Greetings all and thanks in advance,

Migrating from EX2007 to EX2013 (CU7), in a Co-Existence type mode.  I have a flat domain, with several domain controllers at various branches across the state.  I ran setup.exe /prepareAD and /PrepareDomain prior to the installation at the location where the Exchange server is held.  Install completed and for the most part I'm operational.  The EX2013 server is giving me the Event 2112 for many, if not all of my other domain controllers in our environment:

  Log Name:      Application
  Source:        MSExchange ADAccess
  Date:          4/1/2015 7:19:07 AM
  Event ID:      2112
  Task Category: Topology
  Level:         Warning
  Keywords:      Classic
  User:          N/A
  Computer:      E15M01.HALFF.AD
  Description:
  Process Microsoft.Exchange.Directory.TopologyService.exe (PID=3676). The Exchange computer     DomainController02.Domain.AD does not have Audit Security Privilege on the domain controller   DomainController02.Domain.AD. This domain controller will not be used by Exchange Active Directory Provider.
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

I manually ran setup.exe /PrepareDomain on one of the DC's that was showing up in the event log.  After running this on that DC, Exchange was no longer reporting the 2112 error for that DC. 

What have I missed during the installation?  Doesn't sound like the domain is properly replicating this to the other domain controllers.  When I manually ran setup /preparedomain on another DC outside of this branch, I was prompted that "Windows Management Framework 3.0" was not installed.  Setup completed as expected after this component was installed.  If the other DCs are missing this component, could this perhaps be the reason why the Exchange info was not replicated to the other DCs?

Thanks,

Willis

Hello

tip:

• in Default Domain Controllers Policy ,Expand Computer Configuration, expand   Windows Settings, expand Security Settings, expand Local Policies, and then click User Rights Assignment.
• In the right pane, double-click Manage auditing and security log, click Add, click   Browse, and then add the Exchange Enterprise Servers group.

Hello,

Thanks for the reply.  your English is just fine.

Exchange Enterprise Servers group is already listed in the location you suggested.  FYI:  my new Exchange server is not a member of the Exchange Enterprise Servers group. Should it be?

Willis

Hello

Add server, and after reboot, check event.

Hello,

Yeah, adding the server to the group did not prevent the event errors as shown in the first thread here.

I appreciate your help.

Willis

Hi Willis,

According to event log, I notice that the Exchange server install on a Domain controller. Its not recommend, please refer to:
http://technet.microsoft.com/en-us/library/ms.exch.setupreadiness.warninginstallexchangerolesondomaincontroller(v=exchg.150).aspx

Basic on event code, I find an article about it. for your reference:
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Exchange&ProdVer=8.0&EvtID=2112&EvtSrc=MSExchange+ADAccess
It looks like the SACL rights are missing on at least one of your DCs.  Here's a good overview of the issue and some clues about where to start looking.
http://blogs.technet.com/b/richardroddy/archive/2010/06/16/msexchange-adaccess-dsaccess-errors-and-the-manage-auditing-and-security-right.aspx

Thanks

So all of this was in place, however, I discovered that the Default Domain Controller Group Policy was/is disabled.  ?????  Not sure why this is.  Perhaps the proverbial ghost in our machines all these years.

Willis