Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 9157 Source: MSExchangeSA

Microsoft Exchange Server computer system attendant does not have sufficient rights to read Exchange Server configuration objects in Active Directory. System attendant will try again in approximately one minute.
I had the same problem on a Exchange 2003 cluster. This problem occurs when some AD Security Groups (Exchange Domain Servers and Exchange Enterprise Servers) are moved for another Organizational Unit than Users OU. Move groups back to Users OU and the problem will be disappear.
If you get this error, verify that the Group "Exchange Domain Servers" and "Exchange Enterprise Servers" are still part of the default Container "Users". If someone moved the group in another OU, move it back, and restart Exchange Services.
Note: This error occurs only if you have restarted the Exchange Server.
In my case, this message occurred while installing a new Exchange server in an existing Exchange environment. The setup process hanged at "Starting MSExchangeSA Service" stage and this message start to appear every minute in the application log. I checked the "Exchange Domain Servers" group and found that my new server was not a member of this group. I added it into this group by hand and the process continued and finished successfully.
See ME910413 for information about this event.
This is a known issue if you move the following Exchange Groups from the default location which is CN=Users to other OUs:
Exchange Domain Servers (Security Group - Global)
Exchange Enterprise Servers (Security Group - Domain Local)
Exchange Services (Security Group - Global).

To resolve this, you have to move these 3 groups back to the default location which is Users OU, CN=Users.

See ME260914 and ME324949 for more information on this problem.

As per Microsoft: "This behavior can occur if the computer account for the Exchange Server computer has been deleted, lost or does not have Full Control permissions to the Exchange Server computer object in Active Directory". See ME297295, ME257623, and MSEX2K3DB for more details.

See "Veritas Support Document ID: 253220" and "Veritas Support Document ID: 253219" if you are installing Exchange 2000 with the VERITAS Cluster Server (tm) Exchange 2000 Installer.
SA and Information Store were not starting, and I noticed the 9157 error in the event log. I noticed that one of the other administrators had moved both security exchange groups out of the default “Users” OU. Moving them back, fixed the problem, SA started immediately, and in turn, so did the Information Store.
Other things worth checking are your trusts. I found that my trust had failed between the child and parent domain meaning that the service could not logon to the parent domain and so it did not start.
Organizing and restructuring the AD is a good thing. My guess is that Microsoft has hard coded AD locations in Exchange 2003, for groups "Exchange domain Servers" and "Exchange Enterprise Servers". If you have moved these groups out of the default Users container this problem will appear. The solution is to move them back to the users container in AD and then restart your Exchange System Attendant.
The ME297295 article fixed my problem. I was rebuilding a server which was a domain controller, but got its ntds.dit file corrupted. After a DCpromo demote/promote this problem cropped up.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to



Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.