Exchange 2010 Event Id 9385 Repeating

Exchange 2010 RU9 Enterprise 64 bit
Windows 2008 R2

I am in the middle of upgrading my two DC's to Windows 2012 R2 I have one already done.
I have one Windows 2003 DC that I just removed from the Global Catalog
Exchange event id 2080 reflects that change

But I am now getting event id 9385 every 15 minutes.

Log Name:      Application
Source:        MSExchangeSA
Date:          6/26/2015 10:19:30 AM
Event ID:      9385
Task Category: General
Level:         Error
Keywords:      Classic
User:          N/A
Microsoft Exchange System Attendant failed to read the membership of the universal security group '/dc=com/dc=tgcsnet/dc=network/dc=our/ou=Microsoft Exchange Security Groups/cn=Exchange Servers'; the error code was '8007203a'. The problem might be that the Microsoft Exchange System Attendant does not have permission to read the membership of the group.

If this computer is not a member of the group '/dc=com/dc=tgcsnet/dc=network/dc=our/ou=Microsoft Exchange Security Groups/cn=Exchange Servers', you should manually stop all Microsoft Exchange services, run the task 'add-ExchangeServerGroupMember,' and then restart all Microsoft Exchange services.
Event Xml:
<Event xmlns="">
    <Provider Name="MSExchangeSA" />
    <EventID Qualifiers="49152">9385</EventID>
    <TimeCreated SystemTime="2015-06-26T14:19:30.000000000Z" />
    <Security />
    <Data>/dc=com/dc=tgcsnet/dc=network/dc=our/ou=Microsoft Exchange Security Groups/cn=Exchange Servers</Data>

I ran EXBPA and had no errors reported.

I found this

In active directory users and groups I found this group name "Exchange Enterprise Servers"  which has a member of this group " Exchange Domain Servers"  and SERV025 is a member of that group.

It also says to use Exchange Management Console to add the server to this group "Exchange Servers security group"
How do I do that?

Is this because I removed the Global Catalog on my Windows 2003 DC?

Once the Windows 2003 Dc becomes the new Windows 2012 DC this should clear up?

How can I fix this until that happens?

LVL 23
Thomas GrassiSystems AdministratorAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Simon Butler (Sembee)ConsultantCommented:
Did you restart the Exchange services after removing the domain controller?
Are the new domain controllers global catalogs?

If you didn't restart the services, then do that, so Exchange picks up the change in the domain controller configuration.

If the new domain controllers are not GCs, then make them GCs.

Thomas GrassiSystems AdministratorAuthor Commented:

The DCs were both a global catalog

I removed the GC from the 2003 DC which I am planning to demote.

So when ever we remove a GC we need to restart all the exchange services?


I just made the 2003 Dc a global catalog again and the error stopped

I need to remove certificate services on the 2003 server before I can demote it

I will remove it from the Global catalog again

So when I do that I should restart all my exchange services?

Simon Butler (Sembee)ConsultantCommented:
Exchange will only talk to global catalogs, and that DC is obviously the one it is using.
While it should find another GC on its own, it is not very good at doing so.
Therefore I would ensure that the DNS server configuration in the server itself is set to use the new domain controllers. Then remove the GC role and restart Exchange services. That will force Exchange to find another GC to use.
It is the removal of the GC role that caused the problems - if you are planning to remove a GC you need to check whether Exchange is using it or not.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Thomas GrassiSystems AdministratorAuthor Commented:

Yes that DC was holding all FSMO Roles it was the PDC but I have since moved all FSMO roles to the Windows 2012 DC.
DNS runs on both DC's but I have changed all DHCP scopes to point to the 2012 DC DNS only
I modified all the servers static ip settings to point to the DNS server on windows 2012

When I am ready to demote DC2 I will remove GC from it and restart all the exchange services

Thanks for the quick help
Will SzymkowskiSenior Solution ArchitectCommented:
If you have an Active Directory environment where you have multiple DC's that are also GC's and if you power one of them off and Exchange stop working, i would highly recommend correcting your AD environment first. As Simon has said that this does not failover well,

I have never had a situation where this has happend when there are multiple DC/GC's in the same active directory site where Exchange is hosted.

Exchange runs better when your AD is properly configured.

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.