Exchange 2000 Problem - Page 3

Thread: Exchange 2000 Problem

  1. #21
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    Sorry. I knew where the badmail was stored, but I was referring to this comment.

    "\Edit there are some utils that could attempt to restore the info store depending on your time and the data worth saving. "

    What utils are there to attempt a restore on the info store if it is messed up?
    N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)

  2. #22
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    Originally posted here by CXGJarrod
    I will try the badmail folder. As I like to keep the options open, can you point me in the right direction Road Closed? The data is worth saving. They were complaining because all of their calendar info is in Exchange. It is probably worth it to them.
    If the databases are corrupted, you will probably still be able to start Exchange services.
    The problem would arise when trying to mount the databases.

    MDBDATA\priv.edb is the private information store database
    MDBDATA\priv.stm is the private information store database index
    keep both together

    If this is what you were talking about...??

    the pub.edb and pub.stm are the public folder information

    If you want to do a corruption check on the databases, check out ESEUTIL
    If you want to run this tool, get some beer and a comfy chair...can take hours
    Also remember ESEUTIL will require free disk space = to the size of the information store to
    run correctly.

  3. #23
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    Doh! Sorry... Try the backup, I am looking for them. To my knowledge a successful exchange backup will verify the integrity of the data store? You understand that backing up exchange verifies and writes the logs to the actual database? It is much more than just backing up data. It's also a database manager.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  4. #24
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    Originally posted here by RoadClosed
    Doh! Sorry... Try the backup, I am looking for them. To my knowledge a successful exchange backup will verify the integrity of the data store? You understand that backing up exchange verifies and writes the logs to the actual database? It is much more than just backing up data. It's also a database manager.
    Ok. As we don't have exchange here at work and so I am not an exchange admin (just trying to help out the friend) I should try something like this correct?

    http://support.microsoft.com/default...192185&sd=tech

    I should try wiping out the Badmail, (if this does not work) then the ESEUTIL backup and defragment (if this does not work), then SP3 and finally burn the server/chuck it out the window? (if this does not work) Or reinstall? This is going to cost him a lot of beer.
    N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)

  5. #25
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    CXG:

    Couple of things bother me about this scenario.....

    1. RDP is Terminal Services with a new name... . I manage my mailserver all the time through terminal services and I can read mail and everything through TS. So if the M: drive isn't there, then it isn't mounting or it isn't mounting properly. Just to be sure I fired up the VPN and WinXP RDP'ed to it.... The M: drive is sat there fat, dumb and happy.

    2. You say that it only has a 2G store but you say you have 650Mb of smtp logs... How long has this server been up and have you ever just archived them. I get about 2-6Mb a day with a store that is almost 12G. There are logs for over a year zipped up and there are the plain text files from 04/01/04 totalling 322Mb. So if your logs are that big with such a small store I would look at the logs more carefully.... Is it being used as a spam server? OTOH, do you have a spam filter prior to the Exchange server there... If not then the logs may be bigger... I know my spam server stops 50ish% of mail from reaching my exchange server.... But it's a thought. Unless knowledge of what mail went where and when I would suggest that you delete them once they are older than a couple of months. There's not a lot of point keeping them after that unless it is important to be able to confirm or deny the send or receipt of mail at the server level.

    One final note that is most probably unrelated but it's worth a mention and a question.....

    Did anyone, anywhere experience Exchange 2000 issues this weekend..... here's the suspicious fart coming out in me..... We had issues related to the SCSI array on our exchange server this weekend, (sunday specifically), that brought down the store and required 2 cold reboots to have it come back up..... The array checked out as good after the second reboot and all the drives tested good per the manufacturer's testing software..... The event logs indicate that the array failed but the smtp server continued to run until it could no longer delay writes to the array at which point, (presumably at the arrival of the next mail), it flushed the delayed write cache, wrote the "data is lost" message to the event log and continued to accept SMTP mail for a second time... It was noticed by one of my employees when he arrived at 6:30am today.... I see it as "odd"..... Since OWA operates off this server it is open to the public network..... I don't like odd...... Anyone else seeing _odd_ things on Exchange 2000 servers this weekend?
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  6. #26
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    Delete the bad mail but run the backup first before ESE. Run ESE only if that fails. Look at the backup log windows spits out and if there are no errors then it's most likely not an information store issue. I am hoping it starts after those steps.

    //EDIT Tiger my firewall was HOT, I mean real HOT all weekend. I don't use OWA but I think something was going on. I only have port 25 open so I am not a normal target outside mail, so something was out there?
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  7. #27
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    Originally posted here by Tiger Shark
    CXG:

    Couple of things bother me about this scenario.....

    1. RDP is Terminal Services with a new name... . I manage my mailserver all the time through terminal services and I can read mail and everything through TS. So if the M: drive isn't there, then it isn't mounting or it isn't mounting properly. Just to be sure I fired up the VPN and WinXP RDP'ed to it.... The M: drive is sat there fat, dumb and happy.

    2. You say that it only has a 2G store but you say you have 650Mb of smtp logs... How long has this server been up and have you ever just archived them. I get about 2-6Mb a day with a store that is almost 12G. There are logs for over a year zipped up and there are the plain text files from 04/01/04 totalling 322Mb. So if your logs are that big with such a small store I would look at the logs more carefully.... Is it being used as a spam server? OTOH, do you have a spam filter prior to the Exchange server there... If not then the logs may be bigger... I know my spam server stops 50ish% of mail from reaching my exchange server.... But it's a thought. Unless knowledge of what mail went where and when I would suggest that you delete them once they are older than a couple of months. There's not a lot of point keeping them after that unless it is important to be able to confirm or deny the send or receipt of mail at the server level.

    One final note that is most probably unrelated but it's worth a mention and a question.....

    Did anyone, anywhere experience Exchange 2000 issues this weekend..... here's the suspicious fart coming out in me..... We had issues related to the SCSI array on our exchange server this weekend, (sunday specifically), that brought down the store and required 2 cold reboots to have it come back up..... The array checked out as good after the second reboot and all the drives tested good per the manufacturer's testing software..... The event logs indicate that the array failed but the smtp server continued to run until it could no longer delay writes to the array at which point, (presumably at the arrival of the next mail), it flushed the delayed write cache, wrote the "data is lost" message to the event log and continued to accept SMTP mail for a second time... It was noticed by one of my employees when he arrived at 6:30am today.... I see it as "odd"..... Since OWA operates off this server it is open to the public network..... I don't like odd...... Anyone else seeing _odd_ things on Exchange 2000 servers this weekend?
    All the issues with this system started sometime this weekend.

    2) It was a guess on the log files, but it puts out 1 18.9MB log file (just SMTP logging) each day. I thought that was a bit big, but as I said I am not an exchange admin and didn't know what was big. I am not sure how big the database store is, but the drive it is located on has 30GB free.

    Gotta get going out there, but I will check up on this thread once I get out there.
    N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)

  8. #28
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    That smtp log will tell you a lot. In addition in event viewer, event ids 1706 - 1707 - 1708 are most likely compromised signs. You must have smtp logging turned on to get them.

    Good luck, I'll drink one for ya.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  9. #29
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    but it puts out 1 18.9MB log file (just SMTP logging) each day.
    This is plain SMTPSVC logging... right? That's a _TON_ on a daily basis!!!

    My logging under M$ Basic logging captures 5, but sometimes 6, transactions per email, (HELO, MAIL FROM, RCPT TO, DATA, QUIT). If you are capturing the data too then I would suggest that unless there is a need, turn that off.... You're just causing your own problems in disk space alone.... Forget to clean it for a week or three and watch the server drop on you....

    Outside what I am saying listen to RoadClosed.... He has a better grip of the server itself than I do.... I have an employee manage it.... He's much better at it than I am......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  10. #30
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    Looks like the spammers have gotten back in. Over 8000 messages in the D:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue and almost 20,000 objects in the badmail folder. This might take a while.

    Moving the messages out of the queue for further analysis, but I believe that we just saved 8000 people from learning how to increase the size of their package. Now I just need to find out how they are getting in. I ran some open relay tests a while ago and they came up negative.

    Edit: Ok. Now this is looking like a paying job. He wants to set up some security and kick this spammer's @ss. Where is a good place to start looking for this spammer?

    Edit2: The server was back up after clearing the badmail and queue
    N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)
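
Added example, not part of any post in this thread: a first pass over the SMTP logs discussed above, counting SMTP verbs per client IP so the hosts responsible for an oversized daily log stand out. It assumes the log is in W3C Extended format with the `c-ip` and `cs-method` fields enabled and treats every row as an inbound client command; the sample lines and the `min_rcpt` threshold are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample, not taken from the thread. Addresses are documentation ranges.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-query sc-status
2004-06-14 02:10:01 192.0.2.10 HELO +mail.example.org 250
2004-06-14 02:10:01 192.0.2.10 MAIL +FROM:<alice@example.org> 250
2004-06-14 02:10:02 192.0.2.10 RCPT +TO:<bob@example.com> 250
2004-06-14 02:10:02 192.0.2.10 DATA - 250
2004-06-14 02:10:03 192.0.2.10 QUIT - 221
2004-06-14 02:11:00 198.51.100.7 HELO +x 250
2004-06-14 02:11:00 198.51.100.7 MAIL +FROM:<> 250
2004-06-14 02:11:01 198.51.100.7 RCPT +TO:<a@example.net> 250
2004-06-14 02:11:01 198.51.100.7 RCPT +TO:<b@example.net> 250
2004-06-14 02:11:01 198.51.100.7 RCPT +TO:<c@example.net> 250
2004-06-14 02:11:02 198.51.100.7 RCPT +TO:<d@example.net> 250
2004-06-14 02:11:02 198.51.100.7 DATA - 250
#Fields: date time c-ip cs-method sc-status
2004-06-14 02:12:00 198.51.100.7 RCPT 250
"""

def summarize(lines):
    """Return {client_ip: Counter of SMTP verbs} from W3C Extended log lines."""
    fields, per_ip = [], defaultdict(Counter)
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the header can repeat with a new layout
            continue
        if not line or line.startswith("#") or not fields:
            continue  # other directives, blanks, or rows before any header
        row = dict(zip(fields, line.split()))
        if "c-ip" in row and "cs-method" in row:
            per_ip[row["c-ip"]][row["cs-method"].upper()] += 1
    return per_ip

def heavy_senders(per_ip, min_rcpt=5):
    """Client IPs ranked by RCPT count, keeping those at or above min_rcpt."""
    ranked = sorted(per_ip.items(), key=lambda kv: kv[1]["RCPT"], reverse=True)
    return [(ip, c["MAIL"], c["RCPT"]) for ip, c in ranked if c["RCPT"] >= min_rcpt]

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG.splitlines())
    for ip, mails, rcpts in heavy_senders(stats):
        print(f"{ip}: {mails} MAIL, {rcpts} RCPT")
```

On a real server, pass the open log file to `summarize` in place of the sample and raise `min_rcpt` to a level that fits normal traffic for that site.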
