Configuring quota settings for named properties and replica identifiers in Exchange 2000 Server and in Exchange Server 2003 (820379)

MORE INFORMATION

You can configure a quota on the named properties and the replica identifiers resources to help minimize the damage from an attack on the Exchange Server 2003 computer. Without a limit on the number of named properties and of replica identifiers that can be created, an attack that is directed at an Exchange Server 2003 computer and that is meant to fill up the named properties and the replica identifiers tables to their maximum of 32,000 entries could make the computer unresponsive to client requests. These quotas are designed to minimize the effect of this kind of attack.

By default, Exchange Server 2003 has a hard quota of 16,000 named properties or replica identifiers for each MDB. You can override this setting by adding the following registry values to the registry key for each MDB (private or public) where you want to configure these settings. After you change these registry settings, you must dismount, and then remount the database before these changes become effective:

Value name: Named Props Quota
Value type: REG_DWORD
Value data: positive integer between 1 and 0x7FFF
Value name: Replids Quota
Value type: REG_DWORD
Value data: positive integer between 1 and 0x7FFF
Value name: NonMAPI Named Props Quota
Value type: REG_DWORD
Value data: positive integer between 1 and 0x7FFF
Note You can use this registry value only after you apply Exchange Server 2003 Service Pack 2. The default value of the registry value is 8000.

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk. To add the registry keys for each MDB, follow these steps:

Click Start, click Run, type regedit in the Open box, and then click OK.
Locate the following registry subkey, where <servername> is the name of the Exchange Server 2003 computer, and where <Private-GUID> is the name of the private or public MDB where you want to configure one or more of the quotas:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\<servername>\<Private-GUID>
In the left pane, right-click Private-GUID, point to New, and then click DWORD Value.
- To configure the Named Props Quota setting:
  1. In the New Value #1 box, type Named Props Quota, and then press ENTER.
  2. Right-click Named Props Quota, and then click Modify.
  3. In the Value data box, type a positive integer between 1 and 0x7FFF, and then click OK.
- To configure the Replids Quota setting:
  1. In the New Value #1 box, type Replids Quota, and then press ENTER.
  2. Right-click Replids Quota, and then click Modify.
  3. In the Value data box, type a positive integer between 1 and 0x7FFF, and then click OK.
- To configure the Replids Quota setting:
  1. In the New Value #1 box, type NonMAPI Named Props Quota, and then press ENTER.
  2. Right-click NonMAPI Named Props Quota, and then click Modify.
  3. In the Value data box, type a positive integer between 1 and 0x7FFF, and then click OK.
Quit Registry Editor.
Start Exchange System Manager, dismount the database where you configured one or more quotas, and then remount the database.

After you configure one or more quotas, the following behaviors occur:

A Warning event is logged when a named property or a replica identifier is created and the quota threshold is reached. This warning threshold is 20 entries less than the quota (quota minus 20). The named property or the replica identifier is successfully created, and one or both of the following event ID messages are logged in Windows Event Viewer:
Message 1
Event ID: 9666
Type: Warning
Category: General
Source: msgidNamedPropsQuotaWarning
Description: The number of named properties created for database "%1" is close to quota limit.%n Current number of named properties: %2%n Quota limit for named properties: %3%n User attempting to create the named property: %4%n Named property GUID: %5%n Named property name/id: %6%n %n%n

For more information, click http://www.microsoft.com/contentredirect.asp.
Message 2
Event ID: 9668
Type: Warning
Category: General
Source: msgidReplidsQuotaWarning
Description: The number of replica identifiers created for database "%1" is close to quota limit.%n Current number of replica identifiers: %2%n Quota limit for replica identifiers: %3%n User attempting to create the replica identifier: %4%n %n%n

For more information, click http://www.microsoft.com/contentredirect.asp.
An Error event is logged when an attempt is made to create a named property or a replica identifier if the quota limit is met. In this case, the call to create the named property or the replica identifier is unsuccessful, and one or both of the following event ID messages are logged in Windows Event Viewer:
Message 1
Event ID: 9667
Type: Error
Category: General
Source: msgidNamedPropsQuotaError
Description: Failed to create a new named property for database "%1" because the number of named properties reached the quota limit (%2).%n User attempting to create the named property: %3%n Named property GUID: %4%n Named property name/id: %5%n %n%n

For more information, click http://www.microsoft.com/contentredirect.asp.
Message 2
Event ID: 9669
Type: Error
Category: General
Source: msgidReplidsQuotaError
Description: Failed to create a new replica identifier for database "%1" because the number of replica identifiers reached the quota limit (%2).%n User attempting to create the replica identifier: %3%n %n%n

For more information, click http://www.microsoft.com/contentredirect.asp.
MAPI clients that attempt to create named properties after these limits have been reached may receive the error code 0x80040900 (-2147219200 in decimal). This error code is MAPI_E_NAMED_PROP_QUOTA_EXCEEDED. Typically, this error code is received when a "save" or a "submit" operation is performed on a new message.

Upgrade scenario

An issue may occur when you upgrade a Microsoft Exchange 2000 Server computer that has a MDB with more than 16,000 named properties to Exchange Server 2003. In this case, a client may experience the following symptoms:

The client logs on to the newly upgraded Exchange Server 2003 computer by using Microsoft Outlook Web Access.
The client (whose mailbox is located on a store with more than 16,000 named properties) opens Calendar and creates a new calendar appointment.
The client tries to save the appointment.

In this case, the client receives a message that states that the action cannot be performed. An event is logged on the Exchange Server 2003 computer that indicates the specific user who tried to create the named property and the property name.

Recovery scenario

If all replica identifiers are exhausted in a public folder store because of an attack by a malicious user or because an Exchange Server 2003 client is malfunctioning, there is no typical method available to recover the replica identifiers or to increase the size of the replica identifiers table. To resolve this issue, replicate all content that is specific to the problem server to another server (replicate off). Remove the public MDB, and then allow the content to be replicated back from another server.

To resolve an issue where all replica identifiers are exhausted in a private store because of an attack by a malicious user or because an Exchange Server 2003 client is malfunctioning, move all mailboxes on this store to a different server, remove the private store on the source (problem) server, and then move all the users back to the original server.