Event ID 2116 — Active Directory Integration Configuration

Updated: January 31, 2008

Applies To: Windows Server 2008

Directory Service Integration enables Message Queuing to function in domain mode. This makes possible the publication of queue properties to Active Directory Domain Services (AD DS) (for public queues), out-of-the-box authentication, encryption of messages using certificates that are registered in AD DS, and routing of messages across Message Queuing sites.

The health of the initial Active Directory integration configuration process is important for Message Queuing. Integration with AD DS is required so that Message Queuing can use the features that the Message Queuing domain mode operation supports.

Event Details

Product: Windows Operating System
ID: 2116
Source: MSMQ
Version: 6.0
Symbolic Name: CreateMsmqConfig_ERR
Message: Message Queuing was unable to create the msmq (MSMQ Configuration) object in Active Directory. Error %1: %2

Diagnose

The MSMQ configuration object cannot be created in Active Directory Domain Services (AD DS). This error might be caused by one of the following conditions:

  • The user who is installing Message Queuing does not have the correct permissions to create child objects in AD DS.
  • Replication delays are not configured properly.
  • A corrupted computer object exists in AD DS.

To perform these procedures, you must have membership in Administrators, or you must have been delegated the appropriate authority.

The user who is installing Message Queuing does not have the correct permissions to create child objects in AD DS

To confirm that the user who is installing Message Queuing is a domain user and a member of the local administrators security group:

  1. Open the Computer Management console. To open Computer Management, click Start. In the search box, type compmgmt.msc, and then press ENTER.
  2. In the console tree, expand System Tools, expand Local Users and Groups, and then click Groups.
  3. In the details pane, double-click Administrators.
  4. In the Members section, confirm that the user is a member of this group (Administrators).
  5. If the user is not a member of the group, see the section titled “Grant appropriate permissions.”

Replication delays are not configured properly

  • If you determine that replication delays are the problem, see the section titled “Configure replication delays.”

A corrupted computer object exists in AD DS

To confirm that there are stale computer objects:

  1. Click Start, point to Administrative Tools, right-click Active Directory Users and Computers, and then click Run as administrator.
  2. On the View menu, ensure that Users, Contacts, Groups and Computers as containers is selected and that Advanced Features is selected.
  3. Browse to the particular computer. Check whether there are Message Queuing objects present under that computer.
  4. If there are Message Queuing objects and Message Queuing with Active Directory Integration is not installed on that particular computer, these objects are stale.
  5. If you determine that there are stale objects, see the section titled “Remove stale Active Directory objects.”

If you continue to get this error, note any details in the event message, and then contact Microsoft Customer Service and Support (CSS). For information about how to contact CSS, see Enterprise Support (http://go.microsoft.com/fwlink/?LinkId=52267).

Resolve
Grant appropriate permissions

Message Queuing may not be able to create Active Directory objects if the account it is running under does not have appropriate permissions. Check the following:

  1. Confirm that the user who is installing Message Queuing is a domain user and a member of the local administrators group.
  2. Confirm that the proper Active Directory service tools are installed.
  3. If the account is a domain user, contact your domain administrator to check privileges.
  4. If you have the appropriate permissions, grant the Message Queuing user account permission to modify child objects.

To perform these procedures, you must have membership in Administrators, or you must have been delegated the appropriate authority.

Confirm that the user who is installing Message Queuing is a domain user and a member of the local administrators group

To confirm that the user who is installing Message Queuing is a domain user and a member of the local administrator group:

  1. Open the Computer Management snap-in. To open Computer Management, click Start. In the search box, type compmgmt.msc, and then press ENTER.
  2. In the console tree, expand System Tools, expand Local Users and Groups, and then click Groups.
  3. In the details pane, double-click Administrators.
  4. In the Members section, confirm that the user is a member of this group (Administrators). If the user is not a member of this group, add the user to the group.

Confirm that the proper Active Directory service tools are installed

To confirm that the proper Active Directory service tools are installed:

  1. Click Start, point to Administrative Tools.
  2. Ensure that the following Active Directory tools appear in the list:
    • Active Directory Domains and Trusts
    • Active Directory Sites and Services
    • Active Directory Users and Computers

Grant the Message Queuing user account permission to modify child objects

If you have the appropriate permissions, use the following procedure to grant the Message Queuing user account permission to create and delete child objects. You must have the Active Directory services and control components installed in Role Administration Tools under the Remote Server Administration feature.

To grant Message Queuing user account permissions:

  1. Click Start, point to Administrative Tools, right-click Active Directory Users and Computers, and then click Run as administrator.
  2. On the View menu, ensure that Users, Contacts, Groups and Computers as containers is selected and that Advanced Features is selected.
  3. Right-click the name of your computer, and then click Properties.
  4. On the Security tab, make sure that the user is a part of a group that has permission to create and delete child objects.

For more information about the correct access control settings, see your Active Directory documentation.

Contact Microsoft

If possible, consult with your domain administrator by providing the error description in the event.

If you continue to get this error, note any details in the event message, and then contact Microsoft Customer Service and Support (CSS). For information about how to contact CSS, see Enterprise Support (http://go.microsoft.com/fwlink/?LinkId=52267).

Configure replication delays

There is an issue with replication delays. This issue should be resolved after Active Directory Domain Services (AD DS) replicates itself. After replication is complete, try to create the Active Directory object again:

  • For smaller networks, replication should take a few minutes.
  • For larger networks, the replication may take a long time.

Advanced users and domain administrators can also use the Knowledge Consistency Checker (KCC) to configure replication delays. For more information about optimizing Active Directory replication in a large network, see article 244368 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=107511).

Remove stale Active Directory objects

Stale objects can cause issues that prevent the MSMQ Service from operating properly. Deleting stale objects may solve this problem. However, deleting a computer object in Active Directory Domain Services (AD DS) can cause problems on the client computer. Before you delete the computer object, make sure that no services that are running on the client computer will be affected. In this case, deleting the Message Queuing Active Directory object will delete public queues on that computer.

You must have the Active Directory service tools installed in Role Administration tools under Remote Server Administration.

To perform these procedures, you must have membership in Administrators, or you must have been delegated the appropriate authority.

Confirm that Active Directory service tools are installed

To confirm that Active Directory service tools are installed:

  1. Click Start, point to Administrative Tools, right-click Active Directory Users and Computers, and then click Run as administrator.
  2. Confirm that the following Active Directory tools appear in the list:
    • Active Directory Domains and Trusts
    • Active Directory Sites and Services
    • Active Directory Users and Computers

Delete stale computer objects

To delete stale computer objects:

  1. Click Start, point to Administrative Tools, right-click Active Directory Users and Computers, and then click Run as administrator.
  2. On the View menu, ensure that Users, Contacts, Groups and Computers as Containers is selected and that Advanced Features is selected.
  3. Browse to the particular computer. Check whether there are Message Queuing objects present under that computer.
  4. If there are Message Queuing objects and Message Queuing with Active Directory Integration is not installed on that particular computer, this object is stale. Delete the particular Message Queuing Active Directory object, and then restart the MSMQ Service or, if necessary, restart the computer.
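The two directory-side checks described above (who holds create/delete child rights on the computer object, and whether Message Queuing objects exist under it) can be read without making any change. The following PowerShell is an added example, not part of the original article; it assumes a domain-joined computer, Windows PowerShell 3.0 or later, an account that can read the object's security descriptor, and that the msmq (MSMQ Configuration) object has the AD DS object class mSMQConfiguration.

```powershell
# Added example: read-only audit of this computer's AD DS object.
# Nothing is created, modified or deleted.

# Find the local computer's object by sAMAccountName (computer name followed by "$").
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$($env:COMPUTERNAME)`$))"
$hit = $searcher.FindOne()
if ($null -eq $hit) { throw "No computer object found for $env:COMPUTERNAME." }
$computer = $hit.GetDirectoryEntry()

# Bit values of the two rights the Security tab shows as create/delete child objects.
$create = [int][System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$delete = [int][System.DirectoryServices.ActiveDirectoryRights]::DeleteChild

# Explicit and inherited ACEs, with trustees translated to DOMAIN\name form.
$rules = $computer.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

$childRights = foreach ($rule in $rules) {
    $rights    = [int]$rule.ActiveDirectoryRights
    $canCreate = ($rights -band $create) -ne 0
    $canDelete = ($rights -band $delete) -ne 0
    if ($canCreate -or $canDelete) {
        # An all-zero ObjectType means the ACE covers every child class;
        # otherwise it is scoped to the single class with that schema GUID.
        $scope = if ($rule.ObjectType -eq [guid]::Empty) { 'any child class' } else { $rule.ObjectType }
        [pscustomobject]@{
            Trustee     = $rule.IdentityReference.Value
            Type        = $rule.AccessControlType   # Allow or Deny
            CreateChild = $canCreate
            DeleteChild = $canDelete
            Scope       = $scope
            Inherited   = $rule.IsInherited
        }
    }
}

# Message Queuing configuration objects directly under the computer object.
$childSearch = New-Object System.DirectoryServices.DirectorySearcher($computer)
$childSearch.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
$childSearch.Filter = '(objectClass=mSMQConfiguration)'
$msmqObjects = @($childSearch.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] })

"Computer object: $($computer.distinguishedName)"
$childRights | Sort-Object Type, Trustee | Format-Table -AutoSize

if ($msmqObjects.Count -eq 0) {
    'No Message Queuing objects exist under this computer object.'
} else {
    'Message Queuing objects under this computer object:'
    $msmqObjects
}
```

Compare the listed trustees with the installing user's group memberships, and treat a listed Message Queuing object as stale only if Message Queuing with Active Directory Integration is not installed on that computer.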

Verify

You can confirm the presence of the Directory Service Integration feature by doing the following:

  • Verify the registry key setting
  • Verify that the computer is joined to the correct domain
  • Verify Active Directory operation

To perform these procedures, you must have membership in Administrators, or you must have been delegated the appropriate authority.

Verify the registry key setting

Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.

To verify the registry key setting:

  1. Open Registry Editor. To open Registry Editor, click Start. In the search box, type regedit, and then press ENTER.
  2. In Registry Editor, expand HKEY_LOCAL_MACHINE, expand SOFTWARE, expand Microsoft, expand MSMQ, and then click Setup.
  3. In the details pane, double-click msmq_ADIntegrated.
  4. Confirm that Value data is set to 1.
  5. Under MSMQ, expand Parameters.
  6. In the details pane, double-click Workgroup.
  7. Confirm that Value data is not set to 1.

Verify that the computer is joined to the correct domain

To verify that the computer is joined to the correct domain:

  1. Open Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager.
  2. Verify that the domain that is listed in Computer Information is the correct domain.

Verify Active Directory operation

You can confirm that Active Directory is operating correctly by verifying that the Public Queue feature is enabled in Message Queuing.

To verify that Public Queue is enabled:

  1. Open the Computer Management snap-in. To open Computer Management, click Start. In the search box, type compmgmt.msc, and then press ENTER.
  2. Navigate to MSMQ.
  3. If the Public Queues folder exists and you can right-click the folder, Message Queuing is operating correctly in domain mode with Active Directory Integration.
  4. For further confirmation, run a test application that uses the Active Directory features that you require.
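The registry and domain checks in this section can also be scripted. The following PowerShell is an added example, not part of the original article; it assumes Windows PowerShell 3.0 or later, and the default value of `$ExpectedDomain` is a placeholder to replace with your own domain name.

```powershell
# Added example: read-only version of "Verify the registry key setting" and
# "Verify that the computer is joined to the correct domain".
# $ExpectedDomain is a hypothetical placeholder, not a value from the article.
param(
    [string]$ExpectedDomain = 'corp.example.com'
)

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Keys and value names as given in the procedure.
$setupKey  = 'HKLM:\SOFTWARE\Microsoft\MSMQ\Setup'
$paramsKey = 'HKLM:\SOFTWARE\Microsoft\MSMQ\Parameters'

$adIntegrated = Get-RegistryValueOrNull -Path $setupKey  -Name 'msmq_ADIntegrated'
$workgroup    = Get-RegistryValueOrNull -Path $paramsKey -Name 'Workgroup'

# Win32_ComputerSystem.Domain holds the workgroup name on a machine that is
# not domain-joined, so PartOfDomain has to be checked as well.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem

$checks = @(
    [pscustomobject]@{
        Check    = 'Setup\msmq_ADIntegrated is 1'
        Observed = $adIntegrated
        Pass     = ($adIntegrated -eq 1)
    }
    [pscustomobject]@{
        # The procedure only requires "not set to 1", so a missing value passes.
        Check    = 'Parameters\Workgroup is not 1'
        Observed = $workgroup
        Pass     = ($workgroup -ne 1)
    }
    [pscustomobject]@{
        Check    = "Computer is joined to $ExpectedDomain"
        Observed = $cs.Domain
        Pass     = ($cs.PartOfDomain -and ($cs.Domain -ieq $ExpectedDomain))
    }
)

$checks | Format-Table -AutoSize

# A non-zero exit code lets a monitoring job or build step flag the host.
if ($checks.Pass -contains $false) { exit 1 }
```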

Related Management Information

Active Directory Integration Configuration

Message Queuing

Related:

Process %1 (PID=%2). The domain controller %3 is running Windows %4 %5. Exchange Active Directory Provider requires that domain controllers are running Windows Server 2003 Service Pack 1 or later versions of Windows.

Details
Product: Exchange
Event ID: 2116
Source: MSExchange ADAccess
Version: 8.0
Symbolic Name: DSC_EVENT_BAD_OS_VERSION
Message: Process %1 (PID=%2). The domain controller %3 is running Windows %4 %5. Exchange Active Directory Provider requires that domain controllers are running Windows Server 2003 Service Pack 1 or later versions of Windows.
   
Explanation

This Warning event indicates that the domain controller specified in the event description is running Microsoft® Windows® 2003 Server Service Pack 1 (SP1) or a later version of Windows. This event may also occur when one or more of the following conditions are true:

  • The Microsoft Exchange Active Directory® Topology service is unable to read the serverName attribute on the RootDSE.

  • The Microsoft Exchange Active Directory Topology service is unable to read the serverReference attribute from the Active Directory configuration naming context. For more information about RootDSE attributes, see RootDSE at the MSDN Web site.

  • The Lightweight Directory Access Protocol (LDAP) query of the Active Directory domain naming context for the operatingSystem and operatingSystemServicePack attributes failed. These attributes are missing or corrupted.

You will see Unknown Operating System and Unknown Service Pack in the event description when one or more of the conditions explained here are true.

The domain controller specified in the event description will not be used. As long as there is sufficient capacity in alternative, appropriate domain controllers, mail flow will not be interrupted. However, it is recommended the issue be investigated and fixed as soon as possible.

   
User Action

To resolve this warning, do one or more of the following:

  • Upgrade the domain controller specified in the event description to Windows 2003 Server SP1 or a later version of Windows.

  • If you see Unknown Operating System and Unknown Service Pack in the event description, do one or more of the following:

    • Make sure that the account you are logged in as has Read permissions on the RootDSE.

    • Check network connectivity to the domain controller specified in the event description. For more information, see Microsoft Knowledge Base article 325487, How to troubleshoot network connectivity problems.

  • Run the Dcdiag command line tool to test domain controller health. To do this, run dcdiag /s:<Domain Controller Name> at a command prompt on the Exchange Server. Use the output of Dcdiag to discover the root cause of any failures or warnings that it reports. For more information, see Dcdiag Overview at the Microsoft Windows Server TechCenter.

If you are not already doing so, consider running the tools that Microsoft Exchange offers to help administrators analyze and troubleshoot their Exchange environment. These tools can help you make sure that your configuration is in line with Microsoft best practices. They can also help you identify and resolve performance issues, improve mail flow, and better manage disaster recovery scenarios. Go to the Toolbox node of the Exchange Management Console to run these tools now. For more information about these tools, see Toolbox in the Exchange Server 2007 Help.

Related:

An MTA database server error was encountered. Supplied object identifier <id> was not on queue <name>. [<value> <value> <value> <value>] (14)

Details
Product: Exchange
Event ID: 2116
Source: MSExchangeMTA
Version: 6.5.6940.0
Component: Microsoft Exchange Message Transfer Agent
Message: An MTA database server error was encountered. Supplied object identifier <id> was not on queue <name>. [<value> <value> <value> <value>] (14)
   
Explanation

The message transfer agent (MTA) encountered an internal processing error while processing a message or report object. This indicates a logic error or database integrity failure.

   
User Action

To help Microsoft Product Support Services determine the problem, create log files. For more information, see Microsoft Knowledge Base articles 163032 and 168906.

To create Ap*.log files, in the Diagnostics Logging tab of the Server Properties dialog box, select MSExchangeMTA and set the logging level of the Interoperability and Interface categories to Maximum. To create Bf*.log files, set the logging level of the APDU and X.400 Service categories to Maximum. Save all MTA log files (mtadata\*.log), Event Viewer output, and database files. Contact Microsoft Product Support Services.

You can enable text event log files (Ev*.log) by modifying the Registry. Contact Microsoft Product Support Services for assistance.

Related:

The device or directory does not exist.

Details
Product: Windows Operating System
Event ID: 2116
Source: System
Version: 5.0
Symbolic Name: NERR_UnknownDevDir
Message: The device or directory does not exist.
   
Explanation

You specified an unknown device or directory.

   
User Action

Check the spelling of the device or directory name.

Related:

An MTA database server error was encountered. Supplied object identifier {id} was not on queue {name}. [{value}{value}{value}{value}] (14)

Details
Product: Exchange
Event ID: 2116
Source: MSExchangeMTA
Version: 6.0
Component: Message Transfer Agent
Symbolic Name: MTA02116
Message: An MTA database server error was encountered. Supplied object identifier {id} was not on queue {name}. [{value}{value}{value}{value}] (14)
   
Explanation
The message transfer agent (MTA) encountered an internal processing error while processing a message or report object. This indicates a logic error or database integrity failure.
   
User Action
To help Microsoft Product Support Services track down the problem, create log files. For more information, see Knowledge Base articles Q163032 and Q168906.

To create Ap*.log files, in the Diagnostics Logging tab of the Server Properties dialog box, select MSExchangeMTA and set the logging level of the Interoperability and Interface categories to Maximum.

To create Bf*.log files, set the logging level of the APDU and X.400 Service categories to Maximum.

Save all MTA log files (mtadata\*.log), Event Viewer output, and database files. Contact Microsoft Product Support Services.

You can enable text event log files (Ev*.log) by modifying the Registry. Contact Microsoft Product Support Services for assistance.

Related:

An MTA database server error was encountered. Supplied object identifier id was not on queue name. [valuevaluevaluevalue] (14)

Details
Product: Exchange
Event ID: 2116
Source: MSExchangeMTA
Version: 6.5.0000.0
Message: An MTA database server error was encountered. Supplied object identifier id was not on queue name. [valuevaluevaluevalue] (14)
   
Explanation
The message transfer agent (MTA) encountered an internal processing error while processing a message or report object. This indicates a logic error or database integrity failure.
   
User Action
To help Microsoft Product Support Services track down the problem, create log files. For more information, see Knowledge Base articles Q163032 and Q168906.

To create Ap*.log files, in the Diagnostics Logging tab of the Server Properties dialog box, select MSExchangeMTA and set the logging level of the Interoperability and Interface categories to Maximum.

To create Bf*.log files, set the logging level of the APDU and X.400 Service categories to Maximum.

Save all MTA log files (mtadata\*.log), Event Viewer output, and database files. Contact Microsoft Product Support Services.

You can enable text event log files (Ev*.log) by modifying the Registry. Contact Microsoft Product Support Services for assistance.

Related:

Process <process name> (PID=<process id>). The Domain Controller <distinguished name> is running <text> <text>. DSAccess requires that Domain Controllers that run Windows 2000 have at least Service Pack 3 installed.

Details
Product: Exchange
Event ID: 2116
Source: MSExchangeDSAccess
Version: 6.5.6940.0
Component: Microsoft Exchange Directory Access Cache
Message: Process <process name> (PID=<process id>). The Domain Controller <distinguished name> is running <text> <text>. DSAccess requires that Domain Controllers that run Windows 2000 have at least Service Pack 3 installed.
   
Explanation

This event indicates that the specified domain controller has an unsupported OS/service pack combination. The specified domain controller will not be used by DSAccess. As long as there is sufficient capacity in alternate, suitable domain controllers, mail flow will not be interrupted. However, it is recommended the issue be investigated and fixed as soon as possible. Following are the possible causes:

  • The named domain controller is running Windows 2000 SP2 or earlier.
  • DSAccess could not read the operatingSystem and operatingSystemServicePack attributes from the domain controller.
   
User Action

Upgrade the domain controller to Windows 2000 SP3 or later, or, if the event says Unknown OS or Unknown Service Pack, manually check if the Local System account on the Exchange server can access these attributes.
