Exchange 2010 Would Not Authenticate to Secondary DC
Hi.
I have 2 DCs in one site, both GCs with DNS. DC 1 failed with memory pool errors and would not process any requests. Users could authenticate to the domain, but they could not authenticate to their Exchange accounts. This is 2003 AD and 2010 Exchange.
I checked replication, and it passes. Event 2080 shows both insite DCs and 1 out of site DC (which is located in a branch office).
I have the following events on the Exchange server:
8365 - MSExchange AL (could not read security descriptor from Exchange Server object)
6003 - SACL Watcher (cannot open group policy on DC1)
9385 - MSExchange SA (system attendant failed to read membership of universal security grp)
I got DC1 back online quickly, but cannot figure out why DC2 wouldn't authenticate Exchange. What am I missing?
April 23rd, 2012 3:06pm
Please post the full text of the 2080 event log entry.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
April 23rd, 2012 6:08pm
How long did you wait after taking the DC out of service? The failover to a different DC can take a few minutes, or you can reboot the Exchange server to speed it up.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
April 23rd, 2012 6:19pm
DC1 reported a memory pool problem during backup at 12:50 a.m. but I was not aware. Everyone came in in the morning and was working normally. Almost 12 hours later, more memory pool errors. Then at 1:01 PM DHCP Server on DC1 failed to see a directory server (DC1 is the only DHCP server), 1:09 PM event ID 5787 - global catalog no longer automatically covers remote site for forest, 1:09 PM event ID 5781 details below:
Event Type: Warning
Event Source: NETLOGON
Event Category: None
Event ID: 5781
Date: 4/20/2012
Time: 1:09:48 PM
User: N/A
Computer: DC1
Description:
Dynamic registration or deletion of one or more DNS records associated with DNS domain 'mydomain.WC.' failed. These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain)
or as an LDAP server (if the specified domain is an application partition).
Possible causes of failure include:
- TCP/IP properties of the network connections of this computer contain wrong IP address(es) of the preferred and alternate DNS servers
- Specified preferred and alternate DNS servers are not running
- DNS server(s) primary for the records to be registered is not running
- Preferred or alternate DNS servers are configured with wrong root hints
- Parent DNS zone contains incorrect delegation to the child zone authoritative for the DNS records that failed registration
USER ACTION
Fix possible misconfiguration(s) specified above and initiate registration or deletion of the DNS records by running 'nltest.exe /dsregdns' from the command prompt or by restarting Net Logon service. Nltest.exe is available in the Microsoft Windows Server Resource
Kit CD.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2a 23 00 00 *#..
At 1:09 p.m. DC1 was choking, but no one really noticed until about 1:50 p.m. I would think with the DNS error at 1:09, DC2 should have picked up by 1:50. And, it did, as far as network login. We just couldn't get Outlook to authenticate to our Exchange server.
I shut DC1 down, brought it back up, and all is well. Just can't figure out why DC2 wouldn't authenticate to Exchange...
April 23rd, 2012 7:01pm
Hi,
Please try to run DCdiag from your Exchange to see if it can find and pass all the tests with DC2.
Please try to force DC replication.
Please try to manually specify the configuration domain controller and preferred domain controller and then test the issue again.
Xiu Zhang
TechNet Community Support
April 24th, 2012 5:15am
That's why I never configure that kind of thing.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
April 27th, 2012 1:50am