Event ID 2080 - how to change SACL right for a new DC / can't find Read nTSecurityDescripto
Hi Guys, I have been trying to fix an issue in my environment. I have 2 DCs (2003) in my environment. If I shut down one DC (total-server01) then Exchange doesn't work. On the Exchange (2007) box I can see this in the event log:

Event Type: Information
Event Source: MSExchange ADAccess
Event Category: Topology
Event ID: 2080
Date: 02/11/2010
Time: 21:46:12
User: N/A
Computer: TTL-S09
Description: Process STORE.EXE (PID=4360). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
TOTAL-server01.TOTALFX.local CDG 1 7 7 1 0 1 1 7 1
TTL-2k3SL01.TOTALFX.local CDG 1 7 7 1 0 0 1 7 1
Out-of-site:
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Now I think the problem is here: the SACL column is 0 for my new DC (TTL-2k3SL01), which means an Exchange DSAccess issue for the new domain controller (TTL-2k3SL01). I found a good link to fix this issue: http://www.kamshin.com/?p=47

I cannot find "Read nTSecurityDescriptor" in Exchange Organization Objects, Exchange Server Objects, Exchange Server Policy Objects on the new DC (TTL-2k3SL01). I can find "Read nTSecurityDescriptor" in Exchange Organization Objects on the old DC (total-server01).

On the Exchange box, I see only the old domain controller and GC (total-server01) being used in server configuration, properties of the Exchange server, under system settings. I have initialized/added the DC manually with "modify configuration domain controller" on server configuration in the Exchange Management Console, but I still can't see the new domain controller (TTL-2K3SL01) in domain controllers and GC in the system settings of the Exchange container properties in server configuration in the Exchange Management Console.

I have run setup.com /prepareDomain, setup.com /prepareallDomains and gpupdate /force on the new DC (TTL-2k3SL01). All commands completed successfully, but I am still getting the same in the event log, which shows SACL is 0 for the new DC (TTL-2k3SL01). Can anybody help me to sort out this issue? Waiting for any response.
November 4th, 2010 7:04pm
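
The server table in the Event ID 2080 text quoted in the post above can be checked mechanically rather than by eye. The following PowerShell is an added example, not part of the original thread; the function names are hypothetical, and the expected values are an assumption taken from the TOTAL-server01 row of the post.

```powershell
# Added example (not from the thread). Parses the server table of an
# MSExchange ADAccess Event ID 2080 description and lists the columns in
# which each domain controller differs from the expected values.

# Column order as printed in the event header quoted in the post.
$Event2080Columns = @('Enabled','Reachability','Synchronized','GCCapable',
                      'PDC','SACLRight','CriticalData','Netlogon','OSVersion')

# Assumption: the values of the TOTAL-server01 row in the post are what a
# DC that Exchange can use looks like. PDC is informational, so not checked.
$ExpectedValues = @{ Enabled = 1; Reachability = 7; Synchronized = 7; GCCapable = 1
                     SACLRight = 1; CriticalData = 1; Netlogon = 7; OSVersion = 1 }

function ConvertFrom-Event2080Description {
    param([string]$Description)

    # A row is: FQDN, three role letters (C, D, G or '-'), nine integers.
    $rowPattern = '(?<name>[\w-]+(?:\.[\w-]+)+)\s+(?<roles>[CDG-]{3})\s+(?<vals>\d+(?:\s+\d+){8})(?!\S)'
    # Rows printed after this marker belong to other AD sites.
    $outOfSiteAt = $Description.IndexOf('Out-of-site:')

    foreach ($m in [regex]::Matches($Description, $rowPattern)) {
        $values = $m.Groups['vals'].Value -split '\s+'
        $row = New-Object PSObject
        $row | Add-Member -MemberType NoteProperty -Name Server -Value $m.Groups['name'].Value
        $row | Add-Member -MemberType NoteProperty -Name Roles  -Value $m.Groups['roles'].Value
        $row | Add-Member -MemberType NoteProperty -Name InSite `
            -Value (($outOfSiteAt -lt 0) -or ($m.Index -lt $outOfSiteAt))
        for ($i = 0; $i -lt $Event2080Columns.Count; $i++) {
            $row | Add-Member -MemberType NoteProperty -Name $Event2080Columns[$i] `
                -Value ([int]$values[$i])
        }
        $row
    }
}

function Get-Event2080Finding {
    param([string]$Description)

    $rows = @(ConvertFrom-Event2080Description $Description)
    foreach ($dc in $rows) {
        $problems = @()
        foreach ($col in $Event2080Columns) {
            if ($ExpectedValues.ContainsKey($col) -and $dc.$col -ne $ExpectedValues[$col]) {
                $problems += "$col=$($dc.$col) (expected $($ExpectedValues[$col]))"
            }
        }
        # Exchange only uses global catalogs, as the replies in the thread state.
        if ($dc.Roles -notmatch 'G') { $problems += 'no G (global catalog) role' }

        $finding = New-Object PSObject
        $finding | Add-Member -MemberType NoteProperty -Name Server          -Value $dc.Server
        $finding | Add-Member -MemberType NoteProperty -Name InSite          -Value $dc.InSite
        $finding | Add-Member -MemberType NoteProperty -Name MatchesExpected -Value ($problems.Count -eq 0)
        $finding | Add-Member -MemberType NoteProperty -Name Problems        -Value ($problems -join '; ')
        $finding
    }
}

# Sample input: the event description as quoted in the post (line breaks added).
$sample = @'
Process STORE.EXE (PID=4360). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
 (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
TOTAL-server01.TOTALFX.local CDG 1 7 7 1 0 1 1 7 1
TTL-2k3SL01.TOTALFX.local CDG 1 7 7 1 0 0 1 7 1
Out-of-site:
'@

Get-Event2080Finding $sample | Format-Table -AutoSize

# On a live Exchange server the same check can read the newest event:
# Get-EventLog -LogName Application -Source 'MSExchange ADAccess' |
#     Where-Object { $_.EventID -eq 2080 } | Select-Object -First 1 |
#     ForEach-Object { Get-Event2080Finding $_.Message }
```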

Is Exchange on a domain controller? Is the other domain controller also a global catalog? Exchange will only use GCs. Furthermore, Exchange will not go looking for another GC/DC when the one it is using goes away for anything up to 35 minutes. It isn't instant failover. Has Exchange been locked to use a specific domain controller?
Simon.
Simon Butler, Exchange MVP
November 5th, 2010 2:55pm

Initially there was one Windows 2003 server (TOTAL-SERVER01) which was being used as DC, DNS, DHCP and Exchange (2007). I installed/migrated Exchange 2007 on another box, leaving this machine as DC, and stopped all Exchange services on this old DC (TOTAL-SERVER01). It worked fine for a few months. I decided to rebuild the DC (TOTAL-SERVER01), so I installed Win2k3 on a new box (TTL-2K3SL01), made it ADC initially, then GC, and then moved the FSMO roles, DNS and DHCP to it from the old box. Now both the old DC (TOTAL-SERVER01) and the new DC (TTL-2K3SL01) are GC. So I have three servers as mentioned below:

Old DC (TOTAL-SERVER01) ~ DC, GC.
New DC (TTL-2K3SL01) ~ DC, GC, FSMO, DNS, DHCP.
Exchange box (TTL-Exch01)

On the Exchange machine:

(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
TOTAL-server01.TOTALFX.local CDG 1 7 7 1 0 1 1 7 1
TTL-2k3SL01.TOTALFX.local CDG 1 7 7 1 0 0 1 7 1

Which shows me both servers are DC and GC.

On your comment "Furthermore, Exchange will not go looking for another GC/DC when the one it is using goes away for anything up to 35 minutes. It isn't instant failover." What should I do about that? When I take the old server (total-server01) down, Exchange doesn't work...

Has Exchange been locked to use a specific domain controller? How can I check and verify this?
November 6th, 2010 10:24am

To check if the DCs have been statically set: get-exchangeserver <server> -status
November 6th, 2010 10:38am

Here is the output:

[PS] C:\>get-exchangeserver -status
WARNING: An error occurred while accessing the registry of the specified server: "TOTAL-server02.TOTALFX.local". The error message: "The network path was not found. ".

Name            Site      ServerRole   Edition   AdminDisplayVersion
----            ----      ----------   -------   -------------------
TOTAL-SERVER02            None         Standard  Version 6.5 (Bui...
TOTAL-SERVER01  EatonRow  Mailbox,...  Standard  Version 8.1 (Bui...
TTL-EXCH01      EatonRow  Mailbox,...  Standard  Version 8.1 (Bui...

[PS] C:\>

TOTAL-SERVER02 doesn't exist any more. TOTAL-SERVER01 is the old DC, TTL-EXCH01 is the Exchange server.
November 6th, 2010 11:46am

Did you remove Exchange before rebuilding that machine? It would appear that you still have the traces of an Exchange 2003 system in the domain, so either Exchange wasn't installed correctly, or something else has gone wrong.
Simon.
Simon Butler, Exchange MVP
November 6th, 2010 12:41pm

Hi Sembee, Thanks for the reply. Which machine? Are you talking about the old DC (TOTAL-SERVER01)? I haven't rebuilt the machine yet. It is still there. We didn't install Exchange 2003 in the office environment. I am using Exchange 2007. Would you please explain your comments in more detail?

In your previous reply you mentioned "Furthermore, Exchange will not go looking for another GC/DC when the one it is using goes away for anything up to 35 minutes. It isn't instant failover." Please tell me, what should I do about that? When I take the old server (total-server01) down, Exchange doesn't work...

Has Exchange been locked to use a specific domain controller? How can I check and verify this? Maybe these tests can give me a better idea.
November 6th, 2010 1:38pm

This:

TOTAL-SERVER02 None Standard Version 6.5 (Bui...

appears to indicate Exchange 2003. Exchange 2003 is Exchange 6.5. Therefore there are some traces in there somewhere; this is being detected by Exchange and will cause problems.

Next, you have said this is a domain controller but it also has Exchange installed on it:

TOTAL-SERVER01 EatonRow Mailbox,... Standard Version 8.1 (Bui...

When Exchange is installed on a domain controller, Exchange will only use that domain controller - and that goes for other Exchange servers as well. You need to remove Exchange from that machine. Note that carefully - remove Exchange from the domain controller, NOT domain controller functionality from the Exchange server. Running DCPROMO on a server with Exchange installed is not supported and will usually break Exchange.

DCs being statically set is already covered above. However, that is probably a moot point as you have an existing Exchange installation on a DC.
Simon.
Simon Butler, Exchange MVP
November 6th, 2010 2:47pm

Simon, Thanks for replying. How can I remove the TOTAL-SERVER02 entries from Exchange and the other DCs?

Just to make it more clear what I understood: I should uninstall Exchange from the old domain controller (total-server01). Is the following method recommended to remove Exchange from a domain controller? Log into old DC (total-server01) -> Control Panel -> Add or Remove Programs -> Microsoft Exchange Server 2007 & Microsoft Full Text Indexing Engine for Exchange -> Remove.

Here I will ask one more question. I installed a new Exchange 2007, created mail connectors and migrated all the mailboxes from the old DC/Exchange box (total-server01) to the new Exchange box (TTL-Exch01). I also replicated public folders from the old DC/Exchange box (total-server01) to the new Exchange box (TTL-Exch01). I believe no more mailboxes are left on this box, but still, what checks should I do before uninstalling Exchange 2007 from the old DC/Exchange box (total-server01)? Should I take any backups?

Will uninstalling Exchange from the old DC (TOTAL-SERVER01) resolve the issue of SACL rights on the new DC? Many thanks again. Waiting for a reply.
November 6th, 2010 4:52pm

The uninstaller does a check and if something has been left on the system it will tell you. It doesn't just uninstall with mailboxes, public folders etc. left on the server. You can obviously check manually through EMC for mailboxes and get-publicfolderstatistics in EMS on the server you are removing. Otherwise check the uninstall TechNet article.

With regards to the other server that has traces of Exchange 2003 on it, I would first check whether ESM is installed on that machine. Then you have two choices.
1. Find Exchange 2003 installation media, install the management tools so you can remove the server.
2. Manually remove the server. That is quite dangerous to the live environment because if you make an error you can stop those servers from working correctly.

My personal preference would be option 1. If you must do option 2 then instructions are on the Microsoft support site.
Simon.
Simon Butler, Exchange MVP
November 6th, 2010 8:41pm

Hi Guys, I wasn't feeling well and haven't been to the office for the last couple of days. My insecurity is that, as I am aware, when I take the server (TOTAL-SERVER01) down, my new Exchange server doesn't work, and probably the issue is that Exchange doesn't have SACL rights on the new DC. To handle this you guys suggest uninstalling Exchange from the old DC (TOTAL-SERVER01). I was thinking: in case I uninstall Exchange from the old DC (TOTAL-SERVER01) successfully and, let's assume, my Exchange still doesn't look at the new DC, how do I cope with this at that time? Of course I can't take downtime for more than 4/5 hours. Can anybody suggest how, in that case, I can forcibly make the Exchange box look at the new DC? Any command, as the Exchange Management Console won't come up and all services will fail again. Can someone please reply to this?
November 12th, 2010 10:36am

After removing Exchange from that server also remove the global catalog role. Then restart the Exchange services. Exchange will then look for another DC with the GC role to use. You can then remove that original DC as a domain controller by running dcpromo. Exchange will only use global catalog domain controllers, so you need to ensure that you have another one in the domain for it to use.
Simon.
Simon Butler, Exchange MVP
November 12th, 2010 11:03am

How much time should I keep in mind that the new Exchange will take to look at the new DC/GC after uninstalling Exchange from the old DC (total-server01)? Last time when I disconnected this old DC (total-server01) my Exchange stopped working, and I tried to restart the Exchange services so it might pick up the new DC, but they kept failing. Many thanks.
November 12th, 2010 11:21am

Hi Simon, you mentioned previously "Furthermore, Exchange will not go looking for another GC/DC when the one it is using goes away for anything up to 35 minutes. It isn't instant failover." So should I assume I should keep 1 hour in mind, that after uninstalling Exchange from the old DC (total-server01) the Exchange box will look at the new DC? Thanks
November 12th, 2010 12:13pm

Remove Exchange from the server. Then remove the GC role. Immediately restart the Exchange services on any other Exchange server/s. This will force Exchange to look for another GC immediately. Then run DCPROMO. All the time Exchange is installed, Exchange will not look for another DC. You need to remove Exchange before you do anything else.
Simon.
Simon Butler, Exchange MVP
November 12th, 2010 12:15pm

Simon, Thanks for replying. My worry is that the new Exchange box recognized the old and new DC as GC, as listed in event ID 2080.

On the Exchange machine:

(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
TOTAL-server01.TOTALFX.local CDG 1 7 7 1 0 1 1 7 1
TTL-2k3SL01.TOTALFX.local CDG 1 7 7 1 0 0 1 7 1

Which shows me both servers are DC and GC. More outputs:

On the Exchange box:

C:\Documents and Settings\Administrator.TOTALFX>dsquery server -isgc
"CN=TOTAL-SERVER01,CN=Servers,CN=EatonRow,CN=Sites,CN=Configuration,DC=TOTALFX,DC=local"
"CN=TTL-2K3SL01,CN=Servers,CN=EatonRow,CN=Sites,CN=Configuration,DC=TOTALFX,DC=local"

### On new DC (TTL-2K3SL01)

C:\Program Files\Support Tools>dcdiag /v Domain Controller Diagnosis Performing initial setup: * Verifying that the local machine TTL-2k3SL01, is a DC. * Connecting to directory service on server TTL-2k3SL01. * Collecting site info. * Identifying all servers. * Identifying all NC cross-refs. * Found 2 DC(s). Testing 1 of them. Done gathering initial info. Doing initial required tests Testing server: EatonRow\TTL-2K3SL01 Starting test: Connectivity * Active Directory LDAP Services Check * Active Directory RPC Services Check ......................... TTL-2K3SL01 passed test Connectivity Doing primary tests Testing server: EatonRow\TTL-2K3SL01 Starting test: Replications * Replications Check * Replication Latency Check DC=ForestDnsZones,DC=TOTALFX,DC=local Latency information for 2 entries in the vector were ignored. 2 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). DC=DomainDnsZones,DC=TOTALFX,DC=local Latency information for 2 entries in the vector were ignored. 2 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 
0 had no latency information (Win2K DC). CN=Schema,CN=Configuration,DC=TOTALFX,DC=local Latency information for 2 entries in the vector were ignored. 2 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). CN=Configuration,DC=TOTALFX,DC=local Latency information for 2 entries in the vector were ignored. 2 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). DC=TOTALFX,DC=local Latency information for 2 entries in the vector were ignored. 2 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). * Replication Site Latency Check ......................... TTL-2K3SL01 passed test Replications Test omitted by user request: Topology Test omitted by user request: CutoffServers Starting test: NCSecDesc * Security Permissions check for all NC's on DC TTL-2K3SL01. * Security Permissions Check for DC=ForestDnsZones,DC=TOTALFX,DC=local (NDNC,Version 2) * Security Permissions Check for DC=DomainDnsZones,DC=TOTALFX,DC=local (NDNC,Version 2) * Security Permissions Check for CN=Schema,CN=Configuration,DC=TOTALFX,DC=local (Schema,Version 2) * Security Permissions Check for CN=Configuration,DC=TOTALFX,DC=local (Configuration,Version 2) * Security Permissions Check for DC=TOTALFX,DC=local (Domain,Version 2) ......................... TTL-2K3SL01 passed test NCSecDesc Starting test: NetLogons * Network Logons Privileges Check Verified share \\TTL-2K3SL01\netlogon Verified share \\TTL-2K3SL01\sysvol ......................... TTL-2K3SL01 passed test NetLogons Starting test: Advertising The DC TTL-2K3SL01 is advertising itself as a DC and having a DS. 
The DC TTL-2K3SL01 is advertising as an LDAP server The DC TTL-2K3SL01 is advertising as having a writeable directory The DC TTL-2K3SL01 is advertising as a Key Distribution Center The DC TTL-2K3SL01 is advertising as a time server The DS TTL-2K3SL01 is advertising as a GC. ......................... TTL-2K3SL01 passed test Advertising Starting test: KnowsOfRoleHolders Role Schema Owner = CN=NTDS Settings,CN=TTL-2K3SL01,CN=Servers,CN=Eaton Row,CN=Sites,CN=Configuration,DC=TOTALFX,DC=local Role Domain Owner = CN=NTDS Settings,CN=TTL-2K3SL01,CN=Servers,CN=Eaton Row,CN=Sites,CN=Configuration,DC=TOTALFX,DC=local Role PDC Owner = CN=NTDS Settings,CN=TTL-2K3SL01,CN=Servers,CN=EatonRow ,CN=Sites,CN=Configuration,DC=TOTALFX,DC=local Role Rid Owner = CN=NTDS Settings,CN=TTL-2K3SL01,CN=Servers,CN=EatonRow ,CN=Sites,CN=Configuration,DC=TOTALFX,DC=local Role Infrastructure Update Owner = CN=NTDS Settings,CN=TTL-2K3SL01,CN=S ervers,CN=EatonRow,CN=Sites,CN=Configuration,DC=TOTALFX,DC=local ......................... TTL-2K3SL01 passed test KnowsOfRoleHolders Starting test: RidManager * Available RID Pool for the Domain is 4609 to 1073741823 * TTL-2k3SL01.TOTALFX.local is the RID Master * DsBind with RID Master was successful * rIDAllocationPool is 4109 to 4608 * rIDPreviousAllocationPool is 4109 to 4608 * rIDNextRID: 4114 ......................... TTL-2K3SL01 passed test RidManager Starting test: MachineAccount Checking machine account for DC TTL-2K3SL01 on DC TTL-2K3SL01. * SPN found :LDAP/TTL-2k3SL01.TOTALFX.local/TOTALFX.local * SPN found :LDAP/TTL-2k3SL01.TOTALFX.local * SPN found :LDAP/TTL-2K3SL01 * SPN found :LDAP/TTL-2k3SL01.TOTALFX.local/TOTALFX * SPN found :LDAP/14c1f0ab-0c22-40a5-98b0-0f61297085b4._msdcs.TOTALFX. 
local * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/14c1f0ab-0c22-40a5-98 b0-0f61297085b4/TOTALFX.local * SPN found :HOST/TTL-2k3SL01.TOTALFX.local/TOTALFX.local * SPN found :HOST/TTL-2k3SL01.TOTALFX.local * SPN found :HOST/TTL-2K3SL01 * SPN found :HOST/TTL-2k3SL01.TOTALFX.local/TOTALFX * SPN found :GC/TTL-2k3SL01.TOTALFX.local/TOTALFX.local ......................... TTL-2K3SL01 passed test MachineAccount Starting test: Services * Checking Service: Dnscache * Checking Service: NtFrs * Checking Service: IsmServ * Checking Service: kdc * Checking Service: SamSs * Checking Service: LanmanServer * Checking Service: LanmanWorkstation * Checking Service: RpcSs * Checking Service: w32time * Checking Service: NETLOGON ......................... TTL-2K3SL01 passed test Services Test omitted by user request: OutboundSecureChannels Starting test: ObjectsReplicated TTL-2K3SL01 is in domain DC=TOTALFX,DC=local Checking for CN=TTL-2K3SL01,OU=Domain Controllers,DC=TOTALFX,DC=local in domain DC=TOTALFX,DC=local on 1 servers Object is up-to-date on all servers. Checking for CN=NTDS Settings,CN=TTL-2K3SL01,CN=Servers,CN=EatonRow,CN= Sites,CN=Configuration,DC=TOTALFX,DC=local in domain CN=Configuration,DC=TOTAL FX,DC=local on 1 servers Object is up-to-date on all servers. ......................... TTL-2K3SL01 passed test ObjectsReplicated Starting test: frssysvol * The File Replication Service SYSVOL ready test File Replication Service's SYSVOL is ready ......................... TTL-2K3SL01 passed test frssysvol Starting test: frsevent * The File Replication Service Event log test ......................... TTL-2K3SL01 passed test frsevent Starting test: kccevent * The KCC Event log test Found no KCC errors in Directory Service Event log in the last 15 minut es. ......................... TTL-2K3SL01 passed test kccevent Starting test: systemlog * The System Event log test An Error Event occured. 
EventID: 0x00000457 Time Generated: 11/05/2010 12:55:30 (Event String could not be retrieved) ......................... TTL-2K3SL01 failed test systemlog Test omitted by user request: VerifyReplicas Starting test: VerifyReferences The system object reference (serverReference) CN=TTL-2K3SL01,OU=Domain Controllers,DC=TOTALFX,DC=local and backlink on CN=TTL-2K3SL01,CN=Servers,CN=EatonRow,CN=Sites,CN=Configuration,DC=TTLT ONFX,DC=local are correct. The system object reference (frsComputerReferenceBL) CN=TTL-2K3SL01,CN=Domain System Volume (SYSVOL share),CN=File Replicati on Service,CN=System,DC=TOTALFX,DC=local and backlink on CN=TTL-2K3SL01,OU=Domain Controllers,DC=TOTALFX,DC=local are correct. The system object reference (serverReferenceBL) CN=TTL-2K3SL01,CN=Domain System Volume (SYSVOL share),CN=File Replicati on Service,CN=System,DC=TOTALFX,DC=local and backlink on CN=NTDS Settings,CN=TTL-2K3SL01,CN=Servers,CN=EatonRow,CN=Sites,CN=Conf iguration,DC=TOTALFX,DC=local are correct. ......................... TTL-2K3SL01 passed test VerifyReferences Test omitted by user request: VerifyEnterpriseReferences Test omitted by user request: CheckSecurityError Running partition tests on : ForestDnsZones Starting test: CrossRefValidation ......................... ForestDnsZones passed test CrossRefValidation Starting test: CheckSDRefDom ......................... ForestDnsZones passed test CheckSDRefDom Running partition tests on : DomainDnsZones Starting test: CrossRefValidation ......................... DomainDnsZones passed test CrossRefValidation Starting test: CheckSDRefDom ......................... DomainDnsZones passed test CheckSDRefDom Running partition tests on : Schema Starting test: CrossRefValidation ......................... Schema passed test CrossRefValidation Starting test: CheckSDRefDom ......................... Schema passed test CheckSDRefDom Running partition tests on : Configuration Starting test: CrossRefValidation ......................... 
Configuration passed test CrossRefValidation Starting test: CheckSDRefDom ......................... Configuration passed test CheckSDRefDom Running partition tests on : TOTALFX Starting test: CrossRefValidation ......................... TOTALFX passed test CrossRefValidation Starting test: CheckSDRefDom ......................... TOTALFX passed test CheckSDRefDom Running enterprise tests on : TOTALFX.local Starting test: Intersite Skipping site EatonRow, this site is outside the scope provided by the command line arguments provided. ......................... TOTALFX.local passed test Intersite Starting test: FsmoCheck GC Name: \\TTL-2k3SL01.TOTALFX.local Locator Flags: 0xe00003fd PDC Name: \\TTL-2k3SL01.TOTALFX.local Locator Flags: 0xe00003fd Time Server Name: \\TTL-2k3SL01.TOTALFX.local Locator Flags: 0xe00003fd Preferred Time Server Name: \\TTL-2k3SL01.TOTALFX.local Locator Flags: 0xe00003fd KDC Name: \\TTL-2k3SL01.TOTALFX.local Locator Flags: 0xe00003fd ......................... TOTALFX.local passed test FsmoCheck Test omitted by user request: DNS Test omitted by user request: DNS C:\Program Files\Support Tools> #### On old DC (TOTAL-SERVER01) C:\>dcdiag /v Domain Controller Diagnosis Performing initial setup: * Verifying that the local machine TOTAL-server01, is a DC. * Connecting to directory service on server TOTAL-server01. * Collecting site info. * Identifying all servers. * Identifying all NC cross-refs. * Found 2 DC(s). Testing 1 of them. Done gathering initial info. Doing initial required tests Testing server: EatonRow\TOTAL-SERVER01 Starting test: Connectivity * Active Directory LDAP Services Check * Active Directory RPC Services Check ......................... TOTAL-SERVER01 passed test Connectivity Doing primary tests Testing server: EatonRow\TOTAL-SERVER01 Starting test: Replications * Replications Check * Replication Latency Check DC=ForestDnsZones,DC=TOTALFX,DC=local Latency information for 2 entries in the vector were ignored. 
2 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). DC=DomainDnsZones,DC=TOTALFX,DC=local Latency information for 2 entries in the vector were ignored. 2 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). CN=Schema,CN=Configuration,DC=TOTALFX,DC=local Latency information for 2 entries in the vector were ignored. 2 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). CN=Configuration,DC=TOTALFX,DC=local Latency information for 2 entries in the vector were ignored. 2 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). DC=TOTALFX,DC=local Latency information for 2 entries in the vector were ignored. 2 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). * Replication Site Latency Check ......................... TOTAL-SERVER01 passed test Replications Test omitted by user request: Topology Test omitted by user request: CutoffServers Starting test: NCSecDesc * Security Permissions check for all NC's on DC TOTAL-SERVER01. * Security Permissions Check for DC=ForestDnsZones,DC=TOTALFX,DC=local (NDNC,Version 2) * Security Permissions Check for DC=DomainDnsZones,DC=TOTALFX,DC=local (NDNC,Version 2) * Security Permissions Check for CN=Schema,CN=Configuration,DC=TOTALFX,DC=local (Schema,Version 2) * Security Permissions Check for CN=Configuration,DC=TOTALFX,DC=local (Configuration,Version 2) * Security Permissions Check for DC=TOTALFX,DC=local (Domain,Version 2) ......................... 
TOTAL-SERVER01 passed test NCSecDesc Starting test: NetLogons * Network Logons Privileges Check Verified share \\TOTAL-SERVER01\netlogon Verified share \\TOTAL-SERVER01\sysvol ......................... TOTAL-SERVER01 passed test NetLogons Starting test: Advertising The DC TOTAL-SERVER01 is advertising itself as a DC and having a DS. The DC TOTAL-SERVER01 is advertising as an LDAP server The DC TOTAL-SERVER01 is advertising as having a writeable directory The DC TOTAL-SERVER01 is advertising as a Key Distribution Center The DC TOTAL-SERVER01 is advertising as a time server The DS TOTAL-SERVER01 is advertising as a GC. ......................... TOTAL-SERVER01 passed test Advertising Starting test: KnowsOfRoleHolders Role Schema Owner = CN=NTDS Settings,CN=TTL-2K3SL01,CN=Servers,CN=Eaton Row,CN=Sites,CN=Configuration,DC=TOTALFX,DC=local Role Domain Owner = CN=NTDS Settings,CN=TTL-2K3SL01,CN=Servers,CN=Eaton Row,CN=Sites,CN=Configuration,DC=TOTALFX,DC=local Role PDC Owner = CN=NTDS Settings,CN=TTL-2K3SL01,CN=Servers,CN=EatonRow ,CN=Sites,CN=Configuration,DC=TOTALFX,DC=local Role Rid Owner = CN=NTDS Settings,CN=TTL-2K3SL01,CN=Servers,CN=EatonRow ,CN=Sites,CN=Configuration,DC=TOTALFX,DC=local Role Infrastructure Update Owner = CN=NTDS Settings,CN=TTL-2K3SL01,CN=S ervers,CN=EatonRow,CN=Sites,CN=Configuration,DC=TOTALFX,DC=local ......................... TOTAL-SERVER01 passed test KnowsOfRoleHolder s Starting test: RidManager * Available RID Pool for the Domain is 4609 to 1073741823 * TTL-2k3SL01.TOTALFX.local is the RID Master * DsBind with RID Master was successful * rIDAllocationPool is 2609 to 3108 * rIDPreviousAllocationPool is 2609 to 3108 * rIDNextRID: 2803 ......................... TOTAL-SERVER01 passed test RidManager Starting test: MachineAccount Checking machine account for DC TOTAL-SERVER01 on DC TOTAL-SERVER01. 
* SPN found :LDAP/TOTAL-server01.TOTALFX.local/TOTALFX.local * SPN found :LDAP/TOTAL-server01.TOTALFX.local * SPN found :LDAP/TOTAL-SERVER01 * SPN found :LDAP/TOTAL-server01.TOTALFX.local/TOTALFX * SPN found :LDAP/c641bcf2-491a-442a-854c-761b524c5e95._msdcs.TOTALFX. local * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/c641bcf2-491a-442a-85 4c-761b524c5e95/TOTALFX.local * SPN found :HOST/TOTAL-server01.TOTALFX.local/TOTALFX.local * SPN found :HOST/TOTAL-server01.TOTALFX.local * SPN found :HOST/TOTAL-SERVER01 * SPN found :HOST/TOTAL-server01.TOTALFX.local/TOTALFX * SPN found :GC/TOTAL-server01.TOTALFX.local/TOTALFX.local ......................... TOTAL-SERVER01 passed test MachineAccount Starting test: Services * Checking Service: Dnscache Dnscache Service is stopped on [TOTAL-SERVER01] * Checking Service: NtFrs * Checking Service: IsmServ * Checking Service: kdc * Checking Service: SamSs * Checking Service: LanmanServer * Checking Service: LanmanWorkstation * Checking Service: RpcSs * Checking Service: w32time * Checking Service: NETLOGON ......................... TOTAL-SERVER01 failed test Services Test omitted by user request: OutboundSecureChannels Starting test: ObjectsReplicated TOTAL-SERVER01 is in domain DC=TOTALFX,DC=local Checking for CN=TOTAL-SERVER01,OU=Domain Controllers,DC=TOTALFX,DC=lo cal in domain DC=TOTALFX,DC=local on 1 servers Object is up-to-date on all servers. Checking for CN=NTDS Settings,CN=TOTAL-SERVER01,CN=Servers,CN=EatonRow ,CN=Sites,CN=Configuration,DC=TOTALFX,DC=local in domain CN=Configuration,DC=CA XTONFX,DC=local on 1 servers Object is up-to-date on all servers. ......................... TOTAL-SERVER01 passed test ObjectsReplicated Starting test: frssysvol * The File Replication Service SYSVOL ready test File Replication Service's SYSVOL is ready ......................... TOTAL-SERVER01 passed test frssysvol Starting test: frsevent * The File Replication Service Event log test ......................... 
TOTAL-SERVER01 passed test frsevent Starting test: kccevent * The KCC Event log test Found no KCC errors in Directory Service Event log in the last 15 minut es. ......................... TOTAL-SERVER01 passed test kccevent Starting test: systemlog * The System Event log test An Error Event occured. EventID: 0x00000457 Time Generated: 11/05/2010 14:07:21 (Event String could not be retrieved) ......................... TOTAL-SERVER01 failed test systemlog Test omitted by user request: VerifyReplicas Starting test: VerifyReferences The system object reference (serverReference) CN=TOTAL-SERVER01,OU=Domain Controllers,DC=TOTALFX,DC=local and backlink on CN=TOTAL-SERVER01,CN=Servers,CN=EatonRow,CN=Sites,CN=Configuration,DC= TOTALFX,DC=local are correct. The system object reference (frsComputerReferenceBL) CN=TOTAL-SERVER01,CN=Domain System Volume (SYSVOL share),CN=File Repli cation Service,CN=System,DC=TOTALFX,DC=local and backlink on CN=TOTAL-SERVER01,OU=Domain Controllers,DC=TOTALFX,DC=local are correct. The system object reference (serverReferenceBL) CN=TOTAL-SERVER01,CN=Domain System Volume (SYSVOL share),CN=File Repli cation Service,CN=System,DC=TOTALFX,DC=local and backlink on CN=NTDS Settings,CN=TOTAL-SERVER01,CN=Servers,CN=EatonRow,CN=Sites,CN= Configuration,DC=TOTALFX,DC=local are correct. ......................... TOTAL-SERVER01 passed test VerifyReferences Test omitted by user request: VerifyEnterpriseReferences Test omitted by user request: CheckSecurityError Running partition tests on : ForestDnsZones Starting test: CrossRefValidation ......................... ForestDnsZones passed test CrossRefValidation Starting test: CheckSDRefDom ......................... ForestDnsZones passed test CheckSDRefDom Running partition tests on : DomainDnsZones Starting test: CrossRefValidation ......................... DomainDnsZones passed test CrossRefValidation Starting test: CheckSDRefDom ......................... 
DomainDnsZones passed test CheckSDRefDom Running partition tests on : Schema Starting test: CrossRefValidation ......................... Schema passed test CrossRefValidation Starting test: CheckSDRefDom ......................... Schema passed test CheckSDRefDom Running partition tests on : Configuration Starting test: CrossRefValidation ......................... Configuration passed test CrossRefValidation Starting test: CheckSDRefDom ......................... Configuration passed test CheckSDRefDom Running partition tests on : TOTALFX Starting test: CrossRefValidation ......................... TOTALFX passed test CrossRefValidation Starting test: CheckSDRefDom ......................... TOTALFX passed test CheckSDRefDom Running enterprise tests on : TOTALFX.local Starting test: Intersite Skipping site EatonRow, this site is outside the scope provided by the command line arguments provided. ......................... TOTALFX.local passed test Intersite Starting test: FsmoCheck GC Name: \\TOTAL-server01.TOTALFX.local Locator Flags: 0xe00001fc PDC Name: \\TTL-2k3SL01.TOTALFX.local Locator Flags: 0xe00003fd Time Server Name: \\TOTAL-server01.TOTALFX.local Locator Flags: 0xe00001fc Preferred Time Server Name: \\TTL-2k3SL01.TOTALFX.local Locator Flags: 0xe00003fd KDC Name: \\TOTAL-server01.TOTALFX.local Locator Flags: 0xe00001fc ......................... TOTALFX.local passed test FsmoCheck Test omitted by user request: DNS Test omitted by user request: DNS
November 13th, 2010 3:39am

I am still looking for a way without uninstalling the old Exchange from the old DC (TOTAL-SERVER01), as I cannot take the business down for a long time. All our applications work on Exchange. I followed a proper way to migrate Exchange from the DC first, then introduced an ADC, then migrated the FSMO and DNS roles, and marked the new server as GC, which is being identified from Exchange. Exchange can see both DCs and GCs as you can see in the above output. I appreciate all your and others' effort, but still I believe there would be a way to handle this scenario, as people do recover stuff from disasters, and in my scenario everything is up and running; all I need is to get rid of one DC (total-server01). Would someone suggest, should I create a new environment for one DC and one Exchange, restoring the domain stuff and Exchange databases on them?
November 13th, 2010 7:25pm

It isn't possible. All the time that Exchange is installed on that machine it will be used by the other servers. You have got to remove Exchange from that machine before you can do anything else with it. There is no magic method to resolving this issue unless you have invented time travel and can stop whoever installed Exchange on to a domain controller in the first place from doing so.

I wouldn't go anywhere near doing a restoration because that isn't required and wouldn't get you anywhere. You would still have to restore the domain controller first, and then the Exchange server. Backup/Restore is not a method to break this link - the ONLY way is to remove Exchange and then restart the Exchange services on the production system. If you are not confident to do so, then get a consultant in, or call Microsoft, pay their support fee and get someone there to do it for you.
Simon.
Simon Butler, Exchange MVP
November 15th, 2010 7:49am

Yes Simon, I think that is the only option left. Microsoft suggests the same http://support.microsoft.com/kb/925822 I will update when I can get a chance to have downtime. Many thanks again. Sam
November 15th, 2010 9:43am
