Exchange 2010 SP3 connectivity (AD MMCs fail RPC to all DCs, SACL Watcher errors in Application log)

Hi everybody,

The setup is simple: single Exchange server (Exchange 2010 SP3 on 2008 R2 Server, all updated) and Domain Controller (Server 2008 R2, all FSMO roles, GC), both VMs on ESXi 5.5, on the same site. Also there are 4 more DCs on remote sites, all of them do have GCs.

Yesterday after a bunch of new updates followed by an Exchange server reboot I cannot run AD MMCs on it no matter what DC I choose to connect to. ADUC and ADSS fail, however ADSIEdit seems to work. Still all AD MMCs work fine on any other machine, so in general to me it looks like some connectivity issue on Exchange server.

Application log looks mostly good and contains only the following errors from MSExchange SACL Watcher, EventID 6003:

-----
SACL Watcher servicelet encountered an error while monitoring SACL change.

Got error 1722 opening group policy on system DC01.CORP.COMPANY.COM in domain CORP.

-----

I learned that it usually happens when Exchange is trying to connect with a demoted/removed DC, which is not our case since nothing is changed except for updates and a reboot.

Fortunately mail flow looks ok, MSExchange ADAccess events are all ok (so no visible troubles with AD topology), DCDIAG on our main controller DC01.CORP.COMPANY.COM is passing all checks, and everybody seems to be vaguely happy with our AD except for Exchange server...

So I'm running out of ideas what to check, can't think of any relevant Google keywords, and will be really grateful for any clue.

Here is a list of updates installed this time if you are interested, all of them tested prior to installation in prod environment: KB3067505, KB3057154, KB3070738, KB3069392, KB3070102, KB3072633, KB3065822, KB3068457, KB3072630, KB3065979, KB3079904, KB890830.

Thanks!

(can't choose Exchange 2010 forums from the list so posting this to 2013, sorry)



  • Edited by it_rp 19 hours 50 minutes ago
August 11th, 2015 7:28am

Hi,

http://www.administrator.de/frage/exchange-2010-sp3-msexchange-sacl-watcher-6003-error-reboot-2tem-domaincontroller-223386.html

Policies are indeed retrieved from the Sysvol share, which is accessed through the domain name, so \\domain.local\sysvol.
If your Exchange Server asks the DNS server for domain.local to get to the Sysvol share, one of the stored messages for the domain name is returned per the round-robin method, so DC1 or DC2. "Purely by chance" you get DC2 every now and then, possibly from a previous DNS request still in the Exchange server's cache.

Because the Group Policy cannot be accessed when you restart the desired DC, even if it is "only" a service that monitors their availability. On an interval for the SACL Watcher I could find nothing else, only problems related to no longer existing DCs. Group Policy is also regularly renewed by the operating system, regardless of any Exchange service, by default every 90 minutes.

Also, you can check your DNS entry on the DC.

Thanks,

August 11th, 2015 8:27am

Even though strangely enough, the solution was found here: http://blog.jasonsherry.net/2012/03/31/how-to-break-the-ad-tools-with-incorrect-nic-settings/

Here we have a bizarre legacy solution with Exchange VM having two NICs on the same subnet; after enabling Client for Microsoft Networks, File and Printer Sharing and IPv6 on the second NIC the MMC issue went away, as well as log errors.

Maybe some day this may save you some time, regards.

  • Marked as answer by it_rp 18 hours 39 minutes ago
August 11th, 2015 8:40am

Manohar,

Thank you very much for your reply, it is relevant for this thread and contains valuable info.

Fortunately I seem to have resolved this, please see above.

Best wishes!


  • Edited by it_rp 17 hours 1 minutes ago
August 11th, 2015 8:45am

This topic is archived. No further replies will be accepted.
