How can I allow a 2010 Exchange server to use DC's that don't have presmissions to read the SACL on the ntSecurityDescriptor attribute?
We have a relatively new 2010 Exchange server and 2 new 2008 DC’s. In all there are 3 DC’s but the Exchange server can only see the oldest DC (2003) as a domain controller server and Global Catalog Server.
The new exchange server can see all DC’s in DNS. The old Exchange server (2003) has been decommissioned, I am unsure if the Recipient Update Service was assigned to the new exchange server whilst it was being decommissioned.
On the new exchange server in the Event Viewer under Event ID 2080 I can see that the 2 new DC’s don’t have SACL rights, which from what I understand is needed in order to be used by Exchange 2010. We are in the process of decommissioning the old DC but after testing the environment (shutdown) without the old DC, Exchange services stop (which makes sense as it can’t access the 2 new DC’s).
Is there a workaround to give the new DC’s permissions to read the SACL on the ntSecurityDescriptor attribute so that the Exchange server can use them when we get rid of the old DC?
The new exchange server can see all DC’s in DNS. The old Exchange server (2003) has been decommissioned, I am unsure if the Recipient Update Service was assigned to the new exchange server whilst it was being decommissioned.
On the new exchange server in the Event Viewer under Event ID 2080 I can see that the 2 new DC’s don’t have SACL rights, which from what I understand is needed in order to be used by Exchange 2010. We are in the process of decommissioning the old DC but after testing the environment (shutdown) without the old DC, Exchange services stop (which makes sense as it can’t access the 2 new DC’s).
Is there a workaround to give the new DC’s permissions to read the SACL on the ntSecurityDescriptor attribute so that the Exchange server can use them when we get rid of the old DC?
ASKER
We have already tried forcing this but this didn't work - Exchange will only use a DC that has permissions to read the SACL on the attribute as mentioned above.
Exchange does not use any domain controller that does not have permissions to read the SACL on the nTSecurityDescriptor attribute in the domain controller.
ASKER
The last paragraph of the initial question;
Is there a workaround to give the new DC’s permissions to read the SACL on the ntSecurityDescriptor attribute so that the Exchange server can use them when we get rid of the old DC?
Is there a workaround to give the new DC’s permissions to read the SACL on the ntSecurityDescriptor attribute so that the Exchange server can use them when we get rid of the old DC?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
This has fixed the issue
"Set-ADServerSettings –PreferredServer "mydomaincontrollername.do