NeilMackie asked:
Exchange 2007 - The Exchange topology service did not return a suitable domain controller

Hello,
I am having an issue with my Exchange 2007 SP1 server. The entire office environment runs on Server 2003 Standard.

I have narrowed the problem down to the Exchange server not "seeing" any AD servers in my domain. I can ping from my email server to both of my DCs, and there does not seem to be any DNS issue, as everything is resolving to the correct IPs. I keep getting the following errors in the event log on the Exchange server about every minute:

Event Type:      Error
Event Source:      MSExchange ADAccess
Event Category:      Topology
Event ID:      2114
Date:            12/28/2007
Time:            6:36:44 PM
User:            N/A
Computer:      EMAIL1
Description:
Process IISIPM1DED805F-6588-48A0-9D04-A8CA72C32C41 -AP "MSEXCHANGEOWAAPPPOOL (PID=5844). Topology discovery failed, error 0x80040a02 (DSC_E_NO_SUITABLE_CDC). Look up the Lightweight Directory Access Protocol (LDAP) error code specified in the event description. To do this, use Microsoft Knowledge Base article 218185, "Microsoft LDAP Error Codes." Use the information in that article to learn more about the cause and resolution to this error. Use the Ping or PathPing command-line tools to test network connectivity to local domain controllers.

and

Event Type:      Information
Event Source:      MSExchange ADAccess
Event Category:      Topology
Event ID:      2080
Date:            12/28/2007
Time:            6:36:44 PM
User:            N/A
Computer:      EMAIL1
Description:
Process IISIPM1DED805F-6588-48A0-9D04-A8CA72C32C41 -AP "MSEXCHANGEOWAAPPPOOL (PID=5844). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
 (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
AD1.FQDN      CDG 1 7 7 1 0 0 1 7 1
AD2.FQDN      CDG 1 7 7 1 0 0 1 7 1
 Out-of-site:
 
So from what I see, the topology service sees the AD servers but is not reporting them as suitable for the other MS Exchange services to use, so many of them fail at startup, including the Exchange Transport service.

Looking further into the logs, I also find these two events, which point to an account problem in AD, but I cannot find any problems there.

Event Type:      Warning
Event Source:      MSExchange ADAccess
Event Category:      General
Event ID:      2601
Date:            12/28/2007
Time:            6:28:25 PM
User:            N/A
Computer:      EMAIL1
Description:
Process MSEXCHANGEADTOPOLOGY (PID=252). When initializing a remote procedure call (RPC) to the Microsoft Exchange Active Directory Topology service, Exchange could not retrieve the SID for account <WKGUID=DC1301662F547445B9C490A52961F8FC,CN=Microsoft Exchange,CN=Services,CN=Configuration,...> - Error code=80040a01.
 The Microsoft Exchange Active Directory Topology service will continue starting with limited permissions.

and

Event Type:      Error
Event Source:      Userenv
Event Category:      None
Event ID:      1097
Date:            12/28/2007
Time:            5:11:37 PM
User:            NT AUTHORITY\SYSTEM
Computer:      EMAIL1
Description:
Windows cannot find the machine account, No authority could be contacted for authentication. .

Any ideas? The big problems always seem to happen around the holidays don't they?
ASKER CERTIFIED SOLUTION
Busbar:
A good DSaccess should look like (notice the SACL right):
(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
server1.domain.com      CDG 1 7 7 1 0 1 1 7 1
server2.domain.com      CDG 1 7 7 1 0 1 1 7 1

Here is the reason why:
http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=2210464&SiteID=17

From the above post:

Your server does not have the SACL Right
That means that Exchange does not have the permissions to access the server

DSAccess does not use any domain controller that does not have permissions to read the SACL on the nTSecurityDescriptor attribute in the domain controller. You must have at least one server that satisfies each role (C, D, or G), that is reachable for that role (the appropriate bit flag connected by an OR value in the Reachability column), and that shows 1 in the SACL right column. If you do not have these servers, confirm that the domain controller that shows 0 in the SACL right column has been domain-prepped.

Have you run Setup /PrepareDomain?
Can you run Setup /PrepareDomain or Setup /PrepareAllDomains again?
Looks like you don't have a Global Catalog-enabled DC. Enable one of the DCs as a GC and it should see some improvement. Refer to http://technet2.microsoft.com/windowsserver/en/library/7b1c3e1c-ef32-4b8e-b4c4-e73910575f611033.mspx?mfr=true for how to enable or disable GC on a DC.
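To make the rule quoted in the accepted answer mechanical, here is an added Python example (not code from this thread, from Experts Exchange or from Microsoft) that parses the server table out of an MSExchange ADAccess event 2080 description and reports, for each role (C, D, G), which domain controllers DSAccess can use and why the others are excluded. It is run against the table from the question, the healthy table from the answer above, and one constructed row (host name dc3.example.test) that is reachable as GC and DC but not as configuration DC. The bit layout assumed for the Reachability and Synchronized columns (1 = GC, 2 = DC, 4 = CDC, so 7 = all three) is taken from my reading of Microsoft's event 2080 documentation and should be treated as an assumption.

```python
"""Decide whether DSAccess has a usable domain controller for each role,
based on the server table in MSExchange ADAccess event 2080.

Added example, not code from the original thread. Rule implemented: for each
role (C, D, G) there must be at least one server that is enabled, reachable
and synchronized for that role, and shows 1 in the SACL right column.
The bit assignment for the Reachability/Synchronized columns is an
assumption (1 = GC, 2 = DC, 4 = CDC); sample tables are copied from the
thread or constructed, as labelled.
"""
import re
from dataclasses import dataclass

ROLE_BITS = {"G": 1, "D": 2, "C": 4}  # assumed bit layout; 7 = all three roles

# A row looks like: "AD1.FQDN      CDG 1 7 7 1 0 0 1 7 1"
# name, roles, then nine integer columns: Enabled Reachability Synchronized
# GCcapable PDC SACLright CriticalData Netlogon OSVersion
ROW_RE = re.compile(r"^\s*(\S+)\s+([CDG]+)\s+((?:\d+\s+){8}\d+)\s*$")


@dataclass
class DcEntry:
    name: str
    roles: str
    enabled: int
    reachability: int
    synchronized: int
    gc_capable: int
    pdc: int
    sacl_right: int
    critical_data: int
    netlogon: int
    os_version: int

    def problems_for(self, role):
        """Reasons this server cannot serve `role`; an empty list means usable."""
        bit = ROLE_BITS[role]
        reasons = []
        if role not in self.roles:
            reasons.append(f"does not hold role {role}")
        if self.enabled != 1:
            reasons.append("disabled for DSAccess")
        if not self.reachability & bit:
            reasons.append(f"not reachable for role {role}")
        if not self.synchronized & bit:
            reasons.append(f"not synchronized for role {role}")
        if self.sacl_right != 1:
            reasons.append("SACL right = 0 (cannot read the nTSecurityDescriptor SACL)")
        return reasons


def parse_event_2080(text):
    """Extract DcEntry rows from an event 2080 description; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            nums = [int(n) for n in m.group(3).split()]
            entries.append(DcEntry(m.group(1), m.group(2), *nums))
    return entries


def suitable_dcs(entries):
    """Map each role to the names of servers DSAccess can use for it."""
    return {role: [e.name for e in entries if not e.problems_for(role)] for role in "CDG"}


def diagnose(text):
    """Return (ok, messages). ok is False when some role has no suitable server,
    which is the situation behind event 2114 (DSC_E_NO_SUITABLE_CDC)."""
    entries = parse_event_2080(text)
    usable = suitable_dcs(entries)
    messages = []
    for role in "CDG":
        if usable[role]:
            messages.append(f"role {role}: OK via {', '.join(usable[role])}")
        else:
            messages.append(f"role {role}: NO suitable server")
            for e in entries:
                for why in e.problems_for(role):
                    messages.append(f"  {e.name}: {why}")
    return all(usable.values()), messages


# Table copied from the question (both DCs show SACL right = 0).
ASKER_2080 = """In-site:
AD1.FQDN      CDG 1 7 7 1 0 0 1 7 1
AD2.FQDN      CDG 1 7 7 1 0 0 1 7 1
 Out-of-site:
"""

# Healthy table copied from the accepted answer (SACL right = 1).
GOOD_2080 = """In-site:
server1.domain.com      CDG 1 7 7 1 0 1 1 7 1
server2.domain.com      CDG 1 7 7 1 0 1 1 7 1
"""

# Constructed: reachable/synchronized as GC and DC only (bits 1|2 = 3), not as CDC.
PARTIAL_2080 = """In-site:
dc3.example.test      CDG 1 3 3 1 0 1 1 3 1
"""

if __name__ == "__main__":
    for label, table in (("asker", ASKER_2080), ("good", GOOD_2080), ("partial", PARTIAL_2080)):
        ok, msgs = diagnose(table)
        print(f"[{label}] {'OK' if ok else 'NO SUITABLE DC'}")
        for m in msgs:
            print(" ", m)
```

Run against the question's table, every DC is excluded for every role on the SACL check alone, which is exactly the condition that produces the 2114 error; the same DCs pass every other column, so pinging them proves nothing. The constructed partial row shows the other exclusion path the answer describes: a DC that is fine as GC and DC but not reachable for the C role still leaves Exchange without a configuration domain controller.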
sarithvs:

Sometimes this will happen if we move the Exchange server machine account from the default folder (Computers) to any other OU.
NeilMackie (ASKER):
Thank you for all your input; the problem is now solved. After a late night I tried what another post suggested and made the computer account a member of the Domain Admins group. This did solve the problem of access but is obviously not the correct configuration. Another associate found that there was indeed a problem with the DNS. The email server did not have a PTR record, and when we added one for the email server and tried to update the DNS records we got a few security errors, but the change did eventually take, and upon a reboot of the email server everything worked.

Although this still doesn't explain why the DC lost the PTR record and the ability to update DNS correctly, my Exchange is back up and running.
I will award points to Busbar, as his solution matched what my associate and I did.

Thanks for all your help!