Hi, I'm administering an Exchange 2007 server which has (in the past few days) started acting up. In the Exchange Server Performance Monitor, I see that the RPC Averaged Latency is at 100% and not moving (everything else seems normal). The Windows server seems to be running OK (RAM is fully used by Exchange and the CPU is around 30%, both normal). In the Exchange user Monitor, I see that one user has 20 times the number of Operations of anyone else (and slowly climbing). Also his session count is higher than that of other users, again, this is slowly rising, this one user accounts for over 99% of CPU usage (of Exchange usage, not the server CPU). I've checked what this user is doing and I can't seem do find a thing out of the ordinary. He uses Outlook 2003 and a mobile phone to check email, nothing seems wrong with either. I've checked if he's using Google Desktop search, nope. I check logons in the Exchange Shell, there are quite a few, but only 4 of them have a ClientIPAddress. This leads me to believe that Exchange is not closing his sessions for some reason. The Exchange Troubleshooting assistant is also telling me that there is 'Unusually user activity exhibited by 'TheUser'', but in the related Technet article, I'm not really finding anything very useful. One thought was that maybe someone had hacked his account, but I also changed his password and restarted Exchange – nothing. I've disabled his WebMail access, POP3 and IMAP4, Unified Messaging is disabled, as is ActiveSync (only thing enabled of the Mailbox Features is MAPI). So far, no change. Any ideas on what else I could try? For not I have to restart the Information Store service at least once a day :(

1. If it's only this one user, try to disable an Outlook add-ins and test. 2. Try Outlook in safe mode and as user to use like this and you monitor using exmon. 3. Ask user if they can use OWA and close Outlook and see. 4. Rebuild his OST if working in offline mode 5. Try a different PCSukh

Thank you for the reply. I've just turned off Outlook at his computer - nothing changes, his session count in the User Monitor remains high, as does his Operations count and CPU %. The most troubling is his max. and avg. server latency which is off the charts. He can access OWA with no problems at all. Ok, I've now disconnected his PC from the network - nothing. In the Management Shell I see his sessions are all up and running, even though there is no IP associated with any of them. Seems like this is not a local problem (so a different PC shouldn't change anything) but a problem with Exchange itself. Any other thoughts?

Check for any delegates for his accounts . If you dismount and mount the Db the sessions are killed , if not you are checking the wrong mailbox, check the user for any rules, forwarding add-ins. you cna also create his profile on another machine and check the sessions after shutting down his PC temprarily.( may be network card issue) Also Increase diagnostics logging for more info,

Agan, thanks for the help. I tried dismounting and mounting the DB - the sessions were all killed, so the mailbox is correct. As soon as I mounted the DB the user jumped back to using over 90% of the CPU, again having the highest latency, very high bytes in and bytes out. There is only one single rule which everyone has (adds 'spam' or some such to the subject of certain messages). No forwarding, no add-ins. Disconnecting his machine did nothing. There are two things which I'll do (if I don't think of anything else). First, the Exchange server is still at SP2 not SP3, so I'll upgrade. The worst-case scenario is to create a new user, transfer his mailbox and delete the existing user... Though I really don't want it to come to that.

I had a similar issue but it was of network card . initiallly we had TCP chimney which used to be very unstable and use to shoot up the messaging ops. the issue was clear when we disabled Tthis feature on the network card. I suspect that you try and change the network card settinsg or better shut down the prblematic machine after clearing the sessions and try the outlook profile on another system and check the issue .. shoudl help

Can't really say if it's this one user that's affecting the entire server to bog down like that even if he's pounding it or has some corrupt looping\bug issue. His sessions could be be active from other services such as BES even after you disconnected his PC from the network. What you can do if you really want to isolate this user is to disable his mailbox then observe. Then re-attach his mailbox to his user account. Before doing this, you want to document any email attributes as they get lost after disabling such as x500 addresses etc.James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

or create a new database for this one user and monitor the performance to be sure it is this user. Least this way there wont be an impact to your others users. Also bear in mind that you'll have to squeeze in some backups for this database if required.Sukh

Sync my Exchange Microsoft Server Administration Operating Optimal Detecter my Blog sites space weblog website webgate webaz weblong gateway net Starup Upgrade Switch Profile netMohamadrezaRezaee Parasteshnews Network All Right Reserved Copyright 2010 BonianSazanShomal Co.

How’s the issue currently? Please try to reduce the TCP KeepAliveTime, and then monitor the results How to get rid of 9646 eventsPlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

After trying everything above (except for your comment on reducing the TCP KeepAliveTime), I created a new user and attached the existing mailbox to the new user. The original user has been deactivated in Active Directory and removed from the Exchange server, everything looks to be OK. Thanks to everyone for the help!