Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. MSExchangeISPublic Event 9551 is logged after you grant Public Folder permissions to an Exchange Server 5.5 user

MSExchangeISPublic Event 9551 is logged after you grant Public Folder permissions to an Exchange Server 5.5 user

View products that this article applies to.

This article was previously published under Q277906
This article is a consolidation of the following previously available articles: 277906, 281607, and 812215

↑ Back to the top

Symptoms

If you are working in a mixed-mode environment where Microsoft Exchange 2000 Server or Microsoft Exchange Server 2003 and Microsoft Exchange Server 5.5 are installed in separate Active Directory domains, when you grant an Exchange Server 5.5 user permissions to a public folder on the Exchange 2000 or Exchange 2003 computer, the following events are logged in the Application log.

Event 1

Event Type: Error
Event ID: 9562
Event Source: MSExchangeIS
Event Category: General
Description: Failed to read attribute msExchUserAccountControl from Active Directory for /O=Your_Exchange_Organization/OU=Your_Exchange_Administrative_Group/CN=RECIPIENTS/CN=User_Name.

Event 2

Event Type: Error
Event ID: 9551
Event Source:MSExchangeISPublic

Description: An error occurred while upgrading the ACL on folder [Public Folders]/Folder located on database "First Storage Group\Public Folder Store (Exchange_Server_Name)".

The Information Store was unable to convert the security for /O=Your_Exchange_Organization/OU=Your_Exchange_Administrative_Group/CN=RECIPIENTS/CN=User_Name into a Windows 2000 Security Identifier. It is possible that this is caused by latency in the Active Directory Service, if so, wait until the user record is replicated to the Active Directory and attempt to access the folder (it will be upgraded in place). If the specified object does NOT get replicated to the Active Directory, use the Microsoft Exchange System Manager or the Exchange Client to update the ACL on the folder manually. The access rights in the ACE for this DN were 0x41b.
When an Exchange Server 5.5 user tries to access the public folder, he or she may receive one of the following error messages.

Error message 1

Error 500 Internal server error

Error message 2

Client operation failed

↑ Back to the top

Cause

This issue may occur because any user object that is mailbox-enabled must have the msExchUserAccountControl attribute stamped on it by Recipient Update Service, and the attribute value must be set to 0. If the user object is not configured in this way, it is treated as mailbox-disabled.

By default, Recipient Update Service is not available in an Active Directory domain that has only an Exchange Server 5.5 computer. Therefore, the user object in Active Directory that is associated with the mailbox on the Exchange Server 5.5 computer does not have the msExchUserAccountControl attribute set.

When you grant an Exchange Server 5.5 user permissions to a public folder in Exchange 2000 or Exchange 2003, the information store on the Exchange 2000 or Exchange 2003 computer assigns the distinguished name of this mailbox to that public folder. The Exchange 2000 or Exchange 2003 information store tries to upgrade this Exchange Server 5.5 distinguished name to a Windows security identifier (SID). If the Active Directory user object that is associated with this mailbox does not have the msExchUserAccountControl attribute set, when the information store reads this attribute, and then does not upgrade the Exchange Server 5.5 distinguished name to a Windows SID, the information store generates the events that are described in the "Symptoms" section.

↑ Back to the top

Resolution

To resolve this issue, run Exchange 2000 or Exchange 2003 Setup with the /domainprep switch in the domain in which the Exchange Server 5.5 computer resides. Then, create an additional Recipient Update Service for that same domain . This Recipient Update Service instance will populate the msExchUserAccountControl attribute for all mailbox-enabled user objects. To create the additional Recipient Update Service, follow these steps:
  1. Start Exchange System Manager.
  2. Right-click the Recipient Update Services container, and then click New Recipient Update Service.
  3. Enter the domain where the Exchange Server 5.5 computer resides as the object to be updated by this service.
  4. Enter the name of the Exchange 2000 or Exchange 2003 computer where you want to run this service.
  5. Click OK.
For more information about running setup /domainprep, click the following article number to view the article in the Microsoft Knowledge Base:
312407� Requirements for preparing Windows domains for Exchange Server 2003 or for Exchange 2000 Server
For additional information about the Exchange Recipient Update Service, click the following article number to view the article in the Microsoft Knowledge Base:
319065� How to work with the Exchange Recipient Update Service

↑ Back to the top

Keywords: KB277906, kbprb

↑ Back to the top

Article Info
Article ID : 277906
Revision : 6
Created on : 10/25/2007
Published on : 10/25/2007
Exists online : False
Views : 391