What is the cause of my New DC not supporting Exchange in Single Server mode unless the old DC is on?

Posted on 2008-11-11
Medium Priority
Last Modified: 2012-08-14
Thanks to the experts that can help solve this problem. I have the following sections to help describe the problem:
    State-1 details/observations:
      Event Log Entries:


I am trying to transition my old server (s-old) to a new server (s-new).
s-old is w2k3 std sp2 32 bit(not R2) with exch2k3 sp2 as exch single server deploy.
s-new is w2k8 std sp1 64 bit with exch2k7 sp1 as exch single server deploy.
s-old and s-new are domain controllers/GC and are successfully replicating.
All the fsmo roles are on s-new. netdom query fsmo run on both show s-new for all.
Most user workstations are xp-pro sp2 (some sp3).
All user WSs have Outlook 2k7, which was setup >month before the transition start.
I have moved all the mailboxes to s-new.
All users can log into the domain.
All users have full outlook capability (send/rec., sch, task etc.)
All users are supposed to have owa capability, but only some (error-1, see dump below) can do it successfully.
***Above is considered State-1.
I turned off s-old and rebooted s-new to make sure it could standalone(state-2); It worked for logins etc, but exch2k7 does not work(error-2, see below).
I turned on s-old again and all are able to return to the state (state-1) before I turned it off.

s-new continues to point at s-old as the DC/GC even after a long(>30 mins) period of time.
Exch Autodiscovery is failing and so it cannot find a DC/GC and the exch service (info store) will not start.
Ran ADSIedit on s-new and it didn't look complete. Later I ran ADSIedit on state-1 and it looked complete.

Turning on both s-old and s-new allows all to work again(state-1) except for error-1.

State-1 details/observations:

Name                Site                 ServerRole  Edition     AdminDisplayVe
----                ----                 ----------  -------     --------------
s-old                                    None        Standard    Version 6.5...
s-new               ROANH                Mailbox,... Standard    Version 8.1...

get-mailboxserver: returns s-new

get-clientaccessserver: returns s-new

Name                       Server                     OwaVersion
----                       ------                     ----------
owa (Default Web Site)     s-new                     Exchange2007
Exchange (Default Web S... s-new                     Exchange2003or2000
Public (Default Web Site)  s-new                     Exchange2003or2000
Exchweb (Default Web Site) s-new                     Exchange2003or2000
Exadmin (Default Web Site) s-new                     Exchange2003or2000

In EMC->server config->s-new (listed as hub, client, mailbox)->properties->systems settings(tab)->DC and GC both have s-old listed. My understanding is this is set by autodiscovery.
In EMC->org config->hub transport->email address policies(tab)->default policy applied=false->edit (unable to edit legacy version of exchange).

DCdiag on s-new:
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>dcdiag /test:dns

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = s-new
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: ROANH\s-new
      Starting test: Connectivity
         ......................... s-new passed test Connectivity

Doing primary tests

   Testing server: ROANH\s-new

      Starting test: DNS

         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... s-new passed test DNS

   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : ronh

   Running enterprise tests on : ronh.local
      Starting test: DNS
         Test results for domain controllers:

            DC: s-new.ronh.local
            Domain: ronh.local

               TEST: Basic (Basc)
                  Warning: The AAAA record for this DC was not found

               TEST: Dynamic update (Dyn)
                  Warning: Failed to delete the test record _dcdiag_test_record
in zone ronh.local

               TEST: Records registration (RReg)
                  Network Adapter
                  [00000006] Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Clien

                     Missing AAAA record at DNS server

                     Missing AAAA record at DNS server

               Warning: Record Registrations not found in some network adapters

               s-new                       PASS WARN PASS PASS WARN WARN n/a
         ......................... ronh.local passed test DNS

Event Log Entries:
s-old, system log, warning eventID=5781
 Dynamic registration or deletion of one or more DNS records associated with DNS domain 'ForestDnsZones.ronh.local.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).  

Possible causes of failure include:  
- TCP/IP properties of the network connections of this computer contain wrong IP address(es) of the preferred and alternate DNS servers
- Specified preferred and alternate DNS servers are not running
- DNS server(s) primary for the records to be registered is not running
- Preferred or alternate DNS servers are configured with wrong root hints
- Parent DNS zone contains incorrect delegation to the child zone authoritative for the DNS records that failed registration  

Fix possible misconfiguration(s) specified above and initiate registration or deletion of the DNS records by running 'nltest.exe /dsregdns' from the command prompt or by restarting Net Logon service. Nltest.exe is available in the Microsoft Windows Server Resource Kit CD.

s-old, system log, error eventID=5775
The dynamic deletion of the DNS record '_ldap._tcp.gc._msdcs.ronh.local. 600 IN SRV 0 100 3268 ORTHO.ronh.local.' failed on the following DNS server:  

DNS server IP address: <UNAVAILABLE>
Returned Response Code (RCODE): 0
Returned Status Code: 0  

To prevent remote computers from connecting unnecessarily to the domain controller, delete the record manually or troubleshoot the failure to dynamically delete the record. To learn more about debugging DNS, see Help and Support Center.  

Error Value: %%4294967196

SOME users are able to access e-mail offsite via owa successfully, others cannot. I have 2 users' dump captures below.
IMHO, User-1's error looks like it is going to s-old to get the info.
User-2's error looks like it is going to s-new, but is a security rights issue.  

Url: http://s-new.xxxxx.com:80/owa/lang.owa

Exception type: Microsoft.Exchange.Data.Storage.StoragePermanentException
Exception message: There was a problem accessing Active Directory.

Call stack

Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchLanguagePostLocally(OwaContext owaContext, OwaIdentity logonIdentity, CultureInfo culture, String timeZoneKeyName, Boolean isOptimized)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchLanguagePostRequest(OwaContext owaContext)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.PrepareRequestWithoutSession(OwaContext owaContext, UserContextCookie userContextCookie)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.InternalDispatchRequest(OwaContext owaContext)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchRequest(OwaContext owaContext)
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Inner Exception
Exception type: Microsoft.Exchange.Data.Directory.ADOperationException
Exception message: Active Directory operation failed on s-old.ronh.local. This error is not retriable. Additional information: Insufficient access rights to perform the operation. Active directory response: 00002098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Call stack

Microsoft.Exchange.Data.Directory.ADSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)
Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADRawEntry entry, DirectoryRequest request, ADObjectId originalId)
Microsoft.Exchange.Data.Directory.ADSession.Save(ADObject instanceToSave, IEnumerable`1 properties)

Inner Exception
Exception type: System.DirectoryServices.Protocols.DirectoryOperationException
Exception message: The user has insufficient access rights.

Call stack

System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation)
Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADRawEntry entry, DirectoryRequest request, ADObjectId originalId)

Url: http://s-new.xxxxxxxx.com:80/owa/auth/error.aspx?url=http://s-new.xxxxxxxxx.com/owa/&reason=0
User host address:

Exception type: Microsoft.Exchange.Clients.Owa.Core.OwaInvalidConfigurationException
Exception message: The Exchange Topology service on server localhost did not return a suitable domain controller.

Call stack
Microsoft.Exchange.Clients.Owa.Core.Global.ExecuteApplicationStart(Object sender, EventArgs e)

Inner Exception
Exception type: Microsoft.Exchange.Data.Directory.NoSuitableServerFoundException
Exception message: The Exchange Topology service on server localhost (I think that this is s-new?) did not return a suitable domain controller.

Call stack
Microsoft.Exchange.Data.Directory.DSAccessTopologyProvider.GetConfigDCInfo(Boolean throwOnFailure)
Microsoft.Exchange.Data.Directory.ADSession.GetConnection(String preferredServer, Boolean isWriteOperation, Boolean isNotifyOperation, ADObjectId& rootId)
Microsoft.Exchange.Data.Directory.ADSession.GetReadConnection(String preferredServer, ADObjectId& rootId)
Microsoft.Exchange.Data.Directory.ADSession.Find(ADObjectId rootId, String optionalBaseDN, ADObjectId readId, QueryScope scope, QueryFilter filter, SortBy sortBy, Int32 maxResults, IEnumerable`1 properties, CreateObjectDelegate objectCreator, CreateObjectsDelegate arrayCreator)
Microsoft.Exchange.Data.Directory.ADSession.Find(ADObjectId rootId, QueryScope scope, QueryFilter filter, SortBy sortBy, Int32 maxResults, IEnumerable`1 properties, CreateObjectDelegate objectCtor, CreateObjectsDelegate arrayCtor)
Microsoft.Exchange.Data.Directory.ADSession.Find[TResult](ADObjectId rootId, QueryScope scope, QueryFilter filter, SortBy sortBy, Int32 maxResults, IEnumerable`1 properties)
Microsoft.Exchange.Data.Directory.SystemConfiguration.ADSystemConfigurationSession.Find[TResult](ADObjectId rootId, QueryScope scope, QueryFilter filter, SortBy sortBy, Int32 maxResults)
Microsoft.Exchange.Data.Directory.SystemConfiguration.ADSystemConfigurationSession.FindServerByFqdn(String serverFqdn)

0) Any ideas of what is wrong and how to get to s-new completely functioning as a standalone exch server?
1) Is there a way to manually tell s-new's exch to use s-new as its DC/GC?
2) If I reinstall exch2k7 on s-new, would that correct this situation?
3) Can you point me in the right direction to investigate? Problem with DNS? AD Repl? Other?


Question by:DennisHebert
LVL 31

Expert Comment

by:Henrik Johansson
ID: 22937720
Exchange depends on GC, so you need to promote the new DC to become GC by using "AD Sites and Services"
Expand Sites\\Servers\
Right-click on "NTDS Settings" -> Properties
Tick checkbox "Global Catalog"

Wait for the replication to complete before rebooting the new GC.

See KB about Exchange and GC-promotion

Author Comment

ID: 22938871
Thanks for your reply.
It was setup as a GC when exchange was installed and still is a GC.
I double checked just now and it is still a GC.
Exchange does not list s-new in its system settings. Do you know how to get s-new listed there?

If I were to stop all exchange services on s-new, what is the order to restart them? I am thinking if I do this, exchange will discover the s-new DC and GC.

Do you think I should stop GC on s-old to force exchange to s-new?
LVL 23

Expert Comment

by:Jeremy Weisinger
ID: 22938881
Since you already have made the new server a GC then I don't think henjoh09's suggestion applies.

I would run dcdiag and netdiag on the new server to make sure everything is configured properly there. Also, make sure clients and new server are pointed to the new server for DNS.

LVL 31

Accepted Solution

Henrik Johansson earned 750 total points
ID: 22942522
Re-read the question and saw the dcdiag-output indicating DNS-problems.
Ensure that the DNS zone accepts dynamic updates and run dcdiag /fix and/or netdiag /fix to try to fix problems in the tests of the commands.
Also make sure that the servers point to the correct internal DNS servers. Do *not* use the ISP's DNS servers for direct resolving. Configure the DNS server to forward unresolved queries to the ISP.

As described in the solution of this thread, it can be necessary to temporarily untick the undetected GC and later promote it back as GC.
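
Added example, not part of the original thread: a small Python parser for the `dcdiag /test:dns` output quoted in the question. It maps the per-DC summary row to dcdiag's column names (Auth, Basc, Forw, Del, Dyn, RReg, Ext) and collects the warnings under each test, which here surface the missing AAAA (IPv6 address) records and the failed dynamic-update test. The function names are illustrative and the sample text is trimmed from the question.

```python
import re

# Column order of the per-DC summary row printed by `dcdiag /test:dns`
# (the header line itself is not shown in the output quoted in the question).
SUMMARY_COLUMNS = ["Auth", "Basc", "Forw", "Del", "Dyn", "RReg", "Ext"]

# Sample input: trimmed from the dcdiag output quoted in the question.
SAMPLE = """\
            DC: s-new.ronh.local
            Domain: ronh.local

               TEST: Basic (Basc)
                  Warning: The AAAA record for this DC was not found

               TEST: Dynamic update (Dyn)
                  Warning: Failed to delete the test record _dcdiag_test_record
in zone ronh.local

               TEST: Records registration (RReg)
                     Missing AAAA record at DNS server

               Warning: Record Registrations not found in some network adapters

               s-new                       PASS WARN PASS PASS WARN WARN n/a
"""

def parse_dcdiag_dns(text):
    """Return ({test: [findings]}, {column: status}) from dcdiag DNS output."""
    findings, summary, current = {}, {}, None
    status = r"(?:PASS|WARN|FAIL|n/a)"
    row = re.compile(r"^\s*\S+\s+(" + status + r"(?:\s+" + status + r"){6})\s*$")
    for line in text.splitlines():
        test = re.match(r"\s*TEST: .*\((\w+)\)", line)
        if test:                       # start of a new per-test section
            current = test.group(1)
            findings[current] = []
        elif row.match(line):          # "<server> PASS WARN ..." summary row
            summary = dict(zip(SUMMARY_COLUMNS, row.match(line).group(1).split()))
        elif current and re.search(r"Warning:|Error:|Missing", line):
            findings[current].append(line.strip())
    return findings, summary

def needs_attention(summary):
    """Tests whose summary status is anything other than PASS or n/a."""
    return [name for name, state in summary.items() if state not in ("PASS", "n/a")]

if __name__ == "__main__":
    found, table = parse_dcdiag_dns(SAMPLE)
    for name in needs_attention(table):
        print(name, table[name], found.get(name, []))
```
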

Author Comment

ID: 22949307
Thanks, I will correct the issue with DNS as advised. I can only do this on the weekends as the system is in use. I will post status when I correct the issue.

The server NIC IP points back to the server(itself), so all DNS resolution is done by it and the ISP takes care of the forwards.


Author Comment

ID: 22972196
I found the issue that was preventing exchange 2007 from seeing the s-new DC/GC. I had disabled IPv6 as I didn't think I needed it in my environment, however W2K8 requires IPv6. Without it things were not predictable. Pls see this link  

I will update this note when I get more info as I now have an issue with uninstalling the s-old exchange 2003.

S-New does operate standalone from S-Old at this point.

LVL 23

Assisted Solution

by:Jeremy Weisinger
Jeremy Weisinger earned 750 total points
ID: 22972342
For uninstalling 2003 you need to move all the public folders off it and rehome the offline address book, RUS, etc.

These links should give you the direction you need:

If it still fails after performing those steps then there might be some corrupt mailboxes or other Exchange objects that need to be moved or deleted but we can go into that later if need be.

Author Closing Comment

ID: 31515602
Thanks to both of you for the help...
Not sure if I am doing this correctly as your help led me to the solution I posted.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

With so many activities to perform, Exchange administrators are always busy in organizations. If everything, including Exchange Servers, Outlook clients, and Office 365 accounts work without any issues, they can sit and relax. But unfortunately, it…
In this post, I will showcase the steps for how to create groups in Office 365. Office 365 groups allow for ease of flexibility and collaboration between staff members.
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
Whether it be Exchange Server Crash Issues, Dirty Shutdown Errors or Failed to mount error, Stellar Phoenix Mailbox Exchange Recovery has always got your back. With the help of its easy to understand user interface and 3 simple steps recovery proced…
Suggested Courses

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question