Microsoft KB Archive/896703

From BetaArchive Wiki
Knowledge Base


Issues that may occur when the "Manage auditing and security log" permission is removed from the Exchange Enterprise Servers group in Exchange 2000 Server

Article ID: 896703

Article Last Modified on 10/25/2007



APPLIES TO

  • Microsoft Exchange 2000 Server Standard Edition
  • Microsoft Exchange Server 2003 Enterprise Edition
  • Microsoft Exchange Server 2003 Standard Edition



SYMPTOMS

When the "Manage auditing and security log" permission (the SeSecurityPrivilege user right) is removed from the Exchange Enterprise Servers group on one or more domain controllers in a domain that contains Microsoft Exchange 2000 Server or Microsoft Exchange Server 2003 computers, one or more of the following issues may occur:

  • One or more Exchange Server-related services may not start.

    If you try to mount the mailbox store or the public folder store, you may receive the following error message:

    The store could not be mounted because the Active Directory information was not replicated yet.

    If you click either Retry or Cancel, you receive the following error message:

    The Microsoft Exchange Information Store service could not find the specified object. ID no:c1041722

    Additionally, one or more of the following events are logged in the Application log:

    Event Type: Error
    Event Source: MSExchangeIS
    Event Category: General
    Event ID: 9518
    Description: Error 0x80004005 starting Storage Group /DC=local/DC=root/CN=Configuration/CN=Services/CN=Microsoft Exchange/CN=Root/CN=Administrative Groups/CN=PureExchange2003/CN=Servers/CN=EX1/CN=InformationStore/CN=First Storage Group on the Microsoft Exchange Information Store. MDB failed to start.

    Event Type: Error
    Event Source: MSExchangeIS
    Event Category: (6)
    Event ID: 9519
    Description: Error 0x80004005 starting database "First Storage Group\Mailbox Store(<Server>)" on the Microsoft Exchange Information Store. Failed to configure MDB.

    Event Type: Error
    Event Source: MSExchangeFBPublish
    Event Category: (1)
    Event ID: 8197
    Description: Error initializing session for virtual machine DCMAIL. The error number is 0x8004011d. Make sure Microsoft Exchange Store is running.

    Event Type: Error
    Event Source: MSExchangeSA
    Event Category: (14)
    Event ID: 9175
    Description: The MAPI call 'OpenMsgStore' failed with the following error: The Microsoft Exchange Server computer is not available. Either there are network problems or the Microsoft Exchange Server computer is down for maintenance. The MAPI provider failed. Microsoft Exchange Server Information Store ID no: 8004011d-0526-00000000

    Event Type: Error
    Event Source: MSExchangeSA
    Event Category: (2)
    Event ID: 1005
    Description: Unexpected error <<0xc1050000 - The Microsoft Exchange Server computer is not available. Either there are network problems or the Microsoft Exchange Server computer is down for maintenance. The MAPI provider failed. Microsoft Exchange Server Information Store ID no: 8004011d-0526-00000000>>

    Event Type: Error
    Event Source: MSExchangeDSAccess
    Event Category: (3)
    Event ID: 2102
    Description: Process MAD.EXE (PID=1088). All Domain Controller Servers in use are not responding:
    dc1.example.com
    dc2.example.com
    dc3.example.com

    Event Type: Error
    Event Source: MSExchangeSA
    Event Category: (1)
    Event ID: 9004
    Description: The Metabase Update service failed to start, error '80040a01'.

    Event Type: Error
    Event Source: MSExchangeMU
    Event Category: (1)
    Event ID: 1002
    Description: Metabase Update agent failed to start. Error code is 80040a01.

    Event Type: Error
    Event Source: MSExchangeMU
    Event Category: General
    Event ID: 1029
    Description: Failed to replicate the security descriptor to the metabase. Users may not be able to read or write data to the metabase. Error code is 8000500d.

    Event Type: Error
    Event Source: MSExchangeSA
    Event Category: RFR Interface
    Event ID: 9074
    Description: The Directory Service Referral interface failed to service a client request. RFRI is returning the error code:[0x3f0].

    Event Type: Error
    Event Source: MSExchangeIS
    Event Category: General
    Event ID: 1121
    Description: Error 0x80004005 connecting to the Microsoft Active Directory.

    Event Type: Error
    Event Source: MSExchangeMTA
    Event Category: Configuration
    Event ID: 125
    Description: A fatal error occurred reading a value from the directory. No MTA name was found. Contact Microsoft Technical Support. [MTA MAIN BASE 1 12] (16)

    Event Type: Error
    Event Source: MSExchangeDSAccess
    Event Category: (3)
    Event ID: 2103
    Description: Process MAD.EXE (PID=1588). All Global Catalog Servers in use are not responding:
    DomainController1.domain.com
    DomainController2.domain.com

    Event Type: Error
    Event Source: MSExchangeIS
    Event Category: (6)
    Event ID: 5000
    Description: Unable to initialize Microsoft Exchange Information Store service. Error 0x80004005.

    Event Type: Error
    Event Source: MSExchangeSA
    Event Category: (2)
    Event ID: 9098
    Description: The MAD monitoring thread was unable to read its configuration from the DS, error '0x80041001'.

  • After you apply the Windows 2000 Security Rollup Package 1 (SRP1) that is dated January 2002 to a server that is running Exchange Server, the Exchange System Attendant service does not start. Additionally, the following event is logged in the Application log:

    Event Type: Information
    Event Source: MSExchangeSA
    Event Category: General
    Event ID: 1004
    Description: Microsoft Exchange System Attendant failed to start.

    Note Other events may also be logged in the Application log. For more information about the Windows 2000 Security Rollup Package 1 that is dated January 2002, click the following article number to view the article in the Microsoft Knowledge Base:

    311401 Windows 2000 Security Rollup Package 1, January 2002

  • You may receive the following results after you run the Policytest utility (Policytest.exe):

    Local domain is "example.com" (example)
    Account is "EXAMPLE\Exchange Enterprise Servers"
    
      DC      = "<ComputerName>"
      In site = "<Default-First-Site-Name>"
      !!! Right NOT found !!!

    Policytest.exe determines whether the "Manage auditing and security log" permission for the Exchange Enterprise Servers group is missing from a domain controller. Policytest.exe is located in the Support\Utils\I386 folder on the Exchange 2000 Server CD, or in the Support\ExDeploy folder on the Exchange Server 2003 CD.

  • After you run the setup /domainprep command from the Exchange Server CD or from a network installation point, the permissions may not persist. You may have to run the setup /domainprep command again to restore the default permissions of the Exchange Enterprise Servers group in the domain.


CAUSE

This issue may occur if the "Manage auditing and security log" permission (SeSecurityPrivilege) is removed from the Exchange Enterprise Servers group on some or all domain controllers. The Exchange Enterprise Servers group must have this permission on every domain controller in the domain. The Exchange services run as LocalSystem and authenticate to domain controllers as the Exchange server's computer account, which is a member of Exchange Enterprise Servers through the Exchange Domain Servers group. When they start, the services read the complete security descriptor of Exchange objects in Active Directory, including the system access control list (SACL), and a domain controller returns the SACL only to a caller that holds SeSecurityPrivilege on that domain controller. Because DSAccess may select any available domain controller, a single domain controller that lacks the grant is enough to produce the symptoms.

The grant is typically lost when a security template or another Group Policy object redefines the "Manage auditing and security log" user right. User rights assignments in Group Policy are not merged: the Group Policy object that is applied last replaces the entire list of holders, so a hardening baseline that lists only Administrators silently removes Exchange Enterprise Servers. The right is also a sensitive one (its holders can read and modify SACLs and manage the Security event log), so restore it to the Exchange Enterprise Servers group only, not to a broader group.

RESOLUTION

To resolve this issue, follow these steps:

  1. Use Policytest.exe to troubleshoot permissions issues. Policytest.exe is located in the Support\Utils\I386 folder on the Exchange 2000 Server CD, or in the Support\ExDeploy folder on the Exchange Server 2003 CD. Use Policytest.exe to determine whether the "Manage auditing and security log" permission for the Exchange Enterprise Servers group is missing from a domain controller. A successful result returns information that is similar to the following:

    Local domain is "<example.com>" (example)
    Account is "EXAMPLE\Exchange Enterprise Servers"
    
      DC      = "<ComputerName>"
      In site = "<Default-First-Site-Name>"
      Right found:  "SeSecurityPrivilege"

    Note A successful result shows that the "Manage auditing and security log" permission exists. You must have domain administrator rights to run Policytest.exe. For more information about the Policytest.exe utility, click the following article number to view the article in the Microsoft Knowledge Base:

    281537 Description of the Policytest.exe utility

  2. Reset the default permissions of the Exchange Enterprise Servers group at the domain level. To do this, follow these steps:
    1. Run the setup /domainprep command from the Exchange Server CD or from a network installation point. The setup /domainprep command creates the Exchange Enterprise Servers group in the domain if it does not already exist and grants the group its default permissions, which include the "Manage auditing and security log" right in the Default Domain Controllers Policy. When you run the setup /domainprep command, the permissions are written to one domain controller immediately. Then, the change replicates to the other domain controllers.
    2. Restore permissions inheritance to other organizational units. Then, wait for the domain controllers to replicate the changes throughout the domain.
    3. Run Policytest.exe. Note which domain controllers return the following successful result:

      Right found: "SeSecurityPrivilege"

      If all domain controllers have the correct permissions, restart the Exchange Server services. If no domain controllers have the correct permissions, go to step 3.
  3. Verify the default domain controllers policy. To do this, follow these steps:
    1. Start the Active Directory Users and Computers snap-in.
    2. Right-click the Domain Controllers container, and then click Properties.
    3. Click the Group Policy tab, and then make sure that Default Domain Controllers Policy is listed in the Group Policy Object Links box.

      Note If Default Domain Controllers Policy is not listed, click Add, click Default Domain Controllers Policy, and then click OK. Then, wait for this change to replicate to all other domain controllers.
    4. Run the setup /domainprep command from the Exchange Server CD or from a network installation point. The setup /domainprep command creates the Exchange Enterprise Servers group if it does not already exist and grants the group its default permissions.
    5. Run Policytest.exe. Note which domain controllers return the following successful result:

      Right found: "SeSecurityPrivilege"

      If all domain controllers have the correct permissions, restart the Exchange Server services. If some domain controllers do not have the correct permissions, go to step 4.
  4. Manually add permissions to the domain controller. The File Replication service (FRS) may not replicate the updated security policy to one or more domain controllers after you run the setup /domainprep command. If this problem occurs, you must manually assign the correct permissions to the Exchange Enterprise Servers group. If some domain controllers or all domain controllers do not have the correct permissions, assign the "Manage auditing and security log" permission to the Exchange Enterprise Servers group. Then, wait for the setting to replicate to the other domain controllers. To do this, follow these steps:
    1. Start the Active Directory Users and Computers snap-in.
    2. Right-click the Domain Controllers container, and then click Properties.
    3. Click the Group Policy tab, click Default Domain Controllers Policy in the Group Policy Object Links box, and then click Edit.
    4. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click User Rights Assignment.
    5. In the right pane, double-click Manage auditing and security log, click Add, click Browse, and then add the Exchange Enterprise Servers group.
    6. In the Add user or group dialog box, click OK. Then, click OK.
    7. Quit the Group Policy snap-in, and then click OK in the Domain Controllers Properties dialog box.

      Note Sometimes, the Exchange Enterprise Servers group may not be visible when you click Browse in the Add user or group dialog box. If this behavior occurs, add the Exchange Domain Servers group. Then, run the setup /domainprep command again. This process makes the addition of the Exchange Enterprise Servers group persist across all domain controllers.


MORE INFORMATION

Before you make policy changes on a domain controller, confirm that FRS replication copied the required policy to that domain controller. Use Policytest.exe so that you do not have to manually check every domain controller in a large domain.

Policytest.exe connects to every domain controller in the domain. Then, Policytest.exe verifies that the Exchange Enterprise Servers group has the "Manage auditing and security log" permission, either directly or through inheritance. You must have domain administrator rights to run Policytest.exe.
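The following PowerShell script is an added example and is not part of the original article or of the Exchange product. It automates the replication check described above and the decision between steps 2, 3 and 4 of the RESOLUTION section: it reads each domain controller's own SYSVOL replica of the Default Domain Controllers Policy and reports whether that replica grants SeSecurityPrivilege to Exchange Enterprise Servers. It assumes a domain-joined machine, domain administrator rights, the group name used in this article and the well-known GUID of the Default Domain Controllers Policy; it uses only .NET and SMB, so it also works against Windows 2000 and Windows Server 2003 domain controllers. It checks the replicated policy file, not the right in effect on the domain controller, so Policytest.exe (or secedit /export run on the domain controller itself) remains the check that the right has actually been applied.

```powershell
# Added example (not from the KB article). Reads every domain controller's own SYSVOL copy of the
# Default Domain Controllers Policy and reports whether it grants the "Manage auditing and
# security log" right (SeSecurityPrivilege) to Exchange Enterprise Servers. Requires only .NET and
# SMB access to each DC's SYSVOL share; run it as a domain administrator on a domain-joined machine.
# Assumptions: the group is named "Exchange Enterprise Servers" (as in the article) and the Default
# Domain Controllers Policy has its well-known GUID {6AC1786C-016F-11D2-945F-00C04fB984F9}.

function Get-PrivilegeHolders {
    # Return the SIDs granted a user right in a secedit-style INF. The [Privilege Rights] section
    # stores them as "SeSecurityPrivilege = *S-1-5-32-544,*S-1-5-21-...-1106"; the leading * marks a SID.
    param([string[]]$InfLines, [string]$Privilege)
    $line = $InfLines | Where-Object { $_ -match "^\s*$Privilege\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    ($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } |
        Where-Object { $_ }
}

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# Resolve the group to its SID once; the INF lists SIDs, not names. Resolution uses the
# machine's own domain, so run this from a computer joined to the Exchange domain.
$account  = New-Object System.Security.Principal.NTAccount('Exchange Enterprise Servers')
$groupSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

$gpoRelPath = 'Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'

$results = @(foreach ($dc in $domain.DomainControllers) {
    # Each DC's SYSVOL share exposes its own replica of the policy, so reading \\dc\SYSVOL shows
    # whether FRS has delivered the change written by setup /domainprep to that DC.
    $inf = "\\$($dc.Name)\SYSVOL\$($domain.Name)\$gpoRelPath"
    try {
        $holders = Get-PrivilegeHolders -InfLines (Get-Content -LiteralPath $inf -ErrorAction Stop) -Privilege 'SeSecurityPrivilege'
        # Direct SID match only; Policytest.exe also resolves nested group membership.
        if ($holders -contains $groupSid) { $status = 'Right found' } else { $status = 'Right NOT found' }
    } catch {
        $status = "Unreadable: $($_.Exception.Message)"
    }
    New-Object PSObject -Property @{ DC = $dc.Name; Site = $dc.SiteName; Status = $status }
})

$results | Format-Table DC, Site, Status -AutoSize

# Map the outcome onto the RESOLUTION steps.
$bad = @($results | Where-Object { $_.Status -ne 'Right found' })
if ($bad.Count -eq 0) {
    'Every DC holds a replicated policy with the grant. If Policytest.exe still reports the right missing on a DC, that DC has not applied the policy yet: run "secedit /refreshpolicy machine_policy /enforce" (Windows 2000) or "gpupdate /force" (Windows Server 2003) on it, then restart the Exchange services.'
} elseif ($bad.Count -eq $results.Count) {
    'No DC has the grant in its policy copy: verify the Default Domain Controllers Policy link and rerun setup /domainprep (steps 2 and 3).'
} else {
    "FRS has not replicated the updated policy to: $(($bad | ForEach-Object { $_.DC }) -join ', '). Repair replication or add the right manually (step 4)."
}
```

Run the script as a domain administrator. A domain controller that shows "Right found" here but "Right NOT found" in Policytest.exe has received the policy file but has not yet applied it, which a policy refresh on that domain controller resolves; a domain controller that shows "Unreadable" has a SYSVOL share or replication problem that must be fixed before any permission change will reach it. Because the check matches the group's SID directly, it does not detect the grant being present only through a group that contains Exchange Enterprise Servers, which Policytest.exe does resolve.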


Additional query words: XADM

Keywords: kbexchesm kbprb KB896703