Exchange 2010 Errors 9385 8365 & 6006 After DCPROMO Please hep
Exchange 2010 RU9 Enterprise 64 bit
Windows 2008 R2 64 Bit server
Windows 2003 Active Directory Domain
Have two Windows 2003 DC servers ran DCPROMO on my DC1
DC1 had no FSMO roles
DC2 is a global catalog server
After DCPROMO completed I restarted DC1
On my Exchange server Windows 2008 I started getting theses errors over and over.
These are the errors
Log Name: Application
Source: MSExchangeAL
Date: 6/18/2015 11:00:58 AM
Event ID: 8365
Task Category: Service Control
Level: Error
Keywords: Classic
User: N/A
Computer: SERV025.FQDN.com
Description:
Could not read the Security Descriptor from the Exchange Server object with guid=6DE5D6233AB5444EB53DB
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MSExchangeAL" />
<EventID Qualifiers="49152">8365</E
<Level>2</Level>
<Task>4</Task>
<Keywords>0x80000000000000
<TimeCreated SystemTime="2015-06-18T15:
<EventRecordID>195636</Eve
<Channel>Application</Chan
<Computer>SERV025.FQDN.com
<Security />
</System>
<EventData>
<Data>6DE5D6233AB5444EB53D
</EventData>
</Event>
Log Name: Application
Source: MSExchangeSA
Date: 6/18/2015 11:00:58 AM
Event ID: 9385
Task Category: General
Level: Error
Keywords: Classic
User: N/A
Computer: SERV025.FQDN.com
Description:
Microsoft Exchange System Attendant failed to read the membership of the universal security group '/dc=com/dc=tgcsnet/dc=net
If this computer is not a member of the group '/dc=com/dc=tgcsnet/dc=net
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MSExchangeSA" />
<EventID Qualifiers="49152">9385</E
<Level>2</Level>
<Task>1</Task>
<Keywords>0x80000000000000
<TimeCreated SystemTime="2015-06-18T15:
<EventRecordID>195637</Eve
<Channel>Application</Chan
<Computer>SERV025.FQDN.com
<Security />
</System>
<EventData>
<Data>/dc=com/dc=tgcsnet/d
<Data>8007203a</Data>
</EventData>
</Event>
Log Name: Application
Source: MSExchange SACL Watcher
Date: 6/18/2015 11:10:49 AM
Event ID: 6006
Task Category: General
Level: Warning
Keywords: Classic
User: N/A
Computer: SERV025.FQDN.com
Description:
SACL Watcher servicelet found that the SeSecurityPrivilege privilege is removed from account S-1-5-21-3054588571-134145
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MSExchange SACL Watcher" />
<EventID Qualifiers="32768">6006</E
<Level>3</Level>
<Task>1</Task>
<Keywords>0x80000000000000
<TimeCreated SystemTime="2015-06-18T15:
<EventRecordID>195638</Eve
<Channel>Application</Chan
<Computer>SERV025.FQDN.com
<Security />
</System>
<EventData>
<Data>SeSecurityPrivilege<
<Data>S-1-5-21-3054588571-
</EventData>
</Event>
What am I missing?
Windows 2008 R2 64 Bit server
Windows 2003 Active Directory Domain
Have two Windows 2003 DC servers ran DCPROMO on my DC1
DC1 had no FSMO roles
DC2 is a global catalog server
After DCPROMO completed I restarted DC1
On my Exchange server Windows 2008 I started getting theses errors over and over.
These are the errors
Log Name: Application
Source: MSExchangeAL
Date: 6/18/2015 11:00:58 AM
Event ID: 8365
Task Category: Service Control
Level: Error
Keywords: Classic
User: N/A
Computer: SERV025.FQDN.com
Description:
Could not read the Security Descriptor from the Exchange Server object with guid=6DE5D6233AB5444EB53DB
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MSExchangeAL" />
<EventID Qualifiers="49152">8365</E
<Level>2</Level>
<Task>4</Task>
<Keywords>0x80000000000000
<TimeCreated SystemTime="2015-06-18T15:
<EventRecordID>195636</Eve
<Channel>Application</Chan
<Computer>SERV025.FQDN.com
<Security />
</System>
<EventData>
<Data>6DE5D6233AB5444EB53D
</EventData>
</Event>
Log Name: Application
Source: MSExchangeSA
Date: 6/18/2015 11:00:58 AM
Event ID: 9385
Task Category: General
Level: Error
Keywords: Classic
User: N/A
Computer: SERV025.FQDN.com
Description:
Microsoft Exchange System Attendant failed to read the membership of the universal security group '/dc=com/dc=tgcsnet/dc=net
If this computer is not a member of the group '/dc=com/dc=tgcsnet/dc=net
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MSExchangeSA" />
<EventID Qualifiers="49152">9385</E
<Level>2</Level>
<Task>1</Task>
<Keywords>0x80000000000000
<TimeCreated SystemTime="2015-06-18T15:
<EventRecordID>195637</Eve
<Channel>Application</Chan
<Computer>SERV025.FQDN.com
<Security />
</System>
<EventData>
<Data>/dc=com/dc=tgcsnet/d
<Data>8007203a</Data>
</EventData>
</Event>
Log Name: Application
Source: MSExchange SACL Watcher
Date: 6/18/2015 11:10:49 AM
Event ID: 6006
Task Category: General
Level: Warning
Keywords: Classic
User: N/A
Computer: SERV025.FQDN.com
Description:
SACL Watcher servicelet found that the SeSecurityPrivilege privilege is removed from account S-1-5-21-3054588571-134145
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MSExchange SACL Watcher" />
<EventID Qualifiers="32768">6006</E
<Level>3</Level>
<Task>1</Task>
<Keywords>0x80000000000000
<TimeCreated SystemTime="2015-06-18T15:
<EventRecordID>195638</Eve
<Channel>Application</Chan
<Computer>SERV025.FQDN.com
<Security />
</System>
<EventData>
<Data>SeSecurityPrivilege<
<Data>S-1-5-21-3054588571-
</EventData>
</Event>
What am I missing?
Amit
Run ExBPA first and check for the errors. Also, you ran DCpromo to decom DC1? Which DC hold FSMO?
ASKER
Amit,
First thank you for responding.
Also, you ran DCpromo to decom DC1? YES
Which DC hold FSMO? DC2 holds all FSMO roles
Ran exbpa health check had two DNS errors could not find A Record on DNS server
DC1 was a DNS server now is not
On the network adapters I removed the DC1 DNS server entries
Reran exbpa and now no DNS errors in the report.
The 8365 seems to stop after I did this
Primary group for the Exchange server should be set to "Domain Computers". If it is already, set Primary group to something else (for example "Exchange Servers"), apply, and then change it back to "Domain Computers". Restart Exchange System Attendant service and watch the event log. The error should be gone.
For the 6006 I tried this
Open GPMC.msc
open the default domain controllers policy.
go to computer config, windows settings, security setting user rights assignment
then add Exchange enterprise servers and Exchange servers under
Manage audit and security log
Run gpupdate /force
Still getting the event Id 6006 every so many minutes.
Thoughts
First thank you for responding.
Also, you ran DCpromo to decom DC1? YES
Which DC hold FSMO? DC2 holds all FSMO roles
Ran exbpa health check had two DNS errors could not find A Record on DNS server
DC1 was a DNS server now is not
On the network adapters I removed the DC1 DNS server entries
Reran exbpa and now no DNS errors in the report.
The 8365 seems to stop after I did this
Primary group for the Exchange server should be set to "Domain Computers". If it is already, set Primary group to something else (for example "Exchange Servers"), apply, and then change it back to "Domain Computers". Restart Exchange System Attendant service and watch the event log. The error should be gone.
For the 6006 I tried this
Open GPMC.msc
open the default domain controllers policy.
go to computer config, windows settings, security setting user rights assignment
then add Exchange enterprise servers and Exchange servers under
Manage audit and security log
Run gpupdate /force
Still getting the event Id 6006 every so many minutes.
Thoughts
Have you restarted the Exchange server or at least the Exchange services?
DNS server correct - should be the live domain controllers.
Exchange will hook on to a specific DC and when it goes away it should find another one, but doesn't always do so on its own. Restarting the Exchange services will usually fix that, UNLESS the domain controller has been hard coded inside Exchange.
Simon.
DNS server correct - should be the live domain controllers.
Exchange will hook on to a specific DC and when it goes away it should find another one, but doesn't always do so on its own. Restarting the Exchange services will usually fix that, UNLESS the domain controller has been hard coded inside Exchange.
Simon.
ASKER
Simon
Take a look at my last post
I did restart exchange system attendant
Any cmd lets to check this?
Take a look at my last post
I did restart exchange system attendant
Any cmd lets to check this?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Simon
Yes only the SA
Yes nothing else
which event log entry I can look for it
Note
Email is working
The only DC DC2 is up and running no problems
I just restarted all the exchange services
Saw no errors will check the logs in a few minutes and post again
Yes only the SA
Yes nothing else
which event log entry I can look for it
Note
Email is working
The only DC DC2 is up and running no problems
I just restarted all the exchange services
Saw no errors will check the logs in a few minutes and post again
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks guys
Looks like restarting all the exchange services did the trick
No error in over an hour when it was appearing every 5 minutes before
Exchange event 2080 also picks up just the one DC
DC1 is being upgraded to Windows 2012 now and will be DC1 again
Looks like restarting all the exchange services did the trick
No error in over an hour when it was appearing every 5 minutes before
Exchange event 2080 also picks up just the one DC
DC1 is being upgraded to Windows 2012 now and will be DC1 again
Changing DNS IP and Restart fixed this issue. Make sure to enable GC on DC 1 again.