stellaIT (New Zealand) asked:
Exchange 2003 ENT does not find second DC/GC server

Hi Guys

I have 2 DCs (Win2k3) and 1 Exchange 2003 Ent. in my network. The 2 DCs are also DHCP and DNS (A and B are the names of the 2 DCs). DC A is the PDC, and Exchange works happily with DC A but not with DC B. If somehow DC A is not responding, Exchange will stop working; I can see that Outlook 2003/2007 shows a disconnected status. I right-clicked Properties of the Exchange server under System Manager; under the Directory Access tab there are no servers registered. But if DC A is up then I can see DC A listed as the directory access server for all types (DC, GC, Config).

Could you guys please shed some light on why Exchange does not pick up DC B as a directory access server? This issue has been bugging me for the past few months; any pointers will be appreciated.
crokeefe28:

Exchange finds this information from Sites and Services. This is the foundation of AD. You must make sure that this is set up correctly before it will find anything. You can also manually set this information if you so desire. Is DC B a GC? Try making it one as well. Are all ports available to the second DC (high-order ports, MS-DS, GC, LDAP, RPC, etc.)?
Check this article
http://searchexchange.techtarget.com/news/article/0,289142,sid43_gci1119796,00.html

This article indicates that the value for DC A may have been hardcoded into the Exchange server's registry, to allow the Exchange server to communicate with only one DC/GC under all circumstances.
stellaIT (asker):

Hi Crokeefe28 and Greesh

Thanks a lot for your comments.

DC B is a GC. All ports should be available as we have not done anything special on DC B. Sites and Services are happy as well; we had one issue with Sites and Services which we fixed last week. I do need to test whether that change will help this issue.

What are the repercussions if we set Directory Access to manual? Some people say that this is not a good idea.

If one GC dies, do Outlook 2003/2007 users need to close and open Outlook again to make a connection with Exchange, or is it a seamless process?

Is there any other way I can simulate a DC A failure to see if Exchange holds up when DC A dies?

Greesh, I did not find any hardcoded entries in the registry.

Thanks
Exchange will not go looking for another GC/DC for 35 minutes after the one it is using goes away. You can force it to update its list by restarting the Exchange services.

Outlook users will need to restart to establish a connection with another DC/GC.

-M
Hi Mestha

That's very interesting, and silly on Microsoft's part... 35 min?? Is there any workaround for it?

Thanks for this important information
That has been the case since Exchange 2000, and it cannot be changed.
It is a design decision, to ensure that Exchange is not constantly switching domain controllers during a temporary glitch.
Of course, if you hard-code Exchange to use a specific GC/DC then you will not get any fail-over at all.

-M
Hi Guys

Thanks to all of you!

Mestha, thanks for your information.

crokeefe28: Thanks for those documents, I need to mull over this information. Will get back to you tomorrow.

Cheers
Hi Guys

I have built 3 new DCs and am transferring all FSMO roles to the new DCs. The plan is to turn off DC A and restart the Exchange box to see if Exchange picks up a new PDC for its directory access and the rest of the work.

I tried last time with my DC B, but Exchange just does not want to talk to DC B even though DC A was turned off and Exchange was restarted.

Any help will be appreciated

Thanks
A couple items.....

Before you go transferring roles around, try to dcpromo the second DC into a member server and then DCPROMO back to a DC.  Unless you have anything pointed directly at it for authentication (VPN, apps, etc.) you should be good to go with no problems.   Once a new DC has been added to a site or a GC, DSAccess will kick off a discovery.  You said earlier that you had a problem with your sites....can you elaborate?  All DCs in AD are pretty much equal.  Don't be confused by the FSMO roles.  Other than time, legacy apps, and legacy domains, the PDCE role really plays no role here.  I fear that you may still have an issue with your site.  Ensure that the subnets and sites are configured correctly and that the GC & DC SRV records are in place in DNS.  Also, you can try to hard-code the Configuration Server with the ESM, and leave the rest to be found automatically.

I am assuming that Exchange is not installed on DC1?  If that were the case then Exchange will always use the local copy, otherwise you can have up to 10.  Also, Outlook 2000 and beyond has been configured to interact with AD, not with Exchange, so is there a GC and DC where the clients reside?  If not then it will ask Exchange where it got its information from and use that.

Increase the diagnostics logging on the Exchange server for the Topology category to Medium or Maximum, under MSExchangeDSAccess.  This should give more information as to why it is not choosing the second DC, or if it has.  If it is in the list, then it will give a series of numbers and codes (letters) that give information about the server.  Here is a link to further understand the codes:

http://www.msexchange.org/tutorials/Closer-Look-Directory-Service-Access-DSAccess-Part2.html

I hope that this helps.
Hi Crokeefe28

I am really impressed with your knowledge. Here is my story: I have already transferred the roles, as I cannot touch the existing 2nd DC. I have installed 3 new DCs for best-practice reasons given by our design expert.
The problem with the site was in the subnets: we had entered something like 192.168.0.0/24 and the design guy said it should be 192.168.0.0/16, to cover the complete 3rd and 4th octets. That did not help. These IPs are not the real IPs, as you may have thought, to avoid any risk.
I think you are right in saying that I have a site issue. I will spend some more time on it. As I understand it, both DNS servers should have the same records, right? DC1 and DC2 are both DNS servers as well as GCs.
Exchange is running on a separate box. Clients do have access to the GC/DC through one network; there is no firewall in between and no complicated routing, for that matter.
I have turned the diagnostics on, will analyze the results and will keep you posted.
Today I stopped the first DC and forced Exchange to use a new DC, but Exchange just doesn't want to work. I added the new DC manually in the DSAccess settings but still no joy. I kept DC 1 turned off and restarted the Exchange box, and I waited for 15-20 min and Exchange was just sitting on "Applying computer settings"... So I started the 1st DC, and as soon as the DC was up I could see the login screen on the Exchange server. So I reset DSAccess to automatic and within seconds DSAccess found DC 1 and all is good. Here are some errors I found in the event viewer.
Event Type:      Error
Event Source:      MSExchangeDSAccess
Event Category:      Topology
Event ID:      2114
Date:            28/02/2009
Time:            1:34:30 p.m.
User:            N/A
Computer:      
Description:
Process INETINFO.EXE (PID=1324). Topology Discovery failed, error 0x80040a02.

Event Type:      Warning
Event Source:      MSExchangeDSAccess
Event Category:      Configuration
Event ID:      2090
Date:            28/02/2009
Time:            1:34:30 p.m.
User:            N/A
Computer:      
Description:
Process INETINFO.EXE (PID=1324). The Configuration Domain Controller specified in the registry (DC02.domain) is unreachable.  DSAccess will choose the Configuration Domain Controller from the list of available Domain Controllers

Event Type:      Error
Event Source:      MSExchangeDSAccess
Event Category:      Topology
Event ID:      2103
Date:            28/02/2009
Time:            1:33:34 p.m.
User:            N/A
Computer:      
Description:
Process MAD.EXE (PID=2444). All Global Catalog Servers in use are not responding:
DC02.domain
Event Type:      Error
Event Source:      MSExchangeSA
Event Category:      Monitoring
Event ID:      9098
Date:            28/02/2009
Time:            1:32:13 p.m.
User:            N/A
Computer:      
Description:
The MAD Monitoring thread was unable to read its configuration from the DS, error '0x80004005'.
Event Type:      Error
Event Source:      MSExchangeDSAccess
Event Category:      Topology
Event ID:      2114
Date:            28/02/2009
Time:            1:30:38 p.m.
User:            N/A
Computer:      
Description:
Process STORE.EXE (PID=584). Topology Discovery failed, error 0x80040a02

Event Type:      Warning
Event Source:      MSExchangeDSAccess
Event Category:      Configuration
Event ID:      2090
Date:            28/02/2009
Time:            1:30:38 p.m.
User:            N/A
Computer:      
Description:
Process STORE.EXE (PID=584). The Configuration Domain Controller specified in the registry (DC02.domain) is unreachable.  DSAccess will choose the Configuration Domain Controller from the list of available Domain Controllers.

Event Type:      Error
Event Source:      MSExchangeDSAccess
Event Category:      Topology
Event ID:      2103
Date:            28/02/2009
Time:            1:27:34 p.m.
User:            N/A
Computer:      
Description:
Process MAD.EXE (PID=2444). All Global Catalog Servers in use are not responding:
I will do more research on your pointers as well as Sites and Services and will keep you posted.  From these error messages it appears that something is blanket-blocking any other server from talking to Exchange for its business. Another thing: I ran DCDiag from Exchange to the new DC and the result was all pass.
Thanks a lot

First off, thank you for the compliment....

Well, this can be caused by several reasons, one of which I already mentioned about firewalls and ports not being opened.  Another is the domain security.  Ensure first that your Exchange server is in the Exchange Domain Servers, and that it is in the Enterprise Exchange Domain Servers.  Try running the setup /domainprep again to reset all top level domain permissions.  This can be done without harm.  

Make sure that the Exchange Enterprise Servers domain local group has the Manage Auditing and Security Log right (SeSecurityPrivilege). It's put there by domainprep, but may be removed if someone reapplies the default policy.
If you are stuck on applying computer settings, the likely culprit may just be DNS.
Hi

This is from the DSAccess logging. I have checked the Exchange Servers and Enterprise Servers groups and that side is OK. I went into the DNS servers and found that DC2's entry (which is also DNS) was missing in _msdcs, which I added; it was a name server entry. This _msdcs folder is a subfolder with a grey icon, not a yellow one. I hope you understand what I am referring to. Hope that is something!!

What do you make of this?

Event Type:      Information
Event Source:      MSExchangeDSAccess
Event Category:      Topology
Event ID:      2080
Date:            28/02/2009
Time:            6:26:31 p.m.
User:            N/A
Computer:      
Description:
Process STORE.EXE (PID=584). DSAccess has discovered the following servers with the following characteristics:
 (Server name | Roles | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
dc1.domain                           CDG 7 7 1 0 1 1 7 1   <-- this is the DC which works with Exchange
02.domain                           CDG 7 7 1 0 0 1 7 1
newDC01.domain      CDG 7 7 1 0 0 1 7 1
newDC02.domain      CDG 7 7 1 0 0 1 7 1
newDC03.domain      CDG 7 7 1 0 0 1 7 1

Thanks
Here is a doc to explain the values of the codes CDG 7 7 1 0 0 1 7 1.  As you can see, NONE but dc1 has the SACL permissions correct.  DSAccess does not use any domain controller that does not have permissions to read the SACL on the nTSecurityDescriptor attribute in the domain controller.  Confirm that the domain controllers that show 0 in the SACL right column have been domain-prepped, and then confirm that your Recipient Update Services are configured properly.
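As an added example (not code from the thread), here is a small parser for the event 2080 server table quoted above that decodes each column and lists why DSAccess would skip a DC for the C, D or G role, such as the SACL right of 0 crokeefe28 points to. The column names are the event's own header; the bit meanings for Reachability, Synchronized and Netlogon (1 = GC, 2 = DC, 4 = Configuration DC) are assumed from Microsoft's documentation of this event, and the sample server names are constructed.

```python
"""Decode the server table in an MSExchangeDSAccess event 2080 description.
Added example, not from the thread. Bit values for Reachability/Synchronized/
Netlogon (1 = GC, 2 = DC, 4 = Configuration DC) are assumed from Microsoft's docs."""
import re
from collections import namedtuple

# Constructed sample modelled on the asker's event; an out-of-site DC with
# partial reachability is added to show how that case is reported.
SAMPLE_2080 = """Process STORE.EXE (PID=584). DSAccess has discovered the following servers with the following characteristics:
 (Server name | Roles | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
dc1.domain                           CDG 7 7 1 0 1 1 7 1
dc2.domain                           CDG 7 7 1 0 0 1 7 1
newDC01.domain      CDG 7 7 1 0 0 1 7 1
Out-of-site:
remoteDC.domain     CDG 3 7 1 0 1 1 3 1
"""

ROLE_BITS = {"C": 4, "D": 2, "G": 1}  # Configuration DC, Domain Controller, Global Catalog
DcEntry = namedtuple("DcEntry", "name roles reachability synchronized gc_capable "
                                "pdc sacl_right critical_data netlogon os_version site")
LINE_RE = re.compile(r"^(\S+)\s+([CDG]{1,3})((?:\s+\d+){8})\s*$")

def parse_2080(description):
    """Return one DcEntry per server line, tagged with its In-site/Out-of-site section."""
    entries, site = [], None
    for line in (l.strip() for l in description.splitlines()):
        if line.endswith("site:"):          # "In-site:" / "Out-of-site:" section headers
            site = line[:-1]
        elif (m := LINE_RE.match(line)):    # process line and column header do not match
            n = [int(x) for x in m.group(3).split()]
            entries.append(DcEntry(m.group(1), m.group(2), n[0], n[1], bool(n[2]), bool(n[3]),
                                   bool(n[4]), bool(n[5]), n[6], n[7], site))
    return entries

def why_skipped(e, role):
    """Reasons DSAccess would not use DC e for role C, D or G (empty list if usable)."""
    bit = ROLE_BITS[role]
    checks = [
        (role in e.roles, "DC does not advertise this role"),
        (e.reachability & bit, "role port not reachable"),
        (e.synchronized & bit, "partition not synchronized"),
        (e.netlogon & bit, "Netlogon check failed"),
        (e.sacl_right, "SACL right missing (Exchange Enterprise Servers lacks SeSecurityPrivilege)"),
        (e.critical_data, "Exchange critical data not yet replicated"),
    ]
    return [msg for ok, msg in checks if not ok]

def candidates(entries, role):
    """Names of DCs usable for a role, in-site servers first (DSAccess prefers them)."""
    ok = [e for e in entries if not why_skipped(e, role)]
    return [e.name for e in sorted(ok, key=lambda e: e.site != "In-site")]
```

Run `why_skipped` over each entry from your own 2080 event to see, per DC, which column keeps it out of the list.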
Thanks for the info and deciphering the code. I am not sure if the second DC has been domain-prepped; well, I did not know that all DCs need to be domain-prepped. Could you please advise how I can check or domain-prep the 2nd DC, if this is possible? Do you mean just running E2K3 setup on the DC up till the domain prep step? As far as RUS goes, that seems to be good!

thanks
Here are the rules for running domain prep:

You must run DomainPrep in the following domains

 -  The root domain.

 -  All domains that will contain Exchange 2003 servers.

 -  All domains that will contain Exchange Server 2003 mailbox-enabled objects (such as users and groups), even if no Exchange servers will be installed in these domains.

 -  All domains that contain global catalog servers that Exchange directory access components may potentially use.

 -  All domains that will contain Exchange 2003 users and groups that you will use to manage your Exchange 2003 organization.

Just put in the Exchange cd to any machine on the network and run (but I typically do it from the Exchange CD):

E:\setup\i386\setup /DomainPrep (obviously, E: signifies the CD drive)

Run through the setup, but just make sure that the installation does pick up the Domain Prep in the Action column of the installer.

I do not believe that you will have to reinstall, and this should fix the issue.  

This will basically set up all security principals for the domain; most importantly, the Exchange Enterprise Servers domain local group gets the Manage Auditing and Security Log right.
Sorry I meant REBOOT in this line.....not reinstall

I do not believe that you will have to REBOOT, and this should fix the issue.
Prep is not a server setting, but a per-domain setting.
Therefore you do not have to prep every server for the domain.

However prep is non-destructive, so if you suspect it wasn't done correctly then run it again.

-M
I will try it today and let you know how I go..
thanks again for help
Hi crokeefe28

Finally I have success, after running domain prep:
Event Type: Information
Event Source: MSExchangeDSAccess
Event Category: Topology
Event ID: 2080
Date: 3/03/2009
Time: 10:46:19 p.m.
User: N/A
Computer:
Description:
Process STORE.EXE (PID=3700). DSAccess has discovered the following servers with the following characteristics:
(Server name | Roles | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
OLD01.stsnz.stellatravel.net CDG 7 7 1 0 1 1 7 1
OLD02.stsnz.stellatravel.net CDG 7 7 1 0 0 1 7 1
DC01.stsnz.stellatravel.net CDG 7 7 1 0 1 1 7 1
DC02.stsnz.stellatravel.net CDG 7 7 1 0 0 1 7 1
DC03.stsnz.stellatravel.net CDG 7 7 1 0 0 1 7 1

Now a couple of questions:
1. Why, after domain prep, did I only get 1 more DC as SACL-right capable and not the rest of them?
2. In Exchange Directory Access I have 2 DCs for GC and Domain Controller but only one for Configuration Domain Controller. Why?
I need to do a final test to see if Exchange survives without old DC1.
Please shed some light???
Thanks again, you guys
When you run the domain prep on the DC, you are only prepping that DC for the SACL right.

1.  You could do one of two things:
     a.  Run domain prep on the other servers that you would like to participate, OR
     b.  Follow the instructions below to assign the right to the DC that you would like:

To fix the SACL right problem here is what you need to follow:

1. Open Default Domain Controller Security Policy on the DC you want to participate.
2. Expand Local Policies and then "user rights management".
3. Look at Manage Auditing and Security Log.
4. Here you need to have the "Exchange Enterprise Servers" and "Exchange Servers" groups. If not, add them.


For your second question, you can only have one Configuration domain controller at a time.  This is by design and is not an issue.  The reason is because DSAccess uses only a single domain controller for all configuration context requests to reduce issues of replication latency (because of a multi-master directory service environment that exists with the architecture), and to avoid partial directory additions or modifications being made to different domain controllers.
Hi Crokeefe28

Thanks again for your quick response. I did not do domain prep on a DC, I just ran it on a random server, but still only 1 random DC was picked up by DSAccess?

I tried giving the permissions as suggested to the other domain controller and restarted the server, and DSAccess has not detected this server yet; it has been 1 hour already. Under Manage Auditing and Security Log I found that Exchange Enterprise Servers was already there but not Exchange Servers, so I added it as you suggested.

any idea as to why it happened?

Thanks in advance
Not really sure.... that may be the one that stumps me.  Is the Exchange Servers group in the Exchange Enterprise Servers group?  Are the other servers in that group?
It is a little different: the Exchange Domain Servers group is in the Exchange Enterprise Servers group. There is no other server in the same group.

thanks again
crokeefe28

All right, I ran Domain Prep on one server and Exchange picked it up as GC and DC. So good... thanks a lot.
ASKER CERTIFIED SOLUTION: crokeefe28