Thursday, July 12, 2012

How to Enable Logging for RPC Client Access Throttling in Exchange 2010

Throttling is a resource protection feature introduced with Exchange 2010.  It is designed to prevent a single user or groups of users from consuming all the Exchange resources and causing a denial of service (DoS) attack.

Users will see various warnings and errors in Outlook when RPC throttling occurs.  Two of the most common warnings and errors in Outlook are shown below:

Unable to open your default e-mail folders. The Microsoft Exchange Server computer is not available. Either there are network problems or the Microsoft Exchange Server computer is down for maintenance.

Unable to expand the folder. The set of folders could not be opened.

By default RPC throttling is not logged anywhere, which makes it very difficult to troubleshoot.  Without logging you normally need to load up all the Perfmon counters and watching them increment.  This does nothing to tell you who is being throttled, though.

You can enable logging for RPC throttling by configuring the Microsoft.Exchange.RpcClientAccess.Service.exe.config file.  This file is located in the \Program Files\Microsoft\Exchange Server\V14\Bin folder on the Client Access Servers.

Open the config file in Notepad and edit the LoggingTag tag key to add the Throttling value as follows:

<add key="LoggingTag" value="ConnectDisconnect, Logon, Failures, ApplicationData, Warnings, Throttling" />


Save the Microsoft.Exchange.RpcClientAccess.Service.exe.config file and restart the Microsoft Exchange RPC Client Access service on the CAS.  This needs to be done on all CAS servers.

Meaningful RPC throttling events are then logged in the \Program Files\Microsoft\Exchange Server\V14\Logging\RPC Client Access folder.  Open the latest log file to search for RPC throttling events.  They usually include the term "exceeded":
2012-06-26T17:32:23.301Z,19,0,/o=theguillets/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Jeff Guillet,,OUTLOOK.EXE,14.0.6117.5001,Cached,192.168.1.5,192.168.1.30,ncacn_http,,Connect,2614 (rpc::MaxConnectionsExceeded),00:00:00,"SID=S-1-5-21-117020884-2285600563-2343042490-1113, Flags=None; Connection Limit Exceeded",RpcDispatch:

You can adjust throttling using client throttling policies.  Throttling policies are groups of settings that are used to control how much resources that a user or connection can use in an Exchange organization. Throttling polices can only be used against users that are using Exchange 2010 servers. They do not apply to previous versions of Exchange.  See the TechNet article Understanding Client Throttling Policies (http://technet.microsoft.com/en-us/library/dd297964) for more information.
12:19 PM