Urgent: Exchange System Attendant won't start, and it's not finding a domain controller.

This is somewhat long and involved.

I just signed up with an IT company for a cloud backup.  They needed the ability to dial into my server.  I set up a user in Active Directory, but they weren't able to dial in.  They got a message when they tried to login saying that they weren't a member of a group with the ability to log in, and that if they weren't in the Administrator's group (which they are) then the ability to dial in could be granted by changing the User Rights Assignment in the Local Computer Policy.

The server they're trying to log into is my Domain Controller, and it also has Active Directory.  Another of my servers is supposedly set up as a secondary Active Directory, but I have no confidence that the consultant who did that set it up right, because any time communication is lost to my main AD server, nothing works.

I should mention that I know nothing at all about our policies - they were set up by someone else and I've never changed them.  But I poked around, I Googled, and finally I found where in User Rights Assignments it showed who had the ability to RDP in, and only the Admin (me) was listed.  It also said that this was controlled by the Default Domain Policy.  After a little more poking around, I found how to edit this setting, and I added the user I had set up for the IT company.  I still wasn't able to log in as them, though.  I rebooted my AD server, thinking that might be necessary to make the change go into effect, and when it came back up, and I went to verify the change was still there, when I went into My Computer > Manage, and tried to look at the Default Domain Policy, I got a popup that said it was looking for Group Policy, and it just kept cycling, not finding anything.

At the same time, my users lost internet connectivity and emails weren't going out or coming in.  I was able to restore internet access by changing the DNS settings for all users.  We had the AD server set as the primary DNS, and the (supposed) backup AD server set as the secondary.  I changed the secondary to our ISP's secondary DNS, and that restored internet.  Once I also changed the secondary DNS for the Exchange server, email started flowing again.

Meantime, I had called the IT company to take a look at this for me, since I was pretty sure I'd screwed something up and didn't know how to fix it - the AD server finally stopped looking, and told me there was no group policy to load.  The IT company ended up telling me that they couldn't really fix this for me, because so many of our settings were non-standard that they were concerned that any changes they made would only make things worse.  Eventually they told me that the Default Domain Policy finally loaded, but they weren't sure what they did to make that happen.  When I took a look at it, it didn't look the same as it had before - there were a lot fewer Local Security Policies listed.

Meantime, email and internet were working, so I figured we had workarounds, even though the problem wasn't solved.  A few hours later, I got a call that users weren't getting email on their phones, which I verified.  Went back to the office, looked around, and ended up rebooting Exchange.  When it came back up, the Exchange System Attendant won't start in Services.  I tried starting it manually, but it times out.  Rebooted several times, and can't get it to start automatically or manually.  When I check the Event Viewer, it says that it's not finding a Domain Controller.

At this point, we have no email at all.  And the IT company doesn't appear to be any help with this.  

I don't know for a fact that my adding a user to the User Rights Assignments caused all this, but the timing sure seems to indicate that it did.  

I asked the IT company if doing a System Restore on the AD server would help, but they said that wouldn't restore my Domain Policy.  One thing that occurred to me is that I still have the old server in storage that the Policies were copied over from.  Is there a way to import the Default Domain Policy from the old server to the new server?

At this point, email for the entire company is out.  

AD server is running Server 2008.  Exchange server is running Server 2003.

Any help greatly appreciated.
James H (IT Director) Commented:
OK.  On the DC, go into Admin Tools and then services

Check to see if the DNS Server service is running.

Let's just start there...
krlaw6 (Author) Commented:
Just tried starting Exchange System Attendant again, it timed out, and this was in Event Viewer:

Event Type:      Error
Event Source:      MSExchangeDSAccess
Event Category:      Topology
Event ID:      2104
Date:            5/15/2013
Time:            6:51:44 AM
User:            N/A
Computer:      EXCHANGE
Process IISIPMF6D061C9-6784-451E-9407-2762D8A5C6E5 -AP "EXCHANGEAPPLICATIONPOOL (PID=5484). All the DS Servers in domain are not responding.

For more information, click http://www.microsoft.com/contentredirect.asp.
R--R Commented:
First check the events.

Is IP v6 enabled?
James H (IT Director) Commented:
This is a DNS issue with the DC, let's focus on the DC right now. Can you verify that DNS is running?
krlaw6 (Author) Commented:
Spartan_1337:  I don't know how to verify that DNS is running.  If you tell me how, I'll be glad to.

R-R: We don't use IPv6 on any of our machines.  I posted the Event Viewer message that I get immediately after System Attendant fails to start.  Were there others you were specifically looking for?
krlaw6 (Author) Commented:
Spartan_1337:  Doesn't look like it:

> nslookup
Server:  []

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to timed-out
krlaw6 (Author) Commented:
Spartan_1337:  On our AD server - which is the Domain Controller, both the DNS Server and DNS Client services are running.  I have no idea if that's helpful information or not.
krlaw6 (Author) Commented:

On the DC, DNS Server service is running.
krlaw6 (Author) Commented:
It looks like the problem is solved.  Got a consultant to look at it, and the Exchange server had some incorrect DNS entries.  I'm not sure how, since I haven't touched them, but email is flowing now.

Thanks very much for all the help.

I'm not clear on how to close this thread out, since the problem was solved on my end.
James H (IT Director) Commented:
It's up to you if/how you want to award points. Just close it out but consider the input from those who contributed.
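
The kind of check the resolution points to, as an added example that is not part of any participant's post: domain members, Exchange included, locate domain controllers through SRV records in the AD DNS zone, so a resolver that does not host that zone (an ISP's, for instance) cannot help them find a DC. The Python sketch below parses `ipconfig /all` output and flags such resolvers. The sample output, all addresses and the `AD_DNS_SERVERS` set are constructed assumptions, not values from the thread.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (not taken from the thread).
# 203.0.113.53 is a documentation address standing in for an ISP resolver.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   IP Address. . . . . . . . . . . . : 192.168.10.20
   DNS Servers . . . . . . . . . . . : 192.168.10.10
                                       203.0.113.53
   Primary WINS Server . . . . . . . : 192.168.10.10
"""

# Assumed addresses of the DNS servers hosting the AD zone (hypothetical).
AD_DNS_SERVERS = {"192.168.10.10", "192.168.10.11"}

# "Label . . . : value" lines; continuation lines carry a bare address.
LABEL = re.compile(r"^\s+([A-Za-z][^:]*?)[ .]+:\s*(.*)$")

def dns_servers(ipconfig_text):
    """Return {adapter name: [DNS server IPs]} from `ipconfig /all` text."""
    result, adapter, in_dns = {}, None, False
    for line in ipconfig_text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            adapter, in_dns = line.rstrip()[:-1], False  # new adapter section
            continue
        m = LABEL.match(line)
        if m:
            in_dns = m.group(1).strip() == "DNS Servers"
            value = m.group(2).strip()
        else:
            value = line.strip()  # continuation of the previous label
        if adapter and in_dns and value:
            try:
                ipaddress.ip_address(value)
            except ValueError:
                continue
            result.setdefault(adapter, []).append(value)
    return result

def non_ad_resolvers(ipconfig_text, ad_dns=AD_DNS_SERVERS):
    """List (adapter, ip) pairs whose resolver is not an AD DNS server."""
    return [(name, ip)
            for name, ips in dns_servers(ipconfig_text).items()
            for ip in ips if ip not in ad_dns]

if __name__ == "__main__":
    for name, ip in non_ad_resolvers(SAMPLE_IPCONFIG):
        print(f"{name}: {ip} does not host the AD zone")
```
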
Question has a verified solution.
