Win2K8 DC does not have SACL right
Hi, I have an existing Exchange Server 2007 instance installed. Everything is running great and we have 3 DCs which are also GCs in the Exchange site. I want to have Exchange polling all 3 of these servers, but one of our servers (the only 2K8 DC) does not have the SACL right set. I have followed this and enabled it:
Go to ADSIEdit.msc
Domain -> Domain Controller OU
Right click on Domain Controller OU and select Properties.
Security tab and select Advanced.
Permissions tab, click on Add, Exchange Servers security group, click on OK.
Select Properties. Find Read nTSecurityDescriptor and check mark on Allow.
Click OK until everything is closed.
When I check effective permissions for that DC, it says that it has the Read nTSecurityDescriptor permission; however, Exchange still reports it as a 0.
Any ideas?
In-site:
DC01 CDG 1 7 7 1 0 1 1 7 1
DC03 CDG 1 7 7 1 0 1 1 7 1
DC02 CDG 1 7 7 1 0 0 1 7 1
DC02 is having the issue, DC02 also has all the roles running from it.
Regards, Terry
http://www.sucked-in.com
October 8th, 2009 2:59am
Verify the "Manage Auditing and Security Log" settings explained in the article below. This happens if the server is not a member of the Exchange groups or the Exchange groups are not added to Manage Auditing and Security Log...
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Exchange&ProdVer=8.0&EvtID=2102&EvtSrc=MSExchange%20ADAccess&LCID=1033
Similar Thread: http://social.technet.microsoft.com/Forums/en-US/exchangesvrgeneral/thread/a908baa1-3ba1-4dc3-9197-ee75bbef9350
Amit Tank | MVP – Exchange Server | MCITP: EMA | MCSA: M | http://ExchangeShare.WordPress.com
October 8th, 2009 6:40am
Hi Amit, I have looked through all of these before and have done everything stipulated. The SACL right is still 0 for that DC and I am running out of ideas :( Any other ideas? Regards, Terry
http://www.sucked-in.com
October 9th, 2009 1:37am
Anyone else have any ideas? I still have no idea why this is occurring. It seems to be happening across the board with our Win2K8 Domain Controllers. I have also re-run setup /domainprep to no avail. Terry
http://www.sucked-in.com
October 12th, 2009 6:57am
As mentioned on the other thread, I experienced this issue when some network ports were blocked between Exchange and DCs.
November 2nd, 2009 7:07pm
After a lot of screwing around, I found out that for some reason the Default Domain Controller's policy was corrupted and not linking correctly. I re-created the policy, re-linked it and all is good now. Terry
http://www.sucked-in.com
November 10th, 2009 2:32am
I also saw this issue in an environment that had unlinked the “Default Domain Controllers Policy” from the Domain Controllers OU. They used a custom GPO instead. Adding (manually) the Exchange Servers USG to their new GPO solved the issue.
1. To verify that this step (PrepareAD) completed successfully, confirm the following:
· You have a new global group in the Microsoft Exchange System Objects container called Exchange Install Domain Servers.
Note:
To view the Microsoft Exchange System Objects container in Active Directory Users and Computers, on the View menu, click Advanced Features.
· The Exchange Install Domain Servers group is a member of the Exchange Servers USG in the root domain.
· On each domain controller in a domain in which you will install Exchange 2010, the Exchange Servers USG has permissions on the Domain Controller Security Policy\Local Policies\User Rights Assignment\Manage Auditing and Security Log policy.
http://technet.microsoft.com/en-us/library/bb125224.aspx
Mike Crowley: MCT, MCSE, MCTS, MCITP: Enterprise Administrator / Messaging Administrator
March 18th, 2010 9:22pm
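Added example, not part of any post in this thread: a short Python check that reads the topology rows posted above, lists the DCs reporting SACL right 0, and then tests whether the Exchange Servers group holds SeSecurityPrivilege (Manage auditing and security log) in a `secedit /export /areas USER_RIGHTS` file taken on that DC. The column order is the documented Event 2080 layout and is an assumption here because the post shows only the values; the SID and the two export excerpts are constructed.

```python
import re

# Column order of the per-DC rows in MSExchange ADAccess Event 2080.
# Assumption: the post shows only the values, not the header.
COLUMNS = ["enabled", "reachability", "synchronized", "gc_capable", "pdc",
           "sacl_right", "critical_data", "netlogon", "os_version"]
ROW = re.compile(r"(\S+)\s+([CDG]+)\s+((?:\d+\s+){8}\d+)")

# Rows as posted in the thread.
EVENT_2080 = ("In-site: DC01 CDG 1 7 7 1 0 1 1 7 1 DC03 CDG 1 7 7 1 0 1 1 7 1 "
              "DC02 CDG 1 7 7 1 0 0 1 7 1")

# Constructed SID standing in for the Exchange Servers group.
EXCH_SID = "S-1-5-21-1111111111-2222222222-3333333333-1119"
# Constructed `secedit /export /areas USER_RIGHTS` excerpts for one DC.
INF_BEFORE = "[Privilege Rights]\nSeSecurityPrivilege = *S-1-5-32-544\n"
INF_AFTER = ("[Privilege Rights]\nSeSecurityPrivilege = *S-1-5-32-544,*"
             + EXCH_SID + "\n")


def parse_topology(text):
    """Map each DC name to its roles and the nine numeric columns."""
    table = {}
    for name, roles, nums in ROW.findall(text):
        table[name] = dict(zip(COLUMNS, map(int, nums.split())), roles=roles)
    return table


def missing_sacl_right(table):
    """DCs on which Exchange could not confirm the SACL right."""
    return sorted(n for n, row in table.items() if row["sacl_right"] == 0)


def right_holders(inf_text, right="SeSecurityPrivilege"):
    """SIDs or names holding a user right in a secedit export."""
    for line in inf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == right.lower():
            return {v.strip().lstrip("*") for v in value.split(",") if v.strip()}
    return set()


if __name__ == "__main__":
    for dc in missing_sacl_right(parse_topology(EVENT_2080)):
        print(dc, "reports SACL right 0; check SeSecurityPrivilege on it")
    print("before:", EXCH_SID in right_holders(INF_BEFORE))
    print("after: ", EXCH_SID in right_holders(INF_AFTER))
```

Checking the exported user rights on the DC itself shows what policy actually applied, which is what differed from the GPO settings in the cases described above.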