Exchange Server 2007 & AD Sites
Hi,
Would like to check if there is any issue in using supernetted IP subnets in Active Directory sites for the Exchange Server 2007 subnet. Our Exchange server is not able to verify the site membership; however, it is happening only if the AD Topology service is running with the Local System account, which is the default setting.
It works fine when the AD Topology service is running with an AD Enterprise Admin account. However, as soon as we change it to the Local System account, the event viewer fills up with event IDs 2501, 2601 & 2604.
Any idea will be highly appreciated.
Thanks,
v-beta
May 15th, 2008 11:46am
Hi,
Please check the following method:
1. Open Configuration Container > Sites by using ADSI Edit.
2. Right-click the AD site object where the Exchange server is located; please ensure that Authenticated Users has Read permission.
3. If the above setting is correct, please also navigate to Configuration Container > Services -> Microsoft Exchange -> "Your Organization Name" -> Administrative Groups -> "Your Administrative Group" -> Servers -> Server Name.
4. Please check whether the msExchServerSite property is correctly configured.
If the above configurations are both correct, please help me gather the detailed event log entries for 2501, 2601 and 2604 for further research.
Thanks,
Mike
May 19th, 2008 10:26am
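The two ADSI Edit checks Mike describes can be scripted. The following is an added example written for this thread, not code from the original posts; it uses the System.DirectoryServices classes that ship with .NET 2.0, so it runs on a Windows Server 2003/2008 Exchange host without extra tooling. Assumptions: it is run on a domain-joined machine as a user who can read the Configuration partition, $ServerName defaults to the local computer, and $SiteName defaults to whatever `nltest /dsgetsite` reports.

```powershell
# Added example (not from the thread): performs Mike's two checks without opening ADSI Edit.
# Assumption: run on a domain-joined host; $ServerName / $SiteName are placeholders that
# default to this machine and the site Netlogon believes it is in.
param(
    [string]$ServerName = $env:COMPUTERNAME,
    [string]$SiteName
)

if (-not $SiteName) {
    # nltest /dsgetsite prints the site name on its first output line.
    $SiteName = (nltest /dsgetsite 2>$null | Select-Object -First 1).Trim()
}

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = [string]$rootDse.configurationNamingContext

# Check 1: Authenticated Users (well-known SID S-1-5-11) must be allowed the rights that
# dsacls prints as READ PERMISSONS / LIST CONTENTS / READ PROPERTY / LIST OBJECT.
$siteDN  = "CN=$SiteName,CN=Sites,$configNC"
$site    = [ADSI]"LDAP://$siteDN"
$needed  = [System.DirectoryServices.ActiveDirectoryRights]'ReadControl, ListChildren, ReadProperty, ListObject'
$rules   = $site.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$granted = [System.DirectoryServices.ActiveDirectoryRights]0
foreach ($rule in $rules) {
    # Only count Allow ACEs that apply to the whole object (ObjectType empty), so a
    # property-specific ReadProperty grant is not mistaken for a full read.
    if ($rule.IdentityReference.Value -eq 'S-1-5-11' -and
        $rule.AccessControlType -eq 'Allow' -and
        $rule.ObjectType -eq [Guid]::Empty) {
        $granted = $granted -bor $rule.ActiveDirectoryRights
    }
}
$authUsersCanRead = (($granted -band $needed) -eq $needed)

# Check 2: the msExchServerSite attribute on the Exchange server object must point at the
# same site DN. The server object lives under CN=Microsoft Exchange,CN=Services.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Microsoft Exchange,CN=Services,$configNC"
$searcher.Filter     = "(&(objectClass=msExchExchangeServer)(cn=$ServerName))"
[void]$searcher.PropertiesToLoad.Add('msExchServerSite')
$result     = $searcher.FindOne()
$serverSite = $null
if ($result -and $result.Properties['msexchserversite'].Count -gt 0) {
    $serverSite = [string]$result.Properties['msexchserversite'][0]
}
$siteMatches = ($serverSite -eq $siteDN)

New-Object PSObject -Property @{
    SiteDN                  = $siteDN
    AuthenticatedUsersRead  = $authUsersCanRead
    msExchServerSite        = $serverSite
    msExchServerSiteMatches = $siteMatches
}
```

Both values should come back True. A False on AuthenticatedUsersRead is the case the Local System account trips over, because the topology service then reads the site object as the computer account (which is only an authenticated user, not an admin); a False on msExchServerSiteMatches means the server object still records a different site than Netlogon resolves.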
Hi Mike,
Thanks for your response!
Yes, Authenticated Users have read permission on the site object. DSACLS output:
Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Yes, msExchServerSite is populated with correct site name.
However, would like to highlight that right now MSExchange ADTopology service is running with Enterprise Admin account. Changing it back to local system account will result in above errors and affects the mail flow.
Detailed event log of 2601, 2604 & 2501:
Event Id: 2601 Source: MSExchange ADAccess
Description: Process MSEXCHANGEADTOPOLOGY (PID=1524). When initializing a remote procedure call (RPC) to the Microsoft Exchange Active Directory Topology service, Exchange could not retrieve the SID for account <WKGUID=xxxxx..,CN=Microsoft Exchange,CN=Services,CN=Configuration,...> - Error code=8007077f.
The Microsoft Exchange Active Directory Topology service will continue starting with limited permissions.
Event Id: 2604 Source: MSExchange ADAccess
Description: Process MSEXCHANGEADTOPOLOGY (PID=1524). When updating security for a remote procedure call (RPC) access for the Exchange Active Directory Topology service, Exchange could not retrieve the security descriptor for Exchange server object ServerName - Error code=8007077f.
The Exchange Active Directory Topology service will continue with limited permissions.
Event Id: 2501 Source: MSExchange ADAccess
Description: Process MSEXCHANGEADTOPOLOGY (PID=1524). The site monitor API was unable to verify the site name for this Exchange computer - Call=DsctxGetContext Error code=8007077f. Make sure that Exchange server is correctly registered on the DNS server.
Also, to help you in further research, following are my findings:
Decode the error code in the event description - Error code=8007077f
ERROR_NO_SITENAME: No site name is available for this machine. (err.exe also matches SQL_1919_severity_16: Cannot create index on column '%.*ls' because it is of a non-indexable type.)
Check and make sure that Exchange is correctly registered in the DNS server.
NSLOOKUP is fine, A record registration of Exchange server in DNS is fine, Dcdiag does not report any DNS issue with the DCs in the domain where Exchange is installed.
Make sure that AD Sites/Subnet configuration is correct.
A supernet is created and is assigned to the Exchange site. The Exchange server IP address falls under this supernet.
Exchange Computer account is placed in default OU (Computers) or has been moved to some other OU? If yes, is there any GPO object applied on that OU?
Exchange server moved to some other OU with a GPO applied to it.
Network Adapter check Is teaming/bridging enabled? Are there multiple gateways defined?
Teaming/bridging is not enabled. However, gateways are defined on both NICs, but are same. Both NICs are being used to facilitate CAS NLB.
Check to make sure that network drivers are up to date.
Network drivers are updated with a Driver Date of Jan, 08. However, a new updated driver is available at vendors Website.
Check if the "Exchange Servers" & "Exchange Install Servers" group has all the Exchange 2007 servers listed.
The Exchange Install server group doesn't have the Exchange server listed.
Check Default Domain Controllers Security Settings to make sure that Exchange Servers group has managed auditing and security logs permissions.
OK.
Run Policytest.exe to check the permissions issue.
LookupAccountName returned error 1332. It looks like that policytest is trying to find the Exchange Enterprise Servers group, which is no more there in Exchange server 2007.
Check the Binding order on the Exchange server and see if the enabled NIC is on top.
OK
Patch mentioned in KB 948496 has been applied to the Exchange Server.
OK
Run DCDiag to check domain controller health
OK
Checked the Netlogon log file in %windir%\debug. The Exchange server was never reported as an out-of-site client.
NLTEST /DSGETSITE command on Exchange server reports the correct site.
Used the DSACLS support tool to export the permission entries on Domain & DC objects. Compared it with MS article explaining all the permissions assigned by various phases of Exchange setup. No discrepancy found.
http://technet.microsoft.com/en-us/library/bb310770(EXCHG.80).aspx
http://technet.microsoft.com/en-us/library/bb310792(EXCHG.80).aspx
The problem gets resolved by running MSExchange ADTopology Service by Enterprise Admin account.
Sorry for the long post.
Thanks,
v-beta
May 20th, 2008 1:28pm
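The decoding step v-beta did by hand (and the "error 1332" from policytest) can be automated and run against the live Application log. The following is an added example for this thread, not code from any post: it pulls the MSExchange ADAccess events 2501, 2601 and 2604, extracts the "Error code=" token and decodes it the way err.exe does. An HRESULT whose facility field (bits 16-27) is 7, FACILITY_WIN32, wraps a Win32 error in its low 16 bits, and System.ComponentModel.Win32Exception turns that number back into the system message. Assumptions: run on the Exchange server, and the symbolic-name table is deliberately limited to the two codes that appear in this thread.

```powershell
# Added example (not from the thread): decode MSExchange ADAccess "Error code=" values.

# winerror.h names for the Win32 codes that appear in this thread (assumption: only these).
$Win32Names = @{
    1332 = 'ERROR_NONE_MAPPED'   # policytest: LookupAccountName returned error 1332
    1919 = 'ERROR_NO_SITENAME'   # 0x8007077f: no site name is available for this machine
}

function ConvertFrom-HResult {
    # $Hex is the 8-digit value from the event text, e.g. '8007077f' or '0x8007077f'.
    param([Parameter(Mandatory=$true)][string]$Hex)
    $value    = [Convert]::ToUInt32(($Hex -replace '^0x', ''), 16)
    $facility = [int](($value -band 0x0FFF0000) / 0x10000)   # bits 16-27; 7 = FACILITY_WIN32
    $code     = [int]($value -band 0xFFFF)                    # low 16 bits = Win32 error
    $name = $null; $msg = $null
    if ($facility -eq 7) {
        $name = $Win32Names[$code]
        # Win32Exception calls FormatMessage for the code, same text err.exe prints.
        $msg  = (New-Object System.ComponentModel.Win32Exception($code)).Message
    } else {
        $msg = 'not a FACILITY_WIN32 HRESULT; look the value up in its own facility'
    }
    New-Object PSObject -Property @{
        HResult = $Hex; Facility = $facility; Win32Code = $code; Name = $name; Message = $msg
    }
}

function Get-AdAccessErrors {
    # Scans the newest $Newest Application-log entries for the three event IDs from the thread.
    param([int[]]$EventIds = @(2501, 2601, 2604), [int]$Newest = 500)
    Get-EventLog -LogName Application -Newest $Newest |
        Where-Object { $_.Source -eq 'MSExchange ADAccess' -and $EventIds -contains $_.EventID } |
        ForEach-Object {
            $hex = $null; $name = $null; $msg = $null
            if ($_.Message -match 'Error code=(?:0x)?([0-9A-Fa-f]{8})') {
                $hex     = $Matches[1]
                $decoded = ConvertFrom-HResult -Hex $hex
                $name    = $decoded.Name
                $msg     = $decoded.Message
            }
            New-Object PSObject -Property @{
                Time = $_.TimeGenerated; EventID = $_.EventID; Code = $hex; Name = $name; Message = $msg
            }
        }
}

# Worked run on the value from the events quoted above, then the live log.
ConvertFrom-HResult -Hex '8007077f' | Format-List
Get-AdAccessErrors | Sort-Object Time | Format-Table -AutoSize
```

For 8007077f the function reports Facility 7, Win32Code 1919 and ERROR_NO_SITENAME, which is the same conclusion as the manual decode above. Running Get-AdAccessErrors before and after switching the service back to Local System shows whether the three events stop, without scrolling through the Application log by hand.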
Hi,
Just to update that the issue got resolved by changing the order in which the services start. Configuring the Netlogon service as a dependency of the ADTopology service resolved the issue.
Thanks,
V-beta
June 3rd, 2008 9:13am
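The dependency change v-beta reports as the fix is a one-line `sc.exe config` call, but `depend=` replaces the service's whole dependency list rather than appending to it, so it is easy to drop an existing dependency by accident. The following is an added example for this thread, not the poster's own procedure: it reads the current REG_MULTI_SZ DependOnService value for MSExchangeADTopology, adds Netlogon if it is missing, and only rewrites the list when run with -Apply. Assumptions: run as a local administrator on the Exchange server, and the change takes effect at the next service start (in practice the next reboot).

```powershell
# Added example (not from the thread): make MSExchangeADTopology depend on Netlogon while
# keeping whatever dependencies the service already declares.
param([switch]$Apply)

$svc    = 'MSExchangeADTopology'
$regKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"

# DependOnService is a REG_MULTI_SZ; Get-ItemProperty returns it as a string array
# (or $null if the service declares no dependencies).
$current = @((Get-ItemProperty -Path $regKey).DependOnService | Where-Object { $_ })
Write-Output "Current dependencies of ${svc}: $($current -join ', ')"

if ($current -contains 'Netlogon') {
    Write-Output 'Netlogon is already a dependency; nothing to do.'
    return
}

# sc.exe wants the list separated by forward slashes and a space after "depend=".
$newList = ($current + 'Netlogon') -join '/'
Write-Output "New dependency list: $newList"

if ($Apply) {
    & sc.exe config $svc depend= $newList
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }
    # Show what the Service Control Manager now holds for the service (DEPENDENCIES line).
    & sc.exe qc $svc
} else {
    Write-Output 'Dry run. Re-run with -Apply, or run this by hand:'
    Write-Output "  sc.exe config $svc depend= $newList"
}
```

The dry run is the useful part: it prints the exact `sc.exe config` line with the existing dependencies preserved, which is what you want to see before touching a production mail server. Note that this only orders service start; it does not wait for Netlogon to have finished locating a domain controller, which is why some posters below still needed a delay.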
Changing the registry settings for the MSExchangeADTopology service and adding "DependOnService" = Netlogon didn't help in my case.
I didn't dare to try the other way around, making the Netlogon service dependent on the MSExchangeADTopology service (so it can't start before MSExchangeADTopology). Unsure if this was what you did (?).
Anyway, I solved it by:
1. Changed Exchange services to manual startup
2. Made a batch script with "net start" commands that would start all the necessary Exchange services (and a simple ping command to delay the script a bit)
3. Scheduled it via Scheduled Tasks to run at computer startup.
The server also didn't always mount the databases (located on iSCSI, which also had event log failures during startup), so my script also calls an additional PowerShell script that mounts the databases if they aren't already mounted. The script repeats itself three times.
It seems that service startup timing is a major issue on Exchange. Would be nice if anyone could add info on how to delay service startups X seconds if possible (I am really missing that as an option in services.msc).
This issue has also been discussed on:
http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=3570392&siteid=17
Others have been successful with disabling "Receive Side Scaling" on the NIC, others with upgrading the Windows 2003 OS from SP1 to SP2.
July 3rd, 2008 6:56pm
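A PowerShell version of the startup job described in the post above, written as an added example for this thread (it is not the poster's batch/PowerShell script, which is not reproduced here). Instead of a fixed ping delay it waits until Netlogon is running and `nltest /dsgetsite` succeeds, which is the condition the ADTopology service actually needs, then starts the Exchange services in order and mounts any mailbox databases still dismounted, retrying three times. Assumptions: Exchange Server 2007 with its management snap-in (Microsoft.Exchange.Management.PowerShell.Admin) installed locally; the service list is a typical Mailbox/Hub set and should be edited to match the server's roles; the task runs "At system startup" as SYSTEM or an Exchange administrator.

```powershell
# Added example (not the poster's script): wait for the site lookup, start Exchange
# services in order, then mount dismounted mailbox databases with retries.
param(
    # Assumption: edit to match the roles installed on this server.
    [string[]]$Services = @('MSExchangeADTopology', 'MSExchangeIS', 'MSExchangeSA',
                            'MSExchangeTransport', 'MSExchangeMailSubmission',
                            'MSExchangeMailboxAssistants'),
    [int]$WaitSeconds = 300,
    [int]$Retries     = 3
)

function Wait-ForSite {
    # Returns $true once Netlogon is running and DsGetSiteName (nltest /dsgetsite) succeeds.
    param([int]$Timeout)
    $deadline = (Get-Date).AddSeconds($Timeout)
    while ((Get-Date) -lt $deadline) {
        $nl = Get-Service -Name Netlogon -ErrorAction SilentlyContinue
        if ($nl -and $nl.Status -eq 'Running') {
            $null = nltest /dsgetsite 2>&1
            if ($LASTEXITCODE -eq 0) { return $true }
        }
        Start-Sleep -Seconds 10
    }
    return $false
}

if (-not (Wait-ForSite -Timeout $WaitSeconds)) {
    Write-Warning "Site lookup did not succeed within $WaitSeconds seconds; starting services anyway."
}

foreach ($name in $Services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { continue }                       # role not installed on this server
    if ($svc.Status -ne 'Running') {
        Write-Output "Starting $name"
        try {
            Start-Service -Name $name -ErrorAction Stop
            $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(120))
        } catch {
            Write-Warning "$name did not reach Running: $_"
        }
    }
}

# Load the Exchange 2007 snap-in so the script works from a plain scheduled task.
if (-not (Get-PSSnapin -Name Microsoft.Exchange.Management.PowerShell.Admin -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin
}

for ($attempt = 1; $attempt -le $Retries; $attempt++) {
    # -Status populates the Mounted property; without it the value is always empty.
    $dismounted = Get-MailboxDatabase -Server $env:COMPUTERNAME -Status |
        Where-Object { -not $_.Mounted }
    if (-not $dismounted) { Write-Output 'All mailbox databases are mounted.'; break }
    foreach ($db in $dismounted) {
        Write-Output "Attempt ${attempt}: mounting $($db.Identity)"
        try   { Mount-Database -Identity $db.Identity -ErrorAction Stop }
        catch { Write-Warning "Mount of $($db.Identity) failed: $_" }
    }
    Start-Sleep -Seconds 30   # give iSCSI-backed volumes time to settle before retrying
}
```

Scheduling it with `schtasks /create /sc onstart /ru SYSTEM /tn "Start Exchange" /tr "powershell.exe -File C:\Scripts\Start-Exchange.ps1"` (path is a placeholder) reproduces the poster's setup. Leaving the services on Automatic and letting the script only re-check them is slightly safer than Manual, because a failed task then does not leave the server with no mail services at all.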
Found this article...
http://support.microsoft.com/kb/940845/en-us
While it is not exceptionally relevant, it does point out that you can use a DWORD value under the Parameters key called BOOTPAUSE. The value is the number of seconds to wait.
Paul
October 25th, 2008 12:51am
Phins - nice solution - quite sure that will work too
October 25th, 2008 10:48am