DrWu
asked on
AD\Exchange duplicate accounts and deleted items problems
Hi
We have what I assume to be a serious issue with our Exchange server and\or our Win2k AD.
A few months back we completed the migration from Exchange 5.5 to 2000, including a migration to AD from NT4. It all went well. However, recently we realised that we had been having a replication problem between the domain controllers in our 3 domains and root domain - it was a routing and firewall issue. Anyway, the routing problem was fixed and all the domain controllers can now replicate to each other.
We have recently been receiving a number of errors in the exchange application event logs -
---------------
EventID 9514
Two objects in the Directory have the same proxy - /DC=UK/DC=IKANO/DC=LAN/OU=UK/OU=IKANO/OU=DEPARTMENT USERS/OU=MARKETING AND RISK/CN=FAYE CHAPMAN and /DC=UK/DC=IKANO/DC=LAN/CN=DELETED OBJECTS/OU=EXCHANGE 5.5 USERS
DEL:6F6027B9-97A9-4480-9210-4FACB3E42A5C/CN=FAYE CHAPMAN.
---------------
EventID 9549
An ambiguous SMTP proxy john.smith@blah.net was found on 0x2 mailboxes in the DS. The store cannot map this SMTP proxy to a unique Mailbox GUID.
---------------
This has only started happening since the replication problem was fixed. I'm under the impression that a GC domain controller had a lot of old information stored on it, and now this information has been replicated back to the rest of the domains. The outcome of this is that users sporadically cannot receive external email, because there are 2 instances of their SMTP address in AD - one in the OU where they should be, and another in the DELETED OBJECTS OU. When the users were originally migrated from exchange 5.5, their disabled account was put into the EXCHANGE 5.5 USERS OU, I then deleted the whole OU when the migration was complete.
What I don't understand is this: when you delete an object in AD, it enters a tombstone period, set at 60 days. You should be able to reuse any of the details associated with this account right away though - so why are the SMTP addresses of accounts that have been deleted from the system interfering with live accounts?
I have already attempted to view the deleted objects in question, as outlined in http://support.microsoft.com/default.aspx?scid=kb;EN-US;258310 , but I cannot find any of the SMTP addresses or user accounts that are conflicting. I have used the LDIFDE utility to try and find the deleted objects that are conflicting, but to no avail - I can find plenty of deleted objects, just no duplicates, so it's not that I can't find data, it's that the right data isn't there.
What I would like to do is to find out where AD and EXCHANGE are getting the details about these old accounts and the DELETED OBJECTS OU - it doesn't seem to be anywhere and I cannot find any of the duplicated SMTP addresses. I have also changed the tombstone period to 1 day from the 60 days, and the problem has persisted. Perhaps the deleted items haven’t been tombstoned at all and not deleted properly from AD and this is where the error comes from?
------
Anyway, help would be appreciated. Microsoft have been looking at this for me for over a week and they have got absolutely nowhere (which is my usual experience with them) so high points will be awarded!
Many thanks
Aaron
ASKER
Any more help on this issue guys? I'm pulling my hair out and Microsoft are doing jack to help!
Aaron
Aaron
Did you fix it?
ASKER
Hi yan
Yes, after much hassle.
It turned out that a domain controller in another domain and network had lost replication with the main domain for a few months and was brought back online - it told the other DCs that a load of deleted items were not in fact deleted and this messed up the DCs' tombstoned lists. I had to use LDP to find out the GUIDs of deleted objects and manually remove them from the DCs.
Took ages, but this helped me a lot!
Aaron
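An added example, not part of the original thread: since the conflicting objects existed only on some domain controllers, one way to hunt for them is to export from each DC separately and compare the proxyAddresses values across all exports. The sketch assumes each export is LDIF text that includes deleted objects; the DC names, DNs and GUID in the sample are constructed.

```python
import base64
from collections import defaultdict

def parse_ldif(text):
    """Parse LDIF into a list of {attribute_lowercase: [values]} dicts."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]          # folded line: continuation of previous
        else:
            lines.append(raw)
    entries, cur = [], defaultdict(list)
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in cur:
                entries.append(dict(cur))
            cur = defaultdict(list)
        elif not line.startswith("#") and ":" in line:
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):      # "attr:: <base64>", used when a value
                # holds a newline, as the DN of a deleted object does
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            cur[attr.lower()].append(value)
    return entries

def ambiguous_proxies(exports):
    """exports maps a DC name to its LDIF text. Returns {address: [(dc, dn,
    is_deleted), ...]} for each proxy address held by more than one DN."""
    holders = defaultdict(set)
    for dc, text in exports.items():
        for entry in parse_ldif(text):
            dn = entry["dn"][0]
            deleted = "TRUE" in entry.get("isdeleted", []) or "\nDEL:" in dn
            for addr in entry.get("proxyaddresses", []):
                holders[addr.lower()].add((dc, dn, deleted))
    return {a: sorted(h) for a, h in holders.items()
            if len({dn for _, dn, _ in h}) > 1}

# Constructed sample exports (hypothetical DC names, DNs and GUID).
LIVE_DN = "CN=John Smith,OU=Marketing,DC=uk,DC=example,DC=lan"
DEAD_DN = ("CN=John Smith\nDEL:00000000-0000-0000-0000-000000000001,"
           "CN=Deleted Objects,DC=uk,DC=example,DC=lan")
LIVE = f"dn: {LIVE_DN}\nproxyAddresses: SMTP:john.smith@blah.net\n"
DEAD = (f"dn:: {base64.b64encode(DEAD_DN.encode()).decode()}\n"
        "isDeleted: TRUE\nproxyAddresses: smtp:John.Smith\n @blah.net\n")
SAMPLE = {"dc1": LIVE, "gc-remote": LIVE + "\n" + DEAD}

if __name__ == "__main__":
    for addr, seen in ambiguous_proxies(SAMPLE).items():
        print(addr, seen)
```

The DC name attached to each hit shows which replica still holds the stale object, which is where a search against a single healthy DC comes up empty.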
ASKER
I have already done http://support.microsoft.com/default.aspx?scid=kb;en-us;Q318774 - the SMTP address duplicates are not accessible in AD through a custom search, or using LDIFDE. I am aware of which addresses are duplicated, but they are not there in AD!
cheers
Aaron