Tuesday, June 2, 2015

EventID 9385 on Exchange 2010 After Demoting DC

I recently demoted an old Domain Controller in an effort to move forward in my domain - it was a 32-bit 2008 Server, and all the rest of the DCs are 2008R2 or 2012R2. I don't have any needs today to move up AD functionality today (we are already on 2008 Forest and Domain Functionality), but it never hurts to be ready.

After demoting an old Domain Controller, I recently started receiving Error 9385 on one of my Exchange 2010 Mailbox servers:

Log Name:      Application
Source:        MSExchangeSA
Date:          6/2/2015 8:43:34 AM
Event ID:      9385
Task Category: General
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      MailboxSVR.internal.domain
Description:
Microsoft Exchange System Attendant failed to read the membership of the universal security group '/dc=domain/dc=internal/ou=Microsoft Exchange Security Groups/cn=Exchange Servers'; the error code was '8007203a'. The problem might be that the Microsoft Exchange System Attendant does not have permission to read the membership of the group. 

If this computer is not a member of the group '/dc=domain/dc=internal/ou=Microsoft Exchange Security Groups/cn=Exchange Servers', you should manually stop all Microsoft Exchange services, run the task 'add-ExchangeServerGroupMember,' and then restart all Microsoft Exchange services. 
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="MSExchangeSA" />
    <EventID Qualifiers="49152">9385</EventID>
    <Level>2</Level>
    <Task>1</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-06-02T13:43:34.000000000Z" />
    <EventRecordID>2199039</EventRecordID>
    <Channel>Application</Channel>
    <Computer>MailboxSVR.internal.domain</Computer>
    <Security />
  </System>
  <EventData>
    <Data>/dc=com/dc=wmfingrp/dc=internal/ou=Microsoft Exchange Security Groups/cn=Exchange Servers</Data>
    <Data>8007203a</Data>
  </EventData>
</Event>

After doing some research, most articles said that you need to make sure that it's a member of the group, etc, but all of that was correct. There weren't any references to the old DC in anything I checked (DNS was pointed elsewhere, Domain controllers and Global catalog servers that this Exchange server used were pointed elsewhere, etc). But, I knew it had to do with my demoted DC. For some reason this particular Exchange server was really hoping that the DC would answer his requests. I didn't notice any other performance or user issues during this time, so it looks like the Exchange server was able to get his answer elsewhere after checking here.

Once I was able to take a maintenance window, I rebooted the affected Exchange server, and all was well. It just needed to clear it's head after loosing it's good friend.

------
Dustin Shaw
VCP

4 comments:

  1. Had the same issue after demoting our old AD 2003 servers. For some reasons our Exchange server still want to contact the old DC. You can check that in command line ( ipconfig /displaydns ). We just restart the Microsoft Echange System Attendant service as see in a telnet discussion. No more event ID 9385, no more entry of our old DC in displaydns

    ReplyDelete

  2. Good information. Lucky me I came across your blog by chance (stumbleupon). I have book marked it for later! aol login

    ReplyDelete
  3. In the United States you'll find concepts referred to as the front-end debt ratio and back-end debt ratio which compare the homebuyer's income against their monthly housing expenses along with their total debt service expenses. canadian mortgage calculator The principal from the mortgage will be the present value. mortgage payment calculator

    ReplyDelete
  4. I think that thanks for the valuabe information and insights you have so provided here. 꽁머니

    ReplyDelete