If the Exchange server database service is denied write access to its own database files (*.edb) or to the checkpoint file (*.chk), errors similar to the following may be seen: MSExchangeIS (xxxx) Unable to write a shadowed header for file [path\filename].
Common causes of this issue include:
Another process is using the file. Antivirus software may mistakenly quarantine a file, or a backup process may temporarily deny access. In this case, you may see error 1032 in the Description section of event 439. Error 1032 is equivalent to Jet_errFileAccessDenied, in which the file is locked or in use.
A disk or controller failure has occurred, and access to the entire drive has been lost, sometimes temporarily. Check the System Log for I/O or drive errors near the time of the 439 event. In this case, you may see error 1022 in the description of event 4399. Error 1022 is a Jet_errDiskIO, or disk I/O error. The 1022 error is a generic error that appears whenever a disk input/output (I/O) problem prevents Exchange from gaining access to a requested page in the database or to a transaction log.
Permissions have been removed from the folder where the file resides.
The file has been marked read-only. This is most likely to happen to a checkpoint file.
The folder containing the file has been renamed or deleted. This is also mostly likely to happen to a checkpoint file.
Check for alerts related to full disks and resolve as necessary.
To troubleshoot such errors, you must determine what has suddenly blocked the database service from accessing its files. In many cases, restarting the affected server reverses the lock if you cannot find another way to fix the problem.
Confirm that there is sufficient access to the disks.
If the database is still running, you may have to use the Move Mailbox or ExMerge tools to move the mailboxes to another server.
If the database will not mount, you may need to restore from online backup. If there is no valid backup, as a last resort, you may need to repair the database with eseutil /P, run isinteg -fix until all fixes are removed, and then mount the database and use ExMerge to merge to a new, blank database.
For more information about ESE event 439, see:
Target | Microsoft.Exchange.Databases | ||
Category | EventCollection | ||
Enabled | True | ||
Event_ID | 439 | ||
Event Source | ESE | ||
Alert Generate | True | ||
Alert Severity | Warning | ||
Alert Priority | Normal | ||
Remotable | True | ||
Alert Message |
| ||
Event Log | Application |
ID | Module Type | TypeId | RunAs |
---|---|---|---|
EventDS | DataSource | Microsoft.Windows.EventProvider | Default |
GenerateAlert | WriteAction | System.Health.GenerateAlert | Default |
<Rule ID="Unable_to_write_a_shadowed_header_for_the_file" Enabled="onEssentialMonitoring" Target="Exch2003Core!Microsoft.Exchange.Databases" ConfirmDelivery="false" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>EventCollection</Category>
<DataSources>
<DataSource ID="EventDS" TypeID="Windows!Microsoft.Windows.EventProvider">
<ComputerName>.</ComputerName>
<LogName>Application</LogName>
<Expression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery>Channel</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>Application</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery>EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>439</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery>PublisherName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>ESE</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</And>
</Expression>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">
<Priority>1</Priority>
<Severity>1</Severity>
<AlertOwner>$Data/PublisherName$</AlertOwner>
<AlertMessageId>$MPElement[Name="Unable_to_write_a_shadowed_header_for_the_file.AlertMessage"]$</AlertMessageId>
<AlertParameters>
<AlertParameter1>$Data/EventDescription$</AlertParameter1>
</AlertParameters>
<Suppression>
<SuppressionValue/>
</Suppression>
</WriteAction>
</WriteActions>
</Rule>