Exchange server memory settings

Our Exchange server has been locking up lately, not terribly often so it isn’t the end of the world, but it obviously should not be happening at all. I eventually noticed an error in the event log that only shows up after a reboot so I didn’t notice it right away. We are running Exchange 2003 on a Server 2003 (32bit) box with 4 gigs of RAM. Hopefully upgrading this year…

Source: MSExchangeIS

Event ID: 9665

The memory settings for this server are not optimal for Exchange.

Then it links to the first article at the bottom of this post. Not being one who likes to jump right into registry settings on a server I first downloaded the best practices analyzer for Exchange and ran that to see if anything other issues came up and to see if it would be a little more helpful with what specific things I should look at for the memory problem.

The issues it found relating to memory utilization were:

• ‘SystemPages’ set too high
• ‘HeapDeCommitFreeBlockThreshold’ not set
• ‘SystemPages’ setting – this second entry actually recommends the value to set it at to be zero.
• USERVA is set incorrectly

The SystemPages setting was recommended to be set to zero in the BPA so I did that right away seeing as how it looked to be the easiest fix. The next two things I tried were adding the /3GB and /USERVA=3030 switches to the boot.ini file. Now right off the bat I didn’t think it worked properly because after hitting OK it showed 3030 being a separate OS entry even though I know I put it all on one line. I didn’t want to make all the registry changes at the same time in case I broke something so I held off on doing anything else. I rebooted the machine over night but still saw event 9665 in the log. Here is what the boot.ini file looked like after adding the switches:

[Boot Loader]
Timeout=30
Default=multi(0)disk(0)rdisk(0)partition(2)\WINNT
[Operating Systems]
multi(0)disk(0)rdisk(0)partition(2)\WINNT=”Microsoft Windows Server 2003″ /fastdetect /NoExecute=OptOut /3GB /Userva=3030

I googled the USERVA switch and came across a couple forums talking about them (the last 2 bullets) and they both said to replace the /NoExecute switch with /Execute. I did some research before making the change to see if it would really matter. I have a gist of what /noexecute does but do not fully understand the pros/cons of using it or not using it. So to test it out I swapped out the switches and right away noticed that 3030 was not listed in the drop down as an OS. That makes me think the switches are set properly.

I have yet to restart the Exchange server to test these changes. I am debating whether to do it tonight again or wait until Friday. It makes me cringe a little when I make changes that require reboots on the servers during the week. There is always that fear of them not coming back up properly. I think I will wait until Friday and report back – but I have a feeling this will work.

Update: After rebooting over the long weekend I came in today and ran the BPA again. All of the errors mentioned above were fixed. /win

Sources:

• How to optimize memory usage in Exchange Server 2003 (KB815372)
• Exchange best practices analyzer
• SystemPages set too high
• How to Set the HeapDeCommitFreeBlockThreshold Registry Value (technet)
• Using the /Userva switch on Windows Server 2003-based computers that are running Exchange Server (KB810371)
• USERVA is set incorrectly
• 3GB switch how to

The case of the disappearing user from Outlook’s global address list

I couldn’t think of a snappier title 😦

My posts are becoming less frequent, how sad.  That is not for lack of issues I’ve come across, that’s for sure.

The most recent annoying issue isn’t a major problem, but something that I haven’t been able to really figure out for awhile.  We have a specific user who kept disappearing from a couple of mail-enabled groups when looking at them through Outlook’s address book.  If I tried to add her to the group, by editing it in Outlook itself, it would say I didn’t have the proper permissions to edit the members – which is not correct, I checked that.  So I went to the server to look.  We don’t have our address books set up through exchange, they’re all mail-enabled groups in AD.

I kept going to the server to look at what groups she was a member of.  What threw me off was that she was still listed as being a member of the group that she wasn’t showing up in when you looked in Outlook.  I ended up removing her from the group and re-adding her, just to see that she was then removed from another group.  Finally, today I looked at all the other user’s profiles to see what groups they were in and noticed that their primary group was Domain Users and this was not a group that the mysterious disappearing user was apart of.  So I added her to the Domain Users group and made it her primary group.  Voila! She magically appears in both mail-enabled groups in Outlook and will now receive all emails to both groups.

At least I know what was causing the problem, but I would like to know why having a mail-enabled group as the primary takes her out of the address book.  I couldn’t find any answers to that online.

Exchange 2003 and RBLs

We have a spam filter in place that I really do like.  It’s intuitive, has nice reports I can pull, and is easy to look at.  After I came into this job I noticed we were still getting more spam than we probably should.  It was getting sent to the quarantine folder, which is what was supposed to happen, but I felt like we shouldn’t have been getting the vast majority of the spam to begin with because the sources were on RBLs.  There is a setting in Sunbelt Email Security to enable RBLs but  if you have a perimeter network setup like we do there is no place to enter the IPs of the servers the mail passes through before hitting the mail server – the RBLs will not work.

The spam filter was working well enough, but well enough isn’t good enough for me when I know it can work better.  It was suggested that I install Exchange server in edge transport mode on the SMTP gateway/firewall and then install another copy of our spam filter on there to only handle the RBL portion of spam blocking.  But that didn’t seem like the best idea to me and my boss wasn’t sure if the licensing agreements we have would even allow that.  I didn’t like the idea of duplicating all of that and teaching myself to set up another version of exchange that would risk breaking mail for everyone here since I don’t have a test server to work on.

Originally I wanted to find out how to stop our firewall/SMTP gateway from stamping its IP address in the headers so that connection filtering would actually work in Email Security.  But endless hours of research did not find anything that worked.  I wanted to use Email Security because of the reports I could pull to find out where the spam was coming from and who it was going to, etc.  I finally gave in and came across information online about how Exchange 2003 has connection filtering.

Configure connection filtering in Exchange 2003

1. Open Exchange System Manager -> Global Settings -> right-click Message Delivery -> Properties.
2. The General tab is where you can add to the perimeter IP list if you have that type of network setup.
   
3. Connection Filtering tab -> under Block List Service Configuration click Add.  Add any blacklists to this list that you want to use.  I’m using Spamhaus and Spamcop.
   
4. I left all other settings as default.  But you could change the error message that a person receives when attempting to send email to you if they are on a blacklist.  See the source at the bottom for directions on how to do that.

Enable connection filtering on the virtual SMTP server

1. Open Exchange System Manager -> Administrative Groups -> your domain -> Servers -> (server name) -> Protocols -> SMTP -> right-click on the virtual server you want to apply connection filtering to and go to properties.
2. On the General tab click advanced, then edit and check the box for Apply Connection Filter.  Once you Hit OK on all the boxes and get back to Exchange System Manager you need to restart the virtual server you applied the filter to before it will take affect.  To do that you just right-click the virtual server and choose to stop the server and then do that again to start it.

Immediately after restarting the virtual server I was getting notifications for emails getting bounced because their source was on the blacklists I provided.  I had to disable the notifications so I wouldn’t get flooded, but it’s worth it.  Just in one day we’ve gone from 416 emails deleted or quarantined to 74.

Source: http://support.microsoft.com/kb/823866