Issues that may occur when the "Manage auditing and security log" permission is removed from the Exchange Enterprise Servers group in Exchange 2000 Server

Article translations Article translations
Article ID: 896703 - View products that this article applies to.
Expand all | Collapse all

SYMPTOMS

When the "Manage auditing and security log" permission (SeSecurityPrivilege) is removed from the Exchange Enterprise Servers group on one or more domain controllers in Microsoft Exchange 2000 Server or in Microsoft Exchange Server 2003, one or more of the following issues may occur:
  • One or more Exchange Server-related services may not start.

    If you try to mount the mailbox store or the public folder store, you may receive the following error message:
    The store could not be mounted because the Active Directory information was not replicated yet.
    If you click either Retry or Cancel, you receive the following error message:
    The Microsoft Exchange Information Store service could not find the specified object. ID no:c1041722
    Additionally, one or more of the following events are logged in the Application log:

    Event Type: Error
    Event Source: MSExchangeIS
    Event Category: General
    Event ID: 9518
    Description: Error 0x80004005 starting Storage Group /DC=local/DC=root/CN=Configuration/CN=Services/CN=Microsoft Exchange/CN=Root/CN=Administrative Groups/CN=PureExchange2003/CN=Servers/CN=EX1/CN=InformationStore/CN=First Storage Group on the Microsoft Exchange Information Store. MDB failed to start.

    Event Type: Error
    Event Source: MSExchangeIS Event Category: (6)
    Event ID: 9519
    Description: Error 0x80004005 starting database "First Storage Group\Mailbox Store(<Server>)" on the Microsoft Exchange Information Store. Failed to configure MDB.

    Event Type: Error
    Event Source: MSExchangeFBPublish
    Event Category: (1)
    Event ID: 8197
    Description: Error initializing session for virtual machine DCMAIL. The error number is 0x8004011d. Make sure Microsoft Exchange Store is running.

    Event Type: Error
    Event Source: MSExchangeSA
    Event Category: (14)
    Event ID: 9175
    Description: The MAPI call 'OpenMsgStore' failed with the following error: The Microsoft Exchange Server computer is not available. Either there are network problems or the Microsoft Exchange Server computer is down for maintenance. The MAPI provider failed. Microsoft Exchange Server Information Store ID no: 8004011d-0526-00000000

    Event Type: Error
    Event Source: MSExchangeSA
    Event Category: (2)
    Event ID: 1005
    Description: Unexpected error <<0xc1050000 - The Microsoft Exchange Server computer is not available. Either there are network problems or the Microsoft Exchange Server computer is down for maintenance. The MAPI provider failed. Microsoft Exchange Server Information Store ID no: 8004011d-0526-00000000>>

    Event Type: Error
    Event Source: MSExchangeDSAccess
    Event Category: (3)
    Event ID: 2102
    Description: Process MAD.EXE (PID=1088). All Domain Controller Servers in use are not responding:
    dc1.example.com
    dc2.example.com
    dc3.example.com

    Event Type: Error
    Event Source: MSExchangeSA
    Event Category: (1)
    Event ID: 9004
    Description: The Metabase Update service failed to start, error '80040a01'.

    Event Type: Error
    Event Source: MSExchangeMU
    Event Category: (1)
    Event ID: 1002
    Description: Metabase Update agent failed to start. Error code is 80040a01.

    Event Type: Error
    Event Source: MSExchangeMU
    Event Category: General
    Event ID: 1029
    Description: Failed to replicate the security descriptor to the metabase. Users may not be able to read or write data to the metabase. Error code is 8000500d.

    Event Type: Error
    Event Source: MSExchangeSA
    Event Category: RFR Interface
    Event ID: 9074
    Description: The Directory Service Referral interface failed to service a client request. RFRI is returning the error code:[0x3f0].

    Event Type: Error
    Event Source: MSExchangeIS
    Event Category: General
    Event ID: 1121
    Description: Error 0x80004005 connecting to the Microsoft Active Directory.

    Event Type: Error Event Source: MSExchangeMTA Event Category: Configuration Event ID: 125 Description: A fatal error occurred reading a value from the directory. No MTA name was found. Contact Microsoft Technical Support. [MTA MAIN BASE 1 12] (16)

    Event Type: Error
    Event Source: MSExchangeDSAccess
    Event Category: (3)
    Event ID: 2103
    Description: Process MAD.EXE (PID=1588). All Global Catalog Servers in use are not responding:
    DomainController1.domain.com
    DomainController2.domain.com

    Event Type: Error
    Event Source: MSExchangeIS
    Event Category: (6)
    Event ID: 5000
    Description: Unable to initialize Microsoft Exchange Information Store service. Error 0x80004005.

    Event Type: Error
    Event Source: MSExchangeSA
    Event Category: (2)
    Event ID: 9098
    Description: The MAD monitoring thread was unable to read its configuration from the DS, error '0x80041001'.

  • After you apply the Windows 2000 Security Rollup Package 1 (SRP1) that is dated January 2002 to a server that is running Exchange Server, the Exchange System Attendant service does not start. Additionally, the following event is logged in the Application log:

    Event Type: Information
    Event Source: MSExchangeSA
    Event Category: General
    Event ID: 1004
    Description: Microsoft Exchange System Attendant failed to start.

    Note Other events may also be logged in the Application log. For more information about the Windows 2000 Security Rollup Package 1 that is dated January 2002, click the following article number to view the article in the Microsoft Knowledge Base:
    311401 Windows 2000 Security Rollup Package 1, January 2002
  • You may receive the following results after you run the Policytest utility (Policytest.exe):
    Local domain is "example.com" (example)
    Account is "EXAMPLE\Exchange Enterprise Servers"
    
      DC      = "<ComputerName>"
      In site = "<Default-First-Site-Name>"
      !!! Right NOT found !!!
    
    Policytest.exe determines whether the "Manage auditing and security log" permission for the Exchange Enterprise Servers group is missing from a domain controller. Policytest.exe is located in the Support\Utils\I386 folder on the Exchange 2000 Server CD, or in the Support\ExDeploy folder on the Exchange Server 2003 CD.
  • After you run the setup /domainprep command from the Exchange Server CD or from a network installation point, the permissions may not persist. You may have to run the setup /domainprep command again to add the Exchange Enterprise Servers group to the domain that has default permissions.

CAUSE

This issue may occur if the "Manage auditing and security log" permission (SeSecurityPrivilege) is removed from the Exchange Enterprise Servers group on some domain controllers or on all domain controllers. The Exchange Enterprise Servers group must have the "Manage auditing and security log" permission on all domain controllers in the domain.

RESOLUTION

To resolve this issue, follow these steps:
  1. Use Policytest.exe to troubleshoot permissions issues. Policytest.exe is located in the Support\Utils\I386 folder on the Exchange 2000 Server CD, or in the Support\ExDeploy folder on the Exchange Server 2003 CD. Use Policytest.exe to determine whether the "Manage auditing and security log" permission for the Exchange Enterprise Servers group is missing from a domain controller. A successful result returns information that is similar to the following:
    Local domain is "<example.com>" (example)
    Account is "EXAMPLE\Exchange Enterprise Servers"
    
      DC      = "<ComputerName>"
      In site = "<Default-First-Site-Name>"
      Right found:  "SeSecurityPrivilege"
    
    Note A successful result shows that the "Manage auditing and security log" permission exists. You must have domain administrator rights to run Policytest.exe. For more information about the Policytest.exe utility, click the following article number to view the article in the Microsoft Knowledge Base:
    281537 Description of the Policytest.exe utility
  2. Reset the Exchange Enterprise Server default permissions at the domain level. To do this, follow these steps:
    1. Run the setup /domainprep command from the Exchange Server CD or from a network installation point. The setup /domainprep command adds the Exchange Enterprise Servers group to the domain that has default permissions. When you run the setup /domainprep command, the permissions are immediately added to one domain controller. Then, the change replicates to the other domain controllers.
    2. Restore permissions inheritance to other organizational units. Then, wait for the domain controllers to replicate the changes throughout the domain.
    3. Run Policytest.exe. Note which domain controllers return the following successful result:
      Right found: "SeSecurityPrivilege"
      If all domain controllers have the correct permissions, restart the Exchange Server services. If no domain controllers have the correct permissions, go to step 3.
  3. Verify the default domain controllers policy. To do this, follow these steps:
    1. Start the Active Directory Users and Computers snap-in.
    2. Right-click the Domain Controllers container, and then click Properties.
    3. Click the Group Policy tab, and then make sure that Default Domain Controllers Policy is listed in the Group Policy Object Links box.

      Note If Default Domain Controllers Policy is not listed, click Add, click Default Domain Controllers Policy, and then click OK. Then, wait for this change to replicate to all other domain controllers.
    4. Run the setup /domainprep command from the Exchange Server CD or from a network installation point. The setup /domainprep command adds the Exchange Enterprise Servers group to the domain that has default permissions.
    5. Run Policytest.exe. Note which domain controllers return the following successful result:
      Right found: "SeSecurityPrivilege"
      If all domain controllers have the correct permissions, restart the Exchange Server services. If some domain controllers do not have the correct permissions, go to step 4.
  4. Manually add permissions to the domain controller. The File Replication service (FRS) may not replicate the updated security policy to one or more domain controllers after you run the setup /domainprep command. If this problem occurs, you must manually assign the correct permissions to the Exchange Enterprise Servers group. If some domain controllers or all domain controllers do not have the correct permissions, assign the "Manage auditing and security log" permission to the Exchange Enterprise Servers group. Then, wait for the setting to replicate to the other domain controllers. To do this, follow these steps:
    1. Start the Active Directory Users and Computers snap-in.
    2. Right-click the Domain Controllers container, and then click Properties.
    3. Click the Group Policy tab, click Default Domain Controllers Policy in the Group Policy Object Links box, and then click Edit.
    4. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click User Rights Assignment.
    5. In the right pane, double-click Manage auditing and security log, click Add, click Browse, and then add the Exchange Enterprise Servers group.
    6. In the Add user or group dialog box, click OK. Then, click OK.
    7. Quit the Group Policy snap-in, and then click OK in the Domain Controllers Properties dialog box.

      Note Sometimes, the Exchange Enterprise Servers group may not be visible when you click Browse in the Add user or group dialog box. If this behavior occurs, add the Exchange Domain Servers group. Then, run the setup /domainprep command again. This process makes the addition of the Exchange Enterprise Servers group persist across all domain controllers.

MORE INFORMATION

Before you make policy changes on a domain controller, confirm that FRS replication copied the required policy to that domain controller. Use Policytest.exe so that you do not have to manually check every domain controller in a large domain.

Policytest.exe connects to every domain controller in the domain. Then, Policytest.exe verifies that the Exchange Enterprise Servers group has the "Manage auditing and security log" permission, either directly or through inheritance. You must have domain administrator rights to run Policytest.exe.

Properties

Article ID: 896703 - Last Review: October 25, 2007 - Revision: 1.3
APPLIES TO
  • Microsoft Exchange 2000 Server Standard Edition
  • Microsoft Exchange Server 2003 Enterprise Edition
  • Microsoft Exchange Server 2003 Standard Edition
Keywords: 
kbexchesm kbprb KB896703

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com