Exchange and the Default Domain Controllers GPO
I recently ran across an issue with an Exchange 2010 server that was configured for a hybrid Office 365 setup. The on-premises Exchange 2010 server had the majority of mailboxes migrated to Office 365 and was serving primarily as an onsite SMTP relay and CAS server. The service desk at my client had started to receive complaints that scan-to-email and other relays were not working. In addition, they were not able to provision new employee MS Outlook profiles using Autodiscover and existing users were receiving prompts in Outlook regarding connectivity.
The client was not aware of any specific changes to the environment. They did edit a GPO, but stated it was only a minor change that would not have this effect.
Reviewing the status of the Exchange server, there were numerous errors regarding MSExchange ADAccess, MSExchange Mailbox Replication, and other critical Exchange services. The Exchange Management Console would not enumerate successfully, citing a Kerberos authentication error. The event viewer also showed the following helpful errors:
- MAD.EXE. All Domain Controllers in use are not responding
- error code 0x80040a02 (DSC_E_NO_SUITABLE_CDC)
- MSEXCHANGEADTOPOLOGYSERVICE.EXE. Topology discovery failed.
- error code 0x80040a02 (DSC_E_NO_SUITABLE_CDC)
A quick online search led me to this helpful article, which suggested checking group policies for the Mange auditing and security log user rights assignment, affecting the domain controllers. According to Microsoft, the AD Prep operation of the Exchange 2010 setup takes care of this:
On each domain controller in a domain in which you will install Exchange 2010, the Exchange Servers USG has permissions on the Domain Controller Security Policy\Local Policies\User Rights Assignment\Manage Auditing and Security Log policy.
The Default Domain Controllers Policy is supposed to be pushing this setting out, granting permissions on the domain controllers to the Exchange server(s). However, this was not happening as indicated by checking the SACL right value in following event:
Application | MSExchange ADAccess | 2080 | Topology
Here’s an example showing the lack of required permissions (SACL right = 0)
Here’s an example showing the correct required permissions (SACL right = 1)
Resolution
The Default Domain Controllers Policy setting was configured correctly, however running GP Results against the domain controllers showed that the Default Domain Policy setting had taken preference over the Default Domain Controllers Policy setting.
This was confirmed by viewing the Group Policy Inheritance on the Domain Controllers OU using the GPMC, as shown below.
The Domain Controllers OU had inheritance set to blocked, however the Default Domain policy was set to enforced, which took precedence over other policies. Removing the enforced setting, running GP Update on the domain controllers, and restarting the Exchange services (or server) cleared up the issue right away!
You must be logged in to post a comment.