Mailbox Quarantine
A single corrupted mailbox can disrupt service by taking down the entire information store, thereby affecting all users on that server. Mailbox quarantine was introduced in Exchange Server 2010 to help prevent this situation.
What is Mailbox Quarantine?
Mailbox quarantine is a feature of the Exchange Server 2010 information store. Based on values in the registry, the store detects a mailbox or mailboxes that have crashed the store, or have the potential to, and quarantines them for a specific period. Mailboxes that have the potential to crash the store are called poisoned mailboxes.
When does quarantining happen?
Quarantining of mailboxes can occur in two situations:
- A thread that is doing work for a mailbox has crashed.
- More than 5 threads allocated to process a mailbox have not progressed for a long time.
How does it work?
The store will tag a mailbox that has the potential to crash the store. The tag includes the number of times that mailbox has caused the store to crash and a time stamp. If the store is crashed by a mailbox, a registry key is created. The path to the registry key is:
HKLM\SYSTEM\CCS\Services\MSexchangeIS\Servername\Private-dbguid\Quarantined Mailboxes\{Mailbox GUID}
It will have the following two values:
- CrashCount – The number of times the mailbox has crashed the store.
- LastCrashTime – The last time the mailbox crashed the store.
The key is not created until the store has been crashed at least one time by a mailbox.
Each time a database is mounted, the store checks the registry to see if any mailboxes hosted on that database are tagged. If the registry indicates that a mailbox has caused the store to crash, the mailbox will be quarantined.
By default, if a mailbox has been identified as a threat 3 times in 2 hours, that mailbox will be quarantined for 6 hours.
These default settings can be modified by creating the following key:
HKLM\SYSTEM\CCS\Services\MSexchangeIS\ParameterSystem\Servername\Private-dbguid\Quarantined Mailboxes
Using the following values:
- MailboxQuarantineCrashThreshold – The number of times a mailbox can be identified as a threat before the store quarantines it.
- MailboxQuarantineDurationInSeconds – The number of seconds a mailbox remains in quarantine before the store releases it.
These two values do not exist by default. They should be created only if there is a need to change the default behaviour.
A background process in the store runs every 2 hours (this default can’t be changed) to check the registry values for each mounted database. The store checks the CrashCount and LastCrashTime values and performs any of the following four actions:
- If all tagged mailboxes have a CrashCount value less than MailboxQuarantineCrashThreshold (default value of 3) in the last 2 hours, then the dbguid registry value for the mailbox located at HKLM\SYSTEM\CCS\Services\MSexchangeIS\Servername\Private-dbguid\Quarantined Mailboxes is deleted.
- If a tagged mailbox has a CrashCount greater than the MailboxQuarantineCrashThreshold value (default value of 3) and the mailbox is not quarantined, then the mailbox will be quarantined immediately.
- If a mailbox has been quarantined longer than the default 6 hours, or the time specified in the value MailboxQuarantineDurationInSeconds, then it will be released immediately.
- If a mailbox has been quarantined for less than the default 6 hours, or the time specified in the value MailboxQuarantineDurationInSeconds, then it will remain quarantined.
What happens when clients try to access a quarantined mailbox?
When a client attempts to access a mailbox the following occurs:
1. The store will return the error code ecMailboxQuarantined and, based on this, XSO throws the transient exception MapiExceptionMailboxQuarantined to signal transport and other XSO clients.
2. Every 5 minutes, transport tries to deliver messages sent to a quarantined mailbox.
3. Outlook clients see the following pop up when they try to access a quarantined mailbox
4. OWA displays the following pop up error message when trying to access a quarantined mailbox
Only clients such as MFCMAPI that can pass the Open-As-Admin flag can access a mailbox while it is in a quarantined state. Even Exchange processes such as content indexing and mailbox assistants cannot access the mailbox.
For example, a move mailbox request will fail with the following pop up error:
Resetting a quarantined mailbox
It is possible to reset a quarantined mailbox by deleting the quarantine registry key for that mailbox located at:
HKLM\SYSTEM\CCS\Services\MSexchangeIS\Servername\Private-dbguid\Quarantined Mailboxes\{Mailbox GUID}
The database then has to be dismounted and remounted, or the IS service restarted, for the reset to take effect immediately. If the underlying issue is not resolved, the mailbox could crash the store and become quarantined again.
Troubleshooting
Application log
The following event will be logged when a mailbox is automatically quarantined:
Log Name: Application
Source: MSExchangeIS
Event ID: 10018
Task Category: General
Level: Error
Description: The mailbox for user /o=AMERICAS/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=test1 has been quarantined. Access to this mailbox will be restricted to administrative logons for the next 6 hours.
The following event will be logged when a mailbox is automatically removed from the quarantine:
Log Name: Application
Source: MSExchangeIS
Event ID: 10019
Task Category: General
Level: Error
Description: The quarantine of the mailbox for user /o=AMERICAS/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=test1 has expired. Access to the mailbox has been restored.
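The two events above can be paired to show which mailboxes are in quarantine now and which have been quarantined more than once. The following PowerShell is an added example, not part of the original article or of Exchange; the function names, the RepeatThreshold parameter and the sample events are assumptions made for illustration.

```powershell
# Added example: rebuild per-mailbox quarantine state from events 10018/10019.
function Get-QuarantineHistory {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Events,  # need Id, TimeCreated, Message
        [int] $RepeatThreshold = 2  # hypothetical: flag mailboxes quarantined this often
    )
    # Patterns follow the two event descriptions quoted in the article.
    $patterns = @{
        10018 = 'The mailbox for user (?<dn>.+?) has been quarantined\.'
        10019 = 'The quarantine of the mailbox for user (?<dn>.+?) has expired\.'
    }
    $state = @{}
    foreach ($e in ($Events | Sort-Object TimeCreated)) {
        $id = [int]$e.Id
        if (-not $patterns.ContainsKey($id)) { continue }          # unrelated event
        if (-not ($e.Message -match $patterns[$id])) { continue }  # unexpected text
        $dn = $Matches['dn']
        if (-not $state.ContainsKey($dn)) {
            $state[$dn] = New-Object PSObject -Property @{
                Mailbox = $dn; QuarantineCount = 0; InQuarantine = $false
                LastChange = $null; NeedsReview = $false
            }
        }
        $s = $state[$dn]
        if ($id -eq 10018) { $s.QuarantineCount++; $s.InQuarantine = $true } else { $s.InQuarantine = $false }
        $s.LastChange  = $e.TimeCreated
        $s.NeedsReview = $s.InQuarantine -or ($s.QuarantineCount -ge $RepeatThreshold)
    }
    $state.Values | Sort-Object Mailbox
}

# Constructed sample events (not real log data); message text cut after the first sentence.
function New-SampleEvent($Id, $Time, $Text) {
    New-Object PSObject -Property @{ Id = $Id; TimeCreated = [datetime]$Time; Message = $Text }
}
$p = '/o=AMERICAS/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn='
$sample = @(
    (New-SampleEvent 10018 '2011-08-26T14:00:00' "The mailbox for user ${p}test1 has been quarantined."),
    (New-SampleEvent 10019 '2011-08-26T20:00:00' "The quarantine of the mailbox for user ${p}test1 has expired."),
    (New-SampleEvent 10018 '2011-08-26T09:00:00' "The mailbox for user ${p}test2 has been quarantined."),
    (New-SampleEvent 10019 '2011-08-26T15:00:00' "The quarantine of the mailbox for user ${p}test2 has expired."),
    (New-SampleEvent 10018 '2011-08-27T10:00:00' "The mailbox for user ${p}test2 has been quarantined.")
)
Get-QuarantineHistory -Events $sample |
    Format-Table Mailbox, QuarantineCount, InQuarantine, NeedsReview -AutoSize

# On a server, feed it the real events instead (source name as shown in the article):
# Get-QuarantineHistory -Events (Get-WinEvent -FilterHashtable @{
#     LogName = 'Application'; ProviderName = 'MSExchangeIS'; Id = 10018, 10019 })
```

With the constructed sample, test1 ends released with one quarantine, while test2 ends in quarantine with two and is flagged for review.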
Shell Command
We can also use the Get-MailboxStatistics cmdlet to see if a mailbox has been quarantined.
Get-MailboxStatistics -Identity test1 | FL IsQuarantined
Isquarantined : True
Performance Monitor
The store also provides the performance monitor counter: MSExchangeIS Mailbox\Quarantined Mailbox Count. This counter shows the number of quarantined mailboxes on a specific server.
EXTRA
Finally, we can use EXTRA to trace data. Select Function from Trace Types and use the tag tagQuarantineMailbox under the component Store.
Thanks to Hamza Hassen and Jonathan Runyon for putting all this information together which will help so many of us certainly…
Comments
Anonymous
January 01, 2003
Excellent, worked perfectly.
Thanks.
Anonymous
January 01, 2003
The comment has been removed
Anonymous
January 01, 2003
thanks
Anonymous
August 13, 2011
Great article...
Anonymous
August 17, 2011
Superb article. Is there any specific reason why a mailbox might become poisoned in the first place though, or any way I can prevent this in the future? Or is it just "one of those things"?
Anonymous
August 23, 2011
How about the mailflow until mailbox is quarantined....? Will the mails be backing up or they'll NDRed until the mailbox gets released???
Anonymous
August 26, 2011
The mails will back up. This happened to one of my users and after 6 hours the mailbox was taken out of quarantine (8pm in this case) and was populated with emails sent during the afternoon so nothing was lost. The fact it happened in the first place though is still a mystery.
Anonymous
October 29, 2011
What a comprehensive article, thank you for posting it.
Anonymous
November 18, 2011
Well explained.. thank you
Anonymous
July 23, 2012
There are not any details on what happens on the client side in regards to what happens to mail flow to this mailbox during the Quarantine period. Here are some details: In the case of a poisoned mailbox, the Store returns error code ecMailboxQuarantined, a new error specific to the quarantine feature. Based on this, XSO throws the transient exception MapiExceptionMailboxQuarantined to signal to Transport and other XSO clients that the mailbox is quarantined. Transport retries message delivery every 5 minutes to make sure that mail is not lost.
Anonymous
March 12, 2014
THANK YOU!!! Helped out big time. Stay Awesome
Anonymous
May 20, 2014
The comment has been removed
Anonymous
July 24, 2014
Thanks a lot for sharing, just resolved an issue referring your article :)
Anonymous
July 31, 2014
I removed the quarantined mailbox keys but problem still remains.
Any idea what would be the next step?
Anonymous
July 31, 2014
Sorry guys, I forgot to restart Infostore. When I did restart, it fixed the issue.
Thanks.
Anonymous
April 23, 2015
Some mailboxes may be quarantined when the database or log partition is full !!!
Anonymous
May 20, 2015
Just had the issue.
I did reset the CrashCount Counter to 1.
The registry entry was deleted almost immediately (I don't know if I was lucky or if the behavior of the background task was changed in the most recent Exchange 2010 CUs)
The mailbox became available again without the need of dismounting/remounting the affected store
Anonymous
January 23, 2016
Very Good article..
Anonymous
February 07, 2016
Great article its really helpful