exchange does not find global catalog - LSASS might be the reason
Posted on 2006-03-22
I have a problem on our Exchange server which probably is caused by a problem on our DC (jupiter).
It started with a hanging Outlook. Upon inspection of the Exchange server (called SATURN) I found the following entry in the app evt log:
[Event Type - Source - Category - ID - Date Time - User - Computer]
*** Error - MSExchangeDSAccess - Topology - 2103 - 15.03.06 13:40:15 - N/A - SATURN
Process MAD.EXE (PID=2384). All Global Catalog Servers in use are not responding:jupiter.xxx.com
The DC was locked with the domain admin account. I was unable to unlock the server; it always said invalid password. I'm convinced I typed the correct password.
On another occasion when I was logged in as domain admin and tried to shut the server down, it said that I had no permission to shut the server down.
I also noticed that LSASS was using 60% to 99% CPU, so even after rebooting the Exchange server the information store would not start while LSASS on the DC was running wild. After a while LSASS went down to almost no CPU (I didn't actually DO anything, I was just watching with Task Manager and Process Explorer) and then a reboot of the Exchange server got it back to work.
*** Information - MSExchangeDSAccess - Topology - 2081 - 15.03.06 16:06:02 - N/A - SATURN
Process INETINFO.EXE (PID=728). DSAccess will use the servers from the following list:
The Configuration Domain Controller is set to jupiter.xxx.com
I also found the following entry in the evt log of the DC:
*** Error - Userenv - None - 1000 - 15.03.06 13:39:20 - NT AUTHORITY\SYSTEM - JUPITER
Windows cannot obtain the domain controller name for your computer network. Return value (2146).
Userenv.log: USERENV(e8.39c) 13:33:39:662 ProcessGPOs: DSGetDCName failed with 2146.
*** Warning - w32time - None - 63 - 15.03.06 14:42:53 - N/A - JUPITER
The time service cannot provide secure (signed) time to client 192.168.1.140
because the attempt to validate its computer account failed with error 1723.
Falling back to insecure (unsigned) time for this client.
0000: 00 00 00 00 ....
[Note: 192.168.1.140 is a W2k client]
*** Error - Userenv - None - 1000 - 15.03.06 15:04:25 - NT AUTHORITY\SYSTEM - JUPITER
Windows cannot obtain the domain controller name for your computer network. Return value (2146).
The problem has happened 3 times with two to three days in between.
We have a small W2k domain with about 100 users/mailboxes and 30 desktops/notebooks.
I have collected some more evidence, but not knowing what is relevant, I will stop here so as not to overwhelm you with too many details.