Error Code: 8453
> > > >    Failure Description: Der Replikationszugriff wurde verweigert.
> > > >    Synchronization Flags: DRS_WRIT_REP,DRS_INIT_SYNC,DRS_PER_SYNC
> > > >    USN of Last Property Updated: 337656
> > > >    USN of Last Object Updated: 337656
> > > >    Transport: Intra-Site RPC
> > > >
> > > > Change Notifications for this Directory Partition
> > > > -------------------------------------------------
> > > >    Server Name: Alt-Moabit\PLATON
> > > >    Object GUID: DBE24D70-EE08-479C-9129-D048C1A6CD91
> > > >    Time Added: 12.02.2002 15:20:29
> > > >    Flags: DRS_WRIT_REP
> > > >    Transport: RPC
> > > > ---------------------
> > > >
> > > > "Der Replikationszugriff wurde verweigert" means "replication access was denied". There are no errors for other partitions or into the other direction.
> > > >
> > > > What is also strange to me:
> > > > under .\sysvol I have the shared directory .\sysvol\sysvol including the .\sysvol\sysvol\'domain_name' directory in it (last change 5/23/2002). But I also have an .\sysvol\domain directory with the same content as .\sysvol\sysvol\'domain_name'. I found a registry key from frs which is pointing there.
> > > >
> > > > So if someone has the hint to fix that replication issue it would be just great...
> > > > I know that I can not expect people from a mailing list to go through a lot of text and log-files. But maybe one is interested in that issue...
> > > >
> > > > regards
> > > >
> > > > elmer
> > > >
> > > > > -----Original Message-----
> > > > > From: Kevin Miller [mailto:[EMAIL PROTECTED]]
> > > > > Sent: Tuesday, June 04, 2002 6:51 PM
> > > > > To: Exchange Discussions
> > > > > Subject: RE: slightly OT: ExchangeServer stops every 10 minutes (Active Directory issue?)
> > > > >
> > > > > Event log entries.. DCdiag report, Netdiag report. Get some information before you do something.
> > > > >
> > > > > --Kevinm KMAP-SR, M, WLKMMAS, UCC+WCA, And Beyond
> > > > > http://www.daughtry.ca/ For Graphics and WebDesign, GO here!
> > > > >
> > > > > -----Original Message-----
> > > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Elmer St�wer
> > > > > Sent: Tuesday, June 04, 2002 9:41 AM
> > > > > To: Exchange Discussions
> > > > > Subject: RE: slightly OT: ExchangeServer stops every 10 minutes (Active Directory issue?)
> > > > >
> > > > > Exchange hangs every ten minutes because the AD replication doesn't work (single domain, two DCs with exchange on one of them).
> > > > >
> > > > > Now I wonder if it is a very bad Idea to use dcpromo to change the server from DC to a member server.
> > > > >
> > > > > regards
> > > > >
> > > > > Elmer
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Elmer St�wer
> > > > > > Sent: Wednesday, May 29, 2002 3:22 PM
> > > > > > To: Exchange Discussions
> > > > > > Subject: slightly OT: ExchangeServer stops every 10 minutes (Active Directory issue?)
> > > > > >
> > > > > > I already posted this one to W2K discussion group. Nobody replied.
> > > > > > I think it is an AD issue but it affects mainly our E2K-Server. So maybe someone here has an idea. This really drives me crazy...
> > > > > >
> > > > > > Situation:
> > > > > > ----------
> > > > > > Two 2K-AD-Servers (one of them Exchange and global catalogue server). Both upgraded from NT half a year ago,
> > > > > > One Site, one Domain.
> > > > > > 15 W2K and one XP clients.
> > > > > >
> > > > > > Problem:
> > > > > > --------
> > > > > > The Exchange/global catalogue server stands about every 10 minutes for about 45 seconds. No response on any click, nor is it possible to work with outlook 'on' that server for the 45 seconds.
> > > > > >
> > > > > > According to the event log I had a couple of issues with user rights in local security (power user etc.) (SceCli every 8 minutes). I followed the Microsoft guides and removed the group entries from local security policy.
> > > > > >
> > > > > > Now I don't have any event log entries anymore, but the problem persists.
> > > > > >
> > > > > > speculation of Cause/Solution?
> > > > > > ------------------------------
> > > > > > I guess that there is still a problem with AD. On the second server I can see issues in the AD replication monitor for the first server. Objects could not be replicated due to access failure.
> > > > > >
> > > > > > On the Exchange/global catalogue server in the registry in HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NtFrs\Parameters\Replica Sets\d5c32359-0ee1-42a9-8bac72a28682a096 I found a wrong path for ...\sysvol\domain. It points to a non-existing directory. So it seems that active directory is not able to find active directory.
> > > > > >
> > > > > > I did not want to correct it via the registry. There must be a better way to correct wrong path settings for the active directory container.
> > > > > >
> > > > > > Here is the main question
> > > > > > -------------------------
> > > > > > I appreciate any hint how to fix the ntfrs/AD settings on that machine. Where are path settings stored? Is it necessary to use DC promo to remove and add the server from/to the domain or is there an easier way to fix it?
> > > > > >
> > > > > > Best Regards
> > > > > >
> > > > > > Elmer [glad that the machines are still running under these circumstances]
> > > > > > --
> > > > > > Elmer St�wer
> > > > > > System and Network Administration
> > > > > > CyberConsult GmbH
> > > > > > mailto:[EMAIL PROTECTED]
> > > > > > www.cyberconsult.de
> > > >
> > > > _________________________________________________________________
> > > > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> > > > Archives: http://www.swynk.com/sitesearch/search.asp
> > > > To unsubscribe: mailto:[EMAIL PROTECTED]
> > > > Exchange List admin: [EMAIL PROTECTED]
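
An added example, not part of the original thread: a small Python parser for dcdiag text output like the excerpts quoted above. It pairs error 8453 replication failures with NCSecDesc access-right gaps on the same naming context and flags failures logged under a test whose summary line still says "passed". The function names and the trimmed sample are constructed for illustration.

```python
import re

# Constructed sample: the two dcdiag excerpts quoted in the thread, trimmed.
SAMPLE = r"""
Testing server: Alt-Moabit\EINSTEIN
   Starting test: Replications
      [Replications Check,EINSTEIN] A recent replication attempt failed:
         From PLATON to EINSTEIN
         Naming Context: DC=cyberconsult,DC=lan
         The replication generated an error (8453):
   ......................... EINSTEIN passed test Replications
Testing server: Alt-Moabit\PLATON
   Starting test: NCSecDesc
      Error NT-AUTORITÄT\DOMÄNENCONTROLLER DER ORGANISATION doesn't have
         Replicating Directory Changes
         Replication Syncronization
         Manage Replication Topology
      access rights for the naming context:
      DC=cyberconsult,DC=lan
   ......................... PLATON failed test NCSecDesc
"""

RE_SERVER = re.compile(r"Testing server: (?:.*\\)?(\S+)")
RE_TEST = re.compile(r"Starting test: (\S+)")
RE_VERDICT = re.compile(r"\.{5,} (\S+) (passed|failed) test (\S+)")
RE_ACL = re.compile(r"Error (.+) doesn't have$")
RE_REPL = {"source": re.compile(r"From (\S+) to"),
           "nc": re.compile(r"Naming Context: (\S+)"),
           "error": re.compile(r"generated an error \((\d+)\)")}

def parse_dcdiag(text):
    """Return (verdicts, findings) parsed from dcdiag text output."""
    verdicts, findings = {}, []
    server = test = cur = None
    for line in map(str.strip, text.splitlines()):
        if m := RE_SERVER.match(line):
            server, cur = m[1], None
        elif m := RE_TEST.match(line):
            test, cur = m[1], None
        elif m := RE_VERDICT.match(line):
            verdicts[(m[1], m[3])], cur = m[2], None
        elif "replication attempt failed" in line:
            findings.append(cur := {"type": "replication", "server": server, "test": test})
        elif m := RE_ACL.match(line):
            findings.append(cur := {"type": "acl", "server": server, "test": test,
                                    "principal": m[1], "missing": [], "nc": None})
        elif cur and cur["type"] == "replication":
            cur.update({k: m[1] for k, rx in RE_REPL.items() if (m := rx.search(line))})
        elif cur and cur["type"] == "acl" and line:
            if cur["nc"] is None and not line.startswith("access rights"):
                cur["missing"].append(line)     # still inside the list of rights
            else:                               # marker line, then the NC itself
                cur["nc"] = "" if cur["nc"] is None else cur["nc"] or line
    return verdicts, findings

def masked(verdicts, findings):
    # Findings logged under a test whose summary line nevertheless says "passed".
    return [f for f in findings if verdicts.get((f["server"], f["test"])) == "passed"]

def access_denied_with_acl_gap(findings):
    # Pair each 8453 (replication access denied) failure with ACL gaps on the same NC.
    return [(r, a) for r in findings if r.get("error") == "8453"
            for a in findings if a["type"] == "acl" and a["nc"] == r.get("nc")]
```

On the sample, `masked()` returns the EINSTEIN replication failure, which is why grepping dcdiag output for "failed test" alone would have missed it.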

