
Exchange & Trusts

Discussion in 'Networking (Hardware & Software)' started by cdrider, 2002/10/11.

Thread Status:
Not open for further replies.
  1. 2002/10/11
    cdrider

    cdrider Inactive Thread Starter

    Joined:
    2002/01/10
    Messages:
    42
    Likes Received:
    0
    We have a Lucent Cajun switch with two VLANs – 170.60.51.x and 192.168.15.x. There are two domains with a PDC on each. The PDC on the 170 VLAN is also running Exchange 5.5 w/SP4. We have installed Veritas BackupExec 8.0 on the 192 PDC and the Exchange agents on the Exchange box.

    We created a one-way trust relationship where 170 (resource domain) trusts 192 (accounts domain) which works fine. We can successfully assign permissions to the BackupExec Service Account from 192 to the Configuration and Recipients container in Exchange. Backup Exec is quite happy to come over the trust and backup C$ and F$ of the Exchange box. The BE service account has "logon locally" and "logon as a service" permissions (as detailed in the BE documentation).

    After 15 minutes or so users are unable to access their mailboxes – they are told they don’t have permissions to logon. Destroying the trust makes everything OK again.

    From the 192 domain we can use BE to browse Network Neighborhood and see the Exchange box and can even select the Exchange Directory Services and Information store. When we try and do a mailbox level backup it prompts for a unique mailbox name. We have created a mailbox and set the user to be the BE service account from the 192 domain. This can open Outlook and login without a problem. There is a MAPI client on both machines.

    We’re unable to perform an individual mailbox backup and there is the problem with users not having permissions to access their accounts after 15 minutes after the trust is made.
     
  2. 2002/10/11
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Are you running the two networks on the same wire? As in not routed?
     

  4. 2002/10/12
    AndyO

    AndyO Inactive

    Joined:
    2002/04/04
    Messages:
    188
    Likes Received:
    0
    Couple of quick thoughts :

    I'm assuming that we are talking NT 4 here

    Are the two servers at the same service pack level? Even if they are, I'd re-apply the service pack, as the problem sounds network stack related and the IP stack in NT 4 could get really confused if the files were out of sync.

    Can't offhand remember how BE licensing works - if it's like ARCServe you'll need to be running an Enterprise edition to back up more than one server - I'll check this with a BE specialist when I'm at work.

    The Brick-Level (individual mailbox) backup on Exchange 5.5 was always iffy to say the least - have you tried putting the tape drive in the Exchange server, installing BE and trying a backup from there?

    If you can't get a local backup, the chances of pulling one over the wire are none :)

    I'd certainly try this first (if possible) as we currently have a lot of unknowns involved.

    Post any results/thoughts and we'll continue the process. I hate mysteries (but I do like Bon Jovi)
     
  5. 2002/10/14
    cdrider

    cdrider Inactive Thread Starter

    Joined:
    2002/01/10
    Messages:
    42
    Likes Received:
    0
    Newt: they're both on the same wire, they use a gateway because the network is a bit odd. They have some Apple zones and 2 firms merged which is why they have Virtual LANS but I don't think that's the cause. Apart from the Exchange backup problem all other communication between VLANS (servers, workstations, printers etc) is fine.

    AndyO: yep, it's NT 4. Both servers with SP6a. Good idea about the IP stack, I thought of that myself but held off reinstalling the service pack as all other communication (even to the Exchange server, albeit different drives) was OK. Definitely something to consider though.

    We have BE enterprise. If I recall, the guy who owns the network actually has more licenses than currently needed to allow for growth. Can't put the tape drive on the physical Exchange server I'm afraid as it's all racked up and bolted down :D

    There's one or two stop errors in the event log complaining about licensing but that's nothing new. I'm going to stop the licensing service anyway.

    I'm not too familiar with Backup Exec but I've been thinking about assigning the BE service account permissions to the actual server in Exchange Admin to see if that helps at all. There's something happening in that 15 minute window to stop users logging into their mailboxes that's worrying me. Perhaps some permissions are synchronising over the trust or something?

    A thinker for sure. Thanks for the suggestions so far, it helps to bat ideas around :)

    P.S Good taste in music!
     
  6. 2002/11/01
    cdrider

    cdrider Inactive Thread Starter

    Joined:
    2002/01/10
    Messages:
    42
    Likes Received:
    0
    Thought I'd post an update on this in case anyone ever has similar problems.

    It turned out to be a few things but mainly boiled down to WINS replication. The event logs said everything was replicating but it wasn't. In the end I had to remove WINS from all but one server in each domain (all that's really needed anyway IMO) then set these to be push/pull partners of each other.

    During this the NIC of one server died but in a very strange way over a period of time so that needed a few hours to sort out.

    Now we have one server on each domain replicating WINS and a trust between them where the Exchange domain trusts the accounts domain. Setup BE to have permissions to the site and server containers and put the remote agent on Exchange. A bit of fiddling around later we now have daily backups of each server plus the DS, IS and individual mailboxes. Phew.

    Just going through and tidying up now, locking down permissions on Exchange etc but the largest stumbling block is gone :D

    cheers
     
  7. 2002/11/01
    AndyO

    AndyO Inactive

    Joined:
    2002/04/04
    Messages:
    188
    Likes Received:
    0
    Glad to hear that it's sorted.

    "WINS - it just works" as I always say to people - until it doesn't.

    One WINS per domain is fine as you say, go totally 2K and do away with it !!
     