Critical - SBS 2011 quickly losing C Drive space?

This is highly critical - I can only assume that it is a virus.... I have a client with an SBS 2011 box, running Exchange 2010. Something has begun to fill up C Drive hard drive space slowly but steadily. It is down to 4 GB and already they can no longer receive email. I have stopped the email services hoping that will slow it down for now. It runs Symantec Antivirus client and Symantec Mail Security for Exchange. How can I fix this? I'll even pay for a professional to remote in and help me. All help is appreciated.

John, Business Consultant (Owner), commented:
Get Tree Size Pro (Jam Software), install it and run it in Admin Mode. It will give you a sorted list of what is taking space. Look at that and let us know. Candidates for chewing up space are Backups on the hard drives, Shadow Storage, Log Files (especially from Anti Virus software). Find out what is taking the space and then we can help more.
David Atkin, Technical Director, commented:
In addition to John's comments, read the following article on how to reclaim disk space in SBS. The article refers to 2008 but is also valid in 2011:

xav1963 (Author) commented:
just got on site .... server slowly comes up .... down to 3.2 gb free space ... am running disk cleanup just to get some space to work...

Are the Exchange transaction logs saved to C:\? If so make sure your backup program is Exchange-aware (the built-in tool of SBS is), that the backups are 100% successful, and also that you are doing full backups. Only that will prune the exchange transaction.

If the backups aren't successful, check your logs for the reason and remedy that. If your backup tool isn't Exchange-aware, and the backups it makes are successful, set up your Exchange server for circular logging. That will ensure that old logs will be pruned.

Use the disk cleanup wizard, which is part of the desktop experience or themes feature, to clean up your disk. There is a KB you have to install with it (should normally be part of Windows updates, optional) that adds support for Windows updates cleanup in the cleanup wizard.

WSUS will probably also chew up space, but as I don't know much about WSUS, check yourself how you can clean up old files you don't need anymore in the WSUS repository. Probably you can also change the location of WSUS to some other disk/partition.

Delete the contents of C:\Windows\SoftwareDistribution\Downloads.
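
An added example, not part of the original thread: one way to check whether unpruned transaction logs are the space consumer, by listing each mailbox database's last full backup, circular-logging state and log-folder size. It assumes the Exchange 2010 Management Shell on PowerShell 2.0; the 7-day threshold is an arbitrary illustration value.

```powershell
# Added example. Run in the Exchange Management Shell on the Exchange 2010 server.
# Reads only; it changes no Exchange setting and deletes no log file.
$staleDays = 7   # assumed threshold for "no recent full backup"

$report = Get-MailboxDatabase -Status | ForEach-Object {
    $logDir = $_.LogFolderPath.ToString()
    $logs   = @(Get-ChildItem -Path $logDir -Filter '*.log' -ErrorAction SilentlyContinue)

    [long]$bytes = 0
    foreach ($f in $logs) { $bytes += $f.Length }

    $oldestTime = $null
    $oldest = $logs | Sort-Object LastWriteTime | Select-Object -First 1
    if ($oldest) { $oldestTime = $oldest.LastWriteTime }

    New-Object PSObject -Property @{
        Database        = $_.Name
        LogFolder       = $logDir
        CircularLogging = $_.CircularLoggingEnabled
        LastFullBackup  = $_.LastFullBackup      # empty if no full backup has ever completed
        LogFiles        = $logs.Count
        LogGB           = [math]::Round($bytes / 1GB, 2)
        OldestLog       = $oldestTime
    }
}

$report | Sort-Object LogGB -Descending |
    Format-Table Database, CircularLogging, LastFullBackup, LogFiles, LogGB, OldestLog -AutoSize

# Flag databases whose logs cannot be getting truncated: circular logging is off
# and no Exchange-aware full backup has completed within the threshold.
$cutoff = (Get-Date).AddDays(-$staleDays)
$report | Where-Object {
    (-not $_.CircularLogging) -and
    ((-not $_.LastFullBackup) -or ($_.LastFullBackup -lt $cutoff))
} | ForEach-Object {
    Write-Warning ("{0}: no full backup since {1}; {2} log files ({3} GB) in {4}" -f `
        $_.Database, $_.LastFullBackup, $_.LogFiles, $_.LogGB, $_.LogFolder)
}
```

A large log count together with an old or empty LastFullBackup points at the failing backups rather than at malware.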
xav1963 (Author) commented:
ok was able to free some space... I am at 9 gb now... so now can begin to find culprit... backups look unsuccessful for long time... looks like due to issue with shadow copy service .... too late to do anything about that right now ....
installed treesize ... how do you want me to export log?
John, Business Consultant (Owner), commented:
We do not particularly see a log - just the main culprits from Tree Size. You need to review logs to see why backups are not happening. If it helps here, you can post a screenshot of Tree Size list results (not graph).
Fix the issue you have with the backups, then run a full backup and make sure it is successful. That should then free up some space.

Successful backups are always the top priority and that must be the first thing you fix. Always.
xav1963 (Author) commented:
I agree about the backups but if I have a virus, what good would it do me now to backup that?
John, Business Consultant (Owner), commented:
Run your own Anti Virus software and scan followed by a scan with Malwarebytes. That will tell you if you have a virus. More likely the things we mentioned above are the root cause unless you are using your server in such a way that attracts malware and viruses.
xav1963 (Author) commented:
plus my fear is while I try to resolve backup issues, my drive will be getting filled again and be in worse jam ... I will try to work on both at same time... do I need to open up another thread for the windows server backup errors?
John, Business Consultant (Owner), commented:
Stick with this thread here to avoid confusion.  Follow rindi's overall advice on backups above.

Also run Disk Cleanup from time to time.

Do a virus scan and see if it is even an issue.
I prefer creating a backup of the system even if there was a virus on it.

Servers with exchange on it often fill up because of the transaction logs I mentioned, which aren't pruned due to the failing backups, so getting the backup to work could solve your problem, it may not be a virus after all...

Servers also usually don't easily get infected directly, as they aren't used directly by users sitting on the server. It is far more likely that files containing a virus or malware are saved on it, but usually that virus or malware will infect the connected workstations, not the server (of course that doesn't mean you shouldn't have any realtime virus scanner installed on the server).
xav1963 (Author) commented:
understood ... running antivirus right now ... when done will try backup again ... hopefully enough space ...12.8 free of 119GB ....

 Event viewer shows common error for months now - Event ID 8230 - Volume Shadow Copy Service error : Failed resolving account spsearch with status 1376. Check connection to domain controller and VssAccessControl registry key.
Also service SharePoint 2010 VSS Writer will not start..Error 1069 ... due to logon failure....
The log you got shouldn't cause issues according to the link below, but there is a workaround for it (also in that link):
xav1963 (Author) commented:
able to clear up a little more room with treesize ... getting rid of temp files... below is export from program, anywhere else I can cut/move? ...

Also thing ... it seems ever since started running AV scan, been gaining more hard drive space slowly ... so far only 1 cookie found....

C:\      111.4 GB      111.3 GB      199,227       30,004       100.0 %      6/19/2015      6/19/2015      TrustedInstaller
C:\Program Files\      48.1 GB      48.2 GB      81,867       3,617       43.3 %      6/19/2015      6/19/2015      TrustedInstaller
C:\Windows\      24.4 GB      24.5 GB      92,361       22,774       22.0 %      6/19/2015      6/19/2015      TrustedInstaller
C:\WSUS\      10.6 GB      10.6 GB      2       4       9.5 %      6/19/2015      6/19/2015      SYSTEM
C:\System Volume Information\      10.5 GB      10.5 GB      34       14       9.4 %      6/19/2015      6/19/2015      Administrators
C:\inetpub\      9.2 GB      9.2 GB      4,072       77       8.3 %      6/19/2015      6/19/2015      SYSTEM
C:\ProgramData\      4.0 GB      3.8 GB      5,066       632       3.4 %      6/19/2015      6/19/2015      Administrators
C:\Users\      1.8 GB      1.8 GB      10,170       2,059       1.6 %      6/19/2015      6/19/2015      Administrators
C:\Program Files (x86)\      1.2 GB      1.2 GB      5,090       753       1.1 %      6/19/2015      6/19/2015      TrustedInstaller
C:\*.*      1.0 GB      1.0 GB      6       0       0.9 %      6/19/2015      6/19/2015      (Multiple)
C:\Hotfix\      199.1 MB      199.4 MB      102       0       0.2 %      11/11/2011      3/27/2012      SYSTEM
C:\Recovery\      163.6 MB      163.6 MB      2       1       0.1 %      7/13/2009      4/10/2012      SYSTEM
C:\ExchangeSetupLogs\      56.9 MB      57.1 MB      97       1       0.1 %      10/30/2013      10/30/2013      Administrators
C:\Drivers\      47.6 MB      47.8 MB      94       19       0.0 %      3/27/2012      3/27/2012      SYSTEM
C:\Install\      41.5 MB      41.6 MB      42       12       0.0 %      3/27/2012      3/27/2012      SYSTEM
C:\HP_LaserJet_200_color_MFP_M276\      35.3 MB      35.5 MB      105       1       0.0 %      6/19/2013      11/19/2013      Administrators
C:\Config.Msi\      14.9 MB      15.0 MB      67       0       0.0 %      10/30/2013      10/30/2013      Administrators
C:\DELL\      7.0 MB      7.1 MB      45       4       0.0 %      3/27/2012      3/27/2012      SYSTEM
C:\SmsmseSetupLogs\      5.9 MB      5.9 MB      1       0       0.0 %      7/19/2013      7/19/2013      Administrators
C:\$Recycle.Bin\      387 Bytes      12.0 KB      3       3       0.0 %      7/28/2013      7/28/2013      Administrators
C:\usr\      709 Bytes      4.0 KB      1       2       0.0 %      6/19/2015      6/19/2015      SYSTEM
C:\backup\      0 Bytes      0 Bytes      0       1       0.0 %      3/27/2012      3/27/2012      SYSTEM
C:\Documents and Settings\      0 Bytes      0 Bytes      0       0       0.0 %      7/14/2009      7/14/2009      SYSTEM
C:\PerfLogs\      0 Bytes      0 Bytes      0       1       0.0 %      7/13/2009      7/13/2009      Administrators
C:\StorageReports\      0 Bytes      0 Bytes      0       3       0.0 %      4/10/2012      4/10/2012      SYSTEM
C:\TEMP\      0 Bytes      0 Bytes      0       2       0.0 %      2/20/2013      2/20/2013      Administrators
David Atkin, Technical Director, commented:
Firstly, read the article I posted a link to about reclaiming further disk space.  Your inetpub logs could be quite large looking at the info you've given.

Secondly.  Presuming the Sharepoint services are stopped as well?  If so... To fix the Sharepoint VSS Writer login issue you will need to reset the SPFarm and SPsearch account passwords. See here:

You may get a '"job-admin-apppool-change" already exists under the parent' error when trying to reset.  If so follow the instructions here:

Remember to change the Log On As password in Services.

Once complete, re-run the backup.
xav1963 (Author) commented:
not sure how this is happening ... but I went ahead and reset those sp passwords ... all 3 were out of sync ... AV Scan is still running but now I have 27.4 GB free space ... how did that happen?
John, Business Consultant (Owner), commented:
Anything running may have somehow removed old logs (as should have happened originally).
xav1963 (Author) commented:
thanks so far .. willing appreciate the help... but not out of waters yet ... I will test the backup as soon as AV scan done.. almost there ... also want to be sure have all updates and SPs... trying to run windows update ... getting failure... the service "update services" starts but stops after few minutes ... any ideas on this one?
xav1963 (Author) commented:
I must confess in my desperation for HD space this morning, I did follow above advice of "Delete the contents of C:\Windows\SoftwareDistribution\Downloads" and possibly some of those were not installed yet... Could that have affected the updates?
John, Business Consultant (Owner), commented:
Try the two Microsoft links below for update failures.

There may be a FixIt for your server in the second one.
No, if the files there are missing it'll just download them again. So it would only take a little longer.
xav1963 (Author) commented:
ran a small backup of system state only ... still failed with same error code even though I took care of the sp passwords.... the Volume Copy Shadow service constantly is stopping ...error code 2155348129 ... event id 521 ...source :backup ... any ideas?
This seems to be caused by your SQL server. I'd stop the SQL server services, then try the backup again. After that if it goes through, troubleshoot the SQL server problem by checking the Link below:
xav1963 (Author) commented:
Gentlemen... I am at it again... Had gone up to 26 GB free space on Friday, now back down to 13 GB... first priority is getting local backup again...several windows errors ... doing research .. fixing ... getting closer ... still worried why I am losing hard drive space so steadily ... thought it was the remote backup... Concentsus ... had stopped working also recently... so removed that ... but HD space still going down....Still using Treeview but not noticing anything steadily increasing... except typical email... Any other ideas on how to find culprit???
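
An added example, not part of the original thread: a single size listing cannot show which folder is growing, so this script records top-level folder sizes and, on the next run, reports the largest increases since the previous run. The snapshot path `C:\DiskSnap\last.csv` is an assumption, and the code is written for PowerShell 2.0 as shipped with SBS 2011.

```powershell
# Added example. Run from an elevated PowerShell prompt, then again some hours later.
$root    = 'C:\'
$snapCsv = 'C:\DiskSnap\last.csv'   # assumed location for the small snapshot file

function Get-FolderSizes([string]$Path) {
    # One object per top-level folder with the total size of the files below it.
    # Folders that cannot be read (e.g. System Volume Information) report 0 bytes;
    # junctions that can be read are followed, so a few totals may overlap.
    Get-ChildItem -Path $Path -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } | ForEach-Object {
            $dir = $_.FullName
            [long]$sum = 0
            Get-ChildItem -Path $dir -Recurse -Force -ErrorAction SilentlyContinue |
                Where-Object { -not $_.PSIsContainer } |
                ForEach-Object { $sum += $_.Length }
            New-Object PSObject -Property @{ Path = $dir; Bytes = $sum }
        }
}

New-Item -ItemType Directory -Force -Path (Split-Path $snapCsv) | Out-Null
$now = @(Get-FolderSizes $root)

if (Test-Path $snapCsv) {
    # Load the previous snapshot into a lookup table keyed by folder path.
    $prev = @{}
    Import-Csv $snapCsv | ForEach-Object { $prev[$_.Path] = [long]$_.Bytes }

    $now | ForEach-Object {
        [long]$old = 0
        if ($prev.ContainsKey($_.Path)) { $old = $prev[$_.Path] }
        New-Object PSObject -Property @{
            Path    = $_.Path
            NowGB   = [math]::Round($_.Bytes / 1GB, 2)
            DeltaMB = [math]::Round(($_.Bytes - $old) / 1MB, 1)
        }
    } | Sort-Object DeltaMB -Descending |
        Select-Object -First 10 -Property Path, NowGB, DeltaMB |
        Format-Table -AutoSize
}

# Save the current sizes as the baseline for the next run.
$now | Select-Object Path, Bytes | Export-Csv -Path $snapCsv -NoTypeInformation

# Shadow copy storage lives in System Volume Information, which the walk above
# cannot read; vssadmin reports its used and maximum size per volume.
vssadmin list shadowstorage
```

To narrow the result further, set `$root` to the folder with the largest DeltaMB and repeat with a different `$snapCsv`.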
xav1963 (Author) commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for xav1963's comment #a40843989
Assisted answer: 167 points for rindi's comment #a40839191
Assisted answer: 167 points for John Hurst's comment #a40839451
Assisted answer: 166 points for David Atkin's comment #a40839706

for the following reason:

took care of issue initially
Also make sure your backup tool is Exchange-aware. Many online backup tools aren't. If that is the case, then you should enable circular logging on your server.
xav1963 (Author) commented:
helped some...thx..