Within Exchange, any Distribution Group(s) or E-mail enabled Security Group(s) which contain Lingering Links will impact the OAB (Offline Address Book) generation process causing it to not replicate correctly. While this issue has been around since AD started with Windows 2000, it is a fairly unknown issue and is related to how the OAB (Offline Address Book) Generation process functions.

A couple of options exist to fix this issue. You will either need to delete and recreate the impacted group(s), or re-host the Active Directory partition that contains the group(s) with Lingering Links.

What are Lingering Links?

Some understanding of what a ‘Link’ is in Active Directory might be good here:

Some inter-object references in the Active Directory require back-references for either usability or administrative purposes. For example, if managedBy is an object attribute, you can look at ObjectA and determine that ObjectA is managed by ObjectB. Likewise, it is sometimes helpful to be able to look at ObjectB and determine what objects ObjectB manages (the values of the managedObjects attribute for example). Active Directory maintains referential integrity between objects that reference each other so that when one object is moved in the directory tree, the reference between it and other objects is maintained. This referencing is accomplished through linked attributes.

Two attributes that are linked are marked in the schema as having the same link-pair identifier; one is marked as the forward link and the other as the back link. For example, in the managedBy / managedObjects link pair, managedBy is the forward link. Therefore, to adjust the managedObjects attribute on a user object, you must go to the objects that you want to add or remove from the user's managedObjects value and modify the managedBy value on each object. Back-link attributes are computed when they are requested by a user action.

To find all of the objects that ObjectB manages, links are examined for all records in which the link pair is managedBy / managedObjects and the back-link attribute identifies ObjectB. The link pairs of those records provide the database identifiers of all the records (objects) that are managed by ObjectB.

Distribution list membership is implemented both as a forward-link and as a back-link pair. The back-link objects would be the objects that store the isMemberOfDl attribute. The forward-link member attribute is a multivalued attribute, which allows a user to be a member of more than one distribution list. The back link must always be a multivalued link because it is impossible to restrict who creates links to various objects.

A Lingering Link is a backwards linked attribute that contains the DN (Distinguished Name) of an object that no longer exists in Active Directory. These problems result from Global Catalog servers (and the read-only partitions residing on GCs) not receiving sound replication from the writable Domain Controllers of the domains that are having an issue. This is why the GCs typically hold the broken Lingering Link value while the writable DCs are not necessarily experiencing the issue.
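The link-pair behaviour and the Lingering Link definition above can be modelled in a few lines. This is an added example, not code from the original post or from Active Directory itself; the DNs, the row layout and the function names are hypothetical, and the attribute names are the ones used in the text.

```python
from collections import defaultdict

# Constructed sample data; all DNs are hypothetical.
ANN = "CN=Ann,OU=Users,DC=contoso,DC=com"
BOB = "CN=Bob,OU=Users,DC=contoso,DC=com"   # deleted on the writable DCs
SALES = "CN=Sales DL,OU=Groups,DC=contoso,DC=com"
IT = "CN=IT DL,OU=Groups,DC=contoso,DC=com"

# Forward-link attribute -> its back-link partner (same link pair).
LINK_PAIRS = {"member": "isMemberOfDl", "managedBy": "managedObjects"}

# Link rows: (forward attribute, object holding the link, object it points to).
DC_LINKS = [("member", SALES, ANN), ("member", IT, ANN), ("managedBy", SALES, ANN)]
# The GC replica missed the removal of Bob and still holds his link row.
GC_LINKS = DC_LINKS + [("member", SALES, BOB)]
# Objects that still exist according to the writable DCs.
LIVE_OBJECTS = {ANN, SALES, IT}


def back_links(links, back_attr, target_dn):
    """Compute a back-link attribute on request from the forward-link rows."""
    forward = {back: fwd for fwd, back in LINK_PAIRS.items()}[back_attr]
    return sorted(src for attr, src, dst in links
                  if attr == forward and dst == target_dn)


def lingering_links(links, live_objects):
    """Map each holder DN to link values naming objects that no longer exist."""
    stale = defaultdict(list)
    for attr, src, dst in links:
        if dst not in live_objects:
            stale[src].append((attr, dst))
    return dict(stale)


if __name__ == "__main__":
    print("Ann isMemberOfDl:", back_links(DC_LINKS, "isMemberOfDl", ANN))
    print("Lingering on DC :", lingering_links(DC_LINKS, LIVE_OBJECTS))
    print("Lingering on GC :", lingering_links(GC_LINKS, LIVE_OBJECTS))
```

The same group is clean when checked against the writable DC's rows and flagged when checked against the GC's rows, which is the asymmetry the paragraph describes.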

Problem symptoms

The OAB Generation process uses a QueryRows function to return attribute values from Active Directory. If invalid data is returned, error events may be logged in the Application event log and the OABGen process will not complete.

Error events associated with this issue:

| Event Source | Event ID | Event String |
| --- | --- | --- |
| MSExchangeSA | 9126 | OALGen encountered error 8004010e while calculating the offline address list for address list '\Global Address List'. |
| MSExchangeSA | 9330 | OALGen encountered error 8004010e (internal ID 500139c) accessing Active Directory ContosoHUB03 for '\Global Address List'. |
| MSExchangeSA | 9339 | Active Directory ‘HubServer’ returned error 8004010e while generating the offline address list for '\Global Address List'. The last recipient returned by the Active Directory was 'UserName'. This offline address list will not be generated. |
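A triage sketch for the three events listed above, added here as an example and not part of the original post. It assumes the events have been exported as (event ID, message) pairs; the function name and the unrelated event 9999 are constructed for illustration.

```python
import re

# Event strings as quoted on this page, plus one constructed unrelated event.
SAMPLE_EVENTS = [
    (9126, "OALGen encountered error 8004010e while calculating the offline "
           "address list for address list '\\Global Address List'."),
    (9330, "OALGen encountered error 8004010e (internal ID 500139c) accessing "
           "Active Directory ContosoHUB03 for '\\Global Address List'."),
    (9339, "Active Directory \u2018HubServer\u2019 returned error 8004010e while "
           "generating the offline address list for '\\Global Address List'. "
           "The last recipient returned by the Active Directory was 'UserName'. "
           "This offline address list will not be generated."),
    (9999, "Constructed unrelated event; error 80004005."),
]

OAB_EVENT_IDS = {9126, 9330, 9339}
Q = "['\u2018\u2019]"  # event text may use straight or curly single quotes
RE_LIST = re.compile(rf"for (?:address list )?{Q}([^'\u2019]+){Q}")
RE_SERVER = re.compile(rf"accessing Active Directory (\S+) for"
                       rf"|Active Directory {Q}([^'\u2019]+){Q} returned")
RE_LAST = re.compile(
    rf"last recipient returned by the Active Directory was {Q}([^'\u2019]+){Q}")


def triage(events, error_code="8004010e"):
    """Group the OAB failure events by address list and collect the servers
    named in them and the last recipient the directory returned."""
    report = {}
    for event_id, message in events:
        if event_id not in OAB_EVENT_IDS or f"error {error_code}" not in message:
            continue
        address_list = RE_LIST.search(message)
        if not address_list:
            continue
        entry = report.setdefault(
            address_list.group(1),
            {"event_ids": set(), "servers": set(), "last_recipient": None})
        entry["event_ids"].add(event_id)
        server = RE_SERVER.search(message)
        if server:
            entry["servers"].add(server.group(1) or server.group(2))
        last = RE_LAST.search(message)
        if last:
            entry["last_recipient"] = last.group(1)
    return report
```

An address list whose entry carries all three event IDs matches the symptom set in the table, and the server names tell you which directory server to point OABValidate at.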

A recently published KB article written by Justin Turner is now available for additional detailed information about how lingering links apply to Exchange:

Exchange Offline Address Book (OAB) generation failures caused by Attributes containing stale or bad data: events 9126 9330 and 9339 with error 8004010e cited
http://support.microsoft.com/kb/2553698

Troubleshooting

Internally, Active Directory engineers periodically clean up Lingering Objects by using the repadmin command line tool, which is a fairly easy process. The Microsoft ADRAP (AD Risk Assessment Program, a service for our Premier customers) reports if you have any Lingering Objects in your Active Directory environment. While cleaning up Lingering Objects is a pretty well known process, Lingering Links are not easily identified from the AD side. There is, however, an Exchange tool that can identify Lingering Links: oabvalidate.exe (http://oabvalidate.codeplex.com/). The author of the tool (Bill Long) actively updates the tool on Codeplex. The OABValidate tool is small (under 800kb), runs against a specified DC, usually doesn’t take too long to run (depending on the number of objects in your AD environment), and will give you a listing of any groups that contain Lingering Links that need to be addressed.

What happens if Lingering Links are introduced to your environment after Exchange is installed and running? You will get OAB generation errors, which could indicate that you have Lingering Links that need to be addressed.

Mike O’Neill