Solved

Removing Non-Existent User From Exchange 2007 GAL

Posted on 2012-03-27
Last Modified: 2012-07-18
Over the past couple of years we have migrated a number of our subdomains and separate domains into a single global domain. We also migrated sites from using their own separate Exchange 2003 mail servers to using a single global Exchange 2007 infrastructure. During this migration thousands of users were migrated from the old Exchange 2003 servers over to the new Exchange 2007 mailbox servers. 99.9% migrated without issue; however, the odd one or two have had an issue.

We have a user who has an email account on our new domain, AND on one of the old decommissioned domains. This user shows up twice in the GAL, and it has caused multiple issues.

We have tried deleting the account from the original domain, but she still shows up in the GAL.

Currently the old user's AD account doesn't appear to exist anywhere: it's been deleted from the old domain, I've gone through ADSI Edit searching for the unique DN and can't find anything, but the account still shows up in the GAL.

I have tried forcing a GAL update using "Get-OfflineAddressBook | Update-OfflineAddressBook" and "Get-ClientAccessServer | Update-FileDistributionService".

Is there any way to delete the GAL entry with some PowerShell command or something? Or some way I can find where this ghost account exists?
Question by:bjblackmore
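The two commands in the question only regenerate the Offline Address Book, which is what cached-mode Outlook downloads. Outlook in online mode resolves the GAL through a Global Catalog, so an entry that every user sees means some directory object in the forest still carries the address. The script below is an added example, not code from the thread: it first asks Exchange's own recipient view, then queries every GC directly for the address, and only then forces the GAL and address lists (not just the OAB) to rebuild. The SMTP address is a placeholder; it assumes the Exchange 2007 Management Shell on a forest-joined machine.

```powershell
# Added example (not part of the original thread): locate the object behind a "ghost"
# GAL entry, then rebuild the address lists in the right order.
# Assumption (placeholder, not from the thread): the duplicate shows as jane.doe@example.com.
# Run in the Exchange 2007 Management Shell on a forest-joined machine.
$Smtp = 'jane.doe@example.com'

# 1. The 2007 shell only sees the local domain by default; widen it to the forest so a
#    recipient left behind in the old domain is not silently filtered out of the results.
$AdminSessionADSettings.ViewEntireForest = $true

# 2. Ask Exchange's own recipient view. Whatever comes back here is what the address-list
#    service will keep stamping into the GAL.
Get-Recipient -ResultSize Unlimited -Filter "EmailAddresses -eq 'smtp:$Smtp'" |
    Format-List Name, RecipientType, Alias, DistinguishedName, HiddenFromAddressListsEnabled, LegacyExchangeDN

# 3. Go underneath Exchange. Online-mode Outlook resolves the GAL through a Global Catalog,
#    so query every GC in the forest directly for anything carrying the address.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$attrs = 'objectClass', 'distinguishedName', 'legacyExchangeDN', 'showInAddressBook',
         'msExchHideFromAddressLists', 'objectGUID', 'whenChanged'
foreach ($gc in $forest.GlobalCatalogs) {
    $root = New-Object System.DirectoryServices.DirectoryEntry("GC://$($gc.Name)")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(|(proxyAddresses=smtp:$Smtp)(mail=$Smtp))"
    $searcher.PageSize = 500
    foreach ($a in $attrs) { [void]$searcher.PropertiesToLoad.Add($a) }
    foreach ($r in $searcher.FindAll()) {
        $p = $r.Properties
        $class = $p['objectclass'][$p['objectclass'].Count - 1]   # most specific class is last
        $guid = New-Object Guid (,$p['objectguid'][0])
        Write-Host ("GC {0}: {1} [{2}] guid={3} changed={4}" -f $gc.Name, $p['distinguishedname'][0],
            $class, $guid, $p['whenchanged'][0])
        Write-Host ("    legacyExchangeDN : {0}" -f $p['legacyexchangedn'][0])
        Write-Host ("    showInAddressBook: {0}" -f (@($p['showinaddressbook']) -join '; '))
    }
}
# A hit whose DN lives in a domain you believe is gone, or that one GC returns and another
# does not, points at a stale/lingering directory object rather than at the address lists.

# 4. Only once no object carries the address, force a full rebuild. The OAB cmdlets from the
#    question regenerate what cached-mode clients download; the GAL and the address lists
#    themselves are recalculated by the first two lines here.
Update-GlobalAddressList -Identity 'Default Global Address List'
Get-AddressList | Update-AddressList
Get-OfflineAddressBook | Update-OfflineAddressBook
Get-ClientAccessServer | Update-FileDistributionService
```

If step 2 returns nothing but step 3 returns an object, Exchange is not the place to fix it: the GC still holds a directory object, and the thread's later findings (a DC that was powered off past the tombstone lifetime) are the usual reason.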
15 Comments
 
LVL 4

Expert Comment

by:Neal58
ID: 37770579
Does the mailbox still exist?

Are you sure the address is still in the GAL and not in specific users' personal contacts or .nk2 file?

Check there is no Exchange contact set up for this old user.

Does it appear for all users in the organisation (i.e. if you create a new user, do they have this address?)

Author Comment

by:bjblackmore
ID: 37770605
Thanks for the reply.

As far as I can see the mailbox and AD account have been deleted from the old domain, so shouldn't exist.

I've done a domain search, and there is no contact set up with these details.

Yes, it is showing up in the GAL, not users' cache or .nk2 file. It's showing in the GAL for all users in the organization, new and old.
LVL 4

Expert Comment

by:Neal58
ID: 37770612
As a total failover you could recreate the GAL with

Set-GlobalAddressList "Default Global Address List" -RecipientFilter {(Alias -ne $null -and (ObjectClass -eq 'user' -or ObjectClass -eq 'contact' -or ObjectClass -eq 'msExchSystemMailbox' -or ObjectClass -eq 'msExchDynamicDistributionList' -or ObjectClass -eq 'group' -or ObjectClass -eq 'publicFolder'))}



I'll have a think about manually removing a specific entry. I'm sure there's something in the depths of my brain . . . !
LVL 4

Expert Comment

by:Neal58
ID: 37770619
Quick question: when you deleted the mailbox, did you select to remove or disable it?

Also, is the decommissioned server still available through the network?

Author Comment

by:bjblackmore
ID: 37770659
I'll have to find out how it was deleted and if the decommissioned server is still available, as it was performed by our Canadian counterparts on their old domain. I'll pop them an email, but might not get a reply until this afternoon.
LVL 4

Expert Comment

by:Neal58
ID: 37770678
That's fine, I was only wondering about the old server to see if it was still "see-able" on the network, as it may be confusing the new server with old GAL entries. Some firms I've dealt with keep the old server up as a failover for a while . . . which is silly!

Author Comment

by:bjblackmore
ID: 37775952
Hi,

Have had a reply from our Canadian counterparts; apparently the account was deleted from the old Exchange server, which apparently is still connected and running, although not in a healthy state. I'm trying to get the details so I can log on and take a look around!

I also tried recreating the GAL using the code you suggested (below). It told me that it would need to upgrade the GAL to the latest version, and that from then on only the latest version of the Exchange Management Shell would be able to manage it. I said yes to go ahead; hopefully that was the correct answer! However, looking at the GAL this morning, it still had the old and new account details, so it doesn't appear to have fixed the issue!

Set-GlobalAddressList "Default Global Address List" -RecipientFilter {(Alias -ne $null -and (ObjectClass -eq 'user' -or ObjectClass -eq 'contact' -or ObjectClass -eq 'msExchSystemMailbox' -or ObjectClass -eq 'msExchDynamicDistributionList' -or ObjectClass -eq 'group' -or ObjectClass -eq 'publicFolder'))}


LVL 4

Expert Comment

by:Neal58
ID: 37776013
Is there any good reason the old server is still up? Are the Exchange services running on it? If they are, do they need to be?
LVL 4

Expert Comment

by:Neal58
ID: 37776029
I think until you can find out the actual state of the old server, that is always going to be a major flaw in the network. If you have transferred all the users over to the new server then there is no need for Exchange to be running on there, unless it is in a cluster/DAG as a local point for users there to reduce latency. If it is only to be used for file sharing or local AD, then get rid of Exchange totally, preferably a fresh install of everything!

Why oh why do people still leave obsolete devices connected!

Author Comment

by:bjblackmore
ID: 37786380
Having tried to remote desktop into this server, and not being able to connect or ping it, I've found out from my Canadian counterparts that it's actually turned off. However, it was a domain controller as well as an Exchange server, and was not decommissioned cleanly, i.e. it was just switched off and put on a shelf!!

I have discussed with the Canadian team turning the server back on, connecting it to the network and letting it replicate/update, and then running a proper Exchange uninstall to remove Exchange cleanly, as well as running DCPROMO to demote the DC back to a member server. Hopefully this will fix the issue; otherwise it's a case of going deep into AD and manually removing all of the server references!
LVL 4

Expert Comment

by:Neal58
ID: 37786678
Yeah, that would be a pain! Why did they not decommission the old server properly? Please tell me there was a reason and it wasn't just pure laziness / not knowing; you're just setting yourself up for trouble that way.

Author Comment

by:bjblackmore
ID: 37843255
Apologies for not replying to this thread sooner. I've had to wait for the Canadian admin to get the server turned on again, then we had some issues getting RDP to work.

In answer to your question, not sure; it was done before I joined the company, and I'm not sure who did it, so it could have been either/both reasons!

So, current state of the server:

The total C: drive is only 4GB, with 500MB free. Not big enough in my opinion for a server that is a DC, let alone one that was also running Exchange, especially as the C: and D: are on the same physical disk array, and D: is 209GB with 89GB free. No reason another 20GB or 40GB of space couldn't have been reassigned to the C:!

However, instead of increasing the C: drive size, someone decided to compress the entire C: drive, another big mistake, as even the 'C:\Windows' and 'C:\Program Files' folders are compressed, which is massively going to impact the server's performance when launching any application.

Exchange 2003 is still installed, but looks like the services have been stopped & disabled.

Active Directory is still installed and appears to be working, although there are some replication errors, as the server has been turned off for a year.

Terminal Services is installed on the server - rather than it just running in Remote Admin mode - yet another mistake due to the security hole it opens!

I'll be going through each of the above items with the current server admin on Monday and trying to fix each one. Removing TS should be fairly easy; demoting the DC back to member server and uninstalling Exchange might throw up a few problems if it gets its knickers in a twist. The C: drive disk space is a pain, but I think the server will be decommissioned and scrapped once everything is removed properly, so I'm not too worried about this at the moment!

And just turning on the server doesn't appear to have removed the errant account from the GAL, so nothing that was missing has been replicated to resolve the issue! The account doesn't exist in AD on the server either, so I'm not sure where the GAL is pulling the errant user account from!

Will post an update on Monday once I've spoken to the server admin, and we've given some of the above a try.

Author Comment

by:bjblackmore
ID: 37862742
Well, I've been working on the server for the past 2 days, and think I'm winning... I hope!

I couldn't uninstall Exchange because it said I did not have permission, as Active Directory hadn't replicated the necessary permissions to modify Exchange components.

After investigation I found there were problems where the server had lost its trust relationship with the domain and the other domain controller; then the server was in the wrong site in Sites and Services; then DNS was having issues, fixed by deleting the netlogon.dns file and restarting the Netlogon service.

Then when replication tried again it errored, saying 'time since the last replication with this server has exceeded the tombstone lifetime'; fixed this by adding a registry entry for 'Allow Replication With Divergent and Corrupt Partner'.

Once I managed to fix those issues, replication started, but then failed with object errors (AD objects that existed in one DC didn't in the other), so fixed this with 'repadmin /removelingeringobjects'.

Replication now appears to be working OK between the 2 DCs. So I have tried to uninstall Exchange again; however, the uninstall setup program errors saying 'One or more users currently use a mailbox store on this server. These users must be moved to a mailbox store on a different server', however this server doesn't appear to have a mailbox store. In fact, there aren't even any Exchange services listed in the services console! If I try to re-install Exchange, this errors with 'To install the first Exchange server in a domain, or to run setup in "/ForestPrep" mode, you must be an Exchange Full Administrator at the organization level. You must use an account that has been granted the Full Exchange Administrator role on the Exchange organization using the Exchange Administrative Delegation Wizard'. So I'm stuck: I can't install or uninstall Exchange from this server! I don't want to run anything like /forestprep, as we're now running a working Exchange 2007 environment, and don't want to risk screwing that up!

Any help or suggestions would be much appreciated!
exchange-uninstall-error.jpg
exchange-uninstall-error2.jpg
exchange-install-error.jpg
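The post above is the real explanation of the ghost GAL entry: a DC that was powered off past the tombstone lifetime came back holding objects the rest of the forest had deleted and garbage-collected, and once the "Allow Replication With Divergent and Corrupt Partner" override let it replicate, those lingering objects could reach the GC the Exchange 2007 servers read the GAL from. The script below is an added example, not code from the thread. It shows how to confirm a lingering object before running repadmin: it binds to every DC in the domain individually, records which ones still hold the suspect DN, and prints the advisory-mode `repadmin /removelingeringobjects` command with the DSA GUID of a clean DC as the reference. The DN, domain and naming context are placeholders; the registry lines at the end are meant to be run on each DC after the cleanup.

```powershell
# Added example (not part of the original thread): find which domain controllers still hold
# a suspect object (the signature of a lingering object) and build the advisory-mode repadmin
# command to confirm before anything is removed.
# Assumptions (placeholders, not from the thread): the object's DN, the domain, its naming context.
$SuspectDn     = 'CN=Jane Doe,OU=Users,DC=old,DC=example,DC=com'
$DomainDns     = 'old.example.com'
$NamingContext = 'DC=old,DC=example,DC=com'

$ctx    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $DomainDns)
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)

# Escape the LDAP filter metacharacters that can legitimately appear inside a DN value.
$filterDn = $SuspectDn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

$report = @()
foreach ($dc in $domain.DomainControllers) {
    # Bind to this specific DC, not the domain, so each answer reflects only its own replica.
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($dc.Name)/$NamingContext")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, "(distinguishedName=$filterDn)")
    [void]$searcher.PropertiesToLoad.AddRange(@('objectGUID', 'whenChanged', 'uSNChanged'))
    $hit = $searcher.FindOne()

    # repadmin wants the DSA GUID (objectGUID of the NTDS Settings object) of the reference DC.
    $rootDse = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($dc.Name)/RootDSE")
    $ntdsDn  = $rootDse.Properties['dsServiceName'].Value
    $ntds    = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($dc.Name)/$ntdsDn")
    $dsaGuid = New-Object Guid (,$ntds.Properties['objectGUID'].Value)

    $objectGuid  = $null
    $whenChanged = $null
    if ($hit -ne $null) {
        $objectGuid  = New-Object Guid (,$hit.Properties['objectguid'][0])
        $whenChanged = $hit.Properties['whenchanged'][0]
    }
    $report += New-Object PSObject -Property @{
        DC = $dc.Name; DsaGuid = $dsaGuid; HasObject = ($hit -ne $null)
        ObjectGuid = $objectGuid; WhenChanged = $whenChanged
    }
}
$report | Format-Table DC, HasObject, ObjectGuid, WhenChanged, DsaGuid -AutoSize

$stale = @($report | Where-Object { $_.HasObject })
$clean = @($report | Where-Object { -not $_.HasObject })
if ($stale.Count -gt 0 -and $clean.Count -gt 0) {
    # A split like this means the object was tombstoned and garbage-collected on the clean DCs
    # and survives only on the stale ones: exactly what repadmin /removelingeringobjects is for.
    $reference = $clean[0]
    foreach ($s in $stale) {
        Write-Host "repadmin /removelingeringobjects $($s.DC) $($reference.DsaGuid) `"$NamingContext`" /advisory_mode"
    }
    Write-Host 'Check the NTDS Replication events the advisory run logs (1946 per object, 1942 summary), then rerun without /advisory_mode.'
}

# After the cleanup, run on each DC: undo the temporary override the thread describes and keep
# strict replication consistency on, so a stale partner cannot reintroduce deleted objects again.
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
Set-ItemProperty -Path $ntdsKey -Name 'Allow Replication With Divergent and Corrupt Partner' -Value 0 -Type DWord
Set-ItemProperty -Path $ntdsKey -Name 'Strict Replication Consistency' -Value 1 -Type DWord
```

Leaving the divergent-partner override in place is the part most often forgotten: it was needed once to let the stale DC replicate at all, but with it set, any future DC that sits offline past the tombstone lifetime can push the same kind of ghost objects back into the forest and, through the GC, back into the GAL.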

Accepted Solution

by:
bjblackmore earned 0 total points
ID: 38184683
Eventually managed to resolve this issue by removing the legacy Exchange 2003 server and domain controller from the subdomain.

Author Closing Comment

by:bjblackmore
ID: 38197885
This is how I resolved the issue.