June 7, 2012

Quarantined mailboxes in Exchange 2010

There is a new feature in Exchange 2010 that will quarantine any mailbox that can potentially crash the Information store.

This is identified by a SCOM (monitoring) alert for event ID: 10018
When the offending mailbox has been reset and is no longer in quarantine, event ID 10019 will be present.

This means that Exchange has detected a problematic mailbox (possibly corrupt) and has quarantined it before it crashes the information store.

The cause can be either:
·         A thread that is doing work for a mailbox has crashed.
·         More than 5 threads allocated to process a mailbox, have not progressed for long time.

The following two conditions define a poison mailbox:
A registry entry of CrashCount that has a value of 3 must exist.
A registry entry of LastCrashTime that has a value of FILETIME < (current FILETIME + 6 hours) must exist.
What will happen:
·         Event ID 10018 will be logged in the application logs

Log Name: Application
Source: MSExchangeIS
Event ID: 10018
Task Category: General
Level: Error
Description: The mailbox for user /o=AMERICAS/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=test1 has been quarantined. Access to this mailbox will be restricted to administrative logons for the next 6 hours.

·         A regkey will be present on the residing server
HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeIS\<Server Name>\Private-{db guid}\QuarantinedMailboxes\{mailbox guid}

What will happen?
Exchange will quarantine that mailbox for 6 hours from the last crash time reported for that mailbox.
User will get errors when trying to open outlook or OWA, stating that it can not open the folders. You also won’t be able to perform a mailbox move request on that mailbox.

User/s will state that they are unable to access email via Outlook, OWA and blackberry or iphone/pad. Errors will include:
"Unable to open your default e-mail folders. The attempt to log onto Microsoft Exchange has failed"
"A problem occurred while you were trying to use your mailbox"

1: Receive SCOM alert about Event ID 10018 

2: To identify of any quarantined mailboxes. In Powershell type,
Test-MAPIConnectivity | ? {$_.result -eq"fail"} | ft

3: To identify from the event log if the GUID/mailbox is still in a quarantined state. In Powershell type:
Get-MailboxStatistics –identity <GUID or username> | FL Isquarantined
Isquarantined : True (a quarantined mailbox will give this result)

(NB: to convert the Mailbox GUID to username, refer to: http://exchangegloves.blogspot.com/2012/06/convert-guid-to-user-name.html )

4: Open Perfmon and look for this counter (this value should always be at 0):
MSExchangeIS Mailbox
Quarantined Mailbox Count

1: The cause of the poison mailbox must be identified and corrected. Once this is accomplished, to gain access to the mailbox immediatly, the registry key for the quarantined mailbox should be reset manually by deleting it. 

HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeIS\<Server Name>\Private-{db guid}\QuarantinedMailboxes\{mailbox guid}

NB: The database hosting the mailbox needs to be remounted, or the Exchange store restarted, for the reset of the quarantined mailbox to take effect.
2: Run New-MailboxRepairRequest in Exchange Powershell on the corrupt mailbox.



No comments:

Post a Comment