Correcting security permission issues after moving Microsoft Message Queuing (MSMQ) off the system drive

Article: 100031234
Last Published: 2015-10-15
Product(s): Enterprise Vault

Problem

Correcting security permission issues after moving Microsoft Message Queuing (MSMQ) off the system drive

Cause

Performance or disk space issues could require relocating the MSMQ directories off the system drive.
 
Deployment Scanner Warning:
It is recommended that the MSMQ storage directories are located on a non system drive.
 
Symptoms

The MSMQ root and sub-directories could inherit security permissions at the destination volume resulting in one of the following symptoms:
  1. A1 and A2 or R1 and R2 (if Journal Archiving is enabled, J1 and J2) private queues may disappear.
     
  2. Enterprise Vault (EV) server could be reported as Not Available when attempting a manual archive (A1 and A2 missing).
     
  3. Enterprise Vault Client trace showing 0x8007005 (Access Denied) when trying to archive or restore a vaulted item.
     
  4. Where MSMQ private queues are available, archiving may seem to take too long to complete processing items regardless of how much the administrator tries to optimize Enterprise Vault Application settings.
     
  5. Enterprise Vault Event logs may not flag any obvious error messages on Message Queuing but some warning events could contain a description string suggesting not enough storage available to complete this operation.

Solution

Pre Windows 2008 Procedure:

  1. Log on to the EV server and stop the Enterprise Vault Admin Service
     
  2. Accept the warning that other dependent services will also stop.
     
  3. Locate the desktop icon My Computer, right click and select Manage.
     
  4. Expand Services and Applications > Message Queuing.
     
  5. Right click Message Queuing > select All Tasks > Take Message Queuing Offline...
     
  6. Left click Private Queues in the left pane.
     
  7. The column labeled Number of Messages in the right pane should list zero (0) entries; otherwise continue to step 11.
     
  8. In the right pane, right click any EV queues containing messages and click New Window from here.
     
  9. In the left pane, click Queue messages to preview the list in the right pane
     
  10. Note: This action should only be carried out with express notification from Veritas support personnel.

    Right click Queue messages, select All Tasks > Purge and click Yes to accept the admin prompt.
     
  11. Exit the current queue window via the lower X, top right.
     
  12. Repeat steps 8 - 10 to clear every EV queue and associated admin queue listing a number of messages greater than 0.
     
  13. Repeat step 6 above to verify that all EV queues have zero entries.
     
  14. Make sure Message Queuing remains in the Offline state (step 5).
     
  15. Set security permissions on the new ?:\MSMQ\Storage location exactly as follows:
     
    1. Share = None.
       
    2. Security = Right click the new MSMQ root directory and click Properties > Security tab.
       
    3. Click Advanced > clear the tick box at Allow inheritable permissions.
       
    4. Click Copy.
       
    5. Skip the local machine Administrators group and highlight each entry one at a time under Group or user names: then click Remove.
       
    6. In Advanced Security Settings for MSMQ verify that the local machine Administrators group now has Special Full Control Permissions <not inherited>.

      Figure 1


       
    7. Set Apply onto to This Folder and files.

      Figure 2


       
    8. Repeat sub-steps 1 - 6 on the \Storage subfolder.
       

 
Windows Server 2008 / Windows Server 2012 Procedure

Assign MSMQ group permissions to the MSMQ storage location using the command line; this is not possible using the GUI.

icacls "MSMQStoragelocationpath" /grant "NT SERVICE\MSMQ":(OI)(F)

To read more about icacls and its switches, see the following TechNet article:

Icacls
https://technet.microsoft.com/en-us/library/cc753525.aspx

Then, follow these steps:

  1. Take Message Queuing offline within Server Manager.
     
  2. Take Message Queuing Service offline.
     
  3. Change the storage file path to desired location.
     
  4. Bring Message Queuing service online.
     
  5. Bring Message Queuing online within Server Manager.
     
  6. Validate Drive:\MSMQ\Storage location for newly created files (LQS folder and approx 5 other LG* files)
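
The following read-only check is an added example, not part of the original article or of Enterprise Vault: it audits the ACL on the relocated MSMQ root and \Storage folders for the conditions the procedures above aim for (inheritance blocked, only the intended principals present). The default path, the function name Test-MsmqStorageAcl, the English principal names and the combined allow-list (Administrators from the pre-2008 procedure, NT SERVICE\MSMQ from the 2008 / 2012 procedure) are assumptions to adjust for your server.

```powershell
# Added example (not from the original article): read-only ACL audit of a
# relocated MSMQ storage location. Nothing is modified.
param(
    [string]$StoragePath = 'D:\MSMQ\Storage'   # assumption: placeholder path
)

# Assumption: principals the article's procedures leave on the folders
# (English account names; adjust on localized systems or pre-2008 servers).
$expected    = @('BUILTIN\Administrators', 'NT SERVICE\MSMQ')
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-MsmqStorageAcl {
    param([Parameter(Mandatory)][string]$Path)
    $acl      = Get-Acl -LiteralPath $Path
    $findings = @()

    # Inheritance must be blocked so the folder does not pick up the
    # permissions of the destination volume.
    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'Inheritance is enabled (permissions flow in from the parent).'
    }
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.IsInherited) { $findings += "Inherited ACE present for $who" }
        if ($expected -notcontains $who) {
            $findings += "Unexpected principal: $who ($($ace.FileSystemRights))"
        }
    }
    # Each expected principal needs an explicit Allow / Full Control ACE.
    foreach ($name in $expected) {
        $match = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $name -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $fullControl) -eq $fullControl
        }
        if (-not $match) { $findings += "No Allow/FullControl ACE for $name" }
    }
    return $findings
}

# The article sets permissions on both the MSMQ root and the \Storage subfolder.
foreach ($p in @((Split-Path -Parent $StoragePath), $StoragePath)) {
    $result = @(Test-MsmqStorageAcl -Path $p)
    if ($result.Count -eq 0) { "OK   $p" }
    else { $result | ForEach-Object { "WARN $p : $_" } }
}
```

Run it from an elevated PowerShell session after step 6; a WARN line for an unexpected or inherited entry points to the inherited-permission condition described under Symptoms.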

 
Caveat:

Microsoft Message Queuing (MSMQ) is a Microsoft component and as such any errors that can't be addressed in this document should be put to Microsoft Support.

