Solved

Removing a Non-Existent User From the Exchange 2007 GAL

Posted on 2012-03-27
Last Modified: 2012-07-18
Over the past couple of years we have migrated a number of our subdomains and separate domains into a single global domain. We also migrated sites from using their own separate Exchange 2003 mail servers to using a single global Exchange 2007 infrastructure. During this migration thousands of users were migrated from the old Exchange 2003 servers over to the new Exchange 2007 mailbox servers. 99.9% migrated without issue; however, the odd one or two have had an issue.

We have a user who has an email account on our new domain AND on one of the old decommissioned domains. This user shows up twice in the GAL, and it has caused multiple issues.

We have tried deleting the account from the original domain but she still shows up in the GAL.

Currently the old user's AD account doesn't appear to exist anywhere: it's been deleted from the old domain, and I've gone through ADSI Edit searching for the unique DN and can't find anything, but the account still shows up in the GAL.

I have tried forcing a GAL update using "Get-OfflineAddressBook | Update-OfflineAddressBook" & "Get-ClientAccessServer | Update-FileDistributionService"

Is there any way to delete the GAL entry with some PowerShell command or something? Or some way I can find where this ghost account exists?
Question by:bjblackmore
15 Comments

Expert Comment

by:Neal58
ID: 37770579
Does the mailbox still exist?

Are you sure the address is still in the GAL and not in specific users' personal contacts or .nk2 file?

Check there is no Exchange contact set up for this old user.

Does it appear for all users in the organisation (i.e. if you create a new user, do they have this address?)
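The checks above (does the object still exist, is it a contact, is it the directory or a client cache) can be run from the Exchange 2007 Management Shell instead of by hand. The script below is an added example, not code from the thread or from either participant, and the address jane.doe@corp.example and display name Jane Doe are hypothetical stand-ins for the duplicate entry. It assumes PowerShell 2.0 and a reachable Global Catalog; the function names are the example's own.

```powershell
# Added example (not from the original thread): trace where a duplicate, or "ghost",
# GAL entry is coming from. Hypothetical values: the address that shows up twice is
# jane.doe@corp.example and its display name is Jane Doe. Run in the Exchange 2007
# Management Shell (PowerShell 2.0 assumed) on a machine that can reach a Global Catalog.

$ghostSmtp = 'jane.doe@corp.example'   # assumed address seen twice in the GAL
$ghostName = 'Jane Doe'                # assumed display name of the duplicate entry

# 1. Which recipient objects does Exchange itself associate with the address?
#    Exchange 2007 recipient cmdlets are forest-wide, so an object left behind in
#    another domain of the forest shows up here even if it is invisible in the local domain.
function Get-RecipientsByAddress([string]$Smtp) {
    Get-Recipient -ResultSize Unlimited -Filter "EmailAddresses -like '*$Smtp*'" |
        Select-Object Name, RecipientType, PrimarySmtpAddress, LegacyExchangeDN,
                      HiddenFromAddressListsEnabled, DistinguishedName
}

# 2. Replay the GAL's own recipient filter. This is exactly the set of objects the GAL
#    (and therefore the OAB) is built from, so a display name listed twice here is a
#    directory problem, not a client-side cache (.nk2 / personal contacts) problem.
function Get-GalDuplicates([string]$GalName = 'Default Global Address List') {
    $gal = Get-GlobalAddressList $GalName
    if (-not $gal.RecipientFilter) {
        # A list that was never upgraded still carries only an LDAP filter.
        throw "$GalName still uses a legacy LDAP filter: $($gal.LdapRecipientFilter)"
    }
    Get-Recipient -ResultSize Unlimited -RecipientPreviewFilter $gal.RecipientFilter |
        Group-Object DisplayName |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object { $_.Group | Select-Object DisplayName, RecipientType, DistinguishedName }
}

# 3. Go underneath Exchange: search every domain in the forest through a Global Catalog.
#    With $IncludeTombstones the search also returns deleted-but-not-yet-purged objects;
#    tombstones keep only a handful of attributes (not proxyAddresses), so match those on name.
function Search-Forest([string]$Filter, [string[]]$Props, [bool]$IncludeTombstones = $false) {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]('GC://' + $rootDse.rootDomainNamingContext)
    $searcher.Filter     = $Filter
    $searcher.PageSize   = 1000
    $searcher.Tombstone  = $IncludeTombstones   # sends the "show deleted objects" LDAP control
    foreach ($p in $Props) { [void]$searcher.PropertiesToLoad.Add($p) }
    foreach ($r in $searcher.FindAll()) {
        $mail = if ($r.Properties.Contains('mail')) { $r.Properties['mail'][0] } else { $null }
        New-Object PSObject -Property @{
            DistinguishedName = $r.Properties['distinguishedname'][0]
            ObjectClass       = ($r.Properties['objectclass'] | Select-Object -Last 1)
            Mail              = $mail
        }
    }
}

"== Exchange recipients carrying $ghostSmtp =="
Get-RecipientsByAddress $ghostSmtp | Format-Table -AutoSize

"== Display names the GAL filter matches more than once =="
Get-GalDuplicates | Format-Table -AutoSize

"== Live directory objects in the forest carrying $ghostSmtp =="
Search-Forest "(|(proxyAddresses=smtp:$ghostSmtp)(mail=$ghostSmtp))" @('distinguishedName','objectClass','mail') |
    Format-Table DistinguishedName, ObjectClass, Mail -AutoSize

"== Tombstoned objects whose name starts with '$ghostName' =="
Search-Forest "(&(isDeleted=TRUE)(name=$ghostName*))" @('distinguishedName','objectClass') $true |
    Format-Table DistinguishedName, ObjectClass -AutoSize
```

If the second and third sections come back clean but Outlook still shows two entries, the clients are reading a stale OAB rather than the directory: compare against the online GAL (Outlook in online mode, or OWA) before chasing it further, since Update-OfflineAddressBook only regenerates the file and cached-mode clients pick it up on their next download. If a tombstone is only expected in the old subdomain, point the searcher at LDAP://<a DC of that domain> instead of the GC.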

Author Comment

by:bjblackmore
ID: 37770605
Thanks for the reply.

As far as I can see the mailbox & AD account have been deleted from the old domain, so shouldn't exist.

I've done a domain search, and there is no contact setup with these details.

Yes it is showing up in the GAL, not users cache or nk2 file. It's showing in the GAL for all users in the organization, new and old.

Expert Comment

by:Neal58
ID: 37770612
As a total failover you could recreate the GAL with:

Set-GlobalAddressList "Default Global Address List" -RecipientFilter {(Alias -ne $null -and (ObjectClass -eq 'user' -or ObjectClass -eq 'contact' -or ObjectClass -eq 'msExchSystemMailbox' -or ObjectClass -eq 'msExchDynamicDistributionList' -or ObjectClass -eq 'group' -or ObjectClass -eq 'publicFolder'))}



I'll have a think about manually removing a specific entry. I'm sure there's something in the depths of my brain...!

Expert Comment

by:Neal58
ID: 37770619
Quick question: when you deleted the mailbox, did you select to remove or disable it?

Also, is the decommissioned server still available through the network?

Author Comment

by:bjblackmore
ID: 37770659
I'll have to find out how it was deleted and if the decommissioned server is still available, as it was performed by our Canadian counterparts on their old domain. I'll pop them an email, but might not get a reply until this afternoon.

Expert Comment

by:Neal58
ID: 37770678
That's fine, I was only wondering about the old server to see if it was still "see-able" on the network, as it may be confusing the new server with old GAL entries. Some firms I've dealt with keep the old server up as a failover for a while... which is silly!

Author Comment

by:bjblackmore
ID: 37775952
Hi,

Have had a reply from our Canadian counterparts, apparently the account was deleted from the old Exchange server, which apparently is still connected and running, although not in a healthy state. I'm trying to get the details so I can logon and take a look around!

I also tried recreating the GAL using the code you suggested (below). It told me that it would need to upgrade the GAL to the latest version, and that from then on only the latest version of the Exchange Management Shell would be able to manage it. I said yes to go ahead, hopefully that was the correct answer! However, looking at the GAL this morning, it still had the old and new account details, so it doesn't appear to have fixed the issue!

Set-GlobalAddressList "Default Global Address List" -RecipientFilter {(Alias -ne $null -and (ObjectClass -eq 'user' -or ObjectClass -eq 'contact' -or ObjectClass -eq 'msExchSystemMailbox' -or ObjectClass -eq 'msExchDynamicDistributionList' -or ObjectClass -eq 'group' -or ObjectClass -eq 'publicFolder'))}



Expert Comment

by:Neal58
ID: 37776013
Is there any good reason the old server is still up? Are the Exchange services running on it? If they are, do they need to be?

Expert Comment

by:Neal58
ID: 37776029
I think until you can find out the actual state of the old server, that is always going to be a major flaw in the network. If you have transferred all the users over to the new server then there is no need for Exchange to be running on there, unless it is in a cluster/DAG as a local point for users there to reduce latency. If it is only to be used for file sharing or local AD then get rid of Exchange totally, preferably with a fresh install of everything!

Why oh why do people still leave obsolete devices connected!

Author Comment

by:bjblackmore
ID: 37786380
Having tried to remote desktop into this server, and not being able to connect or ping it, I've found out from my Canadian counterparts that it's actually turned off. However, it was a domain controller as well as an Exchange server, and was not decommissioned cleanly, i.e. it was just switched off and put on a shelf!!

I have discussed with the Canadian team turning the server back on, connecting it to the network, letting it replicate/update, and then running a proper Exchange uninstall to remove Exchange cleanly, as well as running DCPROMO to demote the DC back to a member server. Hopefully this will fix this issue; otherwise it's a case of going deep into AD and manually removing all of the server references!

Expert Comment

by:Neal58
ID: 37786678
Yeah, that would be a pain! Why did they not decommission the old server properly? Please tell me there was a reason and it wasn't just pure laziness/not knowing; you're just setting yourself up for troubles that way.

Author Comment

by:bjblackmore
ID: 37843255
Apologies for not replying to this thread sooner. I've had to wait for the Canadian admin to get the server turned on again, then we had some issues getting RDP to work.

In answer to your question, not sure, was done before I joined the company, not sure who did it, so could have been either/both reasons!

So, current state of the server:

The total C: drive is only 4 GB, with 500 MB free. Not big enough, in my opinion, for a server that is a DC, let alone one that was also running Exchange. Especially as the C: and D: are on the same physical disk array, and D: is 209 GB with 89 GB free. No reason another 20 GB or 40 GB of space couldn't have been reassigned to the C:!

However, instead of increasing the C: drive size, someone decided to compress the entire C: drive, another big mistake, as even the 'C:\Windows' and 'C:\Program Files' folders are compressed, which is massively going to impact the server's performance when launching any application.

Exchange 2003 is still installed, but looks like the services have been stopped & disabled.

Active Directory is still installed and appears to be working, although there are some replication errors, as the server has been turned off for a year.

Terminal Services is installed on the server - rather than it just running in Remote Admin mode - yet another mistake due to the security hole it opens!

I'll be going through each of the above items with the current server admin on Monday and trying to fix each one. Removing TS should be fairly easy; demoting the DC back to member server and uninstalling Exchange might throw up a few problems if it gets its knickers in a twist. The C: drive disk space is a pain, but I think the server will be decommissioned and scrapped once everything is removed properly, so I'm not too worried about this at the moment!

And just turning on the server doesn't appear to have removed the errant account from the GAL, so nothing that was missing has been replicated to resolve the issue! The account doesn't exist in AD on the server either, so I'm not sure where the GAL is pulling the errant user account from!

Will post an update on Monday once I've spoken to the server admin, and we've given some of the above a try.

Author Comment

by:bjblackmore
ID: 37862742
Well, I've been working on the server for the past 2 days, and think I'm winning... I hope!

I couldn't uninstall Exchange because it said I did not have permission, as Active Directory hadn't replicated the necessary permissions to modify Exchange components.

After investigation I found there were problems where the server had lost its trust relationship with the domain and the other domain controller; then the server was in the wrong site in Sites and Services; then DNS was having issues, fixed by deleting the netlogon.dns file and restarting the Netlogon service.

Then when replication tried again it errored, saying 'time since the last replication with this server has exceeded the tombstone lifetime'; fixed this by adding a registry entry for 'Allow Replication With Divergent and Corrupt Partner'.

Once I managed to fix those issues, replication started, but then failed with object errors (AD objects that existed in one DC didn't in the other), so fixed this with 'repadmin /removelingeringobjects'.

Replication now appears to be working OK between the 2 DCs. So I have tried to uninstall Exchange again; however, the uninstall setup program errors saying 'One or more users currently use a mailbox store on this server. These users must be moved to a mailbox store on a different server'. However, this server doesn't appear to have a mailbox store. In fact, there aren't even any Exchange services listed in the services console! If I try to re-install Exchange, this errors with 'To install the first Exchange server in a domain, or to run setup in "/ForestPrep" mode, you must be an Exchange Full Administrator at the organization level. You must use an account that has been granted the Full Exchange Administrator role on the Exchange organization using the Exchange Administrative Delegation Wizard'. So I'm stuck, I can't install or uninstall Exchange from this server! I don't want to run anything like /ForestPrep, as we're now running a working Exchange 2007 environment, and don't want to risk screwing that up!

Any help or suggestions would be much appreciated!
exchange-uninstall-error.jpg
exchange-uninstall-error2.jpg
exchange-install-error.jpg
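The uninstall check quoted in that post looks at the directory, not at the server's local store files: it refuses while any object in the forest still has a homeMDB pointing at one of the server's mailbox stores, and hidden SystemMailbox{...} objects count even though they never appear in the GAL. The script below is an added example, not code from the thread or from either participant, that lists those references so the decommissioning plan described earlier can be checked before the next uninstall attempt. The server name OLDEX01 is a hypothetical stand-in, PowerShell 2.0 on a domain-joined machine is assumed, and the function names are the example's own.

```powershell
# Added example (not from the original thread): list the directory objects that still
# reference a legacy Exchange 2003 server's mailbox stores. That reference (the homeMDB
# attribute) is what the "One or more users currently use a mailbox store on this server"
# uninstall check trips on, and it includes hidden SystemMailbox{...} objects that never
# appear in the GAL. Hypothetical value: the old server is called OLDEX01. Run from a
# domain-joined machine (PowerShell 2.0 assumed) as an account that can read the
# Configuration partition.

$oldServer = 'OLDEX01'   # assumed name of the legacy Exchange 2003 server
$rootDse   = [ADSI]'LDAP://RootDSE'
$configNc  = [string]$rootDse.configurationNamingContext
$forestNc  = [string]$rootDse.rootDomainNamingContext

# Escape a value for use inside an LDAP filter (RFC 4515). Store DNs contain parentheses,
# e.g. "CN=Mailbox Store (OLDEX01),...", which would otherwise corrupt the filter.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Search-Directory([string]$Root, [string]$Filter, [string[]]$Props) {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot  = [ADSI]$Root
    $s.Filter      = $Filter
    $s.PageSize    = 1000
    $s.SearchScope = 'Subtree'
    foreach ($p in $Props) { [void]$s.PropertiesToLoad.Add($p) }
    $s.FindAll()
}

# How long a DC may stay offline before replication refuses to talk to it, which is the
# "exceeded the tombstone lifetime" error hit above. $null means the attribute was never set,
# in which case the effective value is 60 days.
function Get-TombstoneLifetime {
    $ds = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $ds.Properties['tombstoneLifetime'].Value
}

# 1. Every object whose homeMDB points at one of the server's mailbox stores. homeMDB has
#    DN syntax, so only exact matches work (no wildcards): take the real store DNs from the
#    server's own configuration subtree instead of guessing them.
function Get-LegacyStoreReferences([string]$Server) {
    $srv = @(Search-Directory "LDAP://$configNc" "(&(objectClass=msExchExchangeServer)(cn=$Server))" @('distinguishedName'))
    if ($srv.Count -ne 1) { throw "Expected one Exchange server object named $Server under $configNc, found $($srv.Count)" }
    $srvDn  = [string]$srv[0].Properties['distinguishedname'][0]
    $stores = @(Search-Directory "LDAP://$srvDn" '(objectClass=msExchPrivateMDB)' @('distinguishedName'))
    foreach ($store in $stores) {
        $storeDn = [string]$store.Properties['distinguishedname'][0]
        $filter  = '(homeMDB=' + (ConvertTo-LdapFilterValue $storeDn) + ')'
        # homeMDB is replicated to the Global Catalog, so one GC search covers every domain.
        foreach ($r in @(Search-Directory "GC://$forestNc" $filter @('distinguishedName','msExchHideFromAddressLists'))) {
            $hidden = $r.Properties.Contains('msexchhidefromaddresslists') -and [bool]$r.Properties['msexchhidefromaddresslists'][0]
            New-Object PSObject -Property @{
                Object = [string]$r.Properties['distinguishedname'][0]
                Hidden = $hidden
                Store  = $storeDn
            }
        }
    }
}

# 2. Objects that name the server directly. msExchHomeServerName is a plain string
#    ("/o=Org/ou=Admin Group/cn=Configuration/cn=Servers/cn=OLDEX01"), so a wildcard is fine.
function Get-LegacyHomeServerReferences([string]$Server) {
    foreach ($r in @(Search-Directory "GC://$forestNc" "(msExchHomeServerName=*/cn=$Server)" @('distinguishedName'))) {
        [string]$r.Properties['distinguishedname'][0]
    }
}

$tsl = Get-TombstoneLifetime
if ($tsl) { "Tombstone lifetime: $tsl days" } else { "Tombstone lifetime: not set, effective value 60 days" }
"`n== Objects still homed on a mailbox store of $oldServer (Hidden = not shown in the GAL) =="
Get-LegacyStoreReferences $oldServer | Format-Table Object, Hidden, Store -AutoSize
"`n== Objects whose msExchHomeServerName still names $oldServer =="
Get-LegacyHomeServerReferences $oldServer
```

Because the two DCs in this thread were known to disagree (lingering objects), run the script a second time with the LDAP:// and GC:// roots prefixed by the other DC's name and compare: an object that exists on only one replica is reported only from that replica, and repadmin /replsummary should be clean before either result is trusted. What to do with each reported object (a mailbox move, removing the mailbox, or clearing the attributes in ADSI Edit) depends on what it is and is outside this example.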

Accepted Solution

by:
bjblackmore earned 0 total points
ID: 38184683
Eventually managed to resolve this issue by removing the legacy Exchange 2003 server and Domain Controller from the subdomain.

Author Closing Comment

by:bjblackmore
ID: 38197885
This is how I resolved the issue