Microsoft KB Archive/289492

= You receive the &quot;The operation failed. ID no: 80004005&quot; error message when you try to expand public folders in Exchange 2000 Server System Manager =

Article ID: 289492

Article Last Modified on 7/24/2007

-

APPLIES TO


 * Microsoft Exchange 2000 Server Standard Edition
 * Microsoft Exchange 2000 Enterprise Server

-



This article was previously published under Q289492



SYMPTOMS
When you try to expand the public folder tree in Exchange System Manager, you may receive the following error message:

The operation failed.

ID no: 80004005



CAUSE
This is a generic error message that occurs that has several known causes. In most cases, the cause of the issue is found in the Microsoft Internet Information Service (IIS) or in the Microsoft Internet Explorer configuration for the computer that is running Exchange 2000 Server. If you have recently altered security settings in Internet Explorer, or if you have made changes to your World Wide Web server configuration, review these changes carefully.



RESOLUTION
To establish the scope of the issue, try to access public folders by each of the following methods:  Use a Message Application Programming Interface (MAPI) client such as Microsoft Outlook or the Microsoft Exchange Client. Use an Internet Message Access Protocol (IMAP) client such as Microsoft Outlook Express or another IMAP mail reader. Use HTTP in Internet Explorer or in another Web browser. For example, you can use

http:// /public

Where  is the NetBIOS name of your Exchange computer. Use Installable File System (IFS). To do so, connect to drive M of the Exchange server.

Additionally,
 * Check the Event Viewer logs on the Exchange server.
 * Try to access folders in Exchange System Manager while you are connected to a different Exchange 2000 Server server. To do this, right-click the Public Folders object in Exchange System Manager, and then click Connect To.

If you can access public folders from the client side through all four of the preceding methods, but you still cannot access any public folders in Exchange System Manager, the issue is likely in your IIS or Internet Explorer configuration.One of the following methods may be helpful.

Note Re-start Exchange System Manager after you try any of these methods.  Make sure that the public folder database is started on the server to which you are connected.</li> Make sure that the World Wide Web Publishing service is started on the Exchange 2000 Server server. If the World Wide Web Publishing service is stopped, HTTP access to public folders does not work.</li> Check the version of the W3svc.dll file on the Exchange server. You can use the Filever.exe utility to do this, or you can open the file properties in Windows Explorer. If the version of the file is later than 5.0.2195.1600, you probably have installed a post-Service Pack 1 (SP1) hotfix for IIS. This installation created this issue. If this situation occurs, roll back this file to 5.0.2195.1600.Or, we recommend that you install a later version of the file that is available from the following Microsoft Web site:

http://www.microsoft.com/downloads/release.asp?ReleaseID=25547

Note

This download is described in detail at the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS00-086.mspx

Restart the server after you install the newer fix or replace the W3svc.dll file.</li> Change Internet Explorer security settings for Local intranet to Medium or Low. To do this, follow these steps: Important These steps may increase your security risk. These steps may also make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. We recommend the process that this article describes to enable programs to operate as they are designed to, or to implement specific program capabilities. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this process in your particular environment. If you choose to implement this process, take any appropriate additional steps to help protect your system. We recommend that you use this process only if you really require this process. <ol> Click the Tools menu in Internet Explorer, click Internet Options, and then click the Security tab.</li> Click the Local intranet icon. The security setting appears under Security level for this zone. If this setting is High, you may be able to access folders after you are prompted for your logon credentials. HTTP access may also require credentials, and sometimes HTTP access may not work even if appropriate credentials are presented.</li> Move the slider down in the Security level for this zone area so that the legend to the right of the slider bar reads Low or Medium.</li> Click OK.

Note You may have to restart the Exchange services or wait for cache timeouts to expire before this method becomes effective.

For more information about how to configure Security Zones in Internet Explorer, view the following document on the Microsoft Web site:

http://www.microsoft.com/windows/ie/ie6/using/howto/security/setup.mspx</li></ol>

</li> Add the Exchange 2000 Server server to the list of Trusted sites.

If you must use high security for the Local intranet zone, an alternative method that you can use is to add the Exchange server to the list of trusted sites. To do this, follow these steps:Important These steps may increase your security risk. These steps may also make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. We recommend the process that this article describes to enable programs to operate as they are designed to, or to implement specific program capabilities. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this process in your particular environment. If you choose to implement this process, take any appropriate additional steps to help protect your system. We recommend that you use this process only if you really require this process. <ol> Click the Tools menu in Internet Explorer, click Internet Options, and then click the Security tab.</li> Click the Trusted Sites icon on the Security page, and then click Sites.</li> In the Add this Web site to this zone box, type http://Your_Server_Name or http://Your_Server_IP_Address, and then click Add.</li> Make sure the Require server verification (https:) for all sites in this zone check box is unchecked.</li> Click OK.</li> Move the slider down in the Security level for this zone area so that the legend to the right of the slider bar reads Low or Medium.</li> Click OK.

Note You may have to restart the Exchange services or wait for cache timeouts to expire before this solution becomes effective.

For more information about how to configure Security Zones in Internet Explorer, view the following document on the Microsoft Web site:

http://www.microsoft.com/windows/ie/using/howto/security/setup.asp</li></ol> </li> Examine your proxy server settings in Internet Explorer. These settings are on the Connections tab of the Internet Properties page. Proxy settings are configured on a connection-by-connection basis, and so the settings for all connections must be verified. In most cases, the LAN Settings proxy configuration is the one involved in the issue. If a proxy server is defined, make sure that the server is valid and that the Bypass proxy server for local addresses check box is selected.</li> <li>If there is more than one virtual Web server on the Exchange server, make sure that the Web site that contains the Exchange 2000 administration virtual directories is assigned to port 80. (Unless it has been renamed, the virtual server for Exchange 2000 is the default Web site. The Exchange 2000 administration virtual directories include Public, Exadmin, and Exchange.)

To swap the ports that are assigned to multiple virtual Web servers, you must restart all Exchange and IIS services. The port assignment for a virtual server can be checked on the properties of the server object. The TCP port on the Web Site properties page should be 80.

Also, make sure that there is at least one blank host header that is defined for the Web site. To do this, on the Web Site properties page, click the Advanced button on the IP Address line. If there is no blank host header, add one with the following properties: <ul> <li>IP Address: All Unassigned (or appropriate address for a multi-homed system)</li> <li>TCP Port: 80</li> <li>Host Header Name: (nothing)</li></ul>

Changing the host header does not require restarting any services.</li> <li>If If your logon account is mail-enable, you have logged on to Windows is mailbox-enabled, verify that the msExchUserAccountControl attribute exists on the account, and that its value is 0. If this attribute is the issue, the following event should appear in the Application Log of the Exchange server:

Event Type: Error

Event Source: MSExchangeIS

Event Category: General

Event ID: 9562

Date: 2/13/2001

Time: 5:00:00 PM

User: N/A

Computer: SERVER1

Description: Failed to read attribute msExchUserAccountControl from Active Directory for /o=Organization/ou=First Administrative Group/cn=Recipients/cn=accountname.

This can be an issue because user objects that are granted administrative privileges have inherited permissions that are blocked from parent folders. This is a security measure to prevent an inadvertent compromise of administrator accounts. You can re-enable inheritable permissions from the Security page of the object's properties, but an automatic system process may disable inheritance again within a few minutes.

If you force the Recipient Update Service (RUS) to run from Exchange System Manager during the interval before inheritance is again disabled, the RUS stamps the msExchUserAccountControl attribute on the user object. Be aware that the RUS cannot make updates to this account later.Changes to e-mail addresses and other mail-related configurations may not be applied.

We strongly discourage enabling a mailbox for an account with administrative priveleges because these accounts are likely to be used to log on everyday.Therefore, the server becomes more vulnerable to compromise if an administrator forgets to secure a server where the administrator is logged on to. If you want to provide for occasional access to mail while you are logged on with an administrative account, give the administrative account Owner rights to the mailbox.

To do this with the Active Directory Users and Computers console: follow these steps: <ol> <li>Click Advanced Features from the View menu.</li> <li>Open the properties for the mailbox-enabled account that you use to log on everyday. Click the Mailbox Rights button on the Exchange Advanced properties page, and grant the special administrative account Full mailbox access.</li></ol>

If an administrator account is not mailbox-enabled, the absence of the msExchUserAccountControl attribute may not prevent public folder access.</li> <li>Check the Secure Sockets Layer (SSL) settings for the default Web site. SSL is not supported as an access method for Exchange System Manager. To check the settings, open the properties for the default Web site, or the site that contains the Exchange 2000 administrative virtual folders, and examine the Directory Security page. If the Edit button is unavailable in the Secure Communications section, then SSL is not enabled. If the Edit button is available, click the button, and then clear the Require Secure Channel check box.

You can also enable SSL at the virtual directory level and at the level of the entire Web site. Therefore, check the Exadmin virtual directory under the Web site, and disable SSL as necessary. If disabling SSL is not an option, you can administer Exchange 2000 Server public folders from a more secure Exchange server where such a high level of security is not required.</li> <li> Check to see if URLscan is installed on the system. To do this, search for the Urlscan.ini file. If the file appears,make sure that the .ini file contains the following settings: [Options] UseAllowVerbs=1 UseAllowExtensions=0 NormalizeUrlBeforeScan=1 VerifyNormalization=1 AllowHighBitCharacters=1 AllowDotInPath=1 RemoveServerHeader=0 EnableLogging=1 PerProcessLogging=0 AllowLateScanning=0

[AllowVerbs] PROPFIND SEARCH PROPPATCH DELETE MKCOL MOVE COPY OPTIONS

[DenyVerbs]

[DenyHeaders] If: Lock-Token:

[DenyExtensions] .asp .cer .cdx .asa .exe .bat .cmd .htw .ida .idq .htr .idc .shtm .shtml .stm .printer .ini .log .pol .dat Note If the internal Domain Name System (DNS) for your network does not contain .com, you can add .com to the DENYEXTENSIONS list: [DenyUrlSequences] .. ./ \ % & To replace the .ini file youmust stop the World Wide Web Publishing Service (w3svc), replace the .ini file, and then restart the World Wide Web Publishing Service (w3svc). </li></ul>

Additional query words: exch2kp2w PF ESM 8004005 XADM

Keywords: kberrmsg kbprb KB289492

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.