Monitoring Important Exchange Server 2003 Components


Topic Last Modified: 2006-04-07

As a client/server messaging system, Microsoft® Exchange Server 2003 relies on active server services. Some are specific to Exchange 2003, such as the Microsoft Exchange Information Store service, which maintains the messaging databases. Other components are provided by the operating system, such as Active Directory® directory service and Internet Information Services (IIS). You must understand the interdependencies among all these components to evaluate their influence on the overall system state of an Exchange server.

Core components of Exchange 2003 include:

  • Domain Name System (DNS)   You should deploy the DNS Management Pack for MOM 2005 to monitor your DNS system. Exchange 2003 relies on host name resolution for both local and external SMTP-based messaging systems in the network. Host name resolution is based primarily on DNS, and DNS is a critical network service. As mentioned, DNS is required for Active Directory and Exchange Server 2003.

  • Active Directory   This is the directory service of Exchange 2003. Exchange servers and messaging clients, such as Microsoft Office Outlook® 2003, access Active Directory in situations such as when logging on to the network and connecting to a mailbox, or accessing server-based address lists. Your messaging environment requires a dependable Active Directory infrastructure. For information about monitoring Active Directory, see Active Directory Management Pack for MOM 2005 at

  • System Attendant   This is an Exchange-specific service that contains a DSAccess module that communicates with Active Directory to retrieve and cache directory information. Another important component of system attendant is DSProxy, which forwards MAPI-based address lookups to a global catalog server. System attendant also manages mailbox-enabled user properties, generates routing tables, and communicates with other components, such as IIS and Active Directory. Most of the other Exchange services depend on the system attendant. You should monitor this service as part of the overall Exchange system monitoring.

  • Microsoft Exchange Information Store   This is one of the most important services of Exchange 2003, and it should be monitored continuously. The Microsoft Exchange Information Store service maintains all user mailboxes and public folders in messaging databases. If the Microsoft Exchange Information Store service is stopped, users cannot gain access to the e-mail messages stored in their mailboxes.

  • SMTP Transport Engine   This is the core transport subsystem of Exchange 2003. All messages must pass through the SMTP transport engine, whether they are sent to users on the Internet, to another server in the same Exchange 2003 organization, or to the sender's local server. Monitoring this service and its associated message queues, and reacting quickly to issues related to the SMTP service lets you make sure that messages can reach their destinations with minimum delays.

  • Message Transfer Agent (MTA)   This service provides the necessary routing functions when communicating with Microsoft Exchange Server 5.5, with X.400 messaging systems, or with non-Exchange messaging systems through Connector for Lotus Notes or Connector for Novell GroupWise. You should monitor this service if you are responsible for a complex environment that includes Exchange 5.5 servers or a non-Exchange messaging system. It is recommended that the Microsoft Exchange MTA Stacks service be running on every Exchange server.

  • Complementary Services   Complementary services are primarily those that integrate with IIS to support several messaging clients, such as the Network News Transfer Protocol (NNTP) service, Post Office Protocol version 3 (POP3), Internet Message Access Protocol version 4rev1 (IMAP4), Outlook Web Access, Outlook Mobile Access, and Exchange ActiveSync®. The complementary services that you must monitor depend on the messaging clients that your information workers are using to access their mailboxes.

Monitoring these components for availability and ensuring reliable performance requires understanding the purpose and scope of the components. The key components of Exchange 2003 are explained in the following sections.

The system attendant service, with its internal DSAccess component, is a critical part of the Exchange 2003 architecture and must be running before Microsoft Exchange Information Store service and Exchange MTA Stacks service can start. If you start the Microsoft Exchange Information Store service when system attendant is stopped, the system attendant service will be started automatically.

DSAccess is used for the major communication between Exchange 2003 and Active Directory. When Exchange starts, it uses DSAccess to locate a domain controller for access to Active Directory information. Exchange 2003 uses both domain controllers and global catalog servers. DSAccess uses domain controllers to obtain configuration and schema information about classes and attributes, and to make system changes, such as changing server properties and applying policies to administrative groups. DSAccess queries global catalog servers to access data replicated from domain controllers about user and group objects. You can determine the domain controller and global catalogs that Exchange 2003 is using in Exchange System Manager at the server's Directory Access property page.

To decrease server load and excessive queries to Active Directory, DSAccess maintains a cache of configuration information from resultant query data. After information is queried from a domain controller or a global catalog server, DSAccess stores it in the cache. When the same information is queried again, Exchange uses the DSAccess cache instead of obtaining Active Directory data from a domain controller or a global catalog server.

The Exchange Management Pack tracks many events that the MSExchangeDSAccess and MSExchangeSA components write to the event log, so that you can monitor system attendant. MSExchangeSA and MSExchangeDSAccess are the most important sources of event log entries pertinent to system attendant. You can view a list of event categories for these components when you display the properties of your Exchange server in Exchange System Manager, and then click the Diagnostics Logging tab. The categories correspond to the event categories in Event Viewer.

  • MSExchangeSA   This source includes the following event categories:

    • Monitoring

    • E-mail address generation

    • Remote Procedure Calls (RPCs)

    • Statistics gathering

    • MAPI session

    • Offline Address List (OAL) generator

    • Replication configuration

    • Mailbox management

    • Routing table generation

    • Directory Service Referral (RFR) interface

    • Name Service Provider Interface (NSPI) proxy

    • Proxy generation

  • MSExchangeDSAccess   This source represents the DSAccess component and includes the following event categories:

    • Cache

    • Configuration

    • Lightweight Directory Access Protocol (LDAP)

    • Topology

The Exchange Management Pack also uses performance counters to monitor system attendant and its internal components. The performance counters of system attendant include:

  • MSExchangeDSAccess Caches   This object deals with monitoring the DSAccess cache. It includes counters to track configuration data object expiry, insertion, searches, LDAP queries, objects not found, and total entries in the cache.

  • MSExchangeDSAccess Processes   This object includes counters to monitor LDAP search calls and time taken to send search and read requests and receive a response. It checks the following instances:

    • MAD.EXE   The system attendant executable.

    • STORE.EXE   The Microsoft Exchange Information Store service executable.

    • INETINFO.EXE   The IIS main executable that includes SMTP virtual server functionality.

    • EMSMTA.EXE   The MTA executable.

  • MSExchangeDSAccess Global Counters   This object includes counters for DNS query and topology discovery duration in addition to in-site and out-of-site numbers of available global catalog servers and domain controllers.

  • MSExchangeDSAccess Domain Controllers   This object includes counters that monitor LDAP calls, connection, searches, search times, and Active Directory synchronization data.

  • MSExchangeSA – NSPI Proxy   This object includes counters for monitoring connections by the NSPI proxy from and to clients and NSPI proxy connect operations to the domain controller.

The Microsoft Exchange Information Store service and associated databases are important components in Exchange 2003. Exchange Server 2003 stores user mailboxes and public folders in messaging databases. Microsoft Exchange Information Store service maintains these databases, and it is important to monitor this service to be informed about potential problem sources before they can affect the availability of the Microsoft Exchange Information Store service.

The Microsoft Exchange Information Store service relies on Extensible Storage Engine (ESE) to work with the actual database structures. Messaging databases are managed in storage groups and include transaction log files, a MAPI-based database file, and a streaming database. ESE uses transaction log files to store transactions that have been committed to memory in a persistent file without the overhead of performing a complex database operation. This makes sure that no data is lost if there is an unexpected server shutdown. Later, transactions are committed from the transaction log file to the MAPI-based database file. For messages in Internet format that are received through the SMTP transport service, Exchange uses a streaming database to store the messages without the overhead of converting them to MAPI-based format. This is done later if a MAPI-based client, such as Microsoft Outlook®, requests the message.

When monitoring the Microsoft Exchange Information Store service, remember that you must also monitor ESE, because memory, transaction log files, and messaging databases make up the database. All these parts must be considered when planning administration and maintenance.

The Microsoft Exchange Information Store service depends on the following:

  • ExIFS   The Exchange Installable File System (ExIFS) represents the drive interface installed with Exchange 2003. It enables Exchange to read and write to and from folders.

  • Web Storage System (WSS)   The ExIFS depends on the Web Storage System (WSS), which combines the file system and the database into a cohesive collaboration system. The WSS can be accessed in several ways, including MAPI clients, XML, HTTP, WebDAV, and Win32® API calls. These combined components enable the Microsoft Exchange Information Store service to use disk space in an organized way.

  • Microsoft Exchange System Attendant   As previously mentioned, System Attendant provides monitoring, maintenance, and Active Directory lookup services. With the Microsoft Exchange Information Store service, system attendant triggers the defragmentation of the databases.

The Exchange Management Pack uses the following event sources to monitor the Exchange store:

  • MSExchangeIS   This source records events that are related to client logon and authentication, configuration and replication, internal database consistency and operations, virus scanning, transfers to and from gateways, and client actions.

  • MSExchangeIS Public Folder   Similar to the MSExchangeIS event source, the MSExchangeIS Public Folder event source records events that specify logons, move mailbox operations, database consistency and operations, downloads, views, transfers in and out of the gateway, replication status, recovery, and message transfer agent (MTA) connections.

  • MSExchangeIS Mailbox   This source logs the same events as MSExchangeIS Public Folder, except that it deals with the mailbox store instead of the public folder store.

The following performance counters enable the Exchange Management Pack to monitor Exchange store instances:

  • MSExchangeIS   This object includes counters to track the following:

    • Access control list (ACL) upgrade failures, tries, and completions

    • Active and anonymous user counts and connections

    • Appointment creation and deletion (both single and recurrent)

    • Client latencies

    • RPC failures, RPC successes, RPC tries, and RPC clients bytes, packets, and requests

    • Distribution list membership cache

    • Memory allocation and use through Exchmem.dll file

    • Maximum users and connections

    • Recurring appointments

    • Results from virus scan operations

    • Virtual memory use

  • MSExchangeIS Mailbox and MSExchangeIS Public   These objects include tracking counters for delivery time, clients logged on, WebDAV, message send and receive, queue sizes, and items retained for Item Recovery in the public folder store and mailbox store.

  • MSExchangeIS Transport Driver   This object includes counters to track the following:

    • MTA delivery, receipt, and message amounts

    • Message size

    • Local delivery reads and writes

    • MAPI client submissions, deletions, and lists

    • Transport temporary tables

The core transport engine in Exchange 2003 is the Simple Mail Transfer Protocol (SMTP), which is based on the following components:

  • Routing module   This component manages how the messages arrive at their destination.

  • Categorizer   This component resolves sender and recipients against Active Directory, determines destination, and applies limits such as maximum message size.

  • Protocol engine   This component communicates with neighboring SMTP services to transfer messages from server to server across the messaging network.

  • Store driver   This component provides the interface between the SMTP service and the Microsoft Exchange Information Store service. It uses ExIPC for inter-process communication, and more.

Exchange 2003 uses SMTP virtual servers to provide a transport mechanism for Exchange communication within routing groups. SMTP connectors can also be used to connect separate Exchange routing groups or an entire Exchange 2003 organization to the Internet. SMTP connectors provide a means to streamline message routing. For the actual message transfer, however, SMTP connectors rely on the specified SMTP virtual servers.

Your SMTP virtual servers and the SMTP service must be functional for both internal communication and communication with outside organizations to occur. Because the SMTP service integrates with Internet Information Services (IIS), IIS must be functional. Monitor all these components to verify that all messages arrive at their destinations in a timely manner. Any monitoring of message transfer efficiency and reliability involves inbound and outbound messages, message queues, transport rates, and connections, in addition to the IIS Admin Service and SMTP service.

The Exchange Management Pack uses events from MSExchangeTransport event source to monitor the components of the SMTP transport service. This includes the following categories:

  • Categorizer   This category logs events related to message processing, LDAP queries, and recipient lookup information.

  • Connection Manager   This category provides message delivery notification logging.

  • Exchange Store Driver   This category logs events that occur between Microsoft Exchange Information Store service and the queuing engine.

  • Queuing engine   This category logs events related to queue operations such as writes, reads, and sizes.

  • Routing Engine/Service   This category logs routing service results such as DNS lookups and next routing hop information.

  • SMTP Protocol   This category logs SMTP service operations.

The related performance counters that the Exchange Management Pack uses to track system performance are listed below:

  • SMTP Server   This is the main performance object for the SMTP service. The Local and Categorizer queues of the SMTP server component, together with message retries, are especially important: queue growth can indicate a transfer problem, and determining the point of failure can be challenging because of the various components involved. The object includes several monitoring counters, such as:

    • Local versus remote recipients

    • Average retries of message deliveries

    • Message statistics about badmail (e-mail messages in the BadMail folder; typically, these are messages that cannot be delivered to your organization or returned to the sender)

    • Total bytes, sent, received, and per second

    • Categorizer counters for lookups, failure, completions, LDAP connections, message submission and categorization, and the Categorizer queue length

    • Messages processed for local delivery, message bytes received and sent

    • DNS queries

    • Queue length

    • Inbound and outbound connections

    • Routing table lookups

  • SMTP Routing   This object includes monitors for link state changes, server cache refreshes, and local ResetRoutes.

  • SMTP NTFS Store Driver   This object includes counters for total messages allocated, deleted, or put in the queue, in addition to open message bodies and streams.
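The following added example (not part of the original topic or of the Exchange Management Pack) shows one way to separate sustained growth in the Local and Categorizer queues from a burst that drains by itself. The threshold, the window size, the sample values, and the mapping from queue to the component to inspect first are assumptions of this example, derived from the component descriptions above.

```python
# Added example: separating sustained SMTP queue growth from a burst.
# Threshold, window and sample values are constructed for illustration.

# Component to inspect first for each queue counter. This mapping is an
# assumption of the example, based on the page's description of the
# categorizer (resolves recipients against Active Directory) and the store
# driver (interface between SMTP and the Information Store service).
FIRST_SUSPECT = {
    "Categorizer Queue Length": "categorizer: Active Directory lookups",
    "Local Queue Length": "store driver: Microsoft Exchange Information Store service",
}

# Constructed samples, oldest first, one value per polling interval.
SAMPLES = {
    "Local Queue Length": [2, 5, 120, 80, 30, 4, 1, 0],
    "Categorizer Queue Length": [0, 10, 60, 75, 90, 140],
}


def classify(samples, threshold=50, window=4):
    """Classify one counter's history as ok, transient, draining or growing.

    ok        - the queue never reached the threshold
    transient - it crossed the threshold but was not backed up for a full window
    draining  - backed up for the whole window, but shrinking
    growing   - backed up for the whole window and not shrinking
    """
    if window < 2:
        raise ValueError("window must cover at least two samples")
    if not samples or max(samples) < threshold:
        return "ok"
    recent = samples[-window:]
    backed_up = len(recent) == window and min(recent) >= threshold
    if not backed_up:
        return "transient"
    return "growing" if recent[-1] >= recent[0] else "draining"


def assess(counters, threshold=50, window=4):
    """Return (counter, first_suspect) pairs for queues that keep growing."""
    findings = []
    for name in sorted(counters):
        if classify(counters[name], threshold, window) == "growing":
            suspect = FIRST_SUSPECT.get(name, "unmapped queue: check SMTP service and IIS")
            findings.append((name, suspect))
    return findings


if __name__ == "__main__":
    for counter, suspect in assess(SAMPLES):
        print(f"{counter} keeps growing; inspect {suspect}")
```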

The MTA has been replaced with SMTP as the preferred message transport mechanism in Exchange 2000 and Exchange 2003. However, the MTA is still essential in the Exchange architecture, especially when Exchange 2003 is deployed in complex environments with mixed server architectures. For example, Exchange 2003 communicates with Exchange 5.5 through the MTA, if Exchange 2003 is installed in the local site of the Exchange 5.5 server.

Microsoft Exchange MTA Stacks depends primarily on system attendant for communication with Active Directory through DSAccess, which was discussed earlier in this section. When communicating with other Exchange 5.5 servers installed in the local site/routing group, the MTA uses RPCs. When communicating with remote Exchange servers or non-Exchange remote MTAs, the Exchange MTA uses X.400 connector instances, which require an MTA transport stack for TCP/IP or X.25 installed on the local computer. RPC-based MTA communication relies on dynamic port assignments, managed by RPC endpoint mapper.

The Exchange Management Pack tracks events from the event source MSExchangeMTA to monitor the Microsoft Exchange MTA Stacks service. This includes the following categories:

  • X.400 Service   This is for X.400 protocol events, such as submission and delivery reports.

  • Resource   This is for events related to the use of MTA resources.

  • Security   This is for events related to attempted security violations.

  • Interface   This is for communication among MTA components and between MTAs. Includes RPC use.

  • Field Engineering   This is for internal debugging trace.

  • MTA Administration   This is for administration program access to MTA queues and routing information.

  • Configuration   This is for the configuration of internal parameters or problems in one or more MTA configuration files.

  • Directory Access   This is for events related to use of the directory by MTA.

  • Operating System   This is for events related to the use of Microsoft Windows NT® functions by MTA, such as thread creation and file operations.

  • Internal Processing   This is for events related to the internal operation of MTA application code. Error events in this category indicate serious problems in the MTA.

  • Interoperability   This is used to track the binary content of protocol messages. Use this category and the Interface category to log stack traces and XAPI traces to MTADATA\AP*.LOG.

  • APDU   The Application Protocol Data Unit is used to track full P1 content (MTA send/receive) and fully encoded P1 APDU (communication between remote MTAs) to diagnose interoperability or conformance problems.

The Exchange Management Pack uses two main performance objects to track the MTA. The performance objects are:

  • MSExchangeMTA   The counters that make up the MSExchangeMTA object include bytes transmitted and received through TCP/IP, X.25, XAPI, in messages, and on the LAN, in addition to disk reads/writes, threads, and administrative connections.

  • MSExchangeMTA Connections   This performance object includes counters to monitor the number of messages, the amount of data in messages, and the number of associations that are used to transfer messages over X.400 connections.

Besides core Exchange components, such as Microsoft Exchange Information Store service, SMTP, and system attendant, complementary services enhance and extend Exchange collaboration and communication abilities, and integrate with IIS 6.0. The critical services are:

  • Internet-based protocol engines   These engines enable Internet-based clients, such as Microsoft Outlook Express, to communicate with Exchange 2003 through POP3, IMAP4, or NNTP.

  • Outlook Web Access   This component enables users to access their data on Exchange through a Web interface. The interface appears similar to the Outlook 2003 application.

  • Outlook Mobile Access   This component enables users with mobile devices to access their Exchange accounts.

  • Exchange ActiveSync   This component is helpful for mobile users because it enables synchronization of their personal data to mobile devices.

The IIS Admin Service implemented in the inetinfo.exe executable integrates with Exchange 2003 to provide support for protocols, engines, and features. The following Exchange components depend, directly and indirectly, on IIS:

  • Network News Transfer Protocol (NNTP)   Through NNTP, newsreaders and newsfeeds can access information stored in the public folder.

  • Microsoft Exchange IMAP4   IMAP4 enables mail access with some advanced features, such as folder synchronization and browsing subjects before downloading messages to the client.

  • Microsoft Exchange POP3   POP3 enables a client to access mail on the server. It is a simple read-only protocol that enables access to only the Inbox.

  • Microsoft Exchange Routing Engine   The routing engine provides topology and routing information for message delivery.

  • Simple Mail Transfer Protocol (SMTP)   This service is used to transport messages. If a client uses a protocol such as POP3 or IMAP4 to read mail, SMTP is necessary to send and deliver messages.

Outlook Web Access, Outlook Mobile Access, and Exchange ActiveSync are also integrated in IIS. Supplementary extensions and access methods such as WebDAV provide access to these services.

To communicate with the Exchange store, a dedicated layer named Exchange Interprocess Communications Layer (ExIPC) is provided. Service extensions and protocols communicate with the Exchange store directly through ExIPC. IIS shares memory space with the Exchange store, which results in rapid communication. ExIPC is implemented in epoxy.dll and is part of the Microsoft Exchange Information Store service.

Monitoring these separate processes is vital if users use several clients to access their mailboxes on an Exchange 2003 server.

The complementary services rely on core Exchange components such as system attendant, SMTP, and Microsoft Exchange Information Store service, in addition to other components such as:

  • IIS Admin Service   This central IIS component provides a common center and interface for Web, NNTP, SMTP, IMAP4, POP3, Outlook Mobile Access, Outlook Web Access, and Exchange ActiveSync components. IIS integrates with parts of Exchange to enable Active Directory information queries and access to the databases and configuration information.

  • WebDAV   HTTP is required for Outlook Web Access, and WebDAV enhances HTTP by providing more methods of operations to manage document properties, documents, and folders. More information about WebDAV is available at
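The following added example (not part of the original topic or of the Exchange Management Pack) encodes the dependencies described in this topic as a graph and uses it to reduce a set of simultaneous outages to their root causes, so that one stopped dependency is not triaged as many independent failures. The component labels are names chosen for this example, not Windows service names.

```python
# Added example: dependency-aware triage of component outages.
# Component labels are names chosen for this example (not Windows service
# names); every edge restates a dependency described in this topic.
from collections import deque

_CORE = ["IISAdmin", "SystemAttendant", "SMTP", "InformationStore"]

DEPENDS_ON = {
    "DNS": [],
    "ActiveDirectory": ["DNS"],               # DNS is required for Active Directory
    "IISAdmin": [],
    "SystemAttendant": ["ActiveDirectory"],   # DSAccess reads Active Directory
    "InformationStore": ["SystemAttendant"],
    "MTAStacks": ["SystemAttendant"],
    "RoutingEngine": ["IISAdmin"],
    "SMTP": ["IISAdmin", "ActiveDirectory"],  # categorizer resolves recipients in AD
    # Complementary services rely on IIS plus the core Exchange components.
    **{name: list(_CORE) for name in
       ("POP3", "IMAP4", "NNTP", "OWA", "OMA", "ActiveSync")},
}


def upstream(component):
    """Return every component that `component` depends on, directly or not."""
    seen = set()
    queue = deque(DEPENDS_ON[component])
    while queue:
        dep = queue.popleft()
        if dep not in seen:
            seen.add(dep)
            queue.extend(DEPENDS_ON[dep])
    return seen


def blast_radius(component):
    """Return every component that stops working if `component` fails."""
    return {c for c in DEPENDS_ON if component in upstream(c)}


def triage(down):
    """Map each root-cause outage to the outages it explains.

    A component that is down is a root cause only if nothing it depends on
    is also down; every other outage is listed under the root causes that
    lie upstream of it.
    """
    down = set(down)
    unknown = down - DEPENDS_ON.keys()
    if unknown:
        raise ValueError(f"unknown components: {sorted(unknown)}")
    roots = {c for c in down if not (upstream(c) & down)}
    report = {root: [] for root in sorted(roots)}
    for component in sorted(down - roots):
        for root in sorted(roots & upstream(component)):
            report[root].append(component)
    return report


if __name__ == "__main__":
    # Constructed snapshot: four alerts, one actual fault.
    alerts = {"SystemAttendant", "InformationStore", "MTAStacks", "POP3"}
    for root, explained in triage(alerts).items():
        print(f"root cause: {root}; explains: {', '.join(explained) or 'nothing else'}")
```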

The Exchange Management Pack uses the following event sources to track events about complementary services:

  • MSExchangeActiveSyncNotify   This source logs events for Always-Up-To-Date Notifications in Exchange 2003.

  • MSExchangeOMA   This source records events that are related to devices, disk, network, services, shell, and printers that deal with Outlook Mobile Access.

  • MSExchangeWEB   Similar to MSExchangeOMA, this source records events that are related to devices, disk, network, services, shell, and printers that deal with Outlook Web Access.

  • POP3SVC and IMAP4SVC   These two sources log events that relate to the content engine, connections, client engine, and configuration in the protocol services.

  • IISADMIN and DAVEX   Both of these source types log devices, disk, network, printers, services, shell, and system events.

The Exchange Management Pack uses the following performance objects to provide tracking for complementary services:

  • MSExchangeOMA   This object includes counters to monitor rates and counts of instances, maximum and real-time browses, and rates and totals for requests of mailboxes, contacts, tasks, and calendars.

  • MSExchange Web Mail   The Outlook Web Access component is monitored primarily by this object. It includes counters for both Microsoft Internet Explorer 5 and later, and non-Internet Explorer instances such as:

    • Appointment saves, deletions, opens, sends, and updates

    • Authentication instances and authentication cache

    • Folder operations such as saves, renames, views, and reads

    • Message tracking for attachments, moves, edits, amount opened, number sent

    • Saved navigation options

    • Folder template data

    • Recipients

  • MSExchangeActiveSyncNotifyOmaPush   This object tracks categorizer notifications and notifications from Outlook Mobile Access sinks. The counters include monitors for amount sent, processed, discarded, ignored, and expired, both as a cumulative and as a per-second measure.

  • MSExchangePOP3   This object tracks connections and instances of commands sent when using the POP3 protocol. This includes commands such as AUTH and USER, used in authentication, and Inbox operations commands such as LIST, DELE, and UIDL.

  • MSExchangeIMAP4   This object tracks connections and instances of commands used through the IMAP4 protocol. The counters include authentication and security commands such as AUTHENTICATE, LOGIN, and LOGOUT, and mail operations commands such as SEARCH, STORE, SELECT, RENAME, LIST, FETCH, EXPUNGE, DELETE, and COPY.

  • NNTP Commands   This object also tracks per second and total instances of commands and connections. Authentication commands, in addition to commands to browse, post, search, and list topics in newsgroups are included.

  • NNTP Server   This object tracks overall NNTP server operations. It includes counters to track articles deleted and posted, bytes sent and received, and message failures and successes, in addition to totals for feeds, connections, users, and logons.