Link to home
Start Free TrialLog in
Avatar of walcycarroll
walcycarroll

asked on

Need assistance in trouble shooting an Microsoft Exchange 2K3 Services/Event Logs

I am trying to assist a user via distance support with a Microsoft Windows 2K3 Exchange Server:

The information that I have from them is that within the last 24 hours their exchange server services are not working: They have stated that the MTA Stacks and the Information Store service will not start.
I see from their event logs, which are mostly corrupted, but the event id's I am seeing the most often within the past 24 hours are: MSExchangeSA - 5008, 1005, 1004; MSExchangeAL - 8026, 8250;, MSExchangeDSAccess - 2102,2103,2104; MSExchangeSRS - 1002.

If anyone can provide assistance with atleast trying to get the services to start; or what settings to check. I am assuming that the user has rebooted, and tried to disable,re-enable start the services with no luck.

Thanks for any assistance..
Avatar of rakeshmiglani
rakeshmiglani
Flag of India image

is the system attendant service started?
Avatar of walcycarroll
walcycarroll

ASKER

No the system attendant service is not started. Sorry for to mention that. Also the above event id's are from their application logs.

I am seeing from the System Event log event id's 7001,
The Microsoft Exchange MTA Stacks service depends on the Microsoft Exchange System Attendant service which failed to start because of the following error:
%%0

Also, event id 7036, The Microsoft Exchange System Attendant service entered the stopped state.





ASKER CERTIFIED SOLUTION
Avatar of rakeshmiglani
rakeshmiglani
Flag of India image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
I will try to contact the user to see what errors come up when they start the system attendant service.

They can ping all servers including both primary and secondary domain controllers/ gateway from their exchange server...I am almost certain that no changes have been made recently...

I just emailed the user's on a different enclave, and will try to get the information regarding what errors/ event id's show up immediately after attempting to start the system attendant services...

Currently waiting on a reply from them....
Is there anything else, that we should be thinking about having them check or do?
Is there anything I can be re-searching to try to figure this out....
This is what I got from the user:

All services appear to be started/running.

They mentioned that the system attendant service started ,and then said, it has no work to do, and doesn't appear to be started or stopped, just a blank state....

The service that is currently not started is the Information store...

Standing by for further assistance.. Thanks........
The most common event id's they are getting right now along with the one's I mentioned earlier are:

2104, 1059, 7011.
can you ask them to download and install and run the exchange best practice analyizer. it is on the MS website.
that you point out the problems that they are facing.
please confirm that no hotfixes or service packs have been installed recently?

What is the version of e2k3 that you are running and on what version platform?

regards
I will look into having them download the best practice analyizer...

I just got an email saying that when they try to start the information store service, that they are getting the event id's 1068, 1059, trying to get more information from them..
I was just told that I can not have the user's download the best practice analyzer because this is a program or record thing, or it would take them out of baseline.

I am having them check to make sure that the IIS Admin service is started and seeing if they can telnet to their exchange server port 389....

Any other suggestions... Thanks Again.....

They are running exchange 2k3 service pack 1, and they can't go to another service pack, because of agreement issues etc.. the server is a hp compaq dl 380 g2 server....
best practice analyizer is just a MS tool which is used to troubleshoot issues with exchange server. everybody uses it.
Yes, I agree it is a great tool, however I was directed that I can not direct them to use it. I believe the reason is because the software is not approved for their use or has not been tested or not program of record/baseline or something to that affect.

So I am scratching my head with trying to assist them, and figure out how to get their services back up and running... I am just trying to seek as much help as possible.....
are the exchange services using the local system account to start or has that been changed?
Is there anything else that I can have them check / perform in regards to trying to get their information store service started...thanks
Yes, it is using the local system account to start the service...
the system attendant needs to stay started to the information store to start.
Okay,

Yes it appears to start or the information for the system attendant that I got from them was that:

It appears to start, then says there is no work to do, and appears to be in a blank state...
I just verified with them that their LDAP service port 389 is working they were able to telnet into their dc1/dc2 ip port 389 fine....

What do you mean that the SA appears to be in a blank state?  Is the service running or not?

Also, what do you mean the event logs are mostly corrupted?  Are there any hardware issues on this server?

Are the Insight Agents installed?  Are any statistics for the hard drives available (to see if there are read/write errors)?
Oh, and any other Error Messages in the System Log, not obviously related to Exchange?
Wait, those 1059 and 1068 are cluster errors.  Is this a clustered Exchange server?  Are the cluster resources working ok?
This may be a dumb point so apologies for stating it. Have you done a physical reboot of the server. Shut it down and then power up. Look in the event log and look for the first suspicious event . I assume all Exchange services are set to automatic? Is this the only E2K3 server at the site?
Okay, I probably won't be able to answer most of the questions but I will try.

The server is just a regular server HP Compaq G2 server, It is setup as a raid 5 server. I am almost certain that it is not a clustering server.For the event logs, I made a mistake in viewing them on a workstation, instead of a exchange server here in my office, so now I can read most of them. As far as I know the user's have already rebooted the servers, with no luck....All services are set to automatic.. This is the only exchange server at the site...

I have the application and event logs, I can email them to someone if need be...
I will list the one's I noticed that might be saying something that I can not understand.

Application event id's/info.

1. event id 1005 - unexpected error . an operations error occurred. facility: LDAP Provider ID no: 80072020 microsoft exchange system attendant occured.

2. event id 8026- LDAP Bind was unsuccesful on directory "dc1'sname distinguished name." directory returned error (0x51) Server Down.

3. event id 2102 - process MAD.EXE (PID=3396). All domain controllers in use are not responding.

4. event id 2104 - Souce MSExchangeDSAccess: Category : Topology.
Process INETINFO.EXE (PID=620). All the DS Servers in domain are not responding.

5. event id 1059 - Source: DhcpServer
The DHCP service failed to see a directory server for authorization.

6. event id 7001 - Source: Server Control Manager
The Microsoft Exchange Information Store service depends on the M$ Exchange System Attendant service which failed to start because of the following error:
The operation completed successfully.

Is there a problem with resolving the Global Catalog server?  If the Exchange Server cannot talk to a Global Catalog server, it will not start.  Did anything on their GC change?  Are there errors in the event log there?  I would check that out.
How do I verify if there is a problem with resolving the Global Catalog Server?
I know that the servers can ping to each other, you can map, share folders on it, just about everything else that I can think of. User's use the DC1/DC2 for logins etc...

How do I verify or what do I need to have them check to see if the Exchange Server can talk to DC1 the global catalog server....

I will see if I can get some event logs from their DC1 Server. Currently I do have the event logs from their exchange server, is there an email address that I can send them to.....
Thanks I will have the user's run those commands.