
CertificateAuthority errors preceding Exchange IS dismount and Exchange errors


Tony Vrolyk

Apr 26, 2010, 10:29:08 AM
I am working on an SBS 2008 SP1 server and found the Exchange IS store down
this morning. In looking into it I found that there were several
CertificateAuthority errors just prior to all the Exchange errors which
appears to be when the IS service shut down. I don't know if they are the
first symptom of a bigger problem or the problem themselves. I was able to
successfully restart the IS service and they are up and running now.

They occur in the following order all with CertificateAuthority as the
source
Error #91
Warning #94
Error #44
Information #26

They are followed almost immediately by a number of Exchange errors and the IS
service shutting down. I have searched on the Certificate Authority errors
but have found nothing so far. I am thinking that this is just the first
symptom of another problem and the CertificateAuthority is able to recover
(Info #26) but when Exchange runs into the error it cannot recover.

Below is text of the cert errors. I stripped out the XML for easier
reading but can provide it if necessary.

Thanks
Tony

Error #91
------------------------------------------------------------
Log Name: Application
Source: Microsoft-Windows-CertificationAuthority
Date: 4/24/2010 11:33:38 PM
Event ID: 91
Task Category: None
Level: Error
Keywords: Classic
User: SYSTEM
Computer: xxxxxx.local
Description:
Could not connect to the Active Directory. Active Directory Certificate
Services will retry when processing requires Active Directory access.


Warning #94
------------------------------------------------------------
Log Name: Application
Source: Microsoft-Windows-CertificationAuthority
Date: 4/24/2010 11:33:38 PM
Event ID: 94
Task Category: None
Level: Warning
Keywords: Classic
User: SYSTEM
Computer: xxxxxxx
Description:
Active Directory Certificate Services xxxxxxx-CA can not open the
certificate store at CN=NTAuthCertificates,CN=Public Key
Services,CN=Services in the Active Directory's configuration container.

Error #44
------------------------------------------------------------
Log Name: Application
Source: Microsoft-Windows-CertificationAuthority
Date: 4/24/2010 11:33:38 PM
Event ID: 44
Task Category: None
Level: Error
Keywords: Classic
User: SYSTEM
Computer: xxxxxx.local
Description:
The "Windows default" Policy Module "Initialize" method returned an error.
The specified domain either does not exist or could not be contacted. The
returned status code is 0x8007054b (1355). The Active Directory containing
the Certification Authority could not be contacted.


Informational #26
------------------------------------------------------------
Log Name: Application
Source: Microsoft-Windows-CertificationAuthority
Date: 4/24/2010 11:33:38 PM
Event ID: 26
Task Category: None
Level: Information
Keywords: Classic
User: SYSTEM
Computer: xxxxxx.local
Description:
Active Directory Certificate Services for xxxxxx-CA was started. DC=


1st Exchange error
------------------------------------------------------------
Log Name: Application
Source: MSExchange ADAccess
Date: 4/24/2010 11:34:17 PM
Event ID: 2501
Task Category: General
Level: Error
Keywords: Classic
User: N/A
Computer: xxxxx.local
Description:
Process MSEXCHANGEADTOPOLOGY (PID=2468). The site monitor API was unable to
verify the site name for this Exchange computer - Call=HrSearch Error
code=80040a01. Make sure that Exchange server is correctly registered on the
DNS server.

2nd Exchange error
------------------------------------------------------------
Log Name: Application
Source: MSExchange ADAccess
Date: 4/24/2010 11:35:06 PM
Event ID: 2114
Task Category: Topology
Level: Error
Keywords: Classic
User: N/A
Computer: xxxx.local
Description:
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=2468). Topology discovery
failed, error 0x80040952 (LDAP_LOCAL_ERROR (Client-side internal error or
bad LDAP message)). Look up the Lightweight Directory Access Protocol (LDAP)
error code specified in the event description. To do this, use Microsoft
Knowledge Base article 218185, "Microsoft LDAP Error Codes." Use the
information in that article to learn more about the cause and resolution to
this error. Use the Ping or PathPing command-line tools to test network
connectivity to local domain controllers.

3rd Exchange error
------------------------------------------------------------
Log Name: Application
Source: MSExchangeIS
Date: 4/24/2010 11:35:19 PM
Event ID: 1121
Task Category: General
Level: Error
Keywords: Classic
User: N/A
Computer: xxxx.local
Description:
Error 0x96f connecting to the Microsoft Active Directory.


and they continue from there...

Tony Vrolyk

Apr 26, 2010, 10:40:01 AM

I can spell!

"Tony Vrolyk" <no_...@microsoft.com> wrote in message
news:uPZ3MyU5...@TK2MSFTNGP05.phx.gbl...

Ace Fekay [MVP - Directory Services, MCT]

Apr 26, 2010, 11:32:12 AM
On Mon, 26 Apr 2010 09:29:08 -0500, "Tony Vrolyk"
<no_...@microsoft.com> wrote:

>I am working on an SBS 2008 SP1 server and found the Exchange IS store down
>this morning. In looking into it I found that there were several
>CertificateAuthority errors just prior to all the Exchange errors which
>appears to be when the IS service shut down. I don't know if they are the
>first symptom of a bigger problem or the problem themselves. I was able to
>successfully restart the IS service and they are up and running now.
>
>They occur in the following order all with CertificateAuthority as the
>source
>Error #91
>Warning #94
>Error #44
>Information #26
>
>They are followed almost immediately by a number of Exchange errors and the IS
>service shutting down. I have searched on the Certificate Authority errors
>but have found nothing so far. I am thinking that this is just the first
>symptom of another problem and the CertificateAuthority is able to recover
>(Info #26) but when Exchange runs into the error it cannot recover.
>
>Below is text of the cert errors. I stripped out the XML for easier
>reading but can provide it if necessary.
>
>Thanks
>Tony
>

<snipped>


>
>3rd Exchange error
>------------------------------------------------------------
>Log Name: Application
>Source: MSExchangeIS
>Date: 4/24/2010 11:35:19 PM
>Event ID: 1121
>Task Category: General
>Level: Error
>Keywords: Classic
>User: N/A
>Computer: xxxx.local
>Description:
>Error 0x96f connecting to the Microsoft Active Directory.
>
>
>and they continue from there...


The one error that concerns me, which the others reference, is AD is
down, or rather, nothing can communicate to AD. Exchange *requires* AD
to be functional, for it stores the directory service (user accounts
and groups Exchange uses), as well as stores Exchange's configuration
information. Without it, Exchange is useless.

To help diagnose this, please provide:

1. Unedited ipconfig /all of the SBS 2008 server
2. Sample workstation ipconfig /all

Thanks,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.

Tony Vrolyk

Apr 28, 2010, 11:51:45 AM
Here is the ipconfig all from the server. I do not have access to any
workstations right now though I don't see how that would be a factor since
the issue is contained inside this server which is SBS2008. And I did edit
out the server name and AD domain name as I am not going to post domain name
information about a customer site for all the world to see.

This issue is not constant. The last time it happened was 4/17 and after
restarting the Exchange IS all is good. So that is why I believe the issue
is a short-lived one and Exchange just can't take it and shuts down the IS.
I have configured the IS service Recovery to restart on failure so that may
be enough to prevent this from affecting users in the future.

Thanks for your assistance.
Tony


Windows IP Configuration

Host Name . . . . . . . . . . . . : SERVERNAME
Primary Dns Suffix . . . . . . . : domain.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.local

Ethernet adapter Local Area Connection 2:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE
(NDIS
VBD Client) #2
Physical Address. . . . . . . . . : 00-22-19-61-CF-0E
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE
(NDIS
VBD Client)
Physical Address. . . . . . . . . : 00-00-00-00-00-00
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . :
fe80::7a28:a5de:fd2d:4cc2%10(Preferred)
Link-local IPv6 Address . . . . . :
fe80::fc2a:36c6:ac7d:c4f7%10(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.10.6(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.10.253
DNS Servers . . . . . . . . . . . : ::1
127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 8:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . :
isatap.{36FE9091-E4EB-4773-8B1A-BBB0FA4D9
5B0}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . :
isatap.{CB6A5E5A-DE3D-4F99-AE2E-B10CB5916
F7A}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes


"Ace Fekay [MVP - Directory Services, MCT]" <ace...@mvps.RemoveThisPart.org>
wrote in message news:4bcbt59pb1tok3r5t...@4ax.com...

kj [SBS MVP]

Apr 28, 2010, 1:43:23 PM
If this is unedited, you should start by disabling the "Ethernet adapter Local
Area Connection 2:" - not just leave it unconnected.

The adapter MAC (physical address) being 00-00-00 is concerning as well, but
perhaps they were edited.

--
/kj


Tony Vrolyk

Apr 28, 2010, 2:59:56 PM
I can disable the unused card, good idea.

Yes - I edited out the MAC address

Tony

"kj [SBS MVP]" <Kevin...@SPAMFREE.gmail.com> wrote in message
news:#5y#Opv5KH...@TK2MSFTNGP02.phx.gbl...

kj [SBS MVP]

Apr 28, 2010, 3:07:48 PM
A little surprised you got this far with a second NIC enabled, perhaps done
after setup?

Start by disabling the unused NIC, restart, then probably need some wizard
work, but post back the new ipconfig and perhaps you'll get lucky. Watch for
default gateway settings.

--
/kj


Tony Vrolyk

Apr 29, 2010, 3:19:08 PM
I am hesitant to rerun the wizard since things have been running well for a
while except this occasional problem - which has not been all that
problematic to tell you the truth. I have disabled the unused NIC and will
restart at next opportunity which may be a while.

Thanks for the suggestions
Tony

"kj [SBS MVP]" <Kevin...@SPAMFREE.gmail.com> wrote in message

news:uGWEaYw5...@TK2MSFTNGP02.phx.gbl...

Ace Fekay [MVP - Directory Services, MCT]

Apr 30, 2010, 8:44:27 AM

Honestly, I've re-run the wizard multiple times for one of my customer
systems, and sometimes not intentionally (trying to look at its
options not realizing I had no choice but to hit next), but every
time it ran, things came out like a charm.

If you have to run it, run it. It will be fine. Just make sure you
have the NIC you want to use enabled, and all others disabled, and you
should be fine.

Ace

Tony Vrolyk

Apr 30, 2010, 10:10:47 AM
I re-ran the internet connection wizard and it ran fine. I haven't done much
with SBS 2008 to this point and I was expecting the wizard to do a lot more
like it did in SBS 2003.

Here is the updated ipconfig /all (edited for server name, domain name and
MAC address - don't ask me why I edited out the MAC address, it just made me
feel better.)

As I previously said I set the recover mode on the Exchange IS service to
restart on the first two failures. I will monitor the event logs to see if
it happens again.

Thanks
Tony


Windows IP Configuration

Host Name . . . . . . . . . . . . : SERVER

Primary Dns Suffix . . . . . . . : domain.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.local

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE
(NDIS
VBD Client)
Physical Address. . . . . . . . . : 00-00-00-00-00-00
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . :
fe80::7a28:a5de:fd2d:4cc2%10(Preferred)
Link-local IPv6 Address . . . . . :
fe80::fc2a:36c6:ac7d:c4f7%10(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.10.6(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.10.253

DNS Servers . . . . . . . . . . . : fe80::7a28:a5de:fd2d:4cc2%10
192.168.10.6
192.168.2.10


NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 8:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . :
isatap.{36FE9091-E4EB-4773-8B1A-BBB0FA4D9
5B0}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

"Ace Fekay [MVP - Directory Services, MCT]" <ace...@mvps.RemoveThisPart.org>
wrote in message news:4vjlt517nhfn84488...@4ax.com...
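
The event-log monitoring mentioned in the last post can be scripted. The following PowerShell is an added example, not code from any poster in this thread: it groups the CertificationAuthority and Exchange events quoted above into incidents and records which provider lost Active Directory first. The provider names and event IDs come from the thread; the function name `Group-AdOutageEvent`, the 5-minute gap and the sample rows are assumptions constructed for illustration.

```powershell
# Provider names and event IDs are the ones quoted in this thread.
$Watch = @{
    'Microsoft-Windows-CertificationAuthority' = 91, 94, 44
    'MSExchange ADAccess'                      = 2501, 2114
    'MSExchangeIS'                             = 1121
}

# Hypothetical helper: groups watched events into incidents separated by
# more than $GapMinutes of quiet (the 5-minute default is an assumption).
function Group-AdOutageEvent {
    param([object[]]$Events, [int]$GapMinutes = 5)
    $incidents = @()
    $cur = $null
    foreach ($e in ($Events | Sort-Object TimeCreated)) {
        # Unknown providers index to $null, so they are skipped here too.
        if ($Watch[$e.ProviderName] -notcontains $e.Id) { continue }
        if ($null -eq $cur -or ($e.TimeCreated - $cur.End).TotalMinutes -gt $GapMinutes) {
            $cur = New-Object PSObject -Property @{
                Start = $e.TimeCreated; End = $e.TimeCreated
                FirstProvider = $e.ProviderName   # who noticed the AD loss first
                ExchangeAffected = $false; Ids = @()
            }
            $incidents += $cur
        }
        $cur.End = $e.TimeCreated
        $cur.Ids += $e.Id
        if ($e.ProviderName -like 'MSExchange*') { $cur.ExchangeAffected = $true }
    }
    $incidents
}

# Constructed sample mirroring the timestamps posted in the thread
# (event 26 is informational and is deliberately not in $Watch).
$ca = 'Microsoft-Windows-CertificationAuthority'
$sample = @(
    @('2010-04-24 23:33:38', $ca, 91), @('2010-04-24 23:33:38', $ca, 94),
    @('2010-04-24 23:33:38', $ca, 44), @('2010-04-24 23:33:38', $ca, 26),
    @('2010-04-24 23:34:17', 'MSExchange ADAccess', 2501),
    @('2010-04-24 23:35:06', 'MSExchange ADAccess', 2114),
    @('2010-04-24 23:35:19', 'MSExchangeIS', 1121)
) | ForEach-Object {
    New-Object PSObject -Property @{ TimeCreated = [datetime]$_[0]; ProviderName = $_[1]; Id = $_[2] }
}
Group-AdOutageEvent -Events $sample | Format-List Start, End, FirstProvider, ExchangeAffected, Ids

# Live use on the server (Get-WinEvent needs PowerShell 2.0 or later):
# Group-AdOutageEvent (Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = @($Watch.Keys) })
```

Repeated incidents with `FirstProvider` set to the CA provider and `ExchangeAffected` true would match the pattern described in the first post, where the CA recovers but the Exchange IS does not.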
