Windows 2008 / 2012 Domain Controllers restrict Name Service Provider Interface (NSPI) connections which can cause Enterprise Vault (EV) archiving tasks to fail
Problem
Windows Domain Controllers restrict Name Service Provider Interface (NSPI) connections which can cause Enterprise Vault (EV) archiving tasks to fail
Error Message
Below are a few scenarios that are caused by the restriction:
Scenario 1
The Exchange Mailbox archiving task may fail with Event ID: 3231
Event ID: 3231
Description: Could not get a MAPI session from the session pool.
Error: An event was unable to invoke any of the subscribers [0x80040201]
V-437-3231
To verify in Windows Server whether you encountered the issue enable event logging for NSPI connections. See below:
1. On the domain controller that is targeted for the NspiBind connection, click Start, click Run, type regedit, and then click OK.
2. Locate and then double-click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Diagnostics\4 MAPI Interface Events
3. In the Value data box, type 5, and then click OK.
Note: The default value of this registry entry is 0 (zero).
4. On the File menu, click Exit.
Scenario 2
When enabling mailboxes within the Administration Console events 3196 and or 3139 may be generated:
Event ID: 3139
Description: An non-specific error has occurred whilst enabling archiving for the mailbox /o=Organization/ou=Exchange Administrative Group/cn=Recipients/cn=user
Error: An event was unable to invoke any of the subscribers [0x80040201]
V-437-3139
Event ID: 3196
Description: An error has occurred whilst synchronizing the properties of mailbox /o=Organization/ou=Exchange Administrative Group/cn=Recipients/cn=user
Error: An event was unable to invoke any of the subscribers [0x80040201]
V-437-3196
Scenario 3
When starting multiple archiving tasks that are accessing the same global catalog server it is possible for the NSPI limit to be exceeded.
Event ID: 2956
Source: Enterprise Vault
Description: An error has occurred whilst processing the Public Folder.
Error: 0x80040111
V-437-2956Event ID: 3460
Source: Enterprise Vault
Description: The Task 'Exchange Mailbox Archiving Task for EXCH01' failed to log on to Exchange server 'EXCH01' using mailbox 'SMTP:evsysmb@evault.local'.
Dtrace shows:(ArchiveTask)...EV:H {CAgentTask::Initialise} HRXEX fn trace : Error [0x80004005]
Cause
This issue occurs because Windows Server allow a default maximum of only 50 concurrent NSPI connections per user. Additional NSPI connections are rejected, and a MAPI_E_LOGON_FAILED error message is returned.
Solution
To remove the restriction on concurrent NSPI connections to a Windows Server domain controller:
Warning: Incorrect use of the Windows registry editor may prevent the operating system from functioning properly. Great care should be taken when making changes to a Windows registry. Registry modifications should only be carried-out by persons experienced in the use of the registry editor application. It is recommended that a complete backup of the registry and workstation be made prior to making any registry changes.
- On the Windows Server domain controller, create a new registry DWORD value called NSPI max sessions per user under the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters - Set NSPI max sessions per user to a hex value of 0xffffffff. This sets NSPI max sessions per user to its maximum value. In effect, this removes the restriction on concurrent NSPI connections by each user.
NOTE: There is no specific upper-limit to this setting beyond the limits that are imposed by it being a DWORD (that is, 0xffffffff or about 4 billion). Configuring the server in this manner will make it function similarly to Windows Server 2003 in terms of the maximum number of NSPI connections that are allowed per user. - Restart the Active Directory Domain Services service (or reboot the Domain Controller) to make the setting take effect.
For more information please review the following Microsoft knowledge base:
Windows Server 2008 GC’s have a limitation of 50 concurrent NSPI connections per user.
If it is not desirable to set the limit for NSPI connections to the maximum value, the formula below can be used as a guide to determine an appropriate NSPI connection limit.
Number of Mailbox Archiving tasks = 2
Number of connection threads per task = 5
Number of Journal Archiving tasks = 2
Number of connection threads per task = 5
Number of Public Folder Archiving tasks = 2
Number of connection threads per task = 5
Task Controller Service = 20
Storage Service = 32
Shopping Service = 20
PST Migrations = 20
Total 10+10+10+20+32+20+20 = 122
Note: This is only a guide and it may be necessary to increase the limit further. Additionally the calculation does not take into account Discovery Accelerator, Compliance Accelerator and Custodian Manager.
References
Was this content helpful?
Translated Content
Please note that this document is a translation from English, and may have been machine-translated. It is possible that updates have been made to the original version after this document was translated and published. Veritas does not guarantee the accuracy regarding the completeness of the translation. You may also refer to the English Version of this knowledge base article for up-to-date information.