Recreate audit log mailbox in Exchange Server

How to recreate the audit log mailbox in Exchange Server? The audit log mailbox, also known as AuditLog mailbox, is a system mailbox. You can find it in Active Directory Users and Computers (ADUC) or with PowerShell. It can happen that the mailbox is not available in AD. In this article, you will learn how to recreate AuditLog mailbox in Exchange Server.

Table of contents

Before you start

If you have one or multiple Exchange Servers running in the organization, you only have one AuditLog mailbox present. It means that if you have Exchange Server 2016 running and you install Exchange Server 2019, you will not have two AuditLog system mailboxes.

Note: Exchange Server installation is smart enough to know that an AuditLog mailbox is available.

Sometimes an AuditLog mailbox can get corrupted or deleted. That’s when you want to recreate the AuditLog mailbox. I recommend checking the AuditLog mailbox with PowerShell instead of looking in ADUC if it’s shown.

Read more: Move audit log mailbox in Exchange Server »

Get audit log mailbox

Run Exchange Management Shell as administrator. Make use of the Get-Mailbox -AuditLog cmdlet to find the audit log mailbox in Exchange Server. In our example, we do see the audit log mailbox.

[PS] C:\>Set-ADServerSettings -ViewEntireForest $true; Get-Mailbox -AuditLog | Format-Table Name, ServerName, Database, AdminDisplayVersion, ProhibitSendQuota

Name                                                ServerName Database AdminDisplayVersion         ProhibitSendQuota
----                                                ---------- -------- -------------------         -----------------
SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9} ex01-2016  DB01     Version 15.1 (Build 1979.3) 50 GB (53,687,091,200 bytes)

Good to know is that there is only one audit log mailbox in an Exchange Organization. That’s even if you have multiple Exchange Servers running.

If you don’t see the audit log mailbox after running the cmdlet, it means that it can’t be found. This is when the mailbox is not enabled or deleted.

Delete audit log mailbox

Go to ADUC and locate the mailbox. The default place is the Users container. If you can’t find it over there, use the search. Delete the system mailbox with the name SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9}.

Recreate audit log mailbox in Exchange Server delete auditlog mailbox

If you like to remove the audit log mailbox with PowerShell, use the following cmdlet.

[PS] C:\>Set-ADServerSettings -ViewEntireForest $true; Get-Mailbox -AuditLog | Remove-Mailbox -AuditLog -Confirm:$false

Recreate audit log mailbox

Find the Exchange Server ISO file in your files. If you don’t have it, download Exchange Server ISO from the Microsoft website. After it’s finished downloading, mount the ISO.

Recreate audit log mailbox in Exchange Server mount Exchange ISO

Note: Always save the Exchange Server ISO files because Microsoft does not keep the ISO files available online if newer versions are released.

Find to which drive letter the ISO is mounted. In our example, it’s the (I:) drive.

Recreate audit log mailbox in Exchange Server check drive letter

Run Command Prompt as administrator and run the command I:\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /PrepareAD. It will recreate the missing audit log mailbox.

C:\>I:\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /PrepareAD

Microsoft Exchange Server 2016 Cumulative Update 16 Unattended Setup

Copying Files...
File copy complete. Setup will now collect additional information needed for installation.


Performing Microsoft Exchange Server Prerequisite Check

    Prerequisite Analysis                                                                             COMPLETED

Configuring Microsoft Exchange Server

    Organization Preparation                                                                          COMPLETED

The Exchange Server setup operation completed successfully.

Start ADUC and make sure that you click the refresh button in the toolbar. If that doesn’t work, close and start ADUC. Verify that the PrepareAD setup created the audit log mailbox in AD.

Recreate audit log mailbox in Exchange Server check recreated auditlog mailbox

Run the cmdlet to check if the audit log mailbox shows up. The result is empty, but why is that? That’s because we have to enable the mailboxes.

[PS] C:\>Set-ADServerSettings -ViewEntireForest $true; Get-Mailbox -AuditLog | Format-Table Name, ServerName, Database, AdminDisplayVersion, ProhibitSendQuota

In the next step, we will enable the audit log mailbox.

Enable audit log mailbox

With one cmdlet, we can enable the audit log mailbox.

[PS] C:\>Enable-Mailbox -Identity "SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9}" -AuditLog

Name                      Alias                ServerName       ProhibitSendQuota
----                      -----                ----------       -----------------
SystemMailbox{8cc370d3... SystemMailbox{8cc... ex01-2016        50 GB (53,687,091,200 bytes)

It’s always good to verify after enabling the audit log mailbox.

[PS] C:\>Set-ADServerSettings -ViewEntireForest $true; Get-Mailbox -AuditLog | Format-Table Name, ServerName, Database, AdminDisplayVersion, ProhibitSendQuota

Name                                                ServerName Database AdminDisplayVersion         ProhibitSendQuota
----                                                ---------- -------- -------------------         -----------------
SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9} ex01-2016  DB01     Version 15.1 (Build 1979.3) 50 GB (53,687,091,200 bytes)

AuditLog SystemMailbox is showing up. Everything is looking fantastic. Did this help you to recreate AuditLog mailbox in Exchange Server?

Keep reading: Recreate arbitration mailboxes in Exchange Server »

Conclusion

You learned how to recreate audit log mailbox in Exchange Server. Sometimes you see the audit log mailbox in ADUC, but it’s not working. That’s why it’s better to check the audit log mailbox with PowerShell. If it’s corrupted or missing, follow the steps to recreate the audit log mailbox. When done, remember to verify the audit log mailbox!

Did you enjoy this article? You may also like Create mailbox database in Exchange Server. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

X TwitterLinkedIn

What Others Are Reading

This Post Has 5 Comments

  1. In addition to last post: in ADUC this account (SystemMailbox 8cc370d3…) is in CN=Users (not some Exchange OU), and it is disabled. It looks like a mess after migrating 2016 to 2019. I see some other SystemMailboxes there, also disabled: 1f05a927…, 2ce34405…, bb558c35…, d0e409a0…, e0dc1c29…
    And again, everything works, so if there isn’t any danger around the corner I don’t know if I should touch it.

    Reply

    1. All the system mailboxes (including the SystemMailbox 8cc370d3…) should be in the CN=Users default container, and they are all disabled. The screenshot in the article confirms this.

      Follow the article to recreate the audit log mailbox, and you should be good.

      Reply

  2. Hi.
    I have Exchange 2019 here, and “get-mailbox -auditlog” returns a mailbox with missing database, so “WARNING: The object (…)SystemMailbox{8cc370d3(…) has been corrupted or isn’t compatible(…) following validation errors happened:
    WARNING: Database is mandatory on UserMailbox.”
    It doesn’t have database, but has a server name, which is old Exchange 2016 server (from before migration to 2019).
    I didn’t noticed any issues with Exchange. Should I recreate this auditlog mailbox anyway?

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *