Solved

X64 2008 Server missing "SACL right"

Posted on 2008-10-20
4
1,928 Views
Last Modified: 2010-04-21
How do I add the "SACL right" to my X64 2008 Domain Controller?  

Domain has 7 2003 R2 DC's and one X64 2008 DC.  All are global catiloge servers.
Exchange 2003 SP2 running on a 2003 R2 member server.

From the Exchange server log...

Process INETINFO.EXE (PID=1240). DSAccess has discovered the following servers with the following characteristics:
 (Server name | Roles | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
dc01fin.Raygraham.org      CDG 7 7 1 0 1 1 7 1
DC08FIN.Raygraham.org      CDG 7 7 1 0 0 1 7 1
 Out-of-site:
dc01eld.Raygraham.org      CDG 7 7 1 0 1 1 7 1
dc01han.Raygraham.org      CDG 7 7 1 0 1 1 7 1
dc01lis.Raygraham.org      CDG 7 7 1 0 1 1 7 1
dc01lom.Raygraham.org      CDG 7 7 1 0 1 1 7 1
dc01ful.Raygraham.org      CDG 7 7 1 0 1 1 7 1
dc01slc.Raygraham.org      CDG 7 7 1 0 1 1 7 1

Please note: "DC08FIN.Raygraham.org      CDG 7 7 1 0 0 1 7 1"  this is my 2008 server and is missing SACL rights.
 
Aditional Facts:
-All DC's have been restarted
-Have rerun both Forestprep and Domainprep form the Exchange 2003 member server

Any ideas woud be great.  Thanks
0
Comment
Question by:JAVidmar
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 33

Accepted Solution

by:
Exchange_Geek earned 500 total points
ID: 22762435
Wish i could think of something quick, however all i can suggest is

1) DIsable IPv6 on W2k8 box for a while
2) Check for replication errors (if any) on W2k8 box.
3) The most usual step - check for manage auditing and security rights membership from w2k8 box and dc01fin.

4) If possible please reboot w2k8 box so that Exchange pulls up new information forced by reboot of this box.

0
 
LVL 9

Expert Comment

by:abdulzis
ID: 22764669
0
 
LVL 33

Expert Comment

by:Exchange_Geek
ID: 22764900
The information of ntSecurityDescriptor should have been populated by running domain prep.

"DSAccess does not use any domain controller that does not have permissions to read the SACL on the nTSecurityDescriptor attribute in the domain controller. You must have at least one server that satisfies each role (C, D, or G), that is reachable for that role (the appropriate bit flag connected by an OR value in the Reachability column), and that shows 1 in the SACL right column. If you do not have these servers, confirm that the domain controller that shows 0 in the SACL right column has been domain-prepped, and then confirm that your Recipient Update Services are configured properly."

http://support.microsoft.com/kb/316300

However, the steps outlined in the post above can be checked - well written blog.
0
 

Author Closing Comment

by:JAVidmar
ID: 31507998
Setting the manage auditing and security rights and restarting all DC's resolved the issue.  Thanks Exchange Geek.
0

Featured Post

Online Training Solution

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action. Forget about retraining and skyrocket knowledge retention rates.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
Check out this step-by-step guide for using the newly updated Experts Exchange mobile app—released on May 30.
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
This video demonstrates how to sync Microsoft Exchange Public Folders with smartphones using CodeTwo Exchange Sync and Exchange ActiveSync. To learn more about CodeTwo Exchange Sync and download the free trial, go to: http://www.codetwo.com/excha…

690 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question