Microsoft KB Archive/328646

= XADM: System Attendant Service Does Not Start After Windows 2000 Security Rollup Package 1 Installation =

Article ID: 328646

Article Last Modified on 2/27/2007

-

APPLIES TO


 * Microsoft Exchange 2000 Server Standard Edition
 * Microsoft Exchange 2000 Enterprise Server

-



This article was previously published under Q328646



SYMPTOMS
After you update your Exchange 2000 Server-based computer with the &quot;Windows 2000 Security Rollup Package 1 (SRP1), January 2002&quot;, you may experience one or more of the following symptoms:  The Exchange System Attendant service does not start. The following four events are added to the Event Viewer Application log:

Event Type: Error

Event Source: MSExchangeSA

Event Category: General

Event ID: 1005

Date:

Time:

User: N/A

Computer:

Description:

Unexpected error An unknown error has occurred. ID no: 80040a01 Microsoft Exchange System Attendant occurred.

For more information, click

http://search.support.microsoft.com/search/?adv=1.

Event Type: Error

Event Source: MSExchangeSA

Event Category: General

Event ID: 9004

Date:

Time:

User: N/A

Computer:

Description:

The Metabase Update service failed to start, error '80040a01'.

For more information, click

http://search.support.microsoft.com/search/?adv=1.

Event Type: Information

Event Source: MSExchangeSA

Event Category: General

Event ID: 1004

Date:

Time:

User: N/A

Computer:

Description:

Microsoft Exchange System Attendant failed to start.

For more information, click

http://search.support.microsoft.com/search/?adv=1.

Event Type: Error

Event Source: MSExchangeDSAccess

Event Category: Topology

Event ID: 2102

Date:

Time:

User: N/A

Computer:

Description:

Process MAD.EXE (PID=1524). All Domain Controller Servers in use are not responding:

For more information, click

http://search.support.microsoft.com/search/?adv=1.

 You may receive the following results after you run the Policytest utility (Policytest.exe):

================================================ Local domain is &quot; .com&quot; (EXAMPLE) Account is &quot;EXAMPLE\Exchange Enterprise Servers&quot;

=
=========== DC      = &quot;&quot; In site = &quot;&quot; !!! Right NOT found !!!

You may have run Policytest.exe to determine if the &quot;Manage auditing and security logs&quot; permission for the Exchange Enterprise Servers group is missing on any or all of the domain controllers. Policytest.exe is located on the Exchange 2000 Server CD-ROM in the Support\Utils\I386 folder.



CAUSE
This issue may occur if the Exchange Enterprise Servers security group does not have &quot;Manage auditing and security logs&quot; permissions on the domain controller. The Exchange Enterprise Servers group must have &quot;Manage auditing and security logs&quot; permissions on all of the domain controllers in the domain.



RESOLUTION
To resolve this issue:  Use the Policytest tool (Policytest.exe) to troubleshoot permissions. Policytest.exe is located on the Exchange 2000 Server CD-ROM in the Support\Utils\I386 folder. Use Policytest to determine if the &quot;Manage auditing and security logs&quot; permission for the Exchange Enterprise Servers group is missing on any or all of the domain controllers. A successful result returns information that is similar to the following:

<pre class="fixed_text">================================================ Local domain is &quot;<example.com>&quot; (EXAMPLE) Account is &quot;EXAMPLE\Exchange Enterprise Servers&quot;

=
=========== DC      = &quot;<ComputerName>&quot; In site = &quot;<Default-First-Site-Name>&quot; Right found: &quot;SeSecurityPrivilege&quot;

NOTE: A successful result shows that the &quot;Manage auditing and security logs&quot; permissions exist. You must have domain administrator rights to run Policytest successfully.For additional information about the Policytest utility, click the article number below to view the article in the Microsoft Knowledge Base:

281537 XADM: Purpose and Use of the Policytest.exe Utility

</li> Reset the Exchange Enterprise Server default permissions at the domain level: <ol style="list-style-type: lower-alpha;"> Run the setup /domainprep command from the Exchange 2000 Server CD-ROM, or from a network installation point. This command adds the Exchange Enterprise Servers group to the domain with default permissions. When you run this command, the permissions are immediately added to one domain controller. The change then replicates to the other domain controllers.</li> Restore permissions inheritance to other organizational units. Wait for the domain controllers to replicate the changes throughout the domain.</li> Run Policytest and note which domain controllers return the following successful result:

Right found: &quot;SeSecurityPrivilege&quot;

If all of the domain controllers have the correct permissions, restart the Exchange services. If none of the domain controllers have the appropriate permissions, continue to the next step.</li></ol> </li> Verify the default domain controllers policy: <ol style="list-style-type: lower-alpha;"> Start the Active Directory Users and Computers snap-in.</li> Right-click the Domain Controllers container, and then click Properties.</li> Click the Group Policy tab, and then make sure that &quot;Default Domain Controllers Policy&quot; is listed in the Group Policy Object Links box. If it is not, click Add, click Default Domain Controllers Policy, and then click OK. After you do so, wait for this change to replicate to all other domain controllers.</li> Run the setup /domainprep command from the Exchange 2000 Server CD-ROM, or from a network installation point. This command adds the Exchange Enterprise Servers group to the domain with default permissions.</li> Run Policytest and note which domain controllers return the following successful result:

Right found: &quot;SeSecurityPrivilege&quot;

If all of the domain controllers have the correct permissions, restart the Exchange services. If some of the domain controllers do not have the correct permissions, continue to the next step.</li></ol> </li> Manually add permissions to the domain controller. The File Replication Service (FRS) may not replicate the updated security policy to one or more domain controllers after you run the setup /domainprep command. If this occurs, you must manually assign the correct permissions to the Exchange Enterprise Servers group. If some or all of the domain controllers do not have the correct permissions, assign the Exchange Enterprise Servers group the &quot;Manage auditing and security logs&quot; permission, and then wait for the setting to replicate to the other domain controllers: <ol style="list-style-type: lower-alpha;"> Start the Active Directory Users and Computers snap-in.</li> Right-click the Domain Controllers container, and then click Properties.</li> Click the Group Policy tab, click Default Domain Controllers Policy in the Group Policy Object Links box, and then click Edit.</li> Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click User Rights Assignment.</li> <li>In the right pane, double-click Manage auditing and security log, click Add, click Browse, and then add the Exchange Enterprise Servers group.</li> <li>In the Add user or group box, click OK, and then click OK.</li> <li>Quit the Group Policy snap-in, and then click OK in the Domain Controllers Properties dialog box.

NOTE: Sometimes, the Exchange Enterprise Servers group may not be visible when you click Browse in the Add user or group dialog box. If this occurs, add the Exchange Domain Servers group, and then run the setup /domainprep command again. This process makes the addition of the Exchange Enterprise Servers group by the setup /domainprep command persist across all domain controllers.</li></ol> </li></ol>

<div class="moreinformation_section">

MORE INFORMATION
Before you make policy changes on a domain controller, confirm that FRS replication has copied the necessary policy to that domain controller. Use Policytest so that you do not have to manually check every domain controller in a large domain. Policytest connects to every domain controller in the domain, and then verifies that the Exchange Enterprise Servers group has the rights to manage the security and auditing log, either directly or through inheritance. You must have domain administrator rights to run Policytest successfully.

For additional information about the Windows 2000 Security Rollup Package 1 (SRP1), January 2002, click the article number below to view the article in the Microsoft Knowledge Base:

311401 Windows 2000 Security Rollup Package 1 (SRP1), January 2002

Keywords: kbenv kberrmsg kbprb KB328646

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.