Solved

Domain/Exchange Issues

Posted on 2009-04-14
Last Modified: 2012-05-06
I am having an issue with an Exchange 2007 server.  Last week there was domain wide issue.

My problems originated with the "MainDC" Domain Controller.  I was getting repeated NTDS replication errors in the error log.  Some of the other errors that we were getting included:
DNS:    Event 4000, The DNS Server was unable to open Active Directory
Userenv:  Event 1053, Windows cannot determine the user or the computer name
 
The MainDC held the Schema Master, Global Catalog, and PDC Operations Master roles for the bob.local domain.  Users were reporting issues while trying to log in, but drive shares on the MainDC were working.  After several hours of trying to make repairs to no avail, we decided to take a "brute force" approach to fixing the issue.  These were the steps:
 
1. We used the other domain controllers to assume the FSMO roles that the MainDC owned.
2. We ran dcpromo /FORCEREMOVAL on the MainDC (had to force it since it couldn't communicate with AD).
3. We used the NTDSUTIL utility to clean up the metadata left behind for the MainDC.
4. We removed DNS from MainDC.
5. We rejoined MainDC to the domain as a member server.
6. We reinstalled DNS on the MainDC.
7. We reinstalled Active Directory on the MainDC using DCPROMO.
 
At that point, everything went back to normal across the domain.  The replication errors stopped and there have been no major event IDs since.
 
Exchange stopped working the same time that the MainDC stopped working.  We did nothing on the Exchange server since it wasn't mission critical (it's a brand new install).

The repeated events that I am seeing are:

Event 2114
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1808). Topology discovery failed, error 0x80040a02 (DSC_E_NO_SUITABLE_CDC). Look up the Lightweight Directory Access Protocol (LDAP) error code specified in the event description. To do this, use Microsoft Knowledge Base article 218185, "Microsoft LDAP Error Codes." Use the information in that article to learn more about the cause and resolution to this error. Use the Ping or PathPing command-line tools to test network connectivity to local domain controllers.

Event 2080
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1808). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
 (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
Dc2.bob.local       CDG 1 7 7 1 0 0 1 7 1
DC3.bob.local         CDG 1 7 7 1 0 0 1 7 1
DC4.bob.local      CDG 1 0 0 1 0 0 0 0 0
DC5.bob.local      CDG 1 0 0 1 0 0 0 0 0
MainDC.bob.local              CDG 1 7 7 1 0 0 1 7 1
 Out-of-site:

Event 2501
Process MSEXCHANGEADTOPOLOGY (PID=1808). The site monitor API was unable to verify the site name for this Exchange computer - Call=HrSearch Error code=80040a01. Make sure that Exchange server is correctly registered on the DNS server.

Event 2604
Process MSEXCHANGEADTOPOLOGY (PID=1808). When updating security for a remote procedure call (RPC) access for the Exchange Active Directory Topology service, Exchange could not retrieve the security descriptor for Exchange server object MAIL2 - Error code=80040a01.
 The Exchange Active Directory Topology service will continue with limited permissions.

Event 2102
Process MAD.EXE (PID=2312). All Domain Controller Servers in use are not responding:
MainDC.bob.local
DC2.bob.local
DC3.bob.local
DC4.bob.local
DC5.bob.local

Any help is greatly appreciated.
Question by:learjetta96
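The following is an added example, not code from the thread or from anyone who posted in it. It is the post-rebuild check I would run after the seven-step rebuild above (FSMO seizure, dcpromo /forceremoval, ntdsutil metadata cleanup, re-promotion) before touching Exchange: it lists the FSMO holders, looks for an orphaned server object left behind for the rebuilt DC, probes the LDAP and GC ports on every DC (the same ports the Exchange topology service tests), and prints replication failures only. It assumes Windows PowerShell 2.0 on a domain member with repadmin.exe available, and it uses the thread's host name MainDC as the rebuilt DC; change that variable for another environment.

```powershell
# Added example (not from the original thread): verify the domain after a forced demotion,
# metadata cleanup and re-promotion. Assumes PowerShell 2.0 and repadmin.exe on a domain member.
[void][System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices")

$rebuiltDc = "MainDC"   # assumed: the DC that was force-demoted and re-promoted in the thread
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$forest = $domain.Forest

# 1. FSMO holders: after seizing, every role must name a live DC, never the old MainDC identity.
$roles = @{
    "Schema master"         = $forest.SchemaRoleOwner.Name
    "Domain naming master"  = $forest.NamingRoleOwner.Name
    "PDC emulator"          = $domain.PdcRoleOwner.Name
    "RID master"            = $domain.RidRoleOwner.Name
    "Infrastructure master" = $domain.InfrastructureRoleOwner.Name
}
foreach ($role in $roles.Keys) { "{0,-22} {1}" -f $role, $roles[$role] }

# 2. Leftover metadata: after "ntdsutil metadata cleanup" there must be at most one server object
#    named MainDC under CN=Sites, and it must own an NTDS Settings (nTDSDSA) child. An orphaned
#    server object without NTDS Settings is what topology discovery keeps tripping over.
$configNc = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,$configNc"
$searcher.Filter     = "(&(objectClass=server)(cn=$rebuiltDc))"
foreach ($hit in $searcher.FindAll()) {
    $server   = $hit.GetDirectoryEntry()
    $settings = @($server.Children | Where-Object { $_.SchemaClassName -eq "nTDSDSA" })
    if ($settings.Count -gt 0) { "OK     {0} has NTDS Settings" -f $hit.Path }
    else                       { "STALE  {0} has no NTDS Settings; remove it with ntdsutil or ADSIEdit" -f $hit.Path }
}

# 3. Port checks that mirror the Reachability column of Event 2080: 389 (domain/config DC)
#    and 3268 (global catalog) must answer on every DC Exchange is expected to use.
foreach ($dc in $domain.DomainControllers) {
    $open = @()
    foreach ($port in 389, 3268) {
        $tcp = New-Object System.Net.Sockets.TcpClient
        try { $tcp.Connect($dc.Name, $port); $open += $port } catch { } finally { $tcp.Close() }
    }
    "{0,-20} LDAP389:{1,-6} GC3268:{2,-6} IsGC:{3}" -f $dc.Name, ($open -contains 389), ($open -contains 3268), $dc.IsGlobalCatalog()
}

# 4. Replication: only failures are printed, so empty output here means the rebuild is clean.
repadmin /showrepl * /errorsonly
```

Run it as a domain admin from any member server; a STALE line in step 2 or a False in step 3 explains an Exchange topology failure before any Exchange-side fix is attempted.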
5 Comments
 

Expert Comment

by:dud386
ID: 24144858
You may have lost Exchange AD objects during the corruption. I had a similar issue but did not have to demote and re-promote the server. I was able to solve my errors using ADSIEdit.msc. I went through and deleted all traces of the old AD server in there, especially under:

CN=Configuration,DC=domain > CN=Sites > CN=Default-First-Site-Name > CN=Servers >

If it was a fresh install, it may be best to reinstall it. Just to avoid any future issues.
 

Expert Comment

by:Suraj
ID: 24147822
Run setup /preparedomain or setup /prepareAD and this should resolve the issue. The issue is with the permissions for the Exchange server services to run.

Event ID 2080 does show that the SACL rights are missing.

(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
Dc2.bob.local       CDG 1 7 7 1 0 0 1 7 1
DC3.bob.local         CDG 1 7 7 1 0 0 1 7 1
DC4.bob.local      CDG 1 0 0 1 0 0 0 0 0
DC5.bob.local      CDG 1 0 0 1 0 0 0 0 0
MainDC.bob.local              CDG 1 7 7 1 0 0 1 7 1

Once you run setup /preparedomain, your issue would be resolved.
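As an added example that is not part of the thread or its posters' own material, here is a small decoder for the server table that MSExchangeADTopology writes into Event 2080, so the reading above (SACL right missing on every DC, DC4 and DC5 unreachable) can be checked mechanically instead of by eye. The column meanings are the documented layout of that event: Reachability, Synchronized and Netlogon are bitmasks (1 = GC on 3268, 2 = domain DC on 389, 4 = configuration DC on 389, so 7 = all three), and SACL right = 1 means the Exchange Servers group holds "Manage auditing and security log" on that DC, which is what setup /PrepareDomain grants. The sample text is constructed from the rows quoted in the answer; it assumes PowerShell 2.0 and nothing Exchange-specific.

```powershell
# Added example (not from the original thread): decode an Event 2080 server table and say
# which DCs the Exchange topology service can actually use. Assumes PowerShell 2.0.

# Constructed sample: the rows quoted above, as they appear in the event description.
$event2080 = @"
 (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
Dc2.bob.local       CDG 1 7 7 1 0 0 1 7 1
DC3.bob.local         CDG 1 7 7 1 0 0 1 7 1
DC4.bob.local      CDG 1 0 0 1 0 0 0 0 0
DC5.bob.local      CDG 1 0 0 1 0 0 0 0 0
MainDC.bob.local              CDG 1 7 7 1 0 0 1 7 1
 Out-of-site:
"@

function Decode-Bits([int]$mask) {
    # Reachability, Synchronized and Netlogon: 1 = GC (3268), 2 = domain DC (389), 4 = config DC (389)
    $bits = @()
    if ($mask -band 1) { $bits += "GC" }
    if ($mask -band 2) { $bits += "DC" }
    if ($mask -band 4) { $bits += "CDC" }
    if ($bits.Count -eq 0) { "none" } else { $bits -join "+" }
}

function Parse-Event2080([string]$text) {
    foreach ($line in ($text -split "`r?`n")) {
        $f = $line.Trim() -split "\s+"
        if ($f.Count -ne 11) { continue }   # header, blank, "In-site:" and "Out-of-site:" lines are skipped
        New-Object PSObject -Property @{
            Server = $f[0]; Roles = $f[1]            # Roles: C = config DC, D = domain DC, G = global catalog
            Enabled = [int]$f[2]; Reachability = [int]$f[3]; Synchronized = [int]$f[4]
            GcCapable = [int]$f[5]; Pdc = [int]$f[6]
            SaclRight = [int]$f[7]                    # 1 = Exchange Servers holds "Manage auditing and security log"
            CriticalData = [int]$f[8]                 # 1 = Exchange configuration container readable on this DC
            Netlogon = [int]$f[9]; OsVersion = [int]$f[10]
        }
    }
}

$dcs = @(Parse-Event2080 $event2080)
foreach ($dc in $dcs) {
    $problems = @()
    if ($dc.Enabled -ne 1)      { $problems += "disabled for Exchange use" }
    if ($dc.Reachability -ne 7) { $problems += ("reachable only as " + (Decode-Bits $dc.Reachability)) }
    if ($dc.Synchronized -ne 7) { $problems += ("synchronized only as " + (Decode-Bits $dc.Synchronized)) }
    if ($dc.SaclRight -ne 1)    { $problems += "Exchange Servers lacks the SACL right (Manage auditing and security log)" }
    if ($dc.CriticalData -ne 1) { $problems += "Exchange configuration container not readable" }
    if ($dc.Netlogon -ne 7)     { $problems += ("Netlogon answers only as " + (Decode-Bits $dc.Netlogon)) }
    if ($dc.OsVersion -ne 1)    { $problems += "OS version not supported by Exchange" }
    $status = if ($problems.Count -eq 0) { "USABLE" } else { "NOT USABLE: " + ($problems -join "; ") }
    "{0,-18} {1}" -f $dc.Server, $status
}

# SaclRight = 0 on every DC is the PrepareDomain symptom from this thread: the right is granted to
# the Exchange Servers group on the domain controllers by setup /PrepareDomain and arrives with the
# next Group Policy refresh, so a freshly rebuilt DC that never saw it cannot be selected.
if (@($dcs | Where-Object { $_.SaclRight -eq 0 }).Count -eq $dcs.Count) {
    "No DC grants the SACL right: run setup.com /PrepareDomain, then gpupdate /force on the DCs and restart MSExchangeADTopology."
}
```

On the quoted rows the output marks Dc2, DC3 and MainDC as not usable only because of the SACL right, and DC4/DC5 additionally as unreachable on every port, which separates the permission problem (fixed by PrepareDomain) from the network problem (not fixed by it).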
 

Author Comment

by:learjetta96
ID: 24152231
That definitely helped.  The server is up and running but I am now experiencing the following events.

Event 9385
Microsoft Exchange System Attendant failed to read the membership of the universal security group '/dc=local/dc=bob/ou=Microsoft Exchange Security Groups/cn=Exchange Servers1'; the error code was '8007203a'. The problem might be that the Microsoft Exchange System Attendant does not have permission to read the membership of the group.

If this computer is not a member of the group '/dc=local/dc=bob/ou=Microsoft Exchange Security Groups/cn=Exchange Servers1', you should manually stop all Microsoft Exchange services, run the task 'add-ExchangeServerGroupMember,' and then restart all Microsoft Exchange services.


Event 2003
The RPC over HTTP Proxy component is not installed or is not configured correctly. Use the Windows Component Wizard to add the RPC over HTTP Proxy component to the Networking Services.


Event 12014
Microsoft Exchange couldn't find a certificate that contains the domain name mail.domain.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Hub Transport Prerequisite with a FQDN parameter of mail.domain.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

Any ideas on how to resolve these issues?  Your help is greatly appreciated.

Thank you.
 

Accepted Solution

by: Suraj (earned 500 total points)
ID: 24168447
By running setup /preparedomain, this should have been resolved. Just to verify, check the Exchange Servers group in the Microsoft Exchange Security Groups OU in Active Directory Users and Computers and see if the Exchange server is a member of this group, and also check the Exchange Install Domain Servers group in the Microsoft Exchange System Objects organizational unit.

For the second event, run get-exchangecertificate | fl and check if the SMTP service has been enabled. If not, run enable-exchangecertificate -thumbprint <thumbprint from the output of get-exchangecertificate> -Services SMTP.

This should resolve your issue.

Thanks,
x-sam
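An added example, not code from the thread or from Suraj, that performs the two checks the accepted answer describes from the Exchange Management Shell on the Exchange 2007 server: whether this server's computer account is a direct member of the Exchange Servers group (the membership Event 9385 says System Attendant could not read), and whether a certificate carrying the connector FQDN from Event 12014 exists in the local machine store and is enabled for SMTP, enabling it if not. It assumes the Exchange Management Shell (for Get-ExchangeCertificate and Enable-ExchangeCertificate), PowerShell 2.0 and rights to read the group; the FQDN mail.domain.com and the group OU come from the thread, and the membership repair is an ADSI write that is only performed when $repairMembership is set.

```powershell
# Added example (not from the original thread): run in the Exchange Management Shell on the
# Exchange 2007 server. Checks Exchange Servers membership (Event 9385) and the STARTTLS
# certificate for the connector FQDN (Event 12014).
$connectorFqdn    = "mail.domain.com"   # from the posted Event 12014
$computerName     = $env:COMPUTERNAME
$repairMembership = $false              # set to $true to add the computer account to the group

# 1. Exchange Servers group membership. A computer whose account was re-created or whose
#    group membership was lost during the AD incident no longer has the group's SID in its
#    token, so System Attendant cannot read what it is not allowed to read.
$domainNc = ([ADSI]"LDAP://RootDSE").defaultNamingContext
$groupSearch = New-Object System.DirectoryServices.DirectorySearcher
$groupSearch.SearchRoot = [ADSI]"LDAP://OU=Microsoft Exchange Security Groups,$domainNc"
$groupSearch.Filter     = "(&(objectClass=group)(cn=Exchange Servers))"
$group = $groupSearch.FindOne()

$computerSearch = New-Object System.DirectoryServices.DirectorySearcher
$computerSearch.SearchRoot = [ADSI]"LDAP://$domainNc"
$computerSearch.Filter     = "(&(objectClass=computer)(cn=$computerName))"
$computerDn = $computerSearch.FindOne().Properties["distinguishedname"][0]

if ($group -eq $null) {
    "Group 'Exchange Servers' not found under OU=Microsoft Exchange Security Groups; run setup.com /PrepareDomain."
} else {
    $members = @($group.Properties["member"])
    if ($members -contains $computerDn) {
        "OK: $computerDn is a member of Exchange Servers"
    } else {
        "MISSING: $computerDn is not a member of Exchange Servers"
        if ($repairMembership) {
            $groupEntry = $group.GetDirectoryEntry()
            [void]$groupEntry.Properties["member"].Add($computerDn)
            $groupEntry.CommitChanges()
            "Added; the new group SID is only in the computer's token after a reboot, so stop the Exchange services and restart the server."
        }
    }
}

# 2. STARTTLS certificate for the Hub Transport connector FQDN. Transport only offers STARTTLS
#    when a certificate in the local machine store carries the connector's FQDN, has its private
#    key, is not expired and is enabled for the SMTP service.
$now   = Get-Date
$certs = @(Get-ExchangeCertificate | Where-Object {
    ($_.CertificateDomains -contains $connectorFqdn) -and ($_.NotAfter -gt $now) -and $_.HasPrivateKey
})
if ($certs.Count -eq 0) {
    "No valid certificate with domain $connectorFqdn and a private key in the local machine store."
    "Request one with New-ExchangeCertificate -GenerateRequest, or set the connector Fqdn to a name you do hold."
} else {
    $cert = $certs | Sort-Object NotAfter -Descending | Select-Object -First 1
    if ("$($cert.Services)" -match "SMTP") {
        "OK: {0} ({1}) is enabled for SMTP, valid until {2}" -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter
    } else {
        "Enabling {0} ({1}) for SMTP" -f $cert.Thumbprint, $cert.Subject
        Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP
    }
}
```

The certificate match is done on CertificateDomains rather than on Subject because Event 12014 is raised on the FQDN the connector advertises, which may only appear as a subject alternative name; picking the latest NotAfter avoids re-enabling a certificate that is about to expire.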
 

Author Closing Comment

by:learjetta96
ID: 31569948
Thank you very much.
