Hi all, I hope someone on here can help me. Some back story.
Last week we demoted the last 2003 domain controller from our network. We are now running 3 2008r2 standard domain controllers for the root domain and 2 2008r2 in the child domain.
Everything went well with the demotion. Thought to myself, “job well done, that went pretty smooth” :) Oh, did that come back to haunt me.
A few hours later, calls started coming in. First off, OWA users could not access email. Then phones and devices stopped sending/receiving email. Then finally Outlook clients went offline.
Logged onto the Exchange server (Exchange 2010) and found a lot of “MSExchange ADAccess” errors (Event ID 2130) in the Application event log. Also, around the same time, I see “GroupPolicy” 1006 errors in the System log.
The only way to get Exchange working again was to restart all the services.
That gave me some breathing room to do some digging. What I found was this only happened when the Exchange server connected to one of the child DCs.
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=10188). The Configuration Domain Controller has been changed from ROOT.DC.com to CHILD.DC.com.
The reason it changes is:
Process Microsoft.Exchange.Search.ExSearch.exe (PID=7684). Exchange Active Directory Provider lost contact with domain controller ROOT.DC.com. Error was 0x51 (ServerDown) (Active directory response: The LDAP server is unavailable.). Exchange Active Directory Provider will attempt to reconnect with this domain controller when it is reachable.
I thought maybe the Exchange server does not have the correct permissions in the child domain. So I checked the Default Domain Controllers Policy for “Manage auditing and security log” and made sure “MyDomain\Exchange Servers, BUILTIN\Administrators, MyDomain\Exchange Enterprise Servers” was included.
OK, so this is where I am. Anyone run into this before? Or have any suggestions on what to do from here?
Thanks in advance.
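An added troubleshooting script for the situation described in the post (this is example code, not something the original poster ran): it enumerates every domain controller in the forest (root and child) from the Exchange server, checks whether each one answers on the LDAP and Global Catalog ports, and then pulls the two event IDs the post mentions (MSExchange ADAccess 2130 from the Application log and GroupPolicy 1006 from the System log) into one timeline so the moment the Configuration Domain Controller switched can be lined up with the lost-contact errors. It assumes it is run in an elevated PowerShell session on the Exchange 2010 server, uses only .NET and built-in cmdlets (no AD module, since the DCs are 2008 R2), and the 24-hour lookback window is an arbitrary choice.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell
# prompt on the Exchange server. Assumes nothing beyond .NET and built-in cmdlets.

# TCP reachability check with a timeout, so an unreachable DC does not hang the loop.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Walk every domain in the forest (root and child) and every DC in each domain.
# 389 = LDAP, 3268 = Global Catalog; Exchange needs both kinds of DC reachable.
$forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$results = foreach ($domain in $forest.Domains) {
    foreach ($dc in $domain.DomainControllers) {
        New-Object PSObject -Property @{
            Domain = $domain.Name
            DC     = $dc.Name
            Site   = $dc.SiteName
            LDAP   = Test-TcpPort -ComputerName $dc.Name -Port 389
            GC     = Test-TcpPort -ComputerName $dc.Name -Port 3268
        }
    }
}
$results | Select-Object Domain, DC, Site, LDAP, GC | Format-Table -AutoSize

# Build one timeline of the two event IDs named in the post from the last 24 hours
# (lookback window is an assumption; adjust to cover the demotion time).
$since  = (Get-Date).AddHours(-24)
$events = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MSExchange ADAccess'; Id = 2130; StartTime = $since } -ErrorAction SilentlyContinue
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-GroupPolicy'; Id = 1006; StartTime = $since } -ErrorAction SilentlyContinue
)
$events |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, ProviderName, Id,
        @{ Name = 'Message'; Expression = { ($_.Message -split "`n")[0] } } |
    Format-Table -Wrap -AutoSize
```

Any DC that shows `False` in the LDAP or GC column while still being returned by the forest enumeration is a candidate for the `0x51 (ServerDown)` error quoted above, and the sorted event list shows whether the Group Policy failures and the ADAccess errors cluster around the same DC switch. Checking the demoted 2003 server's stale records in DNS and in the Sites and Services / NTDS Settings objects is the natural next step if it still appears in the enumeration.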