Solved

How can I allow a 2010 Exchange server to use DC's that don't have presmissions to read the SACL on the ntSecurityDescriptor attribute?

Posted on 2011-02-24
6
930 Views
Last Modified: 2012-08-14
We have a relatively new 2010 Exchange server and 2 new 2008 DC’s. In all there are 3 DC’s but the Exchange server can only see the oldest DC (2003) as a domain controller server and Global Catalog Server.

The new exchange server can see all DC’s in DNS. The old Exchange server (2003) has been decommissioned, I am unsure if the Recipient Update Service was assigned to the new exchange server whilst it was being decommissioned.

On the new exchange server in the Event Viewer under Event ID 2080 I can see that the 2 new DC’s don’t have SACL rights, which from what I understand is needed in order to be used by Exchange 2010. We are in the process of decommissioning the old DC but after testing the environment (shutdown) without the old DC, Exchange services stop (which makes sense as it can’t access the 2 new DC’s).

Is there a workaround to give the new DC’s permissions to read the SACL on the ntSecurityDescriptor attribute so that the Exchange server can use them when we get rid of the old DC?
0
Comment
Question by:aztechcomms
  • 4
  • 2
6 Comments
 
LVL 3

Expert Comment

by:vicoso
ID: 34970361
We can Powershell to force the Exchange 2010 to use a preferred local domain controller:
"Set-ADServerSettings –PreferredServer "mydomaincontrollername.domainname.local"
0
 

Author Comment

by:aztechcomms
ID: 34970450
We have already tried forcing this but this didn't work - Exchange will only use a DC that has permissions to read the SACL on the attribute as mentioned above.
0
 
LVL 3

Expert Comment

by:vicoso
ID: 34973662
Exchange does not use any domain controller that does not have permissions to read the SACL on the nTSecurityDescriptor attribute in the domain controller.
0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 

Author Comment

by:aztechcomms
ID: 34977701
The last paragraph of the initial question;

Is there a workaround to give the new DC’s permissions to read the SACL on the ntSecurityDescriptor attribute so that the Exchange server can use them when we get rid of the old DC?
0
 

Accepted Solution

by:
aztechcomms earned 0 total points
ID: 35009228
The new DC's were built after the Exchange server and the FSMO roles transferred from the PDC to the new DC. Ran domain prep again (for the new DC) and the SACL permissions were granted.
0
 

Author Closing Comment

by:aztechcomms
ID: 35045597
This has fixed the issue
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Lotus Notes – formerly IBM Notes – is an email client application, while IBM Domino (earlier Lotus Domino) is an email server. The client possesses a set of features that are even more advanced as compared to that of Outlook. Likewise, IBM Domino is…
How to resolve IMCEAEX NDRs in Exchange or Exchange Online related to invalid X500 addresses.
In this video we show how to create a Shared Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Sha…
In this video we show how to create an Address List in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Organization >> Ad…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question