Is it safe to rerun /PrepareDomain after the Exchange 2007 is installed??
Exchange server 2007 reports Topology errors and would not start.
The event id 2080 shows the "SACL right" flag to 0 for all DC in the domain and exchange cannot start without SACL rights:
srv01.domain.it CDG 1 7 7 1 0 0 1 7 1
srv02.domain.it CDG 1 7 7 1 0 0 1 7 1
My question is: can I rerun the exchange 2007 setup with /PrepareDomain option again to check and correct the default rights??
Thanks guys!
Ales
October 3rd, 2008 9:54am
Hi Ales,
Yes, it is safe to re-run /PrepareAD or /PrepareDomain in existing infrastructure. It verifies that everything is fine; if it finds something corrupted then it will fix it.
But before that I suggest you to give nTSecurityDescriptor Read permission on your GCs/DCs to Exchange Server security group.
Go to Active Directory Users & Computers
First enable Advanced Features to see Security Tab.
Now go to Domain Controllers OU
Right click on the DC which gives you 0 in SACL right and select Properties
Security tab and select Advanced.
Permissions tab, click on Add Exchange Servers security group, click on OK
Select Properties. Find Read nTSecurityDescriptor Check Mark on Allow
Click OK until everything closed.
You may need to restart all other Exchange services or server.
October 3rd, 2008 8:43pm
Thanks for suggestion;
I followed your directives but I cannot find the "nTSecurityDescriptor" in the properties tab of advanced permissions on both DC/GC.
I had a problem some days ago with the exchange 2007 server stalling on store.exe process and the event viewer reported the id 2080 described above.
Then I added the server's computer object in "Domain Admins" group and the server starts and works regularly.
The eventid 2080 now is "Information" type and shows the "SACL right" flag as 1.
Now I would return to original config taking away the server's computer object from "domain admins" group but I'm worried about what could happen.
So I think to rerun the PrepareDomain to fix potential errors.
What do you think about???
Thanks for your help.
Alessandro
October 9th, 2008 2:23pm
Can you see read nTSecurityDescriptor permission on OU instead of DC with ADSIEdit.msc? Give permission there and check....
Go to ADSIEdit.msc
Domain -> Domain Controller OU
Right click on Domain Controller OU and select Properties.
Security tab and select Advanced.
Permissions tab, click on Add Exchange Servers security group, click on OK
Select Properties. Find Read nTSecurityDescriptor Check Mark on Allow
Click OK until everything closed.
October 9th, 2008 6:13pm
Thank you, this worked for me.
July 29th, 2009 11:10pm
Hey Amit, we had this issue with another customer and the permissions were actually set properly. Turns out that there was some firewalling happening between the DCs and the Exchange servers, so for anyone else that's having this issue - check that too!
October 29th, 2009 8:40pm
Hello Amit,
Does the Exchange 2007 Server need to be rebooted after adding Allow for the nTSecurityDescriptor on the OU? If not, how long should I expect before the changes take effect?
Thank you,
January 8th, 2010 10:04pm
I made the change 15 min ago and it is still showing no change for the three DCs 2-4
Log Name: Application
Source: MSExchange ADAccess
Date: 1/8/2010 1:57:36 PM
Event ID: 2080
Task Category: Topology
Level: Information
Keywords: Classic
User: N/A
Computer: .com
Description:
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1316). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
DC1...com CDG 1 7 7 1 0 1 1 7 1
DC2...com CDG 1 7 7 1 0 0 1 7 1
DC3...com CDG 1 7 7 1 0 0 1 7 1
DC4...com CDG 1 7 7 1 0 0 1 7 1
Out-of-site:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="MSExchange ADAccess" />
    <EventID Qualifiers="16388">2080</EventID>
    <Level>4</Level>
    <Task>3</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2010-01-08T18:57:36.000Z" />
    <EventRecordID>91848</EventRecordID>
    <Channel>Application</Channel>
    <Computer>.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>MSEXCHANGEADTOPOLOGYSERVICE.EXE</Data>
    <Data>1316</Data>
    <Data>.com CDG 1 7 7 1 0 1 1 7 1
.com CDG 1 7 7 1 0 0 1 7 1
.com CDG 1 7 7 1 0 0 1 7 1
.gallodisplays.com CDG 1 7 7 1 0 0 1 7 1</Data>
    <Data> </Data>
  </EventData>
</Event>
January 8th, 2010 10:09pm
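Added example, not part of any post in this thread: a PowerShell sketch that splits an event 2080 description into one object per domain controller, using the column order from the event header quoted above, and lists the DCs whose "SACL right" flag is 0. The function name, the sample text and the example.test server names are constructed for illustration.

```powershell
# Column order after the server name, as given in the event 2080 header on this page.
$Columns = 'Roles','Enabled','Reachability','Synchronized','GCCapable',
           'PDC','SACLRight','CriticalData','Netlogon','OSVersion'

function ConvertFrom-Event2080 {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$Description)

    # A row is: server FQDN, role letters (e.g. CDG), then nine integers.
    $row = '(?<name>[A-Za-z0-9][A-Za-z0-9.-]*)\s+(?<roles>[A-Z]{1,3})\s+(?<nums>\d+(?:\s+\d+){8})'
    foreach ($m in [regex]::Matches($Description, $row)) {
        $values = @($m.Groups['roles'].Value) + ($m.Groups['nums'].Value -split '\s+')
        $dc = New-Object psobject -Property @{ Server = $m.Groups['name'].Value }
        for ($i = 0; $i -lt $Columns.Count; $i++) {
            $dc | Add-Member -MemberType NoteProperty -Name $Columns[$i] -Value $values[$i]
        }
        $dc
    }
}

# Constructed sample description (server names are placeholders).
$sample = @'
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1316). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
 (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
dc1.example.test CDG 1 7 7 1 0 1 1 7 1
dc2.example.test CDG 1 7 7 1 0 0 1 7 1
Out-of-site:
'@

$dcs = ConvertFrom-Event2080 -Description $sample

# DCs on which the Exchange server reports SACL right = 0 (the condition in this thread).
$dcs | Where-Object { $_.SACLRight -eq '0' } | Select-Object Server, PDC, SACLRight

# On a live server (Windows Server 2008 or later), parse the newest event instead:
# $e = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 2080 } -MaxEvents 1
# ConvertFrom-Event2080 -Description $e.Message
```

Running the same check before and after a permission change, or after removing the server from a privileged group, shows whether the flag holds at 1 on every DC without relying on broad group membership.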
Dear Amit, I too am having this issue after migration to Exchange 2007; the SACL right becomes zero. After a few hours the Exchange 2007 database gets dismounted...... Further I have tried the
Go to ADSIEdit.msc
Domain -> Domain Controller OU
Right click on Domain Controller OU and select Properties.
Security tab and select Advanced.
Permissions tab, click on Add Exchange Servers security group, ------------ however I cannot find the Exchange Servers security group..... is this named as the exchange server group or Exchange Server Security group...... please advise...... I am confused............ click on OK
Select Properties. Find Read nTSecurityDescriptor Check Mark on Allow
Click OK until everything closed.
January 10th, 2010 10:19pm