Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Information Store failure

Posted on 2005-04-20
16
Medium Priority
?
6,847 Views
Last Modified: 2012-05-05
Hi All

I have a W2k3 server running Exchange W2k3.
All MS Exchange services send/receive and run fine until a user attempts to attach a file and send.
When this happens the Information Store fails. I go to services and can start it right back up just fine.

Does anyone know what may be causing this failure and errors.
Help, please.

===================================

Event Type:      Error
Event Source:      Application Error
Event Category:      (100)
Event ID:      1000
Date:            4/20/2005
Time:            8:25:44 AM
User:            N/A
Computer:      MYSERVER
Description:
Faulting application store.exe, version 6.5.6944.3, faulting module unknown,
version 0.0.0.0, fault address 0x57fffffd.

=================================

Event Type:      Error
Event Source:      MSExchangeSA
Event Category:      MAPI Session
Event ID:      9175
Date:            4/20/2005
Time:            8:28:57 AM
User:            N/A
Computer:      MYSERVER
Description:
The MAPI call 'OpenMsgStore' failed with the following error:
The Microsoft Exchange Server computer is not available.  Either there are
network problems or the Microsoft Exchange Server computer is down for
maintenance.
The MAPI provider failed.
Microsoft Exchange Server Information Store
ID no: 8004011d-0526-00000000
=====================================
Event Type:      Information
Event Source:      MSExchangeIS Mailbox Store
Event Category:      General
Event ID:      1216
Date:            4/20/2005
Time:            9:21:47 AM
User:            N/A
Computer:      MYSERVER
Description:
The information store database "First Storage Group\Mailbox Store
(MYSERVER)" is limited to 16384 MB.
============================================
Event Type:      Information
Event Source:      MSExchangeIS Public Store
Event Category:      General
Event ID:      1216
Date:            4/20/2005
Time:            9:21:47 AM
User:            N/A
Computer:      MYSERVER
Description:
The information store database "First Storage Group\Public Folder Store
(MYSERVER)" is limited to 16384 MB.
0
Comment
Question by:yrwright
  • 6
  • 5
  • 4
  • +1
16 Comments
 
LVL 24

Expert Comment

by:flyguybob
ID: 13824249
Ahh...the 16GB limitation of Exchange Standard strikes....
0
 
LVL 24

Expert Comment

by:flyguybob
ID: 13824260
First, read this KB article:
http://support.microsoft.com/kb/813051
0
 
LVL 24

Assisted Solution

by:flyguybob
flyguybob earned 750 total points
ID: 13824343
Okay.  now that you have read the KB article:
1)  Please realize that this additional 1GB is just a crutch.  It is nothing more than a temporary increase so that you can continue to operate.  You have to down your store in order to get the extra 1GB to take.  However, it does not appear that this would be a problem at this point.
2)  If you have users with large mailboxes, you may want to consider asking them to downsize by:
    a)  Removing non-business related sent items (sort on attachment).
    b)  Removing large files (50MB database exports for which they have a file copy, etc.)
    c)  Emptying their deleted items or deleting their deleted items (note that the DIRT, or Deleted Item Retention Time is in effect here...not something you really want to change unless you want to do a restore for a user).
3)  If you are familiar with eseutil and running defrags, then:
    a)  Make a full backup of your Exchange environment with a validation (offline is fine).
    b)  Run an offline defrag.
  If you are not familiar with eseutil, contact Microsoft PSS if this is your first time around and let them assist.  It was possible to see eseutil accidentally whack some attachments...though this was only really an issue in older versions of Exchange.
4)  Consider purcahsing the Enterprise Edition of Exchange.  There is, unfortunately, no upgrade path unless you have an EA with Microsoft.  Most companies with Enterprise Agreements run the Enterprise Edition of Exchange.  It's a hefty price tag and it was worth it when Microsoft released a new OS every few years.
0
Free Backup Tool for VMware and Hyper-V

Restore full virtual machine or individual guest files from 19 common file systems directly from the backup file. Schedule VM backups with PowerShell scripts. Set desired time, lean back and let the script to notify you via email upon completion.  

 

Author Comment

by:yrwright
ID: 13825128
Flyguybob

Thanks for replying.
The server has not reached 16GB in size. The entire server is using less than 10GB and only has 8 accounts.
This server is dedicated to a call center.

These are the first two errors when the store fails.

Event Type:      Error
Event Source:      Application Error
Event Category:      (100)
Event ID:      1000
Date:            4/20/2005
Time:            9:29:34 AM
User:            N/A
Computer:      Myserver
Description:
Faulting application store.exe, version 6.5.6944.3, faulting module unknown, version 0.0.0.0, fault address 0x57fffffd.

==================
Event Type:      Error
Event Source:      MSExchangeSA
Event Category:      Monitoring
Event ID:      1005
Date:            4/20/2005
Time:            9:31:28 AM
User:            N/A
Computer:      Myserver
Description:
Unexpected error <<0xc1050000 - Network problems are preventing connection to the Microsoft Exchange Server computer. An unexpected, unknown error has occurred. Microsoft Exchange Server Information Store ID no: 80040115-0514-000006bf>> occurred.

The Event IDs seem general so I don't know where to start.

0
 
LVL 24

Expert Comment

by:David Wilhoit
ID: 13825215
Normally when I see the store drop because of an attachment, we're talking corruption in the database. But to be fair, have you added/installed any new apps on Exchange, or have you reconfigured the antivirus on the server? If file level AV is scanning any Exchange directories, it can cause this when the attachment hits the store.
0
 

Author Comment

by:yrwright
ID: 13825407
No recent reconfig of AV.
Trekking back to the time this started yesterday here is the error code when it went down for the first time.

Event Type:      Error
Event Source:      MSExchangeIS
Event Category:      General
Event ID:      9673
Date:            4/19/2005
Time:            4:53:18 PM
User:            N/A
Computer:      OUTREACH
Description:
An exception with code 0xc00000fd was thrown in module C:\WINDOWS\system32\ntdll.dll; some parameters and their values were <Exception address - 57fffffd>. A significant section of the call stack is in the data section.

For more information, click http://www.microsoft.com/contentredirect.asp.
Data:
0000: 24 33 13 2e c5 8c f6 77   $3..Å&#140;öw
0008: 3c 33 13 2e 44 d7 16 2e   <3..D×..
0010: 58 33 13 2e 14 33 13 2e   X3...3..
0018: fd ff ff 57 02 00 00 00   ýÿÿW....
0020: 3c 33 13 2e 44 d7 16 2e   <3..D×..
0028: b4 8b f6 77 3c 33 13 2e   ´&#139;öw<3..
0030: 44 d7 16 2e 58 33 13 2e   D×..X3..
0038: 14 33 13 2e fd ff ff 57   .3..ýÿÿW
0
 
LVL 24

Expert Comment

by:David Wilhoit
ID: 13825483
Well,something changed, if you're getting an exception error like this. Open drwtsn32.exe, check to see if you're getting a dump and a log of this exception. I'm guessing you are; read the log. If you can't think of what's changed, it's time to call PSS because this is no good. The kernel is crashing, there's a stack overflow on the ntdll.dll. What kind of AV do you have installed on the server? Did you check to verify that file-level AV, if any is installed, is prohibited from scanning the \exchsrvr directories?

D
0
 
LVL 24

Accepted Solution

by:
David Wilhoit earned 750 total points
ID: 13825715
Ok, after digging around, looks like you may be a victim of the rootkit Hacker Defender. You're going to need to download a tool to detect the kit, stop it, and delete the files and registry entries. Here' are some steps on removing this ugly beast, if you have it:

First download the tools:

http://www.qihangnet.com/sfzhi/tmp/FHS.exe
http://www.qihangnet.com/sfzhi/tmp/knlps10.zip
http://www.qihangnet.com/sfzhi/tmp/knlsc13.zip

Second, use knlps to find and kill the hidden process.

Usage: knlps.exe -l | -k PID

knlps.exe -l list all process, hide process marked with * .
knlps.exe -k PID kill the special process.

And knlsc13, if the other doesn't succeed:
.knlsc13.exe
Kernel SC v1.3 By zzzEVAzzz
Usage : knlsc13.exe -f | -l[swamd] | -c[a|m|d] ServiceName
-f : Find hidden services.
-l : List specified services.
-c : Config service start type.
s w : Select System or Win32 service type. Default is all.
a m d : Select Automatic, Manual or Disabled start type. Default is all.
Example:
>knlsc13.exe -f : Find hidden services.
>knlsc13.exe -law : List Automatic Win32 services.
>knlsc13.exe -cd BITS : Config BITS service start type to Disabled.

Found all this at governmentsecurity.org, on their forum, but thought it should be posted here as well. Kudos to those folks :)

D
0
 

Author Comment

by:yrwright
ID: 13825739
Nothing changed as far as application installation at 5pm in the evening. Using Symantec EE AV, Last night I shutdown the AV to test that, so that isn't the case.
Seems as though someone else had this identical problem. Referencing

http://www.experts-exchange.com/Networking/Email_Groupware/Exchange_Server/Q_21156730.html?query=9673&topics=132

I'm not familiar with using that Dr Watson, but I will take a look then see how far I get with that other thread solution. Let you know how it works out.
0
 

Author Comment

by:yrwright
ID: 13825784
OK, tks. I'm going to start going through these steps and see what comes up.
0
 
LVL 24

Expert Comment

by:David Wilhoit
ID: 13825806
I also just read that it gives out a copy of your SAM, once infected. this could be ugly, even if you get this running again, if that's true.
0
 
LVL 24

Expert Comment

by:flyguybob
ID: 13826244
As an aside, Symantec missed 6 viruses/trojans on a machine that my wife was using (it was protected and she still got it!).  Trend's online Housecall caught it just fine.

Bob
0
 
LVL 24

Expert Comment

by:David Wilhoit
ID: 13826388
that's about right, Symantec bringing up the rear again :) That software sucks worse than ticks...
0
 
LVL 26

Expert Comment

by:Vahik
ID: 13826868
http://support.microsoft.com/default.aspx?scid=kb;en-us;891504

maybe kidego is right...this may require a call to PSS
0
 
LVL 24

Expert Comment

by:David Wilhoit
ID: 13826952
This article refers to a different failing address space...57fffffd on the ntdll.dll is specific to the rootkit issue....
0
 
LVL 24

Expert Comment

by:flyguybob
ID: 13828558
PSS good...
I just had an issue where I worked with someone out of their Dallas office and another out of the Charlotte office.
It's going to SUCK with a capital SUCK when all their U.S. support is dissolved.
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Exchange administrators are always vigilant about Exchange crashes and disasters that are possible any time. It is quite essential to identify the symptoms of a possible Exchange issue and be prepared with a proper recovery plan. There are multiple…
In my humble opinion (IMHO), TouchDown from Symantec is the best in class for this type of application, but Symantec has end-of-lifed it and although one can keep using it, it will no longer be supported or upgraded.  Time to look for alternatives t…
In this video we show how to create an email address policy in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Mail Flow…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…
Suggested Courses

581 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question