Win2K8 DC does not have SACL right

    Question

  • Hi,

    I have an existing Exchange Server 2007 instance installed. Everything is running great and we have 3 DCs which are also GCs in the Exchange site.
    I want to have Exchange polling all 3 of these servers, but one of our servers (the only 2K8 DC) does not have the SACL right set.

    I have followed this and enabled it:

    Go to ADSIEdit.msc

    Domain -> Domain Controller OU

    Right click on Domain Controller OU and select Properties.

    Security tab and select Advanced.

    Permissions tab, click on Add Exchange Servers security group, click on OK

    Select Properties. Find Read nTSecurityDescriptor Check Mark on Allow

    Click OK until everything closed.


    When I do an effective permissions for that DC, it says that it has the Read nTSecurityDescriptor permission, however Exchange still reports it as a 0.

    Any ideas?

     

    In-site:
    DC01    CDG 1 7 7 1 0 1 1 7 1
    DC03    CDG 1 7 7 1 0 1 1 7 1
    DC02    CDG 1 7 7 1 0 0 1 7 1

     

    DC02 is having the issue, DC02 also has all the roles running from it.

     

    Regards,

    Terry
    Terry http://www.sucked-in.com
    Wednesday, October 07, 2009 11:59 PM
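
An added example, not part of the original post: a Python parser for the topology rows quoted above that reports which domain controllers show a SACL right of 0. The column names are an assumption taken from the standard Exchange 2007 event 2080 header line, which the thread does not show.

```python
# Column order assumed from the header line of MSExchange ADAccess event 2080
# (Exchange 2007); the thread shows only the data rows.
COLUMNS = ("enabled", "reachability", "synchronized", "gc_capable", "pdc",
           "sacl_right", "critical_data", "netlogon", "os_version")

# Rows copied from the question above.
SAMPLE = """\
In-site:
DC01    CDG 1 7 7 1 0 1 1 7 1
DC03    CDG 1 7 7 1 0 1 1 7 1
DC02    CDG 1 7 7 1 0 0 1 7 1
"""


def parse_topology(text):
    """Return {server: {"roles": str, <column>: int, ...}} for each data row."""
    servers = {}
    for line in text.splitlines():
        parts = line.split()
        # A data row is: name, roles, then exactly len(COLUMNS) integers.
        if len(parts) != len(COLUMNS) + 2:
            continue  # section labels such as "In-site:" and blank lines
        name, roles, *values = parts
        try:
            numbers = [int(v) for v in values]
        except ValueError:
            continue  # right field count, but not a topology row
        servers[name] = {"roles": roles, **dict(zip(COLUMNS, numbers))}
    return servers


def missing_sacl_right(servers):
    """Names of servers whose SACL right column is reported as 0."""
    return sorted(n for n, row in servers.items() if row["sacl_right"] == 0)


if __name__ == "__main__":
    topo = parse_topology(SAMPLE)
    for name in missing_sacl_right(topo):
        print(f"{name}: SACL right = 0 (roles {topo[name]['roles']})")
```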

Answers

  • After a lot of screwing around, I found out that for some reason the Default Domain Controller's policy was corrupted and not linking correctly.
    I re-created the policy, re-linked it and all is good now.
    Terry http://www.sucked-in.com
    • Marked as answer by Tabmow Monday, November 09, 2009 11:32 PM
    Monday, November 09, 2009 11:32 PM

All replies

  • Verify the "Manage Auditing and Security Log" settings explained in the article below; this happens if the server is not a member of the Exchange groups or the Exchange groups are not added to Manage Auditing and Security Log...


    Amit Tank | MVP – Exchange Server | MCITP: EMA | MCSA: M | http://ExchangeShare.WordPress.com

    Thursday, October 08, 2009 3:40 AM
  • Hi Amit,

    I have looked through all of these before and have done everything stipulated.
    The SACL right is still 0 for that DC and I am running out of ideas :(

    Any other ideas?

    Regards,

    Terry
    Terry http://www.sucked-in.com
    Thursday, October 08, 2009 10:37 PM
  • Anyone else have any ideas?
    I still have no idea why this is occurring.
    It seems to be happening across the board with our Win2K8 Domain Controllers.
    I have also re-run setup /domainprep to no avail.

    Terry http://www.sucked-in.com
    Monday, October 12, 2009 3:57 AM
  • As mentioned on the other thread, I experienced this issue when some network ports were blocked between Exchange and DCs.
    Monday, November 02, 2009 4:07 PM
  • I also saw this issue in an environment that had unlinked the “Default Domain Controllers Policy” from the Domain Controllers OU.  They used a custom GPO instead.  Adding (manually) the Exchange Servers USG to their new GPO solved the issue.


    1. To verify that this step (PrepareAD) completed successfully, confirm the following:

    · You have a new global group in the Microsoft Exchange System Objects container called Exchange Install Domain Servers.

    Note:

    To view the Microsoft Exchange System Objects container in Active Directory Users and Computers, on the View menu, click Advanced Features.

    · The Exchange Install Domain Servers group is a member of the Exchange Servers USG in the root domain.

    · On each domain controller in a domain in which you will install Exchange 2010, the Exchange Servers USG has permissions on the Domain Controller Security Policy\Local Policies\User Rights Assignment\Manage Auditing and Security Log policy.

    http://technet.microsoft.com/en-us/library/bb125224.aspx


    Mike Crowley: MCT, MCSE, MCTS, MCITP: Enterprise Administrator / Messaging Administrator
    Thursday, March 18, 2010 6:22 PM