Exchange 2010 does not recognize a global catalog server
An AD domain with two domain controllers, one of them is running Windows Server 2008 R2 (DC01), and the second one is running Windows Server 2008 (DC02). Both are the global catalog servers. Four Exchange 2010 SP1 server, two mailbox servers and two client access servers. All the current patches and hotfixes are installes (WSUS is in use). All of the Exchange servers cannot recognize DC02 as a global catalog server. All of them have the following events in Application log: Event: 2080 Source: MSExchange ADAccess Process MAD.EXE (PID=3704). Exchange Active Directory Provider has discovered the following servers with the following characteristics: (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version) In-site: DC01.DOMAIN CDG 1 7 7 1 0 1 1 7 1 DC02.DOMAIN CDG 1 7 7 1 0 0 1 7 1 Out-of-site: (0 in the 6th position means that the server is not a global catalog) DC02 IS a global catalog. All the SRV records in DNS are in place. DCDIAG does not find any errors in AD. This is a major issue because there are no redundant GC servers for Exchange, and if DC01 is offline the entire Exchange organization is going to crash. Is it possible to fix it?
September 27th, 2011 11:32pm
Hi, Please try to run PrepareAD on the problematic GC. Please check the Manage Audit and Security Logs policy setting (at Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment) in Default Domain Controller Policy. We need to have Administrators and Exchange Enterprise Servers but Exchange servers group there. MSExchange ADAccess (DSAccess) errors and the “Manage auditing and security” right http://blogs.technet.com/b/richardroddy/archive/2010/06/16/msexchange-adaccess-dsaccess-errors-and-the-manage-auditing-and-security-right.aspx Xiu Zhang Forum Support Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact firstname.lastname@example.org.
September 27th, 2011 11:40pm
Is this true from all the exchange servers...? Do you see that Event ID 2080 has "GC capable" value zero on all the exchange servers for DC02.. Try to ping on port 3268 from the problem servers. Try restarting AD Topology Discovery Service. Run ExBPA and see if that has any pointers... You can also use DCDIAG to troubleshoot this issue better & also share the result please... Disable IPV6 please.....(Weird!! but it messes stuff) If nothing works you can statically bind DC/GC to exchange servers ....(It is not recommended but you can use it interim until we figure out why learning is not automatic) http://technet.microsoft.com/en-us/library/bb123716.aspx http://searchexchange.techtarget.com/tutorial/Set-ExchangeServer-cmdlet-can-ease-domain-controller-workloadsRegards, Pushkal MishrA
September 28th, 2011 12:59am
Xui, Exchange Servers security group does have the specified right. I cannot run Exchange setup on the DC in question because it is running x32 version of Windows Server, and setup.com is x64.
September 28th, 2011 1:23am
Pushkal, Yes. All the servers cannot recognize the second GC. Port 3268 on the GC in question is accessible. The server was restarted today. Best Practices analyser shows that all the Exchange servers can see only one GC in the AD site. DCDIAG shows no errors (in whole and in the specific tests like LocatorCheck and KnowsOfRoleHolders). IPv6 is not bound to interfaces of all the servers (including Exchange servers and DCs). I even disabled IPv6 completely on one of the servers and rebooted it. No luck. DC02 is still not recognized.
September 28th, 2011 2:42am
Strange. I did not change a bit, but now all the servers recognize the second DC as a GK. Event 2080: DC01.DOMAIN CDG 1 7 7 1 0 1 1 7 1 DC02.DOMAIN CDG 1 7 7 1 0 1 1 7 1 I wonder what is happening inside our AD forest...
September 28th, 2011 2:49am
From the information above, I do see that SACL rights are processing....not sure what's your point with running PrepareAD ...???? @Evgeniy, Is DC02 pingable from exchange ?.....I wonder any windows firewall rule causing anything here !! Reset the GC option in DC02 by unchecking it, applying it & then checking it back & apply. Post that restart AD Topology Discovery on the exchange server and validate fresh(latest) 2080 event. Also like I said above, static binding of DC is also an option if nothing works. Regards, Pushkal MishrA
September 28th, 2011 2:55am
My money for sure is on "Network issues"....They manifest something like that.....& some reboot or service restart set something right somewhere !! Regards, Pushkal MishrA
September 28th, 2011 3:04am
Pushkal. You've lost your money. :) Definetely this is not a network issue. All the servers are connected to the same switch and to the same VLAN. There is not even a single echo request lost. I implement and support AD and Exchange for many years, but I've never encountered such a strange situation before. Maybe this is an issue with the DC in question. I'll monitor the situation. If I find something, I'll post it here.
September 28th, 2011 3:14am
Well, you have to prove that point first ;-) Glad to see things are OK and look forward to your post :-)Regards, Pushkal MishrA
September 28th, 2011 4:29am