Daryl Bibens (United States of America) asked:
Exchange 2K: cannot open messages.

I am running Exchange Server 2000 SP3 and have applied the post-SP3 rollup dated September (824282). I have 2 DCs, both running DNS. Basically I have split IIS and Exchange between them.

Last week the Exchange server slowed to a standstill. Users could either not connect to Exchange using their Outlook 2K clients, or they could connect but not open messages. It appeared to me that Store.exe was stealing all of the server's resources. When I stopped the service the system seemed to run fine. There were no adverse messages being logged in either the application or system logs.

After researching the Store.exe problem it looked to me like the fix was the post-SP3 patch, so I reapplied it. That only made matters worse: both the Priv and Pub databases went to a "not consistent state" and I had to go through recovery procedures to get everything back.

Now I am back up after a week but still have the original problem. The server is running like a pig (it takes 30 seconds for the Start menu to come up) and users cannot open Outlook. After a long wait I can get Outlook open and see folder lists and the unread messages, which continue to come in; I just can't open them.

I haven't earned my living as an admin for many years and am stumped. My clients have been down for way too long because of my stubbornness.
dstoker509 replied:

Have you checked your queues to see if you are getting pegged with SMTP traffic (DoS, virus, spam relay, etc.)? Store.exe typically takes a lot of memory, but what was the processor usage like?

What90 replied:

Are you running any AV software on the server?

If yes, then can you confirm it's not scanning any of the Exchange directories on the server?
Daryl Bibens (asker) replied:

dstoker509: I am monitoring the queues; there is traffic, and I am seeing spam and what looks like Netsky. I am running GFI Mail Essentials, which seems to be catching them. The CPU activity is fluctuating between 85 and 99%. It does drop drastically, though, when other processes demand.
What90: I am running CA eTrust InoculateIT and the mail option is running.
What90 replied:

Okay, have you worked out where the virus emails are coming from?

If they are internal, run a full AV update and scan on all your workstations and servers on the LAN.

The client machines may be flooding the Exchange server with Netsky spam and causing the problem.

Post back.
Daryl Bibens (asker) replied:

I have followed all of the config suggestions to prevent relaying and do not believe that I am an open relay. I have submitted tests to ORDB and they look good. I am worried about spoofing, though. The Netsky has been a plague for me.
What90: The virus messages seem to all be external. I have eTrust running everywhere and updating nightly, with realmon on incoming and outgoing files. I can run full scans any time to verify; in the past few days they always come up clean. I only have 6 workstations.
dstoker509 replied:

Are you receiving a majority of virus/spam (same thing) messages from a single IP address or an isolated network segment? You may be able to block all network traffic from that segment on your firewall to relieve your Exchange server.
Daryl Bibens (asker) replied:

dstoker509: I don't know how to tell. But I'd love to check if you can tell me how.
dstoker509 replied:

For one, you can use NetMon (included with your Windows Server) to analyze packets entering your Exchange server.

How to Capture Network Traffic with Network Monitor: http://support.microsoft.com/default.aspx?scid=kb;EN-US;148942

Look for incoming SMTP traffic on port 25.
Daryl Bibens (asker) replied:

dstoker509: OK, standby. I will have a look at the article and run the test, then post the results. Thanks.

dstoker: I have had to stop the Exchange services in order to get the monitor to run. I have left the SMTP service running, but I do not know how to read the report. I do not have SMS running so I cannot resolve the addresses, but there is one MAC that I see blasting me on ports 25 and 80; also there are ARP-RARP requests to all my public addresses.

I am really outside of my element here and don't know how to proceed with this information.
dstoker509 replied:

Another option: if you have access to the virus queue to view blocked emails, look at the message headers to see where they came from. Not sure exactly how with GFI, but I assume that you can somehow.

What type of firewall are you using? How do people reach your server? (Linksys router/gateway/firewall using port forwarding, PIX, etc.) Any information so that I can give clearer advice pertinent to your organization.
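A worked version of the header check suggested above, added here as an example and not part of the original thread, GFI or Exchange. The message is constructed, and mail.example.com is an assumed name standing in for the asker's Exchange server; the first Received: line copies the "Microsoft SMTPSVC" stamp format Exchange 2000's SMTP service writes. The caveat a practitioner wants is built into the code: only the Received: line your own server stamped records a connecting IP you can trust. Every line below it arrived inside the message and can be forged by the sender or by a worm, which is exactly why "spoofing" worries apply to the lower hops but not to the top one.

```python
"""Pull the delivering IP out of a blocked message's Received: headers.

Added example, not from the original thread or from GFI/Exchange. The sample
message is constructed; OUR_MX is an assumed name for the Exchange server.
Only the Received: line stamped by OUR_MX is trustworthy: everything below it
arrived inside the message and may be forged.
"""
import re
from collections import Counter
from email import message_from_string

OUR_MX = "mail.example.com"  # assumed hostname of the receiving Exchange server

# Constructed sample. The first hop mimics Exchange 2000's SMTP service stamp;
# the lower hops are whatever the sending side chose to write.
SAMPLE_MESSAGE = """\
Received: from relay.isp.example ([198.51.100.77]) by mail.example.com with Microsoft SMTPSVC(5.0.2195.6713);
\t Mon, 15 Mar 2004 10:22:01 -0800
Received: from bigbank.example ([192.0.2.44]) by relay.isp.example; Mon, 15 Mar 2004 10:21:55 -0800
Received: from trusted.example (unknown [10.9.8.7]) by bigbank.example; Mon, 15 Mar 2004 10:21:50 -0800
From: "Friend" <friend@trusted.example>
To: user@example.com
Subject: re: document

Your document is attached.
"""

# "from <host> (<comment>) by <host>" as written by most MTAs, Exchange included.
HOP = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+([^\s;]+)", re.IGNORECASE)
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(raw_message):
    """Return one dict per Received: header, newest (our own stamp) first."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(value)
        if not m:
            continue
        ip = IPV4.search(m.group(2))
        hops.append({
            "from_host": m.group(1),
            "ip": ip.group(1) if ip else None,
            "by_host": m.group(3),
        })
    return hops


def delivering_ip(raw_message, our_host=OUR_MX):
    """IP that connected to our_host, taken only from the hop our_host stamped.

    Returns None when no Received: line was written by our_host, which is
    itself a useful signal (the message did not arrive over SMTP from outside).
    """
    for hop in parse_received(raw_message):
        if hop["by_host"].lower() == our_host.lower():
            return hop["ip"]
    return None


def count_delivering_ips(raw_messages, our_host=OUR_MX):
    """Tally delivering IPs across a junk folder's worth of blocked messages."""
    return Counter(ip for ip in (delivering_ip(m, our_host) for m in raw_messages) if ip)


if __name__ == "__main__":
    for hop in parse_received(SAMPLE_MESSAGE):
        print(f"from {hop['from_host']} [{hop['ip']}] by {hop['by_host']}")
    print("delivered to us by:", delivering_ip(SAMPLE_MESSAGE))
```

Run `count_delivering_ips` over the saved junk folder rather than eyeballing single messages: a worm sending through many infected hosts shows up as a long tail of one-off IPs, while a single abusive relay or segment shows up as one entry dominating the count.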
Daryl Bibens (asker) replied:

dstoker509: I have a Netopia router, but I am using a dual-homed server with 2 NICs, one on the WAN side and one on the LAN side, and using the MS routing service running NAT to issue addresses to clients. I am only using 2 public addresses, one for DNS/Exchange and the other for secondary DNS/IIS. The MAC that is sending the ARP requests is looking at all 10 of my public addresses.

I will look into the message headers now.
dstoker509 replied:

In NetMon, when you view captured packets, under the columns "Src Other Addr" and "Dst Other Addr" do you see the IP address? Also, under ARP_RARP, you should also see the target IP address in the Description column.

I would suggest disabling the public NICs ASAP to get your users' internal mail working. At the very least I would suggest purchasing a cheap firewall router like a Linksys down at Best Buy (or wherever). With the Linksys, you can use port forwarding to forward only port 25 to your server. The only DNS records (MX and A) that you will need will be for your external router IP address. You can forward the necessary ports via NAT. Then, once you determine the IP segment causing this problem, you can block it on the firewall.

***Unless you implement a firewall between you and the Internet: 1) this problem cannot be fixed, as your server will still have to filter traffic after you determine the offender, and 2) other users on the Internet will find and exploit this unprotected server.
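The two NetMon questions in this thread (the earlier "look for incoming SMTP on port 25" and the column check just above) reduce to two counts: which source IP opens the most connections to port 25, and which MAC is ARP-sweeping the public block. The script below does both over a capture and is an added example, not from the thread and not Network Monitor's own tooling. It assumes the capture was exported as tab-separated text with the frame-viewer columns named above (Src MAC Addr, Dst MAC Addr, Protocol, Description, Src Other Addr, Dst Other Addr) and that the Description column carries "src: N dst: M" for TCP and "Target IP: a.b.c.d" for ARP requests; both are assumptions about the export format. The rows are constructed from documentation address ranges rather than the real address posted later in the thread.

```python
"""Summarise a NetMon-style frame export: who hammers port 25, who ARP-sweeps.

Added example, not from the original thread or from Network Monitor itself.
It assumes the capture was saved as a tab-separated text export with the
frame-viewer columns named in the thread; the rows below are constructed and
use documentation address ranges, not the real address posted by the asker.
"""
import re
from collections import Counter, defaultdict

# Assumed Description formats: TCP ports as "src: N dst: M", ARP requests as
# "ARP: Request, Target IP: a.b.c.d".
TCP_PORTS = re.compile(r"src:\s*(\d+)\s+dst:\s*(\d+)")
ARP_TARGET = re.compile(r"Target IP:\s*(\d{1,3}(?:\.\d{1,3}){3})")

HEADER = "Src MAC Addr\tDst MAC Addr\tProtocol\tDescription\tSrc Other Addr\tDst Other Addr"


def _syn(src_mac, src_ip, src_port, dst_port):
    return (f"{src_mac}\t0003471A2B3C\tTCP\t....S., len: 0, src: {src_port} dst: {dst_port}"
            f"\t{src_ip}\t203.0.113.10")


def _arp(src_mac, target_ip):
    return f"{src_mac}\tFFFFFFFFFFFF\tARP_RARP\tARP: Request, Target IP: {target_ip}\t\t"


# Constructed capture: one external host opening five SMTP connections and one
# HTTP connection, a second host opening two, and the first host's MAC walking
# twelve consecutive addresses of the public block with ARP requests.
SAMPLE_EXPORT = "\n".join(
    [HEADER]
    + [_syn("00A0C9112233", "198.51.100.77", p, 25) for p in range(3721, 3726)]
    + [_syn("00D0B7445566", "192.0.2.5", p, 25) for p in (1101, 1102)]
    + [_syn("00A0C9112233", "198.51.100.77", 3800, 80)]
    + [_arp("00A0C9112233", f"203.0.113.{n}") for n in range(1, 13)]
    + [_arp("0003471A2B3C", "192.168.1.20")]
)


def parse_export(text):
    """Turn the tab-separated export into a list of {column: value} dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    columns = lines[0].split("\t")
    frames = []
    for line in lines[1:]:
        cells = line.split("\t")
        cells += [""] * (len(columns) - len(cells))  # pad short rows
        frames.append(dict(zip(columns, cells)))
    return frames


def smtp_sources(frames):
    """Count TCP frames addressed to port 25, keyed by source IP."""
    hits = Counter()
    for f in frames:
        if f["Protocol"] != "TCP":
            continue
        m = TCP_PORTS.search(f["Description"])
        if m and int(m.group(2)) == 25:
            hits[f["Src Other Addr"]] += 1
    return hits


def arp_sweeps(frames, min_targets=8):
    """MACs whose ARP requests cover at least min_targets distinct target IPs.

    A host that ARPs for a whole block of addresses in sequence is mapping
    the segment, which is what the thread saw against the public range.
    """
    targets = defaultdict(set)
    for f in frames:
        if f["Protocol"] != "ARP_RARP":
            continue
        m = ARP_TARGET.search(f["Description"])
        if m:
            targets[f["Src MAC Addr"]].add(m.group(1))
    return {mac: sorted(ips, key=lambda ip: tuple(map(int, ip.split("."))))
            for mac, ips in targets.items() if len(ips) >= min_targets}


if __name__ == "__main__":
    frames = parse_export(SAMPLE_EXPORT)
    for ip, n in smtp_sources(frames).most_common():
        print(f"{n:4d} connections to port 25 from {ip}")
    for mac, ips in arp_sweeps(frames).items():
        print(f"ARP sweep from {mac}: {ips[0]} .. {ips[-1]} ({len(ips)} targets)")
```

The source IP is what you would block at a firewall; the MAC is only meaningful on the local segment, which is why a MAC that keeps showing up after the WAN NIC is disabled points at something on the LAN or on the server itself rather than at an Internet host.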
Daryl Bibens (asker) replied:

dstoker509: OK, first, GFI will block based upon several criteria, but will only capture based upon a specific e-mail address or domain name. I am capturing all blocked messages to a junk folder for review. There doesn't seem to be a consistent offender.

In NetMon I do see IPs in the "Src Other Addr" and "Dst Other Addr" columns. The IPs are consistent: 69.28.146.235 and my Exchange IP, traffic both ways.

Regarding the ARP_RARP, that same IP is querying a whole range of IPs sequentially, including all of mine and others, both before and after the range assigned to me by my provider.

dstoker509: I realize that I probably shouldn't have posted that IP, but I don't really care since they are creaming my server.

dstoker509: So if I understand you, if I disable the WAN NIC Exchange could function fine, but as configured no external messages will work either way. However, that would provide a good test to demonstrate that the problem is external.

Then implementation of the firewall will allow me to block the offending segment. Am I correct in thinking that I will need to open ports 25 and 80 on the firewall in order to allow both mail and IIS traffic?

I do have a Netopia SDSL router installed; I just never learned how to implement the firewall and until now never needed to.
dstoker509 replied:

If you disable the WAN port but can still reach the Internet via the router, most outgoing email will still work; just not inbound.

You are correct about the ports, unless you use SSL (443 instead of 80).
Daryl Bibens (asker) replied:

dstoker509: sorry for the delay... disabling the WAN NIC prohibits Internet access and therefore access to this site. I did disable it, though, and restarted the Exchange services. The symptoms returned even though there was no Internet connection. I have run ipconfig on all machines and the offending MAC does not appear to be in use. I'm stumped big time now!
dstoker509 replied:

Sounds like you may have something running on your server. Without a firewall that can easily happen. I would double-check the outgoing email to see if your server has some sort of virus that is trying to respawn itself. I would also suggest looking for unexpected processes running in Task Manager. As a last resort, you may even want to consider rebuilding the server using content from backups (although not a full system state restore). However, I would enable a firewall prior to that to ensure a safe environment.

***You may have already done this, but I would strongly suggest getting another pair of eyes on the problem, as these forums can only be of so much help when troubleshooting problems like this.

Good Luck!

-David
Daryl Bibens (asker) replied:

dstoker509: Thanks for the feedback. I have already rebuilt Exchange but not the server. I may have to do so. I was hoping that someone else had experienced similar problems. I am convinced that this is a server issue; I just loathe the prospect of rebuilding the server. I guess that is where I'm going, though, since nothing else seems to be working.

Thank you for the assistance. Is it protocol that I issue you the points? I am new to participation in these forums, but I sure appreciate your help and rapid interaction!

DRBibens
ASKER CERTIFIED SOLUTION
dstoker509