Exchange 2007 : Indexing and searching mailboxes

The Exchange 2007 search engine is much improved over the index/search engines that were available in Exchange 2000/2003. The new search is less resource-hungry, fast, searches inside attachments, and is enabled out of the box.

Enable/Disable search

To enable or disable Exchange search, open the Exchange Management Shell.

Run the following command to see if search is enabled on a specific mailbox :
Test-ExchangeSearch

or create a list of mailbox databases that are search-enabled :
Get-MailBoxDatabase | select name, indexenabled

To enable search on a mailbox database, run :
Set-MailboxDatabase "Server\Database" -IndexEnabled:$true

To disable search on a mailbox database, run :
Set-MailboxDatabase "Server\Database" -IndexEnabled:$false

To disable search on the entire server, you need to stop the Search Indexer service :
net stop "Microsoft Exchange Search Indexer"

Keep in mind : if you run Outlook 2007 in cached mode, Exchange Search or Store search is not available. The entire search is then handled by the Windows Desktop search. In Outlook 2003, the client does a linear scan of every message.

Test if search works

There’s a neat PowerShell command that allows you to test if search/index works as anticipated. By default, the search timeout is set to 60 seconds, but in reality you should get results in less than 10 seconds. You could therefore speed up the test by setting the timeout to 20 seconds or so, which lets a script test a larger chunk of mailboxes in less time. Use the following command to run a test on all mailboxes on your server :

Get-Mailbox | Test-ExchangeSearch -IndexingTimeout 20 | Format-Table

You’ll see a green box in your powershell window, showing the progress of the TestSearch process :

When "ResultFound" returns "False" and the SearchTime field says -1, then search isn’t working for that mailbox.

Pay attention to any (other) errors when running this command. They should give you more background info as to why the search doesn’t work for a certain mailbox.

If you have multiple Mailbox Databases, you can use the following script to restrict the test to only a certain mailbox database:

Get-MailboxDatabase "Server\Database" | Get-Mailbox | Test-ExchangeSearch -IndexingTimeout 20 | Format-Table

My Exchange server is called "Apollo" and the Mailbox Database is called "Mailbox database", so in my case those are the values that replace "Server\Database" in the command above.

What if search doesn’t work ?

Outlook Web Access : if you get a message stating that "results will take a long time to appear because Microsoft Exchange Search is unavailable. Results will not include matches in the e-mail body", then you might have a corrupted index. Sometimes, when you migrate (or create) mailboxes, the initial index crawl results in a corrupted index. Use the powershell command to run a search test on each mailbox (as explained earlier in this post). Look at the "ResultFound" column, and at the SearchTime. You should see a problem for the user who reported the problem.

Search indexes are not stored in Exchange databases. The search index data for a specific mailbox database is stored in a directory in the same location as the database files. The directory name follows the convention CatalogData-<GUID>-<GUID>, where the first GUID is the GUID of the database and the second is the Instance GUID, which is used in the clustered scenario to distinguish between the nodes. The following is an example folder name :

CatalogData-b56624f3-bf19-4463-926f-d4705ac3dd08-cc64dd2d-2428-4f12-bba2-79d6d34c4d27

The typical path for the .edb files and the CatalogData directory is C:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group\.

The search index can become unsynchronized with the database after a recovery if transaction log files are played into the recovered database. The Exchange search engine does not read the played log files into the search index. I’ve also seen instances where the index got corrupted during or after moving the mailbox from a 2003 server to a 2007 server. In these situations, you should rebuild the search index catalog.

Follow this procedure to rebuild the search index catalog:

  • Stop the Microsoft Exchange Search Service
  • Remove the old catalog (use the "GetSearchIndexForDatabase -all" PowerShell command to check that you are removing the right catalog)
  • Restart the Microsoft Exchange Search Service.

You can also rebuild the full-text index catalog using the following PowerShell command : ResetSearchIndex.ps1 [-force] databasename (or ResetSearchIndex -Force -All if you want to run it on all mailboxes)

[PS] C:\>Get-Mailboxdatabase

Name              Server  StorageGroup         Recovery
----              ------  ------------         --------
Mailbox Database  APOLLO  First Storage Group  False

[PS] C:\>ResetSearchIndex.ps1 "Mailbox Database"
WARNING: Waiting for service ‘Microsoft Exchange Search Indexer (MSExchangeSearch)’ to finish stopping…
WARNING: Waiting for service ‘Microsoft Exchange Search Indexer (MSExchangeSearch)’ to finish stopping…
WARNING: Waiting for service ‘Microsoft Exchange Search Indexer (MSExchangeSearch)’ to finish stopping…
MSExchangeSearch service stopped
removing: D:\Exchange Server\Mailbox\First Storage Group\CatalogData-fb802b8a-fd2a-4da2-9dc5-7dc41c398409-cc64dd2d-2428-4f12-bba2-79d6d34c4d27

 Confirm
Are you sure you want to perform this action?
Performing operation "Remove Directory" on Target "D:\Exchange Server\Mailbox\First Storage Group\CatalogData-fb802b8a-fd2a-4da2-9dc5-7dc41c398409-cc64dd2d-2428-4f12-bba2-79d6d34c4d27".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help
(default is "Y"):A

MSExchangeSearch service Started

    

Note : You can use the ResetSearchIndex.ps1 -all parameter to remove the index on all mailboxes.

Now run the Test-ExchangeSearch command again and see if your search problems have been solved.
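
The check-then-rebuild workflow above can be scripted so that you only see the mailboxes that fail and the catalog directory a rebuild would remove. This is an added example, not part of the original post; the "Server\Database" value and the 20-second timeout are assumptions taken from the placeholders used earlier, and it is written to stay compatible with the PowerShell 1.0 shell that ships with Exchange 2007.

```powershell
# Added example (not from the original post). Run in the Exchange Management
# Shell on the mailbox server itself, because the catalog path is a local path.
$Database       = "Server\Database"   # assumed placeholder, same form as in the post
$TimeoutSeconds = 20                  # assumed value, the post suggests 20 or so

$failed = @()
$tested = 0
foreach ($mbx in @(Get-Mailbox -Database $Database -ResultSize Unlimited)) {
    $tested++
    $result = $mbx | Test-ExchangeSearch -IndexingTimeout $TimeoutSeconds -ErrorAction SilentlyContinue

    # A failure is: no result object at all (the cmdlet errored out),
    # ResultFound = False, or SearchTime = -1, as described in the post.
    if (-not $result -or -not $result.ResultFound -or $result.SearchTime -eq -1) {
        $row = New-Object PSObject
        $row | Add-Member NoteProperty Mailbox     $mbx.Name
        $row | Add-Member NoteProperty ResultFound $(if ($result) { $result.ResultFound } else { "n/a" })
        $row | Add-Member NoteProperty SearchTime  $(if ($result) { $result.SearchTime }  else { "n/a" })
        $failed += $row
    }
}

Write-Host "$($failed.Count) of $tested mailboxes failed the search test"
$failed | Format-Table -AutoSize | Out-Host

if ($failed.Count -gt 0) {
    # The catalog lives next to the .edb file and is named
    # CatalogData-<database GUID>-<instance GUID>.
    $db    = Get-MailboxDatabase $Database
    # Relies on EdbFilePath rendering as the file path when converted to a string.
    $dbDir = Split-Path -Parent "$($db.EdbFilePath)"

    Write-Host "Catalog directory for database GUID $($db.Guid):"
    Get-ChildItem -Path $dbDir -Filter "CatalogData-$($db.Guid)-*" |
        Where-Object { $_.PSIsContainer } |
        Format-List FullName, LastWriteTime | Out-Host
}
```

Nothing in this script stops a service or deletes a directory; the rebuild itself is still done with ResetSearchIndex.ps1 as shown above.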

    

Tip : see status of your Mailbox Database :

[PS] C:\>Get-MailboxDatabase -status | format-list

JournalRecipient :
MailboxRetention : 30.00:00:00
OfflineAddressBook : \Default Offline Address List
OriginalDatabase :
PublicFolderDatabase : APOLLO\Second Storage Group\Public Folder Database
ProhibitSendReceiveQuota : 2355MB
Recovery : False
ProhibitSendQuota : 2GB
IndexEnabled : True
AdministrativeGroup : Exchange Administrative Group (FYDIBOHF23SPDLT)
AllowFileRestore : False
BackupInProgress : False
CopyEdbFilePath :

DatabaseCreated : True
Description :
EdbFilePath : D:\Exchange Server\Mailbox\First Storage Group\Mailbox Database.edb
ExchangeLegacyDN : /o=Mieke en Peter/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=APOLLO/cn=Microsoft Private MDB
HasLocalCopy : False

DeletedItemRetention : 14.00:00:00
LastFullBackup : 19/09/2007 3:03:30
LastIncrementalBackup :
MaintenanceSchedule : {zo.1:00-zo.5:00, ma.1:00-ma.5:00, di.1:00-di.5:00, wo.1:00-wo.5:00, do.1:00-do.5:00, vr.1:00-vr.5:00, za.1:00-za.5:00}
MountAtStartup : True
Mounted : True
Organization : Mieke en Peter
QuotaNotificationSchedule : {zo.1:00-zo.1:15, ma.1:00-ma.1:15, di.1:00-di.1:15, wo.1:00-wo.1:15, do.1:00-do.1:15, vr.1:00-vr.1:15, za.1:00-za.1:15}
RetainDeletedItemsUntilBackup : False
Server : APOLLO
ServerName : APOLLO
StorageGroup : APOLLO\First Storage Group
StorageGroupName : First Storage Group
IssueWarningQuota : 1945MB
EventHistoryRetentionPeriod : 7.00:00:00
Name : Mailbox Database
MinAdminVersion : -2147453113
AdminDisplayName : Mailbox Database
ExchangeVersion : 0.1 (8.0.535.0)
DistinguishedName : CN=Mailbox Database,CN=First Storage Group,CN=InformationStore,CN=APOLLO,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Mieke en Peter,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=corelan,DC=be
Identity : APOLLO\First Storage Group\Mailbox Database
Guid : fb802b8a-fd2a-4da2-9dc5-7dc41c398409
ObjectCategory : corelan.be/Configuration/Schema/ms-Exch-Private-MDB
ObjectClass : {top, msExchMDB, msExchPrivateMDB}
WhenChanged : 11/09/2007 20:11:58
WhenCreated : 11/09/2007 20:10:37
OriginatingServer : venus.corelan.be
IsValid : True

    

      

Links :
http://www.exchangeninjas.com/ExchangeSearchFAQ
http://technet.microsoft.com/en-us/library/aa995966.aspx

© 2007 – 2021, Peter Van Eeckhoutte (corelanc0d3r). All rights reserved.
