Exchange 2010 Would Not Authenticate to Secondary DC

  • Question

  • Hi.

    I have 2 DCs in one site, both GCs with DNS.  DC 1 failed with memory pool errors and would not process any requests.  Users could authenticate to the domain, but they could not authenticate to their Exchange accounts.  This is 2003 AD and 2010 Exchange.

    I checked replication, and it passes.  Event 2080 shows both insite DCs and 1 out of site DC (which is located in a branch office).

    I have the following events on the Exchange server:

    8365 - MSExchange AL (could not read security descriptor from Exchange Server object)
    6003 - SACL Watcher (cannot open group policy on DC1)
    9385 - MSExchange SA (system attendant failed to read membership of universal security grp)

    I got DC1 back online quickly, but cannot figure out why DC2 wouldn't authenticate Exchange.  What am I missing?

    Monday, April 23, 2012 7:06 PM

Answers

  • Everything checked out fine.  Finally figured out that the devices that could not connect to email had the crashed DC explicitly configured for authentication.

    Sometimes the answer is just that simple :).  Thanks for your comments.

    • Marked as answer by VioletBlueThru Wednesday, April 25, 2012 9:47 PM
    Wednesday, April 25, 2012 9:47 PM

All replies

  • Please post the full text of the 2080 event log entry.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Monday, April 23, 2012 10:08 PM
    Moderator
  • Log Name:      Application
    Source:        MSExchange ADAccess
    Date:          4/23/2012 2:50:52 PM
    Event ID:      2080
    Task Category: Topology
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:      ES1.mydomain.WC
    Description:
    Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1504). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
     (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
    In-site:
    DC1.mydomain.WC CDG 1 7 7 1 0 1 1 7 1
    DC2.mydomain.WC CDG 1 7 7 1 0 1 1 7 1
     Out-of-site:
    DC3.mydomain.WC CD- 1 6 6 0 0 1 1 6 1
     
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="MSExchange ADAccess" />
        <EventID Qualifiers="16388">2080</EventID>
        <Level>4</Level>
        <Task>3</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2012-04-23T21:50:52.000000000Z" />
        <EventRecordID>223415</EventRecordID>
        <Channel>Application</Channel>
        <Computer>ES1.mydomain.WC</Computer>
        <Security />
      </System>
      <EventData>
        <Data>MSEXCHANGEADTOPOLOGYSERVICE.EXE</Data>
        <Data>1504</Data>
        <Data>DC1.mydomain.WC CDG 1 7 7 1 0 1 1 7 1
    DC2.mydomain.WC CDG 1 7 7 1 0 1 1 7 1
    </Data>
        <Data>DC3.mydomain.WC CD- 1 6 6 0 0 1 1 6 1
    </Data>
      </EventData>
    </Event>

    Monday, April 23, 2012 10:14 PM
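The server table in that 2080 event is easier to judge decoded than eyeballed. This added Python example (not code from the thread or from Microsoft) parses the description block and lists why Exchange would not fully use a DC for the roles it advertises. It assumes the column meanings Microsoft documents for event 2080 (Reachability, Synchronized and Netlogon are bit masks; the rest are 0/1 flags); the three DC rows are the ones posted above, and the DC4.example.test row is constructed to show a degraded DC.

```python
import re

# Columns after "Server name" and "Roles", in the order event 2080 prints them.
COLUMNS = ("enabled", "reachability", "synchronized", "gc_capable", "pdc",
           "sacl_right", "critical_data", "netlogon", "os_version")
# Bit-mask columns: 1 = GC on 3268, 2 = DC on 389, 4 = configuration DC
# on 389; 7 means all three (assumed from Microsoft's notes on event 2080).
MASKS = ("reachability", "synchronized", "netlogon")
ROLE_BITS = {"G": 1, "D": 2, "C": 4}   # role letter -> bit that should be set
ROW_RE = re.compile(r"^\s*(\S+)\s+([CDG-]{3})\s+((?:\d\s+){8}\d)\s*$")

def parse_2080(text):
    """Parse the server table from a 2080 description into one dict per DC."""
    rows, site = [], None
    for line in text.splitlines():
        head = line.strip().lower()
        if head.startswith(("in-site", "out-of-site")):
            site = head.rstrip(":")
            continue
        m = ROW_RE.match(line)
        if m and site:
            row = {"server": m.group(1), "roles": m.group(2), "site": site}
            row.update(zip(COLUMNS, map(int, m.group(3).split())))
            rows.append(row)
    return rows

def problems(row):
    """Reasons Exchange would not fully use this DC for the roles it advertises."""
    issues = [] if row["enabled"] else ["disabled"]
    for letter, bit in ROLE_BITS.items():
        if letter in row["roles"]:
            issues += [f"{col} missing role {letter}" for col in MASKS
                       if not row[col] & bit]
    issues += [f"{flag}=0" for flag in ("sacl_right", "critical_data", "os_version")
               if not row[flag]]
    return issues

# Sample: the thread's three rows plus a constructed degraded DC4.example.test.
SAMPLE_2080 = """\
In-site:
DC1.mydomain.WC CDG 1 7 7 1 0 1 1 7 1
DC2.mydomain.WC CDG 1 7 7 1 0 1 1 7 1
 Out-of-site:
DC3.mydomain.WC CD- 1 6 6 0 0 1 1 6 1
DC4.example.test CDG 1 3 3 1 0 0 1 3 1
"""

if __name__ == "__main__":
    for r in parse_2080(SAMPLE_2080):
        print(r["site"], r["server"], r["roles"], problems(r) or "ok")
```

Paste the Description block of a real 2080 event in place of SAMPLE_2080; a DC that shows anything other than "ok" is one Exchange will skip or only partly use, which is the first thing to check before suspecting replication.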
  • How long did you wait after taking the DC out of service?  The failover to a different DC can take a few minutes, or you can reboot the Exchange server to speed it up.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Monday, April 23, 2012 10:19 PM
    Moderator
  • DC1 reported a memory pool problem during backup at 12:50 a.m. but I was not aware.  Everyone came in in the morning and was working normally.   Almost 12 hours later, more memory pool errors.  Then at 1:01 PM DHCP Server on DC1 failed to see a directory server (DC1 is the only DHCP server),  1:09 PM event ID 5787 - global catalog no longer automatically covers remote site for forest, 1:09 PM event ID 5781 details below:

    Event Type: Warning
    Event Source: NETLOGON
    Event Category: None
    Event ID: 5781
    Date:  4/20/2012
    Time:  1:09:48 PM
    User:  N/A
    Computer: DC1
    Description:
    Dynamic registration or deletion of one or more DNS records associated with DNS domain 'mydomain.WC.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition). 

    Possible causes of failure include: 
    - TCP/IP properties of the network connections of this computer contain wrong IP address(es) of the preferred and alternate DNS servers
    - Specified preferred and alternate DNS servers are not running
    - DNS server(s) primary for the records to be registered is not running
    - Preferred or alternate DNS servers are configured with wrong root hints
    - Parent DNS zone contains incorrect delegation to the child zone authoritative for the DNS records that failed registration 

    USER ACTION 
    Fix possible misconfiguration(s) specified above and initiate registration or deletion of the DNS records by running 'nltest.exe /dsregdns' from the command prompt or by restarting Net Logon service. Nltest.exe is available in the Microsoft Windows Server Resource Kit CD.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 2a 23 00 00               *#..   

    At 1:09 p.m. DC1 was choking, but no one really noticed until about 1:50 p.m.  I would think with the DNS error at 1:09, DC2 should have picked up by 1:50.  And, it did, as far as network login.  We just couldn't get Outlook to authenticate to our Exchange server. 

    I shut DC1 down, brought it back up, and all is well.  Just can't figure out why DC2 wouldn't authenticate to Exchange...

    Monday, April 23, 2012 11:01 PM
  • Hi,

    Please try to run DCdiag from your Exchange to see if it can find and pass all the tests with DC2.

    Please try to force DC replication.

    Please try to manually specify the configuration domain controller and preferred domain controller and then test the issue again.


    Xiu Zhang

    TechNet Community Support

    Tuesday, April 24, 2012 9:15 AM
  • That's why I never configure that kind of thing.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Friday, April 27, 2012 5:50 AM
    Moderator