Exchange 2007 OAB Generation fails with errors 9348 and 9109
The OAB generation process can fail when rebuilding an Offline Address Book if permissions on the Default Global Address List have been restricted or removed. When this happens you may see the following errors in the Windows Application log:
Event Type: Error
Event Source: MSExchangeSA
Event Category: OAL Generator
Event ID: 9384
Date: 2/1/2007
Time: 2:32:21 PM
User: N/A
Computer: OABGEN-SERVER
Description:
OALGen only supports alphanumeric and space characters on the offline address name. The offline address list is not going to be published.
- /o=First Organization/cn=addrlists/cn=oabs/cn=Default Offline Address Book
Event Type: Warning
Event Source: MSExchangeSA
Event Category: OAL Generator
Event ID: 9109
Date: 2/1/2007
Time: 2:32:21 PM
User: N/A
Computer: OABGEN-SERVER
Description:
OALGen encountered an error ffffffff (internal ID 50506c7) while generating address list '/o=First Organization/cn=addrlists/cn=oabs/cn=Default Offline Address Book'. Check other logged events to see if this is a serious error.
- /o=First Organization/cn=addrlists/cn=oabs/cn=Default Offline Address Book
The problem is that the OAB generation process needs to query Active Directory for the OAB object that is being built (object class msExchOAB), but cannot do so because of the permission problem. This matters because during OAB generation the System Attendant reads the legacyExchangeDN of that OAB and converts it to a GUID, and that GUID is used to name the OAB directory [\\ServerName\ExchangeOAB\<GUID OF OAB>].
Even though it cannot find the OAB object, the OAB generation process still continues to the point where it tries to create the local distribution point on disk [\\ServerName\ExchangeOAB] or [c:\program files\Microsoft\Microsoft Exchange\ExchangeOAB], and fails there because it has no GUID to name the directory with.
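Before touching any permissions it is worth confirming that this is what you are looking at. The following diagnostic script is an added example and is not part of the original post. It runs in the Exchange Management Shell on the OAB generation server and assumes the OAB is still called "Default Offline Address Book" and that the ExchangeOAB folder is under the default install path (both are assumptions; adjust $OabName and $OabRoot for your environment). It resolves the OAB and its GUID, checks whether the GUID-named distribution folder exists, lists the explicit ACEs on the Default GAL for the three principals OABGen depends on, and pulls the recent OAL Generator events from the Application log.

```powershell
# Added diagnostic example; not part of the original post. Run it in the
# Exchange Management Shell on the OAB generation server.
# Assumptions (adjust for your environment): the OAB is named
# "Default Offline Address Book" and ExchangeOAB is under the default install path.
$OabName = "Default Offline Address Book"
$OabRoot = "C:\Program Files\Microsoft\Microsoft Exchange\ExchangeOAB"

# 1. Resolve the OAB object. Get-OfflineAddressBook reports the GUID that
#    OABGen uses to name the distribution folder.
$oab = Get-OfflineAddressBook | Where-Object { $_.Name -eq $OabName }
if ($oab -eq $null) {
    Write-Host "OAB '$OabName' was not found in Active Directory"
    return
}
$guid = $oab.Guid.ToString()
Write-Host "OAB GUID          : $guid"
Write-Host "Generation server : $($oab.Server)"

# 2. The local distribution point is a folder named after that GUID. If it is
#    missing, OABGen never got far enough to create it.
$distPoint = Join-Path $OabRoot $guid
if (Test-Path $distPoint) {
    Write-Host "Distribution point present : $distPoint"
} else {
    Write-Host "Distribution point MISSING : $distPoint"
}

# 3. Explicit (non-inherited) ACEs on the Default GAL for the three principals
#    OABGen depends on, for comparison with the required list in the fix section.
$gal = Get-GlobalAddressList | Where-Object { $_.Name -eq "Default Global Address List" }
Get-ADPermission -Identity $gal.DistinguishedName |
    Where-Object { -not $_.IsInherited } |
    Where-Object { $_.User.ToString() -match '\\(Authenticated Users|Exchange Servers|SYSTEM)$' } |
    Format-Table User, Deny, AccessRights, ExtendedRights -AutoSize

# 4. Recent OAL Generator events (the 9109/9384 pair and any others) so they
#    can be correlated with the last generation run.
Get-EventLog -LogName Application -Newest 500 |
    Where-Object { $_.Source -eq "MSExchangeSA" -and $_.Category -eq "OAL Generator" } |
    Select-Object TimeGenerated, EventID, EntryType, Message |
    Format-List
```

The shell runs under your own account, not under SYSTEM, so step 1 succeeding does not prove that the System Attendant can read the object; the ACE listing in step 3 is what tells you whether SYSTEM, Exchange Servers and Authenticated Users still have their entries.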
How to fix this
Permissions on the Default Global Address List should be as follows:
- Authenticated Users, Allow ACEs: "Read", "Open Address List", "List Contents"
- Exchange Servers, Allow ACEs: "Read", "Open Address List"
- SYSTEM, Allow ACEs: "Read", "Write", "Create All Child Objects", "Delete All Child Objects", "Open Address List"
You can add these permissions from the Exchange Management Shell:
1. First set the container to the distinguished name of the Default Global Address List (the organization and domain components below are from a lab forest; adjust them to match yours): $container = "CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=Mix Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mix,DC=test,DC=lab"
2. Add the access rights for Authenticated Users by running the following command: Add-ADPermission $container -User "Authenticated Users" -AccessRights GenericRead, ListChildren -ExtendedRights Open-Address-Book
Once you run this command you will see the following output:
Identity              User                        Deny   Rights
\Default Global A...  Domain\Authenticated Users  False  Open-Address-Book
\Default Global A...  Domain\Authenticated Users  False  ReadProperty
\Default Global A...  Domain\Authenticated Users  False  ListObject, GenericExecute
\Default Global A...  Domain\Authenticated Users  False  ListChildren
3. Add the access rights for the Exchange Servers group by running the following command: Add-ADPermission $container -User "Exchange Servers" -AccessRights GenericRead -ExtendedRights Open-Address-Book
Identity              User                        Deny   Rights
\Default Global A...  Domain\Exchange Servers     False  Open-Address-Book
\Default Global A...  Domain\Exchange Servers     False  ReadProperty
\Default Global A...  Domain\Exchange Servers     False  ListObject, GenericExecute
4. Add the access rights for the System account by running the following command: Add-ADPermission $container -User System -AccessRights GenericAll
Identity              User                        Deny   Rights
\Default Global A...  NT AUTHORITY\SYSTEM         False
\Default Global A...  NT AUTHORITY\SYSTEM         False  CreateChild, DeleteChild
\Default Global A...  NT AUTHORITY\SYSTEM         False  Self, ReadProperty, WriteProperty
\Default Global A...  NT AUTHORITY\SYSTEM         False  DeleteTree, ListObject, Delete, GenericExecute, WriteDacl, WriteOwner
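The four steps above collected into one script that also checks its own result and kicks off a regeneration. This is an added example, not code from the original post. It looks up the Default GAL by name instead of hard-coding the lab DN, re-applies the three Add-ADPermission calls (they only add ACEs, so re-running is safe), then verifies that each principal ends up with the rights the output above shows and refuses to rebuild the OAB if anything is still missing. The required-rights table is derived from the Get-ADPermission output in steps 2 to 4; the OAB name, the Update-OfflineAddressBook call and the 60-second wait for the asynchronous OABGen run are my assumptions.

```powershell
# Added example; not part of the original post. Run in the Exchange Management
# Shell as an Exchange Organization Administrator.
# Assumptions: the Default GAL still has its default name, the OAB is
# "Default Offline Address Book", and 60 seconds is enough for OABGen to log.
$OabName = "Default Offline Address Book"

$gal = Get-GlobalAddressList | Where-Object { $_.Name -eq "Default Global Address List" }
if ($gal -eq $null) { throw "Default Global Address List not found" }
$container = $gal.DistinguishedName

# Steps 2-4 of the fix. Add-ADPermission never removes existing ACEs.
Add-ADPermission $container -User "Authenticated Users" -AccessRights GenericRead, ListChildren -ExtendedRights Open-Address-Book
Add-ADPermission $container -User "Exchange Servers"    -AccessRights GenericRead -ExtendedRights Open-Address-Book
Add-ADPermission $container -User System                -AccessRights GenericAll

# Rights each principal must hold afterwards, using the expanded names that
# Get-ADPermission reports (taken from the output shown in the post).
$required = @{
    "Authenticated Users" = "ReadProperty", "ListChildren", "Open-Address-Book"
    "Exchange Servers"    = "ReadProperty", "Open-Address-Book"
    "SYSTEM"              = "ReadProperty", "WriteProperty", "CreateChild", "DeleteChild"
}

$ok = $true
foreach ($name in $required.Keys) {
    # Every Allow ACE this principal has on the GAL, flattened to right names.
    $aces = Get-ADPermission -Identity $container |
        Where-Object { -not $_.Deny -and $_.User.ToString() -like "*\$name" }
    $have = @()
    foreach ($ace in $aces) {
        if ($ace.AccessRights -ne $null) {
            foreach ($r in $ace.AccessRights)   { $have += $r.ToString() }
        }
        if ($ace.ExtendedRights -ne $null) {
            foreach ($r in $ace.ExtendedRights) { $have += $r.ToString() }
        }
    }
    foreach ($want in $required[$name]) {
        if ($have -notcontains $want) {
            Write-Host "MISSING on '$name': $want"
            $ok = $false
        }
    }
}
if (-not $ok) { throw "GAL permissions are still incomplete; not rebuilding the OAB" }

# Force a rebuild and show only the OAL Generator events logged by this run.
$since = Get-Date
Update-OfflineAddressBook -Identity $OabName
Start-Sleep -Seconds 60   # OABGen runs asynchronously under the System Attendant
Get-EventLog -LogName Application -Newest 200 |
    Where-Object { $_.TimeGenerated -gt $since -and $_.Source -eq "MSExchangeSA" -and $_.Category -eq "OAL Generator" } |
    Select-Object TimeGenerated, EventID, EntryType, Message |
    Format-List
```

If the 9109/9384 pair is still logged after the permissions check passes, the GAL ACL is not the cause; as one of the comments below notes, a domain controller that has not replicated the change can produce exactly the same symptom, so check that the generation server's configuration domain controller has the new ACEs before digging further.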
Dave
Comments
Anonymous
February 03, 2007
Hi, thanks for this information. How can I set the permissions with the cmdlets? Cheers
Anonymous
February 03, 2007
I have updated the blog with the commands to add the permissions for all 3. :) Dave
Anonymous
March 15, 2007
I have the same problem, but this solution does not seem to work. The same errors appear in the application log after adding the rights to the GAL. My first problem was that an Outlook 2003 client was not able to log on to the mailbox role (in my case a CCR cluster). The creation of the MAPI profile got stuck; the name of the mailbox user could not be verified. This seems to be a GAL permission problem too. Do you have any ideas to solve this problem?
Anonymous
March 15, 2007
From the sounds of it you are unable to do a check names. Can you run the cmdlets and post your results here so I can see what the permissions look like?
Anonymous
March 16, 2007
I found the problem. It was a domain controller replication problem. Rebooted both DCs and now it works fine. THANKS A LOT