Exchange database files are being written to an encrypted folder

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at]  

Topic Last Modified: 2010-07-26

The Microsoft® Exchange Best Practices Analyzer Tool queries the Win32_Directory Microsoft Windows® Management Instrumentation (WMI) class to determine the value of the Encrypted key for the folder that contains the Microsoft Exchange Information Store database files. If the Exchange Server Analyzer finds the value for Encrypted set to True, an error is displayed.
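The same Win32_Directory check can be run by hand before or after a fix. The following PowerShell is an added example, not part of the Exchange Server Analyzer or the original topic. It goes one step further than the folder check and also reads the Encrypted attribute of each data file through CIM_DataFile. The function name is hypothetical, the path is the Exchange 2000/2003 default with drive C: assumed, and the path must be a local drive path (not UNC) on the target server.

```powershell
function Test-ExchangeFolderEncryption {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$ComputerName = '.'
    )

    # WQL string literals need backslashes doubled and single quotes escaped.
    $esc  = { param($s) $s.Replace('\', '\\').Replace("'", "\'") }
    $name = $Path.TrimEnd('\')

    # Folder-level check: the property the analyzer reads.
    $dir = Get-WmiObject -Class Win32_Directory -ComputerName $ComputerName `
               -Filter ("Name='{0}'" -f (& $esc $name))
    if (-not $dir) { throw "Folder not found through WMI: $Path" }

    # Each file carries its own Encrypted attribute, so check the data files too.
    # CIM_DataFile.Path is the folder path without the drive, ending in '\'.
    $drive    = $name.Substring(0, 2)
    $filePath = & $esc ($name.Substring(2) + '\')
    $exts     = 'edb', 'stm', 'log', 'dat', 'eml', 'chk'   # types listed in this topic

    $files = Get-WmiObject -Class CIM_DataFile -ComputerName $ComputerName `
                 -Filter ("Drive='{0}' AND Path='{1}'" -f $drive, $filePath) |
             Where-Object { $exts -contains $_.Extension -and $_.Encrypted }

    New-Object PSObject -Property @{
        Folder          = $dir.Name
        FolderEncrypted = $dir.Encrypted
        EncryptedFiles  = @($files | ForEach-Object { $_.Name })
    }
}

# Sample path: the Exchange 2000/2003 default location, drive C: assumed.
Test-ExchangeFolderEncryption -Path 'C:\Program Files\Exchsrvr\mdbdata'
```

A clean result has FolderEncrypted set to False and an empty EncryptedFiles list.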

On a computer that is running Exchange 2000 Server or Exchange Server 2003, the database files are written to the following default location:

<drive>:\Program Files\Exchsrvr\mdbdata

On a computer that is running Exchange Server 2007, the database files are written to the following default location:

<drive>:\Program Files\Microsoft\Exchange Server\Mailbox\<Storage Group Name>

Microsoft does not support the storage of Exchange data files on an Encrypting File System (EFS) encrypted volume. When you store your Exchange data files on an encrypted volume, the additional overhead significantly affects Exchange performance. The Exchange data files include all the following files:

  • .edb files

  • .stm files

  • .log files

  • .dat files

  • .eml files

  • .chk files

To help secure your Exchange data files, we recommend that you prevent unauthorized access to the Exchange computer and that you use the S/MIME message format to encrypt message data.

To resolve this problem, you must either turn off file encryption on the folder where the database files are being written, or move the database files to a folder where encryption is not enabled.

To turn off file encryption on a folder

  1. Right-click the folder on which you want to turn off file encryption, and then click Properties.

  2. On the General tab, click Advanced.

  3. In the Advanced Attributes dialog box, click to clear the Encrypt contents to secure data check box, and then click OK.

To move the database files to a folder where encryption is not enabled (Exchange System Manager)

  1. Open Exchange System Manager.

  2. Expand Administrative Groups, expand your administrative group, expand Servers, expand your server, expand your storage group, right-click Mailbox Store, and then click Properties.

  3. On the Database tab, under Exchange database, or Exchange streaming database, click Browse, type the path location to a folder where encryption is not enabled, and then click OK.

  4. Click OK or Apply to apply your changes, and then click Yes on the warning message.

  5. After you click Yes, the stores (databases) are dismounted, moved, and remounted. When these procedures are successfully finished, you receive the following informational message:

    The database files have been moved successfully

To move the database files to a folder where encryption is not enabled (Exchange Server 2007)

  1. Follow the guidance in the core Exchange Server 2007 documentation, "How to Move a Storage Group Path" (

For more information about how to move database files, see Microsoft Knowledge Base article 821915, How to Move Exchange Databases and Logs in Exchange Server 2003.

For more information about Exchange Server data files and EFS, see Knowledge Base article 834638, Information about the storage of data files on an encrypted volume in Exchange Server.

For information about how to secure messages in Exchange Server 2003, see the Exchange Server 2003 Message Security Guide.

