In Microsoft Exchange Server 2003, you may experience the following symptoms:
Consider the following scenario.
You are using Exchange Server 2003 on a computer that is running Windows Server 2003 Service Pack 1 (SP1).
You install Windows Internet Explorer 7 on the computer that is running Exchange System Manager.
You try to access Exchange Help in Exchange System Manager.
In this scenario, Exchange System Manager stops responding because of an access violation.
You install Internet Explorer 7 on the server that is running Exchange Server 2003. Then, you try to view the MAPI public folder content in the instance of Exchange System Manager that is running on the Exchange Server 2003 server. When you do this, you may receive the following message:
The operation completed successfully Facility: Win32 ID no: c0070000 Exchange System Manager
In this case, you can view the public folders. However, when you try to view the content in Exchange System Manager, you see only a gray screen where the content should be.

To work around this problem, you must rename the Psapi.dll file in the Exchsrvr\Bin directory so that the Exchange services use the Psapi.dll file from the %Windir%\System32 directory. To do this, follow the steps that are appropriate for your situation.
Back to the top
You have installed Internet Explorer 7 on the Exchange server that also has Exchange System Manager installed
loadTOCNode(2, ‘workaround’);

If you have installed Internet Explorer 7 on the Exchange server that also has Exchange System Manager installed, follow these steps:
Stop all Exchange and Internet Information Services (IIS) services.
Open the Services snap-in.
Stop the Microsoft Exchange System Attendant service.Important Note the list of dependent services that will be stopped. For example, the list of dependent services may resemble the following:
Microsoft Exchange Information Store
Microsoft Exchange MTA Stacks
Stop the IIS Admin Service.Important Note the list of dependent services that will be stopped. For example, the list of dependent services may resemble the following:
World Wide Web Publishing Service
Simple Mail Transfer Protocol (SMTP)
HTTP SSL
AntigenIMC
Rename the Psapi.dll file. To do this, follow these steps:
Open a command prompt.
Move to the following directory:
Drive_Letter:\Program Files\Exchsrvr\bin
Change the name of the Psapi.dll file to Psapi.dll.old.
Close the Command Prompt window.
Restart the Exchange services and the IIS services. This includes the dependent services that were stopped.
Back to the top
You have installed Internet Explorer 7 on a workstation that also has Exchange System Manager installed
loadTOCNode(2, ‘workaround’);

If you have installed Internet Explorer 7 on a workstation that also has Exchange System Manager installed, follow these steps:
Stop all IIS services. To do this, open the Services snap-in, and then stop the IIS Admin Service.Important Note the list of dependent services that will be stopped. For example, the list of dependent services may resemble the following:
World Wide Web Publishing Service
HTTP SSL
Rename the Psapi.dll file.
Open a command prompt.
Move to the following directory:
Drive_Letter:\Program Files\Exchsrvr\bin
Change the name of the Psapi.dll file to Psapi.dll.old.
Close the Command Prompt window.
Restart the IIS services. This includes the dependent services that were stopped.

By default, Exchange System Attendant no longer requires RPCs when it runs on a front-end server. The components of System Attendant that use RPCs are no longer loaded on front-end servers; therefore, these components are disabled when you designate a server as a front-end server. The following list briefly describes these components:
DSProxy The DSProxy service refers MAPI clients (such as Microsoft® Office Outlook® 2002) to global catalog servers for global address list lookups. DSProxy also allows MAPI clients with older versions of Outlook to access Active Directory. DSProxy no longer runs on front-end servers; therefore, the front-end server can no longer determine which back-end server contains a MAPI client’s mailbox. As a result, you cannot point a MAPI client to the front-end server to determine the user’s back-end server and then route the request to the appropriate server.
Note:
To enable DSProxy on the front-end server for routing MAPI client requests, install Exchange 2000 Server Service Pack 3 (SP3) and create the registry key described in Microsoft Knowledge Base article 319175, “XADM: You Cannot Perform a Check Names Query Against a Front-End Exchange Computer.” Note that to receive these referrals, the client must have RPC access to the front-end server. Additionally, the front-end server must have RPC access to domain controllers.
Recipient Update Service The Recipient Update Service updates recipients in the directory to match address lists or recipient proxy policies. The Recipient Update Service no longer runs on front-end servers, so be sure that none of your front-end servers are designated to run the Recipient Update Service. To do this, in Exchange System Manager, under Recipients, check the properties of each Recipient Update Service and ensure that no front-end servers are named in the Exchange server field.
Offline Address Book Generation (OABGen) OABGen creates the offline address book. Without the OABGen service, front-end servers no longer generate offline address books.
Group Polling System Attendant uses group polling to ensure that the local computer remains a member of the Domain Exchange Servers group. System Attendant polls the Domain Exchange Servers group and adds the local computer back to the group if it is no longer a member. Front-end servers no longer perform this function.
Mailbox Management The Mailbox Management service starts and stops the mailbox cleanup process according to the settings defined in Recipient Policies. Mailbox Management no longer runs on front-end servers.
Free/Busy (madfb.dll) The free/busy service manages user schedules. This service no longer runs on front-end servers.

Configuring Smart Hosts

You can route all outgoing messages for remote domains through a smart host instead of sending them directly to the domain. This enables you to route messages over a connection that may be more direct or less costly than other routes. The smart host is similar to the route domain option for remote domains. The difference is that, after a smart host is designated, all outgoing messages are routed to that server. With a route domain, only messages for the remote domain are routed to a specific server.
Important
Make sure your designated smart host is secure and administered by a trusted authority, especially when forwarding sensitive information.
If you set up a smart host, you can still designate a different route for a remote domain. The route domain setting overrides the smart host setting.
You can identify the smart host by fully qualified domain name (FQDN) or an IP address (but if you change the IP address, you would have to change it on every virtual server as well). If you use an IP address, enclose it in brackets ([ ]) to increase system performance. The SMTP service checks first for a server name, and then an IP address. The brackets identify the value as an IP address, so the DNS lookup is bypassed.
Important
You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /User:Administrative_AccountName “mmc systemroot\system32\inetsrv\iis.msc”.
Procedures
To set up a smart host
In IIS Manager, right-click the SMTP virtual server, and then click Properties.
Click the Delivery tab, and click Advanced.
In the Smart host box, type the name of the smart host server. You can type a string to represent a name or enter an IP address.
If you want the SMTP service to attempt to deliver remote messages directly before forwarding them to the smart host server, select the Attempt direct delivery before sending to smart host check box. The default is to send all remote messages to the smart host, not to attempt direct delivery.
Related Information
For information about setting the message hop count, see Setting the Message Hop Count.
For information about setting a fully qualified domain name, see Setting Fully Qualified Domain Names.

Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). You can use the ntdsutil commands to perform database maintenance of AD DS, manage and control single master operations, and remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled. This tool is intended for use by experienced administrators.
Ntdsutil.exe is built into Windows Server 2008. It is available if you have AD DS installed. To use Ntdsutil.exe, you must run the ntdsutil command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
If you have the AD LDS server role installed but not the AD DS server role, you can use the dsdbutil.exe and dsmgmt.exe command-line tools to perform the same tasks that you can perform with ntdsutil.exe. For more information about the dsdbutil command, see Dsdbutil. For more information about the dsmgmt command, see Dsmgmt.
For most of the Ntdsutil commands, you only need to type the first few characters of the command name instead than the entire command. For example, you can type either of the following commands to activate an instance for AD DS:
Copy Code
activate instance ntds
ac i ntds
The short form for each command is listed in the following table.
Syntax
Copy Code
Ntdsutil [activate instance %s authoritative restore change service account %s1 %s2 configurable settings DS behavior files group membership evaluation Help ifm ldap policies ldap port %d list instance local roles metadata cleanup partition management popups on popups off quit roles security account management semantic database analysis set DSRM password snapshot SSL port %d]
Commands

Command
Description
Activate instance %s
short form: ac i %s
Sets NTDS or a specific AD LDS instance as the active instance.
authoritative restore
Short form: au r
Authoritatively restores the Active Directory database or AD LDS instance.
Change service account %s1 %s2
Changes the AD LDS service account to user name %s1 and password %s2. Use “NULL” for a blank password. Use * to prompt the user to enter a password.
Ntdsutil
Short form: co s
Manages configurable settings.
DS behavior
Short form: ds b
Views and modifies AD DS or AD LDS behavior.
files
Short form: f
Manages AD DS or AD LDS database files.
group membership evaluation
Short form: g m e
Evaluates security IDs (SIDs) in the token for a given user or group.
Help
Shows this help information.
ifm
Short form: i
Creates installation media for writable (full) and read-only domain controllers (RODCs) and instances of AD LDS.
LDAP policies
Manages Lightweight Directory Access Protocol (LDAP) protocol policies.
Ldap port %d
Configures an LDAP port for an AD LDS instance.
List instances
Short form: li i
Lists all AD LDS instances that are installed on a computer.
local roles
Short form: lo r
Manages local administrative roles on an RODC.
metadata cleanup
Short form: m c
Cleans up objects of decommissioned servers.
partition management
Short form: pa m
Manages directory partitions.
Popups off
Short form: po off
Disables popups.
Popups on
Short form: po on
Enables popups.
Quit
Short form: q
Quits the command.
roles
Short form: r
Transfers and seizes operations master roles.
security account management
Short form: sec a m
Manages SIDs.
semantic database analysis
Short form: sem d a
Verifies integrity of AD DS or AD LDS database files with respect to Active Directory semantics.
set DSRM password
Short form: set d p
Resets the Directory Services Restore Mode (DSRM) administrator password.
snapshot
Short form: sn
Manages snapshots of the volumes that contain the Active Directory database and log files.
SSL port %d
Configures a Secure Sockets Layer (SSL) port for an AD LDS instance.

Certain domain and enterprise-wide operations that are not good for multi-master updates are performed by a single domain controller in an Active Directory domain or forest. The domain controllers that are assigned to perform these unique operations are called operations masters or FSMO role holders. The following list describes the 5 unique FSMO roles in an Active Directory forest and the dependent operations that they perform:
Schema master – The Schema master role is forest-wide and there is one for each forest. This role is required to extend the schema of an Active Directory forest or to run the adprep /domainprep command.
Domain naming master – The Domain naming master role is forest-wide and there is one for each forest. This role is required to add or remove domains or application partitions to or from a forest.
RID master – The RID master role is domain-wide and there is one for each domain. This role is required to allocate the RID pool so that new or existing domain controllers can create user accounts, computer accounts or security groups.
PDC emulator – The PDC emulator role is domain-wide and there is one for each domain. This role is required for the domain controller that sends database updates to Windows NT backup domain controllers. The domain controller that owns this role is also targeted by certain administration tools and updates to user account and computer account passwords.
Infrastructure master – The Infrastructure master role is domain-wide and there is one for each domain. This role is required for domain controllers to run the adprep /forestprep command successfully and to update SID attributes and distinguished name attributes for objects that are referenced across domains.The Active Directory Installation Wizard (Dcpromo.exe) assigns all 5 FSMO roles to the first domain controller in the forest root domain. The first domain controller in each new child or tree domain is assigned the three domain-wide roles. Domain controllers continue to own FSMO roles until they are reassigned by using one of the following methods:
An administrator reassigns the role by using a GUI administrative tool.
An administrator reassigns the role by using the ntdsutil /roles command.
An administrator gracefully demotes a role-holding domain controller by using the Active Directory Installation Wizard. This wizard reassigns any locally-held roles to an existing domain controller in the forest. Demotions that are performed by using the dcpromo /forceremoval command leave FSMO roles in an invalid state until they are reassigned by an administrator.We recommend that you transfer FSMO roles in the following scenarios:
The current role holder is operational and can be accessed on the network by the new FSMO owner.
You are gracefully demoting a domain controller that currently owns FSMO roles that you want to assign to a specific domain controller in your Active Directory forest.
The domain controller that currently owns FSMO roles is being taken offline for scheduled maintenance and you need specific FSMO roles to be assigned to a “live” domain controller. This may be required to perform operations that connect to the FSMO owner. This would be especially true for the PDC Emulator role but less true for the RID master role, the Domain naming master role and the Schema master roles. We recommend that you seize FSMO roles in the following scenarios:
The current role holder is experiencing an operational error that prevents an FSMO-dependent operation from completing successfully and that role cannot be transferred.
A domain controller that owns an FSMO role is force-demoted by using the dcpromo /forceremoval command.
The operating system on the computer that originally owned a specific role no longer exists or has been reinstalled.As replication occurs, non-FSMO domain controllers in the domain or forest gain full knowledge of changes that are made by FSMO-holding domain controllers. If you must transfer a role, the best candidate domain controller is one that is in the appropriate domain that last inbound-replicated, or recently inbound-replicated a writable copy of the “FSMO partition” from the existing role holder. For example, the Schema master role-holder has a distinguished name path of CN=schema,CN=configuration,dc=, and this mean that roles reside in and are replicated as part of the CN=schema partition. If the domain controller that holds the Schema master role experiences a hardware or software failure, a good candidate role-holder would be a domain controller in the root domain and in the same Active Directory site as the current owner. Domain controllers in the same Active Directory site perform inbound replication every 5 minutes or 15 seconds. The partition for each FSMO role is in the following list:
Collapse this tableExpand this table
FSMO role
Partition
Schema
CN=Schema,CN=configuration,DC=
Domain Naming Master
CN=configuration,DC=
PDC
DC=
RID
DC=
Infrastructure
DC=A domain controller whose FSMO roles have been seized should not be permitted to communicate with existing domain controllers in the forest. In this scenario, you should either format the hard disk and reinstall the operating system on such domain controllers or forcibly demote such domain controllers on a private network and then remove their metadata on a surviving domain controller in the forest by using the ntdsutil /metadata cleanup command. The risk of introducing a former FSMO role holder whose role has been seized into the forest is that the original role holder may continue to operate as before until it inbound-replicates knowledge of the role seizure. Known risks of two domain controllers owning the same FSMO roles include creating security principals that have overlapping RID pools, and other problems.
Back to the top
Transfer FSMO roles
loadTOCNode(2, ‘moreinformation’);

To transfer the FSMO roles by using the Ntdsutil utility, follow these steps:
Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain controller that is located in the forest where FSMO roles are being transferred. We recommend that you log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of the Enterprise Administrators group to transfer Schema master or Domain naming master roles, or a member of the Domain Administrators group of the domain where the PDC emulator, RID master and the Infrastructure master roles are being transferred.
Click Start, click Run, type ntdsutil in the Open box, and then click OK.
Type roles, and then press ENTER. Note To see a list of available commands at any one of the prompts in the Ntdsutil utility, type ?, and then press ENTER.
Type connections, and then press ENTER.
Type connect to server servername, and then press ENTER, where servername is the name of the domain controller you want to assign the FSMO role to.
At the server connections prompt, type q, and then press ENTER.
Type transfer role, where role is the role that you want to transfer. For a list of roles that you can transfer, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start of this article. For example, to transfer the RID master role, type transfer rid master. The one exception is for the PDC emulator role, whose syntax is transfer pdc, not transfer pdc emulator.
At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.
Back to the top
Seize FSMO roles
loadTOCNode(2, ‘moreinformation’);

To seize the FSMO roles by using the Ntdsutil utility, follow these steps:
Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain controller that is located in the forest where FSMO roles are being seized. We recommend that you log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of the Enterprise Administrators group to transfer schema or domain naming master roles, or a member of the Domain Administrators group of the domain where the PDC emulator, RID master and the Infrastructure master roles are being transferred.
Click Start, click Run, type ntdsutil in the Open box, and then click OK.
Type roles, and then press ENTER.
Type connections, and then press ENTER.
Type connect to server servername, and then press ENTER, where servername is the name of the domain controller that you want to assign the FSMO role to.
At the server connections prompt, type q, and then press ENTER.
Type seize role, where role is the role that you want to seize. For a list of roles that you can seize, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start of this article. For example, to seize the RID master role, type seize rid master. The one exception is for the PDC emulator role, whose syntax is seize pdc, not seize pdc emulator.
At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.Notes
Under typical conditions, all five roles must be assigned to “live” domain controllers in the forest. If a domain controller that owns a FSMO role is taken out of service before its roles are transferred, you must seize all roles to an appropriate and healthy domain controller. We recommend that you only seize all roles when the other domain controller is not returning to the domain. If it is possible, fix the broken domain controller that is assigned the FSMO roles. You should determine which roles are to be on which remaining domain controllers so that all five roles are assigned to a single domain controller. For more information about FSMO role placement, click the following article number to view the article in the Microsoft Knowledge Base:
223346 (http://support.microsoft.com/kb/223346/ ) FSMO placement and optimization on Windows 2000 domain controllers
If the domain controller that formerly held any FSMO role is not present in the domain and if it has had its roles seized by using the steps in this article, remove it from the Active Directory by following the procedure that is outlined in the following Microsoft Knowledge Base article:
216498 (http://support.microsoft.com/kb/216498/ ) How to remove data in active directory after an unsuccessful domain controller demotion
Removing domain controller metadata with the Windows 2000 version or the Windows Server 2003 build 3790 version of the ntdsutil /metadata cleanup command does not relocate FSMO roles that are assigned to live domain controllers. The Windows Server 2003 Service Pack 1 (SP1) version of the Ntdsutil utility automates this task and removes additional elements of domain controller metadata.
Some customers prefer not to restore system state backups of FSMO role-holders in case the role has been reassigned since the backup was made.
Do not put the Infrastructure master role on the same domain controller as the global catalog server. If the Infrastructure master runs on a global catalog server it stops updating object information because it does not contain any references to objects that it does not hold. This is because a global catalog server holds a partial replica of every object in the forest. To test whether a domain controller is also a global catalog server:
Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
Double-click Sites in the left pane, and then locate the appropriate site or click Default-first-site-name if no other sites are available.
Open the Servers folder, and then click the domain controller.
In the domain controller’s folder, double-click NTDS Settings.
On the Action menu, click Properties.
On the General tab, view the Global Catalog check box to see if it is selected.For more information about FSMO roles, click the following article numbers to view the articles in the Microsoft Knowledge Base:
197132 (http://support.microsoft.com/kb/197132/ ) Windows 2000 Active Directory FSMO roles
223787 (http://support.microsoft.com/kb/223787/ ) Flexible Single Master Operation transfer and seizure process