Tip

Put an end to persistent Exchange Server Event ID 9548 errors

Please let others know how useful this tip is via the rating scale at the end of it. Do you have a useful Exchange or Outlook tip, timesaver or workaround to share? Submit it to SearchExchange.com. If we publish

    Requires Free Membership to View

it, we'll send you a nifty thank-you gift.
VIEW MEMBER FEEDACK TO THIS TIP

Exchange Server administrators who patrol their Exchange 2000 and Exchange 2003 event logs regularly are probably all too familiar with Event ID 9548. This error is thrown whenever the Exchange information store comes across a disabled user that is missing the msExchMasterAccountSid attribute.

The persistence of this error is something of a running joke in Exchange administrator circles, since it's almost impossible not to get Event ID 9548 in a an Exchange Server email environment with one or more disabled users.

The attribute in question is used to calculate permissions on disabled objects for Exchange access control lists (ACLs). Any disabled user account should (in theory) always have this attribute set, but for a galaxy of reasons it sometimes isn't. For one, it's not enforced by the Active Directory Users and Computers (ADUC) snap-in, so its state is not always consistent.

It's relatively easy to disable a user account without also setting the msExchMasterAccountSid attribute, which results in a plethora of -- often spurious -- Event ID 9548 errors. It's been reported that Microsoft Operations Manager (MOM) can generate many bogus Event ID 9548 errors because of the way it's set up.

Microsoft decided it was time to fix this problem at its root, and has released a hotfix for Exchange 2003 that modifies how Exchange Server handles disabled users.

When applied, it suppresses Event ID 9548 errors on disabled accounts that have no msExchMasterAccountSid attribute set, but can still be read. However, it will still report an Event ID 9548 error on an object where it's not possible to tell if it's disabled due to the state of access control on the object.

Since this is a legitimate problem, it definitely deserves to be reported as an error and acted on. The hotfix makes it easier to determine which Event ID 9548 errors are legitimate and which aren't.

Note that legitimate Event ID 9548 errors can be fixed with the NoMAS tool, which is available from Microsoft Product Support Services at no charge. The tool queries any objects that have no msExchMasterAccountSid attribute and will attempt, with your guidance, to repair them if needed.

About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter.


MEMBER FEEDBACK TO THIS TIP

A few weeks ago, I obtained this hotfix from Microsoft. When I attempted to install it, I got a message saying it couldn't install on Exchange 2003 SP2. Go figure. The tech I worked with had all the pertinent information.
—Bill P.

******************************************

EventID.net is another excellent resource for troubleshooting Event ID errors.
—Kevin L.

******************************************

Your article mentions how this problem affects both Exchange 2000 and Exchange 2003 servers, yet the hotfix you provided a link for is only for Exchange 2003. Is there not a hotfix for Exchange 2000?
—Mark S.

******************************************

No, as far as I know there is no hotfix for Exchange 2000 for this issue, only Exchange 2003.
—Serdar Yegulalp, tip author

Do you have comments on this tip? Let us know.


Related information from SearchExchange.com:

  • Tip: Resource for troubleshooting Exchange Server Event IDs
  • Learning Center: Toolbox for Exchange administrators
  • Reference Center: Exchange Server administration tips and resources
  • Reference Center: Exchange Server information store tips and resources

    This was first published in May 2006

  • There are Comments. Add yours.

     
    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to:

    Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.