Message Queuing and Active Directory

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In a domain environment, one or more Message Queuing objects are created in Active Directory during setup for all the types of Message Queuing computers except dependent clients. These objects store various information associated with Message Queuing. The access of users to Message Queuing objects is controlled by assigning security descriptors to the objects. A security descriptor lists the users and groups that are granted or denied access to an object and the specific permissions assigned to those users and groups. For more information about the control of access to Message Queuing objects, see Access control for Message Queuing.

Note that if you install Message Queuing on a computer that is in a domain environment, and later re-image the computer, the new installation of Message Queuing on the computer will create a new Queue Manager globally unique identifier (GUID). This has the following effects:

  1. The public queue data from the old installation of Message Queuing will no longer be usable.

  2. The new installation of Message Queuing does not recognize the Message Queuing objects in Active Directory that belong to the old installation. This prevents Message Queuing from working in Domain mode, which means that features that require Domain mode, such as access to public queues, authentication, encryption, and routing, will not be available. For more information, see Deploying in a domain environment.

To resolve the latter issue, the domain administrator must delete the Message Queuing objects in Active Directory for the old installation of Message Queuing. Note that this will also delete all public queues for the computer that was re-imaged. For more information about deleting Message Queuing objects, see Remove Message Queuing objects from Active Directory.

Under certain conditions, the name of an object can be changed by the directory service. This can occur if multiple objects with the same name are created simultaneously on different domain controllers. For information about how Active Directory handles object naming and conflicts, see Object names, in the Active Directory online Help file.

The following table lists those objects that are created by Message Queuing by default for each type of Message Queuing computer and that are displayed in the MMC snap-ins. For general information about MMC and snap-ins, see Microsoft Management Console.

| Message Queuing computer | Object name | Object class |
| --- | --- | --- |
| Message Queuing server without directory service functionality or routing services on a domain controller | msmq | MSMQ-Configuration |
| Message Queuing server with directory service functionality on a domain controller | msmq; MSMQ-Settings | MSMQ-Configuration; MSMQ-Settings |
| Message Queuing server with routing services | msmq; MSMQ-Settings | MSMQ-Configuration; MSMQ-Settings |
| Message Queuing server on a nondomain controller | msmq | MSMQ-Configuration |
| Independent client | msmq | MSMQ-Configuration |
| Dependent client | none | not applicable |
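
To inventory the objects listed in the table and review the security descriptor assigned to each one, a script along the following lines can be run from a management host. This is an added example, not part of the original documentation. It assumes the ActiveDirectory PowerShell module is available on that host (it is not part of Windows Server 2003 itself), that mSMQConfiguration and mSMQSettings are the LDAP display names of the MSMQ-Configuration and MSMQ-Settings classes, and that MSMQ-Settings objects are stored in the configuration partition.

```powershell
# Added example: list Message Queuing objects in Active Directory together
# with the explicit access control entries in each security descriptor.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
# Assumption: msmq (MSMQ-Configuration) objects sit under computer objects in
# the domain partition and MSMQ-Settings objects sit under server objects in
# the configuration partition, so both naming contexts are searched.
$searchBases = @($rootDse.defaultNamingContext, $rootDse.configurationNamingContext)
$filter = '(|(objectClass=mSMQConfiguration)(objectClass=mSMQSettings))'

$report = foreach ($base in $searchBases) {
    Get-ADObject -SearchBase $base -SearchScope Subtree -LDAPFilter $filter `
        -Properties whenCreated, nTSecurityDescriptor |
    ForEach-Object {
        $obj = $_
        $sd  = $obj.nTSecurityDescriptor
        # Keep explicit ACEs only; inherited ones are set on a parent object.
        foreach ($ace in ($sd.Access | Where-Object { -not $_.IsInherited })) {
            [pscustomobject]@{
                # Parent DN = everything after the first unescaped comma.
                Parent  = ($obj.DistinguishedName -split '(?<!\\),', 2)[1]
                Name    = $obj.Name
                Class   = $obj.ObjectClass
                Created = $obj.whenCreated
                Owner   = $sd.Owner
                Trustee = $ace.IdentityReference
                Type    = $ace.AccessControlType   # Allow or Deny
                Rights  = $ace.ActiveDirectoryRights
            }
        }
    }
}

# Per-object view: which users and groups are granted or denied which rights.
$report | Sort-Object Parent, Name, Trustee |
    Format-Table Parent, Name, Class, Trustee, Type, Rights -AutoSize -Wrap

# One line per object. The creation time helps match an msmq object to the
# installation that created it, for example after a computer was re-imaged.
$report | Select-Object Parent, Name, Class, Created, Owner -Unique |
    Sort-Object Created | Format-Table -AutoSize -Wrap
```
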

When you manually create an object in Active Directory, you are prompted to specify the minimal information needed to establish the object in Active Directory. Each object has many more properties (attributes) that can be set. After an object is created, the values of many of these additional attributes can be viewed and modified in the Properties dialog box.

In addition, some information for Message Queuing is stored in Active Directory in non-Message Queuing objects. Specifically, the User object contains information about user certificates, the applicable computer object (above the msmq object) contains certificate information, information related to foreign sites (for cross-platform messaging) is contained in the Sites object, and distribution lists are defined as distribution group objects.

For advanced information about object attributes, see the Active Directory topic in the Microsoft Platform Software Development Kit (SDK). To access the Message Queuing SDK on the Web, refer to the MSDN Library Web site (https://msdn.microsoft.com/library/default.asp).