Windows 2008 / 2012 Domain Controllers restrict Name Service Provider Interface (NSPI) connections which can cause Enterprise Vault (EV) archiving tasks to fail

Windows 2008 / 2012 Domain Controllers restrict Name Service Provider Interface (NSPI) connections which can cause Enterprise Vault (EV) archiving tasks to fail

Article: 100021750
Last Published: 2015-07-20
Ratings: 0 0
Product(s): Enterprise Vault

Problem

Windows 2008 / 2012 Domain Controllers restrict Name Service Provider Interface (NSPI) connections which can cause Enterprise Vault (EV) archiving tasks to fail

Error Message

Below are a few scenarios that are caused by the restriction:

Scenario 1

The Exchange Mailbox archiving task may fail with Event ID: 3231

Event ID: 3231

Description: Could not get a MAPI session from the session pool.

Error: An event was unable to invoke any of the subscribers [0x80040201]

V-437-3231

To verify in Windows Server 2008 whether you encountered the issue enable event logging for NSPI connections.  See below:

1. On the domain controller that is targeted for the NspiBind connection, click Start, click Run, type regedit, and then click OK.

2. Locate and then double-click the following registry subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Diagnostics\4 MAPI Interface Events

3. In the Value data box, type 5, and then click OK.

Note: The default value of this registry entry is 0 (zero).

4. On the File menu, click Exit.

Note: Windows Server 2008 R2 and later versions log this event by default. In Windows Server 2008, this is a verbose level of event logging that may generate many events. This verbose level of event logging includes events that are unrelated to the diagnosis of this issue. We recommend that you restore this setting to the default value after you finish troubleshooting. See Microsoft KB949469 for more information on enabling event logging for NSPI connections.

Scenario 2

When enabling mailboxes within the Administration Console events 3196 and or 3139 may be generated:

Event ID: 3139

Description: An non-specific error has occurred whilst enabling archiving for the mailbox /o=Organization/ou=Exchange Administrative Group/cn=Recipients/cn=user

Error: An event was unable to invoke any of the subscribers [0x80040201]

V-437-3139

Event ID: 3196

Description: An error has occurred whilst synchronizing the properties of mailbox /o=Organization/ou=Exchange Administrative Group/cn=Recipients/cn=user

Error: An event was unable to invoke any of the subscribers [0x80040201]

V-437-3196

Scenario 3

When starting multiple archiving tasks that are accessing the same global catalog server it is possible for the NSPI limit to be exceeded.  

Event ID: 2956

Source: Enterprise Vault

Description: An error has occurred whilst processing the Public Folder.

Error: 0x80040111

V-437-2956

Event ID: 3460

Source: Enterprise Vault

Description:  The Task 'Exchange Mailbox Archiving Task for EXCH01' failed to log on to Exchange server 'EXCH01' using mailbox 'SMTP:evsysmb@evault.local'.

Dtrace shows:
(ArchiveTask)...EV:H    {CAgentTask::Initialise} HRXEX fn trace : Error [0x80004005]

 

Cause

This issue occurs because Windows Server 2008 and later versions allow a default maximum of only 50 concurrent NSPI connections per user. Additional NSPI connections are rejected, and a MAPI_E_LOGON_FAILED error message is returned.
 


 

Solution

To remove the restriction on concurrent NSPI connections to a Windows Server 2008 / 2012 domain controller:

Warning: Incorrect use of the Windows registry editor may prevent the operating system from functioning properly. Great care should be taken when making changes to a Windows registry. Registry modifications should only be carried-out by persons experienced in the use of the registry editor application. It is recommended that a complete backup of the registry and workstation be made prior to making any registry changes.

  1. On the Windows Server 2008 / 2012 domain controller, create a new registry DWORD value called NSPI max sessions per user under the following registry key:

    HKEY_LOCAL_MACHINE \System \CurrentControlSet \Services \NTDS \Parameters
  2. Set NSPI max sessions per user to a hex value of 0xffffffff. This sets NSPI max sessions per user to its maximum value. In effect, this removes the restriction on concurrent NSPI connections by each user.

    NOTE: There is no specific upper-limit to this setting beyond the limits that are imposed by it being a DWORD (that is, 0xffffffff or about 4 billion). Configuring the server in this manner will make it function similarly to Windows Server 2003 in terms of the maximum number of NSPI connections that are allowed per user.
  3. Restart the Active Directory Domain Services service (or reboot the Domain Controller) to make the setting take effect.

    For more information please review the following Microsoft knowledge base:
    https://support.microsoft.com/kb/949469 
     

If it is not desirable to set the limit for NSPI connections to the maximum value, the formula below can be used as a guide to determine an appropriate NSPI connection limit.

Number of Mailbox Archiving tasks = 2

Number of connection threads per task = 5

Number of Journal Archiving tasks = 2

Number of connection threads per task = 5

Number of Public Folder Archiving tasks = 2

Number of connection threads per task = 5

Task Controller Service = 20

Storage Service = 32

Shopping Service = 20

PST Migrations = 20
 
Total 10+10+10+20+32+20+20 = 122

Note: This is only a guide and it may be necessary to increase the limit further. Additionally the calculation does not take into account Discovery Accelerator, Compliance Accelerator and Custodian Manager.

 

 

References

UMI : V-437-3231 UMI : V-437-2196 Etrack : 3139 Etrack : 3231 UMI : V-437-3139 Etrack : 3196 UMI : V-437-3196 Etrack : 2956

Was this content helpful?