Exchange 2010 SP2 AD Problems
-
Thursday, May 03, 2012 11:06 AM
Hello,
We have the following problem with our two Exchange SP2 UR1 (MBX, CAS, HUB) servers. Both Exchange servers are located in Site B and are members of a DAG. Two HWL (KEMP) are located in front of the Exchange servers. The Exchange servers are members of a special EMAIL Active Directory, and the independent AD forests of the users are connected via a trust.
The EMAIL AD has 3 DCs and 3 sites. The two Exchange servers are in Site B, and a single Exchange server is located in Site C.
At the moment we have several issues with the Exchange servers in Site B with AD access.
Problem 1:
When we create a new user/mailbox on Exchange B, the user is not created on the DC in Site B but on DC A in Site A. When we create the user/mailbox on a different Exchange server, the user is created on the correct DC for the site.
We manually set the Config DC and GC, but with no success. Interestingly, a change to the user object is made directly on DC B.
In the event log, Event 2080 from ADAccess shows all DCs in the correct sites. There are no other errors in the event log. The diagnostic level for ADAccess is set to Expert.
A check of the DC and the AD with DCdiag /V /E /C didn't come up with new errors.
A BPA Connectivity Check was also passed.
Problem 2:
The second Exchange server in Site B has been showing the following warning in the event log for a few days:
Warnung,03.05.2012 11:19:55,MSExchange ADAccess,2128,Konfiguration,"Prozess Microsoft.Exchange.EdgeSyncSvc.exe (PID=1760). Das Objekt CN=EdgeSyncService,CN=BB,CN=Sites,CN=Configuration,DC=email,DC=VEGAS,DC=de wurde auf dem Domänencontroller DCDEBB01.email.VEGAS.de nicht gefunden. Dies weist möglicherweise auf ein Replikations- oder Berechtigungsproblem hin. "
Warnung,03.05.2012 11:18:27,MSExchange ADAccess,2128,Konfiguration,"Prozess Microsoft.Exchange.Search.ExSearch.exe (PID=2612). Das Objekt CN=BB-PF01,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=VEGAS,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=email,DC=VEGAS,DC=de wurde auf dem Domänencontroller DCDEBB01.email.VEGAS.de nicht gefunden. Dies weist möglicherweise auf ein Replikations- oder Berechtigungsproblem hin. "
Warnung,03.05.2012 11:17:44,MSExchange ADAccess,2128,Konfiguration,"Prozess STORE.EXE (PID=3784). Das Objekt CN=MOBILE,CN=407,CN=Address-Templates,CN=Addressing,CN=VEGAS,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=email,DC=VEGAS,DC=de wurde auf dem Domänencontroller dcdeWI01.email.VEGAS.de nicht gefunden. Dies weist möglicherweise auf ein Replikations- oder Berechtigungsproblem hin. "
Warnung,03.05.2012 11:15:30,MSExchange ADAccess,2128,Konfiguration,"Prozess msexchangerepl.exe (PID=2368). Das Objekt CN=DAG-BB,CN=Database Availability Groups,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=VEGAS,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=email,DC=VEGAS,DC=de wurde auf dem Domänencontroller dcdeWI01.email.VEGAS.de nicht gefunden. Dies weist möglicherweise auf ein Replikations- oder Berechtigungsproblem hin. "
Warnung,03.05.2012 11:14:53,MSExchange ADAccess,2128,Konfiguration,"Prozess MSExchangeMailboxReplication.exe () (PID=1992). Das Objekt CN=MTS-PF01,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=VEGAS,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=email,DC=VEGAS,DC=de wurde auf dem Domänencontroller DCDEBB01.email.VEGAS.de nicht gefunden. Dies weist möglicherweise auf ein Replikations- oder Berechtigungsproblem hin. "
Warnung,03.05.2012 11:14:53,MSExchange ADAccess,2128,Konfiguration,"Prozess MSExchangeMailboxReplication.exe () (PID=1992). Das Objekt CN=BB-PF02,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=VEGAS,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=email,DC=VEGAS,DC=de wurde auf dem Domänencontroller DCDEBB01.email.VEGAS.de nicht gefunden. Dies weist möglicherweise auf ein Replikations- oder Berechtigungsproblem hin. "
Warnung,03.05.2012 11:14:53,MSExchange ADAccess,2128,Konfiguration,"Prozess MSExchangeMailboxReplication.exe () (PID=1992). Das Objekt CN=DAG-BB,CN=Database Availability Groups,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=VEGAS,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=email,DC=VEGAS,DC=de wurde auf dem Domänencontroller DCDEBB01.email.VEGAS.de nicht gefunden. Dies weist möglicherweise auf ein Replikations- oder Berechtigungsproblem hin. "
Warnung,03.05.2012 11:14:53,MSExchange ADAccess,2128,Konfiguration,"Prozess MSExchangeMailboxReplication.exe () (PID=1992). Das Objekt CN=BB-PF01,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=VEGAS,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=email,DC=VEGAS,DC=de wurde auf dem Domänencontroller DCDEBB01.email.VEGAS.de nicht gefunden. Dies weist möglicherweise auf ein Replikations- oder Berechtigungsproblem hin. "
A check of the permissions with ADSI and a check of the network were successful.
We have no further ideas because every test we ran was successful and Google didn't come up with new suggestions. The third server in Site C has no errors and works fine. A check with the BPA also shows no errors.
Does anyone have an idea or suggestion for us?
Best regards,
Christoph
All Replies
-
Thursday, May 03, 2012 11:19 AM
To me it looks like an AD replication issue.
Post the event ID related to replication.
Gulab Prasad,
MCITP: Exchange Server 2010 | MCITP: Exchange Server 2007
MCITP: Lync Server 2010 | MCITP: Windows Server 2008
My Blog | Z-Hire Employee Provisioning App
-
Thursday, May 03, 2012 11:49 AM
Hello,
Sorry, but there are no events related to replication. I also checked replication with Repadmin and dcdiag and there were no errors.
Christoph
-
Thursday, May 03, 2012 11:58 AM
Please use Microsoft Skydrive to upload the output of these commands on all DCs you have:
- ipconfig /all > c:\ipconfig.txt
- dcdiag /v /e > c:\dcdiag.txt
Once done, post a link here.
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner 2010 / 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows 7, Configuring
Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
Microsoft Certified IT Professional: Enterprise Administrator
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Trainer
-
Thursday, May 03, 2012 12:41 PM
Thanks for the help
- Edited by Logarn Thursday, May 03, 2012 12:45 PM
-
Thursday, May 03, 2012 1:33 PM
OK. So it seems that there are no failures with AD replication (I am not used to reading German :)).
What I have seen is that there is an event in the System container in Event Viewer of a DC which states that this DC is receiving authentication attempts from IP addresses which do not belong to a configured subnet in dssite.msc.
Please start with that:
- Make sure that AD sites are well configured and that DCs are under the correct AD sites
- Make sure that all subnets in use have been created and are linked to the correct AD site
I saw that one DC is using ::1 as primary DNS server so please delete this in its IPv6 DNS settings.
Since you are using multiple DCs in multiple domains in your AD forest, you can proceed as follows to avoid issues with DNS resolution.
- Choose a healthy DC / DNS server in your root domain
- Make all DCs in its AD forest point to it as primary DNS server
- Make sure that all your AD forest DNS zones are AD-Integrated and set to be replicated to all DCs in your forest
Like that, all updates / DNS resolution for DCs in your AD forest will be sent to this DC and then this DC will replicate any updates on your DNS zones to each DC / DNS server in your AD forest.
-
Thursday, May 03, 2012 2:07 PM
Yes, I'm sorry for the German logs :)
The error with the subnets is fixed. One of the client networks was missing, but I didn't think that there is a connection between this error and the Exchange errors.
Thanks a lot for your help
-
Thursday, May 03, 2012 2:24 PM
I just wanted to check that each Exchange Server is connecting to the closest DC (which is in its site).
From your first post you wrote "When we create a New User/Mailbox on Exchange B the user is not created on the DC in Site B but on DC A in Site A".
This behavior can be due to a wrong AD sites configuration. For that, I recommended checking it. Once the AD object is created, please note that it will be replicated depending on your replication schedules between AD sites.
-
Thursday, May 03, 2012 2:39 PM
Yes, you're right, that was also my first thought, but I checked it and the site configuration is correct. Exchange B also finds that it is in the correct Site B and that DCB is its correct DC in Site B.
Here is the event log for MSExchangeDSAccess:
Event Type: Information
Event Source: MSExchangeDSAccess
Event Category: Topology
Event ID: 2080
Computer: MyComputer
Description:
Process MAD.EXE (PID=1808). DSAccess has discovered the following servers with the following characteristics:
(Server name | Roles | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
DCDEBB01.email.Vegas.de CDG 1 7 7 1 0 1 1 7 1
Out-of-site:
DCDEMTS01.email.vegas.de CDG 1 7 7 1 0 1 1 7 1
DCDEWI01.email.vegas.de CDG 1 7 7 1 0 1 1 7 1
Christoph
-
Thursday, May 03, 2012 3:18 PM
OK, I checked the warning again with adsiedit and it looks like the
CN=MOBILE,CN=407,CN=Address-Templates,CN=Addressing,CN=VEGAS,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=email,DC=VEGAS,DC=de
and
CN=EdgeSyncService,CN=BB,CN=Sites,CN=Configuration,DC=email,DC=VEGAS,DC=de wurde auf dem Domänencontroller DCDEBB01.email.VEGAS.de
are really missing,
and in the DNS configuration I found under Forward-Lookupzonen/email.vegas.de/DomainDNSZone/_sites/ and under
Forward-Lookupzonen/email.vegas.de/ForestDNSZones/_sites/
a default-First-Site-Name site which doesn't exist.
Can I delete this one?
-
Friday, May 04, 2012 6:46 AM Moderator
Hi,
Please run "nltest /dsgetsite" and then post the value here.
Please run the command below and then post the result here.
[PS] C:\Windows\system32> $Forest =[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
[PS] C:\Windows\system32> $Forest.FindAllGlobalCatalogs() | Select Name,SiteName, Domain, Roles
Xiu Zhang
TechNet Community Support
-
Friday, May 04, 2012 8:28 AM
Good Morning,
After a lot of tests I didn't find anything that was causing problems on Exchange A with the MSExchange ADAccess 2128 warnings. And after I set the event log level for ADAccess to lowest/low, the warning went away. The funny thing is that even in our test lab the warning appears when I turn the event logging up to Expert.
So I don't think that there is a real problem with warning 2128.
The other problem on Exchange B with the wrong DC went away after I enabled change notifications on the InterSiteTransportLink.
Best regards and thanks a lot for your help and ideas
Christoph
- Marked As Answer by Logarn Friday, May 04, 2012 8:28 AM
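
The two site-topology checks discussed in this thread (subnets linked to the correct site, and change notification on the inter-site link), written out as an added example that is not code from any poster. It assumes the ActiveDirectory PowerShell module is available; the function names are hypothetical, and treating bit 0x1 of the site link's `options` attribute as the change-notification switch is standard AD behaviour rather than something stated in the thread.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory RSAT module
# and rights to read (and, for the last function, write) the Configuration partition.
Import-Module ActiveDirectory

# Bit 0x1 (USE_NOTIFY) in a site link's "options" attribute turns on
# change notification for replication across that link.
$script:UseNotify = 0x1

# Subnets and the site each one is linked to. An empty Site means clients
# in that range cannot be mapped to an AD site.
function Get-SubnetSiteMap {
    Get-ADReplicationSubnet -Filter * | ForEach-Object {
        [pscustomobject]@{
            Subnet = $_.Name
            Site   = if ($_.Site) { ($_.Site -split ',')[0] -replace '^CN=' } else { $null }
        }
    }
}

# Every site link with its raw options value and whether notification is on.
function Get-SiteLinkNotification {
    Get-ADReplicationSiteLink -Filter * -Properties options | ForEach-Object {
        $opts = [int]$_.options            # attribute not set -> 0
        [pscustomobject]@{
            SiteLink           = $_.Name
            Options            = $opts
            ChangeNotification = [bool]($opts -band $script:UseNotify)
        }
    }
}

# Set the notification bit on one link while keeping any other option bits.
function Enable-SiteLinkNotification {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)
    $link = Get-ADReplicationSiteLink -Identity $Name -Properties options
    $new  = [int]$link.options -bor $script:UseNotify
    if ($PSCmdlet.ShouldProcess($Name, "set options to $new")) {
        Set-ADReplicationSiteLink -Identity $Name -Replace @{ options = $new }
    }
}

Get-SubnetSiteMap | Sort-Object Site | Format-Table -AutoSize
Get-SiteLinkNotification | Format-Table -AutoSize
# Enable-SiteLinkNotification -Name '<site link name>' -WhatIf
```

Run the commented last line with `-WhatIf` first to see the new `options` value before writing it.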

