Exchange – Event ID 205 and Event ID 16025

KB ID 0001251 

Problem

At a client this week, they were having a LOT of mail flow problems. Looking at the queue viewer, I could see that all their mail was sat in queues waiting to go into their mail stores. There was a queue for each mail store, and the error on each was “451 4.4.0 DNS query failed Exchange Server error in message queue”. Looking in the Application log, it was full of Event ID 205 and 16025 errors stating:

Source MSExchange Common

No DNS servers could be retrieved from network adapter {GUID} Check that the computer is connected to a network and that the Get-NetworkConnectionInfo cmdlet returns results.

OR

No DNS servers could be retrieved from network adapter {GUID}. Verify that the computer is connected to a network and that the Get-NetworkConnectionInfo cmdlet returns results.

Solution

First, get the ‘Identity’ of your actual network card with the Get-NetworkConnectionInfo command (make sure the correct DNS settings are set for this NIC, i.e. it’s not pointing to a PUBLIC DNS server!). Once you have it, change the Transport service to use this new ID with a Set-TransportServer command.

[box]Set-TransportServer {Name-Of-Server} -InternalDNSAdapterGUID {GUID} -ExternalDNSAdapterGUID {GUID}[/box]

Then Restart the Microsoft Exchange Transport Service and the Microsoft Exchange Mailbox Transport Service.
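The steps above as a script, added here as an example and not taken from the original article: it picks the adapter whose DNS servers contain no public IPv4 address before touching the Transport service. The helper names and the sample adapter objects are constructed, and the Name, DnsServers and AdapterGuid property names on Get-NetworkConnectionInfo output are an assumption.

```powershell
# Added example, not from the original article. Assumption: objects returned by
# Get-NetworkConnectionInfo expose Name, DnsServers and AdapterGuid properties.
function Test-PublicIPv4 {
    param([string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne 'InterNetwork') { return $false }   # IPv6 is not judged here
    $b = $ip.GetAddressBytes()
    $private = ($b[0] -eq 10) -or ($b[0] -eq 127) -or
               ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
               ($b[0] -eq 192 -and $b[1] -eq 168)
    return -not $private
}

function Select-InternalDnsAdapter {
    param([object[]]$Adapter)
    # Keep adapters that list DNS servers, none of which is a public IPv4 address.
    $Adapter | Where-Object {
        $_.DnsServers -and -not ($_.DnsServers | Where-Object { Test-PublicIPv4 "$_" })
    }
}

# Constructed sample adapters: only the first one should be selected.
$sample = @(
    [pscustomobject]@{ Name = 'LAN';      DnsServers = @('192.168.10.5', '192.168.10.6'); AdapterGuid = '11111111-1111-1111-1111-111111111111' }
    [pscustomobject]@{ Name = 'Backup';   DnsServers = @('8.8.8.8');                      AdapterGuid = '22222222-2222-2222-2222-222222222222' }
    [pscustomobject]@{ Name = 'Unplugged'; DnsServers = @();                              AdapterGuid = '33333333-3333-3333-3333-333333333333' }
)
Select-InternalDnsAdapter $sample | Format-Table Name, AdapterGuid

# On the Exchange server (Exchange Management Shell). Remove -WhatIf to apply.
if (Get-Command Get-NetworkConnectionInfo -ErrorAction SilentlyContinue) {
    $nic = @(Select-InternalDnsAdapter (Get-NetworkConnectionInfo))
    if ($nic.Count -ne 1) { throw "Expected one adapter with internal DNS, found $($nic.Count)" }
    Set-TransportServer $env:COMPUTERNAME -InternalDNSAdapterGuid $nic[0].AdapterGuid `
        -ExternalDNSAdapterGuid $nic[0].AdapterGuid -WhatIf
    Restart-Service MSExchangeTransport -WhatIf
    # Display-name wildcard follows the service name given in the article.
    Get-Service -DisplayName 'Microsoft Exchange Mailbox Transport*' | Restart-Service -WhatIf
}
```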

Related Articles, References, Credits, or External Links

NA

Certificate Enrolment – URI This ID conflicts with an Existing ID

KB ID 0001248

Problem

When attempting to connect a host to a Certificate Enrolment Policy Server I got this error;

The URI Entered above had ID : “{Random-GUID}”. This ID conflict with an existing ID

Solution

On your certificate enrolment policy server, open the Internet Information Services (IIS) Management console. Expand {Server-Name} > Sites > Default Web Site > ADPolicyProvider_CEP_Kerberos (yours may not end with kerberos) > Application Settings.

Open the ID field, and add a character to the end of it > OK.

Open an Administrative Command Window > Issue an IISRESET command.

Related Articles, References, Credits, or External Links

NA

Event ID 1202

KB ID 0000123 

Problem

Security policies are propagated with warning. 0x5 : Access is denied. Please look for more details in Troubleshooting section in Security Help.

This error typically occurs when the system has not been granted the correct permissions to update the access control list of a service. This may occur if the Administrator defines permissions for a service in a policy but does not grant the System account Full Control permissions.

Solution

1. Start > run > regedit {enter}

2. Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}

3. Create a new DWORD Value called ExtensionDebugLevel and set its value to 2

4. This creates a winlogon.log file that logs service logon errors.

5. Refresh the machine policy: secedit /refreshpolicy machine_policy /enforce

6. Start > run > cmd {enter}

7. Execute the following command: find /i "error opening" %SYSTEMROOT%\security\logs\winlogon.log

8. This will tell you the name of the faulting service (get its name and google it to find out what it is, e.g. IsmServ is the Microsoft Server Intersite Messaging service)

9. If you only have one policy (default domain policy), skip to Step 13

10. Find out which policy is misconfigured on this service by executing the following command: find /i "service" %SYSTEMROOT%\security\templates\policies\gpt*.*

NB replace service with the service name you discovered in step 7

11. Take a note of the GUID of the policy

for example for

GPOPath={6AC1786C-016F-11D2-945F-00C04FB984F9}\MACHINE

The GUID is {6AC1786C-016F-11D2-945F-00C04FB984F9}

12. In the 2K resource kit is a tool called gpotool that will list the GUIDs and friendly names of all the policies. To execute it, run "gpotool /verbose", locate the GUID and it will give you the policy name.

13. Start > run > dsa.msc {enter} > Right click domain > properties > group policy

14. Open the appropriate group policy

15. Navigate to Computer Configuration\Windows Settings\Security Settings\System Services

16. Locate the service you identified in step 8 > Right click > Properties > Edit Security

17. Add the administrators group and SYSTEM and give both Full control > Exit Group Policy Editor

18. Start > Run > Regedit {enter} Navigate to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services

19. Below the services Key there is a subkey for every service; locate the one for the service you identified in step 8

20. Expand the appropriate key for the faulting service key and delete the “Security” subkey.

21. Reboot the server.
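The lookups in steps 7, 10 and 11 can be chained in one pass. The following is an added example, not part of the original article; the function names are hypothetical, and the log and template contents are constructed samples whose line formats are an assumption.

```powershell
# Added example. Log/template text below is constructed; on a real server use
# $env:SystemRoot\security\logs\winlogon.log and ...\security\templates\policies.
function Get-FaultingService {
    param([string]$LogPath)
    # Step 7: lines such as "Error opening IsmServ." name the faulting service.
    Select-String -Path $LogPath -Pattern 'error opening\s+(\S+?)\.?\s*$' |
        ForEach-Object { $_.Matches[0].Groups[1].Value } | Sort-Object -Unique
}

function Find-PolicyForService {
    param([string]$PolicyDir, [string]$Service)
    $pattern = '^\s*"?' + [regex]::Escape($Service) + '"?\s*,'
    # Step 10: which cached template (gpt*.*) sets security on the service?
    Get-ChildItem -Path $PolicyDir -Filter 'gpt*.*' | ForEach-Object {
        if (Select-String -Path $_.FullName -Pattern $pattern -Quiet) {
            # Step 11: the GPOPath line in the same file carries the policy GUID.
            $m = Select-String -Path $_.FullName -Pattern 'GPOPath=(\{[0-9A-Fa-f-]{36}\})' |
                Select-Object -First 1
            [pscustomobject]@{
                Service  = $Service
                Template = $_.Name
                GpoGuid  = if ($m) { $m.Matches[0].Groups[1].Value } else { $null }
            }
        }
    }
}

# Constructed sample files in a temp folder.
$dir = Join-Path ([IO.Path]::GetTempPath()) 'kb0000123-sample'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -Path (Join-Path $dir 'winlogon.log') -Value @'
Configure IsmServ.
Error 5: Access is denied.
Error opening IsmServ.
'@
Set-Content -Path (Join-Path $dir 'gpt00000.dom') -Value @'
GPOPath={00000000-0000-0000-0000-000000000001}\MACHINE
Dnscache,2,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
'@
Set-Content -Path (Join-Path $dir 'gpt00001.inf') -Value @'
GPOPath={6AC1786C-016F-11D2-945F-00C04FB984F9}\MACHINE
IsmServ,2,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;BA)"
'@
foreach ($svc in Get-FaultingService (Join-Path $dir 'winlogon.log')) {
    Find-PolicyForService -PolicyDir $dir -Service $svc
}
```

On the sample data this reports IsmServ against gpt00001.inf with the GUID from step 11, which is the value to look up with gpotool in step 12.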

Related Articles, References, Credits, or External Links

NA

WDS – Unattended file – Joining a Domain Automatically

KB ID 0000494 

Problem

During a large rollout the more things you can automate the better, before you continue though be aware of one thing…

You can only automatically join a client to a domain if it has an auto generated random machine name!*

*Note: This is not 100% true. If you pre-stage the computer objects into Active Directory with the GUID of the machine (you can see this on the screen at PXE boot time, or get it from the BIOS), then you can auto join the machines and they will come in with the correct name. However, if you have a large number of machines to build, this is more time consuming than simply renaming them after they have been imaged.

Solution

Before you begin make sure you are clued up on working with WDS unattended files, run through my instructions here.

The following procedure needs to be added to the image’s unattended file, NOT the WDS unattended file (again, run through KB0000180 if you are unsure).

1. While editing your unattended answer file, locate “Microsoft-Windows-Shell-Setup_neutral”, add it to pass 4 (Specialize) and set the ComputerName entry to * (an asterisk).

Note: In this section you can also enter the Windows product code and owner details, as well as your time zone.

2. Then locate, “Microsoft-Windows-UnattendedJoin”, add it to pass 4 (Specialize). Set the JoinDomain entry to the name of your domain. Set UnsecureJoin to “true”.

4. This procedure will add the following to your unattended file.
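An answer-file fragment with the settings from steps 1 and 2, together with a check that can be run before a rollout. This is an added example, not the file from the original article; the domain name corp.example, the amd64 architecture and the function name are placeholders.

```powershell
# Added example: constructed answer-file fragment plus a pre-rollout check.
# 'corp.example' and processorArchitecture="amd64" are placeholders.
$answerFile = @'
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <ComputerName>*</ComputerName>
    </component>
    <component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <Identification>
        <JoinDomain>corp.example</JoinDomain>
        <UnsecureJoin>true</UnsecureJoin>
      </Identification>
    </component>
  </settings>
</unattend>
'@

function Test-AutoJoinAnswerFile {
    param([string]$Xml)
    $ns   = @{ u = 'urn:schemas-microsoft-com:unattend' }
    $spec = "/u:unattend/u:settings[@pass='specialize']/u:component"
    # Return the text of the first node matching an XPath, or $null if absent.
    $get  = { param($xpath)
        (Select-Xml -Content $Xml -XPath $xpath -Namespace $ns | Select-Object -First 1).Node.InnerText }
    $name     = & $get "${spec}[@name='Microsoft-Windows-Shell-Setup']/u:ComputerName"
    $join     = "${spec}[@name='Microsoft-Windows-UnattendedJoin']/u:Identification"
    $domain   = & $get "$join/u:JoinDomain"
    $unsecure = & $get "$join/u:UnsecureJoin"
    [pscustomobject]@{
        RandomComputerName = ($name -eq '*')          # step 1: ComputerName is *
        JoinDomain         = $domain                  # step 2: domain to join
        UnsecureJoin       = ($unsecure -eq 'true')   # step 2: UnsecureJoin is true
        ReadyForAutoJoin   = [bool](($name -eq '*') -and $domain -and ($unsecure -eq 'true'))
    }
}

Test-AutoJoinAnswerFile -Xml $answerFile
```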

 

Related Articles, References, Credits, or External Links

Windows Deployment Services (On Server 2008 R2) Deploying Windows 7

Windows Deployment Services (Server 2003) Deploying Windows XP