Gordon Tin
asked on
How can I solve Event 2112 "The Exchange computer dc02.xxx.com does not have Audit Security Privilege on the domain controller" ?
Background
Exchange 2016
Windows server 2106
DC1/DC2/DC3
Issue: Exchange server using DC1 only. When I shut down DC1, the Exchange server is not functioning. I found event ID 2112:
Process Microsoft.Exchange.Directory.TopologyService.exe (PID=2700).
The Exchange computer dc02.xxx.com does not have Audit Security
Privilege on the domain controller dc02.xxx.com. This domain
controller will not be used by Exchange Active Directory Provider.
I tried https://supertekboy.com/2018/01/06/msexchange-adaccess-event-id-2112/ . I added a GPO and modified User Rights Assignment >> Manage auditing and security log. But it doesn't work for me.
Is there any other method by which I can resolve the issue?
Exchange server using DC1 only. When I shutdown DC1, Exchange server is not functioning.
It's because your DC1 is the CDC for the Exchange server.
Check your NIC settings and make sure the DC2 and DC3 IPs are listed under the alternate DNS settings.
Also, after you shut down DC1, check Event Viewer for event 2080, for example:
(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
DC1.domainname.local CDG 1 7 7 1 0 1 1 7 1
DC2.domainname.local CDG 1 0 0 1 0 0 0 0 0
DC3.domainname.local CDG 1 0 0 1 0 0 0 0 0
If DC2 and DC3 are not reachable, then you might see the above information.
Do DC1, DC2 and DC3 share the connection in some way?
Yes, to me it sounds like a DNS issue.
What IP settings are used on the Exchange server (DC1, DC2 and DC3)?
DNS, gateway...
Is the Exchange server also a DC/GC? Or is it pointing to DC1 as its primary DC?
If the Exchange server is a DC/GC, then why not configure the Exchange server's primary DNS server as itself OR DC2's IP?
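The check behind the answer above, as an added example that is not code from the thread: it exports the effective user-rights assignment on each DC, reports who actually holds SeSecurityPrivilege ("Manage auditing and security log", the right Event 2112 says is missing), and then pulls the last 2080/2112 events Exchange logged. The DC names are the ones used in the thread; it assumes WinRM is enabled on the DCs and the shell runs as a domain admin.

```powershell
# Added example, not from this thread: report the holders of SeSecurityPrivilege
# on each DC and compare with the Event 2080/2112 entries Exchange logged.
# Assumes WinRM is enabled on the DCs and the shell runs as a domain admin.
$DomainControllers = 'DC1.domainname.local', 'DC2.domainname.local', 'DC3.domainname.local'
$ExpectedGroup     = 'Exchange Servers'   # group that Exchange setup grants the right to

$Report = Invoke-Command -ComputerName $DomainControllers -ScriptBlock {
    $inf = Join-Path $env:TEMP 'user-rights.inf'
    # secedit exports the *effective* policy, so a GPO that replaced the
    # right's holders (rather than adding to them) shows up here as well.
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -like 'SeSecurityPrivilege*' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    $holders = @()
    if ($line) {
        foreach ($entry in (($line -split '=', 2)[1].Trim() -split ',')) {
            $entry = $entry.Trim()
            if ($entry.StartsWith('*')) {
                # entries are SIDs prefixed with '*'; resolve them to account names
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.Substring(1))
                    $holders += $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $holders += $entry }   # orphaned SID: keep it raw
            } else { $holders += $entry }        # already a name
        }
    }
    [pscustomobject]@{ DC = $env:COMPUTERNAME; Holders = $holders }
}

# One line per DC: OK when the expected group is among the holders, else MISSING.
foreach ($r in ($Report | Sort-Object DC)) {
    $ok = $r.Holders | Where-Object { $_ -like "*\$ExpectedGroup" }
    '{0,-6} {1,-8} {2}' -f $r.DC, $(if ($ok) { 'OK' } else { 'MISSING' }), ($r.Holders -join '; ')
}

# Cross-check with what Exchange itself logged: Event 2080 is the per-DC topology
# table (its "SACL right" column is this privilege) and 2112 names the DC dropped
# for lacking it.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MSExchange ADAccess'; Id = 2080, 2112 } -MaxEvents 5 |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0..2] -join ' ' } } |
    Format-Table -AutoSize -Wrap
```

A DC that reports MISSING here while a GPO supposedly grants the right is the overwrite case Bembi describes: the GPO's list replaced the local one instead of adding to it.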
ASKER
Bembi's suggestion works for me.
I deleted the GPO and applied the Audit Security Privilege permission in the Local Security Policy on DC2.
It works well.
Event 2080 shows:
DC1.domainname.local CDG 1 7 7 1 0 1 1 7 1
DC2.domainname.local CDG 1 7 7 1 0 1 1 7 1
The other thing is that I don't want Exchange to use DC3, because DC1/DC2/Exchange are on the 192.168.100.x subnet on the same site. DC3 is on 10.10.199.x on the remote site.
I didn't apply the Audit Security Privilege permission in the local security policy on DC3, but I keep getting event ID 2112 saying DC3 is having permission issues.
Any idea how Exchange can avoid using DC3 while not getting event ID 2112?
ASKER CERTIFIED SOLUTION
You should be careful setting the Audit Security Privilege permission via GPO, as these settings overwrite existing permissions and do not add to them. So if there are any other accounts, they are overwritten.
I usually recommend setting them in the local security policy; nevertheless, a GPO also catches new domain controllers. But it can produce other issues if there are other accounts for any reason.
Exchange needs a DC which acts as a global catalog.
And inside Exchange Management, you can select whether a dedicated DC should be used or not.
Have you rebooted the machines?
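The "select which DC Exchange uses" setting mentioned above, as an added example that is not code from the thread: it excludes the remote-site DC3 from this Exchange server's AD topology with Set-ExchangeServer and verifies the before/after state. Run it in the Exchange Management Shell; the server name EX01 is a placeholder, the DC names are the thread's.

```powershell
# Added example, not from this thread: keep DC3 out of the DC list this Exchange
# server will use, so the topology service no longer tests (and logs 2112 for) it.
# 'EX01' is a placeholder for the Exchange server name.
$ExchangeServer = 'EX01'
$ExcludedDC     = 'DC3.domainname.local'

# Before: which DCs/GCs the ADAccess provider is currently using.
Get-ExchangeServer -Identity $ExchangeServer -Status |
    Format-List Name, CurrentDomainControllers, CurrentGlobalCatalogs, CurrentConfigDomainController

# Excluding DC3 is the minimal change: DC1 and DC2 are still discovered
# automatically, so a DC1 outage fails over to DC2 rather than to a DC
# Exchange cannot use.
Set-ExchangeServer -Identity $ExchangeServer -StaticExcludedDomainControllers $ExcludedDC

# The change is picked up on the next topology discovery run. Restarting
# MSExchangeADTopology applies it immediately but also restarts every dependent
# Exchange service, so only do that in a maintenance window:
# Restart-Service MSExchangeADTopology -Force

# After: the exclusion is stored on the server object; the next Event 2080
# should then list only DC1 and DC2 as the DCs in use.
Get-ExchangeServer -Identity $ExchangeServer -Status |
    Format-List Name, StaticExcludedDomainControllers, CurrentDomainControllers, CurrentGlobalCatalogs

# To revert to full automatic discovery:
# Set-ExchangeServer -Identity $ExchangeServer -StaticExcludedDomainControllers $null
```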