Very involved Global Catalog issue - HELP!

Any help would be VERY appreciated!

What we have is a forest consisting of a root and 3 child domains, the Exchange server (2K7) is in one of the child domains.

root=mat.airport,
child1=mac.mat.airport (this is where exchange resides),
child2=airsideops.mat.airport,
child3=environment.mat.airport

The Exchange cluster is macmail.mac.mat.airport

The DC that Exchange is trying to connect to is in the root: mac-arf-dc1.mat.airport. This is not a GC it is the infrastructure master. We have 9 GC spread out throughout the forest, the server it is trying to connect to is not one of them.

Originally when doing the setup /pad it succeeded but complained about not having a RUS for mat, we were told that was ok, during the actual setup of exchange it would not complete without a RUS, we temporarily set the mat-arf-dc1 as a GC, but being it is the infrastructure master. This is against best practices, so after the install, we removed the GC from that server. The latest issue comes when trying to add users to the built in Exchange administrative groups through the Exchange console. The error message below shows that it cannot complete because it is attempting to contact the mat-arf-dc1.mat.airport DC.

Error Message:

Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:00

Add-ExchangeAdministrator
Failed

Error:
Active Directory operation failed on mat-arf-dc1.mat.AIRPORT. This error is not retriable. Additional information: The specified group type is invalid.
Active directory response: 00002141: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0

The server cannot handle directory requests.

Exchange Management Shell command attempted:
Add-ExchangeAdministrator -Identity 'MAC.MAT.AIRPORT/DataCenters/GO/Users/Administrative accounts/Suche, Ivana (Chg)' -Role 'ViewOnlyAdmin'

Elapsed Time: 00:00:00

I can add users to the Exch Adm groups using the add users and computers mmc, they do get the right "rights" to the exchange org. However it is important to the big cheese that we get this working correctly. Thanks!!

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

Claymoore

Is there another GC in the AD site of the Exchange server? There needs to be a GC in every site that has an Exchange server.

Exchange 2007 System Requirements

Some of the EMS cmdlets have the ability to specify a domain controller against which the command should run, but you really need to have a GC available so the server can parse distribution lists and reliably perform other Global catalog lookups.

undomiel

As claymoore mentions I would verify that a GC is available in that site. I would also check into DNS and make sure that the _msdcs has correct entries for GCs for that site. I have run across the problem before with incorrect DNS records.

blargoe

Related - Is the Exchange server on a subnet that has been defined in AD at all?

HeroPsycho

It is not against best practices in a multidomain forest for infrastructure masters to be GC's provided that ALL domain controllers are GC's. Considering how little data there is in a global catalog, it's pretty hard to argue against all DC's being GC's.

blargoe

Are you absolutely certain AD replication is working correctly?

Go to Server Configuration - Mailbox, go to the properties of the mailbox server and look at the System Settings tab. This will tell you for certain which servers it's trying to use for GC.

blargoe

HeroPsycho wrote: »

It is not against best practices in a multidomain forest for infrastructure masters to be GC's provided that ALL domain controllers are GC's. Considering how little data there is in a global catalog, it's pretty hard to argue against all DC's being GC's.

True that, it's sooo much simpler to manage if you just go ahead and make them all GC's if you don't have a reason NOT to.