On a customer site recently, I installed the first Exchange 2010 CAS server which was initially functioning correctly. After a reboot, a number of Exchange services failed to start, including the Exchange Service Host, Exchange Protected Service Host and the Exchange RPC Client Access Service.
Logged in the System Event Logs were the usual Event 7000 and 7009 relating to services not starting. In the Application Event Logs were logged the following:
Event 2114: Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1256). Topology discovery failed, error 0x80040a02 (DSC_E_NO_SUITABLE_CDC)
Event 2080: Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1204). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
DC1.Domain CDG 1 7 7 1 0 0 1 7 1
DC2.Domain CDG 1 7 7 1 0 0 1 7 1
The zeroes, the fourth character from the right in each row, relate to the SACL right and imply that the DCs will not be used by Exchange. The SACL right entry should read 1.
This relates to a non-standard Domain Controllers Policy. It seems the Exchange setup process adds permissions to the ‘Manage Auditing and Security Log’ under user rights assignment in the Default Domain Controllers Policy. If a custom policy has been created in its place (as was the case for me) the correct rights are not assigned to the DCs. Once this had been highlighted, a quick amendment to the custom policy, and the CAS was back up and running again.
To resolve: edit
Computer Configuration > Windows Settings > Security Settings > User Rights Assignment > Manage auditing and security log
And add the ‘Exchange Servers’ group.
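To spot this condition quickly in the Event 2080 text, the PowerShell below parses the server rows using the column order quoted above and lists the DCs whose SACL right is not 1. It is an added example, not part of the original post; the function name and the DC3 row are constructed for illustration.

```powershell
# Column order as given in the Event 2080 header quoted in the post.
$Columns = 'Server','Roles','Enabled','Reachability','Synchronized','GCCapable',
           'PDC','SaclRight','CriticalData','Netlogon','OSVersion'

# Hypothetical helper: turns the Event 2080 message text into one object per DC row.
function ConvertFrom-Event2080 {
    param([Parameter(Mandatory = $true)][string]$Message)
    foreach ($line in ($Message -split "`r?`n")) {
        $f = @($line.Trim() -split '\s+')
        # A DC row has exactly 11 fields and the last nine are integers;
        # the header and any other text lines fail one of these checks.
        if ($f.Count -ne $Columns.Count) { continue }
        if (@($f[2..10] -notmatch '^\d+$').Count -gt 0) { continue }
        $row = @{}
        for ($i = 0; $i -lt $Columns.Count; $i++) { $row[$Columns[$i]] = $f[$i] }
        # Select-Object restores the column order (hashtables are unordered).
        New-Object PSObject -Property $row | Select-Object $Columns
    }
}

# Sample input: the two rows from the post plus one constructed healthy row (DC3).
$sample = @'
(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
DC1.Domain CDG 1 7 7 1 0 0 1 7 1
DC2.Domain CDG 1 7 7 1 0 0 1 7 1
DC3.Domain CDG 1 7 7 1 0 1 1 7 1
'@

$dcs = ConvertFrom-Event2080 -Message $sample

# DCs Exchange will not use: the Exchange Servers group is missing
# 'Manage auditing and security log' in the policy applied to them.
$dcs | Where-Object { $_.SaclRight -ne '1' } | ForEach-Object {
    "{0}: SACL right = {1}; check User Rights Assignment in the DC policy" -f $_.Server, $_.SaclRight
}

# Live use on the Exchange server (reads the most recent Event 2080):
# Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 2080 } -MaxEvents 1 |
#     ForEach-Object { ConvertFrom-Event2080 -Message $_.Message } |
#     Where-Object { $_.SaclRight -ne '1' }
```

After amending the policy and refreshing Group Policy on the DCs, the next Event 2080 should show 1 in the SACL right column for every DC.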