Exchange 2007 service failed to start

Product Version:
=======================
Window server 2008
Exchange server 2007
2 DCs in root domain, and 2 DCs in child domain

Problem Description:
=======================
Exchange service (Information Store, System Attendant) cannot start, status is “Starting”.

Trouble Shooting Steps:
=======================
1. Tried to reboot Exchange server, the same issue.

2. Check the application logs on Exchange server, find the following:

Source: MSExchange ADAccess
Date: 7/31/2009 2:20:22 PM
Event ID: 2080
Level: Information
Computer: samailprd01.testing.local
Description:
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1728). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
sadcprd01.testing.local CDG 1 0 0 1 0 0 0 0 0
sadcprd02.testing.local CDG 1 7 7 1 0 0 1 7 1
sadcprd03.testing.local CDG 1 7 7 1 0 0 1 7 1
sadcprd04.testing.local CDG 1 7 7 1 0 0 1 7 1

Source: MSExchange ADAccess
Date: 7/31/2009 2:19:01 PM
Event ID: 2114
Level: Error
Computer: samailprd01.testing.local
Description:
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1728). Topology discovery failed, error 0x80040a02 (DSC_E_NO_SUITABLE_CDC). Look up the Lightweight Directory Access Protocol (LDAP) error code specified in the event description. To do this, use Microsoft Knowledge Base article 218185, "Microsoft LDAP Error Codes." Use the information in that article to learn more about the cause and resolution to this error. Use the Ping or PathPing command-line tools to test network connectivity to local domain controllers.

3. In the 2080 event, we find each DC’s “SACL right” is “0”. That means there should be some permission lost in AD. Base on our previous experience, this may cause the “service fail to start” issue.

4. Log on DC in child domain, check whether “Exchange Servers” group have the permission to access “Manage auditing and security log” in Local Security Policy. Then we find “Exchange Servers” is NOT there.

5. We involved AD engineer to help check. In one of the child DC, we following these steps to modify the permission of item “Manage auditing and security log”:
1) Click Start -> Run, type: CMD, then type :gpmc.msc
2) Expand "Domain Controllers" on the left, right click "Default domain controllers policy", select “Edit”, then click “Policies” -> “Windows settings” -> “Security settings” -> “Local policies” -> “User right assignment”
3) Double click “Manage auditing and security log”, then click “Add Users or Group” to add “Exchange Servers” group. Then run “gpupdate /force” on the DCs.

6. After that, we reboot Exchange server. Now we see all the Exchange service are started successfully, and send test email, it is working fine.