Exchange 2010 referencing incorrect domain controller
I know similar questions were asked about this topic, but I couldn't seem to parse out the definitive answer as to how to correct this problem.
I have a 2010 Exchange server. AD is running on 2 domain controllers: one is a 2003 SBS DC (which is getting ready to be removed) and a 2012 DC. Replication between the 2 DC's is current and from what I can see, AD as well as DNS appears to be functioning properly. Both DC's are Global Catalogs.
In preparation for removing the 2003 SBS as a domain controller (right now only the PDC role is on it; all other FSMO's are on the 2012 DC), during a reboot cycle of the 2003 DC, I wanted to make sure that Exchange 2010 was working properly. While being rebooted, I couldn't log into OWA internally on that server (mailbox and account can't be found/unavailable) and also couldn't launch EMC (throws a Kerberos error).
Upon the 2003 DC coming back online, without doing anything on the Exchange server, OWA and EMC will work again.
I had already changed the Configuration Domain Controller in EMC from "Default" to specifically the 2012 DC. In checking some other settings from the different articles I had found on this problem, the Exchange server is pointing to the 2003 DC (Get-ExchangeServer|fl shows OriginatingServer as 2003DC and Get-DomainController shows both DC's but each entry shows OriginatingServer as 2003 DC as well).
Get-ExchangeServer |fl also has no entries for StaticDomainControllers, StaticGlobalCatalogs, StaticConfigDomainControll
During the reboot of the 2003 DC, there are a number of errors in the Event Log, all pointing to not being able to contact a domain controller. One of the errors lists both domain controllers, but still says it can't contact a suitable domain controller. I can certainly include some of the Event ID's if necessary.
How do I go about forcing the Exchange server to use the 2012 DC for it's services and connection to AD?
I have a 2010 Exchange server. AD is running on 2 domain controllers: one is a 2003 SBS DC (which is getting ready to be removed) and a 2012 DC. Replication between the 2 DC's is current and from what I can see, AD as well as DNS appears to be functioning properly. Both DC's are Global Catalogs.
In preparation for removing the 2003 SBS as a domain controller (right now only the PDC role is on it; all other FSMO's are on the 2012 DC), during a reboot cycle of the 2003 DC, I wanted to make sure that Exchange 2010 was working properly. While being rebooted, I couldn't log into OWA internally on that server (mailbox and account can't be found/unavailable) and also couldn't launch EMC (throws a Kerberos error).
Upon the 2003 DC coming back online, without doing anything on the Exchange server, OWA and EMC will work again.
I had already changed the Configuration Domain Controller in EMC from "Default" to specifically the 2012 DC. In checking some other settings from the different articles I had found on this problem, the Exchange server is pointing to the 2003 DC (Get-ExchangeServer|fl shows OriginatingServer as 2003DC and Get-DomainController shows both DC's but each entry shows OriginatingServer as 2003 DC as well).
Get-ExchangeServer |fl also has no entries for StaticDomainControllers, StaticGlobalCatalogs, StaticConfigDomainControll
During the reboot of the 2003 DC, there are a number of errors in the Event Log, all pointing to not being able to contact a domain controller. One of the errors lists both domain controllers, but still says it can't contact a suitable domain controller. I can certainly include some of the Event ID's if necessary.
How do I go about forcing the Exchange server to use the 2012 DC for it's services and connection to AD?
ASKER
From what I've read, that command is only for choosing a domain controller to use during an Exchange Management Shell session.
Do you have subnets assigned in your AD Sites and Services configuration? That gets overlooked very regularly and can cause problems with Exchange when it tries to find DCs and determine its own topology.
ASKER
There was not a subnet configured in ADSS. It has now been configured to match the local IP subnet 10.0.0.0/24 and assigned to "Default-First-Site-Name" where both DC's exist (single location, single IP network structure).
Now that it's there, should it be tested during the 2003 DC reboot again? Or do you believe there may be more to it than that?
Now that it's there, should it be tested during the 2003 DC reboot again? Or do you believe there may be more to it than that?
Restart the Exchange topology service and it should assign itself to the site. From there it should be able to discover DCs a little easier, but the Exchange server should be able to pull domain controllers from DNS even without a site, so do make sure the 2003 DC is not set as the primary DNS server for the Exchange Server itself.
ASKER
I have confirmed that the Exchange server is pointing to the 2012 DC for primary DNS and the 2003 DC for secondary DNS.
I did also see that the 2012 DC was pointing to the 2003 DC for primary DNS and 127.0.0.1 for secondary DNS. I will be changing that to point to itself (using the actual IP address) for Primary DNS and 2003 DC for secondary DNS.
I won't be able to make that change until after hours, along with the restart of the Topology service. I'm in Central time zone.
I did also see that the 2012 DC was pointing to the 2003 DC for primary DNS and 127.0.0.1 for secondary DNS. I will be changing that to point to itself (using the actual IP address) for Primary DNS and 2003 DC for secondary DNS.
I won't be able to make that change until after hours, along with the restart of the Topology service. I'm in Central time zone.
That should be good. The DNS settings are actually fine that way, and it's a recommended practice to have DCs point to a different DC for their primary DNS, as it helps prevent DNS and AD Services race conditions at startup. If you only have or are moving toward a single DC, it's okay to keep itself for DNS.
That said, you'll also want to verify that both DCs have the same copy of the DNS zone for the domain. I recommend comparing differences and verifying that both servers are set to use the same type of Active Directory Integrated DNS zone (if one is set to use Distribute to DCs in this Domain, the other should be set the same, otherwise they can end up getting messed up and store and load different copies of the DNS database).
That said, you'll also want to verify that both DCs have the same copy of the DNS zone for the domain. I recommend comparing differences and verifying that both servers are set to use the same type of Active Directory Integrated DNS zone (if one is set to use Distribute to DCs in this Domain, the other should be set the same, otherwise they can end up getting messed up and store and load different copies of the DNS database).
ASKER
I changed the 2012 DC to point to itself for Primary DNS and the 2003 DC as Secondary.
Restarted the AD Topology service on Exchange 2010. Tested OWA and email delivery in/out; OK.
Rebooted the 2003 DC and tried OWA again. Same problems as before, no OWA and errors trying to run EMC and EMS. Once 2003 DC was back up for a little while, no problems and all works fine without restarting or doing anything on the Exchange 2010 server.
Thoughts?
Restarted the AD Topology service on Exchange 2010. Tested OWA and email delivery in/out; OK.
Rebooted the 2003 DC and tried OWA again. Same problems as before, no OWA and errors trying to run EMC and EMS. Once 2003 DC was back up for a little while, no problems and all works fine without restarting or doing anything on the Exchange 2010 server.
Thoughts?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Please double-check my original question for specific details on the setup and operation as I know it to be.
As far as I'm aware and through the checking that I've done, I don't have a DC replication issue. Both DC's replicate without errors. I'm getting ready to remove the 2003 DC, which right now has the PDC role (since it is a 2003 SBS DC). All other FSMO roles are already on the 2012 DC.
I may not have been as clear as I needed to on my last post. When I try to test Exchange 2010 operation by rebooting the 2003 DC, during that reboot phase (which the server takes at least 10 minutes to boot) I can't get to Exchange 2010 via OWA internally as well as EMC/EMS. Exchange 2010 is Primary DNS to 2012 DC and secondary to 2003 DC.
As far as I'm aware and through the checking that I've done, I don't have a DC replication issue. Both DC's replicate without errors. I'm getting ready to remove the 2003 DC, which right now has the PDC role (since it is a 2003 SBS DC). All other FSMO roles are already on the 2012 DC.
I may not have been as clear as I needed to on my last post. When I try to test Exchange 2010 operation by rebooting the 2003 DC, during that reboot phase (which the server takes at least 10 minutes to boot) I can't get to Exchange 2010 via OWA internally as well as EMC/EMS. Exchange 2010 is Primary DNS to 2012 DC and secondary to 2003 DC.
ASKER
There was indeed a DC replication issue, where the new 2012 DC, although replication was showing as good, was not sharing the SYSVOL and NETLOGON. Worked with MS to correct problem and after that was resolved, Exchange worked properly when the 2003 SBS DC was inaccessible.
Credit for the solution should go to -MAS- with his response ID of 41741821.
Credit for the solution should go to -MAS- with his response ID of 41741821.
As per the comment from the asker. Comment ID: 41826217
Open in new window
Thanks