Installing Exchange 2010 SP1 Hub Transport keeps failing with an error "Service 'MSExchangeTransport' failed to reach status 'Running' on this server"

Hi guys, I've been trying to install a DR Hub Transport/CAS (Exchange 2010 SP1 on Windows 2008 R2 Enterprise SP1) on a DR site, but the installation keeps failing. There are several errors and warnings logged in the application log at every attempt. These are the logged events:

Log Name: Application
Source: MSExchange ADAccess
Date: 11/11/2011 9:32:08 AM
Event ID: 2101
Task Category: Topology
Level: Warning
Keywords: Classic
User: N/A
Computer: localhost
Description: Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=2536). The configuration domain controller specified in a call to SetConfigDCName (local_dc_server) is unreachable. Exchange Active Directory Provider will select the configuration domain controller from the list of available domain controllers.

Log Name: Application
Source: MSExchange ADAccess
Date: 11/11/2011 9:32:08 AM
Event ID: 2102
Task Category: Topology
Level: Error
Keywords: Classic
User: N/A
Computer: localhost
Description: Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=2536). All Domain Controller Servers in use are not responding: Local_dc_server Remote_dc_server

Log Name: Application
Source: MSExchange ADAccess
Date: 11/11/2011 9:32:08 AM
Event ID: 2114
Task Category: Topology
Level: Error
Keywords: Classic
User: N/A
Computer: localhost
Description: Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=2536). Topology discovery failed, error 0x80040a02 (DSC_E_NO_SUITABLE_CDC). Look up the Lightweight Directory Access Protocol (LDAP) error code specified in the event description. To do this, use Microsoft Knowledge Base article 218185, "Microsoft LDAP Error Codes." Use the information in that article to learn more about the cause and resolution to this error. Use the Ping or PathPing command-line tools to test network connectivity to local domain controllers.

Log Name: Application
Source: MSExchange ADAccess
Date: 11/11/2011 9:33:07 AM
Event ID: 2601
Task Category: General
Level: Warning
Keywords: Classic
User: N/A
Computer: localhost
Description: Process MSEXCHANGEADTOPOLOGY (PID=2536). When initializing a remote procedure call (RPC) to the Microsoft Exchange Active Directory Topology service, Exchange could not retrieve the SID for account <WKGUID=1A9E39D35ABE5747B979FFC0C6E5EA26,CN=Microsoft Exchange,CN=Services,CN=Configuration,...> - Error code=80040a01. The Microsoft Exchange Active Directory Topology service will continue starting with limited permissions.

Log Name: Application
Source: MSExchange ADAccess
Date: 11/11/2011 9:33:07 AM
Event ID: 2501
Task Category: General
Level: Error
Keywords: Classic
User: N/A
Computer: localhost
Description: Process MSEXCHANGEADTOPOLOGY (PID=2536). The site monitor API was unable to verify the site name for this Exchange computer - Call=HrSearch Error code=80040a01. Make sure that Exchange server is correctly registered on the DNS server.

Log Name: Application
Source: MSExchange ADAccess
Date: 11/11/2011 9:34:07 AM
Event ID: 2604
Task Category: General
Level: Error
Keywords: Classic
User: N/A
Computer: localhost
Description: Process MSEXCHANGEADTOPOLOGY (PID=2536). When updating security for a remote procedure call (RPC) access for the Microsoft Exchange Active Directory Topology service, Exchange could not retrieve the security descriptor for Exchange server object localhost - Error code=80040a01. The Microsoft Exchange Active Directory Topology service will continue starting with limited permissions.

The local DC and all remote DCs are up and accessible. The server is registered in DNS. IPv6 is enabled. The server has only 1 NIC and a static IP. It's a VM on ESX 4.1. There is no AV software installed. The same set of GP settings applies to the production HT/CAS and DR HT/CAS. Windows OS is fully patched. All Exchange prerequisites for Windows 2008 R2 have been installed as per http://technet.microsoft.com/en-us/library/bb691354.aspx. I'm running the installation under an account which is Domain/Enterprise/Schema admin. The production Exchange servers run without any issues. There are 30 servers on the DR site (DC/apps/DBs/backup etc) and they all run without any issues. Any idea? Thanks
November 12th, 2011 10:49pm

Hi Zoran, Exchange 2010 is using AD Sites and Services for Site discovery. You're saying that you have a DC in the site where you want to install the HUB/CAS server? Is your Exchange 2010 HUB/CAS server that you try to install in the correct AD site (the same as where the local site DC is)? And is the DC configured as Global Catalog for that site? You need to have a global catalog in every site where you want to have an Exchange server.
Technical Consultant Exchange | MCP, MCSA, MCSE, MCTS, MCITP | Blog: http://www.reinhard-online.nl | Follow me on twitter: correinhard
November 13th, 2011 3:21am

Hi Cor, Yes, there is a DC/GC server in the DR site and yes the DR HUB/CAS-to-be is in the same site. All DCs on the system are also GCs. Thanks
November 13th, 2011 3:52am

Okay, I think I might have something. Even though the Exchange Servers group has proper permissions over "Domain Controller Security Policy\Local Policies\User Rights Assignment\Manage Auditing and Security Log", I found that the DC container has "block inheritance" on, so this could actually prevent the GPO setting from updating the group membership list with the new server. We recently had an issue with applying a password policy because the GP inheritance was blocked at the DC container. I will need to leave this for Monday, as I'm not sure why these guys have it on and will probably need to raise a CR, and will let you know if this caused the issue, once I turn it off and retry the installation. Thanks
November 13th, 2011 4:19am

Super! No problem and good luck in solving this issue.
Technical Consultant Exchange | MCP, MCSA, MCSE, MCTS, MCITP | Blog: http://www.reinhard-online.nl | Follow me on twitter: correinhard
November 13th, 2011 4:50am

Hi, How is the issue now? For the issue, we can troubleshoot via the following steps.
1. We can run NLtest /dsgetsite to verify the subnet of the site.
2. Check if we have enabled IPv6 on the connected NIC and in the registry.
3. Under manage audit and security logs, we need to have the Exchange servers security group.
4. We can run rsop.msc to verify which GPO is applied currently, and ensure that the GPO has been applied to “Exchange server security group”.
5. We can force DC replication to ensure that all the DCs are in the same status.
Issues that may occur when the "Manage auditing and security log" permission is removed from the Exchange Enterprise Servers group in Exchange 2000 Server http://support.microsoft.com/kb/896703
Event ID 2080 from MSExchangeDSAccess http://support.microsoft.com/kb/316300
Xiu
November 14th, 2011 10:49am
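
The checks from the list above, together with the "block inheritance" question raised earlier in the thread, collected into one PowerShell script. This is an added example, not something a participant posted; the group name and OU distinguished name are placeholders, and it assumes the GroupPolicy module (GPMC) is available on the DC.

```powershell
# Added example. Run elevated on a domain controller in the Exchange server's site.
# $GroupName and $DcOu are placeholders (assumptions); substitute your own values.
param(
    [string]$GroupName = 'EXAMPLE\Exchange Servers',
    [string]$DcOu      = 'OU=Domain Controllers,DC=example,DC=com'
)

function Get-UserRightHolder {
    # Return the SIDs/account names that hold $Right in a secedit USER_RIGHTS export.
    param([string[]]$Lines, [string]$Right)
    $pattern = '^\s*{0}\s*=\s*(.*)$' -f [regex]::Escape($Right)
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            return @($Matches[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    return @()
}

# Step 1: which AD site does this machine resolve to?
$site = (nltest /dsgetsite | Select-Object -First 1)

# Step 3: effective holders of "Manage auditing and security log" (SeSecurityPrivilege).
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$holders = Get-UserRightHolder -Lines (Get-Content $cfg) -Right 'SeSecurityPrivilege'
Remove-Item $cfg

# Resolve the group to its SID; secedit lists holders as *SID or as a bare name.
$account = New-Object System.Security.Principal.NTAccount($GroupName)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$hasRight = ($holders -contains $sid) -or ($holders -contains $GroupName.Split('\')[-1])

# Step 4 (related): is GPO inheritance blocked on the Domain Controllers OU?
Import-Module GroupPolicy
$inheritance = Get-GPInheritance -Target $DcOu

New-Object PSObject -Property @{
    Site                   = $site
    GroupSid               = $sid
    HasSeSecurityPrivilege = $hasRight
    InheritanceBlocked     = $inheritance.GpoInheritanceBlocked
    LinkedGpos             = ($inheritance.GpoLinks | ForEach-Object { $_.DisplayName }) -join ', '
    InheritedGpos          = ($inheritance.InheritedGpoLinks | ForEach-Object { $_.DisplayName }) -join ', '
}
```

Because the script reads the user right from the DC's exported local security policy, it reports what is actually in effect on that DC, independent of which GPO was meant to deliver it.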

Hi Xiu, I ran nltest, dcdiag and netdiag tests and they all came back ok. nltest returned the DR site. As I said, the client already has 2 Exchange servers in production and they are running fine as well as several other AD integrated apps running in the DR site. The group Exchange Servers was granted access to DCs (Manage auditing and security log) through a GPO at the DC container. IPv6 is on as this is a fresh installation. I did try disabling it, including adding DisabledComponents "ffffffff" value in the registry, but that didn't help. I'm still waiting for a CR to be approved and then I will remove the "block inheritance" option at the DC container. I believe this is what's been blocking the DCs from seeing an updated group membership for the group Exchange Servers. We've recently enforced a new password policy and it failed to apply because the "block inheritance" was set over the DC container. Once that was lifted, the policy applied successfully. Then they set the blockage back, even though the guys who manage the system have no idea who set it nor why. They just don't want to get rid of it as they are afraid it could break something. So, once I get ok from the CM, I will try it again and let you know how it went. Thanks
November 14th, 2011 5:22pm

Ok. Please feel free to update here. Xiu
November 15th, 2011 11:04pm

Hi, you can try the following things:
1) Disable IPv6 (if it is disabled, then enable it) and try to install the Exchange Hub Transport server role.
2) Turn your firewall off/on (vice versa) and try to install the Exchange Hub Transport server role.
3) Delete your server's host A record from the DNS server. If the DNS entry is static, then recreate it manually; if it is dynamic, then try to re-register the DNS entry with the following command: IPCONFIG /Registerdns
4) Check your firewall settings from your Active Directory to the Hub Transport server: http://technet.microsoft.com/en-us/library/bb331973.aspx
November 17th, 2011 7:44pm

Hi Xiu, Please close the thread as these guys want to log a call with Microsoft because they don't understand why "block inheritance" would cause an issue if the group was already granted access. I will reopen if I get more info. Thanks
December 24th, 2011 9:59pm

This topic is archived. No further replies will be accepted.