Access Denied on RDP on file server & Cannot access MS-Exchange via Outlook


jeff
We recently needed to down our servers - 2003 R2 SBS & file server 2003 R2. The file server (also a domain controller) was downed for some time and then lost its NIC, which we replaced after removing the dead NIC's drivers. The file server is up and running but since then:

1. We get Access denied when attempting to RDP to the file server. The file system & shares are available on the network - we just can't remote desktop to it. The file server (not SBS/exchange server) has Kerberos Errors:
KRB_AP_ERR_MODIFIED error from the server host/sbs01.abc.local. The target name used was DNS/sbs01.abc.local.
KRB_AP_ERR_MODIFIED error from the server host/sbs01.abc.local. The target name used was exchangeMDB/sbs01.abc.local

No passwords were changed on either server. The SBS domain controller has replication errors which we expected whilst the file server (alternate domain controller) was out of action. RDP to the SBS works perfectly.

2. Outlook shows Exchange (on the SBS) as offline although the MS-Exchange store is mounted & no errors on info store or Exchange startup or event viewer. On the same PCs where Outlook shows Exchange as being offline, we can use OWA to access the user's mailbox, proving the info store is accessible.

Does Active Directory or DNS keep a record of the NIC hardware that was replaced, which is causing these problems, or is it because ADs on both servers failed replication beyond the tombstone period?

I'm wondering whether these problems are related and what the best resolution steps are.
  • robo_dev

    Check the settings for the order of DNS resolution in the TCP/IP properties on the mail server.

    I would bet these are messed up, or got changed with a new adapter.

    If DNS is all messed up, the whole Kerberos ticket-granting process breaks.

    With a new adapter MAC address, you need to flush all places where DNS could be cached, such as the server, the client, etc.

    Do an ipconfig /flushdns followed by ipconfig /registerdns

    For RDP, there are also certificates stored on the client side in the PC registry. It may or may not help to reset the certificates on the client side.

    HKLM\System\CurrentControlSet\Services\TermServices\Parameters

    Delete registry keys named Certificate, X500 Certificate and X509 Certificate ID values. (These keys will get auto generated after system restart with system default values, which is actually needed)

    But... the more likely root cause is if the DNS settings or cached DNS info is messed up, since certificates only work if they can validate who the host is.

    markp24

    Hi

    Definitely agree with what Robo said,

    Charles Bundy

    Whilst there may be some DNS issues (see thoughts below) I'd start with the RDP port (3389) and work my way back.

    WRT to Outlook: As the SBS would be authoritative FSMO and you don't mention any HW/SW changes to that box I'd look client side first. Did you try 'work online'? I also assume that box supplies DNS & DHCP, thus I'd be surprised at DNS problems.

    PS: I did find this related (tho not exact) link.

    http://ask.wireshark.org/questions/652/connection-to-microsoft-exchange-has-been-lost-outlook-will-restore-the-connection-when-possible
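
Added example, not part of any reply in this thread: a small Python triage that parses the KRB_AP_ERR_MODIFIED event text quoted in the question and checks whether forward and reverse DNS agree for the host named in each target, which is the DNS condition the replies point at. The regular expression is written against the two lines quoted above, and the function names are this example's own.

```python
import re
import socket

# The two event lines quoted in the question.
SAMPLE_EVENTS = [
    "KRB_AP_ERR_MODIFIED error from the server host/sbs01.abc.local. "
    "The target name used was DNS/sbs01.abc.local.",
    "KRB_AP_ERR_MODIFIED error from the server host/sbs01.abc.local. "
    "The target name used was exchangeMDB/sbs01.abc.local",
]
EVENT_RE = re.compile(
    r"KRB_AP_ERR_MODIFIED error from the server (\S+?)\.\s+"
    r"The target name used was (\S+?)\.?\s*$")

def sys_forward(host):
    """A records for host from the system resolver ([] if none)."""
    try:
        return sorted({a[4][0] for a in socket.getaddrinfo(host, None, socket.AF_INET)})
    except socket.gaierror:
        return []

def sys_reverse(ip):
    """PTR name for ip from the system resolver (None if none)."""
    try:
        return socket.gethostbyaddr(ip)[0].lower()
    except (socket.herror, socket.gaierror):
        return None

def triage(events, forward=sys_forward, reverse=sys_reverse):
    """Group events by target host and compare forward and reverse DNS."""
    report = {}
    for line in events:
        m = EVENT_RE.search(line.strip())
        if not m:
            continue
        service, _, host = m.group(2).partition("/")
        entry = report.setdefault(host.lower(), {"services": set(), "answered_as": set()})
        entry["services"].add(service)
        entry["answered_as"].add(m.group(1).lower())
    for host, entry in report.items():
        ips = forward(host)
        # Addresses whose PTR record names a different machine (or none).
        entry["mismatches"] = [(ip, reverse(ip)) for ip in ips if reverse(ip) != host]
        if not ips:
            entry["dns"] = "unresolved"
        elif entry["mismatches"]:
            entry["dns"] = "mismatch"
        else:
            entry["dns"] = "consistent"
    return report

if __name__ == "__main__":
    for host, entry in triage(SAMPLE_EVENTS).items():
        print(host, entry["dns"], sorted(entry["services"]), entry["mismatches"])
```

Run it on the machine that logs the errors so it uses that machine's resolver order. A PTR record that returns a short name instead of the FQDN is also reported as a mismatch.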
