Hub/CAS Server not working unless in domain admins group
Currently I have an Exchange environment set up with the following characteristics:

SCC Clustered Exchange 2007 Mailbox server (2 physical servers)
Hub Transport / Client Access Server (1 VM server)
Edge Transport Server (1 VM server)
All servers are Windows Server 2008 SP2 Enterprise Edition
Exchange Server 2007 SP1 Enterprise Edition

About two days ago I noticed that mail was not flowing to the mailbox server from the Hub/CAS; they were hung in queue. I also noticed a bunch of errors in the event log and a service failing, restarting, running, failing again, along with a service that would not run at all.

The service that failed off and on was the 'Microsoft Exchange Transport' service with the following error in the event log (system log):

"The Microsoft Exchange Transport service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service."

The service that would not run at all was the 'Microsoft Exchange Service Host', but there was no error in the system or application event log when it failed.

The errors I was receiving in the application event log are as follows:

Log Name: Application
Source: MSExchange Autodiscover
Event ID: 1
Task Category: Web
Level: Error
Keywords: Classic
User: N/A
Computer: hub/cas.domain.com
Description:
Unhandled Exception "The Exchange Topology service on server localhost did not return a suitable domain controller."
Stack Trace:
   at Microsoft.Exchange.Data.Directory.DSAccessTopologyProvider.GetConfigDCInfo(Boolean throwOnFailure)
   at Microsoft.Exchange.Data.Directory.TopologyProvider.PopulateConfigNamingContexts()
   at Microsoft.Exchange.Data.Directory.TopologyProvider.GetConfigurationNamingContext()
   at Microsoft.Exchange.Data.Directory.ADSession.GetConnection(String preferredServer, Boolean isWriteOperation, Boolean isNotifyOperation, ADObjectId& rootId)
   at Microsoft.Exchange.Data.Directory.ADSession.GetReadConnection(String preferredServer, ADObjectId& rootId)
   at Microsoft.Exchange.Data.Directory.ADSession.Find(ADObjectId rootId, String optionalBaseDN, ADObjectId readId, QueryScope scope, QueryFilter filter, SortBy sortBy, Int32 maxResults, IEnumerable`1 properties, CreateObjectDelegate objectCreator, CreateObjectsDelegate arrayCreator)
   at Microsoft.Exchange.Data.Directory.ADSession.Find(ADObjectId rootId, QueryScope scope, QueryFilter filter, SortBy sortBy, Int32 maxResults, IEnumerable`1 properties, CreateObjectDelegate objectCtor, CreateObjectsDelegate arrayCtor)
   at Microsoft.Exchange.Data.Directory.ADSession.Find[TResult](ADObjectId rootId, QueryScope scope, QueryFilter filter, SortBy sortBy, Int32 maxResults, IEnumerable`1 properties)
   at Microsoft.Exchange.Data.Directory.Recipient.ADRecipientSession.FindBySid(SecurityIdentifier sId)
   at Microsoft.Exchange.Autodiscover.Providers.Outlook.OutlookAutoDiscoverProvider..ctor(RequestData requestData)

----------------------------------------------------------------

Log Name: Application
Source: MSExchange ADAccess
Event ID: 2601
Task Category: General
Level: Warning
Keywords: Classic
User: N/A
Computer: hub/cas.domain.com
Description:
Process MSEXCHANGEADTOPOLOGY (PID=1432). When initializing a remote procedure call (RPC) to the Microsoft Exchange Active Directory Topology service, Exchange could not retrieve the SID for account <WKGUID=DC1301662F547445B9C490A52961F8FC,CN=Microsoft Exchange,CN=Services,CN=Configuration,...> - Error code=80040a01. The Microsoft Exchange Active Directory Topology service will continue starting with limited permissions.

----------------------------------------------------------------

Log Name: Application
Source: MSExchange ADAccess
Event ID: 2114
Task Category: Topology
Level: Error
Keywords: Classic
User: N/A
Computer: hub/cas.domain.com
Description:
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1512). Topology discovery failed, error 0x80040a02 (DSC_E_NO_SUITABLE_CDC). Look up the Lightweight Directory Access Protocol (LDAP) error code specified in the event description. To do this, use Microsoft Knowledge Base article 218185, "Microsoft LDAP Error Codes." Use the information in that article to learn more about the cause and resolution to this error. Use the Ping or PathPing command-line tools to test network connectivity to local domain controllers.

----------------------------------------------------------------

Log Name: Application
Source: MSExchange ADAccess
Event ID: 2080
Task Category: Topology
Level: Information
Keywords: Classic
User: N/A
Computer: hub/cas.domain.com
Description:
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1512). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
dc1.domain.com CDG 1 7 7 1 0 0 1 7 1
dc2.domain.com CDG 1 7 7 1 0 0 1 7 1
Out-of-site:

----------------------------------------------------------------

Log Name: Application
Source: MSExchangeFDS
Event ID: 1003
Task Category: General
Level: Warning
Keywords: Classic
User: N/A
Computer: hub/cas.domain.com
Description:
Process MSExchangeFDS.exe (PID=2692). Temporarily unable to connect to Active Directory to read configuration data for object OAB (The Exchange Topology service on server localhost did not return a suitable domain controller.). Will wait for 60 seconds and retry.

----------------------------------------------------------------

These errors have been filling my application event log for the last couple of days. My Exchange Management Console would also hang on this server each time I tried to start it, and no settings were available from this server on any other server's management console.

I have installed Update Rollup 9 to try and fix this. I have added all the appropriate subnets in AD Sites and Services. I have verified that IPv6 is enabled on my NIC. I rebooted the server in between each and every change to see if it started to work. There is no anti-virus running right now on this server. I have done a ton of reading online to see if someone had a resolution and reviewed all the possibilities that I found. Nothing I did made the least bit of difference in what I was seeing.

I came across a forum thread where people talked about adding the hub/cas AD computer account to their Domain Admins group, which they said took care of the problem. I added my server to the Domain Admins group in AD to see if it made a difference, then rebooted the server. After the server came back online I had no errors, no dead services, no hung management console, all my settings were there, everything was accessible and mail was once again flowing.

So my question is: why did that fix it, and what can I do to fix it without leaving the computer account in the Domain Admins group? I'm assuming this would not be a best practice nor recommended, but right now it's the only thing I've found to get the server running again. Any thoughts, ideas or fixes would be appreciated. Please let me know if you need any additional information.

Thanks,
Sean
August 13th, 2009 5:37pm

First, check the Manage auditing and security log settings...

a. Open the Default Domain Controllers Security Settings snap-in on the domain controller specified in the event description.
b. In the console tree, under Security Settings, expand Local Policies, and then click User Rights Assignments.
c. In the results pane, double-click Manage auditing and security log. Verify that both the Exchange Servers group and the Exchange Enterprise Servers group are listed.

Second, make sure that the Exchange server is a member of the proper groups...

Make sure that the Exchange server is still a member of the Exchange Domain Servers group, and make sure that the Exchange Domain Servers group is a member of the Exchange Enterprise Servers group.

Amit Tank | MVP Exchange Server | MCITP: EMA | MCSA: M | http://ExchangeShare.WordPress.com
August 13th, 2009 5:58pm

Out of curiosity, what other groups is your CAS server in? Did you run the BPA?

Karl
August 13th, 2009 6:01pm

Amit, thank you for your reply; it took care of my issues with the following exceptions/differences. I do not have an Exchange Enterprise Servers group within AD (Exchange Organization, Public Folder, Recipient and View Only Administrators, Exchange Servers and Exchange Legacy Interop groups are all I have) and no Exchange Domain Servers (Exchange Servers) group. For whatever reason the Exchange Servers group was not part of the 'Manage Auditing and Security Log' right. Is that something that should have been set automatically during the Schema/AD prep or installation of Exchange?

After I made that change I rebooted the server and all was well, except I was getting a new error: "Microsoft Exchange couldn't register the service principal name SMTP: Access is denied"

With a little research I found (on this forum) the following steps that fixed that error as well:

Resolution: Please ensure the SELF account has the required permissions on the DC computer account
a. Go to ADUC
b. In the Domain Controllers container, right-click the DC account, select Properties
c. In the Security tab, find the SELF account, make sure it has the following rights:
   Create All Child Objects
   Delete All Child Objects
   Validated Write to DNS Host Name
   Validated Write to Service Principal Name (this being the right we need to validate the SPN)

Troubleshooting:
1. Please verify that the SPN has been recorded
   a. Launch the ADSIEditor (Start->run-> ADSIEditor.msc)
   b. Expand Domain->DC=DomainName,DC=com->OU=Domain Controllers
   c. In the right-pane, right-click the DC account, select Properties
   d. In the Attribute Editor tab, double-click the serviceprincipalName attribute, make sure it has the following values:
      SMTP/ServerNameofDC
      SMTP/FQDNofDC
      SmtpSvc/ServerNameofDC
      SmtpSvc/FQDNofDC
2. Please verify that the log on account for the transport service is Network Service
3. Please check if the DC computer account is in the default Domain Controllers OU
4. Please check the registry key below and see if the accounts have the proper rights
   a. Go to regedit
   b. Expand to \HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
   c. Right-click the Parameters folder, select Permissions, see if the following accounts have rights:
      Users (Read)
      Administrators (Full, Read)
      System (Full, Read)
      LocalService (Read)
      NetworkService (Full, Read)
      Network Configuration Operators (Read, Special Permissions)

I reviewed/made the appropriate changes to both of my DCs, then rebooted the hub/cas server again and am currently NOT getting any errors in the event log, and I have also removed the hub/cas computer account from the Domain Admins group. I would like to thank you for your assistance. Now I can go back to finishing this deployment for my customer.
August 13th, 2009 7:36pm
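The checks Sean walked through above (the "Manage auditing and security log" right, the SMTP SPNs on the DC, the Tcpip\Parameters ACL) and the least-privilege point from the original question (the Hub/CAS computer account should not stay in Domain Admins) can be verified in one pass. This is an added example, not code from the thread; it assumes an elevated PowerShell session on a domain controller with the ActiveDirectory RSAT module installed, and HUBCAS01 is a placeholder for the Hub/CAS computer name.

```powershell
# Added verification script (not from the thread). Assumes: elevated PowerShell on a DC,
# ActiveDirectory module available, and HUBCAS01 as a placeholder Hub/CAS computer name.
Import-Module ActiveDirectory
$HubCas = 'HUBCAS01'          # placeholder: NetBIOS name of the Hub/CAS computer account
$Dc     = $env:COMPUTERNAME   # the DC being checked

# 1. Effective "Manage auditing and security log" right (SeSecurityPrivilege) on this DC.
#    secedit exports it as a comma-separated list of *SIDs (or names) in an INF file.
$inf = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$entry = Get-Content $inf | Where-Object { $_ -match '^SeSecurityPrivilege\s*=' }
$holders = ($entry -split '=', 2)[1] -split ',' | ForEach-Object {
    $id = $_.Trim().TrimStart('*')
    try { (New-Object Security.Principal.SecurityIdentifier $id).Translate([Security.Principal.NTAccount]).Value }
    catch { $id }   # already a name, or a SID this DC cannot resolve
}
Remove-Item $inf -ErrorAction SilentlyContinue
$hasExchangeServers = [bool]($holders | Where-Object { $_ -like '*\Exchange Servers' })

# 2. The four SMTP/SmtpSvc SPNs the thread says must exist on the DC's computer object.
$dcObj = Get-ADComputer $Dc -Properties servicePrincipalName, DNSHostName
$wanted = "SMTP/$Dc", "SMTP/$($dcObj.DNSHostName)", "SmtpSvc/$Dc", "SmtpSvc/$($dcObj.DNSHostName)"
$missingSpns = $wanted | Where-Object { $dcObj.servicePrincipalName -notcontains $_ }

# 3. Least privilege: the Hub/CAS computer account should not be a Domain Admin (directly or nested).
$inDomainAdmins = [bool](Get-ADGroupMember 'Domain Admins' -Recursive |
    Where-Object { $_.SamAccountName -eq "$HubCas`$" })

# 4. Tcpip\Parameters ACL: NETWORK SERVICE needs Full control per step 4 of the thread.
$acl = Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$netSvcFull = [bool]($acl.Access | Where-Object {
    $_.IdentityReference -like '*NETWORK SERVICE' -and $_.RegistryRights -match 'FullControl' })

# Summary: every value should be True except MissingSmtpSpns (empty) and HubCasInDomainAdmins (False).
New-Object PSObject -Property @{
    ExchangeServersHasSeSecurityPrivilege = $hasExchangeServers
    MissingSmtpSpns                       = ($missingSpns -join ', ')
    HubCasInDomainAdmins                  = $inDomainAdmins
    NetworkServiceFullOnTcpipParams       = $netSvcFull
}
```

secedit reports the policy this DC has actually applied, so if check 1 comes back False after you edited the Default Domain Controllers Policy, run gpupdate /force on the DC and re-check before touching anything else.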

Exchange Domain/Enterprise Servers are groups for legacy Exchange (2000/2003), which I guess you don't have in your environment, and it might be a native 2007 environment. Great that you have found the path ahead for the next errors, and thanks for sharing the resolution... :)

Amit Tank | MVP Exchange Server | MCITP: EMA | MCSA: M | http://ExchangeShare.WordPress.com
August 13th, 2009 9:30pm
