Wednesday, April 21, 2010

DSC_E_NO_SUITABLE_CDC error with Exchange Server 2010 (SACL right)

I'm in the middle of a project at a client site where we've completed both the initial preparation tasks and the installation of various server roles for an Exchange 2010 implementation. Somewhere between last Tuesday and Friday our three-server Exchange 2010 environment stopped working. The symptoms included:

  • Booting the server would take anywhere from 30 minutes to 1 hour while waiting for "Applying Computer Settings" to finish.
  • Once the CTRL-ALT-DEL screen was available and you authenticated, it would take anywhere from 30 minutes to 1 hour while waiting for the "Applying User Settings" screen to go away.
  • The Microsoft Exchange Information Store service would be stuck in a "starting" state.
  • The Microsoft Exchange Transport service would also be stuck in a "starting" state.
  • The Event Viewer would show MAD.EXE with an error code of 0x80040a02 (DSC_E_NO_SUITABLE_CDC).
  • Event Viewer would also show MAD.EXE: "All Domain Controllers in use are not responding."
  • Event Viewer would show MSEXCHANGEADTOPOLOGYSERVICE.EXE: "Topology discovery failed."

As it turns out, the organization may have modified their Default Domain Controllers GPO. The modification was to a setting under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment. The setting they changed is "Manage auditing and security log", which contained the global group "Exchange Enterprise Servers" among others. The key issue here is that it DIDN'T contain the "Exchange Servers" Universal Group.

Over time the DCs will re-apply GPOs and overwrite the security settings put in place by the /prepareAD process during setup. I was able to replicate this issue in my lab environment by removing the Universal Group (breaking Exchange 2010), then adding it back to the GPO (fixing it). The Microsoft TechNet article which discusses the AD preparation tasks shows the process making a change to the "Manage Audit and Security Log" value in the very last bullet at the bottom of the page.

One way to determine whether you have the same issue is to look for Event ID 2080. This event is logged in both healthy and unhealthy environments, and it shows whether the SACL right attribute is equal to "1", which is required.

The following image shows a "healthy" Event ID 2080 where the SACL right property on the first DC it found is equal to 1. Counting backward from the end of the row, you pass the OS Version, Netlogon and Critical Data attributes (1, 7, 1) and then reach the 1 assigned to SACL right.

In an unhealthy situation you will see a zero (0) in the SACL right column.
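The same check can be scripted rather than read off the Event Viewer. The PowerShell below is an added example, not code from the original post: it parses the DC table in an event 2080 message and flags any DC whose SACL right column is 0. The row layout (server name, role flags, then nine numeric columns ending in OS Version) and the provider name "MSExchange ADAccess" are assumptions; the sample message is constructed.

```powershell
# Added example, not code from the original post. Parses the DC table in an
# MSExchange ADAccess event 2080 and flags any DC whose "SACL right" column is 0.
# Assumed row layout (matching the event's own column header):
#   <server> <roles e.g. CDG> Enabled Reachability Synchronized GCcapable PDC SACLright CriticalData Netlogon OSVersion
# so SACL right is the 4th numeric column counting back from OS Version.

function Get-SaclRightStatus {
    param([Parameter(Mandatory)][string]$Message)

    foreach ($line in ($Message -split "`r?`n")) {
        $tokens = $line.Trim() -split '\s+'
        # A DC row is: server name, role flags, then nine numeric columns.
        if ($tokens.Count -lt 11) { continue }
        $numeric = $tokens[-9..-1]
        if (@($numeric | Where-Object { $_ -notmatch '^\d+$' }).Count -gt 0) { continue }

        [pscustomobject]@{
            Server    = $tokens[0]
            Roles     = $tokens[1]
            SaclRight = [int]$numeric[-4]   # OS Version, Netlogon, Critical Data, then SACL right
            Healthy   = ($numeric[-4] -eq '1')
        }
    }
}

function Test-ExchangeSaclRight {
    # Reads the newest event 2080 from the Application log on this Exchange server.
    # Provider name "MSExchange ADAccess" is an assumption here.
    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MSExchange ADAccess'; Id = 2080 } -MaxEvents 1
    Get-SaclRightStatus -Message $evt.Message
}

# Constructed sample message: dc01 is healthy, dc02 is missing the SACL right.
$sample = @"
Process MAD.EXE (PID=2412). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
 (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
dc01.example.local CDG 1 7 7 1 0 1 1 7 1
dc02.example.local CDG 1 7 7 1 1 0 1 7 1
Out-of-site:
"@

Get-SaclRightStatus -Message $sample | Format-Table -AutoSize
# On a live server: Test-ExchangeSaclRight | Where-Object { -not $_.Healthy }
```

Any DC reported with Healthy = False is one where the "Exchange Servers" group is missing the "Manage auditing and security log" right, so check the Default Domain Controllers GPO before chasing anything else.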

A word about IPv6 and Exchange Server 2007 and 2010
The biggest red herring I found when troubleshooting this one, from articles others had posted, was related to IPv6. I see quite a few people suggesting that IPv6 is required for Exchange 2007 and 2010. This is NOT true. As a matter of fact, if the server hosting Exchange 2007 or 2010 is a DC then IPv6 must be enabled; otherwise, simply uncheck the checkbox in TCP/IP properties on all connected interfaces. You don't need to bugger with the registry to "really disable it", just uncheck the checkbox.