Problems when logging into Exchange as Administrator
Greetings everybody, We are running MS Exchange 2003 on Win 2003 Server Standard Edt. We have a simple network with one domain controller and one exchange server. Both of them are on our LAN (exchange is not in DMZ.) About a week ago we started having a following issue: When we log into Exchange using domain administrator login: a) it takes about 20-30 minutes to log in, b) when we try to open a queue in Exchange Systems Manager we get an error msg: A local error has occurred. Facility: Win32 ID no: 8007203b Exchange System Manager c) when we open Active Directory Users & Computers we can not create new mailboxes/modify existing ones d)Recepient Update Service (RUS) will not run When I log into Exchange using my personal account (memeber of Domain Admins) everything works fine & it takes about 3 seconds to log in. Your suggestions/input are greatly appreciated, we do need to be logged in as admin (several critical services run under administrator login). Thank you!!!
July 14th, 2008 7:25pm
Quick shot in the dark here: Arethe domain controllers in the local site of the Exchange servers working fine? Is your personal admin account in a different site? You may review DC listthat Exchange is user andtry bouncing the domain controller that is first on the list. I may have had the same issue a few years back.
Within System Manager, drill down to the server, right-click, go to Properties, and goto Directory Access tab. Review Domain controller list, and check the health of that DC. Review Event logs on Exchange and DC, and reboot the DC.
Let us know.
Jeremy
Free Windows Admin Tool Kit Click here and download it now
July 14th, 2008 9:20pm
I appreciate you taking the time Jeremy.We have only one DC, which contains all user accounts, including the administrator account & my personal one. The Domain Controller appears to be functioning correctly.Please let me know if you have any other idea.Thanks much!Alex
July 14th, 2008 10:53pm
Please review, understand, and consider the changes prior to making them.
Does your personal admin account have specific permissions defined with Exchange? Does the Domain Admin account have specific permissions. We may bem dealing with corrupted pemissions down at the Server level (as you mentioned you get a failure when trying to view a queue). what you need to determine before you make any changes is what is safe and unsafe to change.
If you have no specific Exchange permisions for your personal admin account then the Exchange permissions are derived from your 'domain admin' group membership. You should find where you have granted 'Domain Admins' permissions within Exchange. In this case, look for any specific pemissions granted to the 'Domain Administor' account and remove them (they may be corrupt). The Domain Administrator's permissions will be derived from the group membership at that point.
If your personal admin account has specific Exchange admin rights (and we know everything works for you) and NO exchange services utililze the Domain Administrator account for logon, and NO permissons are specifically granted to the Domain Administrator account then you know it's a relatively safe to proceed to this step: Reset the permissons granted to the Domain Administrators group. The permissions granted to the Domain Administrator (via specific or derived from group membership)are be corrupt.
Please review, understand, and consider the changes prior to making them.
Regards,
Jeremy
Free Windows Admin Tool Kit Click here and download it now
July 14th, 2008 11:48pm
I will check what you have mentioned above. Thank you.What do yo mean by "Reset the permissions granted to the Domain Administrators group"?Also, I was thinking of just booting into safe mode, logging in with LOCAL administrator account, and zapping the domain administrator profile (deleting the folder from Documnent & Settings). Then making the system re-recreate the profile. Would you recommend doing this or no?Thanks Much!Alex
July 15th, 2008 12:09am
My thought is you are dealing with an Exchange permissions issue with the Domain Administrator account. So depending on the way Domain Administrator is obtaining these pemissions (direct or via a group permission), you need to remove and re-add them. So 'reset' should be interpreted as remove, apply, replace, apply.
I don't think removing the domain admin profile from Documentand Settings is going to buy you anything. if you thing the profile is bad (on the Exchange server), then just logo onto your client computer, as the domain Administrator, and manage Excahnge from System console loaded locally.
Hope this helps.
Jeremy
Free Windows Admin Tool Kit Click here and download it now
July 15th, 2008 12:18am
Hi,
Error code 8007203b means LDAP_LOCAL_ERROR.I suspect that something wrong with the account since exchange server runs normally at another adminstrator account.
Please check whether you have change your administrator account password, please run services.msc to check whether the log on account for these exchange related Services which stopped are correct.
Besides, Ive checked it from my lab and found that administrator should be the member of the below group.
Administrators
Domain Admins
Domain Users
Enterprise Admins
Exchange Organization Administrators
Group Policy Creator Owners
Schema Admins
If all the above do not help, then I recommend you re-create the administrator profile to replace the old one.
Error messages when you open Active Directory snap-ins and Exchange System Manager
http://support.microsoft.com/kb/329642
Hope it helps.
Xiu
July 15th, 2008 12:56pm
Thank you Jeremy and Xiu. I will try recreating the administrator profie tonight and will let you know of the results.Also, Xiu, I've checked the Administrator group membership and it looks like we do not have Exchange Organization Administrators group. We only have Exchange Domain Servers & Exchange Enterprise Servers groups.
Free Windows Admin Tool Kit Click here and download it now
July 15th, 2008 6:06pm
Maybe I have make you confused.Groups listed in my previously post is for Exchange 2007.
With Exchange 2003,administrator should be the member of:
Administrator
Domain Admins
Domain Users
Enterprise Admins
Group Policy Creator Owners
Schema Admins
Best regards,
Xiu
July 16th, 2008 5:09am