promoted exchange 2k7 to DC, autodiscover broken

Networking/Security Forums -> Exchange 2000 // 2003 // 2007 & Active Directory

Author: moondoggie    Posted: Tue Feb 15, 2011 8:26 am    Post subject: promoted exchange 2k7 to DC, autodiscover broken
    ----
Server 2008 with Exchange 2007; the PDC used to be a Server 2003 box until an outage forced me to elevate the 2008 box to BDC (yes, I know the names are not used this way anymore :) ). Long story short, the 2003 machine was restored, then 2008 was elevated once the AD was functional. This was 2 weeks ago.

At the time, when I elevated the 2008 box, I had to remove the AD Certificate Authority services in order to promote the machine to a DC. I made a backup of the CA, the private key and the registry settings of the server before promotion. After promotion, I restored the files I had created onto the server, and the only problem seemed to be that internal domain users were getting random certificate warnings. I thought this was caused by the certificate being 3rd party, so I used the Exchange Management Console to change the internal URLs for Autodiscover to the external website and verified that the internal DNS was set up to handle the redirection to the Exchange server properly.

Come in today, and there are errors in NTFRS, DNS and NTDS on Server 2003. I managed to solve the NTFRS replication issue, but I am still getting errors on the old DC (2003 server). Also, new profiles cannot be configured in Outlook. When I try to configure them, I get prompted for my credentials, which are never allowed to authenticate; it just keeps prompting until I hit Cancel. At this point I get the error "Outlook cannot log on. Verify you are connected to the network and are using the proper server and mailbox name. The connection to Outlook must be online or connected to complete this action."

When I click OK here, the server name is the correct internal FQDN of the Exchange server, but the mailbox says "=SMTP:username@domain.local", and if I cancel at this point, it tries to authenticate me against the server again. Some established domain users are getting prompted for credentials, but if they enter their credentials properly (domain\username) they are able to get to their mail.

I'm not sure if it's related, but I have the following errors on my 2003 box:

Event Type: Error
Event Source: NTDS ISAM
Event Category: Database Corruption
Event ID: 467
Date: 2/14/2011
Time: 10:08:02 PM
User: N/A
Computer: SBSERVER
Description:
NTDS (444) NTDSA: Index DRA_USN_index of table datatable is corrupted (0).


Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 4015
Date: 2/14/2011
Time: 10:08:02 PM
User: N/A
Computer: SBSERVER
Description:
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "000020EF: SvcErr: DSID-02080490, problem 5012 (DIR_ERROR), data -1414". The event data contains the error.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 01 00 00 00 ....


TL;DR: Exchange 2007 is now a DC and Autodiscover doesn't work. Also, some random certificate warnings in Outlook. Can someone point me in a direction that will help me fix this problem?

Author: krugger    Posted: Tue Feb 15, 2011 2:34 pm    Post subject:
    ----
Disclaimer: these are only pointers, as I haven't had a similar problem.

Are people able to authenticate in the Active Directory?

I would say you need to start by fixing the AD:
http://support.microsoft.com/kb/816120

AD should be in recovery mode.

To show you where the files are at:
ntdsutil files info

Then fix the database:
esentutl /g "<path>\ntds.dit"

Still this is a high risk operation, so back things up as this can completely wipe your AD. I would almost say reinstall and restore AD from backup. I hope there is a backup.

Are you sure replication is ok? With a corrupt database, what are you replicating? That DNS problem also points towards replication failure.
repadmin /replsummary
repadmin /showcert dsa
repadmin /viewlist
etc

Author: moondoggie    Posted: Tue Feb 15, 2011 6:07 pm    Post subject:
    ----
Authentication to the domain seems to be fine, as I had reformatted a PC yesterday during all the time I spent on the server, and I was able to authenticate with two separate domain accounts. I will be working on AD at a later date for sure, but for now it doesn't seem like AD is a problem. And yes, there is at least a week's worth of backups :)

Author: krugger    Posted: Tue Feb 15, 2011 7:18 pm    Post subject:
    ----
DNS:

http://support.microsoft.com/kb/252695/en-us

Author: ryansutton (Location: San Francisco, California)    Posted: Tue Feb 15, 2011 10:07 pm    Post subject:
    ----
Autodiscover can be a real PITA. A few things to check: Make sure you have the latest Exchange service pack installed. There are authentication issues with the base Exchange 2k7 and Autodiscover. Make sure your 3rd party certificate has the autodiscover entry in the SAN. If your domain is contoso.com, you need a SAN entry that says autodiscover.contoso.com. Wildcard certs don't work well with Autodiscover. Those are the most common problems I have run into; if that does not fix it, there are a number of Exchange & IIS configurations that need to be checked.

Author: moondoggie    Posted: Wed Feb 16, 2011 12:41 am    Post subject:
    ----
krugger wrote:
DNS:

http://support.microsoft.com/kb/252695/en-us


Um, (a) wrong OS, (b) wrong error. But thanks for trying...

ryansutton wrote:
Autodiscover can be a real PITA. A few things to check: Make sure you have the latest Exchange service pack installed. There are authentication issues with the base Exchange 2k7 and Autodiscover. Make sure your 3rd party certificate has the autodiscover entry in the SAN. If your domain is contoso.com, you need a SAN entry that says autodiscover.contoso.com. Wildcard certs don't work well with Autodiscover. Those are the most common problems I have run into; if that does not fix it, there are a number of Exchange & IIS configurations that need to be checked.


The SAN only shows the external name, but I tracked down a copy of the cert from before promoting Exchange to a DC and it also only has the external name in the SAN. I.e., the SAN shows the publicly configured DNS name and not the internal one, and does not have autodiscover listed. This same cert worked before the promotion to DC, so I'm hoping it will still work now.

I am going onsite before hours tomorrow to fix the AD, so at least I can rule that out after tomorrow. If you have that list of Exchange and IIS configurations, I'd very much appreciate it :)
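The SAN advice above and the observation that the cert carries only the public name come down to one question: which hostnames will Outlook actually contact, and is each of them covered by a name on the certificate? The script below answers that for a set of constructed URLs. It is an added example, not code from the thread or from Microsoft; exch2008.domain.local, example.com and mail.example.com are placeholder names standing in for the internal FQDN of the Exchange/DC box, the public SMTP domain and the public name on the 3rd party cert, and the URL list is a constructed sample of what an Outlook 2007 client ends up using (the SCP URI from AD for domain-joined clients, autodiscover.<smtp domain> for external ones, and the EWS internal/external URLs returned by Autodiscover).

```python
"""Which hostnames will Outlook contact, and does the certificate cover them?

Added example, not from the original thread. All hostnames are placeholders:
exch2008.domain.local for the internal FQDN of the Exchange/DC box,
example.com for the public SMTP domain, mail.example.com for the public
name that is the only SAN entry on the 3rd party cert.
"""
from urllib.parse import urlparse


def hostname_matches(san_entry: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a hostname the way a client does.

    Comparison is case-insensitive. A wildcard is honoured only when it is
    the entire left-most label (RFC 6125 section 6.4.3), so *.example.com
    covers autodiscover.example.com but not example.com, not
    a.b.example.com and, of course, not exch2008.domain.local.
    """
    pattern = san_entry.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or "*" in "".join(p_labels[1:]):
        return False  # reject partial (f*.example.com) or multi-label wildcards
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False  # no *.tld, and a wildcard never spans more than one label
    return p_labels[1:] == h_labels[1:]


def uncovered_hosts(san_entries, urls):
    """Return the sorted set of URL hostnames that no SAN entry covers.

    Every host returned here is one for which Outlook will raise a
    certificate name-mismatch warning when it follows that URL.
    """
    missing = set()
    for url in urls:
        host = urlparse(url).hostname
        if host and not any(hostname_matches(n, host) for n in san_entries):
            missing.add(host)
    return sorted(missing)


# Constructed sample input: URLs an Outlook 2007 client ends up using.
CONFIGURED_URLS = [
    "https://exch2008.domain.local/Autodiscover/Autodiscover.xml",  # SCP URI
    "https://autodiscover.example.com/Autodiscover/Autodiscover.xml",
    "https://exch2008.domain.local/EWS/Exchange.asmx",  # EWS InternalUrl
    "https://mail.example.com/EWS/Exchange.asmx",       # EWS ExternalUrl
]

# SAN of the cert as described in the thread: the public name only.
PUBLIC_ONLY_SAN = ["mail.example.com"]
# SAN after adding the autodiscover name and the internal FQDN.
FULL_SAN = ["mail.example.com", "autodiscover.example.com",
            "exch2008.domain.local"]
# Alternative fix: keep the cert and point the internal URLs at the public
# name, which split DNS resolves to the internal IP inside the LAN.
SPLIT_DNS_URLS = [u.replace("exch2008.domain.local", "mail.example.com")
                  for u in CONFIGURED_URLS]


if __name__ == "__main__":
    cases = [
        ("public-name-only cert, internal URLs", PUBLIC_ONLY_SAN, CONFIGURED_URLS),
        ("wildcard cert, internal URLs", ["*.example.com"], CONFIGURED_URLS),
        ("SAN with all three names", FULL_SAN, CONFIGURED_URLS),
        ("public-name-only cert, split DNS", PUBLIC_ONLY_SAN, SPLIT_DNS_URLS),
    ]
    for label, san, urls in cases:
        print(f"{label}: uncovered = {uncovered_hosts(san, urls)}")
```

With the public-name-only cert, both the internal FQDN and autodiscover.example.com come back uncovered, which is exactly the pattern of warnings internal users see when Autodiscover hands them the internal URLs. A wildcard clears autodiscover.example.com but still leaves the internal name; the split-DNS variant clears the internal name without touching the cert but leaves autodiscover.example.com, which still has to be on the SAN for clients outside the LAN. The split-DNS route is the only one that still works with a public CA: since 2015 the CA/Browser Forum baseline requirements forbid public CAs from issuing certificates for internal names such as domain.local. A name being on the SAN is necessary but not sufficient, since the warnings persist if the certificate that is bound for IIS is a different one from the one you inspected. It is worth getting right for a reason beyond annoyance: a name-mismatch warning is what a man-in-the-middle looks like, and users who are trained to click through it daily will click through the real one.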

Author: ryansutton (Location: San Francisco, California)    Posted: Wed Feb 16, 2011 5:56 am    Post subject:
    ----
These links have the powershell commands & DNS configuration you need:
http://technet.microsoft.com/en-us/library/bb201695.aspx
http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/configuring-outlook-2007-exchange-server-2007.html
http://www.msexchange.org/tutorials/Uncovering-New-Outlook-2007-Discover-Service.html

Author: moondoggie    Posted: Wed Feb 16, 2011 6:10 am    Post subject:
    ----
I found out I had the wrong cert enabled for Autodiscover/SMTP. When I enabled the 3rd party cert, Autodiscover began allowing authentication again. I'm still getting prompted for a password, but at least it's autofilling the entries correctly now.

Author: ryansutton (Location: San Francisco, California)    Posted: Wed Feb 16, 2011 9:29 pm    Post subject:
    ----
Make sure the trusted 3rd party cert is also configured correctly in your IIS bindings.

Author: moondoggie    Posted: Fri Feb 18, 2011 5:21 am    Post subject:
    ----
The 3rd party cert was always listed in the bindings correctly, but when local (domain) users opened Outlook, it would prompt them with a warning about the cert coming from the local FQDN instead of the external one, saying the cert was not valid. As of right now, I am not getting any more AD errors, but users are still getting prompted for credentials when they open Outlook.

Author: moondoggie    Posted: Thu Mar 03, 2011 7:44 am    Post subject:
    ----
Well, two weeks later and I think the issues are fixed. I had a scare moment when I created a new user for one of our remote offices and their Outlook didn't configure correctly. Apparently the mailbox has to be initialized before Outlook Anywhere will work correctly now, which I don't recall being the case before any of this happened.

Author: ryansutton (Location: San Francisco, California)    Posted: Thu Mar 03, 2011 9:11 am    Post subject:
    ----
moondoggie wrote:
apparently the mailbox has to be initialized before outlook anywhere will work correctly now, which i don't recall being the case before any of this happened.


Nothing should have to be done on the user PC before Autodiscover configures Outlook, assuming it is working properly. What are the results of an Autodiscover test from the client? You can run the test by Shift + right-clicking the system tray icon, IIRC.

Ryan

Author: mickdonald37    Posted: Sat May 14, 2011 9:50 am    Post subject:
    ----
Still this is a high risk operation, so back things up as this can completely wipe your AD. I would almost say reinstall and restore AD from backup. I hope there is a backup.


