Event ID 2123 — Message Queuing Active Directory Operation

Applies To: Windows Server 2008 R2

Message Queuing must integrate successfully with Active Directory Domain Services (AD DS) to function properly in domain mode. Problems with the Active Directory interface, its configuration, and other related issues can affect Message Queuing.

Event Details

Product: Windows Operating System
ID: 2123
Source: MSMQ
Version: 6.1
Symbolic Name: CANNOT_DETERMINE_TRUSTED_FOR_DELEGATION
Message: The Message Queuing server cannot determine if the local domain controller is trusted for delegation. This may indicate a serious problem.

Resolve

Enable domain controller delegation

The domain controller must have the Active Directory option Trust computer for delegation enabled.

To perform this procedure, you must have membership in Administrators, or you must have been delegated the appropriate authority.

Note: This procedure applies to Windows Server 2008 only.

Note: Make sure that this computer really should be trusted for delegation before performing this procedure, as trusting for delegation could be a security risk.

To enable delegation for the local domain controller:

  1. Click Start, point to Administrative Tools, right-click Active Directory Users and Computers, and then click Run as administrator.
  2. In the console tree, click Domain Controllers.
  3. Right-click the computer that you want to configure (that is, the local domain controller), and then click Properties.
  4. Click Trust this computer for delegation to any service (Kerberos only), and then click OK.
  5. Accept any confirmation dialog boxes.

Verify

You can confirm the presence of the Directory Service Integration feature by doing the following:

  • Verify the registry key setting
  • Verify that the computer is joined to the correct domain
  • Verify Active Directory operation

To perform these procedures, you must have membership in Administrators, or you must have been delegated the appropriate authority.

Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.

Verify the registry key setting

To verify the registry key setting:

  1. Open Registry Editor. To open Registry Editor, click Start. In the search box, type regedit, and then press ENTER.

  2. In Registry Editor, expand HKEY_LOCAL_MACHINE, expand SOFTWARE, expand Microsoft, expand MSMQ, and then click Setup.

  3. In the details pane, double-click msmq_ADIntegrated.

  4. Confirm that Value data is set to 1.

  5. Under MSMQ, expand Parameters.

  6. In the details pane, double-click Workgroup.

  7. Confirm that Value data is not set to 1.

Verify that the computer is joined to the correct domain

To verify that the computer is joined to the correct domain:

  1. Open Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager.
  2. Confirm that the domain that is listed in Computer Information is the correct domain.

Verify Active Directory operation

You can confirm that Active Directory is operating correctly by verifying that the Public Queue feature is enabled in Message Queuing.

To verify that the Public Queue feature is enabled:

  1. Open the Computer Management snap-in. To open Computer Management, click Start. In the search box, type compmgmt.msc, and then press ENTER.
  2. Navigate to MSMQ.
  3. If the Public Queues folder exists and you can right-click the folder, Message Queuing is operating correctly in domain mode with Active Directory Integration.
  4. For further confirmation, run a test application that uses the Active Directory features that you require.
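
The registry and domain-membership checks above, together with a read of the delegation flag that the Resolve procedure sets, can be scripted in PowerShell. This is an added example, not part of the original procedure: it assumes an elevated session on the local domain controller, Get-RegValue is a hypothetical helper name, and 0x80000 is the TRUSTED_FOR_DELEGATION bit of the account's userAccountControl attribute.

```powershell
# Added example: read-only checks; nothing is modified.
# userAccountControl bit set by "Trust this computer for delegation to any service".
$TRUSTED_FOR_DELEGATION = 0x80000

function Get-RegValue([string]$Path, [string]$Name) {
    # Hypothetical helper: returns $null when the key or value is absent.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# Registry values from "Verify the registry key setting".
$adIntegrated = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\MSMQ\Setup' 'msmq_ADIntegrated'
$workgroup    = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\MSMQ\Parameters' 'Workgroup'

# Domain membership, the same information Server Manager shows.
$cs = Get-WmiObject -Class Win32_ComputerSystem

# Read this computer's own account from AD DS.
$uac = $null
try {
    $searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$($env:COMPUTERNAME)`$))"
    [void]$searcher.PropertiesToLoad.Add('userAccountControl')
    $account = $searcher.FindOne()
    if ($account) { $uac = [int]$account.Properties['useraccountcontrol'][0] }
} catch {
    Write-Warning "Directory lookup failed: $($_.Exception.Message)"
}

$delegation = 'unknown (account not read)'
if ($uac -ne $null) { $delegation = (($uac -band $TRUSTED_FOR_DELEGATION) -ne 0) }

New-Object PSObject -Property @{
    'msmq_ADIntegrated is 1' = ($adIntegrated -eq 1)
    'Workgroup is not 1'     = ($workgroup -ne 1)
    'Joined to a domain'     = $cs.PartOfDomain
    'Domain'                 = $cs.Domain
    'Trusted for delegation' = $delegation
} | Format-List
```

The script reports the joined domain but cannot tell whether it is the correct one; compare the Domain value with the domain you expect.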
