While reviewing the event logs on your Exchange server you could encounter the following error.
Log Name: Application Source: MSExchange ADAccess Event ID: 2112 Task Category: Topology Description: Process Microsoft.Exchange.Directory.TopologyService.exe (PID=2700). The Exchange computer dc03.supertekboy.com does not have Audit Security Privilege on the domain controller dc03.supertekboy.com. This domain controller will not be used by Exchange Active Directory Provider.
We ran into this recently at a customer. This was an odd error because the description specified the name of one of our domain controllers as an “Exchange Computer”. That aside, my customer was receiving this error for two of their three domain controllers (dc02 & dc03). The error was also repeated across all their Exchange servers.
To make matters worse if the customer shut down the only domain controller not reported in these errors (dc01) Exchange would become completely unavailable. As the error stated, dc02 and dc03 were definitely not being used by the Exchange Active Directory Provider.
Further analysis of the event logs also revealed informational alert MSExchange ADAccess 2080. In this alert we could see our three domain controllers with one striking difference.
Log Name: Application Source: MSExchange ADAccess Event ID: 2080 Task Category: Topology Description: Exchange Active Directory Provider has discovered the following servers with the following characteristics: (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version) In-site: dc01.supertekboy.com CDG 1 7 7 1 0 1 1 7 1 dc02.supertekboy.com CDG 1 7 7 1 0 0 1 7 1 dc03.supertekboy.com CDG 1 7 7 1 0 0 1 7 1
In the eighth column (highlighted), dc01 was reporting a 1 whereas dc02 and dc03 were reporting a 0. All other column data was identical between the three servers. The words in parenthesis are actually the column headers. They don’t line up very well in event viewer but if we count to the eighth word we see the column is titled “SACL right”. What this means is that the Exchange servers are missing the SACL right on the domain controllers marked with a zero. Or more specifically, Exchange is missing the right to manage the security and audit logs of those two domain controllers. [Read more…] about Exchange does not have Audit Security Privilege on the domain controller