XADM: Migrated Exchange Server 5.5 Mailboxes Generate Event ID 9551 Warning Messages for the ACL

This article was previously published under Q318549
This article has been archived. It is offered "as is" and will no longer be updated.
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry
If the access control list (ACL) contains old access control entries (ACEs) or ACEs that are not valid, the Exchange 2000 server may generate an event ID 9551 warning message for migrated Microsoft Exchange Server 5.5 mailboxes. The warning message is similar to:
Event Type: Warning
Event Source: MSExchangeIS Mailbox Store
Event Category: (6)
Event ID: 9551
Date: 01/01/2001
Time: 1:00:00 AM
User: N/A
Computer: SERVER1
Description: An error occurred while upgrading the ACL on folder [MBX:User1]/Calendar located on database "Server1\Mailbox Store 1 (server)". The Information Store was unable to convert the security for /O=ORGANIZATION/OU=SITE/CN=RECIPIENTS/CN=123456 into an NT Security Identifier. It is possible that this is caused by latency in the Active Directory Service, if so, wait until the user record is replicated to the Active Directory and attempt to access the folder (it will be upgraded in place). If the specified object does NOT get replicated to the Active Directory, use the Microsoft Exchange System Manager or the Exchange Client to update the ACL on the folder manually. The access rights in the ACE for this DN were 0x401.
If multiple ACEs that are not valid exist in a single ACL, Exchange 2000 may log an event ID 9551 warning message for only the first ACE. Exchange 2000 may stop processing the ACL when Exchange 2000 sees an ACE that is not valid. If multiple entries exist, and you remove the first ACE that is not valid, Exchange 2000 generates an event ID 9551 warning message for the next ACE that is not valid in the ACL.
The ACEs are entries that originate from Microsoft Windows NT security for Exchange Server 5.5 disabled accounts. This problem may occur if the Exchange Server 5.5 mailboxes (or public folders) were migrated to Exchange 2000 and the DS/IS consistency adjuster was not used on the Exchange Server 5.5 store to remove these entries from the ACL.
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

The recommended resolution is to run the DS/IS consistency checker against the information store before migration. All information store migrations (both private and public) should run the DS/IS consistency checker to prevent this problem. The following workaround of applying the new build and installing the registry settings and the Deadlist.txt file are supported for situations where the migration has occurred and the server cannot be restored to a pre-migration state, and therefore, performing the DS/IS consistency check is not a possibility. The creation of the Deadlist.txt file can be a tedious and time-consuming activity. This workaround is not meant to be a replacement for running the DS/IS consistency checker before the migration.

To resolve this problem, obtain the latest service pack for Microsoft Exchange 2000 Server. For additional information, click the following article number to view the article in theMicrosoft Knowledge Base:
301378 XGEN: How to Obtain the Latest Exchange 2000 Server Service Pack
The English version of this fix should have the following file attributes or later:

Component: Information store

File nameVersion

After you apply this fix, to implement it, you must create a text file that includes the distinguished names that you are getting warning messages for. To implement the fix, you must also use Registry Editor.

To implement the fix:
  1. Create a text file in a text editor, such as Microsoft Notepad.
  2. Insert the address distinguished names from the 9551 event ID warning messages, for example:
  3. Place each distinguished name on a separate line, separated by a carriage return/line feed (CR/LF).
  4. Save the text file in a subfolder on the Exchange 2000 server. (note the location of the file because you will need it later), for example:
  5. Start Registry Editor (Regedt32.exe).
  6. Locate the following key in the registry:
  7. On the Edit menu, click Add Value, and then add the following registry value:
    Value name: DNDeadList
    Data type: REG_SZ
    Value: drive_letter:\subfolder>..\file_name.ext
    For example, this value might be:
    Value: C:\DeadDir\DeadList.TXT
    NOTE: This file must reside locally on the server that this is being performed on and the file size cannot exceed 128 kilobytes (KB).
  8. Quit Registry Editor.
  9. Stop and then restart the Microsoft Exchange Information Store service so that changes can occur.
Microsoft has confirmed that this is a problem in Microsoft Exchange 2000 Server. This problem was first corrected in Microsoft Exchange 2000 Server Service Pack 3.

Article ID: 318549 - Last Review: 10/26/2013 10:53:00 - Revision: 5.0

  • kbnosurvey kbarchive kbbug kbexchange2000presp3fix kbexchange2000sp3fix kbfix KB318549