In the Daily Drill Down entitled “Understanding Exchange 2000's Active Directory Connector,” I talked about planning, deploying, and configuring the Active Directory Connector (ADC). The ADC allows Exchange 5.5 to communicate with Windows 2000 and Exchange 2000. Unfortunately, the ADC, like many other components, comes with its own share of problems. In this article, I’ll take a look at where you might encounter some of these problems from the installation to the day-to-day use of the connector.
Nine times out of 10 you’ll encounter most of your technical nightmares during the installation of any software. Installing the ADC is no different. Here is a small sampling of some problems you might encounter during installation of the ADC.
Schema update stops during install
During the install of the ADC, the Windows 2000 schema is updated. If the schema master is a machine that is too slow, you may receive the following message:
Schema Update failed—-Busy.
The only way to correct this error is make a faster machine the schema master.
Error message during install of the ADC on Windows 2000 Advanced Server
When installing the ADC on a Windows 2000 Advanced Server, you may get this error message:
Extending the schema in the Active Directory failed.
Please consult the following error log: %s\ldif.err.
ID no: c1037ae6
Microsoft Active Directory Connector Setup
This problem occurs because when you ran Exchange 2000’s setup, the user account you logged on to the server with was not a member of the local Administrators and the global schema Admins group. Add the logged in account to those groups, and you’ll be good to go.
Post installation problems
Okay, now you’ve gotten over that install hump. So, what happens if all is not right when setting up the connection agreements? Here are some additional problems you may encounter.
Establishing a connection agreement on an Exchange 5.5 server located on a Windows 2000 DC
You may receive this message when trying to establish a connection agreement on an Exchange 5.5 server that is running on a Windows 2000 domain controller:
The Microsoft Exchange specified on the Connections page is invalid.
Enter a valid server name.
ID no c1031b9e
Microsoft Active Directory Connector Management.
An Active Directory (AD) domain controller (DC) uses port 389 to talk to the Exchange server, and when it does, it locks up the port. This causes problems for the ADC because it is also trying to use the same port (via LDAP) when establishing a connection agreement via the ADC and Exchange. This situation is easily resolved by changing the default LDAP port in Exchange with the Exchange Server Administrator program. Once it’s changed, restart the Exchange directory service and reestablish the connection agreement.
Setting a connection agreement produces an error
When setting a connection agreement on either an Exchange 5.5 or Windows 2000 server, you may get the following message:
The credentials specified on the Connections tab are
incorrect or do not have sufficient permissions to access
the Exchange 5.5 Directory. Please ensure that the credentials
specified are entered correctly and that sufficient permissions
are granted in order to access the Exchange 5.5 directory.
ID no: c1031b95
Microsoft Active Directory Connector Management
This is caused by not having the permissions set correctly or having the incorrect service pack installed on the Exchange server. To fix this, make sure you have Service Pack 2 or later installed, check the permissions to make sure they are set correctly, or change the port number to something other then 390 (in case the port is already in use). Accounts used to set up the ADC should be able to log on locally and access the computer from the network. The Exchange service account should have Service Account Administrator rights at the site, organization, and configuration levels, as well.
Saving a connection agreement produces an error (Exchange 5.5)
When attempting to save a connection agreement that specifies a connection between and Exchange 5.5 and Windows 2000 server, you might be presented with the following message:
The credentials specified on the connections tab are incorrect
or do not have sufficient permissions to access the Exchange 5.5
directory. Please ensure that the credentials specified are
entered correctly and that sufficient permissions are granted
in order to access the Exchange 5.5 directory.
Error ID c103aa11
Microsoft Active Directory Management
This occurs because the Exchange 5.5 LDAP Windows NT Challenge/Response is disabled. To correct this problem, enable it on either the one Exchange server you are creating the agreement with or on all Exchange servers in the site.
Saving a connection agreement (Exchange 2000)
When attempting to save a connection agreement on a member server, you might receive the following error:
An Error has occurred while saving the Connection Agreement
credentials with the security authority on the ADC server
responsible for this Connection Agreement. Please ensure that the
account you are logged in as has permissions to administer the ADC
Service and that the ADC Service has been started as a member of
the built-in Administrators security group. id no:c103aa66
Microsoft Active Directory Connector Management
This happens because the account used as the ADC service account is not added to the local Administrators group during the setup. This is a known bug in Exchange 2000’s Setup program. To correct this, manually add the service account to the computer’s local Administrator group.
Day-to-day problems with the ADC
It’s installed; it’s configured, but how about those inevitable things that happen while it’s running? No need to fear, here are a few suggestions that might get you back in business:
Active Directory replication causes event 8182
When replication occurs and event 8182 pops up, the following will appear in the application log:
Event ID: 8182
Description: Could not import the entry
into the directory server 'DOMAINPDC' in the
second attempt. (Connection Agreement 'TestADC')
No Data will be available.
This happens because the right permissions have not been assigned to the account used in the configuration of the AD connection agreement. The lack of proper rights keeps the connector from performing the replication according to the connection agreement.
If you’re trying to perform one-way replication, the account must have Read access to the export folder and Write access to the import folder involved in the replication.
If you’re going for two-way replication, the account must have Read and Write access on not only the Windows 2000 Active directory but also the Exchange server, as well.
To remedy this problem, give the account the proper rights to perform the replication, set the connection to use the Exchange service account, or make the account part of the domain administrators.
The ADC service stops
The ADC service may stop and log the following error:
Event ID: 8145
Description: Exception c0000005 was raised at address <some #>
Event ID: 8143
Descriptions: The Connection Agreement (Name and Site)
threw an unexpected exception.
This happens when a Fully Qualified Domain Name (FQDN) is specified in the Exchange Server Information portion of the Connections tab on the connection agreement. To fix the problem, change the FQDN to the NETBIOS name of the Exchange server.
As you can see from this small sampling of issues, the Active Directory Connector, like it’s predecessors in Windows technology, comes with its fair share of problems and issues. Some of the messages can be a bit confusing, but with a little bit of work, you can resolve most of the problems you’ll encounter.
The authors and editors have taken care in preparation of the content contained herein but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.