Cannot see mailbox stores on parent domain exchange server
Hello, We've just set up a child domain in our branch office; we have our exchange server at our main office on the parent domain. I've run domain prep on the child domain so I can now do exchange tasks and mail activate child domain users, however when I choose to create a new mailbox I get to the part where you have to choose the mailbox store and the popup list is empty. I thought this might be a permissions thing but the mailbox stores have access granted to the enterprise admin. Is there something I've missed? Thanks, Kevin
July 26th, 2010 5:11pm

Hi Qreen

In addition to running domainprep in the child domain, you will have to create a Domain RUS for the child domain in order to have Exchange mailboxes for users in the child domain. I hope the following information may help you to resolve the issue:

SYMPTOMS
When Microsoft Exchange 2000 Server or Microsoft Exchange Server 2003 is installed, two Recipient Update Services (RUS) are created, one for the Enterprise Configuration and another for the domain. The domain Recipient Update Service only processes objects in the Windows domain where Exchange was installed. When you create a user in a remote Windows domain, the Recipient Update Service does not process that account.

CAUSE
A Recipient Update Service is not automatically created for a remote or child Windows domain. This causes the Recipient Update Service to not be able to process any mailbox-enabled users or mail-enabled users in the remote or child Windows domain.

RESOLUTION
To resolve this issue, first run Exchange Setup with the /domainprep switch on a server in the remote Windows domain. Then, on your Exchange server use the Exchange System Manager to create a Recipient Update Service for the remote domain. To do this, follow these steps:
1. Click Start, click Programs, click Microsoft Exchange, and then click System Manager.
2. Expand the Organization object, and then expand the Recipients container.
3. Click Recipient Update Service.
4. In the right pane, right-click New, and then click Recipient Update Service.
5. Click the domain that does not have an instance of the Recipient Update service and that has users that must be updated by Exchange.
6. Click Next.
7. Choose the server that you want to run the Recipient Update Service and process all the necessary users with the Exchange attributes.
8. Click Next.
9. Click Finish.
10. To manually initiate an update of the recipients in that domain, right-click the Recipient Update Service, and then click Update Now to force an update.

Please refer to KB 275294 - http://support.microsoft.com/kb/275294
Wish it will be helpful for you :)
Regards,
July 26th, 2010 7:17pm

Ah yes, I've already created the RUS for the child domain. It doesn't seem to make any difference though, even after clicking "update now". I tried deleting the RUS and creating it again; this time I received an error saying "The RPC server is unavailable". There's a KB article here that covers this - http://support.microsoft.com/kb/271328/en-us I don't understand though, I only have one domain controller in the child domain so how come it isn't available? The workarounds on that KB article seem to be basically to disable the unavailable DC to force the RUS setup to select a different one; that's not going to work for me though as I only have one. Thanks, Kev
July 27th, 2010 2:04pm

ok, I've managed to create the RUS for the child domain again. The exchange server searches for the child DC by first name only. I set the exchange server to add first the parent domain and then the child domain suffix when resolving names. So, the RUS is back but I still can't see the mailbox stores from the child DC when I try to create a mailbox. Should I be using replmon to view the update?
July 27th, 2010 2:27pm

Hi Kev, do you see an event like the next one in Event Viewer:

Event ID: 2080
Computer: EXCHANGE
Description: Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1188). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
adsrv.vtunes.net CDG 1 7 7 1 0 1 1 7 1
adsrv2.vtunes.net CDG 1 7 7 1 0 0 1 7 1
Out-of-site:
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
July 27th, 2010 4:37pm

No I don't, I take it you mean on the exchange server... Also I've just read in a MS article that RUS is needed in every domain that either hosts an exchange server or any mail enabled users. So I need to create an RUS on the child domain pointing back to the exchange server? The exchange system manager on the child DC doesn't show the recipient update services folder though...
July 27th, 2010 5:27pm

Yes, it's for the exchange server. To see this event, you must increase diagnostics logging on the MSExchangeDSAccess category:
1. From Exchange 2000 or Exchange 2003, click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. Expand your organization name, expand Administrative Groups, expand Applicable Administrative Group, and then expand Servers.
3. Right-click Applicable Exchange server name, and then click Properties.
4. Click the Diagnostics Logging tab, click MSExchangeDSAccess Service in the left pane, and then click Topology in the right pane.
5. Set the logging level to Medium or higher, click Apply, and then click OK.
If possible, restart the Exchange server to see the initial topology detection.
July 27th, 2010 6:20pm

ok, I've turned on the logging. I've found an event id 2080 already... The child domain DC seems to be listed as "out of sight"
July 27th, 2010 6:45pm

Now I think that you have to do some steps to make it work:
1. On the DC > Active Directory Users & Computers, click on the View menu and select Advanced Features.
2. Then browse to the Domain Controllers OU, right click on the DC which misses the SACL right and select Properties.
3. Click on the Security tab and select Advanced.
4. On the Permissions tab, click on Add > select the Exchange Servers security group and click on OK.
5. You will see a dialog with two tabs: Object and Properties. Select Properties.
6. Then scroll down until you find Read nTSecurityDescriptor. Check Allow, click on OK as much as needed to close the window.
Then check your event log after a while. Your DC should now report that it has the SACL right.
Regards
July 27th, 2010 7:13pm
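
Added example (not part of any post in this thread): a small Python parser for Event ID 2080 rows like those quoted above, mapping each value to its column and flagging a DC that lacks the SACL right or is not fully reachable. The reachability bit meanings and the `childdc.branch.example.test` row are assumptions made for illustration.

```python
import re

# Column order after the server name, as printed in the event's own header.
COLUMNS = ["roles", "enabled", "reachability", "synchronized", "gc_capable",
           "pdc", "sacl_right", "critical_data", "netlogon", "os_version"]

# Assumption: reachability is a bitmask (1 = GC, 2 = DC, 4 = config DC),
# so 7 means the server answered in all three roles.
REACH_BITS = {1: "GC", 2: "DC", 4: "config DC"}

# Matches "<fqdn> CDG n n n n n n n n n" whether the rows sit on separate
# lines or were flattened onto one line when the event was pasted.
ROW = re.compile(r"([\w.-]+)\s+([CDG-]{3})((?:\s+\d+){9})")

SAMPLE = (  # constructed: the two rows from the thread plus a made-up child DC
    "(Server name | Roles | Enabled | Reachability | Synchronized | GC capable"
    " | PDC | SACL right | Critical Data | Netlogon | OS Version) "
    "In-site: adsrv.vtunes.net CDG 1 7 7 1 0 1 1 7 1 "
    "adsrv2.vtunes.net CDG 1 7 7 1 0 0 1 7 1 "
    "Out-of-site: childdc.branch.example.test CDG 1 6 7 1 0 0 1 7 1"
)


def parse_2080(description):
    """Return one dict per domain controller row in a 2080 description."""
    servers = []
    for name, roles, numbers in ROW.findall(description):
        values = [roles] + [int(n) for n in numbers.split()]
        servers.append({"server": name, **dict(zip(COLUMNS, values))})
    return servers


def findings(dc):
    """List what the row says is wrong with this DC from Exchange's view."""
    problems = []
    if dc["sacl_right"] != 1:
        problems.append("missing SACL right")
    missing = [label for bit, label in REACH_BITS.items()
               if not dc["reachability"] & bit]
    if missing:
        problems.append("not reachable as " + ", ".join(missing))
    return problems


def report(description):
    """Map each server name to its list of findings (empty list = clean)."""
    return {dc["server"]: findings(dc) for dc in parse_2080(description)}


if __name__ == "__main__":
    for server, problems in report(SAMPLE).items():
        print(server, "OK" if not problems else "; ".join(problems))
```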

ok, I think we're getting somewhere. The child DC doesn't show in the Domain Controllers OU in the parent domain, I can only see the 3 parent domain DCs. Should I be able to see the child DC in the domain controller OU in the parent domain?
July 27th, 2010 7:28pm

But you can see them all from the child domain, right?
July 27th, 2010 7:44pm

no, from the child domain I can only see the child DC. I wasn't sure if that was right. I can browse to the other domain when adding users to groups etc.....
July 27th, 2010 7:47pm

You have to do the steps on the child domain for the purpose of Exchange to see it, so you can make the steps in the child domain. Try it and I'm still with you until it works :)
July 27th, 2010 7:59pm

So, from the child domain controller I should be able to see the 3 Domain Controllers in the parent domain? They should show up in the Domain Controllers OU? How do I get to that point? I thought I'd created the child domain correctly.
July 28th, 2010 1:02pm

Hi, if you can connect from the parent domain to the child from ADUC and can search your parent domain and add objects to groups in the child with no error, then it's ok. If you want to validate your child, there are many ways to do so:
- Try to connect from the root to the child using ADUC.
- Search for an object to add in a child group.
- The event log will tell you if anything is wrong.
- From the child, run: "netdom query fsmo". The forest roles (DNM and SM) should be reported to be in a parent DC.
About the "Read nTSecurityDescriptor", it must be done in the child domain.
Regards
|Ahmed Tarek | Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 28th, 2010 4:56pm

ok, I'm having problems changing the "Read nTSecurityDescriptor" When I try it on the child dc there's no security tab at all. I'm just downloading the support tools pack so I can run netdom Thanks
July 28th, 2010 5:33pm

ok, netdom looks ok, schema owner and domain role owner are both in the parent domain as you say. The other 3 roles are on the single child dc.
July 28th, 2010 5:39pm

ok, I'm a fool. I've found the security tab on the child dc. Which group do you need me to add? the exchange enterprise servers group is already there. If I browse the parent domain I can see the exchange services group, is that the one you mean? If so, I can't see the "Read nTsecurityDescriptor" permission in the property list...........
July 28th, 2010 5:47pm

Hi, you can try another way that might be useful for you:
1. From Run > MMC > add the ADSI Edit tool > Domain > Domain Controller OU.
2. Right click on the OU, select Properties > Security tab > Advanced > Permission tab.
3. Click on Add, add the Exchange Servers security group, click on OK.
4. Select Properties.
5. Find "Read nTSecurityDescriptor", check mark on Allow.
6. Click OK to the end.
Good luck
|Ahmed Tarek | Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 28th, 2010 7:20pm

ok, I can't see an exchange servers group, only an exchange services one in the parent domain. I used that one and ticked "allow" on the Read nTSecurityDescriptor permission. The 2080 event is still in the event log on the exchange server, it says SACL right although looking back it always has. The event looks the same. The stats for all 4 servers show CDG 771 0 1171. I'm still unable to view the mailbox stores, is there more? I started an update on the child domain RUS, I'll leave it a while and try again. Do I need to create a recipient update service from the child DC? I shouldn't need to as it's already in place on the mail server in the parent domain, right? Thanks very much for all your help.
July 29th, 2010 12:46pm

> ok, I can't see an exchange servers group, only an exchange services one in the parent domain. I used that one and ticked "allow" on the Read nTSecurityDescriptor permission. The 2080 event is still in the event log on the exchange server, it says SACL right although looking back it always has. The event looks the same. The stats for all 4 servers show CDG 771 0 1171. I'm still unable to view the mailbox stores, is there more? I started an update on the child domain RUS, I'll leave it a while and try again. Thanks very much for all your help.

This option must be ticked for the child.
|Ahmed Tarek | Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 29th, 2010 1:18pm

ok, so from the child DC I used ADSIedit to tick allow on the permission for the parent domain group Exchange Services. I've also realised I've been logging into the child DC as the child domain admin which didn't have exchange full admin rights. Once I gave the child domain admin full exchange rights using the delegate control wizard everything started working. I can see the mailbox stores from the child dc and open exchange system manager. Thanks again Ahmed, you're a lifesaver!
July 29th, 2010 2:37pm

You Are welcome Green any time :D .. kindly propose it As Answer .. it might be beneficial to other community members|Ahmed Tarek | Please vote helpful or mark as answer if it's answered your question, this help us follow up the question status.
July 29th, 2010 4:02pm

Hi, One more thing if that's ok. I can now create mailboxes for child domain users. I was having trouble logging in via owa and outlook though, so I tried running domainprep again in the child domain. Domainprep is failing now with this error in the event viewer - Exchange Server component MicrosoftExchange Domain Preparation failed. Error - 0x0070560 - The specified local group does not exist. I've checked and both the enterprise and domain exchange server groups are in the users OU. Maybe I should start a new thread?
July 29th, 2010 5:10pm

This topic is archived. No further replies will be accepted.
