Exchange server claims it cannot connect to Domain Controllers

    Question

  • Hello, and thank you for taking the time to read and hopefully respond to my issue.

    I am having trouble with my Exchange 2010 server. It will randomly reject outgoing emails, claiming a "cannot relay" type error. Minutes later the exact same email will go out just fine. This will happen to random emails from random people at random times. I have found no pattern with it yet; luckily it has not happened to the same person twice, so I am still under the radar of management on this issue.

    I decided to run the Best Practices Analyzer to see if that could lead me to the issue. I was recently handed this department and have had almost nothing to do with any of the setup and deployment decisions before now, so I have little idea how things are actually configured. Thus I cannot answer many questions about the setup without some guidance on how to find the answers you seek. The analyzer came back with 5 errors; it was pretty easy to guess what they were.

    Cannot contact the server acting as the Domain Naming Master on port 389. Check that Active Directory server 'dc1.DOMAIN.com' is functioning correctly. Error code: 389 Not Available.

    Cannot contact the server acting as the Schema Master on port 389. Check that Active Directory server 'dc1.DOMAIN.com' is functioning correctly. Error code: 389 Not Available.

    Cannot contact the server acting as the Infrastructure Master for domain 'DOMAIN' on port 389. Check that Active Directory server 'DC2.DOMAIN.com' is functioning correctly. Error code: 389 Not Available.

    Cannot contact the server acting as the PDC Emulator for domain 'DOMAIN' on port 389. Check that Active Directory server 'DC2.DOMAIN.com' is functioning correctly. Error code: 389 Not Available.

    Cannot contact the server acting as the RID Master for domain 'DOMAIN' on port 389. Check that Active Directory server 'DC2.DOMAIN.com' is functioning correctly. Error code: 389 Not Available.

    The issue is that the Exchange server clearly has connection to the server on port 389 as Netstat shows them open on the domain controllers. Netstat on the Exchange server also shows them as open. So I uninstalled Kaspersky (various versions on the servers), restarted all machines and I am left with the exact same errors after another best practices scan.

    Before you jump to conclusions (don't forget your mat)...

    This technet article:

    http://technet.microsoft.com/en-us/library/aa995877%28v=exchg.80%29.aspx

    Does not help me. All of the schema owners and masters are up and running, and the previous domain controller and owner was stripped of the master and owner schema/roles before it was demoted. It does not provide a real solution to this issue, especially since I can see the open ports in netstat.

    System and domain information:

    Domain Controllers and Exchange server are all running on Server 2008r2 boxes.

    2 current domain controllers (both up to date)

    Domain functional level: Server 2008 (NOT r2)

    We have 5 RODCs at remote locations, 4 are 2008r2, 1 is 2008 (NOT r2)

    DC1 and dc2 are primary DNS for entire domain

    Outlook Anywhere is enabled but non-functional (yet)

    Entire network is VPN together from multiple sites, all sites have unique /24 DHCP address lot assigned by the primary DC or RODC on site.

    Domain control was recently run 100% by a 2003 server; we transferred the roles, demoted the server and raised the functional level.

    "Public" servers actually have a private IP and are NAT'ed to a public IP (ISP config, not ours). So Exchange webmail is available from anywhere, but Outlook anywhere is not.

    The server seems fully functional, but these errors and the recent problems trouble me (and might put my management ability in question)

    If there is any other information that you need, please let me know and I will be happy to provide it. I am just trying to get a grasp on all this.

    Thank you,

    -Max


    Rule your day, you never know when it might be your last.

    Saturday, March 16, 2013 2:38 AM

All replies

  • Post the event ID 2080 from application log from exchange server.

    Gulab Prasad,
    Exchange Ranger
    Z-Hire Employee Provisioning App

    Sunday, March 17, 2013 10:54 AM
  • Hello,

    This is the Exchange 2013 forum. I will help you to move your issue to exchange 2010 forum.


    Cara Chen
    TechNet Community Support

    Monday, March 18, 2013 6:24 AM
    Moderator
  • Hello,

    Please run dcdiag to check if the DC run normally.

    Please specify another DC for your exchange server and check the result.

    How to Use a Specific Domain Controller in Exchange 2010 Management Shell

    http://exchangeserverpro.com/how-to-use-a-specific-domain-controller-in-exchange-2010-management-shell


    Cara Chen
    TechNet Community Support

    Monday, March 18, 2013 6:30 AM
    Moderator
  • Process STORE.EXE (PID=4012). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
     (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
    In-site:
    dc1.DOMAIN.com    CDG 1 7 7 1 0 1 1 7 1
    DC2.DOMAIN.com    CDG 1 7 7 1 0 1 1 7 1
     Out-of-site:

    There are a few of them, but they are of course all identical.

    Thanks

    -Max


    Rule your day, you never know when it might be your last.

    Monday, March 18, 2013 9:57 PM
  • From DC2:

    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Windows\system32>dcdiag

    Directory Server Diagnosis

    Performing initial setup:
       Trying to find home server...
       Home Server = DC2
       * Identified AD Forest.
       Done gathering initial info.

    Doing initial required tests

       Testing server: Default-First-Site-Name\DC2
          Starting test: Connectivity
             ......................... DC2 passed test Connectivity

    Doing primary tests

       Testing server: Default-First-Site-Name\DC2
          Starting test: Advertising
             Warning: DC2 is not advertising as a time server.
             ......................... DC2 failed test Advertising
          Starting test: FrsEvent
             ......................... DC2 passed test FrsEvent
          Starting test: DFSREvent
             ......................... DC2 passed test DFSREvent
          Starting test: SysVolCheck
             ......................... DC2 passed test SysVolCheck
          Starting test: KccEvent
             ......................... DC2 passed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... DC2 passed test KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... DC2 passed test MachineAccount
          Starting test: NCSecDesc
             ......................... DC2 passed test NCSecDesc
          Starting test: NetLogons
             ......................... DC2 passed test NetLogons
          Starting test: ObjectsReplicated
             ......................... DC2 passed test ObjectsReplicated
          Starting test: Replications
             ......................... DC2 passed test Replications
          Starting test: RidManager
             ......................... DC2 passed test RidManager
          Starting test: Services
             ......................... DC2 passed test Services
          Starting test: SystemLog
             An error event occurred.  EventID: 0x0000006C
                Time Generated: 03/18/2013   16:12:51
                Event String:
                Failed to apply changes to software installation settings.  Software changes could not be applied.  A previous log entry with details should exist.  The error was : %%2147746153
             A warning event occurred.  EventID: 0x0000043D
                Time Generated: 03/18/2013   16:12:51
                Event String:
                Windows failed to apply the Software Installation settings. Software Installation settings might have its own log file. Please click on the "More information" link.
             An error event occurred.  EventID: 0x0000006C
                Time Generated: 03/18/2013   16:46:02
                Event String:
                Failed to apply changes to software installation settings.  Software changes could not be applied.  A previous log entry with details should exist.  The error was : %%2147746153
             A warning event occurred.  EventID: 0x0000043D
                Time Generated: 03/18/2013   16:46:02
                Event String:
                Windows failed to apply the Software Installation settings. Software Installation settings might have its own log file. Please click on the "More information" link.
             ......................... DC2 failed test SystemLog
          Starting test: VerifyReferences
             ......................... DC2 passed test VerifyReferences

       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test CrossRefValidation

       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test CrossRefValidation

       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation

       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation

       Running partition tests on : DOMAIN
          Starting test: CheckSDRefDom
             ......................... DOMAIN passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DOMAIN passed test CrossRefValidation

       Running enterprise tests on : DOMAIN.com
          Starting test: LocatorCheck
             Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
             A Time Server could not be located.
             The server holding the PDC role is down.
             Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
             A Good Time Server could not be located.
             ......................... DOMAIN.com failed test LocatorCheck
          Starting test: Intersite
             ......................... DOMAIN.com passed test Intersite

    C:\Windows\system32>

    From DC1:

    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Windows\system32>dcdiag

    Directory Server Diagnosis

    Performing initial setup:
       Trying to find home server...
       Home Server = dc1
       * Identified AD Forest.
       Done gathering initial info.

    Doing initial required tests

       Testing server: Default-First-Site-Name\DC1
          Starting test: Connectivity
             ......................... DC1 passed test Connectivity

    Doing primary tests

       Testing server: Default-First-Site-Name\DC1
          Starting test: Advertising
             Warning: DC1 is not advertising as a time server.
             ......................... DC1 failed test Advertising
          Starting test: FrsEvent
             There are warning or error events within the last 24 hours after the
             SYSVOL has been shared.  Failing SYSVOL replication problems may cause
             Group Policy problems.
             ......................... DC1 passed test FrsEvent
          Starting test: DFSREvent
             ......................... DC1 passed test DFSREvent
          Starting test: SysVolCheck
             ......................... DC1 passed test SysVolCheck
          Starting test: KccEvent
             ......................... DC1 passed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... DC1 passed test KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... DC1 passed test MachineAccount
          Starting test: NCSecDesc
             ......................... DC1 passed test NCSecDesc
          Starting test: NetLogons
             ......................... DC1 passed test NetLogons
          Starting test: ObjectsReplicated
             ......................... DC1 passed test ObjectsReplicated
          Starting test: Replications
             ......................... DC1 passed test Replications
          Starting test: RidManager
             ......................... DC1 passed test RidManager
          Starting test: Services
             ......................... DC1 passed test Services
          Starting test: SystemLog
             An error event occurred.  EventID: 0x0000165B
                Time Generated: 03/18/2013   16:02:32
                Event String:
                The session setup from computer 'BADKINS-2730P' failed because the security database does not contain a trust account 'BADKINS-2730P$' referenced by the specified computer.
             An error event occurred.  EventID: 0x000016AD
                Time Generated: 03/18/2013   16:18:05
                Event String:
                The session setup from the computer BADKINS-2730P failed to authenticate. The following error occurred:
             An error event occurred.  EventID: 0x0000006C
                Time Generated: 03/18/2013   16:26:58
                Event String:
                Failed to apply changes to software installation settings.  Software changes could not be applied.  A previous log entry with details should exist.  The error was : %%2147746153
             A warning event occurred.  EventID: 0x0000043D
                Time Generated: 03/18/2013   16:26:58
                Event String:
                Windows failed to apply the Software Installation settings. Software Installation settings might have its own log file. Please click on the "More information" link.
             ......................... DC1 failed test SystemLog
          Starting test: VerifyReferences
             ......................... DC1 passed test VerifyReferences

       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test CrossRefValidation

       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test CrossRefValidation

       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation

       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation

       Running partition tests on : DOMAIN
          Starting test: CheckSDRefDom
             ......................... DOMAIN passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DOMAIN passed test CrossRefValidation

       Running enterprise tests on : DOMAIN.com
          Starting test: LocatorCheck
             Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
             A Time Server could not be located.
             The server holding the PDC role is down.
             Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
             A Good Time Server could not be located.
             ......................... DOMAIN.com failed test LocatorCheck
          Starting test: Intersite
             ......................... DOMAIN.com passed test Intersite

    C:\Windows\system32>


    Rule your day, you never know when it might be your last.

    Monday, March 18, 2013 10:01 PM
  • On Mon, 18 Mar 2013 22:01:50 +0000, Maxim Sinclair wrote:
     
    > Running enterprise tests on : DOMAIN.com
    >
    > Starting test: LocatorCheck
    >
    > Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
    >
    > A Time Server could not be located.
    >
    > The server holding the PDC role is down.
    >
    > Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error
    >
    > 1355
    >
    > A Good Time Server could not be located.
    >
    > ......................... DOMAIN.com failed test LocatorCheck
    >
     
    Not having a working time service is a problem:
    http://www.petenetlive.com/KB/Article/0000705.htm
     
    Before you do that, verify that the date and time on the Exchange
    server and your DCs are all the same. Kerberos depends on clocks not
    being more than 5 minutes apart.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Thursday, March 21, 2013 3:02 AM
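    An added example, not part of the thread, of how to verify the two things this reply asks for: the clock offset between the host you run it on (the Exchange server) and every DC against the Kerberos 5-minute limit, and whether the domain locator can find a DC advertising as a time server, which is the same DsGetDcName(TIME_SERVER) call dcdiag's LocatorCheck reported as failing with error 1355 above. It assumes the RSAT ActiveDirectory module is installed where it runs and that the caller has WMI rights on the DCs; the DC names and domain come from the directory at run time, nothing is hard-coded from this thread.

```powershell
# Added example (not the thread's own code): clock skew and time-server locator checks.
# Assumes: RSAT ActiveDirectory module present, WMI access to each DC.
Import-Module ActiveDirectory

$maxSkew = New-TimeSpan -Minutes 5   # Kerberos default MaxClockSkew

function Get-RemoteClock {
    param([string]$ComputerName)
    # Win32_OperatingSystem.LocalDateTime is a DMTF string carrying the remote UTC
    # offset; the converter yields a DateTime in *this* host's zone, so a DC in
    # another time zone still compares correctly.
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName -ErrorAction Stop
    [System.Management.ManagementDateTimeConverter]::ToDateTime($os.LocalDateTime)
}

$domain  = Get-ADDomain
$targets = @(Get-ADDomainController -Filter * | ForEach-Object { $_.HostName })

foreach ($dc in $targets) {
    try {
        $remote = Get-RemoteClock -ComputerName $dc
        $offset = $remote - (Get-Date)   # includes a few ms of RPC latency, irrelevant at a 5-minute threshold
        $status = if ([Math]::Abs($offset.TotalSeconds) -gt $maxSkew.TotalSeconds) { 'SKEW TOO LARGE for Kerberos' } else { 'ok' }
        '{0,-30} offset {1,8:N1}s  {2}' -f $dc, $offset.TotalSeconds, $status
    } catch {
        '{0,-30} unreachable: {1}' -f $dc, $_.Exception.Message
    }
}

# Does any DC advertise the TIMESERV flag? Error 1355 (ERROR_NO_SUCH_DOMAIN)
# here is exactly what dcdiag printed under LocatorCheck.
nltest /dsgetdc:$($domain.DNSRoot) /timeserv

# The PDC emulator is the domain's time root: show where it syncs from and how far off it is.
w32tm /query /computer:$($domain.PDCEmulator) /source
w32tm /stripchart /computer:$($domain.PDCEmulator) /samples:3 /dataonly
```

    If the locator call fails while the clocks agree, the DC is serving NTP but not advertising it, which is the condition the next reply in this thread describes; the usual fix is to configure the PDC emulator with an external source and mark it reliable (w32tm /config on that DC with /syncfromflags:manual, /reliable:yes and /update), then rerun the block above.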
  • DCs and Exchange are less than 5 seconds apart. The DC wasn't broadcasting the NTP services, but was still servicing them.

    I have corrected the advertisement of the services.

    Any other clues? It's getting worse, more and more people more and more frequently.

    Thanks,

    -Max


    Rule your day, you never know when it might be your last.

    Thursday, March 21, 2013 8:24 PM
  • On Thu, 21 Mar 2013 20:24:11 +0000, Maxim Sinclair wrote:
     
    >DCs and Exchange are less than 5 seconds apart. The DC wasnt broadcasting the NTP services, but was still servicing them.
    >
    >I have corrected the advertisement of the services.
    >
    >Any other clues? It's getting worse, more and more people more and more frequently.
     
    Post the contents of a current 2080 EventID from your application log.
     
    Also note that it's the FSMO roles that the Exchange server says it
    can't contact. You'll see a connection to the DC on port 389, but
    that's just to the default naming context.
     
    If you have more than one DC try moving one of the FSMO roles and
    rerun the ExBPA to see if the error about that role disappears. If it
    does, try moving the others.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Friday, March 22, 2013 1:23 AM
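    An added example to go with this reply, not code from the thread: the ExBPA errors name the FSMO role holders, and a port-389 entry in netstat only proves a TCP handshake, not that the DC answers LDAP under the identity you expect. This block reads the current role holders out of the directory, then for each does both a bare TCP connect (what netstat shows) and a real LDAP bind to RootDSE (what ExBPA and Exchange's AD provider actually do; the ADSI bind negotiates Kerberos, so it also exercises DNS, the DC's SPN and clock skew). It assumes the RSAT ActiveDirectory module; the Test-TcpPort and Test-LdapRootDse function names are mine.

```powershell
# Added example (not the thread's own code): test FSMO role holders by LDAP bind, not by netstat.
# Assumes: RSAT ActiveDirectory module; run as a domain user on the Exchange server.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Role -> FQDN of the current holder, read from the fSMORoleOwner attributes in the directory.
$roles = @{
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
    'PDC Emulator'          = $domain.PDCEmulator
    'RID Master'            = $domain.RIDMaster
    'Infrastructure Master' = $domain.InfrastructureMaster
}

function Test-TcpPort {
    param([string]$Server, [int]$Port, [int]$TimeoutMs = 3000)
    # A bare TCP connect: equivalent to a port "showing open" in netstat, nothing more.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Test-LdapRootDse {
    param([string]$Server)
    # A real LDAP bind to RootDSE on 389. We return what the DC *says* it is, so a
    # bind that landed on the wrong box (stale DNS record, NAT) is visible too.
    try {
        $root = [ADSI]"LDAP://$Server/RootDSE"
        return @{ Answered = $true
                  DnsHostName = [string]$root.dnsHostName
                  IsSynchronized = [string]$root.isSynchronized }   # FALSE here means the DC is not yet advertising
    } catch {
        return @{ Answered = $false; Error = $_.Exception.Message }
    }
}

foreach ($role in $roles.Keys) {
    $holder = $roles[$role]
    $tcp  = Test-TcpPort -Server $holder -Port 389
    $ldap = Test-LdapRootDse -Server $holder
    $summary = if ($ldap.Answered) {
        'LDAP ok, answered as {0}, isSynchronized={1}' -f $ldap.DnsHostName, $ldap.IsSynchronized
    } else {
        'LDAP FAILED: {0}' -f $ldap.Error
    }
    '{0,-22} {1,-25} tcp389={2,-5} {3}' -f $role, $holder, $tcp, $summary
}
```

    A holder that passes the TCP connect but fails the bind, or answers with a different dnsHostName than the one you asked for, is the case this reply is pointing at. Without RSAT, netdom query fsmo lists the same holders. To pin the Exchange Management Shell to one DC while you test, Set-ADServerSettings -PreferredServer <dc fqdn> does what the linked article describes, and the role move this reply suggests is Move-ADDirectoryServerOperationMasterRole from the same RSAT module.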
  • Log Name:      Application
    Source:        MSExchange ADAccess
    Date:          3/26/2013 2:03:54 PM
    Event ID:      2080
    Task Category: Topology
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:      exchange.DOMAIN.com
    Description:
    Process STORE.EXE (PID=4516). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
     (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
    In-site:
    dc1.DOMAIN.com    CDG 1 7 7 1 0 1 1 7 1
    DC2.DOMAIN.com    CDG 1 7 7 1 0 1 1 7 1
     Out-of-site:

    Rule your day, you never know when it might be your last.

    Tuesday, March 26, 2013 7:12 PM
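    An added example, not from the thread, that decodes the columns of an MSExchange ADAccess event 2080 line so the digits above can be read without the legend. The column order is the one printed in the event itself; the bit meanings follow Microsoft's published description of the event (Reachability, Synchronized and Netlogon share one mask: 1 = as global catalog, 2 = as domain DC, 4 = as configuration DC; the OS Version flag means the DC's OS meets Exchange's minimum). The sample input is constructed from the two In-site lines posted above, and the function name is mine.

```powershell
# Added example (not the thread's own code): decode event 2080 server lines.

# Constructed sample: the two In-site lines from the event posted above.
$sample = @'
dc1.DOMAIN.com    CDG 1 7 7 1 0 1 1 7 1
DC2.DOMAIN.com    CDG 1 7 7 1 0 1 1 7 1
'@

$roleMap = @{ C = 'Configuration'; D = 'Domain'; G = 'GlobalCatalog' }

function ConvertFrom-RoleMask {
    param([int]$Mask)
    # Shared by Reachability / Synchronized / Netlogon: 1 = GC (3268), 2 = domain DC (389), 4 = config DC (389).
    $parts = @()
    if ($Mask -band 1) { $parts += 'GC' }
    if ($Mask -band 2) { $parts += 'DomainDC' }
    if ($Mask -band 4) { $parts += 'ConfigDC' }
    if ($parts.Count -eq 0) { 'none' } else { $parts -join '+' }
}

function ConvertFrom-Event2080Line {
    param([string]$Line)
    # Legend: Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version
    $f = $Line.Trim() -split '\s+'
    if ($f.Count -ne 11) { throw "Expected 11 columns, got $($f.Count): $Line" }
    New-Object PSObject -Property @{
        Server       = $f[0]
        Roles        = ($f[1].ToCharArray() | ForEach-Object { $roleMap[[string]$_] }) -join ','
        Enabled      = $f[2] -eq '1'     # 0 = excluded from use by Exchange
        Reachability = ConvertFrom-RoleMask ([int]$f[3])
        Synchronized = ConvertFrom-RoleMask ([int]$f[4])   # RootDSE isSynchronized, per role
        GCCapable    = $f[5] -eq '1'
        IsPDC        = $f[6] -eq '1'     # this DC holds the PDC emulator role
        SaclRight    = $f[7] -eq '1'     # "Manage auditing and security log" granted to Exchange Servers
        CriticalData = $f[8] -eq '1'     # Exchange config objects present in this DC's Configuration NC
        Netlogon     = ConvertFrom-RoleMask ([int]$f[9])   # same roles, located through Netlogon/DsGetDcName
        OsVersionOk  = $f[10] -eq '1'
    }
}

$decoded = $sample -split "`r?`n" | Where-Object { $_.Trim() } | ForEach-Object { ConvertFrom-Event2080Line $_ }
$decoded | Format-Table Server, Roles, Reachability, Synchronized, IsPDC, SaclRight, CriticalData, Netlogon, OsVersionOk -AutoSize

# Anything Exchange would refuse to use, plus a site where no DC claims the PDC role.
$decoded | Where-Object { -not $_.Enabled -or $_.Reachability -ne 'GC+DomainDC+ConfigDC' -or -not $_.SaclRight -or -not $_.OsVersionOk }
if (-not ($decoded | Where-Object { $_.IsPDC })) { 'No in-site DC reports itself as the PDC emulator.' }

# To decode the live event instead of the sample, feed it the server lines from the newest 2080:
# (Get-EventLog -LogName Application -Source 'MSExchange ADAccess' -InstanceId 2080 -Newest 1).Message -split "`r?`n" |
#     Where-Object { $_ -match '^\S+\s+[CDG]+(\s+\d+){9}\s*$' } | ForEach-Object { ConvertFrom-Event2080Line $_ }
```

    On the two lines above this prints both DCs as reachable, synchronized and Netlogon-located for all three roles, with the SACL right and critical data present, which is what a healthy 2080 looks like. It also prints the final line: neither DC reports itself as the PDC emulator, which is worth comparing with netdom query fsmo given the LocatorCheck warning earlier in the thread.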
  • Also, now all of a sudden I cannot get OWA and smartphone access to the email system. The management console fails initialization.

    The following error occurred while attempting to connect to the specified Exchange server 'exchange.DOMAIN.com':

    The attempt to connect to http://exchange.DOMAIN.com/PowerShell using "kerberos" authentication failed: Connecting to the remote server failed with the following message: The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure that WinRM service: "winrm quickconfig". For more information, see the about_Remote_Troubleshooting help topic.

    I have been through many of the troubleshooting pages that Google and Bing deliver to me, and nothing has changed the problem.

    It appears to be an issue with the IIS website and powershell connectivity.

    MORE BROKEN THINGS.


    Rule your day, you never know when it might be your last.

    Tuesday, March 26, 2013 7:50 PM
  • Event looks good.
    One more thing: are both of these DCs old ones, or did you promote a new one recently?

    Did you restart Exchange and try again?


    Gulab Prasad,
    Exchange Ranger
    Z-Hire Employee Provisioning App

    Tuesday, March 26, 2013 7:52 PM
  • The Kerberos issue should be fixed by restarting the server.
    I have seen this issue several times, and a restart has fixed it.

    Gulab Prasad,
    Exchange Ranger
    Z-Hire Employee Provisioning App

    Tuesday, March 26, 2013 7:55 PM
  • I promoted DC2 about 6 months ago. I don't know when dc1 was promoted, but it was here when I got here in August 2012.

    RODC systems have been recently promoted at remote locations, 4 of them in total, but that was about a month ago at this point, well before the issues started.

    I restarted Exchange quite a few times before I posted earlier. What it ended up being was that somehow the WinRM IIS Extension was no longer installed. I installed the feature and things began to fall into place. However, when the Exchange server is restarted now, I have to kill the EdgeTransport service and kill EdgeTransport.exe, then go to IIS and start the default website. Then the EdgeTransport service can be restarted.

    Do these need to be running? I had to bypass my antispam server and an MTA that were no longer routing emails through. I am going to spin up new systems for antispam and possibly the MTA, but in what situations would the Edge stuff be needed? Right now Exchange is all there is, in and out. Is an MTA a good plan for a medium-sized business (500-800 emails/day)? Or is a dual quad-core box with 16 GB of memory going to handle sending mail just fine?

    Still getting DC connection problems even with the Linux MTA and antispam out of the equation.


    Rule your day, you never know when it might be your last.

    Thursday, March 28, 2013 7:14 PM
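    An added example for the WinRM/IIS part of this post, not code from the thread: the EMC error quoted earlier ("kerberos" authentication to http://exchange.DOMAIN.com/PowerShell) depends on a chain of pieces, and this block checks each one in order on the Exchange 2010 server itself, ending with the same remote session the console opens. It assumes it is run locally as an administrator on Windows Server 2008 R2 with the ServerManager and WebAdministration modules; the feature name WinRM-IIS-Ext is the 2008 R2 name of the "WinRM IIS Extension" feature mentioned above.

```powershell
# Added example (not the thread's own code): verify the Exchange 2010 remote PowerShell chain.
# Assumes: run locally on the Exchange server as an administrator, Server 2008 R2 modules available.
Import-Module ServerManager
Import-Module WebAdministration

# 1. The feature that lets IIS hand /PowerShell requests to WinRM. The post above found it missing.
Get-WindowsFeature -Name WinRM-IIS-Ext | Format-Table Name, Installed -AutoSize

# 2. WinRM itself must be running with an HTTP listener.
Get-Service WinRM | Format-Table Name, Status -AutoSize
winrm enumerate winrm/config/listener

# 3. The site and the PowerShell application must be started. Exchange's Kerberos module
#    (kerbauth) does the real authentication on this vdir, so IIS itself shows anonymous
#    enabled there; compare both values with a known-good Exchange 2010 server.
Get-Website -Name 'Default Web Site' | Format-Table Name, State, PhysicalPath -AutoSize
Get-WebApplication -Site 'Default Web Site' -Name PowerShell | Format-Table Path, ApplicationPool -AutoSize
Get-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\PowerShell' `
    -Filter system.webServer/security/authentication/anonymousAuthentication -Name enabled
Get-WebGlobalModule | Where-Object { $_.Name -match 'kerb' }

# 4. Kerberos needs an HTTP/<fqdn> SPN on the server's account, then an authenticated WS-Man probe.
setspn -L $env:COMPUTERNAME | Select-String -Pattern '^\s*HTTP/'
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
Test-WSMan -ComputerName $fqdn -Authentication Kerberos

# 5. The session the EMC and EMS actually open.
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "http://$fqdn/PowerShell/" -Authentication Kerberos
Invoke-Command -Session $session { Get-ExchangeServer | Select-Object Name, ServerRole }
Remove-PSSession $session

# On the transport question in the post: EdgeTransport.exe is the process behind the
# MSExchangeTransport service on a Hub Transport server too, not only on an Edge server,
# so stopping it stops mail flow. It should be running on this box:
Get-Service MSExchangeTransport | Format-Table Name, Status -AutoSize
```

    Work down the list and stop at the first step that fails; each later step can only succeed if the ones before it do. If step 4 lists no HTTP/ SPN, Kerberos to the vdir fails even with IIS healthy, which is the symptom in the EMC message above.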
  • No, you don't need the Edge service running if you are not using an Edge server, so it's OK to stop the service.

    16 GB is enough for the number of emails you have mentioned.
    Check the DCs too: do you see anything suspicious in Event Viewer?


    Gulab Prasad,
    Exchange Ranger
    Z-Hire Employee Provisioning App

    Thursday, March 28, 2013 7:49 PM