linsysadmin
IS-IT--Management
Hello. As my handle suggests, I am more at home in a BASH shell than in Win 2k3 Server, but I have gotten along quite fine up to now...
Scenario: small business with single 2003 SBS server running both AD and Exchange. 20 users on the system full time, with Windows XP, OS X Tiger and Linux workstations all bonded to the domain and working happily for some time now. Roaming profiles and folder redirects enabled (for desktop and My Docs). All e-mail handled by Exchange server.
A single user, who relies on e-mail to archive important and sensitive documents, reported that an online folder in Outlook (online meaning it's stored in the Exchange server; I do not allow users to archive mail locally as it won't get replicated to the server and therefore will not be backed up daily) went missing. This was one of two subfolders of the user's Inbox. The other subfolder showed up empty where it had previously contained several mails as well. All other mails are intact and accounted for.
The user also reported being unable to find incoming mail. Accessing Exchange (as IMAP server) from Thunderbird on a Linux system revealed that these incoming mails were not being deleted; the incoming mail rules in Outlook were causing a problem, since two of them referred to the now missing inbox subfolder which contained the important data. Once the two offending rules were deleted, incoming mail was available again, though the missing mails mentioned were still not available. Searching the contents of the user's entire Exchange mailbox did not find the missing mail (in case it had been moved or rearchived) - these mails are all from the same individual and more than a few are missing.
A check with all other users reveals no other problems, either in retaining or in sending/receiving mail. A detailed look through all log files on the server shows no errors of relevance with either IIS or Exchange Server or Mail Transfer Agent. Having looked over the sizes of mailboxes in the system just a few days back, when the user reports having had all her mail available (she works with that folder every day) I recalled the reported size of the user's mailbox and checked the present size, which had grown by a moderate amount (normal for her traffic level). Enough mail is missing that a significant drop in overall mailbox size on the server would have been noticed.
The possibility of archived mail by Outlook (by accident - the user was instructed not to and it was disabled - don't like .pst's) was thoroughly ruled out by a search of all locations for .pst files modified in the last month.
Several backup measures are in place on this server, particularly as regards Exchange, in order to circumvent possible data loss, and these were tried one at a time:
Exchange is set to keep deleted mails and mailboxes for 30 days. Looking in the recovery console yielded a few mails, but these had been legitimately deleted. None were from either of the folders mail is missing from.
Next step, volume shadow copy. Shadow copy is enabled on the volume on which Exchange server is installed (which is RAID 1, and is showing no H/W errors at this time) and the shadow copy tab in volume properties shows copies available for several months back (a lot of space was allocated for this purpose). Restoring the whole volume a few days back is obviously completely out of the question. Querying my buddy Google turned up a utility called volrest.exe which should restore individual files. All attempts to use this utility yield "Failed to query shadow copies. Incorrect function.", whereas any incorrect syntax yields the info screen - many different options and lack of them were tried, testing on different files as well - same error. Nothing of relevance for this error found on Google.
I also know about the twclient utility and tried utilizing this - no previous versions of the database are listed!
That's fine, I still have tape backups, so I guess I will copy a previous DB over, create a restore group in Exchange... sounds pretty simple, though I have never had to do it... except my tape drive gave out on me three days ago, and I have no other way to read my backups right now.
Kind of stumped by the whole thing, I hope not to have been too long-winded, in the hopes that I have overlooked something stupid (happens). Something does not add up.
The only other possible conclusion is viruses, but I still consider it an unlikely possibility since a. only one client has this problem, b. all Windows clients on the network run Avast! anti-virus, which so far has been pretty good, c. I have two firewalls at the edge of the network, one of which is an IPCop standalone machine with Copfilter installed, updated and functioning, d. the user has not received or opened any suspicious attachments of late.