  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 828
Exchange 2003 Server Lost Default Permissions (SeSecurityPrivilege)

Background
The requirement was to harden Active Directory as close to the Secure Domains recommendations in the SSLF documentation. Part of this requirement was to restrict the Manage Security and Auditing user right, which knocked out Exchange Enterprise Servers from the list. One Exchange server was rebooted.

Problem
All messages on the server started queuing up - both SMTP and MSExchangeMTA. The various messages on local and remote servers included "unable to bind to DNS", "client attempted to use LOCAL AUTHORITY/ANONYMOUS LOGON".

Remediation

SMTP queues were cleared by setting up one of the other Exchange servers as a smart host. This short-circuits the internal Exchange<>Exchange comms (and authentication) and uses pure SMTP.
Relevant user rights are back in place and DC replication is working.
Attempts to trick the MTA service into using service, user or computer accounts failed.
/domainprep and /forestprep have been re-run.
PolicyTest has been run and confirms SeSecurityPrivilege is present on all DCs.

Request
Please focus on specifics of the problem, rather than general offers of AD/Exchange health. I am looking for an alternative method of confirming / testing / reapplying the standard security necessary at domain level for correct functioning of Exchange.

For example, would reinstalling the troubled Exchange Server perform anything that /domainprep and /forestprep don't; or are there Registry settings which could silently override GPO settings at DC Def Policy, etc.?

Thank you in advance.
Asked by: Nenadic
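The questioner asks for an alternative way of confirming which principals actually hold the Manage auditing and security log right (SeSecurityPrivilege) on each domain controller. The following PowerShell is an added example, not from the thread or from Microsoft; it parses the INF that `secedit /export` writes, resolves the SIDs in the `[Privilege Rights]` section, and reports whether the two principals the Exchange 2003 baseline expects on a DC (Administrators and Exchange Enterprise Servers, the group the thread says was dropped) are present. The output path `C:\temp\dc-policy.inf` and the sample INF are assumptions constructed for offline testing; the Exchange Enterprise Servers SID is domain-specific, so the sample deliberately shows the post-hardening state in which it is missing.

```powershell
# Added example (not part of the original thread): report holders of a user right
# from a 'secedit /export' INF and compare against the Exchange 2003 DC baseline.
# Run on each domain controller as an administrator for live data.

function Get-PrivilegeHolders {
    param(
        [Parameter(Mandatory)] [string[]] $InfLines,     # lines of the secedit export
        [string] $Privilege = 'SeSecurityPrivilege'
    )
    $inRights = $false
    foreach ($line in $InfLines) {
        # Track which INF section we are in; only [Privilege Rights] matters here.
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inRights = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inRights) { continue }
        if ($line -match "^\s*$Privilege\s*=\s*(.*)`$") {
            # Entries are comma separated; SIDs are prefixed with '*', names are bare.
            $entries = $Matches[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
            foreach ($entry in $entries) {
                if ($entry.StartsWith('*')) {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.Substring(1))
                    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $name = '<unresolved>' }   # SID from a domain we cannot contact
                    [pscustomobject]@{ Sid = $sid.Value; Name = $name }
                } else {
                    [pscustomobject]@{ Sid = $null; Name = $entry }
                }
            }
            return
        }
    }
    # Falling through means the privilege line is absent: nobody holds the right.
}

function Test-ExchangePrivilegeBaseline {
    param([Parameter(Mandatory)] [string[]] $InfLines)
    $holders  = @(Get-PrivilegeHolders -InfLines $InfLines)
    # Baseline assumed for Exchange 2003 on a DC (see thread: the hardening removed
    # Exchange Enterprise Servers from this right).
    $required = @('Administrators', 'Exchange Enterprise Servers')
    foreach ($r in $required) {
        $present = $holders | Where-Object { $_.Name -like "*\$r" -or $_.Name -eq $r }
        [pscustomobject]@{ Principal = $r; Present = [bool]$present }
    }
}

# Live use on a DC (path is an assumption):
#   secedit /export /cfg C:\temp\dc-policy.inf /areas USER_RIGHTS
#   $lines = Get-Content C:\temp\dc-policy.inf
#   Test-ExchangePrivilegeBaseline -InfLines $lines

# Constructed sample export: only BUILTIN\Administrators retained the right.
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeSecurityPrivilege = *S-1-5-32-544
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-549
'@ -split "`r?`n"

Get-PrivilegeHolders -InfLines $sampleInf | Format-Table -AutoSize
Test-ExchangePrivilegeBaseline -InfLines $sampleInf | Format-Table -AutoSize
```

Because the export reflects the effective local policy after GPO processing, running it on every DC and comparing results is a direct check of the questioner's concern that something could silently override the Default Domain Controllers Policy: a DC whose export disagrees with the GPO has a local override or a replication problem worth investigating.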
1 Solution
Renato Montenegro Rustici (IT Specialist) commented:
Do you have a System State backup older than the configuration you did? It's the best way to return the permissions the way they were.

Nenadic (Author) commented:
Thanks, rmrustice. That approach would constitute a DR, so isn't being considered. The server will be forcefully decommissioned and data lost before AD restore will be considered.

Renato Montenegro Rustici (IT Specialist) commented:

Performing an Authoritative Restore of Active Directory Objects
http://technet.microsoft.com/en-us/library/cc779573(WS.10).aspx

Renato Montenegro Rustici (IT Specialist) commented:
If that is not an option, let's wait for other experts. I think you should consider opening a case with Microsoft. They will work with you to the end.

Nenadic (Author) commented:
It's in the process. However, it will take another few hours before we're set for it. I'm just seeing if EE comes through as it often does.

Nenadic (Author) commented:
The solution was to expose the MTA protocol permissions on target servers and allow ANONYMOUS LOGON to have Send As and Receive As permission.

The exact details can be found on:
http://support.microsoft.com/kb/824054

Nenadic (Author) commented:
Own solution found using MS KB.