| Event Id | 9017 |
| Source | MSExchangeAdmin |
| Description | Microsoft Exchange System Attendant has detected a discrepancy in the published security data for Exchange server server name. This servers encryption keys may have been modified illicitly. |
| Event Information | "According to Microsoft: Cause: When the Microsoft Exchange System Attendant service is started, it performs a consistency check to confirm that the public key for its server is correctly published in Active Directory. If this event occurs, the Microsoft Exchange System Attendant has determined that this consistency check has failed, which could indicate that the Active Directory copy of the key may have been illicitly replaced with a forged key. To avoid any potential risk from this situation, the Microsoft Exchange System Attendant will generate a new server key pair. A possible cause is that this encryption keys for this server may have been modified illicitly. User Action : Once the new key pair is generated, all passwords that are used by Exchange server components on this server must be re-entered using the Exchange System Management snapin. This will include the Legacy Service Account password, SMTP/MTA passwords, and other connector passwords. Precautions should be taken to ensure that the Active Directory is not being illicitly modified by unauthorized persons." |
| Reference Links | Microsoft Exchange System Attendant has detected a discrepancy in the published security data for Exchange server server name |
Catch threats immediately
We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.