I was asked to troubleshoot an issue at a customer site where the Exchange 2010 servers stopped working. As usual, everything was working fine the previous evening!
The servers were throwing the following error message.
Source: MSExchange ADAccess
Event ID: 2114
Task Category: Topology
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=8000). Topology discovery failed, error 0×80040a02 (DSC_E_NO_SUITABLE_CDC). Look up the Lightweight Directory Access Protocol (LDAP) error code specified in the event description. To do this, use Microsoft Knowledge Base article 218185, “Microsoft LDAP Error Codes.” Use the information in that article to learn more about the cause and resolution to this error. Use the Ping or PathPing command-line tools to test network connectivity to local domain controllers.
The KB article mentioned gave outdated information (applicable to Windows 2000) and proved useless.
An information entry was logged in the event viewer just before the error.
Event Type: Information
Event Source: MSExchange ADAccess
Event Category: Topology
Event ID: 2080
Process MSEXCHANGETOPLOGYSERVICE.EXE (PID=8000). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
DC1.FQDN CDG 1 7 7 1 0 0 1 7 1
DC2.FQDN CDG 1 7 7 1 0 0 1 7 1
As the SACL Right was showing as zero, I quickly figured out that the exchange servers are not having the correct permissions to access the domain controllers.
Exchange does not use any domain controller that does not have permissions to read the SACL on the nTSecurityDescriptor attribute in the domain controller. You must have at least one server that satisfies each role (C, D, or G) and that shows 1 in the SACL right column.
I quickly checked the "Default Domain Controllers Policy" to see whether exchange servers had permissions on the "Manage Auditing and Security" under User Rights Assignment and that was fine.
I checked the NIC settings to see whether IPv6 was disabled and it was. I checked the registry to see whether it was fully disabled and it wasn’t. Hence I enabled IPv6 to be on the safe side. But, that didn’t fix the issue.
After looking around for a while, I found the cause of the issue. Someone had actually removed all Exchange servers from the default "Exchange Servers" group as part of AD "cleanup" process. Luckily, the group was still there. I added all the Exchange servers to the group and rebooted them to pick up the changes immediately.
Everything started working once the servers were back online!