KevinWaller

asked on

Exchange Crashing! Forefront seems to be at issue but can't be sure.

Our enterprise Exchange cluster is crashing daily if not more than once per day. Sometimes it just pegs out the processor. Rebooting clears every time. We removed Forefront and the errors seemed to disappear but did not want to leave it for too many days w/out protection. Please see error information below, that is all we can get from the event logs.

Log Name:      System
Source:        FcsSas
Date:          5/2/2011 8:24:11 AM
Event ID:      10006
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      X-MAIL01.X.com
Description:
Forefront Client Security State Assessment Service policy applied with errors.

Reverted to the following settings:

Schedule Type: Interval
Time: 12
Parameter:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="FcsSas" />
    <EventID Qualifiers="16386">10006</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2011-05-02T12:24:11.000Z" />
    <EventRecordID>316341</EventRecordID>
    <Channel>System</Channel>
    <Computer>X-MAIL01.X.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Forefront Client Security State Assessment Service policy applied with errors.

Reverted to the following settings:</Data>
    <Data>Interval</Data>
    <Data>12</Data>
    <Data>
    </Data>
    <Data>
    </Data>
  </EventData>
</Event>


Log Name:      System
Source:        EventLog
Date:          5/2/2011 8:19:51 AM
Event ID:      6008
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      X-MAIL01.X.com
Description:
The previous system shutdown at 8:16:27 AM on 5/2/2011 was unexpected.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="EventLog" />
    <EventID Qualifiers="32768">6008</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2011-05-02T12:19:51.000Z" />
    <EventRecordID>316229</EventRecordID>
    <Channel>System</Channel>
    <Computer>X-MAIL01.X.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>8:16:27 AM</Data>
    <Data>5/2/2011</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>89712</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Binary>DB07050001000200080010001B009101DB070500010002000C0010001B0091013C0000003C000000000000000000000000000000000000000100000052000000</Binary>
  </EventData>
</Event>
ASKER CERTIFIED SOLUTION
GusGallows
In Forefront, to set the exclusions, you will go into Tools, then click on Options. From there, scroll down to the Advanced Options. You should have a box that says "Do not scan these files or locations:". Add every Exchange folder, and the quorum drive, to this list. Save it and that should stop your failures.
Are you talking about Forefront Client Security or Forefront TMG?
KevinWaller

ASKER

Forefront Client Security along with Forefront Security for Exchange Server is installed.
OK - FSE can REALLY hit the processor especially if you have set it to use ALL engines and are scanning both stores and transports. Do you have any Exchange gateways fronting the cluster?
Do you have the exceptions set up in FCS to not scan the Exchange directories (to include binaries, logs and databases) and the quorum disk?
Gus - it is FSE, not FCS. There is no client, FSE is an add on that monitors the stores and transports.
Keith, he says that he is running both FSE and FCS on the server. The errors he is showing are also FCS-related. I run the same environment here, though I did ultimately remove FCS due to some of my divisions not configuring it properly and causing system outages.

FSE scans all messages, inbound and out, but is limited to the stores and transports. At worst, it can cause your information store or transport service to lock up if not configured properly. It does not typically cause a crash on the system though. If FCS is installed, it scans the hard drives by default. This includes attached storage as well as internal storage. If you do not exclude the Exchange directories, to include the binaries, the logs, and the databases, and you do not exclude the quorum drive, the FCS can cause the drives to time out which will crash your system.

I currently run FSE with all engines, and it is an impact on my processor, but not to the point where it causes outages. It basically takes me from 15% utilization to 30%.
My apologies - missed that.
Thanks so much!  Exclusions have held the server in a normal state since the day this solution was offered.  I really appreciate it.
Thank you!
No problem. Thank you.
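The exclusion advice in the accepted answer, as an added example that is not part of the original thread: a small offline check that every Exchange path and the quorum disk is actually covered by an entry in the "Do not scan these files or locations:" list. The paths, the list contents and the function names are constructed for illustration, and the check assumes each entry is a literal folder path that also covers its subfolders.

```python
from pathlib import PureWindowsPath

# Constructed sample data (assumptions, not values from the thread).
REQUIRED = [
    r"C:\Program Files\Microsoft\Exchange Server",  # Exchange binaries
    r"E:\ExchangeLogs",                             # transaction logs
    r"F:\ExchangeDB\MDB01",                         # databases
    "Q:\\",                                         # quorum disk
]
CONFIGURED = [
    "c:\\program files\\microsoft\\exchange server\\",  # case and trailing slash differ
    r"E:\Exchange",      # looks close, but is a different folder
    r"F:\ExchangeDB",    # parent folder of the database path
]


def _parts(path):
    # Windows paths are case-insensitive; PureWindowsPath drops trailing slashes.
    return tuple(p.lower() for p in PureWindowsPath(path).parts)


def covers(exclusion, target):
    """True if target is the excluded folder or lies beneath it."""
    e, t = _parts(exclusion), _parts(target)
    # Compare whole path components so E:\Exchange does not match E:\ExchangeLogs.
    return bool(e) and t[:len(e)] == e


def audit(required, configured):
    """Map each required path to the exclusion that covers it, or None."""
    return {r: next((c for c in configured if covers(c, r)), None) for r in required}


def missing(required, configured):
    """Required paths that no configured exclusion covers."""
    return [r for r, c in audit(required, configured).items() if c is None]


if __name__ == "__main__":
    for path, excl in audit(REQUIRED, CONFIGURED).items():
        status = "OK     " if excl else "MISSING"
        print(f"{status}  {path}" + (f"  (via {excl})" if excl else ""))
```

With the sample lists, the log folder and the quorum disk are reported as missing: the near-match entry and the absent drive are the kinds of gap that leave FCS scanning paths the answer says to exclude.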