Exchange Server Object ID Error With Windows Server 2016 Domain Controllers

Saw this error the other day:


When you open Exchange Control Panel and view the Mailbox Delegation tab of any user account you get the following:

The object <name> has been corrupted, and it’s in an inconsistent state. The following validation errors happened: The access control entry defines the ObjectType ‘9b026da6-0d3c-465c-8bee-5199d7165cba’ that can’t be resolved..

You do not see this error on any mailboxes that you have moved to Office 365 in hybrid mode, that is you do not see it on any RemoteMailbox objects.

The issue is because ObjectType ‘9b026da6-0d3c-465c-8bee-5199d7165cba’ is the GUID of the DS-Validated-Write-Computer Control Access Right introduced in WS2016 AD DS which is new to your Active Directory upon installing your first 2016 domain controller. Exchange Server reads this access control list when you open the Mailbox Delegation tab in Exchange Control Panel or when you run Get-ADPermission on the mailbox. This error is cosmetic, but to remove it you just need to reboot all your Exchange Servers in turn (relying on your database availability groups and load balancers to maintain service). Once you have rebooted each server, the error goes away when you are connected to that server for administrative functions. There is no impact on user connectivity whilst this error is in place, though it may impact you ability to assign permissions without error.

Therefore recommend that you reboot one server as soon as you can and then use that server as your target for administration until you can reboot the remaining servers.



, , , , , ,




3 responses to “Exchange Server Object ID Error With Windows Server 2016 Domain Controllers”

  1. Mahesh Gajanayake avatar
    Mahesh Gajanayake

    Thanks for the post Brian. We observed the same warning with Exchange 2016 CU9 in hybrid setup after upgrading the first DC to server 2016.

  2. Bikram avatar


    I got this error poppedup as soon as I introduced AD server 2019 into my Network

    Instead of restarting Exchange I did IISRESET and the ERROR was gone. Thanks for pointer that the Issue is not with Exchange but due to AD2016/2019 Server introduced in the Network


  3. George avatar

    would anyone know how an object ID can be resolved or know the service accounts ACL rights from powershell ?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.