tracking deleted address lists
We had an issue recently where all our address lists, including the default ones (under "All Address Lists" in the management console) disappeared and we are trying to track down where or how this happened.
We have a forest root domain and 5 child domains.
At the time we assume the lists were deleted (either through corruption or user error etc) we have several event IDs 8329 about RUS starting a rebuild:
"The Recipient Update Service is starting a rebuild of CN=All Users\0ADEL:a4845d2c-3d3f-4789-8194-97fd071f5e1c,CN=Deleted Objects,CN=Configuration,DC=forestroot,DC=com DC=childdomain1,DC=customername,DC=com"
Each event lists "dc=childdomain1" in the object name
Does this suggest that the Address Lists were actually deleted from childdomain1 or is this a red herring ?
Thanks
June 24th, 2011 8:15am
1. I've never seen addresslists disappear at that level. The event logs just says it's getting rebuilt.
2. Find out how many people have exch rights to perform such as task and look deeper in your logs.
3. What you maybe could have done is reversed this, and you still may be able to, this would indicate if the address list was deleted. -
http://support.microsoft.com/kb/842032 - if that makes sense, try to rebuild the OAB.
4. I'd runt he ExchBPA and to make sure your exch config is looking ok and no major issues.Sukh
Free Windows Admin Tool Kit Click here and download it now
June 24th, 2011 8:51am
Hi
Thanks for your reply.
We have already recreated the address lists so we're OK in that respect. We also know already that there are far too many people with permissions to do this.
As I said I we would just like to know if the event generated indicates that the address lists were actaully deleted in that particular domain, listed in the event. This would allow us to at least know WHERE it happened, even if we can't determine WHO did
it.
Thanks
June 24th, 2011 9:33am
Hi,
I think that only indicates
RUS for
childdomain1 is rebuilding. If we have leveled
up the diagnostic log, we may find more information.
There are 4 part for troubleshooting RUS, you may have a look.
Troubleshooting the Recipient Update Service (RUS) using Event Logs - Part 4 (last part)
http://blogs.technet.com/b/exchange/archive/2004/07/27/198662.aspx
Regards,
Xiu
Free Windows Admin Tool Kit Click here and download it now
June 27th, 2011 3:48am
Hi
Thanks for replying.
So it looks like there's no way of tracing where or who deleted the address lists - is that correct ?
Thanks
June 27th, 2011 5:12am
No, it would be difficult with the information above.Sukh
Free Windows Admin Tool Kit Click here and download it now
June 27th, 2011 5:26am
you can use the repadmin /showobjmeta against the DN of this container to list where all this object was changes it will list DCs.. that may give you some idea where the change was innitiated.
las change may be the one that replicated it .. second last may be the one you are interested in knowing
Dhruv
Dhruv
June 27th, 2011 4:33pm