How to get rid of 9646 events

Applies to Exchange 2003

Event Type: Error
Event Source: MSExchangeIS
Event Category: General
Event ID: 9646
Mapi session “/o=<org>/ou=First Administrative
Group/cn=Recipients/cn=<userName>” exceeded the maximum of 32 objects of type “session”.

Seen these in your environment?  Sometimes they are caused by desktop search engines opening too many MAPI sessions, other times they are because your Exchange server is keeping open connections from the client that the client for whatever reason thinks are closed.

For example, say you have users connecting to Exchange over a poor network connection or VPN.  When Outlook connects, it establishes MAPI sessions.  If the users drops the VPN connection without closing Outlook first, those connections are going to stay open on the Exchange server for 2 hours.  If the user connects again, more connections get added to the Exchange server for that user.  See where we’re going with this?  If you max out, new connections will fail, resulting in an unhappy end user.

 So how do you fix this?

Well, one of three ways.

You can try to prevent your clients from doing so many connections by educating your users, making changes in Outlook 2007, correctly configuring Network Accelerators to not keep connections open, etc.

You can tell Windows/Exchange that 2 hours is far too long to keep a session open without activity.  To do this you follow the instructions in this document, specifically the TCP KeepAliveTime, set that to 5 minutes.

KB324270 How to harden the TCP/IP stack against denial of service attacks in Windows Server 2003.;EN-US;324270

Or finally, and the last resort, you can add additional allowable sessions by following KB842022.  Note that this is a last resort, as in many cases you are merely delaying your pain for later.  Note the warning:  “If you do this, try to determine the minimum value that you can use so that the client program can run without problems. If you raise the limit too high, the client program might affect the performance of the Exchange Server computer.”

Event ID 9646 is logged in the application event log of your Exchange Server 2003 computer when a client opens many MAPI sessions.;EN-US;842022.

Database Status Unknown in 2k7 EMC? This might be why….

Applies to Exchange 2007 

So I ran into a case today that was pretty interesting.  The symptoms were a fairly generic error in the app log:

Event ID: 4001
Task Category: General
Level: Error
Keywords: Classic
User: N/A
Computer: server name
A transient failure has occurred. The problem may resolve itself in awhile. The service will retry in 56 seconds. Diagnostic information:
Kerberos test. . . . . . . . . . . : Failed
[FATAL] Cannot lookup package Kerberos.
The error occurred was: (null)

And in the Exchange Management Console, all the databases reported back a status of “Unknown”.  Also you couldn’t run the EXBPA on the server, it came back with a network/registry error:

Error (The network path was not found) opening registry key reg:/servername/HKEY_LOCAL_MACHINE/Software\Microsoft\Windows NT\CurrentVersion, skipping object.

The customer could run the EXBPA against the server remotely, and remotely in the EMC the database status came back Healthy instead of Unknown.


Weird huh?

Turns out that there were corrupt / bad entries for the machine name in the hosts file, and it was causing all three symptoms.  #’ing the records and doing an ipconfig /flushdns resolved everything in just a minute or two.