View products that this article applies to.
Expand all | Collapse all
SYMPTOMSIn Microsoft Exchange 2000 Server, when you use Exchange System Manager to try t...In Microsoft Exchange 2000 Server, when you use Exchange System Manager to try to change the Microsoft Windows 2000-based domain controller that is specified in the properties dialog box for the Recipient Update Service, you receive the following error message:
The operation failed
ID no: 80004005
Exchange System Manager
Back to the top
CAUSEThis issue occurs when one of the following conditions is true: The account that...This issue occurs when one of the following conditions is true:
The account that you are using does not have permissions to the parent object.
The serverReference attribute is not set on the parent object.
Exchange System Manager performs a Lightweight Directory Access Protocol (LDAP) search for NTDS Settings objects in the Configuration/Sites container in the Active Directory directory service. You can locate the following NTDS Settings object by using the ADSI Edit snap-in or the LDP utility:
CN=NTDS Settings,CN=Server_Name,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Your_Domain,DC=com,
In this object, Server_Name is the name of a Windows-based domain controller.
Exchange System Manager then tries to read the serverReference attribute from the parent object. The parent object of the NTDS Settings object is the following server object:
CN= Server_Name,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Your_Domain,DC=com,
Because the account that you are using does not have permissions to the parent object, or because the serverReference attribute is missing on the parent object, an E_FAIL error condition is returned. You then receive the error message that is mentioned in the "Symptoms" section.
Back to the top
RESOLUTIONTo resolve this issue, you must first locate the server object. This server obje...To resolve this issue, you must first locate the server object. This server object is either the object that your account does not have permissions to. Or, it is the domain controller object that contains a value that is not valid in the serverReference attribute. Then, you must grant your account the permissions that are required for the server object in Active Directory. Or, you must populate the serverReference attribute value for the server object.
Step 1: Locate the server object
Use the following script to locate the server object.
Note In line 4 of the following code, replace Your_Domain with your domain, and replace com with your domain suffix.
set connection = CreateObject("ADODB.Connection")
connection.Provider = "ADsDSOObject"
connection.Open()
set rsObjects = connection.Execute("
";(objectCategory=ntdsdsa);distinguishedName")
while not rsObjects.EOF
set obj = GetObject("LDAP://" + rsObjects.Fields("distinguishedName"))
set dc = GetObject(obj.Parent)
WScript.Echo "This is the DN of the server:" & dc.distinguishedName
if (dc.serverReference="") _
Then WScript.Echo "Error: This attribute serverReference is not found" _
else WScript.Echo "This is the ServerReference attribute of the server:" & _
dc.serverReference
rsObjects.MoveNext()
wend
Step 2: Resolve the issue
Method 1: Grant your account the permissions that are required for the server object in Active Directory
To determine whether your account has permissions to the server object, use the Dsacls utility that is included with the Microsoft Windows Support Tools. To do this, follow these steps:
Click Start, click Run, type cmd, and then click OK.
Type the following command:
dsacls "cn=server_name,cn=servers,cn=site_name,cn=sites,cn=configuration,dc=domain,dc=domain_suffix
In the command, server_name is the name of the server, site_name is the name of the Windows site, and domain and domain_suffix are the forest root domain, for example, dc=contoso,dc=com.
The correct permissions on that object should be similar to the following output:
Access list:
Effective Permissions on this object are:
Allow DOMAIN\Domain Admins FULL CONTROL
Allow NT AUTHORITY\SYSTEM FULL CONTROL
Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow DOMAIN\Enterprise Admins FULL CONTROL
Allow DOMAIN\Domain Admins SPECIAL ACCESS
DELETE
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
LIST OBJECT
CONTROL ACCESS
Permissions inherited to subobjects are:
Inherited to all subobjects
Allow DOMAIN\Domain Admins FULL CONTROL
Allow DOMAIN\Enterprise Admins FULL CONTROL
Allow DOMAIN\Domain Admins SPECIAL ACCESS
DELETE
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
LIST OBJECT
CONTROL ACCESS
Method 2: Populate the serverReference attribute value for the server object
If the serverReference attribute value is not set, populate the value. Use the distinguished name of the server object as the value that you populate the attribute with. You can locate this distinguished name under the following domain partition:
CN=Server_Name,OU=Domain Controllers, DC=Your_Domain,DC=Domain Suffix
.Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.
Install the ADSI Edit snap-in if it is not already installed.
The ADSI Edit snap-in is included with the Microsoft Windows 2000 Server Support Tools. To install the Windows 2000 Server Support Tools, run Setup.exe from the Support\Tools folder on the Microsoft Windows 2000 Server CD.
Click Start, click Run, type adsiedit.msc, and then click OK.
If you want to connect to a different domain controller, click Connect to on the Action menu, click Select or type a domain or server, type the fully-qualified domain name of the domain controller, and then click OK.
Expand Configuration Container [Server_Name.Your_Domain.com]
Expand CN=Configuration,DC=Your_Domain,DC=com
Expand CN=Sites.
Expand CN=Site_Name.
Expand CN=Servers.
Expand CN=Server_Name.
In this step, Server_Name is the name of the domain controller.
Right-click the domain controller server object, and then click Properties.
Select the serverReference attribute.
If this attribute is empty, populate it with the distinguished name of the server object that appears under the domain partition. To do this, follow these steps:
In the ADSI Edit snap-in, locate and then expand Domain NC [Server_Name.Your_Domain.com].
Expand DC=Your_Domain,DC=com.
Expand OU= Domain Controllers.
Expand CN=Server_Name.
Right-click Server_Name, and then copy the value of the distinguishedName attribute. This data can be pasted into the serverReference attribute that is mentioned in step 11.
Note The procedure in step 12 uses the default location for the server object.
Back to the top
MORE INFORMATIONMicrosoft provides programming examples for illustration only, without warranty...Microsoft provides programming examples for illustration only, without warranty either expressed or implied, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and the tools that are used to create and debug procedures. Microsoft support professionals can help explain the functionality of a particular procedure, but they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements. If you have limited programming experience, you may want to contact a Microsoft Certified Partner or the Microsoft fee-based consulting line at (800) 936-5200. For additional information about the support options available from Microsoft, visit the following Microsoft Web site:
http://support.microsoft.com/default.aspx?scid=fh;[LN];CNTACTMS
No comments:
Post a Comment