Exchange 2010 SP1 System Attendent Service is not starting
-
Monday, August 29, 2011 12:28 PM
Dear Team,
I am having SBS 2003 SP2 Server with Exchange Server 2003 SP2 & I am migration it to Windows Server 2008 R2 Domain Controller & Exchange Server 2010 SP1. I have configured 2008 R2 SP1 as a addition domain controller & Keep it ready.
I have run all the prerequisits & Installed Exchange 2010 SP1 Setup on another Windows Server 2008 R2 SP1 Server, where i was getting error as System Attendent Service is trying to start but its stop responding & Mailbox Server roles installation Cancled but HUB / CAS Installed successfully. I have modified Settings in ADSI Edit & rerun the setup & Mailbox Server is also installed.
But System Attendent Service is not starting & generating Event ID 9157 as
"Microsoft Exchange System Attendant does not have sufficient rights to read Exchange configuration objects in Active Directory. Wait for replication to complete and then check to make sure that the computer account is a member of the "Exchange Servers" and "Exchange Install Domain Servers" security groups."
Can you pls help me on this???
Regards,,,
Vishal
All Replies
-
Monday, August 29, 2011 12:43 PMModerator
Does it have the necessary permissions per that message?
What settings did you modify in adsiedit?
-
Monday, August 29, 2011 1:10 PM
Post the event id 2080 from application log.
Event ID 9157, it's a generic event, you can ignore it.
Gulab | MCITP: Exchange 2010-2007 | Lync Server 2010 | Windows Server 2008 | Skype: Exchange.Ranger | Blog: www.ExchangeRanger.Blogspot.com -
Monday, August 29, 2011 1:59 PM
Thanks Gulab,
Please find the event id 2080...
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1240). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
test.domain.local CDG 1 7 7 1 0 1 1 7 1
Out-of-site:
-
Monday, August 29, 2011 1:59 PM
Yes...Mail Server & Exchange Groups are having necessary permission, I checked all the permissions..
Regards,,,
Vishal
-
Monday, August 29, 2011 2:02 PM
Hi,
Replicate the domain controllers and run setup.com /preparead and proceed with installation.
Post the update.
Gulab | MCITP: Exchange 2010-2007 | Lync Server 2010 | Windows Server 2008 | Skype: Exchange.Ranger | Blog: www.ExchangeRanger.Blogspot.com -
Monday, August 29, 2011 2:07 PMI have already done with that...
-
Monday, August 29, 2011 2:13 PM@Gulab
Not much to replicate if theres only one DC/GC.
@Vishal
You never answered AndyD´s question "What settings did you modify in adsiedit?"
Martina Miskovic -
Monday, August 29, 2011 2:16 PM
I have given Permission to Mail Server as full Access into Configuration partition....bcos Installation was also not happening....& Yes we are having only one DC & GC, so not much to replicate.
Regards,,,
Vishal
-
Monday, August 29, 2011 2:20 PM
What was the error message you were getting prior to doing changes in Adsiedit? (If you remember)
Gulab | MCITP: Exchange 2010-2007 | Lync Server 2010 | Windows Server 2008 | Skype: Exchange.Ranger | Blog: www.ExchangeRanger.Blogspot.com -
Monday, August 29, 2011 2:23 PM
The event 9157 in Event Viewer & In Exchange Installation Console it was "MSExchangeSA failed to reach status 'Running' on this Server"
Regards
Vishal
-
Monday, August 29, 2011 2:26 PM
I got a question. Are you able to open up EMC? If yes than check the services console and try to start the service and if it fails than you should have some event generated.
Post how many services do you see, are there any services missing?
MY BAD ABOUT THAT REPLICATING DC'S ;)
Post those events.
Gulab | MCITP: Exchange 2010-2007 | Lync Server 2010 | Windows Server 2008 | Skype: Exchange.Ranger | Blog: www.ExchangeRanger.Blogspot.com -
Monday, August 29, 2011 2:33 PM
Yes I am able to open EMC, the running services are: -
MSExchangeADTopology, MSExchangeAB, MSExchangeAntispamUpdate, MSExchangeEdgeSync, MSExchangeFDS, MSExchangeFBA, MSExchangeIS, MSExchangeMailSubmission, MSExchangeMailboxAssistants, MSExchangeMailboxReplication, MSExchangeProtectedServiceHost, MSExchangeRepl, MSExchangeRPC, MSExchangeSearch, MSExchangeServiceHost, MSExchangeThrottling, MSExchangeTransport, MSExchangeTransportLogSearch,
& MSExchangeSA (Stuck @ Starting)... & Generate Event ID 9157..
Also again I run setup /PrepareAD, please find report of that: -
F:\>setup /prepareAD
Welcome to Microsoft Exchange Server 2010 Unattended Setup
Preparing Exchange Setup
Copying Setup Files COMPLETED
No server roles will be installed
Performing Microsoft Exchange Server Prerequisite Check
Organization Checks COMPLETED
Configuring Microsoft Exchange Server
Organization Preparation COMPLETED
The Microsoft Exchange Server setup operation completed successfully.
Regards,,
Vishal
-
Monday, August 29, 2011 4:24 PM
Any Update Team???
Rgds,,,
Vishal
-
Monday, August 29, 2011 4:36 PMI think you problem lies in this --> I have given Permission to Mail Server as full Access into Configuration partition
That is someting that never should be needed.
I would guess that inheritance is turned off somewhere in CN=Exchange Server. Make sure you have inheritance set!
Exchange Best Practice Analyzer might tell you wants wrong, so if you haven´t run it already you should.
Martina Miskovic -
Monday, August 29, 2011 5:12 PM
I have run the same but not getting any permission error...& the given permission to mail server, as per the suggested blogs by MS....I am error before I have modified the settings...Any thing Else...?
Regards,,,
Vishal
-
Monday, August 29, 2011 5:35 PM
You need to make sure that inheritance is enabled in the configuration --> CN=Services,CN=Exchange Server,CN=etc etc..
As I see it, giving the server object full access permission in the CN=Configuration,CN=etc etc is just a bad workaround.
Martina Miskovic -
Tuesday, August 30, 2011 5:31 AM
Dear,,
inheritance is enabled in the CN=Services,CN=Exchange Server,CN=Domain.com.
Anything else which I need to check or modify...
Regards,,,
Vishal
-
Tuesday, August 30, 2011 5:43 AM
Dear,,
inheritance is enabled in the CN=Services,CN=Exchange Server,CN=Domain.com.
Anything else which I need to check or modify...
Regards,,,
Vishal
Yes, you can check the settings for MSExchangeSA in the registry.
Post what you see there.
Martina Miskovic -
Tuesday, August 30, 2011 5:50 AM
You can refer this link http://technet.microsoft.com/en-us/library/ff360340(EXCHG.140).aspx
To resolve this error, do one or more of the following:
- Wait for Exchange 2010 PrepareAD replication to complete. For more information about PrepareAD and PrepareDomain, see Prepare Active Directory and Domains.
- Make sure the computer account is a member of the Exchange Servers and Exchange Install Domain Servers groups.
Thanks
Mihir Nayak -
Tuesday, August 30, 2011 5:51 AM
Martina, thanks for quick reply, which registry you want to from MSExchangeSA??
Regards,,,
Vishal
-
Tuesday, August 30, 2011 5:53 AM
Thanks Mihir, My Mail Server is member of both the groups & AD Replication is done...
Regards,,,
Vishal
-
Tuesday, August 30, 2011 5:55 AM
Hi,
It might sound weird but can you post the fulll Event ID 9157.
Gulab | MCITP: Exchange 2010-2007 | Lync Server 2010 | Windows Server 2008 | Skype: Exchange.Ranger | Blog: www.ExchangeRanger.Blogspot.com -
Tuesday, August 30, 2011 5:55 AMCan´t you create a picture and create a link to it on Skydrive and post it here?
Martina Miskovic -
Tuesday, August 30, 2011 5:57 AM
@Gulab,
Log Name: Application
Source: MSExchangeSA
Date: 30-08-2011 11:25:49
Event ID: 9157
Task Category: General
Level: Warning
Keywords: Classic
User: N/A
Computer: mail.domain.local
Description:
Microsoft Exchange System Attendant does not have sufficient rights to read Exchange configuration objects in Active Directory. Wait for replication to complete and then check to make sure that the computer account is a member of the "Exchange Servers" and "Exchange Install Domain Servers" security groups.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MSExchangeSA" />
<EventID Qualifiers="32768">9157</EventID>
<Level>3</Level>
<Task>1</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2011-08-30T05:55:49.000000000Z" />
<EventRecordID>11306</EventRecordID>
<Channel>Application</Channel>
<Computer>mail.triconhome.local</Computer>
<Security />
</System>
<EventData>
</EventData>
</Event> -
Tuesday, August 30, 2011 6:00 AM
Thanks Mihir, My Mail Server is member of both the groups & AD Replication is done...
Regards,,,
Vishal
Just to be sure...
The computer account is also a member of "Exchange Trusted Subsystem", right?
Martina Miskovic -
Tuesday, August 30, 2011 6:01 AM
@Matrina,
Created picture of Registry Sesstins & uploaded...thnxs
-
Tuesday, August 30, 2011 6:02 AM
@Matrina,
Created picture of Registry Sesstins & uploaded...thnxs
Ok, but where is the link? :=)
Martina Miskovic -
Tuesday, August 30, 2011 6:03 AMsee my previous reply,,,upload Image is there.
-
Tuesday, August 30, 2011 6:03 AM
@Matrina,
Created picture of Registry Sesstins & uploaded...thnxs
Ok, but where is the link? :=)
Martina Miskovic
Hehehe, blame it on TechNet ;)
Gulab | MCITP: Exchange 2010-2007 | Lync Server 2010 | Windows Server 2008 | Skype: Exchange.Ranger | Blog: www.ExchangeRanger.Blogspot.com -
Tuesday, August 30, 2011 6:05 AM
Thanks Mihir, My Mail Server is member of both the groups & AD Replication is done...
Regards,,,
Vishal
Just to be sure...
The computer account is also a member of "Exchange Trusted Subsystem", right?
Martina Miskovic
Check this one as well.Please please ensure the replication is completed successfully.
I have posted above a KB for your reference for the same event ID 9157.
Thanks
Mihir Nayak -
Tuesday, August 30, 2011 6:06 AMRun the Exbpa on the server and post the result if you get any error in it.
Gulab | MCITP: Exchange 2010-2007 | Lync Server 2010 | Windows Server 2008 | Skype: Exchange.Ranger | Blog: www.ExchangeRanger.Blogspot.com -
Tuesday, August 30, 2011 6:08 AM
@Mihir,
Yes, Computer is also member of Exchange Trusted Subsystem, & only one DC/GC is there so replication is done...
Regards,,,
Vishal
-
Tuesday, August 30, 2011 6:10 AM
Check this article:
http://technet.microsoft.com/en-us/library/bb288907(EXCHG.80).aspxSpecifically Verification portion of the article:
Gulab | MCITP: Exchange 2010-2007 | Lync Server 2010 | Windows Server 2008 | Skype: Exchange.Ranger | Blog: www.ExchangeRanger.Blogspot.com -
Tuesday, August 30, 2011 6:10 AM
@Gulab,
I have run the Exbpa but not getting any error in that..Those are the basic troubleshotting which I have done...
-
Tuesday, August 30, 2011 6:11 AMhe he, I see it now and everything looks good.
Now you need to verify that the computer is a member of "Exchange Trusted Subsystem" and that this group is a member of the local administrator group.
Martina Miskovic -
Tuesday, August 30, 2011 6:13 AM
Ok, but the issue is only happens when GC is not reachable, can you restart your GC and see if it helps.
Thanks
Mihir Nayak -
Tuesday, August 30, 2011 6:16 AM
@Martina,
Mail Server is member of Exchange Trusted SubSystem & This groups is also member of Local Administrator Group....Any thing else...?
-
Tuesday, August 30, 2011 6:18 AM
@Mihir.....Restart is best solution for Every IT Person so every one known this thing, GC is able to ping & telnet and also restarted 8 to 10 times,,,,
-
Tuesday, August 30, 2011 6:23 AM
@Martina,
Mail Server is member of Exchange Trusted SubSystem & This groups is also member of Local Administrator Group....Any thing else...?
Ok Good!!
Let´s go back to the permissions...(or lack of it)Please run the following command and post the output (replace the bold ones with your info)
get-adpermission "CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=YOUDOMAIN,DC=COM" | ft -autosizeget-adpermission "CN=YOUR_EXORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=YOUDOMAIN,DC=COM" | ft -autosize
Martina Miskovic -
Tuesday, August 30, 2011 6:23 AM
Hi Vishal,
That's Great :)
Can you make this entry in registry and restart the server ?
ServicesPipeTimeout
60000
hklm\system\courrent_con_set\control
dword 32 bit decimal
Thanks
Mihir Nayak -
Tuesday, August 30, 2011 6:34 AM
@Martina,,
Identity User Deny Inherited
-------- ---- ---- ---------
Microsoft Exchange NT AUTHORITY\Authenticated Users False False
Microsoft Exchange Domain\Administrator False False
Microsoft Exchange Domain\SBS Mail Operators False False
Microsoft Exchange Domain\Exchange Domain Servers False False
Microsoft Exchange Domain\Organization Management False False
Microsoft Exchange Domain\Public Folder Management False False
Microsoft Exchange Domain\Delegated Setup False False
Microsoft Exchange Domain\Exchange Servers False False
Microsoft Exchange Domain\Exchange Trusted Subsystem False False
Microsoft Exchange Domain\MAIL$ False False
Microsoft Exchange Domain\migration False False
Microsoft Exchange Domain\Enterprise Admins False True
Microsoft Exchange Domain\Domain Admins False True
Cheers,,, Vishal C. Kalal -
Tuesday, August 30, 2011 6:37 AM@Mihir, Created, let me restart the server,,
Cheers,,, Vishal C. Kalal -
Tuesday, August 30, 2011 6:38 AM
Ok best of luck.
Thanks
Mihir Nayak -
Tuesday, August 30, 2011 6:48 AMMihir, no luck Same error.....also getting this error something "
Process w3wp.exe () (PID=5368). Failed to read property AdminDisplayName (System.String) to generate automatic constraints. LDAP attribute: adminDisplayName.
Vishal C. Kalal -
Tuesday, August 30, 2011 6:55 AMAny Update Mihir, Gulab & Martina??
Vishal C. Kalal -
Tuesday, August 30, 2011 7:05 AM
Check this article:
http://technet.microsoft.com/en-us/library/bb288907(EXCHG.80).aspxSpecifically Verification portion of the article:
Gulab | MCITP: Exchange 2010-2007 | Lync Server 2010 | Windows Server 2008 | Skype: Exchange.Ranger | Blog: www.ExchangeRanger.Blogspot.com -
Tuesday, August 30, 2011 7:06 AM
-
Tuesday, August 30, 2011 7:10 AMany update
--------Abhi----------------- Exchange Specialist------------- ------------------ Please remember to click “Mark as Answer” on the post that helps you. This can be beneficial to other community members reading the thread. -
Tuesday, August 30, 2011 7:16 AM
One more thing I want you to check is, in Microsoft Exchange Security Object container in ADUC...Exchange Install Domain Servers...make sure that you have your Exchange server added in Members. And in Members Of, make sure you have Exchange Server group listed.
Post the update.
Gulab | MCITP: Exchange 2010-2007 | Lync Server 2010 | Windows Server 2008 | Skype: Exchange.Ranger | Blog: www.ExchangeRanger.Blogspot.com -
Tuesday, August 30, 2011 7:17 AMNothing like an issue on this....
Vishal C. Kalal MCITP: Exchange 2010-2007 | Windows Server 2008 -
Tuesday, August 30, 2011 7:35 AM
@Vishal you wrote above
I have modified Settings in ADSI Edit & rerun the setup & Mailbox Server is also installed.
WHAT SETTING YOU HAVE MODIFIED ?
You have a very strange issue, can check ADSIEDIT and see if any changes you have made whch may restrict this service to start.
Thanks
Mihir Nayak -
Tuesday, August 30, 2011 7:38 AM@Gulab, Groups are available in AD, but Microsoft Exchange System Objects is avaible in Domain Container not in ADUC...would you like to move that???
Vishal C. Kalal MCITP: Exchange 2010-2007 | Windows Server 2008 -
Tuesday, August 30, 2011 7:40 AM
No, no need to move anything, Yes it's on the DC but you can add the snap ins and can use ADUC on exchange Server. Anyways.
Check on the DC in ADUC and make sure these two things are there.Post the update.
Gulab | MCITP: Exchange 2010-2007 | Lync Server 2010 | Windows Server 2008 | Skype: Exchange.Ranger | Blog: www.ExchangeRanger.Blogspot.com -
Tuesday, August 30, 2011 7:41 AM
@Mihir,
I have checked all the settings & I don't think that is the issue bcos I have followed some blogs of MS & according to that I have modified & reviewed the settings...
I escaleted the call to MS Support team for the same now waiting for their revert.
Vishal C. Kalal MCITP: Exchange 2010-2007 | Windows Server 2008 -
Tuesday, August 30, 2011 7:43 AMExchange Domain Servers & Enterprise Server Groups are available in to ADUC...and mail server is part of both groups...
Vishal C. Kalal MCITP: Exchange 2010-2007 | Windows Server 2008 -
Tuesday, August 30, 2011 7:49 AMI didn't asked for EES and EDS, I asked for this:
In ADUC... Microsoft Exchange Security Object container ...Exchange Install Domain Servers...make sure that you have your Exchange server added in Members. And in Members Of, make sure you have Exchange Server group listed.
Gulab | MCITP: Exchange 2010-2007 | Lync Server 2010 | Windows Server 2008 | Skype: Exchange.Ranger | Blog: www.ExchangeRanger.Blogspot.com -
Tuesday, August 30, 2011 7:52 AM
@Mihir,
I have checked all the settings & I don't think that is the issue bcos I have followed some blogs of MS & according to that I have modified & reviewed the settings...
I escaleted the call to MS Support team for the same now waiting for their revert.
Vishal C. Kalal MCITP: Exchange 2010-2007 | Windows Server 2008
So please update the status after MS resolve this issue, which may help others.Thanks
Mihir Nayak -
Tuesday, August 30, 2011 7:53 AMYa..that one is also there....
Vishal C. Kalal MCITP: Exchange 2010-2007 | Windows Server 2008 -
Tuesday, August 30, 2011 7:54 AM
@Mihir,
I have checked all the settings & I don't think that is the issue bcos I have followed some blogs of MS & according to that I have modified & reviewed the settings...
I escaleted the call to MS Support team for the same now waiting for their revert.
Vishal C. Kalal MCITP: Exchange 2010-2007 | Windows Server 2008
Two hours of wait time, I am sure you will update the thread in 3-4 hours. :)Cheers,
Gulab | MCITP: Exchange 2010-2007 | Lync Server 2010 | Windows Server 2008 | Skype: Exchange.Ranger | Blog: www.ExchangeRanger.Blogspot.com -
Tuesday, August 30, 2011 7:57 AMMartina or Mihir any update from your ends????
Vishal C. Kalal | MCITP: Exchange 2010-2007 | Windows Server 2008 -
Tuesday, August 30, 2011 7:59 AM
@Mihir,
I have checked all the settings & I don't think that is the issue bcos I have followed some blogs of MS & according to that I have modified & reviewed the settings...
I escaleted the call to MS Support team for the same now waiting for their revert.
Vishal C. Kalal MCITP: Exchange 2010-2007 | Windows Server 2008
Two hours of wait time, I am sure you will update the thread in 3-4 hours. :)Cheers,
Gulab | MCITP: Exchange 2010-2007 | Lync Server 2010 | Windows Server 2008 | Skype: Exchange.Ranger | Blog: www.ExchangeRanger.Blogspot.com
Surely....if resolved:)
Vishal C. Kalal | MCITP: Exchange 2010-2007 | Windows Server 2008 -
Tuesday, August 30, 2011 2:03 PM
Guys...
My problem is resolve please have looks at workaround: -
>> Checked the permission of Exchange servers using ADSIEDIT. The permission were more than what it was required. So left it as it was.
>> Disjoined the machine from domain.
>> Reset Exchange machine account.
>> Rejoined the domain.
>> As logging on would take long time, we disabled Exchange servers.
>> Changed the startup type to default, then ran preparelegacyexhangepermissions,preparead,preparedomain.
>> Then Connected to Schema container- "cn=schema,cn=configuration,dc=<your domain>,dc=<your domain>", changed the “Apply To” to “This object and all descendant objects” for Authenticated users.>> MSExchangeSA service started successfully.Enjoy....
Thanks a lot to support me...
Vishal C. Kalal | MCITP: Exchange 2010-2007 | Windows Server 2008- Proposed As Answer by Martina_MiskovicMicrosoft Community Contributor Tuesday, August 30, 2011 4:32 PM
- Marked As Answer by Simon_WuMicrosoft Contingent Staff, Moderator Wednesday, August 31, 2011 4:56 AM
-
Tuesday, August 30, 2011 4:36 PM
Hi Vishal C,
Thanks for sharing the solution to your problem!
It will very helpful to others who might face the same problem.
Please mark your last post as the Answer.
Martina Miskovic -
Tuesday, August 30, 2011 4:37 PMThanks for the update and sharing the resolution.
Gulab | MCITP: Exchange 2010-2007 | Lync Server 2010 | Windows Server 2008 | Skype: Exchange.Ranger | Blog: www.ExchangeRanger.Blogspot.com
.png)
