Installing Exchange 2010 SP1 Hub Transport keeps failing with an error "Service 'MSExchangeTransport' failed to reach status 'Running' on this server"
Hi Zoran,
Exchange 2010 is using AD Sites and Services for Site discovery. You're saying that you have a DC in the site where you want to install the HUB/CAS server?
Is your Exchange 2010 HUB/CAS server that you try to install in the correct AD site (the same as where the local site DC is)? And is the DC configured as Global Catalog for that site?
You need to have a global catalog in every site where you want to have an Exchange server.
Technical Consultant Exchange | MCP, MCSA, MCSE, MCTS, MCITP | Blog: http://www.reinhard-online.nl | Follow me on twitter: correinhard
November 11th, 2011 2:58am
Hi Cor,
Yes, there is a DC/GC server in the DR site and yes the DR HUB/CAS-to-be is in the same site. All DCs on the system are also GCs.
Thanks
November 11th, 2011 3:30am
Okay, I think I might have something. Even though the Exchange Servers group has proper permissions over "Domain Controller Security Policy\Local Policies\User Rights Assignment\Manage Auditing and Security Log", I found that the DC container has "block inheritance" on, so this could actually prevent the GPO setting from updating the group membership list with the new server. We recently had an issue with applying a password policy because the GP inheritance was blocked at the DC container. I will need to leave this for Monday, as I'm not sure why these guys have it on and will probably need to raise a CR, and will let you know if this caused the issue, once I turn it off and retry the installation.
Thanks
November 11th, 2011 3:57am
Super! No problem and good luck in solving this issue.
Technical Consultant Exchange | MCP, MCSA, MCSE, MCTS, MCITP | Blog: http://www.reinhard-online.nl | Follow me on twitter: correinhard
November 11th, 2011 4:27am
Hi guys,
I've been trying to install a DR Hub Transport/CAS (Exchange 2010 SP1 on Windows 2008 R2 Enterprise SP1) on a DR site, but the installation keeps failing. There are several errors and warnings logged in the application log at every attempt. These are the logged events:
Log Name: Application
Source: MSExchange ADAccess
Date: 11/11/2011 9:32:08 AM
Event ID: 2101
Task Category: Topology
Level: Warning
Keywords: Classic
User: N/A
Computer: localhost
Description:
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=2536). The configuration domain controller specified in a call to SetConfigDCName (local_dc_server) is unreachable. Exchange Active Directory Provider will select the configuration domain controller from the list
of available domain controllers.
Log Name: Application
Source: MSExchange ADAccess
Date: 11/11/2011 9:32:08 AM
Event ID: 2102
Task Category: Topology
Level: Error
Keywords: Classic
User: N/A
Computer: localhost
Description:
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=2536). All Domain Controller Servers in use are not responding:
Local_dc_server
Remote_dc_server
Log Name: Application
Source: MSExchange ADAccess
Date: 11/11/2011 9:32:08 AM
Event ID: 2114
Task Category: Topology
Level: Error
Keywords: Classic
User: N/A
Computer: localhost
Description:
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=2536). Topology discovery failed, error 0x80040a02 (DSC_E_NO_SUITABLE_CDC). Look up the Lightweight Directory Access Protocol (LDAP) error code specified in the event description. To do this, use Microsoft Knowledge
Base article 218185, "Microsoft LDAP Error Codes." Use the information in that article to learn more about the cause and resolution to this error. Use the Ping or PathPing command-line tools to test network connectivity to local domain controllers.
Log Name: Application
Source: MSExchange ADAccess
Date: 11/11/2011 9:33:07 AM
Event ID: 2601
Task Category: General
Level: Warning
Keywords: Classic
User: N/A
Computer: localhost
Description:
Process MSEXCHANGEADTOPOLOGY (PID=2536). When initializing a remote procedure call (RPC) to the Microsoft Exchange Active Directory Topology service, Exchange could not retrieve the SID for account <WKGUID=1A9E39D35ABE5747B979FFC0C6E5EA26,CN=Microsoft Exchange,CN=Services,CN=Configuration,...>
- Error code=80040a01.
The Microsoft Exchange Active Directory Topology service will continue starting with limited permissions.
Log Name: Application
Source: MSExchange ADAccess
Date: 11/11/2011 9:33:07 AM
Event ID: 2501
Task Category: General
Level: Error
Keywords: Classic
User: N/A
Computer: localhost
Description:
Process MSEXCHANGEADTOPOLOGY (PID=2536). The site monitor API was unable to verify the site name for this Exchange computer - Call=HrSearch Error code=80040a01. Make sure that Exchange server is correctly registered on the DNS server.
Log Name: Application
Source: MSExchange ADAccess
Date: 11/11/2011 9:34:07 AM
Event ID: 2604
Task Category: General
Level: Error
Keywords: Classic
User: N/A
Computer: localhost
Description:
Process MSEXCHANGEADTOPOLOGY (PID=2536). When updating security for a remote procedure call (RPC) access for the Microsoft Exchange Active Directory Topology service, Exchange could not retrieve the security descriptor for Exchange server object localhost -
Error code=80040a01.
The Microsoft Exchange Active Directory Topology service will continue starting with limited permissions.
The local DC and all remote DCs are up and accessible. The server is registered in DNS. IPv6 is enabled. The server has only 1 NIC and a static IP. It's a VM on ESX 4.1. There is no AV software installed. The same set of GP settings applies to the production HT/CAS and DR HT/CAS. Windows OS is fully patched. All Exchange prerequisites for Windows 2008 R2 have been installed as per http://technet.microsoft.com/en-us/library/bb691354.aspx. I'm running the installation under an account which is Domain/Enterprise/Schema admin.
The production Exchange servers run without any issues. There are 30 servers on the DR site (DC/apps/DBs/backup etc) and they all run without any issues.
Any idea?
Thanks
November 12th, 2011 10:49pm
Hi,
How is the issue now?
For the issue, we can troubleshoot via the following steps.
1. We can run NLtest /dsgetsite to verify the subnet of the site.
2. Check if we have enabled IPv6 on the connected NIC and in the registry.
3. Under manage audit and security logs, we need to have the Exchange servers security group.
4. We can run rsop.msc to verify which GPO is applied currently, and ensure that the GPO has been applied to the “Exchange server security group”.
5. We can force DC replication to ensure that all the DCs are in the same status.
Issues that may occur when the "Manage auditing and security log" permission is removed from the Exchange Enterprise Servers group in Exchange 2000 Server
http://support.microsoft.com/kb/896703
Event ID 2080 from MSExchangeDSAccess
http://support.microsoft.com/kb/316300
Xiu
November 14th, 2011 10:49am
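The checks listed in the steps above, as an added PowerShell example that is not part of the original thread: it only reads the AD site, the effective holders of SeSecurityPrivilege ("Manage auditing and security log") on a DC, the Exchange Servers group membership, and the inheritance state of the Domain Controllers container. The server name DR-HUBCAS01 is a hypothetical placeholder, and the ActiveDirectory and GroupPolicy modules are assumed to be installed.

```powershell
# Added example: read-only checks. Run elevated on a DC in the Exchange server's site.
# Assumes the ActiveDirectory and GroupPolicy modules (RSAT) are available.
Import-Module ActiveDirectory, GroupPolicy

$ExchangeHost = 'DR-HUBCAS01'   # hypothetical name of the new HUB/CAS server

# Step 1: the AD site this machine resolves to.
nltest /dsgetsite

# Step 3: effective holders of "Manage auditing and security log"
# (SeSecurityPrivilege) on this DC, exported from the applied security policy.
$group = Get-ADGroup -Identity 'Exchange Servers'
$inf   = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$entry = Select-String -Path $inf -Pattern '^SeSecurityPrivilege\s*=' |
    Select-Object -First 1
$holders = @()
if ($entry) {
    # Entries look like "*S-1-5-32-544,*S-1-5-21-..."; strip the leading '*'.
    $holders = ($entry.Line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') }
}
Remove-Item $inf -ErrorAction SilentlyContinue
$hasRight = ($holders -contains $group.SID.Value) -or ($holders -contains $group.Name)

# Is the new server's computer account in the group the right is granted to?
$members  = Get-ADGroupMember -Identity $group -Recursive |
    Select-Object -ExpandProperty SamAccountName
$isMember = $members -contains ($ExchangeHost + '$')

# Step 4: is GPO inheritance blocked on the Domain Controllers container,
# and which GPOs are linked directly to it?
$dcOu = (Get-ADDomain).DomainControllersContainer
$inh  = Get-GPInheritance -Target $dcOu
$inh.GpoLinks | Format-Table DisplayName, Enabled, Enforced, Order -AutoSize

# Step 5: replication health across DCs (summary only, nothing is forced).
repadmin /replsummary

# One-line summary of the findings.
New-Object PSObject -Property @{
    ExchangeServersHasAuditRight = $hasRight
    ServerInExchangeServersGroup = $isMember
    DcContainerBlocksInheritance = $inh.GpoInheritanceBlocked
}
```

Running it on more than one DC and comparing the summaries shows whether the user right and the group membership are consistent across the domain controllers Exchange may select.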
Hi Xiu,
I ran nltest, dcdiag and netdiag tests and they all came back ok. nltest returned the DR site. As I said, the client already has 2 Exchange servers in production and they are running fine as well as several other AD integrated apps running in the DR site.
The group Exchange Servers was granted access to DCs (Manage auditing and security log) through a GPO at the DC container. IPv6 is on as this is a fresh installation. I did try disabling it, including adding DisabledComponents "ffffffff" value in the registry, but that didn't help.
I'm still waiting for a CR to be approved and then I will remove the "block inheritance" option at the DC container. I believe this is what's been blocking the DCs to see an updated group membership for the group Exchange Servers. We've recently enforced a new password policy and it failed to apply because the "block inheritance" was set over the DC container. Once that was lifted, the policy applied successfully. Then they set the blockage back, even though the guys who manage the system have no idea who set it nor why. They just don't want to get rid of it as they are afraid it could break something.
So, once I get ok from the CM, I will try it again and let you know how it went.
Thanks
November 14th, 2011 5:22pm
Ok.
Please feel free to update here.
Xiu
November 15th, 2011 11:04pm
Hi,
You can try the following things:
1) Disable IPv6 (if it is disabled, then enable it) & try to install the Exchange Hub Transport server role.
2) Turn your firewall off/on (vice versa) & try to install the Exchange Hub Transport server role.
3) Delete your server's host A record from the DNS server (if the DNS entry is static, then recreate it manually). If it is dynamic, then try to re-register the DNS entry with the following command: IPCONFIG /Registerdns
4) Check your firewall settings from your Active Directory to the Hub Transport server: http://technet.microsoft.com/en-us/library/bb331973.aspx
November 17th, 2011 7:44pm
Hi Xiu,
Please close the thread as these guys want to log a call with Microsoft because they don't understand why would "block inheritance" cause an issue if the group was already granted access. I will reopen if I get more info.
Thanks
December 24th, 2011 9:59pm