Issues that may occur when the "Manage auditing and security log" permission is removed from the Exchange Enterprise Servers group in Exchange 2000 Server (896703)
The information in this article applies to:
- Microsoft Exchange 2000 Server
SYMPTOMS
When the "Manage auditing and security log" permission (SeSecurityPrivilege) is removed from the Exchange Enterprise Servers group in Microsoft Exchange 2000 Server, one or more of the following issues may occur:
- One or more Exchange 2000 Server-related services may not start.
- If you try to mount the mailbox store or the public folder store, you may receive the following error message:
The store could not be mounted because the Active Directory information was not replicated yet.
If you click either Retry or Cancel, you receive the following error message:
The Microsoft Exchange Information Store service could not find the specified object. ID no:c1041722
Additionally, one or more of the following events are logged in the Application log:

Event Type: Error
Event Source: MSExchangeIS
Event Category: (6)
Event ID: 9519
Description: Error 0x80004005 starting database "First Storage Group\Mailbox Store(<Server>)" on the Microsoft Exchange Information Store. Failed to configure MDB.

Event Type: Error
Event Source: MSExchangeFBPublish
Event Category: (1)
Event ID: 8197
Description: Error initializing session for virtual machine DCMAIL. The error number is 0x8004011d. Make sure Microsoft Exchange Store is running.

Event Type: Error
Event Source: MSExchangeSA
Event Category: (14)
Event ID: 9175
Description: The MAPI call 'OpenMsgStore' failed with the following error: The Microsoft Exchange Server computer is not available. Either there are network problems or the Microsoft Exchange Server computer is down for maintenance. The MAPI provider failed. Microsoft Exchange Server Information Store ID no: 8004011d-0526-00000000

Event Type: Error
Event Source: MSExchangeSA
Event Category: (2)
Event ID: 1005
Description: Unexpected error <<0xc1050000 - The Microsoft Exchange Server computer is not available. Either there are network problems or the Microsoft Exchange Server computer is down for maintenance. The MAPI provider failed. Microsoft Exchange Server Information Store ID no: 8004011d-0526-00000000>>

Event Type: Error
Event Source: MSExchangeDSAccess
Event Category: (3)
Event ID: 2102
Description: Process MAD.EXE (PID=1088). All Domain Controller Servers in use are not responding: dc1.example.com dc2.example.com dc3.example.com

Event Type: Error
Event Source: MSExchangeSA
Event Category: (1)
Event ID: 9004
Description: The Metabase Update service failed to start, error '80040a01'.

Event Type: Error
Event Source: MSExchangeMU
Event Category: (1)
Event ID: 1002
Description: Metabase Update agent failed to start. Error code is 80040a01.

Event Type: Error
Event Source: MSExchangeMU
Event Category: General
Event ID: 1029
Description: Failed to replicate the security descriptor to the metabase. Users may not be able to read or write data to the metabase. Error code is 8000500d.

Event Type: Error
Event Source: MSExchangeSA
Event Category: RFR Interface
Event ID: 9074
Description: The Directory Service Referral interface failed to service a client request. RFRI is returning the error code:[0x3f0].

Event Type: Error
Event Source: MSExchangeIS
Event Category: General
Event ID: 1121
Description: Error 0x80004005 connecting to the Microsoft Active Directory.

Event Type: Error
Event Source: MSExchangeMTA
Event Category: Configuration
Event ID: 125
Description: A fatal error occurred reading a value from the directory. No MTA name was found. Contact Microsoft Technical Support. [MTA MAIN BASE 1 12] (16)

Event Type: Error
Event Source: MSExchangeDSAccess
Event Category: (3)
Event ID: 2103
Description: Process MAD.EXE (PID=1588). All Global Catalog Servers in use are not responding: DomainController1.domain.com DomainController2.domain.com

Event Type: Error
Event Source: MSExchangeIS
Event Category: (6)
Event ID: 5000
Description: Unable to initialize Microsoft Exchange Information Store service. Error 0x80004005.

Event Type: Error
Event Source: MSExchangeSA
Event Category: (2)
Event ID: 9098
Description: The MAD monitoring thread was unable to read its configuration from the DS, error '0x80041001'.

- After you apply the Windows 2000 Security Rollup Package 1 (SRP1) that is dated January 2002 to a server that is running Exchange 2000 Server, the Exchange System Attendant service does not start. Additionally, the following event is logged in the Application log:

Event Type: Information
Event Source: MSExchangeSA
Event Category: General
Event ID: 1004
Description: Microsoft Exchange System Attendant failed to start.

Note Other events may also be logged in the Application log.
For more information about the Windows 2000 Security Rollup Package 1 that is dated January 2002, click the following article number to view the article in the Microsoft Knowledge Base:
311401
Windows 2000 Security Rollup Package 1 (SRP1), January 2002
- You may receive the following results after you run the Policytest
utility (Policytest.exe):
Local domain is "example.com" (example)
Account is "EXAMPLE\Exchange Enterprise Servers"
DC = "<ComputerName>"
In site = "<Default-First-Site-Name>"
!!! Right NOT found !!!
Policytest.exe determines whether the "Manage auditing and security log" permission for the Exchange Enterprise Servers group is missing from a domain controller. Policytest.exe is located in the Support\Utils\I386 folder on the Exchange 2000 Server CD.
- After you run the setup /domainprep command from the Exchange 2000 Server CD or from a network installation point, the permissions may not persist. You may have to run the setup /domainprep command again to add the Exchange Enterprise Servers group to the domain that has default permissions.
CAUSE
This issue may occur if the "Manage auditing and security log" permission (SeSecurityPrivilege) is removed from the Exchange Enterprise Servers group on some domain controllers or on all domain controllers. The Exchange Enterprise Servers group must have the "Manage auditing and security log" permission on all domain controllers in the domain.
RESOLUTION
To resolve this issue, follow these steps:
1. Use Policytest.exe to troubleshoot permissions issues. Policytest.exe is located in the Support\Utils\I386 folder on the Exchange 2000 Server CD. Use Policytest.exe to determine whether the "Manage auditing and security log" permission for the Exchange Enterprise Servers group is missing from a domain controller. A successful result returns information that is similar to the following:
Local domain is "<example.com>" (example)
Account is "EXAMPLE\Exchange Enterprise Servers"
DC = "<ComputerName>"
In site = "<Default-First-Site-Name>"
Right found: "SeSecurityPrivilege"
Note A successful result shows that the "Manage auditing and
security log" permission exists. You must have domain administrator rights to
run Policytest.exe.
For more information about the Policytest.exe utility, click the following article number to view the article in the Microsoft Knowledge Base:
281537
Description of the Policytest.exe utility
2. Reset the Exchange Enterprise Servers default permissions at the domain level. To do this, follow these steps:
   - Run the setup /domainprep command from the Exchange 2000 Server CD or from a network installation point. The setup /domainprep command adds the Exchange Enterprise Servers group to the domain that has default permissions. When you run the setup /domainprep command, the permissions are immediately added to one domain controller. Then, the change replicates to the other domain controllers.
   - Restore permissions inheritance to other organizational units. Then, wait for the domain controllers to replicate the changes throughout the domain.
   - Run Policytest.exe. Note which domain controllers return the following successful result:
     Right found: "SeSecurityPrivilege"
     If all domain controllers have the correct permissions, restart the Exchange Server services. If no domain controllers have the correct permissions, go to step 3.
3. Verify the default domain controllers policy. To do this, follow these steps:
   - Start the Active Directory Users and Computers snap-in.
   - Right-click the Domain Controllers container, and then click Properties.
   - Click the Group Policy tab, and then make sure that Default Domain Controllers Policy is listed in the Group Policy Object Links box.
     Note If Default Domain Controllers Policy is not listed, click Add, click Default Domain Controllers Policy, and then click OK. Then, wait for this change to replicate to all other domain controllers.
   - Run the setup /domainprep command from the Exchange 2000 Server CD or from a network installation point. The setup /domainprep command adds the Exchange Enterprise Servers group to the domain that has default permissions.
   - Run Policytest.exe. Note which domain controllers return the following successful result:
     Right found: "SeSecurityPrivilege"
     If all domain controllers have the correct permissions, restart the Exchange Server services. If some domain controllers do not have the correct permissions, go to step 4.
4. Manually add permissions to the domain controller. The File Replication service (FRS) may not replicate the updated security policy to one or more domain controllers after you run the setup /domainprep command. If this problem occurs, you must manually assign the correct permissions to the Exchange Enterprise Servers group. If some domain controllers or all domain controllers do not have the correct permissions, assign the "Manage auditing and security log" permission to the Exchange Enterprise Servers group. Then, wait for the setting to replicate to the other domain controllers. To do this, follow these steps:
   - Start the Active Directory Users and Computers snap-in.
   - Right-click the Domain Controllers container, and then click Properties.
   - Click the Group Policy tab, click Default Domain Controllers Policy in the Group Policy Object Links box, and then click Edit.
   - Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click User Rights Assignment.
   - In the right pane, double-click Manage auditing and security log, click Add, click Browse, and then add the Exchange Enterprise Servers group.
   - In the Add user or group dialog box, click OK. Then, click OK.
   - Quit the Group Policy snap-in, and then click OK in the Domain Controllers Properties dialog box.
   Note Sometimes, the Exchange Enterprise Servers group may not be visible when you click Browse in the Add user or group dialog box. If this behavior occurs, add the Exchange Domain Servers group. Then, run the setup /domainprep command again. This process makes the addition of the Exchange Enterprise Servers group persist across all domain controllers.
MORE INFORMATION
Before you make policy changes on a domain controller, confirm that FRS replication copied the required policy to that domain controller. Use Policytest.exe so that you do not have to manually check every domain controller in a large domain. Policytest.exe connects to every domain controller in the domain. Then, Policytest.exe verifies that the Exchange Enterprise Servers group has the "Manage auditing and security log" permission, either directly or through inheritance. You must have domain administrator rights to run Policytest.exe.
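Added example (not part of the original article and not code from Policytest.exe): a Python parser that triages captured Policytest.exe output and lists the domain controllers that did not report SeSecurityPrivilege. The sample output is constructed; the repetition of the DC / In site / result lines once per domain controller and the mapping of results onto steps 3 and 4 are assumptions.

```python
import re

# Constructed sample of captured Policytest.exe output. Repeating the
# DC / In site / result lines once per domain controller is an assumption.
SAMPLE = '''\
Local domain is "example.com" (example)
Account is "EXAMPLE\\Exchange Enterprise Servers"
DC = "DC1"
In site = "Default-First-Site-Name"
Right found: "SeSecurityPrivilege"
DC = "DC2"
In site = "Default-First-Site-Name"
!!! Right NOT found !!!
DC = "DC3"
'''

DC_RE = re.compile(r'^\s*DC\s*=\s*"([^"]*)"')
SITE_RE = re.compile(r'^\s*In site\s*=\s*"([^"]*)"')
FOUND_RE = re.compile(r'^\s*Right found:\s*"([^"]*)"')

def parse_policytest(text):
    """Return one record per domain controller block in the output."""
    records, cur = [], None
    for line in text.splitlines():
        if m := DC_RE.match(line):
            cur = {"dc": m.group(1), "site": None, "rights": set()}
            records.append(cur)
        elif cur is None:
            continue  # header lines before the first DC block
        elif m := SITE_RE.match(line):
            cur["site"] = m.group(1)
        elif m := FOUND_RE.match(line):
            cur["rights"].add(m.group(1))
    return records

def dcs_missing_right(text, right="SeSecurityPrivilege"):
    """DCs that did not report the right: 'NOT found' or no result line."""
    return [r["dc"] for r in parse_policytest(text) if right not in r["rights"]]

def next_action(text):
    """Map the result onto the article's resolution steps (simplified)."""
    total, bad = len(parse_policytest(text)), dcs_missing_right(text)
    if total == 0:
        return "no results parsed"
    if not bad:
        return "restart the Exchange services"
    if len(bad) == total:
        return "step 3: verify Default Domain Controllers Policy"
    return "step 4: assign the right manually on: " + ", ".join(bad)
```

A domain controller block with no result line at all (DC3 in the sample) is counted as missing the right, so an unreachable or partially reported controller is not silently treated as healthy.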
Modification Type: Major
Last Reviewed: 7/6/2005
Keywords: kbexchESM kbprb KB896703 kbAudDeveloper