Solved

Identifying who's pounding the Exchange 2007 server

Posted on 2014-10-20
Last Modified: 2015-06-28
We recently had an incident where a user deleted gigs of email and wound up with a corrupt mailbox. This, it appears, was the root cause of large mail queue build-ups to the mailbox server. Once we took this user offline the spiking stopped. So we're fairly convinced this was the root cause. The problem: It took some hunches to figure this out. Is there any logging or diagnostic tool in Exchange to see who exactly is pounding the server and causing a denial of service in terms of ability to deliver email to the mailbox server? It is my understanding that RPC requests within a single (or a few) TCP connections are a limited resource on the Exchange MB server. Would there be any means of seeing that, say, 90% of all the RPC requests are related to one particular user? MS support so far has not offered any insight regarding being able to more quickly troubleshoot this kind of issue in the future.
Question by:amigan_99
8 Comments
 
LVL 33

Expert Comment

by:it_saige
ID: 40393161
Before I started using an external service to filter my emails, I would log requests to port 25 at my router and use that in conjunction with the SMTP logs.

If you are receiving an excessive amount of potentially damaging traffic, it might serve you better in the long run to look into using an external service.

The benefit of this is that I only allow traffic from my filtering service.

-saige-
0
 
LVL 2

Expert Comment

by:Jeff Lewandowski
ID: 40393234
Do you allow the Exchange server to be used as a relay?
0
 
LVL 1

Author Comment

by:amigan_99
ID: 40393263
No - not as a relay. We have CAS servers at the edge which in turn talk to the mailbox server. Based on a hunch we took one user offline and the problems went away. We put him back online and the problems came back. So we know the issue and in fact it's solved for now. But if this happened again in the future we might not know who was pounding the mail server. As I understand it, multiple RPC requests within a TCP conversation are sent to the mailbox server from the CAS. Once a finite limit is reached the server can process no more requests. My question is - how do you tell who's making all of those RPC requests? Who's the pig??
0
 
LVL 2

Expert Comment

by:Jeff Lewandowski
ID: 40393276
Try something like Microsoft Exchange Server User Monitor (http://technet.microsoft.com/en-us/library/bb508855%28v=exchg.65%29.aspx) and SolarWinds® Server & Application Monitor (http://www.solarwinds.com/solutions/exchange-server-monitor.aspx).

Also, you can check the logs without any additional software or tools.
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 40393279
Most monitoring tools can detect a heavy user responsible for the bulk of the RPC traffic.
The Exchange Troubleshooting Tool can also flag a single user as well, although that needs to run in real time, rather than getting historic information.

Simon.
0
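The question asks how to see that one user accounts for, say, 90% of the RPC requests, and the answer above notes that real-time tools give no historic view. As an added example (not from this thread or from any of the tools named), the Python below compares two snapshots of cumulative per-user operation counters and ranks users by their share of the work done in between; the `user,ops` CSV layout and all sample rows are constructed assumptions, not the export format of any particular monitor.

```python
import csv
import io

# Constructed sample data: two exports of cumulative per-user operation
# counters taken a few minutes apart. Column names are hypothetical.
SNAPSHOT_T0 = """user,ops
alice,12000
bob,800
carol,45000
"""
SNAPSHOT_T1 = """user,ops
alice,12450
bob,150
carol,52000
dave,400
"""

def load(text):
    """Parse one snapshot into {user: cumulative_ops}."""
    return {row["user"]: int(row["ops"]) for row in csv.DictReader(io.StringIO(text))}

def rpc_share(before, after):
    """Return [(user, delta_ops, share)] for the interval, busiest first."""
    deltas = {}
    for user, now in after.items():
        prev = before.get(user, 0)  # user not seen before: all ops are new
        # A counter lower than before means the session was re-established
        # and restarted from zero, so the whole current value is new work.
        deltas[user] = now - prev if now >= prev else now
    total = sum(deltas.values())
    ranked = sorted(deltas.items(), key=lambda kv: kv[1], reverse=True)
    return [(u, d, d / total if total else 0.0) for u, d in ranked]

def dominant_user(ranked, threshold=0.9):
    """Name the user whose share meets the threshold, or None."""
    if ranked and ranked[0][2] >= threshold:
        return ranked[0][0]
    return None

if __name__ == "__main__":
    ranked = rpc_share(load(SNAPSHOT_T0), load(SNAPSHOT_T1))
    for user, delta, share in ranked:
        print(f"{user:<8}{delta:>8}{share:>8.1%}")
    print("dominant:", dominant_user(ranked, threshold=0.8))
```

Working on deltas rather than raw totals keeps a long-lived but idle session from masking the user who is generating the load right now.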
 
LVL 1

Author Comment

by:amigan_99
ID: 40393381
@Jeff It turns out we've been using Microsoft Exchange Server User Monitor. But oddly it revealed no anomaly for the user whose mailbox was causing the problems.  

I use SolarWinds a lot and have some Exchange monitoring. That's how I graphed the queue backups. Are there other Exchange monitors that would get into displaying user-level stats??
0
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40855267
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
