Ian-DEC asked:

MSExchange ADAccess - Event 2080 Issues

Aloha,

I've been struggling with an ongoing issue, in which I have a decommissioned Exchange 2003 install on what was the PDC for an organization.  I installed and configured Server 2008 R2, and followed the steps for adding Exchange and promoting it to become the new PDC.  I then removed Exchange 2003, and mail flow has been fully functional for nearly a year.

However, when the Windows 2003 server is offline or slow to restart, both login attempts across the domain and directed to Exchange 2010 fail.  I have noted that within ESM on the Hub Transport role the previous server is the only item shown within 'Domain controller servers being used by Exchange' and 'Global catalog servers'.  After digging into the Application log, I have the below report from Event 2080:

Process STORE.EXE (PID=6428). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
 (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
OldWin2K3.XXX.int      CDG 1 7 7 1 0 1 1 7 1
Win2K8.XXX.int      CDG 1 0 0 1 0 0 0 0 0
 Out-of-site:

I can obviously see that the system is not operating correctly, however I'm at a loss as to proving the roles are migrated and that the new server is really capable of fielding these requests.  Additionally, when I have gone to migrate the formal GC away from the old server, the systems do not function even after appropriate replication has taken place (many hours and restarts later).  Moving GC back restores services.

A DCDiag report shows all tests having passed, with the exception of:

Win2K8.XXX.int ..... failed test NCSecDesc

Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
   Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=XXX,DC=int
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
   Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=XXX,DC=int

However this is only related to RODC, correct?

Let’s get cracking.  Thanks!
Exchange, Windows Server 2008, Active Directory
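
An added example, not part of the original thread: a small Python parser for the Event 2080 server table quoted in the question, flagging rows where a server fails the checks for the roles it advertises. The role letters (C = configuration DC, D = domain controller, G = global catalog) and the 1/2/4 bit values follow Microsoft's published description of this event and are assumptions here, since the post does not state them; the sample text is the event body from the question.

```python
import re

# Column order as printed in the Event 2080 header quoted in the question.
COLUMNS = ["enabled", "reachability", "synchronized", "gc_capable", "pdc",
           "sacl_right", "critical_data", "netlogon", "os_version"]
# Assumption (Microsoft's description of the event, not stated in the post):
# reachability, synchronized and netlogon are bit masks keyed by role.
ROLE_BITS = {"G": 1, "D": 2, "C": 4}
ROW = re.compile(r"^\s*(\S+)\s+([CDG-]+)\s+((?:\d+\s+){8}\d+)\s*$")

# Sample input: the event body from the post, hostnames redacted as posted.
SAMPLE = """\
In-site:
OldWin2K3.XXX.int      CDG 1 7 7 1 0 1 1 7 1
Win2K8.XXX.int      CDG 1 0 0 1 0 0 0 0 0
 Out-of-site:
"""

def parse_event_2080(text):
    """Return one dict per server row, tagged with its site section."""
    servers, section = [], None
    for line in text.splitlines():
        label = line.strip().lower()
        if label in ("in-site:", "out-of-site:"):
            section = label.rstrip(":")
            continue
        m = ROW.match(line)
        if m:
            row = dict(zip(COLUMNS, map(int, m.group(3).split())))
            row.update(name=m.group(1), roles=m.group(2), section=section)
            servers.append(row)
    return servers

def problems(row):
    """List the checks a server fails for the roles it advertises."""
    found = []
    for col in ("reachability", "synchronized", "netlogon"):
        missing = [r for r in row["roles"]
                   if r in ROLE_BITS and not row[col] & ROLE_BITS[r]]
        if missing:
            found.append(f"{col} missing {'/'.join(missing)}")
    for col in ("sacl_right", "critical_data", "os_version"):
        if row[col] == 0:
            found.append(f"{col}=0")
    return found

if __name__ == "__main__":
    for srv in parse_event_2080(SAMPLE):
        print(srv["name"], srv["section"], problems(srv) or "OK")
```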

Last comment: Ian-DEC, 8/22/2022 - Mon
consultkhan

I think your FSMO roles are not pointing properly.

1. Run netdom query fsmo
and check where all the roles are pointing and whether any particular role is down.
Use ntdsutil to transfer the roles to the new 2008 R2 DC and verify functionality again using
netdom query fsmo

Your Exchange should automatically use the new FSMO role owner; if not, restart the server.
--consultkhan
ASKER
Ian-DEC

Thanks for the prompt response, however:

Schema master                  Win2K8.XXX.int      
Domain naming master      Win2K8.XXX.int      
PDC                                   Win2K8.XXX.int      
RID pool manager             Win2K8.XXX.int      
Infrastructure master         Win2K8.XXX.int      
The command completed successfully.
MegaNuk3

Try
Setup.com /prepareAD

And then
Setup.com /prepareAllDomains
ASKER
Ian-DEC

Are there any concerns with running those commands at this point?  Anything which could be overwritten or altered negatively?

Isn't this a prerequisite for even installing Exchange?
MegaNuk3

There should be no concerns/issues with doing this.

If you add new DCs then you have to prepare them for Exchange to use, and that's what those commands will do.
ASKER
Ian-DEC

Alrighty, I executed the above; Setup.com /prepareAD & Setup.com /prepareAllDomains result in only the following being shown:

Welcome to Microsoft Exchange Server 2010 Unattended Setup

Preparing Exchange Setup

Copying Setup Files

It then exits out with no error messages.  I'm running this from an Administrative prompt on the Exchange server.  Nothing showing in the event logs.
MegaNuk3

Has the 2080 event changed or is it still showing the same now?
MegaNuk3

ASKER
Ian-DEC

Event 2080 is unchanged.  I'm really not under the impression that Setup.com /prepareAD executed correctly.
ASKER
Ian-DEC

In response to MegaNuk3:

===============================================
Local domain is "XXX.int" (HRC)
Account is "XXX\Exchange Enterprise Servers"
========================
  DC      = "Win2K3"
  In site = "Default-First-Site-Name"
  Right found:  "SeSecurityPrivilege"
========================
  DC      = "Win2K8"
  In site = "Default-First-Site-Name"
  Right found:  "SeSecurityPrivilege"
ASKER CERTIFIED SOLUTION
Ian-DEC

ASKER
Ian-DEC

IPv6 FTW.