Exchange 2007 and Group Policies

This has been the pain in my butt for the last couple of days.  I have been installing Exchange 2007 into an Active Directory that has been “played” with.  The AD boys basically disabled the Default Domain Controller Security Policy and created a new one.

So the Exchange Servers group never got added to the “Manage auditing and security log” user right in the new GPO.  What is strange is that the error you get is pants.

When you run setup it fails like this:

D:>setup /mode:install /roles:MB, CA, HT, MT
Welcome to Microsoft Exchange Server 2007 Unattended Setup

Preparing Exchange Setup

The following server roles will be installed

Management Tools
Hub Transport Role
Client Access Role
Mailbox Role

Performing Microsoft Exchange Server Prerequisite Check

Hub Transport Role Checks ……………………. COMPLETED
Client Access Role Checks ……………………. COMPLETED
Mailbox Role Checks ……………………. COMPLETED

If Outlook Web Access is in use, you should replicate the free/busy folder on this server to every other free/busy server in the organization. This step should be performed once Setup completes.

Configuring Microsoft Exchange Server

Copying Exchange files ……………………. COMPLETED
Hub Transport Server Role ……………………. FAILED

Service ‘MSExchangeTransport’ failed to start. Check the event log for possible reasons for the service start failure.
The Exchange Server setup operation did not complete. Visit http://support.microsoft.com and enter the Error ID to find more information.
Exchange Server setup encountered an error.

The Application Event Log comes back with these:

Event Type: Information
Event Source: MSExchange ADAccess
Event Category: Topology
Event ID: 2099
Description:
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=2608). Exchange Active Directory Provider will use the Configuration Domain Controller (gbrpsminw00001.gbl.barwealth.net) specified in a call to SetConfigDCName.


Event Type: Warning
Event Source: MSExchange ADAccess
Event Category: Topology
Event ID: 2101
Description:
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=2608). The configuration domain controller specified in a call to SetConfigDCName (gbrpsminw00001.gbl.barwealth.net) is unreachable. Exchange Active Directory Provider will select the configuration domain controller from the list of available domain controllers.


Event Type: Information
Event Source: MSExchange ADAccess
Event Category: Topology
Event ID: 2080
Description:
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=2608). Exchange Active Directory Provider has discovered the following servers with the following characteristics:

(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:

dc1.bob.net CDG 1 7 7 1 0 0 1 7 1
dc2.bob.net CDG 1 7 7 1 0 0 1 7 1

Out-of-site:

Event Type: Error
Event Source: MSExchange ADAccess
Event Category: Topology
Event ID: 2114
Description:
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=2608). Topology discovery failed, error 0x80040a02 (DSC_E_NO_SUITABLE_CDC). Look up the Lightweight Directory Access Protocol (LDAP) error code specified in the event description. To do this, use Microsoft Knowledge Base article 218185, “Microsoft LDAP Error Codes.” Use the information in that article to learn more about the cause and resolution to this error. Use the Ping or PathPing command-line tools to test network connectivity to local domain controllers.

So you can see that the SACL right column is 0 for both domain controllers, and all the KBs, newsgroups and Google results say “it’s not in a GPO”.

Make sure the Exchange Servers group has the “Manage auditing and security log” right in the GPO that actually applies to the domain controllers, and Bob’s your uncle!
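Before re-running setup, it helps to confirm the right really landed on the DC after all GPOs applied, rather than trusting the GPO editor. The script below is an added example, not from the original post: it exports the effective user-rights assignment on a domain controller with secedit and checks whether the Exchange Servers group holds SeSecurityPrivilege (the “Manage auditing and security log” right that the event 2080 SACL column reports). It assumes the group is named “Exchange Servers” and that you run it elevated on the DC.

```powershell
# Added example (not the original post's code). Run elevated on a domain controller.
# Assumption: the group is named "Exchange Servers" (resolved via the DC's domain).
$groupName = "Exchange Servers"

# secedit lists privilege holders as *SID entries, so resolve the group to its SID first.
$ntAccount = New-Object System.Security.Principal.NTAccount($groupName)
$groupSid  = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export the effective (post-GPO) user-rights assignment to an INF file.
$inf = Join-Path $env:TEMP "userrights.inf"
& secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $inf)) { throw "secedit export failed; run this elevated on the DC." }

# The [Privilege Rights] section contains a line such as:
#   SeSecurityPrivilege = *S-1-5-32-544,*S-1-5-21-...-1117
$line = Get-Content $inf | Where-Object { $_ -match '^SeSecurityPrivilege\s*=' }
$holders = @()
if ($line) {
    $holders = ($line -replace '^SeSecurityPrivilege\s*=\s*', '') -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
}

# Translate each SID back to a name for readable output; keep the raw value on failure.
$names = foreach ($h in $holders) {
    try { (New-Object System.Security.Principal.SecurityIdentifier($h)).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $h }
}

Write-Host "SeSecurityPrivilege holders on ${env:COMPUTERNAME}:"
$names | ForEach-Object { Write-Host "  $_" }

# Match by SID, or by name in case secedit wrote an unresolved account name instead.
$hasRight = ($holders -contains $groupSid) -or (($names | Where-Object { $_ -like "*\$groupName" }).Count -gt 0)
if ($hasRight) {
    Write-Host "OK: '$groupName' ($groupSid) holds Manage auditing and security log; event 2080 should show SACL right = 1."
} else {
    Write-Host "MISSING: '$groupName' ($groupSid) lacks the right. Add it to the GPO that actually applies to the Domain Controllers OU (gpresult /r shows which GPOs applied here)."
}
Remove-Item $inf -ErrorAction SilentlyContinue
```

Run it on each DC listed in event 2080, since the right must be present on every DC Exchange may pick as its configuration domain controller.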
