MSExchangeIS 5000 (0x8004010f): Cannot Mount Database Because of Incorrect Permissions or Invalid Characters in the Organization Name

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at https://go.microsoft.com/fwlink/?linkid=34707.]  

Topic Last Modified: 2007-01-23

The Microsoft® Exchange Database Troubleshooter Tool detected one or more MSExchangeIS 5000 events with error code 0x8004010f in the Application log. The event indicates that a database or databases on the Exchange server cannot be mounted because of incorrect permissions or invalid characters in the Exchange organization name.

Explanation

The MSExchangeIS 5000 event with error code 0x8004010f can occur if any of the following is true:

  • The authenticated users do not have read access in the Domain or Configuration containers in Active Directory. When this condition is true, if you try to install a second Exchange server in an administrative group that already contains an Exchange server, you may be unable to install the second server. Additionally, the Microsoft Exchange Information Store service may not start.

  • Read access permission for the Everyone account is missing from the WellKnown Security Principals container underneath the Configuration container in Active Directory. When this condition is true, the Exchange Information Store service does not start on a member server.

  • The Exchange organization name contains unsupported characters. When this condition is true, after you install Exchange 2000 Server or Exchange Server 2003, the Exchange Information Store service may not start, and you may find that events MSExchangeIS 5000 and MSExchangeIS 1121 are logged in the Application log.

The event can also be identified as MAPI_E_NOT_FOUND. The event applies to the following versions of Exchange server:

  • Microsoft Exchange Server 2007

  • Microsoft Exchange Server 2003

  • Microsoft Exchange 2000 Server

User Action

To resolve the issue, do one or more of the following.

Important

If you use the Active Directory Service Interfaces (ADSI) Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require that you reinstall Microsoft Windows® 2000 Server, Microsoft Windows Server™ 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.

  • If authenticated users do not have read access in the Domain or Configuration containers in Active Directory, use the ADSI Edit Tool in Exchange Server 2003 and Exchange 2000 Server to grant authenticated users read access in the Domain container and in the Configuration container in Active Directory. Follow these steps:

    Note

    The ADSI Edit Tool is located in the Microsoft Windows 2000 Support Tools and in the Microsoft Windows Server 2003 Support Tools. To install the Windows Support Tools, run Setup in the Support\Tools folder on the Windows CD. For more information about the Windows Support Tools, see the Sreadme.doc file in the Support\Tools folder on the Windows CD.

To grant authenticated users read access in the Domain or Configuration containers in Active Directory

  1. Click Start, click Run, type adsiedit.msc, and then click OK.

  2. Expand the Domain NC container, right-click the folder for the domain (DC=domain,DC=com), and then click Properties to open the folder properties.

  3. Click the Security tab, and then make sure that the Authenticated Users group has Read access selected in the Allow column. If Read is not selected, click to select Read, and then click OK.

  4. Expand the Configuration Container, right-click the folder for configuration (CN=Configuration,DC=domain,DC=com), and then click Properties to open the folder properties.

  5. Click the Security tab, and then make sure that the Authenticated Users group has Read access selected in the Allow column. If Read is not selected, click to select Read, and then click OK.

  6. Exit ADSI Edit.

  7. Allow time for the change to replicate among the domain controllers.

  8. Start the Information Store service.

  • If read access permission for the Everyone account is missing from the WellKnown Security Principals container underneath the Configuration container in Active Directory, follow these steps to resolve the problem:

To grant read access permission for the Everyone account in the WellKnown Security Principals container in Active Directory

  1. Log on as domain administrator, and then start ADSI Edit.

  2. Expand the Configuration container, and click the CN=WellKnown Security Principals container.

  3. Right-click Properties, and then locate the Security tab.

  4. Click Add, type everyone, and then click OK.

  5. Under the Allow column, click to select the Read check box.
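
The permissions that both procedures above set can be checked without opening ADSI Edit. The following read-only PowerShell audit is an added example, not part of the original Microsoft topic; the helper name Test-ReadAccess is hypothetical, and the script assumes that the Read check box in ADSI Edit corresponds to the GenericRead right.

```powershell
# Added example: read-only audit, nothing in Active Directory is modified.
# Assumption: the "Read" check box in ADSI Edit corresponds to GenericRead.
$GenericRead = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$InheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
$SidType     = [System.Security.Principal.SecurityIdentifier]

function Test-ReadAccess {   # hypothetical helper name
    param([string]$DistinguishedName, [string]$Sid, [string]$Trustee)

    $entry = [ADSI]"LDAP://$DistinguishedName"
    # Explicit and inherited ACEs, with trustees returned as SIDs
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true, $SidType)

    $allowed = 0
    $denied  = 0
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -ne $Sid) { continue }
        # Skip ACEs limited to a single attribute or property set
        if ($rule.ObjectType -ne [Guid]::Empty) { continue }
        # Skip ACEs that apply only to child objects, not to this container
        if (([int]$rule.PropagationFlags -band $InheritOnly) -ne 0) { continue }

        $rights = [int]$rule.ActiveDirectoryRights
        if ($rule.AccessControlType -eq 'Allow') { $allowed = $allowed -bor $rights }
        else                                     { $denied  = $denied  -bor $rights }
    }

    New-Object PSObject -Property @{
        Object    = $DistinguishedName
        Trustee   = $Trustee
        # Read may be granted by several ACEs, so test the combined mask
        ReadAllow = (($allowed -band $GenericRead) -eq $GenericRead)
        # A Deny ACE that covers a read right is worth reviewing separately
        ReadDeny  = (($denied -band $GenericRead) -ne 0)
    }
}

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainNC = [string]$rootDse.defaultNamingContext
$configNC = [string]$rootDse.configurationNamingContext

# S-1-5-11 = Authenticated Users, S-1-1-0 = Everyone (well-known SIDs)
Test-ReadAccess $domainNC 'S-1-5-11' 'Authenticated Users'
Test-ReadAccess $configNC 'S-1-5-11' 'Authenticated Users'
Test-ReadAccess "CN=WellKnown Security Principals,$configNC" 'S-1-1-0' 'Everyone'
```

Run it from a domain-joined computer with an account that can read the security descriptors. The script inspects only ACEs granted directly to the two well-known SIDs, so a ReadAllow value of False on any of the three objects matches one of the conditions listed under Explanation.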