Wednesday, October 07, 2009 11:59 PM
Hi,
I have an existing Exchange Server 2007 instance installed. Everything is running great and we have 3 DCs, which are also GCs, in the Exchange site.
I want to have Exchange polling all 3 of these servers, but one of our servers (the only 2K8 DC) does not have the SACL right set.
I have followed this and enabled it:
Go to ADSIEdit.msc
Domain -> Domain Controller OU
Right click on Domain Controller OU and select Properties.
Security tab and select Advanced.
Permissions tab, click on Add Exchange Servers security group, click on OK
Select Properties. Find Read nTSecurityDescriptor. Check mark on Allow.
Click OK until everything closed.
When I do an effective permissions for that DC, it says that it has the Read nTSecurityDescriptor permission, however Exchange still reports it as a 0.
DC01 CDG 1 7 7 1 0 1 1 7 1
DC03 CDG 1 7 7 1 0 1 1 7 1
DC02 CDG 1 7 7 1 0 0 1 7 1
DC02 is having the issue, DC02 also has all the roles running from it.
Thursday, October 08, 2009 3:40 AM
Verify the "Manage Auditing and Security Log" settings explained in the article below. This happens if the server is not a member of the Exchange groups or the Exchange groups are not added to Manage Auditing and Security Log...
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Exchange&ProdVer=8.0&EvtID=2102&EvtSrc=MSExchange%20ADAccess&LCID=1033
Amit Tank | MVP – Exchange Server | MCITP: EMA | MCSA: M | http://ExchangeShare.WordPress.com
Thursday, October 08, 2009 10:37 PM
Hi Amit,
I have looked through all of these before and have done everything stipulated.
The SACL right is still 0 for that DC and I am running out of ideas :(
Any other ideas?
Monday, October 12, 2009 3:57 AM
Anyone else have any ideas?
I still have no idea why this is occurring.
It seems to be happening across the board with our Win2K8 Domain Controllers.
I have also re-run setup /domainprep to no avail.
Monday, November 02, 2009 4:07 PM
As mentioned on the other thread, I experienced this issue when some network ports were blocked between Exchange and DCs.
Monday, November 09, 2009 11:32 PM
After a lot of screwing around, I found out that for some reason the Default Domain Controller's policy was corrupted and not linking correctly.
I re-created the policy, re-linked it and all is good now.
- Marked As Answer by Tabmow Monday, November 09, 2009 11:32 PM
Thursday, March 18, 2010 6:22 PM
I also saw this issue in an environment that had unlinked the “Default Domain Controllers Policy” from the Domain Controllers OU. They used a custom GPO instead. Adding (manually) the Exchange Servers USG to their new GPO solved the issue.
1. To verify that this step (PrepareAD) completed successfully, confirm the following:
· You have a new global group in the Microsoft Exchange System Objects container called Exchange Install Domain Servers.
To view the Microsoft Exchange System Objects container in Active Directory Users and Computers, on the View menu, click Advanced Features.
· The Exchange Install Domain Servers group is a member of the Exchange Servers USG in the root domain.
· On each domain controller in a domain in which you will install Exchange 2010, the Exchange Servers USG has permissions on the Domain Controller Security Policy\Local Policies\User Rights Assignment\Manage Auditing and Security Log policy.
Mike Crowley: MCT, MCSE, MCTS, MCITP: Enterprise Administrator / Messaging Administrator
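
The fixes in this thread all turn on whether the Exchange Servers group holds the "Manage auditing and security log" right (SeSecurityPrivilege) on each DC. The following is an added example, not code from any poster: a PowerShell function that checks this in a `secedit /export /areas USER_RIGHTS` file. The function name, the SID and the sample INF text are constructed for illustration.

```powershell
# Added example, not from the thread. Reports whether a SID holds a user right
# in the [Privilege Rights] section of a secedit USER_RIGHTS export.
function Test-UserRight {
    param(
        [string[]]$InfLines,  # lines of the exported INF file
        [string]$Right,       # privilege constant, e.g. SeSecurityPrivilege
        [string]$Sid          # SID of the group to look for
    )
    $inSection = $false
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $t -match '^(\w+)\s*=\s*(.*)$' -and $Matches[1] -eq $Right) {
            # Holders are comma-separated; SIDs carry a leading '*'.
            $holders = $Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
            return ($holders -contains $Sid)
        }
    }
    return $false  # right not defined in the export at all
}

# Constructed sample data: hypothetical SID standing in for the Exchange Servers USG.
$exchangeServersSid = 'S-1-5-21-1111111111-2222222222-3333333333-1119'
$healthyDc = @"
[Unicode]
Unicode=yes
[Privilege Rights]
SeSecurityPrivilege = *S-1-5-32-544,*$exchangeServersSid
"@ -split "`r?`n"
$brokenDc = @"
[Privilege Rights]
SeSecurityPrivilege = *S-1-5-32-544
"@ -split "`r?`n"

"healthy DC: " + (Test-UserRight $healthyDc 'SeSecurityPrivilege' $exchangeServersSid)
"broken DC:  " + (Test-UserRight $brokenDc  'SeSecurityPrivilege' $exchangeServersSid)

# On a real DC, from an elevated prompt:
#   secedit /export /areas USER_RIGHTS /cfg "$env:TEMP\rights.inf"
#   $sid = (New-Object System.Security.Principal.NTAccount('Exchange Servers')).Translate([System.Security.Principal.SecurityIdentifier]).Value
#   Test-UserRight (Get-Content "$env:TEMP\rights.inf") 'SeSecurityPrivilege' $sid
```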