bjblackmore

Removing Non-Existent User From Exchange 2007 GAL

Over the past couple of years we have migrated a number of our sub domains & separate domains, into a single global domain. We also migrated sites from using their own separate Exchange 2003 mail servers, to using a single global Exchange 2007 infrastructure. During this migration 1000s of users were migrated from the old Exchange 2003 servers, over to the new Exchange 2007 mailbox servers. 99.9% migrated without issue. However the odd one or two have had an issue.

We have a user who has an email account on our new domain, AND on one of the old decommissioned domains. This user shows up twice in the GAL and it has caused multiple issues.

We have tried deleting the account from the original domain but she still shows up in the GAL.

Currently the old user's AD account doesn't appear to exist anywhere, it's been deleted from the old domain, I've gone through ADSI Edit searching for the unique DN, and can't find anything, but the account still shows up in the GAL.

I have tried forcing a GAL update using "Get-OfflineAddressBook | Update-OfflineAddressBook" & "Get-ClientAccessServer | Update-FileDistributionService"

Is there any way to delete the GAL entry with some PowerShell command or something? Or some way I can find where this ghost account exists?
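
One way to look for the object behind such an entry, as an added example that is not part of the original thread: search the global catalog for anything carrying the address and report where it lives and which address lists it is stamped into. The address is a constructed placeholder, and the script assumes it is run from a domain-joined machine in the forest.

```powershell
# Added example. $address is a constructed placeholder for the duplicate entry's SMTP address.
$address = 'jane.doe@example.com'

# Escape LDAP filter metacharacters (RFC 4515); the backslash must be handled first.
$safe = $address.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')

# Bind to the global catalog at the forest root. This covers the root domain,
# its child domains and the configuration partition; a forest with additional
# domain trees needs one search per tree root.
$rootDse    = [ADSI]'LDAP://RootDSE'
$forestRoot = [string]$rootDse.rootDomainNamingContext

$searcher            = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"GC://$forestRoot"
$searcher.PageSize   = 500
# proxyAddresses matching is case-insensitive, so this finds SMTP: and smtp: entries.
$searcher.Filter     = "(|(proxyAddresses=smtp:$safe)(mail=$safe))"
foreach ($attr in 'distinguishedName', 'objectClass', 'showInAddressBook',
                  'legacyExchangeDN', 'whenChanged') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

# Flatten a (possibly absent, possibly multi-valued) attribute into one string.
# Property names in a search result are stored in lower case.
function Join-Values($result, $name) {
    $values = @($result.Properties[$name.ToLower()] | ForEach-Object { "$_" })
    [string]::Join('; ', [string[]]$values)
}

$results = $searcher.FindAll()
$results | Select-Object `
    @{Name = 'DistinguishedName'; Expression = { Join-Values $_ 'distinguishedName' }},
    @{Name = 'ObjectClass';       Expression = { Join-Values $_ 'objectClass' }},
    @{Name = 'ShowInAddressBook'; Expression = { Join-Values $_ 'showInAddressBook' }},
    @{Name = 'LegacyExchangeDN';  Expression = { Join-Values $_ 'legacyExchangeDN' }},
    @{Name = 'WhenChanged';       Expression = { Join-Values $_ 'whenChanged' }} |
    Format-List
$results.Dispose()
```

Each result's DistinguishedName shows which domain and container hold the object, and ShowInAddressBook lists the address lists it has been stamped into, which is what makes it appear in the GAL.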
Neal58

Does the mailbox still exist?

Are you sure the address is still in the GAL and not in specific users' personal contacts or .nk2 file?

Check there is no Exchange contact set up for this old user.

Does it appear for all users in the organisation (i.e. if you create a new user, do they have this address)?
bjblackmore

ASKER

Thanks for the reply.

As far as I can see the mailbox & AD account have been deleted from the old domain, so shouldn't exist.

I've done a domain search, and there is no contact setup with these details.

Yes, it is showing up in the GAL, not users' cache or nk2 file. It's showing in the GAL for all users in the organization, new and old.

As a total failover you could recreate the GAL with

Set-GlobalAddressList "Default Global Address List" -RecipientFilter {(Alias -ne $null -and (ObjectClass -eq 'user' -or ObjectClass -eq 'contact' -or ObjectClass -eq 'msExchSystemMailbox' -or ObjectClass -eq 'msExchDynamicDistributionList' -or ObjectClass -eq 'group' -or ObjectClass -eq 'publicFolder'))}

I'll have a thinky about manually removing a specific entry. I'm sure there's something in the depths of my brain . . . !

Quick q, when you deleted the mailbox did you select to remove or disable it?

Also, is the decommissioned server still available through the network?
I'll have to find out how it was deleted and if the decommissioned server is still available, as it was performed by our Canadian counterparts on their old domain. I'll pop them an email, but might not get a reply until this afternoon.
That's fine, I was only wondering about the old server to see if it was still "see-able" on the network as it may be confusing the new server with old GAL entries. Some firms I've dealt with keep the old server up as a failover for a while . . which is silly!
Hi,

Have had a reply from our Canadian counterparts, apparently the account was deleted from the old Exchange server, which apparently is still connected and running, although not in a healthy state. I'm trying to get the details so I can logon and take a look around!

I also tried recreating the GAL using the code you suggested (below). It told me that it would need to upgrade the GAL to the latest version, and that from then on, only the latest version of the Exchange management shell would be able to manage it. I said Yes to go ahead, hopefully that was the correct answer! However looking at the GAL this morning, it still had the old and new account details, so doesn't appear to have fixed the issue!

Set-GlobalAddressList "Default Global Address List" -RecipientFilter {(Alias -ne $null -and (ObjectClass -eq 'user' -or ObjectClass -eq 'contact' -or ObjectClass -eq 'msExchSystemMailbox' -or ObjectClass -eq 'msExchDynamicDistributionList' -or ObjectClass -eq 'group' -or ObjectClass -eq 'publicFolder'))}

Is there any good reason the old server is still up? Are the Exchange services running on it? If they are, do they need to be?

I think until you can find out the actual state of the old server, then that is always going to be a major flaw in the network. If you have transferred all the users over to the new server then there is no need for Exchange to be running on there unless it is in a cluster / DAG as a local point for users there to reduce latency. If it is only to be used for filesharing or local AD then get rid of Exchange totally, preferably a fresh install of everything!

Why oh why do people still leave obsolete devices connected!
Having tried to remote desktop into this server, and not being able to connect, or ping it, I've found out from my Canadian counterparts that it's actually turned off. However it was a domain controller, as well as Exchange server, and was not decommissioned cleanly, i.e. it was just switched off, and put on a shelf!!

I have discussed with the Canadian team turning the server back on, connecting it to the network, and letting it replicate/update, and then running a proper Exchange uninstall to remove Exchange cleanly, as well as running DCPROMO to demote the DC back to a member server. Hopefully this will fix this issue, otherwise it's a case of going deep into AD and manually removing all of the server references!
Yeah, that would be a pain! Why did they not decommission the old server properly? Please tell me there was a reason and it wasn't just pure laziness / not knowing, you're just setting yourself up for troubles that way.
Apologies for not replying to this thread sooner. I've had to wait for the Canadian admin to get the server turned on again, then we had some issues getting RDP to work.

In answer to your question, not sure, was done before I joined the company, not sure who did it, so could have been either/both reasons!

So, current state of the server:

The total C: drive is only 4GB, with 500mb free. Not big enough in my opinion for a server that is a DC, let alone one that was also running Exchange. Especially as the C: & D: are on the same physical disk array, and D: is 209GB with 89GB free. No reason another 20GB or 40GB of space couldn't have been reassigned to the C:!

However instead of increasing the C: drive size, someone decided to compress the entire C: drive, another big mistake, as even the 'C:\Windows' & 'C:\Program Files' folders are compressed, which is massively going to impact the server's performance when launching any application.

Exchange 2003 is still installed, but looks like the services have been stopped & disabled.

Active Directory is still installed and appears to be working, although there are some replication errors, as the server has been turned off for a year.

Terminal Services is installed on the server - rather than it just running in Remote Admin mode - yet another mistake due to the security hole it opens!

I'll be going through each of the above items with the current server admin on Monday, and trying to fix each one. Removing TS should be fairly easy, demoting the DC back to member server & uninstalling Exchange might throw up a few problems, if it gets its knickers in a twist. The C: drive disk space is a pain, but I think the server will be decommissioned & scrapped once everything is removed properly, so not too worried about this at the moment!

And just turning on the server doesn't appear to have removed the errant account from the GAL, so nothing that was missing has been replicated to resolve the issue! The account doesn't exist in AD on the server either, so not sure where the GAL is pulling the errant user account from!

Will post an update on Monday once I've spoken to the server admin, and we've given some of the above a try.
Well I've been working on the server for the past 2 days, and think I'm winning...I hope!

I couldn't uninstall Exchange because it said I did not have permission as Active Directory hadn't replicated the necessary permissions to modify Exchange components.

After investigation I found there were problems where the server had lost its trust relationship with the domain, and the other domain controller, then the server was in the wrong site in Sites and Services, then DNS was having issues - fixed by deleting the netlogon.dns file & restarting the netlogon service.

Then when replication tried again it errored saying 'time since the last replication with this server has exceeded the tombstone lifetime', fixed this by adding a registry entry for 'Allow Replication With Divergent and Corrupt Partner'.

Once I managed to fix those issues, replication started, but then failed with object errors - AD objects that existed in one DC didn't in the other - so fixed this with the 'repadmin /removelingeringobjects'.

Replication now appears to be working OK between the 2 DCs. So I have tried to uninstall Exchange again, however the uninstall setup program errors saying 'One or more users currently use a mailbox store on this server. These users must be moved to a mailbox store on a different server', however this server doesn't appear to have a mailbox store. In fact, there aren't even any Exchange services listed in the services console! If I try to re-install Exchange, this errors with 'To install the first Exchange server in a domain, or to run setup in "/ForestPrep" mode, you must be an Exchange Full Administrator at the organization level. You must use an account that has been granted the Full Exchange Administrator role on the Exchange organization using the Exchange Administrative Delegation Wizard'. So I'm stuck, I can't install or uninstall Exchange from this server! I don't want to run anything like /forestprep, as we're now running a working Exchange 2007 environment, and don't want to risk screwing that up!

Any help or suggestions would be much appreciated!
ASKER CERTIFIED SOLUTION
bjblackmore

This is how I resolved the issue