X64 2008 Server missing "SACL right"

How do I add the "SACL right" to my X64 2008 Domain Controller?  

Domain has 7 2003 R2 DC's and one X64 2008 DC.  All are global catiloge servers.
Exchange 2003 SP2 running on a 2003 R2 member server.

From the Exchange server log...

Process INETINFO.EXE (PID=1240). DSAccess has discovered the following servers with the following characteristics:
 (Server name | Roles | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
dc01fin.Raygraham.org      CDG 7 7 1 0 1 1 7 1
DC08FIN.Raygraham.org      CDG 7 7 1 0 0 1 7 1
 Out-of-site:
dc01eld.Raygraham.org      CDG 7 7 1 0 1 1 7 1
dc01han.Raygraham.org      CDG 7 7 1 0 1 1 7 1
dc01lis.Raygraham.org      CDG 7 7 1 0 1 1 7 1
dc01lom.Raygraham.org      CDG 7 7 1 0 1 1 7 1
dc01ful.Raygraham.org      CDG 7 7 1 0 1 1 7 1
dc01slc.Raygraham.org      CDG 7 7 1 0 1 1 7 1

Please note: "DC08FIN.Raygraham.org      CDG 7 7 1 0 0 1 7 1"  this is my 2008 server and is missing SACL rights.
 
Aditional Facts:
-All DC's have been restarted
-Have rerun both Forestprep and Domainprep form the Exchange 2003 member server

Any ideas woud be great.  Thanks
JAVidmarAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Exchange_GeekCommented:
Wish i could think of something quick, however all i can suggest is

1) DIsable IPv6 on W2k8 box for a while
2) Check for replication errors (if any) on W2k8 box.
3) The most usual step - check for manage auditing and security rights membership from w2k8 box and dc01fin.

4) If possible please reboot w2k8 box so that Exchange pulls up new information forced by reboot of this box.

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Exchange_GeekCommented:
The information of ntSecurityDescriptor should have been populated by running domain prep.

"DSAccess does not use any domain controller that does not have permissions to read the SACL on the nTSecurityDescriptor attribute in the domain controller. You must have at least one server that satisfies each role (C, D, or G), that is reachable for that role (the appropriate bit flag connected by an OR value in the Reachability column), and that shows 1 in the SACL right column. If you do not have these servers, confirm that the domain controller that shows 0 in the SACL right column has been domain-prepped, and then confirm that your Recipient Update Services are configured properly."

http://support.microsoft.com/kb/316300

However, the steps outlined in the post above can be checked - well written blog.
0
JAVidmarAuthor Commented:
Setting the manage auditing and security rights and restarting all DC's resolved the issue.  Thanks Exchange Geek.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Exchange

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.