R_M_Ron
asked on
Exchange Server 2 Domain Controllers, 1 Domain
I am working on installing a second domain controller in our environment as a backup to our current domain controller. Our current environment is one domain controller and one (separate) exchange server. I am putting up a second domain controller so that if we were to lose the first it would not render our email server useless. I installed active directory and added it to the current domain. I also installed DNS, WINS (made it a replication partner) and DHCP (separate address pool on same subnet) on this second server. I set my DNS settings on the exchange server to use the first Domain Controller as the primary and the backup as the secondary. I tested this and it seemed to work fine. However I tested a "disaster" scenario by removing the first domain controller network cable to see if the exchange server would proceed to continue to function using the second controller. This did not work (probably for obvious reasons I am overlooking). Prior to this new configuration the exchange server DNS settings used the first domain controller as the primary DNS server and the internet gateway device as the secondary.
Any ideas on why the new settings are not working?
Moreover, it's important that you make your second domain controller a Global Catalog. Exchange requires at least one GC to be available to work.
ASKER
I am running Exchange 2007. I am double checking the GC setting now. Also read the following on
http://forums.msexchange.org/m_1800452907/mpage_1/key_/tm.htm#1800452907 (which I am going to look into);
"To fix the SACL right problem here is what you need to follow:
1. open default domain controller security policy on adsrv2.
2. expand local policies and then "user rights management"
3. look at manage auditing and security log.
4. Here you need to have "Exchange enterprise servers" (if E2k3 exists) and "Exchange Servers" group. If not add them.
If there is a group policy applied on this dc make sure it is not removing this permission. Once replication completes you should see the SACL right set in the next run of AD discovery by MSExchangeSA. "
ASKER
The DC wasn't a Global Catalog so I set this but it still doesn't pick it up. Going to restart the server now and see if this helps.
Before you make any changes, can you run this from the second DC and First DC
start > run > cmd
dcdiag /v /e /TEST:DNS > c:\dc1.txt
and similarly dc2.txt
check DNS
Also run this from the second DC
start > run > cmd
netdom query fsmo
ASKER
dc1 output summary
Summary of DNS test results:
           Auth Basc Forw Del  Dyn  RReg Ext
____________________________________________
Domain: rmc-chi.local
rmc-DC01   PASS WARN FAIL FAIL PASS FAIL n/a
rmc-dc02   PASS PASS PASS FAIL PASS PASS n/a
dc2 summary
Summary of DNS test results:
           Auth Basc Forw Del  Dyn  RReg Ext
____________________________________________
Domain: rmc-chi.local
rmc-DC01   PASS WARN FAIL FAIL PASS FAIL n/a
rmc-dc02   PASS PASS PASS FAIL PASS PASS n/a
ASKER
netdom query fsmo returns the owner of rmc-dc01 for all rows on both servers
Can you CTRL+F for error in both the dc1 and dc2 text files.
If it's DNS issues with resolving ldap with root-servers ignore.
Copy paste non Root-Hints related errors here.
For all you know, as Shaba said - Exchange needs a restart.
thanks
ASKER
I am going to check back in morning (running out of steam) thanks for the help tonight, I will finish tomorrow and post back.
Thanks
ASKER
back at it (night job). I reviewed the errors and the only consistent error I see is:
Warning: DNS server: 14ecb2.DOMAINi.local. IP: <Unavailable> Failure:Missing glue A record
[Error details: 9714 (Type: Win32 - Description: DNS name does not exist.)]
I also restarted and still have same problems (i.e. exchange will not run without dc1 being online even though dc2 is accepting logins and running all services)
ASKER
on DC2 the errors mostly clear but not on DC1?
Summary of DNS test results:
           Auth Basc Forw Del  Dyn  RReg Ext
____________________________________________
Domain:
rmc-DC01   PASS WARN FAIL FAIL PASS FAIL n/a
rmc-dc02   PASS PASS PASS FAIL PASS PASS n/a
......................... failed test DNS
There should be a report before the summary.
Can you copy paste that here.
ASKER
Domain Controller Diagnosis
Performing initial setup:
* Verifying that the local machine rmc-DC01, is a DC.
* Connecting to directory service on server rmc-DC01.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 2 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site\RMC-DC0
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... RMC-DC01 passed test Connectivity
Testing server: Default-First-Site\RMC-DC0
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... RMC-DC02 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site\RMC-DC0
Test omitted by user request: Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Test omitted by user request: NCSecDesc
Test omitted by user request: NetLogons
Test omitted by user request: Advertising
Test omitted by user request: KnowsOfRoleHolders
Test omitted by user request: RidManager
Test omitted by user request: MachineAccount
Test omitted by user request: Services
Test omitted by user request: OutboundSecureChannels
Test omitted by user request: ObjectsReplicated
Test omitted by user request: frssysvol
Test omitted by user request: frsevent
Test omitted by user request: kccevent
Test omitted by user request: systemlog
Test omitted by user request: VerifyReplicas
Test omitted by user request: VerifyReferences
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: CheckSecurityError
Testing server: Default-First-Site\RMC-DC0
Test omitted by user request: Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Test omitted by user request: NCSecDesc
Test omitted by user request: NetLogons
Test omitted by user request: Advertising
Test omitted by user request: KnowsOfRoleHolders
Test omitted by user request: RidManager
Test omitted by user request: MachineAccount
Test omitted by user request: Services
Test omitted by user request: OutboundSecureChannels
Test omitted by user request: ObjectsReplicated
Test omitted by user request: frssysvol
Test omitted by user request: frsevent
Test omitted by user request: kccevent
Test omitted by user request: systemlog
Test omitted by user request: VerifyReplicas
Test omitted by user request: VerifyReferences
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: CheckSecurityError
DNS Tests are running and not hung. Please wait a few minutes...
Running partition tests on : TAPI3Directory
Test omitted by user request: CrossRefValidation
Test omitted by user request: CheckSDRefDom
Running partition tests on : ForestDnsZones
Test omitted by user request: CrossRefValidation
Test omitted by user request: CheckSDRefDom
Running partition tests on : DomainDnsZones
Test omitted by user request: CrossRefValidation
Test omitted by user request: CheckSDRefDom
Running partition tests on : Schema
Test omitted by user request: CrossRefValidation
Test omitted by user request: CheckSDRefDom
Running partition tests on : Configuration
Test omitted by user request: CrossRefValidation
Test omitted by user request: CheckSDRefDom
Running partition tests on : rmc-chi
Test omitted by user request: CrossRefValidation
Test omitted by user request: CheckSDRefDom
Running enterprise tests on : rmc-chi.local
Test omitted by user request: Intersite
Test omitted by user request: FsmoCheck
Starting test: DNS
Test results for domain controllers:
DC: rmc-DC01.rmc-chi.local
Domain: rmc-chi.local
TEST: Authentication (Auth)
Authentication test: Successfully completed
TEST: Basic (Basc)
Microsoft(R) Windows(R) Server 2003, Enterprise Edition (Service Pack level: 2.0) is supported
NETLOGON service is running
kdc service is running
DNSCACHE service is running
DNS service is running
DC is a DNS server
Network adapters information:
Adapter [00000009] VMware Accelerated AMD PCNet Adapter:
MAC address is 00:0C:29:0F:26:3E
IP address is static
IP address: 10.12.1.13
DNS servers:
10.12.1.13 (<name unavailable>) [Valid]
Warning: 10.12.1.40 (<name unavailable>) [Invalid]
The A record for this DC was found
The SOA record for the Active Directory zone was found
The Active Directory zone on this DC/DNS server was found (primary)
Root zone on this DC/DNS server was not found
TEST: Forwarders/Root hints (Forw)
Recursion is enabled
Forwarders Information:
10.12.1.40 (<name unavailable>) [Invalid]
Root hint Information:
Name: a.root-servers.net. IP: 198.41.0.4 [Valid]
Name: b.root-servers.net. IP: 128.9.0.107 [Valid]
Name: b.root-servers.net. IP: 192.228.79.201 [Valid]
Name: c.root-servers.net. IP: 192.33.4.12 [Valid]
Name: d.root-servers.net. IP: 128.8.10.90 [Valid]
Name: e.root-servers.net. IP: 192.203.230.10 [Valid]
Name: f.root-servers.net. IP: 192.5.5.241 [Valid]
Name: g.root-servers.net. IP: 192.112.36.4 [Valid]
Name: h.root-servers.net. IP: 128.63.2.53 [Valid]
Name: i.root-servers.net. IP: 192.36.148.17 [Valid]
Name: j.root-servers.net. IP: 192.58.128.30 [Valid]
Name: k.root-servers.net. IP: 193.0.14.129 [Valid]
Name: l.root-servers.net. IP: 198.32.64.12 [Valid]
Name: l.root-servers.net. IP: 199.7.83.42 [Valid]
Name: m.root-servers.net. IP: 202.12.27.33 [Valid]
TEST: Delegations (Del)
Delegation information for the zone: rmc-chi.local.
Delegated domain name: _msdcs.rmc-chi.local.
Warning: DNS server: consulti-14ecb2.rmc-chi.lo
[Error details: 9714 (Type: Win32 - Description: DNS name does not exist.)]
TEST: Dynamic update (Dyn)
Dynamic update is enabled on the zone rmc-chi.local.
Test record _dcdiag_test_record added successfully in zone rmc-chi.local.
Test record _dcdiag_test_record deleted successfully in zone rmc-chi.local.
TEST: Records registration (RReg)
Network Adapter [00000009] VMware Accelerated AMD PCNet Adapter:
Matching A record found at DNS server 10.12.1.13:
rmc-DC01.rmc-chi.local
Matching CNAME record found at DNS server 10.12.1.13:
89ad0f04-c761-49a8-a0bf-ed
Matching DC SRV record found at DNS server 10.12.1.13:
_ldap._tcp.dc._msdcs.rmc-c
Matching GC SRV record found at DNS server 10.12.1.13:
_ldap._tcp.gc._msdcs.rmc-c
Matching PDC SRV record found at DNS server 10.12.1.13:
_ldap._tcp.pdc._msdcs.rmc-
Error: Missing A record at DNS server 10.12.1.40 :
rmc-DC01.rmc-chi.local
[Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]
Error: Missing CNAME record at DNS server 10.12.1.40 :
89ad0f04-c761-49a8-a0bf-ed
[Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]
Error: Missing DC SRV record at DNS server 10.12.1.40 :
_ldap._tcp.dc._msdcs.rmc-c
[Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]
Error: Missing GC SRV record at DNS server 10.12.1.40 :
_ldap._tcp.gc._msdcs.rmc-c
[Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]
Error: Missing PDC SRV record at DNS server 10.12.1.40 :
_ldap._tcp.pdc._msdcs.rmc-
[Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]
Error: Record registrations cannot be found for all the network adapters
DC: rmc-dc02.rmc-chi.local
Domain: rmc-chi.local
TEST: Authentication (Auth)
Authentication test: Successfully completed
TEST: Basic (Basc)
Microsoft(R) Windows(R) Server 2003, Enterprise Edition (Service Pack level: 2.0) is supported
NETLOGON service is running
kdc service is running
DNSCACHE service is running
DNS service is running
DC is a DNS server
Network adapters information:
Adapter [00000001] Intel(R) PRO/1000 MT Network Connection:
MAC address is 00:0C:29:AF:6C:47
IP address is static
IP address: 10.12.1.14
DNS servers:
10.12.1.13 (<name unavailable>) [Valid]
10.12.1.14 (<name unavailable>) [Valid]
The A record for this DC was found
The SOA record for the Active Directory zone was found
The Active Directory zone on this DC/DNS server was found (primary)
Root zone on this DC/DNS server was not found
TEST: Forwarders/Root hints (Forw)
Recursion is enabled
Forwarders are not configured on this DNS server
Root hint Information:
Name: a.root-servers.net. IP: 198.41.0.4 [Valid]
Name: b.root-servers.net. IP: 128.9.0.107 [Valid]
Name: b.root-servers.net. IP: 192.228.79.201 [Valid]
Name: c.root-servers.net. IP: 192.33.4.12 [Valid]
Name: d.root-servers.net. IP: 128.8.10.90 [Valid]
Name: e.root-servers.net. IP: 192.203.230.10 [Valid]
Name: f.root-servers.net. IP: 192.5.5.241 [Valid]
Name: g.root-servers.net. IP: 192.112.36.4 [Valid]
Name: h.root-servers.net. IP: 128.63.2.53 [Valid]
Name: i.root-servers.net. IP: 192.36.148.17 [Valid]
Name: j.root-servers.net. IP: 192.58.128.30 [Valid]
Name: k.root-servers.net. IP: 193.0.14.129 [Valid]
Name: l.root-servers.net. IP: 198.32.64.12 [Valid]
Name: l.root-servers.net. IP: 199.7.83.42 [Valid]
Name: m.root-servers.net. IP: 202.12.27.33 [Valid]
TEST: Delegations (Del)
Delegation information for the zone: rmc-chi.local.
Delegated domain name: _msdcs.rmc-chi.local.
Warning: DNS server: consulti-14ecb2.rmc-chi.lo
[Error details: 9714 (Type: Win32 - Description: DNS name does not exist.)]
TEST: Dynamic update (Dyn)
Dynamic update is enabled on the zone rmc-chi.local.
Test record _dcdiag_test_record added successfully in zone rmc-chi.local.
Test record _dcdiag_test_record deleted successfully in zone rmc-chi.local.
TEST: Records registration (RReg)
Network Adapter [00000001] Intel(R) PRO/1000 MT Network Connection:
Matching A record found at DNS server 10.12.1.13:
rmc-dc02.rmc-chi.local
Matching CNAME record found at DNS server 10.12.1.13:
d7ce43ac-a526-4d0c-b838-6a
Matching DC SRV record found at DNS server 10.12.1.13:
_ldap._tcp.dc._msdcs.rmc-c
Matching GC SRV record found at DNS server 10.12.1.13:
_ldap._tcp.gc._msdcs.rmc-c
Summary of test results for DNS servers used by the above domain controllers:
DNS server: 10.12.1.40 (<name unavailable>)
2 test failures on this DNS server
This is a valid DNS server
Name resolution is not functional. _ldap._tcp.rmc-chi.local. failed on the DNS server 10.12.1.40
[Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]
DNS server: 202.12.27.33 (m.root-servers.net.)
All tests passed on this DNS server
This is a valid DNS server
DNS server: 199.7.83.42 (l.root-servers.net.)
All tests passed on this DNS server
This is a valid DNS server
DNS server: 198.41.0.4 (a.root-servers.net.)
All tests passed on this DNS server
This is a valid DNS server
DNS server: 198.32.64.12 (l.root-servers.net.)
All tests passed on this DNS server
This is a valid DNS server
DNS server: 193.0.14.129 (k.root-servers.net.)
All tests passed on this DNS server
This is a valid DNS server
DNS server: 192.58.128.30 (j.root-servers.net.)
All tests passed on this DNS server
This is a valid DNS server
DNS server: 192.5.5.241 (f.root-servers.net.)
All tests passed on this DNS server
This is a valid DNS server
DNS server: 192.36.148.17 (i.root-servers.net.)
All tests passed on this DNS server
This is a valid DNS server
DNS server: 192.33.4.12 (c.root-servers.net.)
All tests passed on this DNS server
This is a valid DNS server
DNS server: 192.228.79.201 (b.root-servers.net.)
All tests passed on this DNS server
This is a valid DNS server
DNS server: 192.203.230.10 (e.root-servers.net.)
All tests passed on this DNS server
This is a valid DNS server
DNS server: 192.112.36.4 (g.root-servers.net.)
All tests passed on this DNS server
This is a valid DNS server
DNS server: 128.9.0.107 (b.root-servers.net.)
All tests passed on this DNS server
This is a valid DNS server
DNS server: 128.8.10.90 (d.root-servers.net.)
All tests passed on this DNS server
This is a valid DNS server
DNS server: 128.63.2.53 (h.root-servers.net.)
All tests passed on this DNS server
This is a valid DNS server
DNS server: 10.12.1.14 (<name unavailable>)
All tests passed on this DNS server
This is a valid DNS server
Name resolution is funtional. _ldap._tcp SRV record for the forest root domain is registered
DNS server: 10.12.1.13 (<name unavailable>)
All tests passed on this DNS server
This is a valid DNS server
Name resolution is funtional. _ldap._tcp SRV record for the forest root domain is registered
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
__________________________
Domain: rmc-chi.local
rmc-DC01 PASS WARN FAIL FAIL PASS FAIL n/a
rmc-dc02 PASS PASS PASS FAIL PASS PASS n/a
......................... rmc-chi.local failed test DNS
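Added example, not part of the original thread: a Python script that reads dcdiag /test:DNS output like the report posted above and lists, for each domain controller, the tests that did not pass and any DNS server it is configured to use that is flagged [Invalid] and is also missing the DC's records. SAMPLE is an excerpt of lines from that report; the function names are illustrative.

```python
import re
from collections import defaultdict

COLUMNS = ["Auth", "Basc", "Forw", "Del", "Dyn", "RReg", "Ext"]
RESULTS = {"PASS", "WARN", "FAIL", "n/a"}
INVALID = re.compile(r"(?:Warning:\s+)?(\d+(?:\.\d+){3})\s+\(.*\)\s+\[Invalid\]")
MISSING = re.compile(r"Error: Missing (.+?) record at DNS server (\S+)")

# Excerpt of the dcdiag report posted above (indentation already flattened).
SAMPLE = """\
DC: rmc-DC01.rmc-chi.local
10.12.1.13 (<name unavailable>) [Valid]
Warning: 10.12.1.40 (<name unavailable>) [Invalid]
Error: Missing A record at DNS server 10.12.1.40 :
Error: Missing GC SRV record at DNS server 10.12.1.40 :
DC: rmc-dc02.rmc-chi.local
10.12.1.13 (<name unavailable>) [Valid]
10.12.1.14 (<name unavailable>) [Valid]
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
rmc-DC01 PASS WARN FAIL FAIL PASS FAIL n/a
rmc-dc02 PASS PASS PASS FAIL PASS PASS n/a
"""

def parse_dcdiag_dns(text):
    """Return (summary, invalid, missing) parsed from dcdiag /test:DNS output."""
    summary = {}                 # dc -> {column: result}
    invalid = defaultdict(set)   # dc -> DNS server/forwarder IPs marked [Invalid]
    missing = defaultdict(set)   # DNS server IP -> record types not found there
    dc, in_summary = None, False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Summary of DNS test results"):
            in_summary = True
        elif in_summary:
            parts = line.split()
            if len(parts) == len(COLUMNS) + 1 and set(parts[1:]) <= RESULTS:
                summary[parts[0].lower()] = dict(zip(COLUMNS, parts[1:]))
        elif line.startswith("DC: "):
            dc = line[4:].split(".")[0].lower()
        elif dc and (m := INVALID.match(line)):
            invalid[dc].add(m.group(1))
        elif (m := MISSING.match(line)):
            missing[m.group(2)].add(m.group(1))
    return summary, invalid, missing

def triage(text):
    """Per DC: tests that did not pass, and DNS servers it should stop using."""
    summary, invalid, missing = parse_dcdiag_dns(text)
    report = {}
    for dc, row in summary.items():
        report[dc] = {
            "not_passing": [c for c in COLUMNS if row[c] in ("WARN", "FAIL")],
            # Flagged [Invalid] and lacking the DC's records: cannot answer AD lookups.
            "drop_dns_servers": sorted(ip for ip in invalid[dc] if missing[ip]),
        }
    return report

if __name__ == "__main__":
    print(triage(SAMPLE))
```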
ASKER
I dropped the invalid address (.40) and looking better but still one fail
           Auth Basc Forw Del  Dyn  RReg Ext
____________________________________________
Domain: rmc-chi.local
rmc-DC01   PASS PASS PASS FAIL PASS PASS n/a
rmc-dc02   PASS PASS PASS FAIL PASS PASS n/a
In between, which version of Exchange are you using?
Shaba