How can I allow a 2010 Exchange server to use DC's that don't have presmissions to read the SACL on the ntSecurityDescriptor attribute?
Posted on 2011-02-24
We have a relatively new 2010 Exchange server and 2 new 2008 DC’s. In all there are 3 DC’s but the Exchange server can only see the oldest DC (2003) as a domain controller server and Global Catalog Server.
The new exchange server can see all DC’s in DNS. The old Exchange server (2003) has been decommissioned, I am unsure if the Recipient Update Service was assigned to the new exchange server whilst it was being decommissioned.
On the new exchange server in the Event Viewer under Event ID 2080 I can see that the 2 new DC’s don’t have SACL rights, which from what I understand is needed in order to be used by Exchange 2010. We are in the process of decommissioning the old DC but after testing the environment (shutdown) without the old DC, Exchange services stop (which makes sense as it can’t access the 2 new DC’s).
Is there a workaround to give the new DC’s permissions to read the SACL on the ntSecurityDescriptor attribute so that the Exchange server can use them when we get rid of the old DC?