When you move a mailbox from a Microsoft Exchange Server
5.5 computer to a Microsoft Exchange 2000 Server computer or to a Microsoft
Exchange Server 2003 computer, you may receive the following error message:
Error: Opening destination mailbox.
The information store could not be
The MAPI provider failed.
Additionally, the following event ID messages
may be logged in the Application log:
Event Type: Information
Event Source: MSExchangeAdmin
Event Category: Move Mailbox
Event ID: 1006
Time: 4:24:53 PM
Started to move mailbox 'DDD R1'.
Source Database: /o=Microsoft/ou=AdminGroup/cn=Configuration/cn=Servers/cn=SERVER1/cn=Microsoft Private MDB
/o=Microsoft/ou=AdminGroup/cn=Configuration/cn=Servers/cn=SERVER2/cn=Microsoft Private MDB
Exchange DN: /o=Microsoft/ou=AdminGroup/cn=Recipients/cn=Alias
Event Type: Warning
Event Source: MSExchangeIS
Event Category: General
Event ID: 9548
Time: 4:24:54 PM
Disabled user /o=Microsoft/ou=AdminGroup/cn=Recipients/cn=Alias does not have a master account SID. Please use Active Directory MMC to set an active account as this user's master account.
Event Type: Error
Event Source: MSExchangeIS Mailbox Store
Event Category: Log ons
Event ID: 1022
Time: 4:24:55 PM
Log on Failure on database "First Storage Group\Private Information Store (ALIA)" - Windows 2000 account DOMAIN\administrator; mailbox /o=Microsoft/ou=AdminGroup/cn=Recipients/cn=ALIAS.
The error message ID 0x8004011d references
MAPI_E_FAILONEPROVIDER. Error event IDs 0x80040111 and -2147221231 correspond
A similar sequence of errors may be displayed
when you try to log on to an Exchange 2000 computer mailbox or an Exchange 2003
This problem can occur if the disabled Active Directory
directory service user account that is associated with the mailbox does not
have an msExchMasterAccountSID
The steps that are provided in this section are for
disabling Active Directory user accounts that have Exchange 2000 mailboxes or
Exchange 2003 mailboxes. If you follow these steps when you disable the
account, event 9548 is not logged. If only a small number of mailboxes are
exhibiting this problem, you can generate an msExchMasterAccountSID
attribute. To do this, follow these steps:
- In the Active Directory Users and Computers snap-in, on the
View menu, click Advanced Features.
- In the Exchange Advanced properties of the disabled user
object that owns the mailbox, click Mailbox Rights, and then search the list of accounts for one that has the
Associated External Account permission.
- If no account has this permission, grant the SELF account
Associated External Account and Full Mailbox Access permissions.
Note The SELF account is available in all Windows 2000 domains. All
SELF accounts share a well-known security identifier (SID) that is the same
across all domains. If the SELF account is not already listed in the Permissions dialog box, you can add it by typing SELF
as the account name.
Only one account at a time can have the
Associated External Account permission. If this permission is currently owned
by an account that is unwanted or that is not valid, you must remove the
permission on that account before you apply the account to SELF.
After you remove the Associated External Account permission from an account,
exit all properties dialog boxes for the disabled user object. (To do this,
click OK, not Cancel, at each level.) You must do this because changes to permissions
are not applied immediately, but only after you have exited the object
properties for the user. You will be blocked from changing the owner of the
Associated External Account permission until you have closed and re-opened the
properties of the object.
- Reset the Associated External Account permission to
You can use LDAP tools, such as the Active Directory Service
Interfaces (ADSI) Edit snap-in, the LDP utility or Ldifde to view the
attributes of the user object to verify that the msExchMasterAccountSID
attribute has been created. Because of directory replication and
Exchange Server cache refresh latencies, it can take up to two hours after you
make the change before the mailbox can be moved.
To set the msExchMasterAccountSID
attribute for lots of disabled user accounts, you can use the
Collaboration Data Objects for Exchange Management (CDOEXM) interface to modify
the mailbox security descriptor. Starting with Microsoft Exchange 2000 Server
Service Pack 2 (SP2), a new interface is made available in CDOEXM. This
interface is named MailboxRights. This exposure lets you modify the mailbox
security descriptor programmatically.
For more information about how to script a bulk change of the
msExchMasterAccountSid attribute, click the following article number to view
the article in the Microsoft Knowledge Base:
How to associate an external account with an existing Exchange 2000 mailbox
For additional methods that let you set the msExchMasterAccountSid
attribute for lots of disabled user accounts, contact Microsoft
Product Support Services. For more information about the support options that
are available from Microsoft, visit the following Microsoft Web site:
To determine how many disabled user accounts do not have the msExchMasterAccountSid
attribute, you can generate an LDIF formatting export file. To do
this, run the following Ldifde.exe command:
ldifde -f file.txt -d "dc=domain,dc=com" -l nothing -r "(&(objectcategory=person)(objectclass=user)(msexchuseraccountcontrol=2)(!(msexchmasteraccountsid=*)))"
The following list describes the Ldifde parameters:
- -f: This switch indicates the export destination file.
- -d: This switch indicates the Microsoft Windows domain from
which to export user objects. For example, if the Active Directory Users and
Computers management console for the domain lists the domain as
corp.company.com, it would become
- -l: This switch, if it is used, restricts the output in the export file
to only the attributes enumerated by the switch. In this case, the non-existent
attribute nothing is used so that only object names, not attributes, are
- -r: This switch indicates the LDAP search filter by using the
standard LDAP query syntax. You can also use this search string with Ldp.exe
and other LDAP tools. In this case, the search is for all user objects that are
disabled (msExchUserAccountControl value of 2) and that do not have an msExchMasterAccountSID attribute.
The following text is an example of the output file:
dn: CN=AAA R1,OU=Recipients,DC=domain,DC=com
dn: CN=AAA R2,OU=Recipients,DC=domain,DC=com
. . . . .
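The following added example (not part of the original article) counts the entries in an export file of the kind shown above and groups them by parent container, so you can see where the affected accounts are located. It goes beyond the two-line sample by handling folded lines, base64-encoded dn:: values and escaped commas; the sample DNs and function names are constructed for illustration.

```python
import base64
from collections import Counter

# Constructed sample (not real data): plain, folded, escaped-comma, base64 DNs.
_B64_DN = base64.b64encode(
    "CN=J\u00fcrgen R4,OU=Recipients,DC=domain,DC=com".encode("utf-8")).decode("ascii")
SAMPLE_LDIF = (
    "dn: CN=AAA R1,OU=Recipients,DC=domain,DC=com\n\n"
    "dn: CN=AAA R2 with a long display name,OU=Recipients,DC=doma\n in,DC=com\n\n"
    "dn: CN=Smith\\, Bob,OU=Sales,DC=domain,DC=com\n\n"
    f"dn:: {_B64_DN}\n"
)

def unfold(text):
    """Join LDIF continuation lines: a leading space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_dns(text):
    """Return every distinguished name in the export, decoding dn:: values."""
    dns = []
    for line in unfold(text):
        if line.startswith("dn::"):
            dns.append(base64.b64decode(line[4:].strip()).decode("utf-8"))
        elif line.startswith("dn:"):
            dns.append(line[3:].strip())
    return dns

def parent_container(dn):
    """Strip the first RDN, honouring backslash-escaped commas inside it."""
    i = 0
    while i < len(dn):
        if dn[i] == ",":
            return dn[i + 1:]
        i += 2 if dn[i] == "\\" else 1   # skip the character after a backslash
    return ""

def summarize(text):
    """Total affected accounts and a per-container breakdown."""
    dns = parse_dns(text)
    return len(dns), Counter(parent_container(dn) for dn in dns)

if __name__ == "__main__":
    print(summarize(SAMPLE_LDIF))
```

To use it on a real export, read file.txt as text and pass the contents to summarize().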
For more information about how to use Ldifde in Active Directory, click the following article number to view the article in the Microsoft Knowledge Base:
Using LDIFDE to import and export directory objects to Active
We do not recommend that you use the LDIFDE command-line utility
or the ADSIEDIT tool to create, to modify, or to delete the msExchMasterAccountSid
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
hotfix is available to modify the way that Exchange Server 2003 handles a
disabled Active Directory user account that is associated with an Exchange
Server 2003 mailbox
has confirmed that this is a problem in the Microsoft products that are listed
in the "Applies to" section.