Configuring Monitoring Scenarios


Topic Last Modified: 2006-08-17

The Exchange Management Pack for MOM 2005 includes several key monitoring scenarios that are configurable. The following scenarios are covered in this section:

  • Service Verification Script Configuration

  • Exchange Traffic Analysis Reports

  • Mail Flow Verification Scripts Configuration

  • Disk Capacity Planning

  • Collecting Operating System Server Information

  • Configuring Exchange Mail Queue Thresholds

Periodically, the Service Verification Script runs to determine whether particular services are running on your Exchange server. The list of services that are checked is specified in a registry key.

You can configure service verification using the Exchange 2003 Management Pack Configuration Wizard at

Rule Group: Server Availability\Verify Exchange Services.

Rule Name: Service verification. Check services script.

Specify the Exchange-related services to be monitored in the following registry key on each of the managed Exchange servers.

Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data.

To create the registry key
  1. Create the following key in Registry Editor.

  2. In this key, create the entry Monitored Services as a string.

  3. Fill this string with a comma-delimited list of the services for which you want to receive notification if the services are not running.

    Example setting for this entry:

    MSExchangeIS, MSExchangeSA, MSExchangeMTA, SMTPSVC, POP3SVC, IMAP4SVC

    In a cluster configuration, you must add this entry on each cluster node.
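The following added example (not part of the Exchange Management Pack) audits the Monitored Services string on each node: it splits the comma-delimited value, flags names that match no installed service (such an entry can never be reported correctly), and lists services that another cluster node monitors but this node does not. The node names, sample strings and installed-service list are constructed; on a real server the string would come from the registry entry created above and the installed list from `(Get-Service).Name`.

```powershell
# Added example, not part of the Exchange Management Pack.
# Requires Windows PowerShell 3.0 or later ([pscustomobject]).

function ConvertFrom-MonitoredServices {
    param([string]$Value)
    # Split on commas, trim surrounding spaces (the documented example has a
    # space after each comma), and drop empty items left by stray commas.
    $Value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

function Compare-MonitoredServices {
    param(
        [hashtable]$NodeValues,        # node name -> raw "Monitored Services" string
        [string[]]$InstalledServices   # service short names present on the servers
    )
    $parsed = @{}
    foreach ($node in $NodeValues.Keys) {
        $raw = $NodeValues[$node]
        $parsed[$node] = @(ConvertFrom-MonitoredServices -Value $raw)
    }
    # Union of every service named on any node (comparison is case-insensitive).
    $all = @($parsed.Values | ForEach-Object { $_ } | Sort-Object -Unique)

    foreach ($node in ($parsed.Keys | Sort-Object)) {
        $list = $parsed[$node]
        [pscustomobject]@{
            Node        = $node
            Monitored   = $list.Count
            # Names that match no installed service, typically typing errors.
            Unknown     = @($list | Where-Object { $InstalledServices -notcontains $_ })
            # Services named on another node but absent from this node's entry.
            MissingHere = @($all | Where-Object { $list -notcontains $_ })
        }
    }
}

# Constructed sample: NODE2 has a misspelled service, no IMAP4SVC, a trailing comma.
$nodes = @{
    'NODE1' = 'MSExchangeIS, MSExchangeSA, MSExchangeMTA, SMTPSVC, POP3SVC, IMAP4SVC'
    'NODE2' = 'MSExchangeIS,MSExchangeSA, MSExchangeMTA ,SMPTSVC, POP3SVC,'
}
$installed = 'MSExchangeIS', 'MSExchangeSA', 'MSExchangeMTA', 'SMTPSVC', 'POP3SVC', 'IMAP4SVC'

Compare-MonitoredServices -NodeValues $nodes -InstalledServices $installed | Format-List
```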

The Exchange Management Pack includes a timed event rule that collects information from the message tracking logs and analyzes it to assemble the Exchange Traffic Analysis reports, which detail various aspects of the messaging traffic. This event rule analyzes the message tracking log for the previous day.

Rule Group: Microsoft Exchange Server 2003\Report Collection Rules\Message Tracking Log Analysis\Event Rules

Rule Name: Report Collection - Message Tracking Log Data

Reports: Reports in the "Exchange 2003 Traffic Analysis" reports

To produce the Exchange 2003 Traffic Analysis report, message tracking must be enabled on the monitored servers. By default, the Configuration Wizard will enable this. If message tracking becomes disabled, these reports can no longer be generated.

To enable message tracking
  1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.

  2. In the left pane, locate the server for which you want to enable message tracking. Right-click the server name, and then click Properties.

  3. To record the subject of any message sent to, from, or through the server, on the General tab, select the Enable subject logging and display check box.

  4. To log information about the sender, the time the message was sent or received, the message size and priority, or the message recipients, select the Enable message tracking check box.

  5. To change the directory in which the log file is stored, click Change, and enter the new directory name where the Message Tracking Log Files will be stored.

  6. Click OK to save your changes and close the Properties dialog box.

If you let log files accumulate on the server, they can consume a large section of disk space and affect performance. You should remove log files periodically; however, make sure that you leave log files on the server long enough for you to review files if a problem occurs with your message flow. As an additional step, you can move the log files to a server that can handle the size requirements.

To specify how long log files remain on a server
  1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.

  2. In the left pane, locate the server for which you want to configure log file settings. Right-click the server name, and then click Properties.

  3. On the General tab, select the Remove log files check box.

  4. In Remove log files older than (days), type the number of days that you want a file to be saved in the Exchsrvr\<servername>.log directory before it is removed.

In some cases, Exchange cannot resolve the sender for a piece of mail from the message tracking log event 1031 "Not available" used to track sent mail. Two Exchange traffic analysis reports, "SMTP Out - Top 100 Senders by Count" and "SMTP Out - Top 100 Senders by Size," show that the sender is not available.
This inability to resolve the sender occurs when the mail was sent to a distribution list that is configured as "Do not send delivery reports" on the Exchange Advanced tab of the Distribution List properties dialog box. (In this case, Active Directory attributes reportToOriginator and reportToOwner are both false.)
Additionally, if "Send delivery reports to group owner" is selected for a distribution list, all mail sent to this distribution list has the owner of the list appearing as the sender in the message tracking log. The default for distribution lists is "Send delivery reports to message originator," and, in this case, Exchange will report the real sender in the message tracking log.

These scripts periodically send mail and verify that the mail has been received. You must configure the sending and receiving servers to know where to send mail and from where to expect mail.

Before customizing these scripts, configure mail flow verification by using the Exchange Management Pack Configuration Wizard. This wizard is located in the \Tools folder of the MOM 2005 installation CD or on the Exchange 2003: Management Pack Configuration Wizard Web site at

Rule Group: Availability Monitoring\Verify Mail Flow\Event Rules

Rule Name: Send mail flow messages

Rule Name: Receive mail flow messages

The mail flow verification script uses the mailbox access account (named <servername>MOM) created in the previous procedure. For each server participating in the mail flow verification (as senders, receivers, or both), follow these configuration steps.

Any rule that you customize should ideally have its own rule group. This ensures that the rule is not overwritten when you upgrade the Exchange Management Pack.

To configure the mail flow verification script execution interval
  1. Configure the time interval to send/receive mail according to your Exchange installation (the default is 15 minutes):

    1. From the MOM 2005 Administrator Console, expand Microsoft Operations Manager\Management Packs\Rule Groups\Microsoft Exchange Server\Microsoft Exchange Server 2003.

    2. In the left pane, expand Availability Monitoring, and then expand Verify Mail Flow.

    3. In the Verify Mail Flow rule group, click Event Rules.

    4. In the right pane, right-click Send Mail Flow Messages, and then click Properties.

    5. In the Event Rule Properties dialog box, click the Data Provider tab.

    6. On the Data Provider tab, in the Provider name box, click Schedule every 15 minutes synchronize at 00:04, and then click OK.

    7. Repeat these steps for the Receive mail flow messages event rule. Select Schedule every 15 minutes synchronize at 00:09.

  2. Configure the number of failed attempts to receive mail before generating an alert (the default is four attempts):

    1. In the Verify Mail Flow\Event Rules rule group, right-click Receive mail flow messages, and then click Properties.

    2. In the Event Rule Properties dialog box, click the Responses tab.

    3. On the Responses tab, click Exchange 2003 - Mail flow receiver, and then click Edit.

    4. In the Launch a Script dialog box, double-click MaxSafeMissedRuns. In the Value box, enter a value greater than or equal to 1 and then click OK to close all dialog boxes.

Although it is not required, you can configure the <servername>MOM mailboxes so that they receive mail only from the other test mailboxes that are expected to send mail to them.

To configure <servername>MOM mailboxes to receive mail only from intended sources
  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. In the left pane, expand the domain and then expand the organizational unit that contains the user account that you want to modify.

  3. In the right pane, double-click the mailbox-enabled user you want to modify.

  4. On the Exchange General tab, click Delivery Restrictions.

  5. In the Delivery Restrictions dialog box, under Message restrictions, select Only from, and then click Add.

  6. In the Select Recipient dialog box, under Name, select the recipients whose e-mail the mailbox-enabled user can receive, and then click Add. Repeat this step for each recipient.

Test mailboxes not used in mail flow verification—specifically those named with any additional suffix (for example, <servername>MOM1)—can be similarly configured to not accept any mail by following the same steps and leaving blank the "Only from" list in step 5.

You can conduct disk capacity planning by using views of the disk space used. The data for these views comes from the Logical Disk performance monitor counters. Disk capacity planning is only necessary in Microsoft Windows® 2000 Server (including service packs). These counters are permanently enabled in Windows Server 2003.

To enable disk capacity planning
  1. At the command prompt, type diskperf -y to enable counters on all monitored Exchange servers.

  2. Restart the server for this change to take effect.

No configuration is required for this rule.

Rule Group: Server Utilization Logging: Reporting and Views\Report Collection Scripts\Windows Server Configuration

Rule Name: Report Collection – Windows Server Configuration Information

Report: Exchange Server Configuration

Depending on the amount of mail traffic through your Exchange deployment, you may want to adjust the following rules in the Mail Queue Thresholds rule group. Adjusting the rules makes sure that they are sensitive to large queues but do not issue an alert from typical fluctuations.

  • Exchange 2003: SMTP: Categorizer Queue > 50

  • Exchange 2003: SMTP: Local Queue > 50

  • Exchange 2003: SMTP: Local Retry Queue > 50

  • Exchange 2003: SMTP: Messages Pending Routing > 50

  • Exchange 2003: SMTP: Messages in SMTP Queue Directory > 500

  • Exchange 2003: SMTP: Remote Queue > 500

  • Exchange 2003: SMTP: Remote Retry Queue > 500

  • Exchange Information Store service Queue of Messages to MTA > 50

  • Information Store Queue of Messages from MTA > 25

  • Information Store Transport Temp Table Entries > 600

  • MTA Queue Length per Connection > 50

  • MTA Work Queue > 50

  • Mailbox Store: Receive Queue > 25

  • Mailbox Store: Send Queue > 25

Other performance counter threshold rules in the Exchange Management Pack do not have to be adjusted. To select appropriate Exchange mail queue thresholds, create a performance baseline for your environment that records the queue fluctuations over an extended time period (for example, a week) and watch the typical fluctuations. The queue threshold can then be set to be just over these fluctuations.
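The following added example (not part of the Exchange Management Pack) turns a baseline into a threshold: it takes a week of queue-length samples, finds the level that typical fluctuations stay under, and reports how often the shipped threshold and the proposed one would have alerted during the baseline. The 99th-percentile and 10 percent headroom values are assumptions chosen to model "just over these fluctuations," and the samples are constructed; real samples would be exported from the queue counter's performance data.

```powershell
# Added example, not part of the Exchange Management Pack.
# Requires Windows PowerShell 3.0 or later ([pscustomobject]).

function Get-QueueThresholdProposal {
    param(
        [double[]]$Samples,           # queue lengths recorded over the baseline period
        [int]$ShippedThreshold,       # value from the rule name, for example 50
        [double]$Percentile = 0.99,   # assumption: typical fluctuation = 99th percentile
        [double]$Headroom   = 0.10    # assumption: "just over" = 10 percent above it
    )
    if ($null -eq $Samples -or $Samples.Count -eq 0) {
        throw 'No baseline samples supplied.'
    }
    $sorted = @($Samples | Sort-Object)

    # Nearest-rank percentile: the smallest sample that has at least
    # $Percentile of all samples at or below it.
    $rank = [int][math]::Ceiling($Percentile * $sorted.Count)
    $typicalMax = $sorted[[math]::Max($rank, 1) - 1]

    # Round up, and stay strictly above the typical level even when it is 0.
    $proposed = [int][math]::Ceiling($typicalMax * (1 + $Headroom))
    if ($proposed -le $typicalMax) { $proposed = [int]$typicalMax + 1 }

    [pscustomobject]@{
        Samples            = $sorted.Count
        TypicalMax         = $typicalMax
        Peak               = $sorted[-1]
        ShippedThreshold   = $ShippedThreshold
        ShippedWouldAlert  = @($sorted | Where-Object { $_ -gt $ShippedThreshold }).Count
        ProposedThreshold  = $proposed
        ProposedWouldAlert = @($sorted | Where-Object { $_ -gt $proposed }).Count
    }
}

# Constructed baseline: 7 days of 15-minute samples for one queue counter,
# busier between 08:00 and 18:00, with deterministic jitter.
$samples = foreach ($day in 1..7) {
    foreach ($slot in 0..95) {
        $hour = [math]::Floor($slot / 4)
        $base = if ($hour -ge 8 -and $hour -lt 18) { 40 } else { 5 }
        $base + (($slot * 7 + $day * 3) % 25)
    }
}
$samples += 400   # one constructed backlog that the tuned rule must still catch

Get-QueueThresholdProposal -Samples $samples -ShippedThreshold 50
```

Run it once per queue counter with that rule's shipped value (50, 500, 25 or 600), and check that ProposedWouldAlert still counts the incidents you would have wanted an alert for.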

Generally, it is a best practice to make a copy of the rules that have to be modified. Then, make changes in the copy instead of changing the rules directly in the Exchange Management Pack.

To change the thresholds for the mail queue performance rules with State-Monitoring enabled
  1. In the MOM 2005 Administrator Console, locate Microsoft Operations Manager\Management Packs\Rule Groups\Microsoft Exchange Server\Microsoft Exchange Server 2003\Health Monitoring and Performance Thresholds\Mail Queue Thresholds\Performance rules.

  2. In the right pane, right-click the rule, and then click Properties.

  3. Click the Alert tab, and then click Edit in the Alert properties dialog box.

  4. Select the If statement, and then click Edit.

  5. Modify the threshold value to reflect your preferred threshold.

This section discusses best practice scenarios when configuring the Exchange Management Pack.

  • Custom and standard mailboxes   Custom mailboxes are test mailboxes that do not follow the standard naming convention of server_nameMOM*, where server_name is the name of your Exchange server, and * is an incremental number used for unique identification within that server. The Configuration Wizard cannot be used to create custom mailboxes, although it can be used to recognize them. You can also use the command-line utility to correctly configure these accounts after they have been manually created in Active Directory and after the xml configuration file has been manually configured. The mail flow scripts generate event 9561 if no appropriate mailbox (either custom or standard) is detected by the script. If both custom mailboxes and standard mailboxes exist, the scripts will use the custom mailboxes. Either the standard mailboxes can be used for mail flow verification, or a custom mailbox can be used, but not both. To use the standard mailboxes, remove any custom mailboxes before installation. You can remove the custom configuration by running the Configuration Wizard and disabling the mail flow test in addition to the mailbox availability monitoring. This process will remove all registry entries and let you reconfigure monitoring to use the standard mailboxes.

  • Event log replication in a cluster configuration   In a cluster configuration, disable event log replication to prevent duplicate alerts from the physical cluster nodes. For more information about this configuration, see Microsoft Knowledge Base article 224969, "How to configure event log replication in Windows 2000 and Windows Server 2003 cluster servers" (

  • Making changes to the Management Pack   It should not be necessary to significantly change the configuration rules and scripts in the Exchange Management Pack. However, if you have to do this, the best practice is to make copies of rules, change them outside the Microsoft Exchange Server 2003 rule group, and disable the original rules. Record the rules you have disabled because re-importing the Management Pack causes your changes to be overwritten by the new management pack.

  • Using a mailbox access account that is defined in your Exchange server's resource domain instead of one defined in your user domain   By default, the Configuration Wizard creates the mailboxes and user accounts that you use for mail flow tests in the root domain. If you want the accounts to be in a different domain, create the accounts in the domain where you want them before running the wizard. The Configuration Wizard searches all of Active Directory for the accounts before it creates new accounts.

  • The Mailbox Access Account requires permissions to read and write to the %systemroot%\temp\exmppd directory   This directory is where temporary MAPI logon profiles are created. To verify that your account has appropriate permissions, log on to the server as the Mailbox Access Account and create a test file in this directory.

  • The Mailbox Access Account requires local logon rights on each Exchange server   These rights are required for the MAPI Logon and Mail Flow tests. The Configuration Wizard automatically grants the required rights.

  • Do not explicitly change the Default Access Permissions   If you have manually added an account to Default Access Permissions, the System account will not be granted Default Access Permissions and you will not receive event ID 9986 on the MOM server after installing the agent on your Exchange server. Event 9986 can be found in the Event Viewer on the MOM server by searching for events associated with the specific Exchange server. You will then receive subsequent errors indicating a permissions issue. For more information, see Microsoft Knowledge Base article 274696, "Actions such as search and drag and drop do not work because the default access permissions have been changed in the Dcomcnfg.exe tool" (

  • Do not configure "Send As" and "Receive As" permissions on the Organization object to "Deny"   If your organization has "Send As" and "Receive As" permissions configured as "deny" at the organization level, the mailbox access account will not be able to log on to your Exchange server. This configuration causes MAPI Logon verification tests to fail.

  • Verify that a domain controller is accessible to the monitoring server   MAPI logon verification tests will fail if the monitoring server cannot access a domain controller, or if the domain controller does not respond in a timely manner.

  • Verify that the Mailbox Access Account Display Name and samAccountName are identical   If they are not identical, ambiguous name resolution will fail, which causes the Mail Flow script to fail to run and MAPI_E_AMBIGUOUS_RECIP errors to be logged.

  • Verify that all back-end servers have an agent installed   If any of the back-end servers that your front-end server communicates with do not have an agent installed, the Configuration Wizard returns an error on your front-end server.

  • Verify that SSL is configured on all applicable virtual directories on the Exchange 2003 front-end server   SSL is required for the front-end server, Outlook Web Access, Outlook Mobile Access, and Exchange ActiveSync availability scripts to function correctly. For a list of script dependencies, see Exchange Management Pack Script Dependencies.

  • Use the Net Time command to synchronize system clocks   Timing synchronization issues between servers can cause inaccurate Mailflow latency report results. The format for this command is:

    net time \\server_fully_qualified_domain-name /set /y

  • The Agent Service Account and the Agent Action account must be running as Local System   By default, these accounts run as Local System. If you configure either of these accounts to run as an account other than Local System, several Exchange Management Pack scripts will fail. For a list of script dependencies, see Exchange Management Pack Script Dependencies.

The location of views and rules has changed in the Exchange Management Pack for Exchange 2003. Exchange 2000 views are located at Microsoft Exchange Server\Exchange 2000 and Exchange 2003 views are located at Microsoft Exchange Server\Exchange 2003.

If you use the Exchange Management Pack for Exchange 2000, the Report Collection Events view will display all report collection events for both versions of Exchange.

  • Rule Groups   You can view performance counters in the Microsoft Exchange Server 2003\Report Collection Rules\Mailbox Statistics Analysis and Microsoft Exchange Server 2003\Report Collection Rules\Public Folder Statistics Analysis rule groups.

    The mailbox and public folder analyses send the results to the corresponding reports as performance counters with an object named McExchDG. Over time, hundreds of counters can accumulate, which can delay getting a view of all performance counters on a server. Views exist for most Exchange 2003 performance counters in the Management Pack. Generally, it is a good practice to create additional views for other frequently used performance counters instead of obtaining the list of all performance counters for a particular server.

  • Full-text indexing and CPU measurements   Total CPU measurements might not indicate a CPU resource bottleneck because full-text indexing consumes all CPU resources that are otherwise unused. If you use full-text indexing, you may want to disable the %CPU rules located in Microsoft Exchange Server 2003\Performance Counter Logging Rules\Server Resource Utilization\CPU Usage Logging to prevent false alerts of high CPU usage.

  • Service availability reports   Consider whether you want to use the following service availability reports: "Windows NT/2000: Service Availability by Computer," "Windows NT/2000: Service Availability by Server," and "Windows NT/2000: Service Availability by Service." The data for these reports can consume lots of space in the MOM data warehouse. If they are not required, disable collecting the service availability events by going to Administration\Global Settings, accessing the properties of the Agents object, clicking the Service Monitoring tab, and then clearing the Enable service monitoring check box.

  • MAPI logon check functionality   This relates to the Availability and State Monitoring\MAPI Logon Check and Availability Reporting rule group (MAPI Logon Check in Exchange 2000) and Check mailbox store availability–MAPI logon test.

    The MAPI logon check functionality generates data for the Exchange Server Availability report. This is done by the Exchange 2003 - MAPI logon verification script that records events every time there is a successful logon to the Exchange store. This event has the source Exchange MOM and is number 9980. Because these events are recorded every five minutes, they can amount to a significant fraction of all events in the Microsoft Operations Manager database. To use the MAPI logon check functionality only for monitoring and not for reporting, you can request that the script not record these success events by changing the value of the parameter LogPerfData for this script. The values for this parameter are:

    •  0 = record success events

    •  1 = record performance data instead of success events

    • -1 = record neither success events nor performance data

    When the value is non-zero, there is no data for the Exchange Service Availability report, and it is empty. When this parameter is 1, the counter named Exchange MP\MAPI Logon Status is populated with the value of the event number that would have been created otherwise (for example, 9980, 9981, and so on).