Exchange not able to find Global Catalog

Greetings

I have Active Directory 2003 Setup and Exchange 2007 single server solution.

Recently, I promoted a new Domain Controller on Windows Server 2012 R2 and transferred all FSMO roles to the new Windows 2012 R2 DC. Both DCs (Windows 2003 and Windows 2012 R2) hold the Global Catalog.

I have changed the Configuration DC in the Exchange Management Console to point to the new Windows 2012 R2 DC.

The issue is that when I shut down the old Windows 2003 DC, Exchange goes down and I see an error in the Event logs that Exchange is unable to find the Global Catalog.

Kindly suggest.

Thanks in advance.

June 17th, 2015 3:59am

Hello

Is RU13 installed on Exchange?
https://technet.microsoft.com/library/ff728623%28v=exchg.150%29.aspx

June 17th, 2015 4:03am

Thanks for prompt reply.

Currently, I am on Exchange 2007 SP2. So, I need to first upgrade to SP3 and then install Update Rollup 13 or higher.

Am I right?

June 17th, 2015 4:25am

Hello

Yes, but you need to power on the old server when installing the update.

June 17th, 2015 4:28am

Thanks for the advice.

I have upgraded to Exchange 2007 SP3 RU15, but still no success.

Looks like there is some issue with the Domain Controllers.

Can you please sug

June 17th, 2015 10:58am

Try cycling the AD Topology service (do this during a maintenance window as it affects ALL Exchange services) and see if you are picking up the new domain controller.

You should look for Event ID 2080 from MSExchange ADAccess; you should see both Domain Controllers listed as In-site, and the output should look similar to the below:

Process Microsoft.Exchange.Directory.TopologyService.exe (PID=5544). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
oldDC.domain.com CDG 1 7 7 1 0 1 1 7 1
newDC.domain.com CDG 1 7 7 1 0 1 1 7 1

June 17th, 2015 11:32am

Have you gone into Active Directory Sites and Services and made sure that the new DC has the "Global Catalog" option enabled in the "NTDS Settings"?

Does the Exchange server have the new DC listed as the DNS server and is DNS functioning correctly on the new DC?

June 17th, 2015 3:37pm

Hi K 2,

Any update?

Best regards,

June 18th, 2015 5:00am

I have tried recycling the Exchange AD Topology service.

And I have checked that the new DC is listed as the Preferred DNS server and that it is a Global Catalog as well.

Still no lu

June 18th, 2015 5:24am

What happens if you uncheck the Global Catalog option for the old 2003 DC while it's still running? Does Exchange start logging errors?

If the old 2003 domain controller is still enabled as a GC in AD Sites and Services, then that could explain why Exchange gets cranky when the 2003 server is powered off.

June 18th, 2015 8:26am

I tried unchecking the Global Catalog on the Windows 2003 DC already before.

I then restarted the Exchange server, but it got stuck while logging in, as Exchange was not able to find the Global Catalog.

I see the event below when I uncheck the GC for the Win 2003 DC:

Event Type: Error
Event Source: MSExchange System Attendant Mailbox
Event Category: General 
Event ID: 4001
Date: 6/19/2015
Time: 12:23:48 AM
User: N/A
Computer: EXCHANGE SERVER
Description:
A transient failure has occurred. The problem may resolve itself in awhile. The service will retry in 56 seconds. Diagnostic information:

Could not find any available Global Catalog in forest abc.com.
Microsoft.Exchange.Data.Directory.ADTransientException: Could not find any available Global Catalog in forest abc.com.
   at Microsoft.Exchange.Data.Directory.ConnectionPoolManager.GetConnection(ConnectionType connectionType, ADObjectId domain, String serverName, Int32 port, NetworkCredential credential)
   at Microsoft.Exchange.Data.Directory.ConnectionPoolManager.GetConnection(ConnectionType connectionType)
   at Microsoft.Exchange.Data.Directory.ADSession.GetConnection(String preferredServer, Boolean isWriteOperation, Boolean isNotifyOperation, ADObjectId& rootId)
   at Microsoft.Exchange.Data.Directory.ADSession.GetReadConnection(String preferredServer, ADObjectId& rootId)
   at Microsoft.Exchange.Data.Directory.ADSession.Find(ADObjectId rootId, String optionalBaseDN, ADObjectId readId, QueryScope scope, QueryFilter filter, SortBy sortBy, Int32 maxResults, IEnumerable`1 properties, CreateObjectDelegate objectCreator, CreateObjectsDelegate arrayCreator)
   at Microsoft.Exchange.Data.Directory.ADSession.Find(ADObjectId rootId, QueryScope scope, QueryFilter filter, SortBy sortBy, Int32 maxResults, IEnumerable`1 properties, CreateObjectDelegate objectCtor, CreateObjectsDelegate arrayCtor)
   at Microsoft.Exchange.Data.Directory.ADSession.Find[TResult](ADObjectId rootId, QueryScope scope, QueryFilter filter, SortBy sortBy, Int32 maxResults, IEnumerable`1 properties)
   at Microsoft.Exchange.Data.Directory.Recipient.ADRecipientSession.FindByLegacyExchangeDN(String legacyExchangeDN)
   at Microsoft.Exchange.Servicelets.SystemAttendantMailbox.Servicelet.Work()

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Now this has become a critical issue.

I have tried so many things, but no success.

Kindly su

June 18th, 2015 4:23pm

How are your network and AD sites configured? Are the 2003 DC and 2012 DC in the same AD site? Is the firewall enabled on the 2012 DC? The only things I can think of that would cause this would be Exchange and the 2012 domain controller being in different AD sites, or the firewall on the DC being enabled and blocking access to the Global Catalog port, or a routing issue between the Exchange server and the 2012 DC.

Try to telnet to the 2012 DC on port 3268 from the Exchange server and see if you can connect to the GC port. You might have to go into Features and install the Telnet Client on the Exchange server.



June 18th, 2015 4:34pm


I did a test run of telnet to the Win 2012 DC, which was successful.

Also, I see the events below, which say that Exchange identifies the GC on the Win 2012 DC.

Event Type: Information
Event Source: MSExchange ADAccess
Event Category: Topology 
Event ID: 2080
Date: 6/19/2015
Time: 12:05:46 PM
User: N/A
Computer: Exchange Server
Description:
Process MAD.EXE (PID=3024). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
Win2003DC CDG 1 7 7 1 0 1 1 7 1
Win2012DC CDG 1 7 7 1 0 0 1 7 1
Out-of-site:

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

The issue is that when I shut down the Win2003 DC, Exchange cannot see the Win2012DC.

Can it be related to DNS?

  • Edited by K 2 Friday, June 19, 2015 8:23 AM
June 19th, 2015 8:16am

I'm going to assume you are using AD-integrated DNS now, but yeah, if you don't change the DNS settings on the NIC to point to the 2012 R2 server, that can certainly cause this issue.
June 19th, 2015 12:38pm

It looks like Exchange doesn't have permission to read the SACL on the nTSecurityDescriptor attribute on the 2012 domain controller. In the event you posted, the 2012 DC has a "0" under "SACL right". Exchange will not use a GC on which it cannot read this property.

Check your Default Domain Controllers group policy. Under Computer Configuration --> Policies --> Windows Settings --> Security Settings --> User Rights Assignment, make sure "Manage auditing and security log" has the "Exchange Servers" group assigned to it.

From the 2012 DC, make sure the "Default Domain Controllers Policy" is being applied to it. Open a command prompt as administrator and run "gpresult /scope computer /r".

There are lots of posts I found about Exchange and SACL issues that will give you some more information.

See this thread:

https://social.technet.microsoft.com/Forums/exchange/en-US/d57c4227-ab6b-4833-93b5-99616b52a2af/win2k8-dc-does-not-have-sacl-right?forum=exchangesvrgenerallegacy


  • Edited by Corey Riley Friday, June 19, 2015 12:59 PM
  • Proposed as answer by Corey Riley Friday, June 19, 2015 8:18 PM
June 19th, 2015 12:57pm
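A small parser for the Event ID 2080 table quoted earlier in this thread, added here as an illustration and not part of any post above or of Exchange itself. It reads the In-site rows and lists, per DC, every reason Exchange would refuse it as a Global Catalog, so the "SACL right = 0" on Win2012DC stands out instead of being one digit among eleven. The interpretation of the flag columns (1 = OK for the single-bit columns, 7 = all three checks passed for Reachability, Synchronized and Netlogon) follows how the thread reads the event; the sample text is the event posted above.

```python
import re

# Sample input: the Event ID 2080 description posted in this thread.
SAMPLE_2080 = """Process MAD.EXE (PID=3024). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
 (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
Win2003DC CDG 1 7 7 1 0 1 1 7 1
Win2012DC CDG 1 7 7 1 0 0 1 7 1
 Out-of-site:
"""

# Column order exactly as printed in the event header line.
COLUMNS = ["server", "roles", "enabled", "reachability", "synchronized",
           "gc_capable", "pdc", "sacl_right", "critical_data", "netlogon", "os_version"]


def parse_event_2080(text):
    """Return one dict per DC row, tagged with the section it appeared in."""
    rows, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("In-site:"):
            section = "in-site"
            continue
        if line.startswith("Out-of-site:"):
            section = "out-of-site"
            continue
        parts = line.split()
        # Only lines with exactly 11 whitespace-separated fields are DC rows.
        if section is None or len(parts) != len(COLUMNS):
            continue
        row = {"section": section, "server": parts[0], "roles": parts[1]}
        for name, value in zip(COLUMNS[2:], parts[2:]):
            row[name] = int(value)
        rows.append(row)
    return rows


def gc_problems(row):
    """List the reasons Exchange would not use this DC as a Global Catalog."""
    problems = []
    if "G" not in row["roles"] or row["gc_capable"] != 1:
        problems.append("not GC capable")
    if row["enabled"] != 1:
        problems.append("disabled by the topology service")
    if row["reachability"] != 7:
        problems.append("not reachable on all role ports (value %d)" % row["reachability"])
    if row["synchronized"] != 7:
        problems.append("not fully synchronized (value %d)" % row["synchronized"])
    if row["sacl_right"] != 1:
        problems.append("SACL right missing: grant 'Manage auditing and security log' to Exchange Servers")
    if row["critical_data"] != 1:
        problems.append("critical Exchange configuration data not present")
    if row["netlogon"] != 7:
        problems.append("Netlogon check failed (value %d)" % row["netlogon"])
    return problems


def in_site_gc_report(text):
    """Map each In-site DC name to its list of blocking problems (empty = usable)."""
    return {r["server"]: gc_problems(r) for r in parse_event_2080(text) if r["section"] == "in-site"}
```

Run against the posted event, `in_site_gc_report(SAMPLE_2080)` reports Win2003DC as usable and Win2012DC as blocked only by the missing SACL right, which is exactly why Exchange loses its Global Catalog when the 2003 DC goes offline.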

Thanks everyone for valuable suggestions.

However, I ran /preparead using Exchange 2007 setup on the new GC.

That resolved the issue.

Thanks again everyone.


  • Edited by K 2 Friday, June 19, 2015 6:22 PM
  • Marked as answer by K 2 Friday, June 19, 2015 9:54 PM
June 19th, 2015 6:22pm
