When you have been managing Exchange for as long as I have, you build up a list of tweaks and customizations to ensure it runs smoothly. This can be Exchange 2010, Exchange 2013, Exchange 2016, or Exchange 2019. I will run through what I do when building and managing a machine. We will look at the following:
- Network card settings (RSS)
- Windows Server 2008 R2 settings
- Ring RX (VMware) settings when buffer overrun has occurred on a host
- Templates (time-saver, not really a tweak)
- Scripted installations
- Null routes (malware)
- IISCrypto (locking down your server)
- POP/IMAP settings you might not have configured
- Scripts to clear logging of Exchange 2016/2019 servers
Let’s dive into these Exchange tweaks and customizations.
Drivers. We all know that drivers cause more havoc on some systems than others. What I found was that running Exchange on virtualization platforms (covered in one of my other articles) has its benefits and you do notice the snappiness of the system.
Network card settings. When it comes to Exchange, there are a lot of tweaks and customizations we can do on the network cards. If you manage your systems through System Center Virtual Machine Manager (VMM) and failover clustering, you notice that the Hyper-V NIC on legacy systems does not give you the ability to enable RSS (receive side scaling). However, with the VMXNET3 driver on VMware, tested on Version 6.7 U2 and U3, you have the ability to enable RSS on a Windows 2008 R2 Server.
Ring RX. This is another setting that is unfortunately not available on Hyper-V NICs in a virtual machine. You may be asking what the RX Ring is and why you should care about setting it. What we noticed is that once a virtual machine's RX Ring buffer has been exhausted, VMs can lose network connectivity, which is not good because the database availability group keeps failing over.
We will go through this step quickly. To check for exhaustion, you first need the port number and SwitchName, which you find by running the following command from your VMware host:
After you have the information, you can run the first of two commands (replace vSwitch12 with the SwitchName and 31244676 with the port number from the output):
vsish -e get /net/portsets/vSwitch12/ports/31244676/clientStats
The item you are looking for here is DroppedRx. The next command to run is the following:
vsish -e get /net/portsets/vSwitch12/ports/31244676/vmxnet3/rxSummary
What you are looking for is the line where it says the number of times the first ring is full. This will tell you if you have exhausted the ring.
Windows Server 2008 R2 settings. On the network adapter, we found it is good to uninstall all the extra protocols except for IPv4 and IPv6. The next thing we do is turn off LMHOSTS lookup and disable NetBIOS on the network cards.
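The NetBIOS and LMHOSTS change can be scripted and verified through WMI instead of clicking through each adapter. This is an added example, not the author's own script; the function names are hypothetical, and it sticks to PowerShell 2.0 syntax so it runs on Windows Server 2008 R2 from an elevated prompt.

```powershell
# Added example (not from the original article). PowerShell 2.0 compatible.

function Get-NetbiosState {
    # TcpipNetbiosOptions: 0 = follow DHCP, 1 = enabled, 2 = disabled
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=TRUE" |
        Select-Object Index, Description, TcpipNetbiosOptions, WINSEnableLMHostsLookup
}

function Disable-NetbiosAndLmhosts {
    $results = @()
    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=TRUE"
    foreach ($nic in $nics) {
        # 2 = disable NetBIOS over TCP/IP on this adapter
        $rc = $nic.SetTcpipNetbios(2).ReturnValue
        $results += New-Object PSObject -Property @{
            Adapter = $nic.Description; Setting = 'NetBIOS'; ReturnValue = $rc }
    }
    # LMHOSTS lookup is machine-wide and set through a static WMI method:
    # EnableWINS(DNSEnabledForWINSResolution, WINSEnableLMHostsLookup)
    $wmiClass = [wmiclass]'Win32_NetworkAdapterConfiguration'
    $rc = $wmiClass.EnableWINS($false, $false).ReturnValue
    $results += New-Object PSObject -Property @{
        Adapter = '(all adapters)'; Setting = 'LMHOSTS'; ReturnValue = $rc }
    # ReturnValue 0 = success, 1 = success but a reboot is required
    $results
}

Get-NetbiosState | Format-Table -AutoSize           # before
Disable-NetbiosAndLmhosts | Format-Table Adapter, Setting, ReturnValue -AutoSize
Get-NetbiosState | Format-Table -AutoSize           # after: expect 2 and False
```

Any ReturnValue other than 0 or 1 means the change was not applied to that adapter and should be checked by hand.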
Another small item probably not many admins even look at is changing the server properties to “adjust for best performance.”
Templates. Templates in Hyper-V or VMware make your life easy. After all, you might not remember all the things you change or remove. But after building a server (and adding Windows updates), having templates saves you time because servers can be recovered or built in less than an hour.
Scripted installations. There are not that many of them out there but EighTwOne has built an awesome script for installing Exchange 2013/2016 and 2019. A lot of effort and time has been put in here and you simply kick it off and sit back and watch the install happen. I recommend using it. I used it for all my installs. Work smarter, not harder!
Null routes. I wrote an article on my PowerShell blog on how to find and remove this form of malware, which is quite bad. In the interim, I null route all these IPs so if a box does get infected, it cannot spawn the process. I make this part of my installs as I find it effective. Turning on PowerShell logging will reveal the culprit if you have one.
IISCrypto. I wrote a post on this for TechGenix. Put simply, a template was built from a server and with each new install you simply import the template and it locks down the server to what you have previously set.
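After importing a template, it is worth confirming that the SCHANNEL registry settings on the server match what the template was meant to enforce. The audit below is an added example, not IIS Crypto's own code; the function name is hypothetical and the `$expected` baseline is an assumption to be replaced with your template's values.

```powershell
# Added example (not from the original article or from IIS Crypto).
# $expected is an assumed baseline: $true = protocol enabled for inbound (server) connections.
$expected = @{
    'SSL 2.0' = $false
    'SSL 3.0' = $false
    'TLS 1.0' = $false
    'TLS 1.1' = $false
    'TLS 1.2' = $true
}

function Test-SchannelBaseline {
    param([hashtable]$Baseline)
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $key = Join-Path $root "$name\Server"
        $actual = 'OS default'          # no explicit value: Windows decides
        if (Test-Path $key) {
            $value = (Get-ItemProperty -Path $key).Enabled
            # Any non-zero DWORD counts as enabled
            if ($null -ne $value) { $actual = ($value -ne 0) }
        }
        New-Object PSObject -Property @{
            Protocol = $name
            Expected = $Baseline[$name]
            Actual   = $actual
            # A protocol left at the OS default is reported as a mismatch,
            # because the template should have set it explicitly.
            Match    = ($actual -is [bool] -and $actual -eq $Baseline[$name])
        }
    }
}

Test-SchannelBaseline -Baseline $expected |
    Format-Table Protocol, Expected, Actual, Match -AutoSize
```

SCHANNEL changes only take effect after a reboot, so run the audit again once the server has restarted.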
POP/IMAP. If you are having trouble with POP/IMAP on Exchange 2016, here are commands that you can run (change imap3.domain.com and pop3.domain.com to your URLs):
Set-ImapSettings -server Server1 -ExternalConnectionSettings "imap3.domain.com:993:SSL","imap3.domain.com:143:TLS" -X509CertificateName imap3.domain.com
Set-ImapSettings -server Server1 -InternalConnectionSettings "imap3.domain.com:993:SSL","imap3.domain.com:143:TLS" -X509CertificateName imap3.domain.com
Set-PopSettings -server Server1 -ExternalConnectionSettings "pop3.domain.com:995:SSL","pop3.domain.com:110:TLS" -X509CertificateName pop3.domain.com
Set-PopSettings -server Server1 -InternalConnectionSettings "pop3.domain.com:995:SSL","pop3.domain.com:110:TLS" -X509CertificateName pop3.domain.com
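To confirm that the certificate named in `-X509CertificateName` is the one clients actually receive, connect to the implicit-TLS ports (993 and 995) and inspect what the server presents. This is an added example, not from the original article; the function name is hypothetical and the host names are the article's placeholders.

```powershell
# Added example (not from the original article).
function Get-TlsEndpointCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [Parameter(Mandatory = $true)][int]$Port
    )
    $script:policyErrors = $null
    # Record validation errors instead of aborting, so a wrong or expired
    # certificate is reported rather than hidden behind a failed handshake.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($s, $certificate, $chain, $errors)
        $script:policyErrors = $errors
        $true
    }
    $ssl = $null
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Endpoint     = "${HostName}:$Port"
            Subject      = $cert.Subject
            NotAfter     = $cert.NotAfter
            Protocol     = $ssl.SslProtocol
            PolicyErrors = $script:policyErrors   # 'None' = name and chain validated
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

# Ports 143 and 110 use STARTTLS and need a protocol exchange first,
# so only the implicit-TLS ports are checked here.
Get-TlsEndpointCertificate -HostName 'imap3.domain.com' -Port 993
Get-TlsEndpointCertificate -HostName 'pop3.domain.com'  -Port 995
```

Changes made with Set-ImapSettings and Set-PopSettings only apply after the IMAP4 and POP3 services are restarted, and the certificate must be enabled for the IMAP and POP services, so run the check after both are done.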
Clearing logs. Exchange 2013, Exchange 2016, and Exchange 2019 create a whole stack of log files and if not kept in check, you will fill up your Exchange server disk and stop mail flow and dismount your stores. I created a script that you can download and schedule to remove all the logs and keep that space in check. You can find the blog post here.
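A scheduled cleanup along these lines keeps the diagnostic logs in check; it does not touch database transaction logs. This is an added example, not the author's downloadable script: the function name, the retention period and the default install paths are assumptions. Because IIS and Exchange logs are often the main evidence when a server compromise is investigated, it can copy each file to an archive location before deleting it.

```powershell
# Added example (not the author's script). Run on the Exchange server, elevated.
function Clear-ExchangeDiagnosticLogs {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$RetentionDays = 14,      # assumed retention; match your own policy
        [string]$ArchiveRoot,          # optional: copy each file here before deleting
        # Default install locations (assumption); adjust if logs were relocated.
        [string[]]$Path = @(
            'C:\inetpub\logs\LogFiles',
            (Join-Path $env:ExchangeInstallPath 'Logging'),
            (Join-Path $env:ExchangeInstallPath 'Bin\Search\Ceres\Diagnostics\ETLTraces'),
            (Join-Path $env:ExchangeInstallPath 'Bin\Search\Ceres\Diagnostics\Logs')
        )
    )
    $cutoff = (Get-Date).AddDays(-$RetentionDays)
    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) {
            Write-Warning "Skipping missing path: $root"
            continue
        }
        $rootFull = (Resolve-Path -LiteralPath $root).Path.TrimEnd('\')
        Get-ChildItem -Path $rootFull -Recurse -File -Include *.log, *.blg, *.etl |
            Where-Object { $_.LastWriteTime -lt $cutoff } |
            ForEach-Object {
                if (-not $PSCmdlet.ShouldProcess($_.FullName, 'Archive and remove')) { return }
                if ($ArchiveRoot) {
                    # Keep the relative folder layout so each file stays attributable
                    $relative = $_.FullName.Substring($rootFull.Length).TrimStart('\')
                    $target = Join-Path $ArchiveRoot (Join-Path (Split-Path $rootFull -Leaf) $relative)
                    New-Item -ItemType Directory -Path (Split-Path $target -Parent) -Force | Out-Null
                    # -ErrorAction Stop: never delete a file that failed to archive
                    Copy-Item -LiteralPath $_.FullName -Destination $target -Force -ErrorAction Stop
                }
                # Files still held open by a service are skipped silently
                Remove-Item -LiteralPath $_.FullName -Force -ErrorAction SilentlyContinue
            }
    }
}

# Dry run first: lists what would be removed without touching anything
Clear-ExchangeDiagnosticLogs -RetentionDays 14 -WhatIf
```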
That is my list of Exchange tweaks and customizations. It will grow over time with the newer versions but for the folks not in a hurry to move from an older Exchange to the Exchange 2019 version, these tweaks and customizations may help you and ease the strain on your servers.