it_gsr
asked on
How to troubleshoot Mailbox Store edb and logs growing rapidly
Hello All,
I have an exchange organization with about 700 mailboxes on exchange server 2003 SP2 in a front end and back end configuration.
I use GFI MailEssentials for antispam and email security on the front end and for Informations store scanning on the back end.
I have four information stores each in a separate storage group. One of the stores; with 567 users (not well balanced numerically, I admit) has been growing rather rapidly and sporadically the last couple of days. In a given 4 hour period I lost about 1.6GB of space to the edb.
So far, I have checked the following:
SMTP Side:
-There is no NDR looping
-There is no visible spamming
-No open relay
-Normal mailflow
Stores Side:
-no corrupt mail is stuck in a queue
-Exmon shows no user taking up more operations or cpu time than necessary
-when the suspect mailbox store is dismounted, the problem stops momentarily.
Parsing the logs for the storage group holding the information store (collected for the period of increasing databases) using strings.exe (see http://blogs.msdn.com/b/scottos/archive/2007/07/12/rough-and-tough-guide-to-identifying-patterns-in-ese-transaction-log-files.aspx?PageIndex=3#comments) shows some emails occurring the following number of times within the logs collected during the 2 and half hour window:
3716 craiga@supplydirect.net
5583 bradt@supplydirect.net
3229 sales@pps-awb.co.uk
2602 jacheretrade@yahoo.co.uk
1900 mitchell.ackah@mospacka.co
1567 Internal User A
1368 Internal User B
135 Internal User C
All the above have one thing in common, they are suppliers and internal users A and B are supply officers.
Mail tracking shows no mail sent or received between Internal User B and any of the external accounts but 1 email between Internal User C and craiga@supplydirect.net
Questions:
1. What else should I consider after all the above and what step should I take in resolving the issue?
2. Could a corruption in the mailbox store be the cause of this rapidly growing edb file and Exxx.logs?
Notes:
The following have recently occurred: server disk was replaced following drive failure. The server is in a RAID 5 array
The Active Directory FSMO roles were recently moved from server 2003 SP1 physical servers to corresponding server 2008R2 SP1 virtual servers into a VMware vSphere private cloud.
I have an exchange organization with about 700 mailboxes on exchange server 2003 SP2 in a front end and back end configuration.
I use GFI MailEssentials for antispam and email security on the front end and for Informations store scanning on the back end.
I have four information stores each in a separate storage group. One of the stores; with 567 users (not well balanced numerically, I admit) has been growing rather rapidly and sporadically the last couple of days. In a given 4 hour period I lost about 1.6GB of space to the edb.
So far, I have checked the following:
SMTP Side:
-There is no NDR looping
-There is no visible spamming
-No open relay
-Normal mailflow
Stores Side:
-no corrupt mail is stuck in a queue
-Exmon shows no user taking up more operations or cpu time than necessary
-when the suspect mailbox store is dismounted, the problem stops momentarily.
Parsing the logs for the storage group holding the information store (collected for the period of increasing databases) using strings.exe (see http://blogs.msdn.com/b/scottos/archive/2007/07/12/rough-and-tough-guide-to-identifying-patterns-in-ese-transaction-log-files.aspx?PageIndex=3#comments) shows some emails occurring the following number of times within the logs collected during the 2 and half hour window:
3716 craiga@supplydirect.net
5583 bradt@supplydirect.net
3229 sales@pps-awb.co.uk
2602 jacheretrade@yahoo.co.uk
1900 mitchell.ackah@mospacka.co
1567 Internal User A
1368 Internal User B
135 Internal User C
All the above have one thing in common, they are suppliers and internal users A and B are supply officers.
Mail tracking shows no mail sent or received between Internal User B and any of the external accounts but 1 email between Internal User C and craiga@supplydirect.net
Questions:
1. What else should I consider after all the above and what step should I take in resolving the issue?
2. Could a corruption in the mailbox store be the cause of this rapidly growing edb file and Exxx.logs?
Notes:
The following have recently occurred: server disk was replaced following drive failure. The server is in a RAID 5 array
The Active Directory FSMO roles were recently moved from server 2003 SP1 physical servers to corresponding server 2008R2 SP1 virtual servers into a VMware vSphere private cloud.
ASKER
Nope.
Craiga is not getting a lot of emails from my exchange organization. He only received 3 emails from us during the period.
Craiga is not getting a lot of emails from my exchange organization. He only received 3 emails from us during the period.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi SreRaj,
I was expecting ExMon to help me zero in on this (highly active user/s) when I used it to open the .etl log collected with perfmon for the activity period.
I will however use your sampling scheme as an alternative. I have started one now and will do so each hour for the next 4 hours.
I will revert with findings.
I was expecting ExMon to help me zero in on this (highly active user/s) when I used it to open the .etl log collected with perfmon for the activity period.
I will however use your sampling scheme as an alternative. I have started one now and will do so each hour for the next 4 hours.
I will revert with findings.
ASKER
Hi SreRaj,
After over 5 hours of monitoring, there has not been any significant changes in the mailbox size or item count for the users (each of whom has a max of 300MB mailbox size configured).
For the day, there has not been any observed changes however in the storage space so I suppose the growth is not occurring now. Only changes I have made on the BE server are to:
Disable basic authentication on the Default Virtual SMTP server
Stop and Disable the POP3 and IMAP4 services 9we do not use these) which were running.
Still Monitoring..
After over 5 hours of monitoring, there has not been any significant changes in the mailbox size or item count for the users (each of whom has a max of 300MB mailbox size configured).
For the day, there has not been any observed changes however in the storage space so I suppose the growth is not occurring now. Only changes I have made on the BE server are to:
Disable basic authentication on the Default Virtual SMTP server
Stop and Disable the POP3 and IMAP4 services 9we do not use these) which were running.
Still Monitoring..
ASKER
The solution was disabling anonymous access on the default smtp server of the exchange 2003 backend server.
Are the mails relevant?