Exchange Auth breaks when no local GC

1

I ran into a problem while installing our Exchange 2010 server where client access authentication does not work unless the server is configured as a domain controller with global catalogue.

I went to production with this because of time constraints but I really need to fix it now. I have no idea where the problem could be or how to identify the problem.

My question(s) is(are):

What could cause this issue? How could I test it and repair it?

I don't really know what information would be relevant to the issue, but:

Server OS is Win 2008 R2 and all DCs are the same. Exchange server has CAS, Hub Transport and Mailbox Server roles. External mail is received by another Exchange 2010 server running the Edge role in the DMZ. (This works okay and the Edge server is not a DC... obviously ;) )

Please let me know what additional information could be added to improve this question. I will add it as soon as I can.

This is a follow-on question from this.


dcdiag /v

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   * Verifying that the local machine DC2, is a Directory Server. 
   Home Server = DC2
   * Connecting to directory service on server DC2.
   * Identified AD Forest. 
   Collecting AD specific global data 
   * Collecting site info.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=corp,DC=domain,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
   The previous call succeeded 
   Iterating through the sites 
   Looking at base site object: CN=NTDS Site Settings,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
   Getting ISTG and options for the site
   * Identifying all servers.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=corp,DC=domain,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
   The previous call succeeded....
   The previous call succeeded
   Iterating through the list of servers 
   Getting information for the server CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain 
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=DC3,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain 
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=MX1,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain 
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   * Identifying all NC cross-refs.
   * Found 3 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests

   Testing server: Brisbane\DC2
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         Determining IP4 connectivity 
         * Active Directory RPC Services Check
         ......................... DC2 passed test Connectivity

Doing primary tests

   Testing server: Brisbane\DC2
      Starting test: Advertising
         The DC DC2 is advertising itself as a DC and having a DS.
         The DC DC2 is advertising as an LDAP server
         The DC DC2 is advertising as having a writeable directory
         The DC DC2 is advertising as a Key Distribution Center
         The DC DC2 is advertising as a time server
         The DS DC2 is advertising as a GC.
         ......................... DC2 passed test Advertising
      Test omitted by user request: CheckSecurityError
      Test omitted by user request: CutoffServers
      Starting test: FrsEvent
         * The File Replication Service Event log test 
         Skip the test because the server is running DFSR.
         ......................... DC2 passed test FrsEvent
      Starting test: DFSREvent
         The DFS Replication Event Log. 
         ......................... DC2 passed test DFSREvent
      Starting test: SysVolCheck
         * The File Replication Service SYSVOL ready test 
         File Replication Service's SYSVOL is ready 
         ......................... DC2 passed test SysVolCheck
      Starting test: KccEvent
         * The KCC Event log test
         Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
         ......................... DC2 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
         Role Domain Owner = CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
         Role PDC Owner = CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
         Role Rid Owner = CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
         ......................... DC2 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         Checking machine account for DC DC2 on DC DC2.
         * SPN found :LDAP/DC2.corp.domain/corp.domain
         * SPN found :LDAP/DC2.corp.domain
         * SPN found :LDAP/DC2
         * SPN found :LDAP/DC2.corp.domain/corpdomain
         * SPN found :LDAP/ef6459ec-28d5-4ab4-85bc-778547782ce7._msdcs.corp.domain
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/ef6459ec-28d5-4ab4-85bc-778547782ce7/corp.domain
         * SPN found :HOST/DC2.corp.domain/corp.domain
         * SPN found :HOST/DC2.corp.domain
         * SPN found :HOST/DC2
         * SPN found :HOST/DC2.corp.domain/corpdomain
         * SPN found :GC/DC2.corp.domain/corp.domain
         ......................... DC2 passed test MachineAccount
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC DC2.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=corp,DC=domain
            (NDNC,Version 3)
         * Security Permissions Check for
           DC=DomainDnsZones,DC=corp,DC=domain
            (NDNC,Version 3)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=corp,DC=domain
            (Schema,Version 3)
         * Security Permissions Check for
           CN=Configuration,DC=corp,DC=domain
            (Configuration,Version 3)
         * Security Permissions Check for
           DC=corp,DC=domain
            (Domain,Version 3)
         ......................... DC2 passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\DC2\netlogon
         Verified share \\DC2\sysvol
         ......................... DC2 passed test NetLogons
      Starting test: ObjectsReplicated
         DC2 is in domain DC=corp,DC=domain
         Checking for CN=DC2,OU=Domain Controllers,DC=corp,DC=domain in domain DC=corp,DC=domain on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain in domain CN=Configuration,DC=corp,DC=domain on 1 servers
            Object is up-to-date on all servers.
         ......................... DC2 passed test ObjectsReplicated
      Test omitted by user request: OutboundSecureChannels
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
            DC=ForestDnsZones,DC=corp,DC=domain
               Latency information for 1 entries in the vector were ignored.
                  1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=DomainDnsZones,DC=corp,DC=domain
               Latency information for 1 entries in the vector were ignored.
                  1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Schema,CN=Configuration,DC=corp,DC=domain
               Latency information for 1 entries in the vector were ignored.
                  1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Configuration,DC=corp,DC=domain
               Latency information for 1 entries in the vector were ignored.
                  1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=corp,DC=domain
               Latency information for 1 entries in the vector were ignored.
                  1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
         ......................... DC2 passed test Replications
      Starting test: RidManager
         * Available RID Pool for the Domain is 3102 to 1073741823
         * DC2.corp.domain is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 1602 to 2101
         * rIDPreviousAllocationPool is 1602 to 2101
         * rIDNextRID: 1818
         ......................... DC2 passed test RidManager
      Starting test: Services
         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: NTDS
         * Checking Service: DnsCache
         * Checking Service: DFSR
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... DC2 passed test Services
      Starting test: SystemLog
         * The System Event log test
         An error event occurred.  EventID: 0x80000003
            Time Generated: 03/19/2013   13:15:51
            Event String:
            A Kerberos Error Message was received:
             on logon session 
             Client Time: 
             Server Time: 3:15:51.0000 3/19/2013 Z
             Error Code: 0xd KDC_ERR_BADOPTION
             Extended Error: 0xc00000bb KLIN(0)
             Client Realm: 
             Client Name: 
             Server Realm: CORP.domain
             Server Name: dc2$@CORP.domain
             Target Name: dc2$@CORP.domain@CORP.domain
             Error Text: 
             File: 9
             Line: f09
             Error Data is in record data.
         An error event occurred.  EventID: 0x80000003
            Time Generated: 03/19/2013   13:30:51
            Event String:
            A Kerberos Error Message was received:
             on logon session 
             Client Time: 
             Server Time: 3:30:51.0000 3/19/2013 Z
             Error Code: 0xd KDC_ERR_BADOPTION
             Extended Error: 0xc00000bb KLIN(0)
             Client Realm: 
             Client Name: 
             Server Realm: CORP.domain
             Server Name: dc2$@CORP.domain
             Target Name: dc2$@CORP.domain@CORP.domain
             Error Text: 
             File: 9
             Line: f09
             Error Data is in record data.
         An error event occurred.  EventID: 0x80000003
            Time Generated: 03/19/2013   13:45:52
            Event String:
            A Kerberos Error Message was received:
             on logon session 
             Client Time: 
             Server Time: 3:45:52.0000 3/19/2013 Z
             Error Code: 0xd KDC_ERR_BADOPTION
             Extended Error: 0xc00000bb KLIN(0)
             Client Realm: 
             Client Name: 
             Server Realm: CORP.domain
             Server Name: dc2$@CORP.domain
             Target Name: dc2$@CORP.domain@CORP.domain
             Error Text: 
             File: 9
             Line: f09
             Error Data is in record data.
         An error event occurred.  EventID: 0x80000003
            Time Generated: 03/19/2013   13:53:46
            Event String:
            A Kerberos Error Message was received:
             on logon session 
             Client Time: 
             Server Time: 3:53:46.0000 3/19/2013 Z
             Error Code: 0x29 KRB_AP_ERR_MODIFIED
             Extended Error: 
             Client Realm: 
             Client Name: 
             Server Realm: CORP.domain
             Server Name: dc2$
             Target Name: 
             Error Text: 
             File: 3
             Line: 576
             Error Data is in record data.
         An error event occurred.  EventID: 0x80000003
            Time Generated: 03/19/2013   14:00:52
            Event String:
            A Kerberos Error Message was received:
             on logon session 
             Client Time: 
             Server Time: 4:0:52.0000 3/19/2013 Z
             Error Code: 0xd KDC_ERR_BADOPTION
             Extended Error: 0xc00000bb KLIN(0)
             Client Realm: 
             Client Name: 
             Server Realm: CORP.domain
             Server Name: dc2$@CORP.domain
             Target Name: dc2$@CORP.domain@CORP.domain
             Error Text: 
             File: 9
             Line: f09
             Error Data is in record data.
         ......................... DC2 failed test SystemLog
      Test omitted by user request: Topology
      Test omitted by user request: VerifyEnterpriseReferences
      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=DC2,OU=Domain Controllers,DC=corp,DC=domain and
         backlink on
         CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
         are correct. 
         The system object reference (serverReferenceBL)
         CN=DC2,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=corp,DC=domain
         and backlink on
         CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
         are correct. 
         The system object reference (msDFSR-ComputerReferenceBL)
         CN=DC2,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=corp,DC=domain
         and backlink on
         CN=DC2,OU=Domain Controllers,DC=corp,DC=domain are
         correct. 
         ......................... DC2 passed test VerifyReferences
      Test omitted by user request: VerifyReplicas

      Test omitted by user request: DNS
      Test omitted by user request: DNS

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : corp
      Starting test: CheckSDRefDom
         ......................... corp passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... corp passed test CrossRefValidation

   Running enterprise tests on : corp.domain
      Test omitted by user request: DNS
      Test omitted by user request: DNS
      Starting test: LocatorCheck
         GC Name: \\DC2.corp.domain
         Locator Flags: 0xe00031fd
         PDC Name: \\DC2.corp.domain
         Locator Flags: 0xe00031fd
         Time Server Name: \\DC2.corp.domain
         Locator Flags: 0xe00031fd
         Preferred Time Server Name: \\DC2.corp.domain
         Locator Flags: 0xe00031fd
         KDC Name: \\DC2.corp.domain
         Locator Flags: 0xe00031fd
         ......................... corp.domain passed test
         LocatorCheck
      Starting test: Intersite
         Skipping site Brisbane, this site is outside the scope provided by the
         command line arguments provided. 
         ......................... corp.domain passed test Intersite

dcdiag /test:topology

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DC2
   * Identified AD Forest. 
   Done gathering initial info.

Doing initial required tests

   Testing server: Brisbane\DC2
      Starting test: Connectivity
         ......................... DC2 passed test Connectivity

Doing primary tests

   Testing server: Brisbane\DC2
      Starting test: Topology
         ......................... DC2 passed test Topology


   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : corp

   Running enterprise tests on : corp.domain

dcdiag /test:replications

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DC2
   * Identified AD Forest. 
   Done gathering initial info.

Doing initial required tests

   Testing server: Brisbane\DC2
      Starting test: Connectivity
         ......................... DC2 passed test Connectivity

Doing primary tests

   Testing server: Brisbane\DC2
      Starting test: Replications
         ......................... DC2 passed test Replications


   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : corp

   Running enterprise tests on : corp.domain

dnslint /ad 10.1.1.21 /s 10.1.1.21

DNSLint Report

System Date: Tue Mar 19 14:43:20 2013 

Command run: 

c:\dnslint\dnslint /ad 10.1.1.21 /s 10.1.1.21

Root of Active Directory Forest: 

    corp.domain

Active Directory Forest Replication GUIDs Found:

DC: DC2
GUID: ef6459ec-28d5-4ab4-85bc-778547782ce7

DC: DC3
GUID: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346

DC: MX1
GUID: 579be28b-006e-4f1c-911a-780458c5d081


Total GUIDs found: 3

--------------------------------------------------------------------------------

The following 2 DNS servers were checked for records related to AD forest replication:

DNS server: dc2.corp.domain
IP Address: 10.1.1.21
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: YES

SOA record data from server:
Authoritative name server: dc2.corp.domain
Hostmaster: hostmaster.corp.domain
Zone serial number: 150
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds


Additional authoritative (NS) records from server:
dc2.corp.domain Unknown
dc3.corp.domain Unknown




Alias (CNAME) and glue (A) records for forest GUIDs from server:
CNAME: ef6459ec-28d5-4ab4-85bc-778547782ce7._msdcs.corp.domain
Alias: dc2.corp.domain
Glue: 10.1.1.21

CNAME: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346._msdcs.corp.domain
Alias: dc3.corp.domain
Glue: 10.1.1.22

CNAME: 579be28b-006e-4f1c-911a-780458c5d081._msdcs.corp.domain
Alias: mx1.corp.domain
Glue: 10.1.1.25


Total number of CNAME records found on this server: 3

Total number of CNAME records missing on this server: 0

Total number of glue (A) records this server could not find: 0



--------------------------------------------------------------------------------

DNS server: dc3.corp.domain
IP Address: 10.1.1.22
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: YES

SOA record data from server:
Authoritative name server: dc3.corp.domain
Hostmaster: hostmaster.corp.domain
Zone serial number: 150
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds


Additional authoritative (NS) records from server:
dc2.corp.domain Unknown
dc3.corp.domain Unknown




Alias (CNAME) and glue (A) records for forest GUIDs from server:
CNAME: ef6459ec-28d5-4ab4-85bc-778547782ce7._msdcs.corp.domain
Alias: dc2.corp.domain
Glue: 10.1.1.21

CNAME: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346._msdcs.corp.domain
Alias: dc3.corp.domain
Glue: 10.1.1.22

CNAME: 579be28b-006e-4f1c-911a-780458c5d081._msdcs.corp.domain
Alias: mx1.corp.domain
Glue: 10.1.1.25


Total number of CNAME records found on this server: 3

Total number of CNAME records missing on this server: 0

dnscmd /zoneinfo corp.domain

Zone query result:

Zone info:
    ptr                   = 0000000000197AB0
    zone name             = corp.domain
    zone type             = 1
    shutdown              = 0
    paused                = 0
    update                = 2
    DS integrated         = 1
    read only zone        = 0
    in DS loading queue   = 0
    currently DS loading  = 0
    data file             = (null)
    using WINS            = 0
    using Nbstat          = 0
    aging                 = 0
      refresh interval    = 168
      no refresh          = 168
      scavenge available  = 0
    Zone Masters    NULL IP Array.
    Zone Secondaries    NULL IP Array.
    secure secs           = 1
    directory partition   = AD-Domain     flags 00000015
    zone DN               = DC=corp.domain,cn=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=domain
Command completed successfully.

repadmin /showrepl

Repadmin: running command /showrepl against full DC localhost
Brisbane\DC2
DSA Options: IS_GC 
Site Options: (none)
DSA object GUID: ef6459ec-28d5-4ab4-85bc-778547782ce7
DSA invocationID: d2eb9fee-f5ee-458d-b37f-813d6cc41d9b

==== INBOUND NEIGHBORS ======================================

DC=corp,DC=domain
    Brisbane\MX1 via RPC
        DSA object GUID: 579be28b-006e-4f1c-911a-780458c5d081
        Last attempt @ 2013-03-19 14:58:35 was successful.
    Brisbane\DC3 via RPC
        DSA object GUID: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346
        Last attempt @ 2013-03-19 14:59:08 was successful.

CN=Configuration,DC=corp,DC=domain
    Brisbane\DC3 via RPC
        DSA object GUID: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346
        Last attempt @ 2013-03-19 14:55:31 was successful.
    Brisbane\MX1 via RPC
        DSA object GUID: 579be28b-006e-4f1c-911a-780458c5d081
        Last attempt @ 2013-03-19 14:55:31 was successful.

CN=Schema,CN=Configuration,DC=corp,DC=domain
    Brisbane\DC3 via RPC
        DSA object GUID: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346
        Last attempt @ 2013-03-19 14:55:31 was successful.
    Brisbane\MX1 via RPC
        DSA object GUID: 579be28b-006e-4f1c-911a-780458c5d081
        Last attempt @ 2013-03-19 14:55:31 was successful.

DC=DomainDnsZones,DC=corp,DC=domain
    Brisbane\DC3 via RPC
        DSA object GUID: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346
        Last attempt @ 2013-03-19 14:55:31 was successful.

DC=ForestDnsZones,DC=corp,DC=domain
    Brisbane\DC3 via RPC
        DSA object GUID: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346
        Last attempt @ 2013-03-19 14:55:31 was successful.

repadmin /replsummary

Replication Summary Start Time: 2013-03-19 14:59:31

Beginning data collection for replication summary, this may take awhile:
  ......


Source DSA          largest delta    fails/total %%   error
 DC2                       12m:51s    0 /   8    0  
 DC3                       12m:51s    0 /   8    0  
 MX1                       11m:11s    0 /   6    0  


Destination DSA     largest delta    fails/total %%   error
 DC2                       04m:00s    0 /   8    0  
 DC3                       11m:11s    0 /   8    0  
 MX1                       12m:51s    0 /   6    0  

repadmin /kcc

Repadmin: running command /kcc against full DC localhost
Brisbane
Current Site Options: (none)
Consistency check on localhost successful.

Netdom -query fsmo

Schema master               DC2.corp.domain
Domain naming master        DC2.corp.domain
PDC                         DC2.corp.domain
RID pool manager            DC2.corp.domain
Infrastructure master       DC2.corp.domain
The command completed successfully.
active-directory
windows-server-2008-r2
exchange-2010
asked on Server Fault Mar 18, 2013 by Ablue • edited Apr 13, 2017 by Community

2 Answers

1

Exchange 2010 servers require a domain controller with a GC in the same site.

Also, running Exchange on a domain controller is not recommended. And you definitely can't promote an Exchange server to a domain controller.

It sounds like from your description you have broken at least two of these rules, if not all three.

answered on Server Fault Mar 20, 2013 by longneck
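
One way to check the same-site GC requirement from the answer above. This is an added example, not part of the original answer; it assumes it is run in the Exchange Management Shell on the Exchange server and that the ActiveDirectory module (RSAT) is installed there.

```powershell
# Added example: run in the Exchange Management Shell on the Exchange 2010 server.
# Assumption: the ActiveDirectory module (RSAT) is installed on this server.
Import-Module ActiveDirectory

# AD site this computer belongs to ("Brisbane" in the question's output).
$site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
$self = $env:COMPUTERNAME

# Every domain controller in that site, with its global catalog flag.
$siteDcs = @(Get-ADDomainController -Filter * | Where-Object { $_.Site -eq $site })
$siteDcs | Sort-Object Name |
    Format-Table Name, HostName, Site, IsGlobalCatalog -AutoSize

# Global catalogs in the site that are NOT this Exchange server itself.
# If this list is empty, Exchange only works while it is its own DC/GC,
# which is the symptom described in the question.
$remoteGcs = @($siteDcs | Where-Object { $_.IsGlobalCatalog -and $_.Name -ne $self })

if ($remoteGcs.Count -eq 0) {
    Write-Warning "No global catalog in site '$site' other than $self."
} else {
    "In-site GCs available to Exchange: " +
        (($remoteGcs | ForEach-Object { $_.HostName }) -join ', ')
}

# What Exchange has actually selected, plus any static overrides or
# exclusions that would stop it from using an otherwise healthy in-site GC.
Get-ExchangeServer -Identity $self -Status |
    Format-List Name, Site, CurrentDomainControllers, CurrentGlobalCatalogs,
                StaticDomainControllers, StaticGlobalCatalogs,
                StaticExcludedDomainControllers
```

A warning from the first check, or an empty CurrentGlobalCatalogs that lists only the Exchange server itself, matches the situation the answer describes.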
0

Solution offered by ashdrewness


It's not supported to run dcpromo on a server after Exchange is installed. It's also not supported to do an in-place upgrade from std to ent with Exchange installed. You have to uninstall Exchange or perform a disaster recovery install of Exchange (setup.com /recoverserver).

From http://technet.microsoft.com/en-us/library/aa996719(v=exchg.141).aspx

Installing Exchange 2010 on Directory Servers

For security and performance reasons, we recommend that you install Exchange 2010 only on member servers and not on Active Directory directory servers. However, you can't run DCPromo on a computer running Exchange 2010. After Exchange 2010 is installed, changing its role from a member server to a directory server, or vice versa, isn't supported.

answered on Server Fault Mar 20, 2013 by Ablue • edited Mar 20, 2013 by longneck

User contributions licensed under CC BY-SA 3.0