Domain/Exchange Issues

Posted on 2009-04-14
Medium Priority
Last Modified: 2012-05-06
I am having an issue with an Exchange 2007 server.  Last week there was domain wide issue.

My problems originated with the "MainDC" Domain Controller.  I was getting repeated NTDS replication errors in the error log.  Some of the other errors that we were getting included:
DNS:    Event 4000, The DNS Server was unable to open Active Directory
Userenv:  Event 1053, Windows cannot determine the user or the computer name
The MainDC held the Schema Master, Global Catalog, and PDC Operations Master roles for the bob.local domain.  Users were reporting issues while trying to login, but drive shares on the MainDC were working.  After several hours of trying to make repairs to no avail, we decided to take a "brute force" approach to fixing the issue.  These were the steps:
1. We used the other domain controllers to assume the FSMO roles that the MainDC owned.
2. We ran a dcpromo /FORCEREMOVAL on the MainDC (had to force it since it couldn't communicate with AD).
3. We used the NTDSUTIL utility to clean up the metadata left behind for the MainDC.
4. We removed DNS from MainDC.
5. We rejoined MainDC to the domain as a member server.
6. We reinstalled DNS on the MainDC.
7. We reinstalled Active Directory on the MainDC using DCPROMO.
At that point, everything went back to normal across the domain.  The replication errors stopped and there have been no major event IDs since.
Exchange stopped working the same time that the MainDC stopped working.  We did nothing on the Exchange server since it wasn't mission critical (it's a brand new install).

The repeated events that I am seeing are:

Event 2114
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1808). Topology discovery failed, error 0x80040a02 (DSC_E_NO_SUITABLE_CDC). Look up the Lightweight Directory Access Protocol (LDAP) error code specified in the event description. To do this, use Microsoft Knowledge Base article 218185, "Microsoft LDAP Error Codes." Use the information in that article to learn more about the cause and resolution to this error. Use the Ping or PathPing command-line tools to test network connectivity to local domain controllers.

Event 2080
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1808). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
 (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
Dc2.bob.local       CDG 1 7 7 1 0 0 1 7 1
DC3.bob.local         CDG 1 7 7 1 0 0 1 7 1
DC4.bob.local      CDG 1 0 0 1 0 0 0 0 0
DC5.bob.local      CDG 1 0 0 1 0 0 0 0 0
MainDC.bob.local              CDG 1 7 7 1 0 0 1 7 1

Event 2501
Process MSEXCHANGEADTOPOLOGY (PID=1808). The site monitor API was unable to verify the site name for this Exchange computer - Call=HrSearch Error code=80040a01. Make sure that Exchange server is correctly registered on the DNS server.

Event 2604
Process MSEXCHANGEADTOPOLOGY (PID=1808). When updating security for a remote procedure call (RPC) access for the Exchange Active Directory Topology service, Exchange could not retrieve the security descriptor for Exchange server object MAIL2 - Error code=80040a01.
 The Exchange Active Directory Topology service will continue with limited permissions.

Event 2102
Process MAD.EXE (PID=2312). All Domain Controller Servers in use are not responding:

Any help is greatly appreciated.
Question by:learjetta96

Expert Comment

ID: 24144858
You may have lost Exchange AD objects during the corruption. I had a similar issue but did not have to demote and repromote the server. I was able to solve my errors using ADSIEdit.msc. I went through and deleted all traces of the old AD server in there, especially under:

CN=Configuration,DC=domain > CN=Sites >CN=Default-First-Site-Name > CN=Servers >

If it was a fresh install, it may be best to reinstall it. Just to avoid any future issues.

Expert Comment

ID: 24147822
Run setup /preparedomain or setup /prepareAD and this should resolve the issue. The issue is with the permission for the Exchange server services to run.

Event ID 2080 does show that the SACL rights are missing.

(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
Dc2.bob.local       CDG 1 7 7 1 0 0 1 7 1
DC3.bob.local         CDG 1 7 7 1 0 0 1 7 1
DC4.bob.local      CDG 1 0 0 1 0 0 0 0 0
DC5.bob.local      CDG 1 0 0 1 0 0 0 0 0
MainDC.bob.local              CDG 1 7 7 1 0 0 1 7 1

Once you run the setup /preparedomain your issue would be resolved.
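The expert's reading of Event 2080 rests on knowing which column is which. As an added example (not code from the thread), this PowerShell snippet parses the table exactly as quoted above and flags every domain controller row whose SACL right, reachability, synchronization, critical-data or Netlogon column is not healthy; the column meanings follow Microsoft's documentation of Event 2080, where Reachability, Synchronized and Netlogon are bitmasks (1 = GC on 3268, 2 = DC on 389, 4 = configuration DC on 389).

```powershell
# Added example: decode the per-DC flag columns of Exchange Event 2080.
# The sample text below is the table quoted in the thread (constructed input for this demo).
$event2080 = @'
Dc2.bob.local       CDG 1 7 7 1 0 0 1 7 1
DC3.bob.local         CDG 1 7 7 1 0 0 1 7 1
DC4.bob.local      CDG 1 0 0 1 0 0 0 0 0
DC5.bob.local      CDG 1 0 0 1 0 0 0 0 0
MainDC.bob.local              CDG 1 7 7 1 0 0 1 7 1
'@

# Column order as printed in the event header:
# Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version
$columns = 'Server','Roles','Enabled','Reachability','Synchronized','GcCapable','Pdc','SaclRight','CriticalData','Netlogon','OsVersion'

function ConvertFrom-Event2080 {
    param([string]$Text)
    $Text -split "`r?`n" | Where-Object { $_.Trim() } | ForEach-Object {
        $fields = $_.Trim() -split '\s+'          # whitespace-separated, ragged spacing is fine
        $row = [ordered]@{}
        for ($i = 0; $i -lt $columns.Count; $i++) { $row[$columns[$i]] = $fields[$i] }
        [pscustomobject]$row
    }
}

function Get-Event2080Problems {
    param([object[]]$Rows)
    foreach ($r in $Rows) {
        $issues = @()
        if ([int]$r.Reachability -ne 7) { $issues += "not reachable on all LDAP ports (mask $($r.Reachability))" }
        if ([int]$r.Synchronized -ne 7) { $issues += "not synchronized (mask $($r.Synchronized))" }
        if ([int]$r.SaclRight    -ne 1) { $issues += 'Exchange lacks the "Manage auditing and security log" (SACL) right' }
        if ([int]$r.CriticalData -ne 1) { $issues += 'critical Exchange configuration data not found' }
        if ([int]$r.Netlogon     -ne 7) { $issues += "Netlogon check failed (mask $($r.Netlogon))" }
        if ($issues) { [pscustomobject]@{ Server = $r.Server; Issues = $issues -join '; ' } }
    }
}

$rows = ConvertFrom-Event2080 $event2080
$rows | Format-Table -AutoSize
# For the quoted table every DC reports SaclRight = 0, which is the condition setup /PrepareDomain repairs;
# DC4 and DC5 additionally report 0 for reachability, synchronization, critical data and Netlogon.
Get-Event2080Problems $rows | Format-Table -AutoSize -Wrap
```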

Author Comment

ID: 24152231
That definitely helped.  The server is up and running, but I am now experiencing the following events.

Event 9385
Microsoft Exchange System Attendant failed to read the membership of the universal security group '/dc=local/dc=bob/ou=Microsoft Exchange Security Groups/cn=Exchange Servers1'; the error code was '8007203a'. The problem might be that the Microsoft Exchange System Attendant does not have permission to read the membership of the group.

If this computer is not a member of the group '/dc=local/dc=bob/ou=Microsoft Exchange Security Groups/cn=Exchange Servers1', you should manually stop all Microsoft Exchange services, run the task 'add-ExchangeServerGroupMember,' and then restart all Microsoft Exchange services.

Event 2003
The RPC over HTTP Proxy component is not installed or is not configured correctly. Use the Windows Component Wizard to add the RPC over HTTP Proxy component to the Networking Services.

Event 12014
Microsoft Exchange couldn't find a certificate that contains the domain name mail.domain.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Hub Transport Prerequisite with a FQDN parameter of mail.domain.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

Any ideas on how to resolve these issues?  Your help is greatly appreciated.

Thank you.

Accepted Solution

Suraj earned 2000 total points
ID: 24168447
Running setup /preparedomain should have resolved this. Just to verify, you could check the Exchange Servers group in the Microsoft Exchange Security Groups container in Active Directory Users and Computers to see if the Exchange server is a member of this group, and likewise the Exchange Installed Domain Servers group in the Microsoft Exchange System Objects organizational unit.

For the second event, run get-exchangecertificate | fl and check whether the SMTP service has been enabled; if not, run enable-exchangecertificate -thumbprint <thumbprint from the output of get-exchangecertificate> -Services SMTP

This should resolve your issue.
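The certificate check in the accepted answer can be made less error-prone than copying a thumbprint by hand. The following PowerShell is an added example (not the answerer's code) for the Exchange Management Shell: it looks for a valid certificate with a private key that covers the connector FQDN named in Event 12014, reports which services it is bound to, and enables SMTP only where that binding is missing; the FQDN default and the choice of the longest-lived matching certificate are assumptions for this demo.

```powershell
# Added example: verify and, if needed, repair the STARTTLS certificate binding behind Event 12014.
# Assumes the Exchange Management Shell (Exchange 2007 cmdlets Get-/Enable-ExchangeCertificate).
param(
    [string]$ConnectorFqdn = 'mail.domain.com'   # FQDN from the Event 12014 text in the thread
)

$now = Get-Date

# A certificate is usable for the connector only if it has a private key, is within its
# validity period, and lists the FQDN (exact name or a wildcard such as *.domain.com).
$candidates = Get-ExchangeCertificate | Where-Object {
    $cert = $_
    $cert.HasPrivateKey -and
    $cert.NotBefore -le $now -and $cert.NotAfter -gt $now -and
    ($cert.CertificateDomains | Where-Object {
        $d = "$_"
        ($d -ieq $ConnectorFqdn) -or ($d.StartsWith('*.') -and ($ConnectorFqdn -ilike $d))
    })
}

if (-not $candidates) {
    Write-Warning "No valid certificate with a private key covers '$ConnectorFqdn'; Event 12014 will recur until one is installed."
    return
}

# Prefer the certificate that expires last so the binding does not need redoing soon (assumption).
$best = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1

# Services is a flags value that renders as e.g. 'IIS, SMTP' or 'None'.
$services = "$($best.Services)"
$hasSmtp  = ($services -split ',\s*') -contains 'SMTP'

"Thumbprint : $($best.Thumbprint)"
"Subject    : $($best.Subject)"
"Expires    : $($best.NotAfter.ToString('yyyy-MM-dd'))"
"Services   : $services"

if ($hasSmtp) {
    'SMTP is already enabled on this certificate; Event 12014 points elsewhere (check the connector FQDN).'
} else {
    # Same remediation the answer gives, with the thumbprint taken from the object rather than retyped.
    # No -Confirm:$false here, so the operator acknowledges the change interactively.
    Enable-ExchangeCertificate -Thumbprint $best.Thumbprint -Services SMTP
}
```

Restart the Microsoft Exchange Transport service afterwards if the event does not clear on its own, since the transport service caches the certificate it selected at startup.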


Author Closing Comment

ID: 31569948
Thank you very much.
