Re: Exchange 2007 installation error

THANK YOU! That worked.

Given, however, what I saw in terms of permission changes to the container
in question, however, I no longer trust the state of the domain as a whole
and suspect that one of the administrative accounts may have been compromised
on the machine that apparently was infected. As a precaution, I intend to
rebuild the domain from scratch---inconvenient, but feasible, since there are
only about 40 users/machines in this particular domain.

You did, however, introduce me to a very useful tool that I intend to learn
more about going forward. Many kind thanks.

Boy have I ever learned the value of dedicated firewalls today. Think I'm
going to put a Linux-based reverse-proxy in front of the HTTP (OWA) and SMTP
ports on the Exchange Server before it is deployed again.....

"PL" wrote:

It sounds like you have Deny Full Control security settings on your Exchange
Organization Container. You can try to view the security descriptor of the
container using LDP. You may change the container's security settings by
using DSACLS.exe if you are the owner of the container.


PL


Thank you for the reply. The container does not show up at all in the
adsiedit panel. It does, however, show up in the ldp utiliy. I realize
that
must seem very odd.

I created this mess by installing Exch 2003 the first time on a test
server
while I was waiting for 2007 to be released. I brought it on-line briefly,
but it immediately started sending spam so I took it off-line because I
had
no idea what I was doing with Exchange, having never used it before, and
discovered that (unlike the UNIX systems I am used to) all useful logging
is
turned off by default on Exchange so I had no way of even seeing what the
problem might have been.

When 2007 was released, I installed that on a separate machine running
Server 2003 x64. I had no problems installing it at that time. The
Linux-based server that was running their e-mail at the time had a failing
disc controller, so I wound up doing an emergency switch-over to the older
Exch2003 box, after I turned on some logging and turned on port filtering.
NOD32 was on the box and could find no viruses. I thought maybe an account
had been compromised, so I forced all users to change their login
passwords
and changed DNS to point MX to the Exch2003 box again. Once more, it
started
sending spam and the origin of the spam, from the headers, appeared to be
the
box itself.

I disabled the WAN-side Ethernet interface and intended to start
diagnosing
what had happened, but the box started to become sluggish to the point of
unusability, so I rebooted it. It never came back up. When I attempted to
boot the box into safe mode, it took over an hour to show the login
prompt,
even when it was completely disconnected from ALL networks, and would take
another hour just to show the desktop after logging in. I finally gave up
trying to diagnose the box and reformatted it.

To my horror, I then discovered that the Exch2007 box also started
behaving
strangely (it also had a public IP at the time, but no MX service), so I
rebooted it and it, too, would not restart.

After rebuilding both boxes from scratch, I attempted to install Exch2007
again and it failed. I tried reinstalling Exch2003 again and it failed. I
can't even get to the point where there is a copy of Exchange on a box
again
because the installation setup process fails every time.

After digging around for what seemed like an eternity, I got desperate and
used the ldp utility to look at the raw service container
(Configuration->Services->MS Exchange) and noticed that there was an
existing
organization container there with the name of the organization I assigned
to
the 2003 machine. The /removeorg option would not remove it. Attempting to
delete it directly would not remove it. Running /forestprep and
/domainprep
again would simply create another container with GUID for its CN key.

At this point, I'm in way over my head and cannot seem to find a way of
getting AD to the point where I can simply reinstall Exchange from
scratch.
I'm about ready to nuke the Domain Controller and recreate the user and
machine accounts from scratch, but this seriously dampens my confidence in
the recoverability of Exchange as a mission-critical service....

Any other suggestions or insights would be warmly welcome.

Thanks again.
K

"Gell Feng(MSFT)" wrote:

Dear Sapient,

Thank you for posting in the partner newsgroup.

According to your descirption, I know you want to remove your Exchange
completely in your Activate Directory and when you tried to remove your
original organization, you find that you could not delete it
successfully
even if you get the Enterprise Admins permission.

So based on my research, I just want to know if you have try to remove
the
Original organization by using ADSI edit? If none, then let us try to
remove the incorrect organization by using ADSI edit and then test the
results.

================================
1: Download the Adsiedit tool
from:http://go.microsoft.com/fwlink/?LinkId=62270
2: Run adsiedit.msc
3: Navigate to Configuration partition->cn=service->cn=microsoft
exchange->cn=your organization name
4: Right click it can choose delete to remove it

If you cannot remove this incorrect organization with the permission
error,
then you can check the permission of this object.
=====================
1: Navigate to Configuration partition->cn=service->cn=microsoft
exchange->cn=your organization name
2: Right click it and choose properties
3: then choose security tab and check the permission.

After these steps, let us refer to steps in this link page and then test
the results.
How to completely remove Exchange 2000 or Exchange 2003 from Active
Directory
http://support.microsoft.com/kb/273478/en-us

Thanks

Best regards,

Gell Feng
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
====================================================
PLEASE NOTE: The partner managed newsgroups are provided to assist with
break/fix issues and simple how to questions.
We also love to hear your product feedback! Let us know what you think
by
posting

from the web interface: Partner Feedback
from your newsreader:
microsoft.private.directaccess.partnerfeedback.

We look forward to hearing from you!
====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from this issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no
rights.
====================================================






.

Relevant Pages

  • Re: Exchange 2007 installation error
    ... The container does not show up at all in the ... turned off by default on Exchange so I had no way of even seeing what the ... I had no problems installing it at that time. ... If you cannot remove this incorrect organization with the permission error, ...
    (microsoft.public.exchange.setup)
  • Re: Exchange 2007 installation error
    ... It sounds like you have Deny Full Control security settings on your Exchange ... Organization Container. ... I had no problems installing it at that time. ...
    (microsoft.public.exchange.setup)
  • RE: Groups That Must Remain In AD Users OU?
    ... The Users container is the default container for all newly-created users and ... There is only one exception for a domain environment with Exchange ... Domain Servers" group or the "Exchange Enterprise Servers" group out of this ... Most applications mostly care about SID. ...
    (microsoft.public.windows.server.active_directory)
  • Re: SMS-Site-001 could not be created, error code = 5 in hman.log
    ... When I installed SMS, ... How did you verify that the container was there? ... for the systems management container, after first installing SMS, it ... SMS site server account. ...
    (microsoft.public.sms.admin)
  • Re: Enabling IMF on Exchange 2003 SP2
    ... create the container, but SP2 should create it for you, assuming that you ... have the right pems (Exchange Full Admin, or Exchange Administrator at the ... As far as where it goes, you'd find it under the Configuration container ...
    (microsoft.public.exchange.admin)
Loading