Exchange 2003 can't find domain controller - Microsoft IS stumped!  Event 2114 & 2102

Posted on 2005-05-09
Last Modified: 2010-05-18
We have several clients that are in this boat.  After running perfectly fine for days, weeks, months, their servers suddenly start popping up messages that ExchangeDS can't find the AD server.  In some cases, the Exchange server IS the AD server (Some SBS clients.)  When we start seeing these messages pop up in the event logs, users can not send or receive mail - it just queues up.  

We're not sure the problem is related to Exchange or if it's something with Server 2003, thus I've posted here.

I have about 6 clients having this issue.  Two cases open with Microsoft, and they can't figure it out yet.  They've pulled reports from Exchange and the AD servers, netdiags, dcdiags, etc.  They said the servers look clean, built properly, etc.  But they can't figure out what's causing it.  We've gone through a bunch of different scenarios with them regarding Symantec anti-virus, GFI Mail Essentials, etc.  Nothing.

When the errors start, I must reboot the Exchange and AD servers to fix.  One or the other doesn't help.

I'm not necessarily looking for a solution, but am looking to see if anyone else is having anything similar?  Here's some samples of the events:

Event Type:      Error
Event Source:      MSExchangeDSAccess
Event Category:      Topology
Event ID:      2114
Date:            5/9/2005
Time:            6:12:55 AM
User:            N/A
Computer:      SBSERVER
Description:
Process INETINFO.EXE (PID=496). Topology Discovery failed, error 0xffffffff.

For more information, click http://www.microsoft.com/contentredirect.asp.


Event Type:      Error
Event Source:      MSExchangeDSAccess
Event Category:      Topology
Event ID:      2102
Date:            5/9/2005
Time:            6:10:13 AM
User:            N/A
Computer:      SBSERVER
Description:
Process MAD.EXE (PID=5356). All Domain Controller Servers in use are not responding:
server.domain.local
 

For more information, click http://www.microsoft.com/contentredirect.asp.

500 points if anyone actually has a fix!
Question by:dipersp

Expert Comment

by:ckratsch
ID: 13961177
Similar symptoms here:
http://www.experts-exchange.com/Networking/Microsoft_Network/Q_21417498.html

No solution yet, but I thought I would connect these seemingly related questions.

Expert Comment

by:Seelan Naidoo
ID: 13961268
Event ID: 2114

This problem can appear because the service principal name for ldap is not registered for the Exchange virtual server.

You can verify this with the SETSPN utility from the Windows 2003 Res Kit

Run the following command:

"setspn -l [exchange_virtual_server_name]"

If you do not see:

"ldap/[exchange_virtual_server_name]"
"ldap/[exchange_virtual_server_FullQualifiedDomainName]",

then add it manually

"setspn -a ldap/[exchange_virtual_server_name]"
"setspn -a ldap/[exchange_virtual_server_FQDN]".

------------------------------------------------------------------------------------------------------------------------------------------
Event ID: 2102

As per Microsoft: "This issue may occur if the Exchange Enterprise Servers security group does not have Manage auditing and security logs permissions on the domain controller. The Exchange Enterprise Servers group must have Manage auditing and security logs permissions on all the domain controllers in the domain". See Q328662 and Q321318 to fix this problem.

This issue may also occur if the Exchange server is not listed as a member of the Exchange Domain Servers group. See Q327844 for more details.

See Q842116 for additional information.



Author Comment

by:dipersp
ID: 13961419
Regarding the SETSPN:

When the issue first arose, I only had one server with the issue.  At the time, we were in the middle of an Exchange migration from 5.5 and we were using the ADConnector.  I found the event and KB you mention, but also found this:

http://support.microsoft.com/default.aspx?scid=kb;en-us;281431

Stating NOT to set the SPN if you're using the ADC or it will fail.  MS wanted me to do it, until I had to show them this KB.  That stopped them dead.  Good research boys.

We've since finished the migration, and also have plenty of other servers failing.  I will look back into this again.

Expert Comment

by:Seelan Naidoo
ID: 13961549
Activate the MSExchangeDSAccess diagnostic logging. Set the Topology section to maximum logging.

The next topology discovery cycle should reveal some information.

Do you have any external DNS servers specified?
I suspect that it might be DNS related. More specifically, the Exchange topology discovery engine might be referencing the external DNS servers before moving on to the internal DNS servers when searching for IS information.

Author Comment

by:dipersp
ID: 13962618
Actually, I had enabled the max logging on topology when it first started.  Unfortunately, it didn't give us any additional help or information.  I forgot to include those as well:

Event Type:      Warning
Event Source:      MSExchangeDSAccess
Event Category:      Topology
Event ID:      2107
Date:            4/27/2005
Time:            10:16:07 PM
User:            N/A
Computer: ExchangeServer
Description:
Process INETINFO.EXE (PID=5552). DSAccess failed to obtain an IP address for DS server adserver.domain.local, error 11001.  This host will not be used as a DS server by DSAccess.

Event Type:      Error
Event Source:      MSExchangeDSAccess
Event Category:      Topology
Event ID:      2122
Date:            4/27/2005
Time:            10:16:07 PM
User:            N/A
Computer:      ExchangeServer
Description:
Process INETINFO.EXE (PID=5552). Error 0x8007000e occurred when DNS was queried for the service location  (SRV) resource record used to locate a domain controller for domain domain.local
 The query was for the SRV record for _ldap._tcp.dc._msdcs.domain.local
 For information about correcting this problem,  type in the command line:
hh tcpip.chm::/sag_DNS_tro_dcLocator_messageA.htm

It definitely APPEARS to be a DNS issue, but DNS is setup fine, as per MS.  Also, the SRV record for ldap also appears in DNS properly.

On the server, it has a single NIC pointing to itself for DNS.  DNS is set with forwarders to our ISP's DNS.

One other interesting note/event. . .

Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40961
Date:            5/7/2005
Time:            11:02:39 PM
User:            N/A
Computer:      ExchangeServer
Description:
The Security System could not establish a secured connection with the server DNS/prisoner.iana.org.  No authentication protocol was available.
Data:
0000: 8b 01 00 c0               ‹..À    

An MS tech made a quick mention of seeing this in our event logs.  He thought it odd since he ONLY sees this on servers in a 192.168.x.x address scheme.  But we're on 10.x.x.x.  He couldn't give me a good reason of why the system would be looking to this while being on a 10 subnet.

Expert Comment

by:Seelan Naidoo
ID: 13962790
Here's a thought,

remove the forwarders to your ISP's DNS, and see what the results are. There might be a significant change.

I know that Event ID: 2107

Refers to a DC or GC being unavailable, or if there is a slow connection to the GC and DC.

Event ID: 40961

If this warning appears by itself on an hourly basis, check that the credentials assigned to the DHCP server to register DNS dynamic updates are valid.

Spelling errors or incorrect passwords and/or domain names can be to blame.

To do this in Windows Server 2003, open the DHCP snap-in, open the properties for your DHCP server, select the "Advanced" tab, and click the "Credentials" button. Verify that the username, password, and domain listed here are valid,

and check FRS

This can occur if the File Replication Service (Ntfrs.exe) tries to authenticate before the directory service has started.

Author Comment

by:dipersp
ID: 13978746
Add another server to the list.  Great. . .  

I have the forwarders on this server because we were having problems without them.  A few of the other servers do not.  

I verified the credentials within DHCP; they seemed OK.  We're getting the prisoner error every day, once a day at the same time.

Still nothing from MS.

Author Comment

by:dipersp
ID: 13985629
Hmmmm, might be a GFI problem after all.  All of my systems with this problem are running it (Though some systems I handle with GFI are NOT having this problem.)

Page 2 starts talking about this issue:
http://forums.gfi.com/cgi-bin/ultimatebb.cgi?ubb=get_topic;f=7;t=002636;p=2

Expert Comment

by:avn_expert
ID: 14027428
It's a known issue. Call Microsoft and they will give you a hotfix.

http://support.microsoft.com/kb/898060

Author Comment

by:dipersp
ID: 14027805
That would be too easy.  Unfortunately, we haven't rolled out 05-019 or SP1 to our production environment yet.  Thanks for trying though!

Expert Comment

by:eycc
ID: 14336088
I was having similar problems.  Try running domainprep again.  That solved my issue with the same event ids...

Author Comment

by:dipersp
ID: 14756510
Well, after several months, Microsoft has yet to come up with an answer.  However, currently, all signs ARE pointing to GFI.

Go ahead and close this question with no resolution.

Accepted Solution

by:
DarthMod earned 0 total points
ID: 14810330
PAQed with points (500) refunded

DarthMod
Community Support Moderator

Author Comment

by:dipersp
ID: 14813342
For what it's worth, we have removed GFI from two of our worst servers (One crashed 4 times in one day, the other, two in one day.)  Since then - no crashes.  It's been about 1-2 weeks on both boxes.

GFI is still trying to replicate - I have a feeling we'll have Mail Essentials removed from all of our servers before they figure out what's up.

Expert Comment

by:christian_dinh
ID: 21198777
SeanUK777,

I'm experiencing a similar problem and tried to use SETSPN to manually add LDAP on my Exchange server, but received this error message:

Failed to assign SPn on account 'CN=hostname, CN=OU, DC=domain, DC=.net, error 0x20b5/8373 --> the name reference is invalid.

Also, I would like to know if I was supposed to run this command on my Exchange box or my DC/GC.  Thanks.

Expert Comment

by:christian_dinh
ID: 21198795
When I performed 'setspn -l serverHostname', the following appeared:

MSSQLSVC/serverHostname.FQDN:1433
exchangeMDB/serverhostname.FQDN
exchangeMDB/serverhostname
SMTPSVC/serverhostname
SMTPSVC/serverhostname.FQDN
exchangeRFR/serverhostname
exchangeRFR/serverhostname.FQDN
Host/serverhostname
Host/serverhostname.FQDN

Thank you for your all assistance.
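An added example, not from the thread or any poster, that performs the check Seelan Naidoo describes above (are ldap/[host] and ldap/[FQDN] present in `setspn -l` output?) as a script, run against a constructed SPN list modelled on the one christian_dinh posted, which has no ldap/ entries. The host name, FQDN and DN are placeholders; the script only reports what is missing and registers nothing, which matters because KB 281431 (cited above) says not to add the SPN while the ADC is in use.

```python
"""Report which LDAP SPNs are absent from `setspn -l <server>` output.

Constructed sample: modelled on the SPN list posted in the thread
(MSSQLSVC, exchangeMDB, SMTPSVC, exchangeRFR, Host, no ldap/ entries).
Server name "exch01", domain "example.local" and the DN are placeholders.
"""

SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=EXCH01,OU=Servers,DC=example,DC=local:
    MSSQLSVC/exch01.example.local:1433
    exchangeMDB/exch01.example.local
    exchangeMDB/exch01
    SMTPSVC/exch01
    SMTPSVC/exch01.example.local
    exchangeRFR/exch01
    exchangeRFR/exch01.example.local
    Host/exch01
    Host/exch01.example.local
"""


def parse_setspn(output):
    """Return the set of SPNs listed by setspn -l, lower-cased.

    SPN matching in Active Directory is case-insensitive, so comparing
    lower-cased strings avoids false "missing" reports for LDAP/ vs ldap/.
    """
    spns = set()
    for line in output.splitlines():
        line = line.strip()
        # Skip the "Registered ServicePrincipalNames for CN=..." header and
        # blank lines; every real SPN has the form class/host[:port].
        if not line or "/" not in line or line.startswith("Registered"):
            continue
        spns.add(line.lower())
    return spns


def missing_ldap_spns(output, hostname, fqdn):
    """List which of ldap/<host> and ldap/<fqdn> are not registered."""
    present = parse_setspn(output)
    expected = [f"ldap/{hostname}", f"ldap/{fqdn}"]
    return [spn for spn in expected if spn.lower() not in present]


if __name__ == "__main__":
    # Feed this the real output of: setspn -l <exchange_virtual_server_name>
    for spn in missing_ldap_spns(SETSPN_OUTPUT, "exch01", "exch01.example.local"):
        print(f"missing: {spn}")
```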

Expert Comment

by:Drutch
ID: 24326664
Most times that I've run into:

Failed to assign SPn on account 'CN=hostname, CN=OU, DC=domain, DC=.net, error 0x20b5/8373 --> the name reference is invalid.
 
the error has been that I forgot to add the service type, i.e. http, host, etc.

setspn -A http/[name] [server name]