Stalled Exchange 2000 Setup

Migration to Exchange 2000 seems to go fine, but setup comes to a screeching halt for this admin.

Question: I have a problem related to a migration of Exchange 5.5 to Exchange 2000. I have upgraded my PDC from Windows NT 4.0 to Windows 2000 and now I'm in Mixed mode. I have two other NT BDCs and three Win2K DCs and three Exchange 5.5 servers. I installed the ADC on the server that will become my principal Exchange server. That went fine. I have Connection Agreements between E5.5 and AD. I ran Exchange setup with Forestprep, then Domainprep and that went fine.

When I ran Exchange setup to upgrade the E5.5 server, I got an error message that I don't have enough permissions at the Site, Org, and Configuration level. Yet, I'm logged on using the account that I've always used to manage Exchange. This account has domain admin rights in the domain, as well. I tried a few things and now when I run setup, I'm getting an error that says, "There is no such object on the server."

Can you help?

Answer: Since receiving this e-mail from John, we have been working together to try to isolate the problem.

The "no such object" error may indicate that the Organization object or one of its constituents has not been created in the Active Directory forest during Forestprep. However, Forestprep will give a fatal error if it cannot create all the required objects in Active Directory. John sent me the Exchange Setup logs and I found this error:

[17:42:37] Entering ScGetExchangeServerGroups
[17:42:37] Getting DOB for group 0
[17:42:37] ScGetExchangeServerGroups
           Error code 0X80072030 (8240): There is no
           such object on the server.
[17:42:37] Leaving ScGetExchangeServerGroups
[17:42:37] ScPRQ_LogonMustHaveFullControlOverExchange

This indicates that Setup can't find either the Exchange Domain Servers group or the Exchange Enterprise Servers group. Both of these groups are created by Domainprep and both must be in the Users container. Failing to locate the group will cause a permission error.

It turned out that John had moved the groups to another OU to keep the Users container tidy. Many administrators do this and get similar problems during or after Exchange setup.

But the fun wasn't over. John continued to have Setup problems indicating that he still had permission problems with the account he was using to run Setup. Here's the Setup log entry:

[10:40:37] Prerequisites for Microsoft Exchange Information
           Store Service failed: The component "Microsoft
           Exchange Messaging and Collaboration Services"
           cannot be assigned the action "Upgrade" because:
           - To upgrade your Microsoft Exchange 5.5 server
           or to add a new server to an existing Microsoft
           Exchange site, the account you are logged on as
           must have Admin permissions on the Site and
           Configuration objects.

For troubleshooting, I asked John to create a new account and give it Domain Admin membership in the domain as well as Service Admin permissions on the Org, Site, and Configuration container in every site in Exchange. This did not resolve the problem, but it did give an additional error in the Exchange Setup log:

[15:23:04] Prerequisites for Microsoft Exchange Information
           Store Service failed: The component "Microsoft
           Exchange Messaging and Collaboration Services"
           cannot be assigned the action "Upgrade" because:
           - To upgrade your Microsoft Exchange 5.5 server
           or to add a new server to an existing Microsoft
           Exchange site, the account you are logged on as
           must have Admin permissions on the Site
           and Configuration objects.
           - Active Directory has not replicated all the
           necessary permissions for the deleted items
           container. Please wait until replication
           completes before running setup.
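
A small parser for the Setup log excerpts quoted above, added here as an illustration (it is not code from the column or from Microsoft): it rejoins the wrapped lines, pulls out the error code, and splits a prerequisite failure into its separate reasons. The sample log is constructed from the excerpts in this column, and the function names are hypothetical.

```python
import re
# Constructed sample: two of the Setup log excerpts quoted in this column.
SAMPLE_LOG = """\
[17:42:37] ScGetExchangeServerGroups
           Error code 0X80072030 (8240): There is no
           such object on the server.
[15:23:04] Prerequisites for Microsoft Exchange Information
           Store Service failed: The component "Microsoft
           Exchange Messaging and Collaboration Services"
           cannot be assigned the action "Upgrade" because:
           - To upgrade your Microsoft Exchange 5.5 server
           or to add a new server to an existing Microsoft
           Exchange site, the account you are logged on as
           must have Admin permissions on the Site
           and Configuration objects.
           - Active Directory has not replicated all the
           necessary permissions for the deleted items
           container. Please wait until replication
           completes before running setup.
"""

STAMP = re.compile(r"^\[(\d\d:\d\d:\d\d)\]\s+(.*)$")
ERROR = re.compile(r"^(\S+) Error code (0X[0-9A-F]+) \((\d+)\): (.*)$", re.I)

def entries(text):
    """Rejoin wrapped lines; a leading '- ' starts a new reason bullet."""
    out = []
    for raw in text.splitlines():
        m = STAMP.match(raw)
        if m:
            out.append([m.group(1), m.group(2).strip()])
        elif out and raw.strip():
            sep = "\n" if raw.strip().startswith("- ") else " "
            out[-1][1] += sep + raw.strip()
    return out

def findings(text):
    """Error-code hits (0x8007xxxx: low 16 bits = Win32 code) and prerequisite failures."""
    hits = []
    for stamp, msg in entries(text):
        m = ERROR.match(msg)
        if m:
            code, win32 = int(m.group(2), 16), int(m.group(3))
            hits.append({"time": stamp, "where": m.group(1), "win32": win32,
                         "low_word_matches": (code & 0xFFFF) == win32})
        elif "because:" in msg:
            reasons = [r[2:] for r in msg.split("\n")[1:]]
            hits.append({"time": stamp, "where": "prerequisites", "reasons": reasons})
    return hits
```

Listing each reason separately makes it easy to see when a new one, such as the replication message, appears between two Setup runs.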

So, it appeared that we had an Active Directory replication problem, which is often associated with a DNS configuration error of some sort. I had John run netdiag and dcdiag on all domain controllers and the Exchange server he was trying to install. (DNSLint is another good tool if netdiag doesn't give enough information.)

The netdiag listings indicated that two of the domain controllers were pointing at themselves for DNS lookups (the zone had been AD-integrated) and two DCs were pointing at another DNS server with a standard BIND-style primary zone.

Aside from the problem of having two different zone files that have no way of replicating with each other, it's an error to point Windows 2000 domain controllers at themselves for DNS lookups if you use AD-integrated zones. This can create an "island effect" that results in a replication failure. Also, netdiag indicated that two of the domain controllers — in different sites — had errors when attempting to communicate with their gateway router. Here's a piece of the netdiag listing showing the error (names and IP addresses have been changed):

Per interface results:
   Adapter : Local Area Network One
      Netcard queries test . . . : Passed
      Host Name. . . . . . . . . : brunhilde
      IP Address . . . . . . . . :
      Subnet Mask. . . . . . . . :
      Default Gateway. . . . . . :
      Primary WINS Server. . . . :
      Dns Servers. . . . . . . . :

      AutoConfiguration results. . . . . . : Passed

      Default gateway test . . . : Failed
          No gateway reachable for this adapter.

In addition, the domain controllers were pointing at different WINS servers that might not be able to replicate with each other due to the gateway router problems. This doesn't necessarily impact AD replication but could cause a problem for Exchange Setup, which relies on proper flat name resolution.

So, John is going to correct the network configuration problems and make sure that replication works between all DCs, then try the Exchange Setup again. Keep your fingers crossed. I'll report on the result in an upcoming column.


Reader Comments:

Fri, Jul 30, 2004 Russ Redmond, WA

I thought you had to have at least one domain in native mode in order to upgrade to Exchange 2000? It doesn't say whether there is at least one in native mode. Could that contribute to the problem?

Wed, Jul 28, 2004 Ronnie Jackson Tyler, TX

Excellent article. Didn't know that about DC's pointing to themselves. One other thing you might try is to add the Exchange service account, and/or the account that the admin is logged on under, to the Schema Admins group to grant permissions to modify the schema. I believe Exchange has to update the schema in order to do the install. Just a thought.

Wed, Jul 28, 2004 Anonymous Anonymous

More questions about the DNS "island" effect. I think I've read somewhere that a Win2K DC should point to itself for DNS resolution. I know for certain that the WINS entries must be pointed to itself so it registers itself with itself and owns its own record. Perhaps you could clarify the DNS best practices settings in a future column.

Tue, Jul 27, 2004 Anonymous Anonymous

Good article Bill. But with all these basic configuration problems I'd say John is not qualified to upgrade Exchange, or even be a domain admin.

Tue, Jul 27, 2004 Anonymous Anonymous

I'm confused about the DNS "island effect".
I have W2K AD integrated DNS servers that point at themselves for DNS resolution. I have found that initially you have to have the server for which you are trying to create the zone pointing at a different DC/DNS server, otherwise the term "island" certainly applies - the server thinks that it's the first DNS server in the domain. The reason that I started doing it this way is not only because I ran into this very problem, but because I had seen conflicting directions where some articles would say to point the DNS server at itself, where others such as Bill's warn of the "island" effect.
Why would my method fail?

Tue, Jul 27, 2004 Anonymous Anonymous

Excellent troubleshooting article

Tue, Jul 27, 2004 Anonymous Anonymous

Try giving the Exchange 5.5 management account the Log On Locally priv.
