Office Servers and Services

"La connaissance ne vaut que si elle est partagée" / "An effective Knowledge is a shared one"

Exchange 2013 SP1 : Unable to connect with PS and ECP on a fresh Exchange installation [SOLVED]

Posted by Teruin laurent on July 21, 2014


Version : Exchange 2013 SP1
Platform : 2012 Std R2 Us
Language : US


Hi, we just installed a fresh copy of Exchange 2013 SP1 without any issue or warning, but we can't connect to Exchange with ECP and PowerShell.

We got this : EBSMEYDEVA06.d1.ad.local


The endpointconfiguration with the http://schemas.microsoft.com/powershell/Microsoft.exchange identifier is not in a valid initial session state on the remote computer

After checking the exchange setup log we found this

Start installing ASP.NET (4.0.30319.33440) without changing existing web applications to use this version of ASP.Net.This option is not supported on this version of the operating system. Administrators should instead install/uninstall ASP.NET 4.5 with IIS8 using the « Turn Windows Features On/Off » dialog, the Server Manager management tool, or the dism.exe command line tool. For more details please see http://go.microsoft.com/fwlink/?LinkID=216771.Finished installing ASP.NET (4.0.30319.33440) without changing existing web applications to use this version of ASP.Net.

The worst part is that no warning appears during the installation process. We decided to uninstall Exchange 2013 and follow http://go.microsoft.com/fwlink/?LinkID=216771

Our error? We just went to TechNet and copied and pasted the following cmdlet:

Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation

Set automatic mode for the following services (they were disabled by the customer's Windows 2012 R2 master):

Computer Browser
Internet Connection Sharing
Offline Files
Routing and Remote Access
Smart Card
SSDP Discovery
UPnP Device Host
WinMgmt

We added ASP.NET 3.5 as the article http://go.microsoft.com/fwlink/?LinkID=216771 specifies, then rebooted the server and tried to install Exchange 2013 SP1 again.

After one hour … we edited the Setup log and again found this: not particularly encouraging! Waiting for the end of the setup process.

[07/21/2014 14:28:13.0482] [2] Active Directory session settings for ‘Start-SetupProcess’ are: View Entire Forest: ‘True’, Configuration Domain Controller: ‘EBSMEY003.d1.xxx.xxx, Preferred Global Catalog: ‘EBSMEYXXX.d1.xxx.XXX, Preferred Domain Controllers: ‘{ EBSMEYXXX.d1.xx.XXX }’
[07/21/2014 14:28:13.0482] [2] User specified parameters: -Name:’C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe’ -Args:’-ir -enable’
[07/21/2014 14:28:13.0482] [2] Beginning processing Start-SetupProcess
[07/21/2014 14:28:13.0498] [2] Starting: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe with arguments: -ir –enable
[07/21/2014 14:28:13.0638] [2] Process standard output: Microsoft (R) ASP.NET RegIIS version 4.0.30319.33440
Administration utility to install and uninstall ASP.NET on the local machine.
Copyright (C) Microsoft Corporation. All rights reserved.
Start installing ASP.NET (4.0.30319.33440) without changing existing web applications to use this version of ASP.Net.
This option is not supported on this version of the operating system. Administrators should instead install/uninstall ASP.NET 4.5 with IIS8 using the « Turn Windows Features On/Off » dialog, the Server Manager management tool, or the dism.exe command line tool. For more details please see http://go.microsoft.com/fwlink/?LinkID=216771.
Finished installing ASP.NET (4.0.30319.33440) without changing existing web applications to use this version of ASP.Net.
[07/21/2014 14:28:13.0638] [2] Process standard error:
[07/21/2014 14:28:13.0638] [2] Ending processing Start-SetupProcess

After rebooting, we tried to log on to ECP and, after waiting, we got this:

Server Error in ‘/ecp’ Application.

Request timed out.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Web.HttpException: Request timed out.
Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[HttpException (0x80004005): Request timed out.]

 

I have searched in the event log and found this

Log Name: Application
Source: MSExchange ADAccess
Date: 7/21/2014 7:56:45 PM
Event ID: 4027
Task Category: General
Level: Error
Keywords: Classic
User: N/A
Computer: EBSMEYDEVA06.d1.xx.xxxx
Description: Process w3wp.exe (RemotePS) (PID=8508). WCF request (GetServerFromDomainDN DC=xx,DC=xxx,DC=xxx) to the Microsoft Exchange Active Directory Topology service on server (TopologyClientTcpEndpoint (localhost)) failed. Make sure that the service is running. In addition, make sure that the network ports that are used by Microsoft Exchange Active Directory Topology service are not blocked by a firewall. The WCF call was retried 3 time(s). Error Details

System.TimeoutException: This request operation sent to net.tcp://localhost:890/Microsoft.Exchange.Directory.TopologyService did not receive a reply within the configured timeout (00:02:00). The time allotted to this operation may have been a portion of a longer timeout. This may be because the service is still processing the operation or because the service was unable to send a reply message. Please consider increasing the operation timeout (by casting the channel/proxy to IContextChannel and setting the OperationTimeout property) and ensure that the service is able to connect to the client.

After verifying: the Exchange server has access to a DC, net view is working, and DSA.MSC works well from the Exchange server.

We also checked the site and service configuration and the site is correctly declared with the correct subnet.

State of Exchange Service


JULY 22 2014

We stopped the Windows Firewall, but the issue is the same.

We discovered that the MSExchange AD service correctly discovers the domain controllers in the site:

Log Name: Application
Source: MSExchange ADAccess
Date: 7/22/2014 3:06:53 PM
Event ID: 2080
Task Category: Topology
Level: Information
Keywords: Classic
User: N/A
Computer: XSBMEYDEVA06.xx.xx.xxx
Description:
Process Microsoft.Exchange.Directory.TopologyService.exe (PID=2188). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)

In-site:
XSBMEY001.xx.xxxx    CDG 1 7 7 1 0 1 1 7 1
XSBMEYPDC005.xx.xxxx    CDG 1 7 7 1 0 1 1 7 1
XSBMEY002.xx.xxxx    CDG 1 7 7 1 0 1 1 7 1
XSBMEYPDC006.xx.xxxx    CDG 1 7 7 1 0 1 1 7 1
XSBMEYPDC007.d1.xx.xxxx    CDG 1 7 7 1 0 0 1 7 1
XSBMEYPDC008.d1.xx.xxxx    CDG 1 7 7 1 0 0 1 7 1
XSBMEY003.d1.xx.xxxx    CDG 1 7 7 1 0 0 1 7 1
XSBMEYPDC009.d1.xx.xxxx    CDG 1 7 7 1 0 0 1 7 1
XSBMEY004.d1.xx.xxxx    CDG 1 7 7 1 0 0 1 7 1

Below is an explanation of each column.

  • Server name: The first column indicates the name of the domain controller that the rest of the data in the row corresponds to.
  • Roles: The second column shows whether or not the particular server can be used as a configuration domain controller (column value C), a domain controller (column value D), or a global catalog server (column value G) for this particular Exchange server. A letter in this column means that the server can be used for the designated function, and a hyphen (-) means that the server cannot be used for that function. In the example that is described earlier in this article, the Roles column contains the value CDG to show that the service can use the server for all three functions.
  • Reachability: The third column shows whether the server is reachable by a Transmission Control Protocol (TCP) connection. These bit flags are connected by an OR value. 0x1 means the server is reachable as a global catalog server (port 3268), 0x2 means the server is reachable as a domain controller (port 389), and 0x4 means the server is reachable as a configuration domain controller (port 389). In other words, if a server is reachable as a global catalog server and as a domain controller but not as a configuration domain controller, the value is 3. In the example that is described earlier in this article, the value 7 in the third column means that the server is reachable as a global catalog server, as a domain controller, and as a configuration domain controller (0x1 | 0x2 | 0x4 = 0x7).
  • Synchronized: The fourth column shows whether the « isSynchronized » flag on the rootDSE of the domain controller is set to TRUE. These values use the same bit flags connected by an OR value as the flags that are used in the Reachability column.
  • GC capable: The fifth column is a Boolean expression that states whether the domain controller is a global catalog server.
  • PDC: The sixth column is a Boolean expression that states whether the domain controller is a primary domain controller for its domain.
  • SACL right: The seventh column is a Boolean expression that states whether DSAccess has the correct permissions to read the SACL (part of nTSecurityDescriptor) against that directory service.
  • Critical Data: The eighth column is a Boolean expression that states whether DSAccess found this Exchange server in the configuration container of the domain controller listed in Server name column.
  • Netlogon Check: The ninth column (added in Exchange 2000 SP3) states whether DSAccess successfully connected to a domain controller’s Net Logon service. This requires the use of Remote Procedure Call (RPC), and this call may fail for reasons other than a server that is down. For example, firewalls may block this call. So, if there is a 7 in the ninth column, it means that the Net Logon service check was successful for each role (domain controller, configuration domain controller, and global catalog).
  • OS Version: The tenth column (added in Exchange 2003) states whether the operating system of the listed domain controller is running at least Microsoft Windows 2000 Service Pack 3 (SP3). Exchange 2003 only uses domain controllers or global catalog servers that are running Windows 2000 SP3 or later. A Boolean expression of 1 means the domain controller satisfied the operating system requirements of Exchange 2003 for use by DSAccess.

It appears that none of the DCs in the domain where Exchange 2013 is running has the value 1 for SACL right.

We just discovered that a legacy domain controller GPO was responsible for this situation. After removing this GPO and restarting the MS Exchange AD service, the issue was solved.
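
The check that exposed the problem can be scripted. The following is an added example, not part of the original post: it maps each value to a column by the header line printed in the event itself (the Exchange 2013 header has an Enabled column that the column-by-column explanation above does not count), decodes the Reachability bit flags, and lists the domain controllers whose SACL right is 0. The function names and the sample text, built from rows shown above, are assumptions made for the example.

```powershell
# Added example: list DCs whose "SACL right" is 0 in an event 2080 description.
function ConvertFrom-Event2080 {
    param([Parameter(Mandatory)][string]$Description)
    $columns = $null
    foreach ($line in ($Description -split "`r?`n")) {
        $line = $line.Trim()
        # Header line: "(Server name | Roles | Enabled | ... | OS Version)"
        if ($line -match '^\(Server name\s*\|') {
            $columns = ($line -replace '^\(|\)$', '') -split '\s*\|\s*'
            continue
        }
        if (-not $columns) { continue }
        $fields = $line -split '\s+'
        # Keep only data rows: exactly one value per header column.
        if ($fields.Count -ne $columns.Count) { continue }
        $row = [ordered]@{}
        for ($i = 0; $i -lt $columns.Count; $i++) { $row[$columns[$i]] = $fields[$i] }
        [pscustomobject]$row
    }
}

function Get-ReachabilityRoles {
    param([int]$Value)
    # Bit flags as described in the post: 0x1 GC, 0x2 DC, 0x4 configuration DC.
    $names = @()
    if ($Value -band 0x1) { $names += 'GC' }
    if ($Value -band 0x2) { $names += 'DC' }
    if ($Value -band 0x4) { $names += 'ConfigDC' }
    $names -join ','
}

# Constructed sample: header and three rows copied from the event shown in the post.
$sample = @'
(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
XSBMEY001.xx.xxxx    CDG 1 7 7 1 0 1 1 7 1
XSBMEYPDC007.d1.xx.xxxx    CDG 1 7 7 1 0 0 1 7 1
XSBMEY003.d1.xx.xxxx    CDG 1 7 7 1 0 0 1 7 1
'@

ConvertFrom-Event2080 -Description $sample |
    Where-Object { $_.'SACL right' -eq '0' } |
    Select-Object 'Server name', 'SACL right',
        @{ n = 'Reachable as'; e = { Get-ReachabilityRoles $_.Reachability } } |
    Format-Table -AutoSize

# On the Exchange server, feed the newest real event instead of $sample:
# $e = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MSExchange ADAccess'; Id = 2080 } -MaxEvents 1
# ConvertFrom-Event2080 -Description $e.Message
```

With the sample above, the two d1 domain controllers are listed and XSBMEY001 is not.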


 
