RE: [ActiveDir] moving domain admins
Title: RE: [ActiveDir] moving domain admins You can see that they have full Exchange Admin Rights on their AG and when you log in as one of them (is this correct? I've been going back over the thread and it's not clear if you have the problem from your domain or when logged in as an admin in their domain locally or what?) you can't see the details of the server? I think that's what you're saying. Try this: Create a new user in that child domain and delegate full exchange permissions to it. Don't make it a domain admin. Let replication occur and then log in locally to that domain as that new user. What were the results? I'm wondering if there isn't some other restriction going on for the domain admins group (by default, domain admins will be restricted in some ways to prevent them from overrunning the Exchange org, but Maybe something could have happened?) Also, have you seen this kb? http://support.microsoft.com/default.aspx?scid=kb;en-us;823018 It describes what permissions are granted for each of the Exchange levels. -ajm From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 7:28 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] moving domain admins no. they cannot see any AG or the ORG in exchangeMan. In asdiedit, they can only see the org. what i'm saying is, if from my domain i can see they have full exchange admin rights on their AG, why can't they see it? where should i look? what are they missing and most importantly, why would it change sudddenly? -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Thu 4/15/2004 5:24 PM To: [EMAIL PROTECTED] Cc: Subject: RE: [ActiveDir] moving domain admins Would you expect them to see the details without rights at the Exchangelevel? I wouldn't. I'd expect that they can see that there is another AG,but not have rights to do anything with it by default. Domain admins hasnothing to do with Exchange rights per se.Even in the config container, they shouldn't have too many rights unlessyou've granted them.-Original Message-From: Kern, Tom [mailto:[EMAIL PROTECTED]]Sent: Thursday, April 15, 2004 4:53 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] moving domain adminsCorrect.Why is it when in look into the AG from exchangeMan in my domain, I see thattheir domainAdmins have full exchange rights?Yet, they can't see any AG or even the Org in exchangeMan? And in adsiedit,they can only see the ORG in the config container.Seems very strange. Someone had to have done something and it would have tobe someone with enterpriseAdmin rights which no one has in that domain.Are you sure a misconfigured exchange 2003 server could not do this?What could?thanks-Original Message-From: Mulnick, Al [mailto:[EMAIL PROTECTED]]Sent: Thursday, April 15, 2004 4:36 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] moving domain adminsSo to summarize, you can't see details in their AG and they can't seedetails in your AG? That about right?Sounds like you need to redelegate the permissions to the AG, but I'mguessing. It's tough to get a read on the situation over time :)Seems odd though.-Original Message-From: Kern, Tom [mailto:[EMAIL PROTECTED]]Sent: Thursday, April 15, 2004 11:39 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] moving domain adminsyes they are mixed with the latest hotfixes.they have all rights on their AG except send as and recieve as.on the org, they are not listed, except of course their exchange domainservers group. same as us, and we see everything.further info- the root domain in the forest is in win2k native mode.theyare running one exchange2003 server on a win2k box.thanks-Original Message-From: Mulnick, Al [mailto:[EMAIL PROTECTED]]Sent: Thursday, April 15, 2004 11:28 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] moving domain adminsAre both child domains at SP34 mixed? Any hotfixes?I do know that e2k3 does work with permissions on the first install.But ifyou have perms in the one child domain and not the other, that doesn't soundlike the issue directly. Sounds more like an Active Directory issue or somechange that was made that nobody told you about/realized was made.Can you double check the permissions on the ORG and AG's?-Original Message-From: Kern, Tom [mailto:[EMAIL PROTECTED]]Sent: Thursday, April 15, 2004 10:42 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] moving domain adminschild domains are at sp3 and sp4.exchange2k sp3child domains were not prepped-Original Message-From: Mulnick, Al [mailto:[EMAIL PROTECTED]]Sent: Thursday, April 15, 2004 9:55 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] moving domain adminsWhat version is the child domain at (sp level of Windows DC?) and were thechild domains domain prepp'd?Were both child domains treated the same?-Original
RE: [ActiveDir] moving domain admins
Title: RE: [ActiveDir] moving domain admins When i log in as their admin of their domain, i see nothing. when i log in as an admin into my domain, i see everything. in my domain, the admin account has full exchange rights. the same for their domain. yet, they see nothing, not even the org. i think the restriction for domain admins in exchange is "send as" "recieve as", and "full mail box rights" are explcitly or implicitly(depending on the location in the tree)denied so domain admins can't open up and read everyones mail in the org or ag. thanks -Original Message-From: Mulnick, Al [mailto:[EMAIL PROTECTED]Sent: Friday, April 16, 2004 9:09 AMTo: '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] moving domain admins You can see that they have full Exchange Admin Rights on their AG and when you log in as one of them (is this correct? I've been going back over the thread and it's not clear if you have the problem from your domain or when logged in as an admin in their domain locally or what?) you can't see the details of the server? I think that's what you're saying. Try this: Create a new user in that child domain and delegate full exchange permissions to it. Don't make it a domain admin. Let replication occur and then log in locally to that domain as that new user. What were the results? I'm wondering if there isn't some other restriction going on for the domain admins group (by default, domain admins will be restricted in some ways to prevent them from overrunning the Exchange org, but Maybe something could have happened?) Also, have you seen this kb? http://support.microsoft.com/default.aspx?scid=kb;en-us;823018 It describes what permissions are granted for each of the Exchange levels. -ajm From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 7:28 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] moving domain admins no. they cannot see any AG or the ORG in exchangeMan. In asdiedit, they can only see the org. what i'm saying is, if from my domain i can see they have full exchange admin rights on their AG, why can't they see it? where should i look? what are they missing and most importantly, why would it change sudddenly? -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Thu 4/15/2004 5:24 PM To: [EMAIL PROTECTED] Cc: Subject: RE: [ActiveDir] moving domain admins Would you expect them to see the details without rights at the Exchangelevel? I wouldn't. I'd expect that they can see that there is another AG,but not have rights to do anything with it by default. Domain admins hasnothing to do with Exchange rights per se.Even in the config container, they shouldn't have too many rights unlessyou've granted them.-Original Message-From: Kern, Tom [mailto:[EMAIL PROTECTED]]Sent: Thursday, April 15, 2004 4:53 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] moving domain adminsCorrect.Why is it when in look into the AG from exchangeMan in my domain, I see thattheir domainAdmins have full exchange rights?Yet, they can't see any AG or even the Org in exchangeMan? And in adsiedit,they can only see the ORG in the config container.Seems very strange. Someone had to have done something and it would have tobe someone with enterpriseAdmin rights which no one has in that domain.Are you sure a misconfigured exchange 2003 server could not do this?What could?thanks-Original Message-From: Mulnick, Al [mailto:[EMAIL PROTECTED]]Sent: Thursday, April 15, 2004 4:36 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] moving domain adminsSo to summarize, you can't see details in their AG and they can't seedetails in your AG? That about right?Sounds like you need to redelegate the permissions to the AG, but I'mguessing. It's tough to get a read on the situation over time :)Seems odd though.-Original Message-From: Kern, Tom [mailto:[EMAIL PROTECTED]]Sent: Thursday, April 15, 2004 11:39 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] moving domain adminsyes they are mixed with the latest hotfixes.they have all rights on their AG except send as and recieve as.on the org, they are not listed, except of course their exchange domainservers group. same as us, and we see everything.further info- the root domain in the forest is in win2k native mode.theyare running one exchange2003 server on a win2k box.thanks-Original Message-From: Mulnick, Al [mailto:[EMAIL PROTECTED]]Sent: Thursday, April 15, 2004 11:28 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] moving domain adminsAre both child domains at SP34 mixed? Any hotfixes?I do know that e2k3 does work with permissions on the first install.But ify
RE: [ActiveDir] moving domain admins
Title: RE: [ActiveDir] moving domain admins That's correct. Domain admins are denied those. What happened if you created a new account? From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Friday, April 16, 2004 9:49 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] moving domain admins When i log in as their admin of their domain, i see nothing. when i log in as an admin into my domain, i see everything. in my domain, the admin account has full exchange rights. the same for their domain. yet, they see nothing, not even the org. i think the restriction for domain admins in exchange is "send as" "recieve as", and "full mail box rights" are explcitly or implicitly(depending on the location in the tree)denied so domain admins can't open up and read everyones mail in the org or ag. thanks -Original Message-From: Mulnick, Al [mailto:[EMAIL PROTECTED]Sent: Friday, April 16, 2004 9:09 AMTo: '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] moving domain admins You can see that they have full Exchange Admin Rights on their AG and when you log in as one of them (is this correct? I've been going back over the thread and it's not clear if you have the problem from your domain or when logged in as an admin in their domain locally or what?) you can't see the details of the server? I think that's what you're saying. Try this: Create a new user in that child domain and delegate full exchange permissions to it. Don't make it a domain admin. Let replication occur and then log in locally to that domain as that new user. What were the results? I'm wondering if there isn't some other restriction going on for the domain admins group (by default, domain admins will be restricted in some ways to prevent them from overrunning the Exchange org, but Maybe something could have happened?) Also, have you seen this kb? http://support.microsoft.com/default.aspx?scid=kb;en-us;823018 It describes what permissions are granted for each of the Exchange levels. -ajm From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 7:28 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] moving domain admins no. they cannot see any AG or the ORG in exchangeMan. In asdiedit, they can only see the org. what i'm saying is, if from my domain i can see they have full exchange admin rights on their AG, why can't they see it? where should i look? what are they missing and most importantly, why would it change sudddenly? -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Thu 4/15/2004 5:24 PM To: [EMAIL PROTECTED] Cc: Subject: RE: [ActiveDir] moving domain admins Would you expect them to see the details without rights at the Exchangelevel? I wouldn't. I'd expect that they can see that there is another AG,but not have rights to do anything with it by default. Domain admins hasnothing to do with Exchange rights per se.Even in the config container, they shouldn't have too many rights unlessyou've granted them.-Original Message-From: Kern, Tom [mailto:[EMAIL PROTECTED]]Sent: Thursday, April 15, 2004 4:53 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] moving domain adminsCorrect.Why is it when in look into the AG from exchangeMan in my domain, I see thattheir domainAdmins have full exchange rights?Yet, they can't see any AG or even the Org in exchangeMan? And in adsiedit,they can only see the ORG in the config container.Seems very strange. Someone had to have done something and it would have tobe someone with enterpriseAdmin rights which no one has in that domain.Are you sure a misconfigured exchange 2003 server could not do this?What could?thanks-Original Message-From: Mulnick, Al [mailto:[EMAIL PROTECTED]]Sent: Thursday, April 15, 2004 4:36 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] moving domain adminsSo to summarize, you can't see details in their AG and they can't seedetails in your AG? That about right?Sounds like you need to redelegate the permissions to the AG, but I'mguessing. It's tough to get a read on the situation over time :)Seems odd though.-Original Message-From: Kern, Tom [mailto:[EMAIL PROTECTED]]Sent: Thursday, April 15, 2004 11:39 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] moving domain adminsyes they are mixed with the latest hotfixes.they have all rights on their AG except send as and recieve as.on the org, they are not listed, except of course their exchange domainservers group. same as us, and we see everything.further info- the root domain in the forest is in win2k native mode.theyare running one exchange2003 server on a win2k box.thanks-Original Message-From: Mulnick, Al [mailto:[EMAIL PROTECTED]]Sent: Thurs
RE: [ActiveDir] moving domain admins
Well, let's backup. Where and why did they move the domain admins group? Can you move it back and see if your issue gets resolved? -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 4:25 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins I see nothing strange in ldp and no replication errors in event log or rep monitor. I think its a permissions issue but i have nowhere to begin looking and as far as i know nothing has been changed. They don't really have an IT dept(we admin them) so no one would even know how to change something anyway. I can see the server and admin group using enterprise manager from my domain just not theirs(where the server is located). However when i try to access the directory tab of the server, i get information about directory services could not be entirely obtained. make sure exchange management service is running. exchange management service IS running. very strange indeed. any other thoughts, tips? thanks -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 3:38 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] moving domain admins If you open it up in LDP, what do you see (authenticated of course)? Is it possible that there's a replication issue? Have you checked the logs of the domains to see what's logged when you attempt to connect? Just where did they move the domain administrators from/to? Just from cn=users to something else? Al -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 2:01 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins another labyrinthine cross post(sorry)- Also, i fire up adsi edit from their domain and i can only get to the organization in the config partition. when on go to the security tab, there are no entries. how can they just lose permissions to certain parts of the config paritition? the only change made was the root domain of the forest installed exchange 2003, but i doubt that had anything to do with. i'm very puzzled. -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 1:16 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] moving domain admins Heck of a cross post, isn't it? Moving the domain administrators group is not something that should cause this type of issue. What else was done during those changes? -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 12:45 PM To: Admin Issues (E-mail) Cc: ActiveDir (E-mail) Subject: [ActiveDir] moving domain admins I know moving the default exchange groups out of the users folder can screw things up as exchange expects to find them there, but will moving the domain admins from the users folder into another ou(no gpo applied) screw things up with exchange or any other services in ad? I only ask because some admin in another domain moved this group and now when i open exchange manager in their domain, i can't see the servers or any admin groups. i'm running exchange manager as their administrator account and thier domain admins have full exchange rights on their admin group. other than that exchange is functioning normally. thanks List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] moving domain admins
they moved it to another ou that has no group policy applied to it. i moved it back, still the same. i don't think it has anything to do with moving the group anymore. we are a multi domain win2k forest. the root domain is in win2k native mode, every other domain is mixed. we are in exchange2k native mode, though i think ther is a exchange2003 server in the root domain now. thats all that has been changed this specfic domain is the only one with an issue. hope that helps a little -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 9:03 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins Well, let's backup. Where and why did they move the domain admins group? Can you move it back and see if your issue gets resolved? -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 4:25 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins I see nothing strange in ldp and no replication errors in event log or rep monitor. I think its a permissions issue but i have nowhere to begin looking and as far as i know nothing has been changed. They don't really have an IT dept(we admin them) so no one would even know how to change something anyway. I can see the server and admin group using enterprise manager from my domain just not theirs(where the server is located). However when i try to access the directory tab of the server, i get information about directory services could not be entirely obtained. make sure exchange management service is running. exchange management service IS running. very strange indeed. any other thoughts, tips? thanks -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 3:38 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] moving domain admins If you open it up in LDP, what do you see (authenticated of course)? Is it possible that there's a replication issue? Have you checked the logs of the domains to see what's logged when you attempt to connect? Just where did they move the domain administrators from/to? Just from cn=users to something else? Al -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 2:01 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins another labyrinthine cross post(sorry)- Also, i fire up adsi edit from their domain and i can only get to the organization in the config partition. when on go to the security tab, there are no entries. how can they just lose permissions to certain parts of the config paritition? the only change made was the root domain of the forest installed exchange 2003, but i doubt that had anything to do with. i'm very puzzled. -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 1:16 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] moving domain admins Heck of a cross post, isn't it? Moving the domain administrators group is not something that should cause this type of issue. What else was done during those changes? -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 12:45 PM To: Admin Issues (E-mail) Cc: ActiveDir (E-mail) Subject: [ActiveDir] moving domain admins I know moving the default exchange groups out of the users folder can screw things up as exchange expects to find them there, but will moving the domain admins from the users folder into another ou(no gpo applied) screw things up with exchange or any other services in ad? I only ask because some admin in another domain moved this group and now when i open exchange manager in their domain, i can't see the servers or any admin groups. i'm running exchange manager as their administrator account and thier domain admins have full exchange rights on their admin group. other than that exchange is functioning normally. thanks List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive
RE: [ActiveDir] moving domain admins
What version is the child domain at (sp level of Windows DC?) and were the child domains domain prepp'd? Were both child domains treated the same? -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 9:13 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins they moved it to another ou that has no group policy applied to it. i moved it back, still the same. i don't think it has anything to do with moving the group anymore. we are a multi domain win2k forest. the root domain is in win2k native mode, every other domain is mixed. we are in exchange2k native mode, though i think ther is a exchange2003 server in the root domain now. thats all that has been changed this specfic domain is the only one with an issue. hope that helps a little -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 9:03 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins Well, let's backup. Where and why did they move the domain admins group? Can you move it back and see if your issue gets resolved? -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 4:25 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins I see nothing strange in ldp and no replication errors in event log or rep monitor. I think its a permissions issue but i have nowhere to begin looking and as far as i know nothing has been changed. They don't really have an IT dept(we admin them) so no one would even know how to change something anyway. I can see the server and admin group using enterprise manager from my domain just not theirs(where the server is located). However when i try to access the directory tab of the server, i get information about directory services could not be entirely obtained. make sure exchange management service is running. exchange management service IS running. very strange indeed. any other thoughts, tips? thanks -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 3:38 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] moving domain admins If you open it up in LDP, what do you see (authenticated of course)? Is it possible that there's a replication issue? Have you checked the logs of the domains to see what's logged when you attempt to connect? Just where did they move the domain administrators from/to? Just from cn=users to something else? Al -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 2:01 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins another labyrinthine cross post(sorry)- Also, i fire up adsi edit from their domain and i can only get to the organization in the config partition. when on go to the security tab, there are no entries. how can they just lose permissions to certain parts of the config paritition? the only change made was the root domain of the forest installed exchange 2003, but i doubt that had anything to do with. i'm very puzzled. -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 1:16 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] moving domain admins Heck of a cross post, isn't it? Moving the domain administrators group is not something that should cause this type of issue. What else was done during those changes? -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 12:45 PM To: Admin Issues (E-mail) Cc: ActiveDir (E-mail) Subject: [ActiveDir] moving domain admins I know moving the default exchange groups out of the users folder can screw things up as exchange expects to find them there, but will moving the domain admins from the users folder into another ou(no gpo applied) screw things up with exchange or any other services in ad? I only ask because some admin in another domain moved this group and now when i open exchange manager in their domain, i can't see the servers or any admin groups. i'm running exchange manager as their administrator account and thier domain admins have full exchange rights on their admin group. other than that exchange is functioning normally. thanks List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com
RE: [ActiveDir] moving domain admins
ok, they can't see any objects under the exchange org in the configuration partition. they're are no replication errors. my child domain can see everything fine. we are in mixed mode with sp3 and sp4 dc's and gc's. their domain's config is pretty much the same as ours in terms of mixed mode and sp3/4 dc/gc's. any thoughts? thanks -Original Message- From: Kern, Tom Sent: Thursday, April 15, 2004 10:42 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins child domains are at sp3 and sp4. exchange2k sp3 child domains were not prepped -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 9:55 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins What version is the child domain at (sp level of Windows DC?) and were the child domains domain prepp'd? Were both child domains treated the same? -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 9:13 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins they moved it to another ou that has no group policy applied to it. i moved it back, still the same. i don't think it has anything to do with moving the group anymore. we are a multi domain win2k forest. the root domain is in win2k native mode, every other domain is mixed. we are in exchange2k native mode, though i think ther is a exchange2003 server in the root domain now. thats all that has been changed this specfic domain is the only one with an issue. hope that helps a little -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 9:03 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins Well, let's backup. Where and why did they move the domain admins group? Can you move it back and see if your issue gets resolved? -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 4:25 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins I see nothing strange in ldp and no replication errors in event log or rep monitor. I think its a permissions issue but i have nowhere to begin looking and as far as i know nothing has been changed. They don't really have an IT dept(we admin them) so no one would even know how to change something anyway. I can see the server and admin group using enterprise manager from my domain just not theirs(where the server is located). However when i try to access the directory tab of the server, i get information about directory services could not be entirely obtained. make sure exchange management service is running. exchange management service IS running. very strange indeed. any other thoughts, tips? thanks -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 3:38 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] moving domain admins If you open it up in LDP, what do you see (authenticated of course)? Is it possible that there's a replication issue? Have you checked the logs of the domains to see what's logged when you attempt to connect? Just where did they move the domain administrators from/to? Just from cn=users to something else? Al -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 2:01 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins another labyrinthine cross post(sorry)- Also, i fire up adsi edit from their domain and i can only get to the organization in the config partition. when on go to the security tab, there are no entries. how can they just lose permissions to certain parts of the config paritition? the only change made was the root domain of the forest installed exchange 2003, but i doubt that had anything to do with. i'm very puzzled. -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 1:16 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] moving domain admins Heck of a cross post, isn't it? Moving the domain administrators group is not something that should cause this type of issue. What else was done during those changes? -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 12:45 PM To: Admin Issues (E-mail) Cc: ActiveDir (E-mail) Subject: [ActiveDir] moving domain admins I know moving the default exchange groups out of the users folder can screw things up as exchange expects to find them there, but will moving the domain admins from the users folder into another ou(no gpo applied) screw things up with exchange or any other services in ad? I only ask because some admin in another domain moved this group and now when i open exchange manager in their domain, i can't see the servers or any admin groups. i'm running exchange manager as their administrator account and thier domain admins have full exchange rights on their admin group
RE: [ActiveDir] moving domain admins
Are both child domains at SP34 mixed? Any hotfixes? I do know that e2k3 does work with permissions on the first install. But if you have perms in the one child domain and not the other, that doesn't sound like the issue directly. Sounds more like an Active Directory issue or some change that was made that nobody told you about/realized was made. Can you double check the permissions on the ORG and AG's? -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 10:42 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins child domains are at sp3 and sp4. exchange2k sp3 child domains were not prepped -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 9:55 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins What version is the child domain at (sp level of Windows DC?) and were the child domains domain prepp'd? Were both child domains treated the same? -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 9:13 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins they moved it to another ou that has no group policy applied to it. i moved it back, still the same. i don't think it has anything to do with moving the group anymore. we are a multi domain win2k forest. the root domain is in win2k native mode, every other domain is mixed. we are in exchange2k native mode, though i think ther is a exchange2003 server in the root domain now. thats all that has been changed this specfic domain is the only one with an issue. hope that helps a little -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 9:03 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins Well, let's backup. Where and why did they move the domain admins group? Can you move it back and see if your issue gets resolved? -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 4:25 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins I see nothing strange in ldp and no replication errors in event log or rep monitor. I think its a permissions issue but i have nowhere to begin looking and as far as i know nothing has been changed. They don't really have an IT dept(we admin them) so no one would even know how to change something anyway. I can see the server and admin group using enterprise manager from my domain just not theirs(where the server is located). However when i try to access the directory tab of the server, i get information about directory services could not be entirely obtained. make sure exchange management service is running. exchange management service IS running. very strange indeed. any other thoughts, tips? thanks -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 3:38 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] moving domain admins If you open it up in LDP, what do you see (authenticated of course)? Is it possible that there's a replication issue? Have you checked the logs of the domains to see what's logged when you attempt to connect? Just where did they move the domain administrators from/to? Just from cn=users to something else? Al -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 2:01 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins another labyrinthine cross post(sorry)- Also, i fire up adsi edit from their domain and i can only get to the organization in the config partition. when on go to the security tab, there are no entries. how can they just lose permissions to certain parts of the config paritition? the only change made was the root domain of the forest installed exchange 2003, but i doubt that had anything to do with. i'm very puzzled. -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 1:16 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] moving domain admins Heck of a cross post, isn't it? Moving the domain administrators group is not something that should cause this type of issue. What else was done during those changes? -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 12:45 PM To: Admin Issues (E-mail) Cc: ActiveDir (E-mail) Subject: [ActiveDir] moving domain admins I know moving the default exchange groups out of the users folder can screw things up as exchange expects to find them there, but will moving the domain admins from the users folder into another ou(no gpo applied) screw things up with exchange or any other services in ad? I only ask because some admin in another domain moved this group and now when i open exchange manager in their domain, i can't see the servers or any admin groups. i'm running exchange manager
RE: [ActiveDir] moving domain admins
yes they are mixed with the latest hotfixes. they have all rights on their AG except send as and recieve as. on the org, they are not listed, except of course their exchange domain servers group. same as us, and we see everything. further info- the root domain in the forest is in win2k native mode. they are running one exchange2003 server on a win2k box. thanks -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 11:28 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins Are both child domains at SP34 mixed? Any hotfixes? I do know that e2k3 does work with permissions on the first install. But if you have perms in the one child domain and not the other, that doesn't sound like the issue directly. Sounds more like an Active Directory issue or some change that was made that nobody told you about/realized was made. Can you double check the permissions on the ORG and AG's? -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 10:42 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins child domains are at sp3 and sp4. exchange2k sp3 child domains were not prepped -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 9:55 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins What version is the child domain at (sp level of Windows DC?) and were the child domains domain prepp'd? Were both child domains treated the same? -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 9:13 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins they moved it to another ou that has no group policy applied to it. i moved it back, still the same. i don't think it has anything to do with moving the group anymore. we are a multi domain win2k forest. the root domain is in win2k native mode, every other domain is mixed. we are in exchange2k native mode, though i think ther is a exchange2003 server in the root domain now. thats all that has been changed this specfic domain is the only one with an issue. hope that helps a little -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 9:03 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins Well, let's backup. Where and why did they move the domain admins group? Can you move it back and see if your issue gets resolved? -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 4:25 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins I see nothing strange in ldp and no replication errors in event log or rep monitor. I think its a permissions issue but i have nowhere to begin looking and as far as i know nothing has been changed. They don't really have an IT dept(we admin them) so no one would even know how to change something anyway. I can see the server and admin group using enterprise manager from my domain just not theirs(where the server is located). However when i try to access the directory tab of the server, i get information about directory services could not be entirely obtained. make sure exchange management service is running. exchange management service IS running. very strange indeed. any other thoughts, tips? thanks -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 3:38 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] moving domain admins If you open it up in LDP, what do you see (authenticated of course)? Is it possible that there's a replication issue? Have you checked the logs of the domains to see what's logged when you attempt to connect? Just where did they move the domain administrators from/to? Just from cn=users to something else? Al -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 2:01 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins another labyrinthine cross post(sorry)- Also, i fire up adsi edit from their domain and i can only get to the organization in the config partition. when on go to the security tab, there are no entries. how can they just lose permissions to certain parts of the config paritition? the only change made was the root domain of the forest installed exchange 2003, but i doubt that had anything to do with. i'm very puzzled. -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 1:16 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] moving domain admins Heck of a cross post, isn't it? Moving the domain administrators group is not something that should cause this type of issue. What else was done during those changes? -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 12:45 PM To: Admin
RE: [ActiveDir] moving domain admins
So to summarize, you can't see details in their AG and they can't see details in your AG? That about right? Sounds like you need to redelegate the permissions to the AG, but I'm guessing. It's tough to get a read on the situation over time :) Seems odd though. -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 11:39 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins yes they are mixed with the latest hotfixes. they have all rights on their AG except send as and recieve as. on the org, they are not listed, except of course their exchange domain servers group. same as us, and we see everything. further info- the root domain in the forest is in win2k native mode. they are running one exchange2003 server on a win2k box. thanks -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 11:28 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins Are both child domains at SP34 mixed? Any hotfixes? I do know that e2k3 does work with permissions on the first install. But if you have perms in the one child domain and not the other, that doesn't sound like the issue directly. Sounds more like an Active Directory issue or some change that was made that nobody told you about/realized was made. Can you double check the permissions on the ORG and AG's? -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 10:42 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins child domains are at sp3 and sp4. exchange2k sp3 child domains were not prepped -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 9:55 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins What version is the child domain at (sp level of Windows DC?) and were the child domains domain prepp'd? Were both child domains treated the same? -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 9:13 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins they moved it to another ou that has no group policy applied to it. i moved it back, still the same. i don't think it has anything to do with moving the group anymore. we are a multi domain win2k forest. the root domain is in win2k native mode, every other domain is mixed. we are in exchange2k native mode, though i think ther is a exchange2003 server in the root domain now. thats all that has been changed this specfic domain is the only one with an issue. hope that helps a little -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 9:03 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins Well, let's backup. Where and why did they move the domain admins group? Can you move it back and see if your issue gets resolved? -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 4:25 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins I see nothing strange in ldp and no replication errors in event log or rep monitor. I think its a permissions issue but i have nowhere to begin looking and as far as i know nothing has been changed. They don't really have an IT dept(we admin them) so no one would even know how to change something anyway. I can see the server and admin group using enterprise manager from my domain just not theirs(where the server is located). However when i try to access the directory tab of the server, i get information about directory services could not be entirely obtained. make sure exchange management service is running. exchange management service IS running. very strange indeed. any other thoughts, tips? thanks -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 3:38 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] moving domain admins If you open it up in LDP, what do you see (authenticated of course)? Is it possible that there's a replication issue? Have you checked the logs of the domains to see what's logged when you attempt to connect? Just where did they move the domain administrators from/to? Just from cn=users to something else? Al -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 2:01 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins another labyrinthine cross post(sorry)- Also, i fire up adsi edit from their domain and i can only get to the organization in the config partition. when on go to the security tab, there are no entries. how can they just lose permissions to certain parts of the config paritition? the only change made was the root domain of the forest installed exchange 2003, but i doubt that had anything to do with. i'm very puzzled. -Original Message- From
RE: [ActiveDir] moving domain admins
Correct. Why is it when in look into the AG from exchangeMan in my domain, I see that their domainAdmins have full exchange rights? Yet, they can't see any AG or even the Org in exchangeMan? And in adsiedit, they can only see the ORG in the config container. Seems very strange. Someone had to have done something and it would have to be someone with enterpriseAdmin rights which no one has in that domain. Are you sure a misconfigured exchange 2003 server could not do this? What could? thanks -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 4:36 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins So to summarize, you can't see details in their AG and they can't see details in your AG? That about right? Sounds like you need to redelegate the permissions to the AG, but I'm guessing. It's tough to get a read on the situation over time :) Seems odd though. -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 11:39 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins yes they are mixed with the latest hotfixes. they have all rights on their AG except send as and recieve as. on the org, they are not listed, except of course their exchange domain servers group. same as us, and we see everything. further info- the root domain in the forest is in win2k native mode. they are running one exchange2003 server on a win2k box. thanks -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 11:28 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins Are both child domains at SP34 mixed? Any hotfixes? I do know that e2k3 does work with permissions on the first install. But if you have perms in the one child domain and not the other, that doesn't sound like the issue directly. Sounds more like an Active Directory issue or some change that was made that nobody told you about/realized was made. Can you double check the permissions on the ORG and AG's? -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 10:42 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins child domains are at sp3 and sp4. exchange2k sp3 child domains were not prepped -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 9:55 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins What version is the child domain at (sp level of Windows DC?) and were the child domains domain prepp'd? Were both child domains treated the same? -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 9:13 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins they moved it to another ou that has no group policy applied to it. i moved it back, still the same. i don't think it has anything to do with moving the group anymore. we are a multi domain win2k forest. the root domain is in win2k native mode, every other domain is mixed. we are in exchange2k native mode, though i think ther is a exchange2003 server in the root domain now. thats all that has been changed this specfic domain is the only one with an issue. hope that helps a little -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 9:03 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins Well, let's backup. Where and why did they move the domain admins group? Can you move it back and see if your issue gets resolved? -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 4:25 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins I see nothing strange in ldp and no replication errors in event log or rep monitor. I think its a permissions issue but i have nowhere to begin looking and as far as i know nothing has been changed. They don't really have an IT dept(we admin them) so no one would even know how to change something anyway. I can see the server and admin group using enterprise manager from my domain just not theirs(where the server is located). However when i try to access the directory tab of the server, i get information about directory services could not be entirely obtained. make sure exchange management service is running. exchange management service IS running. very strange indeed. any other thoughts, tips? thanks -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 3:38 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] moving domain admins If you open it up in LDP, what do you see (authenticated of course)? Is it possible that there's a replication issue? Have you checked the logs of the domains to see what's logged when you attempt to connect? Just where did they move the domain administrators from
RE: [ActiveDir] moving domain admins
Would you expect them to see the details without rights at the Exchange level? I wouldn't. I'd expect that they can see that there is another AG, but not have rights to do anything with it by default. Domain admins has nothing to do with Exchange rights per se. Even in the config container, they shouldn't have too many rights unless you've granted them. -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 4:53 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins Correct. Why is it when in look into the AG from exchangeMan in my domain, I see that their domainAdmins have full exchange rights? Yet, they can't see any AG or even the Org in exchangeMan? And in adsiedit, they can only see the ORG in the config container. Seems very strange. Someone had to have done something and it would have to be someone with enterpriseAdmin rights which no one has in that domain. Are you sure a misconfigured exchange 2003 server could not do this? What could? thanks -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 4:36 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins So to summarize, you can't see details in their AG and they can't see details in your AG? That about right? Sounds like you need to redelegate the permissions to the AG, but I'm guessing. It's tough to get a read on the situation over time :) Seems odd though. -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 11:39 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins yes they are mixed with the latest hotfixes. they have all rights on their AG except send as and recieve as. on the org, they are not listed, except of course their exchange domain servers group. same as us, and we see everything. further info- the root domain in the forest is in win2k native mode. they are running one exchange2003 server on a win2k box. thanks -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 11:28 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins Are both child domains at SP34 mixed? Any hotfixes? I do know that e2k3 does work with permissions on the first install. But if you have perms in the one child domain and not the other, that doesn't sound like the issue directly. Sounds more like an Active Directory issue or some change that was made that nobody told you about/realized was made. Can you double check the permissions on the ORG and AG's? -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 10:42 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins child domains are at sp3 and sp4. exchange2k sp3 child domains were not prepped -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 9:55 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins What version is the child domain at (sp level of Windows DC?) and were the child domains domain prepp'd? Were both child domains treated the same? -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 9:13 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins they moved it to another ou that has no group policy applied to it. i moved it back, still the same. i don't think it has anything to do with moving the group anymore. we are a multi domain win2k forest. the root domain is in win2k native mode, every other domain is mixed. we are in exchange2k native mode, though i think ther is a exchange2003 server in the root domain now. thats all that has been changed this specfic domain is the only one with an issue. hope that helps a little -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 9:03 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins Well, let's backup. Where and why did they move the domain admins group? Can you move it back and see if your issue gets resolved? -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 4:25 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins I see nothing strange in ldp and no replication errors in event log or rep monitor. I think its a permissions issue but i have nowhere to begin looking and as far as i know nothing has been changed. They don't really have an IT dept(we admin them) so no one would even know how to change something anyway. I can see the server and admin group using enterprise manager from my domain just not theirs(where the server is located). However when i try to access the directory tab of the server, i get information about directory services could not be entirely obtained. make sure exchange management service is running
RE: [ActiveDir] moving domain admins
no. they cannot see any AG or the ORG in exchangeMan. In asdiedit, they can only see the org. what i'm saying is, if from my domain i can see they have full exchange admin rights on their AG, why can't they see it? where should i look? what are they missing and most importantly, why would it change sudddenly? -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Thu 4/15/2004 5:24 PM To: [EMAIL PROTECTED] Cc: Subject: RE: [ActiveDir] moving domain admins Would you expect them to see the details without rights at the Exchange level? I wouldn't. I'd expect that they can see that there is another AG, but not have rights to do anything with it by default. Domain admins has nothing to do with Exchange rights per se. Even in the config container, they shouldn't have too many rights unless you've granted them. -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 4:53 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins Correct. Why is it when in look into the AG from exchangeMan in my domain, I see that their domainAdmins have full exchange rights? Yet, they can't see any AG or even the Org in exchangeMan? And in adsiedit, they can only see the ORG in the config container. Seems very strange. Someone had to have done something and it would have to be someone with enterpriseAdmin rights which no one has in that domain. Are you sure a misconfigured exchange 2003 server could not do this? What could? thanks -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 4:36 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins So to summarize, you can't see details in their AG and they can't see details in your AG? That about right? Sounds like you need to redelegate the permissions to the AG, but I'm guessing. It's tough to get a read on the situation over time :) Seems odd though. -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 11:39 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins yes they are mixed with the latest hotfixes. they have all rights on their AG except send as and recieve as. on the org, they are not listed, except of course their exchange domain servers group. same as us, and we see everything. further info- the root domain in the forest is in win2k native mode. they are running one exchange2003 server on a win2k box. thanks -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 11:28 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins Are both child domains at SP34 mixed? Any hotfixes? I do know that e2k3 does work with permissions on the first install. But if you have perms in the one child domain and not the other, that doesn't sound like the issue directly. Sounds more like an Active Directory issue or some change that was made that nobody told you about/realized was made. Can you double check the permissions on the ORG and AG's? -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 10:42 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins child domains are at sp3 and sp4. exchange2k sp3 child domains were not prepped -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 9:55 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins What version is the child domain at (sp level of Windows DC?) and were the child domains domain prepp'd? Were both child domains treated the same? -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Thursday, April 15, 2004 9:13 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins they moved it to another ou that has no group policy applied to it. i moved it back, still the same. i don't think it has anything to do with moving the group anymore
RE: [ActiveDir] moving domain admins
Heck of a cross post, isn't it? Moving the domain administrators group is not something that should cause this type of issue. What else was done during those changes? -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 12:45 PM To: Admin Issues (E-mail) Cc: ActiveDir (E-mail) Subject: [ActiveDir] moving domain admins I know moving the default exchange groups out of the users folder can screw things up as exchange expects to find them there, but will moving the domain admins from the users folder into another ou(no gpo applied) screw things up with exchange or any other services in ad? I only ask because some admin in another domain moved this group and now when i open exchange manager in their domain, i can't see the servers or any admin groups. i'm running exchange manager as their administrator account and thier domain admins have full exchange rights on their admin group. other than that exchange is functioning normally. thanks List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] moving domain admins
another labyrinthine cross post(sorry)- Also, i fire up adsi edit from their domain and i can only get to the organization in the config partition. when on go to the security tab, there are no entries. how can they just lose permissions to certain parts of the config paritition? the only change made was the root domain of the forest installed exchange 2003, but i doubt that had anything to do with. i'm very puzzled. -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 1:16 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] moving domain admins Heck of a cross post, isn't it? Moving the domain administrators group is not something that should cause this type of issue. What else was done during those changes? -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 12:45 PM To: Admin Issues (E-mail) Cc: ActiveDir (E-mail) Subject: [ActiveDir] moving domain admins I know moving the default exchange groups out of the users folder can screw things up as exchange expects to find them there, but will moving the domain admins from the users folder into another ou(no gpo applied) screw things up with exchange or any other services in ad? I only ask because some admin in another domain moved this group and now when i open exchange manager in their domain, i can't see the servers or any admin groups. i'm running exchange manager as their administrator account and thier domain admins have full exchange rights on their admin group. other than that exchange is functioning normally. thanks List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] moving domain admins
If you open it up in LDP, what do you see (authenticated of course)? Is it possible that there's a replication issue? Have you checked the logs of the domains to see what's logged when you attempt to connect? Just where did they move the domain administrators from/to? Just from cn=users to something else? Al -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 2:01 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins another labyrinthine cross post(sorry)- Also, i fire up adsi edit from their domain and i can only get to the organization in the config partition. when on go to the security tab, there are no entries. how can they just lose permissions to certain parts of the config paritition? the only change made was the root domain of the forest installed exchange 2003, but i doubt that had anything to do with. i'm very puzzled. -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 1:16 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] moving domain admins Heck of a cross post, isn't it? Moving the domain administrators group is not something that should cause this type of issue. What else was done during those changes? -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 12:45 PM To: Admin Issues (E-mail) Cc: ActiveDir (E-mail) Subject: [ActiveDir] moving domain admins I know moving the default exchange groups out of the users folder can screw things up as exchange expects to find them there, but will moving the domain admins from the users folder into another ou(no gpo applied) screw things up with exchange or any other services in ad? I only ask because some admin in another domain moved this group and now when i open exchange manager in their domain, i can't see the servers or any admin groups. i'm running exchange manager as their administrator account and thier domain admins have full exchange rights on their admin group. other than that exchange is functioning normally. thanks List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] moving domain admins
I see nothing strange in ldp and no replication errors in event log or rep monitor. I think its a permissions issue but i have nowhere to begin looking and as far as i know nothing has been changed. They don't really have an IT dept(we admin them) so no one would even know how to change something anyway. I can see the server and admin group using enterprise manager from my domain just not theirs(where the server is located). However when i try to access the directory tab of the server, i get information about directory services could not be entirely obtained. make sure exchange management service is running. exchange management service IS running. very strange indeed. any other thoughts, tips? thanks -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 3:38 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] moving domain admins If you open it up in LDP, what do you see (authenticated of course)? Is it possible that there's a replication issue? Have you checked the logs of the domains to see what's logged when you attempt to connect? Just where did they move the domain administrators from/to? Just from cn=users to something else? Al -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 2:01 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] moving domain admins another labyrinthine cross post(sorry)- Also, i fire up adsi edit from their domain and i can only get to the organization in the config partition. when on go to the security tab, there are no entries. how can they just lose permissions to certain parts of the config paritition? the only change made was the root domain of the forest installed exchange 2003, but i doubt that had anything to do with. i'm very puzzled. -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 1:16 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] moving domain admins Heck of a cross post, isn't it? Moving the domain administrators group is not something that should cause this type of issue. What else was done during those changes? -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 14, 2004 12:45 PM To: Admin Issues (E-mail) Cc: ActiveDir (E-mail) Subject: [ActiveDir] moving domain admins I know moving the default exchange groups out of the users folder can screw things up as exchange expects to find them there, but will moving the domain admins from the users folder into another ou(no gpo applied) screw things up with exchange or any other services in ad? I only ask because some admin in another domain moved this group and now when i open exchange manager in their domain, i can't see the servers or any admin groups. i'm running exchange manager as their administrator account and thier domain admins have full exchange rights on their admin group. other than that exchange is functioning normally. thanks List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] moving domain admins
I know moving the default exchange groups out of the users folder can screw things up as exchange expects to find them there, but will moving the domain admins from the users folder into another ou(no gpo applied) screw things up with exchange or any other services in ad? I only ask because some admin in another domain moved this group and now when i open exchange manager in their domain, i can't see the servers or any admin groups. i'm running exchange manager as their administrator account and thier domain admins have full exchange rights on their admin group. other than that exchange is functioning normally. thanks List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/