Exchange Server with Credential Guard – No Good!

I recently worked through a support scenario where Exchange 2016 had been deployed in a DAG spanning two data centers. On a regular schedule the Exchange servers would become unresponsive: we would see events indicating timeouts attempting to reach the domain controllers, application pools would crash, and then services would begin crashing.

Key among the events was Event ID 2080 from MSExchange ADAccess. To begin with, these events are expected on any Exchange server: the AD Topology service logs one each time it determines which domain controllers are online, operating and available to the Exchange server, and which of them are in the Exchange server's own site. Microsoft's support article on Event ID 2080 shows a sample. However, we found that they were happening far more often than that, but with no discernible pattern; each server would log them at random intervals.

Users would then reconnect to partner Exchange servers, the process would repeat on those, and eventually an entire site of very powerful physical Exchange servers was brought down. For some time we were concerned we had a network issue. However, that wasn't it at all. The issue was actually rooted in a recently enabled security protection feature.

The culprit turned out to be Credential Guard.

Upon disabling Credential Guard, services returned to normal operation. A case was opened and a support request submitted to the product group at Microsoft. At the end of the day, Exchange with Credential Guard was determined to be unsupported.

If you are running Credential Guard on an Exchange server, and you start to experience significant delays with LDAP and authentication calls to your domain controllers, disable Credential Guard and test some more. Two caveats when you do: Credential Guard is usually pushed by Group Policy, so confirm after the reboot that it is actually off rather than re-applied, and if it was enabled with UEFI lock, reverting the policy is not enough; the UEFI variable has to be cleared on the host as well.
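As an added example, not part of the original post, the following PowerShell script pulls together the two checks described above: whether Credential Guard is actually running on the server (and whether it was enabled with UEFI lock), and how often MSExchange ADAccess event 2080 is being logged, bucketed per hour and with the gaps between consecutive events. The `$LookbackHours` and `$ProviderName` parameters and the `-Disable` switch are my additions; the provider name `MSExchange ADAccess` is assumed to be the one your Exchange version uses (check one of the 2080 events in Event Viewer if the query returns nothing). Run it elevated on the Exchange server.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): check Credential Guard state on an
# Exchange server and measure how often MSExchange ADAccess event 2080 fires.
param(
    [int]$LookbackHours = 24,                      # assumed window for the event query
    [string]$ProviderName = 'MSExchange ADAccess', # assumed event provider name
    [switch]$Disable                               # write the registry values that turn Credential Guard off
)

# 1. Credential Guard / VBS status as Windows itself reports it.
#    SecurityServicesRunning / SecurityServicesConfigured: 1 = Credential Guard, 2 = HVCI
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$cgRunning    = @($dg.SecurityServicesRunning)    -contains 1
$cgConfigured = @($dg.SecurityServicesConfigured) -contains 1

# 2. How it was turned on. LsaCfgFlags: 0 = off, 1 = on with UEFI lock, 2 = on without UEFI lock
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
$lsaPath    = 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA'
$policy = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue
$lsa    = Get-ItemProperty -Path $lsaPath -Name LsaCfgFlags -ErrorAction SilentlyContinue

[pscustomobject]@{
    ComputerName              = $env:COMPUTERNAME
    VbsStatus                 = $dg.VirtualizationBasedSecurityStatus  # 0 off, 1 enabled not running, 2 running
    CredentialGuardConfigured = $cgConfigured
    CredentialGuardRunning    = $cgRunning
    PolicyLsaCfgFlags         = $policy.LsaCfgFlags
    EffectiveLsaCfgFlags      = $lsa.LsaCfgFlags
} | Format-List

# 3. Topology discovery rate: event 2080 over the lookback window.
$since  = (Get-Date).AddHours(-$LookbackHours)
$events = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = $ProviderName; Id = 2080; StartTime = $since
} -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    "No $ProviderName event 2080 entries since $since"
} else {
    # Per-hour buckets: a healthy server logs these at a steady, low rate; bursts stand out here.
    $events |
        Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
        Sort-Object Name |
        Select-Object @{n = 'Hour'; e = { $_.Name }}, Count |
        Format-Table -AutoSize

    # Seconds between consecutive 2080 events; very short gaps mean topology is being rediscovered constantly.
    $sorted = $events | Sort-Object TimeCreated
    $gaps = for ($i = 1; $i -lt $sorted.Count; $i++) {
        ($sorted[$i].TimeCreated - $sorted[$i - 1].TimeCreated).TotalSeconds
    }
    if ($gaps) {
        $stats = $gaps | Measure-Object -Minimum -Average
        'Gap between 2080 events (s): min={0:N0} avg={1:N0}' -f $stats.Minimum, $stats.Average
    }
}

if ($cgRunning) {
    Write-Warning 'Credential Guard is running on this Exchange server.'
    if ($lsa.LsaCfgFlags -eq 1) {
        Write-Warning 'Enabled with UEFI lock: clearing the policy alone will not turn it off; the UEFI variable must be cleared on the host.'
    } elseif ($Disable) {
        # Without UEFI lock, setting both values to 0 and rebooting turns Credential Guard off.
        # If Group Policy still sets LsaCfgFlags, it will come straight back; fix the GPO first.
        New-Item -Path $policyPath -Force | Out-Null
        Set-ItemProperty -Path $policyPath -Name LsaCfgFlags -Value 0 -Type DWord
        Set-ItemProperty -Path $lsaPath    -Name LsaCfgFlags -Value 0 -Type DWord
        Write-Warning 'LsaCfgFlags set to 0 in policy and LSA keys; reboot and re-run this script to confirm CredentialGuardRunning is False.'
    }
}
```

Run it once before touching anything to record the baseline 2080 rate, again after the reboot with Credential Guard off, and compare the per-hour counts and the minimum gap; if the rate drops back to the normal periodic discovery and the LDAP timeouts stop, you have reproduced the behaviour described in this post.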