Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 9582 Source: MSExchangeIS

Source
Level
Description
The Virtual memory necessary to run your Exchange server is fragmented in such a way that performance may be affected. It is highly recommended that you restart all Exchange services to correct this issue.
Comments
 
As per ME960144, this issue occurs because of a memory leak issue in the Store.exe process. A hotfix is avaialble from Microsoft.
ME815372 has information on how to optimize memory usage in Exchange Server 2003.
See ME883527 for a hotfix applicable to Microsoft Exchange 2000 Server.

ME325044 and ME317411 show how to troubleshoot virtual memory fragmentation in Exchange 2003 and Exchange 2000.

See ME296073, ME816753, MSEX2K3DB, and the link to "Event ID 9582 (error) from source MSExchangeIS" for more information.
Problem:
1. Store.exe is the main process that runs Exchange.
2. Store.exe is designed to take as much memory as the system has available.
3. Store.exe is supposed to release memory if another process needs it (It has to beg for it first). This is most common when you are running other resource-intensive apps, like Anti-Virus or Spam Filtering.
4. As memory becomes available again, store.exe grabs it.
5. This unbounded memory give and take results in highly fragmented memory. You see Warnings and Errors #9582. It takes so much of the system resources that your CPU is spending more and more time on this, finally CPU utilization =100%
6. The server must be rebooted and the process starts all over again.

Solution:
Manage memory better (Use Win2K Advanced Server) or put a "governor" on Store.EXE
1. If you have 1Gb or more of physical memory installed and the operating system is Windows 2000 Advanced Server (only!), ensure the /3GB option is set in the Boot.ini file
2. Ensure that the server is running Exchange 2000 Service Pack 3 (SP3) or later. There were some significant changes made to Virtual memory allocation in SP3.
3. Ensure that the server is running Windows 2000 Service Pack 3 or later.
4. Set the following registry parameter if you have 1Gb or more of physical memory, and then restart the server. Read Microsoft KB article ME315407.
Path: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
Parameter: HeapDeCommitFreeBlockThreshold
Type: REG_DWORD
Default: Not present
Recommend setting: 0x00040000
Make sure you enter the 40000 (in HEX) or 262144 (in DEC).

In most scenarios, the steps listed above will resolve the majority of virtual address space consumption issues. Wait at least 1 day on normal load condition before doing any additional changes. On larger servers, more tuning may be required to re-align the balance between performance and scalability; this involves changing the Store Database Cache Size in the Shema.

The “msExchESEParamCacheSizeMax” parameter controls the Buffer size. Its value is expressed in a count of pages, and should be set to an exact multiple of 8192 for maximum efficiency.
• Default size = 219726 (~858Mb)
• Recommended maximum = 307200 (1.2Gb)
• Very Large address-space constrained servers = 196608 (768Mb)

NOTE: Transaction log replay will be significantly faster if the ESE buffer is set to a large size. You should consider temporarily increasing the buffer size to 307200 in disaster recovery scenarios.

Steps to Modify “msExchESEParamCacheSizeMax”
To modify the store database cache size, follow these steps:

1. Use ADSIEdit (part of Windows Support Tools on W2K CD) to connect to the Configuration Container Naming Context of your Active Directory. Use Schema Master for this operation.
2. Go to the following path: Configuration Container ->Configuration -> Services -> Microsoft Exchange -> YourOrganization -> Administrative Groups -> YourAdminGroup -> Servers -> YourServer -> Information Store
3. Right-click the Information Store object, and then click Properties.
4. Change the Select which properties to view drop-down list box to Both.
5. Select the “msExchESEParamCacheSizeMax” attribute and adjust the value. Although no value will be present, the default will be 219726.
25:800M msExchESEParamCacheSizeMax=204800
24:768M msExchESEParamCacheSizeMax=196608 (this value worked for me)
23:736M msExchESEParamCacheSizeMax=188416
22:704M msExchESEParamCacheSizeMax=180224
21:672M msExchESEParamCacheSizeMax=172032
20:640M msExchESEParamCacheSizeMax=163840
Note: Be careful when setting this value, as it is very easy to make a mistake and set the “msExchESEParamCacheSizeMin” attribute instead.
6. Remember to click Set after changing the edit field for the attribute.
7. Close the ADSIEdit tool by closing the MMC console application.
8. Wait for Active Directory replication to replicate this new value throughout the forest.
9. Restart the Information Store service on the Exchange 2000 server.

Wait for a day or 2 to experience normal load, before making more modifications. My setup was Win2K Server SP3 + 2GB RAM, Exch2K SP3 (SP4 latest fixes, including latest store.exe).

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net.

Read more...

 

Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.

Read more...