
promoted exchange 2k7 to DC, autodiscover broken

moondoggie
Posted: Tue Feb 15, 2011 8:26 am    Post subject: promoted exchange 2k7 to DC, autodiscover broken

Server 2008 with Exchange 2007; the PDC used to be Server 2003 until an outage forced me to elevate the 2008 box to BDC (yes, I know the names are not used this way anymore :) ). Long story short, the 2003 machine was restored, then 2008 was elevated once the AD was functional. This was 2 weeks ago.

At the time, when I elevated the 2008 box I had to remove the AD Certificate Authority services in order to promote the machine to a DC. I made a backup of the CA and private key and registry settings of the server before promotion. After promotion, I restored the files I created onto the server and the only problem seemed to be that internal domain users were getting random certificate warnings. I thought this was caused by the certificate being 3rd party, so I used the Exchange Management Console to change the internal URLs for autodiscover to the external website and verified the internal DNS was set up to handle the redirection to the Exchange server properly.

Come in today, there are errors in NTFRS, DNS and NTDS on Server 2003. I managed to solve the NTFRS replication issue, but I am still getting errors on the old DC (2003 server). Also, new profiles cannot be configured in Outlook. When I try to configure them, I get prompted for my credentials, which are never allowed to authenticate; it just keeps prompting until I hit cancel. At this point I get the error "Outlook cannot log on. Verify you are connected to the network and are using the proper server and mailbox name. The connection to Outlook must be online or connected to complete this action."

When I click OK here, the server name is the correct internal FQDN of the Exchange server, but the mailbox says "=SMTP:username@domain.local", and if I cancel at this point it tries to authenticate me against the server again. Some established domain users are getting prompted for credentials, but if they enter their credentials properly (domain\username) they are able to get to their mail.

I'm not sure if it's related, but I have the following errors on my 2003 box:

Event Type: Error
Event Source: NTDS ISAM
Event Category: Database Corruption
Event ID: 467
Date: 2/14/2011
Time: 10:08:02 PM
User: N/A
Computer: SBSERVER
Description:
NTDS (444) NTDSA: Index DRA_USN_index of table datatable is corrupted (0).


Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 4015
Date: 2/14/2011
Time: 10:08:02 PM
User: N/A
Computer: SBSERVER
Description:
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "000020EF: SvcErr: DSID-02080490, problem 5012 (DIR_ERROR), data -1414". The event data contains the error.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 01 00 00 00 ....


TL;DR -- Exchange 2007 is now a DC and autodiscover doesn't work. Also, some random certificate warnings in Outlook. Can someone point me in a direction that will help me fix this problem?
krugger
Posted: Tue Feb 15, 2011 2:34 pm

Disclaimer: these are only pointers, as I haven't had a similar problem.

Are people able to authenticate in the Active Directory?

I would say you need to start by fixing the AD:
http://support.microsoft.com/kb/816120

AD should be in recovery mode.

To show you where the files are at:
ntdsutil files info

Then fix the database:
esentutl /g "<path>\ntds.dit"

Still this is a high risk operation, so back things up as this can completely wipe your AD. I would almost say reinstall and restore AD from backup. I hope there is a backup.

Are you sure replication is ok? With a corrupt database, what are you replicating? That DNS problem also points towards replication failure.
repadmin /replsummary
repadmin /showcert dsa
repadmin /viewlist
etc
moondoggie
Posted: Tue Feb 15, 2011 6:07 pm

Authentication to the domain seems to be fine, as I had reformatted a PC yesterday during all the time I spent on the server and I was able to authenticate with two separate domain accounts. I will be working on AD at a later date for sure, but for now it doesn't seem like AD is a problem. And yes, there is at least a week's worth of backups :)
krugger
Posted: Tue Feb 15, 2011 7:18 pm

DNS:

http://support.microsoft.com/kb/252695/en-us
ryansutton
Posted: Tue Feb 15, 2011 10:07 pm

Autodiscover can be a real PITA. A few things to check: Make sure you have the latest Exchange service pack installed. There are authentication issues with the base Exchange 2k7 and Autodiscover. Make sure your 3rd party certificate has the autodiscover entry on the SAN. If your domain is contoso.com, you need a SAN entry that says autodiscover.contoso.com. Wildcard certs don't work well with autodiscover. Those are the most common problems I have run into; if that does not fix it, there are a number of Exchange & IIS configurations that need to be checked.
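A check that follows from the SAN point above, added here as example code (it is not from the thread, nor an Exchange or Microsoft tool): it collects the hostnames from the virtual-directory URLs Outlook is handed, adds autodiscover.&lt;domain&gt; for each SMTP domain, and reports which of those names the certificate's SAN does not cover, separately flagging names covered only by a wildcard. The SAN list, URLs and domain are constructed sample values, not the poster's.

```python
"""Compare an Exchange certificate's SAN names with the hostnames Outlook will use."""
from urllib.parse import urlsplit

# Constructed sample data (not the poster's real values): the SAN names on the
# 3rd-party certificate and the URLs set on the Exchange virtual directories.
SAMPLE_SAN = ["mail.contoso.com"]
SAMPLE_URLS = {
    "AutodiscoverServiceInternalUri": "https://mail.contoso.com/Autodiscover/Autodiscover.xml",
    "EWS InternalUrl": "https://exch01.contoso.local/EWS/Exchange.asmx",
    "EWS ExternalUrl": "https://mail.contoso.com/EWS/Exchange.asmx",
    "OAB InternalUrl": "https://exch01.contoso.local/OAB",
}
SAMPLE_SMTP_DOMAINS = ["contoso.com"]


def san_matches(san_name: str, host: str) -> bool:
    """True if a SAN dNSName covers host: exact match, or a '*' in the
    left-most label standing for exactly one label (RFC 6125 style)."""
    san_name, host = san_name.lower(), host.lower()
    if san_name == host:
        return True
    if san_name.startswith("*."):
        suffix = san_name[1:]            # e.g. ".contoso.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return False


def required_names(urls: dict, smtp_domains: list) -> set:
    """Hostnames Outlook will see in TLS: every virtual-directory host,
    plus autodiscover.<smtp domain>, which the client also tries."""
    names = {urlsplit(u).hostname for u in urls.values()}
    names |= {f"autodiscover.{d}" for d in smtp_domains}
    return names


def check_certificate(san: list, urls: dict, smtp_domains: list) -> dict:
    """Return the names with no SAN coverage, and the names only a wildcard
    covers (worth a second look, since wildcards are flaky with Autodiscover)."""
    missing, wildcard_only = [], []
    for host in sorted(required_names(urls, smtp_domains)):
        exact = any(san_matches(s, host) for s in san if not s.startswith("*."))
        wild = any(san_matches(s, host) for s in san if s.startswith("*."))
        if not exact and not wild:
            missing.append(host)
        elif not exact:
            wildcard_only.append(host)
    return {"missing": missing, "wildcard_only": wildcard_only}
```

With the sample values the internal FQDN and autodiscover.contoso.com come back as missing, which is exactly the situation in which internal users get the "name mismatch" warning described in this thread.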
moondoggie
Posted: Wed Feb 16, 2011 12:41 am

krugger wrote:
DNS:

http://support.microsoft.com/kb/252695/en-us


Um, (a) wrong OS, (b) wrong error. But thanks for trying...

ryansutton wrote:
Autodiscover can be a real PITA. A few things to check: Make sure you have the latest Exchange service pack installed. There are authentication issues with the base Exchange 2k7 and Autodiscover. Make sure your 3rd party certificate has the autodiscover entry on the SAN. If your domain is contoso.com, you need a SAN entry that says autodiscover.contoso.com. Wildcard certs don't work well with autodiscover. Those are the most common problems I have run into; if that does not fix it, there are a number of Exchange & IIS configurations that need to be checked.


The SAN only shows the external name, but I tracked down a copy of the cert from before promoting Exchange to a DC and it also only has the external name in the SAN, i.e. the SAN shows the publicly configured DNS name and not the internal, and does not have autodiscover listed. This same cert worked before the promotion to DC, so I'm hoping it will still work now.

I am going onsite before hours tomorrow to fix the AD, so at least I can rule that out after tomorrow. If you have that list of Exchange and IIS configurations I'd very much appreciate it :)
ryansutton
Posted: Wed Feb 16, 2011 5:56 am

These links have the PowerShell commands & DNS configuration you need:
http://technet.microsoft.com/en-us/library/bb201695.aspx
http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/configuring-outlook-2007-exchange-server-2007.html
http://www.msexchange.org/tutorials/Uncovering-New-Outlook-2007-Discover-Service.html
moondoggie
Posted: Wed Feb 16, 2011 6:10 am

I found out I had the wrong cert enabled for autodiscover/SMTP. When I enabled the 3rd party cert, autodiscover began allowing authentication again. I'm still getting prompted for a password, but at least it's autofilling the entries correctly now.
ryansutton
Posted: Wed Feb 16, 2011 9:29 pm

Make sure the trusted 3rd party cert is also configured correctly in your IIS bindings.
moondoggie
Posted: Fri Feb 18, 2011 5:21 am

The 3rd party cert was always listed in the bindings correctly, but when local (domain) users opened Outlook, it would prompt them with a warning about the cert coming from the local FQDN instead of the external, saying the cert was not valid. As of right now, I am not getting any more AD errors, but users are still getting prompted for credentials when they open Outlook.
moondoggie
Posted: Thu Mar 03, 2011 7:44 am

Well, two weeks later and I think the issues are fixed. I had a scare moment when I created a new user for one of our remote offices and their Outlook didn't configure correctly. Apparently the mailbox has to be initialized before Outlook Anywhere will work correctly now, which I don't recall being the case before any of this happened.
ryansutton
Posted: Thu Mar 03, 2011 9:11 am

moondoggie wrote:
Apparently the mailbox has to be initialized before Outlook Anywhere will work correctly now, which I don't recall being the case before any of this happened.


Nothing should have to be done on the user PC before autodiscover configures Outlook, assuming it is working properly. What are the results of an Autodiscover test from the client? You can run the test by shift + right-clicking the system tray icon, IIRC.

Ryan