A high number of ACL upgrade failures are occurring

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at https://go.microsoft.com/fwlink/?linkid=34707.]  

Topic Last Modified: 2005-11-18

The Microsoft® Exchange Server Analyzer Tool queries the Win32_PerfRawData_MSExchangeIS_MSExchangeIS Microsoft Windows® Management Instrumentation (WMI) class to determine the current value of the ACLUpgradefailures key. The ACLUpgradefailures key represents the ACL Upgrade: failures performance counter under the MSExchangeIS performance object.

If the Exchange Server Analyzer finds that the value for the ACLUpgradefailures key is larger than 500, the Exchange Server Analyzer displays a warning.

This warning indicates that the Exchange server has reported many access control list (ACL) upgrade failures. Excessive ACL upgrade failures can cause severe performance problems that include random stops in the Information Store process (store.exe).

ACL upgrade failures can occur for a variety of reasons and are known to occur when the following conditions are true:

  • In a mixed mode Exchange organization, the Exchange Server version 5.5 consistency adjuster was not run before you implemented the Active Directory Connector (ADC) server. The Exchange Server 5.5 consistency adjuster removes orphaned ACLs.

  • Active Directory replication is not working correctly.

  • Active Directory Connector replication is not correctly replicating accounts over from Exchange Server 5.5 to Active Directory.

  • There was an incorrect migration of user accounts.

To correct this warning

  1. Review the Microsoft Knowledge Base article 812963, "Using the Ignore Zombie Users Registry Key" (https://go.microsoft.com/fwlink/?linkid=3052&kbid=812963).

  2. After you understand the implications of using the Ignore Zombie Users registry key, add the key at your own discretion.

  3. Run the Exchange Server Analyzer or monitor the ACL Upgrade: failures performance counter to look for excessive ACL upgrade failures.