Exchange and the Default Domain Controllers GPO

I recently ran across an issue with an Exchange 2010 server that was configured for a hybrid Office 365 setup. The on-premises Exchange 2010 server had the majority of mailboxes migrated to Office 365 and was serving primarily as an onsite SMTP relay and CAS server.

This article covers how Exchange and the Default Domain Controllers GPO are interrelated. The service desk at my client had started to receive complaints that scan-to-email and other relays were not working. In addition, they were not able to provision new employee Outlook profiles using Autodiscover, and existing users were receiving connectivity prompts in Outlook. The client was not aware of any specific changes to the environment.

They had edited a GPO, but stated it was only a minor change that would not have this effect. Reviewing the status of the Exchange server showed numerous errors regarding MSExchange ADAccess, MSExchange Mailbox Replication, and other critical Exchange services. The Exchange Management Console would not enumerate successfully, citing a Kerberos authentication error. The event viewer also showed the following helpful errors:

    MAD.EXE. All Domain Controllers in use are not responding.
    error code 0x80040a02 (DSC_E_NO_SUITABLE_CDC)
    MSEXCHANGEADTOPOLOGYSERVICE.EXE. Topology discovery failed.
    error code 0x80040a02 (DSC_E_NO_SUITABLE_CDC)

A quick online search led me to this helpful article, which suggested checking group policies for the Manage auditing and security log user rights assignment affecting the domain controllers. According to Microsoft, the AD Prep step of Exchange 2010 setup takes care of this:

      On each domain controller in a domain in which you will install Exchange 2010, the Exchange Servers USG has permissions on the Domain Controller Security Policy\Local Policies\User Rights Assignment\Manage Auditing and Security Log policy.

The Default Domain Controllers Policy is supposed to push this setting out, granting the right on the domain controllers to the Exchange server(s). However, this was not happening, as indicated by checking the SACL right value in the following event:

    Application | MSExchange ADAccess | 2080 | Topology

Here's an example showing the lack of the required permission (SACL right = 0):

[Image: Event 2080 with SACL right = 0]

Here's an example showing the correct required permission (SACL right = 1):

[Image: Event 2080 with SACL right = 1]

Resolution

The Default Domain Controllers Policy setting was configured correctly. However, running GP Results against the domain controllers showed that the Default Domain Policy setting had taken precedence over the Default Domain Controllers Policy setting.

[Image: GP Results showing the auditing setting applied from the Default Domain Policy]

This was confirmed by viewing the Group Policy Inheritance on the Domain Controllers OU using the GPMC, as shown below.

[Image: GPMC Group Policy Inheritance tab for the Domain Controllers OU]

The Domain Controllers OU had inheritance set to blocked; however, the Default Domain Policy was set to enforced, which took precedence over the other policies. Removing the enforced setting, running GP Update on the domain controllers, and restarting the Exchange services (or the server) cleared up the issue right away!
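The following PowerShell is an added example, not code from the original post, that scripts the checks described above: reading the SACL right column from the newest MSExchange ADAccess event 2080, inspecting the blocked/enforced state of the GPO links on the Domain Controllers OU, and (on a domain controller) confirming whether the Exchange Servers group actually holds the Manage auditing and security log right. It assumes the usual 2080 column layout noted in the comments, the GroupPolicy module from RSAT for the inheritance query, and that the third function is run on a DC; the function names are my own.

```powershell
# Added example, not code from the original post. Automates the three checks the
# article makes by hand: (1) the SACL right column of the newest MSExchange ADAccess
# event 2080 on the Exchange server, (2) the inheritance/enforced state of GPO links
# on the Domain Controllers OU, and (3) the effective "Manage auditing and security
# log" right (SeSecurityPrivilege) on a domain controller. Assumptions: the 2080 column
# layout below, the GroupPolicy module (RSAT) for part 2, and that part 3 runs on a DC.

# (1) Parse event 2080. Assumed layout of each DC line in the event body:
#   Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC |
#   SACL right | Critical Data | Netlogon | OS Version
function Get-Exchange2080SaclStatus {
    param(
        # Raw event text; defaults to the newest 2080 event in the Application log
        [string]$Message = (Get-WinEvent -FilterHashtable @{
                LogName = 'Application'; ProviderName = 'MSExchange ADAccess'; Id = 2080
            } -MaxEvents 1 -ErrorAction Stop).Message
    )
    $rows = foreach ($line in ($Message -split "`r?`n")) {
        $f = $line.Trim() -split '\s+'
        # Only DC lines have 11+ columns with numeric Reachability and SACL fields
        if ($f.Count -lt 11 -or $f[3] -notmatch '^\d+$' -or $f[7] -notmatch '^\d+$') { continue }
        [pscustomobject]@{
            DomainController = $f[0]
            Roles            = $f[1]        # C = Configuration, D = Domain, G = Global Catalog
            Reachability     = [int]$f[3]   # bitmask: 1 = GC, 2 = Domain, 4 = Configuration; 7 = all
            SaclRight        = [int]$f[7]   # 1 = Exchange holds SeSecurityPrivilege on this DC
        }
    }
    return @($rows)
}

# (2) Why the Default Domain Controllers Policy can lose: an enforced link higher in
# the tree still applies through blocked inheritance and wins on conflicting settings.
function Get-DcOuPolicyPrecedence {
    Import-Module GroupPolicy -ErrorAction Stop
    $domainDn = "$(([ADSI]'LDAP://RootDSE').defaultNamingContext)"
    $inh = Get-GPInheritance -Target "OU=Domain Controllers,$domainDn"
    [pscustomobject]@{
        InheritanceBlocked = $inh.GpoInheritanceBlocked
        # Enforced links whose target is not the DC OU itself, i.e. pushed down from the domain
        EnforcedFromAbove  = @($inh.InheritedGpoLinks |
            Where-Object { $_.Enforced -and $_.Target -notlike 'OU=Domain Controllers,*' } |
            ForEach-Object { $_.DisplayName })
        LinkedHere         = @($inh.GpoLinks | ForEach-Object { $_.DisplayName })
    }
}

# (3) Run on a domain controller: is the Exchange Servers group in the effective
# SeSecurityPrivilege assignment? secedit exports the right as '*SID,*SID,...'.
function Test-ExchangeSaclRightOnDc {
    param([string]$GroupName = 'Exchange Servers')
    $acct    = New-Object System.Security.Principal.NTAccount($GroupName)
    $exchSid = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $inf = Join-Path $env:TEMP 'userrights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = (Get-Content $inf) -match '^SeSecurityPrivilege\s*='
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return $false }
    $sids = ($line[0] -replace '^SeSecurityPrivilege\s*=\s*', '') -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') }
    return [bool]($sids -contains $exchSid)
}

# Put parts 1 and 2 together on the Exchange server (part 3 is for a DC, so not called here)
function Invoke-ExchangeDcPolicyCheck {
    $bad = Get-Exchange2080SaclStatus | Where-Object { $_.SaclRight -ne 1 }
    if ($bad) {
        Write-Warning "Event 2080 reports SACL right = 0 on: $(($bad | ForEach-Object { $_.DomainController }) -join ', ')"
        $gp = Get-DcOuPolicyPrecedence
        if ($gp.InheritanceBlocked -and $gp.EnforcedFromAbove.Count -gt 0) {
            Write-Warning "Domain Controllers OU blocks inheritance, but these enforced GPOs still apply and win: $($gp.EnforcedFromAbove -join ', ')"
        }
        return $gp
    }
    Write-Host 'Every DC in event 2080 shows SACL right = 1; the Exchange Servers right is in place.'
}

Invoke-ExchangeDcPolicyCheck
```

If the check reports an enforced Default Domain Policy above a blocked Domain Controllers OU, the fix the article applied maps to `Set-GPLink -Name 'Default Domain Policy' -Target $domainDn -Enforced No` followed by `gpupdate /force` on each DC, after which `Test-ExchangeSaclRightOnDc` on a DC should return `$true` and a fresh event 2080 on the Exchange server should show SACL right = 1. A cleaner long-term fix is to remove the conflicting user-rights setting from the Default Domain Policy rather than rely on link order.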
