Suddenly the Exchange environment is restored to a previous date

Posted on 2012-09-10
Last Modified: 2012-09-27
I have a Small Business Server 2008 running at a customer's location, and this morning I received a phone call about an issue: they don't see any appointments in their calendar.

So I went to take a look and I noticed even the e-mail is from 24-12-2011.

From 09-09-2012 at 7:45 I see normal things again.

Even in the event viewer the dates of all events are from 24-12-2011 and suddenly I see events from 09-09-2012.

It looks like the server was restored to that date, but I know for sure that it wasn't me.
I restarted the server, but no luck and everything looks fine.
On 06-09-2012 I sent an e-mail to a specific mailbox at this customer for maintenance and I received no error; when I send the mail now I receive an error "no such user". So the mailbox doesn't exist anymore.

I need some serious help with this, so hopefully you can help me with this.
Question by:RemcoVi
    LVL 6

    Expert Comment

    Imp: First restore the server from the latest backup. Get production up and running.

    Author Comment

    That will be a hard task, because I can't read the files from the backup for some reason.
    This will be my 2nd task, to take a look at why this is not working as it should.

    Author Comment

    Trying to do a recovery on the database, but I don't see the specific mailbox which existed on 06-09-2012 anymore.

    I ran the Database Recovery Management in the Exchange Management Console -> Toolbox.
    When I look at all the log files, the date jumps from 24-12-2011 to 09-09-2012.
    So there is a hole of nearly 9 months.

    It looks like I can't recover the files and need the backup file, but this file is not readable.

    Anyone with suggestions on what to do?

    Author Comment

    Weird thing is that I lost the user which was attached to the mailbox which still existed on 06-09-2012.

    Something happened to the server and it looks like a restore or, if I didn't know better, some kind of restoring to a restore point. But then again, a server doesn't have this feature.

    Suddenly the server is set back 9 months in the past. What can cause this?

    Author Comment

    Losing the user is one thing. Password changes are also set back to the same date.
    So something happened that is a kind of system restore.

    When I run the command WBADMIN GET VERSIONS it shows no restore points.

    I am running out of solutions or things to look at, please help.
    LVL 56

    Expert Comment

    by:Cliff Galiher
    It sounds as though someone restored a backup (you or another) or someone reverted a VM snapshot (same net effect.)

    You are looking at doing a full restore (not just an exchange mailbox restore) from a more recent backup. If you have a bare metal backup, that's what I'd do. I wouldn't trust a system state that old, and bare metal is a sure fire way to get almost current.
    LVL 21

    Accepted Solution

    Any chance any/some of the OSTs on the stations show anything different/more than the Exchange server? Disconnect a station from the network and open OL. If more/different, save them to PSTs before proceeding.

    Author Comment

    This is not a virtual server, but I know what you mean. Problem is that nobody, as far as I know, has access to the server or even has the skill to do this. System states are empty anyway.

    Weirdly enough there are 1 or 2 users with an actual up-to-date mailbox even after they synced. So I think they were lucky their OST file synced to the server instead of the other way.

    The only thing I could check is whether the mirrored RAID setup is broken and it is booting from the wrong disk with an older state. So in this case there should be a broken drive, so I will take a look at that on location tomorrow and hopefully the disk is broken. Then at least I have a chance to recover some files.
    LVL 17

    Assisted Solution

    As you stated above, either you rebooted from a wrong drive to mount with an older EDB, or someone did a wholesale recovery of the files and AD as well. It would seem odd to have rebooted from the wrong drive, unless you have two different implementations or some level of hardware snapshots and you are booting against a previous snapshot. The only way I see this happening with a RAID issue is if you had a previous instance of the system on a partition that was never mirrored since that point in time, and then the primary partition failed and the secondary took over. But again, that would mean that there was no active mirroring or RAID in place since that 12-14-2011 date.
    LVL 47

    Assisted Solution

    "this morning i received a phone call about an issue that they don't see any appointments in their calendar"

    Who reported the issue?
    Did a user at the customer site report this issue?

    How many users are at this site?

    Have you confirmed the exact same thing has happened for ALL USERS' Inboxes and Calendars at this site?

    My gut feeling is that a server does not just roll back to another date/time, deleting all the current mail and calendar items.

    However, a user's or all users' mailbox and calendar could have archived all the recent items.

    Making the old unarchived items look like the current date/time.

    Then when recent items arrived, it would look like there is a big hole.

    Author Comment

    I think I am done struggling now. The only way this could have happened is that a malfunctioning drive came alive again and became primary.

    Because on 1 disk I see an Exchange database file of 20Gb and on the other 30Gb.
    Some files exist on one drive and not on the other.

    Weird that this is possible and weird that I didn't receive any errors of RAID corruption or whatsoever.

    Freaking pain in the ass, because I can't collect the data because everything is corrupt.

    Thanks for your help!
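
The jump in event dates from 24-12-2011 to 09-09-2012 described in this thread can be pinned down per log with a short script. This is an added example, not part of the original thread; the function name `Find-TimelineGap` and the sample timestamps are constructed for illustration.

```powershell
# Added example: report discontinuities in a sequence of event timestamps.
# A large gap that appears at the same place in several independent logs
# points at a volume-level revert (stale mirror member, snapshot, restore)
# rather than one log having been cleared.
function Find-TimelineGap {
    param(
        [Parameter(Mandatory = $true)][datetime[]]$Timestamps,
        [timespan]$MinGap = [timespan]::FromDays(7)   # assumed threshold, tune per log
    )
    $sorted = @($Timestamps | Sort-Object)
    for ($i = 1; $i -lt $sorted.Count; $i++) {
        $delta = $sorted[$i] - $sorted[$i - 1]
        if ($delta -ge $MinGap) {
            New-Object PSObject -Property @{
                LastBefore = $sorted[$i - 1]
                FirstAfter = $sorted[$i]
                GapDays    = [math]::Round($delta.TotalDays, 1)
            }
        }
    }
}

# Constructed sample timestamps mirroring the dates in the thread (not real log data).
$culture = [Globalization.CultureInfo]::InvariantCulture
$sample = @(
    '2011-12-22 08:15', '2011-12-23 17:40', '2011-12-24 02:05',
    '2012-09-09 07:45', '2012-09-09 07:52', '2012-09-10 09:30'
) | ForEach-Object { [datetime]::ParseExact($_, 'yyyy-MM-dd HH:mm', $culture) }

Find-TimelineGap -Timestamps $sample | Format-Table LastBefore, FirstAfter, GapDays

# On a live server, run it once per log and compare where the gaps fall:
# foreach ($log in 'System', 'Application') {
#     $times = Get-WinEvent -LogName $log | ForEach-Object { $_.TimeCreated }
#     Find-TimelineGap -Timestamps $times
# }
```

Logs that are rarely written show natural gaps, so only a gap with matching boundaries across busy logs is meaningful.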
