On Exchange 2010 RTM, I moved several mailboxes into a new mailbox database on the same server. Now, every so often, I see Event ID 9554 in the event log.
I saw two KB articles http://support.microsoft.com/kb/322308 and http://support.microsoft.com/default.aspx/kb/555433/en-us, and they say to make sure inherit security is checked on the user objects. They are.
When I look at the GUIDs, they all correspond to the ArchiveGuid on the mailboxes. So it looks like some security item needs to be reset/updated. What's the correct way to do this; what should the default security settings be on the archive box? Disconnecting/reconnecting the archive didn't help.
We're also having the same issue on mailboxes moved locally to different databases as well as to other servers with different DAGs.
I can't find any information on the issue; I'm assuming there are few who have actually run into this yet.
Anyone with any suggestions?
Microsoft has confirmed they will be releasing upgrades in SP1 which allow archive and host mailbox to be stored in separate databases. Although that will fix this issue indirectly, it still doesn't isolate the cause when moving a mailbox with attached archive as it states in the docs the archive follows.
Try the below Links
I'm also facing the same problem but trying to resolve with the above URLs. Strange thing, I couldn't find a mailbox or a user account with that GUID, but still receiving the warning. Hope there's a solution for this!
We are also having the same problem.
We moved all mailboxes from one db to another db in the same server and deleted the old db.
We couldn't find the GUIDs, but they are likely to be the only 2 mailboxes which have archive mailboxes.
Started only after the move and just noticed their archive mailboxes are not available now.
(The old db was deleted from exchange but db files and logs are still in the disk)
Sorry, noticed that the archive mailboxes are available and accessible.
Not sure why the Exchange server is still logging the 2 warnings:
Unable to update Mailbox SD in the DS. Mailbox Guid: 51773779-b332-4825-926d-efb17c7c49b1. Error Code 0x8004010f
Unable to update Mailbox SD in the DS. Mailbox Guid: c3b27d37-b17f-47a2-b411-2803ed70c229. Error Code 0x8004010f
Have you found a way to stop these warnings being logged or to resolve the issue?
Just want to say that we are also getting this error after moving mailboxes to other databases. I cannot determine if the guids in the errors are archive mailboxes. Is there a way to confirm this? I've tried the adfind utility but none of the guids resolve to AD objects.
Thanks for the prompt POST,
To me it seems like a BUG, do you have SP1 running on the server?
What happens when you create a new mailbox, do you get the same error message or Event ID?
Try to create a test mailbox database and let me know if you are able to create it or if you are getting an error!
Gulab | Skype: gulab.mallah
I am running SP1 with the latest updates. I can create mailboxes without any error or warning.
The KB555433 says you have to check:
"Allow inheritable permissions from parent to propagate to this object"
on the affected user, but it already is set.
This is happening under the following circumstances for me:
Exchange 2010 user, native or migrated, sending to an Exchange 2003 user.
Immediately get an NDR saying "there is a problem with the recipient's mailbox".
The error above is logged in the Exchange 2003 backend server event log, therefore easy correlation. I think this is related to the 9776 errors with the mapi-x headers.
I also need a solution. Any suggestions?
I will be upping the header size this evening to see if it works.
Unable to update Mailbox SD in the DS. Mailbox Guid: a8c3e0fd-92bc-4a1a-b042-705b29dc74f1. Error Code 0x8004010f
This seems to have happened out of nowhere and not sure yet which mailbox it might be.
Glad to see I'm not the only one ;)
I'll see what I can find and post back. Client has one Exchange Server 2007. There's a FAX MB that has been in place for at least 6 months that the CSRs use and share to pick up incoming faxes. That's the only account I know of that relates to some of these posts about full access etc. I've seen here.
This message just started a few days ago; maybe an update applied over the weekend triggered this? Just my thought...
Thanks in advance.
When connecting a user to a shared mailbox with archive (Exchange 2010 server), the error message "Unable to update Mailbox SD in the DS" is raised.
The user can access the shared mailbox and its archive, but can't send mail from the shared mailbox. It says that the user does not have sufficient rights to do this.
Any solution/update about this problem?
I know this could be completely irrelevant. I've reconnected a disconnected Mailbox to an existing user on Exchange 2007 and got the same error message.
In my message on Exchange Management Console, was a part that said the change will not be updated until directory synchronization has occurred.
I've forced directory replication between my domain controllers and the mailbox and everything was visible and accessible without any problems. Nor did I see the error message again.
I hope this helps someone, especially if you have multiple domain controllers in your environment.
Since this thread was not yet marked as solved, I thought I would add my 2 cents:
Most likely, you're getting these errors as the result of Exchange attempting to add a permission/attribute to a user account that is/was a member of a protected group (i.e., the classic "AdminSDHolder" problem). Of course the best practice recommendation is not to assign mailboxes to these users in the first place, but usually that advice is a little too late.
So, here's what I usually do in this situation. You can download the ADFind utility and identify each user individually OR you can create a custom query in ADUC that will identify these users and all users that have the AdminSDHolder flag set on their account (saves you a few steps). Here's the custom query string:
ADUC Query for Affected Users
This just gives you info on who is/might be affected, thus generating the event log entry in Exchange. If the user account is rightly a member of a protected group, when you reset the adminCount flag and enable inheritance, these settings revert back in 1 hour. If Exchange doesn't try to update the user account permission or add an object (i.e., adding a mobile phone for activesync, etc.), then you are back to square one.
You can run the script listed on this MS KB: http://support.microsoft.com/kb/817433
Any user who is no longer a member of a protected group will have their account fixed (adminCount=0, inheritance enabled). Any user who is still a member of a protected group will have their account fixed for 1 hour; initiate any changes or testing within that hour to have them stick.
- Proposed as answer by adns_jeremy Thursday, May 19, 2011 4:20 PM
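Several posts in this thread ask how to tell which mailbox a 9554 GUID belongs to, and the last answer points at adminCount and blocked inheritance. The following is an added example, not code from any poster or from Microsoft, that ties the two together. It assumes the Exchange 2010 Management Shell with the ActiveDirectory module available; the function name `Get-MailboxGuidFromEvent` is hypothetical.

```powershell
# Added example. Assumes Exchange 2010 Management Shell plus the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-MailboxGuidFromEvent {
    # Pull the GUID out of a 9554 message such as the ones quoted in this thread.
    # Offline check: Get-MailboxGuidFromEvent 'Unable to update Mailbox SD in the DS.
    #   Mailbox Guid: a8c3e0fd-92bc-4a1a-b042-705b29dc74f1. Error Code 0x8004010f'
    param([string[]]$Message)
    foreach ($m in $Message) {
        if ($m -match 'Mailbox Guid:\s*([0-9a-fA-F-]{36})') { $Matches[1].ToLower() }
    }
}

# 1. GUIDs named in Event ID 9554 warnings in the Application log.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 9554 } -ErrorAction SilentlyContinue
$guids  = Get-MailboxGuidFromEvent ($events | ForEach-Object { $_.Message }) | Sort-Object -Unique

# 2. Index every mailbox by primary GUID and, where present, archive GUID.
$empty = [guid]::Empty.ToString()
$index = @{}
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $index["$($mbx.ExchangeGuid)".ToLower()] = @{ Mailbox = $mbx; Kind = 'Primary' }
    $archive = "$($mbx.ArchiveGuid)".ToLower()
    if ($archive -and $archive -ne $empty) {
        $index[$archive] = @{ Mailbox = $mbx; Kind = 'Archive' }
    }
}

# 3. For each GUID, report which mailbox it is and the account state that the
#    AdminSDHolder process controls: adminCount and blocked ACL inheritance.
foreach ($g in @($guids | Where-Object { $_ })) {
    $row = @{ Guid = $g; Kind = 'Unresolved'; User = $null
              AdminCount = $null; InheritanceBlocked = $null }
    $hit = $index[$g]
    if ($hit) {
        $user = Get-ADUser -Identity $hit.Mailbox.DistinguishedName `
                    -Properties adminCount, nTSecurityDescriptor
        $row.Kind               = $hit.Kind
        $row.User               = $user.SamAccountName
        $row.AdminCount         = $user.adminCount
        $row.InheritanceBlocked = $user.nTSecurityDescriptor.AreAccessRulesProtected
    }
    New-Object PSObject -Property $row
}
```

Rows with `Kind` of `Unresolved` are GUIDs that match no current primary or archive mailbox; rows with `AdminCount` of 1 and `InheritanceBlocked` of True are the accounts the last answer describes.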