Exchange 2013/16 / DC issues

Wants to share one interesting case.

Customer had 4 DC’s, two of them were on win2k8 and two of them on win2k12.

When they turning off two old DC’s – Exchange is dying. Exchange services are up, you can’t even stop them, and almost everything isn’t working from Exchange side (ECP, OWA, Outlook and so on).

The interesting thing is that Exchange see available DC’s and successfully switching between them.

Issue was solved by editing Microsoft.Exchange.Directory.TopologyService.exe.config (Bin folder):

MinSuitableServer = “1” (by default value is missing on CU11/12)

MinPercentageOfHealthyDC = “10” (by default value is 50)

Advertisements

Send as Permissions automatically disappear from specific users.

I had an case  where the send as permissions for one user cannot be set in ECP. he gets error in ECP and Shell:

Active Directory-Antwort: 00000005: SecErr: DSID-03152612, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

After giving full control on Exchange trusted subsiste over the account we are able to grand send as permissions, but after 20 minutes the permissions are gone and we are again not able to grant them because of the same error.

Solution

Disappearing of permissions let me in direction Protected Groups. There is an Artikel form Microsoft regarding this issue: https://support.microsoft.com/en-us/kb/2983209

it turns out that the customer is member of administrators group, which is a protected Group. It was nested in one other made by customer security group.

This is causing the AdminCount to be increased to 1

admincount

This is causing the permissions reset and also the inheritance for this account is disabled.

inheritance

this is causing the insufficient permissions error.

After removing the user form the administrator group, deleted, the admin count and enabled the inheritance the issue got resolved.

 

Other Protected groups are :

  • Enterprise Admins
  • Schema Admins
  • Domain Admins
  • Administrators
  • Account Operators
  • Server Operators
  • Print Operators
  • Backup Operators
  • Domain Admins
  • Schema Admins
  • Enterprise Admins
  • Cert Publishers