Hello World,
Today, I want to blog about a small issue I encountered during the setup of an Exchange 2007 SP2 server. In this project, the Exchange infrastructure was centrally managed and the local site (where I was working) would have the necessary rights to perform the installation and management of the Exchange Server.
After checking that the Exchange server was provisioned correctly, I decided to start the setup routine from a command line. After some time, I received this kind of error:
The Service MSExchangeTransport failed to reach status “Running” on this server.
If you look in the Event Viewer, you might see an error event with ID 2214.
I googled a little bit and found this link. The workaround proposed was to add the Exchange Server to the Domain Admins group. This was not an option for me because the infrastructure was centrally managed and, for security reasons, it was not allowed to add the computer account to this group. I thought that maybe some rights were missing. So, I decided to use the policytest.exe tool to validate the configuration of the Exchange infrastructure. This utility is included on the Exchange installation CD and can verify whether the Manage auditing and security log right has been granted to your Exchange Server (through the Default Domain Controllers Policy).
The result of the policytest.exe tool clearly showed that the Exchange server did not have all the rights needed to perform the installation.
Obviously, something was missing. It turned out that the Exchange Servers group indeed no longer had the SeSecurityPrivilege right. We fixed the problem by updating the Default Domain Controllers Policy and granting the Exchange Servers group the Manage auditing and security log right. We also checked that the Exchange Server was a member of the Exchange Servers group. After granting this right to the server, everything was working as expected.
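As an added example (not part of the original post and not a Microsoft tool), the PowerShell below checks the right discussed above: whether a group's SID holds SeSecurityPrivilege in a `secedit` user-rights export taken on a domain controller. The INF text, the `EXAMPLE` domain name and the group SID are constructed placeholders, and `Get-PrivilegeHolder` is a hypothetical helper name.

```powershell
# Added example, not from the original post. Sample data is constructed.
# Real input, from an elevated prompt on a domain controller:
#   secedit /export /cfg C:\Temp\rights.inf /areas USER_RIGHTS
#   $inf = Get-Content C:\Temp\rights.inf
# Real group SID (EXAMPLE is a placeholder domain name):
#   $acct = New-Object System.Security.Principal.NTAccount('EXAMPLE\Exchange Servers')
#   $sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value

function Get-PrivilegeHolder {
    param([string[]]$InfLines, [string]$Privilege = 'SeSecurityPrivilege')
    $inSection = $false
    foreach ($line in $InfLines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            # User rights are listed only in the [Privilege Rights] section.
            $inSection = ($Matches[1] -eq 'Privilege Rights')
        }
        elseif ($inSection -and $text -match '^(\w+)\s*=\s*(.*)$' -and $Matches[1] -eq $Privilege) {
            # Holders are comma separated; SIDs carry a leading '*'.
            $Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
        }
    }
}

$exchangeServersSid = 'S-1-5-21-1111111111-2222222222-3333333333-1119'  # constructed SID
$before = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeSecurityPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"
# Same export after the policy grants the right to the group as well.
$after = $before -replace '^(SeSecurityPrivilege = .*)$', "`$1,*$exchangeServersSid"

foreach ($case in @(@{ Name = 'before fix'; Inf = $before }, @{ Name = 'after fix'; Inf = $after })) {
    $holders = @(Get-PrivilegeHolder -InfLines $case.Inf)
    $granted = $holders -contains $exchangeServersSid
    '{0}: holders = {1}; Exchange Servers group granted = {2}' -f $case.Name, ($holders -join ', '), $granted
}
```

S-1-5-32-544 is the built-in Administrators group, so a result that lists only that SID matches the state described above, where the right reaches a server only through Administrators membership.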
This link proposes, as a workaround, adding the Exchange computer account to the Domain Admins group. This workaround probably works because, by default, the only group that has SeSecurityPrivilege is the built-in Administrators group, and the Domain Admins group is normally also a member of the Administrators group. So, if you have encountered the issue, you might want to check the rights and remove the Exchange server account from the Domain Admins group.
Note 1: Running the /prepareDomain switch during your Exchange 2007 setup should update the Default Domain Controllers Policy and grant the necessary rights to the Exchange Servers group.
Note 2: Some people have reported a similar error that might have been caused by the removal of the IPv6 protocol. See here (even if the article is targeted at SBS). If you encounter a similar error message and you have removed the IPv6 stack, you have two options: re-enable the IPv6 stack, or use a specific procedure to remove IPv6 from your Windows 2008 Server.
That’s it for this post
Till next time
See ya
Thanks a ton. Your suggestion to add the computer into the Enterprise exchange servers group worked perfectly! After hours of slamming my head with my server, you are really a life saver.
Hi Vishal,
Happy this post helped you. I hope to upload some more tips and tricks about Exchange in the “near” future.
Thank you greatly for posting this information. Myself and a team of other Admins have been hardening our network and system infrastructure and ended up revoking [Manage auditing and Security log] rights from our Exchange servers group. Consequently we spent several hours chasing our tails and asking ourselves the same silly questions on what IPv6 had to do with it and what rights needed to be permitted since giving full Domain Admin rights wasn’t an option. Finally I stumbled upon your blog and within minutes the issue was resolved.
Hello Rick,
Cool, I’m happy that this post still has some value.
Till next time
See ya