Exchange Server Sees Only 1 GC
- <!-- /* Font Definitions */ @font-face {font-family:"Cambria Math"; panose-1:2 4 5 3 5 4 6 3 2 4; mso-font-charset:1; mso-generic-font-family:roman; mso-font-format:other; mso-font-pitch:variable; mso-font-signature:0 0 0 0 0 0;} @font-face {font-family:Calibri; panose-1:2 15 5 2 2 2 4 3 2 4; mso-font-charset:0; mso-generic-font-family:swiss; mso-font-pitch:variable; mso-font-signature:-1610611985 1073750139 0 0 159 0;} @font-face {font-family:Consolas; panose-1:2 11 6 9 2 2 4 3 2 4; mso-font-charset:0; mso-generic-font-family:modern; mso-font-pitch:fixed; mso-font-signature:-1610611985 1073750091 0 0 159 0;} /* Style Definitions */ p.MsoNormal, li.MsoNormal, div.MsoNormal {mso-style-unhide:no; mso-style-qformat:yes; mso-style-parent:""; margin:0in; margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:Calibri; mso-fareast-theme-font:minor-latin; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;} p.MsoPlainText, li.MsoPlainText, div.MsoPlainText {mso-style-noshow:yes; mso-style-priority:99; mso-style-link:"Plain Text Char"; margin:0in; margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:10.5pt; font-family:Consolas; mso-fareast-font-family:Calibri; mso-fareast-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;} span.PlainTextChar {mso-style-name:"Plain Text Char"; mso-style-noshow:yes; mso-style-priority:99; mso-style-unhide:no; mso-style-locked:yes; mso-style-link:"Plain Text"; mso-ansi-font-size:10.5pt; mso-bidi-font-size:10.5pt; font-family:Consolas; mso-ascii-font-family:Consolas; mso-hansi-font-family:Consolas;} .MsoChpDefault {mso-style-type:export-only; mso-default-props:yes; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:Calibri; mso-fareast-theme-font:minor-latin; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;} @page Section1 {size:8.5in 11.0in; margin:1.0in 1.0in 1.0in 1.0in; mso-header-margin:.5in; mso-footer-margin:.5in; mso-paper-source:0;} div.Section1 {page:Section1;} -->
Hi all,
We have a secondary domain controller that is also set up as a GC. When I look in the ESM's properties I only see the PDC as the GC. I set the topology logging to maximum and this is what I got:
Process MAD.EXE (PID=3112). DSAccess has discovered the following servers with the following characteristics:
(Server name | Roles | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
pdc.subdomain.domain.xy CDG 7 7 1 0 1 1 7 1
gc2.subdomain.domain.xy CDG 7 7 1 0 0 1 7 1
Out-of-site:
I have changed the server names but the server that isn't showing up in ESM is "gc2.subdomain.domain.xy" even though the log shows it. I'm unsure what the problem could be. Any insights on this issue would be great.
Thanks in advance!
Answers
- Oh, I agree. In fact, I should have looked closer at the dsacess 2080 the OP posted earlier.
gc2.subdomain.domain.xy CDG 7 7 1 0 0 1 7 1
The DC doesnt have the SACL right.
Exad, here are some articles on how to troubleshoot that if a simple restart doesnt solve it:
http://support.microsoft.com/kb/316300
http://ntoskrnl.wordpress.com/2008/08/20/eventid-2080-dsaccess-sacl-right-fix/
http://social.technet.microsoft.com/Forums/en/exchangesvrgeneral/thread/d57c4227-ab6b-4833-93b5-99616b52a2af- Marked As Answer byJames-LuoMSFT, ModeratorTuesday, November 10, 2009 2:41 AM
- I would go for /domainprep on the second GC so that it will fix Manage Auditing and Security Log.
and then replicate the changes between both GC'S
i would also try restarting the SA so that DSACCESS cache can pick both GC's
Vinod |CCNA|MCSE 2003 +Messaging|MCTS|ITIL V3|- Marked As Answer byJames-LuoMSFT, ModeratorTuesday, November 10, 2009 2:40 AM
All Replies
- Both the GC's are in the same AD site where exchange is? Normally exchange will not pick up the GC which is in the other AD site. Are AD replications fine? If you try SET L command from command promt on the exchange what do you get.
Try to run exbpa and when it asks the DC name, punch in the gc2 over there and see the results of exbpa and paste it over here.
Raj - Yes, both the GC's are in the same AD site. The AD replications look fine to me. The SET L command shows the PDC server. What part of the exbpa output would you like me to attach here since it is a big file.
Thanks Raj! Exchange isnt installed on the PDC is it?
As for ExBpa, post any critical warnings.- Here are some of the warnings:
Items of severity Warning:
- Network interface driver file is more than two years old
- Storage driver is more than two years old
- Symantec Mail Security for Exchange update available
- Temporary file path optimization
- Virus scanning API (VSAPI) plain text scanning
Items of severity Best Practices:
- Application log size
- Consider setting 'TarpitTime'
- Single global catalog in toplogy
- BIOS update available
- Outlook connection range - Even exbpa is detecting single global catalog in the AD site. Try runnning dcdiag and net diag on the problematic domain controller. Check with replmon /showreps on the dc.
Also run the commands from nltest with dclist, dcname and dsgetsite.
Raj - Check your local DNS server for _gc (SRV) records..
Stop the firewall service on both the domain controllers and even exchange 2003
restart the new DC which has been promoted to GC once done restart the Exchange 2003 Server (take downtime time)
Hari Bylapudi - In addition to Hari's suggestion, I would check the event logs on that new GC.
- On Sat, 7-Nov-09 15:47:01 GMT, Andy David wrote:
>In addition to Hari's suggestion, I would check the event logs on that new GC.
Heck, I'd reboot the GC first. I didn't see any info on what O/S or SP
the GC is using and it used to be that a GC needed a reboot after it
was made a GC before it would show up.
---
Rich Matheisen
MCSE+I, Exchange MVP
--- Rich Matheisen MCSE+I, Exchange MVP - Oh, I agree. In fact, I should have looked closer at the dsacess 2080 the OP posted earlier.
gc2.subdomain.domain.xy CDG 7 7 1 0 0 1 7 1
The DC doesnt have the SACL right.
Exad, here are some articles on how to troubleshoot that if a simple restart doesnt solve it:
http://support.microsoft.com/kb/316300
http://ntoskrnl.wordpress.com/2008/08/20/eventid-2080-dsaccess-sacl-right-fix/
http://social.technet.microsoft.com/Forums/en/exchangesvrgeneral/thread/d57c4227-ab6b-4833-93b5-99616b52a2af- Marked As Answer byJames-LuoMSFT, ModeratorTuesday, November 10, 2009 2:41 AM
- Hi all,
Thanks for all your help. When I ran the dsdiag command on the exchange server I saw the message about not having the proper security. In addition, I checked the DC gc2's "Manage Auditing and Security Log" and it does give the Exchange Enterprise Servers the permission. Since everything looks good except that the exchange server doesn't have the required privilege on the DC I feel that I should run the setup.exe command with the /domainprep flag (as described in Article 314294). Do you folks think that that is a good way to go about it? Since the exchange server is in production I hope it doesn't mess anything up?
Thanks once again! - I think that should be fine. Make sure you take a system state back up from the domain controller.
Raj - Hi Raj,
Should I be running the setup command with the /domainprep switch on the exchange server or the DC gc2?
Thanks! - Did you check the 'read nTSecurityDescriptor" referenced in:
http://ntoskrnl.wordpress.com/2008/08/20/eventid-2080-dsaccess-sacl-right-fix/
Also check:
http://social.technet.microsoft.com/Forums/en/exchangesvrgeneral/thread/4cfab637-4d82-4c03-9362-5fa11777c70d - On Sun, 8-Nov-09 21:42:13 GMT, exad wrote:
>Hi Raj,Should I be running the setup command with the /domainprep switch on the exchange server or the DC gc2?Thanks!
It doesn't matter, as long ss you're on a machine that's a member of
the domain you're preparing.
But I don't know if /domainprep will fix your problem. If it doesn't,
this may be the more appropriate reference:
http://support.microsoft.com/kb/328662
---
Rich Matheisen
MCSE+I, Exchange MVP
--- Rich Matheisen MCSE+I, Exchange MVP - I would go for /domainprep on the second GC so that it will fix Manage Auditing and Security Log.
and then replicate the changes between both GC'S
i would also try restarting the SA so that DSACCESS cache can pick both GC's
Vinod |CCNA|MCSE 2003 +Messaging|MCTS|ITIL V3|- Marked As Answer byJames-LuoMSFT, ModeratorTuesday, November 10, 2009 2:40 AM
- Thanks to all of you as now my exchange server sees both GCs.
- Glad you got it working!
