Wednesday, April 21, 2010

DSC_E_NO_SUITABLE_CDC error with Exchange Server 2010 (SACL right)

I'm in the middle of a project at a client site where we've completed both the initial preparation tasks and the installation of various server roles for an Exchange 2010 implementation. Somewhere between last Tuesday and Friday our three-server Exchange 2010 environment stopped working. The symptoms included:

  • Booting the server would take anywhere from 30 minutes to 1 hour while waiting for "Applying Computer Settings" to finish.
  • Once the CTRL-ALT-DEL screen was available and you authenticated, it would take anywhere from 30 minutes to 1 hour while waiting for the "Applying User Settings" screen to go away.
  • The Microsoft Exchange Information Store service would be stuck in a "starting" state.
  • The Microsoft Exchange Transport service would also be stuck in a "starting" state.
  • Event Viewer would show MAD.EXE with an error code of 0x80040a02 (DSC_E_NO_SUITABLE_CDC).
  • Event Viewer would also show MAD.EXE: "All Domain Controllers in use are not responding."
  • Event Viewer would show MSEXCHANGEADTOPOLOGYSERVICE.EXE: "Topology discovery failed."

As it turns out, the organization may have modified their Default Domain Controllers GPO. The modification was to a setting under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment. The setting they had changed is "Manage auditing and security log", which contained the global group called "Exchange Enterprise Servers" among others. The key issue here is that it DIDN'T contain the "Exchange Servers" Universal Group.

Over time the DCs will re-apply GPOs and overwrite the security put in place by the setup.com /prepareAD process during setup. I was able to replicate this issue in my lab environment by removing the Universal Group from the GPO, which broke Exchange 2010, then adding it back to the GPO, which fixed it. The Microsoft TechNet article which discusses the AD preparation tasks (http://technet.microsoft.com/en-ca/library/bb125224.aspx) shows the process making a change to the "Manage Audit and Security Log" value in the very last bullet at the bottom of the page.

One of the things you can do to determine if you have the same issue is to look for Event ID 2080. This event is logged in both healthy and unhealthy environments, and it shows you whether the SACL right attribute for each domain controller is equal to "1", which is required.

The following image shows a "healthy" Event ID 2080 where the SACL right property on the first DC it found is equal to 1. Counting backward from the OS Version, Netlogon and Critical Data attributes (1, 7, 1), the next value is the 1 assigned to SACL right.

[Image: healthy Event ID 2080 output]

In an unhealthy situation you will see a zero (0) in the SACL right column.
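To make the two checks in this post concrete, here is an added PowerShell example (mine, not the author's) that parses the DC table in Event ID 2080 for the SACL right column and inspects the Default Domain Controllers GPO for the "Exchange Servers" group. The provider name "MSExchange ADAccess", the column order (taken from the post's description) and the Get-GPOReport XML layout are assumptions.

```powershell
# Added example, not from the original post: two checks for the issue above.
#  (1) Parse Event ID 2080 and report the "SACL right" value per DC.
#  (2) Confirm "Exchange Servers" holds "Manage auditing and security log"
#      (SeSecurityPrivilege) in the Default Domain Controllers GPO.
# Assumed: provider name "MSExchange ADAccess", the column order the post
# describes (... SACL right, Critical Data, Netlogon, OS Version) and the
# Get-GPOReport XML layout used below.

function Get-SaclRightFromEvent2080 {
    param([Parameter(Mandatory)][string]$Message)
    foreach ($line in ($Message -split "`r?`n")) {
        $tokens = $line.Trim() -split '\s+'
        # A DC row ends in four single-digit columns; counting back from
        # OS Version, Netlogon and Critical Data, the 4th from the end is SACL right.
        if ($tokens.Count -lt 5) { continue }
        if (($tokens[-4..-1] -join '') -notmatch '^\d{4}$') { continue }
        [pscustomobject]@{
            Server    = $tokens[0]
            SaclRight = [int]$tokens[-4]
            Healthy   = ($tokens[-4] -eq '1')
        }
    }
}

function Get-ExchangeDcSaclStatus {
    # Newest 2080 event in the local Application log (run on the Exchange server).
    $ev = Get-WinEvent -MaxEvents 1 -ErrorAction Stop -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'MSExchange ADAccess'; Id = 2080 }
    Get-SaclRightFromEvent2080 -Message $ev.Message
}

function Test-ExchangeServersAuditRight {
    # Needs the GroupPolicy module (RSAT). $true when the group holds the right.
    param([string]$GpoName = 'Default Domain Controllers Policy')
    [xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml
    $right = $report.GPO.Computer.ExtensionData.Extension.UserRightsAssignment |
             Where-Object { $_.Name -eq 'SeSecurityPrivilege' }
    return [bool](@($right.Member.Name) -match '\\Exchange Servers$')
}

# Constructed sample (names and PID made up) so the parser runs offline;
# dc2 shows the unhealthy 0 in the SACL right column.
$sample = @"
Process MAD.EXE (PID=1234). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
 (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
dc1.example.local   CDG 1 7 7 1 0 1 1 7 1
dc2.example.local   CDG 1 7 7 1 0 0 1 7 1
"@
Get-SaclRightFromEvent2080 -Message $sample | Format-Table -AutoSize
```

Run Get-ExchangeDcSaclStatus on the affected Exchange server and Test-ExchangeServersAuditRight from a machine with the GroupPolicy module; a 0 in the first and $false from the second point at the GPO change described above.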

A word about IPv6 and Exchange Server 2007 and 2010
The biggest red herring I found when troubleshooting this one, from articles others had posted, was related to IPv6. I see quite a few people suggesting IPv6 is required for Exchange 2007 and 2010. This is NOT true. As a matter of fact, only if the server hosting Exchange 2007 or 2010 is a DC must IPv6 be enabled; otherwise simply uncheck the checkbox in TCP/IP properties on all connected interfaces. You don't need to bugger with the registry to "really disable it"; just uncheck the checkbox.

Cheers.

26 comments:

  1. You saved my day, I disabled ip6 and my clean install stopped working. Thanks a lot!!!

  2. I experienced the same symptoms you describe with Exchange 2010 installed on a domain controller, but the "Exchange Servers" group WAS present in the GPO. IPv6 was installed but not bound to the only NIC. I fixed my problem by disabling IPv6 in the registry (changing some key to 0xFFFFFFFF from instructions I found elsewhere) and binding it to the NIC (checking the box). Now the server is fat dumb and happy.

    Thanks much for your tip -- it got me looking at the right things.

    --Jeff

  3. This saved me so much time. I kept on finding all these references to IPv6, and it really is a total red herring.

  4. Exact same issue here, Microsoft would be best served by ceasing and resisting trying to push adoption of IPV6 -- it is about 1/3 baked!

  5. Two days I fought with this.. I was convinced I needed IPv6 enabled and almost reversed the setting on my 2008 servers. Made this change in my GPO and now my Exchange 2010 server boots up in no time with all services started! I also couldn't install the Mailbox Role (because the transport service wouldn't start) but that's fixed too.

    Thanks!

  6. Man you just saved my life. I want to send you a fruit basket to show my appreciation!! :-)

  7. "As a matter of fact, if the server hosting Exchange 2007 or 2010 is a DC, then IPv6 must be enabled"

    I FUCKIN' LOVE YOU. You saved me from being fired.

    GOD BLESS YOU!

  8. Spot-on, mate...spot on. GP blows, lol. Whomever invented it loves to share pain.

  9. "As a matter of fact, if the server hosting Exchange 2007 or 2010 is a DC, then IPv6 must be enabled"

    WOW!! I wish I knew that a day ago. You just solved the problem I spent all night trying to fix. THANKS!!!!!

  10. On my server ipv6 is ticked off, but the GPO does contain the Exchange servers group.
    Is it safe to enable ipv6(it was installed without it), or should I completely disable it?

    Any replies appreciated.

  11. Replies
    1. I've enabled it, and the ExchangeADAccess errors are gone, and my DC is available. :)
      Thanks for this post!!!

  12. YOU ARE A GENIUS! After a week of troubleshooting IPv6 from other blogs, I stumbled upon this information and found myself getting excited that all the symptoms were the same. As soon as I added the "Exchange Servers" permissions to my Group Policy, I was back in business. Thanks so much for sharing your knowledge!

  13. Great solution - worked like a charm!

  14. Thanks Jason Shave,

    IPv6 well who would have thought that when all I did was change the IP address on the only adapter to reflect a new network address. MS make things so difficult, MS take a look at IBM i on how to implement an OS!

  15. Thank you so much. You've saved my head! I guess the difficulty makes the fat pay we earn.

  16. Thanks, enabling IPv6 solved the problem (yes, I try to run Exchange on a DC)

  17. Saved me a lot of time with this article. Thanks!

  18. Dude...GPO...Sucks... You're awesome!

  19. Very nice work. I'm glad it's at the top of Google search so I didn't destroy my Exchange box before finding this excellent solution :)

  20. Thank you very much sir. You saved me another week of mucking about with IPV6 settings in a futile attempt to get Exchange working.
    May many beers be in your future.

  21. Sincerely appreciate the information. We are running 2010 on a DC and not sure how IPv6 became unchecked. Great to know how to resolve this issue.

  22. almost just shat my pants doing an AD project where we demoted the last DC that had this set - the new ones didn't - thanks a bunch for keeping me not fired.
