Warning - validation error

Hello,

For a while now I have been getting a warning every time I open a distribution group or mail-enabled security group in the on-prem admin center. 
"The object removed has been corrupted or isn't compatible with Microsoft support requirements, and it's in an inconsistent state. The following validation errors happened:
The access control entry defines the ObjectType 'a8df73ef-c5ea-11d1-bbcb-0080c76670c0' that can't be resolved.."

As far as I can figure, 'a8df73ef-c5ea-11d1-bbcb-0080c76670c0' refers to the 'Employee Number' LDAP attribute, which a group object does not have?
It doesn't appear to cause any issues, but I would still like to fix the problem. 

Anyone got any ideas as to what might be causing this error? We are running Exchange 2016 CU16 in a hybrid environment.

@ChristianBergstrom 
Thank you for the suggestion.
I ran "Get-Mailbox -monitoring" but found no errors there. 

@Gly Hey, try this then :)

https://social.technet.microsoft.com/Forums/en-US/213afa53-0b61-4dd6-a807-a0262aa16474/the-access-co...

What I want to highlight is this.

1. Run IISReset on all Exchange servers.
2. If resetting IIS does work, reboot all Exchange servers and check the result.

@ChristianBergstrom 
I have tried this earlier, both IIS reset and reboot. I have also tried recycling the "MSExchangeECPAppPool" as suggested in the post.

@Gly I'm sure one of the Exchange experts will reply with a solution. At least we have narrowed it down then.

@ChristianBergstrom 
I checked the AD permissions for the domain now, and it's not yielding any errors either.

@VickVega 
I have not. I tried to verify the Active Directory versions now, and I see in ADSI that the 'objectVersion' in the Configuration naming context is <not set>. So you may be onto something. We will try to update the schema again next week.

@Gly did you find a fix? I have exactly the same warning messages when editing Distribution Groups in Ex2016 EAC.

@blozza77 No, I did not - sorry for not updating the post. Eventually we tried to update the schema again, but it did not resolve the issue.

Did you manage to fix this?

@MarcoLFrancisco no we never did, we just live with the warning. It doesn't appear to cause any issues; changes still apply to objects when you ignore the message.

I still think it's a legacy schema object artefact somewhere. We've had Exchange in our AD since version 5.x and retired many child domains.

Did you check the security permissions of the OU where the problematic objects remain? And compare with the security permissions for an OU that does not sync to Azure.

Also you can try to resolve the SID with psgetsid:

C:\PSTools>.\PsGetsid.exe a8df73ef-c5ea-11d1-bbcb-0080c76670c0

https://learn.microsoft.com/en-us/sysinternals/downloads/psgetsid
Do you use LAPS by any chance?
Try the following:
1- Create a New OU in AD
2- Disable inheritance for that OU
3- Open the Properties of the OU, Security, and remove all permissions except for Exchange permissions and System; Apply, exit and refresh the AD view;
4- Go again to the OU Properties, to Security, then the Advanced button to double-check that everything not System or Exchange is really gone. If you see anything not System or Exchange, remove it;
5- Place a problematic DL in that OU;
6- Go to ECP, check if you have error, you may not have.
7- Run AD sync to Azure and check again for the error.

If you do not get an error, add the rest of the groups to the permissions one by one and check for the error. If you use LAPS start with that one. If you find it just create a new group for the same purpose and with the same permission on the OU and you should be fine.
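A way to find which ACE carries the unresolvable ObjectType before stripping OU permissions, added here as an example and not taken from this thread: it compares the ObjectType GUID of every ACE on a group (or on the OU holding it) against the forest's schemaIDGUID and extended-right rightsGuid values, which is what ACE ObjectType GUIDs refer to. It assumes the ActiveDirectory PowerShell module and uses a placeholder DN.

```powershell
# Added diagnostic, not from the thread: list every ACE on an AD object whose
# ObjectType GUID does not resolve to a schema attribute/class or an extended right.
# Assumes the ActiveDirectory PowerShell module; $targetDn is a placeholder to replace.
Import-Module ActiveDirectory

$targetDn = 'CN=Example DL,OU=Groups,DC=contoso,DC=com'   # placeholder DN

$rootDse  = Get-ADRootDSE
$schemaNc = $rootDse.schemaNamingContext
$configNc = $rootDse.configurationNamingContext

# ACE ObjectType GUIDs are either schemaIDGUIDs (attributes, classes) or the
# rightsGuid of a controlAccessRight object (extended rights, property sets).
$known = @{}
Get-ADObject -SearchBase $schemaNc -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $known[([guid]$_.schemaIDGUID).Guid] = "schema:$($_.lDAPDisplayName)" }
Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $known[([guid]$_.rightsGuid).Guid] = "right:$($_.displayName)" }

$sd = (Get-ADObject -Identity $targetDn -Properties nTSecurityDescriptor).nTSecurityDescriptor

$report = foreach ($ace in $sd.Access) {
    $ot = $ace.ObjectType.Guid
    if ($ot -eq [guid]::Empty.Guid) { continue }      # ACE covers the whole object
    [pscustomobject]@{
        Identity   = $ace.IdentityReference
        Rights     = $ace.ActiveDirectoryRights
        Type       = $ace.AccessControlType
        Inherited  = $ace.IsInherited                   # True => the ACE comes from a parent OU
        ObjectType = $ot
        ResolvesTo = if ($known.ContainsKey($ot)) { $known[$ot] } else { 'UNRESOLVED' }
    }
}

# The GUID from the thread (a8df73ef-c5ea-11d1-bbcb-0080c76670c0) will appear either with
# the lDAPDisplayName it maps to in this forest, or as UNRESOLVED if the schema lacks it.
$report | Where-Object ResolvesTo -eq 'UNRESOLVED' | Format-Table -AutoSize
```

An ACE reported as inherited originates on a parent container, so that container, not the group itself, is where it would have to be corrected.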