Chris Jefferies

asked on

Exchange 2007 communication issues with DC

Hi,
Recently built a new 2012 R2 domain controller, migrated the FSMO roles from a 2003 R2 server to this new one, and decommissioned the 2003 R2 server. Everything seemed to be working fine. OWA was working, as were emails in Outlook and emails on iPhones, but emails on a BlackBerry device are unable to communicate with the email server and it cannot create the mail account. We used to have a BES server that the user was using, but this is also decommissioned as Exchange will be upgraded to Exchange 2013, and the user's BlackBerry has the ability to connect without a BES server.
When looking at the logs on the Exchange server I see the attached errors.
The new domain controllers are on new subnets which were newly created, as previously everything in the company was on a single subnet.
Attachments: voriana1.png, voriana2.png, voriana3.png, voriana4.png, voriana5.PNG
Amit Kumar

Please verify the points mentioned below.

1. The Exchange server has the correct DNS server configured, one which is serving the AD DS services.
2. The Windows 2012 server must be a Global Catalog server and reachable from the Exchange servers on all ports (check the firewall on the Windows 2012 server).
3. Run DCDIAG to check the domain controller health status.
4. If you have recently enabled Global Catalog on the new DC, then restart the DC and the Exchange servers to support MAPI clients.
Chris Jefferies (ASKER)

Hi Amit,
Thanks for the response.
Can you confirm how I can check that the Exchange server has the correct DNS server which is serving AD DS services, please?

The 2012 R2 server is a new GC server and is reachable by the Exchange server.
I am organising a restart of the Exchange server tonight after business hours to see if that helps with the problem. I can't remember when the new DC was promoted to a GC; I know the Exchange server was restarted last week, but I'm not sure if that was before or after this DC work was done.

DCDIAG:
C:\Windows\system32>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = VORLONADC01
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: VORLON\VORLONADC01
      Starting test: Connectivity
         ......................... VORLONADC01 passed test Connectivity

Doing primary tests

   Testing server: VORLON\VORLONADC01
      Starting test: Advertising
         ......................... VORLONADC01 passed test Advertising
      Starting test: FrsEvent
         ......................... VORLONADC01 passed test FrsEvent
      Starting test: DFSREvent
         ......................... VORLONADC01 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... VORLONADC01 passed test SysVolCheck
      Starting test: KccEvent
         ......................... VORLONADC01 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... VORLONADC01 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... VORLONADC01 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... VORLONADC01 passed test NCSecDesc
      Starting test: NetLogons
         ......................... VORLONADC01 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... VORLONADC01 passed test ObjectsReplicated
      Starting test: Replications
         ......................... VORLONADC01 passed test Replications
      Starting test: RidManager
         ......................... VORLONADC01 passed test RidManager
      Starting test: Services
         ......................... VORLONADC01 passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0x00002720
            Time Generated: 07/26/2017   08:07:08
            Event String:
            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
         An error event occurred.  EventID: 0x00002720
            Time Generated: 07/26/2017   08:07:08
            Event String:
            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
         An error event occurred.  EventID: 0x00002720
            Time Generated: 07/26/2017   08:07:08
            Event String:
            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
         ......................... VORLONADC01 failed test SystemLog
      Starting test: VerifyReferences
         ......................... VORLONADC01 passed test VerifyReferences


    Running partition tests on : ForestDnsZones
    Starting test: CheckSDRefDom
       ......................... ForestDnsZones passed test CheckSDRefDom
    Starting test: CrossRefValidation
       ......................... ForestDnsZones passed test
       CrossRefValidation

 Running partition tests on : DomainDnsZones
    Starting test: CheckSDRefDom
       ......................... DomainDnsZones passed test CheckSDRefDom
    Starting test: CrossRefValidation
       ......................... DomainDnsZones passed test
       CrossRefValidation

 Running partition tests on : Schema
    Starting test: CheckSDRefDom
       ......................... Schema passed test CheckSDRefDom
    Starting test: CrossRefValidation
       ......................... Schema passed test CrossRefValidation

 Running partition tests on : Configuration
    Starting test: CheckSDRefDom
       ......................... Configuration passed test CheckSDRefDom
    Starting test: CrossRefValidation
       ......................... Configuration passed test CrossRefValidation

 Running partition tests on : VorianaCapital
    Starting test: CheckSDRefDom
       ......................... VorianaCapital passed test CheckSDRefDom
    Starting test: CrossRefValidation
       ......................... VorianaCapital passed test
       CrossRefValidation

 Running enterprise tests on : VorianaCapital.local
    Starting test: LocatorCheck
       ......................... VorianaCapital.local passed test
       LocatorCheck
    Starting test: Intersite
       ......................... VorianaCapital.local passed test Intersite
1. Go to the LAN card properties on the Exchange server, open the IPv4 properties and check which primary DNS server is listed. I believe you have Windows 2003 on the Exchange 2007 server; if not, then check whether IPv6 is enabled.
2. To check the Global Catalog, log in to the new DC and open the Active Directory Sites and Services console. Expand the available site, go to Servers, then open the properties of the Windows 2012 server and verify the DC type on the General page. It should be Global Catalog.
I have checked the DNS and the new PDC is the primary DNS entry for IPv4. I disabled IPv6 a few days ago in preparation for upgrading Exchange to 2013.
The GC feature is enabled on both new domain controllers.
Hopefully you have installed Exchange 2007 SP3 RU13 to support Windows 2012 R2 domain controllers. Check it.

https://blogs.technet.microsoft.com/rmilne/2013/09/17/exchange-support-for-windows-server-2012-r2/

You will note that Windows Server 2012 R2 is currently only listed as a supported OS platform for Exchange 2013 SP1 onwards and Exchange 2016. In addition to this please also note that Windows Server 2012 R2 is listed as a supported Domain Controller for Exchange 2016, Exchange 2013 SP1, Exchange 2010 SP3 RU5 and Exchange 2007 SP3 RU13 or later builds of each.
Yes, we have SP3 RU23 installed.
So restart both the DC and the Exchange servers and then check. One more thing: what about the Windows firewall on either server?
OK, I will get that arranged for this evening out of hours. Firewall services are disabled on the servers.
So I just ran a DCDIAG on the Exchange server and have the following results:

C:\Users\master>dcdiag /s:VORLONADC01

Directory Server Diagnosis

Performing initial setup:
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: VORLON\VORLONADC01
      Starting test: Connectivity
         ......................... VORLONADC01 passed test Connectivity

Doing primary tests

   Testing server: VORLON\VORLONADC01
      Starting test: Advertising
         Fatal Error:DsGetDcName (VORLONADC01) call failed, error 1722
         The Locator could not find the server.
         ......................... VORLONADC01 failed test Advertising
      Starting test: FrsEvent
         ......................... VORLONADC01 passed test FrsEvent
      Starting test: DFSREvent
         ......................... VORLONADC01 passed test DFSREvent
      Starting test: SysVolCheck
         [VORLONADC01] An net use or LsaPolicy operation failed with error 53, Win32 Error 53.
         ......................... VORLONADC01 failed test SysVolCheck
      Starting test: KccEvent
         ......................... VORLONADC01 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... VORLONADC01 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         Could not open pipe with [VORLONADC01]:failed with 53: Win32 Error 53
         Could not get NetBIOSDomainName
         Failed can not test for HOST SPN
         Failed can not test for HOST SPN
         ......................... VORLONADC01 passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=VorianaCapital,DC=local
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=VorianaCapital,DC=local
         ......................... VORLONADC01 failed test NCSecDesc
      Starting test: NetLogons
         [VORLONADC01] An net use or LsaPolicy operation failed with error 53, Win32 Error 53.
         ......................... VORLONADC01 failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... VORLONADC01 passed test ObjectsReplicated
      Starting test: Replications
         ......................... VORLONADC01 passed test Replications
      Starting test: RidManager
         ......................... VORLONADC01 passed test RidManager
      Starting test: Services
         Could not open Remote ipc to [VORLONADC01.VorianaCapital.local]: error 0x35
         "Win32 Error 53"
         ......................... VORLONADC01 failed test Services
      Starting test: SystemLog
         ......................... VORLONADC01 passed test SystemLog
      Starting test: VerifyReferences
         ......................... VORLONADC01 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : VorianaCapital
      Starting test: CheckSDRefDom
         ......................... VorianaCapital passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... VorianaCapital passed test CrossRefValidation

   Running enterprise tests on : VorianaCapital.local
      Starting test: LocatorCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1722
         A Global Catalog Server could not be located - All GC's are down.
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1722
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1722
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1722
         A Good Time Server could not be located.
         Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1722
         A KDC could not be located - All the KDCs are down.
         ......................... VorianaCapital.local failed test LocatorCheck
      Starting test: Intersite
         ......................... VorianaCapital.local passed test Intersite
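A small parser for dcdiag output like the run above, added here as an example and not part of the thread or of the dcdiag tool itself. It pulls out each test's pass/fail result, collects the Win32 error codes logged under it (the run above is dominated by 53 and 1722), flags tests that "passed" while still logging errors (MachineAccount above), and maps the codes to their Win32 names. The sample text is a constructed excerpt modelled on the posted run; the causes in square brackets are the usual ones for those codes, not a diagnosis of this particular environment.

```python
import re

# Constructed excerpt modelled on the dcdiag /s:VORLONADC01 run posted above.
SAMPLE = """\
      Starting test: Advertising
         Fatal Error:DsGetDcName (VORLONADC01) call failed, error 1722
         ......................... VORLONADC01 failed test Advertising
      Starting test: SysVolCheck
         [VORLONADC01] An net use or LsaPolicy operation failed with error 53, Win32 Error 53.
         ......................... VORLONADC01 failed test SysVolCheck
      Starting test: MachineAccount
         Could not open pipe with [VORLONADC01]:failed with 53: Win32 Error 53
         ......................... VORLONADC01 passed test MachineAccount
      Starting test: Services
         Could not open Remote ipc to [VORLONADC01.VorianaCapital.local]: error 0x35
         ......................... VORLONADC01 failed test Services
      Starting test: LocatorCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1722
         ......................... VorianaCapital.local failed test
         LocatorCheck
"""

# Names from the Win32 error table; the bracketed causes are the usual ones, not a diagnosis.
WIN32_ERRORS = {
    53: "ERROR_BAD_NETPATH: network path not found [NetBIOS/SMB name resolution or TCP 445 blocked]",
    1722: "RPC_S_SERVER_UNAVAILABLE: RPC server unavailable [DNS SRV lookup or TCP 135/dynamic RPC blocked]",
}
START_RE = re.compile(r"^\s*Starting test:\s+(\S+)")
RESULT_RE = re.compile(r"^\s*\.+\s+(\S+)\s+(passed|failed) test")   # test name may wrap
ERRNO_RE = re.compile(r"\b(?:error|with)\s+(0x[0-9a-f]+|\d+)\b", re.I)

def parse_dcdiag(text):
    """Return one record per test: name, target, pass/fail status and the Win32 codes logged."""
    records, current = [], None
    for line in text.splitlines():
        m = START_RE.match(line)
        if m:
            current = {"test": m.group(1), "target": None, "status": None, "errors": set()}
            records.append(current)
            continue
        if current is None:
            continue
        m = RESULT_RE.match(line)
        if m:
            current["target"], current["status"] = m.group(1), m.group(2)
            continue
        for code in ERRNO_RE.findall(line):
            current["errors"].add(int(code, 0))   # base 0 handles both "53" and "0x35"
    return records

def summarize(records):
    """Failed tests, tests that passed but still logged errors, and what each code means."""
    codes = sorted({c for r in records for c in r["errors"]})
    return {
        "failed": [(r["target"], r["test"]) for r in records if r["status"] == "failed"],
        "noisy_passes": [r["test"] for r in records if r["status"] == "passed" and r["errors"]],
        "codes": {c: WIN32_ERRORS.get(c, "unknown Win32 error") for c in codes},
    }
```

Feed it the text of a real run (`summarize(parse_dcdiag(open("dcdiag.txt").read()))`) to get the failed-test list and code meanings in one place rather than reading the whole transcript.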
It seems there is an issue with replication between the new and old domain controllers.

Run the command below to get a replication summary:

1. repadmin /replsummary *

If you see some failures, then verify the LAN properties and the primary DNS IP; ideally it should be the server's own IP address or another DC which is running well.

Try nslookup and resolve a working DC's name and the domain name.
To force replication you can run the command below:

repadmin /syncall /AePqD
C:\Windows\system32>repadmin /replsummary *
Replication Summary Start Time: 2017-07-26 10:13:52

Beginning data collection for replication summary, this may take awhile:
  .....


Source DSA          largest delta    fails/total %%   error
 VORLONADC01               13m:32s    0 /   5    0
 VORLONADC02               08m:48s    0 /   5    0


Destination DSA     largest delta    fails/total %%   error
 VORLONADC01               08m:48s    0 /   5    0
 VORLONADC02               13m:32s    0 /   5    0


Seems to be replicating OK... the old domain controllers are no longer in the domain; only the 2 new ones are left.
C:\Windows\system32>repadmin /syncall /AePqD
Syncing all NC's held on VORLONADC01.
Syncing partition: DC=ForestDnsZones,DC=VorianaCapital,DC=local
SyncAll terminated with no errors.

Syncing partition: DC=DomainDnsZones,DC=VorianaCapital,DC=local
SyncAll terminated with no errors.

Syncing partition: CN=Schema,CN=Configuration,DC=VorianaCapital,DC=local
SyncAll terminated with no errors.

Syncing partition: CN=Configuration,DC=VorianaCapital,DC=local
SyncAll terminated with no errors.

Syncing partition: DC=VorianaCapital,DC=local
SyncAll terminated with no errors.


C:\Windows\system32>repadmin /showrepl

Repadmin: running command /showrepl against full DC localhost
VORLON\VORLONADC01
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: edf3b045-6607-44ca-bb6b-5fcd48e2f7d1
DSA invocationID: e1b5361f-60f3-4e16-9c4e-0fe81cae2b4d

==== INBOUND NEIGHBORS ======================================

DC=VorianaCapital,DC=local
    VorianaCapital\VORLONADC02 via RPC
        DSA object GUID: 8f6e0b5e-834f-4fbe-ba5a-a99b6c1def0c
        Last attempt @ 2017-07-26 10:05:04 was successful.

CN=Configuration,DC=VorianaCapital,DC=local
    VorianaCapital\VORLONADC02 via RPC
        DSA object GUID: 8f6e0b5e-834f-4fbe-ba5a-a99b6c1def0c
        Last attempt @ 2017-07-26 10:05:04 was successful.

CN=Schema,CN=Configuration,DC=VorianaCapital,DC=local
    VorianaCapital\VORLONADC02 via RPC
        DSA object GUID: 8f6e0b5e-834f-4fbe-ba5a-a99b6c1def0c
        Last attempt @ 2017-07-26 10:05:04 was successful.

DC=DomainDnsZones,DC=VorianaCapital,DC=local
    VorianaCapital\VORLONADC02 via RPC
        DSA object GUID: 8f6e0b5e-834f-4fbe-ba5a-a99b6c1def0c
        Last attempt @ 2017-07-26 10:05:04 was successful.

DC=ForestDnsZones,DC=VorianaCapital,DC=local
    VorianaCapital\VORLONADC02 via RPC
        DSA object GUID: 8f6e0b5e-834f-4fbe-ba5a-a99b6c1def0c
        Last attempt @ 2017-07-26 10:05:04 was successful.
ASKER CERTIFIED SOLUTION
Amit Kumar
Samarjit Baruah
A BES 5.0.4 or earlier user has attributes in the AD account that will not allow the user to connect the BlackBerry without the BES server. As this user was configured to use BES earlier, his AD account has those settings. You have to delete the user account and recreate it. Take care of the Exchange part, though, while deleting the AD user.
How can I delete the account then without causing issues with the Exchange account? I'll also have to review all mailbox and folder permissions in order to do that.
Although, the BES server was removed weeks ago and the account was configured on the BB fine before last weekend, when the old domain controllers were removed.
To isolate the issue, I would suggest that you create a new user (like username2) and test whether his BlackBerry works with this new account. Once the cause is established, we can work towards the fix.
I will need to organise that with the team; as it is the CEO, it is difficult getting their device for testing. Plus, they have just gone on holiday for a few weeks!
I have restarted the Exchange server and nearly all the errors have cleared. Just 2 errors currently:

Exchange could not find a certificate that contains the domain name 'Servers FQDN' in the personal store on the local computer. Therefore it is unable to support the STARTTLS SMTP verb for the connector with a FQDN parameter of 'server fqdn'. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

The other error is when running dcdiag /s:vorlonadc01:

Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have Replicating Directory Changes In Filtered Set access rights for the naming context: DC=ForestDnsZones,DC=domain name,DC=local

failed test NCSecDesc
Everything is working fine after a restart, thanks.
All working after a restart.