Is it safe to rerun /PrepareDomain after the Exchange 2007 is installed??
Exchange Server 2007 reports Topology errors and would not start. The event ID 2080 shows the "SACL right" flag as 0 for all DCs in the domain, and Exchange cannot start without SACL rights:
srv01.domain.it CDG 1 7 7 1 0 0 1 7 1
srv02.domain.it CDG 1 7 7 1 0 0 1 7 1
My question is: can I rerun the Exchange 2007 setup with the /PrepareDomain option again to check and correct the default rights?
Thanks guys! Ales
October 3rd, 2008 9:54am

Hi Ales, Yes, it is safe to re-run /PrepareAD or /PrepareDomain in an existing infrastructure. It verifies that everything is fine; if it finds something corrupted, it will fix it. But before that, I suggest you give nTSecurityDescriptor Read permission on your GCs/DCs to the Exchange Servers security group.
Go to Active Directory Users & Computers.
First enable Advanced Features to see the Security tab.
Now go to the Domain Controllers OU.
Right click on the DC which gives you 0 in SACL right and select Properties.
Security tab and select Advanced.
Permissions tab, click on Add.
Exchange Servers security group, click on OK.
Select Properties.
Find Read nTSecurityDescriptor.
Check mark on Allow.
Click OK until everything is closed.
You may need to restart all other Exchange services or the server.
October 3rd, 2008 8:43pm

Thanks for the suggestion; I followed your directives but I cannot find the "nTSecurityDescriptor" in the properties tab of advanced permissions on both DC/GC. I had a problem some days ago with the Exchange 2007 server stalling on the store.exe process, and the event viewer reported the ID 2080 described above. Then I added the server's computer object to the "Domain Admins" group and the server starts and works regularly. The event ID 2080 now is "Information" type and shows the "SACL right" flag as 1. Now I would return to the original config, taking away the server's computer object from the "Domain Admins" group, but I'm worried about what could happen. So I think to rerun the PrepareDomain to fix potential errors. What do you think about it? Thanks for your help. Alessandro
October 9th, 2008 2:23pm

Can you see the Read nTSecurityDescriptor permission on the OU instead of the DC with ADSIEdit.msc? Give permission there and check.
Go to ADSIEdit.msc.
Domain -> Domain Controller OU.
Right click on Domain Controller OU and select Properties.
Security tab and select Advanced.
Permissions tab, click on Add.
Exchange Servers security group, click on OK.
Select Properties.
Find Read nTSecurityDescriptor.
Check mark on Allow.
Click OK until everything is closed.
October 9th, 2008 6:13pm

Thank you, this worked for me.
July 29th, 2009 11:10pm

Hey Amit, we had this issue with another customer and the permissions were actually set properly. Turns out that there was some firewalling happening between the DCs and the Exchange servers, so for anyone else that's having this issue - check that too!
October 29th, 2009 8:40pm

Hello Amit,
Does the Exchange 2007 Server need to be rebooted after adding Allow for the nTSecurityDescriptor on the OU? If not, how long should I expect before the changes take effect?
Thank you,
January 8th, 2010 10:04pm

I made the change 15 min ago and it is still showing no change for the three DCs 2-4

Log Name: Application
Source: MSExchange ADAccess
Date: 1/8/2010 1:57:36 PM
Event ID: 2080
Task Category: Topology
Level: Information
Keywords: Classic
User: N/A
Computer: .com
Description:
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1316). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
DC1...com CDG 1 7 7 1 0 1 1 7 1
DC2...com CDG 1 7 7 1 0 0 1 7 1
DC3...com CDG 1 7 7 1 0 0 1 7 1
DC4...com CDG 1 7 7 1 0 0 1 7 1
Out-of-site:

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="MSExchange ADAccess" />
    <EventID Qualifiers="16388">2080</EventID>
    <Level>4</Level>
    <Task>3</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2010-01-08T18:57:36.000Z" />
    <EventRecordID>91848</EventRecordID>
    <Channel>Application</Channel>
    <Computer>.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>MSEXCHANGEADTOPOLOGYSERVICE.EXE</Data>
    <Data>1316</Data>
    <Data>.com CDG 1 7 7 1 0 1 1 7 1.com CDG 1 7 7 1 0 0 1 7 1.com CDG 1 7 7 1 0 0 1 7 1.gallodisplays.com CDG 1 7 7 1 0 0 1 7 1</Data>
    <Data> </Data>
  </EventData>
</Event>
January 8th, 2010 10:09pm
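
Added example (not part of the original thread, and not Microsoft's code): a small Python parser for the Event 2080 description text in the layout pasted in the post above, listing the DCs whose "SACL right" column is 0. The column order comes from the header line in the event; the host names, the sample text and the assumption that the role string is three characters from C, D, G or "-" are constructed for illustration.

```python
import re

# Numeric columns, in the order given by the header line of Event 2080.
COLUMNS = ["Enabled", "Reachability", "Synchronized", "GC capable", "PDC",
           "SACL right", "Critical Data", "Netlogon", "OS Version"]
# One row: server name, three-character role string (e.g. CDG), nine integers.
ROW = re.compile(r"^(\S+)\s+([CDG-]{3})\s+((?:\d+\s+){8}\d+)$")
SECTIONS = ("In-site:", "Out-of-site:")

def parse_2080(description):
    """Return one dict per DC row, tagged with the section it was listed in."""
    rows, section = [], None
    for line in description.splitlines():
        text = line.strip()
        for marker in SECTIONS:
            if text.lower().startswith(marker.lower()):
                section = marker.rstrip(":")
                text = text[len(marker):].strip()  # a row may follow the marker
        match = ROW.match(text)
        if match:
            row = {"Server": match.group(1), "Roles": match.group(2), "Section": section}
            row.update(zip(COLUMNS, map(int, match.group(3).split())))
            rows.append(row)
    return rows

def missing_sacl_right(rows):
    """Names of the DCs reported with "SACL right" = 0."""
    return [r["Server"] for r in rows if r["SACL right"] == 0]

# Constructed sample in the layout of the event text (hypothetical host names).
SAMPLE = """\
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1316). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
 (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
dc1.example.test CDG 1 7 7 1 0 1 1 7 1
dc2.example.test CDG 1 7 7 1 0 0 1 7 1
Out-of-site:
dc3.example.test CDG 1 7 7 1 1 0 1 7 1
"""

if __name__ == "__main__":
    for name in missing_sacl_right(parse_2080(SAMPLE)):
        print("SACL right = 0 on", name)
```

Running it against the description text saved after each permission change shows whether the flag has flipped for every DC, rather than reading the columns by eye.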

Dear Amit, I am also having this issue after migration to Exchange 2007; the SACL right becomes zero. After a few hours the Exchange 2007 database gets dismounted... Further, I have tried: Go to ADSIEdit.msc Domain -> Domain Controller OU. Right click on Domain Controller OU and select Properties. Security tab and select Advanced. Permissions tab, click on Add Exchange Servers security group, however I cannot find the Exchange Servers security group. Is this named the Exchange Server group or the Exchange Server Security group? Please advise, I am confused. click on OK Select Properties. Find Read nTSecurityDescriptor Check Mark on Allow Click OK until everything closed.
January 10th, 2010 10:19pm

This topic is archived. No further replies will be accepted.
