I ran into a rather bizarre problem last week. A client company was running Microsoft Exchange Server 2003 Enterprise Edition Service Pack 1 (SP1) and suddenly the server started reporting the following messages in the Application Event Viewer every 5 minutes:
- Event ID: 9095, Source: MSExchangeSA, Category: Information, Description: The MAD Monitoring thread is initializing.
- Event ID: 9096, Source: MSExchangeSA, Category: Information, Description: The MAD Monitoring thread is initialized.
- Event ID: 9099, Source: MSExchangeSA, Category: Error, Description: The MAD Monitoring thread was unable to read the state of the services, error ‘0x80041003'.
The server had been relatively stable, but just before this problem occurred, the company rebooted the server because mail had stopped flowing on this server. The reboot fixed the mail flow problem, but afterward, the errors started appearing in the Application Event Viewer. After some research, I found the Microsoft article "The System Attendant generates Event ID 9098 and 9099 messages every five minutes" (http://support.microsoft.com/?kbid=326011). I followed the directions to fix the problem, but the problem remained. This error deals with permissions for the Windows Management Instrumentation (WMI) service that runs on the server. When I tried to run GPResult or MSInfo32, I also received Access Denied errors. Another symptom appeared when I tried to follow the instructions in the last section of the article. I right-clicked My Computer and selected Manage, then double-clicked Services and Application. I then right-clicked WMI Control and selected Properties. I selected the General tab, which displayed the following errors:
- Win32_processor: WMI: Access Denied
- Win32_operatingsystem: WMI: Access Denied
However, the OS Version and Service Pack didn't have the Access Denied error. I searched the Internet but couldn't find a resolution. I called Microsoft Product Support Services (PSS) for help. PSS recommended that I reapply the Windows Security Template on the server because that had resolved the problem when other methods had failed. I felt this was too aggressive, and if it didn't work could potentially cause the server to crash. I left the case open and requested that a WMI expert review the case and get back to me. I received an email from PSS stating that it noticed that the Microsoft Configuration Capture utility, which was run on the server, reported receiving security settings from two default DC policies. This Exchange server was a DC (yes I know you shouldn't make an Exchange server a DC, but I needed a backup DC in this location). Fortunately I was running Group Policy Management Console (GPMC). I reviewed the existing Group Policy Objects (GPOs). There was only one GPO for the Default Domain Controllers Policy, but when I checked the Domain Controllers organizational unit (OU), the Default Domain Controllers Policy was linked twice. For WMI to work, you must grant the "Impersonate a client after authentication" right to the IIS_WPG, Administrators, and Service accounts. This right is located under Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment. I made sure that these groups were granted this right under the Default Domain Controllers Policy and deleted the duplicate link. I ran GPUpdate on the server and waited for Group Policy to refresh. After a few minutes, the errors went away. I don't know why or how the Default Domain Controllers policy was linked twice to the Domain Controllers OU, but deleting the duplicate link fixed the problem.
Tip
If you're running Automatic Data Processing's (ADP's) payroll software, the company recently came out with an upgrade to version 5.1. Before you install the upgrade, make sure to close/disable all programs, including antispyware and antivirus programs. If you fail to close these programs, the upgrade might fail. After the upgrade is complete, make sure to re-enable your antispyware and antivirus programs.
