During Enterprise Vault (EV) Exchange Journaling, items may be incorrectly regarded as corrupt and moved to the "Failed to Copy" folder when Varonis Datadvantage 'Collects' from the Journal Mailbox

book

Article ID: 100033105

calendar_today

Updated On:

Description

Error Message

Event Log
The following warning is raised in the Enterprise Vault Event log when a message is detected as corrupt

Type :  Warning
Date :  12/08/2016
Time :  11:13:50
Event :  3070
Source :  Enterprise Vault
Category : Journal Task
User :  N/A
Computer : EVServer
Description:
The following message could not be archived as it may be corrupt.

Title: Email Subject
Mailbox: User1

No further attempts will be made to archive this message. The message has been moved to the 'Enterprise Vault Journaling Service\Failed to copy' folder.
 

Dtrace
For this particular problem, the JournalTask will fail to process the message after the GetCalculatedModifiedDate, where EV related MAPI attributes are added and then saved on the message. However, no errors will be thrown at this stage,  but instead, the next line in the dtrace will show that a rollback is occurring as the function UndoMarkForArchiveEx is called.
 
62554    15:02:50.375     [50660]    (JournalTask)    <46284>    EV:L    {GetCalculatedModifiedDate:#1172} Calculated date (dd/mm/yyyy): [11/08/2016 13:00.01] [PR_MESSAGE_DELIVERY_TIME]
62566    15:02:50.469     [50660]    (JournalTask)    <46284>    EV:L    {CExchangeShortcutAccessor::UndoMarkForArchiveEx} (Entry)  ---------Failure already occurred and rollback triggered
62567    15:02:50.484     [50660]    (JournalTask)    <46284>    EV:M    {GetJournalPartProperty:#72} Related Journal Part Property not found on message
62568    15:02:50.547     [50660]    (JournalTask)    <46284>    EV:L    {CExchangeShortcutAccessor::UndoMarkForArchiveEx} (Exit) Status: [Success]
 
Further in the dtrace we can see the Event 3070 being raised:

62586 15:02:50.719  [50660] (JournalTask) <46284> EV~W Event ID: 3070 The following message could not be archived as it may be corrupt. |Title: This is the message subject |Mailbox: User 1
|No further attempts will be made to archive this message. The message has been moved to the 'Enterprise Vault Journaling Service\Failed to copy' folder. 
 

Resolution

Workaround
On Varonis Datavantage, configure an Exclusion list to exclude the Journal Mailbox from the 'Collect' option.

Issue/Introduction

When the Varonis Datavantage application is used to Collect from an Exchange Journal Mailbox, which is also processed by the Enterprise Vault (EV) Journal Task, items may incorrectly be identified as corrupt by the EV Journal Task and moved to the 'Failed to Copy' folder. In most cases, the items would be processed successfully if moved back to the Inbox folder, proving that they are in a healthy state.

The issue has been reported on the following versions but may not be limited to:
- Exchange 2010
- Varonis Datavantage 6.2.50
Powered by Wolken Software