The Exchange computer srv-vm-ad-11.msk.fbk.ru does not have Audit Security Privilege on the domain controller srv-vm-ad-11.msk.fbk.ru. This domain controller will not be used by Exchange Active Directory Provider.

Process Microsoft.Exchange.Directory.TopologyService.exe (PID=2224). The Exchange computer srv-vm-ad-11.msk.fbk.ru does not have Audit Security Privilege on the domain controller srv-vm-ad-11.msk.fbk.ru. This domain controller will not be used by Exchange Active Directory Provider.
_________________________________________________________________________________
Process w3wp.exe (AirSync) (PID=12780). WCF request (GetServerFromDomainDN DC=msk,DC=fbk,DC=ru) to the Microsoft Exchange Active Directory Topology service on server (TopologyClientTcpEndpoint (localhost)) failed. Make sure that the service is running. In addition, make sure that the network ports that are used by Microsoft Exchange Active Directory Topology service are not blocked by a firewall. The WCF call was retried 3 time(s). Error Details
 No suitable domain controller was found in domain 'msk.fbk.ru'. Errors:

   at Microsoft.Exchange.Directory.TopologyService.RemoteDomainServerDiscovery.<FindSuitableDomainController>d__12.MoveNext()
   at Microsoft.Exchange.Extensions.TaskFactoryExtensions.<>c__DisplayClass4_0`1.<Iterate>b__1(Task unusedAntecedentTask)
_________________________________________________________________________________

Exchange ActiveSync experienced a transient error when it tried to access Active Directory information for user "FBK-USERS\GopkaloKE". Exchange ActiveSync will try this operation again. If this event occurs infrequently, no user action is required. If this event occurs frequently, check network connectivity using PING or PingPath. You can also use the Test-ActiveSyncConnectivity cmdlet. More information:

Microsoft.Exchange.Data.Directory.ADTransientException: The call to Microsoft Exchange Active Directory Topology service on server 'TopologyClientTcpEndpoint (localhost)' returned an error. Error details No suitable domain controller was found in domain 'msk.fbk.ru'. Errors:
. ---> System.ServiceModel.FaultException`1[Microsoft.Exchange.Data.Directory.TopologyDiscovery.TopologyServiceFault]: No suitable domain controller was found in domain 'msk.fbk.ru'. Errors:


Server stack trace:
   at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.Exchange.Data.Directory.TopologyDiscovery.ITopologyClient.GetServerFromDomainDN(String domainDN)
   at Microsoft.Exchange.Data.Directory.ServiceTopologyProvider.<>c__DisplayClass17_0.<GetServerFromDomainDN>b__0(IPooledServiceProxy`1 proxy)
   at Microsoft.Exchange.Net.ServiceProxyPool`1.TryCallServiceWithRetry(Action`1 action, String debugMessage, WCFConnectionStateTuple proxyToUse, Int32 numberOfRetries, Boolean doNotReturnProxyOnSuccess, Exception& exception)
   --- End of inner exception stack trace ---
   at Microsoft.Exchange.Data.Directory.ServiceTopologyProvider.GetServerFromDomainDN(String distinguishedName, NetworkCredential credential)
   at Microsoft.Exchange.Data.Directory.ConnectionPoolManager.GetConnection(ConnectionType connectionType, String partitionFqdn, ADObjectId domain, String serverName, Int32 port, NetworkCredential credential)
   at Microsoft.Exchange.Data.Directory.ConnectionPoolManager.GetConnection(ConnectionType connectionType, String partitionFqdn, NetworkCredential networkCredential, ADObjectId domain)
   at Microsoft.Exchange.Data.Directory.ADDataSession.GetConnection(String preferredServer, Boolean isWriteOperation, String optionalBaseDN, ADObjectId& rootId, ADScope scope)
   at Microsoft.Exchange.Data.Directory.ADDataSession.InternalFind[TResult](ADObjectId rootId, String optionalBaseDN, ADObjectId readId, QueryScope scope, QueryFilter filter, SortBy sortBy, Int32 maxResults, IEnumerable`1 properties, Boolean includeDeletedObjects)
   at Microsoft.Exchange.Data.Directory.ADDataSession.Find[TResult](ADObjectId rootId, QueryScope scope, QueryFilter filter, SortBy sortBy, Int32 maxResults, IEnumerable`1 properties, Boolean includeDeletedObjects)
   at Microsoft.Exchange.Data.Directory.ADDataSession.Find[TResult](ADObjectId rootId, QueryScope scope, QueryFilter filter, SortBy sortBy, Int32 maxResults, String callerFilePath, Int32 callerFileLine, String memberName)
   at Microsoft.Exchange.AirSync.Common.ADDeviceManager.<>c__DisplayClass33_0.<GetActiveSyncDeviceContainer>b__0()
   at Microsoft.Exchange.Data.Directory.ADNotificationAdapter.RunADOperation(ADOperation adOperation, Int32 retryCount)
   at Microsoft.Exchange.AirSync.Common.ADDeviceManager.GetActiveSyncDeviceContainer()
   at Microsoft.Exchange.AirSync.Common.Command.UpdateADDevice(IGlobalInfo iGlobalInfo, Lazy`1 adDeviceManager, DeviceIdentity deviceIdentity, Boolean isConsumerOrganizationUser, ADObjectId userOriginalId, SyncStateStorage syncStateStorage, TimeSpan adDataSyncInterval, String& logValue, String userName, Object objectToHash, Boolean isAirSync, IAirSyncContext context, Boolean isNewSyncStateStorage)
   at Microsoft.Exchange.AirSync.Common.Command.UpdateADDevice(IGlobalInfo iGlobalInfo)
   at Microsoft.Exchange.AirSync.Common.Command.CompleteDeviceAccessProcessing(IOrganizationSettingsData& organizationSettingsData)


We ran into this recently at a customer. It was an odd error because the description named one of the domain controllers as an “Exchange Computer”. That aside, the customer was receiving this error for two of their three domain controllers (dc02 and dc03), and the error was repeated across all of their Exchange servers.
To make matters worse, if the customer shut down the only domain controller not named in these errors (dc01), Exchange became completely unavailable. As the error states, dc02 and dc03 were not being used by the Exchange Active Directory Provider at all.
Further analysis of the event logs also revealed the informational event MSExchange ADAccess 2080. In it we could see all three domain controllers, with one striking difference.
Log Name: Application
Source: MSExchange ADAccess
Event ID: 2080
Task Category: Topology

Description:
 Exchange Active Directory Provider has discovered the following servers with
 the following characteristics:

 (Server name | Roles | Enabled | Reachability | Synchronized | GC capable |
 PDC |  SACL right  | Critical Data | Netlogon | OS Version)
 In-site:
 dc01.supertekboy.com CDG 1 7 7 1 0  1  1 7 1
 dc02.supertekboy.com CDG 1 7 7 1 0  0  1 7 1
 dc03.supertekboy.com CDG 1 7 7 1 0  0  1 7 1

In the eighth column, dc01 reports a 1 whereas dc02 and dc03 report a 0; every other column is identical across the three servers. The words in parentheses are the column headers. They do not line up well in Event Viewer, but counting to the eighth header gives “SACL right”. This means the Exchange servers are missing the SACL right on the domain controllers marked with a zero: specifically, the Exchange computer accounts lack the user right to manage the security and audit log (SeSecurityPrivilege) on those two domain controllers, which is exactly what event 2112 reports, and why the topology service refuses to use them.
We discussed this same root cause back in September for a different problem. In that article the missing SACL right was preventing an Exchange schema update (and in turn a cumulative update) from completing. Needless to say, the fix in that article is the same for this error.
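Counting to the eighth word in Event Viewer is error-prone, so here is an added example (not code from the original post) that parses the 2080 message into objects with named columns and flags every domain controller whose SACL right is 0. The column names follow the header shown in the event above; the sample message is constructed from the values in this post so the parser can be exercised offline, and Get-AdAccessTopology reads the newest 2080 event on a live Exchange server.

```powershell
# Added example (not part of the original post): parse MSExchange ADAccess event 2080
# into objects with named columns so the SACL right flag can be read without counting words.
# Column names follow the header in the event text; the sample message is constructed.

$AdAccess2080Columns = @(
    'ServerName', 'Roles', 'Enabled', 'Reachability', 'Synchronized',
    'GCCapable', 'PDC', 'SACLRight', 'CriticalData', 'Netlogon', 'OSVersion'
)

function ConvertFrom-AdAccess2080 {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Message
    )
    process {
        $section = 'Unknown'
        foreach ($rawLine in ($Message -split "`r?`n")) {
            $line = $rawLine.Trim()
            if ($line -match '^(In-site|Out-of-site):$') { $section = $Matches[1]; continue }

            # A server row is: <fqdn> <roles> followed by nine numeric fields (11 tokens in total).
            $parts = $line -split '\s+'
            if ($parts.Count -ne 11 -or $parts[0] -notmatch '\.') { continue }
            if (@($parts[2..10] | Where-Object { $_ -notmatch '^\d+$' }).Count -gt 0) { continue }

            $row = [ordered]@{ Site = $section }
            for ($i = 0; $i -lt $AdAccess2080Columns.Count; $i++) {
                $row[$AdAccess2080Columns[$i]] = $parts[$i]
            }
            [pscustomobject]$row
        }
    }
}

function Get-AdAccessTopology {
    # Reads the newest 2080 event from the local Exchange server's Application log.
    $evt = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'MSExchange ADAccess'; Id = 2080
    } -MaxEvents 1 -ErrorAction Stop
    ConvertFrom-AdAccess2080 -Message $evt.Message
}

# Constructed sample message (same layout and values as the event quoted in the post).
$SampleMessage = @'
Exchange Active Directory Provider has discovered the following servers with the following characteristics:
 (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
dc01.supertekboy.com CDG 1 7 7 1 0 1 1 7 1
dc02.supertekboy.com CDG 1 7 7 1 0 0 1 7 1
dc03.supertekboy.com CDG 1 7 7 1 0 0 1 7 1
Out-of-site:
'@

$rows = ConvertFrom-AdAccess2080 -Message $SampleMessage
$rows | Format-Table Site, ServerName, Roles, Reachability, GCCapable, SACLRight -AutoSize

# Any DC with SACLRight = 0 is the one event 2112 complains about and is skipped by Exchange.
$rows | Where-Object { $_.SACLRight -ne '1' } | ForEach-Object {
    Write-Warning ("{0}: Exchange lacks the SACL right here; expect event 2112 and this DC to be skipped" -f $_.ServerName)
}
# On a live server replace $SampleMessage with: Get-AdAccessTopology
```

The parser keys on the row shape (an FQDN, a role string, nine numeric fields) rather than on fixed positions, so the uneven spacing Event Viewer introduces around the highlighted column does not matter; the In-site / Out-of-site markers are kept so you can tell which DCs are in the Exchange server's own site.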

Fixing ‘MSExchange ADAccess Event ID 2112’

We discovered that the Default Domain Controllers Policy (the group policy linked to the Domain Controllers OU) had been deleted. It was uncertain when this had happened, but it was clear that the policy had existed when dc01 was promoted and had been deleted before dc02 and dc03 were. The absence of the policy itself was not the issue; rather, it was the absence of a setting that policy defines by default. The error was caused by the missing User Rights Assignment “Manage auditing and security log”, which the default policy grants to the builtin Administrators group and which Exchange setup also grants to the Exchange Servers group.
The fix was to create a new policy that defines this right. Let’s explore those steps.
_____________________________________________________________
Note: Alternatively, you can recreate the entire missing Default Domain Controllers Policy by running the DCGPOFIX command:
dcgpofix /ignoreschema /target:dc
Be aware that dcgpofix restores the policy to its out-of-the-box state (and overwrites the current policy if one still exists), so afterwards you still need to confirm that the Exchange Servers group appears under Manage auditing and security log and add it, as in the steps below, if it does not.
Special Thanks: Michael B. Smith
_____________________________________________________________
From the Group Policy Management Console, expand the domain and right-click the Domain Controllers OU. From the context menu select Create a GPO in this domain, and Link it here. Give the new policy a name and click OK. In our case we called it User Rights Assignment for Exchange.
Right-click the new policy and select Edit. This launches the Group Policy Management Editor. Expand the following nodes:
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment
Under User Rights Assignment, double-click Manage auditing and security log.
Check the box Define these policy settings. Click Add User or Group and then Browse. From the Select Users and Computers dialog add Exchange Servers. Repeat this process to add Administrators. Click OK. Both entries are needed: a defined User Rights Assignment replaces the existing list on the target machine rather than adding to it, so leaving Administrators out would strip that right from the local Administrators group on every domain controller.
Allow time for Active Directory to replicate. You can speed up application of the new policy by running GPUPDATE /FORCE from a command prompt on the problem domain controllers.
Once applied, this resolves error “MSExchange ADAccess 2112”. You should also see the informational event 2080 update the domain controller entries with a 1 in the SACL right column:
Description:
 Exchange Active Directory Provider has discovered the following servers with
 the following characteristics:

 (Server name | Roles | Enabled | Reachability | Synchronized | GC capable |
 PDC |  SACL right  | Critical Data | Netlogon | OS Version)
 In-site:
 dc01.supertekboy.com CDG 1 7 7 1 0  1  1 7 1
 dc02.supertekboy.com CDG 1 7 7 1 0  1  1 7 1
 dc03.supertekboy.com CDG 1 7 7 1 0  1  1 7 1
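Waiting for the next 2080 event tells you what Exchange sees, but it does not tell you why a DC is still at 0 (replication lag, a blocked link, a GPO that forgot Administrators). The following is an added example (not code from the original post) that asks each domain controller directly: it exports the effective User Rights Assignment with secedit, parses the SeSecurityPrivilege line, and reports whether the Exchange Servers group is among the holders. It assumes the RSAT ActiveDirectory module on the machine you run it from and WinRM access to the DCs; the sample export and the domain SID in it are constructed.

```powershell
# Added example (not part of the original post): verify on each domain controller who actually
# holds SeSecurityPrivilege ("Manage auditing and security log") once the GPO has applied.
# secedit exports the effective local security policy of the DC, so this shows the real
# assignment rather than what the GPO intends. Assumes RSAT ActiveDirectory + WinRM to the DCs.

function ConvertFrom-SeceditPrivilege {
    # Returns the SIDs assigned to one privilege in a secedit /export file.
    # The relevant line looks like:  SeSecurityPrivilege = *S-1-5-32-544,*S-1-5-21-...-1105
    param(
        [Parameter(Mandatory)][string]$InfText,
        [string]$Privilege = 'SeSecurityPrivilege'
    )
    $line = ($InfText -split "`r?`n") | Where-Object { $_ -match "^\s*$Privilege\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    $value = ($line -split '=', 2)[1]
    @($value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
}

function Get-DcUserRightsExport {
    # Runs secedit on the DC and returns the exported User Rights Assignment area as text.
    param([Parameter(Mandatory)][string]$DomainController)
    Invoke-Command -ComputerName $DomainController -ScriptBlock {
        $tmp = Join-Path $env:TEMP ("ura-{0}.inf" -f [guid]::NewGuid())
        secedit.exe /export /cfg $tmp /areas USER_RIGHTS | Out-Null
        try     { Get-Content -Path $tmp -Raw }
        finally { Remove-Item -Path $tmp -Force -ErrorAction SilentlyContinue }
    }
}

function Test-ExchangeSaclRight {
    # One row per DC: does the Exchange Servers group hold SeSecurityPrivilege there, and who else does.
    param(
        [string[]]$DomainController = (Get-ADDomainController -Filter *).HostName,
        [string]$ExchangeServersSid = (Get-ADGroup -Identity 'Exchange Servers').SID.Value
    )
    foreach ($dc in $DomainController) {
        $sids  = ConvertFrom-SeceditPrivilege -InfText (Get-DcUserRightsExport -DomainController $dc)
        $names = foreach ($sid in $sids) {
            try   { ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid }   # unresolvable SID: report it raw
        }
        [pscustomobject]@{
            DomainController   = $dc
            HasExchangeServers = ($sids -contains $ExchangeServersSid)
            Holders            = ($names -join '; ')
        }
    }
}

# Constructed sample export: builtin Administrators plus one domain group hold the right.
$SampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeSecurityPrivilege = *S-1-5-32-544,*S-1-5-21-1234567890-1234567890-1234567890-1105
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-549
[Version]
signature="$CHICAGO$"
Revision=1
'@
ConvertFrom-SeceditPrivilege -InfText $SampleInf

# Against the real domain (run as an admin with WinRM access to every DC):
# Test-ExchangeSaclRight | Format-Table -AutoSize
# A row with HasExchangeServers = False still needs the policy to apply (gpupdate /force on that DC);
# a row whose Holders lacks BUILTIN\Administrators means the GPO was defined without that group.
```

Because the check reads the DC's own security database, it also catches the failure mode the procedure above warns about: if the new GPO defined the right without Administrators, the Holders column will show that group gone from every DC the policy reached.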
