I have installed MSMQ and MSMQ AD Integration on a domain controller which also hosts an Exchange server. The whole code has been used successfully on other domain controllers (none of which hosts an Exchange server; I sincerely hope that this is not the reason!).

As required on a domain controller, I have used the following code to allow the network service account to create queues:

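```csharp
// Requires: using System; using System.DirectoryServices; using System.Security.AccessControl; using System.Security.Principal;
// "de" is a DirectoryEntry obtained earlier; the post does not show which object it is bound to.
SecurityIdentifier sidNetworkService = new System.Security.Principal.SecurityIdentifier("S-1-5-20"); // NetworkService
// Allow CreateChild only for the child object class identified by the GUID, inherited by all descendants.
ActiveDirectoryAccessRule NewRule = new ActiveDirectoryAccessRule(sidNetworkService, ActiveDirectoryRights.CreateChild, AccessControlType.Allow, new Guid("9a0dc344-c100-11d1-bbc5-0080c76670c0"), ActiveDirectorySecurityInheritance.All);
de.ObjectSecurity.AddAccessRule(NewRule);
de.CommitChanges();
```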

However, when trying to create/access a public queue, the following error occurs:

> A workgroup installation computer does not support the operation.

As described here, I then uninstalled MSMQ and MSMQ AD Integration and installed them again, but the error is the same.

I verified that MSMQ is installed in Domain Mode by proving that `HKLM\Software\Microsoft\MSMQ\Parameters` has `Workgroup` set to `REG_DWORD 0x00000001 (1)`.

So I have had a look into eventvwr.msc and found the following errors:

> The Message Queuing service failed to join the computer's domain 'EXCH'. Error 0xc00e0025:

and

> Message Queuing was unable to create the msmq (MSMQ Configuration) object in Active Directory Domain Services. Error c00e0025h:

These errors are already described here, but without an accepted solution.

So, does someone have an idea where to find the culprit?

Alexander
  • Out of interest, why do you need to use public queues? – tom redfern Jun 02 '17 at 14:23
  • @tomredfern I have a high-load application which may be installed on a cluster, and communication between the frontend servers and the backend service is through MSMQ. – Alexander Jun 02 '17 at 14:48
  • If Workgroup = 0x00000001 then you are definitely NOT in AD integrated mode. – John Breakwell Jun 03 '17 at 00:08
  • Public queues are only useful if you need to look them up in Active Directory first. If you already know the queue names then public queues are probably a waste of time. – John Breakwell Jun 03 '17 at 00:10
  • As to the problem, you didn't have access permissions to create the necessary objects in AD. What account were you logged in with? – John Breakwell Jun 03 '17 at 00:17
  • @JohnBreakwell I am a non-native, but I think that [this document](https://technet.microsoft.com/en-us/library/cc749102(v=ws.10).aspx#sectionSection2) explicitly tells me to check that it is indeed 1. – Alexander Jun 03 '17 at 06:39
  • @JohnBreakwell My IIS app pools are running as "NetworkService", the Windows service is running as "NetworkService" and the MSMQ service is also running as "NetworkService". – Alexander Jun 03 '17 at 06:42
  • The account that installed MSMQ is relevant here, not the accounts used by it. If the account cannot create the initial AD objects, it will never work. – John Breakwell Jun 03 '17 at 07:28
  • The document says that to start with it must be 1 but that's just to check you're not already AD-integrated. Workgroup=1 means workgroup mode. – John Breakwell Jun 03 '17 at 23:30
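
An added example, not code from the question or its comments: a check that a security descriptor actually contains the ACE the question's code adds (allow CreateChild for S-1-5-20, limited to the class GUID from the post), and that flags a grant that is not limited to that class. The class name `MsmqAceAudit` and the SDDL strings are constructed for illustration.

```csharp
using System;
using System.Security.AccessControl;
using System.Security.Principal;

static class MsmqAceAudit
{
    // SID and class GUID are the values used in the question's code.
    static readonly SecurityIdentifier NetworkService = new SecurityIdentifier("S-1-5-20");
    static readonly Guid ChildClass = new Guid("9a0dc344-c100-11d1-bbc5-0080c76670c0");
    const int CreateChild = 0x1; // same value as ActiveDirectoryRights.CreateChild

    // "scoped":  allow ACE grants CreateChild for ChildClass only
    // "broad":   allow ACE grants CreateChild for every child class
    // "missing": no matching allow ACE applies to the object
    public static string Check(string sddl)
    {
        var sd = new RawSecurityDescriptor(sddl);
        string result = "missing";
        if (sd.DiscretionaryAcl == null) return result;
        foreach (GenericAce ace in sd.DiscretionaryAcl)
        {
            // Inherit-only ACEs affect descendants, not the object itself.
            if ((ace.AceFlags & AceFlags.InheritOnly) != 0) continue;
            var known = ace as KnownAce; // common base of CommonAce and ObjectAce
            if (known == null || known.SecurityIdentifier != NetworkService) continue;
            if ((known.AccessMask & CreateChild) == 0) continue;
            if (ace.AceType == AceType.AccessAllowed) return "broad";
            var obj = ace as ObjectAce;
            if (obj == null || obj.AceType != AceType.AccessAllowedObject) continue;
            // An object ACE without an object type applies to all child classes.
            if ((obj.ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent) == 0) return "broad";
            if (obj.ObjectAceType == ChildClass) result = "scoped";
        }
        return result;
    }

    static void Main()
    {
        // Constructed sample descriptors (DACL only).
        string scoped  = "D:(OA;CI;CC;9a0dc344-c100-11d1-bbc5-0080c76670c0;;NS)";
        string broad   = "D:(A;CI;CC;;;NS)";
        string missing = "D:(A;;RP;;;NS)";
        foreach (string s in new[] { scoped, broad, missing })
            Console.WriteLine("{0} -> {1}", s, Check(s));
    }
}
```

For a live directory object, the SDDL input can be read with `de.ObjectSecurity.GetSecurityDescriptorSddlForm(AccessControlSections.Access)` after `CommitChanges()`.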
