The following shows up sporadically for a couple of mailboxes that have been
deleted for a while now on Exchange 5.5 SP4, NT 4 SP 6a...
Event ID: 1023
Source: MSExchangeIS Private
Type: Failure Audit
Category: Logons
Description:
SOOHOSPS\ExchangeService was validated as /o=Sault Area
Hospitals/ou=SOOHOSPS/cn=Recipients/cn=InoculateIT but was unable to log on
to /O=SAULT AREA HOSPITALS/OU=SOOHOSPS/CN=RECIPIENTS/CN=ADMINSCH.
("ExchangeService" is the original NT install account that was created for
the Exchange box when it was first built).
At first I did a quick search on Technet and found articles like Q259578
Q196413 Q237481 but they don't really apply to our site. But then it hit me
(as you probably noticed) that AAAAAAGGGGHHHHH! InoculateIT is rearing it's
ugly head in that log message too. A mailbox called "InoculateIT" was set
up as a mailbox in Exchange with the "ExchangeService" account as the owner
(as per their instructions way back when...).
So what the heck is going on? My feeling is that the IncoulateIT Exchange
agent (rescanning all the mailboxes with every new signature update) cranks
its way thru all the mailboxes in the store until it tries to log onto these
deleted mailboxes and then it barfs. Where does this AV agent get it's
"list" of mailboxes to scan? Does it query the Exchange directory for a
list of mailboxes? Is Exchange messed up? Does Exchange think these 2
deleted mailboxes still exist for some reason? Does InoculateIT think these
2 deleted mailboxes still exist? Will Spiderman be able to climb to the
roof in time to save Perry White?
Other mailboxes have been deleted since the 2 in question and there doesn't
seem to be an issue with them. Yes - I could (should?) call CAI for some
assistance, but they'll blame it on Exchange anyway. Hey, this may actually
just be an Exchange issue and not the fault of the AV agent, but in anycase
I'd rather get some kind of response & real help in under 8 days. I hope
some of you poor (but wise) souls who may also have run (into) InoculateIT
on your exchange server at some point in your darker days can appreciate my
situation and maybe lend a bit of advice (other than trading in InocuateIT
or microwaving their CD's -- good advice but not an option for me right
now).
thanks
randy.
List Charter and FAQ at:
http://www.sunbelt-software.com/exchange_list_charter.htm
