Put an end to persistent Exchange Server Event ID 9548 errors

Learn why bogus Event ID 9548 errors are a regular occurrence in Exchange 2000 and Exchange 2003 environments and get a Microsoft hotfix that resolves this common Exchange Server administration annoyance.

This Content Component encountered an error

Please let others know how useful this tip is via the rating scale at the end of it. Do you have a useful Exchange or Outlook tip, timesaver or workaround to share? Submit it to SearchExchange.com. If we publish it, we'll send you a nifty thank-you gift.


VIEW MEMBER FEEDACK TO THIS TIP

Exchange Server administrators who patrol their Exchange 2000 and Exchange 2003 event logs regularly are probably all too familiar with Event ID 9548. This error is thrown whenever the Exchange information store comes across a disabled user that is missing the msExchMasterAccountSid attribute.

The persistence of this error is something of a running joke in Exchange administrator circles, since it's almost impossible not to get Event ID 9548 in a an Exchange Server email environment with one or more disabled users.

The attribute in question is used to calculate permissions on disabled objects for Exchange access control lists (ACLs). Any disabled user account should (in theory) always have this attribute set, but for a galaxy of reasons it sometimes isn't. For one, it's not enforced by the Active Directory Users and Computers (ADUC) snap-in, so its state is not always consistent.

It's relatively easy to disable a user account without also setting the msExchMasterAccountSid attribute, which results in a plethora of -- often spurious -- Event ID 9548 errors. It's been reported that Microsoft Operations Manager (MOM) can generate many bogus Event ID 9548 errors because of the way it's set up.

Microsoft decided it was time to fix this problem at its root, and has released a hotfix for Exchange 2003 that modifies how Exchange Server handles disabled users.

When applied, it suppresses Event ID 9548 errors on disabled accounts that have no msExchMasterAccountSid attribute set, but can still be read. However, it will still report an Event ID 9548 error on an object where it's not possible to tell if it's disabled due to the state of access control on the object.

Since this is a legitimate problem, it definitely deserves to be reported as an error and acted on. The hotfix makes it easier to determine which Event ID 9548 errors are legitimate and which aren't.

Note that legitimate Event ID 9548 errors can be fixed with the NoMAS tool, which is available from Microsoft Product Support Services at no charge. The tool queries any objects that have no msExchMasterAccountSid attribute and will attempt, with your guidance, to repair them if needed.

About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter.


MEMBER FEEDBACK TO THIS TIP

A few weeks ago, I obtained this hotfix from Microsoft. When I attempted to install it, I got a message saying it couldn't install on Exchange 2003 SP2. Go figure. The tech I worked with had all the pertinent information.
—Bill P.

******************************************

EventID.net is another excellent resource for troubleshooting Event ID errors.
—Kevin L.

******************************************

Your article mentions how this problem affects both Exchange 2000 and Exchange 2003 servers, yet the hotfix you provided a link for is only for Exchange 2003. Is there not a hotfix for Exchange 2000?
—Mark S.

******************************************

No, as far as I know there is no hotfix for Exchange 2000 for this issue, only Exchange 2003.
—Serdar Yegulalp, tip author

Do you have comments on this tip? Let us know.


Related information from SearchExchange.com:

  • Tip: Resource for troubleshooting Exchange Server Event IDs
  • Learning Center: Toolbox for Exchange administrators
  • Reference Center: Exchange Server administration tips and resources
  • Reference Center: Exchange Server information store tips and resources
  • This was first published in May 2006

    Dig deeper on Microsoft Exchange Server 2003

    Pro+

    Features

    Enjoy the benefits of Pro+ membership, learn more and join.

    0 comments

    Oldest 

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to:

    -ADS BY GOOGLE

    SearchWindowsServer

    SearchEnterpriseDesktop

    SearchCloudComputing

    SearchSQLServer

    Close