locked
FSW error RRS feed

  • Question

  • I keep getting this error. I have tried changing the FSW server, but the error persists. I have the FSW on a domain controller. 

     

    The error is showing the the event viewer. The source is "MSExchRepl". Here is the error. 

    Failed to get the boot time of witness server 'servername.domain.com'. Error: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

     

     

    Monday, August 22, 2011 5:50 AM

Answers

  • You get this error because you have place the FSW on a DC, this is not recommended. But to get this to work you need to do the following:

    1. Add your domain controller’s computer account to Exchange Trusted Subsystem group in AD.
    2. Add the Exchange Trusted Subsystem group to the Builtin\Administrators group of the domain.

    Again, not ideal and not recommended. I would suggest that you use a HUB or CAS server instead of the DC.


    Martin Sundström | Microsoft Certified Trainer | MCITP: Enterprise Messaging Administrator 2007/2010 | http://msundis.wordpress.com
    • Proposed as answer by superJazz Monday, August 22, 2011 8:26 AM
    • Marked as answer by Skalinator Tuesday, August 23, 2011 9:50 PM
    Monday, August 22, 2011 6:49 AM
  • Have you restared services etc after you performed those steps?

    The recommendation to not use domain controllers as FSW is based on security implications, you can find the recommendations in various TechNet articles. Here for Example: http://64.4.11.252/en-us/library/gg598215.aspx

     


    Martin Sundström | Microsoft Certified Trainer | MCITP: Enterprise Messaging Administrator 2007/2010 | http://msundis.wordpress.com
    • Marked as answer by Skalinator Tuesday, August 23, 2011 9:50 PM
    Tuesday, August 23, 2011 6:44 AM
  • There is no local administrators group, only builtin since its a domain controller ;)

    but your suggestion to restart the services has done the trick, i overlooked that.

    I am not getting the error in the event viewer any more. 


    Thank you for your help

    • Marked as answer by emma.yoyo Wednesday, August 24, 2011 2:00 AM
    Tuesday, August 23, 2011 10:41 PM

All replies

  • You get this error because you have place the FSW on a DC, this is not recommended. But to get this to work you need to do the following:

    1. Add your domain controller’s computer account to Exchange Trusted Subsystem group in AD.
    2. Add the Exchange Trusted Subsystem group to the Builtin\Administrators group of the domain.

    Again, not ideal and not recommended. I would suggest that you use a HUB or CAS server instead of the DC.


    Martin Sundström | Microsoft Certified Trainer | MCITP: Enterprise Messaging Administrator 2007/2010 | http://msundis.wordpress.com
    • Proposed as answer by superJazz Monday, August 22, 2011 8:26 AM
    • Marked as answer by Skalinator Tuesday, August 23, 2011 9:50 PM
    Monday, August 22, 2011 6:49 AM
  • Hi,

    In Exchange 2010 DAC mode for DAG's with 2 members the boot time of the witness server is compared to the time when the DACP bit was set to 1.It seems there is some permission issue in getting the boot time of the DC where your FSW is placed.  

    Mahendra

    Monday, August 22, 2011 7:03 AM
  • I have done both those steps already. 

     

    Do you have any links to documentation on the FSW on a DC not being recommended? These servers have all roles installed, including failover clustering (dag) so the hub transport as the FSW is not an option. 

    Monday, August 22, 2011 8:07 PM
  • Have you restared services etc after you performed those steps?

    The recommendation to not use domain controllers as FSW is based on security implications, you can find the recommendations in various TechNet articles. Here for Example: http://64.4.11.252/en-us/library/gg598215.aspx

     


    Martin Sundström | Microsoft Certified Trainer | MCITP: Enterprise Messaging Administrator 2007/2010 | http://msundis.wordpress.com
    • Marked as answer by Skalinator Tuesday, August 23, 2011 9:50 PM
    Tuesday, August 23, 2011 6:44 AM
  • Another thing, are your sure that you have added Exchange Trusted Subsystem group to the Builtin/Administrators and not to local Administrators?
    Martin Sundström | Microsoft Certified Trainer | MCITP: Enterprise Messaging Administrator 2007/2010 | http://msundis.wordpress.com
    Tuesday, August 23, 2011 7:47 AM
  • Hi Skalinator,

    If you change the FSW to another Windows server(e.g File share server), what's the result?

    Please note: "If the witness server you specify isn't an Exchange 2010 server, you must add the Exchange Trusted Subsystem universal security group to the local Administrators group on the witness server."

    Create a Database Availability Group
    More information:
    Witness Server Warning Message When Using Certain Database Availability Group Tasks

    http://blogs.technet.com/b/scottschnoll/archive/2011/06/08/witness-server-warning-message-when-using-certain-database-availability-group-tasks.aspx

    Frank Wang

    Forum Support

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, August 23, 2011 7:57 AM
  • And you might aswell check the permissions on your FSW folder to make sure that it is set correctly:

    NTFS
    Exchange Trusted Subsystem group should have Owner permissions
    Exchange Trusted Subsystem group should also have Full Control permissions

    Share
    The sharename must be <dagname>.<fqdn>
    The <dagname> computer account should have Full Control permissions

     


    Martin Sundström | Microsoft Certified Trainer | MCITP: Enterprise Messaging Administrator 2007/2010 | http://msundis.wordpress.com
    Tuesday, August 23, 2011 8:09 AM
  • There is no local administrators group, only builtin since its a domain controller ;)

    but your suggestion to restart the services has done the trick, i overlooked that.

    I am not getting the error in the event viewer any more. 


    Thank you for your help

    • Marked as answer by emma.yoyo Wednesday, August 24, 2011 2:00 AM
    Tuesday, August 23, 2011 10:41 PM
  • Hi all, I know this is an old thread but we also encountered this issue.  We're not on a DC ,but a 2-node DAG.  What we ended up noticing was that our clocks albeit in sync, were out in total by 8 minutes.  When we updated the NTP configuration on the DC and updated the servers, the small skew time took things out of sync with Exchange.

    After restarting the passive node, everything came good.

    Jason.


    Consultant | Nerd | Visionary. http://www.ethertech.com.au/ | http://www.deeperstates.com.au

    Tuesday, January 21, 2014 11:13 AM
  • why you supposed the error appear if the FWS on DC,  I have some case same error and the FWS on the File server 
    Thursday, July 13, 2017 8:31 AM