I ran into a problem while installing our Exchange 2010
server where client access authentication does not work unless the server is configured as a domain controller with global catalogue
.
I went to production with this because of time constraints but I really need to fix it now. I have no idea where the problem could be or how to identify the problem.
My question(s) is(are):
What could cause this issue? How could I test it and repair it?
I don't really know what information would be relevant to the issue but;
Server OS is Win 2008 R2
and all DCs are the same.
Exchange server has CAS
, Hub Transport
and Mailbox Server
roles.
External mail is received by another exchange 2010 server running the Edge role in the DMZ. (this works okay and Edge server is not a DC... obviously ;) )
Please let me know what additional information could be added to improve this question. I will add it as soon as I can.
This is a follow-on question from this.
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
* Verifying that the local machine DC2, is a Directory Server.
Home Server = DC2
* Connecting to directory service on server DC2.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=corp,DC=domain,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=corp,DC=domain,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=DC3,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=MX1,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 3 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Brisbane\DC2
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
* Active Directory RPC Services Check
......................... DC2 passed test Connectivity
Doing primary tests
Testing server: Brisbane\DC2
Starting test: Advertising
The DC DC2 is advertising itself as a DC and having a DS.
The DC DC2 is advertising as an LDAP server
The DC DC2 is advertising as having a writeable directory
The DC DC2 is advertising as a Key Distribution Center
The DC DC2 is advertising as a time server
The DS DC2 is advertising as a GC.
......................... DC2 passed test Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Starting test: FrsEvent
* The File Replication Service Event log test
Skip the test because the server is running DFSR.
......................... DC2 passed test FrsEvent
Starting test: DFSREvent
The DFS Replication Event Log.
......................... DC2 passed test DFSREvent
Starting test: SysVolCheck
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... DC2 passed test SysVolCheck
Starting test: KccEvent
* The KCC Event log test
Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
......................... DC2 passed test KccEvent
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
Role Domain Owner = CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
Role PDC Owner = CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
Role Rid Owner = CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
Role Infrastructure Update Owner = CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
......................... DC2 passed test KnowsOfRoleHolders
Starting test: MachineAccount
Checking machine account for DC DC2 on DC DC2.
* SPN found :LDAP/DC2.corp.domain/corp.domain
* SPN found :LDAP/DC2.corp.domain
* SPN found :LDAP/DC2
* SPN found :LDAP/DC2.corp.domain/corpdomain
* SPN found :LDAP/ef6459ec-28d5-4ab4-85bc-778547782ce7._msdcs.corp.domain
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/ef6459ec-28d5-4ab4-85bc-778547782ce7/corp.domain
* SPN found :HOST/DC2.corp.domain/corp.domain
* SPN found :HOST/DC2.corp.domain
* SPN found :HOST/DC2
* SPN found :HOST/DC2.corp.domain/corpdomain
* SPN found :GC/DC2.corp.domain/corp.domain
......................... DC2 passed test MachineAccount
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC DC2.
* Security Permissions Check for
DC=ForestDnsZones,DC=corp,DC=domain
(NDNC,Version 3)
* Security Permissions Check for
DC=DomainDnsZones,DC=corp,DC=domain
(NDNC,Version 3)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=corp,DC=domain
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,DC=corp,DC=domain
(Configuration,Version 3)
* Security Permissions Check for
DC=corp,DC=domain
(Domain,Version 3)
......................... DC2 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\DC2\netlogon
Verified share \\DC2\sysvol
......................... DC2 passed test NetLogons
Starting test: ObjectsReplicated
DC2 is in domain DC=corp,DC=domain
Checking for CN=DC2,OU=Domain Controllers,DC=corp,DC=domain in domain DC=corp,DC=domain on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain in domain CN=Configuration,DC=corp,DC=domain on 1 servers
Object is up-to-date on all servers.
......................... DC2 passed test ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Starting test: Replications
* Replications Check
* Replication Latency Check
DC=ForestDnsZones,DC=corp,DC=domain
Latency information for 1 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=DomainDnsZones,DC=corp,DC=domain
Latency information for 1 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Schema,CN=Configuration,DC=corp,DC=domain
Latency information for 1 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=corp,DC=domain
Latency information for 1 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=corp,DC=domain
Latency information for 1 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
......................... DC2 passed test Replications
Starting test: RidManager
* Available RID Pool for the Domain is 3102 to 1073741823
* DC2.corp.domain is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 1602 to 2101
* rIDPreviousAllocationPool is 1602 to 2101
* rIDNextRID: 1818
......................... DC2 passed test RidManager
Starting test: Services
* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
* Checking Service: DnsCache
* Checking Service: DFSR
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: w32time
* Checking Service: NETLOGON
......................... DC2 passed test Services
Starting test: SystemLog
* The System Event log test
An error event occurred. EventID: 0x80000003
Time Generated: 03/19/2013 13:15:51
Event String:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 3:15:51.0000 3/19/2013 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: CORP.domain
Server Name: dc2$@CORP.domain
Target Name: dc2$@CORP.domain@CORP.domain
Error Text:
File: 9
Line: f09
Error Data is in record data.
An error event occurred. EventID: 0x80000003
Time Generated: 03/19/2013 13:30:51
Event String:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 3:30:51.0000 3/19/2013 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: CORP.domain
Server Name: dc2$@CORP.domain
Target Name: dc2$@CORP.domain@CORP.domain
Error Text:
File: 9
Line: f09
Error Data is in record data.
An error event occurred. EventID: 0x80000003
Time Generated: 03/19/2013 13:45:52
Event String:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 3:45:52.0000 3/19/2013 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: CORP.domain
Server Name: dc2$@CORP.domain
Target Name: dc2$@CORP.domain@CORP.domain
Error Text:
File: 9
Line: f09
Error Data is in record data.
An error event occurred. EventID: 0x80000003
Time Generated: 03/19/2013 13:53:46
Event String:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 3:53:46.0000 3/19/2013 Z
Error Code: 0x29 KRB_AP_ERR_MODIFIED
Extended Error:
Client Realm:
Client Name:
Server Realm: CORP.domain
Server Name: dc2$
Target Name:
Error Text:
File: 3
Line: 576
Error Data is in record data.
An error event occurred. EventID: 0x80000003
Time Generated: 03/19/2013 14:00:52
Event String:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 4:0:52.0000 3/19/2013 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: CORP.domain
Server Name: dc2$@CORP.domain
Target Name: dc2$@CORP.domain@CORP.domain
Error Text:
File: 9
Line: f09
Error Data is in record data.
......................... DC2 failed test SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Starting test: VerifyReferences
The system object reference (serverReference)
CN=DC2,OU=Domain Controllers,DC=corp,DC=domain and
backlink on
CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
are correct.
The system object reference (serverReferenceBL)
CN=DC2,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=corp,DC=domain
and backlink on
CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
are correct.
The system object reference (msDFSR-ComputerReferenceBL)
CN=DC2,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=corp,DC=domain
and backlink on
CN=DC2,OU=Domain Controllers,DC=corp,DC=domain are
correct.
......................... DC2 passed test VerifyReferences
Test omitted by user request: VerifyReplicas
Test omitted by user request: DNS
Test omitted by user request: DNS
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : corp
Starting test: CheckSDRefDom
......................... corp passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... corp passed test CrossRefValidation
Running enterprise tests on : corp.domain
Test omitted by user request: DNS
Test omitted by user request: DNS
Starting test: LocatorCheck
GC Name: \\DC2.corp.domain
Locator Flags: 0xe00031fd
PDC Name: \\DC2.corp.domain
Locator Flags: 0xe00031fd
Time Server Name: \\DC2.corp.domain
Locator Flags: 0xe00031fd
Preferred Time Server Name: \\DC2.corp.domain
Locator Flags: 0xe00031fd
KDC Name: \\DC2.corp.domain
Locator Flags: 0xe00031fd
......................... corp.domain passed test
LocatorCheck
Starting test: Intersite
Skipping site Brisbane, this site is outside the scope provided by the
command line arguments provided.
......................... corp.domain passed test Intersite
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = DC2
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Brisbane\DC2
Starting test: Connectivity
......................... DC2 passed test Connectivity
Doing primary tests
Testing server: Brisbane\DC2
Starting test: Topology
......................... DC2 passed test Topology
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : corp
Running enterprise tests on : corp.domain
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = DC2
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Brisbane\DC2
Starting test: Connectivity
......................... DC2 passed test Connectivity
Doing primary tests
Testing server: Brisbane\DC2
Starting test: Replications
......................... DC2 passed test Replications
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : corp
Running enterprise tests on : corp.domain
DNSLint Report
System Date: Tue Mar 19 14:43:20 2013
Command run:
c:\dnslint\dnslint /ad 10.1.1.21 /s 10.1.1.21
Root of Active Directory Forest:
corp.domain
Active Directory Forest Replication GUIDs Found:
DC: DC2
GUID: ef6459ec-28d5-4ab4-85bc-778547782ce7
DC: DC3
GUID: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346
DC: MX1
GUID: 579be28b-006e-4f1c-911a-780458c5d081
Total GUIDs found: 3
--------------------------------------------------------------------------------
The following 2 DNS servers were checked for records related to AD forest replication:
DNS server: dc2.corp.domain
IP Address: 10.1.1.21
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: YES
SOA record data from server:
Authoritative name server: dc2.corp.domain
Hostmaster: hostmaster.corp.domain
Zone serial number: 150
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds
Additional authoritative (NS) records from server:
dc2.corp.domain Unknown
dc3.corp.domain Unknown
Alias (CNAME) and glue (A) records for forest GUIDs from server:
CNAME: ef6459ec-28d5-4ab4-85bc-778547782ce7._msdcs.corp.domain
Alias: dc2.corp.domain
Glue: 10.1.1.21
CNAME: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346._msdcs.corp.domain
Alias: dc3.corp.domain
Glue: 10.1.1.22
CNAME: 579be28b-006e-4f1c-911a-780458c5d081._msdcs.corp.domain
Alias: mx1.corp.domain
Glue: 10.1.1.25
Total number of CNAME records found on this server: 3
Total number of CNAME records missing on this server: 0
Total number of glue (A) records this server could not find: 0
--------------------------------------------------------------------------------
DNS server: dc3.corp.domain
IP Address: 10.1.1.22
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: YES
SOA record data from server:
Authoritative name server: dc3.corp.domain
Hostmaster: hostmaster.corp.domain
Zone serial number: 150
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds
Additional authoritative (NS) records from server:
dc2.corp.domain Unknown
dc3.corp.domain Unknown
Alias (CNAME) and glue (A) records for forest GUIDs from server:
CNAME: ef6459ec-28d5-4ab4-85bc-778547782ce7._msdcs.corp.domain
Alias: dc2.corp.domain
Glue: 10.1.1.21
CNAME: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346._msdcs.corp.domain
Alias: dc3.corp.domain
Glue: 10.1.1.22
CNAME: 579be28b-006e-4f1c-911a-780458c5d081._msdcs.corp.domain
Alias: mx1.corp.domain
Glue: 10.1.1.25
Total number of CNAME records found on this server: 3
Total number of CNAME records missing on this server: 0
Zone query result:
Zone info:
ptr = 0000000000197AB0
zone name = corp.domain
zone type = 1
shutdown = 0
paused = 0
update = 2
DS integrated = 1
read only zone = 0
in DS loading queue = 0
currently DS loading = 0
data file = (null)
using WINS = 0
using Nbstat = 0
aging = 0
refresh interval = 168
no refresh = 168
scavenge available = 0
Zone Masters NULL IP Array.
Zone Secondaries NULL IP Array.
secure secs = 1
directory partition = AD-Domain flags 00000015
zone DN = DC=corp.domain,cn=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=domain
Command completed successfully.
Repadmin: running command /showrepl against full DC localhost
Brisbane\DC2
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: ef6459ec-28d5-4ab4-85bc-778547782ce7
DSA invocationID: d2eb9fee-f5ee-458d-b37f-813d6cc41d9b
==== INBOUND NEIGHBORS ======================================
DC=corp,DC=domain
Brisbane\MX1 via RPC
DSA object GUID: 579be28b-006e-4f1c-911a-780458c5d081
Last attempt @ 2013-03-19 14:58:35 was successful.
Brisbane\DC3 via RPC
DSA object GUID: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346
Last attempt @ 2013-03-19 14:59:08 was successful.
CN=Configuration,DC=corp,DC=domain
Brisbane\DC3 via RPC
DSA object GUID: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346
Last attempt @ 2013-03-19 14:55:31 was successful.
Brisbane\MX1 via RPC
DSA object GUID: 579be28b-006e-4f1c-911a-780458c5d081
Last attempt @ 2013-03-19 14:55:31 was successful.
CN=Schema,CN=Configuration,DC=corp,DC=domain
Brisbane\DC3 via RPC
DSA object GUID: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346
Last attempt @ 2013-03-19 14:55:31 was successful.
Brisbane\MX1 via RPC
DSA object GUID: 579be28b-006e-4f1c-911a-780458c5d081
Last attempt @ 2013-03-19 14:55:31 was successful.
DC=DomainDnsZones,DC=corp,DC=domain
Brisbane\DC3 via RPC
DSA object GUID: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346
Last attempt @ 2013-03-19 14:55:31 was successful.
DC=ForestDnsZones,DC=corp,DC=domain
Brisbane\DC3 via RPC
DSA object GUID: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346
Last attempt @ 2013-03-19 14:55:31 was successful.
Replication Summary Start Time: 2013-03-19 14:59:31
Beginning data collection for replication summary, this may take awhile:
......
Source DSA largest delta fails/total %% error
DC2 12m:51s 0 / 8 0
DC3 12m:51s 0 / 8 0
MX1 11m:11s 0 / 6 0
Destination DSA largest delta fails/total %% error
DC2 04m:00s 0 / 8 0
DC3 11m:11s 0 / 8 0
MX1 12m:51s 0 / 6 0
Repadmin: running command /kcc against full DC localhost
Brisbane
Current Site Options: (none)
Consistency check on localhost successful.
Schema master DC2.corp.domain
Domain naming master DC2.corp.domain
PDC DC2.corp.domain
RID pool manager DC2.corp.domain
Infrastructure master DC2.corp.domain
The command completed successfully.
Exchange 2010 servers requires a domain controller with a GC in the same site.
Also, running Exchange on a domain controller is not recommended. And you definitely can't promote an Exchange server to a domain controller.
It sounds like from your description you broken at least two of these rules, if not all three.
Solution offered by ashdrewness
It's not supported to run dcpromo on a server after exchange is installed. It's also not supported to do an in-place upgrade from std to ent with exchange installed. You have to uninstall exchange or perform a disaster recovery install of exchange (setup.com /recoverserver).
From http://technet.microsoft.com/en-us/library/aa996719(v=exchg.141).aspx
Installing Exchange 2010 on Directory Servers
For security and performance reasons, we recommend that you install Exchange 2010 only on member servers and not on Active Directory directory servers. However, you can't run DCPromo on a computer running Exchange 2010. After Exchange 2010 is installed, changing its role from a member server to a directory server, or vice versa, isn't supported.
User contributions licensed under CC BY-SA 3.0