• Status: Solved
  • Priority: Medium
  • Security: Public

Exchange Crashing! Forefront seems to be at issue but can't be sure.

Our enterprise Exchange cluster is crashing daily if not more than once per day. Sometimes it just pegs out the processor. Rebooting clears every time. We removed Forefront and the errors seemed to disappear but did not want to leave it for too many days w/out protection. Please see error information below, that is all we can get from the event logs.

Log Name:      System
Source:        FcsSas
Date:          5/2/2011 8:24:11 AM
Event ID:      10006
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      X-MAIL01.X.com
Description:
Forefront Client Security State Assessment Service policy applied with errors.

Reverted to the following settings:

Schedule Type: Interval
Time: 12
Parameter:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="FcsSas" />
    <EventID Qualifiers="16386">10006</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2011-05-02T12:24:11.000Z" />
    <EventRecordID>316341</EventRecordID>
    <Channel>System</Channel>
    <Computer>X-MAIL01.X.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Forefront Client Security State Assessment Service policy applied with errors.

Reverted to the following settings:</Data>
    <Data>Interval</Data>
    <Data>12</Data>
    <Data>
    </Data>
    <Data>
    </Data>
  </EventData>
</Event>


Log Name:      System
Source:        EventLog
Date:          5/2/2011 8:19:51 AM
Event ID:      6008
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      X-MAIL01.X.com
Description:
The previous system shutdown at 8:16:27 AM on 5/2/2011 was unexpected.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="EventLog" />
    <EventID Qualifiers="32768">6008</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2011-05-02T12:19:51.000Z" />
    <EventRecordID>316229</EventRecordID>
    <Channel>System</Channel>
    <Computer>X-MAIL01.X.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>8:16:27 AM</Data>
    <Data>5/2/2011</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>89712</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Binary>DB07050001000200080010001B009101DB070500010002000C0010001B0091013C0000003C000000000000000000000000000000000000000100000052000000</Binary>
  </EventData>
</Event>
Asked: KevinWaller
 
GusGallows Commented:
I have seen this issue with Forefront and Exchange. In our case, we were using SAN attached storage and had not set up Forefront to exclude the Exchange directories. When Forefront would scan Exchange, it would lock up Exchange and in a clustered environment, cause a failure. If your Exchange server is not internet facing (if it has no port open from the outside), and if you do not surf the internet from the Exchange box, there is no real reason to have a client level anti-virus on it. But most are not comfortable with that. If you simply must have one, make sure you are excluding all Exchange directories, including the quorum drive.
 
GusGallows Commented:
In Forefront, to set the exclusions, you will go into Tools, then click on Options. From there, scroll down to the Advanced Options. You should have a box that says "Do not scan these files or locations:". Add every Exchange folder, and the quorum drive, to this list. Save it and that should stop your failures.
 
Keith Alabaster Commented:
Are you talking about Forefront Client Security or Forefront TMG?
 
KevinWaller (Author) Commented:
Forefront Client Security along with Forefront Security for Exchange Server is installed.
 
Keith Alabaster Commented:
OK - FSE can REALLY hit the processor especially if you have set it to use ALL engines and are scanning both stores and transports. Do you have any Exchange gateways fronting the cluster?
 
GusGallows Commented:
Do you have the exceptions set up in FCS to not scan the Exchange directories (to include binaries, logs and databases) and the quorum disk?
 
Keith Alabaster Commented:
Gus - it is FSE, not FCS. There is no client, FSE is an add on that monitors the stores and transports.
 
GusGallows Commented:
Keith, he says that he is running both FSE and FCS on the server. The errors he is showing are also FCS related. I run the same environment here, though I did ultimately remove FCS due to some of my divisions not configuring it properly and causing system outages.

FSE scans all messages, inbound and out, but is limited to the stores and transports. At worst, it can cause your information store or transport service to lock up if not configured properly. It does not typically cause a crash on the system though. If FCS is installed, it scans the hard drives by default. This includes attached storage as well as internal storage. If you do not exclude the Exchange directories, to include the binaries, the logs, and the databases, and you do not exclude the quorum drive, the FCS can cause the drives to time out which will crash your system.

I currently run FSE with all engines, and it is an impact on my processor, but not to the point where it causes outages. It basically takes me from 15% utilization to 30%.
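
The exclusion requirement described in the comments above (Exchange binaries, logs, databases and the quorum drive), turned into a coverage check. This is an added example, not part of any participant's post: all paths and drive letters are constructed, and it assumes an excluded folder covers everything beneath it.

```python
import ntpath  # Windows path rules, usable on any OS


def _norm(path):
    """Case-fold and normalise a Windows path; 'Q:' is treated as 'Q:\\'."""
    p = ntpath.normcase(ntpath.normpath(path.strip()))
    if len(p) == 2 and p[1] == ":":
        p += "\\"
    return p


def is_covered(required, exclusion):
    """True if `required` is the excluded path itself or lies beneath it."""
    r, e = _norm(required), _norm(exclusion)
    prefix = e if e.endswith("\\") else e + "\\"
    return r == e or r.startswith(prefix)


def uncovered(required, exclusions):
    """Return labels of required paths that no exclusion entry covers."""
    return [label for label, path in required.items()
            if not any(is_covered(path, ex) for ex in exclusions)]


# Constructed sample: the locations the thread says must be excluded.
REQUIRED = {
    "Exchange binaries": r"C:\Program Files\Microsoft\Exchange Server",
    "Transaction logs": r"L:\ExchangeLogs\SG1",
    "Databases": r"M:\ExchangeDB\SG1",
    "Quorum drive": "Q:\\",
}

# Constructed sample of what was typed into the
# "Do not scan these files or locations:" box.
EXCLUSIONS = [
    "c:\\program files\\microsoft\\exchange server\\",  # case/trailing slash differ
    r"M:\ExchangeDB",    # parent folder covers SG1
    r"L:\ExchangeLog",   # typo: a different folder, not a parent of ExchangeLogs
    "Q:",                # drive entered without a backslash
]

if __name__ == "__main__":
    for label in uncovered(REQUIRED, EXCLUSIONS):
        print("NOT EXCLUDED:", label, "->", REQUIRED[label])
```

The near-miss entry `L:\ExchangeLog` is the case worth checking for: a plain string-prefix comparison would wrongly report the log folder as excluded.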
 
Keith Alabaster Commented:
My apologies - missed that.
 
KevinWaller (Author) Commented:
Thanks so much!  Exclusions have held the server in a normal state since the day this solution was offered.  I really appreciate it.
 
KevinWaller (Author) Commented:
Thank you!
 
GusGallows Commented:
No problem. Thank you.