Access Denied error message when starting Exchange 5.5 Administrator


I have searched Microsoft's knowledge base and used various articles to attempt to correct the problem I have, but none work.
The articles include Q256986, Q170472 and Q288952.

The problem I have is as follows:  I have set up a dummy server with Small Business Server 4.5 and Exchange 5.5 installed.  This server is set up to replicate our main server; it has the same IP address, computer name, site name, organisation name and service account logon details for Exchange, plus it's not connected to a network.  This is so we can take the main server off the network for maintenance and attach the dummy server.

What I am attempting to do is copy over the Exchange mailboxes from the main server to the dummy server.  I have tried using NT4's backup and restore facility for Exchange to copy the directories, which didn't work.  I have also tried simply backing up and restoring to the dummy server the following directories:

When I then try to open the Exchange administrator it comes up with the following message:

A connection cannot be made to the microsoft exchange server.
You do not have permissions required to complete this operation.

I have tried various options suggested in the Microsoft knowledge base (see article numbers earlier) and none work.

The Exchange System Attendant service and Directory service start OK, but the Exchange Information Store fails to start with the error message:
returned service specific error 4021.

Can you HELP!!!!!




This is because the service account you are using might have the same exact name and password, but the SID for the service account is different. You see, the Security Identifier (SID) is actually HARD-CODED in the directory database. (Dir.edb)

I have seen this a million times when people are doing what you are doing. I'm guessing you probably created a new domain offline, and you are using a brand new service.
Even though everything appears the same offline, the SID is different.
In this situation, the directory service will start, but because the SID is different, the directory thinks you are using a different account, and, the information store will not start as well.

If you are wanting to accomplish this, you will have to get the SID for the service account offline somehow. The most popular way of doing this is to add a BDC to the domain, replicate the SAM database (with all of the SIDs), then take the new BDC offline, promote it to a PDC, and you now have an exact replica of your production network's domain offline.

Once you accomplish this, you WILL get all of the Exchange services to start.

Hope this helps!!!
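A check that follows from the explanation above, added here as an example and not part of the thread: resolve the service account name to its SID on the offline replica and compare it with the SID recorded on the production PDC. The account name and the production SID are placeholders you would substitute; the point is that the domain identifier part of the SID differs when the domain was recreated, however identical the name and password look.

```powershell
# Added example: compare the Exchange service account's SID on this machine
# with the SID recorded on the production PDC. Both values below are assumed
# placeholders; record the real production SID with Get-AccountSid first.
$AccountName   = 'DOMAIN\ExchangeService'                            # assumed name
$ProductionSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'    # placeholder

function Get-AccountSid {
    param([string]$Name)
    $nt = New-Object System.Security.Principal.NTAccount($Name)
    # Translate() resolves the name through the local SAM / domain and throws
    # if the account does not exist here.
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Compare-ServiceAccountSid {
    param([string]$Name, [string]$Expected)
    $actual = Get-AccountSid -Name $Name
    # A domain SID has the form S-1-5-21-<domain identifier>-<RID>.
    # A freshly created domain with the same name gets a new domain identifier,
    # so every account in it has a new SID even if names and passwords match.
    $actualDomain   = (($actual   -split '-')[0..6]) -join '-'
    $expectedDomain = (($Expected -split '-')[0..6]) -join '-'
    [pscustomobject]@{
        Account       = $Name
        ExpectedSid   = $Expected
        ActualSid     = $actual
        SidMatches    = ($actual -eq $Expected)
        DomainMatches = ($actualDomain -eq $expectedDomain)
    }
}

$result = Compare-ServiceAccountSid -Name $AccountName -Expected $ProductionSid
$result | Format-List
if (-not $result.SidMatches) {
    Write-Warning 'Service account SID differs from production; the directory will not recognise this account.'
}
```

A SidMatches value of False with DomainMatches also False is the rebuilt-domain case described in the answer; a matching domain identifier with a different RID would instead point at the account itself having been recreated.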

I'm a little confused.  You have two servers.  Both, it seems, are Primary Domain Controllers and it would seem both would have the same domain name.  If that's true, they can't be on the net at the same time and could never talk to each other.

I don't think SBS permits Trust relationships... so they can't be on with different domains.

So one of them has to be a PDC and the other a BDC.  The BDC isn't going to like being a BDC if it's away from its PDC for long.

How many users do you have??

If you have a lot, then you need to do it right.  Set up a BDC with an Exchange Server and replicate the mail.  

If you don't have a lot, then send everyone's mail to their PST files (and then if you want, copy it back to the server.)

You are going to have to be under the domain control of the same domain controller when you install Exchange Server on both machines.

Try to keep it simple.  Why are you doing this?



1. If you will note pete-mbs' second paragraph, he states "plus it's not connected to a network."

He is trying to build a replica of the server OFFLINE. (Like a lot of people do)

2. HDWILKINS - "If you have a lot, then you need to do it right.  Set up a BDC with an Exchange Server and replicate the mail."   ??????? <--- That is not possible with Exchange, the emails DO NOT replicate between servers, having a second server in the site does NO good here.

3. HDWILKINS - "If you don't have a lot, then send everyone's mail to their PST files (and then if you want, copy it back to the server.)" <---- This is very dangerous; if you have everyone pushing their mail to a PST file, where is the fault tolerance there??? If someone's PST file goes bad, who's to blame? You cannot expect users to back up their own PST files! (Try putting everyone's PST files on a file server and see how good performance is!)

If you want to talk about the number one way to stay fault tolerant and ready for recovery, separate the log files from the databases (put them on separate drives) and spend all of your time performing backups and testing them. Simple as that.

I know where you are trying to go with this, pete-mbs.
Just go with my explanation above, and you will be fixed. The reason you are getting the access denied error, and the information store won't start, is because the SID for the account that you are using as the service account is different. You need to get a BDC onto the production network...replicate the SAM database with all of the NT accounts, then take it offline and promote it to a PDC.
Then try your Exchange project again. (It will work)


You are correct in that looking back I see that he is using 'Backup and Restore'

I think you are wrong about the replication.  I've done it but I can't find the right Microsoft paper to support my position.  

The attached URL comes close:  Once you replicate the directories and break the link, the directories are on both machines.  (This isn't exactly the document I was looking for, but it's close.)

I will grant you that I don't remember if this procedure is possible with Back Office because of the limitations on that product (which I never use for those reasons.)

As to using PST files, depending on the number of users, this is a very acceptable thing to use.  Microsoft has tools to do it: or;EN-US;q177776 , etc.

All of this, including your comments about a BDC (to which I agree) will require that the two servers get on line together which probably isn't going to happen unless he blows the second server away and re-installs.

I'm sort of wondering why pete-mbs is doing this the way he is.  

You can't find the right doc, and you won't, because it's impossible....I find it really hard to believe that you have done it too....must have taken some serious hacking...

I can guarantee you that replicating the directory from server1 to server2 does NOT put a copy of anything.....if the mailboxes are homed on server1 and it goes down, the mailboxes are NOT accessible. You cannot have two objects HOMED on two directories. IMPOSSIBLE. The only things that are fault tolerant in that manner are public folders. You CAN place a copy of a public folder onto another server; if the first server goes down, you have a copy of the public folder on the second server.
As for mailboxes, the entries are replicated to the second server, but they are only visible for users to browse the GAL and things like that, the emails and mailboxes are NOT copied to the second server, and WILL NOT be accessible if the first server goes down.

Could you imagine a place like the Air Force that has hundreds of sites. They replicate thousands of servers; if your theory was true that all of the emails and mailboxes are replicated, then every single private database would be in the hundreds of terabytes!!!!........I promise and guarantee that the emails do not replicate to a second server, and that the mailboxes might replicate to the second server, but if the first server goes down, you're still out of luck because they are homed on the first server.

You said that if you replicate directories and break the link....what good does that do? Then you will have two servers in your directory; as soon as you delete the first server, all of the mailboxes homed on that server will be deleted. Create a mailbox, replicate it to a second server, look at the attributes on it: it will only be accessible if the home server is up and running. It DOES NOT put a copy of the mailbox and its contents on the second server, only makes the mailbox viewable from the GAL for users on the second server.
Even if you replicate a mailbox to a second server, you would have to hack and hack and hack the attributes to rehome it if the first server went down, and you still would be without email because they are not replicated to the second server....

Trust me, it is very imperative to have a clear understanding of replication when you support Exchange....

Have you tested your own theory????? (that mailboxes and their emails replicate to the second server in the site) If you create a mailbox and replicate it to the second server in the site, take the first server down and try to logon. It won't work, number one you have to have the Exchange server name in your cannot put the second server's name because the mailbox is not homed there. The second server is going to say, heh, "that mailbox is not homed here, I might have a copy in the directory, but you can't logon to it because the server it is homed on is down"

As for the PST file theory, heh, it's your network, do it however you want. All I'm saying is that every single day of the week I get calls from people saying their server is down. My question is do you have a backup; their response is no.......and if I'm in charge of the email server, I'M going to back up the databases, and spend my time coming up with a master backup and restore plan.....not push to PST files or bring up multiple servers... PST files corrupt more often than backup tapes...

Exchange is designed to be recoverable. Make full backups every day and disable circular logging.....test 'em

Sorry I don't have any links for you....the only thing I have is years of experience supporting the product....
Are you always so insulting?

I've done this.  How else would you set up a new mail server and move the users?  Do you think that their mail just gets left behind?  I didn't write break the link, Microsoft did.

Best of luck,


HDWILKINS: Sincerest apologies! - I honestly do not mean to be insulting....I am pretty passionate about Exchange, it's my job. Please take NO offense...

When you move the mailbox to the second server, it moves the emails over, that's why moving the mailbox can take a long time when it is big....

You said you have done this...okay, we will leave it at that...maybe I do not understand the way you have done it. But intrasite replication does not put a copy of a mailbox and its emails onto another server; you must move the contents. And in the event the server it is homed on goes down, you will not be able to move the mailbox and its contents because the server will be inaccessible, therefore wasting the second-server-in-the-site theory.

Let's keep this in mind.  As I remember it, BackOffice 4.5 isn't going to let us have a second server on the site anyway.  I don't think it has the connectors.  (I could be wrong about that but I don't think so.)  I also don't think that it can work under any circumstances unless the recipient server was once a BDC and they shared the same SAM database for security reasons (which is probably his problem).

I'd also wonder what the point of all of this is, because 10 minutes after the server is cloned, the on line server is going to be different than it was (because there's been new mail traffic).

Its been a while since I've done it so I'm fuzzy on how I've done it.  I think that when I did it with BO 4.5 that I had to use PST files and with a normal exchange 5.5 licence I moved the mailboxes.

But, I've done it.  I remember very clearly having the original server off line, with the mail still in it after the move.  I never do anything without a backup plan, knowing that I can restore what I've done.  

Even if I hadn't done it and I had to plan the thing from scratch, I know I could move the mailboxes from one to the other (5.5, not BO) and restore the old server from backup tape to its state pre the move, which would accomplish the task of having a cloned mail server.  (if not tape, from a drive that had been mirrored with the mirror broken before the move.)

I do this for a living also and sometimes I have to get inventive.

See, the only thing I don't understand is, when you have server1 and server2, the emails (private database - priv.edb) from server1 do not replicate to server2, so if server1 goes down and you move the mailbox from server1 to server2, how does it have the emails?? That would be a disaster if all priv.edb's replicated to all other servers in the site!

And another thing, when you move a mailbox from server1 to server2, server1 must be accessible......How, oh how, are you accomplishing the task that defeats the code and design of the product??

"I also don't think that it can work under any circumstances unless the recipient server was once a BDC and they shared the same SAM database for security reasons (which is probably his problem)."

Yes, you are correct, that is why he cannot start his services right now; the service account SID from the production network is not present...must take a BDC from the production network offline, then promote it to a PDC to accomplish the task pete-mbs is performing....

pete-mbs (Author) commented:

I appreciate all your hard work and effort on this subject.

The reason I'm doing this is I'm not a network administrator, exchange administrator or anything close.  I do technical support for document management software.  The trouble is our company is small and so I have been asked to fill in the above roles.

My boss has requested that I set up a second server with exchange installed so I can take the main server off the network to upgrade the software and still have people able to access their emails.

I figured the best way to do this would be to make a copy of the main server using the same identifiers, name, site etc.

I didn't appreciate that even if the 2 servers were set up exactly the same, they would still be different in the hard coding.

For now I will try the .PST method, as the other one involves plugging the second server into the network and unfortunately I've given it the same IP address as the main server. I know I can change it, but I'll try the .PST method first.

I'll get back to you with an update of my progress.

Again I'd like to thank you both for the time you spent on this. This is a steep learning curve for me, but I'm slowly crawling up it!!!!

pete-mbs (Author) commented:

Thanks for all your answers, but unfortunately our main server crashed on Tuesday so I had to re-install Small Business Server 4.5 and Exchange 5.5, which is what I had planned to do in the first place.

I managed to retain the company emails, which was a relief, and simply ran isinteg -patch once I'd placed priv.edb and pub.edb back in place.

I now have a problem with the full install of SBS 4.5 in that it installs a conflicting .dll (RSABASE.dll) from Option Pack 4 compared to Service Pack 4.  This dll then prevents the administrator kit from installing due to a version mismatch.

Any suggestions??
