App Event 2104, followed by Sys Event 5719, 8021, and multiple 7's
We have Exchange 2007 Std. installed on Server 2003 Ent. We have 3 domains: 1 forest root and two child domains, all of which have one domain controller (yeah, we are expanding on this...). The Exchange server resides in the forest root domain; most of the users exist in the child domains. All servers are virtual, on a single VMWare ESV 3.5 U4 host. Obviously this implementation does not fall within MS support policy, so we can't bring this issue to support.

The problem is, every 7 - 10 hours the following errors fire off on the Exchange server. When these errors happen, users are unable to authenticate to OWA, Outlook Anywhere, sign into Outlook, or log into the server via RDP. The issue usually lasts for about ten minutes, then everything is back to normal.

I have seen some 5719's on the other domain controllers, but with no frequency that worries me. I say this meaning that there was probably some network maintenance being performed during these occurrences.

Event Type: Error
Event Source: MSExchange ADAccess
Event Category: Topology
Event ID: 2104
Date: 5/15/2009
Time: 8:05:45 PM
User: N/A
Computer: MAIL1
Description:
Process IISIPMF0067C56-1FAD-48F7-89B6-464FB95DF7CE -AP "MSEXCHANGEOWAAPPPOOL (PID=732). None of the domain controllers in the domain are responding. This event can occur if the domain controllers in local or all domains become unreachable because of network problems. Use the Ping or PathPing command-line tools to test network connectivity to local domain controllers. Run the Dcdiag command line tool to test domain controller health.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5719
Date: 5/15/2009
Time: 7:59:17 PM
User: N/A
Computer: MAIL1
Description:
This computer was not able to set up a secure session with a domain controller in domain OFFICE due to the following: There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.
ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 5e 00 00 c0 ^..

Event Type: Warning
Event Source: BROWSER
Event Category: None
Event ID: 8021
Date: 5/15/2009
Time: 8:02:57 PM
User: N/A
Computer: MAIL1
Description:
The browser service was unable to retrieve a list of servers from the browser master \\DC2 on the network \Device\NetBT_Tcpip_{46BBBB5E-E93F-4D54-A2EA-A41DBD22DBF6}.
Browser master: \\DC2
Network: \Device\NetBT_Tcpip_{46BBBB5E-E93F-4D54-A2EA-A41DBD22DBF6}
This event may be caused by a temporary loss of network connectivity. If this message appears again, verify that the server is still connected to the network. The return code is in the Data text box.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 35 00 00 00 5...

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 7
Date: 5/15/2009
Time: 8:03:30 PM
User: N/A
Computer: MAIL1
Description:
The kerberos subsystem encountered a PAC verification failure. This indicates that the PAC from the client XXXXXXXX in realm toronto.contoso.com had a PAC which failed to verify or was modified. Contact your system administrator.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 5e 00 00 c0 ^..
May 16th, 2009 6:29am
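Added example, not part of the original thread: one way to test whether the four events in the post above really fire together and how often the outage recurs is to cluster exported events by time and keep only clusters where a NETLOGON failure coincides with a Kerberos 7 or MSExchange ADAccess 2104 event. The "source,event ID,timestamp" export format, the 15-minute grouping window and every function name are assumptions made for this sketch; the sample rows are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample export (source,event ID,timestamp); the first four rows
# reuse the times quoted in the post, the remaining rows are invented.
SAMPLE = """\
NETLOGON,5719,5/15/2009 7:59:17 PM
BROWSER,8021,5/15/2009 8:02:57 PM
Kerberos,7,5/15/2009 8:03:30 PM
MSExchange ADAccess,2104,5/15/2009 8:05:45 PM
NETLOGON,5719,5/16/2009 4:41:02 AM
Kerberos,7,5/16/2009 4:43:10 AM
MSExchange ADAccess,2104,5/16/2009 4:46:55 AM
BROWSER,8021,5/16/2009 11:20:00 AM
"""
NETLOGON_FAILURES = {("NETLOGON", 5719), ("NETLOGON", 5783)}
DEPENDENT_FAILURES = {("Kerberos", 7), ("MSExchange ADAccess", 2104)}

def parse(text):
    """Return (timestamp, source, event_id) tuples sorted by time."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        source, event_id, stamp = line.rsplit(",", 2)
        when = datetime.strptime(stamp.strip(), "%m/%d/%Y %I:%M:%S %p")
        events.append((when, source.strip(), int(event_id)))
    return sorted(events)

def cluster(events, gap=timedelta(minutes=15)):
    """Group events whose neighbours are at most `gap` apart (assumed window)."""
    groups = []
    for event in events:
        if groups and event[0] - groups[-1][-1][0] <= gap:
            groups[-1].append(event)
        else:
            groups.append([event])
    return groups

def outages(groups):
    """Keep clusters where a NETLOGON failure coincides with a dependent one."""
    found = []
    for group in groups:
        keys = {(src, eid) for _, src, eid in group}
        if keys & NETLOGON_FAILURES and keys & DEPENDENT_FAILURES:
            found.append({"start": group[0][0], "end": group[-1][0],
                          "ids": sorted(eid for _, eid in keys)})
    return found

def recurrence_hours(found):
    """Hours between the starts of consecutive outages."""
    return [round((b["start"] - a["start"]).total_seconds() / 3600, 1)
            for a, b in zip(found, found[1:])]
```

Calling `recurrence_hours(outages(cluster(parse(SAMPLE))))` gives the spacing between outages, which can then be lined up against host-side schedules such as backups or snapshots.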

Hello,

Seems like a networking issue.

Could you first run ExBPA, netdiag /v > abc.txt and netdiag /f > abc1.txt, dcdiag /s:<FQDN of FSMO holder> > dc1.txt

Running Netdiag and DCdiag needs the Windows Support Tools, which you can download from the internet or find on your Windows 2003 media.

Fix all the necessary recommendations in ExBPA and then we will proceed further from there.

Arun Kumar | MCSE - 2K3 + Messaging | ITIL-F V3
May 18th, 2009 12:08pm

Thanks for the response Arun!

The command dcdiag /dc:<FQDN of FSMO holder> > dc1.txt would not execute as recommended in Arun's reply, so instead I ran dcdiag /s:<FQDN of FSMO holder> /c > dc1.txt

One of the DC's had DNS failures due to root hints. This has been corrected.

I found something interesting running DCDiag. For instance, when running DCDiag against 1/3 of our domain controllers, all tests pass except the last test for DNS.

--------------------------------------------------------------
Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Main\Main-DC1
      Starting test: Connectivity
         ......................... Main-DC1 passed test Connectivity

Doing primary tests

   Testing server: Main\Main-DC1
      Starting test: Replications
         ......................... Main-DC1 passed test Replications
      Starting test: Topology
         ......................... Main-DC1 passed test Topology
      Starting test: CutoffServers
         ......................... Main-DC1 passed test CutoffServers
      Starting test: NCSecDesc
         ......................... Main-DC1 passed test NCSecDesc
      Starting test: NetLogons
         ......................... Main-DC1 passed test NetLogons
      Starting test: Advertising
         ......................... Main-DC1 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... Main-DC1 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... Main-DC1 passed test RidManager
      Starting test: MachineAccount
         ......................... Main-DC1 passed test MachineAccount
      Starting test: Services
         ......................... Main-DC1 passed test Services
      Starting test: OutboundSecureChannels
         ** Did not run Outbound Secure Channels test
         because /testdomain: was not entered
         ......................... Main-DC1 passed test OutboundSecureChannels
      Starting test: ObjectsReplicated
         ......................... Main-DC1 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... Main-DC1 passed test frssysvol
      Starting test: frsevent
         ......................... Main-DC1 passed test frsevent
      Starting test: kccevent
         ......................... Main-DC1 passed test kccevent
      Starting test: systemlog
         ......................... Main-DC1 passed test systemlog
      Starting test: VerifyReplicas
         ......................... Main-DC1 passed test VerifyReplicas
      Starting test: VerifyReferences
         ......................... Main-DC1 passed test VerifyReferences
      Starting test: VerifyEnterpriseReferences
         ......................... Main-DC1 passed test VerifyEnterpriseReferences
      Starting test: CheckSecurityError
         [Main-DC1] No security related replication errors were found on this DC!
         To target the connection to a specific source DC use /ReplSource:<DC>.
         ......................... Main-DC1 passed test CheckSecurityError

DNS Tests are running and not hung. Please wait a few minutes...

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : toronto1
      Starting test: CrossRefValidation
         ......................... toronto1 passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... toronto1 passed test CheckSDRefDom

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running enterprise tests on : contoso.gdi
      Starting test: Intersite
         ......................... contoso.gdi passed test Intersite
      Starting test: FsmoCheck
         ......................... contoso.gdi passed test FsmoCheck
      Starting test: DNS
         Test results for domain controllers:

            DC: Main-DC1.toronto1.contoso.gdi
            Domain: toronto1.contoso.gdi

               TEST: Basic (Basc)
                  Error: No WMI connectivity

         Summary of DNS test results:

                                   Auth Basc Forw Del  Dyn  RReg Ext
            ________________________________________________________________
            Domain: toronto1.contoso.gdi
               Main-DC1            PASS FAIL n/a  n/a  n/a  n/a  n/a

         ......................... contoso.gdi failed test DNS
-------------------------------------------------------------

ExBPA Critical Issues reports:
* SAN mismatch for activesync and owa.

ExBPA All Issues reports:
* Network Driver older than two years - We are using the driver provided by VMware, from what I've read this is typical
* Storage Driver older than two years - We are using the driver provided by VMware, from what I've read this is typical
* Database Backup Warning - The Database is being backed up right now
* Recovery Storage Group enabled - This is in use
* VMware Detected - Expected
-------------------------------------------------------------

That's all for now, thank you for your assistance with this.
May 21st, 2009 1:27am

Hello,

Did you confirm the DNS settings?

Arun Kumar | MCSE - 2K3 + Messaging | ITIL-F V3
May 21st, 2009 2:07am

No, I am working to correct the following two issues affecting two different DC's. I will repost when I have rectified these issues. If you have any suggestions on these, let me know. Thanks!

TEST: Basic (Basc)
   Error: No WMI connectivity

TEST: Basic (Basc)
   Warning: The Active Directory zone on this DC/DNS server was not found (probably a misconfiguration)
May 21st, 2009 7:11pm

Here are some more details on the errors/warnings shown in my last post.

TEST: Basic (Basc) Error: No WMI connectivity: This is affecting a DC that is in a different AD Site from the mail server. If I remember correctly, WMI does not work cross site so this might be expected.

TEST: Basic (Basc) Warning: The Active Directory zone on this DC/DNS server was not found (probably a misconfiguration): This zone is not AD integrated, and the _mdcs, _sites, _tcp, _udp and domaindnszones are present. So this might be expected also.

I am still researching these errors/warnings to confirm my expectations or find a fix.
May 21st, 2009 8:27pm

FYI, we haven't seen the issue for over 36 hours now. This may have been resolved by correcting the root hints issue that I described earlier in the thread.
May 22nd, 2009 12:44am

aha.. that is so good to hear.. :)

Arun Kumar | MCSE - 2K3 + Messaging | ITIL-F V3
May 23rd, 2009 4:00pm

The issue is happening again, just as described before with a frequency of at least once every 24 hours. No changes were made on our part. I am also seeing 5783's in the system log.
May 26th, 2009 11:51pm

I added more memory to the host, this seems to have cleared up the issue.
July 27th, 2009 9:44pm

This topic is archived. No further replies will be accepted.
