
Thread: Problem getting Exchange 2000 to see AD 2003 GC

  1. #1
    BeFree Guest

    Problem getting Exchange 2000 to see AD 2003 GC

    We are trying to decide the best way to upgrade our AD 2000 & Exchange 2000
    domain to 2003. I can't upgrade the AD servers because they're off the HCL,
    so I want to replace them with newly built Windows 2003 servers, dcpromo'd
    into the tree (after the prerequisite adprep and mangle prevention tasks
    ....). We're working all of this out in the testlab first. For the full
    story and proposed migration plan, see
    http://x220.win2ktest.com/forum/topi...TOPIC_ID=13776

    The problem is we can't seem to get Exchange 2000 to work after doing that.
    It cannot see the newly created Windows 2003 AD as a Global Catalog. It
    does appear to actually be a GC, repadmin /showreps says IS_GC, and it's
    listed in DNS as a GC as well. But in Exchange System Manager on the
    Directory Access tab it does not recognize the 2003 server automatically. If
    we set it to manual and force it to that new server, the message stores don't
    mount and it complains that there is no GC. All the Microsoft literature
    I've read says that Exchange 2000 will work just fine with AD 2003, but they
    usually are talking about an upgrade path.

    When we ran through the scenario of doing it as an upgrade after DCPROMO,
    the 2003 server does work just fine with Exchange. Only when it's a clean
    build of Windows 2003 fresh (which is what I'd prefer for many reasons) does
    it cause Exchange grief.

    Can anyone confirm that this should work, promoting a Windows 2003 server
    and using it as a GC for Exchange 2000? Or will I need to keep a Windows
    2000 GC available until Exchange 2003 has replaced Exchange 2000 completely
    in our environment?

  2. #2
    Tony Murray Guest
    The DC/GC may not be properly synchronized. You can check by connecting to
    RootDSE (using LDP.EXE) and looking for the IsSynchronized flag. Another
    good option would be to wind up the diagnostics logging on DSAccess, as
    explained in the following article.

    http://support.microsoft.com/kb/316300

    Tony
    www.activedir.org

  3. #3
    BeFree Guest
    Excellent idea. We turned on the logging as described, and the email server
    does see it as a GC, but still under the Directory Access tab it never shows
    up. We tried with two different servers running Windows 2003, one with SP1
    and another without. They both show the 1 in the Global Catalog bit, DC5 is
    2K3 SP1 & DC4 is 2K3 without SP1. DC2 and YVE are not reachable, they're
    from the production network and this is the testlab network. I do see from
    this that the 2K3 servers do not get the SACL right - I am going to go check
    the default domain controller security policy and make sure that Enterprise
    Exchange servers has the right to manage the event logs (correct?)

    Next week we are going to bring in another Windows 2000 server and then
    upgrade it to 2K3 and see that it works. The first time we did that test it
    worked just fine, it's just the new clean build of 2K3 that's giving us the
    issue.

    Event Type: Information
    Event Source: MSExchangeDSAccess
    Event Category: Topology
    Event ID: 2080
    Date: 5/20/2005
    Time: 12:14:40 PM
    User: N/A
    Computer: CI-MAIL3
    Description:
    Process MAD.EXE (PID=1140). DSAccess has discovered the following servers
    with the following characteristics:
    (Server name | Roles | Reachability | Synchronized | GC capable | PDC |
    SACL right | Critical Data | Netlogon)
    In-site:
    ci-dc2.CI.conservation.org CDG 0 0 1 0 0 0 0
    ci-dc3.CI.conservation.org CDG 7 7 1 0 1 1 7
    ci-dc1.CI.conservation.org CDG 7 7 1 0 1 1 7
    CI-DC5.CI.conservation.org CDG 7 7 1 0 0 1 7
    Out-of-site:
    ci-dcyve.CI.conservation.org CDG 0 0 1 0 0 0 0

    For more information, click http://www.microsoft.com/contentredirect.asp.

    Event Type: Information
    Event Source: MSExchangeDSAccess
    Event Category: Topology
    Event ID: 2080
    Date: 5/20/2005
    Time: 5:33:11 PM
    User: N/A
    Computer: CI-MAIL3
    Description:
    Process INETINFO.EXE (PID=1060). DSAccess has discovered the following
    servers with the following characteristics:
    (Server name | Roles | Reachability | Synchronized | GC capable | PDC |
    SACL right | Critical Data | Netlogon)
    In-site:
    CI-DC5.CI.conservation.org CDG 7 7 1 0 0 1 7
    ci-dc3.CI.conservation.org CDG 7 7 1 0 1 1 7
    ci-dc1.CI.conservation.org CDG 7 7 1 0 1 1 7
    ci-dc2.CI.conservation.org CDG 0 0 1 0 0 0 0
    ci-dc4.CI.conservation.org CDG 7 7 1 0 0 1 7
    Out-of-site:
    ci-dcyve.CI.conservation.org CDG 0 0 1 0 0 0 0
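
Added example, not part of the original thread: a small Python parser for the event 2080 server table posted above, which lists the reachable, GC-capable servers that show 0 under "SACL right" (the pattern reported here for the clean-built 2003 DCs). The function names are this example's own, the sample text is the INETINFO.EXE event copied from the post, and treating any nonzero Reachability value as "reachable" is an assumption of the example.

```python
import re
from typing import List, NamedTuple


class DsServer(NamedTuple):
    # Field order follows the header line printed in the event description.
    site: str            # "In-site" or "Out-of-site"
    name: str
    roles: str
    reachability: int
    synchronized: int
    gc_capable: int
    pdc: int
    sacl_right: int
    critical_data: int
    netlogon: int


# One table row: server name, roles string, then exactly seven integers.
ROW = re.compile(r"^(\S+)\s+(\S+)((?:\s+\d+){7})$")

# Event text as posted in the thread (INETINFO.EXE, 5/20/2005 5:33:11 PM).
SAMPLE = """
Process INETINFO.EXE (PID=1060). DSAccess has discovered the following
servers with the following characteristics:
(Server name | Roles | Reachability | Synchronized | GC capable | PDC |
SACL right | Critical Data | Netlogon)
In-site:
CI-DC5.CI.conservation.org CDG 7 7 1 0 0 1 7
ci-dc3.CI.conservation.org CDG 7 7 1 0 1 1 7
ci-dc1.CI.conservation.org CDG 7 7 1 0 1 1 7
ci-dc2.CI.conservation.org CDG 0 0 1 0 0 0 0
ci-dc4.CI.conservation.org CDG 7 7 1 0 0 1 7
Out-of-site:
ci-dcyve.CI.conservation.org CDG 0 0 1 0 0 0 0
"""


def parse_event_2080(description: str) -> List[DsServer]:
    """Return one DsServer per table row; prose and header lines are skipped."""
    servers, site = [], None
    for raw in description.splitlines():
        line = raw.strip()
        if line in ("In-site:", "Out-of-site:"):
            site = line[:-1]
            continue
        m = ROW.match(line)
        if m and site is not None:
            flags = [int(n) for n in m.group(3).split()]
            servers.append(DsServer(site, m.group(1).lower(), m.group(2), *flags))
    return servers


def missing_sacl_right(servers: List[DsServer]) -> List[str]:
    """Names of reachable, GC-capable servers whose SACL right column is 0."""
    seen, out = set(), []
    for s in servers:
        if s.reachability and s.gc_capable and not s.sacl_right and s.name not in seen:
            seen.add(s.name)
            out.append(s.name)
    return out


if __name__ == "__main__":
    for name in missing_sacl_right(parse_event_2080(SAMPLE)):
        print("SACL right = 0:", name)
```

Unreachable servers (ci-dc2 and ci-dcyve, Reachability 0) are left out of the result because all of their columns read 0 regardless of permissions.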




  4. #4
    BeFree Guest
    Confirmation that under the Default Domain Security Policy, Enterprise
    Exchange Servers is listed under Manage Auditing and Security Log. Any idea
    how to get the SACL bit to be 'happy' on Windows 2003 AD?



  5. #5
    Tony Murray Guest
    It sounds like you're on the right track with investigating the SACL right.
    What method did you use to check the right? I believe that the old
    policytest.exe has been replaced by the polcheck part of OrgPrepCheck. Have
    a look at the following article.

    http://support.microsoft.com/default...oduct=exch2003

    I believe RUS is responsible for propagating the right, so it might also be
    good to check to see that RUS is working properly.

    Tony
    www.activedir.org


