Solved

Exchange objects not being created in AD - Outlook clients querying wrong GC

Posted on 2008-06-11
Last Modified: 2008-06-11
Hi all,

I have an issue with our Exchange environment (well, a number of issues, but I suspect they are all related) and am having problems resolving them. A quick rundown on the story so far:

We have 2 local DC's, one of which is an EX03 mailbox server (DC1 and MAIL1), and a new remote DC (REMDC1) to handle logon requests across two domains (LOCALDOMAIN.LAN and NEWCOMPANY.LOCAL) which have a two-way trust established.

A couple of weeks ago our systems manager decided we needed an Exchange 2007 server introduced into the LAN, and promptly made it so. Once it was in we discovered that EX07 and EX03 don't really like existing in a FE/BE config when the FE is EX03, and to run EX07 we'd need a third server running the CAS... the decision was then made to remove the EX07 server from the schema.

At the same time a new DC (REMDC1) was added to another site to handle logon request from one of our satellite companies which has a trust established with the domain.

On Saturday I took down our mail server (MAIL1) for some updates; now, it turns out that this was our only GC until the new remote DC was installed... also a GC. I think that while the mail server was down AD has looked for another GC, found REMDC1 and started directing clients to it. I discovered this yesterday when a user complained that mail was slow, and when I checked, the GAL is pointing to REMDC1.LOCALDOMAIN.LAN on about half a dozen machines; everyone else is pointing to the local data files for Outlook.

I've also discovered that when I try and create new users in AD, Exchange doesn't create a mailbox for them. This isn't the usual "it takes a little while for RUS to create the mailbox" or activating it etc... it's been three hours and there's nothing there. Mailboxes usually appear within a few minutes. Additionally the only rights assigned in the Exchange attributes are to "SELF", even though I copied the user from an existing object. However, when I log on to AD on the other box (DC1) I can see the email address displayed, as if the mailbox had been created. Tried sending mail to the user and it's bouncing back (no such object).

I suspect that the issues are linked, but how much is the removal of EX07 (perhaps leaving behind some detritus in the AD schema) and how much was caused by the new GC server I don't know.  I have gone through adsiedit to try and identify any irregularities, but tbh I'm about at the limit of my knowledge and experience now, so would really appreciate any help!
Question by:rstainforth

LVL 16
Expert Comment
by:Redwulf__53
You have an extremely complicated compound problem.
What is a bit unclear to me is which DC's are for which domain, and which domain hosts the Exchange organization.
Since the domains are not in the same forests, the domain that does NOT host the Exchange organization will have nothing to do with Exchange, and the GC in that domain will not hold information for the other domain, therefore no information for Exchange.

First thing to do in a complex setup when you have problems, is to run Netdiag.exe and DCDiag.exe (from the Support Tools which can be installed from the Windows CD-ROM) on each of the Domain Controllers to detect problems. Please post back the output from those tools (or at least the errors).

LVL 7
Expert Comment
by:bcrosby007
You can change the default GC that exchange uses. You can also force Exchange to update the GC manually which should create the user mailbox. Also, you can update your Address list in outlook to reflect the change.

Author Comment
by:rstainforth
"What is a bit unclear to me is which DC's are for which domain, and which domain hosts the Exchange organization."

OK, what we have is the source domain (LOCALDOMAIN.LAN) which hosts DC1 and MAIL1, then a second domain (NEWCOMPANY.LOCAL) which was acquired during a company takeover. We established a trust between the two domains, then put the third DC (REMDC1) on LOCALDOMAIN.LAN but at the site of the second company, to handle logons from NEWCOMPANY.LOCAL without having to come to the original DC's.

I'll run DCDIAG and NETDIAG and post the results, thanks.

Author Comment
by:rstainforth
C:\Program Files\Support Tools>dcdiag

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: site 1\MAIL1
      Starting test: Connectivity
         ......................... MAIL1 passed test Connectivity

Doing primary tests

   Testing server: site 1\MAIL1
      Starting test: Replications
         [Replications Check,MAIL1] Inbound replication is disabled.
         To correct, run "repadmin /options MAIL1 -DISABLE_INBOUND_REPL"
         [Replications Check,MAIL1] Outbound replication is disabled.
         To correct, run "repadmin /options MAIL1 -DISABLE_OUTBOUND_REPL"
         ......................... MAIL1 failed test Replications
      Starting test: NCSecDesc
         ......................... MAIL1 passed test NCSecDesc
      Starting test: NetLogons
         ......................... MAIL1 passed test NetLogons
      Starting test: Advertising
         Warning: DsGetDcName returned information for \\DOMAIN-GW.MYDOMAIN.
an, when we were trying to reach MAIL1.
         Server is not responding or is not considered suitable.
         ......................... MAIL1 failed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... MAIL1 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... MAIL1 passed test RidManager
      Starting test: MachineAccount
         ......................... MAIL1 passed test MachineAccount
      Starting test: Services
            NETLOGON Service is paused on [MAIL1]
         ......................... MAIL1 failed test Services
      Starting test: ObjectsReplicated
         ......................... MAIL1 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... MAIL1 passed test frssysvol
      Starting test: frsevent
         ......................... MAIL1 passed test frsevent
      Starting test: kccevent
         ......................... MAIL1 passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0xC0000033
            Time Generated: 06/11/2008   13:04:04
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0000033
            Time Generated: 06/11/2008   13:04:40
            (Event String could not be retrieved)
         ......................... MAIL1 failed test systemlog
      Starting test: VerifyReferences
         ......................... MAIL1 passed test VerifyReferences

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidatio

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidatio

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : MYDOMAIN
      Starting test: CrossRefValidation
         ......................... MYDOMAIN passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... MYDOMAIN passed test CheckSDRefDom

   Running enterprise tests on : MYDOMAIN.lan
      Starting test: Intersite
         ......................... MYDOMAIN.lan passed test Intersite
      Starting test: FsmoCheck
         ......................... MYDOMAIN.lan passed test FsmoCheck

Author Comment
by:rstainforth

........................................

    Computer Name: MAIL1
    DNS Host Name: MAIL1.MYDOMAIN.LAN
    System info : Windows 2000 Server (Build 3790)
    Processor : x86 Family 15 Model 2 Stepping 5, GenuineIntel
    List of installed hotfixes :


Netcard queries test . . . . . . . : Passed



Per interface results:

    Adapter : Local Area Connection 4

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : MAIL1
        IP Address . . . . . . . . : XX.XX.XX.XX
        Subnet Mask. . . . . . . . : XX.XX.XX.XX
        Default Gateway. . . . . . :
        Dns Servers. . . . . . . . :

        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Skipped
            [WARNING] No gateways defined for this adapter.

        NetBT name test. . . . . . : Passed
            No remote names have been found.

        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interface.

    Adapter : Internal LAN

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : MAIL1
        IP Address . . . . . . . . : XX.XX.XX.XX
        Subnet Mask. . . . . . . . : XX.XX.XX.XX
        Default Gateway. . . . . . :
        Dns Servers. . . . . . . . : 127.0.0.1


        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Skipped
            [WARNING] No gateways defined for this adapter.

        NetBT name test. . . . . . : Passed

        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interface.

    Adapter : Public

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : MAIL1
        IP Address . . . . . . . . : XX.XX.XX.XX
        Subnet Mask. . . . . . . . : XX.XX.XX.XX
        Default Gateway. . . . . . : XX.XX.XX.XX
        Dns Servers. . . . . . . . : XX.XX.XX.XX
                                     XX.XX.XX.XX


        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Passed
            No remote names have been found.

        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interface.


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{7BF834CE-5F18-448A-AAFF-EA4439C01EF2}
        NetBT_Tcpip_{3B4C059A-A3C8-4B43-AEC8-6B3E6A3E2616}
        NetBT_Tcpip_{5A1AA17C-060C-4ED3-863C-5A747E4740A8}
    3 NetBt transports currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
          [WARNING] Cannot find a primary authoritative DNS server for the name
            'MAIL1.MYDOMAIN.LAN.'. [ERROR_TIMEOUT]
            The name 'MAIL1.MYDOMAIN.LAN.' may not be registered in DNS.
          [WARNING] Cannot find a primary authoritative DNS server for the name
            'MAIL1.MYDOMAIN.LAN.'. [RCODE_SERVER_FAILURE]
            The name 'MAIL1.MYDOMAIN.LAN.' may not be registered in DNS.
    PASS - All the DNS entries for DC are registered on DNS server '127.0.0.1' and other DCs also have some of the names registered.
    [WARNING] The DNS entries for this DC are not registered correctly on DNS server 'XX.XX.XX..XX'. Please wait for 30 minutes for DNS server replication.
    [WARNING] The DNS entries for this DC are not registered correctly on DNS server 'XX.XX.XX..XX'. Please wait for 30 minutes for DNS server replication.


Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{7BF834CE-5F18-448A-AAFF-EA4439C01EF2}
        NetBT_Tcpip_{3B4C059A-A3C8-4B43-AEC8-6B3E6A3E2616}
        NetBT_Tcpip_{5A1AA17C-060C-4ED3-863C-5A747E4740A8}
    The redir is bound to 3 NetBt transports.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{7BF834CE-5F18-448A-AAFF-EA4439C01EF2}
        NetBT_Tcpip_{3B4C059A-A3C8-4B43-AEC8-6B3E6A3E2616}
        NetBT_Tcpip_{5A1AA17C-060C-4ED3-863C-5A747E4740A8}
    The browser is bound to 3 NetBt transports.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Passed
    Secure channel for domain 'MYDOMAIN' is to '\\DC1.MYDOMAIN.LAN'.


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
    No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed information


The command completed successfully

LVL 16
Accepted Solution
by:Redwulf__53 (earned 250 total points)
Oh boy oh boy.
A significant number of configuration issues jump out from just these logs. Because there are so many interrelated problems, I doubt that I can fix your problems just by answering questions.
-DNS configuration is probably not correct. You should configure only DNS servers on your internal NIC(s) and these should be your own DNS server(s) (probably your DC's) addresses. With Active Directory, all DNS problems MUST be resolved before even thinking about other possible issues.
-It seems replication between 2 DC's is not working! This is serious, and possible cause for the mailbox not being created. Also, if replication doesn't take place for longer than 30 days (in a Win2k domain), the DC holding the PDC emulator role will tombstone the other server(s).... This may already have happened! Event viewer logs will reveal more.
-Your mail server seems to be connected directly to the internet with one leg. How is the routing between the two sites arranged? There is no gateway configured on any of the internal adapters.
-The Netlogon service on mail1 is Paused. That is serious. Can it be (re)started manually? What is in the Event viewer logs about this? This could be caused by the mail1 server being tombstoned from the domain....

Furthermore,
Uninstalling Exchange 2007 and then expecting your Exchange 2003 organization to still work is too much. It is not a supported scenario. First you need to fix the underlying AD problems. If Exchange still has problems after that, you may need to re-install Exchange 2007 to really "solve" the problems.

What to do?
To solve these problems, I'd need much more info about your network (your previous reply didn't clarify your domain layout enough), event viewer logs, dcdiag/netdiag logs from ALL domain controllers etc. etc. Unfortunately I don't have the time to go this deep into a single EE question.
I hope this reply gives you a bit more insight into what is going on, and you may need to split up some of these issues into separate questions.

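A triage parser for dcdiag output of the kind posted earlier in this thread, flagging the disabled-replication options and the paused Netlogon service that the accepted answer singles out. This is an added example, not code from the thread; the sample text is a constructed excerpt modelled on the posted output, and the regexes assume dcdiag's English message format as shown there.

```python
import re

# Constructed excerpt modelled on the dcdiag output posted in this thread.
SAMPLE_DCDIAG = """\
   Testing server: site 1\\MAIL1
      Starting test: Replications
         [Replications Check,MAIL1] Inbound replication is disabled.
         To correct, run "repadmin /options MAIL1 -DISABLE_INBOUND_REPL"
         [Replications Check,MAIL1] Outbound replication is disabled.
         To correct, run "repadmin /options MAIL1 -DISABLE_OUTBOUND_REPL"
         ......................... MAIL1 failed test Replications
      Starting test: NCSecDesc
         ......................... MAIL1 passed test NCSecDesc
      Starting test: Services
            NETLOGON Service is paused on [MAIL1]
         ......................... MAIL1 failed test Services
"""

# Verdict line: "......... <server> passed|failed test <name>"
RESULT_RE = re.compile(r"^\s*\.+\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)\s*$")
# dcdiag prints the exact repadmin command that clears a disabled-repl flag
FIX_RE = re.compile(r'To correct, run "([^"]+)"')
PAUSED_RE = re.compile(r"(\S+) Service is paused on \[(\S+)\]")


def parse_dcdiag(text):
    """Failed tests per server, remediation commands dcdiag printed,
    and (service, server) pairs for services reported as paused."""
    failed, fixes, paused = {}, [], []
    for line in text.splitlines():
        m = RESULT_RE.match(line)
        if m:
            server, verdict, test = m.groups()
            if verdict == "failed":
                failed.setdefault(server, []).append(test)
            continue
        m = FIX_RE.search(line)
        if m:
            fixes.append(m.group(1))
            continue
        m = PAUSED_RE.search(line)
        if m:
            paused.append((m.group(1), m.group(2)))
    return {"failed": failed, "fixes": fixes, "paused": paused}


def replication_disabled(report):
    """True when dcdiag asked us to clear DISABLE_INBOUND_REPL or
    DISABLE_OUTBOUND_REPL: new objects (and their mailbox attributes)
    will not reach the other DCs or the GC that clients fell back to."""
    return any("DISABLE_" in cmd and "_REPL" in cmd for cmd in report["fixes"])


def triage(text):
    """Findings in the order an admin would act on them."""
    report = parse_dcdiag(text)
    lines = []
    if replication_disabled(report):
        lines.append("replication disabled; run: " + "; ".join(report["fixes"]))
    for service, server in report["paused"]:
        lines.append(f"{service} paused on {server}; resume it, then check the event log")
    for server, tests in report["failed"].items():
        lines.append(f"{server} failed: {', '.join(tests)}")
    return lines
```

Run `triage()` over a saved `dcdiag` capture from each DC; a DC that reports both DISABLE_*_REPL options and a paused Netlogon, as MAIL1 did here, is the one whose writes are not propagating.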

Author Comment
by:rstainforth
Redwulf,

Thanks for your comments, a couple of items from this afternoon...

Firstly the EX07 issue, I'm not sure what you mean by it being unsupported? The following document http://technet.microsoft.com/en-us/library/bb123893(EXCHG.80).aspx details removing EX07 from a mixed Exchange environment (this is, in fact, the document I followed). On examination of the Netdiag output (which to be fair I should have done first) it is apparent that replication is disabled. I have enabled it and discovered the last successful replication was on Saturday immediately before the server outage. Now that replication is enabled I am seeing successful reps between the DC's, and also have resolved the Outlook issue (clients now pointing to a local GC for LDAP lookups) and also the mailboxes I created this morning have appeared...

I've experienced the issues you were talking about re: tombstoning objects when one of our engineers rolled back a DC to a backup disk that was about three weeks old, which caused merry havoc!

Outcome:

I suspect that while the mail server was down on Saturday there has been a poll in AD and the new REMDC1 (which has only been in situ a week or so) was found to be the only authoritative GC server on the domain... when the mail server came back up the GC was found to be out of date and so replication was disabled, along with the Netlogon service to prevent this machine servicing logon requests?!? I don't know if this is feasible, but it makes sense in my head at least!

LVL 16
Expert Comment
by:Redwulf__53
Yep; that explains most of it! Glad you managed to resolve your issues!

Author Comment
by:rstainforth
Thanks for your help, jogged me with a load of stuff...I've assigned the points for you :)