Exchange Management Tools from Active Directory site with no Exchange Servers
Hi! I have an environment with one Active Directory forest and two domains: one root domain and one sub-domain. The Active Directory forest has three Active Directory sites, Site A, B and C. All Exchange servers (pure 2010) are installed in Site A in the sub-domain. I'm trying to connect using Exchange Management Tools from a management workstation located in Site B. Using either the Management Console or Management Shell I get the following error:

    Exception calling "GetComputerSite" with "0" argument(s): "Logon failure: unknown user name or bad password. "
    At C:\Program Files\Microsoft\Exchange Server\V14\bin\ConnectFunctions.ps1:149 char:92
    + $localSite=[System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite <<<< ()
        + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
        + FullyQualifiedErrorId : DotNetMethodException

The user account I use is an Exchange Organization Administrator, and I have no problems running the Management Tools from a local Exchange server in Site A. "nltest /dsgetsite" returns "Site B".

Trying to manually specify a connection URI from the Management Shell returns the following:

    [PS] C:\Windows\system32>New-PSSession -Name session01 -ConfigurationName Microsoft.Exchange -ConnectionUri https://exchsrv01.subdomain.rootdomain.local/PowerShell
    [exchsrv01.subdomain.rootdomain.local] Connecting to remote server failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
        + CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
        + FullyQualifiedErrorId : PSSessionOpenFailed

The user account is RemotePowerShell-enabled. Any ideas? Is this behaviour "by design" since there are no local Exchange servers in the AD site I'm running the Management Tools from?

Jan Egil Ring Blog: http://blog.powershell.no Twitter: http://twitter.com/janegilring
April 27th, 2010 11:15pm

Hi Jan, It should discover and connect to servers in adjacent sites automatically. The logon failure and access denied errors look like the problem. Can you authenticate to other resources in Site A without any issues?
April 28th, 2010 12:12am

Yes, i.e. "Enter-PSSession -Computername exchsrv01" or remoting to any other server in Site A works just fine. So do all other sorts of access, e.g. remote file shares (\\servername\share).

Jan Egil Ring Blog: http://blog.powershell.no Twitter: http://twitter.com/janegilring
April 28th, 2010 12:16am

Does this work?

    $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://exchsrv01.subdomain.rootdomain.local/PowerShell -Authentication Kerberos
    Import-PSSession $session

Also, there is a function called Connect-ExchangeServer that gets loaded when you start EMS, you can try connecting to a server in another site manually:

    Connect-ExchangeServer -fqdn exchsrv01.subdomain.rootdomain.local

If it doesn't work, maybe it will give a better error message to work with.
April 28th, 2010 12:25am

Both of your suggestions work just fine (when I removed the -Credential). In addition, if I open a standard Windows PowerShell prompt and run "Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010" all the Exchange cmdlets work fine. What Exchange server does the snap-in communicate with?

However, the computer is supposed to be used by helpdesk technicians, and they would primarily use the Exchange Management Console. The default "Microsoft Exchange On-Premises" returns the error mentioned in the first post. If I add a forest manually using "Add Exchange Forest" it also works fine when specifying an Exchange server FQDN.

So I guess we have a few workarounds, however, it would be nice to determine the root cause of this issue. Could SPNs be a possible source for the problems? Obviously the problem occurs when communicating with IIS. The exchsrv01 server has the following SPNs:

    MSServerClusterMgmtAPI/exchsrv01.subdomain.rootdomain.local
    MSServerClusterMgmtAPI/exchsrv01
    exchangeMDB/exchsrv01
    exchangeMDB/exchsrv01.subdomain.rootdomain.local
    WSMAN/exchsrv01.subdomain.rootdomain.local
    WSMAN/exchsrv01
    TERMSRV/exchsrv01
    TERMSRV/exchsrv01.subdomain.rootdomain.local
    RestrictedKrbHost/exchsrv01
    HOST/exchsrv01
    RestrictedKrbHost/exchsrv01.subdomain.rootdomain.local
    HOST/exchsrv01.subdomain.rootdomain.local

Jan Egil Ring Blog: http://blog.powershell.no Twitter: http://twitter.com/janegilring
April 28th, 2010 12:54am

I didn't notice earlier, but the logon failure is happening when trying to determine the current site:

    #line 149 in ConnectFunctions.ps1
    $localSite=[System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite()

I guess that explains why manually connecting to a server works fine. If you can resolve that I think it should fix the problem, I'll also see if I can find a solution.

On a side note, I just installed the Exchange tools on a PC in a site with no Exchange servers and both EMC/EMS function properly.
April 28th, 2010 3:27am

Ok, thanks for the information. Then it should be possible to make it work. This is a newly installed domain, so I'll do some verifications on the domain setup. I'll let you know if I'm able to resolve the issue.

Jan Egil Ring Blog: http://blog.powershell.no Twitter: http://twitter.com/janegilring
April 28th, 2010 3:36am

I've now resolved this issue. I noticed that the Exchange servers were using the domain controllers in the root domain, which they shouldn't since they reside in a different site and a different domain from the Exchange servers. Looking at the 2080 events in the Application log I noticed that the domain controllers in the subdomain didn't have the necessary SACL right:

    Log Name: Application
    Source: MSExchange ADAccess
    Date: 28.04.2010 10:42:42
    Event ID: 2080
    Task Category: Topology
    Level: Information
    Keywords: Classic
    User: N/A
    Computer: EXCHSRV01.subdomain.rootdomain.local
    Description:
    Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1348). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
    (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
    In-site:
    SRVDC05.subdomain.rootdomain.local CDG 1 7 7 1 0 0 1 7 1
    SRVDC06.subdomain.rootdomain.local CDG 1 7 7 1 0 0 1 7 1
    Out-of-site:
    SRVMDC01.rootdomain.local CDG 1 7 7 1 0 1 1 7 1
    SRVMDC02.rootdomain.local CDG 1 7 7 1 0 1 1 7 1
    SRVMDC03.subdomain.rootdomain.local CDG 1 7 7 1 0 0 1 7 1
    SRVMDC04.subdomain.rootdomain.local CDG 1 7 7 1 0 0 1 7 1

This permission is described at the bottom of this article: http://technet.microsoft.com/en-us/library/bb125224.aspx

"On each domain controller in a domain in which you will install Exchange 2010, the Exchange Servers USG has permissions on the Domain Controller Security Policy\Local Policies\User Rights Assignment\Manage Auditing and Security Log policy."

I ran setup /PrepareAllDomains prior to installing Exchange, but I guess something didn't complete properly. However, I set the permission manually and the Exchange servers were now starting to use the expected domain controllers in the same site.

Also the 2080 events now show the correct permissions:

    Log Name: Application
    Source: MSExchange ADAccess
    Date: 29.04.2010 01:14:19
    Event ID: 2080
    Task Category: Topology
    Level: Information
    Keywords: Classic
    User: N/A
    Computer: EXCHSRV01.subdomain.rootdomain.local
    Description:
    Process STORE.EXE (PID=2856). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
    (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
    In-site:
    SRVDC05.subdomain.rootdomain.local CDG 1 7 7 1 0 1 1 7 1
    SRVDC06.subdomain.rootdomain.local CDG 1 7 7 1 0 1 1 7 1
    Out-of-site:
    SRVMDC01.rootdomain.local CDG 1 7 7 1 0 1 1 7 1
    SRVMDC02.rootdomain.local CDG 1 7 7 1 0 1 1 7 1
    SRVMDC03.subdomain.rootdomain.local CDG 1 7 7 1 0 1 1 7 1
    SRVMDC04.subdomain.rootdomain.local CDG 1 7 7 1 0 1 1 7 1

Now I'm also able to use the Exchange Management Tools from another site with no Exchange servers without problems.

Jan Egil Ring Blog: http://blog.powershell.no Twitter: http://twitter.com/janegilring
April 29th, 2010 5:08pm
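
Added example, not part of the original thread or of Exchange's own scripts: a PowerShell parser for the Event ID 2080 description quoted in the post above, listing the domain controllers whose "SACL right" column is not 1. The function name ConvertFrom-Event2080 and the sample text (a constructed excerpt using the thread's server names and values) are assumptions; it needs PowerShell 3.0 or later.

```powershell
# Constructed excerpt of an Event ID 2080 description, using the values quoted in the thread.
$description = @'
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1348). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
SRVDC05.subdomain.rootdomain.local CDG 1 7 7 1 0 0 1 7 1
SRVDC06.subdomain.rootdomain.local CDG 1 7 7 1 0 0 1 7 1
Out-of-site:
SRVMDC01.rootdomain.local CDG 1 7 7 1 0 1 1 7 1
SRVMDC03.subdomain.rootdomain.local CDG 1 7 7 1 0 0 1 7 1
'@

# Hypothetical helper: turns the server rows of a 2080 description into objects.
function ConvertFrom-Event2080 {
    param([Parameter(Mandatory = $true)][string]$Description)

    # Column order as printed in the event's own header line.
    $columns = 'Roles', 'Enabled', 'Reachability', 'Synchronized', 'GCCapable',
               'PDC', 'SACLRight', 'CriticalData', 'Netlogon', 'OSVersion'
    $scope = $null
    foreach ($line in ($Description -split "`r?`n")) {
        $line = $line.Trim()
        if ($line -match '^(In-site|Out-of-site):$') {
            $scope = $Matches[1]
            continue
        }
        $fields = @($line -split '\s+')
        # A server row is a name plus exactly ten values, and only counts inside a scope block.
        if (-not $scope -or $fields.Count -ne 11) { continue }

        $row = [ordered]@{ Scope = $scope; Server = $fields[0] }
        for ($i = 0; $i -lt $columns.Count; $i++) {
            $row[$columns[$i]] = $fields[$i + 1]
        }
        [pscustomobject]$row
    }
}

# Domain controllers on which the Exchange Servers group lacks the SACL right.
$servers = ConvertFrom-Event2080 -Description $description
$servers | Where-Object { $_.SACLRight -ne '1' } |
    Select-Object Scope, Server, SACLRight
```

On an Exchange server, the description can be taken from the Message property of the newest event returned by `Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='MSExchange ADAccess'; Id=2080} -MaxEvents 1` instead of the embedded sample.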

interesting...glad you found a solution.
April 29th, 2010 7:27pm

Can you give us more detail about this: "However, I set the permission manually and the Exchange-servers were now starting to use the expected domain controllers in the same site."
September 17th, 2010 9:43am

I assigned the 'Exchange Servers' group the user right 'Manage Auditing & Security Logs' on the Default Domain Controller Policy (Group Policy object on the Domain Controllers organizational unit).

Jan Egil Ring Blog: http://blog.powershell.no Twitter: http://twitter.com/janegilring
September 19th, 2010 8:08am

This topic is archived. No further replies will be accepted.
