Quarantine Mailboxes


Mailboxes are quarantined when they affect the availability of the mailbox database. When the Exchange Store tags a mailbox as quarantined in the registry, the user cannot access the mailbox. It's important to find and fix the underlying cause of the mailbox corruption. Mailboxes are automatically released from quarantine once they have been quarantined for longer than the quarantine duration. The quarantine duration is 6 hours in Exchange 2010 and 24 hours in Exchange 2013. The QuarantineState and QuarantineTime registry keys are used to keep track of the quarantine status. If the mailbox does not cause further issues, the registry will be cleaned up.


Fixing the corrupted mailbox

Use the New-MailboxRepairRequest cmdlet to detect and fix mailbox corruption. See the syntax below:

New-MailboxRepairRequest -Mailbox testmbox -CorruptionType ProvisionedFolder,SearchFolder,AggregateCounts,FolderView

Event ID 10047 is logged when the request starts, and event ID 10048 is logged upon successful completion.


Finding Quarantined Mailboxes

Note: When a mailbox is quarantined, event ID 10018 is logged in the Application event log, and this can easily be picked up by monitoring tools.

1. You can take a peek at the registry to see if there are any mailbox GUIDs listed there under:
HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeIS\<Server Name>\Private-{db guid}
Then run Get-Mailbox <GUID> to see which mailbox it is. OR

2. The command Get-MailboxStatistics for a mailbox also has a property to indicate if a mailbox is quarantined.

Get-MailboxStatistics Administrator | Select DisplayName, IsQuarantined | Format-Table -AutoSize


When did this mailbox become quarantined?

To determine what time a user's mailbox was quarantined, search the Application log in Event Viewer for event ID 10018. You will see something similar to the entry below. Look at the date and advise the user that they can access the mailbox 6 hours from that time. Note that in Exchange 2013 the quarantine time is now 24 hours. In most cases, waiting for this time to elapse is the most feasible option. Dismounting and remounting the Information Store during work hours isn't something most admins are able to do.

Log Name:      Application
Source:        MSExchangeIS
Date:          8/12/2014 12:08:19 PM
Event ID:      10018
Task Category: General
Level:         Error
Keywords:      Classic
User:          N/A
Description:

The mailbox for user 9c3210f5-ee0c-4418-950f-df039ed87ec0 has been quarantined. Access to this mailbox will be restricted to administrative logons for the next 6 hours. 
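
The two lookups above (Get-MailboxStatistics for IsQuarantined, and event ID 10018 for the quarantine time) can be combined into one report. This is an added example, not part of the original post; it assumes the Exchange Management Shell on the server hosting the active database copy, and that the GUID in the event description is the mailbox GUID, as the sample event suggests.

```powershell
# Added example, not from the original post. Assumptions: run in the Exchange
# Management Shell on the server hosting the active database copy, and the GUID
# in the event 10018 description is the mailbox GUID (as the sample event suggests).
$QuarantineHours = 6   # 6 for Exchange 2010, 24 for Exchange 2013 (per the article)

# Mailboxes the store currently flags as quarantined, across all databases.
$quarantined = @(Get-MailboxDatabase | ForEach-Object {
    Get-MailboxStatistics -Database $_.Name | Where-Object { $_.IsQuarantined }
})

# Quarantine events from the local Application log (Get-WinEvent returns newest first).
$events = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'MSExchangeIS'; Id = 10018
} -ErrorAction SilentlyContinue)

$report = foreach ($mbx in $quarantined) {
    $guid = $mbx.MailboxGuid.ToString()
    # Most recent 10018 event whose description mentions this mailbox GUID.
    $hit = $events | Where-Object { $_.Message -like "*$guid*" } | Select-Object -First 1

    $since = $null; $release = $null
    if ($hit) {
        $since   = $hit.TimeCreated
        $release = $hit.TimeCreated.AddHours($QuarantineHours)
    }
    New-Object PSObject -Property @{
        DisplayName     = $mbx.DisplayName
        MailboxGuid     = $guid
        Database        = $mbx.Database
        QuarantinedAt   = $since
        ExpectedRelease = $release   # $null means no matching event in this server's log
    }
}

if ($report) {
    $report | Select-Object DisplayName, MailboxGuid, Database, QuarantinedAt, ExpectedRelease |
        Sort-Object ExpectedRelease | Format-Table -AutoSize
} else {
    'No quarantined mailboxes found.'
}
```

An empty ExpectedRelease column means the 10018 event was logged on a different server or has already rolled out of the Application log.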

Removing Quarantined Mailboxes

In Exchange 2013 on-premises, the Disable-MailboxQuarantine cmdlet can be used to remove a mailbox from
quarantine.

For Exchange 2010, the registry key for the quarantined mailbox should be reset manually by deleting the
mailbox GUID entry under the QuarantinedMailboxes key. The Exchange store will need to be restarted
or the active database remounted for this to take effect immediately.




@O-Xchange
June 11, 2014