Hello, I have installed Exchange 2010 SP1 with the latest updates. When I am running the command Search-AdminAuditLog -StartDate 4/4/2011 -EndDate 4/5/2011 The system returned The attempt to search the administrator audit log failed. Please try again later. at Microsoft.Exchange.Management.SystemConfigurationTasks.AdminAuditLogSearchWorker.Search() at Microsoft.Exchange.Management.SystemConfigurationTasks.SearchAdminAuditLog.WriteResult[T](IEnumerable`1 dataObjects)Admin audit log search criteria: OrganizationId= StartDateUtc=4/3/2011 10:09:24 PM EndDateUtc=4/4/2011 10:09:24 PM Cmdlets Parameters ObjectIds UserIds Succeeded=0 [PS] C:\Windows\system32>Get-AdminAuditLogConfig RunspaceId : d02c9f82-6ec6-4c78-a48e-4058bdeffb48 AdminAuditLogEnabled : True TestCmdletLoggingEnabled : True AdminAuditLogCmdlets : {*} AdminAuditLogParameters : {*} AdminAuditLogExcludedCmdlets : {} AdminAuditLogAgeLimit : 90.00:00:00 AdminDisplayName : ExchangeVersion : 0.10 (14.0.100.0) Name : Admin Audit Log Settings DistinguishedName : CN=Admin Audit Log Settings,CN=Global Settings,CN=FirstOrganization,CN=Microsoft Exchang e,CN=Services,CN=Configuration,DC=DOMAINNAME,DC=local Identity : Admin Audit Log Settings Guid : d31cfd73-2ae4-4c83-b7d0-85ec0e0e5612 ObjectCategory : Domainname.local/Configuration/Schema/ms-Exch-Admin-Audit-Log-Config ObjectClass : {top, msExchAdminAuditLogConfig} WhenChanged : 4/5/2011 1:33:09 AM WhenCreated : 12/3/2009 2:43:51 PM WhenChangedUTC : 4/4/2011 10:33:09 PM WhenCreatedUTC : 12/3/2009 12:43:51 PM OrganizationId : OriginatingServer : DC01.domainname.local IsValid : True Seems Exchange 2010 SP1 Admin Audit Log Search not working with parameters. Any help?

“Search-AdminAuditLog” cmdlet will fail with this error when content indexing is not running; MSExchangeSearch (Indexer) service is stopped Please check if exchange search is working properly Diagnose Exchange Search Issues James Luo TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

any update on this? I'm not sure if its exactly the same, but the search-adminauditlog cmdlet isn't really working for me. If I try this: Search-AdminAuditLog -StartDate ((Get-Date).AddHours(-24)) -EndDate (Get-Date) from a mailbox server, I get output, but it does not seem to be correct: ******************************************************************************************* RunspaceId : ece86ee3-f54a-45e4-a345-84b38304aebe ObjectModified : CmdletName : CmdletParameters : {} ModifiedProperties : {} Caller : Succeeded : Error : RunDate : OriginatingServer : Identity : RgAAAAAO1CtMbGfSQoLkeS3KzlagBwA7s4MDL6ChRaDnSXf7iZrRAAAtzqh2AAA7s4MDL6ChRaDnSXf7iZrRAAAtzqiBAAAJ IsValid : True RunspaceId : ece86ee3-f54a-45e4-a345-84b38304aebe ObjectModified : CmdletName : CmdletParameters : {} ModifiedProperties : {} Caller : Succeeded : Error : RunDate : OriginatingServer : Identity : RgAAAAAO1CtMbGfSQoLkeS3KzlagBwA7s4MDL6ChRaDnSXf7iZrRAAAtzqh2AAA7s4MDL6ChRaDnSXf7iZrRAAAtzqiAAAAJ IsValid : True RunspaceId : ece86ee3-f54a-45e4-a345-84b38304aebe ObjectModified : CmdletName : CmdletParameters : {} ModifiedProperties : {} Caller : Succeeded : Error : RunDate : OriginatingServer : Identity : RgAAAAAO1CtMbGfSQoLkeS3KzlagBwA7s4MDL6ChRaDnSXf7iZrRAAAtzqh2AAA7s4MDL6ChRaDnSXf7iZrRAAAtzqh/AAAJ IsValid : True RunspaceId : ece86ee3-f54a-45e4-a345-84b38304aebe ObjectModified : CmdletName : CmdletParameters : {} ModifiedProperties : {} Caller : Succeeded : Error : RunDate : OriginatingServer : Identity : RgAAAAAO1CtMbGfSQoLkeS3KzlagBwA7s4MDL6ChRaDnSXf7iZrRAAAtzqh2AAA7s4MDL6ChRaDnSXf7iZrRAAAtzqh+AAAJ IsValid : True RunspaceId : ece86ee3-f54a-45e4-a345-84b38304aebe ObjectModified : CmdletName : CmdletParameters : {} ModifiedProperties : {} Caller : Succeeded : Error : RunDate : OriginatingServer : Identity : RgAAAAAO1CtMbGfSQoLkeS3KzlagBwA7s4MDL6ChRaDnSXf7iZrRAAAtzqh2AAA7s4MDL6ChRaDnSXf7iZrRAAAtzqh9AAAJ IsValid : True ******************************************************************************************* As was mentioned earlier, the MSExchangeSearch service is started on both mailbox servers. I did try to run the TroubleShoot-CI.ps1 against the 2 mailbox servers, and I did notice some unusual output: ******************************************************************************************* [PS] C:\Program Files\Microsoft\Exchange Server\V14\Scripts>.\Troubleshoot-CI.ps1 -server [edited out..]| fl Get-EventLog : No matches found At C:\Program Files\Microsoft\Exchange Server\V14\Scripts\CITSLibrary.ps1:622 char:40 + $msftesqlCrashes = get-eventlog <<<< -computername $Server -after $StartTime -logname "Application" $msftesqlServiceName | where {$_.eventId -eq $msftesqlCrashEventId} + CategoryInfo : ObjectNotFound: (:) [Get-EventLog], ArgumentException + FullyQualifiedErrorId : GetEventLogNoEntriesFound,Microsoft.PowerShell.Commands.GetEventLogCommand Name : [edited out..] IsDeadLocked : False CatalogStatusArray : {Mailbox Database 1897056752\[edited out..], xdb1-priv\[edited out..]} ******************************************************************************************* These are the current admin audit settings I have...: RunspaceId : ece86ee3-f54a-45e4-a345-84b38304aebe AdminAuditLogEnabled : True TestCmdletLoggingEnabled : True AdminAuditLogCmdlets : {*} AdminAuditLogParameters : {*} AdminAuditLogExcludedCmdlets : {} AdminAuditLogAgeLimit : 90.00:00:00 AdminDisplayName : ExchangeVersion : 0.10 (14.0.100.0) Name : Admin Audit Log Settings DistinguishedName : CN=Admin Audit Log Settings,CN=Global Settings,[edited out..] Identity : Admin Audit Log Settings Guid : 93b3b148-20bd-47a5-aec2-d0fabf25edf6 ObjectCategory : [edited out..]/Configuration/Schema/ms-Exch-Admin-Audit-Log-Config ObjectClass : {top, msExchAdminAuditLogConfig} WhenChanged : 9/12/2011 9:23:10 PM WhenCreated : 2/17/2010 3:46:29 PM WhenChangedUTC : 9/13/2011 2:23:10 AM WhenCreatedUTC : 2/17/2010 9:46:29 PM OrganizationId : OriginatingServer : [edited out..] IsValid : True anyone have any ideas on what I might be missing, aside from the output from Troubleshoot-CI.ps1? -Joseph Banda