Re: Problem getting Exchange 2000 to see AD 2003 GC



It sounds like you're on the right track with investigating the SACL right.
What method did you use to check the right? I believe that the old
policytest.exe has been replaced by the polcheck part of OrgPrepCheck. Have
a look at the following article.

http://support.microsoft.com/default.aspx?scid=kb;en-us;812593&product=exch2003

I believe RUS is responsible for propagating the right, so it might also be
good to check to see that RUS is working properly.

Tony
www.activedir.org

"BeFree" <BeFree@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D5814FD6-213B-4B38-BC51-E69D112E9A3E@xxxxxxxxxxxxxxxx
> Confirmation that under the Default Domain Security Policy, Enterprise
> Exchange Servers is listed under Manage Auditing and Security Log. Any idea
> how to get the SACL bit to be 'happy' on Windows 2003 AD?
> __________________________________________
>
> "BeFree" wrote:
>
>> Excellent idea. We turned on the logging as described, and the email server
>> does see it as a GC, but still under the Directory Access tab it never shows
>> up. We tried with two different servers running Windows 2003, one with SP1
>> and another without. They both show the 1 in the Global Catalog bit, DC5 is
>> 2K3 SP1 & DC4 is 2K3 without SP1. DC2 and YVE are not reachable, they're
>> from the production network and this is the testlab network. I do see from
>> this that the 2K3 servers do not get the SACL right - I am going to go check
>> the default domain controller security policy and make sure that Enterprise
>> Exchange servers has the right to manage the event logs (correct?)
>>
>> Next week we are going to bring in another Windows 2000 server and then
>> upgrade it to 2K3 and see that it works. The first time we did that test it
>> worked just fine, it's just the new clean build of 2K3 that's giving us the
>> issue.
>>
>> Event Type: Information
>>
>> Event Source: MSExchangeDSAccess
>>
>> Event Category: Topology
>>
>> Event ID: 2080
>>
>> Date: 5/20/2005
>>
>> Time: 12:14:40 PM
>>
>> User: N/A
>>
>> Computer: CI-MAIL3
>>
>> Description:
>>
>> Process MAD.EXE (PID=1140). DSAccess has discovered the following servers
>> with the following characteristics:
>>
>> (Server name | Roles | Reachability | Synchronized | GC capable | PDC |
>> SACL right | Critical Data | Netlogon)
>>
>> In-site:
>>
>> ci-dc2.CI.conservation.org CDG 0 0 1 0 0 0 0
>>
>> ci-dc3.CI.conservation.org CDG 7 7 1 0 1 1 7
>>
>> ci-dc1.CI.conservation.org CDG 7 7 1 0 1 1 7
>>
>> CI-DC5.CI.conservation.org CDG 7 7 1 0 0 1 7
>>
>> Out-of-site:
>>
>> ci-dcyve.CI.conservation.org CDG 0 0 1 0 0 0 0
>>
>>
>>
>>
>>
>> For more information, click http://www.microsoft.com/contentredirect.asp.
>>
>> Event Type: Information
>>
>> Event Source: MSExchangeDSAccess
>>
>> Event Category: Topology
>>
>> Event ID: 2080
>>
>> Date: 5/20/2005
>>
>> Time: 5:33:11 PM
>>
>> User: N/A
>>
>> Computer: CI-MAIL3
>>
>> Description:
>>
>> Process INETINFO.EXE (PID=1060). DSAccess has discovered the following
>> servers with the following characteristics:
>>
>> (Server name | Roles | Reachability | Synchronized | GC capable | PDC |
>> SACL right | Critical Data | Netlogon)
>>
>> In-site:
>>
>> CI-DC5.CI.conservation.org CDG 7 7 1 0 0 1 7
>>
>> ci-dc3.CI.conservation.org CDG 7 7 1 0 1 1 7
>>
>> ci-dc1.CI.conservation.org CDG 7 7 1 0 1 1 7
>>
>> ci-dc2.CI.conservation.org CDG 0 0 1 0 0 0 0
>>
>> ci-dc4.CI.conservation.org CDG 7 7 1 0 0 1 7
>>
>> Out-of-site:
>>
>> ci-dcyve.CI.conservation.org CDG 0 0 1 0 0 0 0
>>
>> ------------------------------------------------------------------
>>
>> "Tony Murray" wrote:
>>
>> > The DC/GC may not be properly synchronized. You can check by connecting to
>> > RootDSE (using LDP.EXE) and looking for the IsSynchronized flag. Another
>> > good option would be to wind up the diagnostics logging on DSAccess, as
>> > explained in the following article.
>> >
>> > http://support.microsoft.com/kb/316300
>> >
>> > Tony
>> > www.activedir.org
>> >
>> > "BeFree" <BeFree@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> > news:59D550F8-414E-426E-96A5-93485BAF4F29@xxxxxxxxxxxxxxxx
>> > > We are trying to decide the best way to upgrade our AD 2000 & Exchange
>> > > 2000 domain to 2003. I can't upgrade the AD servers because they're off
>> > > the HCL, so I want to replace them with newly built Windows 2003 servers,
>> > > dcpromo'd into the tree (after the prerequisite adprep and mangle
>> > > prevention tasks ...). We're working all of this out in the testlab
>> > > first. For the full story and proposed migration plan, see
>> > > http://x220.win2ktest.com/forum/topic.asp?TOPIC_ID=13776
>> > >
>> > > The problem is we can't seem to get Exchange 2000 to work after doing
>> > > that. It cannot see the newly created Windows 2003 AD as a Global Catalog.
>> > > It does appear to actually be a GC, repadmin /showreps says IS_GC, and
>> > > it's listed in DNS as a GC as well. But in Exchange System Manager on the
>> > > Directory Access tab it does not recognize the 2003 server automatically.
>> > > If we set it to manual and force it to that new server, the message
>> > > stores don't mount and it complains that there is no GC. All the
>> > > Microsoft literature I've read says that Exchange 2000 will work just
>> > > fine with AD 2003, but they usually are talking about an upgrade path.
>> > >
>> > > When we ran through the scenario of doing it as an upgrade after DCPROMO,
>> > > the 2003 server does work just fine with Exchange. Only when it's a clean
>> > > build of Windows 2003 fresh (which is what I'd prefer for many reasons)
>> > > does it cause Exchange grief.
>> > >
>> > > Can anyone confirm that this should work, promoting a Windows 2003 server
>> > > and using it as a GC for Exchange 2000? Or will I need to keep a Windows
>> > > 2000 GC available until Exchange 2003 has replaced Exchange 2000
>> > > completely in our environment?
>> > >
>> >
>> >
>> >
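
Added example, not part of the original thread: a small parser for the DSAccess event 2080 topology table quoted above, which picks out domain controllers that are reachable but report 0 in the "SACL right" column. The sample rows are copied from the second event in the thread; the function names and the three status labels are assumptions made for this example.

```python
import re

# Numeric columns, in the order given by the event's own header line.
COLUMNS = ("reachability", "synchronized", "gc_capable",
           "pdc", "sacl_right", "critical_data", "netlogon")

# One topology row: server name, role letters, then seven integers.
ROW = re.compile(r"^(?P<name>\S+)\s+(?P<roles>[CDG]+)\s+(?P<nums>(?:\d+\s+){6}\d+)$")
QUOTE = re.compile(r"^(?:>\s?)+")  # newsreader quote markers such as ">> "

# Rows from the second event 2080 quoted in the thread.
SAMPLE = """\
>> In-site:
>> CI-DC5.CI.conservation.org CDG 7 7 1 0 0 1 7
>> ci-dc3.CI.conservation.org CDG 7 7 1 0 1 1 7
>> ci-dc1.CI.conservation.org CDG 7 7 1 0 1 1 7
>> ci-dc2.CI.conservation.org CDG 0 0 1 0 0 0 0
>> ci-dc4.CI.conservation.org CDG 7 7 1 0 0 1 7
>> Out-of-site:
>> ci-dcyve.CI.conservation.org CDG 0 0 1 0 0 0 0
"""

def parse_2080(text):
    """Return one dict per server row found in an event 2080 description."""
    servers, site = [], None
    for raw in text.splitlines():
        line = QUOTE.sub("", raw).strip()
        if line in ("In-site:", "Out-of-site:"):
            site = line.rstrip(":")
            continue
        m = ROW.match(line)
        if m:
            row = {"name": m.group("name"), "site": site, "roles": m.group("roles")}
            row.update(zip(COLUMNS, map(int, m.group("nums").split())))
            servers.append(row)
    return servers

def classify(row):
    """Label a row: unreachable, missing-sacl-right, or ok (labels are this example's)."""
    if row["reachability"] == 0:
        return "unreachable"
    if row["sacl_right"] == 0:
        return "missing-sacl-right"
    return "ok"

def report(text):
    """Map lower-cased server name to its status label."""
    return {r["name"].lower(): classify(r) for r in parse_2080(text)}
```

Run over the sample, `report(SAMPLE)` separates the two clean-build 2003 servers (CI-DC5 and ci-dc4) from the unreachable production DCs, which also show 0 in that column but for a different reason.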

