Legacy account information present in native mode administrative group

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at https://go.microsoft.com/fwlink/?linkid=34707.]  

Topic Last Modified: 2005-11-17

The Microsoft® Exchange Server Analyzer Tool queries the Active Directory® directory service to determine if the msExchLegacyAccount attribute on each Exchange administrative group object contains data.

The Exchange Server Analyzer also queries Active Directory to determine the value of the msExchAdminGroupMode attribute of each administrative group. A value of 0 for the msExchAdminGroupMode attribute indicates the administrative group is in Exchange native mode. A value of 1 indicates a pure Exchange Server 5.5 environment, and a value of 2 indicates Exchange mixed mode.

If the Exchange Server Analyzer finds that the msExchLegacyAccount attribute contains data, and that the value for the msExchAdminGroupMode attribute is 0, an error is displayed.

When you switch to Exchange native mode, the msExchLegacyAccount attribute is deleted. This attribute is only used in mixed mode Exchange organizations where Exchange Server 5.5 is still present. The actual attribute data is the Exchange Server 5.5 service account, and its presence in the msExchLegacyAccount attribute in a native mode Exchange organization will cause malfunctions during upgrades and service pack installations. In fact, just the presence of the attribute, even without data in it, will cause malfunctions. This is because Exchange Setup uses this attribute as a means of discovering whether an Exchange organization is in mixed mode or native mode. If this attribute exists, Exchange Setup runs in a mixed mode configuration for an installation that is actually in native mode.

It is likely that the msExchLegacyAccount attribute still exists if you manually removed data from Active Directory using the Active Directory Service Interfaces (ADSI) Edit snap-in.

You must remove this data from the msExchLegacyAccount attribute by manually editing the attribute with the LDP (ldp.exe) tool. You must use the LDP tool or another Lightweight Directory Access Protocol (LDAP) version 3 client that will completely remove both the data and the attribute from the directory. The ADSI Edit snap-in is not sufficient in this case, because it only removes the data and leaves the attribute in place. LDP.exe is included in the Windows® Support Tools package.

Warning

If you incorrectly modify the attributes of Active Directory objects when you use ADSI Edit, the LDP tool, or another LDAP version 3 client, you may cause serious problems. These problems may require that you reinstall Microsoft Windows Server™ 2003, Exchange Server 2003, or both. Modify Active Directory object attributes at your own risk.

To remove the msExchLegacyAccount attribute

  1. Start LDP.exe.

  2. On the Connection menu, click Connect; in the Connect dialog box, enter the name of a Domain Controller in the same Active Directory forest as your Exchange Organization, and then click OK.

  3. On the Connection menu, click Bind; in the Bind dialog box, enter credentials that have at least Exchange Full Admin rights at the Administrative Group level, and then click OK.

  4. On the View menu, click Tree; in the Tree View dialog box, leave the field empty if you are connecting from the root domain; otherwise, enter CN=Configuration,DC=Domain_name,DC=Domain_suffix, where Domain_name is the root domain in the Active Directory forest and Domain_suffix is the domain suffix, for example, com, net, or org. Click OK.

  5. Expand the hierarchy view in the left pane of LDP until you open your administrative group. To do this, double-click the nodes in the following order (note that each node in LDP is followed by the full Distinguished Name (DN); only the left-most CNs are noted here for clarity):

    1. DC=Domain_name

    2. CN=Configuration

    3. CN=Services

    4. CN=Microsoft Exchange

    5. CN=Organization_name

    6. CN=Administrative Groups

    7. CN=Administrative_group_name

    In the details (right) pane of LDP, scroll down to view the attributes of your administrative group. If the msExchLegacyAccount attribute is there, you must delete it. If the msExchLegacyAccount attribute is there, it is likely that the msExchLegacyDomain and the msExchEncryptedPassword attributes are also present. If they are, you must delete these as well.

  6. In the hierarchy (left) pane of LDP, right-click Administrative_group_name and then click Modify.

  7. In the Modify dialog box, verify that the full DN listed in the Dn field correctly identifies the administrative group you need to modify. It should read: CN=Administrative_group_name,CN=Administrative Groups,CN=Organization_name,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Domain_name.

  8. In the Modify dialog box, under Operations, select Delete; under Edit entry, enter msExchLegacyAccount in the Attribute field, and then click Enter. This adds msExchLegacyAccount to the Entry List. The Entry List defines the attributes that will be deleted when you click Run.

  9. If either the msExchLegacyDomain or the msExchEncryptedPassword attributes exist in the administrative group, add them to the Entry List as described in Step 8.

  10. When the Entry List contains the attributes that you must delete, click Run. A status message will appear in the LDP details pane.

  11. On the Connection menu, click New to clear the LDP details pane.

  12. Navigate to CN=Administrative_group_name and double-click the object. Review the contents of the right pane to verify that the attributes are deleted.
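The Analyzer's check (msExchAdminGroupMode of 0 combined with a still-present msExchLegacyAccount) and the attribute removal the steps above perform, as an added Python example that is not the Analyzer's or LDP's own code; the Contoso forest, the administrative group names and the service account it uses are constructed sample values.

```python
# Added example, not the Exchange Server Analyzer's own code: it reproduces the
# page's check and builds the LDIF that removes the attributes themselves.
# Every administrative group below is constructed sample data.
MODE_NATIVE, MODE_EXCHANGE55, MODE_MIXED = 0, 1, 2
LEGACY_ATTRS = ("msExchLegacyAccount", "msExchLegacyDomain", "msExchEncryptedPassword")
CONFIG_BASE = ("CN=Administrative Groups,CN=Contoso,CN=Microsoft Exchange,"
               "CN=Services,CN=Configuration,DC=contoso,DC=com")

def ag_dn(name):  # DN of an administrative group in the constructed Contoso forest
    return f"CN={name},{CONFIG_BASE}"

# Constructed LDAP-search-like records; an empty value list models what ADSI Edit leaves.
SAMPLE_ADMIN_GROUPS = {
    ag_dn("First Administrative Group"): {
        "msExchAdminGroupMode": [MODE_NATIVE],
        "msExchLegacyAccount": ["CONTOSO\\exchange55svc"],
        "msExchLegacyDomain": ["CONTOSO"],
    },
    ag_dn("Second Administrative Group"): {
        "msExchAdminGroupMode": [MODE_NATIVE],
        "msExchLegacyAccount": [],  # data cleared, attribute still present
    },
    ag_dn("Third Administrative Group"): {  # mixed mode: attribute is expected here
        "msExchAdminGroupMode": [MODE_MIXED],
        "msExchLegacyAccount": ["CONTOSO\\exchange55svc"],
    },
    ag_dn("Fourth Administrative Group"): {"msExchAdminGroupMode": [MODE_NATIVE]},
}

def find_stale_legacy_attrs(admin_groups):
    """Return {dn: [attribute names]} for native-mode groups still carrying a legacy
    attribute. Presence alone counts: Exchange Setup tests existence, not contents."""
    findings = {}
    for dn, attrs in admin_groups.items():
        if attrs.get("msExchAdminGroupMode", [None])[0] != MODE_NATIVE:
            continue
        stale = [name for name in LEGACY_ATTRS if name in attrs]
        if stale:
            findings[dn] = stale
    return findings

def ldif_delete_attributes(dn, attr_names):
    """LDIF modify using 'delete:' with no values, which removes the attribute
    itself rather than only its data (the change the LDP Delete operation sends)."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for name in attr_names:
        lines += [f"delete: {name}", "-"]
    return "\n".join(lines) + "\n"
```

The LDIF text can be imported on a domain controller with ldifde -i -f <file>, bound as an account holding the same Exchange Full Admin rights the LDP procedure requires.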

For more information about modifying Active Directory with the LDP tool, see the Microsoft Knowledge Base article 260745, "XADM: Using the LDP Utility to Modify Active Directory Object Attributes" (https://go.microsoft.com/fwlink/?LinkId=3052&kbid=260745).