Mail flow stops with 430 4.2.0 STOREDRV; mailbox logon failure

This is one of the most annoying errors that you may face with your HT servers, when they stop sending emails to MBX servers. There are multiple things that you need to go through to fix this problem. This post just provides some common troubleshooting steps that can be performed if you face this problem. I faced this one today in one of my customer’s Exchange 2007 SP2 environments.

This error is most likely generated by a permissions issue in Active Directory. The best bet for finding these problems is ExBPA. In this particular case the permissions were messed up at the server object level in Active Directory: inherited permissions from parent objects had been removed for some reason.

Here are a few things that you should try in this case:

  • First off, make sure your Active Directory replication is not experiencing any problems.
  • Make sure all domain controllers and global catalogs have the correct time and are synchronized with your designated NTP server.
  • You can use net time /set \\ntpservername if you find any discrepancies in the time.
  • Make sure your HT and MBX servers’ records are correctly registered in DNS and that name resolution works perfectly fine. In some cases, you might want to add PTR records for all of your MBX, DS and HT servers.
  • Make sure your Default Domain Controller Policy has the Exchange Server group added to Manage auditing and security log, located at Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment of your Default Domain Controller Policy.

  • One more thing in basic troubleshooting is to check the logon account used for the Microsoft Exchange Mail Submission service on the mailbox server. It should be set to Local System, and the Transport service on the Hub Transport server should be set to run as Network Service.

    Once you have made sure all these things are in place, the permissions are what we need to concentrate on.

    • Use ExBPA to ensure that none of the Exchange Server objects have permissions inheritance blocked on them. If any do, you should see something similar to the below:

    image

    • If you do see something like the above, then inheritance of permissions to these objects must be allowed. To do this, follow the steps below:
    • Open ADSIEDIT.MSC and browse to the location CN=<Exchange Server Name>,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Exchange Geek Inc,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Domain,DC=local
    • Right-click the server object that was found not inheriting permissions from its parent, select Properties, select the Security tab, click the Advanced button and check the check box “

    image 

    • We are not done yet. There are a few more permissions we should check even after allowing inheritance on this object. Follow the previous step to get to the Security tab of the properties window of the Exchange Server object.

    image

    • As shown in the screenshot above, the following permissions should be assigned to the Exchange Server security group:
      • Store Constrained Delegation – Allow
      • Store read and write access – Allow
      • Store read only access – Allow
      • Store transport access – Allow
    • These permissions should be checked on all HT servers and MBX servers using ADSIEDIT, and they must be as shown above.
    • Force replication across the site and make sure that all permissions are replicated to, at least, all the global catalogs in that site.

Hope that helps!
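
The ADSIEDIT checks above can also be done read-only from PowerShell across every Exchange server object at once. This is an added example, not part of the original post; it assumes PowerShell 3.0 or later, that the security group is named "Exchange Servers", and that the extended rights' displayName values match the labels listed above.

```powershell
# Added example: read-only audit of Exchange server objects in the configuration partition.
$ExchangeGroup = 'Exchange Servers'   # assumption: name of the Exchange server security group
$expected = 'Store Constrained Delegation', 'Store read and write access',
            'Store read only access', 'Store transport access'   # labels as listed in the post

$configNC = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext

# Build a rightsGuid -> displayName map for every extended right defined in the forest.
$rights = @{}
$s = New-Object System.DirectoryServices.DirectorySearcher
$s.SearchRoot = [ADSI]"LDAP://CN=Extended-Rights,$configNC"
$s.Filter     = '(objectClass=controlAccessRight)'
$s.PageSize   = 500
foreach ($r in $s.FindAll()) {
    $rights[[string]$r.Properties['rightsguid'][0]] = [string]$r.Properties['displayname'][0]
}

# Walk every Exchange server object and inspect its security descriptor.
$srv = New-Object System.DirectoryServices.DirectorySearcher
$srv.SearchRoot = [ADSI]"LDAP://CN=Microsoft Exchange,CN=Services,$configNC"
$srv.Filter     = '(objectClass=msExchExchangeServer)'
foreach ($hit in $srv.FindAll()) {
    $sd = $hit.GetDirectoryEntry().psbase.ObjectSecurity

    # Allow ACEs (explicit and inherited) that grant extended rights to the Exchange group.
    $aces = @($sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object {
            $_.IdentityReference.Value -like "*\$ExchangeGroup" -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
        })

    # An empty ObjectType GUID on an extended-right ACE means "all extended rights".
    $allRights = @($aces | Where-Object { $_.ObjectType -eq [Guid]::Empty }).Count -gt 0
    $granted   = @($aces | ForEach-Object { $rights[$_.ObjectType.ToString()] } | Where-Object { $_ })
    $missing   = if ($allRights) { @() } else { @($expected | Where-Object { $granted -notcontains $_ }) }

    [pscustomobject]@{
        Server             = [string]$hit.Properties['cn'][0]
        InheritanceBlocked = $sd.AreAccessRulesProtected   # True = the problem ExBPA reports
        MissingStoreRights = $missing -join '; '
    }
}
```

Any server reported with InheritanceBlocked set to True, or with a non-empty MissingStoreRights value, is a candidate for the ADSIEDIT fix described above.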
