msexchangemailboxassistants.exe high cpu and network for specific user
We had unusually high traffic between one of our three Ex10 mailbox servers and our domain controllers for four days. It started abruptly and completed abruptly. ExMon indicates it's coming from a msexchangemailboxassistants.exe process for a specific user on the Ex10 mailbox server. It reported 45 sessions for this user using 77% of cpu (which was > 100% more than the next lowest user). There was nothing suspicious about the user's session or computer and the process on the server outlived the user session on the computer (quitting Outlook, restarting or turning off the computer had no impact). So ... a few questions. Any idea what might cause such behaviour? How can it be prevented and/or what actions are appropriate should it occur again?
February 28th, 2011 2:07pm

Does the user run any other program connecting to Exchange, like xobni?
Jesper Bernle | Blog: http://xchangeserver.wordpress.com
February 28th, 2011 3:35pm

There are no 3rd party apps or plugins we are aware of and no active-sync devices either. The user's computer and account are about as plain as you can get.
February 28th, 2011 5:21pm

Have you checked all connections reported by Get-LogonStatistics -Identity User?
Jesper Bernle | Blog: http://xchangeserver.wordpress.com
March 1st, 2011 4:37am

I'm afraid I didn't think to do that. We saw similar traffic once before (from a different server) but we were unaware of ExMon at the time. Assuming both ExMon and Get-LogonStatistics showed something abnormal, what steps should be taken to identify and correct the issue?
March 1st, 2011 11:54am

Well, in ExMON you get the client IP, so continue on from there. You had problems with msexchangemailboxassistants.exe:

Microsoft Exchange Mailbox Assistants: This service is installed on the Mailbox Server Role. It is a required service which needs to be running all the time. It is dependent upon "Microsoft Exchange Active Directory Service".
Who is responsible for this service: "MSExchangeMailboxAssistants.exe"
Path from where it is executed: "C:\Program Files\Microsoft\Exchange Server\Bin\MSExchangeMailboxAssistants.exe"
Functions: It is responsible to initiate the function for Resource Booking, Out of Office, Calendaring and Managed Folder Assistants.
Event Id: 1004 and 1001

So, the next step is to see if you can determine if the user is using any of the above mentioned functions when you see the high load in ExMON.
Jesper Bernle | Blog: http://xchangeserver.wordpress.com
March 2nd, 2011 4:34am

The client IP was the address of the mailbox server hosting the account. The same server I was running ExMon on. It also listed the client version 14.1.270.1 which I believe is Exchange 2010 SP1 with Rollup 2.
March 2nd, 2011 12:02pm

When you see this happening, does the end-user do anything specific in Outlook on his machine? Perhaps trying to book a meeting with a lot of attendees?
Jesper Bernle | Blog: http://xchangeserver.wordpress.com
March 3rd, 2011 9:41am

Not that we could determine. There was no delegate access being made either. Should the throttling settings be preventing this type of behaviour? Are you fairly confident this would be a client side issue?
March 3rd, 2011 2:44pm

I don’t think the issue is caused by throttling policies since it is configured on CAS server and the following components are covered by the policies.

Microsoft Exchange ActiveSync
Exchange Web Services
IMAP
Outlook Web App
POP
Windows PowerShell

For more information, please refer to the following article: http://technet.microsoft.com/en-us/library/dd297964.aspx

At this stage, I suggest you move the mailbox to another database to check the result. Meanwhile, please check whether there is any error message in Event log. If so, please post it here for research.

Thanks.
Novak
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
March 4th, 2011 2:48am

The account was successfully moved with no corrupted items found. This error is occasionally logged (0-4 times a day) for apparently random databases ...

-- [ Log Entries Start ] --
Source: MSExchangeIS Mailbox Store
Event ID: 9877
Content Indexing function 'CISearch::EcGetRowsetAndAccessor' received an unusual and unexpected error code from MSSearch. Mailbox Database: [XXXXXX] Error Code: 0x80041606
-- [ Log Entries End ] --

Also, we were seeing this series of log entries each hour due to a mis-configured NIC adapter (the first adapter, used for a SAN backup, had "File and Print Sharing" disabled). This has since been corrected and the events are no longer logged.

-- [ Log Entries Start ] --
Source: MSExchange ADAccess
Event ID: 2501
Process MSEXCHANGEADTOPOLOGY (PID=1336). The site monitor API was unable to verify the site name for this Exchange computer - Call=DsctxGetContext Error code=8007077f. Make sure that Exchange server is correctly registered on the DNS server.
--
Source: MSExchange ADAccess
Event ID: 2604
Process MSEXCHANGEADTOPOLOGY (PID=1336). When updating security for a remote procedure call (RPC) access for the Microsoft Exchange Active Directory Topology service, Exchange could not retrieve the security descriptor for Exchange server object [XXXXXX] - Error code=8007077f. The Microsoft Exchange Active Directory Topology service will continue starting with limited permissions.
--
Source: MSExchange ADAccess
Event ID: 2601
Process MSEXCHANGEADTOPOLOGY (PID=1336). When initializing a remote procedure call (RPC) to the Microsoft Exchange Active Directory Topology service, Exchange could not retrieve the SID for account <WKGUID=1A9E39D35ABE5747B979FFC0C6E5EA26,CN=Microsoft Exchange,CN=Services,CN=Configuration,...> - Error code=8007077f. The Microsoft Exchange Active Directory Topology service will continue starting with limited permissions.
-- [ Log Entries End ] --
March 4th, 2011 2:34pm

I might have bats in my eye ;-) but I cannot see, in the last post of yours, if the main issue is resolved or not. Is it?
Jesper Bernle | Blog: http://xchangeserver.wordpress.com
March 5th, 2011 2:46am

Hi,

Does the msexchangemailboxassistants.exe process still consume most of the CPU after moving the mailbox? Regarding the Event error messages, I suggest you refer to the following article to troubleshoot the issue: http://support.microsoft.com/kb/2025528

Thanks.
Novak
March 6th, 2011 9:09pm

As I said in the initial message we "had unusually high traffic between one of our three Ex10 mailbox servers and our domain controllers for four days" but the traffic stopped as abruptly as it started. I had seen a similar incident previously but didn't know to use ExMon at the time (in other words, that might have been something completely different). I was trying to determine what the most likely source of the problem was, what and how the MSExchangeMailboxAssistants.exe process was related to a user who was apparently completely disconnected from the server, how to prevent such a thing from happening again but, most importantly, how to troubleshoot and stop the behaviour should it happen again.
March 7th, 2011 7:12pm
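
For the "how to troubleshoot should it happen again" question, one way to triage the `Get-LogonStatistics` output suggested earlier in the thread is to group sessions by origin so that sessions opened from the mailbox server's own address (what ExMon showed here) stand out. This is an added example, not code from any poster; `Get-SessionSummary`, `New-SampleSession`, the sample rows, the placeholder addresses and the `ApplicationId` values are constructed, and the `ApplicationId` and `TotalOperationCount` properties are assumed to be present in your build's output.

```powershell
# Added example (not from the thread): group logon sessions by origin so that
# sessions opened from a mailbox server's own address stand out.
function Get-SessionSummary {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Sessions,        # Get-LogonStatistics output
        [Parameter(Mandatory = $true)] [string[]] $ServerAddresses  # mailbox server IPs
    )
    $Sessions |
        Group-Object ClientIPAddress, ClientVersion, ApplicationId |
        ForEach-Object {
            $first = $_.Group[0]
            New-Object PSObject -Property @{
                ClientIP    = [string]$first.ClientIPAddress
                ClientVer   = [string]$first.ClientVersion
                Application = $first.ApplicationId
                Sessions    = $_.Count
                Operations  = ($_.Group | Measure-Object TotalOperationCount -Sum).Sum
                OldestLogon = ($_.Group | Sort-Object LogonTime |
                                  Select-Object -First 1 -ExpandProperty LogonTime)
                # True when the "client" is one of the mailbox servers themselves
                ServerSide  = $ServerAddresses -contains [string]$first.ClientIPAddress
            }
        } |
        Sort-Object Operations -Descending |
        Select-Object ServerSide, ClientIP, ClientVer, Application, Sessions, Operations, OldestLogon
}

# Constructed sample rows standing in for Get-LogonStatistics output.
# Addresses are documentation-range placeholders; ApplicationId values are made up.
function New-SampleSession($ip, $ver, $app, $ops, $logon) {
    New-Object PSObject -Property @{
        ClientIPAddress = $ip; ClientVersion = $ver; ApplicationId = $app
        TotalOperationCount = $ops; LogonTime = [datetime]$logon
    }
}
$sample = @(
    (New-SampleSession '192.0.2.10' '14.1.270.1'   'EXAMPLE-ASSISTANT' 52000 '2011-02-24 08:00'),
    (New-SampleSession '192.0.2.10' '14.1.270.1'   'EXAMPLE-ASSISTANT' 47000 '2011-02-24 08:05'),
    (New-SampleSession '192.0.2.77' '12.0.6550.50' 'EXAMPLE-OUTLOOK'     310 '2011-02-28 09:12')
)
Get-SessionSummary -Sessions $sample -ServerAddresses '192.0.2.10' | Format-Table -AutoSize

# On a live server, from the Exchange Management Shell, replace $sample with:
#   Get-LogonStatistics -Identity User
```

Rows with `ServerSide` set to True and a server build number as the client version point at server-side processing rather than the user's workstation, which matches why restarting the user's computer had no effect.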

This topic is archived. No further replies will be accepted.
