Security log filling up with 565 errors

Hey guys,

I have a 2003 Enterprise Exchange server and the security log is filling up with 565 audit failures.  Here is the information:

Date: 3/7/2007
Time: 1:21:13 PM
Type: Failure Aud
User: anydomain/anyuser
Computer: exchsrvr
Source: Security
Category: Object Access
Event ID: 565

Object Open:
Object Server: Microsoft Exchange
Object Type: Microsoft Exchange Database
Object Name: /O=anyorg/OU=HEADQUARTERS/cn=Configuration/cn=Servers/cn=exchsrvr/cn=Microsoft Private MDB
Handle ID: 0
Operation ID: {0,387310921}
Process ID: 7256
Process Name: D:\Program Files\Exchsrvr\bin\store.exe
Primary User Name: exchsrvr$
Primary Domain: anydomain
Primary Logon ID: (0x0,0x3E7)
Client User Name: anyuser
Client Domain: anydomain
Client Logon ID: (0x0,0x1715E528)
Accesses: Unknown specific access (bit 8)

Privileges: -
Properties:
---
%{a8df74ba-c5ea-11d1-bbcb-0080c76670c0}
Administer information store
%{d74a8774-2289-11d3-aa62-00c04f8eedd8}
Mail-enable public folder
Modify public folder deleted item retention
Modify public folder expiry
Modify public folder quotas
Modify public folder replica list
View information store status
Create top level public folder
Modify public folder ACL
Modify public folder admin ACL
Access Mask: 0

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Anyone have any ideas why these are popping up and how to resolve it?

Thanks


Hi

After a recent upgrade of Sophos AV (which caused massive problems), one of the issues I now face is the c:\program files\exchsrvr\mdbdata directory is filling up with hundreds of .STF files, consuming all available space on the C: drive. The only way I can rectify this is by restarting the Information Store service.

I'm speaking with Sophos to find out what they changed that caused this behaviour to start. However, in the meantime, I'd quite like to have these files stored elsewhere (maybe on a partition with masses of empty space, perhaps) but I can't find anywhere within Exchange that specifies this directory as a somewhere to dump these files. All other log files/transaction logs are stored elsewhere (on D: and E:).

I've found a reference in the registry to this path under the path HKLM/system/controlset01/services/MSExchangeIS/WorkingDirectory, but I don't want to change this value without expert guidance.

Any opinions?

My queue is filling up with messages to people I've never heard of from ip address 255.255.255.255 and from or DSN. I'm not very familiar with exchange 2007. Have enabled an open relay or something. Any help would be greatly appreciated.

Hi,

I've got a bit of an odd one, I've not seen before.

SBS2003 server, running Exchange03, within Exchange System Manager, the
queues are filling up with mail that hasn't been sent by any users on
our domain.

When I open the mail up, every single one is from the same sender
support@xxx.com - and this domain xxx.com is a company that supplies us
with software, rather than a spam sender that could have compromised our
server.

I have checked the main things I can think of, however there are no
errors in the logs, port 25 isn't open on the firewall, and I've run
virus software and it hasn't picked anything up.

anyone got any ideas?

Kind regards,

James

We are constantly getting this error message below:
This is an SMTP protocol log for virtual server ID 1, connection #549059. The client at "xxx.xxx.xxx.xxx" sent a "rcpt" command, and the SMTP server responded with "501 5.5.4 Invalid Address ". The full command sent was "rcpt TO: ". This will probably cause the connection to fail.

As you can see it doesn't have any data to show who it is coming from or where it is going. Not sure when this started because the logs have filled up with these errors. Any ideas where to start or what to look for? I looked in the SMTP connector and I don't see any unknown or suspicious connections. I know a couple weeks ago I accidentally moved a few Exchange security groups into another OU and saw an error message about that a couple days later, so I added the Exchange groups back to the users OU in Active Directory. Not sure if that has something to do with this or not, but any suggestions would be helpful!!

Thanks,

Log files in the MDBDATA folder of Exchange Server 2k have filled up almost the full partition of the hard drive. How can I delete the files to get more space? I've taken a full backup.
Please, does anyone have an idea how to get the server up after starting services and mounting the storage?

Thanks in advance

Hello,

Am running Exchange 2003 SP2 on Win2003 SP1. Have Exchange 2003 co-existing
with Exchange 2000 (which is shortly to be removed).

My event log is getting filled up with 9549 errors of the following
----------------------------------------------------------------------------------------------
source: msexchangeis
EventID 9549
Type: Error

An ambiguous SMTP proxy SystemMailbox{3427CDF7-BEB3-405B-A3CA-8DBB4630D6BF}
was found on 0x2 mailboxes in the DS. The store cannot map this SMTP proxy
to a unique Mailbox GUID.
----------------------------------------------------------------------------------------------

I have carried out an LDIF export to determine the mailboxes, and indeed two
do turn up. One is displayed as
SystemMailbox{3427CDF7-BEB3-405B-A3CA-8DBB4630D6BF}
CNF:2b67a880-302b-46de-b57f-921441241003

The other is displayed as
SystemMailbox{3427CDF7-BEB3-405B-A3CA-8DBB4630D6BF}

Both appear to have the same alias name and are displayed as being on the
same store.

If this was a normal mailbox, I'd know what to do and simply change the SMTP
email address of one of them.

However how do I find out which one to delete or change?

Help would be much appreciated, some people have simply deleted the longer
one and don't appear to report any problems, I'm loath to do that. I have
also tried manually changing the SMTP addresses of one, and this hasn't
prevented the messages from returning.

Hello all!

I am having a little problem with my mdbdata logs filling up my hard drive. Evidently, it's supposed to be set up to be purged every time the thing backs up with Veritas, but it's definitely not working. Please help! Anyone got any ideas?? I am fairly new to Exchange Server....Thanks!

About a month ago I set up Outlook Web Access and since that time I noticed the SMTP queue was filling up with mail that didn't belong to our company. So I disabled the relaying. I noticed some mail was still passing through our server, so I deleted a few of the messages from the queue, with no NDR. After that my event log keeps filling up with the Error for Event ID 12800. This is a known issue with Exchange 2K, and their recommended fix was to install SP2, which I have done. But this didn't fix the problem. My event log is still filling up with the error. Please help!

For some reason the mdbdata folder will fill up with 5mb log files, I have been running Incremental Backups nightly and fulls weekly but it will not delete the logs. I have had to stop the System Attendant and delete them almost on a daily basis. I have just been using the NTBACKUP feature until funds come free to buy a tape system. I have considered enabling Circular Logging until a better solution can be found. Any other ideas would be of great help.

Thanks

Hello there. I'm running Exchange 2000 on Server 2000. Recently we discovered it was functioning as an open relay. We closed the relay but unfortunately our SMTP queues continue to fill up with junk waiting to be sent. I've gone through it all a bunch of times & deleted the messages but it continues to fill up.

Does anybody have any suggestions as to how to stop the spam from coming in? This manual deletion thing is really tedious.

Thanks in advance!

Hi folks

I have come across a real show stopper of a problem through a simple process. I have a parent domain with 7 child domains, each with a single domain controller / global catalog server. These servers also run Exchange 2003 on top of Windows 2003 server and all was well. Replication and DNS were fine between domains.
I then created additional sites to represent the geographical locations of the servers, set up the appropriate subnets and then used the "move" function of the sites and services MMC to move the child domain servers. At this point, all was still well and all tests showed no errors.

On re-booting prior to rolling these out, everything went haywire. The logs fill up with 2080 topology errors, the information and SA services will not start and event id 1038 pops up complaining that the domain name cannot be found in any global catalog.

Any ideas? Microsoft's own site rollout document shows this to be a supported process but can Exchange servers really be moved to a different site? Note that the IP address and domains have not been changed - they have just been moved from the "default first site" to a subnetted site.

Getting desperate as this project is so far behind now and rollout was for monday.....

Any help much appreciated!!!

Glen
Mouseworks
Australia

Why is my queue filling up with junk, I'm not an open relay???

It has a bunch of junk domains... 

Every time I clear them out it fills back up...
It's a bunch of domains no one here emails to or from...

What do i do?

Hello everyone...

My Exchange server (Version 5.5) has a directory (Folder)... That keeps
filling up with files and making my disk full. The folder name is:
D:\EXCHSRVR\IMCDATA\IN\ARCHIVE

I can't for the life of me figure out why... Can anyone help me?

Just write2me@daleallen.com
www.daleallen.com
Thanks in advance
Dale Allen
CCNA, MCSE, CNE

I have a client that is running Exchange 2003 on a SBS.

For the longest time, I have been noticing that the queues are filling up
with junk email. Maybe around 100 to 200 a day. Where is this coming
from?

I have done the basics to fix the problem:
- ensured that Exchange relaying is turned off
- changed everyone's passwords, disabled the guest account
- virus/adware scanned all PCs (but it could be coming from our VPN
connection)

Any suggestions?

I'm running a pure Exchange 2003 environment. I just noticed in one of our
SMTP gateway servers (front-end) a queue called "deleted objects". It's
filling up with messages that I know should be deliverable. What would
cause this, and more importantly, how do I clear it out and deliver the
messages??

Thanks in advance.

Logging POP3 access (as well as SMTP) works great. My question is, can I
"Log One User"? The logging feature (as far as I can see) logs everything.
Not critical, but we have a server with 295 users and the log fills up with
every user activity (the ones that we log, like authentication).

Thanks in advance.

RG

I have read the MS articles, and have made sure that I am not an open relay, but my queue is still filling up with messages. When they all say postmaster@.com. I have read that this is common because it is bouncing back spam or something like that, is this right? I am concerned because the queue is getting bigger by the minute.

By the way, this is a fresh install of windows, and exchange.

Exchange 2003 server
Windows 2003 server

Ok so I have RPC over HTTP installed on a single server. It works flawlessly inside the firewall.

When I try to connect from outside I receive the prompt for my UN/PW & the send/receive details go to processing then they fail & I get this error.

Task 'Microsoft Exchange Server' reported error (0x8004011D) : 'The server is not available. Contact your administrator if this condition persists.'

We have a WatchGuard Firebox 4500 & I have set up NAT to forward all incoming requests from the external IP of the SSL address to the internal Exchange server. This works flawlessly for OWA over HTTPS.

I took a peek in the firewall logs & it seems that it is letting the connection on port 443 come in. Every time I hit send/receive I can watch the firewall logs fill up with entries to the proper IP, but to no avail.

If I connect this same client to the vpn & then try it prompts for password & connects first try.

Any thoughts?

This is a spiraling downward problem over the last few months. First time filled up 16 gig was at 12.something, a few weeks later 10.5 gig, then 9.1 gig, today was 8.1 gig. I have run the offline defrag/repairs (commands below) many many times, ran them over and over again for 9 hours this weekend, to no avail.  No errors are shown when I run these. I immediately hit the 16 gig limit today with 8.1 actual mail boxes.

eseutil /g G:Exchsrvrmdbdata1maildb1.edb /tf:1maildb1_temp.edb
eseutil /d G:Exchsrvrmdbdata1maildb1.edb /tf:1maildb1_temp.edb
isinteg -s servername -fix -l G:isinteg.pri -test alltests

Yes, I know 2000 is old. I am working on it. I have a full upgrade plan including new machines but email was not the first on the list. And I just can't get past seeing 8.1 gig of actual email but that maxes out the 16 gig??

I am not quite sure how to see what version of exchange 2000 I am, so if the recommendation is to patch it please advise me how to see the current version/patches.
System Manager says: Version 5.0 (build 2195, sp4).

Yes I do backup, I use Veritas and there are no .log files in mdbdata other than since my last backup.

Edit to add: I found the Exchange version: 6.0.6249, there appear to be 3 possible patches after my version but I was only able to find info on the patch for 6.0.6487 which appears to be a security issue patch. I am unsure if it is related to my problem.

Edit: I heard that having virus real protection on the mdb file etc could be a problem. We did recently move the database to a different drive with more space. Yesterday we turned off virus real protection on the mdbdata folder (discovered it was already off on the old database location). I believe this should then have allowed the online defrag to free up the actual available space. No go. Only 80 meg reported free at last night's online defrag. Tonight I will try and fully turn off realtime virus protection on the computer if possible.

Edit 2/14/07: Still no ideas anyone?? Turning off the virus protection after 2 nights is still NOT helping, and I will be very lucky if I can manage to end out the week with email running at the 17 gig limit. Space is simply NOT BEING FREED up. Each night the online defrag MAY report 10 meg free if I am lucky. I tried to fully turn off virus protection last night during the offline defrag, but the server apparently turned it back on as it was back on this morning. So tonight I will do more drastic measures to assure virus protection is NOT running at all.

PLEASE HELP if anyone has any suggestions.

My setup is as follows. I have three domain names, airmech.demon.co.uk and
giromax.co.uk. They are POP3 accounts, the mail goes into a catchall mailbox
on my ISP's servers. And airmechcompressedair.co.uk which has the MX record
pointing to our external IP address.

I have two Servers, connected via broadband. server1 is the gateway machine,
it has ISA Installed and VPOP3, VPOP3 handles the mail coming in, it dials
in to the relevant ISP's server and pulls the mail off, it is then set-up to
forward the mail (LAN FORWARDING) onto my second server. I don't think the
problem lies with my VPOP3 server.

My second server is the DC for the domain. It has Exchange 2000 installed.
This server has its SMTP service published via ISA so the domain
airmechcompressedair.co.uk can come into it. This set-up appeared fine. 2
days ago it had to be changed. The users were complaining that they weren't
receiving mail for their airmechcompressedair.co.uk domain. So I contacted
the ISP and asked them to set up a POP box for that domain, they said there
was already one, that I could use and it had been set up from the word go,
so all the missing emails were in there.

Fine I thought. I configured VPOP3 to download airmechcompressedair.co.uk
and forward it onto the exchange machine, and stopped publishing the
exchange server. Now everything has gone belly up.

I have had to move the mailbox store and the log files to a different disk,
as my C: drive was just filling up very quickly and the MTA kept falling
over. These moved over fine but my C: drive kept filling up. I then noticed
that the badmail folder was the culprit, so I moved it to the E: drive, using the option in the SMTP Default Server. I
have messed about with the configuration in Exchange and now I get no
messages in the badmail folder, in either E: or C:.

Yesterday I noticed in System Manager, there were a lot of messages in
queues under the default SMTP service. These have disappeared this morning,
but the MTA had fallen over. I checked disk space and there was about 2.5Gb
on C:. I started the MTA Service and the disks started rattling and the C:
drive was quickly filled up. I checked the folders
c:\progra~1\exchsrv\mailroot\vsi\badmail and queue and there were no files
in there. I stopped the MTA and the disk space was given back. I can't think
what the problem could be. I am quite new to Exchange 2000. I have all three
domains in a recipient policy called airmech, not in my default one. I have
set up the default SMTP service under protocols\SMTP to not allow relaying,
I haven't specified a postmaster.

under routing I have created an SMTP connector for outbound mail, it is not
set to forward onto a host but send directly via DNS. I can't help but think
its the MTA Service that is causing the problem but I no longer have any
idea where to look. I am tearing my hair out. Users have not been able to
send or receive email for at least two days now.

Thanks for any suggestions

Stuart

We started getting this after disaster recovery of E2K3 SP1 server. Our solution was dial-tone restore (sort of, see rest of message), but anyone have any experience with this specific error -2147221240 ? Not much turned up in search and MS had nothing in KB could find.

Also, exmerge is supposed to skip corrupted items when exporting to .pst, yes? Has this been case in practice?

We are doing the dial-tone restore using Henry Walther's articles and much, much thank you Henry. We are attempting it with a twist, though. We just did the first part -- creating the blank database -- and that seems to have fixed the 327 errors, which *we think* was due to a lot of corrupted mailboxes. We are now restoring the backup to the RSG. However, because we think the backup may also be corrupted due to the hardware issues we were having even though no errors reported on backup, we are not going to switch the databases. Instead, we are going to keep the clean, blank database as production, exmerge the RSG info into .pst files and not exmerge the resulting .pst files into the blank database but just let each user open the .pst and copy whatever they feel is crucial to keep.

Re: the corruption -- this may help someone else -- The reason we went to dial-tone restore is because after completing the DR due to hardware failure (we had to replace all drives in RAID array at once) using Veritas BackupExec 10.0 IDR, then restoring the last backup of Exchange databases made using Veritas Exchange Agent (the backups had no errors and the restore had no errors), the local delivery queue started filling up with messages. Not all messages, some went through -- we think after studying message tracking of the stuck emails vs emails that went through that those that did not have a recipient with a corrupted mailbox went thru while those that did have recipient with corrupted mailbox got stuck. And if the message also had other recipients, some got it but others (even if their mailbox was not corrupted) did not. The event logs had no errors (no errors with normal logging) and when we turned on diagnostic logging the only error we got was the 327 Exchange Store Driver "The following call : EcLocallyDeliverMsg to the store failed. Error code : -2147221240" Nothing in MS KB on that error code but googling turned up that it is MAPI_E_INVALID-OBJECT (we could not figure out whether that applied to our issue or where to look for answers if it did), and some posts by people who had traced this error to mailbox corruption and said the only solution they found was (1) if they could determine which mailboxes and these were few, delete/recreate mailbox or (2) if many mailboxes corrupt, create new blank database. Since we suspected quite a number of corrupted mailboxes and what if it was the store overall, we created new, blank database.

Joan

I have a user of Outlook 2003 who has a mailbox folder called "Sync Issues"
The Outlook e-mail account used is an exchange account. (Exchange 2003). We
think this folder showed up after installing Business Contact Manager. It was
loaded as a test and has since been un-installed. It seems that something
has been screwed up since its removal. The Sync Issues folder is constantly
filling up with error messages that all look exactly like the following and
when they are cranking they can show up at the rate of about one new message
per minute which quickly fills the folder etc.

Message:

Subject: Synchronization Log:
Importance: High

15:57:46 Synchronizer Version 11.0.8000
15:57:46 Synchronizing Mailbox 'User Name'
15:57:46 Synchronizing Hierarchy
15:57:47 Synchronizing server changes in folder 'Deleted Items'
15:57:47 Downloading from server 'EXV23.SPCollege.com'
15:57:47 Error synchronizing folder
15:57:47 [80040119-501-80040119-560]
15:57:47 The client operation failed.
15:57:47 Microsoft Exchange Server Information Store
15:57:47 For more information on this failure, click the URL below:
15:57:47
http://www.microsoft.com/support/prodredirect/outlook2000_us.asp?err=80040119-501-80040119-560
15:57:47 Done
15:57:47 Microsoft Exchange offline address book
15:57:47 Download successful

Does anyone know where these messages are coming from and how to stop them
from being generated.

Thanks for all your help,

Ralph Malph

Outlook 2007 SP2
Exchange 2007 SP1

I want to create a task with a formatted hyperlink in the body.

At
Set objDoc = objInsp.WordEditor
security boxes always pop up !!!!! Why????

This is the Code:
Private Sub CreateNewTaskWithHyperlink()
    Dim appOutLook As Outlook.Application
    Dim taskOutLook As Outlook.TaskItem
    Dim objInsp As Outlook.Inspector
    Dim objDoc As Word.Document
    Dim objSel As Word.Selection
    Dim strLink As String
    Dim strLinkText As String
    Dim olAnw As Object
    Dim docangebot As Word.Document
    Set docangebot = ActiveDocument
    'Only for test: fixed hyperlink
    strLink = "http://www.google.de"
    strLinkText = "Googeln"

    'Check whether Outlook is already running
    On Error Resume Next
    Set olAnw = GetObject(, "Outlook.Application")
    On Error GoTo ErrorToDo
    If olAnw Is Nothing Then
        'Outlook is not running: read its install path from the registry and start it
        Dim wshShell As Object
        Dim strPath As String
        Dim strOpen As String
        Const PATH = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\12.0\Outlook\InstallRoot\Path"
        Const APP = "Outlook.exe"
        Set wshShell = CreateObject("WScript.Shell")
        strPath = wshShell.RegRead(PATH)
        strOpen = strPath & APP
        Shell strOpen, vbMinimizedNoFocus
        Set wshShell = Nothing
    End If
    Set appOutLook = CreateObject("Outlook.Application")
    appOutLook.Session.Logon
    Set taskOutLook = appOutLook.CreateItem(olTaskItem)
    With taskOutLook
        .Subject = "Test hyperlink"
        .Importance = olImportanceNormal
        'Only for test: fixed date
        .DueDate = "01.03.2010"
        .StartDate = "01.03.2010"
        .ReminderTime = "01.03.2010" & " " & "08:00"
        .ReminderSet = True
        Set objInsp = .GetInspector
        ' ?????????
        Set objDoc = objInsp.WordEditor 'Programmatic Access Security Check
        'Insert the hyperlink at the current selection in the task body
        Set objSel = objDoc.Windows(1).Selection
        objDoc.Hyperlinks.Add objSel.Range, strLink, "", "", strLinkText, ""
        Set objSel = objDoc.Windows(1).Selection
        'Text before hyperlink
        With objSel
            .Collapse wdCollapseStart
            .InsertBefore "Das ist der Link zum "
        End With
        'Text after hyperlink
        Set objSel = objDoc.Windows(1).Selection
        With objSel
            .Collapse wdCollapseStart
            .MoveEnd WdUnits.wdStory, 1
            .Select
            .InsertAfter " Viel Spass! "
        End With
        .Importance = olImportanceHigh
        .Save
    End With
ErrorExit:
    Set taskOutLook = Nothing
    Set appOutLook = Nothing
    Exit Sub
ErrorToDo:
    Select Case Err.Number
        Case 13
            Resume ErrorExit
        Case 287
            Resume ErrorExit
        Case Else
            MsgBox Err.Number & ";" & Err.Description
    End Select
End Sub

Without WordEditor the code runs without security pop up:

Set appOutLook = CreateObject("Outlook.Application")
appOutLook.Session.Logon
Set taskOutLook = appOutLook.CreateItem(olTaskItem)
With taskOutLook
    .Subject = "Test hyperlink"
    .Importance = olImportanceNormal
    .DueDate = "01.03.2010"
    .StartDate = "01.03.2010"
    .ReminderTime = "01.03.2010" & " " & "08:00"
    .ReminderSet = True
    .Body = "Das ist der Link zum " & "http://www.google.at" & " Viel Spass!"
    .Importance = olImportanceHigh
    .Save
End With

Reinfried
