Solved

Global Catalog Issue

Posted on 2006-06-15
Last Modified: 2008-02-26
Overview:
I have three Windows Server 2003 servers in our domain.

Server A is configured as:
Domain Controller
Exchange Front-End
DNS Server

Server B is configured as:
Domain Controller
Exchange Back-End
DNS Server
Global Catalog

Server C is configured as:
Domain Controller
Global Catalog
(previously) Exchange Back-End
(previously) DNS Server
(previously) WINS Server

Desire:
I have been working to transfer the functionality of Server C to Server B, and to take Server C out of commission. I have transferred all 5 FSMO roles to Server B.

Issue:
Server A can only see Server C as a global catalog. It will not use Server B as a global catalog server.

Test Accomplished:
1) Opened Exchange System Manager on Server A and browsed to the Server, right click and choose properties, then Directory Access. It shows the following:
Server A -- Config (auto)
Server C -- DC (auto)
Server C -- GC (auto)

2) If I shut down Server C, then Server A comes to a halt. It can no longer route emails.

3) Under DNS (on Server A and all other DNS servers), Forward Lookup Zones, domain name, _tcp, I have two entries for _gc: Server B and Server C.

4) Running dcdiag /v /s:Server B shows that the server is advertising itself as a Global Catalog:
      Starting test: Advertising
         The DC Server B is advertising itself as a DC and having a DS.
         The DC Server B is advertising as an LDAP server
         The DC Server B is advertising as having a writeable directory
         The DC Server B is advertising as a Key Distribution Center
         The DC Server B is advertising as a time server
         The DS Server B is advertising as a GC.
         ......................... Server B passed test Advertising

Other Issues Observed (perhaps non-related):
1) Server B has not been able to do Automatic Certificate enrollment:
Event Type:      Error
Event Source:      AutoEnrollment
Event Category:      None
Event ID:      13
Date:            6/15/2006
Time:            2:58:05 AM
User:            N/A
Description:
Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005).  Access is denied.

I have attempted several of the potential solutions presented in this forum and elsewhere but have not been able to resolve this.

Question by:tiggermt
LVL 104

Expert Comment

by:Sembee
ID: 16915924
Exchange uses the first GC to respond.
It also doesn't fail over very well - it will not go looking for another DC for 35 minutes.

Therefore I would take off the GC role on the machine you want to decommission, then restart the Exchange services on the backend Exchange server. As the original GC isn't responding it will force Exchange to go looking for another DC.

Simon.
0
 

Author Comment

by:tiggermt
ID: 16916022
I did actually try removing the GC roles from Server C (as well as just shutting it down). In either case, Server A did not switch over to the other GC. I did not wait for 35 minutes.

Are you saying that I have to make the switch (i.e. remove the GC role from Server C) and wait 35 minutes before it will switch over to Server B during which time my email will be down?
0
 
LVL 104

Expert Comment

by:Sembee
ID: 16916049
Exchange will go looking for another GC/DC for at least 35 minutes.
Therefore if you want to force Exchange to switch you must restart the services with the other server unavailable.

I usually make the change out of hours, so that I can restart everything without it causing too much disruption.

Simon.
0
 

Author Comment

by:tiggermt
ID: 16916189
I have done this test. I have tried it with both:
a) Server C shutdown
b) Server C configured to not be a GC (through Active Directory Sites & Services (NTDS Settings))

In both cases I have attempted to restart the Exchange services and to restart the machine. After restart, Server A cannot contact a GC. I get the following error on Server A:
Event Type:      Error
Event Source:      MSExchangeDSAccess
Event Category:      Topology
Event ID:      2103
Date:            6/14/2006
Time:            6:37:45 PM
User:            N/A
Description:
Process MAD.EXE (PID=1116). All Global Catalog Servers in use are not responding:
Server C
Server B

Server B is running and accessible at the time.
 
0
 
LVL 104

Accepted Solution

by:
Sembee earned 500 total points
ID: 16916254
I completely missed that server A is a domain controller and an Exchange server.
You MUST make that server a global catalog. When Exchange is loaded on to a domain controller it will only use itself for a global catalog. I am surprised that you haven't had problems up to now.

Simon.
0
 

Author Comment

by:tiggermt
ID: 16916273
Server A is only a front-end server. Does it still need to be a GC?
0
 
LVL 104

Expert Comment

by:Sembee
ID: 16916292
It's Exchange - whether it is a frontend or a backend. The same rules apply.

Ideally you shouldn't have Exchange on any kind of domain controller. I wouldn't dream of putting a frontend on a DC.

To be honest, if you are of the size network that justifies a frontend Exchange server then I am surprised that you have Exchange on domain controllers. When I have deployed Exchange in to a site that justifies a dedicated FE server there are dedicated DCs.

Simon.
0
 

Author Comment

by:tiggermt
ID: 16916346
The front-end was implemented primarily for the functionality (RPC over HTTP). The DC is a legacy thing. My goal is to actually recommission Server C (rebuilt) to be primarily a DC.

Is the primary reason you would avoid putting a DC on a front-end due to security?
0
 
LVL 104

Expert Comment

by:Sembee
ID: 16916388
You don't need a frontend server for RPC over HTTPS, although Microsoft's documentation reads like that (although if we all did everything Microsoft's way, every network would have a dozen servers).

Security, performance. It just isn't something that is required.

Simon.
0
 

Author Comment

by:tiggermt
ID: 16916400
Thanks!
0
 
LVL 4

Expert Comment

by:ansh_gupta
ID: 16919736
Well, why don't you forcefully set Exchange on Server A to use Server B as a global catalog, by changing the setting in the registry for the System Attendant profile or in DSAccess itself in ESM? Also try to do a telnet from Server A to Server B on 3268 to make sure that you are able to connect to the GC. Also, you can maximise the System Attendant logging from ESM to find out why it's not using Server B as a GC.

Please let me know what happens
0
 

Author Comment

by:tiggermt
ID: 16921066
The item I had missed was that Server A needed to be a GC. I tested this last night and this resolved the issue.

I did actually try forcing Server A to use Server B through the method described at http://www.brienposey.com/kb/global_catalog_selection.asp but to no avail.

Thanks for everyone's help!
0
 
LVL 4

Expert Comment

by:ansh_gupta
ID: 16921135
Well, I don't agree with this thing that an Exchange server on a DC has to be a GC. Check the Exchange 2003 technical reference.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 16923292
EXBPA flags when Exchange is on a domain controller that isn't a global catalog.

It will then send you to this page...

http://www.microsoft.com/technet/prodtechnol/exchange/Analyzer/7423376e-686b-4cda-b90f-cf5cff4f8981.mspx?mfr=true

Simon.
0
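
The checks discussed in this thread (whether the Exchange server's own DC is a global catalog, the _gc SRV records in DNS, and a TCP connection to port 3268), combined as an added PowerShell example that is not from any poster. It assumes a current Windows host where `Resolve-DnsName` is available; `example.local` is a placeholder forest name and `Test-TcpPort` is a helper defined here.

```powershell
# Added example; example.local is a placeholder and Test-TcpPort is a local helper.
param(
    [string]$ForestDnsName = 'example.local',  # placeholder: forest root DNS name
    [int]$GcPort = 3268,                       # global catalog LDAP port
    [int]$TimeoutMs = 3000
)

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. Local check: on a DC, RootDSE reports whether it is ready to serve as a GC.
#    Run this on the DC that also hosts Exchange.
$localGc = 'unknown (not a DC, or LDAP not reachable)'
try {
    $rootDse = [ADSI]'LDAP://localhost/RootDSE'
    $value = [string]$rootDse.isGlobalCatalogReady
    if ($value) { $localGc = $value }
} catch { }
"Local isGlobalCatalogReady: $localGc"

# 2. DNS check: every GC registers an SRV record under _gc._tcp.<forest root>.
$srv = Resolve-DnsName -Name "_gc._tcp.$ForestDnsName" -Type SRV -ErrorAction Stop |
    Where-Object { $_.Type -eq 'SRV' }

# 3. Reachability: the same test as "telnet <server> 3268", with a timeout.
foreach ($record in $srv) {
    [pscustomobject]@{
        GlobalCatalog = $record.NameTarget
        SrvPort       = $record.Port
        Reachable     = Test-TcpPort -HostName $record.NameTarget -Port $GcPort -TimeoutMs $TimeoutMs
    }
}
```

A GC that is listed in DNS and reachable on 3268 while the local value is not `TRUE` matches the situation described in the question.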
