question

TyronSilk-4543 asked JeffYang-MSFT commented

One root forest, 2 tree domains, Exchange certificate not visible in ECP on the second Exchange server for that domain

Hi, first time posting so bear with me.

We have built a root forest with 2 tree domains off it, all on Server 2019. Exchange 2019 is installed on tree domain1.local and works fine; I can see the certificates in the ECP console and in the EMS PowerShell. On tree domain2.local, we installed Exchange 2019 and it installs fine. The ECP console can see both servers and we can create users on either Exchange server etc.
The issue is the certificates. If I go to the certificate tab in ECP and select domain2.local from the drop-down box, I get an error: "Cannot connect to the remote procedure call service on the server named DOMAIN2. Verify that a valid computer name was used and the Microsoft Exchange Service Host service is started." If I select DOMAIN1, the certificates are there and showing. In the EMS PowerShell, I can see the certificates on both Exchange servers.

DOMAIN2:
[PS] C:\Windows\system32>Get-ExchangeCertificate -server DOMAIN2

Thumbprint                               Services Subject
----------                               -------- -------
4DD9EA84B830FFB53B66DB9EA836E06C77D3663C IP.WS..  CN=DOMAIN2SERVER
976CD6219C2552E09CF4494E65CE1D2F3DE300B4 .......  CN=WMSvc-SHA2-DOMAIN2SERVER

DOMAIN1:
[PS] C:\Windows\system32>Get-ExchangeCertificate -server DOMAIN1

Thumbprint                               Services Subject
----------                               -------- -------
AEAB8153CEA7FEF17BFE7CC557B5A29641AD8C38 ....S..  CN=Microsoft Exchange Server Auth Certificate
D4E02D2FDDCAD534F8C8E48E588FF05E573CD792 IP.WS..  CN=DOMAIN1SERVER
9365EDA837EA47E7B03ABB14A53882501579440A .......  CN=WMSvc-SHA2-DOMAIN1SERVER

Both Exchange servers live on their own servers in their respective domains and they are not domain controllers. Replication between domains is working fine without errors. All servers are at the same level, patch-wise as well.

Is there anything I am missing here? This may be normal, but I can't find anything by googling that represents the same problem I have with the same setup. Any help would be greatly appreciated.

Regards

Tyron

Tags: office-exchange-server-administration, office-exchange-server-deployment

1 Answer

ManuPhilip answered JeffYang-MSFT commented

The issue described is mostly related to network configuration and not to the certificates. First check the DNS console of the domain and see that the IP addresses and names of each server are correct. Visit the TCP/IPv4 config of each server and check that everything is assigned correctly and identically. Do a ping test between the servers. Ping -a <ip> will print the server names; verify those.

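The checks in the answer above (DNS forward and reverse resolution, ping -a) plus the two things the ECP error text itself names (the RPC service on the remote host and the Microsoft Exchange Service Host service) can be run in one pass from the server hosting ECP. This is an added example, not code from the thread; the server names are constructed placeholders, and the service name MSExchangeServiceHost is the Windows service name behind "Microsoft Exchange Service Host".

```powershell
# Added example (not part of the original thread). Run in Windows PowerShell 5.1 on the
# server you open ECP from; Get-Service -ComputerName is not available in PowerShell 7.
# Server names are constructed placeholders: replace with the real Exchange FQDNs.
$ExchangeServers = @('DOMAIN1SERVER.domain1.local', 'DOMAIN2SERVER.domain2.local')

foreach ($fqdn in $ExchangeServers) {
    $short = $fqdn.Split('.')[0]
    Write-Host "=== ${fqdn} ==="

    # 1. Forward lookup of both the FQDN and the short name. The ECP error names the host
    #    by its short name (DOMAIN2), so the short name must resolve from this server too.
    foreach ($name in @($fqdn, $short)) {
        try {
            $a = Resolve-DnsName -Name $name -Type A -ErrorAction Stop
            Write-Host ("  forward  {0,-35} -> {1}" -f $name, ($a.IPAddress -join ', '))
        } catch {
            Write-Warning "  forward  ${name} did not resolve: $($_.Exception.Message)"
        }
    }

    # 2. Reverse lookup (what 'ping -a' does): the PTR should hand back the same FQDN.
    $ip = (Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue |
           Select-Object -First 1).IPAddress
    if ($ip) {
        $ptr = Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue
        if ($ptr -and ($ptr.NameHost -ieq $fqdn)) {
            Write-Host "  reverse  ${ip} -> $($ptr.NameHost) (ok)"
        } else {
            Write-Warning "  reverse  ${ip} -> $($ptr.NameHost) (expected ${fqdn})"
        }
    }

    # 3. RPC endpoint mapper (TCP 135) must be reachable across the domain boundary;
    #    a firewall between the tree domains would produce exactly the ECP error quoted.
    $rpc = Test-NetConnection -ComputerName $fqdn -Port 135 -WarningAction SilentlyContinue
    if ($rpc.TcpTestSucceeded) {
        Write-Host "  tcp/135  reachable"
    } else {
        Write-Warning "  tcp/135  blocked or not listening on ${fqdn}"
    }

    # 4. The service the error message asks you to verify.
    try {
        $svc = Get-Service -ComputerName $fqdn -Name 'MSExchangeServiceHost' -ErrorAction Stop
        Write-Host "  MSExchangeServiceHost  $($svc.Status)"
    } catch {
        # Failing here with an access-denied style message, while tcp/135 is reachable,
        # points at rights rather than the network.
        Write-Warning "  could not query MSExchangeServiceHost on ${fqdn}: $($_.Exception.Message)"
    }
}
```

Run it once from each Exchange server while logged on as the same account you use for ECP: a check that passes from DOMAIN1 but fails from DOMAIN2 (or only for one account) separates a network or DNS fault from a permissions fault.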

Hi ManuPhilip,

All DNS servers are correct. Each tree domain and the forest root domain have the forward zones and reverse zones of each domain, and all IP addresses and host names exist and are correct. NIC properties are all good on IP, GW and subnet.
DNS on the NICs of the AD servers points to its domain partner and itself and then to the forest root domain controllers. The Exchange boxes point to the tree domain controllers for their domain and then to the root forest controllers.
Using ping to do ICMP checks resolves to the correct names (FQDN) on each domain; ping -a resolves to the FQDN. Pinging the NetBIOS name and FQDN of the servers works within each tree domain, but only the FQDN works when doing it between domains.

NSLOOKUP results are correct. Repadmin /replsum all good, largest delta is a few minutes old. DCDIAG results all good. I could post these here if needed but they are clean.

Most results pointed to the same conclusion, that it was network or DNS, yet I have tried many suggestions and the problem remains. I even tried registering the SPNs again as per another forum. I am wondering now if this is not possible or Exchange does not support this type of topology.

Any suggestions are welcome; I am stumped by this.


Still need to figure out the exact issue. Check whether any indication of connectivity issues has popped up in the Event Viewer of any of the servers. Meanwhile, as a workaround, add entries for the three servers in the hosts file (under C:\Windows\System32\drivers\etc) on each server and see if it helps:
ipaddress servername


Adding the servers to the hosts file was one of the first things I tried, but for good measure I will try again. No network errors, DNS etc. in the event logs.

This is a pretty fresh install, so not much could break things like 3rd-party software, antivirus or other stuff.

Going to try some changes to permissions to test some ideas as well. I still think this is a permissions issue somehow because of the tree / forest setup and something is missing permissions.


Just another try: make sure of the view settings across the forest by running the following PS command from each domain:

 Set-ADServerSettings -ViewEntireForest:$True

Something else I got from following the Set-ADServerSettings suggestion from ManuPhilip is that I see the following below. This looks wrong, as it is searching all over for information on the global catalog and preferred servers. Should they not query the same servers besides themselves? (Hope that makes sense.)

DOMAIN1:
[PS] C:\Windows\system32>Get-ADServerSettings | fl

RunspaceId                                         :
DefaultGlobalCatalog                               : domain1-AD-01.domain1.local
PreferredDomainControllerForDomain                 : {}
DefaultConfigurationDomainController               : rootdomain-AD-02.rootdomain.local
DefaultPreferredDomainControllers                  : {domain1-AD-01.domain1.local, rootdomain-AD-01.rootdomain.local}
UserPreferredGlobalCatalog                         :
UserPreferredConfigurationDomainController         :
UserPreferredDomainControllers                     : {}
DefaultConfigurationDomainControllersForAllForests : {<rootdomain.local, rootdomain-AD-02.rootdomain.local>}
DefaultGlobalCatalogsForAllForests                 : {<rootdomain.local, domain1-AD-01.domain1.local>}
RecipientViewRoot                                  : domain1.local
ViewEntireForest                                   : False
WriteOriginatingChangeTimestamp                    : False
WriteShadowProperties                              : False
Identity                                           :
IsValid                                            : True
ObjectState                                        : New

Hi @TyronSilk-4543,

May I know from which server you logged into the ECP and viewed the certificate? And can this error be reproduced if you try the same operation from another server?

By the way, considering that the error message you provided mainly points to the remote procedure call service on the server named DOMAIN2, I would suggest you restart the services related to the remote procedure call feature and see if this issue behaves any differently.


Hi JeffYang,

I tested out what happens when I log into the different domains. I log into the DOMAIN1 Exchange with the DOMAIN1 administrator account and it can see the certs for DOMAIN1 but not DOMAIN2 in ECP. I log in with the root forest administrator account on DOMAIN1, and I can see the DOMAIN1 certs but not DOMAIN2.
If I log onto the DOMAIN2 Exchange with its administrator account, I can now see the DOMAIN2 certs in ECP but not DOMAIN1. If I log into DOMAIN2 with the root forest domain account, I cannot see DOMAIN1 certs in ECP but I can see DOMAIN1 certs. Now I am pretty sure that is a rights issue, but where?
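The two threads of investigation above, the Set-ADServerSettings -ViewEntireForest suggestion with the Get-ADServerSettings output it produced, and the last comment's account-by-account test pointing at rights, can be combined into one repeatable check. This is an added example, not code from the thread or from Microsoft: run in the Exchange Management Shell on each Exchange server, under each of the accounts being compared, it sets ViewEntireForest, attempts the same certificate read ECP performs against every Exchange server the forest knows about, and then lists which role assignments can write to each server and which ones the current account holds. The role name 'Exchange Server Certificates' is the built-in management role for certificate management; everything else is taken from the cmdlets named in the thread.

```powershell
# Added example (not part of the original thread). Exchange Management Shell, Windows PowerShell 5.1.
# Repeat under each account tested in the thread (DOMAIN1\Administrator, DOMAIN2\Administrator,
# the forest-root administrator) and diff the output.
Set-ADServerSettings -ViewEntireForest:$true
$settings = Get-ADServerSettings
Write-Host ("ViewEntireForest={0}  GC={1}  ConfigDC={2}" -f $settings.ViewEntireForest,
    $settings.DefaultGlobalCatalog, $settings.DefaultConfigurationDomainController)

$me = "$env:USERDOMAIN\$env:USERNAME"
Write-Host "Running as ${me}"

# Same read ECP does for the certificate tab, once per Exchange server in the forest.
$servers = Get-ExchangeServer | Sort-Object Name
$results = foreach ($srv in $servers) {
    try {
        $certs = Get-ExchangeCertificate -Server $srv.Fqdn -ErrorAction Stop
        [pscustomobject]@{ Server = $srv.Name; Domain = $srv.Domain; Reachable = $true
                           Certificates = @($certs).Count; Error = '' }
    } catch {
        # An RPC/connectivity failure and an access-denied failure surface here with
        # different messages; keep the text so the two cases can be told apart.
        [pscustomobject]@{ Server = $srv.Name; Domain = $srv.Domain; Reachable = $false
                           Certificates = 0; Error = $_.Exception.Message }
    }
}
$results | Format-Table -AutoSize

# Which role assignees (role groups) are allowed to write to each server for certificate work.
# In a multi-domain forest the assignment lives in the configuration partition, so this list
# should be identical from whichever domain it is queried.
foreach ($srv in $servers) {
    Write-Host "--- assignments able to manage certificates on $($srv.Name) ---"
    Get-ManagementRoleAssignment -WritableServer $srv.Name |
        Where-Object { $_.Role -eq 'Exchange Server Certificates' } |
        Select-Object RoleAssigneeName, RoleAssigneeType, AssignmentMethod |
        Format-Table -AutoSize
}

# Membership of Organization Management, the role group ECP relies on for org-wide admin.
Get-RoleGroupMember -Identity 'Organization Management' | Select-Object Name, RecipientType

# And the certificate-related roles effective for the account this shell runs as.
Get-ManagementRoleAssignment -RoleAssignee $me |
    Where-Object { $_.Role -eq 'Exchange Server Certificates' } |
    Select-Object Role, RoleAssigneeName, AssignmentMethod, ConfigWriteScope
```

If the certificate read succeeds from EMS for every server while ECP still fails for the same account, compare the last two listings between accounts: an account that appears in Organization Management from one domain's shell but not from the other indicates that the two shells are reading different configuration domain controllers, which is what the DefaultConfigurationDomainControllersForAllForests line in the Get-ADServerSettings output above reports.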