Help my Exchange 2013 server is sending out thousands of spam mails!

April 28, 2015, 2:35 pm

≫ Next: NSF to PST conversion popular Alternatives

≪ Previous: New-MailboxSearch Failing "The simultaneous search limit has been exceeded." DiscoveryMaxConcurrency not working.

Hi all,

today i noticed that my Exchange server was using 100% cpu and memory.I noticed that edgetransport service was using all the resource.

Then i opened queue viewer and saw thousands of mails in the queue.Then then get the annoying message that it cannot show more than 1000 messages.I click ok and stop the refreshing.I could mark all e-mails and choose suspend,but after that it starts to refresh and same annoying message keeps popup (cant display more than 1000 messages)

So i have blocked all incoming port 25 on my TMG and also blocked all trafic out from the mail server.

I than ran the following command on My exchange server : Remove-Message -Server mail01 -filter {status -eq "suspended"} -WithNDR $false

Doesnt seem it helped,since there are still over 1k messages in the queue!

I deleted the queue folder under C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\data\ and it re-created new folder.Still all queue arent removed.

How can i remove all messages in the queue viewer?

I also find it strange why outsiders manage to relay on my server,since i only set allow for couple of internal servers?

Scanned those and no virus there (i dont use those servers to download anything)

any advice please?

Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Thank you! Off2work

↧

NSF to PST conversion popular Alternatives

July 14, 2014, 10:00 am

≫ Next: Exchange 2010 logon statistics with powershell

≪ Previous: Help my Exchange 2013 server is sending out thousands of spam mails!

As per my knowledge we don't have any free NSF to PST conversion tool out in market however i want to know any alternative solution to get the job done by means by scripts or some intelligent mechanism that we as an messaging admin can implement to save cost involved in migrations . Please suggest ?

Aditya Mediratta

↧

Exchange 2010 logon statistics with powershell

August 14, 2014, 4:47 am

≫ Next: Exchange 2013 - Event ID 4999 MS Exchange Common - Watson report about to be sent for process id: 5816

≪ Previous: NSF to PST conversion popular Alternatives

I am trying to get some logon statistics from a Exchange server 2010, I am using the following command,

Get-MailboxServer | Get-LogonStatistics | Select UserName,ClientVersion,LastAccessTime,ServerName, but it returns this, 3587.0.32963.1, as a version number.

I have read that it is af bug in Exchange 2010. Does anyone have a workaround?

↧

Exchange 2013 - Event ID 4999 MS Exchange Common - Watson report about to be sent for process id: 5816

September 30, 2014, 11:43 am

≫ Next: Removing rights to a mailbox via powershell issues

≪ Previous: Exchange 2010 logon statistics with powershell

Hi,

We have a single Exchange 2013 server and are getting this error many times in a day. I haven't been able to find a solution and was wondering if anyone came across this error or have any suggestions.

Edition : Standard
AdminDisplayVersion : Version 15.0 (Build 913.22)

Watson report about to be sent for process id: 5816, with parameters: E12IIS, c-RTL-AMD64, 15.00.0913.022, M.Exchange.Imap4, M.Exchange.Net, M.E.N.NetworkConnection.BeginNegotiateTlsAsClient, System.InvalidOperationException, 99a4, 15.00.0913.007.
ErrorReportingEnabled: True

Thanks

Amit

↧

Removing rights to a mailbox via powershell issues

April 23, 2015, 11:34 am

≫ Next: SiteFolderServer Mystery

≪ Previous: Exchange 2013 - Event ID 4999 MS Exchange Common - Watson report about to be sent for process id: 5816

I am trying to remove 2 rights to a mailbox via powershell. the command I am running doesn't seem to work though.

There are 2 service accounts that seem to have a deny setting on the mailbox; as shown in the screenshot. user column is inDomain\User format.

I am trying to remove these because I believe it is causing an integration issue between Cisco Unified messaging and outlook. (New voicemails do not show up in the inbox for this one user, even though tests from Cisco UM are ok.)

Running this command doesn't seem to remove the entries I need:

remove-MailboxPermission -Identity <USER ALIAS> -User<SERVICE ACCOUNT> -AccessRights FullAccess -InheritanceType all

↧

SiteFolderServer Mystery

April 29, 2015, 2:34 am

≫ Next: health probe - not running and trying to see why?

≪ Previous: Removing rights to a mailbox via powershell issues

Thesitefoldersever value is very important in Exchange 2003, especially in coexistence environment within Exchange 2003/2007/2010.

As you may know, there is big change in Exchange 2003 to Exchange 2007/2010 that the OAB, free/busy information retrieve methods are different. Depending on different

-Outlook 2003/Exchange 2003: Outlook Clients retrieve the OAB, Free/Busy Information directly from Public Folder. They check thesitefoldersever value on the AG so that they know which pubic folder they are going to access.

-Outlook 2003/Exchange 2007: The same mechanism as above.

-Outlook 2007/Exchange 2003: The same mechanism as above.

-Outlook 2007/Exchange 2007: OAB files store on a physical folder on the CAS Server (Generated from MBX server) and Free/Busy files are retrieved by EWS service.

In summary, if there is no 2003 version, including both Exchange and Outlook, you can safely ignore thesitefoldersever attribute and this will not cause issues even if they are not set correctly.

However, if you have 2003 version in your environment and the user report that his OAB or Free/Busy does not work, you need to check this value and see if it set to the correct public folder database. You can refer to the following steps to verify thesitefoldersever value. The sample is on an Exchange 2007 test machine and this also applies to Exchange 2003.

Use ADSI EDIT tool to make the site folder server of Exchange 2007 Administrative Group point to the Exchange 2007 public folder store.

a. Install Windows Support Tool which located in the windows server CD:\ Support\tools\suptools.msi on your Domain Controller server.

b. Run the Adsiedit.msc from a command prompt.

c. Expand Configuraiton->Configuraiton,DC=Domain,DC=com->CN=Services->CN=Microsoft Exchange->CN=White Construction->CN=Administrative Groups->CN=Exchange Administrative Group (FYDIBOHF23SPDLT)->CN=Servers->CN=exchangeserver2->CN=InformationStore->CN=Public Folder Data. Following is a screenshot in my lab environment for your reference.

d. Right click “CN=Public Folder Database” and click “Properties”. Find the attribute “distinguishedName”, double click it and copy its value to a notepad.

e. Back to “CN=Exchange Administrative Group (FYDIBOHF23SPDLT)”. Right click it and click “Properties”. Find the attribute “siteFolderServer”. Double click it and paste the “distingushedName” that we got in step d into it. Click “OK” to save it.

f. Click “CN=First Administrative Group”, right click it and select “Properties”. Double click the “siteFolderServer” attribute and paste the value of “distinguishedname” we got in step d into it.

g. Expand CN=Configuration,DC=Doman,DC=com->CN=Services->CN=Microsoft Exchange->CN=White Construction->CN=Address Lists Container->CN=Offline Address Lists. In the right panel, right click “Default Offline Address List” and click “Properties”.

h. Find the attribute“siteFolderServer”. Double click it and pasted the value of “distinguishedname” we got in step d into it. Click “OK”.

Please click to vote if the post helps you. This can be beneficial to other community members reading the thread.

↧

health probe - not running and trying to see why?

April 23, 2015, 6:36 am

≫ Next: OWA Shows No Distribution Groups

≪ Previous: SiteFolderServer Mystery

Hi,

Im trying to fix our exchange server 2013 (patched upto and including CU8)

when I run the following command

get-healthreport -server servername | where {$_.alertvalue -ne “healthy”} | ft -auto

Server State HealthSet AlertValue LastTransitionTime MonitorCount
------ ----- --------- ---------- ------------------ ------------
xxNotApplicable Compliance Unhealthy 23/04/2015 14:01:26 29
xxNotApplicable MailboxTransport Unhealthy 23/04/2015 13:21:35 25
xxNotApplicable Outlook Unhealthy 23/04/2015 13:57:21 3

when i run the next command to get a list of the monitors that are unhealthy

$test = get-healthreport -server servername | where {$_.alertvalue -ne “healthy”}
foreach ($line in $test) {$line.entries | where {$_.alertvalue -ne “healthy”} | ft -auto}

it shows me that the following monitor is unhealthy in the outlook healthset

Server State Name TargetResource HealthSetName AlertValue ServerComponent
------ ----- ---- -------------- ------------- ---------- ---------------
xx NotApplicable OutlookRpcCtpMonitor Outlook Unhealthy None

From this I found that the probe is OutlookRpcCtpMonitor, so I then tried to invoke the probe

invoke-monitoringprobe -identity Outlook\OutlookRpcCtpProbe -server xx

that returns the following error..

WARNING: Failed to find the probe result for invoke now request id 2610659f96e64e62b4c71d1f61f65d5e and probe
workdefinition id 198.

I have restarted the server, recycled the MSExchangeSyncAppPool. Not sure what else to try so that can fix the unhealthy set within exchange.

Kind regards

Simon

↧

OWA Shows No Distribution Groups

April 29, 2015, 12:41 pm

≫ Next: OAB Genration Failed

≪ Previous: health probe - not running and trying to see why?

I'm trying to get the "MyDistributionGroups" role working so owners of groups can add and remove members of their group. I created a new group, set a handful of users as owners, and enabled the "MyDistributionGroups" role as part of the policy that applies to the owner mailboxes. However, when I sign in as one of the owners, I go into the options, then Groups, and it says "There are no items to show in this view." Have I missed something?

↧

OAB Genration Failed

April 1, 2015, 1:20 am

≫ Next: FrontEndTransport\OnPremisesInboundProxyMonitor Unhealthy

≪ Previous: OWA Shows No Distribution Groups

Hello, I have an Single multiple child domain controller scenario. Everything was working fine till day before, clients started reporting that they ain't recieving updated OAB in outlook. After some research in Exchange server OAB folder we found that folders OAB folder exists with its sub folders (a long GUID) but we were not able to see the same folders under IIS-->OAB virtual directory. Wwe have then manualy tried updating the OAB which gave an error below....                                                                                                                                                                                                                                                      " Generation of OAB "\Global_OAB" failed. Dn: CN=Global_OAB,CN=Offline Address Lists,CN=Address Lists Container,CN=Vedanta Exchange Org,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=vedantaresource,DC=local
ObjectGuid: 932afc69-0712-4992-a9bd-57df6c0e02f5
Stats: S:OAB='\Global_OAB';I64:Status=2147500037;Dt:StartTime=2015-04-01T06:15:23.8692958Z;Dt:EndTime=0001-01-01T00:00:00.0000000;S:DC=;I32:Total.Records=0;I32:Total.TempFiles=0;Ti:TimeWritingFiles=00:00:00;S:Org=vedantaresource.local;S:Wasted=False;I32:Total.RecordsAddedChurn=0;I32:Total.RecordsDeletedChurn=0;I32:Total.RecordsModifiedChurn=0;I32:MailboxDownload.FS.BytesRead=6211212;I32:MailboxDownload.FS.BytesWritten=6211212;Ti:MailboxDownload.FS.Reading.ElapsedTime=00:00:00.3238458;Ti:MailboxDownload.FS.Writing.ElapsedTime=00:00:00.1273409;Ti:PrepareFilesForOABGeneration.DownloadFilesFromMailbox.StoreRpcLatency=00:00:01.7970000;I32:PrepareFilesForOABGeneration.DownloadFilesFromMailbox.StoreRpcCount=1067;Ti:PrepareFilesForOABGeneration.DownloadFilesFromMailbox.CpuTime=00:00:03.1718750;Ti:PrepareFilesForOABGeneration.DownloadFilesFromMailbox.ElapsedTime=00:00:05.4275814;Ti:PrepareFilesForOABGeneration.CpuTime=00:00:03.1718750;Ti:PrepareFilesForOABGeneration.ElapsedTime=00:00:05.4277854;Ti:Total.CpuTime=00:00:03.1718750;Ti:Total.ElapsedTime=00:00:05.4278649;;
S:Exp=System.UnauthorizedAccessException: Access to the path is denied.
   at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
   at System.IO.File.InternalMove(String sourceFileName, String destFileName, Boolean checkHost)
   at Microsoft.Exchange.MailboxAssistants.Assistants.OABGenerator.OABGenerator.SafeFileReplace(String sourceFile, String destinationFile)
   at Microsoft.Exchange.MailboxAssistants.Assistants.OABGenerator.OABGenerator.DownloadFilesFromMailbox(MailboxSession mailboxSession)
   at Microsoft.Exchange.MailboxAssistants.Assistants.OABGenerator.OABGenerator.PrepareFilesForOABGeneration(AssistantTaskContext assistantTaskContext)
   at Microsoft.Exchange.MailboxAssistants.Assistants.OABGenerator.OABGeneratorAssistant.<>c__DisplayClassc.<ProcessAssistantStep>b__8()
   at Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(TryDelegate tryDelegate, FilterDelegate filterDelegate, CatchDelegate catchDelegate)
   at Microsoft.Exchange.MailboxAssistants.Assistants.OABGenerator.OABGeneratorAssistant.ProcessAssistantStep(AssistantTaskContext assistantTaskContext) "                                                                                                                                                                                                                                                                                                                                                                          We do not understand why the problem has caused all of a sudden. Requesting help in this regards.

Neilesh

↧

FrontEndTransport\OnPremisesInboundProxyMonitor Unhealthy

April 28, 2015, 2:15 am

≫ Next: FfoSystemProbe Warning 1006 on Exchange 2013 cu 7

≪ Previous: OAB Genration Failed

We have three sites running EX2010 with MBX,Hub and CAS at all three. One site is internet facing via TMG2010.

We have now deployed EX2013 and all appears to be working OK, however we are receiving health report issues with the CAS at all three sites.

The FrontEndTransport reports as failed but I am unable to see why. We also get an error under the InvokeNowResult that implies that the OnPremisesInboundProxyMonitor could not be found.

Any help much appreciated!

Event4 (ManagedAvailability)

HealthSet FrontendTransport
   Subject The client submission probe failed 3 times over 15 minutes.
    Message The client submission probe failed 3 times over 15 minutes. Probe Exception: '' Failure Context: '' Execution Context: '' Probe Result Name: '' Probe Result Type: '' Monitor Total Value: '0' Monitor Total Sample Count: '0' Monitor Total Failed Count: '0' Monitor Poisoned Count: '0' Monitor First Alert Observed Time: '15/04/2015 02:18:36'
    Monitor OnPremisesSmtpClientSubmissionMonitor

Event 2006 (InvokeNowResult)

State None
Result Failed
ErrorMessage
Could not find assembly or object type associated with monitor identity 'FrontEndTransport\OnPremisesInboundProxyMonitor'. Please ensure that the given monitor identity exists on the server.

↧

FfoSystemProbe Warning 1006 on Exchange 2013 cu 7

December 23, 2014, 10:01 am

≫ Next: Lock down Exchange 2013 ECP to internal access only

≪ Previous: FrontEndTransport\OnPremisesInboundProxyMonitor Unhealthy

I can't find much online about this with websearch.

Log Name:      Application
Source:        FfoSystemProbe
Date:          12/23/2014 10:05:53 AM
Event ID:      1006
Task Category: General
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      myserver.mydomain.local
Description:
System Probe configuration. The logging directory was not specified in the registry and system probe will not be enabled on this server.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
    <Provider Name="FfoSystemProbe" />
    <EventID Qualifiers="32768">1006</EventID>
    <Level>3</Level>
    <Task>1</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-12-23T17:05:53.000000000Z" />
    <EventRecordID>10531</EventRecordID>
    <Channel>Application</Channel>
    <Computer>myserver.mydomain.local</Computer>
    <Security />
</System>
<EventData>
</EventData>
</Event>

A quick registry search does find a key:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\FfoSystemProbe]
"EventMessageFile"="C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\Microsoft.Exchange.SystemProbeMsg.dll"
"CategoryMessageFile"="C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\Microsoft.Exchange.SystemProbeMsg.dll"
"TypesSupported"=dword:00000007
"CategoryCount"=dword:00000001

A quick look at the Bin folder under Exchange installation shows the dll file exists and permissions on it seem to match similar files in the same folder.

Duplicate registry entries exist also with identical subkeys:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\EventLog\Application\FfoSystemProbe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\FfoSystemProbe

↧

Lock down Exchange 2013 ECP to internal access only

April 4, 2013, 6:05 am

≫ Next: Journal mailbox, archiving and "Client submission probe" emails

≪ Previous: FfoSystemProbe Warning 1006 on Exchange 2013 cu 7

I'm concerned about the ECP on Exchange 2013 being accessible from the outside world. Is there a preferred method of disabling access to ECP from the outside while still allowing OWA and everything else?

Vincent Sprague

↧

Journal mailbox, archiving and "Client submission probe" emails

April 29, 2015, 3:29 pm

≫ Next: -1018 There is a checksum error on a database page.

≪ Previous: Lock down Exchange 2013 ECP to internal access only

My company does db level journaling which causes all of "Client submission probe" emails to be journaled. We use Symantec Enterprise Vault to archive all the emails as soon as they arrive in journaling mailbox. I am testing various solutions to prevent these emails from being archived and would like to know what other people have done to address this issue. I've read a few solutions and none of them we can fully implement. 1 - we can't turn off these probe emails due to IT policy, 2 - I can't create a "hard delete" rule as it's only a client side rule, 3 - I have created a rule to move them to Deleted item but those don't empty manually and I don't like have scheduled tasks running when it comes to mailbox management (create a PS script to autoempty the Deleted Items after a period of time). I am considering creating a transport rule that will block those emails from ever arriving at the journaling mailbox but I am yet to test this.

How have you addressed this problem?

PS. I created a transport rule but I don't think it's able to catch messages that are placed into the journaling mailbox.

↧

-1018 There is a checksum error on a database page.

April 30, 2015, 8:41 am

≫ Next: Deleting Exchange Log Files

≪ Previous: Journal mailbox, archiving and "Client submission probe" emails

Our backup exec 2014 software is giving us this error when doing a GRT resotre. Backup of the DB runs fine with no errors, however a GRT generates this message which, according to MS, there is a checksum error in the database.

this is a brand new server (win 2012 standard r2) with a new install of exchange 2013. exchange 2007 server is working fine.

thanks in advance for any ideas

↧

Deleting Exchange Log Files

April 30, 2015, 5:41 am

≫ Next: Replaced Cert now Outlook giving error.

≪ Previous: -1018 There is a checksum error on a database page.

Hello,

I have a client who has over 100 GB of log files. Turns out circular logging wasn't enabled. Wanted to know if there are any repercussions to deleting older log files now that circular logging is enabled.

Thanks In Advance,

↧

Replaced Cert now Outlook giving error.

April 29, 2015, 1:17 pm

≫ Next: Event ID 3028 MSExchangeApplicationLogic

≪ Previous: Deleting Exchange Log Files

Our existing SAN Cert expired so I bought and installed a new one from godaddy. The old Cert had SAN Names for the internal name of the server I'll say server.internal.local. The new ICANN rules persuaded me to not include the internal name of the server on the replacement Cert and only use publicly accessible names, I'll say mail.public.org.

Now our Outlook Clients in our internal network are throwing an error at startup saying:

There is a problem with the proxy server's security certificate. The name on the security certificate is invalid or does not match the name of the target site server.internal.local.

Outlook is unable to connect to the proxy server. (Error Code 10)

I looked at the settings of the Outlook email Account and sure enough under the Exchange Proxy Settings, the Use this URL... and the Only connect to... are showing server.internal.local.

I followed the instructions here: http://www.msexchange.org/articles-tutorials/exchange-server-2013/management-administration/managing-certificates-exchange-server-2013-part1.html

Which led me through creating a split brain DNS zone so the internal clients will find the server using the public name that matches the cert and also (theoretically) modifying the autodiscover so the clients will look for the server at the new address.

Apparently, I'm missing something because even when configuring a new Outlook profile I still get the certificate error and the proxy settings are still being set to the old internal name and I am unable to change them.

To further complicate things, this environment has a SBS2011 that Exchange has been mostly migrated to the new Exchange 2013 machine but Exchange has not been decommissioned from it yet. I'll call it OLDSERVER. I did go into Sites and Services and delete the Autodiscover serviceconnection point for OLDSERVER thinking it would simplify the issue. No Bueno.

↧

Event ID 3028 MSExchangeApplicationLogic

November 3, 2014, 1:16 am

≫ Next: how will I get to know when the mailbox has been deleted

≪ Previous: Replaced Cert now Outlook giving error.

Hi,

I have a problem where Event ID 3028 Source MSExchangeApplicationLogic is beeing logged every 6 hours with 4 same type of events. Here is the log:

Scenario: ProcessKillBit. Failed to read killbit list file because of exception System.IO.IOException: The process cannot access the file 'C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\owa\prem\15.0.995.29\ext\killbit\killbit.xml' because it is being used by another process.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share)
at System.IO.File.Open(String path, FileMode mode, FileAccess access, FileShare share)
at Microsoft.Exchange.Data.ApplicationLogic.Extension.KillBitHelper.TryReadKillBitFile(Int32& refreshRate, DateTime& lastModifiedTime)

The environment is single virtual MS Exchange 2013 server running on Windows 2012 R2. DC is running on a separate server.

I can't seem to find any articles or blogs relating to this issue.

Thanks for any help.

↧

how will I get to know when the mailbox has been deleted

April 30, 2015, 12:14 pm

≫ Next: Mailbox not visible in EMC

≪ Previous: Event ID 3028 MSExchangeApplicationLogic

hi There,

Is there any idea how will I get to know when or by whom one particular "mailbox or the mail contact" has been deleted from the exchange server?

Do we need to enable the audit to ensure the events are captured? if yes what type of audit has to be enabled? how it is to be done? what are the pre-requsites and dis-advantages?

↧

Mailbox not visible in EMC

April 27, 2015, 12:27 am

≫ Next: Exchange 2013 The Microsoft Exchange Diagnostics .

≪ Previous: how will I get to know when the mailbox has been deleted

Hello.

I have a mailbox that is moved from exchange 2010 to Exchange 2013 using Cmdlet Move-mailbox. After moving the mailbox is not visible in the EMC in Exchange 2013. However, it appears using Get-Mailbox cmdlet.
Any ideas on why it does not appear in EMC?

Thanks.

↧

Exchange 2013 The Microsoft Exchange Diagnostics .

April 30, 2015, 7:31 pm

≫ Next: DR Exchange 2013 ECP will redirect to OWA

≪ Previous: Mailbox not visible in EMC

Exchange 2013, CU6,

Passive database in DR site faced the Service down because of network issue and was automatically recovered by Exchange self diagnostics.

I rememeber that it needs to be manually take service-up in Exchange 2010, EMC in that case.

What is the functionality of Microsoft Exchange Diagnostics?

Event logs

Microsoft Exchange Diagnostics service terminated unexpectedly, restart service

↧