Event ID 2124 — Message Queuing Functioning in Domain Mode

  • Article

Applies To: Windows Server 2008 R2

Directory Service Integration enables Message Queuing to function in domain mode. This feature makes possible the publishing of queue properties to Active Directory Domain Services (AD DS) (for public queues), out-of-the-box authentication, encryption of messages using certificates that are registered in AD DS, and routing of messages across Message Queuing sites. This feature becomes operational only when the computer joins a domain. Message Queuing must be able to join the domain and operate in domain mode.

Event Details

Product: Windows Operating System
ID: 2124
Source: MSMQ
Version: 6.1
Symbolic Name: JoinMsmqDomain_ERR
Message: The Message Queuing service failed to join the computer's domain '%3'. Error %1: %2

Diagnose

Message Queuing was not able to join the domain or MSMQ Routing failed because of domain connectivity issues. This error might be caused by one of the following conditions:

  • Stale objects in Active Directory Domain Services (AD DS) are preventing Message Queuing from joining the domain.
  • The computer does not have connectivity and cannot join a domain.
  • Appropriate permissions are needed to create and access objects.

If you continue to get this error, note any details in the event message, and then contact Microsoft Customer Service and Support (CSS). For information about how to contact CSS, see Support Options from Microsoft Services (https://go.microsoft.com/fwlink/?LinkId=52267).

To perform these procedures, you must have membership in Administrators, or you must have been delegated the appropriate authority.

Stale objects in AD DS are preventing Message Queuing from joining the domain

Note: This procedure applies to Windows Server 2008 only.

To confirm the presence of stale computer objects:

  1. Click Start, point to Administrative Tools, right-click Active Directory Users and Computers,and then clickRun as administrator.
  2. On the View menu, ensure that Users, Contacts, Groups and Computers as containers is selected and that Advanced Features is selected.
  3. Browse to the particular computer. Check whether there are Message Queuing objects present under that computer.
  4. If there are Message Queuing objects and Message Queuing with Active Directory integration is not installed on that particular computer, these objects are stale.
  5. If you determine that there are stale objects, see the section titled "Remove stale Active Directory objects."

The computer does not have connectivity and cannot join a domain

  • If your computer does not have network or domain connectivity, see the section titled "Contact Microsoft."

Appropriate permissions are needed to create and access objects

To confirm that the user who is installing Message Queuing is a domain user and is a member of the local administrator group:

  1. Open the Computer Management snap-in. To open Computer Management, click Start. In the search box, type compmgmt.msc, and then press ENTER.
  2. In the console tree, expand System Tools, and then expand Local Users and Groups.
  3. In the details pane, double-click Administrators, and then confirm that the user is member of this group.
  4. If you determine that the user does not have the appropriate permissions, see the section titled "Grant appropriate permissions."

Resolve

To resolve this issue, use the resolution that corresponds to the cause you identified in the Diagnose section. After performing the resolution, see the Verify section to confirm that the feature is operating properly

Cause

Resolution

Active Directory Domain Services has stale objects

Remove stale Active Directory objects

Appropriate permissions have not been granted

Grant appropriate permissions

The computer has no connectivity or is not joined to domain

Contact Microsoft

Remove stale Active Directory objects

Stale objects can prevent the MSMQ Service from operating properly. Deleting stale objects may solve this problem. However, deleting a computer object in Active Directory Domain Services (AD DS) can cause problems on the client computer. Before deleting the computer object, make sure that no services running on the client computer will be affected. In this case, deleting the Message Queuing Active Directory object will delete public queues on that computer.

You must have the Active Directory services tools installed in Role Administration tools under Remote Server Administration.

To perform these procedures, you must have membership in Administrators, or you must have been delegated the appropriate authority.

Confirm that Active Directory services and control components are installed

To confirm that Active Directory services and control components are installed properly:

  1. Click Start, point to Administrative Tools, right-click Active Directory Users and Computers,and then clickRun as administrator.
  2. Confirm that the following Active Directory tools appear in the list:
    • Active Directory Domains and Trusts
    • Active Directory Sites and Services
    • Active Directory Users and Computers

Delete stale computer objects

To delete stale computer objects:

  1. Click Start, point to Administrative Tools, right-click Active Directory Users and Computers,and then clickRun as administrator.
  2. On the View menu, ensure that Users, Contacts, Groups and Computers as containers is selected and that Advanced Features is selected.
  3. Browse to the particular computer. Check whether there are Message Queuing objects present under that computer.
  4. If there are Message Queuing objects and Message Queuing with Active Directory integration is not installed on that particular computer, these objects are stale. Delete the particular Message Queuing Active Directory object, and then restart the MSMQ Service or, if necessary, restart the computer.

Grant appropriate permissions

Message Queuing may not be able to create Active Directory objects if the account it is running under does not have appropriate permissions. Check the following:

  1. Confirm that the user who is installing Message Queuing is a domain user as well as a member of the local administrators group.
  2. Confirm that the proper Active Directory service tools are installed.
  3. If the account is a domain user, contact your domain administrator to check privileges.
  4. If you have the appropriate permissions, grant the Message Queuing user account permission to modify child objects.

To perform these procedures, you must have membership in Administrators, or you must have been delegated the appropriate authority.

Confirm that the user who is installing Message Queuing is a domain user and a member of local administrators group

To confirm that the user who is installing Message Queuing is a domain user and a member of the local administrators group:

  1. Open the Computer Management console. To open Computer Management, click Start. In the search box, type compmgmt.msc, and then press ENTER.
  2. In the console tree, expand System Tools, expand Local Users and Groups, and then click Groups.
  3. In the details pane, double-click Administrators.
  4. In the Members section, confirm that the user is member of this group. If the user is not a member of the administrators group, add the user to the group.

Confirm that the proper Active Directory service tools are installed

To confirm that the proper Active Directory service tools are installed:

  1. Click Start, point to Administrative Tools, right-click Active Directory Users and Computers, and then click Run as administrator.
  2. Ensure that the following Active Directory tools appear in the list:
    • Active Directory Domains and Trusts
    • Active Directory Sites and Services
    • Active Directory Users and Computers

Grant the Message Queuing user account permission to modify child objects

If you have the appropriate permissions, use the following procedure to grant the Message Queuing user account permission to create and delete child objects. You must have the Active Directory services and control components installed in Role Administration Tools under the Remote Server Administration feature.

To grant Message Queuing user account permissions:

  1. Click Start, point to Administrative Tools, right-click Active Directory Users and Computers, and then click Run as administrator.
  2. On the View menu, ensure that Users, Contacts, Groups and Computers as containers is selected and that Advanced Features is selected.
  3. Right-click the name of your computer, and then click Properties.
  4. On the Security tab, make sure that the user is a part of a group that has permission to create and delete child objects.

For more information about the correct access control settings, see your Active Directory documentation.

Contact Microsoft

If possible, consult with your domain administrator by providing the error description in the event.

If you continue to get this error, note any details in the event message, and then contact Microsoft Customer Service and Support (CSS). For information about how to contact CSS, see Enterprise Support (https://go.microsoft.com/fwlink/?LinkId=52267).

Verify

You can confirm the presence of the Directory Service Integration feature by doing the following:

  • Verify the registry key setting
  • Verify that the computer is joined to the correct domain
  • Verify Active Directory operation

To perform these procedures, you must have membership in Administrators, or you must have been delegated the appropriate authority.

Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.

Verify the registry key setting

To verify the registry key setting:

  1. Open Registry Editor. To open Registry Editor, click Start. In the search box type regedit, and then press ENTER.

  2. In Registry Editor, expand HKEY_LOCAL_MACHINE, expand SOFTWARE, expand Microsoft, expand MSMQ, and then click Setup.

  3. In the console tree, double-click msmq_ADIntegrated.

  4. Confirm that Value data is set to 1.

  5. Under MSMQ, expand Parameters.

  6. In the details pane, double-click Workgroup.

  7. Verify that Value data is not set to 1.

Verify that the computer is joined to the correct domain

To verify that the computer is joined to the correct domain:

  1. Open Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager.
  2. Verify that the domain that is listed in the Computer Information is the correct domain.

Verify Active Directory operation

You can confirm that Active Directory Domain Services (AD DS) is operating correctly by verifying that the Public Queue feature is enabled in Message Queuing.

To verify that the Public Queue feature is enabled in Message Queuing:

  1. Open the Computer Management snap-in. To open Computer Management, click Start. In the search box, type compmgmt.msc, and then press ENTER.
  2. Navigate to MSMQ.
  3. If the Public Queues folder exists and you can right-click the folder, Message Queuing is operating correctly in domain mode with Active Directory Integration.
  4. For further confirmation, run a test application that uses the Active Directory features that you require.

Message Queuing Functioning in Domain Mode

Message Queuing