I have installed MSMQ and MSMQ AD Integration on a domain controller which also hosts an Exchange server. The whole code has been used successfully on other domain controllers (none of which hosts an Exchange server; I sincerely hope that this is not the reason!).
As required on a domain controller, I have used the following code to allow the network service account to create queues:
SecurityIdentifier sidNetworkService = new System.Security.Principal.SecurityIdentifier("S-1-5-20");
ActiveDirectoryAccessRule NewRule = new ActiveDirectoryAccessRule(sidNetworkService, ActiveDirectoryRights.CreateChild, AccessControlType.Allow, new Guid("9a0dc344-c100-11d1-bbc5-0080c76670c0"), ActiveDirectorySecurityInheritance.All);
de.ObjectSecurity.AddAccessRule(NewRule);
de.CommitChanges();
However, when trying to create/access a public queue, the following error occurs:
A workgroup installation computer does not support the operation.
As described here, I have then uninstalled MSMQ and MSMQ AD Integration, installed it again, but the error is the same.
I verified that MSMQ is installed in Domain Mode by proving that HKLM\Software\Microsoft\MSMQ\Parameters has Workgroup set to REG_DWORD 0x00000001 (1)
So I have had a look into eventvwr.msc and found the following errors:
The Message Queuing service failed to join the computer's domain 'EXCH'. Error 0xc00e0025:
and
Message Queuing was unable to create the msmq (MSMQ Configuration) object in Active Directory Domain Services. Error c00e0025h:
These errors are already described here, but without an accepted solution.
So, does someone have an idea where to find the culprit?
Related
I'm writing my first application using MSMQ and everything works well with local queues on my development machine. I cannot seem to connect to a remote queue when I tested it.
I have 10 Windows 10 Pro installation (not domain joined, but I have also tried this on two domain joined machines), both with MSMQ installed. I have disabled the firewall on both machines, unchecked the 'Disable un-authenticated RPC calls" on both machines. Changed the permissions on the queue to full control for everyone and anonymous.
I'm using .NET and the system.messaging namespace. When I call the messagequeue constructor, I can see that most of the properties are in a exception state.
VB code New MessageQueue("FormatName:Direct=TCP:x.x.x.x\private$\test")
I found an article detailing a registry entry NewRemoteReadServerAllowNoneSecurityClient I thought might work but got the same result. I'm sure this is some sort of security issue but I have no idea what I'm doing wrong.
Anyone have any ideas? Seems like this should be much easier than I am experiencing.
I'm trying to enable MSMQ on my development computer (running Windows 7).
I go to turn windows features on or off -> Microsoft Message Queue (MSMQ) Server Core -> Check MSMQ Active Directory Domain Services Integration AND MSMQ HTTP Support.
When I click OK, I get the error "An Error has occurred. Not all of the features were successfully changed." -> Click OK -> "You must restart your computer to apply these changes".
I've clicked Restart Now and Restart later and no matter what, same issue every time.
If I selected Restart later and go into Services...I see Message Queuing (stopped), and if I try to start the service, I get the error "Windows could not start the Message Queuing service on Local Computer. Error 0x80070005: Access denied."
I checked my privileges and I am an Admin on the machine. Just to be safe, I even logged into the machine as the actual Administrator. Same scenario.
Furthermore, when I go into the Event Viewer, I check the Application logs. I have an error with MSMQ as the Source. EventID: 2076, Error: The logger files cannot be initialized. The file QMLog in the Msmq\Storage folder is corrupted or absent. Error 0x80070005: Access denied.
If I check the System Logs, I see another error with the source being Service Control manager. Error eventId: 7023, Error: The Message Queuing service terminated with the following error: %%-2147024891
When I look up the error codes on Microsoft, there is NOTHING.
I had something like this - not sure how it came about as I always had AD integration turned ON for my MSMQ (as I needed it) but somewhere along the line, it got turned off and I couldn't turn it back on again via Control Panel - I would get the error behaviour (and restart!) that the OP describes. To fix it, I accessed my machine via the AD services manager app on one of our domain servers and deleted the "msmq" object that was under it.
I restarted my local MSMQ service on my machine AND rebooted (not sure which or both was required) and then when I checked my local registry entries, it indicated I was correctly running in AD mode once again. Everything started to work again after that.
This link was helpful in giving me the right direction to go in: Technet MSMQ delete stale objects article
I'm trying to get the list of available queues on the remote machine. The machine is a Win2003R2 in Workgroup mode, and the client machine that runs the code is a Windows 8 machine both using the same Workgroup name. I get an exception when running the following code:
var messages = MessageQueue.GetPrivateQueuesByMachine("Win2003SRV");
And the error message is:
base {System.Runtime.InteropServices.ExternalException}: {"Access to Message Queuing system is denied."}
Message: "Access to Message Queuing system is denied."
MessageQueueErrorCode: AccessDenied
I'm pretty sure it has something to do with permissions on Windows 2003 but couldn't find much. The code works fine with another Win Server 2008 (but in workgroup mode) and works with local MSMQ as well. According to the MSDN page, this function is supported on Workgroup mode, so what's the catch?
SOLVED:
My issue turned out to be that I didn't have MSMQ installed on my Client machine! The help on the link pointed me to the right direction, so all I had to do was to install MSMQ on client machine as well. If you look at the implementation of GetPrivateQueuesByMachine, the native call can throw a DllNotFoundException and it is that exception that translates into that specific message, so it should give you a hint on what is wrong
John Breakwell who is/was a msmq MVP has a few posts which may help. The problem seems to be caused because the GetPrivateQueuesByMachine() method uses RPC under the hood to communicate between queue managers on different machines.
http://blogs.msdn.com/b/johnbreakwell/archive/2010/03/24/understanding-how-msmq-security-blocks-rpc-traffic.aspx
What considerations should be addressed when moving a Microsoft 2003 server with MSMQ installed to another domain?
We assigned permissions to the queue for a user account from the new domain. We still get an error "Access to Message Queing system is denied."
There are no other servers in the new domain running MSMQ. Is there an Active Directory object that gets created when MSMQ is installed on a member server?
The issue has been resolved. The problem was with a private queue created by our application. That explains why we didn't see any AD object created. Using domain admin credentials, we tried to modify the permissions on the private queue using the MMC snapin. We got an error and could not make the required change because the domain admin was not on the ACL for that queue. We found a work around to the problem. We created a new temporary private queue and assigned full control to the user account we need for our application. We located the newly created private queue configuration file in the \system32\msmq\storage\lqs directory. We opened the file and copied the entire security line. Then we opened the configuration file for the private queue we are trying to fix and pasted the security line over the same line in that file. We saved the configuration file. We restarted the MSMQ service and then started our application service. The application could now function properly. Thanks everyone for your help!
If the domain is in a different forest and you wish to make use of public queues, etc. then you will need to reinstall MSMQ so that all the MSMQ objects are created in AD.
What exact operation generates "Access to Message Queing system is denied."?
If you don't have any messages or journal history that you need to save, I would suggest uninstalling and reinstalling MSMQ.
Have you logged into the server directly using the account that is trying to send the message? This is necessary to establish a message queuing certificate, a little understood and poorly documented area of MSMQ.
We also found another easier way to reset the permissions on the private queue. Instead of modifying the private queue configuration file, we took ownership of the private queue as the domain admin, assigned full permissions to the user account needed for our application, and transfered ownership to the same user. This restored the private queue to the state it was in prior to the server move.
There is a public queue named queue1 on machine A. I want to send messages to this queue from machine B. In order to achieve this, I wrote that c# code.
if (MessageQueue.Exists("machineA\queue1"))
{
label1.Text = "queue found";
}
else
{
label1.Text = "queue could not be found";
}
But Exists() method return false on machine B. The same code works well on machine C.
I found somethings related with msmq domain mode and workgroup mode. I think that msmq installed in workgoup mode on machine B.
How can I change this configuration from workgroup mode to domain mode?
HKEY_LOCAL_MACHINE\Software\Microsoft\MSMQ\Parameters\
Check the data for the REG_DWORD workgroup. Is it 1 or 0?
1 is workgroup mode.
0 is AD mode
Basically the difference between domain and work group mode is not defined by the value of the registry flag "workgroup" mentioned by #engin. This flag just reflects current operational mode but doesn't set it.
Whether you run in domain or workgroup mode is defined whether you installed MSMQ on domain controller or on a member server. Details about differences between these two modes can be found here: https://support.microsoft.com/en-us/kb/884974/
MSMQ 1.0 used to support domain mode only. Current MSMQ version is 5.0.
Next you may see quite interesting behavior when you installed MSMQ on your DC, your workgroup flag continuously reverts to 1 after each MSMQ service restart. This means that you have to grant Network Service account the Create MSMQ Configuration Objects permission to the computer object in Active Directory Domain Services before installing the Directory Services Integration feature on a computer that is a domain controller.
You may find details on how to do it here:
https://technet.microsoft.com/en-us/library/cc730960.aspx
MSMQ runs under the (less privileged) Network Service account instead of (all powerful) Local System account starting from version 4.0 (Vista/Server 2008)
So to answer #mkus question more directly to "set" domain mode you just install MSMQ on domain controller and make sure that proper permissions in place for Network Service account. Once this is done you well see it operating in domain mode with workgroup flag switched to 0 automatically to reflect this.
Also couple of links to clarify issues around MSMQ objects permissions and when/why you need to set them:
http://blogs.msdn.com/b/johnbreakwell/archive/2009/08/03/default-msmq-queue-permissions-have-changed-in-msmq-4-0.aspx. In short starting from MSMQ 4.0 Everyone and Anonymous Logon were removed from default MSMQ objects ACLs as precaution against DoS attacks (though there are exlusions to this change and Workgroup mode is one of those).
And as you may read in Technet article below you need to go a grant certain rigts to MSMQ objects either to Network Service OR to Computer accounts when installing the Routing Service feature on a Windows Server 2008 R2 (or later) computer that is not a domain controller OR when installing the Directory Service Integration feature of Message Queuing on a Windows Server 2008 R2 (or later) computer that is a domain controller. See details here:
https://technet.microsoft.com/en-us/library/cc749102(v=ws.10).aspx
Run Server Manager on the machine that is hosting the queue. Right-click on Features and click "add features"
Drill down under Message Queuing and under Message Queuing Services. You should see a checkbox for Directory Service Integration.
Check it and click install.
Usually you have to reboot the server for it to show the change.
I ran into some problems, no matter how much I installed or uninstalled MSMQ or restarted, I still wasn't able to use the queue. So I wanted to post some links here
http://support.microsoft.com/kb/935498
When it gets to a part about "To work around this problem, use the Active Directory Users and Computer Microsoft Management Console (MMC)...". Below is how you do that.
How to delete from active directory
http://technet.microsoft.com/en-us/library/cc773660(v=WS.10).aspx
"Delete stale computer objects" is the part you are interested in.
I also found this nice error in the event log "The Message Queuing service will not join the domain. An MSMQ Configuration (msmq) object exists in the new domain with an ID differing from the service ID. Please delete the MSMQ Configuration object in the new domain, restart the Message Queuing service, and log on again."- which helped to point out they way.
I have face this issue for windows server 2016, where even thought I was changing registry value to domain mode "0", it reverts to "1", after server restart.
To solve the issue on OS 2016, we need to uninstall below MSMQ feature as they are deprecated from OS 2016 onward.
Message Queuing Trigger
Multicasting support
Routing Service