First off, Exchange Enterprise Servers is a domain local group. If you have
a single domain, this isn't an issue; however, if you have multiple domains
you could see odd results because permissions may not always be correct due
to the tight scope of DLGs. Generally it is not advisable to use DLGs to
grant write or control access or deny any access [1] in the forest NCs. You
can still get screwed with granting read with DLGs as well, but you usually
have read through so many different ACEs that people don't get bit by it.


The rest of this is all educated guessing... 

The manage replication topology permission being requested on the root of
the config makes me think that the RUS wants to get some replication info
which it doesn't have access to unless it has the manage replication
topology permission. Off the top of my head, possibly the replication
cursors to figure out where one DC was at in replication with another DC
(see http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/ds_repl_cursor.asp).
I expect it might do this after a RUS is repointed to
another DC since it does everything with USNs. I don't know if the
Enterprise RUS does a full rebuild after rehoming; if it does, then it won't
need the cursors; if it doesn't, it definitely will need them.

Anyway, you might be able to get around this by forcing a full rebuild of
the enterprise RUS or just grant Manage Replication Topology rights to the
config container for the Exchange Servers global group. 


  joe


[1] I don't generally recommend DENY ever anyway. 
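The least-privilege alternative joe describes (grant the single Manage Replication Topology control access right on the Configuration container rather than Full Control), as an added PowerShell example that is not part of the thread. It assumes it runs as an Enterprise Admin on a domain-joined machine; the configuration DN and group name are placeholders taken from the thread, and the GUID is the schema rightsGuid of the DS-Replication-Manage-Topology extended right.

```powershell
# Added example (not from the thread): list what the group already holds on
# the Configuration NC, then grant only the Manage Replication Topology
# control access right if it is missing.
$configDn = 'CN=Configuration,DC=MYDOMAIN,DC=ORG'   # placeholder from the event text
$group    = 'MYDOMAIN\Exchange Servers'             # placeholder: global group joe suggests
# rightsGuid of the DS-Replication-Manage-Topology extended right (schema value)
$manageTopologyGuid = [guid]'1131f6ac-9c07-11d1-f79f-00c04fc2dcd2'

$entry = [ADSI]"LDAP://$configDn"
$sd    = $entry.ObjectSecurity

# 1. Report the group's existing ACEs on this object, so a GenericAll
#    (Full Control) grant like the original poster's is visible first.
$existing = $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.IdentityReference.Value -eq $group }
foreach ($ace in $existing) {
    '{0,-5} {1,-40} ObjectType={2}' -f $ace.AccessControlType,
        $ace.ActiveDirectoryRights, $ace.ObjectType
}

# 2. Is the specific extended right already allowed? An ObjectType of
#    Guid.Empty means "all extended rights", which also covers it.
$hasRight = $existing | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band
      [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
    ($_.ObjectType -eq $manageTopologyGuid -or $_.ObjectType -eq [guid]::Empty)
}

if (-not $hasRight) {
    # 3. Add one Allow ACE for that single control access right, on this
    #    object only (no inheritance), instead of Full Control.
    $identity = New-Object System.Security.Principal.NTAccount($group)
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $manageTopologyGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $sd.AddAccessRule($rule)
    $entry.CommitChanges()
    "Granted Manage Replication Topology to $group on $configDn"
} else {
    "$group already holds Manage Replication Topology on $configDn"
}
```

Run steps 1 and 2 alone first to confirm the failure audit really maps to this one right before committing any change; after the grant, event 565 for MYMAILSERVER$ on the Configuration object should switch from failure to success without the group holding GenericAll.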


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, December 29, 2004 9:50 AM
To: [EMAIL PROTECTED]; [email protected]
Subject: [ActiveDir] Failure Audit 565

On my Domain Controllers I am getting this failure audit and found the
solution below from eventid.net.  Does anyone have any feelings about this
solution?

Event Type:     Failure Audit
Event Source:   Security
Event Category: Directory Service Access 
Event ID:       565
Date:           12/29/2004
Time:           6:07:59 AM
User:           MYDOMAIN\MYMAILSERVER$
Computer:       MYDC
Description:
Object Open:
        Object Server:  DS
        Object Type:    configuration
        Object Name:    CN=Configuration,DC=MYDOMAIN,DC=ORG
        New Handle ID:  -
        Operation ID:   {0,869841286}
        Process ID:     300
        Primary User Name:      MYDC$
        Primary Domain: MYDOMAIN
        Primary Logon ID:       (0x0,0x3E7)
        Client User Name:       MYMAILSERVER$
        Client Domain:  MYDOMAIN
        Client Logon ID:        (0x0,0x311C2325)
        Accesses                Control Access 
                        
        Privileges              -

 Properties:
DELETE
READ_CONTROL
SYNCHRONIZE
ACCESS_SYS_SEC
MAX_ALLOWED
Write Property
List Object
%%7690
%%7694
%%7695
                Manage Replication Topology



For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


This event was logged every 1 minute by our Exchange 2000 server on our
Domain Controller Security Log. I found that the "Recipient Update Service
(Enterprise Configuration)" was the one triggering the failure.
I went into ADSIedit and gave "Exchange Enterprise Servers" permissions to
"CN=Configuration,DC=internal,DC=net"; now the same event is logged as
success. I gave Full Control since I don't know what permissions I should
give the group.

Justin A. Salandra
MCSE Windows 2000, MCSA Windows 2003
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]


List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
