Wednesday, April 21, 2010

DSC_E_NO_SUITABLE_CDC error with Exchange Server 2010 (SACL right)

I'm in the middle of a project at a client site where we've completed both the initial preparation tasks and the installation of the various server roles for an Exchange 2010 implementation. Somewhere between last Tuesday and Friday our three-server Exchange 2010 deployment stopped working. The symptoms included:

  • Booting the server would take anywhere from 30 minutes to 1 hour while waiting for "Applying Computer Settings" to finish.
  • Once the CTRL-ALT-DEL screen was available and you authenticated, it would take anywhere from 30 minutes to 1 hour while waiting for the "Applying User Settings" screen to go away.
  • The Microsoft Exchange Information Store service would be stuck in a "starting" state.
  • The Microsoft Exchange Transport service would also be stuck in a "starting" state.
  • Event Viewer would show MAD.EXE logging error code 0x80040a02 (DSC_E_NO_SUITABLE_CDC).
  • Event Viewer would also show MAD.EXE logging "All Domain Controllers in use are not responding."
  • Event Viewer would show MSEXCHANGEADTOPOLOGYSERVICE.EXE logging "Topology discovery failed."

As it turns out, the organization may have modified their Default Domain Controllers GPO. The modification was to a setting under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment. The setting they had changed is "Manage auditing and security log", which contained the global group called "Exchange Enterprise Servers" among others. The key issue here is that it DIDN'T contain the "Exchange Servers" Universal Group.

Over time the DCs re-apply GPOs and overwrite the user-right assignment that the setup.com /prepareAD process put in place during setup. I was able to replicate this issue in my lab environment by removing the Universal Group from the GPO, which broke Exchange 2010, and then adding it back, which fixed it. The Microsoft TechNet article that discusses the AD preparation tasks, http://technet.microsoft.com/en-ca/library/bb125224.aspx, shows the process making a change to the "Manage Audit and Security Log" value in the very last bullet at the bottom of the page.

One of the things you can do to determine whether you have the same issue is to look for Event ID 2080. This event is logged in both healthy and unhealthy environments, and it shows whether the SACL right column for each DC is equal to "1", which is required.

The following image shows a "healthy" Event ID 2080 where the SACL right property on the first DC it found is equal to 1. Counting backward from the right-hand end of the row, the OS Version, Netlogon and Critical Data columns read 1, 7, 1; the next value to the left is the 1 assigned to SACL right.


In an unhealthy situation you will see a zero (0) in the SACL right column.
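The Event ID 2080 check above can be scripted rather than counted by eye. The following PowerShell is an added example, not code from the original post: it parses the per-DC table in a 2080 message and flags every DC whose SACL right column is 0. The sample message is constructed to mirror the 2080 layout (column names and order are taken from the event's own header line); the commented Get-WinEvent line shows where the live event would be read instead.

```powershell
# Added example (not from the original post): parse the DC table in an
# MSExchange ADAccess Event ID 2080 and flag any DC whose "SACL right"
# column is 0, i.e. the "Manage auditing and security log" right is missing.

# Column order in the 2080 table, after the server name and the roles field.
$Columns = 'Enabled','Reachability','Synchronized','GCCapable','PDC',
           'SACLRight','CriticalData','Netlogon','OSVersion'

function ConvertFrom-AdAccess2080 {
    param([Parameter(Mandatory)][string]$Message)
    $Message -split "`r?`n" | ForEach-Object {
        # DC rows look like: "dc1.contoso.com   CDG 1 7 7 1 0 1 1 7 1"
        if ($_ -match '^\s*(?<dc>\S+)\s+(?<roles>[CDG-]+)\s+(?<vals>(\d+\s*){9})$') {
            $vals = @($Matches.vals -split '\s+' | Where-Object { $_ -ne '' } |
                      ForEach-Object { [int]$_ })
            $row = [ordered]@{ Server = $Matches.dc; Roles = $Matches.roles }
            for ($i = 0; $i -lt $Columns.Count; $i++) { $row[$Columns[$i]] = $vals[$i] }
            [pscustomobject]$row
        }
    }
}

# CONSTRUCTED sample: one healthy DC and one where the SACL right is 0.
$Sample = @"
Process MAD.EXE (PID=1234). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
 (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
dc1.example.local   CDG 1 7 7 1 0 1 1 7 1
dc2.example.local   CDG 1 7 7 1 1 0 1 7 1
Out-of-site:
"@

# Live alternative on an Exchange server: read the newest 2080 from the Application log.
# $Sample = (Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='MSExchange ADAccess'; Id=2080} -MaxEvents 1).Message

$dcs = ConvertFrom-AdAccess2080 -Message $Sample
$dcs | Format-Table Server, Roles, SACLRight, CriticalData, Netlogon, OSVersion -AutoSize

# A DC with SACLRight 0 is where to look: confirm that the "Exchange Servers"
# group is listed under "Manage auditing and security log" in the GPO applied to DCs.
$dcs | Where-Object { $_.SACLRight -eq 0 } | ForEach-Object {
    Write-Warning "$($_.Server): SACL right is 0; Exchange will not use this DC until the right is restored."
}
```

With the constructed sample, dc2.example.local is reported with SACL right 0 and dc1.example.local passes.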

A word about IPv6 and Exchange Server 2007 and 2010
The biggest red herring I found when troubleshooting this one from articles others had posted was related to IPv6. I see quite a few people suggesting IPv6 is required for Exchange 2007 and 2010. This is NOT true. The one exception: if the server hosting Exchange 2007 or 2010 is itself a DC, then IPv6 must be enabled. Otherwise, simply uncheck the IPv6 checkbox in TCP/IP properties on all connected interfaces. You don't need to bugger with the registry to "really disable it". Just uncheck the checkbox.

Cheers.

16 comments:

  1. You saved my day, I disabled ip6 and my clean install stopped working. Thanks a lot!!!

  2. I experienced the same symptoms you describe with Exchange 2010 installed on a domain controller, but the "Exchange Servers" group WAS present in the GPO. IPv6 was installed but not bound to the only NIC. I fixed my problem by disabling IPv6 in the registry (changing some key to 0xFFFFFFFF from instructions I found elsewhere) and binding it to the NIC (checking the box). Now the server is fat dumb and happy.

    Thanks much for your tip -- it got me looking at the right things.

    --Jeff

  3. This saved me so much time. I kept on finding all these references to IPv6, and it really is a total red herring.

  4. Exact same issue here, Microsoft would be best served by ceasing and resisting trying to push adoption of IPV6 -- it is about 1/3 baked!

  5. Two days I fought with this.. I was convinced I needed IPv6 enabled and almost reversed the setting on my 2008 servers. Made this change in my GPO and now my Exchange 2010 server boots up in no time with all services started! I also couldn't install the Mailbox Role (because the transport service wouldn't start) but that's fixed too.

    Thanks!

  6. Man you just saved my life. I want to send you a fruit basket to show my appreciation!! :-)

  7. "As a matter of fact, if the server hosting Exchange 2007 or 2010 is a DC, then IPv6 must be enabled"

    I FUCKIN' LOVE YOU. You saved me from being fired.

    GOD BLESS YOU!

  8. Spot-on, mate...spot on. GP blows, lol. Whomever invented it loves to share pain.

  9. "As a matter of fact, if the server hosting Exchange 2007 or 2010 is a DC, then IPv6 must be enabled"
    WOW!! I wish I knew that a day ago. You just solved the problem I spent all night trying to fix. THANKS!!!!!

  10. On my server IPv6 is ticked off, but the GPO does contain the Exchange Servers group.
    Is it safe to enable IPv6 (it was installed without it), or should I completely disable it?

    Any replies appreciated.

  11. Replies
    1. I've enabled it, and the ExchangeADAccess errors are gone, and my DC is available. :)
      Thanks for this post!!!
  12. YOU ARE A GENIUS! After a week of troubleshooting IPv6 from other blogs, I stumbled upon this information and found myself getting excited that all the symptoms were the same. As soon as I added the "Exchange Servers" permissions to my Group Policy, I was back in business. Thanks so much for sharing your knowledge!
