I found the answer: Since the OLDSERVER (DC, Exchange) is going away, I'm not concerned about it not talking to other DC's / GC's. The NEWSERVER was affected by an SACL that wasn't correct:

"We've had one of our AD Domain Controllers reporting that it didn't have the SACL right. This was logged constantly on event ID 2080. We tried nearly everything but without success. This morning I came up with a solution to fix it, while trying to desperately find the ntSecurityDescriptor property in ADSI Edit and other places. Well, it's more simple than that! On whatever DC, fire up Active Directory Users & Computers, click on the View menu and select Advanced Features. Then browse to the Domain Controllers OU, right click on the DC which misses the SACL right and select Properties. Click on the Security tab and select Advanced. Be patient... then on the Permissions tab, click on Add... Select the Exchange Servers security group and click on OK. You will see a dialog with two tabs: Object and Properties. Select Properties. Then scroll down until you find Read nTSecurityDescriptor. Check Allow, click on OK as much as needed to close the window. Then check your event log after a while. Your DC should now report that it has the SACL right."

I re-ran setup /domainprep and now the NEWEXCHANGE server is seeing other DC's / GC's as it should. The OWA front-end server is also seeing the other DC's / GC's too. I'm finally able to move on to do some testing to make sure that when the OLDSERVER gets dumped, mail will flow.

-----Original Message-----
From: Mike French [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 17, 2008 4:34 PM
To: NT System Admin Issues
Subject: RE: Exchange on a DC migration

I found reference to that a few minutes ago, so maybe a new question is: Should I ignore this and proceed with the Exchange removal from the DC and trust that once it's out of the domain the new Exchange member server will finally be able to see the other DC's / GC's?

-----Original Message-----
From: Michael B. Smith [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 17, 2008 4:21 PM
To: NT System Admin Issues
Subject: RE: Exchange on a DC migration

Exchange, when installed on a DC, will NEVER EVER attempt to talk to another DC. I think I cover this in at least 3 different places on my blog.

Regards,
Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP
My blog: http://TheEssentialExchange.com/blogs/michael
Link with me at: http://www.linkedin.com/in/theessentialexchange

-----Original Message-----
From: Mike French [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 17, 2008 5:07 PM
To: NT System Admin Issues
Subject: Exchange on a DC migration

This is probably a re-hash but please bear with me..

OLDSERVER - (Domain Controller (This was the first one in the domain)) Windows 2003 STD Native + Exchange 2003 SP2 Native
NEWSERVER - (Member Server) Windows 2003 ENT + Exchange 2003 SP2 Native

I have moved the Public Folders and Sync'd and moved the Mailboxes. I re-homed RUS and the Default Offline Address List to the NEWSERVER. I moved off all the FSMO roles to my new DC's. I've had the Exchange services disabled on the OLDSERVER for about a month now without any problems. I still have to migrate the DHCP scope over to a different server (Not a big deal). I was planning on removing Exchange and demoting it to a member server before I remove it from the domain this Friday.

Murphy's Law stepped in and I came in to the OLDSERVER with two failed drives on the Raid-5 array. I restored from backup (Fortunately the backup completed before it went south) and got the box back up. What I noticed is that the NEWSERVER dismounted the stores and the MTA service stopped and would not come back up without the OLDSERVER online. The DSAccess was choking according to the logs. After finally getting the OLDSERVER up I restarted the NEWSERVER store and MTA and mail started to flow once again.

Digging a little deeper as to why, I went into the ESM on the NEWSERVER, got the properties of the NEWSERVER and checked the "Directory Access" tab, and all I see is the OLDSERVER entries listed; none of my other DC's / GC's are there (Auto discover is checked). This explained why the NEWSERVER stores and MTA choked, but what I can't confirm is why no other DC's / GC's are discovered. If I hardcode the other DC's, GC's and config server, I get the DSAccess errors about not being able to reach the defined servers. I turned up logging to MAX for DSAccess Topology, Config, and LDAP and it successfully discovers the other servers but doesn't populate them. I ran NETDIAG without errors, the LDAP utility works fine (both on 389 and 3268) from the NEWSERVER. Setspn -l displays the correct info for all the DC's, DNS looks good (SRV records are correct). I also did the tasklist -m dsaccess.dll and it displays the correct PID's (7 of them).

Is this in line with the "Don't install Exchange on a DC"? Even though the NEWSERVER is on a member server, did it pick up and somehow hardcode the "Directory Access" entries to the OLDSERVER (DC, Exchange)? I'm REAL hesitant to plow forward and finish the removal because I don't want mail down while I try to figure this one out. Any insight would be welcomed, I've been searching Google and TechNet all morning....

MIKE FRENCH
NETWORK ENGINEER ~EQUITY BANK
Office: 214.231.4565
[EMAIL PROTECTED]
Doing IT Right!

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
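The fix quoted at the top of the thread (granting the Exchange Servers group Read nTSecurityDescriptor on the DC's computer object) can be audited and, where missing, applied from a script instead of clicking through ADUC. This is an added example, not code from anyone in the thread; it assumes the ActiveDirectory PowerShell module and its AD: drive are available, and the DC name NEWDC01 is a placeholder.

```powershell
# Added example (not from the thread): audit, and optionally grant, the permission the
# post describes -- "Exchange Servers" allowed to read nTSecurityDescriptor on a DC's
# computer object -- which is what DSAccess reports as the "SACL right" in event ID 2080.
# Assumes the ActiveDirectory module (RSAT) and its AD: drive; $DcName is a placeholder.
param(
    [string]$DcName = 'NEWDC01',   # placeholder: the DC flagged in event ID 2080
    [switch]$Fix                   # only add the ACE when -Fix is given; default is read-only audit
)
Import-Module ActiveDirectory

$group = Get-ADGroup -Identity 'Exchange Servers'
$dc    = Get-ADComputer -Identity $DcName
$path  = 'AD:\' + $dc.DistinguishedName

# Resolve the attribute's schemaIDGUID from the schema rather than hardcoding it.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr     = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=nTSecurityDescriptor)' -Properties schemaIDGUID
$attrGuid = [guid]$attr.schemaIDGUID

$acl = Get-Acl -Path $path
$readMask = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
            [System.DirectoryServices.ActiveDirectoryRights]::GenericRead -bor
            [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# An ACE satisfies the requirement if it is an Allow for the group's SID, carries
# ReadProperty (or a broader generic right), and is scoped to this attribute or to all properties.
$granted = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $group.SID -and
    ([int]($_.ActiveDirectoryRights -band $readMask)) -ne 0 -and
    ($_.ObjectType -eq $attrGuid -or $_.ObjectType -eq [guid]::Empty)
}

if ($granted) {
    Write-Output "$DcName : Exchange Servers can read nTSecurityDescriptor; event 2080 should show the SACL right as present."
    return
}
Write-Output "$DcName : Exchange Servers lacks Read nTSecurityDescriptor on this computer object."
if ($Fix) {
    # Same ACE the GUI procedure creates: Allow / ReadProperty / this attribute only.
    $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $group.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attrGuid)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
    Write-Output "ACE added; re-check event ID 2080 after DSAccess rediscovers its topology."
}
```

Run it without -Fix first against each DC so you have an audit of which computer objects are missing the right before changing any ACL.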
