rstainforth
Exchange objects not being created in AD - Outlook clients querying wrong GC

Hi all,

I have an issue with our Exchange environment (well, a number of issues, but I suspect they are all related) and am having problems resolving them. A quick rundown on the story so far:

We have 2 local DCs, one of which is an EX03 mailbox server (DC1 and MAIL1), and a new remote DC (REMDC1) to handle logon requests across two domains (LOCALDOMAIN.LAN and NEWCOMPANY.LOCAL) which have a two-way trust established.

A couple of weeks ago our systems manager decided we needed an Exchange 2007 server introduced into the LAN, and promptly made it so. Once it was in we discovered that EX07 and EX03 don't really like existing in a FE/BE config when the FE is EX03, and to run EX07 we'd need a third server running the CAS. The decision was then made to remove the EX07 server from the schema.

At the same time a new DC (REMDC1) was added to another site to handle logon requests from one of our satellite companies which has a trust established with the domain.

On Saturday I took down our mail server (MAIL1) for some updates; now, it turns out that this was our only GC until the new remote DC was installed, which is also a GC. I think that while the mail server was down AD has looked for another GC, found REMDC1 and started directing clients to it. I discovered this yesterday when a user complained that mail was slow, and when I checked, the GAL is pointing to REMDC1.LOCALDOMAIN.LAN on about half a dozen machines; everyone else is pointing to the local data files for Outlook.

I've also discovered that when I try and create new users in AD, Exchange doesn't create a mailbox for them. This isn't the usual "it takes a little while for RUS to create the mailbox" or activating it etc. It's been three hours and there's nothing there. Mailboxes usually appear within a few minutes. Additionally the only rights assigned in the Exchange attributes are to "SELF", even though I copied the user from an existing object. However, when I log on to AD on the other box (DC1) I can see the email address displayed, as if the mailbox had been created. Tried sending mail to the user and it's bouncing back (no such object).

I suspect that the issues are linked, but how much is the removal of EX07 (perhaps leaving behind some detritus in the AD schema) and how much was caused by the new GC server I don't know. I have gone through ADSIEdit to try and identify any irregularities, but tbh I'm about at the limit of my knowledge and experience now, so would really appreciate any help!

Redwulf__53

You have an extremely complicated compound problem.
What is a bit unclear to me is which DCs are for which domain, and which domain hosts the Exchange organization.
Since the domains are not in the same forest, the domain that does NOT host the Exchange organization will have nothing to do with Exchange, and the GC in that domain will not hold information for the other domain, therefore no information for Exchange.

The first thing to do in a complex setup when you have problems is to run Netdiag.exe and DCDiag.exe (from the Support Tools, which can be installed from the Windows CD-ROM) on each of the Domain Controllers to detect problems. Please post back the output from those tools (or at least the errors).
You can change the default GC that Exchange uses. You can also force Exchange to update the GC manually, which should create the user mailbox. Also, you can update your address list in Outlook to reflect the change.
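The "run the diagnostics on each DC" step can be scripted so the two conditions that break GC service (replication switched off, Netlogon not running) are caught on every DC at once. This is an added PowerShell example, not from the thread; it assumes repadmin.exe from the Support Tools is on the path, that the caller can query services remotely (Get-Service -ComputerName, Windows PowerShell 5.1), and the $DCs list is a constructed stand-in for the thread's servers.

```powershell
# Constructed DC list standing in for the thread's DC1 / MAIL1 / REMDC1.
$DCs = @('DC1.LOCALDOMAIN.LAN', 'MAIL1.LOCALDOMAIN.LAN', 'REMDC1.LOCALDOMAIN.LAN')

function Get-DcReplicationHealth {
    param([string[]]$DomainControllers)
    foreach ($dc in $DomainControllers) {
        # repadmin /options prints "Current DSA Options: IS_GC DISABLE_INBOUND_REPL ..."
        $line  = & repadmin /options $dc 2>&1 | Where-Object { $_ -match 'Current DSA Options' }
        $flags = ($line -replace '.*:\s*', '') -split '\s+' | Where-Object { $_ }
        $netlogon = Get-Service -ComputerName $dc -Name Netlogon -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DC               = $dc
            IsGC             = $flags -contains 'IS_GC'
            InboundDisabled  = $flags -contains 'DISABLE_INBOUND_REPL'
            OutboundDisabled = $flags -contains 'DISABLE_OUTBOUND_REPL'
            NetlogonStatus   = if ($netlogon) { [string]$netlogon.Status } else { 'Unreachable' }
        }
    }
}

$report = Get-DcReplicationHealth -DomainControllers $DCs
$report | Format-Table -AutoSize

# The same findings dcdiag raised for MAIL1, but checked fleet-wide.
foreach ($row in $report) {
    if ($row.InboundDisabled -or $row.OutboundDisabled) {
        Write-Warning ("{0}: replication disabled; re-enable with 'repadmin /options {0} -DISABLE_INBOUND_REPL' " +
                       "and/or '-DISABLE_OUTBOUND_REPL', then confirm with 'repadmin /showrepl {0}'" -f $row.DC)
    }
    if ($row.NetlogonStatus -ne 'Running') {
        Write-Warning ("{0}: Netlogon is {1}; the DC will not advertise as a logon server or GC" -f $row.DC, $row.NetlogonStatus)
    }
}
# Outlook and the RUS pick whichever GC DsGetDcName advertises; with no healthy local GC that may be a remote site.
if (-not ($report | Where-Object { $_.IsGC -and -not $_.InboundDisabled -and $_.NetlogonStatus -eq 'Running' })) {
    Write-Warning 'No healthy GC among the listed DCs; clients will fall back to whatever GC is advertised.'
}
```

Run it before and after re-enabling replication to confirm the DC shows IS_GC with neither DISABLE_ flag and Netlogon Running.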
rstainforth
"What is a bit unclear to me is which DC's are for which domain, and which domain hosts the Exchange organization."

OK, what we have is the source domain (LOCALDOMAIN.LAN) which hosts DC1 and MAIL1, then a second domain (NEWCOMPANY.LOCAL) which was acquired during a company takeover. We established a trust between the two domains, then put the third DC (REMDC1) on LOCALDOMAIN.LAN but at the site of the second company, to handle logons from NEWCOMPANY.LOCAL without having to come to the original DCs.

I'll run DCDIAG and NETDIAG and post the results, thanks.

C:\Program Files\Support Tools>dcdiag

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: site 1\MAIL1
      Starting test: Connectivity
         ......................... MAIL1 passed test Connectivity

Doing primary tests

   Testing server: site 1\MAIL1
      Starting test: Replications
         [Replications Check,MAIL1] Inbound replication is disabled.
         To correct, run "repadmin /options MAIL1 -DISABLE_INBOUND_REPL"
         [Replications Check,MAIL1] Outbound replication is disabled.
         To correct, run "repadmin /options MAIL1 -DISABLE_OUTBOUND_REPL"
         ......................... MAIL1 failed test Replications
      Starting test: NCSecDesc
         ......................... MAIL1 passed test NCSecDesc
      Starting test: NetLogons
         ......................... MAIL1 passed test NetLogons
      Starting test: Advertising
         Warning: DsGetDcName returned information for \\DOMAIN-GW.MYDOMAIN.
an, when we were trying to reach MAIL1.
         Server is not responding or is not considered suitable.
         ......................... MAIL1 failed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... MAIL1 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... MAIL1 passed test RidManager
      Starting test: MachineAccount
         ......................... MAIL1 passed test MachineAccount
      Starting test: Services
            NETLOGON Service is paused on [MAIL1]
         ......................... MAIL1 failed test Services
      Starting test: ObjectsReplicated
         ......................... MAIL1 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... MAIL1 passed test frssysvol
      Starting test: frsevent
         ......................... MAIL1 passed test frsevent
      Starting test: kccevent
         ......................... MAIL1 passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0xC0000033
            Time Generated: 06/11/2008   13:04:04
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0000033
            Time Generated: 06/11/2008   13:04:40
            (Event String could not be retrieved)
         ......................... MAIL1 failed test systemlog
      Starting test: VerifyReferences
         ......................... MAIL1 passed test VerifyReferences

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidatio

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidatio

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : MYDOMAIN
      Starting test: CrossRefValidation
         ......................... MYDOMAIN passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... MYDOMAIN passed test CheckSDRefDom

   Running enterprise tests on : MYDOMAIN.lan
      Starting test: Intersite
         ......................... MYDOMAIN.lan passed test Intersite
      Starting test: FsmoCheck
         ......................... MYDOMAIN.lan passed test FsmoCheck

........................................

    Computer Name: MAIL1
    DNS Host Name: MAIL1.MYDOMAIN.LAN
    System info : Windows 2000 Server (Build 3790)
    Processor : x86 Family 15 Model 2 Stepping 5, GenuineIntel
    List of installed hotfixes :


Netcard queries test . . . . . . . : Passed



Per interface results:

    Adapter : Local Area Connection 4

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : MAIL1
        IP Address . . . . . . . . : XX.XX.XX.XX
        Subnet Mask. . . . . . . . : XX.XX.XX.XX
        Default Gateway. . . . . . :
        Dns Servers. . . . . . . . :

        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Skipped
            [WARNING] No gateways defined for this adapter.

        NetBT name test. . . . . . : Passed
            No remote names have been found.

        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interface.

    Adapter : Internal LAN

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : MAIL1
        IP Address . . . . . . . . : XX.XX.XX.XX
        Subnet Mask. . . . . . . . : XX.XX.XX.XX
        Default Gateway. . . . . . :
        Dns Servers. . . . . . . . : 127.0.0.1


        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Skipped
            [WARNING] No gateways defined for this adapter.

        NetBT name test. . . . . . : Passed

        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interface.

    Adapter : Public

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : MAIL1
        IP Address . . . . . . . . : XX.XX.XX.XX
        Subnet Mask. . . . . . . . : XX.XX.XX.XX
        Default Gateway. . . . . . : XX.XX.XX.XX
        Dns Servers. . . . . . . . : XX.XX.XX.XX
                                     XX.XX.XX.XX


        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Passed
            No remote names have been found.

        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interface.


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{7BF834CE-5F18-448A-AAFF-EA4439C01EF2}
        NetBT_Tcpip_{3B4C059A-A3C8-4B43-AEC8-6B3E6A3E2616}
        NetBT_Tcpip_{5A1AA17C-060C-4ED3-863C-5A747E4740A8}
    3 NetBt transports currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
          [WARNING] Cannot find a primary authoritative DNS server for the name
            'MAIL1.MYDOMAIN.LAN.'. [ERROR_TIMEOUT]
            The name 'MAIL1.MYDOMAIN.LAN.' may not be registered in DNS.
          [WARNING] Cannot find a primary authoritative DNS server for the name
            'MAIL1.MYDOMAIN.LAN.'. [RCODE_SERVER_FAILURE]
            The name 'MAIL1.MYDOMAIN.LAN.' may not be registered in DNS.
    PASS - All the DNS entries for DC are registered on DNS server '127.0.0.1' and other DCs also have some of the names registered.
    [WARNING] The DNS entries for this DC are not registered correctly on DNS server 'XX.XX.XX..XX'. Please wait for 30 minutes for DNS server replication.
    [WARNING] The DNS entries for this DC are not registered correctly on DNS server 'XX.XX.XX..XX'. Please wait for 30 minutes for DNS server replication.


Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{7BF834CE-5F18-448A-AAFF-EA4439C01EF2}
        NetBT_Tcpip_{3B4C059A-A3C8-4B43-AEC8-6B3E6A3E2616}
        NetBT_Tcpip_{5A1AA17C-060C-4ED3-863C-5A747E4740A8}
    The redir is bound to 3 NetBt transports.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{7BF834CE-5F18-448A-AAFF-EA4439C01EF2}
        NetBT_Tcpip_{3B4C059A-A3C8-4B43-AEC8-6B3E6A3E2616}
        NetBT_Tcpip_{5A1AA17C-060C-4ED3-863C-5A747E4740A8}
    The browser is bound to 3 NetBt transports.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Passed
    Secure channel for domain 'MYDOMAIN' is to '\\DC1.MYDOMAIN.LAN'.


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
    No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed information


The command completed successfully
ASKER CERTIFIED SOLUTION
Redwulf__53
Redwulf,

Thanks for your comments, a couple of items from this afternoon...

Firstly the EX07 issue: I'm not sure what you mean by it being unsupported? The following document http://technet.microsoft.com/en-us/library/bb123893(EXCHG.80).aspx details removing EX07 from a mixed Exchange environment (this is, in fact, the document I followed). On examination of the Netdiag output (which to be fair I should have done first) it is apparent that replication is disabled. I have enabled it and discovered the last successful replication was on Saturday immediately before the server outage. Now that replication is enabled I am seeing successful reps between the DCs, and also have resolved the Outlook issue (clients now pointing to a local GC for LDAP lookups), and also the mailboxes I created this morning have appeared.

I've experienced the issues you were talking about re: tombstoning objects when one of our engineers rolled back a DC to a backup disk that was about three weeks old, which caused merry havoc!

Outcome:

I suspect that while the mail server was down on Saturday there has been a poll in AD and the new REMDC1 (which has only been in situ a week or so) was found to be the only authoritative GC server on the domain. When the mail server came back up the GC was found to be out of date and so replication was disabled, along with the Netlogon service, to prevent this machine servicing logon requests?!? I don't know if this is feasible, but it makes sense in my head at least!

Yep; that explains most of it! Glad you managed to resolve your issues!
Thanks for your help, it jogged me with a load of stuff. I've assigned the points to you :)