I was asked to troubleshoot an issue at a customer site where the Exchange 2010 servers stopped working. As usual, everything was working fine the previous evening!
The servers were throwing the following error message.
Source: MSExchange ADAccess
Event ID: 2114
Task Category: Topology
Level: Error
Description:
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=8000). Topology discovery failed, error 0x80040a02 (DSC_E_NO_SUITABLE_CDC). Look up the Lightweight Directory Access Protocol (LDAP) error code specified in the event description. To do this, use Microsoft Knowledge Base article 218185, "Microsoft LDAP Error Codes." Use the information in that article to learn more about the cause and resolution to this error. Use the Ping or PathPing command-line tools to test network connectivity to local domain controllers.
The KB article mentioned gave outdated information (applicable to Windows 2000) and proved useless.
An informational entry (Event ID 2080) was logged in the Application event log just before the error. This event lists every domain controller the Exchange server discovered and, per DC, the flags that decide whether Exchange is willing to use it.
Event Type: Information
Event Source: MSExchange ADAccess
Event Category: Topology
Event ID: 2080
User: N/A
Computer:
Description:
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=8000). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
DC1.FQDN CDG 1 7 7 1 0 0 1 7 1
DC2.FQDN CDG 1 7 7 1 0 0 1 7 1
The SACL right column showed 0 for both domain controllers, so the Exchange servers evidently no longer had the permissions they need on the DCs.
Exchange will not use a domain controller on which the Exchange server's computer account cannot read the SACL of the nTSecurityDescriptor attribute; that read requires the "Manage auditing and security log" user right (SeSecurityPrivilege) on the DC. For topology discovery to succeed you need at least one DC for each role in the Roles column (C = configuration domain controller, D = domain controller, G = global catalog) that is enabled and shows 1 in the SACL right column. Here both DCs covered all three roles but neither was usable, which is exactly the DSC_E_NO_SUITABLE_CDC in the 2114 event.
I first checked the "Default Domain Controllers Policy" to confirm that the Exchange Servers group was still listed under "Manage auditing and security log" in User Rights Assignment, and it was.
I then checked the NIC settings and found IPv6 unbound, while the registry showed it was not fully disabled. I enabled IPv6 again to be on the safe side, but that did not fix the issue.
After looking around for a while, I found the cause. Someone had removed all the Exchange servers from the default "Exchange Servers" group as part of an AD "cleanup". That group is the principal the Default Domain Controllers Policy grants "Manage auditing and security log" to, so a server taken out of it loses SeSecurityPrivilege on every DC and its SACL right drops to 0, even though the policy itself is untouched. Luckily, the group was still there. I added all the Exchange servers back to the group and rebooted them so that their computer accounts picked up the new group membership immediately.
Everything started working once the servers were back online!
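As an added example (this is not code from the original post), the PowerShell below turns the 2080 "discovered servers" table into objects and applies the rule described above: every role (C, D, G) needs at least one enabled DC with SACL right = 1, and any DC showing 0 is reported. The sample event text is constructed from the two rows quoted above; the live checks at the end assume you run them on the Exchange server with the ActiveDirectory RSAT module installed, and that the group is still named "Exchange Servers" as on this site.

```powershell
# Added example: parse MSExchange ADAccess event 2080 and check role/SACL coverage.
# The message text below is constructed from the rows shown in the post.
$sample2080 = @"
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=8000). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
DC1.FQDN CDG 1 7 7 1 0 0 1 7 1
DC2.FQDN CDG 1 7 7 1 0 0 1 7 1
"@

function ConvertFrom-Event2080 {
    # Returns one object per DC row; header and section lines ("In-site:") are skipped.
    param([Parameter(Mandatory)][string]$Message)
    $columns = 'Server','Roles','Enabled','Reachability','Synchronized',
               'GCCapable','PDC','SaclRight','CriticalData','Netlogon','OSVersion'
    foreach ($line in ($Message -split "`r?`n")) {
        $fields = $line.Trim() -split '\s+'
        # A DC row has exactly 11 whitespace-separated fields and starts with an FQDN.
        if ($fields.Count -ne 11 -or $fields[0] -notmatch '\.') { continue }
        $obj = [ordered]@{}
        for ($i = 0; $i -lt 11; $i++) { $obj[$columns[$i]] = $fields[$i] }
        [pscustomobject]$obj
    }
}

function Test-TopologyCoverage {
    # Applies the rule from the post: each of C, D, G must be served by a DC that is
    # enabled and on which this Exchange server can read the SACL (SaclRight = 1).
    param([Parameter(Mandatory)][object[]]$Servers)
    $problems = @()
    foreach ($role in 'C','D','G') {
        $usable = $Servers | Where-Object {
            $_.Roles -like "*$role*" -and $_.Enabled -eq '1' -and $_.SaclRight -eq '1'
        }
        if (-not $usable) {
            $problems += "No usable DC for role $role (needs Enabled=1 and SACL right=1) - expect DSC_E_NO_SUITABLE_CDC"
        }
    }
    foreach ($dc in ($Servers | Where-Object { $_.SaclRight -ne '1' })) {
        $problems += "$($dc.Server): SACL right = $($dc.SaclRight); this server lacks 'Manage auditing and security log' there"
    }
    return $problems
}

# Offline run against the constructed sample: both DCs are flagged and all three roles are uncovered.
$servers = ConvertFrom-Event2080 -Message $sample2080
$servers | Format-Table -AutoSize
Test-TopologyCoverage -Servers $servers

# --- Live checks on an affected Exchange server (assumptions: ActiveDirectory module present) ---
# 1. Evaluate the most recent real 2080 event instead of the sample.
$ev = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MSExchange ADAccess'; Id = 2080 } -MaxEvents 1
Test-TopologyCoverage -Servers (ConvertFrom-Event2080 -Message $ev.Message)

# 2. Is this computer (still) a member of the Exchange Servers group? Nested membership counts.
$members = Get-ADGroupMember -Identity 'Exchange Servers' -Recursive | Select-Object -ExpandProperty Name
if ($members -notcontains $env:COMPUTERNAME) {
    "$env:COMPUTERNAME is NOT a member of 'Exchange Servers'; add it and reboot so the new group SID is in the computer's token."
}

# 3. On a DC: which SIDs hold SeSecurityPrivilege in the effective policy? The Exchange Servers group SID should be listed.
#    secedit /export /cfg C:\Temp\secpol.inf
#    Select-String -Path C:\Temp\secpol.inf -Pattern 'SeSecurityPrivilege'
#    (Get-ADGroup 'Exchange Servers').SID.Value   # compare against the SIDs printed above
```

The parser is deliberately strict about the 11-column shape so that a future column change in the event text fails loudly (no rows) rather than silently mapping the wrong field to SaclRight. Step 2 is the check that would have found this site's problem directly; step 3 distinguishes "group is missing from the policy" (the commenters' case) from "server is missing from the group" (this post's case).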
Thanks! You Saved the day! Corrupted GPO was the culprit! :-)
Thanks Mats
GREAT POST! I had one of the guys on my team P2V a CAS\HUB then delete it out of AD. Can you say NIGHTMARE? This saved me a lot of stress (well after I started google’n). All about permissions.
Glad to help Zen.
You are my hero Rajith… Been busy for hours with all TechNET/MSDN, ExpertsExchange etc website solutions involving creating new topology structures, NTDSUtil, NTDSEdit etc etc, None worked.
Then tried your 'easy' solution – only adding the server to the Exchange Servers Group, rebooted the server (for the tenth time this evening already) and it worked!!! (Don't know why it was removed though).
Thanks Vincent. Spread the word ;-)
You saved my day! After adding a new Exchange 2010 Server to our organization (only one Ex 2003 server) without problems, almost all Exchange services on the new server refused to start after the first reboot. I was struggling for 3 days…
It turned out that the issue described above within the default domain controllers policy was the problem. The old Exchange server was a member of the security group 'Exchange Domain Servers', while the new Exchange server was a member of the security group 'Exchange Server' – that one didn't have the appropriate permission.
Glad to help Matthias
Thanks for the update Carlos.
The policy was my problem. The Exchange Server group wasn't in the policy. Thanks for the solution.
Microsoft should include this as part of the ExBPA.
Carlos Márquez
We have the same problem!
Sadly the servers were in the group still.
Re-running setup /PrepareAD resolved the problem for a while but it has returned! (within hours)
Any ideas?