Solved: Re: AvCsMgr difficult to start after 3.1(5) install

wallyb · ‎12-03-2002

Testing in a lab, after I installed 3.1(5) in the process of transitioning from using E55 to E2K/E55 mixed mode using Dirt backup/Uninstall/Install/Dirt restore, AvCsMgr would not start until I did the remedy in step 16, have the services logon as Unity_<server>, of the tech note about AvCsMgr not starting.

However, because my configuration doesn't fit any of the conditions listed in step 16, I'd like to know more about why it was necessary. I prefer not to attempt this process on the production systems without a little more understanding of the underlying problem if at all possible.

I can post more info, please let me know what would be helpful.

Unity 3.1(5), E2K+sp3, E55+sp4a, all on W2K+sp3, all in a single domain, single site, one bi-directional, primary CA between E55:Recipients and the AD root domain. Attempted to install once with different install and service accounts, once with the same install and service account. Used the permission wizard and when thru the steps for setting permissions in the install guide. The error is:

Source: MALEx_MC

Event ID: 30002

Description: ...8004011d. The MAPI subsystem returned the following error: You do not have permission to logon.

Sincerely,

Wally Brechtelsbauer

RAND

lindborg · ‎12-03-2002

Short story is the rights to have access to the directory (AD in this case) and the rights necessary for access to the mailstore come into conflict in this environement (and, in fact, other Exchange 2000 configurations other than just mixed 55/2K). Having the directory facing accounts (AVDSAD, AVDSGlobalCatalog) and the message facing accounts (AVCSMgr, AVMsgStoreMonitorSvr) use the same account is difficult. For instance members of the domain admins group are explicitly denied send as/receive as rights for the Exchange mailstores, among other things.

This is why in 4.0(x) we now require that you cough up two accounts for the permissions wizard - one for directory facing rights and one for message facing rights. You can, in fact, download the permissions wizard off the 4.x tools page on www.CiscoUnityTools.com and use it on your 3.x system here if you like. The Permissions Wizard in 4.0 will simply not allow you to use the same account for both since we ran into so many problems trying to shoe-horn all the rights needed into one account (and getting bit by the changes in the SPs released by Microsoft along the way when we finally got it right).

It's a little bit of a pain to have to use two accounts but the failure rate for permissions issues resulting in Unity not staring up should be greatly reduced...

View solution in original post

lindborg · ‎12-03-2002

Short story is the rights to have access to the directory (AD in this case) and the rights necessary for access to the mailstore come into conflict in this environement (and, in fact, other Exchange 2000 configurations other than just mixed 55/2K). Having the directory facing accounts (AVDSAD, AVDSGlobalCatalog) and the message facing accounts (AVCSMgr, AVMsgStoreMonitorSvr) use the same account is difficult. For instance members of the domain admins group are explicitly denied send as/receive as rights for the Exchange mailstores, among other things.

This is why in 4.0(x) we now require that you cough up two accounts for the permissions wizard - one for directory facing rights and one for message facing rights. You can, in fact, download the permissions wizard off the 4.x tools page on www.CiscoUnityTools.com and use it on your 3.x system here if you like. The Permissions Wizard in 4.0 will simply not allow you to use the same account for both since we ran into so many problems trying to shoe-horn all the rights needed into one account (and getting bit by the changes in the SPs released by Microsoft along the way when we finally got it right).

It's a little bit of a pain to have to use two accounts but the failure rate for permissions issues resulting in Unity not staring up should be greatly reduced...