Exchange AD interaction


I have been running a location with a DC running 2003 and Exchange 2003 for quite a while with no issues. I just brought up a new location with a new DC and Exchange 2003. I have migrated all of the FSMO roles to the new DC and all of the mail accounts to the new Exchange server. Everything seems to work ok except for authentication over RPC. I have clients connecting RPC over HTTPS with a minor issue but any MAPI clients internally don't work right.

That's the background. Here's the issue.

I have a Citrix farm set up as well as a few other servers for various purposes. When I connect from an external location using RPC over HTTPS, it tries to authenticate with the original DC at the other location. It tries this three times and then fails over to the local DC and I get on. I get this information from running "outlook /rpcdiag".

Internally, connecting via straight RPC, it always asks for logon information. If I run "outlook /rpcdiag", it shows four failed tries to the directory services.

I cannot figure out why it is trying to talk primarily to the original DC. I have manually set the DC in the Directory Access tab on all three items. I have disabled the GC on the original DC, and if I automatically check for DCs in the Directory Access tab, it still sets the original DC as the configuration controller.

As you can see, I am stumped. When connecting from the Citrix farm, it is very annoying to have to log into your e-mail as well. I cannot figure this one out.


When you configured RPC over HTTPS, did you use the GUI or the registry changes?
If you did it via the registry changes, which domain controller did you point it at?

Setting the domain controller manually in directory access isn't recommended, you should let it find the domain controller on its own.
How have you got your DNS configured? Do you have DNS set to use the local DC as the primary DNS server?

idyllicsysAuthor Commented:

I have used the GUI and then made the necessary registry changes because it is a single server running RPC over HTTPS. Could it be in the ValidPorts registry item? I have them set as such:


Could something in this be wrong? I thought this entry would only affect the RPC over HTTPS.

I forgot one thing. As a test, I brought up another Exchange server with a base configuration and it did the same thing. No RPC over HTTPS set up at all.

The ValidPorts entry was where I was thinking initially. Make sure that it is pointing to the correct AD server.
Also ensure that the DC has the required registry change on it as well.

Otherwise I have to doubt whether that DC has taken on the GC role correctly. Exchange uses the GC that responds first - and in most cases that will be the closest one.

You haven't made any changes to the network configuration, used a host file or anything like that to "help" the machines find the other domain controller in the past?
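As an added example (not code from the original thread or from any participant in it), here is a small Python checker for the ValidPorts value the reply above says to verify. ValidPorts is the REG_SZ value under HKLM\SOFTWARE\Microsoft\Rpc\RpcProxy on the RPC-over-HTTP proxy server: a semicolon-separated list of host:port or host:port-port entries, where every server the proxy may forward to must be listed by both NetBIOS name and FQDN. The port assumptions (6001-6002 for the Exchange store endpoints, 6004 for the NSPI/DSProxy directory referral) are the ones Exchange 2003 uses behind the proxy; the server names mail, dc1, dc2 and the example.local domain are constructed for the sample, and the script parses a pasted string rather than reading the registry, so it runs on any machine.

```python
import re

# One ValidPorts entry: host:port or host:port-port (no spaces, no scheme).
ENTRY_RE = re.compile(
    r"^(?P<host>[A-Za-z0-9][A-Za-z0-9.-]*):(?P<lo>\d{1,5})(?:-(?P<hi>\d{1,5}))?$"
)

# Assumed Exchange 2003 RPC-over-HTTP ports (see lead-in).
STORE_PORTS = {6001, 6002}   # Information Store RPC endpoints
NSPI_PORT = 6004             # NSPI directory referral (DSProxy / GC)


def parse_valid_ports(value):
    """Return {hostname_lower: set_of_ports} for a ValidPorts string.

    Raises ValueError on an entry that is not host:port or host:port-port,
    because the RPC proxy will not forward to a host it cannot parse.
    """
    hosts = {}
    for raw in value.split(";"):
        entry = raw.strip()
        if not entry:
            continue
        m = ENTRY_RE.match(entry)
        if not m:
            raise ValueError(f"malformed ValidPorts entry: {entry!r}")
        lo = int(m.group("lo"))
        hi = int(m.group("hi") or lo)
        if not (0 < lo <= hi <= 65535):
            raise ValueError(f"bad port range in entry: {entry!r}")
        hosts.setdefault(m.group("host").lower(), set()).update(range(lo, hi + 1))
    return hosts


def check_valid_ports(value, exchange_names, gc_names):
    """Compare a ValidPorts string against the servers it should point at.

    exchange_names / gc_names: names to expect (give NetBIOS name and FQDN
    for each server, since the value must list both). Returns a list of
    findings; an empty list means the value matches expectations.
    """
    hosts = parse_valid_ports(value)
    exchange = {n.lower() for n in exchange_names}
    gcs = {n.lower() for n in gc_names}
    findings = []

    # Every Exchange name needs the store ports and the NSPI port.
    for name in sorted(exchange):
        missing = (STORE_PORTS | {NSPI_PORT}) - hosts.get(name, set())
        if missing:
            findings.append(f"{name}: missing port(s) {sorted(missing)}")
    # Every GC the proxy should refer clients to needs the NSPI port.
    for name in sorted(gcs):
        if NSPI_PORT not in hosts.get(name, set()):
            findings.append(f"{name}: GC not listed for NSPI port {NSPI_PORT}")
    # Anything else listed is a stale or wrong server, or an over-wide range.
    for name, ports in sorted(hosts.items()):
        if name not in exchange and name not in gcs:
            findings.append(f"{name}: not an expected server (stale or wrong DC?)")
        extra = ports - STORE_PORTS - {NSPI_PORT}
        if extra:
            findings.append(f"{name}: unexpected port(s) {sorted(extra)}")
    return findings


# Constructed sample values (not from the thread).
GOOD = ("mail:6001-6002;mail:6004;mail.example.local:6001-6002;"
        "mail.example.local:6004;dc2:6004;dc2.example.local:6004")
STALE = ("mail:6001-6002;mail.example.local:6001-6002;"
         "dc1:6004;dc1.example.local:6004")   # still points at the old DC
EXCHANGE = ["mail", "mail.example.local"]
GCS = ["dc2", "dc2.example.local"]

if __name__ == "__main__":
    for label, value in (("good", GOOD), ("stale", STALE)):
        print(label, check_valid_ports(value, EXCHANGE, GCS) or "OK")
```

Paste the value from the registry in place of the sample strings; the "stale" case reproduces the symptom in this thread, where the proxy is still told to refer directory traffic to the original DC and the new GC is absent.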


idyllicsysAuthor Commented:

Right now, that DC is the only GC in the network. I unchecked the GC setting for the other DC. Otherwise, nothing has changed. No hosts files or lmhosts. I even tried turning on WINS just to see if that helped, but nothing.

I don't know why, but when you log on, whether internally or externally via RPC over HTTPS, it tries to contact the original DC on the directory service at least 3 times. This causes multiple failures on both types of logins. I think that is why I am getting the logon box. But I am not sure.

idyllicsysAuthor Commented:
Just found something interesting.

I was double checking the port assignment for listening on the DC and see that the DC has an entry under HKLM\System\CurrentControlSet\Services\NTDS\Parameters

Src Config NC
Src Root Domain

Both of these point back to the original DC for the domain.

Those two registry entries are a red herring. I have just checked a working domain and that domain has a server listed that no longer exists, and it works fine. I think that entry is just to tell you where the server got its information from.


idyllicsysAuthor Commented:
I think I screwed up something initially. In setting up RPC over HTTPS in haste, I ran DCPromo on the Exchange server after Exchange was installed. And then I removed it. I found an article that mentioned that these changes are not supported. If you run DCPromo on an Exchange box, it will look to itself and only itself for a DC, no matter what you say.

So, I have a backup Exchange server that works correctly. I am going to move all of the mailboxes this weekend, remove Exchange, run DCPromo to update it and then DCPromo again to remove it. Then, when it is relatively clean again, reinstall Exchange, set it up and move the mailboxes back.

Points are yours for pointing me in the right direction. Not necessarily where I wanted to go, but where I have to go.