After the initial install, the Exch topology services report errors finding/reaching a descent DC. The initial event logs show --- Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1440). Exchange Active Directory Provider has discovered the following servers with the following characteristics: (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version) In-site: adam.mcfr.priv CDG 1 7 7 1 0 1 1 7 1 Out-of-site: --- and after about 20 minutes, it changes to: --- Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1364). Exchange Active Directory Provider has discovered the following servers with the following characteristics: (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version) In-site: adam.mcfr.priv CDG 1 0 0 1 0 0 0 0 0 sara.mcfr.priv CDG 1 0 0 1 0 0 0 0 0 Out-of-site: --- Notes: - I've rebuild the server/OS - IPV6 is on and tested talking on AD DC too. - 2 DCs now (started with one, and wanted to rule it out as a fluke) - AD schema updated, prep'd. dcdiag reports ALL passed. - DNS is on the DC too. Not 100% sure prb isn't there. - pulled out GPO issues, like the Mgmt Logs etc - NETLOGON dependency fix applied. Thank-you so much for anything you can add/suggest I can reproduce this easily. I have a good event log dump, but it is too long to post. Graham

(recent events first) Log Name: Application Source: MSExchange ADAccess Date: 5/12/2010 1:25:55 PM Event ID: 2080 Task Category: Topology Level: Information Keywords: Classic User: N/A Computer: EVE.mcfr.priv Description: Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1364). Exchange Active Directory Provider has discovered the following servers with the following characteristics: (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version) In-site: adam.mcfr.priv CDG 1 0 0 1 0 0 0 0 0 sara.mcfr.priv CDG 1 0 0 1 0 0 0 0 0 Out-of-site: Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="MSExchange ADAccess" /> <EventID Qualifiers="16388">2080</EventID> <Level>4</Level> <Task>3</Task> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2010-05-12T17:25:55.000Z" /> <EventRecordID>13008</EventRecordID> <Channel>Application</Channel> <Computer>EVE.mcfr.priv</Computer> <Security /> </System> <EventData> <Data>MSEXCHANGEADTOPOLOGYSERVICE.EXE</Data> <Data>1364</Data> <Data>adam.mcfr.priv CDG 1 0 0 1 0 0 0 0 0 sara.mcfr.priv CDG 1 0 0 1 0 0 0 0 0 </Data> <Data> </Data> </EventData> </Event> Log Name: Application Source: Microsoft-Windows-LoadPerf Date: 5/12/2010 1:15:06 PM Event ID: 1000 Task Category: None Level: Information Keywords: Classic User: N/A Computer: EVE.mcfr.priv Description: Performance counters for the WmiApRpl (WmiApRpl) service were loaded successfully. The Record Data in the data section contains the new index values assigned to this service. Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-LoadPerf" Guid="{122EE297-BB47-41AE-B265-1CA8D1886D40}" EventSourceName="LoadPerf" /> <EventID Qualifiers="16384">1000</EventID> <Version>0</Version> <Level>4</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2010-05-12T17:15:06.000Z" /> <EventRecordID>13007</EventRecordID> <Correlation /> <Execution ProcessID="0" ThreadID="0" /> <Channel>Application</Channel> <Computer>EVE.mcfr.priv</Computer> <Security /> </System> <UserData> <EventXML xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="LoadPerf"> <param1>WmiApRpl</param1> <param2>WmiApRpl</param2> <binaryDataSize>16</binaryDataSize> <binaryData>101C0000B61C0000111C0000B71C0000</binaryData> </EventXML> </UserData> </Event> Log Name: Application Source: Microsoft-Windows-LoadPerf Date: 5/12/2010 1:15:06 PM Event ID: 1001 Task Category: None Level: Information Keywords: Classic User: N/A Computer: EVE.mcfr.priv Description: Performance counters for the WmiApRpl (WmiApRpl) service were removed successfully. The Record Data contains the new values of the system Last Counter and Last Help registry entries. Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-LoadPerf" Guid="{122EE297-BB47-41AE-B265-1CA8D1886D40}" EventSourceName="LoadPerf" /> <EventID Qualifiers="16384">1001</EventID> <Version>0</Version> <Level>4</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2010-05-12T17:15:06.000Z" /> <EventRecordID>13006</EventRecordID> <Correlation /> <Execution ProcessID="0" ThreadID="0" /> <Channel>Application</Channel> <Computer>EVE.mcfr.priv</Computer> <Security /> </System> <UserData> <EventXML xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="LoadPerf"> <param1>WmiApRpl</param1> <param2>WmiApRpl</param2> <binaryDataSize>12</binaryDataSize> <binaryData>0E1C00000F1C00004C070000</binaryData> </EventXML> </UserData> </Event> Log Name: Application Source: Microsoft-Windows-MSDTC 2 Date: 5/12/2010 1:13:08 PM Event ID: 4202 Task Category: TM Level: Information Keywords: Classic User: N/A Computer: EVE.mcfr.priv Description: MSDTC started with the following settings: Security Configuration (OFF = 0 and ON = 1): Allow Remote Administrator = 0, Network Clients = 0, Trasaction Manager Communication: Allow Inbound Transactions = 0, Allow Outbound Transactions = 0, Transaction Internet Protocol (TIP) = 0, Enable XA Transactions = 0, MSDTC Communications Security = Mutual Authentication Required, Account = NT AUTHORITY\NetworkService, Firewall Exclusion Detected = 0 Transaction Bridge Installed = 0 Filtering Duplicate Events = 1 Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-MSDTC 2" Guid="{5D9E0020-3761-4f36-90C8-38CE6511BD12}" EventSourceName="MSDTC 2" /> <EventID Qualifiers="16384">4202</EventID> <Version>0</Version> <Level>4</Level> <Task>2</Task> <Opcode>0</Opcode> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2010-05-12T17:13:08.000Z" /> <EventRecordID>13005</EventRecordID> <Correlation /> <Execution ProcessID="0" ThreadID="0" /> <Channel>Application</Channel> <Computer>EVE.mcfr.priv</Computer> <Security /> </System> <EventData> <Data Name="param1">0</Data> <Data Name="param2">0</Data> <Data Name="param3">0</Data> <Data Name="param4">0</Data> <Data Name="param5">0</Data> <Data Name="param6">0</Data> <Data Name="param7">1</Data> <Data Name="param8">Mutual Authentication Required</Data> <Data Name="param9">NT AUTHORITY\NetworkService</Data> <Data Name="param10">0</Data> <Data Name="param11">0</Data> </EventData> </Event> Log Name: Application Source: Microsoft-Windows-CertificateServicesClient Date: 5/12/2010 1:12:25 PM Event ID: 1 Task Category: None Level: Information Keywords: User: MCFR\administrator Computer: EVE.mcfr.priv Description: Certificate Services Client has been started successfully. Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-CertificateServicesClient" Guid="{73370bd6-85e5-430b-b60a-fea1285808a7}" /> <EventID>1</EventID> <Version>0</Version> <Level>4</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8000000000000000</Keywords> <TimeCreated SystemTime="2010-05-12T17:12:25.833Z" /> <EventRecordID>13004</EventRecordID> <Correlation /> <Execution ProcessID="3004" ThreadID="1080" /> <Channel>Application</Channel> <Computer>EVE.mcfr.priv</Computer> <Security UserID="S-1-5-21-4020663759-3254667982-1663005577-500" /> </System> <EventData> </EventData> </Event> Log Name: Application Source: Desktop Window Manager Date: 5/12/2010 1:12:25 PM Event ID: 9003 Task Category: None Level: Information Keywords: Classic User: N/A Computer: EVE.mcfr.priv Description: The Desktop Window Manager was unable to start because a composited theme is not in use Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Desktop Window Manager" /> <EventID Qualifiers="16384">9003</EventID> <Level>4</Level> <Task>0</Task> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2010-05-12T17:12:25.000Z" /> <EventRecordID>13003</EventRecordID> <Channel>Application</Channel> <Computer>EVE.mcfr.priv</Computer> <Security /> </System> <EventData> </EventData> </Event> Log Name: Application Source: Microsoft-Windows-Winlogon Date: 5/12/2010 1:12:25 PM Event ID: 4101 Task Category: None Level: Information Keywords: Classic User: N/A Computer: EVE.mcfr.priv Description: Windows license validated. Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-Winlogon" Guid="{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}" EventSourceName="Winlogon" /> <EventID Qualifiers="16384">4101</EventID> <Version>0</Version> <Level>4</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2010-05-12T17:12:25.000Z" /> <EventRecordID>13002</EventRecordID> <Correlation /> <Execution ProcessID="0" ThreadID="0" /> <Channel>Application</Channel> <Computer>EVE.mcfr.priv</Computer> <Security /> </System> <EventData> <Data>0x00000000</Data> <Data>0x00000001</Data> </EventData> </Event> Log Name: Application Source: VMUpgradeHelper Date: 5/12/2010 1:11:15 PM Event ID: 271 Task Category: None Level: Information Keywords: Classic User: N/A Computer: EVE.mcfr.priv Description: Restored network configuration. Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="VMUpgradeHelper" /> <EventID Qualifiers="0">271</EventID> <Level>4</Level> <Task>0</Task> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2010-05-12T17:11:15.000Z" /> <EventRecordID>13001</EventRecordID> <Channel>Application</Channel> <Computer>EVE.mcfr.priv</Computer> <Security /> </System> <EventData> </EventData> </Event> Log Name: Application Source: VMUpgradeHelper Date: 5/12/2010 1:11:15 PM Event ID: 270 Task Category: None Level: Information Keywords: Classic User: N/A Computer: EVE.mcfr.priv Description: Not restoring network configuration for adapter with MAC address 00:0C:29:3E:C9:63. The device ID for this adapter is unchanged. Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="VMUpgradeHelper" /> <EventID Qualifiers="0">270</EventID> <Level>4</Level> <Task>0</Task> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2010-05-12T17:11:15.000Z" /> <EventRecordID>13000</EventRecordID> <Channel>Application</Channel> <Computer>EVE.mcfr.priv</Computer> <Security /> </System> <EventData> <Data>00:0C:29:3E:C9:63</Data> </EventData> </Event> Log Name: Application Source: Microsoft-Windows-Security-Licensing-SLC Date: 5/12/2010 1:11:10 PM Event ID: 902 Task Category: None Level: Information Keywords: Classic User: N/A Computer: EVE.mcfr.priv Description: The Software Licensing service has started. Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-Security-Licensing-SLC" Guid="{1FD7C1D2-D037-4620-8D29-B2C7E5FCC13A}" EventSourceName="Software Licensing Service" /> <EventID Qualifiers="16384">902</EventID> <Version>0</Version> <Level>0</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2010-05-12T17:11:10.000Z" /> <EventRecordID>12999</EventRecordID> <Correlation /> <Execution ProcessID="0" ThreadID="0" /> <Channel>Application</Channel> <Computer>EVE.mcfr.priv</Computer> <Security /> </System> <EventData> </EventData> </Event> Log Name: Application Source: Microsoft-Windows-Security-Licensing-SLC Date: 5/12/2010 1:11:09 PM Event ID: 1005 Task Category: None Level: Information Keywords: Classic User: N/A Computer: EVE.mcfr.priv Description: The result of Windows Right consumption is: hr=0x0 Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-Security-Licensing-SLC" Guid="{1FD7C1D2-D037-4620-8D29-B2C7E5FCC13A}" EventSourceName="Software Licensing Service" /> <EventID Qualifiers="16384">1005</EventID> <Version>0</Version> <Level>4</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2010-05-12T17:11:09.000Z" /> <EventRecordID>12998</EventRecordID> <Correlation /> <Execution ProcessID="0" ThreadID="0" /> <Channel>Application</Channel> <Computer>EVE.mcfr.priv</Computer> <Security /> </System> <EventData> <Data>hr=0x0</Data> </EventData> </Event> Log Name: Application Source: Microsoft-Windows-Security-Licensing-SLC Date: 5/12/2010 1:11:09 PM Event ID: 1003 Task Category: None Level: Information Keywords: Classic User: N/A Computer: EVE.mcfr.priv Description: The Software Licensing service has completed licensing status check. Application Id=55c92734-d682-4d71-983e-d6ec3f16059f Licensing Status= {1,[32b40e5e-0c6d-4c6f-ab12-a031933fd2c6, 8, 0xC004F014,0x0]} {1,[56df4151-1f9f-41bf-acaa-2941c071872b, 0, 0x0,0x0],[0x1,0xC004F034,0x0,0,0,0x0],[0x10,0xC004F030,0x0,0,0,0x0],[0x0,0x0,0x0,0,0,0x10428],[60,3,0x10428]} {1,[94dd1d84-9d70-45ff-ae30-6c1643e583ac, 8, 0xC004F014,0x0]} {1,[a6ad72e3-67a6-4d46-af1c-5f542c22ef7c, 8, 0xC004F014,0x0]} {1,[bb1d27c4-959d-4f82-b0fd-c02a7be54732, 8, 0xC004F014,0x0]} {1,[c1af4d90-d1bc-44ca-85d4-003ba33db3b9, 8, 0xC004F014,0x0]} {1,[c90d1b4e-8aa8-439e-8b9e-b6d6b6a6d975, 8, 0xC004F014,0x0]} Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-Security-Licensing-SLC" Guid="{1FD7C1D2-D037-4620-8D29-B2C7E5FCC13A}" EventSourceName="Software Licensing Service" /> <EventID Qualifiers="16384">1003</EventID> <Version>0</Version> <Level>4</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2010-05-12T17:11:09.000Z" /> <EventRecordID>12997</EventRecordID> <Correlation /> <Execution ProcessID="0" ThreadID="0" /> <Channel>Application</Channel> <Computer>EVE.mcfr.priv</Computer> <Security /> </System> <EventData> <Data>55c92734-d682-4d71-983e-d6ec3f16059f</Data> <Data> {1,[32b40e5e-0c6d-4c6f-ab12-a031933fd2c6, 8, 0xC004F014,0x0]} {1,[56df4151-1f9f-41bf-acaa-2941c071872b, 0, 0x0,0x0],[0x1,0xC004F034,0x0,0,0,0x0],[0x10,0xC004F030,0x0,0,0,0x0],[0x0,0x0,0x0,0,0,0x10428],[60,3,0x10428]} {1,[94dd1d84-9d70-45ff-ae30-6c1643e583ac, 8, 0xC004F014,0x0]} {1,[a6ad72e3-67a6-4d46-af1c-5f542c22ef7c, 8, 0xC004F014,0x0]} {1,[bb1d27c4-959d-4f82-b0fd-c02a7be54732, 8, 0xC004F014,0x0]} {1,[c1af4d90-d1bc-44ca-85d4-003ba33db3b9, 8, 0xC004F014,0x0]} {1,[c90d1b4e-8aa8-439e-8b9e-b6d6b6a6d975, 8, 0xC004F014,0x0]} </Data> </EventData> </Event> Log Name: Application Source: Microsoft-Windows-Security-Licensing-SLC Date: 5/12/2010 1:11:09 PM Event ID: 1033 Task Category: None Level: Information Keywords: Classic User: N/A Computer: EVE.mcfr.priv Description: These policies are being excluded since they are only defined with override-only attribute. Policy Names=(DFSN-ServerService-StandaloneRootLimit) (MediaServer-EnableAdvancedFeatures) (Microsoft-Windows-AuxiliaryDisplay-EnableAPI) (Microsoft-Windows-AuxiliaryDisplay-EnableCPL) (Microsoft-Windows-AuxiliaryDisplay-EnableCPL_w) (Microsoft-Windows-AuxiliaryDisplay-EnableDriver) (Microsoft-Windows-AuxiliaryDisplay-EnableDriver_w) (Microsoft-Windows-AuxiliaryDisplay-EnableSDP) (Microsoft-Windows-AuxiliaryDisplay-EnableSDP_w) (Microsoft-Windows-CertificateServices-CA-AdvancedTemplateSupport) (Microsoft-Windows-CertificateServices-CA-AdvancedTemplateSupport_w) (Microsoft-Windows-CertificateServices-CA-CertificateManagerRestrictionSupport) (Microsoft-Windows-CertificateServices-CA-CertificateManagerRestrictionSupport_w) (Microsoft-Windows-CertificateServices-CA-ExitModuleSMTPSupport) (Microsoft-Windows-CertificateServices-CA-ExitModuleSMTPSupport_w) (Microsoft-Windows-CertificateServices-CA-RoleSeparationSupport) (Microsoft-Windows-CertificateServices-CA-RoleSeparationSupport_w) (Microsoft-Windows-Fax-Common-DeviceLimit) (Microsoft-Windows-Fax-Common-EnableServerPolicy) (PeerToPeerBase-IdManager-EnabledPolicy) (PeerToPeerBase-IdManager-EnabledPolicy_w) (PeerToPeerBase-Pnrp-EnabledPolicy) (PeerToPeerBase-Pnrp-EnabledPolicy_w) (Printing-Spooler-Pmc-Licensing-Enabled) (Printing-Spooler-Pmc-Licensing-Enabled_w) (SecureStartupFeature-Enabled) (SecureStartupFeature-Enabled-Driver) (SecureStartupFeature-Enabled_w) (SecureStartupFeature-PerfWarning) (TSProxy-EdgeAdapter-MaxConnections) (Telnet-Client-EnableTelnetClient) (Telnet-Client-EnableTelnetClient_w) (Telnet-Server-EnableTelnetServer) (Telnet-Server-EnableTelnetServer_w) (nfs-admincmdtools-enabled) (nfs-adminmmc-enabled) (nfs-clientcmdtools-enabled) (nfs-clientcore-enabled) (nfs-servercmdtools-enabled) (nfs-servercore-enabled) (psync-Enabled) (snis-Enabled) (snis-Enabled_w) (sua-EnableSUA) App Id=55c92734-d682-4d71-983e-d6ec3f16059f Sku Id=56df4151-1f9f-41bf-acaa-2941c071872b Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-Security-Licensing-SLC" Guid="{1FD7C1D2-D037-4620-8D29-B2C7E5FCC13A}" EventSourceName="Software Licensing Service" /> <EventID Qualifiers="16384">1033</EventID> <Version>0</Version> <Level>4</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2010-05-12T17:11:09.000Z" /> <EventRecordID>12996</EventRecordID> <Correlation /> <Execution ProcessID="0" ThreadID="0" /> <Channel>Application</Channel> <Computer>EVE.mcfr.priv</Computer> <Security /> </System> <EventData> <Data>(DFSN-ServerService-StandaloneRootLimit) (MediaServer-EnableAdvancedFeatures) (Microsoft-Windows-AuxiliaryDisplay-EnableAPI) (Microsoft-Windows-AuxiliaryDisplay-EnableCPL) (Microsoft-Windows-AuxiliaryDisplay-EnableCPL_w) (Microsoft-Windows-AuxiliaryDisplay-EnableDriver) (Microsoft-Windows-AuxiliaryDisplay-EnableDriver_w) (Microsoft-Windows-AuxiliaryDisplay-EnableSDP) (Microsoft-Windows-AuxiliaryDisplay-EnableSDP_w) (Microsoft-Windows-CertificateServices-CA-AdvancedTemplateSupport) (Microsoft-Windows-CertificateServices-CA-AdvancedTemplateSupport_w) (Microsoft-Windows-CertificateServices-CA-CertificateManagerRestrictionSupport) (Microsoft-Windows-CertificateServices-CA-CertificateManagerRestrictionSupport_w) (Microsoft-Windows-CertificateServices-CA-ExitModuleSMTPSupport) (Microsoft-Windows-CertificateServices-CA-ExitModuleSMTPSupport_w) (Microsoft-Windows-CertificateServices-CA-RoleSeparationSupport) (Microsoft-Windows-CertificateServices-CA-RoleSeparationSupport_w) (Microsoft-Windows-Fax-Common-DeviceLimit) (Microsoft-Windows-Fax-Common-EnableServerPolicy) (PeerToPeerBase-IdManager-EnabledPolicy) (PeerToPeerBase-IdManager-EnabledPolicy_w) (PeerToPeerBase-Pnrp-EnabledPolicy) (PeerToPeerBase-Pnrp-EnabledPolicy_w) (Printing-Spooler-Pmc-Licensing-Enabled) (Printing-Spooler-Pmc-Licensing-Enabled_w) (SecureStartupFeature-Enabled) (SecureStartupFeature-Enabled-Driver) (SecureStartupFeature-Enabled_w) (SecureStartupFeature-PerfWarning) (TSProxy-EdgeAdapter-MaxConnections) (Telnet-Client-EnableTelnetClient) (Telnet-Client-EnableTelnetClient_w) (Telnet-Server-EnableTelnetServer) (Telnet-Server-EnableTelnetServer_w) (nfs-admincmdtools-enabled) (nfs-adminmmc-enabled) (nfs-clientcmdtools-enabled) (nfs-clientcore-enabled) (nfs-servercmdtools-enabled) (nfs-servercore-enabled) (psync-Enabled) (snis-Enabled) (snis-Enabled_w) (sua-EnableSUA) </Data> <Data>55c92734-d682-4d71-983e-d6ec3f16059f</Data> <Data>56df4151-1f9f-41bf-acaa-2941c071872b</Data> </EventData> </Event> Log Name: Application Source: MSExchange TransportService Date: 5/12/2010 1:11:07 PM Event ID: 1001 Task Category: ProcessManager Level: Information Keywords: Classic User: N/A Computer: EVE.mcfr.priv Description: The service has started successfully. Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="MSExchange TransportService" /> <EventID Qualifiers="16388">1001</EventID> <Level>4</Level> <Task>1</Task> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2010-05-12T17:11:07.000Z" /> <EventRecordID>12995</EventRecordID> <Channel>Application</Channel> <Computer>EVE.mcfr.priv</Computer> <Security /> </System> <EventData> </EventData> </Event> Log Name: Application Source: MSExchangeTransport Date: 5/12/2010 1:11:07 PM Event ID: 17010 Task Category: Storage Level: Information Keywords: Classic User: N/A Computer: EVE.mcfr.priv Description: The background scan of the transport queue database has completed. 0 message(s) were found. Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="MSExchangeTransport" /> <EventID Qualifiers="16388">17010</EventID> <Level>4</Level> <Task>17</Task> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2010-05-12T17:11:07.000Z" /> <EventRecordID>12994</EventRecordID> <Channel>Application</Channel> <Computer>EVE.mcfr.priv</Computer> <Security /> </System> <EventData> <Data>0</Data> </EventData> </Event> Log Name: Application Source: MSExchangeTransport Date: 5/12/2010 1:11:06 PM Event ID: 16022 Task Category: Configuration Level: Information Keywords: Classic User: N/A Computer: EVE.mcfr.priv Description: A configuration update has successfully completed. Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="MSExchangeTransport" /> <EventID Qualifiers="16388">16022</EventID> <Level>4</Level> <Task>16</Task> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2010-05-12T17:11:06.000Z" /> <EventRecordID>12993</EventRecordID> <Channel>Application</Channel> <Computer>EVE.mcfr.priv</Computer> <Security /> </System> <EventData> </EventData> </Event> Log Name: Application Source: Microsoft-Windows-Security-Licensing-SLC Date: 5/12/2010 1:11:05 PM Event ID: 12294 Task Category: None Level: Information Keywords: Classic User: N/A Computer: EVE.mcfr.priv Description: Publishing the Key Management Service (KMS) to DNS in the 'mcfr.priv' domain is successful. Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-Security-Licensing-SLC" Guid="{1FD7C1D2-D037-4620-8D29-B2C7E5FCC13A}" EventSourceName="Software Licensing Service" /> <EventID Qualifiers="16384">12294</EventID> <Version>0</Version> <Level>0</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2010-05-12T17:11:05.000Z" /> <EventRecordID>12992</EventRecordID> <Correlation /> <Execution ProcessID="0" ThreadID="0" /> <Channel>Application</Channel> <Computer>EVE.mcfr.priv</Computer> <Security /> </System> <EventData> <Data>mcfr.priv</Data> </EventData> </Event> Log Name: Application Source: ESE Date: 5/12/2010 1:11:05 PM Event ID: 102 Task Category: General Level: Information Keywords: Classic User: N/A Computer: EVE.mcfr.priv Description: edgetransport (2276) IP Filtering Database: The database engine (8.01.0392.0000) started a new instance (1). For more information, click http://www.microsoft.com/contentredirect.asp. Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="ESE" /> <EventID Qualifiers="0">102</EventID> <Level>4</Level> <Task>1</Task> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2010-05-12T17:11:05.000Z" /> <EventRecordID>12991</EventRecordID> <Channel>Application</Channel> <Computer>EVE.mcfr.priv</Computer> <Security /> </System> <EventData> <Data>edgetransport</Data> <Data>2276</Data> <Data>IP Filtering Database: </Data> <Data>1</Data> <Data>8</Data> <Data>01</Data> <Data>0392</Data> <Data>0000</Data> </EventData> </Event> Log Name: Application Source: MSExchangeTransport Date: 5/12/2010 1:11:05 PM Event ID: 16022 Task Category: Configuration Level: Information Keywords: Classic User: N/A Computer: EVE.mcfr.priv Description: A configuration update has successfully completed. Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="MSExchangeTransport" /> <EventID Qualifiers="16388">16022</EventID> <Level>4</Level> <Task>16</Task> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2010-05-12T17:11:05.000Z" /> <EventRecordID>12990</EventRecordID> <Channel>Application</Channel> <Computer>EVE.mcfr.priv</Computer> <Security /> </System> <EventData> </EventData> </Event> Log Name: Application Source: MSExchangeTransport Date: 5/12/2010 1:11:05 PM Event ID: 16022 Task Category: Configuration Level: Information Keywords: Classic User: N/A Computer: EVE.mcfr.priv Description: A configuration update has successfully completed. Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="MSExchangeTransport" /> <EventID Qualifiers="16388">16022</EventID> <Level>4</Level> <Task>16</Task> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2010-05-12T17:11:05.000Z" /> <EventRecordID>12989</EventRecordID> <Channel>Application</Channel> <Computer>EVE.mcfr.priv</Computer> <Security /> </System> <EventData> </EventData> </Event> Log Name: Application Source: MSExchange Messaging Policies Date: 5/12/2010 1:11:05 PM Event ID: 4002 Task Category: Rules Level: Information Keywords: Classic User: N/A Computer: EVE.mcfr.priv Description: 'Transport' rule collection was loaded successfully. Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="MSExchange Messaging Policies" /> <EventID Qualifiers="16388">4002</EventID> <Level>4</Level> <Task>4</Task> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2010-05-12T17:11:05.000Z" /> <EventRecordID>12988</EventRecordID> <Channel>Application</Channel> <Computer>EVE.mcfr.priv</Computer> <Security /> </System> <EventData> <Data>Transport</Data> </EventData> </Event> Log Name: Application Source: ESE Date: 5/12/2010 1:11:04 PM Event ID: 102 Task Category: General Level: Information Keywords: Classic User: N/A Computer: EVE.mcfr.priv Description: edgetransport (2276) Transport Mail Database: The database engine (8.01.0392.0000) started a new instance (0). For more information, click http://www.microsoft.com/contentredirect.asp. Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="ESE" /> <EventID Qualifiers="0">102</EventID> <Level>4</Level> <Task>1</Task> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2010-05-12T17:11:04.000Z" /> <EventRecordID>12987</EventRecordID> <Channel>Application</Channel> <Computer>EVE.mcfr.priv</Computer> <Security /> </System> <EventData> <Data>edgetransport</Data> <Data>2276</Data> <Data>Transport Mail Database: </Data> <Data>0</Data> <Data>8</Data> <Data>01</Data> <Data>0392</Data> <Data>0000</Data> </EventData> </Event> Log Name: Application Source: Microsoft-Windows-CertificateServicesClient Date: 5/12/2010 1:11:02 PM Event ID: 1 Task Category: None Level: Information Keywords: User: SYSTEM Computer: EVE.mcfr.priv Description: Certificate Services Client has been started successfully. Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-CertificateServicesClient" Guid="{73370bd6-85e5-430b-b60a-fea1285808a7}" /> <EventID>1</EventID> <Version>0</Version> <Level>4</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8000000000000000</Keywords> <TimeCreated SystemTime="2010-05-12T17:11:02.902Z" /> <EventRecordID>12986</EventRecordID> <Correlation /> <Execution ProcessID="2316" ThreadID="2356" /> <Channel>Application</Channel> <Computer>EVE.mcfr.priv</Computer> <Security UserID="S-1-5-18" /> </System> <EventData> </EventData> </Event> Log Name: Application Source: SceCli Date: 5/12/2010 1:11:03 PM Event ID: 1704 Task Category: None Level: Information Keywords: Classic User: N/A Computer: EVE.mcfr.priv Description: Security policy in the Group policy objects has been applied successfully. Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="SceCli" /> <EventID Qualifiers="16384">1704</EventID> <Level>4</Level> <Task>0</Task> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2010-05-12T17:11:03.000Z" /> <EventRecordID>12985</EventRecordID> <Channel>Application</Channel> <Computer>EVE.mcfr.priv</Computer> <Security /> </System> <EventData> <Data> </Data> </EventData> </Event> Log Name: Application Source: MSExchangeTransportLogSearch Date: 5/12/2010 1:11:02 PM Event ID: 7001 Task Category: General Level: Information Keywords: Classic User: N/A Computer: EVE.mcfr.priv Description: The Microsoft Exchange Transport Log Search service has started successfully. Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="MSExchangeTransportLogSearch" /> <EventID Qualifiers="4">7001</EventID> <Level>4</Level> <Task>1</Task> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2010-05-12T17:11:02.000Z" /> <EventRecordID>12984</EventRecordID> <Channel>Application</Channel> <Computer>EVE.mcfr.priv</Computer> <Security /> </System> <EventData> </EventData> </Event> Log Name: Application Source: MSExchange EdgeSync Date: 5/12/2010 1:11:02 PM Event ID: 1059 Task Category: Initialization Level: Information Keywords: Classic User: N/A Computer: EVE.mcfr.priv Description: EdgeSync is starting Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="MSExchange EdgeSync" /> <EventID Qualifiers="16388">1059</EventID> <Level>4</Level> <Task>4</Task> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2010-05-12T17:11:02.000Z" /> <EventRecordID>12983</EventRecordID> <Channel>Application</Channel> <Computer>EVE.mcfr.priv</Computer> <Security /> </System> <EventData> </EventData> </Event> Log Name: Application Source: MSExchange TransportService Date: 5/12/2010 1:11:00 PM Event ID: 1000 Task Category: ProcessManager Level: Information Keywords: Classic User: N/A Computer: EVE.mcfr.priv Description: The service is trying to start. Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="MSExchange TransportService" /> <EventID Qualifiers="16388">1000</EventID> <Level>4</Level> <Task>1</Task> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2010-05-12T17:11:00.000Z" /> <EventRecordID>12982</EventRecordID> <Channel>Application</Channel> <Computer>EVE.mcfr.priv</Computer> <Security /> </System> <EventData> </EventData> </Event> Log Name: Application Source: MSExchange Anti-spam Update Date: 5/12/2010 1:10:59 PM Event ID: 1000 Task Category: Update Service Level: Information Keywords: Classic User: N/A Computer: EVE.mcfr.priv Description: The Microsoft Exchange Anti-spam Update service has started successfully. Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="MSExchange Anti-spam Update" /> <EventID Qualifiers="4">1000</EventID> <Level>4</Level> <Task>1</Task> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2010-05-12T17:10:59.000Z" /> <EventRecordID>12981</EventRecordID> <Channel>Application</Channel> <Computer>EVE.mcfr.priv</Computer> <Security /> </System> <EventData> </EventData> </Event> Log Name: Application Source: Microsoft-Windows-WMI Date: 5/12/2010 1:10:55 PM Event ID: 5617 Task Category: None Level: Information Keywords: Classic User: N/A Computer: EVE.mcfr.priv Description: Windows Management Instrumentation Service subsystems initialized successfully Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-WMI" Guid="{1edeee53-0afe-4609-b846-d8c0b2075b1f}" EventSourceName="WinMgmt" /> <EventID Qualifiers="49152">5617</EventID> <Version>0</Version> <Level>0</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2010-05-12T17:10:55.000Z" /> <EventRecordID>12980</EventRecordID> <Correlation /> <Execution ProcessID="0" ThreadID="0" /> <Channel>Application</Channel> <Computer>EVE.mcfr.priv</Computer> <Security /> </System> <EventData> </EventData> </Event> Log Name: Application Source: MSExchange ADAccess Date: 5/12/2010 1:10:54 PM Event ID: 2080 Task Category: Topology Level: Information Keywords: Classic User: N/A Computer: EVE.mcfr.priv Description: Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1364). Exchange Active Directory Provider has discovered the following servers with the following characteristics: (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version) In-site: adam.mcfr.priv CDG 1 7 7 1 0 1 1 7 1 sara.mcfr.priv CDG 1 7 7 1 0 1 1 7 1 Out-of-site: Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="MSExchange ADAccess" /> <EventID Qualifiers="16388">2080</EventID> <Level>4</Level> <Task>3</Task> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2010-05-12T17:10:54.000Z" /> <EventRecordID>12979</EventRecordID> <Channel>Application</Channel> <Computer>EVE.mcfr.priv</Computer> <Security /> </System> <EventData> <Data>MSEXCHANGEADTOPOLOGYSERVICE.EXE</Data> <Data>1364</Data> <Data>adam.mcfr.priv CDG 1 7 7 1 0 1 1 7 1 sara.mcfr.priv CDG 1 7 7 1 0 1 1 7 1 </Data> <Data> </Data> </EventData> </Event> Log Name: Application Source: MSExchange ADAccess Date: 5/12/2010 1:10:54 PM Event ID: 2081 Task Category: Topology Level: Information Keywords: Classic User: N/A Computer: EVE.mcfr.priv Description: Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1364). Exchange Active Directory Provider will use the servers from the following list: Domain Controllers: adam.mcfr.priv sara.mcfr.priv Global Catalogs: adam.mcfr.priv sara.mcfr.priv The Configuration Domain Controller is set to adam.mcfr.priv. Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="MSExchange ADAccess" /> <EventID Qualifiers="16388">2081</EventID> <Level>4</Level> <Task>3</Task> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2010-05-12T17:10:54.000Z" /> <EventRecordID>12978</EventRecordID> <Channel>Application</Channel> <Computer>EVE.mcfr.priv</Computer> <Security /> </System> <EventData> <Data>MSEXCHANGEADTOPOLOGYSERVICE.EXE</Data> <Data>1364</Data> <Data>adam.mcfr.priv sara.mcfr.priv </Data> <Data>adam.mcfr.priv sara.mcfr.priv </Data> <Data>adam.mcfr.priv</Data> </EventData> </Event>

Those zeroes are telling you that Exchange can't talk to the DC. I have no idea what's causing that, but it could be just about anything network-wise. -- Ed Crowley MVP "There are seldom good technological solutions to behavioral problems." . "McFR" wrote in message news:d7d3fcf8-89b0-48d7-a966-17b6d7803c73... After the initial install, the Exch topology services report errors finding/reaching a descent DC. The initial event logs show --- Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1440). Exchange Active Directory Provider has discovered the following servers with the following characteristics: (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version) In-site: adam.mcfr.priv CDG 1 7 7 1 0 1 1 7 1 Out-of-site: --- and after about 20 minutes, it changes to: --- Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1364). Exchange Active Directory Provider has discovered the following servers with the following characteristics: (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version) In-site: adam.mcfr.priv CDG 1 0 0 1 0 0 0 0 0 sara.mcfr.priv CDG 1 0 0 1 0 0 0 0 0 Out-of-site: --- Notes: - I've rebuild the server/OS - IPV6 is on and tested talking on AD DC too. - 2 DCs now (started with one, and wanted to rule it out as a fluke) - AD schema updated, prep'd. dcdiag reports ALL passed. - DNS is on the DC too. Not 100% sure prb isn't there. - pulled out GPO issues, like the Mgmt Logs etc - NETLOGON dependency fix applied. Thank-you so much for anything you can add/suggest I can reproduce this easily. I have a good event log dump, but it is too long to post. Graham Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

That is the mystery - connectivity seems to be there. Permissions SEEM to be there. ExBPA is happy with it. I have a feeling there is still SOMETHING that gets changed in that 15 minutes, but it isn't GP updates, because it doesn't fail until about 14 minutes after the log entry for SceCli in that window of time. Hmm.. now that I say that out loud.. Error 5/12/2010 1:25:55 PM MSExchange ADAccess 2114 Topology (bad) Information 5/12/2010 1:25:55 PM MSExchange ADAccess 2080 Topology Information 5/12/2010 1:15:06 PM LoadPerf 1000 None Information 5/12/2010 1:15:06 PM LoadPerf 1001 None Information 5/12/2010 1:13:08 PM MSDTC 2 4202 TM Information 5/12/2010 1:12:25 PM CertificateServicesClient 1 None Information 5/12/2010 1:12:25 PM Desktop Window Manager 9003 None Information 5/12/2010 1:12:25 PM Winlogon 4101 None Information 5/12/2010 1:11:15 PM VMUpgradeHelper 271 None Information 5/12/2010 1:11:15 PM VMUpgradeHelper 270 None Information 5/12/2010 1:11:10 PM Security-Licensing-SLC 902 None Information 5/12/2010 1:11:09 PM Security-Licensing-SLC 1005 None Information 5/12/2010 1:11:09 PM Security-Licensing-SLC 1003 None Information 5/12/2010 1:11:09 PM Security-Licensing-SLC 1033 None Information 5/12/2010 1:11:07 PM MSExchange TransportService 1001 ProcessManager Information 5/12/2010 1:11:07 PM MSExchangeTransport 17010 Storage Information 5/12/2010 1:11:06 PM MSExchangeTransport 16022 Configuration Information 5/12/2010 1:11:05 PM Security-Licensing-SLC 12294 None Information 5/12/2010 1:11:05 PM ESE 102 General Information 5/12/2010 1:11:05 PM MSExchangeTransport 16022 Configuration Information 5/12/2010 1:11:05 PM MSExchangeTransport 16022 Configuration Information 5/12/2010 1:11:05 PM MSExchange Messaging Policies 4002 Rules Information 5/12/2010 1:11:04 PM ESE 102 General Information 5/12/2010 1:11:02 PM CertificateServicesClient 1 None Information 5/12/2010 1:11:03 PM SceCli 1704 None Information 5/12/2010 1:11:02 PM MSExchangeTransportLogSearch 7001 General Information 5/12/2010 1:11:02 PM MSExchange EdgeSync 1059 Initialization Information 5/12/2010 1:11:00 PM MSExchange TransportService 1000 ProcessManager Information 5/12/2010 1:10:59 PM MSExchange Anti-spam Update 1000 Update Service Information 5/12/2010 1:10:55 PM WMI 5617 None Information 5/12/2010 1:10:54 PM MSExchange ADAccess 2080 Topology (good) Information 5/12/2010 1:10:54 PM MSExchange ADAccess 2081 Topology That IS about the right timeframe. Any suggestions how to identify the problem coming through GPO? Later on I disabled Apply Policy to this server to try and get it to behave. No luck. Graham

Silly simple question: Do I need to have the KMS server active for this to work? IIRC, this is a KMS license (our first.)

Anyone?