Solved

Identifying who's pounding the Exchange 2007 server

Posted on 2014-10-20
Medium Priority
31 Views
Last Modified: 2015-06-28
We recently had an incident where a user deleted gigs of email and wound up with a corrupt mailbox. This, it appears, was the root cause of large mail queue build-ups to the mailbox server. Once we took this user offline the spiking stopped. So we're fairly convinced this was the root cause. The problem: It took some hunches to figure this out. Is there any logging or diagnostic tool in Exchange to see who exactly is pounding the server and causing a denial of service in terms of ability to deliver email to the mailbox server? It is my understanding that RPC requests within a single (or a few) TCP connections are a limited resource on the Exchange MB server. Would there be any means of seeing that, say, 90% of all the RPC requests are related to one particular user? MS support so far has not offered any insight regarding being able to more quickly troubleshoot this kind of issue in the future.
Question by:amigan_99
8 Comments
 
LVL 34

Expert Comment

by:it_saige
ID: 40393161
Before I started using an external service to filter my emails, I would log requests to port 25 at my router and use that in conjunction with the SMTP logs.

If you are receiving an excessive amount of potentially damaging traffic, it might serve you better in the long run to look into using an external service.

The benefit of this is that I only allow traffic from my filtering service.

-saige-
0
 
LVL 2

Expert Comment

by:Jeff Lewandowski
ID: 40393234
Do you allow the Exchange server to be used as a relay?
0
 
LVL 1

Author Comment

by:amigan_99
ID: 40393263
No - not as a relay. We have CAS servers at the edge which in turn talk to the mailbox server. Based on a hunch we took one user offline and the problems went away. We put him back online and the problems came back. So we know the issue and in fact it's solved for now. But if this happened again in the future we might not know who was pounding the mail server. As I understand it multiple RPC requests within a TCP conversation are sent to the mailbox server from the CAS. Once a finite limit is reached the server can process no more requests. My question is - how do you tell who's making all of those RPC requests? Who's the pig??
0
 
LVL 2

Expert Comment

by:Jeff Lewandowski
ID: 40393276
Try something like Microsoft Exchange Server User Monitor (http://technet.microsoft.com/en-us/library/bb508855%28v=exchg.65%29.aspx) and SolarWinds® Server & Application Monitor (http://www.solarwinds.com/solutions/exchange-server-monitor.aspx).

Also, you can check the logs without any additional software or tools.
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 2000 total points
ID: 40393279
Most monitoring tools can detect a heavy user responsible for the bulk of the RPC traffic.
The Exchange Troubleshooting Tool can also flag a single user as well, although that needs to run in real time, rather than getting historic information.

Simon.
0
 
LVL 1

Author Comment

by:amigan_99
ID: 40393381
@Jeff It turns out we've been using Microsoft Exchange Server User Monitor. But oddly it revealed no anomaly for the user whose mailbox was causing the problems.  

I use Solar Winds a lot and have some Exchange monitoring. That's how I graphed the queue backups. Are there other Exchange monitors that would get into displaying user level stats??
0
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 40855267
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
