XADM: Migrated Exchange Server 5.5 Mailboxes Generate Event ID 9551 Warning Messages for the ACL (318549)


The information in this article applies to:

  • Microsoft Exchange 2000 Server SP1
  • Microsoft Exchange 2000 Server SP2
This article was previously published under Q318549
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SYMPTOMS

If the access control list (ACL) contains old access control entries (ACEs) or ACEs that are not valid, the Exchange 2000 server may generate an event ID 9551 warning message for migrated Microsoft Exchange Server 5.5 mailboxes. The warning message is similar to:
Event Type: Warning
Event Source: MSExchangeIS Mailbox Store
Event Category: (6)
Event ID: 9551
Date: 01/01/2001
Time: 1:00:00 AM
User: N/A
Computer: SERVER1
Description: An error occurred while upgrading the ACL on folder [MBX:User1]/Calendar located on database "Server1\Mailbox Store 1 (server)". The Information Store was unable to convert the security for /O=ORGANIZATION/OU=SITE/CN=RECIPIENTS/CN=123456 into an NT Security Identifier. It is possible that this is caused by latency in the Active Directory Service, if so, wait until the user record is replicated to the Active Directory and attempt to access the folder (it will be upgraded in place). If the specified object does NOT get replicated to the Active Directory, use the Microsoft Exchange System Manager or the Exchange Client to update the ACL on the folder manually. The access rights in the ACE for this DN were 0x401.
If multiple ACEs that are not valid exist in a single ACL, Exchange 2000 may log an event ID 9551 warning message for only the first ACE. Exchange 2000 may stop processing the ACL when Exchange 2000 sees an ACE that is not valid. If multiple entries exist, and you remove the first ACE that is not valid, Exchange 2000 generates an event ID 9551 warning message for the next ACE that is not valid in the ACL.

CAUSE

The ACEs are entries that originate from Microsoft Windows NT security for Exchange Server 5.5 disabled accounts. This problem may occur if the Exchange Server 5.5 mailboxes (or public folders) were migrated to Exchange 2000 and the DS/IS consistency adjuster was not used on the Exchange Server 5.5 store to remove these entries from the ACL.

RESOLUTION

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

The recommended resolution is to run the DS/IS consistency checker against the information store before migration. All information store migrations (both private and public) should run the DS/IS consistency checker to prevent this problem. The following workaround of applying the new build and installing the registry settings and the Deadlist.txt file are supported for situations where the migration has occurred and the server cannot be restored to a pre-migration state, and therefore, performing the DS/IS consistency check is not a possibility. The creation of the Deadlist.txt file can be a tedious and time-consuming activity. This workaround is not meant to be a replacement for running the DS/IS consistency checker before the migration.

To resolve this problem, obtain the latest service pack for Microsoft Exchange 2000 Server. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

301378 XGEN: How to Obtain the Latest Exchange 2000 Server Service Pack

The English version of this fix should have the following file attributes or later:

Component: Information store

File nameVersion
Store.exe6.0.5770.64
Phatcat.dll6.0.5770.64
Mdbsz.dll6.0.5770.64
Jcb.dll6.0.5770.64
Exres.dll6.0.5770.64
Exprox.dll6.0.5770.64
Exoledb.dll6.0.5770.64
Excdo.dll6.0.5770.64
Dcsmsg.dll6.0.5770.64
Dsaccess.dll6.0.5770.64
Davex.dll6.0.5770.64

After you apply this fix, to implement it, you must create a text file that includes the distinguished names that you are getting warning messages for. To implement the fix, you must also use Registry Editor.

To implement the fix:
  1. Create a text file in a text editor, such as Microsoft Notepad.
  2. Insert the address distinguished names from the 9551 event ID warning messages, for example:

    /O=ORGANIZATION/OU=SITE/CN=RECIPIENTS/CN=123456

  3. Place each distinguished name on a separate line, separated by a carriage return/line feed (CR/LF).
  4. Save the text file in a subfolder on the Exchange 2000 server. (note the location of the file because you will need it later), for example:

    C:\DeadDir\DeadList.TXT

  5. Start Registry Editor (Regedt32.exe).
  6. Locate the following key in the registry:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem

  7. On the Edit menu, click Add Value, and then add the following registry value:

    Value name: DNDeadList
    Data type: REG_SZ
    Value: drive_letter:\subfolder>..\file_name.ext

    For example, this value might be:

    Value: C:\DeadDir\DeadList.TXT

    NOTE: This file must reside locally on the server that this is being performed on and the file size cannot exceed 128 kilobytes (KB).
  8. Quit Registry Editor.
  9. Stop and then restart the Microsoft Exchange Information Store service so that changes can occur.

STATUS

Microsoft has confirmed that this is a problem in Microsoft Exchange 2000 Server. This problem was first corrected in Microsoft Exchange 2000 Server Service Pack 3.
Modification Type:MajorLast Reviewed:6/28/2004
Keywords:kbbug kbExchange2000preSP3fix kbExchange2000sp3fix kbfix KB318549
©2004 Microsoft Corporation. All rights reserved.