Solved

Windows 2003 Secondary DC unable to communicate AD with FSMO DC at other end of WAN

Posted on 2012-12-27
24
204 Views
Last Modified: 2014-08-08
I have a Windows 2003 Secondary DC located in office 2; it also runs Exchange 2003.  Since yesterday it cannot provide shares for users and cannot replicate with DC1 at office 1.  I can communicate with the server via IP address (192.168.2.11), and when I ping DC1 using its fully qualified name (dc1.domain.com) it shows the correct address, which reflects the DNS server entry, but if I ping DC1 with just the host name (DC1) it shows 192.168.2.119, which is incorrect.  I have checked the hosts files and they do not show that address.
I get several errors in the event log:
NTDS KCC 1865
NTDS KCC 1311
multiple KERBEROS 4 events
Userenv 1006 (Windows cannot bind to domain)


This problem is also causing a problem for the Exchange System Attendant service to start, causing Exchange not to function.
0
Question by:mberryaz
24 Comments
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 38724079
If SA isn't starting, what is the error for SA you get in the event logs?
How many DCs are in the local site for Exchange?

- Rancy
0
 
LVL 1

Author Comment

by:mberryaz
ID: 38724095
Two sites, each containing a DC; each site has a global catalog.
MSExchangeSA Event 9098: The MAD Monitoring thread was unable to read its configuration from the DS, error '0x80010002'.
0
 
LVL 43

Expert Comment

by:Taurus
ID: 38724116
Do you have any secondary NIC on the Office 2 DC? If so, check whether it got registered in DNS; that could be one reason for this issue.
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 38724117
Did you rename the domain?
http://support.microsoft.com/kb/327844

Ensure the EDS and EES groups are in the default Users container.
Also you can try to run /domainprep.

- Rancy
0
 
LVL 1

Author Comment

by:mberryaz
ID: 38724126
No, the domain was not renamed.
0
 
LVL 43

Expert Comment

by:Taurus
ID: 38724133
Before you run /domainprep as suggested by Rancy, just run policytest.exe and check the result; if SeSecurityPrivilege shows as not found on the Office 2 DC, then domainprep is required to fix it.
0
 
LVL 43

Expert Comment

by:Taurus
ID: 38724139
Any extra NIC?
0
 
LVL 1

Author Comment

by:mberryaz
ID: 38724160
I really do not believe that Exchange is the cause.  I believe that there is a larger AD, DNS or authentication issue which is the problem, and Exchange is just a symptom.  If DC2 could correctly communicate and replicate with AD on DC1, I believe that Exchange SA will start.
0
 
LVL 1

Author Comment

by:mberryaz
ID: 38724167
Yes, there are two NICs.
0
 
LVL 43

Expert Comment

by:Taurus
ID: 38724170
OK, run ipconfig /all | more and post the output here.
0
 
LVL 1

Author Comment

by:mberryaz
ID: 38724247
The second IP on the NIC is not registered in DNS (it had been removed years ago).
0
 
LVL 1

Author Comment

by:mberryaz
ID: 38724277
If I run policytest.exe from DC2 it shows:
DC = "DC2"
In Site = "Phoenix"
Right found: "SeSecurityPrivelege"

DC = "DC1"
In Site = "Denver"
!! LSAOpenPolicy returned error 5 !!!
0
 
LVL 1

Author Comment

by:mberryaz
ID: 38724290
Basically, all computers connecting to DC2 cannot access shares, and on one RDP Windows 2008 server, users get authentication issues when trying to log on, since it attaches to that local DC.  This cannot be just an Exchange issue.
0
 
LVL 43

Expert Comment

by:Taurus
ID: 38724335
Anything you disabled recently, like IPv6 or the firewall? Check that all automatic services are running on the DC.
0
 
LVL 1

Author Comment

by:mberryaz
ID: 38724352
Microsoft .NET Framework NGEN v4.0.30319_X86
Microsoft Exchange System Attendant
Microsoft Exchange Information Store

Those are not running.
0
 
LVL 43

Expert Comment

by:Taurus
ID: 38724357
Computer Browser service is running? I might suggest doing a reboot.
0
 
LVL 1

Author Comment

by:mberryaz
ID: 38724380
Computer Browser is running; I've rebooted several times.
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 38724627
Is the DC with the FSMO roles not contactable, or not on the same site as Exchange?

- Rancy
0
 
LVL 1

Author Comment

by:mberryaz
ID: 38724651
I can ping and access DC1 (the one with the FSMO roles) and can access shares via IP address, but cannot access shares using the host name \\DC1. It says "\\DC1 is not accessible. Logon Failure: The target account name is incorrect."
The name \\DC1 correctly resolves to the IP address.
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 38724657
The reason I asked is: if it's a FSMO issue, why not transfer the roles to DC2, get Exchange running, and then check what the AD or DNS side issue is?

- Rancy
0
 
LVL 1

Author Comment

by:mberryaz
ID: 38724687
Because I need the server at the other site to hold those roles.
0
 
LVL 26

Accepted Solution

by:
Leon Fester earned 500 total points
ID: 38726386
I think your replication is out of sync between these servers.
It could very well be that your DC at the far side of the WAN is tombstoned.
Run the following commands on each DC to check the health and replication status.

dcdiag /c /v /f:dcdiag.txt - runs comprehensive AD tests and writes the results to a log file. Upload the log file for further analysis.

repadmin /showrepl - shows the replication status and latest update times for all replication partners.

repadmin /replsummary - shows the time offset of the most recent updates carried over by replication.

netdom query fsmo - returns the FSMO role holders that each DC knows about.

Not that it makes a big difference, but I'm quite curious now... Can you also confirm the reason for "because I need the Server at the other site to hold those roles"?
Note: I'm not suggesting that you transfer... just curious.
0
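One way to read the `repadmin /showrepl` report Leon asks for, as an added example that is not part of this thread: a Python script (assumed file name showrepl_triage.py) that parses the Windows 2003 text layout, lists every inbound partner whose last attempt failed, and flags those whose last successful replication is older than the tombstone lifetime, which is the "tombstoned DC" case described above. The sample report embedded in it is constructed for the example, not output from the poster's servers, and the 60-day lifetime is the Windows 2003 default assumed here (forests created at SP1 or later default to 180 days, so pass your own forest's value).

```python
"""Triage a saved `repadmin /showrepl` report (Windows 2003 text layout).

Added example for this thread, not code from it. Assumed: the line layout in
SAMPLE_SHOWREPL and a tombstone lifetime of 60 days (Windows 2003 default;
forests created at SP1 or later default to 180 days).
"""
import re
import sys
from datetime import datetime

# Constructed sample report; not real output from the thread's servers.
SAMPLE_SHOWREPL = """\
Phoenix\\DC2
DC Options: IS_GC
Site Options: (none)
DC object GUID: 11111111-2222-3333-4444-555555555555
DC invocationID: 66666666-7777-8888-9999-000000000000

==== INBOUND NEIGHBORS ======================================

DC=domain,DC=com
    Denver\\DC1 via RPC
        DC object GUID: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
        Last attempt @ 2012-12-27 10:15:02 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        17 consecutive failure(s).
        Last success @ 2012-10-20 08:03:11.

CN=Configuration,DC=domain,DC=com
    Denver\\DC1 via RPC
        DC object GUID: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
        Last attempt @ 2012-12-27 10:15:05 was successful.

CN=Schema,CN=Configuration,DC=domain,DC=com
    Denver\\DC1 via RPC
        DC object GUID: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
        Last attempt @ 2012-12-27 10:15:06 failed, result 8453 (0x2105):
            Replication access was denied.
        3 consecutive failure(s).
        Last success @ 2012-12-25 09:00:00.
"""

TIME = r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
TIME_FMT = "%Y-%m-%d %H:%M:%S"
PARTITION_RE = re.compile(r"^(?:DC|CN)=")             # naming context header at column 0
PARTNER_RE = re.compile(r"^ {4}(\S+) via (\S+)\s*$")   # e.g. "    Denver\DC1 via RPC"
ATTEMPT_RE = re.compile(r"Last attempt @ " + TIME + r" (?:(was successful)|failed, result (\d+))")
SUCCESS_RE = re.compile(r"Last success @ " + TIME)
FAILURES_RE = re.compile(r"(\d+) consecutive failure\(s\)")

# Win32/DS result codes that show up most often in this report.
RESULT_HINTS = {
    5: "access denied",
    1722: "RPC server unavailable",
    8453: "replication access was denied",
    8614: "time since last replication exceeded the tombstone lifetime",
}


def parse_showrepl(text):
    """Return one dict per inbound (partition, partner) link in the report."""
    records, partition, cur = [], None, None
    for line in text.splitlines():
        line = line.rstrip()
        if PARTITION_RE.match(line):
            partition = line
            continue
        m = PARTNER_RE.match(line)
        if m and partition:
            cur = {"partition": partition, "partner": m.group(1), "transport": m.group(2),
                   "status": None, "result": None, "last_attempt": None,
                   "last_success": None, "failures": 0}
            records.append(cur)
            continue
        if cur is None:
            continue
        m = ATTEMPT_RE.search(line)
        if m:
            cur["last_attempt"] = datetime.strptime(m.group(1), TIME_FMT)
            if m.group(2):                                  # "was successful"
                cur["status"], cur["last_success"] = "ok", cur["last_attempt"]
            else:                                           # "failed, result NNNN"
                cur["status"], cur["result"] = "failed", int(m.group(3))
            continue
        m = SUCCESS_RE.search(line)
        if m:
            cur["last_success"] = datetime.strptime(m.group(1), TIME_FMT)
            continue
        m = FAILURES_RE.search(line)
        if m:
            cur["failures"] = int(m.group(1))
    return records


def triage(text, now=None, tombstone_days=60):
    """Findings for every failing link. 'now' defaults to the newest attempt time
    in the report, so a saved report is judged as of when it was taken."""
    records = parse_showrepl(text)
    if now is None:
        now = max((r["last_attempt"] for r in records if r["last_attempt"]),
                  default=datetime.now())
    findings = []
    for r in records:
        if r["status"] != "failed":
            continue
        age = (now - r["last_success"]).days if r["last_success"] else None
        # No success on record, or older than the tombstone lifetime: the partner
        # may already be tombstoned and will refuse to replicate (result 8614).
        level = "TOMBSTONE_RISK" if age is None or age >= tombstone_days else "FAILING"
        findings.append({"level": level, "partition": r["partition"], "partner": r["partner"],
                         "result": r["result"], "hint": RESULT_HINTS.get(r["result"], "see error code"),
                         "failures": r["failures"], "days_since_success": age})
    return findings


if __name__ == "__main__":
    # Usage: repadmin /showrepl > showrepl.txt, then: python showrepl_triage.py showrepl.txt
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHOWREPL
    for f in triage(report):
        print("%-15s %-36s %-11s result %s (%s), %s consecutive failure(s), last success %s day(s) ago"
              % (f["level"], f["partition"], f["partner"], f["result"], f["hint"],
                 f["failures"], f["days_since_success"]))
```

Run it against the report from each DC; a partner that is FAILING on one partition but TOMBSTONE_RISK on another is worth reading together with the dcdiag output, since the naming contexts replicate independently and the domain partition is usually the one that stops first over a WAN link.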
 
LVL 20

Expert Comment

by:compdigit44
ID: 38733741
In your original post you stated that for two days you haven't been able to access shares on DC1. Was anything changed on the server? Configuration, Windows updates, AV etc.?

Is the time on the server correct?
In DNS, are all of the necessary AD DNS records in place?
When you view the sysvol/netlogon share on DC1, does it contain all of the same files and correct timestamps as the sysvol share on DC2?
Have you tried installing the MSBPA for AD to help troubleshoot the issue further? http://technet.microsoft.com/en-us/library/dd378893(v=ws.10).aspx
0
 
LVL 13

Expert Comment

by:Sandy
ID: 38734215
Check the AD partition status from replmon.
0
