Stalled Exchange 2000 Setup
Migration to Exchange 2000 seems to go fine, but setup comes to a screeching halt for this admin.
- By Bill Boswell
- July 27, 2004
Question: I have a problem related to a migration of Exchange
5.5 to Exchange 2000. I have upgraded my PDC from Windows NT 4.0 to Windows
2000 and now I'm in Mixed mode. I have two other NT BDCs and three Win2K
DCs and three Exchange 5.5 servers. I installed the ADC on the server
that will become my principal Exchange server. That went fine. I have
Connection Agreements between E5.5 and AD. I ran Exchange setup with Forestprep,
then Domainprep and that went fine.
When I ran Exchange setup to upgrade the E5.5 server, I got an error
message that I don't have enough permissions at the Site, Org, and Configuration
level. Yet, I'm logged on using the account that I've always used to manage
Exchange. This account has domain admin rights in the domain, as well.
I tried a few things and now when I run setup, I'm getting an error that
says, "There is no such object on the server."
Can you help?
—John
Answer: Since receiving this e-mail from John, we have
been working together to try to isolate the problem.
The "no such object" error may indicate that the Organization
object or one of its constituents has not been created in the Active Directory
forest during Forestprep. However, Forestprep will give a fatal error
if it cannot create all the required objects in Active Directory. John
sent me the Exchange Setup logs and I found this error:
[17:42:37] Entering ScGetExchangeServerGroups
[17:42:37] Getting DOB for group 0
[17:42:37] ScGetExchangeServerGroups (K:\admin\src\libs\exsetup\dsmisc.cxx:301)
           Error code 0X80072030 (8240): There is no such object on the server.
[17:42:37] Leaving ScGetExchangeServerGroups
[17:42:37] ScPRQ_LogonMustHaveFullControlOverExchangeDomainServersGroup (K:\admin\src\udog\excommon\prereq.cxx:4468)
This indicates that Setup can't find either the Exchange Domain Servers
group or the Exchange Enterprise Servers group. Both of these groups are
created by Domainprep and both must be in the Users container. Failing
to locate the group will cause a permission error.
It turned out that John had moved the groups to another OU to keep the
Users container tidy. Many administrators do this and get similar problems
during or after Exchange setup.
But the fun wasn't over. John continued to get Setup errors indicating
that the account he was using to run Setup still had permission problems.
Here's the Setup log entry:
[10:40:37] Prerequisites for Microsoft Exchange Information Store Service failed: The component "Microsoft Exchange Messaging and Collaboration Services" cannot be assigned the action "Upgrade" because:
- To upgrade your Microsoft Exchange 5.5 server or to add a new server to an existing Microsoft Exchange site, the account you are logged on as must have Admin permissions on the Site and Configuration objects.
For troubleshooting, I asked John to create a new account and give it
Domain Admin membership in the domain as well as Service Admin permissions
on the Org, Site, and Configuration containers in every site in Exchange.
This did not resolve the problem, but it did produce an additional error
in the Exchange Setup log:
[15:23:04] Prerequisites for Microsoft Exchange Information Store Service failed: The component "Microsoft Exchange Messaging and Collaboration Services" cannot be assigned the action "Upgrade" because:
- To upgrade your Microsoft Exchange 5.5 server or to add a new server to an existing Microsoft Exchange site, the account you are logged on as must have Admin permissions on the Site and Configuration objects.
- Active Directory has not replicated all the necessary permissions for the deleted items container. Please wait until replication completes before running setup.
So, it appeared that we had an Active Directory replication problem,
which is often associated with a DNS configuration error of some sort.
I had John run netdiag and dcdiag on all domain controllers and the Exchange
server he was trying to install. (DNSLint is another good tool if netdiag
doesn't give enough information.)
The netdiag listings indicated that two of the domain controllers were
pointing at themselves for DNS lookups (the zone had been AD-integrated)
and two DCs were pointing at another DNS server with a standard BIND-style
primary zone.
Aside from the problem of having two different zone files that have no
way of replicating with each other, it's an error to point Windows 2000
domain controllers at themselves for DNS lookups if you use AD-integrated
zones. This can create an "island effect" that results in a
replication failure. Also, netdiag indicated that two of the domain controllers
— in different sites — had errors when attempting to communicate
with their gateway router. Here's a piece of the netdiag listing showing
the error (names and IP addresses have been changed):
Per interface results:
    Adapter : Local Area Network One
        Netcard queries test . . . : Passed
        Host Name. . . . . . . . . : brunhilde
        IP Address . . . . . . . . : 192.168.1.1
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 192.168.1.254
        Primary WINS Server. . . . : 192.168.1.3
        Dns Servers. . . . . . . . : 192.168.1.200
        AutoConfiguration results. . . . . . : Passed
        Default gateway test . . . : Failed
            No gateway reachable for this adapter.
In addition, the domain controllers were pointing at different WINS servers
that might not be able to replicate with each other due to the gateway
router problems. This doesn't necessarily impact AD replication but could
cause a problem for Exchange Setup, which relies on proper flat name resolution.
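The cross-DC comparison described above can be scripted once the netdiag output from each domain controller has been saved. The following is an added example, not part of the original column: it assumes one DNS server per adapter, and the hosts "dc2" and "dc3" and their addresses are constructed for illustration. It cannot see the zone type, so a self-pointing DNS client is simply flagged for review.

```python
import re

# Constructed netdiag excerpts, one per domain controller. "brunhilde" mirrors
# the listing above; "dc2", "dc3" and their addresses are hypothetical.
LISTINGS = {
    "brunhilde": """
        IP Address . . . . . . . . : 192.168.1.1
        Primary WINS Server. . . . : 192.168.1.3
        Dns Servers. . . . . . . . : 192.168.1.200
        Default gateway test . . . : Failed""",
    "dc2": """
        IP Address . . . . . . . . : 192.168.2.1
        Primary WINS Server. . . . : 192.168.2.3
        Dns Servers. . . . . . . . : 192.168.2.1
        Default gateway test . . . : Failed""",
    "dc3": """
        IP Address . . . . . . . . : 192.168.1.2
        Primary WINS Server. . . . : 192.168.1.3
        Dns Servers. . . . . . . . : 192.168.1.200
        Default gateway test . . . : Passed""",
}

# Matches netdiag's dotted-leader layout: "Label . . . : value"
FIELD = re.compile(r"^\s*([A-Za-z ]+?)[ .]*:\s*(\S+)\s*$")

def parse(text):
    """Map each 'Label . . . : value' line to {lowercased label: value}."""
    return {m.group(1).lower(): m.group(2)
            for m in map(FIELD.match, text.splitlines()) if m}

def audit(listings):
    """Return sorted (host, finding) pairs for the conditions in the column."""
    findings, by_dns, by_wins = [], {}, {}
    for host, text in listings.items():
        f = parse(text)
        dns, wins = f.get("dns servers"), f.get("primary wins server")
        if dns and dns in (f.get("ip address"), "127.0.0.1"):
            findings.append((host, "DNS client points at itself"))
        if f.get("default gateway test", "").lower() == "failed":
            findings.append((host, "default gateway unreachable"))
        by_dns.setdefault(dns, []).append(host)
        by_wins.setdefault(wins, []).append(host)
    if len(by_dns) > 1:
        findings.append(("all", f"{len(by_dns)} different DNS servers in use"))
    if len(by_wins) > 1:
        findings.append(("all", f"{len(by_wins)} different WINS servers in use"))
    return sorted(findings)

if __name__ == "__main__":
    for host, finding in audit(LISTINGS):
        print(f"{host}: {finding}")
```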
So, John is going to correct the network configuration problems and make
sure that replication works between all DCs, then try the Exchange Setup
again. Keep your fingers crossed. I'll report on the result in an upcoming
column.