Thread: Unable to authenticate secondary Domain Controller on Microsoft Exchange 2010

  1. #1
    Join Date
    Jan 2012
    Posts
    40

    Unable to authenticate secondary Domain Controller on Microsoft Exchange 2010

    Well, I have a couple of Domain Controllers. Both of them are GCs with DNS. I noticed that the first Domain Controller was failing because of memory pool errors and it was not able to process any requests. However, users are able to authenticate to the domain but they are not able to authenticate with their Exchange accounts. Replication was passing when I checked. Event 2080 is displaying that one of the domain controllers is outside of the site.
    I am getting the below-mentioned events on the Exchange server.
    8365 - MSExchange AL
    6003 - SACL Watcher
    9385 - MSExchange SA
    However, I managed to get DC1 back online immediately, but now I am not able to figure out why DC2 is not able to authenticate Exchange. Can you tell me why the above-mentioned issue is happening? Thanks a lot in advance.

  2. #2
    Join Date
    Mar 2011
    Posts
    442

    Re: Unable to authenticate secondary Domain Controller on Microsoft Exchange 2010

    Looking at the situation, I wanted to see the 2080 event log entry, so provide the same over here. For what amount of time was the DC out of service? Normally failover continues for several minutes to a different Domain Controller. You can also restart the Exchange server to resolve the issue.
    Another thing I wanted to tell you is that you should run DCdiag from Exchange so that you will be able to find out which tests are passing from DC2. You should also try to implement DC replication. If none of the above-mentioned things work, then you should try to configure the domain controller manually, select the domain controller as per your requirement, and see whether the problem persists.

  3. #3
    Join Date
    Jan 2012
    Posts
    40

    Re: Unable to authenticate secondary Domain Controller on Microsoft Exchange 2010

    I am posting the log of the 2080 event.

    Log Name: Application
    Source: MSExchange ADAccess
    Date: 4/23/2012 2:50:52 PM
    Event ID: 2080
    Task Category: Topology
    Level: Information
    Keywords: Classic
    User: N/A
    Computer: ES1.mydomain.WC
    Description:
    Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1504). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
    (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
    In-site:
    DC1.mydomain.WC CDG 1 7 7 1 0 1 1 7 1
    DC2.mydomain.WC CDG 1 7 7 1 0 1 1 7 1
    Out-of-site:
    DC3.mydomain.WC CD- 1 6 6 0 0 1 1 6 1

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="MSExchange ADAccess" />
    <EventID Qualifiers="16388">2080</EventID>
    <Level>4</Level>
    <Task>3</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2012-04-23T21:50:52.000000000Z" />
    <EventRecordID>223415</EventRecordID>
    <Channel>Application</Channel>
    <Computer>ES1.mydomain.WC</Computer>
    <Security />
    </System>
    <EventData>
    <Data>MSEXCHANGEADTOPOLOGYSERVICE.EXE</Data>
    <Data>1504</Data>
    <Data>DC1.mydomain.WC CDG 1 7 7 1 0 1 1 7 1
    DC2.mydomain.WC CDG 1 7 7 1 0 1 1 7 1
    </Data>
    <Data>DC3.mydomain.WC CD- 1 6 6 0 0 1 1 6 1
    </Data>
    </EventData>
    </Event>

    I noticed that DC1 was prompting with a memory pool problem while I was taking a backup in the morning. Even after several hours there was no change in the situation. At 12.01PM the DHCP Server on DC1 had failed when I took a look at the directory server. 12.09PM event ID 5787 - global catalog no longer automatically covers remote site for forest.
    Event Type: Warning
    Event Source: NETLOGON
    Event Category: None
    Event ID: 5781
    Date: 4/20/2012
    Time: 1:09:48 PM
    User: N/A
    Computer: DC1
    Let me know if you can help me out with the above-mentioned problem.
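
Added example (not part of any post in this thread, and not Microsoft's code): a Python parser for the Event 2080 server table quoted in post #3, using the column order printed in the event itself. The bit meanings (1 = GC, 2 = DC, 4 = configuration DC) are taken from Microsoft's description of this event rather than from the thread, and the function names are illustrative.

```python
import re

# Column order as printed in the event description quoted in the thread.
COLUMNS = ["roles", "enabled", "reachability", "synchronized", "gc_capable",
           "pdc", "sacl_right", "critical_data", "netlogon", "os_version"]
# Assumption from Microsoft's description of event 2080 (not from the thread):
# these three columns are bitmasks, 1 = GC, 2 = DC, 4 = configuration DC.
BITS = {1: "GC", 2: "DC", 4: "CDC"}
MASK_COLUMNS = ("reachability", "synchronized", "netlogon")
FLAG_COLUMNS = ("enabled", "gc_capable", "sacl_right", "critical_data", "os_version")
ROW = re.compile(r"^\s*(\S+)\s+([CDG-]{3})((?:\s+\d+){9})\s*$")

# Server table copied from the event posted in the thread.
SAMPLE = """\
In-site:
DC1.mydomain.WC CDG 1 7 7 1 0 1 1 7 1
DC2.mydomain.WC CDG 1 7 7 1 0 1 1 7 1
Out-of-site:
DC3.mydomain.WC CD- 1 6 6 0 0 1 1 6 1
"""

def parse_2080(text):
    """Return one dict per discovered server, tagged with its site scope."""
    servers, scope = [], None
    for line in text.splitlines():
        label = line.strip().lower()
        if label in ("in-site:", "out-of-site:"):
            scope = label.rstrip(":")
            continue
        m = ROW.match(line)
        if m:  # anything else (header, blank line) is skipped
            values = [m.group(2)] + [int(v) for v in m.group(3).split()]
            servers.append(dict(zip(COLUMNS, values), server=m.group(1), scope=scope))
    return servers

def findings(row):
    """List the columns that stop this server being a fully usable GC."""
    out = []
    for col in MASK_COLUMNS:
        missing = [name for bit, name in BITS.items() if not row[col] & bit]
        if missing:
            out.append(f"{col} missing {'+'.join(missing)}")
    # sacl_right=0 means Exchange cannot read the SACL on that DC.
    out += [f"{col}=0" for col in FLAG_COLUMNS if row[col] == 0]
    return out

if __name__ == "__main__":
    for row in parse_2080(SAMPLE):
        print(row["server"], row["scope"], findings(row) or "OK")
```

On the posted event, both in-site servers come back clean and only the out-of-site DC3 is reported, because it is not a global catalog.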

  4. #4
    Join Date
    May 2011
    Posts
    460

    Re: Unable to authenticate secondary Domain Controller on Microsoft Exchange 2010

    According to me, the below-mentioned are the root causes of the failure.

    The TCP/IP properties of the network connection of the said computer might have the wrong IP address for both the preferred and alternate DNS servers.
    You have specified preferred and alternate DNS servers which are not running at all.
    The preferred or alternate DNS servers are configured with wrong root hints.
    The parent DNS zone has an incorrect delegation for the child zone authoritative for the DNS records which have been reported as failing registration.
    In order to resolve the above-mentioned issue, I suggest that you simply run 'nltest.exe /dsregdns' from the command prompt or restart the Net Logon service in order to delete the DNS records and begin registration again. You can find Nltest.exe on the Microsoft Windows Server Resource Kit CD.

    Finally, make sure that time is properly synced between both DCs and the clients.

  5. #5
    Join Date
    May 2011
    Posts
    428

    Re: Unable to authenticate secondary Domain Controller on Microsoft Exchange 2010

    You should simply clean the old DC records from the DNS server, which are listed under sites in the _msdcs folder. You can find the same folder in DNS as well. You should take care that the DNS IP address is updated on both clients and servers, so that it points towards the new DNS address.

  6. #6
    Join Date
    May 2011
    Posts
    443

    Re: Unable to authenticate secondary Domain Controller on Microsoft Exchange 2010

    If the above-mentioned solution won't work, then have a look at the below-mentioned things.

    • You should see that you have installed both domain controllers on DNS.
    • See that every single DNS and DC is pointing towards the IP address of the other DC and that it works as the primary DNS server. The private IP should work as the secondary IP.
    • After that you have to execute the ipconfig /registerdns command at the command prompt and restart netlogon on both domain controllers.
    • You should take care that ports are open for AD replication on both DCs. You should check the same by using PortQry v2. You should also use nslookup to figure out whether everything is working fine with DNS resolution.

  7. #7
    Join Date
    May 2011
    Posts
    271

    Re: Unable to authenticate secondary Domain Controller on Microsoft Exchange 2010

    There should be a subnet in which the domain member computers and DC2 are supposed to reside. That particular subnet should be associated with the new site. DC2 should appear in the new site when you view it from Active Directory Sites and Services. Clients should be able to detect site membership by executing the NLTEST /DSGETSITE command. Site-specific SRV records are registered by the domain controllers and are supposed to show site membership.

    You should check and confirm the client-side DNS entries and make an attempt to ping the domain name from a client. Also see where it is getting connected.

  8. #8
    Join Date
    Jun 2011
    Posts
    454

    Re: Unable to authenticate secondary Domain Controller on Microsoft Exchange 2010

    I think you will need to change the static IP address on the Domain Controller, and you can use the following steps to do the same.
    1. You should log on locally at the system console of the desired domain controller whose IP you are looking to change. In case you are not able to log on to the domain controller by making use of the domain, you might need to start the domain controller in Directory Services Restore Mode.
    2. Now go to the Desktop, right click on My Network Places and go for Properties.
    3. From Network Connections you have to right click on Local Area Connection and again click on Properties.
    4. Now you have to double click on Internet Protocol (TCP/IP) from Local Area Connection Properties.
    5. You have to enter the new address in the IP address box available in Internet Protocol (TCP/IP) Properties.
    6. You should enter the subnet mask in the Subnet mask box. Now enter the default gateway into Default gateway.
    7. Now you will need to enter the IP address of the DNS server that the computer contacts into the Preferred DNS server box.
    8. After that you should go for Alternate DNS server. Here you should enter the address of the DNS server that the computer contacts in case the preferred server is not available.
    9. In case the domain controller is using WINS servers, then you should click on Advanced, open the Advanced TCP/IP Settings box and click on WINS.
    10. If you have found that an address is not proper, then click on Edit.
    11. Repeat the above-mentioned 3 steps in order to modify the addresses. Now you have to click on OK a couple of times so that you can close TCP/IP WINS Server as well as the Advanced TCP/IP Settings dialog box.
    12. Finally click on the OK button in order to close the Internet Protocol (TCP/IP) Properties dialog box.
    13. Once you have changed the IP address you should simply execute ipconfig /registerdns so that it can register its host record. After that you should execute the dcdiag /fix command. It will allow you to confirm that the service records are registered with DNS in the proper manner.

  9. #9
    Join Date
    May 2011
    Posts
    315

    Re: Unable to authenticate secondary Domain Controller on Microsoft Exchange 2010

    You should see that the sites are configured properly and that they are available in the correct subnets. Check and verify that the entries are correctly defined in the configuration partition. You can find them in the below-mentioned places.
    Code:
    cn=sites,cn=Configuration,dc=<ForestRootDomain> (information about your sites)
    cn=Subnets,cn=Sites,cn=Configuration,dc=<ForestRootDomain> (information about your defined subnets)
    You should use ldp.exe in order to verify those entries.
    Another thing which you can do is with the registry.
    You should go to the following registry key in the registry editor.
    Code:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
    Here you should add a SiteName entry and it should be of REG_SZ data type. The DynamicSiteName entry will not be used whenever a value is present in the SiteName entry.
