Hello,

I have a network with:
* AD based on Windows Server 2003 SP2 Standard
* Exchange 2013 CU5 Standard [ migrated from Exchange 2010 ].

Recently DC with Windows Server 2012 R2 Datacenter was added and then I saw issue:
  When I open Exchange EAC -> Recipients -> Mailboxes -> (Edit Mailbox X ) -> Mailbox Delegation
  then I see message:

warning

The object company.com/OU/X has been corrupted, and it's in an inconsistent state. The following validation errors happened:
________________________________________
The access control entry defines the ObjectType '91e647de-d96f-4b70-9557-d63ff4f3ccd8' that can't be resolved..

I googled a little bit and found at site:
https://msdn.microsoft.com/en-us/library/cc223204.aspx

that Object = 91E647DE-D96F-4B70-9557-D63FF4F3CCD8 is named:  Private Information
and is present in AD DS Forestst with Windows 2008 or higher OS.

Can this message be safely ignored, or should I take any precautions ?
My domain will be upgraded soon to version 2012 R2, old DCs will be removed.

Hi,

According to your description, I understand that display objectType '91e647de-d96f-4b70-9557-d63ff4f3ccd8' cannot be resolved when add Windows server 2012 to your Exchange environment.
If I misunderstand your concern, please do not hesitate to let me know.

Is there any relevant event log in your 2003 DC and 2012 DC, Event ID 566 or Event ID 4662?
Windows 2008 introduced a new property set called Private Information that includes the msPKI* properties as you mentioned.  By design these properties are secured in such a manner that only the SELF object can access them.  You can use the DSACLS command to verify the permissions on the object as needed.

We can safely ignore these messages, its by design.

Thanks

Hello,

Thank you for your answer !

I've seen Event ID 4662 on Windows 2012 R2 DC inn Security log;
below is only fragment from this event with mentioned GUID highlighted:

Operation:
    Operation Type:        Object Access
    Accesses:        -
    Access Mask:        0x0
    Properties:        ---
    {bf967aba-0de6-11d0-a285-00aa003049e2}
%%7688
            {6617e4ac-a2f1-43ab-b60c-11fbd1facf05}
            {b3f93023-9239-4f7c-b99c-6745d87adbc2}
            {b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7}
            {b7ff5a38-0818-42b0-8110-d3d154c97f24}
        {91e647de-d96f-4b70-9557-d63ff4f3ccd8}

How can I "remove" warning which is displayed in Exchange EAC ?
Should I add permissions by DSACLS ( for EAC administrators ? ) for these properties
  in each Exchange Mailbox ?

Hi,

Here's an article about this error, it also describe some workaround to solve this.
http://networkadminkb.com/KB/a464/how-to-fix-security-event-id-566-or-4662.aspx