Article ID: 324114
This article was previously published under Q324114
This article has been archived. It is offered "as is" and will no longer be updated.
If you use an administrator account to run Exmerge.exe to identify user accounts that are not represented in Active Directory, the event ID 9551 warning messages that identify those objects and users may not be logged.
To resolve this problem, obtain the latest service pack for Microsoft Exchange 2000 Server. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
301378 (http://support.microsoft.com/kb/301378/EN-US/) XGEN: How to Obtain the Latest Exchange 2000 Server Service Pack
Component: Information store
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
NOTE: Because of file dependencies, this update requires Microsoft Exchange 2000 Server Service Pack 2.
Date         Time   Version      Size       File name
----------------------------------------------------------
12-JUL-2002  17:08  6.0.5771.28  4,547,136  Store.exe
Microsoft has confirmed that this is a problem in Microsoft Exchange 2000 Server. This problem was first corrected in Microsoft Exchange 2000 Server Service Pack 3.
In an environment that is mixed (contains Microsoft Exchange Server 5.5 and Exchange 2000) or an environment that was previously mixed, the access control list (ACL) of mailboxes and public folders may contain user accounts that are not represented in Active Directory. Such users are "zombie" users.
Zombie users may cause a problem if the ACL from Exchange Server 5.5 is upgraded to match the NTDS format that is used in Exchange 2000. Exchange 2000 tries to upgrade the ACL each time that the ACL has to be evaluated. If Exchange 2000 encounters a zombie user during the upgrade, the upgrade does not work. Exchange 2000 tries to upgrade the ACL again the next time that Exchange 2000 accesses the ACL. Zombie users can lead to a range of issues, depending upon how prevalent they are in the environment.
If Exchange 2000 encounters a zombie user during the ACL upgrade, the following warning message is logged. Administrators can use this warning message to identify the object and user account that are in a zombie state:
Event Type: Warning
Event Source: MSExchangeIS Mailbox Store
Event ID: 9551
An error occurred while upgrading the ACL on folder [MBX:User1]/Calendar located on database "Server1\Mailbox Store 1 (server)". The Information Store was unable to convert the security for /O=ORGANIZATION/OU=SITE/CN=RECIPIENTS/CN=123456 into an NT Security Identifier. It is possible that this is caused by latency in the Active Directory Service, if so, wait until the user record is replicated to the Active Directory and attempt to access the folder (it will be upgraded in place). If the specified object does NOT get replicated to the Active Directory, use the Microsoft Exchange System Manager or the Exchange Client to update the ACL on the folder manually. The access rights in the ACE for this DN were 0x401.
This warning message is logged only if Exchange 2000 accesses the object and cannot upgrade the ACL. If you are an Exchange administrator, you may want to be proactive and use a utility such as Exmerge.exe to identify all of the zombie users in your environment. Exmerge.exe accesses each folder, which forces an upgrade of ACLs. You typically use an Exchange administrator account to run Exmerge.exe, but if you do so, the event ID 9551 warning message is not logged. The fix that this article describes permits administrators to run a utility such as Exmerge.exe to access each folder and identify zombie users with the event ID 9551 error messages. For additional information about how to use the information store to automatically remove identified zombie users, click the article number below to view the article in the Microsoft Knowledge Base:
318549 (http://support.microsoft.com/kb/318549/EN-US/) XADM: Migrated Exchange Server 5.5 Mailboxes Generate Event ID 9551 Warning Messages for the ACL
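One way to turn event ID 9551 descriptions, once exported as text, into a list of zombie accounts and the folders whose ACLs still reference them. This is an added example, not Microsoft's code: the regular expression is derived from the message wording quoted in this article, and `parse_9551`, `zombies_by_dn` and the sample descriptions are constructed for illustration.

```python
import re
from collections import defaultdict

# Built from the wording of the event ID 9551 description quoted in this article.
EVENT_9551 = re.compile(
    r'upgrading the ACL on folder (?P<folder>.+?) located on database '
    r'"(?P<database>[^"]+)"\..*?convert the security for (?P<dn>/O=.+?) '
    r'into an NT Security Identifier.*?ACE for this DN were '
    r'(?P<rights>0x[0-9A-Fa-f]+)',
    re.DOTALL,
)

def parse_9551(description):
    """Return folder, database, unresolved DN and ACE rights, or None if no match."""
    match = EVENT_9551.search(description)
    if match is None:
        return None
    record = match.groupdict()
    record["rights"] = int(record["rights"], 16)
    return record

def zombies_by_dn(descriptions):
    """Map each unresolved DN to the sorted (database, folder) pairs that list it."""
    grouped = defaultdict(set)
    for text in descriptions:
        record = parse_9551(text)
        if record:  # ignore events that are not 9551 ACL-upgrade warnings
            grouped[record["dn"]].add((record["database"], record["folder"]))
    return {dn: sorted(pairs) for dn, pairs in grouped.items()}

# Constructed sample descriptions (abbreviated with "[...]"), not real log data.
TEMPLATE = (
    'An error occurred while upgrading the ACL on folder {folder} located on '
    'database "{db}". The Information Store was unable to convert the security '
    'for {dn} into an NT Security Identifier. [...] The access rights in the '
    'ACE for this DN were {rights}.'
)
DB = r"Server1\Mailbox Store 1 (server)"
RCP = "/O=ORGANIZATION/OU=SITE/CN=RECIPIENTS"
SAMPLES = [
    TEMPLATE.format(folder="[MBX:User1]/Calendar", db=DB, dn=RCP + "/CN=123456", rights="0x401"),
    TEMPLATE.format(folder="[MBX:User2]/Inbox", db=DB, dn=RCP + "/CN=123456", rights="0x401"),
    TEMPLATE.format(folder="[MBX:User2]/Contacts", db=DB, dn=RCP + "/CN=OLDUSER", rights="0x400"),
    "The mailbox store was mounted.",  # unrelated event text, must be skipped
]

if __name__ == "__main__":
    for dn, pairs in zombies_by_dn(SAMPLES).items():
        print(dn, *[f"\n    {db}: {folder}" for db, folder in pairs])
```

Grouping by DN shows which zombie entries appear on the most folders, so the ACLs that keep failing to upgrade can be cleaned up first.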