Solved

Identifying who's pounding the Exchange 2007 server

Posted on 2014-10-20
8
24 Views
Last Modified: 2015-06-28
We recently had an incident where a user deleted gigs of email and wound up with a corrupt mailbox. This, it appears, was the root cause of large mail queue build-ups to the mailbox server. Once we took this user offline the spiking stopped. So we're fairly convinced this was the root cause. The problem: It took some hunches to figure this out. Is there any logging or diagnostic tool in Exchange to see who exactly is pounding the server and causing a denial of service in terms of ability to deliver email to the mailbox server? It is my understanding that RPC requests within a single (or a few) TCP connections are a limited resource on the Exchange MB server. Would there be any means of seeing that, say, 90% of all the RPC requests are related to one particular user? MS support so far has not offered any insight regarding being able to more quickly trouble-shoot this kind of issue in the future.
Screencap-953-Oct.-18-21.30.jpg
0
Question by:amigan_99
8 Comments
 
LVL 32

Expert Comment

by:it_saige
ID: 40393161
Before I started using an external service to filter my emails, I would log requests to port 25 at my router and use that in conjunction with the SMTP logs.

If you are receiving an excessive amount of potentially damaging traffic, it might serve you better in the long run to look into using an external service.

The benefit of this is that I only allow traffic from my filtering service.

-saige-
0
 
LVL 2

Expert Comment

by:Jeff Lewandowski
ID: 40393234
Do you allow the Exchange server to be used as a relay?
0
 
LVL 1

Author Comment

by:amigan_99
ID: 40393263
No - not as a relay. We have CAS servers at the edge which in turn talk to the mailbox server. Based on a hunch we took one user offline and the problems went away. We put him back online and the problems came back. So we know the issue and in fact it's solved for now. But if this happened again in the future we might not know who was pounding the mail server. As I understand it multiple RPC requests within a TCP conversation are sent to the mailbox server from the CAS. Once a finite limit is reached the server can process no more requests. My question is - how do you tell who's making all of those RPC requests? Who's the pig??
0
 
LVL 2

Expert Comment

by:Jeff Lewandowski
ID: 40393276
Try something like Microsoft Exchange Server User Monitor (http://technet.microsoft.com/en-us/library/bb508855%28v=exchg.65%29.aspx) and SolarWinds® Server & Application Monitor (http://www.solarwinds.com/solutions/exchange-server-monitor.aspx).

Also, you can check the logs without any additional software or tools.
0
 
LVL 63

Accepted Solution

by:Simon Butler (Sembee) earned 500 total points
ID: 40393279
Most monitoring tools can detect a heavy user responsible for the bulk of the RPC traffic.
The Exchange Troubleshooting Tool can also flag a single user as well, although that needs to run in real time, rather than getting historic information.

Simon.
0
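One way to see each user's share of store activity without extra tools, as an added example that is not part of the thread: the Exchange Management Shell cmdlet `Get-LogonStatistics` exposes cumulative per-logon operation counters, and sampling them twice shows who generated the most operations in the interval. The function names and the server name `MBX01` are placeholders, and operation counts are used here as a proxy for RPC load, not as a count of RPC requests.

```powershell
# Added example: run in the Exchange Management Shell.
# Get-OperationTotals / Get-RpcTopTalker are hypothetical helper names; "MBX01" is a placeholder.

function Get-OperationTotals {
    param([string]$Server)
    # Sum the cumulative operation counter of every logon, grouped by user.
    $totals = @{}
    foreach ($logon in Get-LogonStatistics -Server $Server) {
        if (-not $logon.UserName) { continue }
        $totals[$logon.UserName] = [long]$totals[$logon.UserName] + [long]$logon.TotalOperationCount
    }
    return $totals
}

function Get-RpcTopTalker {
    param(
        [string]$Server,
        [int]$IntervalSeconds = 60,
        [int]$Top = 10
    )
    # Two snapshots: the difference is the activity during the interval.
    $before = Get-OperationTotals -Server $Server
    Start-Sleep -Seconds $IntervalSeconds
    $after = Get-OperationTotals -Server $Server

    $rows = @()
    $sum = 0
    foreach ($user in $after.Keys) {
        # Counters reset when a session ends, so a reconnecting user can
        # show a lower total in the second snapshot; clamp that to zero.
        $delta = [Math]::Max([long]0, $after[$user] - [long]$before[$user])
        $sum += $delta
        $row = "" | Select-Object User, Operations, SharePct
        $row.User = $user
        $row.Operations = $delta
        $rows += $row
    }
    foreach ($row in $rows) {
        # Share of all operations seen on this server during the interval.
        if ($sum -gt 0) { $row.SharePct = [Math]::Round(100 * $row.Operations / $sum, 1) }
        else { $row.SharePct = 0 }
    }
    $rows | Sort-Object Operations -Descending | Select-Object -First $Top
}

Get-RpcTopTalker -Server "MBX01" -IntervalSeconds 60 | Format-Table -AutoSize
```

A single user holding most of `SharePct` across several consecutive runs is the pattern the question asks about; saving the output of scheduled runs gives the historic view that a real-time tool does not.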
 
LVL 1

Author Comment

by:amigan_99
ID: 40393381
@Jeff It turns out we've been using Microsoft Exchange Server User Monitor. But oddly it revealed no anomaly for the user whose mailbox was causing the problems.  

I use SolarWinds a lot and have some Exchange monitoring. That's how I graphed the queue backups. Are there other Exchange monitors that would get into displaying user-level stats??
0
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40855267
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
