idyllicsys
asked on
Exchange AD interaction
Hi,
I have been running a location with a DC running 2003 and Exchange 2003 for quite a while with no issues. I just brought up a new location with a new DC and Exchange 2003. I have migrated all of the FSMO roles to the new DC and all of the mail accounts to the new Exchange server. Everything seems to work ok except for authentication over RPC. I have clients connecting RPC over HTTPS with a minor issue but any MAPI clients internally don't work right.
That's the background. Here's the issue.
I have a Citrix farm set up as well as a few other servers for various purposes. When I connect from an external location using RPC over HTTPS, it tries to authenticate with the original DC at the other location. It tries this three times and then fails over to the local DC and I get on. I get this information from running "outlook /rpcdiag".
Internally, connecting via straight RPC, it always asks for logon information. If I run "outlook /rpcdiag", it shows four failed tries to the directory services.
I cannot figure out why it is trying to talk primarily to the original DC. I have manually set the DC in the Directory Access tab on all three items. I have disabled the GC on the original DC, and if I automatically check for DCs in the Directory Access tab, it still sets the original DC as the configuration controller.
As you can see, I am stumped. When connecting from the Citrix farm, it is very annoying to have to log into your e-mail as well. I cannot figure this one out.
Ted
ASKER
Simon,
I have used the GUI and then made the necessary registry changes because it is a single server running RPC over HTTPS. Could it be in the valid ports registry item? I have them set as such:
exchangeserver:100-5000;exchangeserver:593;exchangeserver.domain.TLD:593;exchangeserver:6001-6002;exchangeserver.domain.TLD:6001-6002;exchangeserver:6004;exchangeserver.domain.TLD:6004;exchangeserver.domain.TLD:6001-6002;exchangeserver.domain.TLD:6004;adserver:593;adserver.domain.TLD:593;adserver:6004;adserver.domain.TLD:6004;
Could something in this be wrong? I thought this entry would only affect the RPC over HTTPS.
I forgot one thing. As a test, I brought up another Exchange server with a base configuration and it did the same thing. No RPC over HTTPS set up at all.
Thanx
The valid ports entry was where I was thinking initially. Make sure that it is pointing to the correct AD server.
Also ensure that the DC has the required registry change on it as well.
Otherwise I have to doubt whether that DC has taken on the GC role correctly. Exchange uses the GC that responds first - and in most cases that will be the closest one.
You haven't made any changes to the network configuration, used a host file or anything like that to "help" the machines find the other domain controller in the past?
Simon.
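Simon's point above, that the ValidPorts entry must reference the right AD server, can be checked mechanically rather than by eye. The script below is an added example for this thread, not code from the original posts or from Microsoft. It parses the value the asker posted (using the thread's placeholder names "exchangeserver" and "adserver"), verifies that each Exchange server name and each global catalog name allows the ports the Exchange 2003 RPC over HTTP setup documents (593, 6001-6002 and 6004 on the Exchange server; 593 and 6004 on the GC), lists any host in the value that is not one of the expected servers (so a stale or wrong DC name stands out), and flags ranges as wide as the posted 100-5000, which let an Outlook Anywhere client reach every TCP service on that host through the proxy, not only the Exchange RPC endpoints. The registry location `HKLM\SOFTWARE\Microsoft\Rpc\RpcProxy\ValidPorts` is the documented one; the `--registry` flag and the `read_valid_ports_from_registry` helper are assumptions for running it on a Windows proxy and are not part of the original.

```python
"""Parse and sanity-check the RPC over HTTPS 'ValidPorts' registry value.

Added example for this thread; it is not code from the original posts.
Assumptions: the value format (host:port or host:low-high, entries
separated by ';') and the port list checked (593, 6001-6002, 6004 on the
Exchange server; 593 and 6004 on the global catalog) follow the Exchange
2003 RPC over HTTP setup, and 'exchangeserver' / 'adserver' are the
poster's placeholder names, not real hosts.
"""
import re
import sys
from typing import Dict, Iterable, List, Tuple

# Where the RPC proxy (the Exchange server in this thread) stores the value.
VALIDPORTS_KEY = r"SOFTWARE\Microsoft\Rpc\RpcProxy"
VALIDPORTS_NAME = "ValidPorts"

# Ports Outlook must reach through the proxy, per server role.
EXCHANGE_PORTS = (593, 6001, 6002, 6004)  # endpoint mapper, store, referral, NSPI proxy
GC_PORTS = (593, 6004)                    # endpoint mapper, NSPI on the global catalog

_ENTRY = re.compile(r"^([^:;\s]+):(\d{1,5})(?:-(\d{1,5}))?$")

Entry = Tuple[str, int, int]


def parse_valid_ports(value: str) -> List[Entry]:
    """Split 'host:low-high;host:port;...' into (host, low, high) tuples.

    Host names are lower-cased so NetBIOS and FQDN forms compare reliably.
    Raises ValueError on an entry that does not match the expected shape.
    """
    entries: List[Entry] = []
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue  # a trailing ';' (as in the poster's value) is fine
        m = _ENTRY.match(raw)
        if not m:
            raise ValueError(f"malformed ValidPorts entry: {raw!r}")
        host, low = m.group(1).lower(), int(m.group(2))
        high = int(m.group(3)) if m.group(3) else low
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"bad port range in entry: {raw!r}")
        entries.append((host, low, high))
    return entries


def check_valid_ports(value: str, exchange_hosts: Iterable[str],
                      gc_hosts: Iterable[str], max_width: int = 16) -> Dict[str, list]:
    """Report required ports that are not allowed, ranges wider than
    max_width ports, and hosts in the value that are neither an Exchange
    server nor an expected global catalog."""
    entries = parse_valid_ports(value)
    exchange_hosts = [h.lower() for h in exchange_hosts]
    gc_hosts = [h.lower() for h in gc_hosts]

    def allowed(host: str, port: int) -> bool:
        return any(h == host and low <= port <= high for h, low, high in entries)

    missing = [(h, p) for h in exchange_hosts for p in EXCHANGE_PORTS if not allowed(h, p)]
    missing += [(h, p) for h in gc_hosts for p in GC_PORTS if not allowed(h, p)]

    # A wide range lets an Outlook Anywhere client reach every TCP service
    # on that host through the proxy, not only the Exchange RPC endpoints.
    broad = [(h, low, high) for h, low, high in entries if high - low + 1 > max_width]

    known = set(exchange_hosts) | set(gc_hosts)
    unexpected = sorted({h for h, _, _ in entries if h not in known})
    return {"missing": missing, "broad": broad, "unexpected_hosts": unexpected}


def read_valid_ports_from_registry() -> str:
    """Read the live value on a Windows RPC proxy server (Windows only)."""
    import winreg  # standard library, but only present on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, VALIDPORTS_KEY) as key:
        value, _kind = winreg.QueryValueEx(key, VALIDPORTS_NAME)
    return value


# Constructed sample: the value the asker posted, with the extraction
# spaces removed. Host names are placeholders from the thread.
POSTED_VALUE = (
    "exchangeserver:100-5000;exchangeserver:593;exchangeserver.domain.TLD:593;"
    "exchangeserver:6001-6002;exchangeserver.domain.TLD:6001-6002;"
    "exchangeserver:6004;exchangeserver.domain.TLD:6004;"
    "exchangeserver.domain.TLD:6001-6002;exchangeserver.domain.TLD:6004;"
    "adserver:593;adserver.domain.TLD:593;adserver:6004;adserver.domain.TLD:6004;"
)

if __name__ == "__main__":
    # 'python validports.py --registry' reads the live value on the proxy.
    value = read_valid_ports_from_registry() if "--registry" in sys.argv else POSTED_VALUE
    report = check_valid_ports(value,
                               ["exchangeserver", "exchangeserver.domain.TLD"],
                               ["adserver", "adserver.domain.TLD"])
    for key, items in report.items():
        print(f"{key}: {items}")
```

Run against the posted value, the check reports no missing ports and no unexpected hosts, which matches Simon's reading that the entry itself is not what breaks the internal MAPI logons; the one finding is the 100-5000 range on the Exchange server, which is far broader than the proxy needs. After the new DC is the only GC, run it again with that DC's NetBIOS and FQDN names in the GC list: any entry still naming the old DC shows up under unexpected_hosts, and any required port the new DC lacks shows up under missing.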
ASKER
Simon,
Right now, that DC is the only GC in the network. I unchecked the GC setting for the other DC. Otherwise, nothing has changed. No hosts files or lmhosts. I even tried turning on WINS just to see if that helped, but nothing.
I don't know why, but when you log on, whether internally or externally via RPC over HTTPS, it tries to contact the original DC on the directory service at least 3 times. This causes multiple failures on both types of logins. I think that is why I am getting the logon box. But I am not sure.
Ted
ASKER
Just found something interesting.
I was double checking the port assignment for listening on the DC and see that the DC has an entry under HKLM\System\CurrentControlSet\Services\NTDS\Parameters
Src Config NC
Src Root Domain
Both of these point back to the original DC for the domain.
ASKER CERTIFIED SOLUTION
ASKER
I think I screwed up something initially. In setting up RPC over HTTPS in a haste, I ran dcpromo on the Exchange server after Exchange was installed. And then I removed it. I found an article that mentioned that these changes are not supported. If you run dcpromo on an Exchange box, it will look to itself and only itself for a DC, no matter what you say.
So, I have a backup Exchange server that works correctly. I am going to move all of the mailboxes this weekend, remove Exchange, run a dcpromo to update it and then dcpromo again to remove it. Then, when it is relatively clean again, reinstall Exchange, set it up and move the mailboxes back.
Points are yours for pointing me in the right direction. Not necessarily where I wanted to go, but where I have to go.
If you did it via the registry changes, which domain controller did you point it at?
Setting the domain controller manually in directory access isn't recommended, you should let it find the domain controller on its own.
How have you got your DNS configured? Do you have DNS set to use the local DC as the primary DNS server?
Simon.