Domain Migration Administrator 7.x
ERROR: S30442: Failed to start Security Translator, hr=80004005
This error can occur if an Exchange 5.5 mailbox associated with a user account has the reference bit indicating a SACL set to ON when the value is actually NULL. When DMA encounters such a mailbox, the mailbox translation process fails for the current mailbox and then halts.
Mailboxes created using the native Exchange Administrator utility should not experience this issue, however, if a mailbox is created using a custom script or application, it is possible for the mailbox to have this bit set and still have a NULL SACL.
Install DMA 7.2 Hotfix 45265. This hotfix enables DMA to translate mailboxes with a NULL SACL and continue the translation process.
For more information, see the following Knowledge Base article:
What fixes are contained in DMA Hotfix 45265?
You can verify if the SACL setting for a mailbox is causing the problem.
WARNING: Manually editing the NT-Security-Descriptor property on an Exchange mailbox is not supported and may create problems in later accessing the mailbox. The following instructions are intended only to help you verify whether the bit for a SACL is set.
To verify the SACL setting for a single mailbox:
- Open Exchange 5.5 Administrator in RAW mode (admin.exe /r).
- Select the problem mailbox.
- Click File > Raw Properties.
- In the Object attributes column, select NT-Security-Descriptor.
- Click Editor.
- For Editor type, select Text.
- Click OK.
If the bit for the SACL is not set, the NT-Security Descriptor hex number begins with 01000480.
If the bit for the SACL is set, the hex number begins with 01001480.
If you are unable to upgrade to DMA 7.2 Hotfix 45625, another workaround may be to clear the bit on the mailbox NT-Security-Descriptor property for the SACL. If there is no value for the SACL, there should be no problem created by clearing this bit. However, NetIQ Corporation cannot provide support to implement this resolution.