Exchange Event 7024

Yesterday we had an issue where the Exchange information store would not start after a reboot. Our environment is Microsoft Exchange 2007 with all the update rollups installed, running on a Windows 2008 R2 VM. The issue started out as all attachments being stripped from users' emails. We tried to restart all Exchange and other services to try and resolve the problem, and the information store suddenly would not start. After a few hours of troubleshooting and finding no great information on Google, I tried disabling the McAfee Security for Exchange service, then rebooted the server, and the information store started right up. The specific error I got was:

The Microsoft Exchange Information Store service terminated with service-specific error %%-2147467259.

A repair of McAfee Security for Exchange resolved the issue with the McAfee product. I hope this helps someone out.

Restoring A Mailbox Using a Backup and Exchange Recovery Storage Group


My environment is Exchange 2007. I had a user whose Exchange folders all disappeared. We tried to restore the mailbox from Veeam and it gave some error about a Domain Controller or something like that; after speaking with Veeam, they told us we couldn’t restore it using their methods. I ended up going with the Exchange Recovery Group Method found here.

A helpful discussion about this is located here:

First I created a separate disk on the Exchange server because I didn’t have enough space on the hard drive that my Exchange install was located on (it was a VM so I just added a 200 GB drive to it). I assigned F:\ to it.

I restored the EDB and log files from my backup to “F:\First Storage Group” initially. I copy these later into the RSG.

Here are some helpful commands to run before you start, to see what your databases are named and what storage groups you have set up. If you’re not used to using PowerShell, these commands will help you out.

[PS] C:\Windows\system32>get-mailboxdatabase

Name              Server   StorageGroup         Recovery
----              ------   ------------         --------
Mailbox Database  FLEMAIL  First Storage Group  False
Mailbox Database  FLEMAIL  Recovery121013       True

[PS] C:\Windows\system32>get-storagegroup

Name                  Server   Replicated  Recovery
----                  ------   ----------  --------
Second Storage Group  FLEMAIL  None        False
First Storage Group   FLEMAIL  None        False
Recovery121013        FLEMAIL  None        True

If you look above, I called my recovery group “Recovery121013”, which I created in the steps below. My database is just the Exchange default, called “Mailbox Database”. If you’re wondering why there are 2, one is my current live Exchange database and the other is the one I created in the steps below, which is why it already says recovery. My email server is called “FLEMAIL”.

So to wrap it up, here are the parameters I’m going to enter into the commands below:

<Server_Name> = FLEMAIL
<path_to_logfiles> = F:\First Storage Group
<RSG_Name> = Recovery121013
<Database_Path> = F:\First Storage Group\RSG
<database_name> = Mailbox Database

Here are the steps I used to create the recovery group and database and then restore the mailbox:

  • First Create the RSG

Here’s the command syntax:

new-storagegroup -Server <Server_Name> -LogFolderPath <path_to_Logfiles> -Name <RSG_Name> -SystemFolderPath <Database_Path> -Recovery

Here’s the command I ran. I’m basically creating the Recovery Storage Group in a folder called RSG. The Recovery Storage Group is called Recovery121013.

new-storagegroup -Server FLEMAIL -LogFolderPath "F:\First Storage Group\RSG" -Name "Recovery121013" -SystemFolderPath "F:\First Storage Group\RSG" -Recovery

  • Now I copy my “Mailbox Database.EDB” file and all the log files into the RSG folder that it just created, located in “F:\First Storage Group”
  • Now I add a recovery database called “Mailbox Database” to the RSG using the following command.

Here’s the command syntax:

new-mailboxdatabase -mailboxdatabasetorecover <Database_Name> -storagegroup <Server_Name>\<RSG_Name> -EDBFilePath <Database_Path>

Here’s the command I ran:

new-mailboxdatabase -mailboxdatabasetorecover "Mailbox Database" -storagegroup FLEMAIL\Recovery121013 -EDBFilePath "F:\First Storage Group\RSG\Mailbox Database.edb"

  • The next step was to check to see if the database was in a clean shutdown state. I ran this command to check to see if it was and it was dirty so I had to clean it up.

eseutil -mh "F:\First Storage Group\RSG\Mailbox Database.edb"

  • Since it was in a dirty state I had to run the eseutil on it:

eseutil /r E00 /l "F:\First Storage Group\RSG" /d "F:\First Storage Group\RSG"

  • Now you set your recovery database to allow overwriting.

Here’s the syntax of the command:

set-mailboxdatabase -identity <Server_Name>\<RSG_Name>\<Database_Name> -AllowFileRestore:$True

Here’s the command I ran:

set-mailboxdatabase -identity "FLEMAIL\Recovery121013\Mailbox Database" -AllowFileRestore:$True

  • Now that you have a clean recovery database, you can mount it.

Here’s the syntax of the command:

mount-database -identity <Server_Name>\<RSG_Name>\<Database_Name>

Here’s the command I ran:

mount-database -identity "FLEMAIL\Recovery121013\Mailbox Database"

  • Next I create a user in the “live” Exchange called “john smith temp” and restore the mailbox there. You can actually restore it to the original mailbox or wherever you would like (see link at the beginning of this article for different options); for my purposes I used a temporary mailbox. It basically created a folder called “John Smith Temp” with all the user’s data within the mailbox by the same name.

NOTE: I ended up getting this error message: “Error occurred in the step: Moving messages. This mailbox exceeded the maximum number of corrupted items specified for this move mailbox operation”, so I had to add the BadItemLimit flag to the end of the command. I put 1000 just in case. After this it restored correctly.

Here’s the syntax:

Restore-Mailbox -RSGMailbox 'John Smith' -RSGDatabase 'RSG\Mailbox Database' -id 'Allison Brown' -TargetFolder 'JSmith Email'

Restore-Mailbox -RSGMailbox 'John Smith' -RSGDatabase 'Recovery121013\Mailbox Database' -id 'John Smith Temp' -TargetFolder 'JsmithTemp Email' -BadItemLimit 1000
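The clean/dirty check from the eseutil step above can be scripted so the mount is only attempted on a clean database. This is an added example, not part of the original post; the function names are hypothetical, the two header lines are a constructed sample, and it assumes the "State:" and "Log Required:" lines that eseutil /mh prints in its header dump.

```powershell
# Added example, not the author's code. Reads the header dump printed by
# "eseutil /mh" and returns the next command of the RSG procedure.
function Get-EseHeaderState {
    param([string[]]$HeaderLines)

    $state = $null
    $logRequired = $null
    foreach ($line in $HeaderLines) {
        if ($line -match '^\s*State:\s*(.+?)\s*$') {
            $state = $Matches[1]
        } elseif ($line -match '^\s*Log Required:\s*(.+?)\s*$') {
            $logRequired = $Matches[1]
        }
    }
    if (-not $state) {
        throw 'No "State:" line found; was this produced by eseutil /mh?'
    }
    New-Object PSObject -Property @{
        State       = $state
        IsClean     = ($state -eq 'Clean Shutdown')
        LogRequired = $logRequired
    }
}

function Get-NextRsgStep {
    param($Header, [string]$DbIdentity, [string]$RsgPath)
    if ($Header.IsClean) {
        return "mount-database -identity `"$DbIdentity`""
    }
    # Dirty: replay the logs first, then re-run eseutil /mh before mounting.
    return "eseutil /r E00 /l `"$RsgPath`" /d `"$RsgPath`"   # logs required: $($Header.LogRequired)"
}

# Constructed sample of the two header lines this check reads.
# Live use (assumption): $dump = & eseutil /mh 'F:\First Storage Group\RSG\Mailbox Database.edb'
$dump = @(
    '            State: Dirty Shutdown',
    '     Log Required: 8-8 (0x8-0x8)'
)

$header = Get-EseHeaderState -HeaderLines $dump
Get-NextRsgStep -Header $header `
    -DbIdentity 'FLEMAIL\Recovery121013\Mailbox Database' `
    -RsgPath 'F:\First Storage Group\RSG'
```

With the sample input the script prints the eseutil /r command rather than the mount command, because the header reports a dirty shutdown.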

I haven’t removed anything yet, but I believe these are the commands to remove the database and RSG after you’re done with it. Please do more research on this as I have not completed it.

Remove-MailboxDatabase -identity FLEMAIL\"Recovery Storage Group"\"Mailbox Database"

Remove-Storagegroup -identity FLEMAIL\"Recovery Storage Group"

Exchange 2007 Outlook anywhere RPC endpoint 6004 error


I was attempting to get Outlook Anywhere to work. My environment is Exchange 2007 SP3 with the latest rollup package (as of 2/27/13) running on W2K8R2. I am using a UCC certificate from GoDaddy with my external name “” and my Subject Alternative Names are;; etc…

This is a small environment so every Exchange role is installed on the same server.
The error pops up when I run the RPC over HTTP test at

and get an error on the following test:

Attempting to ping RPC endpoint 6004 (NSPI Proxy Interface) on server.

I checked a few things on this:
1. I made sure that the “valid ports” registry key in HKLM/Software/Microsoft/RPC/RpcProxy had the following:


2. I added my internal server name to my DNS hosts (I’m not sure if this made a difference). I’m going to remove it and test at a later time.

3. Following someone’s advice (and what I really think solved the problem), I edited the hosts file on the Exchange server and put in 2 entries ( is my internal IP address for my Exchange server) MYMXINTERNALSRVNAME

This seemed to solve the problem with that 6004 error. I believe it has something to do with an IPv6/IPv4 incompatibility problem with Outlook Anywhere/rpcoverhttp.

More info at:

IPSec does not start

On a Windows 2003 Server I had someone “clean” my registry of their old program for an upgrade that I couldn’t complete. All I had to do was wait until after hours and reboot the server. Well, when I went to reboot the server a lot of my services would not start, including Microsoft Exchange IS and Exchange MTA stacks (nightmare!!!). One of the things I noticed was that the first error to pop up in the event viewer was event ID 4292:

“The IPSec driver has entered Block mode. IPSec will discard all inbound and outbound TCP/IP network traffic that is not permitted by boot-time IPSec Policy exemptions.”

If I went to services.msc and tried to start the service manually, it would give me the error:

“Error 10048: only one usage of each socket address (protocol/network address/port) is normally permitted.”

First, as a temporary fix, you might try the following for the heck of it, which refers to it being caused by an MS update.

But if that doesn’t work, try to perform this KB article, which fixed my problem completely. Please note that you HAVE to reboot after this (I tried not rebooting and tried to just start the service and it didn’t resolve the problem). Before you delete the key that Microsoft instructs you to delete in the following article, you might want to right click and export it to a file just in case. As a disclaimer, I don’t take any responsibility for any registry corruption or errors.

Another thing I read was that you can disable the IPsec service and reboot the server, but that would be as a last resort. Good Luck.





Blacklist Dirtbags


What a bunch of dirtbags UCE Protect is, don’t use them ever as a blacklist provider and let them fade away. Here’s the scam they have, and yes it is a scam, they try to explain how it’s not a scam on their site… guess what… not true.

I run mail servers for a few legitimate companies. What happened was that an employee brought their personal computer and plugged it into our network. This computer was infected with a botnet or some sort of email sending virus. I fixed the problem by removing the computer from the network, then proceeded to submit and remove the client IP from multiple blacklists that we were legitimately listed on using debouncer. Every one of these sites (11 of them) removed my company within an hour to a day, which is an acceptable amount of time. These dirtbags at UCEPROTECT will make you pay $108 to remove you from the list or else you HAVE TO WAIT 7 DAYS. In terms of not being able to send email to companies because of one infraction over the course of 15 years, this is an eternity. This is not only unacceptable, but they’re the only blacklist that I see that uses this scumbag tactic. Of course I will not pay this; let’s call it what it is, ransom. Luckily our major clients and vendors don’t use this list so it’s not a huge problem.

Just wanted to put an alarm out there to not use them as a blacklist because of these scumbag practices. I could see this type of tactic if you repeatedly get on their list, but 7 days for a one-time infraction is flat out ridiculous and shady.