Exchange 2010 Can’t Find Site Global Catalog


Update, September 2012: related articles cover the permission Exchange requires, "Manage Auditing and Security Log", which is granted through the Default Domain Controllers Policy. If it is not granted to all Exchange servers connecting to the DC, BAD things will happen (Exchange services not starting, etc.).

After moving our Exchange 2010 server to a data center with new AD site and accompanying domain controller, Exchange was having recurring errors about being unable to find a local site Global Catalog or Domain Controller.

After a lot of digging, the cause was determined to be a Group Policy problem (surprise surprise!). I found the problem using the following commands in EMS (Exchange Management Shell):

  • Get-EventLogLevel "MSExchange ADAccess"
  • Set-EventLogLevel "MSExchange ADAccess\Topology" -Level High

After the logging change, the following error showed up in Event Viewer:

Log Name: Application
Source: MSExchange ADAccess
Date: 5/30/2012 2:48:59 AM
Event ID: 2080
Task Category: Topology
Level: Information
Keywords: Classic
User: N/A
Computer: MyExchange.MyDomain.com
Description:
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1652). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
DataCenterDC1.MyDomain.com CDG 1 7 7 1 0 0 1 7 1
Out-of-site:
MainSiteDC1.MyDomain.com CDG 1 7 7 1 0 1 1 7 1
MainSiteDC2.MyDomain.com CDG 1 7 7 1 0 1 1 7 1

On close inspection, you can see that the line for DataCenterDC1 has a 0 (zero) in the SACL right column. Exchange needs this to be a 1 (one), and the "Default Domain Controllers Policy" shipped with Windows grants this right correctly.
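As an added example (not part of the original post), here is a small Python parser for the Event 2080 server table that reports which checks each DC fails, so the missing SACL right stands out without reading the columns by eye. The sample text is the event quoted above; the bitmask meanings for Reachability and Synchronized (1 = GC, 2 = DC, 4 = configuration DC) are taken from Microsoft's documentation of the event, not from the post.

```python
import re
from typing import Dict, List

# Constructed sample: the Event 2080 description quoted in the post.
SAMPLE_2080 = """\
(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
DataCenterDC1.MyDomain.com CDG 1 7 7 1 0 0 1 7 1
Out-of-site:
MainSiteDC1.MyDomain.com CDG 1 7 7 1 0 1 1 7 1
MainSiteDC2.MyDomain.com CDG 1 7 7 1 0 1 1 7 1
"""

# The nine numeric fields, in the order given by the event's header line.
COLUMNS = ["enabled", "reachability", "synchronized", "gc_capable", "pdc",
           "sacl_right", "critical_data", "netlogon", "os_version"]
# Reachability and Synchronized are bitmasks: 1 = GC, 2 = DC, 4 = config DC
# (per Microsoft's Event 2080 documentation; the post itself does not say so).
ALL_PORTS = 7
# "<fqdn> <roles made of C/D/G> <nine integers>"
LINE_RE = re.compile(r"^(\S+)\s+([CDG]+)\s+((?:\d+\s*){9})$")


def parse_event_2080(text: str) -> List[Dict]:
    """Turn the server table of an Event 2080 description into one dict per DC."""
    entries, in_site = [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "In-site:":
            in_site = True
        elif line == "Out-of-site:":
            in_site = False
        elif (m := LINE_RE.match(line)):
            values = [int(v) for v in m.group(3).split()]
            entries.append({"name": m.group(1), "roles": m.group(2),
                            "in_site": in_site, **dict(zip(COLUMNS, values))})
    return entries


def diagnose(dc: Dict) -> List[str]:
    """Names of the checks this DC fails; an empty list means Exchange can use it."""
    failed = [c for c in ("enabled", "gc_capable", "sacl_right", "critical_data") if not dc[c]]
    failed += [c for c in ("reachability", "synchronized") if dc[c] != ALL_PORTS]
    return failed


def usable_gcs(entries: List[Dict], in_site: bool = True) -> List[str]:
    """DCs in the requested scope (in-site or out-of-site) that pass every check."""
    return [dc["name"] for dc in entries if dc["in_site"] == in_site and not diagnose(dc)]
```

Run on the sample, `usable_gcs` returns no in-site server and `diagnose` names `sacl_right` as the only failing check for DataCenterDC1, which is exactly the symptom described here.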

Unknown to me, one of our admins had "cleaned up" our directory by moving all domain controller objects into a complex OU hierarchy, moving the domain controllers policy GPO (Group Policy Object) away from the default "Domain Controllers" container, and linking it only to the non-standard OUs where the other domain controller objects had been placed. The problem with this? Windows creates every new Domain Controller in the default "Domain Controllers" container at the root of the directory. Without the necessary GPO linked there, Exchange did not have the required access permissions on the new data center domain controller.

To fix the problem, I re-linked the domain controllers GPO to the default domain controllers container and then ran “gpupdate” on the domain controller. Shortly after, Exchange detected the correct permissions on the local site DC and started using it.

I put the logging settings back the way I found them and verified that Exchange was using the correct domain controller / global catalog server.

  • Set-EventLogLevel "MSExchange ADAccess\Topology" -Level Low
  • Get-EventLogLevel "MSExchange ADAccess"
  • Get-ExchangeServer MyExchange -Status | Format-List name,current*

If the correct server is being used, that last command should have output similar to:

Name : MyExchange
CurrentDomainControllers : {DataCenterDC1.MyDomain.com}
CurrentGlobalCatalogs : {DataCenterDC1.MyDomain.com}
CurrentConfigDomainController : DataCenterDC1.MyDomain.com

Another pesky problem solved. This is a good argument to leave as much of Group Policy and Active Directory as clean, simple, and pristine as possible. Stick to the “KISS” principle to make troubleshooting problems easier.

About notesbytom

Keeping technology notes on WordPress.com to free up my mind to solve new problems rather than figuring out the same ones repeatedly :-).