Very involved Global Catalog issue - HELP!

duckduckduck Posts: 45 Member
Any help would be VERY appreciated!

What we have is a forest consisting of a root and 3 child domains, the Exchange server (2K7) is in one of the child domains.

root=mat.airport,
child1=mac.mat.airport (this is where exchange resides),
child2=airsideops.mat.airport,
child3=environment.mat.airport

The Exchange cluster is macmail.mac.mat.airport

The DC that Exchange is trying to connect to is in the root: mac-arf-dc1.mat.airport. This is not a GC; it is the infrastructure master. We have 9 GCs spread out throughout the forest; the server it is trying to connect to is not one of them.

Originally, when doing the setup /pad, it succeeded but complained about not having a RUS for mat; we were told that was OK. During the actual setup of Exchange it would not complete without a RUS, so we temporarily set the mat-arf-dc1 as a GC, but since it is the infrastructure master, this is against best practices, so after the install we removed the GC from that server. The latest issue comes when trying to add users to the built-in Exchange administrative groups through the Exchange console. The error message below shows that it cannot complete because it is attempting to contact the mat-arf-dc1.mat.airport DC.

Error Message:
Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:00


Add-ExchangeAdministrator
Failed

Error:
Active Directory operation failed on mat-arf-dc1.mat.AIRPORT. This error is not retriable. Additional information: The specified group type is invalid.
Active directory response: 00002141: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0


The server cannot handle directory requests.

Exchange Management Shell command attempted:
Add-ExchangeAdministrator -Identity 'MAC.MAT.AIRPORT/DataCenters/GO/Users/Administrative accounts/Suche, Ivana (Chg)' -Role 'ViewOnlyAdmin'

Elapsed Time: 00:00:00

I can add users to the Exch Adm groups using the add users and computers mmc, and they do get the right "rights" to the Exchange org. However, it is important to the big cheese that we get this working correctly. Thanks!!

Comments

  • Claymoore Posts: 1,637 Member
    Is there another GC in the AD site of the Exchange server? There needs to be a GC in every site that has an Exchange server.

    Exchange 2007 System Requirements

    Some of the EMS cmdlets have the ability to specify a domain controller against which the command should run, but you really need to have a GC available so the server can parse distribution lists and reliably perform other Global Catalog lookups.
  • undomiel Posts: 2,818 Member
    As Claymoore mentions, I would verify that a GC is available in that site. I would also check into DNS and make sure that the _msdcs has correct entries for GCs for that site. I have run across the problem before with incorrect DNS records.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
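The checks suggested in the replies (a GC in the Exchange server's site, matching `_msdcs` records, a defined subnet), as an added PowerShell example that is not part of the original thread. It assumes a domain-joined host in the forest with the DnsClient module (`Resolve-DnsName`); the `-Site` parameter is a hypothetical name introduced here, and the forest root is the one given in the post.

```powershell
# Added example, not from the thread. Compares the GCs that AD lists for a site
# with the site-specific GC SRV records in DNS.
param(
    [string]$ForestRoot = 'mat.airport',   # forest root named in the post
    [string]$Site                          # hypothetical parameter; defaults to this host's site
)

Add-Type -AssemblyName System.DirectoryServices

if (-not $Site) {
    try {
        # Throws when the host's IP does not fall in any subnet defined in AD.
        $Site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
    } catch {
        throw 'This host does not map to an AD site; check that its subnet is defined in AD.'
    }
}

# GCs the directory lists for that site.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$dirGcs = @($forest.GlobalCatalogs |
    Where-Object { $_.SiteName -eq $Site } |
    ForEach-Object { $_.Name.ToLower() })

# GCs that DNS advertises for that site under _msdcs of the forest root.
$srvName = '_ldap._tcp.{0}._sites.gc._msdcs.{1}' -f $Site, $ForestRoot
$dnsGcs = @(Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.NameTarget } |           # keep SRV answers, skip additional A records
    ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() })

if ($dirGcs.Count -eq 0) { Write-Warning "No GC is listed in AD for site '$Site'." }
if ($dnsGcs.Count -eq 0) { Write-Warning "No GC SRV record found at $srvName." }

# One row per GC; a row with a False column is registered on one side only.
($dirGcs + $dnsGcs) | Sort-Object -Unique | ForEach-Object {
    [pscustomobject]@{
        Site          = $Site
        GlobalCatalog = $_
        InDirectory   = $dirGcs -contains $_
        InDns         = $dnsGcs -contains $_
    }
}
```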
  • blargoe Posts: 4,165 Member
    Related - Is the Exchange server on a subnet that has been defined in AD at all?
    IT guy since 12/00

    Recent: 1/29/2018 - Passed 70-743 - MCSA 2016 Complete; 1/13/2018 - Passed 70-411 - MCSA 2012 complete
    Working on: Being a better coder, build/test/deploy automation fundamentals
    Future: Renew VCP (due 2/2019), possibly with an adjacent VCP or VCAP
  • HeroPsycho Posts: 1,940 Inactive Imported Users
    It is not against best practices in a multidomain forest for infrastructure masters to be GC's provided that ALL domain controllers are GC's. Considering how little data there is in a global catalog, it's pretty hard to argue against all DC's being GC's.
    Good luck to all!
  • blargoe Posts: 4,165 Member
    Are you absolutely certain AD replication is working correctly?

    Go to Server Configuration - Mailbox, go to the properties of the mailbox server and look at the System Settings tab. This will tell you for certain which servers it's trying to use for GC.
  • blargoe Posts: 4,165 Member
    HeroPsycho wrote:
    It is not against best practices in a multidomain forest for infrastructure masters to be GC's provided that ALL domain controllers are GC's. Considering how little data there is in a global catalog, it's pretty hard to argue against all DC's being GC's.

    True that, it's sooo much simpler to manage if you just go ahead and make them all GC's if you don't have a reason NOT to.