Quick method to diagnose Exchange Active Directory Access & Service Startup Issues

Background:

My colleague Jedidiah Hammond wrote a great post awhile back on troubleshooting Exchange Service start-up issues. One of the main areas of focus of the post were issues with Active Directory Global Catalog servers. This can be considered an ad-on to that post as I’ll describe a useful method to troubleshoot Exchange permissions in Active Directory; more specifically, verifying Exchange has the proper access to the Global Catalog servers in and out of it’s respective Active Directory site.

Scenario:

Suppose you find that the Microsoft Exchange Active Directory Topology Service isn’t starting; or the System Attendant, or the Information Store service. Or perhaps the Exchange Management Console or Exchange Management Shell will not connect and is complaining of Active Directory/Global Catalog issues.
Often times this is a result of a port being blocked by Anti-V/Firewall between the Exchange Server and your Global Catalog. Or possibly a configuration issue on the network stack (IP/DNS/etc); maybe someone even powered your GC off much to your dismay. Assuming you have already worked through the above scenarios, one useful tool to verify Exchange/AD functionality is actually a very commonly used one; Event Viewer.

When you first deploy Exchange and run “setup /PrepareAD” (or you let the GUI setup do it for you) it is actually setting many of these permissions in AD. (For a list of all of these changes see this Technet article).

Steps:

Below is an excerpt from MSExchange ADAccess Informational Event ID 2080. You’ll find it occurring roughly every 15min on your Exchange Servers.
Description:
Process STORE.EXE (PID=3376). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
Austin.ASH.ORG CDG 1 7 7 1 0 1 1 7 1
Out-of-site:
Houston.ASH.ORG CDG 1 7 7 1 0 1 1 7 1

This is an example of what the output should look like. You might be asking what those series of numbers represent. Well buried deep within the land of Exchange 2000 there lies a KB article explaining just that.

After reading the article you’ll find that these numbers are basically describing Exchange’s understanding of the Global Catalog servers made available to it; along with whether or not it has the proper ACLs set to be able to utilize them. If you find yourself pulling your hair out as to why Exchange is showing the symptoms I listed earlier, then look for this event on your Exchange server and you just might see something like the following:

Notice it ends with “0171” instead of “1171”. If we reference the above KB article then this tells us Exchange lacks the proper ACL’s in AD.

I’ve seen this many times with customers who have modified the Default Domain Controllers Group Policy or somehow blocked it’s use. I’ve also seen similar issues arise from unchecking “Include Inheritable Permissions from this Object’s Parent” in AD for various objects. If this is the case then please see the post I referenced earlier on how to resolve that. In addition, I’ve found re-running “setup.com /PrepareAD” to be a very useful troubleshooting step in situations such as these where you feel AD permissions may be at fault. Some customers have been weary of running this but honestly their fears stem from ignorance because “it just sounds scary” ; a quick read over the article I referenced earlier will tell you that running it again will only re-add the permissions Exchange has needed all along.
However, be aware that re-running PrepareAD may only resolve the issue temporarily as any bad Group Policies may find themselves being re-applied in about 15min so fixing the actual source of the issue should be the ultimate goal.

An additional note here is if you’re utilizing AD Split permissions with Exchange, there may be additional precautions to be taken before running PrepareAD again.

8 thoughts on “Quick method to diagnose Exchange Active Directory Access & Service Startup Issues”

Once I had this issue at particular site where Exchange 2003 was unable to discover local site DC and it went to remote DC’s @DCAccess tab everytime the service started.

The event id 2080 helped us actually stating the local DC’s iws missing with Exchange security groups in to local policy for Manage auditing and security logs.

One has to really know where to look for troubleshooting.

Tom Robertson

August 8, 2013 at 7:40 am

I had a similar issue with migrating to Exchange 2010. The issue was the informationstore service wouldn’t start. The pretests passed (AD/Exchange BPA on 2003) and thus I went forward with installing Exchange 2010.

I went to the EMC on 2010 server and ran a BPA/permissions check and I discovered that and handful of AD objects had inheritance blocked.

Once the issues were corrected the infostore service started and I was able to perform the migration.

Reply

Pingback: NeWay Technologies – Weekly Newsletter #18 – November 22, 2012NeWay | NeWay

I’ve seen a great many articles that reference that Exchange servers need the “Read nTSecurityDescriptor” right inherited through the “Manage auditing and security logs” User right but I have yet to see anyone explain why this right is needed. Why does exchange need to read security logs on DCs?

In exchange 2013 there is now a setting that requires you to have at least 50% of your domain controllers global catalog servers. Without 50% of your DC’s being GC’s you will get event id 2080 and exchange will fail to find other global catalogs in your organization. Took me 80 hours to fix this problem. Thought id share and save others some headaches.