Urgent: Exchange System Attendant won't start, and it's not finding a domain controller.
Posted on 2013-05-15
This is somewhat long and involved.
I just signed up with an IT company for a cloud backup. They needed the ability to dial into my server. I set up a user in Active Directory, but they weren't able to dial in. They got a message when they tried to login saying that they weren't a member of a group with the ability to log in, and that if they weren't in the Administrator's group (which they are) then the ability to dial in could be granted by changing the User Rights Assignment in the Local Computer Policy.
The server they're trying to log into is my Domain Controller, and it also has Active Directory. Another of my servers supposedly set up as a secondary Active Directory, but I have no confidence that the consultant who did that set it up right, because any time communication is lost to my main AD server, nothing works.
I should mention that I know nothing at all about our policies - they were set up by someone else and I've never changed them. But I poked around, I Googled, and finally I found where in User Rights Assignments it showed who had the ability to RDP in, and only the Admin (me) was listed. It also said that this was controlled by the Default Domain Policy. After a little more poking around, I found how to edit this setting, and I added the user I had set up for the IT company. I still wasn't able to log in as them, though. I rebooted my AD server, thinking that might be necessary to make the change to into effect, and when it came back up, and I went to verify the change was still there, when I went into My Computer > Manage, and tried to look at the Default Domain Policy, I got a popup that said it was looking for Group Policy, and it just kept cycling, not finding anything.
At the same time, my users lost internet connectivity and emails weren't going out or coming in.. I was able to restore inernet access by changing the DNS settings for all users. We had the AD server set as the primary DNS, and the (supposed) backup AD server set as the secondary. I changed the secondary to our ISP's secondary DNS, and that restored internet. Once I also changed the secondary DNS for the Exchange server, email started flowing again.
Meantime, I had called the IT company to take a look at this for me, since I was pretty sure I'd screwed something up and didn't know how to fix it - the AD server finally stopped looking, and told me there was no group policy to load. The IT company ended up telling me that they couldn't really fix this for me, because so many of our settings were non-standard that they were concerned that any changes they made would only make things worse. Eventually they told me that the Default Domain Policy finally loaded, but they weren't sure what they did to make that happen. When I took a look at it, it didn't look the same as it had before - there were a lot fewer Local Security Policies listed.
Meantime, email and internet were working, so I figured we had workarounds, even though the problem wasn't solved. A few hours later, I got a call that users weren't getting email on their phones, which I verified. Went back to the office, looked around, and ended up rebooting Exchange. When it came back up, the Exchange System Attendant won't start in Services. I tried starting it manually, but it times out. Rebooted several times, and can't get it to start automatically or manually. When I check the Event Viewer, it says that it's not finding a Domain Controller.
At this point, we have no email at all. And the IT company doesn't appear to be any help with this.
I don't know for a fact that my adding a user to the User Rights Assignments caused all this, but the timing sure seems to indicate that it did.
I asked the IT company if doing a System Restore on the AD server would help, but they said that wouldn't restore my Domain Policy. One thing that occurred to me is that I still have the old server in storage that the Policies were copied over from. Is there a way to import the Default Domain Policy from the old server to the new server?
At this point, email for the entire company is out.
AD server is runnind Server 2008. Exchange server is running Server 2003.
Any help greatly appreciated.