Microsoft KB Archive/328646



XADM: System Attendant Service Does Not Start After Windows 2000 Security Rollup Package 1 Installation

Article ID: 328646

Article Last Modified on 2/27/2007



APPLIES TO

  • Microsoft Exchange 2000 Server Standard Edition
  • Microsoft Exchange 2000 Enterprise Server



This article was previously published under Q328646

SYMPTOMS

After you update your Exchange 2000 Server-based computer with the "Windows 2000 Security Rollup Package 1 (SRP1), January 2002", you may experience one or more of the following symptoms:

  • The Exchange System Attendant service does not start.
  • The following four events are added to the Event Viewer Application log:

    Event Type: Error
    Event Source: MSExchangeSA
    Event Category: General
    Event ID: 1005
    Date: date
    Time: time
    User: N/A
    Computer: computer name
    Description:
    Unexpected error An unknown error has occurred. ID no: 80040a01 Microsoft Exchange System Attendant occurred.

    For more information, click
    http://search.support.microsoft.com/search/?adv=1.

    Event Type: Error
    Event Source: MSExchangeSA
    Event Category: General
    Event ID: 9004
    Date: date
    Time: time
    User: N/A
    Computer: computer name
    Description:
    The Metabase Update service failed to start, error '80040a01'.

    For more information, click
    http://search.support.microsoft.com/search/?adv=1.

    Event Type: Information
    Event Source: MSExchangeSA
    Event Category: General
    Event ID: 1004
    Date: date
    Time: time
    User: N/A
    Computer: computer name
    Description:
    Microsoft Exchange System Attendant failed to start.

    For more information, click
    http://search.support.microsoft.com/search/?adv=1.

    Event Type: Error
    Event Source: MSExchangeDSAccess
    Event Category: Topology
    Event ID: 2102
    Date: date
    Time: time
    User: N/A
    Computer: computer name
    Description:
    Process MAD.EXE (PID=1524). All Domain Controller Servers in use are not responding:
    DomainController1.domain.com
    DomainController2.domain.com

    For more information, click
    http://search.support.microsoft.com/search/?adv=1.

  • You may receive the following results after you run the Policytest utility (Policytest.exe):
    ================================================
    Local domain is "<example>.com" (EXAMPLE)
    Account is "EXAMPLE\Exchange Enterprise Servers"
    ========================
      DC      = "<ComputerName>"
      In site = "<Default-First-Site-Name>"
      !!! Right NOT found !!!
                                
    You may have run Policytest.exe to determine if the "Manage auditing and security logs" permission for the Exchange Enterprise Servers group is missing on any or all of the domain controllers. Policytest.exe is located on the Exchange 2000 Server CD-ROM in the Support\Utils\I386 folder.


CAUSE

This issue may occur if the Exchange Enterprise Servers security group does not have "Manage auditing and security logs" permissions on the domain controller. The Exchange Enterprise Servers group must have "Manage auditing and security logs" permissions on all of the domain controllers in the domain.

RESOLUTION

To resolve this issue:

  1. Use the Policytest tool (Policytest.exe) to troubleshoot permissions. Policytest.exe is located on the Exchange 2000 Server CD-ROM in the Support\Utils\I386 folder. Use Policytest to determine if the "Manage auditing and security logs" permission for the Exchange Enterprise Servers group is missing on any or all of the domain controllers. A successful result returns information that is similar to the following:
    ================================================
    Local domain is "<example.com>" (EXAMPLE)
    Account is "EXAMPLE\Exchange Enterprise Servers"
    ========================
      DC      = "<ComputerName>"
      In site = "<Default-First-Site-Name>"
      Right found:  "SeSecurityPrivilege"
                                

    NOTE: A successful result shows that the "Manage auditing and security logs" permissions exist. You must have domain administrator rights to run Policytest successfully. For additional information about the Policytest utility, click the article number below to view the article in the Microsoft Knowledge Base:

    281537 XADM: Purpose and Use of the Policytest.exe Utility

  2. Reset the Exchange Enterprise Servers default permissions at the domain level:
    1. Run the setup /domainprep command from the Exchange 2000 Server CD-ROM, or from a network installation point. This command adds the Exchange Enterprise Servers group to the domain with default permissions. When you run this command, the permissions are immediately added to one domain controller. The change then replicates to the other domain controllers.
    2. Restore permissions inheritance to other organizational units. Wait for the domain controllers to replicate the changes throughout the domain.
    3. Run Policytest and note which domain controllers return the following successful result:

      Right found: "SeSecurityPrivilege"

      If all of the domain controllers have the correct permissions, restart the Exchange services. If none of the domain controllers have the appropriate permissions, continue to the next step.
  3. Verify the default domain controllers policy:
    1. Start the Active Directory Users and Computers snap-in.
    2. Right-click the Domain Controllers container, and then click Properties.
    3. Click the Group Policy tab, and then make sure that "Default Domain Controllers Policy" is listed in the Group Policy Object Links box. If it is not, click Add, click Default Domain Controllers Policy, and then click OK. After you do so, wait for this change to replicate to all other domain controllers.
    4. Run the setup /domainprep command from the Exchange 2000 Server CD-ROM, or from a network installation point. This command adds the Exchange Enterprise Servers group to the domain with default permissions.
    5. Run Policytest and note which domain controllers return the following successful result:

      Right found: "SeSecurityPrivilege"

      If all of the domain controllers have the correct permissions, restart the Exchange services. If some of the domain controllers do not have the correct permissions, continue to the next step.
  4. Manually add permissions to the domain controller. The File Replication Service (FRS) may not replicate the updated security policy to one or more domain controllers after you run the setup /domainprep command. If this occurs, you must manually assign the correct permissions to the Exchange Enterprise Servers group. If some or all of the domain controllers do not have the correct permissions, assign the Exchange Enterprise Servers group the "Manage auditing and security logs" permission, and then wait for the setting to replicate to the other domain controllers:
    1. Start the Active Directory Users and Computers snap-in.
    2. Right-click the Domain Controllers container, and then click Properties.
    3. Click the Group Policy tab, click Default Domain Controllers Policy in the Group Policy Object Links box, and then click Edit.
    4. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click User Rights Assignment.
    5. In the right pane, double-click Manage auditing and security log, click Add, click Browse, and then add the Exchange Enterprise Servers group.
    6. In the Add user or group box, click OK, and then click OK.
    7. Quit the Group Policy snap-in, and then click OK in the Domain Controllers Properties dialog box.

      NOTE: Sometimes, the Exchange Enterprise Servers group may not be visible when you click Browse in the Add user or group dialog box. If this occurs, add the Exchange Domain Servers group, and then run the setup /domainprep command again. This process makes the addition of the Exchange Enterprise Servers group by the setup /domainprep command persist across all domain controllers.


MORE INFORMATION

Before you make policy changes on a domain controller, confirm that FRS replication has copied the necessary policy to that domain controller. Use Policytest so that you do not have to manually check every domain controller in a large domain. Policytest connects to every domain controller in the domain, and then verifies that the Exchange Enterprise Servers group has the rights to manage the security and auditing log, either directly or through inheritance. You must have domain administrator rights to run Policytest successfully.
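
In a large domain, the Policytest output can be summarized so that only the domain controllers still lacking the right are listed. The following is an added example, not part of the original article or of Policytest itself: it assumes the per-DC block shown above repeats once for each domain controller, and the names DC1 to DC3 and the sample text are constructed.

```python
import re

REQUIRED_RIGHT = "SeSecurityPrivilege"  # "Manage auditing and security log"

# Constructed sample in the layout the article shows; the repeated per-DC
# blocks and the names DC1..DC3 are assumptions, not captured output.
SAMPLE = r'''
================================================
Local domain is "example.com" (EXAMPLE)
Account is "EXAMPLE\Exchange Enterprise Servers"
========================
  DC      = "DC1"
  In site = "Default-First-Site-Name"
  Right found:  "SeSecurityPrivilege"
========================
  DC      = "DC2"
  In site = "Default-First-Site-Name"
  !!! Right NOT found !!!
========================
  DC      = "DC3"
  In site = "Branch-Site"
'''

DC_RE = re.compile(r'^\s*DC\s*=\s*"([^"]*)"')
SITE_RE = re.compile(r'^\s*In site\s*=\s*"([^"]*)"')
FOUND_RE = re.compile(r'Right found:\s*"([^"]*)"')

def parse_policytest(text):
    """Return one record per DC: name, site, and ok / missing / unknown."""
    records, cur = [], None
    for line in text.splitlines():
        m = DC_RE.match(line)
        if m:
            cur = {"dc": m.group(1), "site": None, "status": "unknown"}
            records.append(cur)
        elif cur is None:
            continue  # header lines before the first DC block
        elif (m := SITE_RE.match(line)):
            cur["site"] = m.group(1)
        elif (m := FOUND_RE.search(line)):
            if m.group(1) == REQUIRED_RIGHT:
                cur["status"] = "ok"
        elif "Right NOT found" in line:
            cur["status"] = "missing"
    return records

def dcs_needing_attention(text):
    """DCs to fix before restarting Exchange; 'unknown' fails closed."""
    return [(r["dc"], r["status"]) for r in parse_policytest(text)
            if r["status"] != "ok"]
```

A domain controller with no result line (for example, because the output was cut off) is reported as "unknown" rather than assumed to be correct.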

For additional information about the Windows 2000 Security Rollup Package 1 (SRP1), January 2002, click the article number below to view the article in the Microsoft Knowledge Base:

311401 Windows 2000 Security Rollup Package 1 (SRP1), January 2002


Keywords: kbenv kberrmsg kbprb KB328646