Home » Exchange Server 2010 » Exchange Miscellaneous » MSExchange ADAccess (DSAccess) errors and the “Manage auditing and security” right or SACL rights

Translate:

Archives

MSExchange ADAccess (DSAccess) errors and the “Manage auditing and security” right or SACL rights

In a day to day scenario most of the Exchange Administrator see common error message “Exchange failed to start”, with error message “Process STORE.EXE (PID=5076). Topology discovery failed due to LDAP_SERVER_DOWN error”.

To Isolate such scenarios below are the steps that have to checked.

1: Check the network or DNS issues.

2: Obviously they must all be pointing to an internal DNS server, also we need to confirm that all exchange servers and domain controllers have a single NIC.

3: Also we can run dcdiag.exe on the DC as well as from Exchange.

Note: if you have multiple DC while running dcdiag.exe /s:dcname

In this case, if we had an environment of Exchange 2003, 2007, and 2010. The Exchange 2007 and 2010 servers, with the exception of one Exchange 2007 mailbox server, were throwing errors such as these:

Event Type: Error

Event Source: MSExchange ADAccess

Event Category: Topology

Event ID: 2114

Description:

Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=4600). Topology discovery failed, error 0x80040952 (LDAP_LOCAL_ERROR (Client-side internal error or bad LDAP message)).

Event Type: Error

Event Source: MSExchange ADAccess

Event Category: General

Event ID: 2604

Description:

Process MSEXCHANGEADTOPOLOGY (PID=4600). When updating security for a remote procedure call (RPC) access for the Exchange Active Directory Topology service, Exchange could not retrieve the security descriptor for Exchange server object SERVER – Error code=80040a01.

The Exchange Active Directory Topology service will continue with limited permissions.

Event Type: Error

Event Source: MSExchange ADAccess

Event Category: General

Event ID: 2501

Description:

Process MSEXCHANGEADTOPOLOGY (PID=4600). The site monitor API was unable to verify the site name for this Exchange computer – Call=HrSearch Error code=80040a01. Make sure that Exchange server is correctly registered on the DNS server.

 

At this point, the next step is to look for a recent 2080 event and see what the Exchange server was seeing as far as domain controllers were concerned. The 2080 looked like this:

Event Type: Information

Event Source: MSExchange ADAccess

Event Category: Topology

Event ID: 2080

 Description:

Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=2252). Exchange Active Directory Provider has discovered the following servers with the following characteristics:

(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)

In-site:

dc1.netsaints.COM CDG 1 7 7 1 0 0 1 7 1

dc2.netsaints.COM CDG 1 7 7 1 0 0 1 7 1

Out-of-site:

This clearly tells that the Exchange server is missing the SACL (Manage auditing and security log) right on the DC’s.

Solution :

Whenever we get one of these cases, the first thing we need to do is go to one of the Domain Controllers -> Click Administrative tools -> local Security Policy -> Expand Local Policies -> highlight User rights Assignment -> In the right side highlight “Manage Auditing and Security Log” -> Either we can add “Exchagne Servers” group or follow the below step:

 

group policy

 

Here we can see the Manage auditing and security log right, can see what accounts are listed in the right. By default, the Exchange Servers (Exchange 2007 and 2010) group and Exchange Enterprise Servers (Exchange 2003) group are added to this right in the Default Domain Controllers Policy. This occurs during the setup process.

In Exchange 2003, this is done during the setup /domainprep process.

In Exchange 2007 and 2010, this is done during setup /preparedomain process.

If this is the case, you need to make sure that the policy that is responsible for applying the right grants the Exchange Servers (or Exchange Enterprise Servers) group the right, or edit the Group Policy Links for you Domain Controllers OU so that the Default Domain Controllers Policy is applied.

In Case if we are getting only Event ID 2080 apart from any other event

Event Type: Information

Event Source: MSExchange ADAccess

Event Category: Topology

Event ID: 2080

Description:

Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=2252). Exchange Active Directory Provider has discovered the following servers with the following characteristics:

(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)

In-site:

dc1.netsaints.COM CDG 1 7 7 1 0 0 1 7 1

dc2.netsaints.COM CDG 1 7 7 1 0 0 1 7 1

Out-of-site:

Then we need to fix the SACL rights error

1: Open default Domain Controller.

2: Open Local Security Policy.

3: Expand Local Policies -> User rights management.

4: Right side or middle of the page find Manage Auditing and security Log in the properties we need add “Exchange Servers” Group, need to add if it’s not present.

If there is a group policy applied on the dc make sure it is not removing this permission. Once replication completes you should see the SACL rights set in the next run of AD discovery by MSExchangeSA.

For More info : http://support.microsoft.com/kb/298879

Praveen

MCTS | Exchange Server


Leave a comment

Translate »