Recreate audit log mailbox in Exchange Server
How to recreate the audit log mailbox in Exchange Server? The audit log mailbox, also known as the AuditLog mailbox, is a system mailbox. You can find it in Active Directory Users and Computers (ADUC) or with PowerShell. It can happen that the mailbox is not available in AD. In this article, you will learn how to recreate the AuditLog mailbox in Exchange Server.
Before you start
If you have one or multiple Exchange Servers running in the organization, you only have one AuditLog mailbox present. It means that if you have Exchange Server 2016 running and you install Exchange Server 2019, you will not have two AuditLog system mailboxes.
Note: Exchange Server installation is smart enough to know that an AuditLog mailbox is available.
Sometimes an AuditLog mailbox can get corrupted or deleted. That’s when you want to recreate the AuditLog mailbox. I recommend checking the AuditLog mailbox with PowerShell rather than relying on whether it shows up in ADUC.
Get audit log mailbox
Run Exchange Management Shell as administrator. Make use of the Get-Mailbox -AuditLog cmdlet to find the audit log mailbox in Exchange Server. In our example, we do see the audit log mailbox.
[PS] C:\>Set-ADServerSettings -ViewEntireForest $true; Get-Mailbox -AuditLog | Format-Table Name, ServerName, Database, AdminDisplayVersion, ProhibitSendQuota
Name                                                ServerName Database AdminDisplayVersion         ProhibitSendQuota
----                                                ---------- -------- -------------------         -----------------
SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9} ex01-2016  DB01     Version 15.1 (Build 1979.3) 50 GB (53,687,091,200 bytes)
Keep in mind that there is only one audit log mailbox in an Exchange organization, even if you have multiple Exchange Servers running.
If you don’t see the audit log mailbox after running the cmdlet, it means that it can’t be found. This happens when the mailbox is not enabled or has been deleted.
Delete audit log mailbox
Go to ADUC and locate the mailbox. The default place is the Users container. If you can’t find it over there, use the search. Delete the system mailbox with the name SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9}.
If you prefer to remove the audit log mailbox with PowerShell, use the following cmdlet.
[PS] C:\>Set-ADServerSettings -ViewEntireForest $true; Get-Mailbox -AuditLog | Remove-Mailbox -AuditLog -Confirm:$false
Recreate audit log mailbox
Find the Exchange Server ISO file in your files. If you don’t have it, download Exchange Server ISO from the Microsoft website. After it’s finished downloading, mount the ISO.
Note: Always save the Exchange Server ISO files because Microsoft does not keep the ISO files available online if newer versions are released.
Find the drive letter the ISO is mounted to. In our example, it’s the (I:) drive.
Run Command Prompt as administrator and run the command I:\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /PrepareAD. It will recreate the missing audit log mailbox.
C:\>I:\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /PrepareAD
Microsoft Exchange Server 2016 Cumulative Update 16 Unattended Setup
Copying Files...
File copy complete. Setup will now collect additional information needed for installation.
Performing Microsoft Exchange Server Prerequisite Check
Prerequisite Analysis COMPLETED
Configuring Microsoft Exchange Server
Organization Preparation COMPLETED
The Exchange Server setup operation completed successfully.
Start ADUC and make sure that you click the refresh button in the toolbar. If that doesn’t work, close and start ADUC. Verify that the PrepareAD setup created the audit log mailbox in AD.
Run the cmdlet to check if the audit log mailbox shows up. The result is empty, but why is that? That’s because we have to enable the mailbox.
[PS] C:\>Set-ADServerSettings -ViewEntireForest $true; Get-Mailbox -AuditLog | Format-Table Name, ServerName, Database, AdminDisplayVersion, ProhibitSendQuota
In the next step, we will enable the audit log mailbox.
Enable audit log mailbox
With one cmdlet, we can enable the audit log mailbox.
[PS] C:\>Enable-Mailbox -Identity "SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9}" -AuditLog
Name                      Alias                ServerName ProhibitSendQuota
----                      -----                ---------- -----------------
SystemMailbox{8cc370d3... SystemMailbox{8cc... ex01-2016  50 GB (53,687,091,200 bytes)
It’s always good to verify after enabling the audit log mailbox.
[PS] C:\>Set-ADServerSettings -ViewEntireForest $true; Get-Mailbox -AuditLog | Format-Table Name, ServerName, Database, AdminDisplayVersion, ProhibitSendQuota
Name                                                ServerName Database AdminDisplayVersion         ProhibitSendQuota
----                                                ---------- -------- -------------------         -----------------
SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9} ex01-2016  DB01     Version 15.1 (Build 1979.3) 50 GB (53,687,091,200 bytes)
The AuditLog system mailbox is showing up. Everything is looking fantastic. Did this help you to recreate the AuditLog mailbox in Exchange Server?
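The checks from this article combined into one health check, as an added example that is not part of the original article. The function name Test-AuditLogMailbox is hypothetical; the script assumes it runs in Exchange Management Shell, and it also reads Get-AdminAuditLogConfig, which the article does not cover.

```powershell
# Added example: health check for the audit log mailbox. Run in Exchange Management Shell.
# Test-AuditLogMailbox is a hypothetical helper name, not an Exchange cmdlet.
function Test-AuditLogMailbox {
    [CmdletBinding()]
    param()

    # Search the whole forest, as the article's commands do.
    Set-ADServerSettings -ViewEntireForest $true

    # @() keeps the result an array whether zero, one or several mailboxes come back.
    $mailboxes = @(Get-Mailbox -AuditLog -ErrorAction SilentlyContinue)
    $config    = Get-AdminAuditLogConfig
    $findings  = New-Object 'System.Collections.Generic.List[string]'

    if ($mailboxes.Count -eq 0) {
        $findings.Add('No audit log mailbox returned: it is missing or not enabled.')
    }
    elseif ($mailboxes.Count -gt 1) {
        $findings.Add("Expected one audit log mailbox, found $($mailboxes.Count).")
    }

    foreach ($mbx in $mailboxes) {
        $dbName = "$($mbx.Database)"
        if ([string]::IsNullOrWhiteSpace($dbName)) {
            # Mailbox object exists but has no database (a ServerName may still be set).
            $findings.Add("$($mbx.Name) has no database (ServerName: $($mbx.ServerName)).")
        }
        elseif (-not (Get-MailboxDatabase -Identity $dbName -ErrorAction SilentlyContinue)) {
            $findings.Add("$($mbx.Name) points to database '$dbName', which was not found.")
        }
    }

    if (-not $config.AdminAuditLogEnabled) {
        $findings.Add('AdminAuditLogEnabled is False: admin cmdlet runs are not being logged.')
    }

    # One summary object: Healthy is True only when no finding was recorded.
    [pscustomobject]@{
        Healthy               = ($findings.Count -eq 0)
        Mailbox               = ($mailboxes | ForEach-Object { $_.Name }) -join ', '
        AdminAuditLogEnabled  = $config.AdminAuditLogEnabled
        AdminAuditLogAgeLimit = $config.AdminAuditLogAgeLimit
        Findings              = $findings.ToArray()
    }
}

Test-AuditLogMailbox | Format-List
```

A result with Healthy set to False and a non-empty Findings list is the signal to follow the recreate and enable steps above.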
Conclusion
You learned how to recreate the audit log mailbox in Exchange Server. Sometimes you see the audit log mailbox in ADUC, but it’s not working. That’s why it’s better to check the audit log mailbox with PowerShell. If it’s corrupted or missing, follow the steps to recreate the audit log mailbox. When done, remember to verify the audit log mailbox!
In addition to last post: in ADUC this account (SystemMailbox 8cc370d3…) is in CN=Users (not some Exchange OU), and it is disabled. It looks like a mess after migrating 2016 to 2019. I see some other SystemMailboxes there, also disabled: 1f05a927…, 2ce34405…, bb558c35…, d0e409a0…, e0dc1c29…
And again, everything works, so if there isn’t any danger around the corner I don’t know if I should touch it.
All the system mailboxes (including the SystemMailbox 8cc370d3…) should be in the CN=Users default container, and they are all disabled. The screenshot in the article confirms this.
Follow the article to recreate the audit log mailbox, and you should be good.
Hi.
I have Exchange 2019 here, and “get-mailbox -auditlog” returns a mailbox with missing database, so “WARNING: The object (…)SystemMailbox{8cc370d3(…) has been corrupted or isn’t compatible(…) following validation errors happened:
WARNING: Database is mandatory on UserMailbox.”
It doesn’t have database, but has a server name, which is old Exchange 2016 server (from before migration to 2019).
I didn’t notice any issues with Exchange. Should I recreate this auditlog mailbox anyway?
Follow the article to recreate the audit log mailbox, and you should be good.
If the server’s language settings are anything other than English US, the search won’t return any results: https://learn.microsoft.com/en-US/exchange/troubleshoot/compliance/search-adminauditlog-mailboxauditlog-return-no-result