Exchange Management Tools from Active Directory site with no Exchange Servers
Hi!
I have an environment with one Active Directory forest and two domains; One root domain and one sub-domain.
The Active Directory forest got three Active Directory sites, Site A, B and C.
All Exchange servers (pure 2010) are installed in site A in the sub-domain. I'm trying to connect using Exchange Management Tools from a management workstation located in Site B.
Using either the Management Console or Management Shell I get the following error:
Exception calling "GetComputerSite" with "0" argument(s): "Logon failure: unknown user name or bad password."
At C:\Program Files\Microsoft\Exchange Server\V14\bin\ConnectFunctions.ps1:149 char:92
+ $localSite=[System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite <<<< ()
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DotNetMethodException
The user account I use is an Exchange Organization Administrator, and I have no problems running the Management Tools from a local Exchange server in Site A.
"nltest /dsgetsite" returns "Site B".
Trying to manually specify a connectionURI from the Management Shell returns the following:
[PS] C:\Windows\system32>New-PSSession -Name session01 -ConfigurationName Microsoft.Exchange -ConnectionUri https://exchsrv01.subdomain.rootdomain.local/PowerShell
[exchsrv01.subdomain.rootdomain.local] Connecting to remote server failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
+ FullyQualifiedErrorId : PSSessionOpenFailed
The user account is RemotePowerShell-enabled.
Any ideas? Is this behaviour "by design" since there are no local Exchange servers in the AD Site I'm running the Management Tools from?
Jan Egil Ring
Blog: http://blog.powershell.no
Twitter: http://twitter.com/janegilring
April 27th, 2010 11:15pm
Hi Jan,
It should discover and connect to servers in adjacent sites automatically. The logon failure and access denied errors look like the problem. Can you authenticate to other resources in Site A without any issues?
April 28th, 2010 12:12am
Yes, i.e. "Enter-PSSession -Computername exchsrv01" or remoting to any other server in Site A works just fine.
So does all other sorts of access, e.g. remote file shares (\\servername\share).
Jan Egil Ring
Blog: http://blog.powershell.no
Twitter: http://twitter.com/janegilring
April 28th, 2010 12:16am
Does this work?
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://exchsrv01.subdomain.rootdomain.local/PowerShell -Authentication Kerberos
Import-PSSession $session
Also, there is a function called Connect-ExchangeServer that gets loaded when you start EMS, you can try connecting to a server in another site manually:
Connect-ExchangeServer -fqdn exchsrv01.subdomain.rootdomain.local
If it doesn't work, maybe it will give a better error message to work with.
April 28th, 2010 12:25am
Both of your suggestions work just fine (when I removed the -Credential).
In addition, if I open a standard Windows PowerShell prompt and run "Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010" all the Exchange cmdlets work fine. What Exchange server does the snapin communicate with?
However, the computer is supposed to be used by helpdesk technicians, and they would primarily use the Exchange Management Console.
The default "Microsoft Exchange On-Premises" returns the error mentioned in the first post. If I add a forest manually using "Add Exchange Forest" it also works fine when specifying an Exchange server FQDN.
So I guess we have a few workarounds; however, it would be nice to determine the root cause of this issue. Could SPNs be a possible source of the problems? Obviously the problem occurs when communicating with IIS.
The exchsrv01 server has the following SPNs:
MSServerClusterMgmtAPI/exchsrv01.subdomain.rootdomain.local
MSServerClusterMgmtAPI/exchsrv01
exchangeMDB/exchsrv01
exchangeMDB/exchsrv01.subdomain.rootdomain.local
WSMAN/exchsrv01.subdomain.rootdomain.local
WSMAN/exchsrv01
TERMSRV/exchsrv01
TERMSRV/exchsrv01.subdomain.rootdomain.local
RestrictedKrbHost/exchsrv01
HOST/exchsrv01
RestrictedKrbHost/exchsrv01.subdomain.rootdomain.local
HOST/exchsrv01.subdomain.rootdomain.local
Jan Egil Ring
Blog: http://blog.powershell.no
Twitter: http://twitter.com/janegilring
April 28th, 2010 12:54am
I didn't notice earlier, but the logon failure is happening when trying to determine the current site:
#line 149 in ConnectFunctions.ps1
$localSite=[System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite()
I guess that explains why manually connecting to a server works fine. If you can resolve that I think it should fix the problem, I'll also see if I can find a solution.
On a side note, I just installed the Exchange tools on a PC in a site with no Exchange servers and both EMC/EMS function properly.
April 28th, 2010 3:27am
Ok, thanks for the information. Then it should be possible to make it work.
This is a newly installed domain, so I'll do some verifications on the domain setup. I'll let you know if I'm able to resolve the issue.
Jan Egil Ring
Blog: http://blog.powershell.no
Twitter: http://twitter.com/janegilring
April 28th, 2010 3:36am
I've now resolved this issue.
I noticed that the Exchange servers were using the domain controllers in the root domain, which they shouldn't, since those lie in a different site and a different domain from the Exchange servers.
Looking at the 2080 events in the Application log I noticed that the domain controllers in the subdomain didn't have the necessary SACL right:
Log Name: Application
Source: MSExchange ADAccess
Date: 28.04.2010 10:42:42
Event ID: 2080
Task Category: Topology
Level: Information
Keywords: Classic
User: N/A
Computer: EXCHSRV01.subdomain.rootdomain.local
Description:
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1348). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
SRVDC05.subdomain.rootdomain.local CDG 1 7 7 1 0 0 1 7 1
SRVDC06.subdomain.rootdomain.local CDG 1 7 7 1 0 0 1 7 1
Out-of-site:
SRVMDC01.rootdomain.local CDG 1 7 7 1 0 1 1 7 1
SRVMDC02.rootdomain.local CDG 1 7 7 1 0 1 1 7 1
SRVMDC03.subdomain.rootdomain.local CDG 1 7 7 1 0 0 1 7 1
SRVMDC04.subdomain.rootdomain.local CDG 1 7 7 1 0 0 1 7 1
This permission is described at the bottom of this article:
http://technet.microsoft.com/en-us/library/bb125224.aspx
"On each domain controller in a domain in which you will install Exchange 2010, the Exchange Servers USG has permissions on the Domain Controller Security Policy\Local Policies\User Rights Assignment\Manage Auditing and Security Log policy."
I ran setup /PrepareAllDomains prior to installing Exchange, but I guess something didn't complete properly.
However, I set the permission manually and the Exchange servers then started to use the expected domain controllers in the same site.
Also, the 2080 events now show the correct permissions:
Log Name: Application
Source: MSExchange ADAccess
Date: 29.04.2010 01:14:19
Event ID: 2080
Task Category: Topology
Level: Information
Keywords: Classic
User: N/A
Computer: EXCHSRV01.subdomain.rootdomain.local
Description:
Process STORE.EXE (PID=2856). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
SRVDC05.subdomain.rootdomain.local CDG 1 7 7 1 0 1 1 7 1
SRVDC06.subdomain.rootdomain.local CDG 1 7 7 1 0 1 1 7 1
Out-of-site:
SRVMDC01.rootdomain.local CDG 1 7 7 1 0 1 1 7 1
SRVMDC02.rootdomain.local CDG 1 7 7 1 0 1 1 7 1
SRVMDC03.subdomain.rootdomain.local CDG 1 7 7 1 0 1 1 7 1
SRVMDC04.subdomain.rootdomain.local CDG 1 7 7 1 0 1 1 7 1
Now I'm also able to use the Exchange Management Tools from another site with no Exchange servers without problems.
Jan Egil Ring
Blog: http://blog.powershell.no
Twitter: http://twitter.com/janegilring
April 29th, 2010 5:08pm
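As an added example (not code from the thread or from Microsoft), here is a PowerShell snippet that parses the event 2080 description in the column order quoted above and reports domain controllers whose "SACL right" column is 0; the function names and the embedded sample message are constructed for illustration, and Get-DcsMissingSaclRight assumes it is run against a live Exchange 2010 server's Application log.

```powershell
# Added example: parse MSExchange ADAccess event 2080 and flag domain controllers
# lacking the SACL right ("Manage auditing and security log" for Exchange Servers).
# Column order follows the header line quoted in the event text above.

function ConvertFrom-Event2080 {
    param([Parameter(Mandatory=$true)][string]$Message)
    $section = $null
    foreach ($raw in ($Message -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -eq 'In-site:')     { $section = 'In-site';     continue }
        if ($line -eq 'Out-of-site:') { $section = 'Out-of-site'; continue }
        # A DC line is: FQDN, roles, then the nine numeric columns from the header
        if ($line -match '^(\S+)\s+(\S+)(\s+\d+){9}$') {
            $cols = $line -split '\s+'
            New-Object PSObject -Property @{
                Section          = $section
                DomainController = $cols[0]
                Roles            = $cols[1]
                Enabled          = [int]$cols[2]
                Reachability     = [int]$cols[3]
                GcCapable        = [int]$cols[5]
                PDC              = [int]$cols[6]
                SaclRight        = [int]$cols[7]   # 0 = right missing on that DC
            }
        }
    }
}

function Get-DcsMissingSaclRight {
    # Reads the newest 2080 events from an Exchange 2010 server (hypothetical helper)
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Newest = 3)
    Get-WinEvent -ComputerName $ComputerName -MaxEvents $Newest -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'MSExchange ADAccess'; Id = 2080
    } | ForEach-Object { ConvertFrom-Event2080 -Message $_.Message } |
        Where-Object { $_.SaclRight -eq 0 }
}

# Constructed sample modelled on the first (pre-fix) event in the thread
$sample = @"
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1348). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
SRVDC05.subdomain.rootdomain.local CDG 1 7 7 1 0 0 1 7 1
Out-of-site:
SRVMDC01.rootdomain.local CDG 1 7 7 1 0 1 1 7 1
"@
ConvertFrom-Event2080 -Message $sample | Where-Object { $_.SaclRight -eq 0 } |
    Format-Table Section, DomainController, Roles, SaclRight -AutoSize
```

Run against the sample, only SRVDC05 (the in-site DC) is listed, which matches the symptom in the thread: the in-site DCs were unusable and Exchange fell back to the out-of-site root-domain DCs.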
Interesting... glad you found a solution.
April 29th, 2010 7:27pm
Can you give us more detail about this:
"However, I set the permission manually and the Exchange-servers were now starting to use the expected domain controllers in the same site."
September 17th, 2010 9:43am
I assigned the 'Exchange Servers' group the user right 'Manage Auditing & Security Logs' on the Default Domain Controllers Policy (Group Policy object on the Domain Controllers organizational unit).
Jan Egil Ring
Blog: http://blog.powershell.no
Twitter: http://twitter.com/janegilring
September 19th, 2010 8:08am