Wednesday, January 13, 2010

Restrictive Throttling Policies in Exchange 2010

Exchange Server 2010 has the ability to limit user and administrative actions. But in testing this feature in a lab I set the default policy (which by default affects everyone, including the Administrator account) to a policy that stopped me undoing the policy again!

I ran Set-ThrottlingPolicy def* -PowerShellMaxConcurrency 1 -PowerShellMaxCmdletsTimePeriod 1000 -PowerShellMaxCmdlets 1 which had the effect of saying I could open one PowerShell session (that is okay - its my lab environment), run a single cmdlet (maybe a bit too low) and to run one cmdlet every 1000 seconds. I had not worked out that 1000 seconds is over 15 minutes.

The problem came two days later, starting Exchange Management Shell and connecting to the remote PowerShell endpoint obviously invokes more than one cmdlet. The second cmdlet is terminated, and so Exchange Management Shell cannot start - ever!

The error message I got was:

The WS-Management service cannot process the request. The user load quota of X requests per Y seconds has been exceeded. Send future requests at a slower rate or raise the quota for this user. The next request from this user will not be approved for at least Z milliseconds.

X is the value of PowerShellMaxCmdlets and Y is the PowerShellMaxCmdletsTimePeriod

So to fix I cracked open ADSIEdit - not to be done lightly, as it runs the risk of destroying the entire Exchange organization and Active Directory.

To fix this and reset the Throttling Policy connect to the Configuration Naming Context in ADSIEdit and navigate to CN=Global Settings,CN=organization name,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain. Open CN=Default Throttling Policy_guid and edit msExchPowerShellThrottlingPolicyState to read:

v~0~con~18~cmds~-1~per~-1~que~-1~excmds~-1

Once Active Directory replicates you will be able to run PowerShell cmdlets in Exchange Management Shell. The first cmdlet I would run would be one to ensure that you are back to the default policy just in case you made a mistake in ADSIEdit:

Set-ThrottlingPolicy def* -PowerShellMaxConcurrency 18 -PowerShellMaxCmdletsTimePeriod $null -PowerShellMaxCmdlets $null -PowerShellCmdletQueueDepth $null

4 comments:

popadophalis!!!!!! said...

Hey Brian!!! its your old mate popadophalis!!!! remember me?!?!?! we used to go and play in the woods when we were children all those years ago...ooooh good times

Anonymous said...

hiya Brian, i just wanna say its really nice what your doing here :D ignore the popadopilisas :P

Anonymous said...

i found this blog through your family site thing, there were loads of pictures of your family up, anyone can see them! maybe you should privatise them? just an idea since the internet has everyone :S

Alex said...

There are many problems with ms exchange. But this trouble is very unique. Luckily I observed one software some weeks ago. It would be helpful in this situation to my mind - how do you retrieve inbox emails from microsoft exchange.