So there I was, embarking on a new project to move a customer to Office 365 and Exchange Online. Thinking that I could jump-start things with the simple task of installing Exchange 2013 CU15 to act as a hybrid server (yes, I know, there is no such role but you know what I mean). Kicking off setup.exe expecting nothing special … BANG! Red, error, setup failed! Whaaaat??!!
The error message was “An exception ocurred while setting shared config DC”. Huh? What does that mean? Google to the rescue. Most blog posts seemed to indicate issues with disabled IPv6, but I never disable IPv6, so this wasn’t my issue. Googling along. Found some tech forum replies talking about strange behaviour with the Exchange AD Topology Service and the process of locating/selecting Domain Controllers. Found a KB article from Microsoft providing information and a workaround: “Exchange 2013 CU6 and later uses out-of-site domain controllers and global catalog servers”. I tried this, but to no avail. This wasn’t my issue either. Now what?
I kept on googling and reading through a lot of TechNet forum posts. After an hour or so, I stumbled upon this reply here: https://social.technet.microsoft.com/Forums/office/en-US/bb08b38e-a0b5-436d-83ac-a76d7960d87c/exchange-2013-sp1-installation-fails-at-transport-service-97?forum=exchangesvrdeploy
I got to Microsoft Support and here’s what we found:
During the AD Prep stage one of the permissions that is set in the default domain controllers group policy was not transferred to the custom domain controllers policy. Support found a plethora of Event 2112 in Windows Event Viewer that pointed to the permission. Fixed that and Exchange installed just fine.
Going into Event Viewer > Application Log and sure enough …
Opening the Group Policy Management console and looking at the Domain Controllers node, I found this:
Interesting. Maybe we’re onto something here … Comparing the two GPOs revealed one crucial difference:
Specifically, the User Right called “Manage auditing and security log” was missing the security group called “<domain>\Exchange Servers” on the custom GPO with Link Order 1, which thus took precedence over the regular “Default Domain Controller Policy” that actually had this user right assignment set.
Solution: Added the group “<domain>\Exchange Servers” to the user right assignment “Manage auditing and security log” on the custom GPO with the higher Link Order (precedence) and Exchange installed just fine after performing GPUpdate on the Domain Controllers.
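
To confirm the fix actually landed on each Domain Controller after GPUpdate, the effective user rights can be exported and checked for the group's SID. The script below is an added example, not part of the original troubleshooting: it assumes an elevated PowerShell session on the DC, that "Exchange Servers" lives in the logon domain (`$env:USERDOMAIN`), and the function name `Test-UserRightHolder` is made up for illustration.

```powershell
# Added example. Run elevated on a Domain Controller after gpupdate.
# SeSecurityPrivilege is the constant behind "Manage auditing and security log".

function Test-UserRightHolder {
    param(
        [string[]]$InfLines,  # lines of a "secedit /export" file
        [string]$Right,       # privilege constant, e.g. SeSecurityPrivilege
        [string]$Sid          # SID of the principal expected to hold the right
    )
    # The [Privilege Rights] section has lines like:
    #   SeSecurityPrivilege = *S-1-5-32-544,*S-1-5-21-...-1119
    $line = $InfLines | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return $false }   # right is not assigned to anyone
    $holders = ($line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') }
    return $holders -contains $Sid
}

# Assumption: the group is in the domain of the logged-on account.
$group = "$env:USERDOMAIN\Exchange Servers"
$account = New-Object System.Security.Principal.NTAccount($group)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export the effective user rights (the result of whichever GPO won).
$cfg = Join-Path $env:TEMP 'dc-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$ok = Test-UserRightHolder -InfLines (Get-Content $cfg) -Right 'SeSecurityPrivilege' -Sid $sid
Remove-Item $cfg

if ($ok) {
    "OK: $group ($sid) holds SeSecurityPrivilege on $env:COMPUTERNAME"
} else {
    "MISSING: $group ($sid) does not hold SeSecurityPrivilege on $env:COMPUTERNAME"
}
```

Because the export reflects the effective policy rather than any single GPO, a MISSING result after GPUpdate means a higher-precedence GPO is still overriding the setting.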