Microsoft KB Archive/919089

= Exchange services do not start, and event IDs 2114 and 2112 are logged in the Application log in Exchange Server 2003 or in Exchange 2000 Server =

Article ID: 919089

Article Last Modified on 10/25/2007


APPLIES TO


 * Microsoft Exchange Server 2003 Enterprise Edition
 * Microsoft Exchange Server 2003 Standard Edition
 * Microsoft Exchange 2000 Enterprise Server
 * Microsoft Exchange 2000 Server Standard Edition






SUMMARY
''This article describes a problem that may occur when the Directory Service Access (DSAccess) component cannot communicate with the Active Directory directory service. To resolve this problem, you must verify the following:''


 * The default domain policy or the default domain controllers policy is not blocked by a "No override" configuration on an organizational unit object or on the domain object.
 * The Manage Auditing Security Privilege user right in the default domain controllers policy is applied to the Exchange Enterprise Servers group.
 * The computer account of the affected Exchange server is included in the Exchange Domain Servers group.



SYMPTOMS
When you start or restart the computer that is running Microsoft Exchange Server 2003 or Microsoft Exchange 2000 Server, the Exchange services may not start. Additionally, the following event is logged to the Application log:

    Event ID : 2114
    Event Category : Topology
    Event Source : MSExchangeDSAccess
    Event Type : Error
    Computer :
    Description : Process. Topology Discovery failed, error 0x80040a02.
    For more information, click http://search.support.microsoft.com/search/?adv=1.

Additionally, you may find that the following warning events were logged in the Application log earlier:

    Event ID : 2112
    Event Category : Topology
    Event Source : MSExchangeDSAccess
    Event Type : Warning
    Computer : Server_Name
    Description : Process. Exchange Server  does not have Audit Security Privilege on Domain Controller. This Domain Controller will not be used by DSAccess.
    For more information, click http://search.support.microsoft.com/search/?adv=1.



CAUSE
This problem occurs because the Exchange security groups do not have the appropriate user rights to enable the Directory Service Access (DSAccess) component to communicate with Active Directory.



RESOLUTION
To resolve this problem, verify the following:
 * The default domain policy or the default domain controllers policy is not blocked by a "No override" configuration on an organizational unit object or on the domain object.
 * The Manage Auditing Security Privilege user right in the default domain controllers policy is applied to the Exchange Enterprise Servers group.
 * The computer account of the affected Exchange server is included in the Exchange Domain Servers group.

To do this, follow these steps.

Note: You must perform the steps that are described in step 1 only if you have additional group policies other than the default policies configured in the organization. If you do not have additional group policies configured, go to step 2.

 1. Verify that the default domain policy or the default domain controllers policy is not blocked.
    a. Start the Active Directory Users and Computers snap-in.
    b. Right-click  , and then click Properties.
    c. Click the Group Policy tab.
    d. In the Current Group Policy Object Links for  window, click a Group Policy entry other than the Default Domain Group Policy entry. Click Options.
    e. Verify that the No Override: prevents other Group Policy objects from overriding policy set in this one check box is not selected. If it is selected, click to clear this check box after you make sure that the effective policy settings that you want are not changed when the default domain policy is applied.
    f. Click OK two times.
    g. Repeat steps 1d to 1f for any other group policies that you have configured.
    h. Repeat steps 1b to 1g for any organizational unit object that is located in your environment.
    i. Right-click Domain Controllers, and then click Properties.
    j. In the Current Group Policy Object Links Domain Controllers window, click a Group Policy entry other than the Default Domain Controllers Group Policy entry.
    k. Verify that the No Override: prevents other Group Policy objects from overriding policy set in this one check box is not selected. If it is selected, click to clear this check box after you make sure that the effective policy settings that you want are not changed when the default domain controllers policy is applied.
    l. Click OK two times.
    m. Exit the Active Directory Users and Computers snap-in.
    n. Wait for this change to replicate to all other domain controllers.

 2. Use the Policytest tool (Policytest.exe) to troubleshoot permissions.

    Policytest.exe is located on the Exchange Server 2003 or Exchange 2000 Server CD in the Support\Utils\I386 folder. Use Policytest.exe to determine whether the Manage auditing and security logs permission for the Exchange Enterprise Servers group is missing on any of the domain controllers. A successful result returns information that resembles the following:

        Local domain is"<example.com>" (EXAMPLE)
        Account is"EXAMPLE\Exchange Enterprise Servers"
        ========================
        DC ="<ComputerName>"
        In site ="<Default-First-Site-Name>"
        Right found:"SeSecurityPrivilege"

    Note: A successful result shows that the Manage auditing and security logs permission exists. You must have domain administrator rights to run Policytest.exe successfully. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

    281537 Description of the Policytest.exe utility

 3. Reset the Exchange Enterprise Server default permissions at the domain level:
    a. Run the setup /domainprep command from the Exchange Server 2003 or Exchange 2000 Server CD or from a network installation point. This command adds the Exchange Enterprise Servers group to the domain together with default permissions. When you run this command, the permissions are immediately added to one domain controller. The change then replicates to the other domain controllers.
    b. Restore permissions inheritance to other organizational units. Then, wait for the domain controllers to replicate the changes throughout the domain.
    c. Run Policytest.exe, and then note which domain controllers return the following successful result:

        Right found:"SeSecurityPrivilege"

       If all the domain controllers have the correct permissions, restart the Exchange services. If no domain controllers have the appropriate permissions, go to step 4.

 4. Verify the default domain controllers policy:
    a. Start the Active Directory Users and Computers snap-in.
    b. Right-click the Domain Controllers container, and then click Properties.
    c. Click the Group Policy tab, and then make sure that Default Domain Controllers Policy is listed in the Current Group Policy Object Links for  window. If it is not, click Add, click Default Domain Controllers Policy, and then click OK. Then, wait for this change to replicate to all other domain controllers.
    d. Run the setup /domainprep command from the Exchange Server 2003 or Exchange 2000 Server CD or from a network installation point. This command adds the Exchange Enterprise Servers group to the domain together with default permissions.
    e. Run Policytest.exe, and then note which domain controllers return the following successful result:

        Right found:"SeSecurityPrivilege"

       If all the domain controllers have the correct permissions, restart the Exchange services. If some domain controllers do not have the correct permissions, go to step 5.

 5. Manually add permissions to the domain controller.

    The File Replication service (FRS) may not replicate the updated security policy to one or more domain controllers after you run the setup /domainprep command. If this occurs, you must manually assign the correct permissions to the Exchange Enterprise Servers group. If some or all domain controllers do not have the correct permissions, assign the Exchange Enterprise Servers group the Manage auditing and security logs permission. Then, wait for the setting to replicate to the other domain controllers.
    a. Start the Active Directory Users and Computers snap-in.
    b. Right-click the Domain Controllers container, and then click Properties.
    c. Click the Group Policy tab, click Default Domain Controllers Policy in the Group Policy Object Links box, and then click Edit.
    d. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click User Rights Assignment.
    e. In the right pane, double-click Manage auditing and security log, click Add, click Browse, and then add the Exchange Enterprise Servers group.
    f. In the Add user or group dialog box, click OK, and then click OK again.
    g. Exit the Group Policy snap-in, and then click OK in the Domain Controllers Properties dialog box.

       Note: Sometimes, you may not be able to see the Exchange Enterprise Servers group when you click Browse in the Add user or group dialog box. If this occurs, add the Exchange Domain Servers group, and then run the setup /domainprep command again. This process makes the addition of the Exchange Enterprise Servers group by the setup /domainprep command persist across all domain controllers.
    h. Restart the Exchange services.


MORE INFORMATION
Before you make policy changes on a domain controller, confirm that FRS replication has copied the necessary policy to that domain controller. Use Policytest.exe so that you do not have to manually check every domain controller in a large domain. Policytest.exe connects to every domain controller in the domain. Then, Policytest.exe verifies that the Exchange Enterprise Servers group has the rights to manage the security and auditing log, either directly or through inheritance. You must have domain administrator rights to run Policytest.exe successfully.
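In a large domain the Policytest.exe output covers many domain controllers, so the per-DC result is easier to act on when it is parsed. The following is an added example, not part of the original article or of Policytest.exe: it reads captured output in the layout quoted in step 2, accepts the field spacing with or without a space before the quoted value, and lists the domain controllers whose block has no `Right found:"SeSecurityPrivilege"` line. The function names and the sample text are constructed for illustration; the page does not show how the tool words a failure, so only the absence of the success line is used.

```python
import re

# Constructed sample in the layout of the successful result quoted in step 2.
# DC02 has no "Right found" line; the wording Policytest.exe uses for a failure
# is not shown in the article, so the parser relies only on that line's absence.
SAMPLE = '''Local domain is "example.com" (EXAMPLE)
Account is "EXAMPLE\\Exchange Enterprise Servers"
========================
DC = "DC01"
In site = "Default-First-Site-Name"
Right found: "SeSecurityPrivilege"
========================
DC = "DC02"
In site = "Branch-Site"
========================
DC ="DC03"
In site ="Default-First-Site-Name"
Right found:"SeSecurityPrivilege"
'''

DC_RE = re.compile(r'^\s*DC\s*=\s*"([^"]*)"', re.I)
SITE_RE = re.compile(r'^\s*In site\s*=\s*"([^"]*)"', re.I)
RIGHT_RE = re.compile(r'^\s*Right found:\s*"SeSecurityPrivilege"', re.I)

def parse_policytest(text):
    """Return {dc_name: {"site": str or None, "has_right": bool}}."""
    results, current = {}, None
    for line in text.splitlines():
        m = DC_RE.match(line)
        if m:  # a new domain controller block starts here
            current = results.setdefault(m.group(1), {"site": None, "has_right": False})
        elif current is not None and SITE_RE.match(line):
            current["site"] = SITE_RE.match(line).group(1)
        elif current is not None and RIGHT_RE.match(line):
            current["has_right"] = True
    return results

def missing_right(results):
    """Domain controllers whose block never reported SeSecurityPrivilege."""
    return sorted(dc for dc, info in results.items() if not info["has_right"])

def coverage(results):
    """'all', 'some' or 'none' of the domain controllers hold the right."""
    missing = missing_right(results)
    if len(missing) == len(results):  # also true for empty output
        return "none"
    return "some" if missing else "all"
```

The `coverage` result lines up with the branches in the resolution steps: "all" means the Exchange services can be restarted, while "none" and "some" correspond to the cases that send you on to steps 4 and 5.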

<div class="references_section">