Previously, I was at a client to deploy Exchange 2007. After having everything configured flawlessly, we shut down Exchange 2007 and brought it to the co-location office nearby. When we started it up, it took a couple of hours for it to come up, and we saw services were stuck in a failing state. The odd thing is that this server had a direct private link to where we configured the server, and the server was still on the same subnet but had a firewall in between the locations. At first, I thought the issue might be a firewall issue, but it was not.
So lots of troubleshooting ensued, which involved checking ports, checking connectivity, and several other things. The painful thing was that we had to reboot the server many times to test and wait for it to finally time out and allow us to log in. This client had four domain controllers, two of which were Windows 2000 Server and two of which were Windows Server 2003 SP1.
The first thing I did was use the following command to ensure ADAccess was using only the two available Server 2003 SP1 Domain Controllers:
Set-ExchangeServer -Identity Exch01 -DomainController dc01.domain.com -StaticDomainControllers 'dc01.domain.com','dc02.domain.com' -StaticGlobalCatalogs 'dc01.domain.com','dc02.domain.com' -StaticConfigDomainController 'dc01.domain.com'  # -StaticConfigDomainController accepts a single DC name, not a list
Note: If you need to reverse this, you can run the following command:
Set-ExchangeServer -identity Exch01 -staticDomainControllers $NULL -staticGlobalCatalogs $NULL -staticConfigDomainController $NULL
To be quite honest, the command above should not be needed and I recommend against it, since the Topology service should automatically find SP1 Domain Controllers and use those Domain Controllers accordingly after Exchange 2007 is installed. You should ensure that your Active Directory Sites and Subnets are all properly defined. Exchange 2007’s Topology service will choose the appropriate DC/GC to use for ADAccess.
As a side note, for the installation of Exchange 2007, the installer is not intelligent enough to find Server 2003 SP1 Domain Controllers, so you will need to use the command prompt to install Exchange 2007 so you can specify a Server 2003 SP1 Domain Controller. With Exchange 2007 SP1 (which contains the install binaries on it), the installer has been revised to automatically use a Server 2003 SP1 Domain Controller in a mixed environment if you’re using the GUI.
So the next thing I did was research. I found some information to check whether the Exchange Servers group had the ability to “Manage auditing and security log” in the Default Domain Controllers Policy. The Exchange Servers group was NOT in this policy. I added the Exchange Servers group to this group policy setting, waited 5 minutes for the Domain Controllers to apply the new policy (gpupdate /force if you’re impatient), and then I decided to reboot Exchange 2007.
During the reboot, I prayed that Exchange 2007 would come back up normally instead of the usual 2-hour wait. Fortunately, Exchange 2007 did come up as if it never had problems. I checked services.msc to ensure that all services were working as intended, and fortunately, they were. We went ahead and checked Outlook Web Access, SMTP, POP3S, IMAP4S, etc. Everything worked! To be safe, I rebooted Exchange 2007 again to ensure it would come back up normally, which it did.
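One way to script the “Manage auditing and security log” check described above is shown below. This is an added example, not part of the original post. It assumes Windows PowerShell is available on the domain controller, that it is run from an elevated session there, and that 'DOMAIN\Exchange Servers' (a placeholder) is replaced with your own domain's group name. The right's internal name is SeSecurityPrivilege.

```powershell
# Added example. Run elevated on a domain controller.
# 'DOMAIN\Exchange Servers' is a placeholder; substitute your NetBIOS domain name.
param([string]$GroupName = 'DOMAIN\Exchange Servers')

function Get-UserRightHolders {
    param([string[]]$InfLines, [string]$Right)
    # secedit writes one line per right, e.g.
    #   SeSecurityPrivilege = *S-1-5-32-544,*S-1-5-21-...
    $line = $InfLines | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    $line.Split('=')[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') } |
        Where-Object { $_ }
}

function Test-GroupHoldsRight {
    param([string[]]$Holders, [string]$GroupSid, [string]$GroupName)
    # Entries are normally SIDs, but accounts can also be listed by name.
    $leaf = $GroupName.Split('\')[-1]
    [bool]($Holders | Where-Object {
        $_ -eq $GroupSid -or $_ -eq $GroupName -or $_ -eq $leaf
    })
}

# Resolve the group name to its SID so it can be matched against the export.
$account = New-Object System.Security.Principal.NTAccount($GroupName)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export the merged (domain + local) user rights assignments on this DC.
$cfg = Join-Path $env:TEMP 'user_rights_export.inf'
secedit /export /mergedpolicy /areas USER_RIGHTS /cfg $cfg | Out-Null
$inf = Get-Content $cfg
Remove-Item $cfg

$holders = @(Get-UserRightHolders -InfLines $inf -Right 'SeSecurityPrivilege')

if (Test-GroupHoldsRight -Holders $holders -GroupSid $sid -GroupName $GroupName) {
    Write-Output "OK: $GroupName ($sid) holds SeSecurityPrivilege on this DC."
} else {
    Write-Output "MISSING: $GroupName ($sid) does not hold SeSecurityPrivilege on this DC."
}

# List every holder so that unexpected principals can be reviewed.
Write-Output 'Current holders of SeSecurityPrivilege:'
$holders | ForEach-Object { Write-Output "  $_" }
```

Because SeSecurityPrivilege allows its holders to read and clear the Security event log and to change audit settings on objects, the list of holders printed at the end is worth reviewing on each domain controller.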