none
how to catch a "thief"

    Question

  • Exchange 2010 SP2

    2 hubs/cas, 2 mb

    one "hub/cas/mb" server in remote location

    we have this consultant whom we think is preventing people from using Exchange after office hours so that he can finish his task. the reason we're saying this is because we know he is replicating our production Exchange databases to the remote site. last night, without warning, no users can access their emails. all servers are online though. the only tell-tale sign I could see that something is weird is that in the event viewer it says database logs are full (100GB), and some other error that says unable to replicate because of too much data being generated.

    I just want to know if indeed the cause of last nights outage was because of his copying work. is there something in the event viewer or in EMC that would help me identify it?

    Tuesday, November 19, 2013 7:09 AM

Answers

  • He is probably restricting login access with GPO then but for Directors not. the problem is if he is trying to mount the db you need all the logs (unless you recover)
    Wednesday, November 20, 2013 6:50 AM
  • Hi,

    We can refer to the Administrator Audit Logging:

    http://technet.microsoft.com/en-us/library/dd335144(v=exchg.141).aspx

    If it’s not enabled and there is no reference in event log, I am afraid there is no other logs which will record the previous operations.

    Thanks,

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnsfl@microsoft.com


    Simon Wu
    TechNet Community Support

    Wednesday, November 20, 2013 8:11 AM
    Moderator
  • Exchange Server 2010 handles replication automatically in a DAG environmnet there is no reason to copy anything. 

    Your real problem seems to me, not having confident with your IT consultant, which in this case you need to let him go and hire someone who you can trust. If you are not the person who can make this happen, you will continue to listen stories like this from your consultant and won't be able to determine the real cause.

    If you can hire independent consultant who can assist you to understand your environment and possibly come up with solution. It could be design etc. issues , who knows what he is doing, is better as far as i can tell.

    good luck

    ocd

    Thursday, November 21, 2013 1:39 AM

All replies

  • Hi

    Are the logs not truncating with backups?

    Check that no GPO is set to prevent them logging in. Are the databases not offline during this time? How is he replicating this? Copy? If you have a DAG in place there is continuous replication?

    Wednesday, November 20, 2013 6:42 AM
  • to tell you the truth, I have no idea how he is replicating the databases.

    the databases are not placed offline because our directors access their emails 24x7 from anywhere.

    we have DAG in place.

    Wednesday, November 20, 2013 6:46 AM
  • He is probably restricting login access with GPO then but for Directors not. the problem is if he is trying to mount the db you need all the logs (unless you recover)
    Wednesday, November 20, 2013 6:50 AM
  • Hi,

    We can refer to the Administrator Audit Logging:

    http://technet.microsoft.com/en-us/library/dd335144(v=exchg.141).aspx

    If it’s not enabled and there is no reference in event log, I am afraid there is no other logs which will record the previous operations.

    Thanks,

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnsfl@microsoft.com


    Simon Wu
    TechNet Community Support

    Wednesday, November 20, 2013 8:11 AM
    Moderator
  • Exchange Server 2010 handles replication automatically in a DAG environmnet there is no reason to copy anything. 

    Your real problem seems to me, not having confident with your IT consultant, which in this case you need to let him go and hire someone who you can trust. If you are not the person who can make this happen, you will continue to listen stories like this from your consultant and won't be able to determine the real cause.

    If you can hire independent consultant who can assist you to understand your environment and possibly come up with solution. It could be design etc. issues , who knows what he is doing, is better as far as i can tell.

    good luck

    ocd

    Thursday, November 21, 2013 1:39 AM