Old 12-08-2009, 12:16 PM   #1
LordZordec
...---... - BES, Exchange Failover Scenario - Major Issues


Hello all!

We recently implemented software that automatically replicates data from our local Exchange 2003 front-end and back-end servers to a pair of Exchange servers at a hosted facility about 50 miles away. In the event of a failure of our Exchange servers, or if a hole in the ground opens and swallows our building, the special failover software will automatically change DNS entries to point email clients to the new servers and then start Exchange services on them.

A few weeks ago, we did a failover test, and as far as the Exchange portion went, the test was smooth as silk. We shut down our local Exchange servers, and in a matter of ten minutes, the failover servers were up and running, and all was well...except the BES.

We could access email via the OWA portal and Microsoft Outlook. However, the BES REFUSED to talk to the failover servers and continue letting email flow.

The local Exchange servers and the failover servers have different names, but there was a DNS forwarding rule put in place that forwards all traffic sent to the original servers over to the failover servers.

So, email clients had no issues with this. The BES refused to work with this arrangement.

The following errors were in the event log:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/XXXX-dc03.XXXX.org. The target name used was HOST/DBSI-MAIL. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (XXXX.ORG) is different from the client domain (XXXX.ORG), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Also, for each and every BlackBerry user, there was one of these:

User Doe, John not started

{jdoe@XXXX.org} MAPIMailbox::MAPIMailbox - OpenMsgStore (0x8004011d) failed, MailboxDN=/o=XXXX/ou=First Administrative Group/cn=Recipients/cn=ppicarie, ServerDN=/o=XXXX/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=XXXX-MAIL/cn=Microsoft Private MDB

We have verified that this is not a permissions issue for the BlackBerry administrator account. It does have full rights to the Exchange server and the user mailboxes.

The BES refused to talk to the failover Exchange servers for two hours, and then suddenly started working. However, when we attempted to fail over the BES to its mirrored companion at the hosting facility, it wouldn't work at all. We suspect that, since we are getting the same errors on both, it's the same issue causing both.

So, what could it be? Any help would be appreciated.
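Added example, not part of the original post: a small triage script for the Kerberos event text quoted above. It extracts the responding host and the target SPN and flags when the ticket was presented to a differently named machine. The function names, the second sample event and the hint wording are assumptions made for illustration; only short host names are compared.

```python
import re

# Matches the Windows "Kerberos client" event text quoted in the post.
EVENT_RE = re.compile(
    r"received a (?P<code>KRB_AP_ERR_\w+) error from the server "
    r"(?P<responder>\S+?)\.\s+The target name used was (?P<target>\S+?)\.\s",
    re.IGNORECASE,
)

def spn_host(spn):
    """Lowercase short host name from 'class/host[.domain][:port]'."""
    host = spn.split("/", 1)[-1].split(":", 1)[0]
    return host.split(".", 1)[0].lower()

def triage(message):
    """Return a dict describing the event, or None if it is not this event."""
    m = EVENT_RE.search(message)
    if not m:
        return None
    responder, target = spn_host(m["responder"]), spn_host(m["target"])
    mismatch = responder != target
    # Hints paraphrase the causes listed in the event text itself.
    hint = (
        "ticket for '%s' reached host '%s': check what the target name "
        "resolves to and which account holds the SPN" % (target, responder)
        if mismatch else
        "same host: check for a duplicate SPN or a stale service password"
    )
    return {"code": m["code"].upper(), "responder": responder,
            "target": target, "name_mismatch": mismatch, "hint": hint}

# Sample input: the first line is the event from the post (placeholders as
# posted); the second is constructed for contrast.
SAMPLE_EVENTS = [
    "The Kerberos client received a KRB_AP_ERR_MODIFIED error from the "
    "server host/XXXX-dc03.XXXX.org. The target name used was "
    "HOST/DBSI-MAIL. This indicates that the target server failed to "
    "decrypt the ticket provided by the client.",
    "The Kerberos client received a KRB_AP_ERR_MODIFIED error from the "
    "server host/app01.example.org. The target name used was "
    "HTTP/app01.example.org:8080. This indicates that the target server "
    "failed to decrypt the ticket provided by the client.",
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(triage(event))
```

A mismatch means the ticket was encrypted for the account that owns the target SPN but was delivered to a host that does not hold that key, which is the decryption failure the event describes.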