Troubleshoot: Exchange 2010 Randomly Losing Access to Active Directory

A virtualised multi-role Exchange 2010 server was randomly losing access to Active Directory. There were two Active Directory domain controllers holding the Global Catalog role in the same Active Directory site as the Exchange 2010 server, connected over a high-speed 1 Gbps LAN.

When the issue occurred, Exchange 2010 would begin logging the generic errors you receive whenever no Active Directory domain controller is available. Some of these errors include:

Log Name:      Application
Source:        MSExchange ADAccess
Date:          13/08/2012 8:58:37 AM
Event ID:      2114
Task Category: Topology
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Exchange2010.domain.local
Description:
Process STORE.EXE (PID=3788). Topology discovery failed, error 0x80040952 (LDAP_LOCAL_ERROR (Client-side internal error or bad LDAP message)). Look up the Lightweight Directory Access Protocol (LDAP) error code specified in the event description. To do this, use Microsoft Knowledge Base article 218185, "Microsoft LDAP Error Codes." Use the information in that article to learn more about the cause and resolution to this error. Use the Ping or PathPing command-line tools to test network connectivity to local domain controllers.
Log Name:      Application
Source:        MSExchange ADAccess
Date:          13/08/2012 9:01:56 AM
Event ID:      2103
Task Category: Topology
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Exchange2010.domain.local
Description:
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1468). All Global Catalog Servers in forest DC=internal,DC=domain,DC=com are not responding:
DC1.domain.local
DC2.domain.local


Log Name:      Application
Source:        MSExchange ADAccess
Date:          13/08/2012 9:04:56 AM
Event ID:      2604
Task Category: General
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Exchange2010.domain.local
Description:
Process MSEXCHANGEADTOPOLOGY (PID=1468). When updating security for a remote procedure call (RPC) access for the Microsoft Exchange Active Directory Topology service, Exchange could not retrieve the security descriptor for Exchange server object Exchange2010 - Error code=80040934.
 The Microsoft Exchange Active Directory Topology service will continue starting with limited permissions.


Log Name:      Application
Source:        MSExchange ADAccess
Date:          13/08/2012 9:07:56 AM
Event ID:      2501
Task Category: General
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Exchange2010.domain.local
Description:
Process MSEXCHANGEADTOPOLOGY (PID=1468). The site monitor API was unable to verify the site name for this Exchange computer - Call=HrSearch Error code=80040934. Make sure that Exchange server is correctly registered on the DNS server.

When this issue was occurring I verified that the Exchange 2010 server was successfully talking to a domain controller in the same Active Directory site by issuing the following command from a command prompt:

NLTEST /DSGETDC:domain.local

The problem was with the Exchange 2010 application itself randomly losing access to Active Directory.

After further diagnosis I made the following changes to the Windows TCP network stack on the Exchange 2010 server, disabling TCP Chimney offload, receive-side scaling, task offload and receive window auto-tuning:

netsh int tcp set global chimney=disabled
netsh int tcp set global rss=disabled
netsh int tcp set global taskoffload=disabled
netsh int tcp set global autotuninglevel=disabled

This resolved the problem.

Only run these commands on your Exchange 2010 server if you are sure that there is an Active Directory domain controller in the same Active Directory site as your Exchange 2010 server and that the Exchange 2010 server is able to communicate with it. Ensure you rule out all other possible causes first, such as network, storage, CPU or memory bottlenecks.
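As an added example (not part of the original post), the following PowerShell script performs the checks described above before touching the TCP stack: it saves the current netsh global settings so the change can be reversed, confirms that NLTEST can still locate a domain controller, and counts the MSExchange ADAccess events 2114/2103/2604/2501 from the Application log. The domain name, output path and lookback window are assumptions; the netsh changes are only applied when -Apply is given.

```powershell
# Added example, not from the original post. Domain, baseline path and
# lookback window are assumptions; adjust them for your environment.
param(
    [string]$Domain        = 'domain.local',
    [string]$Baseline      = "$env:TEMP\tcp-global-before.txt",
    [int]   $LookbackHours = 24,
    [switch]$Apply
)

# 1. Record the current TCP global settings so the change can be rolled back
#    later (re-enable each setting from the values saved in this file).
netsh int tcp show global | Out-File -FilePath $Baseline -Encoding ascii
Write-Host "Saved current TCP global settings to $Baseline"

# 2. Confirm the server can still locate a domain controller for the domain.
#    If this fails, the problem is AD/DNS reachability, not the TCP stack.
$dcInfo = nltest /dsgetdc:$Domain
if ($LASTEXITCODE -ne 0) {
    Write-Warning "nltest could not locate a DC for $Domain; fix AD/DNS first."
    exit 1
}
$dcInfo | Where-Object { $_ -match 'DC:|Our Site Name:|DC Site Name:' } |
    ForEach-Object { Write-Host $_.Trim() }

# 3. Summarise the ADAccess topology errors logged in the lookback window.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'MSExchange ADAccess'
    Id           = 2114, 2103, 2604, 2501
    StartTime    = (Get-Date).AddHours(-$LookbackHours)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host "No MSExchange ADAccess errors in the last $LookbackHours hours."
} else {
    $events | Group-Object Id | Sort-Object Name |
        Select-Object @{n='EventId'; e={$_.Name}}, Count,
            @{n='LastSeen'; e={($_.Group | Sort-Object TimeCreated)[-1].TimeCreated}} |
        Format-Table -AutoSize
}

# 4. Apply the offload changes from the post only when explicitly requested.
if ($Apply) {
    netsh int tcp set global chimney=disabled
    netsh int tcp set global rss=disabled
    netsh int tcp set global taskoffload=disabled
    netsh int tcp set global autotuninglevel=disabled
    netsh int tcp show global
}
```

Run it from an elevated PowerShell prompt on the Exchange server; without -Apply it only reports, which also makes it useful for confirming the errors have stopped after the change.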
