Microsoft Exchange 2000 Server Maintenance, Monitoring, and Queuing

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

from Chapter 15, Microsoft Exchange 2000 Administrator's Pocket Consultant by William R. Stanek.

With the exception of backup and recovery, no administration tasks are more important than maintenance, monitoring, and queue tracking. You must maintain Microsoft Exchange 2000 Server in order to ensure proper flow and recoverability of message data. You need to monitor Exchange Server to ensure that services and processes are functioning normally, and you need to track Exchange Server queues to ensure that messages are being processed.

Tracking and Logging Activity in the Organization

This section examines message tracking, protocol logging, and diagnostic logging. You use these features to monitor Exchange Server and to troubleshoot messaging problems.

Using Message Tracking

You use message tracking to monitor the flow of messages into the organization and within it. With message tracking enabled, Exchange Server maintains daily log files with a running history of all messages transferred within the organization. You use the logs to determine the status of a message, such as whether a message has been sent, received, or is waiting in the queue to be delivered. Because Exchange Server handles postings to public folders in much the same way as e-mail messages, you can also use message tracking to monitor public folder usage.

Tip: Tracking logs can really save the day when you're trying to troubleshoot delivery and routing problems. The logs are also useful in fending off problem users who blame e-mail for their woes. Users can't claim they didn't receive e-mails if you can find the messages in the logs.

Enabling Messaging Logging

Each Exchange server in your organization can have a different message logging setting. Standard message tracking allows you to search for messages by standard header information (date, time, message ID) as well as by sender and recipient. Extended message tracking allows you to perform searches based on message subject lines, header information, sender, and recipient.

To configure message logging, complete the following steps:

  1. Start System Manager. If administrative groups are enabled, expand the administrative group in which the server you want to use is located.

  2. Expand Servers, right-click the server you want to work with, and then select Properties. This displays the dialog box shown in Figure 15-1.

    Figure 15-1. Use the server's Properties dialog box to configure message tracking, but keep in mind that the log files can use a considerable amount of disk space.

  3. To enable standard logging, select Enable Message Tracking.

  4. To enable extended logging, select Enable Message Tracking, and then select Enable Subject Logging And Display.

  5. By default, Exchange Server removes log files that are more than seven days old. If you'd like to maintain log files for a different length of time, type the new interval in the Remove Files Older Than (Days) field. If you'd like to keep all log files, clear Remove Log Files.

  6. Click OK.

    Caution: Message log files can use a considerable amount of disk space. In most cases you want Exchange Server to delete log files after a certain period of time. If you don't do this, the log files may use up all the space on the hard disk.

Searching Through the Tracking Logs

You use the Message Tracking Center to search through the message tracking logs. The tracking logs are very useful in troubleshooting problems with routing and delivery. You can search the logs in several ways:

  • By sender

  • By recipient

  • By date

  • By message ID

  • By subject (if subject logging is enabled)

To begin a search, you must specify one or more of the previously listed identifiers as the search criteria. You must also identify a server in the organization that has processed the message in some way. This server can be the sender's server, the recipient's server, or a server that relayed the message.

To search through the message tracking logs, complete the following steps:

  1. Start System Manager, and then in the console tree, double-click Tools.

  2. Right-click Message Tracking Center, and then click Track Message. You should now see the Message Tracking Center dialog box as shown in Figure 15-2.

  3. To search for messages, you're required to identify only the name of a server that processed the message within the organization and the search interval. All other search parameters are optional.

  4. You use the fields in the General tab to set the following search criteria:

    • From: Sets the sender's e-mail address

    • Sent To: Sets the e-mail address of one or more recipients

    • Server(s): Sets the name of one or more servers that processed the message within the organization

    Note: Only messages that match all the search criteria you've specified are displayed. If you want to perform a broad search, specify a limited number of parameters. If you want to focus the search precisely, specify multiple parameters.

    Figure 15-2. Use the Message Tracking Center to search for user messages, system messages, and postings to public folders.

  5. Use the fields in the Date & Time tab to set the search interval:

    • On: Searches for messages on the designated date only

    • Between: Searches for messages from a starting date and time to an ending date and time

    • During The Previous: Searches for messages sent through the server over a period of days

  6. If you know the ID of the message you want to search for, you can type the value in the Message ID field in the Advanced tab.

  7. Click Find Now to begin the search. Messages matching the search criteria are displayed. If you need to cancel the search operation, click Stop.

  8. Select a message to view its message tracking history, as shown in Figure 15-3. The Message History dialog box display gives you several options:

    • You can view more detailed information for each processing entry. Select an entry in the Message History dialog box, and then click Details.

    • You can save the message history as a text file. Click Save, and then use the Save As dialog box to specify the location and file name for the message history file.

    • You can close the message history or stop the active history iteration by clicking Close or Stop, respectively.

    Figure 15-3. The Message History dialog box tells you how the message was processed. At each stage you can view more detailed information by selecting an entry and clicking Details.

Reviewing Message Tracking Logs Manually

Exchange Server creates message tracking logs daily and stores them in the Exchsrvr\ServerName.log directory, where ServerName is the name of the Exchange server. Each log file is named for the date on which it was created, using the format YYYYMMDD.LOG, such as 20000925.LOG.

The log files are written as tab-delimited text, and they begin with a header that shows the following information:

  • A statement that identifies the file as a message tracking log file

  • The version of the Exchange System Attendant that created the file

  • A tab-delimited list of fields contained in the body of the log file

You can view the log files with any standard text editor, such as Microsoft Notepad. You can also import the log files into a spreadsheet or a database. Follow these steps to import a log file into Microsoft Excel 2000:

  1. Start Excel 2000. From the File menu, choose Open. Use the Open dialog box to select the log file you want to open. Click Open.

  2. The Text Import Wizard is started automatically. The wizard should detect all the appropriate settings, so click Finish immediately.

  3. The log file should now be imported. You can view, search, and print the log as you would any other spreadsheet.
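
The same tab-delimited layout can also be searched with a script. The following Python sketch is an added example, not from the book: it reads the field list from the header, then applies every search criterion together, as the Message Tracking Center does. The `#` header prefix, the column names, the sample rows, and the function names are assumptions; a real log supplies its own field list.

```python
import csv
from datetime import date, timedelta

# Constructed sample. The page specifies only the layout: an identifying
# statement, the System Attendant version, then a tab-delimited field list.
# The '#' prefix, the column names and the rows below are assumptions.
TRACKING_SAMPLE = "\n".join([
    "# Message Tracking Log File",
    "# Exchange System Attendant Version 0.0 (constructed)",
    "# Date\tTime\tSender-Address\tRecipient-Address\tMSGID\tMessage-Subject",
    "2000-9-25\t14:02:11\talice@example.com\tbob@example.com\tM1@MAIL01\tQ3 budget",
    "2000-9-25\t14:02:12\talice@example.com\tcarol@example.com\tM1@MAIL01\tQ3 budget",
    "2000-9-25\t15:40:03\tdave@example.com\tbob@example.com\tM2@MAIL01\tLunch",
]) + "\n"


def daily_log_names(last_day, days):
    """File names (YYYYMMDD.LOG) covering `days` days ending on `last_day`."""
    return [(last_day - timedelta(days=n)).strftime("%Y%m%d") + ".LOG"
            for n in range(days - 1, -1, -1)]


def read_tracking_log(text):
    """Return one dict per entry, keyed by the field names in the header."""
    lines = text.splitlines()
    header = [ln for ln in lines if ln.startswith("#")]
    if not header:
        raise ValueError("no header found; is this a tracking log?")
    # The field list is the last header line; drop the comment marker.
    fields = header[-1].lstrip("# ").split("\t")
    body = [ln for ln in lines if ln and not ln.startswith("#")]
    rows = []
    for values in csv.reader(body, delimiter="\t", quoting=csv.QUOTE_NONE):
        if len(values) != len(fields):
            continue  # truncated or damaged line: skip rather than misalign
        rows.append(dict(zip(fields, values)))
    return rows


def search(rows, **criteria):
    """Keep rows that match ALL criteria (case-insensitive exact match).

    Keyword names use '_' where the field name has '-',
    for example Sender_Address for Sender-Address.
    """
    wanted = {k.replace("_", "-"): v.lower() for k, v in criteria.items()}
    unknown = set(wanted) - set(rows[0]) if rows else set()
    if unknown:
        raise KeyError(f"fields not in this log: {sorted(unknown)}")
    return [r for r in rows
            if all(r[k].lower() == v for k, v in wanted.items())]


if __name__ == "__main__":
    print(daily_log_names(date(2000, 9, 25), 3))
    entries = read_tracking_log(TRACKING_SAMPLE)
    for hit in search(entries, Sender_Address="alice@example.com",
                      Recipient_Address="bob@example.com"):
        print(hit["Date"], hit["Time"], hit["MSGID"], hit["Message-Subject"])
```

Adding a criterion narrows the result and removing one broadens it, which mirrors the note about search parameters in the Message Tracking Center procedure.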

Deleting Message Tracking Logs

By default, Exchange Server removes log files that are more than seven days old. If you'd like to maintain log files for a different length of time, you'll need to change the default settings by completing the following steps:

  1. Start System Manager. If administrative groups are enabled, expand the administrative group in which the server you want to use is located.

  2. Expand Servers, right-click the server you want to work with, and then select Properties.

  3. If you'd like to keep all log files, clear Remove Log Files. If you'd like Exchange Server to automatically delete log files at a specified interval, select Remove Log Files, and then type the removal interval in the Remove Files Older Than (Days) field.

  4. Click OK.

Using Protocol Logging

Protocol logging allows you to track commands that virtual servers receive from clients. You use protocol logging to troubleshoot problems with Hypertext Transfer Protocol (HTTP), Simple Mail Transfer Protocol (SMTP), and Network News Transfer Protocol (NNTP). But you shouldn't use protocol logging to monitor Exchange activity. This is primarily because protocol logging is process and resource intensive, which means that Exchange Server has to perform a lot of work in order to log activity that's related to a particular protocol.

Working with Protocol Logging Properties and Fields

When you enable protocol logging, you specify the properties that you want to track. The more properties you track, the more system resources protocol logging requires.

Table 15-1 summarizes key properties that you'll want to track. The first column shows the name of the logging property. The second column shows the name of the field in the protocol log file.

Table 15-1. Key Protocol Logging Properties and Fields

| Property Name | Log Field | Description |
| --- | --- | --- |
| Date | date | Connection date. |
| Time | time | Connection time. |
| Client IP Address | c-ip | IP address of the client making the request. |
| User Name | cs-username | Account name of an authenticated user. |
| Service Name | s-sitename | Name of the service processing the command. |
| Server Name | s-computername | Server on which the log entry was generated. |
| Server IP Address | s-ip | IP address of the server on which the log entry was generated. |
| Method | cs-method | Protocol command sent by the client. |
| Protocol Status | sc-status | Protocol reply code. |
| Win32 Status | sc-win32-status | Microsoft Windows 2000 status or error code. Zero indicates success. |
| Bytes Sent | sc-bytes | Bytes sent by the server. |
| Bytes Received | cs-bytes | Bytes received by the server. |
| Time Taken | time-taken | Length of time the action took in milliseconds. |

HTTP, SMTP, and NNTP support a slightly different set of properties. If a protocol doesn't support a property, the related field is recorded with a dash (-) or a zero (0).

Enabling Protocol Logging for HTTP, NNTP, and SMTP

You enable protocol logging on each virtual server separately. You use HTTP virtual servers to track protocol logging for HTTP and Outlook Web Access (OWA). You use SMTP virtual servers to track protocol logging for SMTP mail submission and SMTP mail transport. You use NNTP virtual servers to track protocol logging for NNTP newsgroups.

To enable protocol logging for HTTP, SMTP, or NNTP, complete the following steps:

  1. Start System Manager. If administrative groups are enabled, expand the administrative group in which the server you want to use is located.

    Note: You can't configure the default HTTP virtual server (Exchange Virtual Server) using this procedure. Instead, start Internet Services Manager, right-click the Default Web Site, and then select Properties. You can now configure this site as explained in the following Steps 4-9.

  2. In the console tree, navigate to the Protocols container. Expand Servers, expand the server you want to work with, and then expand Protocols.

  3. Expand HTTP, SMTP, or NNTP as appropriate. Right-click the virtual server you want to work with, and then select Properties.

  4. In the General tab, select Enable Logging. Use the Active Log Format selection list to choose one of the following log formats:

    • W3C Extended Log File Format: Writes the log in ASCII text following the W3C extended log file format. Fields are space-delimited, and each entry is written on a new line. This style is the default.

    • Microsoft IIS Log File Format: Writes the log in ASCII text following the IIS log file format. Fields are tab-delimited, and each entry is written on a new line.

    • NCSA Common Log File Format: Writes the log in ASCII text following the National Center for Supercomputing Applications (NCSA) Common log file format. Fields are space-delimited, and each entry is written on a new line.

    • ODBC Logging: Writes each entry as a record in the Open Database Connectivity (ODBC)-compliant database you specify.

    Tip: W3C Extended Log File Format is the preferred logging format. Unless you're certain that another format meets your needs, you should use this format with HTTP, SMTP, and NNTP protocol logging.

  5. Click Properties to display a dialog box similar to the one shown in Figure 15-4. You can now set the log time period. In most cases you'll want to create daily or weekly logs, so select either Daily or Weekly.

    Figure 15-4. Use the Extended Logging Properties dialog box to set the log time period, directory, and other properties.

  6. Use the Log File Directory field to set the main folder for log files. By default, log files are written to a subdirectory of %SystemRoot%\System32\LogFiles.

  7. Use the Log File Name field to determine the subdirectory and the name format used with the log files. The specific directory used for logging and the log file name depend on the type of virtual server you're configuring and the log time period. For example, if you're configuring the default SMTP virtual server with daily log files, the full path to the log file subdirectory is %SystemRoot%\System32\LogFiles\SmtpSvc1 and the log file is named using the format EXYYMMDD.LOG, such as EX000925.LOG.

  8. If you selected W3C Extended Log File Format, select the Extended Properties tab, and then choose the fields that should be recorded in the logs.

  9. Click OK twice.

Working with Protocol Logs

Protocol log files can help you detect and trace problems with HTTP, SMTP, and NNTP. By default, protocol log files are written to a subdirectory of %SystemRoot%\System32\LogFiles. You can use the logs to determine

  • Whether a client was able to connect to a specified virtual server and if not, what problem occurred

  • Whether a client was able to send or receive protocol commands and if not, what error occurred

  • Whether a client was able to send or receive data

  • How long it took to establish a connection

  • How long it took to send or receive protocol commands

  • How long it took to send or receive data

  • Whether server errors are occurring and if so, what types of errors are occurring

  • Whether server errors are related to Windows 2000 or to the protocol itself

  • Whether a user is connecting to the server using the proper logon information

Most protocol log files are written as ASCII text. This means you can view them in Notepad or another text editor. You can import these protocol log files into Excel 2000 in much the same way as you import tracking logs.

Log files, written as space-delimited or tab-delimited text, begin with a header that shows the following information:

  • A statement that identifies the protocol or service used to create the file

  • The protocol, service, or software version

  • A date and time stamp

  • A space-delimited or tab-delimited list of fields contained in the body of the log file

If you recorded the log files in an ODBC database, you'll need to perform database queries to search for log entries. Contact your database administrator for assistance.
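
Several of the questions listed above can be answered directly from a W3C Extended Log File Format log. The following Python sketch is an added example, not from the book: it reads the `#Fields:` directive to map columns (the directive can reappear when the field selection changes), then reports per client whether failures come from Windows (non-zero sc-win32-status) or from the protocol, and which command took longest. The sample log is constructed, the function names are hypothetical, and treating reply codes of 400 and above as protocol errors is an assumption of this example.

```python
from collections import defaultdict

# Constructed SMTP protocol log in W3C Extended Log File Format. Field names
# come from Table 15-1; addresses, commands and codes are sample values.
PROTOCOL_SAMPLE = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2000-09-25 14:00:00
#Fields: date time c-ip cs-username cs-method sc-status sc-win32-status time-taken
2000-09-25 14:00:01 192.0.2.10 - HELO 250 0 15
2000-09-25 14:00:02 192.0.2.10 - MAIL 250 0 31
2000-09-25 14:00:03 192.0.2.10 - RCPT 550 0 16
2000-09-25 14:00:09 192.0.2.77 - EHLO 250 0 0
2000-09-25 14:00:40 192.0.2.77 - DATA 250 64 30016
#Fields: date time c-ip cs-method sc-status
2000-09-25 15:10:00 192.0.2.10 QUIT 221
"""


def parse_w3c(text):
    """Yield one dict per entry, honouring every #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # entry before any field list, or a damaged line
        yield dict(zip(fields, values))


def as_int(entry, field):
    """Numeric field value; a field that is absent or '-' counts as 0."""
    value = entry.get(field, "-")
    return int(value) if value.isdigit() else 0


def classify(entry):
    """Return 'windows', 'protocol' or 'ok' for one log entry."""
    if as_int(entry, "sc-win32-status") != 0:
        return "windows"    # Win32 status: zero indicates success
    if as_int(entry, "sc-status") >= 400:
        return "protocol"   # assumption: 4xx/5xx reply codes are failures
    return "ok"


def summarize(text):
    """Per-client counts by class, plus the slowest command seen."""
    report = defaultdict(lambda: {"ok": 0, "protocol": 0, "windows": 0,
                                  "slowest_ms": 0, "slowest_cmd": None})
    for entry in parse_w3c(text):
        client = report[entry.get("c-ip", "-")]
        client[classify(entry)] += 1
        elapsed = as_int(entry, "time-taken")
        if elapsed > client["slowest_ms"]:
            client["slowest_ms"] = elapsed
            client["slowest_cmd"] = entry.get("cs-method", "-")
    return dict(report)


if __name__ == "__main__":
    for ip, stats in sorted(summarize(PROTOCOL_SAMPLE).items()):
        print(ip, stats)
```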

Using Diagnostic Logging

You use diagnostic logging to detect performance problems related to Exchange services. Unlike other logging methods, diagnostic logs aren't written to separate log files. Instead, log entries are written to the Windows 2000 event logs and you use Event Viewer to monitor the related events.

Understanding Diagnostic Logging

All Exchange services record significant events in the Windows 2000 event logs. For key services, however, you can configure additional levels of logging, and then use the additional information to diagnose performance problems.

Like protocol logging, diagnostic logging can significantly affect the performance of Exchange Server. For this reason, you should enable diagnostic logging only when you're trying to troubleshoot a performance problem. And when you do enable it, you should select the level of logging that makes the most sense.

Exchange Server supports four levels of diagnostic logging:

  • None: The default level of diagnostic logging. At this level, Exchange Server records only significant events. These events are written to the application, system, and security event logs along with other information, warning, and error events generated by Exchange services.

  • Minimum: Writes summary entries in the event logs. At this level, Exchange Server records one entry for each major task it performs. You can use minimum logging to help identify where a problem may be occurring but not to pinpoint the exact problem.

  • Medium: Writes both summary and detail entries in the event logs. At this level, Exchange Server records entries for each major task performed and for each step required to complete a given task. Use this logging level once you've identified where a problem is occurring and need to get more information to resolve it.

  • Maximum: Provides a complete audit trail of every action that a service performs. At this level, Exchange Server records everything it's doing, and, as a result, server performance is severely affected. You'll need to watch the log files closely when you use this level. If you don't, they may run out of space.

Table 15-2 provides a summary of Exchange services that support diagnostic logging. Entries written to the event logs are recorded according to the event source that generated the event. The event source relates directly to an Exchange service that you've configured for diagnostic logging. You can use the category of an event to determine what major task is being performed by the event source and thus troubleshoot a related problem.

Table 15-2. Exchange Services that Support Diagnostic Logging

| Service Name | Event Source | Description |
| --- | --- | --- |
| Microsoft Exchange Connector for Novell GroupWise | LME-GWISE | Links Exchange Server and Novell GroupWise |
| Microsoft Exchange Connector for Lotus Notes | LME-Notes | Links Exchange Server and Lotus Notes |
| Microsoft Exchange Connector for Lotus cc:Mail | MSExchangeCCMC | Links Exchange Server and Lotus cc:Mail |
| Microsoft Exchange Router for Novell GroupWise | MSExchangeGWRtr | Routes messages between Exchange Server and Novell GroupWise |
| MS Mail Connector Interchange | MSExchangeMSMI | Links Exchange Server and MS Mail |
| MS SchedulePlus Free-Busy Connector | MSExchangeFB | Links Exchange Server and Microsoft SchedulePlus |
| Microsoft Exchange Directory Synchronization | MSExchangeADDXA | Synchronizes Active Directory directory service with previous versions of Exchange Server |
| Microsoft Exchange IMAP4 | IMAP4Svc | Provides Microsoft Exchange IMAP4 Services |
| Microsoft Exchange Information Store | MSExchangeIS | Manages Microsoft Exchange Information Storage |
| Microsoft Exchange MTA Stacks | MSExchangeMTA | Provides Microsoft Exchange X.400 services |
| Microsoft Exchange POP3 | POP3Svc | Provides Microsoft Exchange POP3 Services |
| Microsoft Exchange Routing Engine | MSExchange Transport | Processes Microsoft Exchange message routing and link state information for SMTP |
| Microsoft Exchange Site Replication Service | MSExchangeSRS | Replicates Exchange information within the organization |
| Microsoft Exchange System Attendant | MSExchangeSA, MSExchangeAL, MSExchangeDX | Monitors Microsoft Exchange Server and provides essential services |

Enabling and Disabling Diagnostic Logging

You configure diagnostic logging separately for each Exchange server in the organization. Logging begins immediately at the level you specify. The default logging level is None.

To enable diagnostic logging, complete the following steps:

  1. Identify the performance problems that users are experiencing and use Table 15-2 to identify services on which you may want to configure diagnostic logging in order to resolve the performance problems.

  2. Start System Manager. If administrative groups are enabled, expand the administrative group in which the server you want to use is located.

  3. Expand Servers. Right-click the server you want to work with, and then select Properties.

  4. Click the Diagnostics Logging tab as shown in Figure 15-5.

    Figure 15-5. Use the Diagnostics Logging tab to configure diagnostic logging separately for each Exchange server in the organization.

  5. Use the Services list to select a service you want to track. The Categories list should now display a list of major activities that you can track, such as Replication, Authentication, or Connection.

  6. In the Categories list, select an activity to track, and then choose a Logging Level—either Minimum, Medium, or Maximum. Repeat this step for other activity categories that you want to track.

  7. As necessary, repeat Steps 5 and 6 for other services that you want to track.

  8. Click OK.

To disable diagnostic logging, complete the following steps:

  1. Start System Manager. If administrative groups are enabled, expand the administrative group in which the server you want to use is located.

  2. Expand Servers. Right-click the server you want to work with, and then select Properties.

  3. Click the Diagnostics Logging tab. Use the Services list to select each service in turn. Watch the Categories list. If any activities are being tracked, select the activity to track, and then choose a Logging Level of None.

  4. Click OK.

Viewing Diagnostic Events

Events generated by diagnostic logging are recorded in the Windows 2000 event logs. The primary log that you'll want to check is the Application log. In this log you'll find the key events recorded by Exchange 2000 services. Keep in mind that related events may be recorded in other logs, including the Directory Service, DNS Server, Security, and System logs. For example, if the server is having problems with a network card and this card is causing message delivery failure, you'll have to use the System log to pinpoint the problem.

You access the Application log by completing the following steps:

  1. Start Computer Management. Click Start, point to Programs, point to Administrative Tools, and then select Computer Management.

  2. In the console tree, right-click the Computer Management entry and choose Connect To Another Computer from the shortcut menu. You can now choose the server whose logs you want to manage.

  3. Expand the System Tools node by clicking the plus sign (+) next to it, and then double-click Event Viewer. You should now see a list of logs as shown in Figure 15-6.

  4. Select Application Log.

    Figure 15-6. Event Viewer displays events for the selected log.

Entries in the main panel of Event Viewer provide an overview of when, where, and how an event occurred. To obtain detailed information on an event, double-click its entry. The event type precedes the date and time of the event. Event types include

  • Information: An informational event, which is generally related to a successful action.

  • Warning: Details for warnings are often useful in preventing future system problems.

  • Error: An error, such as the failure of a service to start.

In addition to type, date, and time, the summary and detailed event entries provide the following information:

  • Source: The application, service, or component that logged the event.

  • Category: The category of the event, which is sometimes used to further describe the related action.

  • Event: An identifier for the specific event.

  • User: The user account that was logged on when the event occurred.

  • Computer: The name of the computer where the event occurred.

  • Description: In the detailed entries, this provides a text description of the event.

  • Data: In the detailed entries, this provides any data or error code output created by the event.

Use the event entries to detect and diagnose Exchange performance problems.

from Microsoft Exchange 2000 Administrator's Pocket Consultant by William R. Stanek. Copyright © 1999 Microsoft Corporation.
