Stalled Exchange 2000 Setup

Migration to Exchange 2000 seems to go fine, but setup comes to a screeching halt for this admin.

Question: I have a problem related to a migration of Exchange 5.5 to Exchange 2000. I have upgraded my PDC from Windows NT 4.0 to Windows 2000 and now I'm in Mixed mode. I have two other NT BDCs and three Win2K DCs and three Exchange 5.5 servers. I installed the ADC on the server that will become my principal Exchange server. That went fine. I have Connection Agreements between E5.5 and AD. I ran Exchange setup with Forestprep, then Domainprep and that went fine.

When I ran Exchange setup to upgrade the E5.5 server, I got an error message that I don't have enough permissions at the Site, Org, and Configuration level. Yet, I'm logged on using the account that I've always used to manage Exchange. This account has domain admin rights in the domain, as well. I tried a few things and now when I run setup, I'm getting an error that says, "There is no such object on the server."

Can you help?
—John

Answer: Since receiving this e-mail from John, we have been working together to try to isolate the problem.

The "no such object" error may indicate that the Organization object or one of its constituents has not been created in the Active Directory forest during Forestprep. However, Forestprep will give a fatal error if it cannot create all the required objects in Active Directory. John sent me the Exchange Setup logs and I found this error:

[17:42:37] Entering ScGetExchangeServerGroups
[17:42:37] Getting DOB for group 0
[17:42:37] ScGetExchangeServerGroups
           (K:\admin\src\libs\exsetup\dsmisc.cxx:301)
           Error code 0X80072030 (8240): There is no
           such object on the server.
[17:42:37] Leaving ScGetExchangeServerGroups
[17:42:37] ScPRQ_LogonMustHaveFullControlOverExchange
           DomainServersGroup
           (K:\admin\src\udog\excommon\prereq.cxx:4468)

This indicates that Setup can't find either the Exchange Domain Servers group or the Exchange Enterprise Servers group. Both of these groups are created by Domainprep and both must be in the Users container. Failing to locate the group will cause a permission error.
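The log reading described above can be done mechanically. The following is an added example, not part of the original column or of Exchange Setup: it folds the wrapped lines of a Setup log back into entries and decodes the error code. The function names, record fields, and sample text are constructed for illustration.

```python
import re

# Constructed sample in the shape of the Setup log excerpt above.
SAMPLE_LOG = r"""[17:42:37] Entering ScGetExchangeServerGroups
[17:42:37] Getting DOB for group 0
[17:42:37] ScGetExchangeServerGroups
           (K:\admin\src\libs\exsetup\dsmisc.cxx:301)
           Error code 0X80072030 (8240): There is no
           such object on the server.
[17:42:37] Leaving ScGetExchangeServerGroups
"""

STAMP = re.compile(r"^\[(\d\d:\d\d:\d\d)\]\s+(.*)$")
ERROR = re.compile(
    r"^(\w+) \((.+?):(\d+)\) Error code (0[xX][0-9A-Fa-f]+) \((\d+)\): (.+)$")

def join_entries(text):
    """Fold wrapped continuation lines into their timestamped entry."""
    entries = []
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:
            entries.append([m.group(1), m.group(2).strip()])
        elif line.strip() and entries:
            entries[-1][1] += " " + line.strip()
    return entries

def find_errors(text):
    """Return one dict per error entry, with the HRESULT decoded."""
    found = []
    for stamp, msg in join_entries(text):
        m = ERROR.match(msg)
        if not m:
            continue
        func, src, line, hexcode, dec, desc = m.groups()
        hresult = int(hexcode, 16)
        rec = {"time": stamp, "function": func, "source": f"{src}:{line}",
               "win32": hresult & 0xFFFF,            # low word is the Win32 code
               "is_win32_hresult": (hresult >> 16) == 0x8007,
               "decimal": int(dec), "text": desc}
        # Hint taken from the column: this function failing with 8240 means
        # Setup could not locate one of the two Exchange server groups.
        if func == "ScGetExchangeServerGroups" and rec["win32"] == 8240:
            rec["hint"] = ("Check that Exchange Domain Servers and Exchange "
                           "Enterprise Servers are still in the Users container")
        found.append(rec)
    return found

if __name__ == "__main__":
    for e in find_errors(SAMPLE_LOG):
        print(e)
```
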

Get Help from Bill

Got a Windows or Exchange question or need troubleshooting help? Or maybe you want a better explanation than provided in the manuals? Describe your dilemma in an e-mail to Bill; the best questions get answered in this column.

When you send your questions, please include your full first and last name, location, and certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message but submit the requested information for verification purposes.)

It turned out that John had moved the groups to another OU to keep the Users container tidy. Many administrators do this and run into similar problems during or after Exchange setup.

But the fun wasn't over. Setup continued to fail, indicating that the account John was using to run it still had permission problems. Here's the Setup log entry:

[10:40:37] Prerequisites for Microsoft Exchange Information
           Store Service failed: The component "Microsoft
           Exchange Messaging and Collaboration Services"
           cannot be assigned the action "Upgrade" because:
           - To upgrade your Microsoft Exchange 5.5 server
           or to add a new server to an existing Microsoft
           Exchange site, the account you are logged on as
           must have Admin permissions on the Site and
           Configuration objects.

For troubleshooting, I asked John to create a new account and give it Domain Admin membership in the domain as well as Service Admin permissions on the Org, Site, and Configuration containers in every site in Exchange. This did not resolve the problem, but it did give an additional error in the Exchange Setup log:

[15:23:04] Prerequisites for Microsoft Exchange Information
           Store Service failed: The component "Microsoft
           Exchange Messaging and Collaboration Services"
           cannot be assigned the action "Upgrade" because:
           - To upgrade your Microsoft Exchange 5.5 server
           or to add a new server to an existing Microsoft
           Exchange site, the account you are logged on as
           must have Admin permissions on the Site
           and Configuration objects.
           - Active Directory has not replicated all the
           necessary permissions for the deleted items
           container. Please wait until replication
           completes before running setup.

So, it appeared that we had an Active Directory replication problem, which is often associated with a DNS configuration error of some sort. I had John run netdiag and dcdiag on all domain controllers and the Exchange server he was trying to install. (DNSLint is another good tool if netdiag doesn't give enough information.)

The netdiag listings indicated that two of the domain controllers were pointing at themselves for DNS lookups (the zone had been AD-integrated) and two DCs were pointing at another DNS server with a standard BIND-style primary zone.

Aside from the problem of having two different zone files that have no way of replicating with each other, it's an error to point Windows 2000 domain controllers at themselves for DNS lookups if you use AD-integrated zones. This can create an "island effect" that results in a replication failure. Also, netdiag indicated that two of the domain controllers — in different sites — had errors when attempting to communicate with their gateway router. Here's a piece of the netdiag listing showing the error (names and IP addresses have been changed):

Per interface results:
   Adapter : Local Area Network One
      Netcard queries test . . . : Passed
      Host Name. . . . . . . . . : brunhilde
      IP Address . . . . . . . . : 192.168.1.1
      Subnet Mask. . . . . . . . : 255.255.255.0
      Default Gateway. . . . . . : 192.168.1.254
      Primary WINS Server. . . . : 192.168.1.3
      Dns Servers. . . . . . . . : 192.168.1.200

      AutoConfiguration results. . . . . . : Passed

      Default gateway test . . . : Failed
          No gateway reachable for this adapter.

In addition, the domain controllers were pointing at different WINS servers that might not be able to replicate with each other due to the gateway router problems. This doesn't necessarily impact AD replication but could cause a problem for Exchange Setup, which relies on proper flat name resolution.
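The cross-DC comparison described above can be scripted once the netdiag listings are collected. The following is an added example, not part of the original column: it parses the per-interface fields and flags the conditions the column names. The host names, addresses, and finding tags are constructed, and it assumes one adapter and one DNS server line per listing.

```python
import re

# "Label . . . . : value" lines as they appear in netdiag per-interface output.
FIELD = re.compile(r"^\s*(.+?)[\s.]*:\s*(.*)$")

# Constructed netdiag excerpts, one per domain controller.
LISTINGS = [
    """Host Name. . . . . . . . . : brunhilde
      IP Address . . . . . . . . : 192.168.1.1
      Primary WINS Server. . . . : 192.168.1.3
      Dns Servers. . . . . . . . : 192.168.1.200
      Default gateway test . . . : Failed
          No gateway reachable for this adapter.""",
    """Host Name. . . . . . . . . : siegfried
      IP Address . . . . . . . . : 192.168.2.1
      Primary WINS Server. . . . : 192.168.2.3
      Dns Servers. . . . . . . . : 192.168.2.1
      Default gateway test . . . : Passed""",
    """Host Name. . . . . . . . . : wotan
      IP Address . . . . . . . . : 192.168.1.2
      Primary WINS Server. . . . : 192.168.1.3
      Dns Servers. . . . . . . . : 192.168.1.200
      Default gateway test . . . : Passed""",
]

def parse(listing):
    """Return {lower-cased label: value} for every 'label : value' line."""
    fields = {}
    for line in listing.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1).lower()] = m.group(2).strip()
    return fields

def audit(listings):
    """Flag the per-host and cross-host conditions named in the column."""
    hosts = [parse(t) for t in listings]
    findings = []
    for h in hosts:
        name = h["host name"]
        if h["ip address"] in h.get("dns servers", "").split():
            findings.append((name, "dns-points-at-self"))   # island risk
        if h.get("default gateway test") == "Failed":
            findings.append((name, "gateway-unreachable"))
    # Cross-host: every DC should agree on its DNS and WINS servers.
    for key, tag in (("dns servers", "dns-servers-differ"),
                     ("primary wins server", "wins-servers-differ")):
        if len({h.get(key) for h in hosts}) > 1:
            findings.append(("*", tag))
    return findings

if __name__ == "__main__":
    for host, tag in audit(LISTINGS):
        print(f"{host}: {tag}")
```
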

So, John is going to correct the network configuration problems and make sure that replication works between all DCs, then try the Exchange Setup again. Keep your fingers crossed. I'll report on the result in an upcoming column.
