Event ID 2116 — Active Directory Integration Configuration

Updated: January 31, 2008

Applies To: Windows Server 2008

red

Directory Service Integration enables Message Queuing to function in domain mode. This makes possible the publication of queue properties to Active Directory Domain Services (AD DS) (for public queues), out-of-the-box authentication, encryption of messages using certificates that are registered in AD DS, and routing of messages across Message Queuing sites.

The health of the initial Active Directory integration configuration process is important for Message Queuing. Integration with AD DS is required so that Message Queuing can use the features that the Message Queuing domain mode operation supports.

Event Details

Product: Windows Operating System
ID: 2116
Source: MSMQ
Version: 6.0
Symbolic Name: CreateMsmqConfig_ERR
Message: Message Queuing was unable to create the msmq (MSMQ Configuration) object in Active Directory. Error %1: %2

Diagnose

The MSMQ configuration object cannot be created in Active Directory Domain Services (AD DS). This error might be caused by one of the following conditions:

  • The user who is installing Message Queuing does not have the correct permissions to create child objects in AD DS.
  • Replication delays are not configured properly.
  • A corrupted computer object exists in AD DS.

To perform these procedures, you must have membership in Administrators, or you must have been delegated the appropriate authority.

The user who is installing Message Queuing does not have the correct permissions to create child objects in AD DS

To confirm that the user who is installing Message Queuing is a domain user and a member of the local administrators security group:

  1. Open the Computer Management console. To open Computer Management, click Start. In the search box, type compmgmt.msc, and then press ENTER.
  2. In the console tree, expand System Tools, expand Local Users and Groups, and then click Groups.
  3. In the details pane, double-click Administrators.
  4. In the Members section, confirm that the user is member of this group (Administrators).
  5. If the user is not a member of the group, see the section titled "Grant appropriate permissions."

Replication delays are not configured properly

  • If you determine that replication delays are the problem, see the section titled "Configure replication delays."

A corrupted computer object exists in AD DS

To confirm that there are stale computer objects:

  1. Click Start, point to Administrative Tools, right-click Active Directory Users and Computers, and then click Run as administrator.
  2. On the View menu, ensure that Users, Contacts, Groups and Computers as containers is selected and that Advanced Features is selected.
  3. Browse to the particular computer. Check whether there are Message Queuing objects present under that computer.
  4. If there are Message Queuing objects and Message Queuing with Active Directory Integration is not installed on that particular computer, these objects are stale.
  5. If you determine that there are stale objects, see the section titled "Remove stale Active Directory objects."

If you continue to get this error, note any details in the event message, and then contact Microsoft Customer Service and Support (CSS). For information about how to contact CSS, see Enterprise Support (http://go.microsoft.com/fwlink/?LinkId=52267).

Resolve

Grant appropriate permissions

Message Queuing may not be able to create Active Directory objects if the account it is running under does not have appropriate permissions. Check the following:

  1. Confirm that the user who is installing Message Queuing is a domain user and a member of the local administrators group.
  2. Confirm that the proper Active Directory service tools are installed.
  3. If the account is a domain user, contact your domain administrator to check privileges.
  4. If you have the appropriate permissions, grant the Message Queuing user account permission to modify child objects.

To perform these procedures, you must have membership in Administrators, or you must have been delegated the appropriate authority.

Confirm that the user who is installing Message Queuing is a domain user and a member of the local administrators group

To confirm that the user who is installing Message Queuing is a domain user and a member of the local administrator group:

  1. Open the Computer Management snap-in. To open Computer Management, click Start. In the search box, type compmgmt.msc, and then press ENTER.
  2. In the console tree, expand System Tools, expand Local Users and Groups, and then click Groups.
  3. In the details pane, double-click Administrators.
  4. In the Members section, confirm that the user is member of this group (Administrators). If the user is not a member of this group, add the user to the group.

Confirm that the proper Active Directory service tools are installed

To confirm that the proper Active Directory service tools are installed:

  1. Click Start, point to Administrative Tools.
  2. Ensure that the following Active Directory tools appear in the list:
    • Active Directory Domains and Trusts
    • Active Directory Sites and Services
    • Active Directory Users and Computers

Grant the Message Queuing user account permission to modify child objects

If you have the appropriate permissions, use the following procedure to grant the Message Queuing user account permission to create and delete child objects. You must have the Active Directory services and control components installed in Role Administration Tools under the Remote Server Administration feature.

To grant Message Queuing user account permissions:

  1. Click Start, point to Administrative Tools, right-click Active Directory Users and Computers, and then click Run as administrator.
  2. On the View menu, ensure that Users, Contacts, Groups and Computers as containers is selected and that Advanced Features is selected.
  3. Right-click the name of your computer, and then click Properties.
  4. On the Security tab, make sure that the user is a part of a group that has permission to create and delete child objects.

For more information about the correct access control settings, see your Active Directory documentation.

Contact Microsoft

If possible, consult with your domain administrator by providing the error description in the event.

If you continue to get this error, note any details in the event message, and then contact Microsoft Customer Service and Support (CSS). For information about how to contact CSS, see Enterprise Support (http://go.microsoft.com/fwlink/?LinkId=52267).

Configure replication delays

There is an issue with replication delays. This issue should be resolved after Active Directory Domain Services (AD DS) replicates itself. After replication is complete, try to create the Active Directory object again:

  • For smaller networks, replication should take a few minutes.
  • For larger networks, the replication may take a long time.

Advanced users and domain administrators can also use the Knowledge Consistency Checker (KCC) to configure replication delays. For more information about optimizing Active Directory replication in a large network, see article 244368 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=107511).

Remove stale Active Directory objects

Stale objects can cause issues that prevent the MSMQ Service from operating properly. Deleting stale objects may solve this problem. However, deleting a computer object in Active Directory Domain Services (AD DS) can cause problems on the client computer. Before you delete the computer object, make sure that no services that are running on the client computer will be affected. In this case, deleting the Message Queuing Active Directory object will delete public queues on that computer.

You must have the Active Directory service tools installed in Role Administration tools under Remote Server Administration.

To perform these procedures, you must have membership in Administrators, or you must have been delegated the appropriate authority.

Confirm that Active Directory service tools are installed

To confirm that Active Directory service tools are installed:

  1. Click Start, point to Administrative Tools, right-click Active Directory Users and Computers,and then clickRun as administrator.
  2. Confirm that the following Active Directory tools appear in the list:
    • Active Directory Domains and Trusts
    • Active Directory Sites and Services
    • Active Directory Users and Computers

Delete stale computer objects

To delete stale computer objects:

  1. Click Start, point to Administrative Tools, right-click Active Directory Users and Computers, and then click Run as administrator.
  2. On the View menu, ensure that Users, Contacts, Groups and Computers as Containers is selected and that Advanced Features is selected.
  3. Browse to the particular computer. Check whether there are Message Queuing objects present under that computer.
  4. If there are Message Queuing objects and Message Queuing with Active Directory Integration is not installed on that particular computer, this object is stale. Delete the particular Message Queuing Active Directory object, and then restart the MSMQ Service or, if necessary, restart the computer.

Verify

You can confirm the presence of the Directory Service Integration feature by doing the following:

  • Verify the registry key setting
  • Verify that the computer is joined to the correct domain
  • Verify Active Directory operation

To perform these procedures, you must have membership in Administrators, or you must have been delegated the appropriate authority.

Verify the registry key setting

Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.

To verify the registry key setting:

  1. Open Registry Editor. To open Registry Editor, click Start. In the search box, type regedit, and then press ENTER.
  2. In Registry Editor, expand HKEY_LOCAL_MACHINE, expand SOFTWARE, expand Microsoft, expand MSMQ, and then click Setup.
  3. In the details pane, double-click msmq_ADIntegrated.
  4. Confirm that Value data is set to 1.
  5. Under MSMQ, expand Parameters.
  6. In the details pane, double-click Workgroup.
  7. Confirm that Value data is not set to 1.

Verify that the computer is joined to the correct domain

To verify that the computer is joined to the correct domain:

  1. Open Server Manager. To open Server Manager, click Start, point to Administrative Tools,and then click Server Manager.
  2. Verify that the domain that is listed in Computer Information is the correct domain.

Verify Active Directory operation

You can confirm that Active Directory is operating correctly by verifying that the Public Queue feature is enabled in Message Queuing.

To verify that Public Queue is enabled:

  1. Open the Computer Management snap-in. To open Computer Management, click Start. In the search box, type compmgmt.msc, and then press ENTER.
  2. Navigate to MSMQ.
  3. If the Public Queues folder exists and you can right-click the folder, Message Queuing is operating correctly in domain mode with Active Directory Integration.
  4. For further confirmation, run a test application that uses the Active Directory features that you require.

Related Management Information

Active Directory Integration Configuration

Message Queuing

Community Additions

ADD
Show: