What is the cause of my New DC not supporting Exchange in Single Server mode unless the old DC is on?

Posted on 2008-11-11
Last Modified: 2012-08-14
Thanks to the experts that can help solve this problem. I have the following sections to help describe the problem:
    - State-1 details/observations
    - Event Log Entries

I am trying to transition my old server (s-old) to a new server (s-new).
s-old is w2k3 std sp2 32 bit (not R2) with exch2k3 sp2 as an exch single server deploy.
s-new is w2k8 std sp1 64 bit with exch2k7 sp1 as an exch single server deploy.
s-old and s-new are domain controllers/GC and are successfully replicating.
All the fsmo roles are on s-new. netdom query fsmo run on both shows s-new for all.
Most user workstations are xp-pro sp2 (some sp3).
All user WSs have Outlook 2k7, which was set up more than a month before the transition started.
I have moved all the mailboxes to s-new.
All users can log into the domain.
All users have full outlook capability (send/rec., sch, task etc.)
All users are supposed to have owa capability, but only some (error-1, see dump below) can do it successfully.
***Above is considered State-1.
I turned off s-old and rebooted s-new to make sure it could stand alone (state-2); it worked for logins etc., but exch2k7 does not work (error-2, see below).
I turned on s-old again and all were able to return to the state (state-1) before I turned it off.

s-new continues to point at s-old as the DC/GC even after a long (>30 min) period of time.
Exch autodiscovery is failing, so it cannot find a DC/GC and the exch service (info store) will not start.
Ran ADSIedit on s-new and it didn't look complete. Later I ran ADSIedit in state-1 and it looked complete.

Turning on both s-old and s-new allows all to work again (state-1) except for error-1.

State-1 details/observations:

Name                Site                 ServerRole  Edition     AdminDisplayVe
----                ----                 ----------  -------     --------------
s-old                                    None        Standard    Version 6.5...
s-new               ROANH                Mailbox,... Standard    Version 8.1...

get-mailboxserver: returns s-new

get-clientaccessserver: returns s-new

Name                       Server                     OwaVersion
----                       ------                     ----------
owa (Default Web Site)     s-new                     Exchange2007
Exchange (Default Web S... s-new                     Exchange2003or2000
Public (Default Web Site)  s-new                     Exchange2003or2000
Exchweb (Default Web Site) s-new                     Exchange2003or2000
Exadmin (Default Web Site) s-new                     Exchange2003or2000

In EMC -> Server Config -> s-new (listed as hub, client, mailbox) -> Properties -> System Settings (tab) -> DC and GC both have s-old listed. My understanding is this is set by autodiscovery.
In EMC -> Org Config -> Hub Transport -> E-mail Address Policies (tab) -> default policy applied=false -> edit (unable to edit legacy version of Exchange).

DCdiag on s-new:
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>dcdiag /test:dns

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = s-new
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: ROANH\s-new
      Starting test: Connectivity
         ......................... s-new passed test Connectivity

Doing primary tests

   Testing server: ROANH\s-new

      Starting test: DNS

         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... s-new passed test DNS

   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : ronh

   Running enterprise tests on : ronh.local
      Starting test: DNS
         Test results for domain controllers:

            DC: s-new.ronh.local
            Domain: ronh.local

               TEST: Basic (Basc)
                  Warning: The AAAA record for this DC was not found

               TEST: Dynamic update (Dyn)
                  Warning: Failed to delete the test record _dcdiag_test_record
in zone ronh.local

               TEST: Records registration (RReg)
                  Network Adapter
                  [00000006] Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Clien

                     Missing AAAA record at DNS server

                     Missing AAAA record at DNS server

               Warning: Record Registrations not found in some network adapters

               s-new                       PASS WARN PASS PASS WARN WARN n/a
         ......................... ronh.local passed test DNS

Event Log Entries:
s-old, system log, warning eventID=5781
 Dynamic registration or deletion of one or more DNS records associated with DNS domain 'ForestDnsZones.ronh.local.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).  

Possible causes of failure include:  
- TCP/IP properties of the network connections of this computer contain wrong IP address(es) of the preferred and alternate DNS servers
- Specified preferred and alternate DNS servers are not running
- DNS server(s) primary for the records to be registered is not running
- Preferred or alternate DNS servers are configured with wrong root hints
- Parent DNS zone contains incorrect delegation to the child zone authoritative for the DNS records that failed registration  

Fix possible misconfiguration(s) specified above and initiate registration or deletion of the DNS records by running 'nltest.exe /dsregdns' from the command prompt or by restarting Net Logon service. Nltest.exe is available in the Microsoft Windows Server Resource Kit CD.

s-old, system log, error eventID=5775
The dynamic deletion of the DNS record '_ldap._tcp.gc._msdcs.ronh.local. 600 IN SRV 0 100 3268 ORTHO.ronh.local.' failed on the following DNS server:  

DNS server IP address: <UNAVAILABLE>
Returned Response Code (RCODE): 0
Returned Status Code: 0  

To prevent remote computers from connecting unnecessarily to the domain controller, delete the record manually or troubleshoot the failure to dynamically delete the record. To learn more about debugging DNS, see Help and Support Center.  

Error Value: %%4294967196

SOME users are able to access e-mail offsite via OWA successfully, others cannot. I have two users' dump captures below.
IMHO, User-1's error looks like it is going to s-old to get the info.
User-2's error looks like it is going to s-new, but is a security rights issue.


Exception type: Microsoft.Exchange.Data.Storage.StoragePermanentException
Exception message: There was a problem accessing Active Directory.

Call stack

Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchLanguagePostLocally(OwaContext owaContext, OwaIdentity logonIdentity, CultureInfo culture, String timeZoneKeyName, Boolean isOptimized)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchLanguagePostRequest(OwaContext owaContext)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.PrepareRequestWithoutSession(OwaContext owaContext, UserContextCookie userContextCookie)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.InternalDispatchRequest(OwaContext owaContext)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchRequest(OwaContext owaContext)
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Inner Exception
Exception type: Microsoft.Exchange.Data.Directory.ADOperationException
Exception message: Active Directory operation failed on s-old.ronh.local. This error is not retriable. Additional information: Insufficient access rights to perform the operation. Active directory response: 00002098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Call stack

Microsoft.Exchange.Data.Directory.ADSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)
Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADRawEntry entry, DirectoryRequest request, ADObjectId originalId)
Microsoft.Exchange.Data.Directory.ADSession.Save(ADObject instanceToSave, IEnumerable`1 properties)

Inner Exception
Exception type: System.DirectoryServices.Protocols.DirectoryOperationException
Exception message: The user has insufficient access rights.

Call stack

System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation)
Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADRawEntry entry, DirectoryRequest request, ADObjectId originalId)

User host address:

Exception type: Microsoft.Exchange.Clients.Owa.Core.OwaInvalidConfigurationException
Exception message: The Exchange Topology service on server localhost did not return a suitable domain controller.

Call stack
Microsoft.Exchange.Clients.Owa.Core.Global.ExecuteApplicationStart(Object sender, EventArgs e)

Inner Exception
Exception type: Microsoft.Exchange.Data.Directory.NoSuitableServerFoundException
Exception message: The Exchange Topology service on server localhost (I think that this is s-new?) did not return a suitable domain controller.

Call stack
Microsoft.Exchange.Data.Directory.DSAccessTopologyProvider.GetConfigDCInfo(Boolean throwOnFailure)
Microsoft.Exchange.Data.Directory.ADSession.GetConnection(String preferredServer, Boolean isWriteOperation, Boolean isNotifyOperation, ADObjectId& rootId)
Microsoft.Exchange.Data.Directory.ADSession.GetReadConnection(String preferredServer, ADObjectId& rootId)
Microsoft.Exchange.Data.Directory.ADSession.Find(ADObjectId rootId, String optionalBaseDN, ADObjectId readId, QueryScope scope, QueryFilter filter, SortBy sortBy, Int32 maxResults, IEnumerable`1 properties, CreateObjectDelegate objectCreator, CreateObjectsDelegate arrayCreator)
Microsoft.Exchange.Data.Directory.ADSession.Find(ADObjectId rootId, QueryScope scope, QueryFilter filter, SortBy sortBy, Int32 maxResults, IEnumerable`1 properties, CreateObjectDelegate objectCtor, CreateObjectsDelegate arrayCtor)
Microsoft.Exchange.Data.Directory.ADSession.Find[TResult](ADObjectId rootId, QueryScope scope, QueryFilter filter, SortBy sortBy, Int32 maxResults, IEnumerable`1 properties)
Microsoft.Exchange.Data.Directory.SystemConfiguration.ADSystemConfigurationSession.Find[TResult](ADObjectId rootId, QueryScope scope, QueryFilter filter, SortBy sortBy, Int32 maxResults)
Microsoft.Exchange.Data.Directory.SystemConfiguration.ADSystemConfigurationSession.FindServerByFqdn(String serverFqdn)

0) Any ideas of what is wrong and how to get s-new completely functioning as a standalone exch server?
1) Is there a way to manually tell s-new's exch to use s-new as its DC/GC?
2) If I reinstall exch2k7 on s-new, would that correct this situation?
3) Can you point me in the right direction to investigate? Problem with DNS? AD repl? Other?


Question by:DennisHebert
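Questions 1 and 3 above ask which DC/GC s-new's Exchange is actually bound to and whether it can be pointed at s-new by hand. The following is an added example, not code from the thread or from Microsoft's documentation, for the Exchange Management Shell on s-new. The server and domain names come from the question; the cmdlets and parameters are Exchange 2007's own `Get-ExchangeServer -Status` and the `-Static*` parameters of `Set-ExchangeServer`, and `nltest`, `dsquery` and `repadmin` are the standard Windows Server 2008 tools. Nothing else about the environment is assumed.

```powershell
# Added example, not from the thread: compare the DC/GC that Exchange 2007's
# Active Directory Topology service has chosen with what the Windows DC
# locator and the directory itself say. Run in the Exchange Management Shell
# on s-new. Names (s-new, ronh.local) are taken from the question.

$server = "s-new"
$domain = "ronh.local"

# 1. What Exchange is using right now. The Current* properties are only
#    filled in when -Status is given; the Static* properties show whether
#    someone has already pinned the server to a fixed DC list.
Get-ExchangeServer -Identity $server -Status |
    Format-List Name, CurrentDomainControllers, CurrentGlobalCatalogs,
                CurrentConfigDomainController, StaticDomainControllers,
                StaticGlobalCatalogs, StaticConfigDomainController

# 2. What the Windows DC locator returns for a GC. /force bypasses the
#    locator cache so a stale answer naming the old DC is not replayed.
nltest "/dsgetdc:$domain" /gc /force

# 3. Which servers the directory itself lists as GCs, and whether
#    replication into s-new is current (a GC that has not finished
#    building is not advertised even if the NTDS Settings box is ticked).
dsquery server -domain $domain -isgc
repadmin /showrepl $server

# 4. Workaround, not a fix: pin Exchange to s-new while the locator problem
#    is being repaired. Static entries remove Exchange's DC failover, so
#    clear them again (same cmdlet with $null) once dynamic discovery works.
#    Restart the topology service so the change is picked up.
# Set-ExchangeServer -Identity $server `
#     -StaticDomainControllers "$server.$domain" `
#     -StaticGlobalCatalogs "$server.$domain" `
#     -StaticConfigDomainController "$server.$domain"
# Restart-Service MSExchangeADTopology
```

Step 1 shows whether the DC/GC displayed in the EMC System Settings tab (which the asker saw pointing at s-old) is what the topology service is really using, and step 2 shows whether that choice comes from the Windows locator or from Exchange. The static pin in step 4 only hides a locator or DNS fault; it does not address error-1, where OWA's write to s-old is refused with INSUFF_ACCESS_RIGHTS.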
    LVL 31

    Expert Comment

    by:Henrik Johansson
    Exchange depends on GC, so you need to promote the new DC to become a GC by using "AD Sites and Services":
    Expand Sites\Servers\
    Right-click on "NTDS Settings" -> Properties
    Tick the checkbox "Global Catalog"

    Wait for the replication to complete before rebooting the new GC.

    See KB about Exchange and GC-promotion

    Author Comment

    Thanks for your reply.
    It was set up as a GC when Exchange was installed and still is a GC.
    I double checked just now and it is still a GC.
    Exchange does not list s-new in its system settings. Do you know how to get s-new listed there?

    If I were to stop all exchange services on s-new, what is the order to restart them? I am thinking if I do this, exchange will discover the s-new DC and GC.

    Do you think I should stop GC on s-old to force exchange to s-new?
    LVL 18

    Expert Comment

    by:Jeremy Weisinger
    Since you already have made the new server a GC then I don't think henjoh09's suggestion applies.

    I would run dcdiag and netdiag on the new server to make sure everything is configured properly there. Also, make sure clients and new server are pointed to the new server for DNS.
    LVL 31

    Accepted Solution

    Re-read the question and saw the dcdiag output indicating DNS problems.
    Ensure that the DNS zone accepts dynamic updates and run dcdiag /fix and/or netdiag /fix to try to fix the problems reported in the tests of those commands.
    Also make sure that the servers point to the correct internal DNS servers. Do *not* use the ISP's DNS servers for direct resolving. Configure the DNS server to forward unresolved queries to the ISP.

    As described in the solution of this thread, it can be necessary to temporarily untick the undetected GC and later promote it back as GC.
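A way to check the three items in the accepted solution (internal DNS on the servers, dynamic updates on the zone, re-registration of the DC's locator records), written here as an added example rather than the thread's own steps. It runs in an elevated PowerShell on s-new and assumes s-new hosts the DNS server for ronh.local, as the asker states below, and that the zone is AD-integrated; `dnscmd`, `nltest`, `nslookup` and `dcdiag` are the standard Windows Server 2008 tools. Names are taken from the question.

```powershell
# Added example, not part of the thread. Walks the checks from the accepted
# answer. Run in an elevated PowerShell on s-new; assumes s-new is the DNS
# server for ronh.local and the zone is AD-integrated. Names from the question.

$zone = "ronh.local"
$dns  = "s-new.ronh.local"

# 1. DNS client of this server: only internal DNS servers may be listed.
#    The ISP's resolvers belong in the server's forwarders, not here.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True" |
    Select-Object Description, IPAddress, DNSServerSearchOrder

# 2. Zone settings. In the ZoneInfo output "update = 2" means secure dynamic
#    update is allowed; "update = 0" means Netlogon cannot register or delete
#    its SRV records, which is what events 5781/5775 in the question report.
#    _msdcs is queried separately; if it is only a subdomain of the main
#    zone rather than its own zone, the second call reports that the zone
#    does not exist, and the first call already covers it.
dnscmd $dns /zoneinfo $zone
dnscmd $dns /zoneinfo "_msdcs.$zone"

# 3. Forwarders: the ISP's servers should appear in the "Forwarders"
#    section of the server info and nowhere else.
dnscmd $dns /info

# 4. Re-register this DC's A/AAAA and locator (SRV) records, then look at
#    which hosts the GC SRV record now names. Event 5775 shows s-old failing
#    to dynamically delete such a record (target ORTHO.ronh.local), so this
#    is where leftover GC entries would still be advertised.
ipconfig /registerdns
nltest /dsregdns
nslookup "-type=SRV" "_ldap._tcp.gc._msdcs.$zone" $dns

# 5. Re-run the DNS test verbosely; every column for s-new should be PASS,
#    including the AAAA and dynamic-update checks that warned before.
dcdiag /test:dns /v
```

Steps 1 to 3 are read-only and safe to run during the day; steps 4 and 5 only re-register the server's own records. If step 2 shows the zone refusing dynamic updates, fixing that in the DNS console and repeating step 4 is what makes the 5781 and 5775 events stop.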

    Author Comment

    Thanks, I will correct the issue with DNS as advised. I can only do this on weekends as the system is in use. I will post status when I correct the issue.

    The server NIC IP points back to the server (itself), so all DNS resolution is done by it and the ISP takes care of the forwards.


    Author Comment

    I found the issue that was preventing Exchange 2007 from seeing the s-new DC/GC. I had disabled IPv6 as I didn't think I needed it in my environment; however, W2K8 requires IPv6. Without it things were not predictable. Please see this link

    I will update this note when I get more info as I now have an issue with uninstalling the s-old exchange 2003.

    S-New does operate standalone from S-Old at this point.
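A check for the IPv6 condition the asker identified, as an added example and not part of the thread: it reads the DisabledComponents registry value that Microsoft documents for turning IPv6 components off on Windows Server 2008 (0xFFFFFFFF disables all of them) and shows the adapter state, which is also what the missing AAAA record in the dcdiag output above reflects. The registry path is the standard Tcpip6 parameters key; no server names are needed because it runs on the DC itself.

```powershell
# Added example, not from the thread: detect IPv6 disabled via the
# DisabledComponents value on a Windows Server 2008 DC, the setting the
# asker found was keeping Exchange 2007 from seeing the local DC/GC.
# Run in an elevated PowerShell on the DC. Registry path is Microsoft's
# documented Tcpip6 parameters key.

$key  = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters"
$ipv6 = Get-ItemProperty -Path $key -Name DisabledComponents -ErrorAction SilentlyContinue

if ($ipv6 -eq $null) {
    "DisabledComponents not set: IPv6 components are enabled (default)."
} else {
    # REG_DWORD is read as a signed Int32, so 0xFFFFFFFF shows up as -1;
    # formatting with X8 prints it back as the familiar hex value.
    "DisabledComponents = 0x{0:X8}" -f $ipv6.DisabledComponents
    if ($ipv6.DisabledComponents -eq 0xFFFFFFFF) {
        "All IPv6 components disabled; set the value to 0 (or delete it) and reboot."
    } elseif ($ipv6.DisabledComponents -ne 0) {
        "Some IPv6 components disabled; review the bit mask before relying on IPv6."
    }
}

# Adapter state: a DC whose adapters carry no IPv6 address also has no AAAA
# record to register, which is the warning dcdiag /test:dns printed.
netsh interface ipv6 show interfaces
ipconfig /all | Select-String "IPv6|Link-local"
```

Unticking IPv6 on the adapter only unbinds it from that adapter; the DisabledComponents value is the setting that turns the components off system-wide, so both places are worth checking before concluding that IPv6 is on.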

    LVL 18

    Assisted Solution

    by:Jeremy Weisinger
    For uninstalling 2003 you need to move all the public folders off it and rehome the offline address book, RUS, etc.

    These links should give you the direction you need:

    If it still fails after performing those steps then there might be some corrupt mailboxes or other Exchange objects that need to be moved or deleted but we can go into that later if need be.

    Author Closing Comment

    Thanks to both of you for the help...
    Not sure if I am doing this correctly as your help led me to the solution I posted.
