Cannot see mailbox stores on parent domain exchange server
Hello,
We've just set up a child domain in our branch office; we have our exchange server at our main office on the parent domain.
I've run domain prep on the child domain so I can now do exchange tasks and mail activate child domain users, however when I choose to create a new mailbox I get to the part where you have to choose the mailbox store and the popup list is empty.
I thought this might be a permissions thing but the mailbox stores have access granted to the enterprise admin.
Is there something I've missed?
Thanks, Kevin
July 26th, 2010 5:11pm
Hi Qreen
In addition to running domainprep in the child domain, you will have to create a Domain RUS for child domain in order to have Exchange Mailboxes for users in child domain.
I hope following information may help you to resolve the issue:
SYMPTOMS
When Microsoft Exchange 2000 Server or Microsoft Exchange Server 2003 is installed, two Recipient Update Services (RUS) are created, one for the Enterprise Configuration and another for the domain. The domain Recipient Update Service only processes objects in the Windows domain where Exchange was installed. When you create a user in a remote Windows domain, the Recipient Update Service does not process that account.
CAUSE
A Recipient Update Service is not automatically created for a remote or child Windows domain. This causes the Recipient Update Service to not be able to process any mailbox-enabled users or mail-enabled users in the remote or child Windows domain.
RESOLUTION
To resolve this issue, first run Exchange Setup with the /domainprep switch on a server in the remote Windows domain. Then, on your Exchange server use the Exchange System Manager to create a Recipient Update Service for the remote domain. To do this, follow these steps:
1. Click Start, click Programs, click Microsoft Exchange, and then click System Manager.
2. Expand the Organization object, and then expand the Recipients container.
3. Click Recipient Update Service.
4. In the right pane, right-click New, and then click Recipient Update Service.
5. Click the domain that does not have an instance of the Recipient Update service and that has users that must be updated by Exchange.
6. Click Next.
7. Choose the server that you want to run the Recipient Update Service and process all the necessary users with the Exchange attributes.
8. Click Next.
9. Click Finish.
10. To manually initiate an update of the recipients in that domain, right-click the Recipient Update Service, and then click Update Now to force an update.
Please refer to KB 275294 - http://support.microsoft.com/kb/275294
I hope it will be helpful for you :)
Regards,
July 26th, 2010 7:17pm
Ah yes, I've already created the RUS for the child domain. It doesn't seem to make any difference though, even after clicking "update now".
I tried deleting the RUS and creating it again, this time I received an error saying "The RPC server is unavailable". There's a KB article here that covers this - http://support.microsoft.com/kb/271328/en-us
I don't understand though, I only have one domain controller in the child domain so how come it isn't available? The workarounds on that KB article seem to be basically to disable the unavailable DC to force the RUS setup to select a different one, that's not going to work for me though as I only have one.
Thanks, Kev
July 27th, 2010 2:04pm
ok, I've managed to create the RUS for the child domain again. The exchange server searches for the child DC by first name only. I set the exchange server to add first the parent domain and then the child domain suffix when resolving names.
So, the RUS is back but I still can't see the mailbox stores from the child DC when I try to create a mailbox.
Should I be using replmon to view the update?
July 27th, 2010 2:27pm
Hi Kev,
Do you see an event like the following in Event Viewer?
Event ID: 2080
Computer: EXCHANGE
Description:
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1188). Exchange Active
Directory Provider has discovered the following servers with the following
characteristics:
(Server name | Roles | Enabled | Reachability | Synchronized | GC capable |
PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
adsrv.vtunes.net CDG 1 7 7 1 0 1 1 7 1
adsrv2.vtunes.net CDG 1 7 7 1 0 0 1 7 1
Out-of-site:
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
July 27th, 2010 4:37pm
No I don't, I take it you mean on the exchange server... Also I've just read in a MS article that RUS is needed in every domain that either hosts an exchange server or any mail enabled users.
So I need to create an RUS on the child domain pointing back to the exchange server? The exchange system manager on the child DC doesn't show the recipient update services folder though...
July 27th, 2010 5:27pm
Yes, it's for the exchange server.
To see this event, you must increase diagnostics logging on the MSExchangeDSAccess category:
From Exchange 2000 or Exchange 2003, click Start, point to Programs, point to Microsoft Exchange, and then click System Manager. Expand your organization name, expand Administrative Groups, expand Applicable Administrative Group, and then expand Servers. Right-click Applicable Exchange server name, and then click Properties. Click the Diagnostics Logging tab, click MSExchangeDSAccess Service in the left pane, and then click Topology in the right pane. Set the logging level to Medium or higher, click Apply, and then click OK. If possible, restart the Exchange server to see the initial topology detection.
July 27th, 2010 6:20pm
ok, I've turned on the logging. I've found an event id 2080 already... The child domain DC seems to be listed as "out of sight"
July 27th, 2010 6:45pm
Now I think that you have to do some steps to make it work.
On the DC > Active Directory Users & Computers, click on the View menu and select Advanced Features. Then browse to the Domain Controllers OU, right-click on the DC which misses the SACL right and select Properties. Click on the Security tab and select Advanced.
On the Permissions tab, click on Add > select the Exchange Servers security group and click on OK.
You will see a dialog with two tabs: Object and Properties. Select Properties. Then scroll down until you find Read nTSecurityDescriptor. Check Allow, then click on OK as many times as needed to close the window.
Then check your event log after a while. Your DC should now report that it has the SACL right.
Regards
July 27th, 2010 7:13pm
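An added example, not part of any post in this thread: a small Python parser for the Event ID 2080 topology table quoted earlier, reporting which discovered servers are out-of-site and which show 0 in the SACL right column. The two in-site rows are the ones quoted in the thread; the out-of-site row and its host name are constructed for illustration.

```python
import re

# Column order as printed in the Event ID 2080 header line (after Server name).
COLUMNS = ["roles", "enabled", "reachability", "synchronized", "gc_capable",
           "pdc", "sacl_right", "critical_data", "netlogon", "os_version"]

# Sample description: the in-site rows are quoted from the thread,
# the out-of-site row is constructed for this example.
SAMPLE_2080 = """\
In-site:
adsrv.vtunes.net CDG 1 7 7 1 0 1 1 7 1
adsrv2.vtunes.net CDG 1 7 7 1 0 0 1 7 1
Out-of-site:
childdc.branch.example.test CDG 1 7 7 1 0 0 1 7 1
"""

# One server row: host name, role letters, then nine numeric columns.
ROW = re.compile(r"^(\S+)\s+([CDG-]{1,3})((?:\s+\d+){9})\s*$")


def parse_2080(description):
    """Return one dict per discovered server, tagged with its site section."""
    servers, section = [], None
    for line in description.splitlines():
        line = line.strip()
        if line.lower() in ("in-site:", "out-of-site:"):
            section = line[:-1].lower()
            continue
        match = ROW.match(line)
        if not match or section is None:
            continue  # header text, blank lines, help link
        values = [match.group(2)] + [int(v) for v in match.group(3).split()]
        row = dict(zip(COLUMNS, values))
        row.update(server=match.group(1), site=section)
        servers.append(row)
    return servers


def triage(servers):
    """Names of servers that are out-of-site or report SACL right = 0."""
    return {
        "out_of_site": [s["server"] for s in servers if s["site"] == "out-of-site"],
        "no_sacl_right": [s["server"] for s in servers if s["sacl_right"] == 0],
    }


if __name__ == "__main__":
    print(triage(parse_2080(SAMPLE_2080)))
```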
ok, I think we're getting somewhere. The child DC doesn't show in the Domain Controllers OU in the parent domain, I can only see the 3 parent domain DCs.
Should I be able to see the child DC in the domain controller OU in the parent domain?
July 27th, 2010 7:28pm
But you can see them all from the child domain, right?
July 27th, 2010 7:44pm
no, from the child domain I can only see the child DC. I wasn't sure if that was right. I can browse to the other domain when adding users to groups etc.....
July 27th, 2010 7:47pm
You have to do the steps on the child domain for the purpose of Exchange seeing it, so you can do the steps in the child domain. Try it, and I'm still with you until it works :)
July 27th, 2010 7:59pm
So, from the child domain controller I should be able to see the 3 Domain Controllers in the parent domain? They should show up in the Domain Controllers OU?
How do I get to that point? I thought I'd created the child domain correctly.
July 28th, 2010 1:02pm
Hi,
If you can connect from the parent domain to the child from ADUC, and can search your parent domain and add objects to groups in the child with no error, then it's OK. If you want to validate your child, there are many ways to do so. Try to connect from the root to the child using ADUC, and search for an object to add to a child group. The event log will tell you if anything is wrong.
From the child, run: "netdom query fsmo". The forest roles (DNM and SM) should be reported to be on a parent DC.
About the "Read nTSecurityDescriptor": it must be done in the child domain.
Regards
|Ahmed Tarek | Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 28th, 2010 4:56pm
ok, I'm having problems changing the "Read nTSecurityDescriptor"
When I try it on the child dc there's no security tab at all. I'm just downloading the support tools pack so I can run netdom
Thanks
July 28th, 2010 5:33pm
ok, netdom looks ok, schema owner and domain role owner are both in the parent domain as you say. The other 3 roles are on the single child dc.
July 28th, 2010 5:39pm
ok, I'm a fool. I've found the security tab on the child dc.
Which group do you need me to add?
the exchange enterprise servers group is already there. If I browse the parent domain I can see the exchange services group, is that the one you mean?
If so, I can't see the "Read nTsecurityDescriptor" permission in the property list...........
July 28th, 2010 5:47pm
Hi,
You can try another way that might be useful for you:
From Run > MMC > add the ADSI Edit tool > Domain > Domain Controller OU. Right-click on the OU and select Properties > Security tab > Advanced > Permission tab. Click on Add, select the Exchange Servers security group, and click on OK. Select Properties. Find "Read nTSecurityDescriptor" and check Allow. Click OK to the end.
Good luck
Ahmed Tarek
July 28th, 2010 7:20pm
ok, I can't see an exchange servers group, only an exchange services one in the parent domain. I used that one and ticked "allow" on the Read nTSecurityDescriptor permission.
The 2080 event is still in the event log on the exchange server, it says SACL right although looking back it always has. The event looks the same.
The stats for all 4 servers show CDG 771 0 1171
I'm still unable to view the mailbox stores, is there more? I started an update on the child domain RUS, I'll leave it a while and try again.
Do I need to create a recipient update service from the child DC? I shouldn't need to, as it's already in place on the mail server in the parent domain, right?
Thanks very much for all your help.
July 29th, 2010 12:46pm
This option must be ticked for the Child ..
Ahmed Tarek
July 29th, 2010 1:18pm
ok, so from the child DC I used ADSIedit to tick allow on the permission for the parent domain group Exchange Services.
I've also realised I've been logging into the child DC as the child domain admin, which didn't have exchange full admin rights. Once I gave the child domain admin full exchange rights using the delegate control wizard everything started working.
I can see the mailbox stores from the child dc and open exchange system manager.
Thanks again Ahmed, you're a lifesaver!
July 29th, 2010 2:37pm
You are welcome, Green, any time :D .. Kindly propose it as answer .. it might be beneficial to other community members.
Ahmed Tarek
July 29th, 2010 4:02pm
Hi,
One more thing if that's ok. I can now create mailboxes for child domain users. I was having trouble logging in via owa and outlook though, so I tried running domainprep again in the child domain.
domainprep is failing now with this error in the event viewer - Exchange Server component MicrosoftExchange Domain Preparation failed. Error - 0x0070560 - The specified local group does not exist
I've checked and both the enterprise and domain exchange server groups are in the users OU.
Maybe I should start a new thread?
July 29th, 2010 5:10pm