Messaging by Chris Crandall on Dec 2013

ExBPA and ExTRA Results

I wanted to put together a list of common alerts from ExBPA, and ExTRA in one location. I have provided my customer with tons of health checks and though the information in the tools are great sometimes I find that more information is needed for additional knowledge of the problem and more importantly how to resolve the issue and any side effects with making changes. I will continue to add to this list but here is a good starting point.

ExBPA

Critical: MaxPageSize

The maximum LDAP page size for the default query is set too high and may cause performance problems. The default of 1000 is recommended. Current value: 10000.

Description

The Lightweight Directory Access Protocol (LDAP) administrative limits balance Active Directory operational capabilities and performance. These limits prevent specific operations from adversely affecting the performance of the server. The limits also make the server resilient to denial of service attacks. Increasing this setting beyond its default value could have an adverse impact on your Active Directory infrastructure. 

Resolution:

Using Ntdsutil.exe, change the LDAP policy Set MaxPage Size to 1000. 

Reference:

How to view and set LDAP policy in Active Directory by using Ntdsutil.exe

http://support.microsoft.com/?kbid=315071

MaxPageSize is set too high

http://www.microsoft.com/technet/prodtechnol/exchange/Analyzer/ef05b737-0a94-49ab-8deb-5acf91865531.mspx?mfr=true

How to view and set LDAP policy in Active Directory by using Ntdsutil.exe

http://support.microsoft.com/?kbid=315071

http://searchwinit.techtarget.com/tip/0,289483,sid1_gci1265206,00.html#

Warning: Policy change required

The Active Directory forest functionality level has been raised. A modification to the system policies is required to avoid automatic re-homing of new mailboxes. 

Description:

This warning indicates that the Active Directory forest has been prepared for Windows Server 2003. To avoid e-mail address stamping issues when the forest is upgraded to Windows Server 2003 full functionality level, a modification to the recipient policies is required. The affected recipient policy is specified in the Exchange Server Analyzer output.

If Windows Server 2003 is used as a domain controller and the recipient policy is not updated, linked value replication in Windows Server 2003 causes the Recipient Update Service to incorrectly write the e-mail addresses of new users. The first time the Recipient Update Service sees the user, it may be between the time that mailnickname replicates and the time that homeMDB replicates, due to linked value replication. Therefore, the user would fall under the default policy at that time, instead of under the homeMDB-based policy. A few minutes later, when homeMDB replicates, the user would fall under their homeMDB policy. However, the user already would have addresses that match the default policy.

Resolution:

  1. Open Exchange System Manager.
  2. Expand Recipients, select Recipient Policies, right-click RecipientPolicyName, and then click Properties.
  3. On the RecipientPolicyName Properties page, on the General tab, under Filter rules, click Modify.
  4. On the Find Exchange Recipients menu, select Custom Search. If the recipient policy was originally created by a custom search, the Find Custom Search page is displayed after you click Modify in step 3.
  5. Change the Lightweight Directory Access Protocol (LDAP) query so that the homeMdb attribute is not used as part of the filter condition. Attributes such as extensionAttribute, msExchHomeServerName, or UPN are valid arguments that may help you achieve the same search result.
  6. Click OK to save the change, and then close Exchange System Manager.

Reference:

Search filter change is required for Recipient Policy

http://technet.microsoft.com/en-us/library/aa996257.aspx

Recipient Update Service may overwrite the value of the homeMDB attribute for new Exchange Server 2003 users

http://support.microsoft.com/?kbid=903291

Warning: Multiple Exchange domain containers present

Active Directory domain is prepared for Exchange but there are multiple ‘Microsoft Exchange System Objects’ containers in existence. Manual removal of the duplicate containers may be necessary. Containers found:

Description:

This issue may occur in Exchange Server environments in which:

  • A 2-way Active Directory Connector (ADC) server Connection Agreement from Active Directory to Exchange Server 5.5 was deleted and replaced.
  • A new 1-way ADC server Connection Agreement from Exchange Server 5.5 to Active Directory is in place.
  • A mixed-mode environment running Exchange Server 5.5 was migrated to an Exchange Server 2003 environment.
  • A migration to Exchange Server 2003 from a foreign mail server has been performed.

When the Exchange Server Analyzer displays this error, you must delete the incorrect duplicate Microsoft Exchange System Objects container or organizational unit (OU). When a duplicate Microsoft Exchange System Objects container exists, you cannot solve the problem by running DomainPrep again. You must identify and delete the incorrect duplicate Microsoft Exchange System Objects container.

Resolution:

  1. Log on to the domain controller with administrative credentials.
  2. Click Start, click Programs, click Administrative Tools and then click Active Directory Users and Computers.
  3. In the Active Directory Users and Computers management console pane, click View from the toolbar menu and select Advanced Features.
  4. In the Active Directory Users and Computers management console pane, locate the incorrect, duplicate Microsoft Exchange System Objects container or organizational unit (OU).
  5. Verify the incorrect, duplicate Microsoft Exchange System Objects container or OU does not contain valid Active Directory objects.
  6. Right-click the incorrect, duplicate Microsoft Exchange System Objects container or OU and then click Delete.
  7. Confirm the deletion by clicking Yes in the Active Directory dialog box.

Reference:

Duplicate Microsoft Exchange System Objects container exists in Active Directory

http://technet.microsoft.com/en-us/library/aa998138.aspx

Warning: ‘MSGINA.DLL’ driver update is available

The version of ‘MSGINA.DLL’ installed on the server can cause working sets to be improperly trimmed when Terminal Services is used.

Description:

 

When you use Terminal Services to log on to or to log off from a computer that is running Microsoft Windows Server 2003, the sizes of the working sets of all the processes in the console session may be trimmed to the sizes just after the computer started up. This reduction in the sizes of the working sets may be temporary. The reduction occurs whether the computer is a workgroup computer, a member server, or a domain controller.

 

As the working sets are trimmed, data in memory may be written to the page file. This behavior increases disk activity. Eventually, you may receive a “Virtual memory minimum too low” error message.

 

Resolution:

 

There is a hotfix available but I would only recommend it if the symptoms are present.  Windows Server 2003 SP2 contains the updated version of MSGINA.DLL

 

Reference:

 

MSGINA.DLL driver update available

http://technet.microsoft.com/en-us/library/a3a12275-2ee2-4ca8-87d7-cea79dc90e40.aspx

 

The sizes of the working sets of all the processes in a console session may be trimmed when you use Terminal Services to log on to or log off from a computer that is running Windows Server 2003

http://support.microsoft.com/?kbid=905865

 

 

Informational: SMTP server accepts basic authentication

 

 SMTP instance ‘Default SMTP Virtual Server’ on the server is configured to allow basic authentication.

 

Description:

 

If basic authentication is configured on the SMTP server, the risk of a security breach increases. Basic authentication allows user names and passwords to be sent across the network in clear text. Without encryption, user names and passwords can be easily intercepted on the Internet.

 

If you use basic authentication, it is strongly recommended that you also use Transport Layer Security (TLS) encryption for more security. TLS encrypts user names, passwords, and message data. You can require that clients who are connecting to the SMTP virtual server use TLS encryption. TLS is designed to help protect outgoing messages, but TLS does not help protect traffic that travels from clients to the server.

 

Resolution:

 

Remove the Basic authentication (password is sent in clear text) form the SMTP virtual server on all back-end servers, under the access tab.

 

Reference:

 

Exchange Server Transport and Routing Guide

<http://www.microsoft.com/technet/prodtechnol/exchange/Guides/E2k3TransnRouting/52b1df56-0437-47a6-bb66-043f110962c6.mspx?mfr=true>

 

SMTP server accepts basic authentication

http://www.microsoft.com/technet/prodtechnol/exchange/Analyzer/616ab191-c5c1-49ab-9262-6e850e14e678.mspx?mfr=true

 

 

ExBPA Reports for Mailbox Servers

 

Warning: Storage driver is more than two years old

 

Storage driver file  on server is more than two years old. Check with your vendor to find out if a newer version is available. Installed driver details:

Description:

 

The Storage driver is more than two years old. An old Storage driver can lead to poor performance and/or unexpected failure. When dealing with a hardware issue, most vendors require the hardware to be at the most recent version before troubleshooting the hardware issue.

 

Resolution:

 

Contact the hardware vendor for the next version of the Storage driver.

 

 

Warning: Storage driver is more than two years old

 

Storage driver file for on server is more than two years old. Check with your vendor to find out if a newer version is available. Installed driver details:

 Description:

 

The Storage driver is more than two years old. An old Storage driver can lead to poor performance and/or unexpected failure. When dealing with a hardware issue, most vendors require the hardware to be at the most recent version before troubleshooting the hardware issue.

 

Resolution:

 

Contact the hardware vendor for the next version of the Storage driver.

 

 

Warning: Storage driver is more than two years old

 

Storage driver file on server is more than two years old. Check with your vendor to find out if a newer version is available. Installed driver details

 

Description:

 

The Storage driver is more than two years old. An old Storage driver can lead to poor performance and/or unexpected failure. When dealing with a hardware issue, most vendors require the hardware to be at the most recent version before troubleshooting the hardware issue.

 

Resolution:

 

Contact the hardware vendor for the next version of the Storage driver.

 

Informational: Remove IMF from the mailbox servers

 

Since inbound mail is filtered for SPAM through the DMZand the front-end server having IMF installed on the mailbox servers causes additional load and is not needed.

 

Description:

 

Exchange Intelligent Message Filter provides advanced server-side message filtering designed to combat the influx of unsolicited commercial e-mail, also known as spam or junk e-mail. Exchange Intelligent Message Filter requires Exchange Server 2003. When used in combination with Microsoft Office Outlook 2003, it helps to significantly reduce the volume of spam users receive.

In a typical Exchange Server 2003 topology, e-mail servers that are configured to send and receive Internet-based e-mail are usually deployed at or near the Internet inside data centers. These e-mail servers (known as gateway servers), accept incoming Internet e-mail messages and forward these messages to the appropriate mailbox server. Exchange Intelligent Message Filter is installed on the Exchange Server 2003 gateway servers to filter incoming Internet e-mail messages before they are sent to a user’s inbox.

 

If you use a non-Microsoft e-mail server as your Internet gateway server, you can install Exchange Intelligent Message Filter on a server that is running Exchange Server 2003 and is configured as a bridgehead server that accepts incoming Internet e-mail messages from your gateway servers.

 

Having IMF on the mailbox servers increases the load without providing additional benefit to the environment. Since all inbound email messages pass through the front-end servers, which have IMF enabled, there is no need to have IMF installed on the mailbox servers.

 

Resolution:

 

  1. Logon to Exchange System Manager
  2. Navigate to the Property page of the Default SMTP Virtual Server
  3. In the properties window navigate to General tab > Advanced > Edit
  4. Uncheck Apply Sender ID Filter and Apply Intelligent Message Filter

 

Reference:

 

Exchange Intelligent Message Filter Overview

http://www.microsoft.com/technet/prodtechnol/exchange/downloads/2003/imf/overview.mspx

 

Exchange Intelligent Message Filter

http://technet.microsoft.com/en-us/exchange/bb288484.aspx

 

Microsoft Exchange Server Intelligent Message Filter v2 Operations Guide

http://technet.microsoft.com/en-us/library/aa996624.aspx

 

Using Microsoft Exchange Intelligent Message Filter

http://www.msexchange.org/tutorials/microsoft-exchange-intelligent-message-filter.html

 

Exchange Intelligent Message Filter Overview

http://www.microsoft.com/technet/prodtechnol/exchange/downloads/2003/imf/overview.mspx

 

Microsoft Exchange Server Intelligent Message Filter v2 Operations Guide

http://www.microsoft.com/downloads/details.aspx?familyid=B1218D8C-E8B3-48FB-9208-6F75707870C2&displaylang=en

 

 

Informational: Enable automatic updates for message filter

 

 Automatic updates for the Intelligent Message Filter is not enabled.

 

Description:

 

The Intelligent Message Filter feature is installed with Microsoft Exchange Server 2003 Service Pack 2 (SP2). You must manually enable Intelligent Message Filter to obtain the benefits of this new message filtering technology.

 

Spam Confidence Level (SCL) is a rating system that is beneficial when evaluating the sending domain and determining the actions taken on the specific domain based on the SCL score. The SCL rating will be update through windows update or WSUS.

 

Resolution:

 

Creating the registry key named ContentFilter under HKEY_LOCAL_MACHINESoftwareMicrosoftExchangeHKEY_LOCAL_MACHINESoftwareMicrosoftExchange

 

Reference:

 

The “Microsoft Exchange Server Intelligent Message Filter v2 Operations Guide” is now available

http://support.microsoft.com/kb/907747

 

Microsoft Exchange Server Intelligent Message Filter v2 Operations Guide

http://www.microsoft.com/downloads/details.aspx?familyid=B1218D8C-E8B3-48FB-9208-6F75707870C2&displaylang=en

 

Warning:  Database set to zero pages

 

Databases in storage group ‘First Storage Group’ on server are set to zero pages during backup. While this can improve security, it will affect server performance during backup.

 

Description:

 

The setting that enables the overwriting of deleted records/long values with zeros during backup. This is a process known as zeroing out. You can control the zeroing out of database pages at the storage group level. Each storage group can have a different policy for zeroing out deleted database pages.

 

Resolution:

 

  1. Open Exchange System Manager.
  2. Expand Servers, and then expand the server you want to modify.
  3. Right-click the storage group that you want to change, and then click Properties.
  4. In the Properties dialog box, select or clear the Zero Out Deleted Database Pages check box as needed. Selecting the check box enables zeroing out and clearing the check box disables zeroing out.
  5. Click OK to save the setting.
  6. Close Exchange System Manager, and then restart the Microsoft Exchange Information Store service for the change to take effect.

 

Reference:

 

Databases in this storage group are set to zero pages during backup

http://technet.microsoft.com/en-us/library/aa996097.aspx

 

 

Informational: Single global catalog server in topology

 

There is only one global catalog server in the Directory Service Access (DSAccess) topology on the server. This configuration does not provide fault-tolerance.

 

Description:

 

For fault tolerance, it is a best practice to have at least two global catalog servers available to service Exchange Servers and users. A single global catalog server represents a single point of failure. Exchange Server 2003 depends on global catalog servers for a variety of functions. If a global catalog server is not available, mail delivery can become slow or stop completely. In addition, if a global catalog server is not available, Exchange Server services may not start. If Exchange Server services do not start, users cannot access their mailboxes.

 

For scalability and for fault tolerance, it is recommended that you configure at least two global catalog servers in each Active Directory service site. If a site spans multiple domains, it is recommended that you configure a global catalog for each domain where Exchange Server 2003 computers and clients reside.

 

Resolution:

 

Install another Global Catalog server in the site. This allows fault tolerance and better performance from Exchange and Active Directory.

 

Reference:

 

Exchange Considerations for Promoting a Domain Controller to a Global Catalog Server

<http://go.microsoft.com/fwlink/?linkid=3052&kbid=304403>

 

Exchange Server-Related Considerations for Demoting a Global Catalog Server to a Domain Controller

<http://go.microsoft.com/fwlink/?linkid=3052&kbid=305065>

 

Exchange Server 2003 Active Directory Integration

<http://www.microsoft.com/technet/prodtechnol/exchange/2003/insider/adintegration.mspx>