XADM: C1041722 Error Message Occurs When You Attempt to Mount Databases

When you use Exchange System Manager to mount the Exchange Server computer, you may receive a "C1041722" error message.

This issue can occur if you do not have sufficient rights to mount these databases; the Exchange Enterprise Servers group on all domain controllers in your domain must have Manage Auditing and Security Logs permissions.

To determine if the Exchange Enterprise Servers group does not have Manage Auditing and Security Logs permissions, run the Policytest utility that is found on the Exchange 2000 CD-ROM.

If you have determined that the Manage Auditing and Security Logs permission for the Exchange Enterprise Servers group is missing on any (or all) of the domain controllers, use the following method to troubleshoot this issue:

1. Rerun the setup /domainprep command from the Setup\I386 folder on the Exchange 2000 CD-ROM.
   
   When you run this command, the appropriate permissions are added to one domain controller immediately, then the change replicates out to the other domain controllers. For the best troubleshooting results, run setup /domainprep, and then immediately rerun Policytest.exe and note which domain controllers return the following message:
   Right found: "SeSecurityPrivilege"
   Wait approximately five minutes, and then rerun Policytest.exe.
2. Examine the output of Policytest.exe to determine if either all of the domain controllers now have the appropriate permissions, or if none of them do. If all of the domain controllers return a "Right found: SeSecurityPrivilege" message, try to mount the databases. If none of the domain controllers have the appropriate permissions, go to the next step.
3. Check the Default Domain Controllers Policy:
   1. Start the Active Directory Users and Computers snap-in.
   2. Right-click the Domain Controllers container and click Properties.
   3. Click the Group Policy tab, and then verify that Default Domain Controllers Policy is listed in the Group Policy Object Links box.
      
      If the Group Policy Object Links box does not contain this setting, click Add, locate and click Default Domain Controllers Policy, and then click OK. After you complete this step, make sure that all of the domain controllers are synchronized to ensure that this change has been applied to all domain controllers.
4. Repeat step one.

NOTE: After all of the Domain Controllers display the "Right found: SeSecurityPrivilege" message, it may be necessary for you to stop and start the Microsoft Exchange Information Store service before the databases can mount.

Because of the replication model of Policy Replication, the read System Access Control List (SACL) privilege that was granted to the Exchange Enterprise Group by DomainPrep may be lost in some instances. This issue may arise more often when there are numerous domain controllers in a forest.

There is an additional step that is not included in the troubleshooting procedure, but may provide a fix to this issue when the steps above have not.

If you are still having a problem getting the domain controllers to hold the "Right found: SeSecurityPrivilege" right, manually add the permission, and then allow the setting to replicate to the other domain controllers:

1. Start the Active Directory Users and Computers snap-in.
2. Right-click the Domain Controllers container, and then click Properties.
3. Click the Group Policy tab, click Default Domain Controllers Policy in the Group Policy Object Links box, and then click Edit.
4. Click Computer Configuration, click Windows Settings, click Security Settings, click Local Policies, and then click User Rights Assignment.
5. In the right pane, double-click Manage Auditing and Security Log, click Add, click Browse, and then add the Exchange Enterprise Servers group.

NOTE: Sometimes, the Exchange Enterprise Servers group may not be visible from the Browse function. If this is the case, add the Exchange Domain Servers group, and then re-run setup /domainprep. Making this manual change to the policy, adding the Exchange Domain Servers Group, will make the addition of "Exchange Enterprise Servers" by setup /domainprep stick across the Domain Controllers.

For additional information about Policytest.exe, click the article number below to view the article in the Microsoft Knowledge Base: