Posted by: Andy Grogan | August 4, 2007

Missing Exchange Database, or Database will not mount after setting a deny in the ESM…

This article is otherwise known as “where did my information store go?”.

It amazes me how many people out there are brave enough to change the default permissions on the Information Stores from within the Exchange System Manager – it is a very dangerous thing to do, and can result in your Exchange server not functioning correctly.

Admittedly, there are occasions where you may need to modify the permissions – for example, when creating an account for an archiving product and the like. However, there seems to be a growing trend of people I have spoken with recently who have either accidentally set a “Deny” entry on a key group on either the server or the database within a storage group (normally I have seen the “Everybody” group denied access), or have been trying to make the server more secure but did not understand the ramifications of making the change.

OK, let's see what happens when you set a deny entry on the “Everyone” group – normally your storage group will look like this:

 

 

As you can see, the databases are mounted and working just fine. This is correct, as the permissions on the database are set like so:

You will notice that the “Everyone” group has a single inherited Allow permission entitled “Create Named Properties in the Information Store” – and none of the other permissions entries are set to either “Deny” or “Allow”.

Now let's see what happens when you remove this permission (essentially, remove the inherited rights and set the “Everyone” group to a global Deny on every property):

 

You can see that the “Mailbox Store” has disappeared, and although it might be mounted you will find that users cannot access the store.

Right, so now we are in a little bit of a pickle, as you cannot see the store to get the permissions back. Is all lost? No, not quite.

On your Exchange Server, install the Windows 2003 support tools (or Windows 2000), open up ADSI Edit and navigate to the following section:

CN=InformationStore,CN=<Your Exchange Server>,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=<Your Exchange Org>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<Your Domain>,DC=<Your Domain>

And you will find yourself at a screen which looks like this:

 

When you have selected the Storage Group that contains the missing database, the right-hand pane of ADSI Edit will change to look like the following:

 

 You will see the entry for the missing mailbox store.

Right click on this entry and select “Properties” – you will get a message like the following:

 

 

 

Click on the OK button and you will be presented with the following dialog box, click on the security tab and select the “Everyone” group:

 

 

You will need to change the permissions setting so the Everyone group has Full Control – when you have done this – click Apply – then go back to the ESM (or better still close it and reopen it) and your store should be back, and you should have control over it again.
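To see which Deny entries are present on the database objects before (or after) changing anything in ADSI Edit, the ACLs can be read from the same location in the Configuration partition. The script below is an added example, not part of the original post; it is read-only, and the function name `Get-DenyAce` and the `$storageGroupDn` placeholder value are assumptions that you replace with your own names.

```powershell
# Added example: list Deny ACEs on every database object under one storage group.
# Read-only: it never writes a security descriptor.
# Assumption: replace the <...> placeholders with your own server, org and domain.
$storageGroupDn = 'CN=First Storage Group,CN=InformationStore,CN=<Your Exchange Server>,' +
    'CN=Servers,CN=First Administrative Group,CN=Administrative Groups,' +
    'CN=<Your Exchange Org>,CN=Microsoft Exchange,CN=Services,CN=Configuration,' +
    'DC=<Your Domain>,DC=<Your Domain>'

$everyoneSid = 'S-1-1-0'   # well-known SID of the Everyone group
$sidType     = [System.Security.Principal.SecurityIdentifier]

function Get-DenyAce {
    param([string]$ContainerDn)

    $container = [ADSI]"LDAP://$ContainerDn"
    foreach ($child in $container.psbase.Children) {
        $name = $child.psbase.Name
        try {
            # Explicit and inherited rules, with trustees returned as SIDs so the
            # comparison does not depend on localized group names.
            $rules = $child.psbase.ObjectSecurity.GetAccessRules($true, $true, $sidType)
        } catch {
            # A descriptor that cannot be read is itself worth reporting.
            New-Object PSObject -Property @{
                Object = $name; Trustee = '(unreadable)'; IsEveryone = $null
                Rights = $_.Exception.Message; Inherited = $null
            }
            continue
        }
        foreach ($rule in $rules) {
            if ($rule.AccessControlType -ne 'Deny') { continue }
            New-Object PSObject -Property @{
                Object     = $name
                Trustee    = $rule.IdentityReference.Value
                IsEveryone = ($rule.IdentityReference.Value -eq $everyoneSid)
                Rights     = $rule.ActiveDirectoryRights
                Inherited  = $rule.IsInherited
            }
        }
    }
}

Get-DenyAce -ContainerDn $storageGroupDn |
    Format-Table Object, Trustee, IsEveryone, Inherited, Rights -AutoSize
```

A row with `IsEveryone` set to `True` and `Inherited` set to `False` is the kind of explicit Deny entry described above.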


Responses

  1. [...] Missing Exchange Database, or Database will not mount after setting a deny in the ESM… [...]

  2. Hi my friend, I did what you suggested, because I have the same situation on my server, but when I try to do the right click to select “Properties” – I get a message like the following:

    An invalid directory pathname was passed

    Unfortunately in a different message.

    Can you please give me some help to resolve this issue.

    Thank you in advance

  3. Max, I have sent you an e-mail – let me know.
    Cheers – Andy

  4. Hello, I have the same problem as Max.
    Would you help me too?
    Thanks

  5. I found the solution
    You have to restore permission using DSACLS
    Example:
    First, check your permission using the command line without parameters ( / stuff)
    Optionally, you can remove inheritance from its parent objects using /P:N
    dsacls "CN=Mailbox Store (SERVERNAME),CN=First Storage Group,CN=InformationStore,CN=SERVERNAME,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=DOMAIN,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=domain" /R Everyone
    And then
    dsacls "CN=Mailbox Store (SERVERNAME),CN=First Storage Group,CN=InformationStore,CN=SERVERNAME,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=DOMAIN,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=domain" /G Everyone:GA

    Replace SERVERNAME and DOMAIN with what applies to your server, and DC=domain,DC=domain will be e.g. DC=microsoft,DC=com

    Let me know if it was helpful

    Marce

  6. Hmmm, suppose I removed all permissions accidentally and the above trick does not work because it says … The server is not operational, but all the other storage groups are working … what level of ^&* am I in?

  7. Hi Andy, I got the same error as Max did before. Would you be able to post up the fix or email me the fix, please?

  8. I am having this same issue Andy, Can you send me the way to fix it too?

  9. Andy,

    I’m having the same error message as Max, Can you please email me a resolution?

    Thanks in advance

    • I am having the same problem.

      Andy,

      kindly help and provide some guidance here

      Thanks in advance

