rstainforth
asked on
Exchange objects not being created in AD - Outlook clients querying wrong GC
Hi all,
I have an issue with our exchange environment (well, a number of issues, but I suspect they are all related) and am having problems resolving them. A quick rundown on the story so far:
We have two local DCs, one of which is an EX03 mailbox server (DC1 and MAIL1), and a new remote DC (REMDC1) to handle logon requests across two domains (LOCALDOMAIN.LAN and NEWCOMPANY.LOCAL) which have a two-way trust established.
A couple of weeks ago our systems manager decided we needed an Exchange 2007 server introduced into the LAN, and promptly made it so. Once it was in we discovered that EX07 and EX03 don't really like existing in a FE/BE config when the FE is EX03, and to run EX07 we'd need a third server running the CAS... the decision was then made to remove the EX07 server from the schema.
At the same time a new DC (REMDC1) was added to another site to handle logon requests from one of our satellite companies which has a trust established with the domain.
On Saturday I took down our mail server (MAIL1) for some updates; now, it turns out that this was our only GC until the new remote DC was installed... also a GC. I think that while the mail server was down AD has looked for another GC, found REMDC1 and started directing clients to it. I discovered this yesterday when a user complained that mail was slow, and when I checked, the GAL is pointing to REMDC1.LOCALDOMAIN.LAN on about half a dozen machines. Everyone else is pointing to the local data files for Outlook.
I've also discovered that when I try and create new users in AD, Exchange doesn't create a mailbox for them. This isn't the usual "it takes a little while for RUS to create the mailbox" or activating it etc... it's been three hours and there's nothing there. Mailboxes usually appear within a few minutes. Additionally the only rights assigned in the Exchange attributes are to "SELF", even though I copied the user from an existing object. However, when I log on to AD on the other box (DC1) I can see the email address displayed, as if the mailbox had been created. Tried sending mail to the user and it's bouncing back (no such object).
I suspect that the issues are linked, but how much is the removal of EX07 (perhaps leaving behind some detritus in the AD schema) and how much was caused by the new GC server I don't know. I have gone through ADSIEdit to try and identify any irregularities, but tbh I'm about at the limit of my knowledge and experience now, so would really appreciate any help!
You can change the default GC that exchange uses. You can also force Exchange to update the GC manually which should create the user mailbox. Also, you can update your Address list in outlook to reflect the change.
ASKER
"What is a bit unclear to me is which DC's are for which domain, and which domain hosts the Exchange organization."
OK, what we have is the source domain (LOCALDOMAIN.LAN) which hosts DC1 and MAIL1, then a second domain (NEWCOMPANY.LOCAL) which was acquired during a company takeover. We established a trust between the two domains, then put the third DC (REMDC1) on LOCALDOMAIN.LAN but at the site of the second company, to handle logons from NEWCOMPANY.LOCAL without having to come to the original DCs.
I'll run DCDIAG and NETDIAG and post the results, thanks.
ASKER
C:\Program Files\Support Tools>dcdiag
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: site 1\MAIL1
Starting test: Connectivity
......................... MAIL1 passed test Connectivity
Doing primary tests
Testing server: site 1\MAIL1
Starting test: Replications
[Replications Check,MAIL1] Inbound replication is disabled.
To correct, run "repadmin /options MAIL1 -DISABLE_INBOUND_REPL"
[Replications Check,MAIL1] Outbound replication is disabled.
To correct, run "repadmin /options MAIL1 -DISABLE_OUTBOUND_REPL"
......................... MAIL1 failed test Replications
Starting test: NCSecDesc
......................... MAIL1 passed test NCSecDesc
Starting test: NetLogons
......................... MAIL1 passed test NetLogons
Starting test: Advertising
Warning: DsGetDcName returned information for \\DOMAIN-GW.MYDOMAIN.lan, when we were trying to reach MAIL1.
Server is not responding or is not considered suitable.
......................... MAIL1 failed test Advertising
Starting test: KnowsOfRoleHolders
......................... MAIL1 passed test KnowsOfRoleHolders
Starting test: RidManager
......................... MAIL1 passed test RidManager
Starting test: MachineAccount
......................... MAIL1 passed test MachineAccount
Starting test: Services
NETLOGON Service is paused on [MAIL1]
......................... MAIL1 failed test Services
Starting test: ObjectsReplicated
......................... MAIL1 passed test ObjectsReplicated
Starting test: frssysvol
......................... MAIL1 passed test frssysvol
Starting test: frsevent
......................... MAIL1 passed test frsevent
Starting test: kccevent
......................... MAIL1 passed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0xC0000033
Time Generated: 06/11/2008 13:04:04
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0000033
Time Generated: 06/11/2008 13:04:40
(Event String could not be retrieved)
......................... MAIL1 failed test systemlog
Starting test: VerifyReferences
......................... MAIL1 passed test VerifyReferences
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidatio
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidatio
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : MYDOMAIN
Starting test: CrossRefValidation
......................... MYDOMAIN passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... MYDOMAIN passed test CheckSDRefDom
Running enterprise tests on : MYDOMAIN.lan
Starting test: Intersite
......................... MYDOMAIN.lan passed test Intersite
Starting test: FsmoCheck
......................... MYDOMAIN.lan passed test FsmoCheck
ASKER
..........................
Computer Name: MAIL1
DNS Host Name: MAIL1.MYDOMAIN.LAN
System info : Windows 2000 Server (Build 3790)
Processor : x86 Family 15 Model 2 Stepping 5, GenuineIntel
List of installed hotfixes :
KB921503
KB924667-v2
KB925398_WMP64
KB925876
KB925902
KB926122
KB927891
KB929123
KB930178
KB931784
KB932168
KB933729
KB933854
KB935839
KB935840
KB936021
KB936357
KB936782
KB938127
KB941202
KB941568
KB941569
KB941644
KB941672
KB941693
KB942615
KB942763
KB942830
KB942831
KB942840
KB943055
KB943460
KB943484
KB943485
KB944338
KB944653
KB945553
KB946026
KB947864
KB948496
KB948590
KB948881
Q147222
Netcard queries test . . . . . . . : Passed
Per interface results:
Adapter : Local Area Connection 4
Netcard queries test . . . : Passed
Host Name. . . . . . . . . : MAIL1
IP Address . . . . . . . . : XX.XX.XX.XX
Subnet Mask. . . . . . . . : XX.XX.XX.XX
Default Gateway. . . . . . :
Dns Servers. . . . . . . . :
AutoConfiguration results. . . . . . : Passed
Default gateway test . . . : Skipped
[WARNING] No gateways defined for this adapter.
NetBT name test. . . . . . : Passed
No remote names have been found.
WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.
Adapter : Internal LAN
Netcard queries test . . . : Passed
Host Name. . . . . . . . . : MAIL1
IP Address . . . . . . . . : XX.XX.XX.XX
Subnet Mask. . . . . . . . : XX.XX.XX.XX
Default Gateway. . . . . . :
Dns Servers. . . . . . . . : 127.0.0.1
AutoConfiguration results. . . . . . : Passed
Default gateway test . . . : Skipped
[WARNING] No gateways defined for this adapter.
NetBT name test. . . . . . : Passed
WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.
Adapter : Public
Netcard queries test . . . : Passed
Host Name. . . . . . . . . : MAIL1
IP Address . . . . . . . . : XX.XX.XX.XX
Subnet Mask. . . . . . . . : XX.XX.XX.XX
Default Gateway. . . . . . : XX.XX.XX.XX
Dns Servers. . . . . . . . : XX.XX.XX.XX
XX.XX.XX.XX
AutoConfiguration results. . . . . . : Passed
Default gateway test . . . : Passed
NetBT name test. . . . . . : Passed
No remote names have been found.
WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.
Global results:
Domain membership test . . . . . . : Passed
NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{7BF834CE-5F18
NetBT_Tcpip_{3B4C059A-A3C8
NetBT_Tcpip_{5A1AA17C-060C
3 NetBt transports currently configured.
Autonet address test . . . . . . . : Passed
IP loopback ping test. . . . . . . : Passed
Default gateway test . . . . . . . : Passed
NetBT name test. . . . . . . . . . : Passed
Winsock test . . . . . . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Passed
[WARNING] Cannot find a primary authoritative DNS server for the name
'MAIL1.MYDOMAIN.LAN.'. [ERROR_TIMEOUT]
The name 'MAIL1.MYDOMAIN.LAN.' may not be registered in DNS.
[WARNING] Cannot find a primary authoritative DNS server for the name
'MAIL1.MYDOMAIN.LAN.'. [RCODE_SERVER_FAILURE]
The name 'MAIL1.MYDOMAIN.LAN.' may not be registered in DNS.
PASS - All the DNS entries for DC are registered on DNS server '127.0.0.1' and other DCs also have some of the names registered.
[WARNING] The DNS entries for this DC are not registered correctly on DNS server 'XX.XX.XX..XX'. Please wait for 30 minutes for DNS server replication.
[WARNING] The DNS entries for this DC are not registered correctly on DNS server 'XX.XX.XX..XX'. Please wait for 30 minutes for DNS server replication.
Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{7BF834CE-5F18
NetBT_Tcpip_{3B4C059A-A3C8
NetBT_Tcpip_{5A1AA17C-060C
The redir is bound to 3 NetBt transports.
List of NetBt transports currently bound to the browser
NetBT_Tcpip_{7BF834CE-5F18
NetBT_Tcpip_{3B4C059A-A3C8
NetBT_Tcpip_{5A1AA17C-060C
The browser is bound to 3 NetBt transports.
DC discovery test. . . . . . . . . : Passed
DC list test . . . . . . . . . . . : Passed
Trust relationship test. . . . . . : Passed
Secure channel for domain 'MYDOMAIN' is to '\\DC1.MYDOMAIN.LAN'.
Kerberos test. . . . . . . . . . . : Passed
LDAP test. . . . . . . . . . . . . : Passed
Bindings test. . . . . . . . . . . : Passed
WAN configuration test . . . . . . : Skipped
No active remote access connections.
Modem diagnostics test . . . . . . : Passed
IP Security test . . . . . . . . . : Skipped
Note: run "netsh ipsec dynamic show /?" for more detailed information
The command completed successfully
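The dcdiag run above carries the whole diagnosis in three lines: the Replications test failed, dcdiag printed the exact `repadmin /options` commands to re-enable inbound and outbound replication, and NETLOGON is paused. A DC in that state still answers LDAP but serves stale directory data, which is why objects created against one DC are invisible to Exchange and why the Recipient Update Service never sees them. The following script is an added example written for this thread (not code from the original posts or from Microsoft's tools); it parses dcdiag output into a pass/fail summary, extracts the remediation commands dcdiag suggests, and decodes the NTDS Settings `options` bitmask that `repadmin /options` reports. The sample input is a constructed excerpt of the dcdiag output posted above, and the option bit values are the documented Microsoft flags (IS_GC, DISABLE_INBOUND_REPL, DISABLE_OUTBOUND_REPL, DISABLE_NTDSCONN_XLATE); the function and variable names are my own.

```python
"""Triage helper for dcdiag output.

Flags failed tests, pulls the "To correct, run ..." commands dcdiag prints,
and decodes the NTDS Settings 'options' bits shown by repadmin /options.
Added example for this thread; not code from the original posts.
"""
import re

# NTDS Settings "options" attribute bits as reported by repadmin /options
# (documented Microsoft values; assumption: no other bits are in use).
NTDS_OPTIONS = {
    0x1: "IS_GC",
    0x2: "DISABLE_INBOUND_REPL",
    0x4: "DISABLE_OUTBOUND_REPL",
    0x8: "DISABLE_NTDSCONN_XLATE",
}

# Constructed sample: a trimmed excerpt of the dcdiag output in this thread.
SAMPLE_DCDIAG = """\
Testing server: site 1\\MAIL1
Starting test: Connectivity
......................... MAIL1 passed test Connectivity
Starting test: Replications
[Replications Check,MAIL1] Inbound replication is disabled.
To correct, run "repadmin /options MAIL1 -DISABLE_INBOUND_REPL"
[Replications Check,MAIL1] Outbound replication is disabled.
To correct, run "repadmin /options MAIL1 -DISABLE_OUTBOUND_REPL"
......................... MAIL1 failed test Replications
Starting test: Services
NETLOGON Service is paused on [MAIL1]
......................... MAIL1 failed test Services
Starting test: systemlog
An Error Event occured. EventID: 0xC0000033
......................... MAIL1 failed test systemlog
"""

RESULT_RE = re.compile(r"^\.+\s+(\S+) (passed|failed) test (\S+)\s*$")
FIX_RE = re.compile(r'^To correct, run "([^"]+)"')
FLAG_RE = re.compile(
    r"^\[Replications Check,(\S+)\] (Inbound|Outbound) replication is disabled")


def parse_dcdiag(text):
    """Summarise one dcdiag run.

    Returns {'failed': {test: [detail lines]}, 'passed': [tests],
    'fixes': [commands dcdiag told us to run]}.
    """
    failed, passed, fixes = {}, [], []
    pending = []  # detail lines seen since the last pass/fail verdict
    for raw in text.splitlines():
        line = raw.strip()
        m = RESULT_RE.match(line)
        if m:
            _server, verdict, test = m.groups()
            if verdict == "failed":
                failed[test] = pending  # keep the evidence for failed tests
            else:
                passed.append(test)
            pending = []
            continue
        f = FIX_RE.match(line)
        if f:
            fixes.append(f.group(1))
        if not line.startswith("Starting test:"):
            pending.append(line)
    return {"failed": failed, "passed": passed, "fixes": fixes}


def replication_disabled(text):
    """True when dcdiag reports inbound or outbound replication disabled.

    Such a DC serves stale data, so anything Exchange or RUS decides
    against it (new mailbox objects, GAL lookups) cannot be trusted.
    """
    return any(FLAG_RE.match(l.strip()) for l in text.splitlines())


def decode_ntds_options(value):
    """Decode a repadmin /options bitmask (e.g. 0x7) into flag names."""
    names = [name for bit, name in sorted(NTDS_OPTIONS.items()) if value & bit]
    unknown = value & ~sum(NTDS_OPTIONS)
    if unknown:
        names.append("UNKNOWN_0x%X" % unknown)
    return names


if __name__ == "__main__":
    report = parse_dcdiag(SAMPLE_DCDIAG)
    for test, details in report["failed"].items():
        print("FAILED %-14s %s" % (test, "; ".join(details)))
    print("replication disabled:", replication_disabled(SAMPLE_DCDIAG))
    for cmd in report["fixes"]:
        print("suggested fix:", cmd)
    print("options 0x7 =", decode_ntds_options(0x7))
```

Run it against a saved `dcdiag > dcdiag.txt` from each DC; the point of keeping the detail lines for failed tests is that the Replications and Services evidence (replication flags set, NETLOGON paused) is what separates "this DC is stale" from an ordinary transient failure, and a stale DC that is also the only local GC explains both the missing mailboxes and the Outlook clients drifting to a remote GC.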
ASKER CERTIFIED SOLUTION
ASKER
Redwulf,
Thanks for your comments, a couple of items from this afternoon...
Firstly the EX07 issue, I'm not sure what you mean by it being unsupported? The following document http://technet.microsoft.com/en-us/library/bb123893(EXCHG.80).aspx details removing EX07 from a mixed Exchange environment (this is, in fact, the document I followed). On examination of the Netdiag output (which to be fair I should have done first) it is apparent that replication is disabled. I have enabled it and discovered the last successful replication was on Saturday immediately before the server outage. Now that replication is enabled I am seeing successful reps between the DCs, and also have resolved the Outlook issue (clients now pointing to a local GC for LDAP lookups) and also the mailboxes I created this morning have appeared......
I've experienced the issues you were talking about re: tombstoning objects when one of our engineers rolled back a DC to a backup disk that was about three weeks old, which caused merry havoc!
Outcome:
I suspect that while the mail server was down on Saturday there has been a poll in AD and the new REMDC1 (which has only been in situ a week or so) was found to be the only authoritative GC server on the domain... when the mail server came back up the GC was found to be out of date and so replication was disabled, along with the netlogon service to prevent this machine servicing logon requests?!? I don't know if this is feasible, but it makes sense in my head at least!
Yep; that explains most of it! Glad you managed to resolve your issues!
ASKER
Thanks for your help, jogged me with a load of stuff...I've assigned the points for you :)
What is a bit unclear to me is which DCs are for which domain, and which domain hosts the Exchange organization.
Since the domains are not in the same forest, the domain that does NOT host the Exchange organization will have nothing to do with Exchange, and the GC in that domain will not hold information for the other domain, therefore no information for Exchange.
First thing to do in a complex setup when you have problems is to run Netdiag.exe and DCDiag.exe (from the Support Tools, which can be installed from the Windows CD-ROM) on each of the Domain Controllers to detect problems. Please post back the output from those tools (or at least the errors).