Dgoldman's WebLog

The daily adventures of an Escalation Engineer

Exchange 2007 OAB Generation fails with errors 9348 and 9109

The OAB generation process can fail while rebuilding an Offline Address List if the permissions on the Default Global Address List have been restricted or removed. When this happens, you may see the following errors in the Windows Application log:

Event Type: Error
Event Source: MSExchangeSA
Event Category: OAL Generator
Event ID: 9384
Date:  2/1/2007
Time:  2:32:21 PM
User:  N/A
Computer: OABGEN-SERVER
Description:
OALGen only supports alphanumeric and space characters on the offline address name. The offline address list is not going to be published.
- /o=First Organization/cn=addrlists/cn=oabs/cn=Default Offline Address Book

Event Type: Warning
Event Source: MSExchangeSA
Event Category: OAL Generator
Event ID: 9109
Date:  2/1/2007
Time:  2:32:21 PM
User:  N/A
Computer: OABGEN-SERVER
Description:
OALGen encountered an error ffffffff (internal ID 50506c7) while generating address list '/o=First Organization/cn=addrlists/cn=oabs/cn='Default Offline Address Book.  Check' other logged events to see if this is a serious error.
- /o=First Organization/cn=addrlists/cn=oabs/cn=Default Offline Address Book

The problem is that the OAB generation process needs to query Active Directory to find the OAB object that is being built (an object of class msExchOAB), but it cannot do so because of the permission problem. This matters because, during OAB generation, the System Attendant reads the legacyExchangeDN of that OAB and converts it to a GUID, and that GUID is used to name the OAB directory [\\ServerName\ExchangeOAB\<GUID OF OAB>].

Even though the OAB object cannot be found, the OAB generation process still continues to the point where it tries to create the local distribution point on disk [\\ServerName\ExchangeOAB] or [c:\program files\Microsoft\Microsoft Exchange\ExchangeOAB], and it fails there because it does not have the GUID.

How to fix this

All Global Address List permissions should be as follows:

  • Authenticated Users Allow ACEs - "Read", "Open Address List", "List Contents"
  • Exchange Servers Allow ACEs - "Read", "Open Address List"
  • SYSTEM Allow ACEs - "Read", "Write", "Create All Child Objects", "Delete All Child Objects", "Open Address List"

You can add these permissions using the Exchange Scripting Console:

1. First you need to set the container by typing the following: $container = "CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=Mix Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mix,DC=test,DC=lab"

2. You need to add the access rights for the Authenticated Users by running the following command: Add-ADPermission $container -User "Authenticated Users" -AccessRights GenericRead, ListChildren -ExtendedRights Open-Address-Book

Once you run this command you will see the following output:

Identity                   User                            Deny  Rights
\Default Global A... Domain\Authenticated  Users False Open-Address-Book
\Default Global A... Domain\Authenticated  False ReadProperty
\Default Global A... Domain\Authenticated  False ListObject, GenericExecute
\Default Global A... Domain\Authenticated  False ListChildren

3. You need to add the access rights for the Exchange Servers Group by running the following command: Add-ADPermission $container -User "Exchange Servers" -AccessRights GenericRead -ExtendedRights Open-Address-Book

Identity                   User                                  Deny  Rights
\Default Global A... Domain\Exchange Servers  False Open-Address-Book
\Default Global A... Domain\Exchange Servers  False ReadProperty
\Default Global A... Domain\Exchange Servers  False ListObject, GenericExecute

4. You need to add the access rights for the System account by running the following command: Add-ADPermission $container -User System -AccessRights GenericAll

Identity                   User                              Deny  Rights
\Default Global A... NT AUTHORITY\SYSTEM  False
\Default Global A... NT AUTHORITY\SYSTEM  False CreateChild, DeleteChild
\Default Global A... NT AUTHORITY\SYSTEM  False Self, ReadProperty, WriteProperty
\Default Global A... NT AUTHORITY\SYSTEM  False DeleteTree, ListObject, Delete, Generic Execute, WriteDacl, WriteOwner
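As an added example that is not code from the original post, the following script combines steps 1 to 4: it resolves the Default GAL's distinguished name from the directory instead of typing it, warns about any explicit Deny ACEs (which take precedence over the Allow ACEs being added), applies the three ACE sets, and lists the result for comparison with the output above. It assumes the Exchange 2007 Exchange Management Shell, that Get-GlobalAddressList exposes a DistinguishedName property, and that Get-ADPermission accepts -User.

```powershell
# Added example (not from the original post): audit the Default Global Address List
# ACL and re-apply the three Allow ACE sets listed above. Assumes the Exchange 2007
# cmdlets Get-GlobalAddressList, Get-ADPermission and Add-ADPermission; the GAL
# name below is the default one and may differ in a customised organization.

# Resolve the container DN from the directory instead of typing it by hand, so the
# organization and domain components of the DN cannot be mistyped.
$gal = Get-GlobalAddressList -Identity "Default Global Address List"
$container = $gal.DistinguishedName

# An explicit Deny ACE takes precedence over an Allow ACE, so adding the Allow
# ACEs below will not help until any Deny on the GAL has been reviewed.
$denies = Get-ADPermission -Identity $container | Where-Object { $_.Deny -and -not $_.IsInherited }
if ($denies) {
    Write-Warning "Explicit Deny ACEs found on $container; review these first:"
    $denies | Format-Table User, AccessRights, ExtendedRights -AutoSize
}

# The three Allow ACE sets from steps 2 to 4. "System" resolves to NT AUTHORITY\SYSTEM.
Add-ADPermission -Identity $container -User "Authenticated Users" `
    -AccessRights GenericRead, ListChildren -ExtendedRights Open-Address-Book | Out-Null
Add-ADPermission -Identity $container -User "Exchange Servers" `
    -AccessRights GenericRead -ExtendedRights Open-Address-Book | Out-Null
Add-ADPermission -Identity $container -User "System" -AccessRights GenericAll | Out-Null

# Verify: list the explicit (non-inherited) ACEs for each principal so the result
# can be compared with the expected output shown in steps 2 to 4.
foreach ($principal in "Authenticated Users", "Exchange Servers", "System") {
    Write-Host "--- $principal ---"
    Get-ADPermission -Identity $container -User $principal |
        Where-Object { -not $_.IsInherited } |
        Format-Table User, Deny, AccessRights, ExtendedRights -AutoSize
}
```

After the script finishes, restart OAB generation (for example by updating the offline address book) and confirm that events 9384 and 9109 no longer appear in the Application log.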

Dave

Comments
  • Hi

    Thanks for this information.

    How can I set the permission with the CMDLet's?

    Cheers

  • I have updated the blog with the commands to add the permissions for all 3. :)

    Dave

  • I have the same problem, but this solution seems not to work. The same errors appear in the application log after adding the rights to the GAL.

    My first problem was that an Outlook 2003 client was not able to log on to the mailbox role (in my case a CCR cluster). The creation of the MAPI profile got stuck. The name of the mailbox user could not be verified.

    This seems to be a GAL permission problem too.

    Do you have any ideas to solve this problem?

  • From the sounds of it you are unable to do a Check Names. Can you run the cmdlets and post your results here so I can see what the permissions look like?

  • I found the problem. It was a domain controller replication problem. Rebooted both DCs and now it works fine.

    THANKS A LOT