Active directory problem (0x8007203B) when installing exchange

    Question

  • Hi,

    I am in the process of upgrading / migrating my network to new servers (software and hardware).
    I had/have 2 servers:
    MAIL - Windows 2003, AD DC, Exchange 2003
    TARDIS - Windows 2003, AD DC, File & Print
    I am/have added:
    MGMT - Windows 2008R2, AD DC, some other management functions, VMware VM
    FILE - Windows 2008R2, AD DC, Files, VMware VM
    EX10 - Windows 2008R2, AD member server, Will get Exchange 2010, VMware VM

    The process for installing the new servers went without any issues (that I noticed). The two new AD servers were promoted OK and can make / see changes to the AD. They are also DNS and DHCP servers, which is also working OK.
    The domain is in Windows Server 2003 mode.  FSMO has been moved to MGMT.

    I thought everything was going fine.

    Now I am following the steps for installing Exchange 2010. Checks and prereqs have been done, including installing the AD tools. I can use the ADUC tool to edit the directory and that change is shown on the AD servers. The next command is "setup /pl" (prepareLegacyExchangePermissions), which I run on the EX10 server.
    When I run it I receive an error saying "Active Directory server XXX.YYY.com.au is not available. Error message: A local error occurred".
    I have found the Exchange setup logs and noted the entries below:

    This is from the ExchangeSetup.log
    [02/21/2011 22:29:57.0839] [0] [ERROR] Setup encountered a problem while validating the state of Active Directory: Active Directory error 0x8007203B occurred while searching for domain controllers in domain ampco.com.au: A local error has occurred.
    [02/21/2011 22:29:57.0854] [0] [ERROR] Active Directory error 0x8007203B occurred while searching for domain controllers in domain ampco.com.au: A local error has occurred.
    [02/21/2011 22:29:57.0854] [0] [ERROR] A local error has occurred.

    This is from the ExBPA.201102221412243585.log
    14:12:35.125: Starting the Collecting Data phase.
    14:12:35.594: Active Directory server tardis.ampco.com.au is not available. Error message: A local error occurred.
    14:12:37.407: An error occurred (The ((&(objectClass=server)(|(cn=)(dNSHostName=)))) search filter is invalid.) while trying to search for the object LDAP://cn=Sites,CN=Configuration,DC=ampco,DC=com,DC=au-(&(objectClass=server)(|(cn=)(dNSHostName=)))-Subtree. Skipping object.
    14:12:37.844: Completed Collecting Data phase.
    14:12:37.969: Starting the Postprocessing Rules phase.
    14:12:38.032: Completed Postprocessing Rules phase.

    I have started looking for AD error 0x8007203b but have not found a viable cause yet.

    Any points in the correct direction will be a great help.

    Thanks
    Ian

    Wednesday, February 23, 2011 12:46 AM

All replies

  • Hello,

    as your problem belongs to Exchange and not Directory Services, please use the Exchange Server forum instead; even though the domain has to be prepared, this belongs to Exchange:

    http://social.technet.microsoft.com/Forums/en-US/category/exchange2010,exchangeserver/

    Please see http://blog.schertz.name/2010/11/error-0x8007203b-during-exchange-2010-installation/ for the mentioned error; if this doesn't help, please use the Exchange forum.

    Some remarks on the VMs: make sure the VMware Tools are not used for time sync with the host on them. You run into trouble if the time is taken from the host instead of the PDCEmulator.

    Additionally, do not use snapshots of DC VMs for backup; this is not supported and results in USN rollback if you work with them.

    DCs should normally do only their basic job, AD/DNS/GC and maybe DHCP, and then security must be set up for them. No other server role should be run on them, and no applications should be installed on them.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Wednesday, February 23, 2011 2:40 AM
  • Thanks for the reply,

    I only posted the question here as it listed itself as an Active Directory error. I still believe the problem is within my config for AD rather than Exchange.

    I had previously found that blog post about his time synchronisation being off. I have double-checked that all of my servers are in the same time zone and on the same time. None of them are using VMware's tools for time synchronisation. My DCs sync with an external source.

    If you have any other ideas that I can check, I would be grateful.

    Thanks
    Ian

    Wednesday, February 23, 2011 3:24 AM
  • Hello,

    "My DCs sync with an external source"

    This is hopefully the current PDCEmulator only, as that DC is the domain time source for all others.

    Please post an unedited ipconfig /all from the server that should become the new one and all your DC/DNS servers.

    Did you use the installation disk directly on the FSMO role holder and run the command there?


    Best regards Meinolf Weber
    Wednesday, February 23, 2011 3:55 AM
    You are running Exchange Server on a DC and now again installing Exchange 2010 on a DC; do you know that installing Exchange on a DC is not best practice?

    I can't believe I missed the post: the new Exchange will be on a member server, but you can refer to the article below for the old setup too :)

    http://theessentialexchange.com/blogs/michael/archive/2008/03/29/exchange-server-2007-and-domain-controllers-a-summary.aspx

    There is an issue if you install Exchange on a DC: it will not communicate with any other GC except the DC/GC server it is being installed on. I would suggest that installing Exchange on another server is a better method than on a DC. Also, installing Exchange on a VM is not good practice either, but at least try to avoid installing Exchange on a DC.

    Did you check the health of the domain controller using netdiag /v and dcdiag /v /c /d /e?

    Did you configure the new DCs as GCs too? If not, configure it. Also, are your new DCs' NICs pointed at the local DNS server as preferred and alternate DNS server, and not at anything else like 169.xx.xx.xx or any public IP?

    Regards


    Awinish Vishwakarma | My Blog

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    • Edited by AwinishMVP, Moderator, Wednesday, February 23, 2011 6:26 AM: modified the comment; new Exchange will be on a member server
    Wednesday, February 23, 2011 5:09 AM
  • Hello Awinish,

    you are completely correct about Exchange on DCs, but the OP is not doing it on the new server; only the old one is a DC.

    "EX10 - Windows 2008R2, AD member server, Will get Exchange 2010, VMware VM"

    Please keep in mind that netdiag is not supported on Windows Server 2008 and will not run anymore on Windows Server 2008 R2.

    And like you, I am still waiting for the ipconfig outputs from all DC/DNS servers and the new Exchange server.


    Best regards Meinolf Weber
    Wednesday, February 23, 2011 5:16 AM
    Thanks Meinolf for pointing it out regarding the new Exchange on a member server. My apologies, and I'll modify the comments.

    Wednesday, February 23, 2011 6:20 AM
  • Hi,

    Thanks for taking the time to look at this...
    Yes, I know my old setup was not good with EX and DC on the same machine; I'm trying to move away from that with the new servers.
    For the time syncing, I followed a guide in a book that I have about VMwaring tier 1 MS applications about setting the sync via a group policy with a WMI filter on it. My understanding is that it only applies to the primary DC.
    MAIL, MGMT and FILE are all GCs.
    All DNS are pointing internally. 10.27.1.2 and 10.27.1.3 are the old Win2003 servers, 10.27.1.151 and 10.27.1.154 are the new Win2008R2 servers.
    I'll post the ipconfig /all for each of the servers below.
    I have only attempted to run the Exchange "setup /pl" command on the EX10 server, not the MGMT FSMO server.
    I just ran that dcdiag command... WOW, that produces a lot of screens of output! I will have a look at it in the morning. (Is there a way to attach a copy of it so better people than I could look at it?)

    Thanks again for looking at this.
    Ian

    MAIL
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : mail
       Primary Dns Suffix  . . . . . . . : ampco.com.au
       Node Type . . . . . . . . . . . . : Unknown
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : ampco.com.au
                                           com.au
    Ethernet adapter Local Area Connection:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : HP NC7781 Gigabit Server Adapter
       Physical Address. . . . . . . . . : 00-0E-7F-AB-91-9A
       DHCP Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : 10.27.1.3
       Subnet Mask . . . . . . . . . . . : 255.255.0.0
       Default Gateway . . . . . . . . . : 10.27.1.19
       DNS Servers . . . . . . . . . . . : 10.27.1.2
                                           127.0.0.1

    TARDIS
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : tardis
       Primary Dns Suffix  . . . . . . . : ampco.com.au
       Node Type . . . . . . . . . . . . : Unknown
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : ampco.com.au
    Ethernet adapter Local Area Connection 2:
       Connection-specific DNS Suffix  . : ampco.com.au
       Description . . . . . . . . . . . : HP NC373i Multifunction Gigabit Server Adapter #2
       Physical Address. . . . . . . . . : 00-1A-4B-B2-0B-D8
       DHCP Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : 10.27.1.2
       Subnet Mask . . . . . . . . . . . : 255.255.0.0
       Default Gateway . . . . . . . . . : 10.27.1.19
       DNS Servers . . . . . . . . . . . : 10.27.1.3
                                           127.0.0.1

    MGMT
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : MGMT
       Primary Dns Suffix  . . . . . . . : ampco.com.au
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : ampco.com.au
    Ethernet adapter Local Area Connection 2:
       Connection-specific DNS Suffix  . : ampco.com.au
       Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter #2
       Physical Address. . . . . . . . . : 00-50-56-92-00-03
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 10.27.1.151(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.0.0
       Default Gateway . . . . . . . . . : 10.27.1.19
       DNS Servers . . . . . . . . . . . : 10.27.1.3
                                           10.27.1.2
                                           127.0.0.1
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter isatap.ampco.com.au:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : ampco.com.au
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    FILE
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : File
       Primary Dns Suffix  . . . . . . . : ampco.com.au
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : ampco.com.au
    Ethernet adapter vNetwork:
       Connection-specific DNS Suffix  . : ampco.com.au
       Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter #2
       Physical Address. . . . . . . . . : 00-50-56-92-00-02
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 10.27.1.154(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.0.0
       Default Gateway . . . . . . . . . : 10.27.1.19
       DNS Servers . . . . . . . . . . . : 10.27.1.151
                                           10.27.1.3
                                           127.0.0.1
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter isatap.ampco.com.au:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : ampco.com.au
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    EX10
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : EX10
       Primary Dns Suffix  . . . . . . . : ampco.com.au
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : ampco.com.au
    Ethernet adapter Local Area Connection 2:
       Connection-specific DNS Suffix  . : ampco.com.au
       Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter #2
       Physical Address. . . . . . . . . : 00-50-56-92-00-07
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 10.27.1.155(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.0.0
       Default Gateway . . . . . . . . . : 10.27.1.19
       DNS Servers . . . . . . . . . . . : 10.27.1.151
                                           10.27.1.3
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter isatap.ampco.com.au:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : ampco.com.au
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Wednesday, February 23, 2011 11:00 AM
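    As an added example (not code from the thread or from any of its participants), the script below reads `ipconfig /all` output like the listings above and applies the checks the replies ask for: DNS servers should be internal DCs rather than 169.254.x.x or public addresses, and a 255.255.0.0 mask yields 65534 hosts in one broadcast domain. The sample output is constructed (the "Bad Example" adapter is invented), and the 4094-host threshold is an assumption.

```python
import ipaddress
import re
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KEY_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 -]*?)[ .]*: ?(.*)$")   # "Key . . . : value"
WARNINGS = {"apipa": "APIPA 169.254.x.x address used as DNS server", "public": "non-RFC1918 address used as DNS server"}

# Constructed sample: the first adapter mirrors the thread's MGMT output; the
# second is made up to show the DNS settings the replies warn against.
SAMPLE = """Ethernet adapter Local Area Connection 2:
   IPv4 Address. . . . . . . . . . . : 10.27.1.151(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   DNS Servers . . . . . . . . . . . : 10.27.1.3
                                       10.27.1.2
                                       127.0.0.1
Ethernet adapter Bad Example:
   IPv4 Address. . . . . . . . . . . : 10.27.1.200(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   DNS Servers . . . . . . . . . . . : 169.254.1.1
                                       203.0.113.53
"""

def parse_ipconfig(text):
    """Return {adapter: {key: [values]}}; wrapped values (extra DNS servers) are appended."""
    sections, current, key = {}, "Windows IP Configuration", None
    for line in filter(str.strip, text.splitlines()):
        m = KEY_RE.match(line)
        if not line[0].isspace():                  # adapter header such as "Ethernet adapter X:"
            current, key = line.rstrip(":").strip(), None
        elif m:                                    # key line; the value may be empty
            key, value = m.group(1).strip(), m.group(2).strip()
            sections.setdefault(current, {}).setdefault(key, []).extend([value] if value else [])
        elif key:                                  # continuation line holding only a value
            sections[current][key].append(line.strip())
    return sections

def classify_dns(server):
    """'loopback', 'apipa' (169.254.x.x), 'internal' (RFC 1918) or 'public'."""
    ip = ipaddress.ip_address(server)
    if ip.is_loopback or ip.is_link_local:
        return "loopback" if ip.is_loopback else "apipa"
    return "internal" if any(ip in n for n in RFC1918) else "public"

def check_adapters(text):
    """Findings per adapter that has an address, following the advice in the replies."""
    findings = {}
    for name, keys in parse_ipconfig(text).items():
        if keys.get("IPv4 Address") or keys.get("IP Address"):      # 2008 R2 / 2003 labels
            kinds = {classify_dns(s) for s in keys.get("DNS Servers", [])}
            notes = [msg for kind, msg in WARNINGS.items() if kind in kinds]
            hosts = ipaddress.ip_network("0.0.0.0/" + keys.get("Subnet Mask", ["255.255.255.255"])[0]).num_addresses - 2
            if hosts > 4094:                        # /20 or larger; the thread's /16 gives 65534
                notes.append(f"subnet allows {hosts} hosts: one large broadcast domain")
            findings[name] = notes
    return findings
```

    Paste the real `ipconfig /all` text in place of SAMPLE to review each DC and the Exchange server the same way.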
  • Hello,

    "For the time syncing, I followed a guide in a book that I have about VMwaring tier 1 MS applications about setting the sync via a group policy with a WMI filter on it. My understanding is that it only applies to the primary DC."

    No idea what you found and configured with the WMI settings. The correct time belongs to all domain machines, regardless of the role. But I suggest using only the default Microsoft way to be sure it works correctly. I have never used WMI filters or GPO settings for time sync on our VMs.

    Disabling the VMware Tools and configuring the PDCEmulator to an external time source, or a hardware device that is not a domain member (router, switch, NTP hardware device), is always sufficient. More details about domain time, including configuration commands, can be found at: http://msmvps.com/blogs/mweber/archive/2010/06/27/time-configuration-in-a-windows-domain.aspx

    The ipconfig outputs look OK to me. No multihoming, but quite a big subnet, which creates a really big broadcast domain. Do you need that amount of clients, 65534?


    Best regards Meinolf Weber
    Wednesday, February 23, 2011 5:33 PM
  • OK,  I take your point to keep it simple.

    I'll disable the group policy and follow the steps to manually set the PDCEmulator to the source to make sure everything is OK.

    I'm scheduled to spend the day in hospital today (just about to leave) so I may not get back to you for a day. I'll try to do it tonight if I'm not too out of it, but I will get back to you either way.

    Thanks

    Ian

    Wednesday, February 23, 2011 8:57 PM
  • Hi,

    Sorry for the delay. The hospital visit took longer than I thought to recover from.

    I think I have taken a step backwards over the weekend with this and I'm more convinced that my problem is in the AD.

    I applied some updates over the weekend and rebooted my servers. Every server restarted as normal and everything seems to be working correctly (file, print and Exchange 2003 access). If I make a change (edit) on either of the two 2003 servers or the two 2008R2 servers it is reflected in the other servers and everything seems to be talking correctly.

    except...

    My future Exchange 2010 server (which has the AD admin tools as part of the prerequisites) can not access the ADUC. If I try to access a share on the DC it asks for my login details again (and then works).
    If I run the Exchange Pre-Deployment Analyzer (which I have run about 4 times before without problems) I get an error.
    It checks for updates (finds none), then goes to the welcome screen, I select "new scan", it has the AD server (which is also my ex03 server) pre-filled in, I select "connect to the AD server", the progress works along to 100% and then a popup says "An operations error occurred".
    The logs (both the ExchangeSetupLogs and the Event Viewer logs) have no new content, so I don't have an error code or anything.
    I have also tried specifying the account information for connecting to AD and EX.

    I'm going to go through the BPA and see if I can find any outstanding issues that I can fix.

    Ian

    Sunday, February 27, 2011 11:43 PM
  • Hi Again.

    I think I have gotten back to where I was before. The BPA had an item about DES encryption which was ticked in the administrator's account and was suggesting that I should change to an AES encryption. I had a look at my 2003 DC and couldn't see an option that matched the AES ones on the 2008 DC, so I looked for fixes for allowing DES (at least till I get rid of the 2003 DCs). One comment I found mentioned that resetting the password (to the same as its current password) on the 2008 DC would regenerate the needed keys.

    I did that and restarted the machines, and now the future Exchange member server can once again get into the ADUC and run the Exchange Pre-Deployment Analyzer.

    I am still getting an error when trying to run the Exchange "setup /pl" command.
        Updating legacy permissions      ......................... FAILED
         Active Directory server mail.ampco.com.au is not available. Error message:
    A local error occurred.

    Ian

    Monday, February 28, 2011 12:25 AM