locked
tracking deleted address lists RRS feed

  • Question

  • We had an issue recently where all our address lists, including the default ones (under "All Address Lists" in the management console) disappeared and we are trying to track down where or how this happened.

    We have a forest root domain and 5 child domains.

    At the time we assume the lists were deleted (either through corruption or user error etc) we have several event IDs 8329 about RUS starting a rebuild:

    "The Recipient Update Service is starting a rebuild of CN=All Users\0ADEL:a4845d2c-3d3f-4789-8194-97fd071f5e1c,CN=Deleted Objects,CN=Configuration,DC=forestroot,DC=com DC=childdomain1,DC=customername,DC=com"

    Each event lists "dc=childdomain1" in the object name 

    Does this suggest that the Address Lists were actually deleted from childdomain1 or is this a red herring ?

    Thanks

     

     

     

     

    Friday, June 24, 2011 12:10 PM

Answers

  • you can use the repadmin /showobjmeta against the DN of this container to list where all this object was changes  it will list DCs.. that may give you some idea where the change was innitiated.

    las change may be the one that replicated it .. second last may be the one you are interested in knowing

    Dhruv

     


    Dhruv
    • Marked as answer by jarweb Tuesday, June 28, 2011 8:38 AM
    Monday, June 27, 2011 1:33 PM

All replies

  • 1. I've never seen addresslists disappear at that level.  The event logs just says it's getting rebuilt.

    2. Find out how many people have exch rights to perform such as task and look deeper in your logs.

    3. What you maybe could have done is reversed this, and you still may be able to, this would indicate if the address list was deleted. - http://support.microsoft.com/kb/842032 - if that makes sense, try to rebuild the OAB.

    4. I'd runt he ExchBPA and to make sure your exch config is looking ok and no major issues.


    Sukh
    • Proposed as answer by Sukh828 Monday, June 27, 2011 8:58 AM
    Friday, June 24, 2011 12:45 PM
  • Hi

    Thanks for your reply.

    We have already recreated the address lists so we're OK in that respect. We also know already that there are far too many people with permissions to do this.

    As I said I we would just like to know if the event generated indicates that the address lists were actaully deleted in that particular domain, listed in the event. This would allow us to at least know WHERE it happened, even if we can't determine WHO did it.

    Thanks

     

    Friday, June 24, 2011 1:27 PM
  • Hi,

    I think that only indicates RUS for childdomain1 is rebuilding. If we have leveled up the diagnostic log, we may find more information.

    There are 4 part for troubleshooting RUS, you may have a look.

    Troubleshooting the Recipient Update Service (RUS) using Event Logs - Part 4 (last part)

    http://blogs.technet.com/b/exchange/archive/2004/07/27/198662.aspx

     

    Regards,

    Xiu

    Monday, June 27, 2011 7:47 AM
  • Hi

    Thanks for replying.

    So it looks like there's no way of tracing where or who deleted the address lists - is that correct ?

    Thanks

     

    Monday, June 27, 2011 9:11 AM
  • No, it would be difficult with the information above.
    Sukh
    Monday, June 27, 2011 9:25 AM
  • you can use the repadmin /showobjmeta against the DN of this container to list where all this object was changes  it will list DCs.. that may give you some idea where the change was innitiated.

    las change may be the one that replicated it .. second last may be the one you are interested in knowing

    Dhruv

     


    Dhruv
    • Marked as answer by jarweb Tuesday, June 28, 2011 8:38 AM
    Monday, June 27, 2011 1:33 PM
  • Thanks guys.

     

    Tuesday, June 28, 2011 8:38 AM