Exchange Recipient Update Service creation may autoselect a domain controller that is not available

When you install Microsoft Exchange 2000 server, two Recipient Update Services are created during the installation process. The Enterprise Configuration Recipient Update Service is used to update the configuration context in Active Directory. The second Recipient Update Service is used to update the objects in the domain context in Active Directory. There are situations in which you may want to create additional Recipient Update Services.
When you create a new Recipient Update Service in a domain that contains multiple domain controllers, a connection is created to the first domain controller that responds to this request. If this domain controller is then unavailable when you click Finish, you may receive the following error message in the Exchange System Manager:

The Recipient Update Service only lets you specify the domain that will be updated by the service. The domain controller is automatically selected, before the process of creating the new Recipient Update Service is completed.

There are two options for working around this issue.

Method 1

Do not create the Recipient Update Service until that domain controller is available, or delete the domain controller's server object from Active Directory if it is no longer available.

Method 2

Make the domain controller temporarily unavailable when the Recipient Update Service is created. You do this by modifying the permissions to the domain controller server object. To do this, follow these steps.

Warning If you use the Active Directory Service Interfaces (ADSI) Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require that you reinstall Microsoft Windows 2000 Server, Microsoft Exchange 2000 Server, or both. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.

1. Note the domain controller that was listed in the summary of the Recipient Update Service object before you click Finish. This is the domain controller that is not available.
2. Log on by using the same user account that you used when you created the Recipient Update Service object, and then start the ADSI Edit snap-in.
   
   Note ADSI Edit is included with the Microsoft Windows 2000 Support Tools. To install the Windows 2000 Support Tools, run Setup.exe from the Support\Tools folder on the Microsoft Windows 2000 CD.
3. Connect to the domain where you want to create the new Recipient Update Service object. To do this, right-click ADSI Edit, and then click Connect to. Under Computer, type or select the domain or computer, and then click OK.
4. Under Domain NC [servername.yourdomainname.com] (where servername.yourdomainname.com is the fully qualified domain name of the server), expand DC=yourdomainname, expand DC=com, and then expand OU=Domain Controllers.
5. Right-click CN=Servername (where Servername is the domain controller that is not available when you try to create the Recipient Update Service object), and then click Properties.
6. On the Security tab, click Advanced.
7. Click Add, click the account that you used to try to create the new Recipient Update Service object, and then click OK.
   
   Note Make sure that you select the correct domain when you select your user account.
8. On the Properties tab, click to select the Read servicePrincipalName check box in the Deny column of the Permissions list, and then click OK.
   
   Note When you click to select the Read servicePrincipalName check box in the Deny column, you deny read permissions to the servicePrincipalName attribute.
9. Click OK, click Yes in the Caution! Deny entries take priority over Allow entries box, and then click OK.
10. Exit the ADSI Edit snap-in, and then wait for the new permissions to replicate throughout the forest.
11. Start Exchange System Manager, and then create the new Recipient Update Service object. When you create the new Recipient Update Service object, the object creation process is forced to select a different domain controller because you have denied Read permissions to the domain controller that is not available.
12. When you finish creating the Recipient Update Service object, remove the Deny access control entry (ACE) that you previously set.

Microsoft has confirmed that this is a problem in Microsoft Exchange 2000 Server.