Exchange AD Problems

Posted on 2014-01-22
Medium Priority
Last Modified: 2014-01-26
This was in a log file for which the process failed. Can anyone tell me what it means and more importantly how to fix it?

Incorrect Exchange AD Entry found, role property is not an integer, LDAP://CN=SERVER-EXCH,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ad,DC=domain,DC=net, [System.Byte[]]


Question by:mohrk
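An added PowerShell check for the quoted log line, not code from the thread or from the Essentials wizard. It assumes the "role property" the wizard reads is msExchCurrentServerRoles (an assumption; the log does not name the attribute) and uses the DN exactly as quoted in the log:

```powershell
# Added diagnostic; not from the thread. Assumptions: the wizard's "role property"
# is msExchCurrentServerRoles, the integer attribute that records an Exchange
# server's installed roles (assumed, not stated in the log); the DN is the one
# quoted in the log line.
$exchangeServerPath = "LDAP://CN=SERVER-EXCH,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ad,DC=domain,DC=net"
$expectedIntegerAttribute = "msExchCurrentServerRoles"

# Bind to the configuration-partition object with the caller's credentials and
# pull a fresh copy of its attributes rather than a cached one.
$server = [ADSI]$exchangeServerPath
$server.RefreshCache()

# Report the .NET type ADSI hands back for the attribute the wizard is believed to read.
$value = $server.Properties[$expectedIntegerAttribute].Value
if ($null -eq $value) {
    Write-Warning "$expectedIntegerAttribute is not set on this object."
} elseif ($value -is [int]) {
    Write-Output ("{0} = {1} (System.Int32, as expected)" -f $expectedIntegerAttribute, $value)
} else {
    Write-Warning ("{0} came back as {1}, not an integer" -f $expectedIntegerAttribute, $value.GetType().FullName)
}

# List every attribute on the object that is returned as a byte array, to compare
# with the "[System.Byte[]]" in the log. objectGUID is normally a byte array;
# a role or count attribute should never be.
foreach ($name in $server.Properties.PropertyNames) {
    $v = $server.Properties[$name].Value
    if ($v -is [byte[]]) {
        Write-Output ("{0}: byte[{1}]" -f $name, $v.Length)
    }
}
```

Run it as an account that can read the configuration partition; if the attribute is reported as anything other than System.Int32, the object itself, not DNS, is what the wizard is tripping over.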
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39802781
Without context it is hard to say.
When did you get that error?
What are the servers listed in the error? Live servers?


Author Comment

ID: 39803833
I am trying to use Server 2012 Essentials and the Integrate On-premise Exchange 2013 feature. This is part of the log from the failure.

There were issues with the exchange server hardware and OS compatibility but finally the stars aligned and everything went well.

After the install some DNS changes needed to be made. I have had this as a sticking point before, but essentially the idea is to have mail.domain.com and owa.domain.com reach the mail server internally and externally. The procedure was to add CNAME records with these aliases to DNS to achieve this. Not understanding DNS well enough, I concluded that unless my domain is actually domain.com (it is not; it is ad.domain.com) then I can't do this. The best I can do is mail.ad.domain.com and owa.ad.domain.com. I know there is something later on about forward lookup zones, but I wanted to get each piece working correctly first.

The process that led me to the CNAME conclusion involved using nslookup and not getting the correct IP addresses returned. This caused me to look at the DNS for SERVER-EXCH (yes, it is live) and because it had a timestamp rather than "static" I thought (through Google guessing) that the permissions to SELF using the machine's AD account were missing and there was also an orphaned SID. The owner should also have been SYSTEM and not this orphaned SID. Since the DC was the same throughout the failed and finally successful Exchange install, I concluded that this caused the orphaned SID/permission issue. I removed the SID and added SERVER-EXCH$ with permissions of ALL.

One of the last pieces to this puzzle was to integrate Exchange with the Essentials role on the DC, which failed with 3 entries in the log file similar to the line above. The "wizard" only says it cannot find Exchange. This is a block to continuing.

Thanks for looking at this.
LVL 63

Accepted Solution

Simon Butler (Sembee) earned 2000 total points
ID: 39803982
You have over complicated the DNS configuration.
To use the same host name internally and externally you need a single host name split DNS. This is where you only configure DNS for the exact hosts.


Pretty much mandatory with Exchange deployments now.

I think the problem is that you removed the SID and that has broken things. Is Exchange working correctly at the moment?
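An added example of the single-host-name split DNS the answer describes, using the DnsServer cmdlets on a Server 2012 DC. This is not code from the thread; the host names are the ones in the question, and the internal address of SERVER-EXCH is constructed:

```powershell
# Added example; not from the thread. Assumptions: DNS role on Windows Server 2012
# with the DnsServer module; public names mail.domain.com and owa.domain.com (from
# the question); the internal address of SERVER-EXCH is 10.0.0.25 (constructed).
$internalIp = "10.0.0.25"
$hostNames  = @("mail.domain.com", "owa.domain.com")

foreach ($hostName in $hostNames) {
    # A zone named after the host itself, AD-integrated so every DC running DNS serves it.
    # Because the zone covers only this exact name, www.domain.com and every other
    # public record still resolve through the normal forwarding path.
    if (-not (Get-DnsServerZone -Name $hostName -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $hostName -ReplicationScope "Domain"
    }
    # The A record sits at the zone apex ("@"), so the zone answers for the host and nothing else.
    Add-DnsServerResourceRecordA -ZoneName $hostName -Name "@" -IPv4Address $internalIp
}

# Verify from the DC: the two hosts should resolve to the internal address, while an
# unrelated name in the public domain must still come back from the outside.
Clear-DnsClientCache
foreach ($hostName in ($hostNames + "www.domain.com")) {
    Resolve-DnsName -Name $hostName -Type A -Server localhost | Select-Object Name, IPAddress
}
```

The AD domain being ad.domain.com does not matter here: the zone name is the public host name, so internal clients resolve mail.domain.com without any change to the ad.domain.com zone.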


Author Comment

ID: 39804088
Exchange is working inbound and outbound and the IIS sites are working internally; I have not done all of the configuration for the split DNS and reverse proxy yet. Taking the server down and reverting to my mail queueing service (where NEW mail is available online for a few weeks), cleaning up DNS and AD, and re-installing the OS and Exchange is within the realm but not desirable.

The DC would be problematic though.

Thank you

Author Comment

ID: 39804204
Thank you for the link. It is most helpful and I believe covers all of the things I have come across.

A question that does not seem to be addressed: when you say, for the zone replacement needs assessment, I see "You want to replace the MX records with a host using a different name." I have a spam service, so my MX records point to them and they forward on to me.

LVL 10

Expert Comment

by:Marshal Hubs
ID: 39805546
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39806218
On a split DNS system, the MX records are for INTERNAL use only. Therefore the fact that you are using an external provider doesn't really mean anything.
For example, if you have a service or application inside that can only use DNS records for delivery, you don't really want the email going out to come back in again.


Author Comment

ID: 39810646

No help at the link. It is from 2011 and says nothing about the essentials connecting to on premise Exchange. Sorry if the question was too vague.


I think your split DNS is what I needed but not in time to save my AD. Each revolution I learn another piece of this really complicated setup. Hardware issues have intervened at the moment.


Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Unified and professional email signatures help maintain a consistent company brand image to the outside world. This article shows how to create an email signature in Exchange Server 2010 using a transport rule and how to overcome native limitations …
Here's a look at newsworthy articles and community happenings during the last month.
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Suggested Courses
Course of the Month13 days, 17 hours left to enroll

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question