Solved

EXCHANGE 2K Cannot Open messages.

Posted on 2004-04-23
24
352 Views
Last Modified: 2012-06-27
I am running Exchange Server 2000 SP3 and have applied the Post SP3 Rollup dated September (824282).  I have 2 DCs, both running DNS.  Basically I have split IIS and Exchange between them.

Last week the Exchange server slowed to a standstill.  Users could either not connect to Exchange using their Outlook 2K clients or they could connect but not open messages.  It appeared to me that Store.exe was stealing all of the server's resources.  When I stopped the service the system seemed to run fine.  There were no adverse messages being logged in either the application or system logs.

After researching the Store.exe problem it looked to me like the fix was the Post SP3 Patch, so I reapplied it.  That only made matters worse: both the Priv and Pub databases went to a "not consistent state" and I had to go through recovery procedures to get everything back.

Now I am back up after a week but still have the original problem.  The server is running like a pig (takes 30 seconds for the start menu to come up) and users cannot open Outlook.  After a long wait I can get Outlook open and see folder lists and the unread messages which continue to come in, I just can't open them.

I haven't earned my living as an Admin for many years and am stumped.  My clients have been down for way too long because of my stubbornness.
Question by:DRBibens
24 Comments
 
LVL 10

Expert Comment

by:dstoker509
ID: 10899279
Have you checked your queues to see if you are getting pegged with SMTP traffic (DoS, Virus, SPAM relay, etc...)? Store.exe typically takes a lot of memory, but what was the processor usage like?
0
 
LVL 20

Expert Comment

by:What90
ID: 10899475
Are you running any AV software on the server?

If yes then can you confirm it's not scanning any of the exchange directories on the server?
0
 
LVL 1

Author Comment

by:DRBibens
ID: 10900281
dstoker509: I am monitoring the queues. There is traffic; I am seeing spam and what looks like Netsky. I am running GFI Mail Essentials, which seems to be catching them.  The CPU activity is fluctuating between 85 & 99%.  It does drop drastically, though, when other processes demand.
0
 
LVL 1

Author Comment

by:DRBibens
ID: 10900291
What90: I am running CA eTrust InoculatIT and the mail option is running.
0
 
LVL 20

Expert Comment

by:What90
ID: 10900313
Okay, have you worked out where the virused emails are coming from?


If they are internal, run a full AV update and scan on all your workstations and servers on the LAN.

The client machines may be flooding the Exchange server with Netsky spam and causing the problem.

Post back.
0
 
LVL 1

Author Comment

by:DRBibens
ID: 10900320
I have followed all of the config suggestions to prevent relaying and do not believe that I am an open relay.  I have submitted tests to ORDB and they look good.  I am worried about spoofing though.  Netsky has been a plague for me.
0
 
LVL 1

Author Comment

by:DRBibens
ID: 10900341
What90:  The virus messages seem to all be external.  I have eTrust running everywhere and updating nightly with realmon on incoming and outgoing files.  I can run full scans any time to verify; in the past few days they always come up clean.  I only have 6 workstations.
0
 
LVL 10

Expert Comment

by:dstoker509
ID: 10901263
Are you receiving a majority of virus/SPAM (same thing) messages from a single IP address or an isolated network segment?  You may be able to block all network traffic from that segment on your firewall to relieve your Exchange server.
0
 
LVL 1

Author Comment

by:DRBibens
ID: 10901457
dstoker509: I don't know how to tell.  But I'd love to check if you can tell me how.
0
 
LVL 10

Expert Comment

by:dstoker509
ID: 10901523
For one, you can use NetMon (included with your Windows Server) to analyze packets entering your Exchange Server.

How to Capture Network Traffic with Network Monitor: http://support.microsoft.com/default.aspx?scid=kb;EN-US;148942

Look for incoming SMTP traffic on port 25.
0
 
LVL 1

Author Comment

by:DRBibens
ID: 10901589
dstoker509:  OK standby I will have a look at the article and run the test then post the results.  Thanks
0
 
LVL 1

Author Comment

by:DRBibens
ID: 10903232
dstoker:  I have had to stop the Exchange services in order to get the monitor to run.  I have left the SMTP service running but I do not know how to read the report.  I do not have SMS running so I cannot resolve the addresses, but there is one MAC that I see blasting me on ports 25 & 80; also, there are ARP-RARP requests to all my public addresses.

I am really outside of my element here and don't know how to proceed with this information.
0
 
LVL 10

Expert Comment

by:dstoker509
ID: 10903404
Another option: If you have access to the virus queue to view blocked emails, look at the message headers to see where they came from.  Not sure exactly how with GFI, but I assume that you can somehow.

What type of firewall are you using?  How do people reach your server? (Linksys router/gateway/firewall using port forwarding, PIX, etc.)  Any information helps so that I can give clearer advice pertinent to your organization.
0
 
LVL 1

Author Comment

by:DRBibens
ID: 10903513
dstoker509: I have a Netopia router but I am using a dual homed server with 2 NICs one on the Wan side and one on the Lan side and using MS routing service running NAT to issue addresses to clients.  I am only using 2 public addresses one for DNS/Exchange and the other for secondary DNS/IIS.  The MAC that is sending the ARP requests is looking at all 10 of my public addresses.

I will look into the message headers now.
0
 
LVL 10

Expert Comment

by:dstoker509
ID: 10903524
In NetMon, when you view captured packets, under the column "Src Other Addr" and "Dst Other Addr" do you see the IP address?  Also, under the ARP_RARP, you should also see the Target IP address in the Description Column.
0
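Added example, not part of the original thread: one way to answer the "single IP or isolated segment?" question and to spot the sequential ARP querying discussed here, once a capture summary has been exported to text. The CSV layout, column names and rows are constructed assumptions (documentation address ranges), not NetMon's own export format or data from this server.

```python
import csv, io, ipaddress
from collections import Counter, defaultdict

# Constructed capture summary; hypothetical columns, documentation addresses.
CAPTURE_CSV = """src,dst,protocol,dst_port,arp_target
203.0.113.77,192.0.2.10,SMTP,25,
203.0.113.77,192.0.2.10,SMTP,25,
203.0.113.77,192.0.2.10,SMTP,25,
203.0.113.80,192.0.2.10,SMTP,25,
203.0.113.77,192.0.2.10,HTTP,80,
198.51.100.5,192.0.2.10,SMTP,25,
192.0.2.1,,ARP_RARP,,192.0.2.9
192.0.2.1,,ARP_RARP,,192.0.2.10
192.0.2.1,,ARP_RARP,,192.0.2.11
192.0.2.1,,ARP_RARP,,192.0.2.12
192.0.2.20,,ARP_RARP,,192.0.2.10
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def smtp_sources_by_segment(rows, prefix=24):
    """Count inbound port-25 packets per source network (default /24)."""
    counts = Counter()
    for r in rows:
        if r["dst_port"] == "25":
            net = ipaddress.ip_network(f'{r["src"]}/{prefix}', strict=False)
            counts[str(net)] += 1
    return counts

def dominant_segment(counts, share=0.5):
    """Return the segment sending more than `share` of SMTP traffic, else None."""
    total = sum(counts.values())
    if not total:
        return None
    net, n = counts.most_common(1)[0]
    return net if n / total > share else None

def arp_sweepers(rows, min_run=4):
    """Map each ARP sender to its longest run of consecutive target IPs."""
    targets = defaultdict(set)
    for r in rows:
        if r["protocol"] == "ARP_RARP" and r["arp_target"]:
            targets[r["src"]].add(int(ipaddress.ip_address(r["arp_target"])))
    flagged = {}
    for src, seen in targets.items():
        ordered, run, best = sorted(seen), 1, 1
        for a, b in zip(ordered, ordered[1:]):
            run = run + 1 if b - a == 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[src] = best
    return flagged
```

A dominant segment is a candidate for a firewall block rule; no dominant segment points toward distributed spam or a local cause instead.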
 
LVL 10

Expert Comment

by:dstoker509
ID: 10903625
I would suggest disabling the Public NICs ASAP to get your users' internal mail working.  At the very least I would suggest purchasing a cheap firewall router like a Linksys down at BestBuy (or wherever).  With the Linksys, you can use port forwarding to forward only port 25 to your server.  The only DNS records (MX and A) that you will need will be for your external router IP address.  You can forward the necessary ports via NAT.  Then, once you determine the IP segment causing this problem, you can block it on the firewall.

***Unless you implement a firewall between you and the Internet, 1) this problem cannot be fixed, as your server will still have to filter traffic after you determine the offender, and 2) other users on the Internet will find and exploit this unprotected server.
0
 
LVL 1

Author Comment

by:DRBibens
ID: 10903643
dstoker509:  OK, first, GFI will block based upon several criteria but will only capture based upon a specific e-mail address or domain name.  I am capturing all blocked messages to a junk folder for review.  There doesn't seem to be a consistent offender.

In NetMon I do see IPs in the "Src Other Addr" and "Dst Other Addr" columns.  The IPs are consistent, with 69.28.146.235 and my Exchange IP. Traffic both ways.

Regarding the ARP_RARP that same IP is querying a whole range of IPs sequentially including all of mine and others, both before and after the range assigned to me by my provider.
0
 
LVL 1

Author Comment

by:DRBibens
ID: 10903656
dstoker509: I realize that I probably shouldn't have posted that IP but I don't really care since they are creaming my server.
0
 
LVL 1

Author Comment

by:DRBibens
ID: 10903758
dstoker509: So if I understand you, if I disable the WAN NIC, Exchange could function fine, but as configured no external messages will work either way.  However, that would provide a good test to demonstrate that the problem is external.

Then implementation of the firewall will allow me to block the offending segment.  Am I correct in thinking that I will need to open ports 25 & 80 on the firewall in order to allow both mail and IIS traffic?

I do have a Netopia SDSL router installed; I just never learned how to implement the firewall and until now never needed to.
0
 
LVL 10

Expert Comment

by:dstoker509
ID: 10904095
If you disable the WAN port, but still can reach the Internet via the router, most outgoing email will still work; just not inbound.

You are correct about the ports unless you use SSL (443 instead of 80).
0
 
LVL 1

Author Comment

by:DRBibens
ID: 10904554
dstoker509: sorry for the delay... disabling the wan NIC prohibits internet access and therefore access to this site.  I did disable it though and restarted the exchange services.  The symptoms returned even though there was no internet connection.  I have run ipconfig on all machines and the offending MAC does not appear to be in use.  I'm stumped big time now!
0
 
LVL 10

Expert Comment

by:dstoker509
ID: 10918177
Sounds like you may have something running on your server.  Without a firewall that can easily happen.  I would double-check the outgoing email to see if your server has some sort of Virus that is trying to respawn itself.  I would also suggest looking for unexpected processes running in Task Manager.  As a last resort, you may even want to consider rebuilding the server using content from backups (although not a full system state restore).  However, I would enable a firewall prior to that to ensure a safe environment.

***You may have already done this, but I would strongly suggest getting another pair of eyes on the problem as these forums can only be of so much help when troubleshooting problems like this.

Good Luck!

-David
0
 
LVL 1

Author Comment

by:DRBibens
ID: 10920160
dstoker509:  Thanks for the feedback.  I have already rebuilt Exchange but not the server.  I may have to do so.  I was hoping that someone else had experienced similar problems.  I am convinced that this is a server issue; I just loathe the prospect of rebuilding the server.  I guess that is where I'm going though, since nothing else seems to be working.

Thank you for the assistance. Is it protocol that I issue you the points?  I am new to participation in these forums, but I sure appreciate your help and rapid interaction!

DRBibens
0
 
LVL 10

Accepted Solution

by:
dstoker509 earned 500 total points
ID: 10920210
If you feel that I assisted you in troubleshooting the problem in a manner that will lead you to a resolution of the problem, then please issue me the points.  Sometimes, rebuilding the server is the answer.

Good Luck!

-David
0
