tp-it-team

Exchange 2007 and DC issue

Hello

I have 4 DCs and 2 Exchange 2007 servers.
I have a problem where my new Exchange server can only use 1 domain controller, so when the domain controller is down (I'm restarting it, for example), it goes nuts: for all the users having mailboxes on it, Outlook will stop working, etc.

Here is the 2080 event on the old server:
dc2.domain.com	CDG 1 7 7 1 0 1 1 7 1
dc1.domain.com	CDG 1 7 7 1 0 1 1 7 1
dc3.domain.com	CDG 1 7 7 1 0 1 1 7 1
DC01.domain.com	CDG 1 7 7 1 0 1 1 7 1

So in my understanding, even if one of the DCs is down, server is still happy having other DCs available.

and here is the same on the new one:

dc2.domain.com	CDG 1 0 0 1 0 0 0 0 0
dc1.domain.com	CDG 1 0 0 1 0 0 0 0 0
dc3.domain.com	CDG 1 0 0 1 0 0 0 0 0
DC01.domain.com	CDG 1 7 7 1 0 1 1 7 1

Question is simple: WHY ?
Will Szymkowski

Do you have different Sites for each Exchange server? If you do, you should have at least 2 DC's in each site that are Global Catalog servers. Also make sure that the DNS settings on all of the Exchange servers have a secondary DNS for the respective site.

If you reboot a DC and there are no other servers available in the site that are also GCs, you will run into issues. If you only have funds for 1 DC in a respective site you can use the DC locator service record to allow other sites to authenticate to another DC in a different site if the DC in the remote site is down.

Another thing you can check is the server configuration for Exchange.
- open the EMC
- Under Server Configuration
- click Mailbox, right click the mailbox server in the right pane, select properties
- click on the system settings tab

in there you will see what DC's your respective Exchange server is using to authenticate.


Thanks

Will.
tp-it-team

ASKER

Same site, simple setup. As for the second part, yes, it's only one DC listed on the new server. All 4 on the old server.
You haven't got Exchange installed on a domain controller? That can cause issues.

When the DC that Exchange is using goes away (for a reboot for example) Exchange doesn't look for another one immediately. It can be up to 30 minutes before it decides the DC is down. Therefore if your DCs take a while to reboot you may have to hard code a DC in to Exchange so it is using another one (do it at least 30 minutes before rebooting). Then let it auto detect later.

Anything odd at all? Different IP subnets? Have you run the best practises tool from the toolbox against the new server?

Simon.
As you have stated you only see one DC under the system settings tab which is why it is not picking up any other DC's. In that list those are the DC's that this specific exchange server will communicate with. These settings are based around AD Site settings for your DC and exchange. If you have 1 AD site and all of your exchange servers are associated with this site and they are all GC's they should all be populated under this list.
My Exchange is not installed on the DC.
Nothing odd, same subnet.

30 minutes before it decides the DC is down ? What do you mean ? If, like my new server, it knows only about one DC out of 4, will it search for the remaining ? Or are you talking about the situation that exchange already knows about 4 DCs but decides to use another one after 30 minutes ? Then, with my new exchange knowing only one DC, why did it go nuts immediately after I rebooted that specific DC ?

Best practices didn't show anything interesting that could be related to network / dc / dns problem.
Exchange uses only one DC. Usually the first one to respond.
If that DC goes away, then it just sits there waiting for it to come back.

However with only one DC being listed, that would indicate there is a problem with the AD configuration.

Simon.
After restarting that Exchange server it can see all 4 DCs, but after 15 minutes I get another 2080 event and it's back to:

dc2.domain.com      CDG 1 0 0 1 0 0 0 0 0
dc1.domain.com      CDG 1 0 0 1 0 0 0 0 0
dc3.domain.com      CDG 1 0 0 1 0 0 0 0 0
DC01.domain.com      CDG 1 7 7 1 0 1 1 7 1

I'm puzzled as my old Exchange is working fine with all DCs and the new one is not. That tells me it could be something to do with actual Exchange server.

You are saying that Exchange is using just one DC. Is it one DC out of more if available? I thought that Exchange will automatically switch to another DC if the current one it's using becomes unavailable. That's one of the reasons we have multiple DCs, right?

Anyway, is the event 2080 showing what will be available when I right click mailbox and hub transport and choose system settings?

What is Modify Configuration Domain Controller in Organization Configuration? I'm not sure how it is related to HT and MB system settings.

Is it possible to figure out which DC is currently used ? And is it possible to change it if I plan to restart it (or in case it will have problems).

First of all, I would like to fix my problem but I would like to understand how is exchange using dcs. Do you know any good articles about it ?
Exchange will use another domain controller, just not immediately. It sits there and waits. Otherwise it locks on to a specific DC and doesn't change.

If you are planning to reboot a domain controller then you can exclude it from being used by Exchange with the StaticExcludedDomainControllers option on set-exchangeserver.
You will need to wait at least 45 minutes after setting it for Exchange to change to another DC. You can force it by restarting the system attendant service - although that will restart other Exchange services as well.

The closest I can get to information about the domain controller use by Exchange is the design guidance: http://technet.microsoft.com/en-us/library/ff803125(v=exchg.80).aspx

Simon.
OK, any other ideas what could be the issue in my situation ?
As stated in my first post, under the System Settings tab for the specific server these will be the DC's that your Exchange server will use. If you have 1 site you should see all of the servers listed under Active Directory Servers and Global Catalog servers as well, unless they are not GC's and only DC's.

If you want to add the additional servers you can add static DNS names of your DC's in there. This would be more of a workaround, as it should pick up any DC's that are in your site. Use the following commands to add static entries to your Exchange servers.

AD Domain Controllers
Set-ExchangeServer -Identity <server_name> -StaticDomainControllers dc1.domain.com,dc2.domain.com

AD Global Catalog Servers
Set-ExchangeServer -Identity <server_name> -StaticGlobalCatalogs dc1.domain.com,dc2.domain.com

Also see for more detail...
http://marckean.wordpress.com/2011/06/30/exchange-2010-domain-controller-and-global-catalog-servers-being-used-by-exchange/

As stated above, this should resolve your issue, but it is only a workaround, as your Exchange servers should pick up any DC's that are in the same site.

Thanks

Will
Exactly, and before I will use a workaround, I would like to try to fix it first...
(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)


dc3.domain.com      CDG 1 0 0 1 0 0 0 0 0

It looks like the server has lost access to the other DCs.

I will troubleshoot around Exchange and AD.

1. confirm AD is healthy
2. confirm the exchange server can contact all dc's on port 389
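
Added example, not part of the original thread or of any poster's reply: a PowerShell sketch that decodes Event 2080 rows using the column legend quoted above and flags directory servers the Exchange box cannot reach. The function name is hypothetical; reading Reachability as a bit mask (1 = GC on TCP 3268, 2 = DC on TCP 389, 4 = configuration DC on TCP 389) and the "usable" rule are assumptions of this example, and the sample rows are the ones posted in the thread.

```powershell
# Added example: decode Event 2080 (MSExchange ADAccess topology) rows.
# Rows below are the ones posted in the thread; on a live server the text
# would come from the event's message instead of this here-string.
$sample = @'
dc2.domain.com   CDG 1 0 0 1 0 0 0 0 0
dc1.domain.com   CDG 1 0 0 1 0 0 0 0 0
dc3.domain.com   CDG 1 0 0 1 0 0 0 0 0
DC01.domain.com  CDG 1 7 7 1 0 1 1 7 1
'@

function ConvertFrom-Event2080Text {      # hypothetical helper name
    param([string]$Text)
    foreach ($line in ($Text -split "`r?`n")) {
        # server name, role letters (C/D/G or -), then the nine numeric columns
        if ($line -notmatch '^\s*(\S+)\s+([CDG-]{3})((?:\s+\d+){9})\s*$') { continue }
        $server = $Matches[1]
        $roles  = $Matches[2]
        # Order per the legend: Enabled, Reachability, Synchronized, GC capable,
        # PDC, SACL right, Critical Data, Netlogon, OS Version
        $v = @(-split $Matches[3] | ForEach-Object { [int]$_ })
        $reach = $v[1]
        $missing = @()
        if (-not ($reach -band 1)) { $missing += 'GC/3268' }
        if (-not ($reach -band 2)) { $missing += 'DC/389' }
        if (-not ($reach -band 4)) { $missing += 'ConfigDC/389' }
        New-Object PSObject -Property @{
            Server       = $server
            Roles        = $roles
            Reachability = $reach
            Unreachable  = ($missing -join ', ')
            # Assumption of this example: usable = fully reachable and the
            # SACL right, Critical Data and Netlogon checks all passed.
            Usable       = ($reach -eq 7 -and $v[5] -eq 1 -and $v[6] -eq 1 -and $v[7] -eq 7)
        }
    }
}

$rows   = @(ConvertFrom-Event2080Text $sample)
$usable = @($rows | Where-Object { $_.Usable })
$rows | Format-Table Server, Roles, Reachability, Usable, Unreachable -AutoSize
if ($usable.Count -lt 2) {
    Write-Warning ("{0} usable directory server(s): no fallback if it is rebooted." -f $usable.Count)
}
```

With the new server's rows, only DC01.domain.com comes back as usable, which matches the outage seen when that one DC was restarted.
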
OK, that's very interesting...
Running portqry -n myserver -p udp -e 389 on my older exchange - I'm getting response from all DCs
on the new one, only from DC01.

I tested the same command on randomly chosen PCs / servers with the same results. On some of them it works for all DCs, on others it works only with DC01.

It always works when I choose tcp instead of udp.

The only difference between two exchange servers is that when I'm pinging or tracerouting dc1 on them - I get ipv4 address on the one where everything works and ipv6 on the problematic server. DC01 is resolved to ipv4 on both servers.
Hmm... are your DCs IPv4 or IPv6? (Windows 2003 or 2008?)
And Exchange 2007, is it on Windows 2003 or 2008?

One thing you can try is to make sure all traffic is IPv4.
dc1 - dc3 are 2003 r2
dc01 is 2008 r2
both exchange servers are 2008 r2

do you mean disabling ipv6? If yes, I'm not going to do it because:
- Microsoft advise not to do it
- one of my exchange servers CAN see all the dcs

unless there is other method to make sure traffic is ipv4...
By looking at this, DC01 is the one that works; dc1 to dc3 have failed.
I wonder if something happened on the Windows 2003 DCs...

can you run
repadmin /replsummary
repadmin /bind *


Just want to know how your AD health is.
Below is the output from these commands.
I decommissioned DC3 since I posted this question...

Not sure if it's important, but both dc1 and dc2 have IPv6 installed. Not sure why it's there since it's optional; also, IPv6 is set to be above IPv4 in the binding settings (again, not sure if it's the default or not and how it relates to the domain controller).

The biggest puzzle for me is that one server can see them and other not.

Source DC           largest delta  fails/total  %%  error
 DC01                      45m:30s    0 /  10    0
 DC1                       45m:29s    0 /  10    0
 DC2                       43m:01s    0 /  10    0


Destination DC    largest delta    fails/total  %%  error
 DC01                      43m:03s    0 /  10    0
 DC1                       34m:09s    0 /  10    0
 DC2                       45m:31s    0 /  10    0

-------------------

Bind to DC01.headoffice.trespass.co.uk succeeded.
Extensions supported:
    BASE                             : Yes
    ASYNCREPL                        : Yes
    REMOVEAPI                        : Yes
    MOVEREQ_V2                       : Yes
    GETCHG_COMPRESS                  : Yes
    DCINFO_V1                        : Yes
    RESTORE_USN_OPTIMIZATION         : Yes
    KCC_EXECUTE                      : Yes
    ADDENTRY_V2                      : Yes
    LINKED_VALUE_REPLICATION         : Yes
    DCINFO_V2                        : Yes
    INSTANCE_TYPE_NOT_REQ_ON_MOD     : Yes
    CRYPTO_BIND                      : Yes
    GET_REPL_INFO                    : Yes
    STRONG_ENCRYPTION                : Yes
    DCINFO_VFFFFFFFF                 : Yes
    TRANSITIVE_MEMBERSHIP            : Yes
    ADD_SID_HISTORY                  : Yes
    POST_BETA3                       : Yes
    GET_MEMBERSHIPS2                 : Yes
    GETCHGREQ_V6 (WHISTLER PREVIEW)  : Yes
    NONDOMAIN_NCS                    : Yes
    GETCHGREQ_V8 (WHISTLER BETA 1)   : Yes
    GETCHGREPLY_V5 (WHISTLER BETA 2) : Yes
    GETCHGREPLY_V6 (WHISTLER BETA 2) : Yes
    ADDENTRYREPLY_V3 (WHISTLER BETA 3): Yes
    GETCHGREPLY_V7 (WHISTLER BETA 3) : Yes
    VERIFY_OBJECT (WHISTLER BETA 3)  : Yes
    XPRESS_COMPRESSION               : Yes

Site GUID: 786e4b5d-663b-473b-a197-ee36a139b232
Repl epoch: 0
Windows 2003 doesn't have IPv6 by default.
Someone installed it on top of it.

http://support.microsoft.com/kb/325449

I wonder if you want to start by removing one of them and testing it out?
I could try it but then there is still that question: why is one of my Exchange servers seeing all DCs and other not ?
That's an interesting question.

Since I am blind (lack of visibility) in your environment, I can't give you any feedback on this.

Usually, this should not happen, but somehow your Exchange lost visibility to the remaining DCs.
ASKER CERTIFIED SOLUTION
tp-it-team

Not getting any answers...