You can view the MAPI logon script error messages in the Operator Console of MOM 2005 by using one of the following views:
The appearance of the MAPI logon script error messages may vary depending on the view that you use to view the error messages. However, the common MAPI logon script error messages will contain one of the following phrases:
For example, an error message may appear similar to the following error message:
The information store could not be opened. [MAPI 1.0 -[MAPI_E_LOGON_FAILED(80040111)]]
This event was generated by the script: "Exchange 2003 - MAPI logon verification"
Additional diagnosis on the problem can't be performed because:This event was generated by the script: "Exchange 2003 - MAPI logon verification"
The "General troubleshooting steps" section lists the general steps that you must perform to troubleshoot the issue. Additionally, other sections list steps that you must perform to troubleshoot the issue, depending on the phrase that you see in the error message. However, if the steps that you perform in a particular section do not resolve the issue, you must perform the steps in the other sections. Sometimes multiple causes can exist for the same error. For more information about MAPI error codes, click the following article number to view the article in the Microsoft Knowledge Base:
List of Extended MAPI numeric result codes
General troubleshooting steps
Determine the Mailbox Access account that is used by the MAPI verification script to log on to the Exchange server. To do this, look in Exchange System Manager in the Logons
section under the Mailbox Store
folder. You should see the test mailbox and verify that the Microsoft Windows account that was used to log on was the Mailbox Access account.
Next, determine whether the issue is specific to a particular Exchange server or if the issue applies to all Exchange servers. If you receive MAPI logon verification script problems that generate event ID 9981 (general MAPI logon failure) or event ID 9016 (generated by the MailFlow sender script), verify that the Mailbox Access account has fullmailbox rights on the mailbox that is used for the MAPI logon test. To do this, follow these steps:
- Log on to Outlook by using the Mailbox Access account.
- Open the test mailbox. To do this, click Open Other User’s Folder on the File menu, and then type the name of the test mailbox. You should be able to see the Inbox of the test account.
- If you cannot open the mailbox, start the Active Directory Users and Computers snap-in, and then examine the properties of the test mailbox.
- Click Exchange Advanced, and then click Mailbox Rights.The Mailbox Access account should be listed here and should be granted the following permissions:
- Full Mailbox Access
- Delete mailbox storage
If you can log on to Outlook as the Mailbox Access account, and you can open the mailbox of the testaccount by using the credentials of the Mailbox Access account, you should direct yourtroubleshooting to the individual Exchange servers instead of looking for apermissions problem in Active Directory.
If you cannot open the test mailbox, make sure thatnone of the mailboxes that MOM uses (Mailbox Access account and test mailboxes) are hidden. Also, determine whether the accounts were created manually, were created by using the Exchange Management Pack Configuration Wizard, or were created by using provisioning software. This will help narrow the reasons for the issue with the accounts or test mailboxes.
To resolve this issue, verify the value for the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Messaging Subsystem\ProfileDirectory
This is the location where temporary MAPI logon profiles are created. This value should be configured as follows:
Typically, the profile directory would be C:\temp\exmppd.For more information about MAPI profile files, click the following article number to view the article in the Microsoft Knowledge Base:
XWEB: MMP files Created by MAPI and CDO
Verify that the Mailbox Access account, not the test mailbox for the server, has read and write permissions to the C:
\temp\exmppd directory. The best way to do this is to log on to the server as the Mailbox Access account and then verify that you can create a test file in this directory.
The Mailbox Access account must have local logon rights on each Exchange server. These rights are required for the MAPI logon and mail flow tests. The Exchange Management Pack Configuration Wizard automatically grants the necessary rights.
Typically, this error is related to file versions on theExchange server. To verify file conflicts, follow these steps:
- Verify whether Outlook is installed on this server.
- Verify the versions of Cdo.dll.
- Additionally, you can use the MFCMapi tool to open the mailbox of the Mailbox Access account. To do this, follow these steps:
- Download MFCMapi, and then copy it to the Exchange server. MFCMapi can help you identify the cause of the logon errors. For more information about how to obtain MFCMapi, click the following article number to view the article in the Microsoft Knowledge Base:
MFCMAPI demonstrates MAPI client code
- Run MFCMapi.
- On the Session menu, click Logon and Display Store Table.
- You will be prompted to create a profile.
- You can enter the Mailbox Access account information to verify that you can log on to the mailbox.
- You can also perform a check name operation.
Inherited "Deny" permissions cause the MAPI logon verification test to fail. If the Mailbox Access account is included in a group that has "Send As" and "Receive As" permissions that are configured as "Deny" at the organization level, the Mailbox Access account cannot log on to the Exchange server. To verify and correct this issue, follow these steps.
Step 1: Verify that you can see the mailbox in Exchange System Manager
- Log on to the Exchange server as the Mailbox Access account.
- Start Exchange System Manager.
- Expand Administrative Groups, and then expand Servers.
- Click Mailboxes.
- Verify that you can see the list of mailboxes in the right pane. If you cannot see the mailboxes, the Mailbox Access account may be denied the "View Information Store Status" permission.
Step 2: Verify user rights in Exchange System Manager
- Log on to the Exchange server as the Mailbox Access account.
- Start Exchange System Manager.
- Right-click the organization object, and then click Properties.
- Click the Security tab, and then click Advanced.
Note If you cannot see the Security tab, click the following article number to view the article in the Microsoft Knowledge Base:
How to enable the Security tab for the organization object in Exchange 2000 and in Exchange 2003
- Verify whether any of the groups that include the Mailbox Access account are denied the "Send As" or the "Receive As" user right.
- If you find that "Deny" permissions are configured for the group that includes the Mailbox Access account, follow the steps in the "Step 3: Make sure that the Mailbox Access account is not included in a group that has organization-level 'Deny' permissions" section.
Step 3: Make sure that the Mailbox Access account is not included in a group that has organization-level "Deny" permissions
If the group that includes the Mailbox Access account has "Deny" permissions configured for the "Send as" or the "Receive as" user right at the organization level, the Mailbox Access account cannot log on to the Exchange server. If the Mailbox Access account is configured as an administrative account that is included in groups that are restricted at the organization level, you must use an ordinary account that is not included in these default groups. For example, you can use an ordinary domain user account that has the "Log on locally" user right for the Mailbox Access account. To correct this problem, follow these steps:
- Create a new Mailbox Access account.
Note You can use an ordinary domain user account.
- Verify that the new Mailbox Access account can resolve names in the global address list.
- Run the Exchange Management Pack Configuration Wizard.
Error: Event ID 9983 – "Cannot Impersonate Mailbox Access Account"
If you receive this event, the credentials that you supplied when you ran the Exchange Management Pack Configuration Wizard or the ExchangeMOMSetCredentialUtility.exe were incorrect. Run the Exchange Management Pack Configuration Wizard or the ExchangeMOMSetCredentialUtility.exe again by using the correct credentials.This event may also indicate that the Mailbox Access account may not have permission to log on locally to the Exchange server. Verify that the Mailbox Access account is listed as having the "Allow log on locally" user right in the Local Security Policy or in the Domain Controller Security Policy if the server is a domain controller.Note
The ExchangeMOMSetCredentialUtility tool is included with Microsoft Operations Manager 2000. The Exchange Server 2003 Management Pack for Microsoft Operations Manager 2000 Service Pack 1 (SP1) and later Management Packs do not include this tool. Instead, the Exchange Management Pack Configuration Wizard is used together with these products. You can use the Exchange Server 2003 Management Pack Configuration Wizard to perform the functions that you performed by using the ExchangeMOMSetCredentialUtility tool.
You receive this error if the mailbox logon script does not run. This error occurs when the Mailbox Access account display name and the samAccountName
attribute in Active Directory are different. To resolve this issue, follow these steps:
- Delete the Mailbox Access account.
- Create a new Mailbox Access account by using the Exchange Management Pack Configuration Wizard.
Intermittent MAPI logon failures
Active Directory problems can cause intermittent failure of the MAPI logonverification script. MAPI logon fails if it cannot access a domain controller orif the domain controller does not respond in a timely manner.
- Start the Microsoft Exchange System Attendant service.
- Verify the configuration for the agent mailboxes. Then, correct any configuration errors.
- Verify that the domain controllers in the domain can be accessed and thatusers can log on by using Outlook.
Log MOM errors
You can log MOM errors to a log file by configuring a registry entry on the Exchange server. To do this, follow these steps:
- Start Registry Editor.
- Locate the following subkey:
- Create the following registry entry under this subkey:
Value name: DebugLS
Value type: DWORD
Value data: 1
- Stop and then restart the MOM service on the Exchange server.Wait until the MAPI logon verification script runs. If it is required, wait overnight to make sure that the script runs.
- Look for the ExMPLS_LOG.txt file in the root of the %systemdrive%. Typically, this is drive C.
Note This log file is frequently useful to troubleshoot MAPI logon issues.