Exchange 2007 / 2010 Search for and Delete Emails Containing “yoursearchtext”

KB ID 0000343

Problem

You have a nasty email that contains a virus or some offensive content and you want to delete ALL instances of it.

Solution

1. Log on as the domain administrator > Open the Exchange Command Shell.

2. First grant the correct rights to the administrator account.

This gives the Administrator FULL rights to ALL mailbox’s

[box]Get-mailbox -Database “Mailbox Database”| add-mailboxpermission -user administrator -AccessRights FullAccess[/box]

Note: this assumes your mailbox database is called “Mailbox Database”.

3. Then locate and delete the emails containing “yoursearchtext”.

[box]Get-Mailbox -Database “Mailbox Database” | Export-Mailbox -SubjectKeywords “yoursearchtext” -DeleteContent[/box]

Note: If you are unable to use the export-mailbox command then see here

Related Articles, References, Credits, or External Links

NA

Exchange – Unable to Mount Stores (log file missing)

KB ID 0000348

Problem

Exchange fails to mount a database and complains, with an error like the one below when you try and mount it manually.

Error:
Mailed to mount database ‘ database name’
Error:
Exchange is unable to mount the database that you specified. Specified
database {your server name}{path to database}{database name}; Error code:
MapiExeptionCallFailed: Unable to mount database. (hr=0x80004005,
ec=1032)

You may also see the following errors in the event log,

Event ID 9518

Log Name: Application
Source: MSExchangeIS
Date: 04/11/2010 13:51:09
Event ID: 9518
Task Category: General
Level: Error
Keywords: Classic
User: N/A
Computer: servername.doaminname
Description:
Error 0xfffffbf8 starting Storage Group /DC=local/DC=hc/CN=Configuration/CN=Services/CN=Microsoft Exchange/CN=First Organization/CN=Administrative Groups/CN=Exchange Administrative Group (FYDIBOHF23SPDLT)/CN=Servers/CN=SERVERNAME/CN=InformationStore/CN=First Storage Group on the Microsoft Exchange Information Store.
Storage Group – Initialization of Jet failed.

Event ID 489

Log Name: Application
Source: ESE
Date: 04/11/2010 13:51:09
Event ID: 489
Task Category: General
Level: Error
Keywords: Classic
User: N/A
Computer: servername.domainname
Description:
MSExchangeIS (2476) First Storage Group: An attempt to open the file “C:Program FilesMicrosoftExchange ServerMailboxFirst Storage GroupMailbox Database.edb” for read only access failed with system error 32 (0x00000020): “The process cannot access the file because it is being used by another process. “. The open file operation will fail with error -1032 (0xfffffbf8).

Additionally if you have McAfee (and it caused the problem) you may also see,

Event ID 259

Log Name: Application
Source: McLogEvent
Date: 04/11/2010 13:45:33
Event ID: 259
Task Category: None
Level: Error
Keywords: Classic
User: SYSTEM
Computer: servername.domainname
Description:
The file C:Program FilesMicrosoftExchange ServerMailboxFirst Storage GroupE00.log�00074b5.js contains the JS/Redirector Trojan. Undetermined clean error, deleted successfully. Detected using Scan engine version 5400.1158 DAT version 6156.0000.

Solution

Essentially we are missing a log file and the database is not happy, in my case the AV software had quarantined the file and even restoring it didn’t fix the problem.

1. Before you proceed make sure that the folder that contains the log files, is NOT included in your AV scan in the future, to negate this happening again.

2. We need to repair the database, click start > run > cmd {enter}.

3. At command line, change directory to the exchange “bin” directory with the following command,

[box]
cd “C:Program filesMicrosoftExchange ServerBin”
[/box]

Note: Your “bin” directory may be elsewhere check the path.

4. MAKE SURE the drive has plenty of spare room – there needs to be 110% the size of the database FREE for this process to work. If that’s a problem you need to copy the database to a larger drive for this procedure.

Note: You can carry out the procedure on another drive, to run eseutil you need the following three files (eseutil.exe, ese.dll, and exchmem.dll)

5. Take a copy of the broken database and put it somewhere safe.

6. Execute the following command,

[box]
eseutil /d “C:{path to the database}{database name}”
[/box]

7. Depending on the size of the database this can take a little time. When complete it will say DONE.

8. Now locate the directory that has the log files in it, (it will be on the properties of the storage group – in this example you can scroll left and right to see the full path).

9. Copy all the log files to the same place you copied the database earlier. (Note: they will all start E00xxxxx in this case).

10. Remount the affected database.

 

Related Articles, References, Credits, or External Links

NA