Solved

Exchange 2003 Server Lost Default Permissions (SeSecurityPrivilege)

Posted on 2011-03-22
Last Modified: 2012-05-11
Background
The requirement was to harden Active Directory as close to the Secure Domains recommendations in the SSLF documentation. Part of this requirement was to restrict the Manage Security and Auditing user right, which knocked out Exchange Enterprise Servers from the list. One Exchange server was rebooted.

Problem
All messages on the server started queuing up - both SMTP and MSExchangeMTA. The various messages on local and remote servers included "unable to bind to DNS", "client attempted to use LOCAL AUTHORITY/ANONYMOUS LOGON".

Remediation

SMTP queues were cleared by setting up one of the other Exchange servers as a smart host.  This short-circuits the internal Exchange<>Exchange comms (and authentication) and uses pure SMTP.
Relevant user rights are back in place and DC replication is working.
Attempts to trick MTA service into using service, user or computer accounts failed.
/domainprep and /forestprep have been re-run.
PolicyTest has been run and confirms SeSecurityPrivilege is present on all DCs.

Request
Please focus on specifics of the problem, rather than general offers of AD/Exchange health. I am looking for an alternative method of confirming / testing / reapplying the standard security necessary at domain level for correct functioning of Exchange.

For example, would reinstalling the troubled Exchange Server do anything that /domainprep and /forestprep don't; or, are there Registry settings which could silently override GPO settings at DC Def Policy etc.

Thank you in advance.
Question by:Nenadic
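Added example (not from this thread or from Microsoft): an offline check of the user right the question is about. It parses the INI-style security template that `secedit /export /cfg <file> /areas USER_RIGHTS` writes on a DC (or a GPO's GptTmpl.inf, which uses the same format) and reports which principals required for Exchange 2003 are missing from SeSecurityPrivilege. The SID used for "Exchange Enterprise Servers" is a constructed placeholder, as are both sample templates; the real RID is domain-specific.

```python
"""Check the 'Manage auditing and security log' right (SeSecurityPrivilege)
in a secedit export or GptTmpl.inf for the principals Exchange 2003 needs.

Assumptions (not from the original thread): the input is the INI-style
template produced by
    secedit /export /cfg C:\\rights.inf /areas USER_RIGHTS
on a domain controller, and the Exchange group SID below is a placeholder.
"""
import re
from typing import Dict, List, Optional

# Well-known SID for BUILTIN\Administrators.
ADMINISTRATORS_SID = "*S-1-5-32-544"
# Constructed placeholder for the domain-local group "Exchange Enterprise
# Servers"; resolve the real SID from AD before using this for real.
EXCHANGE_ENTERPRISE_SERVERS_SID = "*S-1-5-21-1111111111-2222222222-3333333333-1110"

# Principals that must hold SeSecurityPrivilege on every DC for Exchange 2003.
REQUIRED_SECURITY_PRIVILEGE = [ADMINISTRATORS_SID, EXCHANGE_ENTERPRISE_SERVERS_SID]

# Constructed sample: the hardened policy after the SSLF change, with the
# Exchange group dropped from the right (the failure described in the question).
HARDENED_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeSecurityPrivilege = *S-1-5-32-544
SeAuditPrivilege = *S-1-5-19,*S-1-5-20
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed sample: the same template with the group restored.
RESTORED_INF = HARDENED_INF.replace(
    "SeSecurityPrivilege = *S-1-5-32-544",
    "SeSecurityPrivilege = *S-1-5-32-544," + EXCHANGE_ENTERPRISE_SERVERS_SID,
)


def parse_privilege_rights(inf_text: str) -> Dict[str, List[str]]:
    """Return {privilege: [principal, ...]} from the [Privilege Rights] section.

    Principals are kept as written: SIDs carry a leading '*', account names
    do not. A privilege with an empty value maps to [] (granted to nobody);
    a privilege that is not listed is absent from the dict."""
    rights: Dict[str, List[str]] = {}
    section: Optional[str] = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights


def _norm(principal: str) -> str:
    # Compare SIDs and names case-insensitively, ignoring the '*' SID marker.
    return principal.lstrip("*").lower()


def missing_principals(rights: Dict[str, List[str]], privilege: str,
                       required: List[str]) -> List[str]:
    """Required principals not granted `privilege` by this template.

    In a secedit export an unlisted privilege means nobody holds it, so an
    absent key counts as granting nothing (for a GPO template it would mean
    'not configured', and the next policy in precedence order applies)."""
    granted = {_norm(p) for p in rights.get(privilege, [])}
    return [r for r in required if _norm(r) not in granted]


def check_exchange_security_privilege(inf_text: str) -> List[str]:
    rights = parse_privilege_rights(inf_text)
    return missing_principals(rights, "SeSecurityPrivilege", REQUIRED_SECURITY_PRIVILEGE)


def load_export(path: str) -> str:
    # secedit writes its export as UTF-16 with a byte-order mark.
    with open(path, encoding="utf-16") as fh:
        return fh.read()


if __name__ == "__main__":
    import sys
    text = load_export(sys.argv[1]) if len(sys.argv) > 1 else HARDENED_INF
    gaps = check_exchange_security_privilege(text)
    if gaps:
        print("SeSecurityPrivilege is missing:", ", ".join(gaps))
    else:
        print("SeSecurityPrivilege grants all required principals")
```

Run it against an export from each DC (one file per DC) to see whether the hardened Default Domain Controllers Policy, rather than a local override, is what removed the group; a template that lists the right with only Administrators is exactly the state the question describes.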
7 Comments
 
LVL 11

Expert Comment

by:Renato Montenegro Rustice
ID: 35189887
Do you have a System State backup older than the configuration you did? It's the best way to return the permissions the way they were.
LVL 12

Author Comment

by:Nenadic
ID: 35189934
Thanks, rmrustice. That approach would constitute a DR, so isn't being considered. The server will be forcefully decommissioned and data lost before AD restore will be considered.
LVL 11

Expert Comment

by:Renato Montenegro Rustice
ID: 35189938

Performing an Authoritative Restore of Active Directory Objects
http://technet.microsoft.com/en-us/library/cc779573(WS.10).aspx
LVL 11

Expert Comment

by:Renato Montenegro Rustice
ID: 35189975
If that is not an option, let's wait for other experts. I think you should consider opening a case with Microsoft. They will work with you to the end.
LVL 12

Author Comment

by:Nenadic
ID: 35190190
It's in the process. However, it will take another few hours before we're set for it. I'm just seeing if EE comes through as it often does.
LVL 12

Accepted Solution

by:Nenadic (earned 0 total points)
ID: 35232779
The solution was to expose the MTA protocol permissions on target servers and allow ANONYMOUS LOGON to have Send As and Receive As permission.

The exact details can be found on:
http://support.microsoft.com/kb/824054
LVL 12

Author Closing Comment

by:Nenadic
ID: 35304254
Own solution found using MS KB.