• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1411
  • Last Modified:

Domain/Exchange Issues

I am having an issue with an Exchange 2007 server.  Last week there was domain wide issue.

My problems originated with the "MainDC" Domain Controller.  I was getting repeated NTDS replication errors in the error log.  Some of the other errors that we were getting included:
DNS:    Event 4000, The DNS Server was unable to open Active Directory
Userenv:  Evnet 1053, Windows cannot determine the user or the computer name
 
The MainDC held the Schema Master, Global Catalog, and PDC Operations Master roles for the bob.local domain.  Users were reporting issues while trying to login, but drive shares on the MainDC were working.  After several hours of trying to make repairs to no avail, we decided to take a "brute force" approach to fixing the issue.  These were the steps:
 
We used the other domain controllers to assume the FSMO roles that the MainDC owned.  
We ran a dcpromo /FORCEREMOVAL on the MainDC  (Had to force it since it couldn't communicated with AD)
We used the NTDSUTIL utility to clean up the metadata left behind for the MainDC
We removed DNS from MainDC
We rejoined MainDC to the domain as a member server
We reinstalled DNS on the MainDC
We reinstalled Active Directory on the MainDC using DCPROMO.
 
At that point, everything went back to normal across the domain.  The replication errors stopped and there have been no major event IDs since.
 
Exchange stopped working the same time that the MainDC stopped working.  We did nothing on the Exchange server since it wasn't mission critical (it's a brand new install).

The repeated events that i am seeing are:

Event 2114
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1808). Topology discovery failed, error 0x80040a02 (DSC_E_NO_SUITABLE_CDC). Look up the Lightweight Directory Access Protocol (LDAP) error code specified in the event description. To do this, use Microsoft Knowledge Base article 218185, "Microsoft LDAP Error Codes." Use the information in that article to learn more about the cause and resolution to this error. Use the Ping or PathPing command-line tools to test network connectivity to local domain controllers.

Event 2080
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1808). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
 (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
Dc2.bob.local       CDG 1 7 7 1 0 0 1 7 1
DC3.bob.local         CDG 1 7 7 1 0 0 1 7 1
DC4.bob.local      CDG 1 0 0 1 0 0 0 0 0
DC5.bob.local      CDG 1 0 0 1 0 0 0 0 0
MainDC.bob.local              CDG 1 7 7 1 0 0 1 7 1
 Out-of-site:

Event 2501
Process MSEXCHANGEADTOPOLOGY (PID=1808). The site monitor API was unable to verify the site name for this Exchange computer - Call=HrSearch Error code=80040a01. Make sure that Exchange server is correctly registered on the DNS server.

Event 2604
Process MSEXCHANGEADTOPOLOGY (PID=1808). When updating security for a remote procedure call (RPC) access for the Exchange Active Directory Topology service, Exchange could not retrieve the security descriptor for Exchange server object MAIL2 - Error code=80040a01.
 The Exchange Active Directory Topology service will continue with limited permissions.

Event 2102
Process MAD.EXE (PID=2312). All Domain Controller Servers in use are not responding:
MainDC.bob.local
DC2.bob.local
DC3.bob.local
DC4.bob.local
DC5.bob.local

Any help is greatly appreciated.
0
learjetta96
Asked:
learjetta96
  • 2
  • 2
1 Solution
 
dud386Commented:
You may have lost exchange AD objects during the corruption. I had a similar issue but did not have to demote and repromote the server. I was able to solve my errors using ASDIedit.msc. I went through and deleted all traces of the old AD server in there, esp under:

CN=Configuration,DC=domain > CN=Sites >CN=Default-First-Site-Name > CN=Servers >

If it was a fresh install, it may be best to reinstall it. Just to avoid any future issues.
0
 
SurajCommented:
Run setup /preparedomain or setup /prepareAD and this should resolve the issue. The issue is with the permission for the Exchange server services to run.

Event ID: 2080 does shows the SACL rights are missing.

(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
Dc2.bob.local       CDG 1 7 7 1 0 0 1 7 1
DC3.bob.local         CDG 1 7 7 1 0 0 1 7 1
DC4.bob.local      CDG 1 0 0 1 0 0 0 0 0
DC5.bob.local      CDG 1 0 0 1 0 0 0 0 0
MainDC.bob.local              CDG 1 7 7 1 0 0 1 7 1

Once you run the setup /preparedomain your issue would be resolved.
0
 
learjetta96Author Commented:
That definitely helped.  The server is up and running but i am now experiencing the following events.

Event 9385
Microsoft Exchange System Attendant failed to read the membership of the universal security group '/dc=local/dc=bob/ou=Microsoft Exchange Security Groups/cn=Exchange Servers1'; the error code was '8007203a'. The problem might be that the Microsoft Exchange System Attendant does not have permission to read the membership of the group.

If this computer is not a member of the group '/dc=local/dc=bob/ou=Microsoft Exchange Security Groups/cn=Exchange Servers1', you should manually stop all Microsoft Exchange services, run the task 'add-ExchangeServerGroupMember,' and then restart all Microsoft Exchange services.


Event 2003
The RPC over HTTP Proxy component is not installed or is not configured correctly. Use the Windows Component Wizard to add the RPC over HTTP Proxy component to the Networking Services.


Event 12014
Microsoft Exchange couldn't find a certificate that contains the domain name mail.domain.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Hub Transport Prerequisite with a FQDN parameter of mail.domain.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

Any ideas on how to resolve these issues?  Your help is greatly appreciated.

Thank you.
0
 
SurajCommented:
By running the setup /preparedomain it should have resolved this. You could just to verify check the exchange servers group in the Microsoft Exchange Security Group in the Active Directory Users and Computers see if the Exchange server is a member of this group and the Exchange Installed Domain Servers in the Microsoft Exchange System Object Organization Unit.

For the second event run get-exchangecertificate | fl and check if the SMTP service is been enabled if not the run enable-exchangecertificate -thumbprint <thumbprint from the output of get-exchangecertificate> -Services SMTP

This should resolve your issue.

Thanks,
x-sam
0
 
learjetta96Author Commented:
Thank you very much.
0

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now