Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


How can I allow a 2010 Exchange server to use DC's that don't have presmissions to read the SACL on the ntSecurityDescriptor attribute?

Posted on 2011-02-24
Medium Priority
Last Modified: 2012-08-14
We have a relatively new 2010 Exchange server and 2 new 2008 DC’s. In all there are 3 DC’s but the Exchange server can only see the oldest DC (2003) as a domain controller server and Global Catalog Server.

The new exchange server can see all DC’s in DNS. The old Exchange server (2003) has been decommissioned, I am unsure if the Recipient Update Service was assigned to the new exchange server whilst it was being decommissioned.

On the new exchange server in the Event Viewer under Event ID 2080 I can see that the 2 new DC’s don’t have SACL rights, which from what I understand is needed in order to be used by Exchange 2010. We are in the process of decommissioning the old DC but after testing the environment (shutdown) without the old DC, Exchange services stop (which makes sense as it can’t access the 2 new DC’s).

Is there a workaround to give the new DC’s permissions to read the SACL on the ntSecurityDescriptor attribute so that the Exchange server can use them when we get rid of the old DC?
Question by:aztechcomms
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2

Expert Comment

ID: 34970361
We can Powershell to force the Exchange 2010 to use a preferred local domain controller:
"Set-ADServerSettings –PreferredServer "mydomaincontrollername.domainname.local"

Author Comment

ID: 34970450
We have already tried forcing this but this didn't work - Exchange will only use a DC that has permissions to read the SACL on the attribute as mentioned above.

Expert Comment

ID: 34973662
Exchange does not use any domain controller that does not have permissions to read the SACL on the nTSecurityDescriptor attribute in the domain controller.
Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.


Author Comment

ID: 34977701
The last paragraph of the initial question;

Is there a workaround to give the new DC’s permissions to read the SACL on the ntSecurityDescriptor attribute so that the Exchange server can use them when we get rid of the old DC?

Accepted Solution

aztechcomms earned 0 total points
ID: 35009228
The new DC's were built after the Exchange server and the FSMO roles transferred from the PDC to the new DC. Ran domain prep again (for the new DC) and the SACL permissions were granted.

Author Closing Comment

ID: 35045597
This has fixed the issue

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Want to know how to use Exchange Server Eseutil command? Go through this article as it gives you the know-how.
On September 18, Experts Exchange launched the first installment of the Help Bell, a new feature for Premium Members, Team Accounts, and Qualified Experts. The Help Bell will serve as an additional tool to help teams increase question visibility.
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit If you want to manage em…

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question