Blog Post

Exchange Team Blog
2 MIN READ

Fix available to alleviate event ID 9548

The_Exchange_Team's avatar
The_Exchange_Team
Platinum Contributor
Mar 22, 2006

No doubt many of you are familiar with the event commonly seen in application logs of Exchange 2000 and 2003 servers, MSExchangeIS event 9548, indicating that the information store came across a disabled user who is missing the msExchMasterAccountSid attribute while processing some various task.  There are many KB articles associated with this event, such as 291151, 326990, 278966, 328880, 316047, and possibly more.  There have also been countless support cases where this design was at least a contributing factor.  Almost every application log from an Exchange 2000 or 2003 server ever seen has likely been littered with 9548 events, to the point where it has become an annoyance event.  For additional information on the event and the related information, I suggest reading this article: http://www.msexchange.org/articles/NoMAS-Tool.html.

 

A CDCR (Critical Design Change Request) was accepted last year to resolve the issue without having to run tools or scripts, and the first version of this fix was released last week.  The KB article is 903158.

 

The problem was that a decision was made during the development of Exchange 2000 that every disabled user account with a mailbox had to have the msExchMasterAccountSid attribute.  This is because in order for a mailbox to function within the store, a SID must be associated with the mailbox.  The logic worked like this:

 

1. If the user account associated with the mailbox is disabled, and has msExchMasterAccountSid, AND msExchMasterAccountSid is not the well-known SELF SID, then msExchMasterAccountSid is the SID that is associated with the mailbox.

 

2. If the user account is enabled, or if it is disabled and has msExchMasterAccountSid set to the well-known SELF SID, then use objectSid.

 

3. If the user account is disabled, and has no msExchMasterAccountSid, OR if we cannot tell if the user is enabled or disabled due to access control on the user object, or if we cannot read the objectSid due to access control, fail the operation and log the 9548 event.

 

In the 3rd case, the vast majority of the 9548 events came from the first part - that is, almost all 9548 events are due to disabled user accounts which are missing msExchMasterAccountSid.  The new logic works as follows:

 

1. If the user account associated with the mailbox is disabled, and has msExchMasterAccountSid, AND msExchMasterAccountSid is not the well-known SELF SID, then msExchMasterAccountSid is the SID that is associated with the mailbox.  (NOTE: No change here)

 

2. If the user account is enabled, or if it is disabled and has msExchMasterAccountSid set to the well-known SELF SID, OR if the user is disabled has does not have msExchMasterAccountSid, then use objectSid.  (Big change here)

 

3. If we cannot tell if the user account is enabled or disabled due to access control on the user object, or if we cannot read the objectSid due to access control, fail the operation and log the 9548 event.

 

So now, the only way you will get the 9548 event is due to a real problem with the user account associated with a mailbox.

 

- Alex Seigler

Updated Jul 01, 2019
Version 2.0
troubleshooting

47 Comments

Show More
  • Deleted's avatar
    Deleted
    Mar 23, 2006
    PingBack from http://blogs.msexchange.org/walther/2006/03/22/fix-available-to-alleviate-event-id-9548/
  • Deleted's avatar
    Deleted
    Mar 23, 2006
    I think I am missing something. I got the hotfix from support. When I run the hotfix it says: "You can install this hotfix on Service Pack 1 only".
    I didn't see mention of this limitation anywhere.
  • Deleted's avatar
    Deleted
    Mar 23, 2006
    For both questions, the answer is the objectSID of the disabled user account.  When the store sees "SELF", it grabs the objectSID and uses that (because that is what SELF means).

    So, for disabled user, if MAS is set to SELF, or if it is not set at all, we use the objectSID of the disabled user.  The only time we would use the SID in MAS as-is is when the attribute is populated and not SELF (like an NT4 SID or a SID from a different forest).

    -aseigler
  • Deleted's avatar
    Deleted
    Mar 23, 2006
    Forget what I wrote, ladies and gentlemen. The effects of the morning coffee just set in :)
  • Deleted's avatar
    Deleted
    Mar 23, 2006
    Well done.

    Now, let's examine #2 more closely:

    You wrote: If the user account is enabled ...then use objectSid.

    No problem with that.

    You wrote:
    if it is disabled and has msExchMasterAccountSid set to the well-known SELF SID...then use objectSid

    My question: Which ObjectSID? The disabled account's SID or SELF?

    You wrote:
    if the user is disabled has does not have msExchMasterAccountSid...then use objectSid

    Again, a question:
    Which ObjectSID? The disabled account's SID or SELF?

    The last 2 descriptions are not clear (to me) because, in one instance, there is MAS, and in another, there isn't. So, which SID are we using? The way I read KB903158 is that Exchange will always assume that MAS is equal to SELF SID and will ALWAYS use SELF SID even when there is no MAS associated with the disabled account. But your description does not make this clear when you mentioned objectSID.
  • Deleted's avatar
    Deleted
    Mar 23, 2006
    I'm sure a lot of you have seen event 9548 in your event logs from time to time.
    If 9548 isn't ringing a bell, maybe this example text will:

    Disabled user /o= Organization Name /ou= Administrative Group Name /cn=Recipients/cn= Computer Name does not
  • Deleted's avatar
    Deleted
    Mar 23, 2006
    Thank you, thank you, thank you.  I used to have a one-off script to set the attribute for disabled accounts (since we wanted the mailboxes to still function) until NoMAS came along.  Actually, I have always preferred MsAccntSidFixer, and I use it to this day.  Now I will be able to stop doing that once applied.  Thank you so much.

    Scott.