
Exchange Attendant Can't log in, 2 errors

kimble

I keep getting two errors which I think are part of the same thing. Here is the first:


Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 9/19/2001
Time: 1:37:29 PM
User: NT AUTHORITY\SYSTEM
Computer: BTV-01
Description:
The Group Policy client-side extension Security was passed flags (17) and returned a failure status code of (1332).

---SECOND---

Event Type: Warning
Event Source: MSExchangeSA
Event Category: General
Event ID: 9157
Date: 9/19/2001
Time: 12:46:28 PM
User: N/A
Computer: BTV-01
Description:
Microsoft Exchange System Attendant does not have sufficient rights to read Exchange configuration objects in Active Directory. System attendant will try again in approximately one minute.

For more information, click


The problem is that I don't know how to fix the System Attendant problem. How can I change the rights?

I have full privileges.
 
If the SA is unable to start I would go into Services in Control Panel and go down the list until you find the Exchange System Attendant service and check to see which account it is using to start the service!

The account needs to be one with sufficient rights to start services on your server.

This error usually happens if you specify an account to start services and then change the rights/password of that account.

Check the other Exchange services while you are there, because SA is the first service to start!

Regards


Peter
 
PS

You may also want to put the account that starts the services for Exchange into the Exchange admin groups etc. in Active Directory!
 
Logon is set to LocalSystem and I'm logged in as administrator? Should that not work? Any other ideas?
 
Have you checked that all the services that the SA depends on are started?

If they are, perhaps just try starting the service with the admin account, just to test to see if it is a problem with the account it is using at the moment.

But that's about all I can think of at the moment.

regards

Peter
 
All the services that System Attendant is dependent on are up and running. So I tried to start System Attendant. It seems to get stuck saying it's starting. So after 10 minutes I shut down and restarted. I've logged back in as admin. I checked services and once again it says it's starting. I checked the event log again and the only additional error to the two I posted above is the following.

Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Date: 9/20/2001
Time: 9:40:35 AM
User: N/A
Computer: BTV-01
Description:
Security policies are propagated with warning. 0x534 : No mapping between account names and security IDs was done.
Please look for more details in TroubleShooting section in Security Help.

Also the services that SA depends on are started, so that doesn't seem to be the problem. SA was set to do nothing upon failure, so I set it to restart after the first failure. Login is set to LocalSystem and I'm Admin so I don't think there should be anything up with that.

I do know I removed a few admin user accounts which I guess I shouldn't have. Any other ideas where I should look to make sure nothing is trying to log on with one of those old accounts?

Yet if I look at services....all services say they log on with LocalSystem. Could I be missing something here?

Thanks again for all the help thus far.
 
Did the service use to start before you removed these accounts?
 
Yes, I'm pretty sure it has to do with the deletion of one of the accounts. Everything worked fine before it. I may have removed a group also. There were a bunch of user accounts set up with my Small Business Server product that I removed because I thought they were not being used, i.e. I'm the only admin/IT/Do it all guy here, and I thought that it would be easier on me if I removed all the accounts I didn't need. I'll assume now that a few things were configured around the installation I didn't know about and now I can't get SA to run. SA and its dependents look to be the only services I can't get to start. Doesn't being in the Admin group give you all permissions?

Every time I try to start the service I get error 1053 (timed out?) and the application log shows these errors:

Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Date: 9/20/2001
Time: 9:40:35 AM
User: N/A
Computer: BTV-01
Description:
Security policies are propagated with warning. 0x534 : No mapping between account names and security IDs was done.
Please look for more details in TroubleShooting section in Security Help.

&


Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 9/19/2001
Time: 1:37:29 PM
User: NT AUTHORITY\SYSTEM
Computer: BTV-01
Description:
The Group Policy client-side extension Security was passed flags (17) and returned a failure status code of (1332).


Yet I don't know what they mean or how I can find out if they even are part of the problem.

:(
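Added example, not part of any post in this thread: the Userenv event reports its status in decimal (1332) and the SceCli event in hex (0x534). The Python sketch below parses pasted Event Viewer text, normalizes both forms and groups events by Win32 code, which shows that both are ERROR_NONE_MAPPED, the "no mapping between account names and security IDs" error. The sample text is trimmed from the events quoted above, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Sample input: event text from the thread, trimmed to the fields used here.
SAMPLE = """\
Event Type: Error
Event Source: Userenv
Event ID: 1000
Description:
The Group Policy client-side extension Security was passed flags (17) and returned a failure status code of (1332).
Event Type: Warning
Event Source: SceCli
Event ID: 1202
Description:
Security policies are propagated with warning. 0x534 : No mapping between account names and security IDs was done.
Event Type: Warning
Event Source: MSExchangeSA
Event ID: 9157
Description:
Microsoft Exchange System Attendant does not have sufficient rights to read Exchange configuration objects in Active Directory.
"""

WIN32_NAMES = {1332: "ERROR_NONE_MAPPED"}  # value from winerror.h

def parse_events(text):
    """Split pasted Event Viewer text into one dict per 'Event Type:' block."""
    events = []
    for block in filter(str.strip, re.split(r"(?m)^(?=Event Type:)", text)):
        head, _, desc = block.partition("Description:")
        fields = dict(re.findall(r"(?m)^([A-Za-z ]+):[ \t]*(.*)$", head))
        fields["Description"] = " ".join(desc.split())
        events.append(fields)
    return events

def status_code(description):
    """Return the status code in a description as an int (hex or decimal form)."""
    m = re.search(r"\b0x([0-9A-Fa-f]+)\b", description)
    if m:
        return int(m.group(1), 16)
    m = re.search(r"status code of \((\d+)\)", description)
    return int(m.group(1)) if m else None

def group_by_status(events):
    """Map (code, Win32 name) -> [(source, event id)] for events carrying a code."""
    groups = defaultdict(list)
    for ev in events:
        code = status_code(ev["Description"])
        if code is not None:
            name = WIN32_NAMES.get(code, "unknown")
            groups[(code, name)].append((ev["Event Source"], ev["Event ID"]))
    return dict(groups)
```

Calling `group_by_status(parse_events(SAMPLE))` puts the Userenv 1000 and SceCli 1202 events under the same key; the MSExchangeSA 9157 warning carries no numeric status and is left out of the grouping.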
 
I know that being in the admin group didn't use to give you admin rights to Exchange in 5.5, and once again if you install Exchange Server 2k it creates a lot of groups for Exchange admins etc!

You used to have to specify a service account as I recall, or it gave the admin rights to the user who installed it!

Are you running Win 2k Server or NT 4.0? And Exchange 5.5 or 2k?

Did you try changing the properties on the SA service to allow a different user to start it?
 
Thank you for that link. It looks like that should be my problem and the solution, but it's not :(

Here is what I have done:
Checked the Domain Controllers and it contained the Default Domain Controllers policy.

Then I checked out the policy. The policy had Domain Admin group in it. I checked to make sure Admin is part of Domain admin. Yup. I let domain admin have full control over that item. Then for good luck I restarted.

On restart I still get the error. So I went into the Exchange delegate control wizard. Admin is the only Full Exchange Admin and the only user with any rights to Exchange. So I added a second admin and made that user Full Exchange Admin too. Then I logged in as that user and still got the error. Yet SA is still set to LocalSystem, but I think that is fine? Anyway, the only other thing I can think of is my user "krbtgt" is disabled. I am not able to enable it. Might this account have anything to do with it?? It's the Key Distribution Center Service Account. I don't know exactly what it does, but maybe that is it??

Thanks again for any input. You've been great at helping me learn what the heck I'm doing.
:)
 
HI!

If you have a good backup from before the changes, it is now best time to use it.
Follow this:

* Ask for an experienced IT person to assist you. Could be from the company that installed the server or from other place.
This will help you do things the best and fastest way.
Don't think too much about the direct costs - making mistakes can cost a lot more, and you can't do and know everything.

* Schedule down time of the server for maintenance.
Plan for at least 1 day.

* Create a full backup of the server (in its current status) using your tape backup software.
Make sure everything on server is selected.
You won't be able to use Exchange agent Brick-Level and database backup, since the SA isn't working, but you should make a full "normal" file based backup.
Make sure the backup shows successful, or with minor errors like few system files that were in use (this is normal).
DON'T OVERWRITE THE TAPES YOU MIGHT NEED LATER!
BUY NEW MEDIA IF NEEDED!

* Create another full backup, just to make sure.
Use Win2K integral backup program, and backup "Everything on my computer" to a file (instead of tape). Copy this big file to a workstation hard-drive if you can.

* Use your tape backup software to restore the operating system (or "System State"), without restoring the data.

* Restart the server.
Exchange might fail to load now for other reasons.
An experienced Exchange administrator should know the procedure to bring it back. The main technique is:
Check event viewer.
Search MS KB for the specific errors you have and what to do next.


* After the server works again, you should take some books and/or class courses about Win2K, Exchange and other things, or at least contract someone to come to your site to advise and assist you once a week/month.


If you found faster specific solutions - that's OK also...


Good luck

Yizhar


Yizhar Hurwitz
 
Thanks for the concern but nothing mission critical is going on here. This server was just purchased and nothing has been implemented yet. I'm running myself through a crash course in what to do and not do. The whole thing can be reformatted/reinstalled. I just need to make sure when I go ahead and implement it I know what I am doing.

At the moment I think I know what I did. It looks like I deleted the Domain Controller Machine Account, or at least I think so. That is why Exchange can't start. This is a standalone server acting as an Exchange Server/Internet Connection/Back Up Center for a small business that is starting to expand.

My question now is, if this is what I did should I just go ahead and do a reinstall of SBS 2000?


I would think I would learn more in the process too if I did it; in case the machine gets hosed in the future I'll know what I am doing. ??
 
HI!

First - good for you!
Piloting a new product is a very good thing to do before production use.
Reinstalling the product seems to me a good way to start with the right foot in your case.

Now, check your network design and planning:
Is there going to be a firewall on the Internet connection?
If you are planning to use the SBS ISA as the firewall, it is a bad plan for 2 major reasons:
1) A firewall must be dedicated, otherwise it is not secure.
(and also performance issues, but that's a second concern).
Running Exchange, IIS and other stuff on a FireWall cannot be considered a reasonable design.

2) A firewall must be designed and implemented by professionals in that field.
Your ISP might help with this.

OK, so now you know that if your original plan didn't include another FW machine, you should change it.


About the server itself, one of the most important things is the backup.
My advice is:
1) Plan (see above) with help and approval by an experienced pro.
2) Reinstall the server.
3) Check that everything is working, including connecting 1 test client to the AD domain, to Exchange (including sending email in and out), to the Internet, and to other services if applicable.
Put some sample info in Outlook Calendar and send test messages.
These will be used later to test the backup.
4) Backup the server - check the logs, in Event Viewer and in backup software logs.
5) Format the server or use a different empty hard-drive for the test (could be a simple IDE drive).
6) Reinstall SBS and restore the server from backup.
Check that everything is working like before on the restored server.
Do not bluff and do not use the data from the hard-drive - only from the backup tape.
This could be a long process, but now is the time to do it!
It will save you and the company many hours in the future, and also might prevent data loss!
And, BTW - will give you a great experience for the future.

Bye
Yizhar




Yizhar Hurwitz
 
Once again thanks for the response. I'm looking to reinstall SBS, but before I do so I have a couple of questions. I have hardware RAID that I want to set to RAID 1. How is this going to affect a reinstall?

I would think that I wouldn't have to do anything for a reinstall, but if I want to format the drive and test restoring from a tape backup I'm going to have some issues with setting up RAID. From what I can tell you set up the RAID drivers right before you install the OS. Would the RAID firmware keep its setting on a format? Can I just go about a reinstall without worrying about the RAID setup?

Please advise. Thanks again
 
Thank god I bought a Dell. After taking more time to read, read, read I get how their little server assistant CD does everything for you. Reconfigures RAID and does a nice clean new install.

I just hope it goes as easily as the documentation says.
 