The affected clients include Microsoft Outlook, Quest Migration Manager for Exchange, and BlackBerry Enterprise Server.
Note: Windows Server 2003 and earlier versions of Microsoft Windows operating systems do not exhibit this behavior. The change of behavior in Windows Server 2008 is intended to protect domain controllers against clients that open too many NSPI connections without then closing the connections. Too many connections such as these can result in resource depletion.
Note: The Outlook NSPI MAPI provider that is installed with Microsoft Outlook is intended for use only together with Microsoft Outlook. External scripts and applications that rely on the Outlook NSPI MAPI provider are not supported.
How to modify the registry to allow for additional NSPI connections

Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
If more concurrent NSPI connections per user are legitimately required, you can change the default limit. To do this, follow these steps:
- Click Start, click Run, type regedit, and then click OK.
- Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS
- Click the Parameters key.
- On the Edit menu, point to New, and then click DWORD Value.
- Type NSPI max sessions per user, and then press Enter.
- Double-click NSPI max sessions per user, type the maximum number of the NSPI connections that you want to have, and then click OK.
Note: Although the upper limit of this setting is 0xffffffff (or 4294967295), a server configuration that has a value that is larger than the default value will consume additional memory (one new page per connection) on the server. If this value is set too high, and too many connections are created for each user application instance, the server will run low on memory or become completely unresponsive. The lower default NSPI connection limit in Windows Server 2008 was based on customer experience in which previous operating systems would allow themselves to be overwhelmed by third-party products in what is essentially a denial of service attack. You should use a common sense approach to increase the maximum session setting beyond the default value. For example, start by using decimal 250 (hex 0x000000FA), and then test to see the memory overhead that is created and whether the errors have stopped. Your long-term solution must be to contact the vendor of your NSPI product to ask them to change this behavior. A change in the registry value is only a workaround to provide error relief.
- Exit Registry Editor.
- Restart the computer or restart Active Directory Domain Services.
For Windows Server 2008 only

Note: Windows Server 2008 R2 and later versions log this event by default. In Windows Server 2008, this is a verbose level of event logging that may generate many events. This verbose level of event logging includes events that are unrelated to the diagnosis of this issue. We recommend that you restore this setting to the default value after you finish troubleshooting.
To verify in Windows Server 2008 whether you encountered the issue that is described in the "Symptoms" section, enable event logging for NSPI connections. To do this, follow these steps:
- On the domain controller that is targeted for the NspiBind connection, click Start, click Run, type regedit, and then click OK.
- Locate and then double-click the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Diagnostics\4 MAPI Interface Events
- In the Value data box, type 5, and then click OK.
Note: The default value of this registry entry is 0 (zero).
- On the File menu, click Exit.
Event ID: 2820
NSPI max connection limit for the user has reached.
You need to do NSPI unbind on old connections before making new connections.
Max NSPI connections per user:
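The two registry procedures above can also be scripted. The following PowerShell is an added example, not part of the original article or a Microsoft-supplied script: it reads and sets the per-user limit and, for Windows Server 2008, raises the MAPI interface logging level only for a bounded window before restoring it. The function names, the 10000 ceiling, and the `Directory Service` log name are assumptions of this example.

```powershell
# Added example (not from the original article). Run elevated on the domain controller.
$ParamsKey = 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters'
$DiagKey   = 'HKLM:\System\CurrentControlSet\Services\NTDS\Diagnostics'
$LimitName = 'NSPI max sessions per user'
$DiagName  = '4 MAPI Interface Events'

function Get-NspiSessionLimit {
    # $null means the value is absent and the built-in default limit applies.
    $p = Get-ItemProperty -Path $ParamsKey -Name $LimitName -ErrorAction SilentlyContinue
    if ($p) { $p.$LimitName } else { $null }
}

function Set-NspiSessionLimit {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateRange(1, 10000)]   # guardrail chosen for this example, not a product limit
        [int]$MaxSessions
    )
    if ($MaxSessions -gt 250) {
        Write-Warning "Above the article's suggested starting value of 250; each connection costs one memory page."
    }
    New-ItemProperty -Path $ParamsKey -Name $LimitName -PropertyType DWord -Value $MaxSessions -Force | Out-Null
    Write-Warning 'Restart the computer or Active Directory Domain Services for the change to apply.'
}

function Watch-NspiLimitEvents {
    # Windows Server 2008 only: raise MAPI interface logging to 5, collect
    # event 2820 for a while, then always restore the previous level.
    param([int]$Seconds = 300)
    $previous = (Get-ItemProperty -Path $DiagKey -Name $DiagName).$DiagName
    $start = Get-Date
    try {
        Set-ItemProperty -Path $DiagKey -Name $DiagName -Value 5
        Start-Sleep -Seconds $Seconds
        # Assumption: the event is written to the 'Directory Service' log.
        Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2820; StartTime = $start } -ErrorAction SilentlyContinue
    }
    finally {
        Set-ItemProperty -Path $DiagKey -Name $DiagName -Value $previous
    }
}

# Usage, following the article's advice to start at 250 and then test:
# Get-NspiSessionLimit
# Set-NspiSessionLimit -MaxSessions 250
# Watch-NspiLimitEvents -Seconds 600 | Format-List TimeCreated, Message
```

The `finally` block restores the logging level even if the collection is interrupted, so verbose logging is not left enabled after troubleshooting.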
A network capture of the failure may contain packets that resemble the following.
| ServerIP | ClientIP | NSPI | NspiBind response, Status: MAPI_E_LOGON_FAILED |