> Enterprise Domain Controllers (built-in group) should have

Is this something I should worry about? The group does not exist in our domain. We do have the domain controller group, but not Enterprise Domain Controller...
regards

Elmer

> -----Original Message-----
> From: Myles, Damian [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 05, 2002 11:29 AM
> To: Exchange Discussions
> Subject: RE: slightly OT: ExchangeServer stops every 10 minutes (Active Directory issue?)
>
>
> Ouch.. what a mess..
>
> Check through your event logs... the symptoms you are describing suggest an underlying problem, e.g. DNS... the enviable situation you're in, I suspect, is a byproduct of that (machine account/kerberos/security problems etc), together with some new ones you may have introduced trying to fix the problem.
>
> This little chestnut was interesting......
>
> Error NT-AUTORITÄT\DOMÄNENCONTROLLER DER ORGANISATION doesn't have
>    Replicating Directory Changes
>    Replication Syncronization
>    Manage Replication Topology
>
> Have you changed any AD/OU security or turned off AD inheritance within your domain tree ???? Click on Advanced in ADUC, go to the root of your domain and click on the Security tab.. what do you see ?
>
> Enterprise Domain Controllers (built-in group) should have Manage Replication Topology, Replicating directory changes and Replication Synchronization Allow permissions. Exchange Enterprise Servers (built-in) should have Manage Replication Topology.
>
> How are you applying group policy within your organisation ? If you're using some of the Microsoft GPO Templates (e.g. SECUREDC.INF) and applying those on your Exchange Server, you may experience *ahem* some loss of functionality, killing Exchange in the process.
>
> For problems with machine accounts, have a look at Technet Q260575.. this deals with machine account 'Access Denied' errors. Also, if you've moved the machine accounts for your DC's out of the built-in domain controllers OU and not re-linked in the default domain controllers group policy back to the new OU, you'll get lots of SceCli messages in the event log (although your event ID does not suggest this).
>
> Leave SYSVOL alone... the SYSVOL\SYSVOL path/junction is normal... don't touch! Use GPOTOOL on the Reskit and NTFRSUTL to troubleshoot general GPO/SYSVOL/FRS issues.
>
> In short, don't go making big changes to things which are unlikely to be the cause of the problem. Make sure DNS is working.. and check out that security problem mentioned earlier.
>
> Seeing as it's rather hard to see what chain of events have occurred to get you into this situation, if you're still in the mire, get out your wallet and give Microsoft PSS a call.
>
> Regards
> Mylo
>
> -----Original Message-----
> From: Elmer Stöwer [mailto:[EMAIL PROTECTED]]
> Sent: 04 June 2002 20:14
> To: Exchange Discussions
> Subject: RE: slightly OT: ExchangeServer stops every 10 minutes (Active Directory issue?)
>
>
> Single local domain, single site two servers (einstein DC fileserver, platon DC exchangeserver).
>
> no event log failures, but the seems to stand for almost a minute at the same time as SceCli applies security policy on the exchange server (event 1704).
>
> netdiag is not very helpful.
> DCdiag was a good hint. I put the output of both servers here, cause I don't know what to do anymore (maybe 12h work is too much for one day)
>
> output of DCdiag on einstein:
> ------------------------------
> Doing primary tests
>
>    Testing server: Alt-Moabit\EINSTEIN
>       Starting test: Replications
>          [Replications Check,EINSTEIN] A recent replication attempt failed:
>             From PLATON to EINSTEIN
>             Naming Context: DC=cyberconsult,DC=lan
>             The replication generated an error (8453):
>             Der Replikationszugriff wurde verweigert.
>             The failure occurred at 2002-06-04 19:48.21.
>             The last success occurred at 2002-05-23 17:02.11.
>             3115 failures have occurred since the last success.
>             The machine account for the destination EINSTEIN.
>             is not configured properly.
>             Check the userAccountControl field.
>             Kerberos Error.
>             The machine account is not present, or does not match on the.
>             destination, source or KDC servers.
>             Verify domain partition of KDC is in sync with rest of enterprise.
>             The tool repadmin/syncall can be used for this purpose.
>          ......................... EINSTEIN passed test Replications
>       Starting test: NCSecDesc
> ---------------------
>
> output of DCdiag on platon:
> Doing primary tests
>
>    Testing server: Alt-Moabit\PLATON
>       Starting test: Replications
>          ......................... PLATON passed test Replications
>       Starting test: NCSecDesc
>          Error NT-AUTORITÄT\DOMÄNENCONTROLLER DER ORGANISATION doesn't have
>             Replicating Directory Changes
>             Replication Syncronization
>             Manage Replication Topology
>          access rights for the naming context:
>          DC=cyberconsult,DC=lan
>          ......................... PLATON failed test NCSecDesc
> ---------------------
>
>
> Using replmon.exe to determine the status of replication I get the following:
> ---------------------
> Directory Partition: DC=cyberconsult,DC=lan
>
> Partner Name: Alt-Moabit\PLATON
> Partner GUID: FFF5003A-7832-48CD-A5E0-9D8227C95EC0
> Last Attempted Replication: 6/4/2002 4:31:46 PM (local)
> Last Successful Replication: 5/23/2002 5:02:11 PM (local)
> Number of Failures: 3077
> Failure Reason Error Code: 8453
> Failure Description: Der Replikationszugriff wurde verweigert.
> Synchronization Flags: DRS_WRIT_REP,DRS_INIT_SYNC,DRS_PER_SYNC
> USN of Last Property Updated: 337656
> USN of Last Object Updated: 337656
> Transport: Intra-Site RPC
>
> Change Notifications for this Directory Partition
> -------------------------------------------------
> Server Name: Alt-Moabit\PLATON
> Object GUID: DBE24D70-EE08-479C-9129-D048C1A6CD91
> Time Added: 12.02.2002 15:20:29
> Flags: DRS_WRIT_REP
> Transport: RPC
> ---------------------
>
> "Der Replikationszugriff wurde verweigert" means "replication access was denied". There are no errors for other partitions or into the other direction.
>
> What is also strange to me:
> under .\sysvol I have the shared directory .\sysvol\sysvol including the .\sysvol\sysvol\'domain_name' directory in it (last change 5/23/2002). But I also have an .\sysvol\domain directory with the same content as .\sysvol\sysvol\'domain_name'. I found a registry key from frs which is pointing there.
>
> So if someone has the hint to fix that replication issue it would be just great... I know that I can not expect people from a mailing list to go through a lot of text and log-files. But maybe one is interested in that issue...
>
> regards
>
> elmer
>
> > -----Original Message-----
> > From: Kevin Miller [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, June 04, 2002 6:51 PM
> > To: Exchange Discussions
> > Subject: RE: slightly OT: ExchangeServer stops every 10 minutes (Active Directory issue?)
> >
> >
> > Event log entries.. DCdiag report, Netdiag report. Get some information before you do something.
> >
> > --Kevinm KMAP-SR, M, WLKMMAS, UCC+WCA, And Beyond
> > http://www.daughtry.ca/ For Graphics and WebDesign, GO here!
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Elmer Stöwer
> > Sent: Tuesday, June 04, 2002 9:41 AM
> > To: Exchange Discussions
> > Subject: RE: slightly OT: ExchangeServer stops every 10 minutes (Active Directory issue?)
> >
> >
> > Exchange hangs every ten minutes because the AD replication doesn't work (single domain, two DCs with exchange on one of them).
> >
> > Now I wonder if it is a very bad idea to use dcpromo to change the server from DC to a member server.
> >
> > regards
> >
> > Elmer
> >
> > > -----Original Message-----
> > > From: Elmer Stöwer
> > > Sent: Wednesday, May 29, 2002 3:22 PM
> > > To: Exchange Discussions
> > > Subject: slightly OT: ExchangeServer stops every 10 minutes (Active Directory issue?)
> > >
> > >
> > > I already posted this one to W2K discussion group.
> > > Nobody replied. I think it is an AD issue but it affects mainly our E2K-Server. So maybe someone here has an idea. This really drives me crazy...
> > >
> > > Situation:
> > > ----------
> > > Two 2K-AD-Servers (one of them Exchange and global catalogue server). Both upgraded from NT half a year ago,
> > > One Site, one Domain.
> > > 15 W2K and one XP clients.
> > >
> > > Problem:
> > > --------
> > > The Exchange/global catalogue server stands about every 10 minutes for about 45 seconds. No response on any click, nor it is possible to work with outlook 'on' that server for the 45 seconds.
> > >
> > > According to the event log I had a couple of issues with user rights in local security (power user etc.) (SceCli every 8 minutes). I followed the Microsoft guides and removed the group entries from local security policy.
> > >
> > > Now I don't have any event log entries anymore, but the problem persists.
> > >
> > > speculation of Cause/Solution?
> > > ------------------------------
> > > I guess that there is still a problem with AD. On the second server I can see issues in the AD replication monitor for the first server. Objects could not be replicated due to access failure.
> > >
> > > On the Exchange/global catalogue server in the registry in HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NtFrs\Parameters\Replica Sets\d5c32359-0ee1-42a9-8bac72a28682a096 I found a wrong path for ...\sysvol\domain. It points to a non-existing directory. So it seems that active directory is not able to find active directory.
> > >
> > > I did not want to correct it via the registry. There must be a better way to correct wrong path settings for the active directory container.
> > >
> > > Here is the main question
> > > -------------------------
> > > I appreciate any hint how to fix the ntfrs/AD settings on that machine. Where are path settings stored? Is it necessary to use DC promo to remove and add the server from/to the domain or is there an easier way to fix it?
> > >
> > > Best Regards
> > >
> > > Elmer [glad that the machines are still running under these circumstances]
> > > --
> > > Elmer Stöwer
> > > System- und Netzwerkadministration
> > > CyberConsult GmbH
> > > mailto:[EMAIL PROTECTED]
> > > www.cyberconsult.de
> > >
> >
> _________________________________________________________________
> List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> Archives: http://www.swynk.com/sitesearch/search.asp
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin: [EMAIL PROTECTED]
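
The permission check discussed in this thread, as an added example that is not part of the original messages: the PowerShell below reads a security descriptor and reports whether Enterprise Domain Controllers (the well-known SID S-1-5-9, which the German-language DCDIAG output above prints as NT-AUTORITÄT\DOMÄNENCONTROLLER DER ORGANISATION) holds the three replication extended rights. The function name and the sample SDDL string are constructed for illustration; the GUIDs are the standard rightsGuid values of those rights in the AD schema.

```powershell
# Added example (not from the thread). Reports whether a security descriptor
# grants Enterprise Domain Controllers (well-known SID S-1-5-9) the three
# replication rights that dcdiag's NCSecDesc test checks on a naming context.
Add-Type -AssemblyName System.DirectoryServices

# rightsGuid values of the controlAccessRight objects in the AD schema
$ReplicationRights = [ordered]@{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ab-9c07-11d1-f79f-00c04fc2dcd2' = 'Replication Synchronization'
    '1131f6ac-9c07-11d1-f79f-00c04fc2dcd2' = 'Manage Replication Topology'
}

function Test-ReplicationRights {   # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [System.DirectoryServices.ActiveDirectorySecurity] $Security,
        [string] $Sid = 'S-1-5-9'
    )
    $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    # Allow ACEs for the SID that carry the control-access (extended right) bit
    $granted = @($Security.GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.IdentityReference.Value -eq $Sid -and
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights.HasFlag($extended)
        } | ForEach-Object { $_.ObjectType.ToString() })
    $all = [guid]::Empty.ToString()   # ACE without object GUID = all extended rights
    foreach ($guid in $ReplicationRights.Keys) {
        [pscustomobject]@{
            Right   = $ReplicationRights[$guid]
            Granted = ($granted -contains $guid) -or ($granted -contains $all)
        }
    }
}

# Constructed sample DACL: "ED" is the SDDL alias for Enterprise Domain
# Controllers; the Manage Replication Topology ACE is deliberately missing.
$sddl = 'D:(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)' +
        '(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(A;;GA;;;SY)'
$sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
$sd.SetSecurityDescriptorSddlForm($sddl)
Test-ReplicationRights -Security $sd | Format-Table -AutoSize

# On a domain controller, test the live naming context from the thread instead:
# $sd = ([ADSI]'LDAP://DC=cyberconsult,DC=lan').psbase.ObjectSecurity
```

The check only looks at Allow entries; an explicit Deny entry for the same right on the naming context would still block replication and has to be reviewed separately.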