Chapter 8. Exchange Server 2013 maintenance, monitoring, and queuing
Few administration tasks are more important than maintenance, monitoring, and queue tracking. You must maintain Microsoft Exchange Server 2013 to ensure proper flow and recoverability of message data. You need to monitor Exchange Server to ensure that services and processes are functioning normally, and you need to track Exchange Server queues to ensure that messages are being processed.
Performing tracking and logging activities in an organization
This section examines message tracking, protocol logging, and diagnostic logging. You use these features to monitor Exchange Server and to troubleshoot messaging problems.
Using message tracking
You use message tracking to monitor the flow of messages into, out of, and within an organization. With message tracking enabled, Exchange Server maintains daily log files, with a running history of all messages transferred within an organization. You use the logs to determine the status of a message, such as whether a message has been sent, has been received, or is waiting in the queue to be delivered. Because Exchange Server handles postings to public folders in much the same way as email messages, you can also use message tracking to monitor public folder usage.
Tip
Tracking logs can really save the day when you’re trying to troubleshoot delivery and routing problems. The logs are also useful in fending off problem users who blame email for their woes. Generally speaking, users can’t claim they didn’t receive emails if you can find the messages in the logs. That said, if you use third-party applications that integrate with Outlook, those applications could potentially delete messages before the user sees them.
Configuring message tracking
By default, all Edge Transport and Mailbox servers perform message tracking. You can enable or disable message tracking on a per-server basis by setting the –MessageTrackingLogEnabled parameter of the Set-TransportService cmdlet to $true or $false, as appropriate. The following example disables message tracking on MailServer34:
Set-TransportService -Identity "MailServer34"
-MessageTrackingLogEnabled $falseTip
You can configure basic message tracking options in the Exchange Admin Center. To do this, select Servers in the Features pane, and then select Servers. In the main pane, double-tap or double-click the server you want to configure to display the related Properties dialog box. On the Transport Logs page, select or clear the Enable Message Tracking Log check box. If you enable message tracking, you can enter the desired directory path for logging as well or accept the default setting.
Each Edge Transport and Mailbox server in your organization can have different message tracking settings that control the following:
Where logs are stored
How logging is performed
The maximum log size and maximum log directory size
How long logs are retained
By default, message tracking logs are stored in the %ExchangeInstallPath%TransportRolesLogsMessageTracking directory. Generally, message tracking does not have high enough input/output activity to warrant a dedicated disk. However, in some high usage situations, you might want to move the tracking logs to a separate disk. Before you do this, however, you should create the directory you want to use and set the following required permissions:
Full Control for the server’s local Administrators group
Full Control for System
Full Control for Network Service
After you’ve created the directory and set the required permissions, you can change the location of the tracking logs to any local directory by setting the –MessageTrackingLogPath parameter of the Set-TransportService cmdlet to the desired local directory. The following example sets the message tracking directory as G:Tracking on MailServer34:
Set-TransportService -Identity "MailServer34"
-MessageTrackingLogPath "G:Tracking"Note
When you change the location of the message tracking directory, Exchange Server does not copy any existing tracking logs from the old directory to the new one. If you want all the logs to be in the same location, you should manually copy the old logs to the new location before you use Set-TransportService to change the message tracking directory.
By default, all Edge Transport and Mailbox servers perform extended message tracking, which allows you to perform searches based on message subject lines, header information, sender, and recipient. If you don’t want to collect information on potentially sensitive subject lines, you can disable subject line tracking by setting the –MessageTrackingLogSubjectLoggingEnabled parameter of the Set-Transport-Service cmdlet to $false, as shown in the following example:
Set-TransportService -Identity "MailServer34"
-MessageTrackingLogSubjectLoggingEnabled $falseExchange Server continues to write to message tracking logs until a log grows to a specified maximum size, at which point Exchange Server creates a new log and then uses this log to track current messages. By default, the maximum log file size is 10 megabytes (MB). You can change this behavior by setting the –MessageTrackingLogMaxFileSize parameter to the desired maximum file size. You must qualify the desired file size by using B for bytes, KB for kilobytes, MB for megabytes, or GB for gigabytes. The following example sets the message log file size to 50 MB:
Set-TransportService -Identity "MailServer34"
-MessageTrackingLogMaxFileSize "50MB"Exchange Server overwrites the oldest message tracking logs automatically when tracking logs reach a maximum age or when the maximum log directory size is reached. By default, the maximum age is 30 days and the maximum log directory size is 1,000 MB. You can use the –MessageTrackingLogMaxAge parameter to set the maximum allowed age in the following format:
DD.HH:MM:SS
DD is the number of days, HH is the number of hours, MM is the number of minutes, and SS is the number of seconds. The following example sets the maximum age for logs to 90 days:
Set-TransportService -Identity "MailServer34"
-MessageTrackingLogMaxAge "90.00:00:00"You can set the maximum log directory size by using the –MessageTrackingLogMaxDirectorySize parameter. As with the maximum log file size, the qualifiers are B, KB, MB, and GB. The following example sets the maximum log directory size to 2 GB:
Set-TransportService -Identity "MailServer34"
-MessageTrackingLogMaxDirectorySize "2GB"Searching through the tracking logs
The tracking logs are useful in troubleshooting problems with routing and delivery. In the Exchange Management Shell, you use Get-MessageTrackingLog to search through the message tracking logs. The related syntax is:
Get-MessageTrackingLog [-Start DateTime] [-Server ServerId] [-End DateTime] {AddtlParams} {AddtlParams} [-DomainController DCName] [-EventId {"BadMail" | "Defer" | "Deliver" | "DSN" | "Expand" | "Fail" | "PoisonMessage" | "Receive" | "Redirect" | "Resolve" | "Send" | "Submit" | "Transfer"} ] [-InternalMessageId MessageTrackingLogId] [-MessageId MessageId] [-MessageSubject Subject] [-Recipients SMTPEmailAddress1, SMTPEmailAddress2,...] [-Reference ReferenceField] [-ResultSize NumEntriesToReturn] [-Sender SMTPEmailAddress]
These parameters allow you to search the message tracking logs in the following ways:
By date
By event ID
By message ID
By message subject
By recipients
By sender
By server that processed the messages
To begin a search, you must specify one or more of the previously listed identifiers as the search criteria. You must also identify a server in the organization that has processed the message in some way. This server can be the sender’s server, the recipient’s server, or a server that relayed the message.
You set the search criteria by using the following parameters:
–End. Sets the end date and time for the search
–EventID. Specifies the ID of the event for which you want to search, such as a RECEIVE, SEND, or FAIL event
–InternalMessageID. Specifies the ID of the message tracking log entries for which you want to search
–MessageID. Specifies the ID of the message for which you want to search
–MessageSubject. Specifies the subject of the message for which you want to search
–Recipients. Sets recipient’s SMTP email address or addresses to return
–Reference. Specifies the reference field value within the message for which you want to search
–Sender. Sets the sender’s SMTP email address (listed in the From field of the message) to return
–Server. Sets the name of the Transport or Mailbox server that contains the message tracking logs to be searched
–Start. Sets the start date and time for the search.
Using the –Start and –End parameters, you can search for messages from a starting date and time to an ending date and time. Using the –Server parameter, you specify the server to search. Consider the following example:
Get-MessageTrackingLog -Start "05/25/2014 5:30AM" –End "05/30/2014 7:30PM" -Server MailServer18 –Sender [email protected]
In this example, you search for a messages sent by [email protected] between 5:30 A.M. May 25, 2014 and 7:30 P.M. May 30, 2014.
Reviewing message tracking logs manually
Exchange Server creates message tracking logs daily and stores them by default in the %ExchangeInstallPath%TransportRolesLogsMessageTracking directory. For US-English, each log file is named by the date on which it was created, using one of the following formats:
MSGTRKYYYYMMDD-N.log, such as MSGTRK20140325-1.log for the first log created on March 25, 2014 by the Transport service.
MSGTRKMAYYYYMMDD-N.log, such as MSGTRKM20140325-1.log for the first log created on March 25, 2014 and used with moderated messages for tracking approvals and rejections.
MSGTRKMDYYYYMMDD-N.log, such as MSGTRKM20140325-1.log for messages delivered to mailboxes by the Mailbox Transport Delivery service.
MSGTRKMSYYYYMMDD-N.log, such as MSGTRKM20140325-1.log for messages sent from mailboxes by the Mailbox Transport Submission service.
The message tracking logs store each message event on a single line. The information on a particular line is organized by comma-separated fields. Logs begin with a header that shows the following information:
A statement that identifies the file as a message tracking log file
The version of the Exchange Server that created the file
The date on which the log file was created
A comma-delimited list of fields contained in the body of the log file
Table 8-1 summarizes message event fields and their meaning. Not all of the fields are tracked for all message events.
LOG FIELD | DESCRIPTION |
Client-hostname | The hostname of the client making the request |
Client-ip | The IP address of the client making the request |
Connector-id | The identity of the connector used |
Custom-Data | Optional custom data that was logged |
Date-Time | The connection date and time |
Directionality | An indication of the source of the message |
Event-id | The type of event being logged, such as Submit |
Internal-message-id | The internal identifier used by Exchange to track the message |
Message-id | The message identifier |
Message-info | Any related additional information on the message |
Message-subject | The subject of the message |
Original-client-ip | The IP address for the original client |
Original-server-ip | The IP address for the original server |
Recipient-address | The email addresses of the message recipients |
Recipient-count | The total number of recipients |
Recipient-status | The status of the recipient email address |
Reference | The references, if any |
Related-recipient-address | The email addresses of any related recipients |
Return-path | The return path on the message |
Sender-address | The distinguished name of the sender’s email address |
Server-hostname | The server on which the log entry was generated |
Server-ip | The IP address of the server on which the log entry was generated |
Source | The messaging component for which the event is being logged, such as StoreDriver |
Source-context | The context of the event source |
Tenant-id | A tenant identifier |
Total-bytes | The total size of the message in bytes |
You can view the message tracking log files with any standard text editor, such as Microsoft Notepad. You can also import the message tracking log files into a spreadsheet or a database. Follow these steps to import a message tracking log file into Microsoft Excel:
With Excel 2007 or Excel 2010, click the Microsoft Office Button, and then tap or click Open. With Excel 2013, select File and then select Open. On the Open panel, select Computer and then select Browse.
Use the Open dialog box to select the message tracking log file you want to open. Set the file type as All Files (*.*), select the log file, and then tap or click Open.
The Text Import Wizard starts automatically. Tap or click Next. On the Delimiters list, choose Comma. Tap or click Next, and then tap or click Finish.
The log file should now be imported. You can view, search, and print the message tracking log as you would any other spreadsheet.
Note
You also can use Log Parser Studio to work with Exchange logs. See “Using Log Parser Studio” in Chapter 9.
Getting delivery reports
As part of message tracking, you can create delivery reports in Exchange Admin Center. Delivery reports allow you to search for the delivery status of messages sent to or from user’s in your organization. In delivery reports, messages are listed by sender, recipients, and date and time sent. If subject line tracking is enabled, the subject line of messages is also included in reports.
You can track messages for up to 14 days after they were sent or received by completing the following steps:
In Exchange Admin Center, select Mail Flow in the Features pane, and then select Delivery Reports. As shown in Figure 8-1, the main pain provides options for tracking messages.
Each delivery report is for messages sent to or from a specific mailbox. Under Mailbox To Search, click Browse. Select the mailbox to search, and then tap or click OK.
Use the options provided to specify whether you want to search for messages sent from or to the mailbox you’re searching. Keep the following in mind:
To find messages sent to specific users or groups from the mailbox you’re searching, select Search For Messages Sent To, and then tap or click Select Users. In the Select Users dialog box, select a user or group from the list, and then click Add. Repeat as necessary to add other users and groups. Tap or click OK when you’re finished.
To find all messages sent from the mailbox you’re searching, select Search For Messages Sent To and then don’t select any specify users or groups. By leaving the field blank, you create delivery reports for messages sent from the mailbox to anyone.
To find messages sent by a specific user to the mailbox you’re searching, select Search For Messages Received From, and then tap or click Select A User. In the Select Members dialog box, select a user from the list, and then click Add. Tap or click OK when you are finished. If you choose this option, you must select a user and cannot leave the field blank.
Optionally, if subject line tracking is enabled, you can restrict the search to messages with specific keywords in the subject line. In the Search For These Words… box, type one or more keywords to search for in the subject line of messages. To search for an exact phrase, enclose the phrase in quotation marks.
When you’re ready to begin the search, tap or click Search. If any matching messages are found, they are listed in the Search Results pane with the following fields:
From. The display name, email address or alias of the person who sent the message
To. The display name, email address or alias of each message recipient
Sent. The date and time the message was sent
Subject. The subject line of the message
View the delivery status and detailed delivery information for a message by selecting the message in the Search Results pane, and then selecting Details. When messages are sent to distribution groups, the details tell you the specific delivery status of each recipient in the group. When messages are moderated, the details tell you whether the moderator approved or rejected the message.
Using protocol logging
Protocol logging allows you to track Simple Mail Transfer Protocol (SMTP) communications that occur between servers as part of message routing and delivery. These communications could include both Exchange servers and non-Exchange servers. When non-Exchange servers send messages to an Exchange server, Exchange does the protocol logging of the communications.
You use protocol logging to troubleshoot problems with the Send and Receive connectors that are configured on Mailbox and Edge Transport servers. However, you shouldn’t use protocol logging to monitor Exchange activity. This is primarily because protocol logging can be processor intensive and resource intensive, which means that an Exchange server may have to perform a lot of work to log protocol activity. The overhead required for protocol logging depends on the level of messaging activity on the Exchange server.
Configuring protocol logging
By default, protocol logging isn’t enabled on custom connectors. As long as you know the identity of the custom connector with which you want to work, you can configure protocol logging for a specified connector. To retrieve a list of available Send and Receive connectors for a server, use the Get-SendConnector and Get-ReceiveConnector cmdlets, respectively. If you run either cmdlet without specifying additional parameters, a list of all available Send or Receive connectors is returned.
You enable or disable protocol logging on a per-connector basis. For Send connectors, you use the Set-SendConnector cmdlet to enable protocol logging. For Receive connectors, you use the Set-ReceiveConnector cmdlet to enable protocol logging. Both cmdlets have a –ProtocolLoggingLevel parameter that you can set to Verbose to enable protocol logging or to None to disable protocol logging. Here is an example:
Set-ReceiveConnector -Identity "Corpsvr127Custom Receive Connector" -ProtocolLoggingLevel 'Verbose'
In the Transport service on every Mailbox server and in the Front End Transport service on every Client Access server is an implicitly created Send connector, referred to as the intra-organization Send connector. The Transport service on Mailbox servers uses the intra-organization Send connector to relay messages to other Transport servers in the Exchange organization. By default, the Transport service on Mailbox servers doesn’t perform protocol logging on the intra-organization Send connector. You enable or disable protocol logging for this Send connector on a Mailbox server by using the -MailboxDeliveryConnectorProtocolLoggingLevel parameter of the Set-MailboxTransportService cmdlet. Use Verbose to enable protocol logging or to None to disable protocol logging. Here is an example:
Set-MailboxTransportService -Identity MailServer18 -MailboxDeliveryConnectorProtocolLoggingLevel 'Verbose'
The Frontend Transport service uses the intra-organization Send connector to relay messages to the Transport service on Exchange 2013 Mailbox servers. By default, the Front End Transport service on Client Access servers performs protocol logging on the intra-organization Send connector. You enable or disable protocol logging for this Send connector on a Client Access server by using the -IntraOrgConnectorProtocolLoggingLevel parameter of the Set-FrontEndTransportService cmdlet. Use Verbose to enable protocol logging or set to None to disable protocol logging. Here is an example:
Set-FrontEndTransportService -Identity CAServer26 -IntraOrgConnectorProtocolLoggingLevel 'Verbose'
Although you enable protocol logging on a per-connector basis, you configure the other protocol logging parameters on a per-server basis for either all Send connectors or all Receive connectors by using the Set-TransportService cmdlet. As it does with message tracking logs, Exchange Server overwrites the oldest protocol logs automatically when tracking logs reach a maximum age or when the maximum log directory size is reached. If you decide to move the protocol log directories, you should create the directories you want to use and then set the following required permissions:
Full Control for the server’s local Administrators group
Full Control for System
Full Control for Network Service
Because the parameters are similar to those for message tracking, I’ll summarize the available parameters. Table 8-2 shows the Send connector parameters for configuring protocol logging. Table 8-2 shows the Receive connector parameters for configuring protocol logging. In the default path for logs, the ServerType can be FrontEnd, Mailbox, or Hub. Under FrontEndProtocolLogs, you’ll find logs for the Front End Transport service on Client Access servers. Under HubProtocolLogs, you’ll find logs for the Transport service on Mailbox servers. Under MailboxProtocolLogs, you’ll find logs for the Mailbox Transport service on Mailbox servers.
PARAMETER | DESCRIPTION | DEFAULT |
SendProtocolLogMaxAge | Sets the maximum age for Send connector protocol logs | 30.00:00:00 |
SendProtocolLogMaxDirectorySize | Sets the maximum size for the Send connector protocol log directory | 250 MB |
SendProtocolLogMaxFileSize | Sets the maximum size for Send connector protocol logs | 10 MB |
SendProtocolLogPath | Sets the local file path for protocol logging of Send connectors | %ExchangeInstallPath%TransportRolesLogsServerTypeProtocolLogsSmtpSend |
PARAMETER | DESCRIPTION | DEFAULT |
ReceiveProtocolLogMaxAge | Sets the maximum age for Receive connector protocol logs | 30.00:00:00 |
ReceiveProtocolLogMaxDirectorySize | Sets the maximum size for the Receive connector protocol log directory | 250 MB |
ReceiveProtocolLogMaxFileSize | Sets the maximum size for Receive connector protocol logs | 10 MB |
ReceiveProtocolLogPath | Sets the local file path for protocol logging of Receive connectors | %ExchangeInstallPath%TransportRolesLogsServerTypeProtocolLogsSmtpReceive |
Tip
You can configure send and receive protocol log paths in the Exchange Admin Center. To do this, select Servers in the Features pane, and then select Servers. In the main pane, double-tap or double-click the server you want to configure to display the related Properties dialog box. On the Transport Logs page, the Protocol log panel shows the current send and receive protocol log paths. You can specify the log file path by entering the desired directory path for logging or accept the default setting.
Working with protocol logging properties and fields
When protocol logging is enabled, a Mailbox server or a transport server creates protocol logs daily. Mailbox and transport servers store logs in either the %Exchange-InstallPath%TransportRolesLogsServerTypeProtocolLogSmtpSend or %Exchange-InstallPath%TransportRolesLogsServerTypeProtocolLogSmtpReceive directory as appropriate for the type of server and connector being logged. For POP, IMAP, and other non-SMTP content aggregation, related logs are in the %ExchangeInstallPath%TransportRolesLogsProtocolLogHTTPClient directory. Each log file is named by the date on which it was created, using the format SENDYYYYMMDD-N.log or RECVYYYYMMDD-N.log, such as SEND20140605-1.log for the first Send connector log created on June 5, 2014. Additional protocol logs are found in subdirectories of the %ExchangeInstallPath%Logging directory. In the AddressBook Service subdirectory, you’ll find logs for the Address Book service. In the RPC Client Access subdirectory, you’ll find logs for Remote Procedure Calls for Client Access services.
The protocol log stores each SMTP protocol event on a single line. The information on a particular line is organized by comma-separated fields. Logs begin with a header that shows the following information:
A statement that identifies the file as either a Send connector protocol log or a Receive connector protocol log
The date on which the log file was created
The version of the Exchange Server that created the file
A comma-delimited list of fields contained in the body of the log file
Table 8-4 summarizes SMTP event fields and their meanings. Not all of the fields are tracked for all protocol events. You can view the protocol log files with any standard text editor, such as Notepad. You can also import the protocol log files into a spreadsheet or a database.
LOG FIELD | DESCRIPTION |
Connector-id | The distinguished name of the connector associated with the event. |
Context | The context for the SMTP event. |
Data | The data associated with the SMTP event. |
Date-time | The date and time of the protocol event in a locale-specific format. For U.S. English, the format is YYYY-MM-DDTHH: MM:SSZ, such as 2014-06-05T23:30:59Z. |
Event | The type of protocol event: + for Connect, – for Disconnect, > for Send, < for Receive, and * for Information. |
Local-endpoint | The local endpoint of the SMTP session, identified by the Internet Protocol (IP) address and Transmission Control Protocol (TCP) port. |
Remote-endpoint | The remote endpoint of the SMTP session, identified by the IP address and TCP port. |
Sequence-number | The number of the event within an SMTP session. The first event has a sequence number of 0. |
Session-id | The globally unique identifier of the SMTP session. Each event for a particular session has the same identifier. |
Optimizing protocol logging for HTTP
Client Access servers have web-based applications and virtual directories that use Microsoft Internet Information Services (IIS) to provide the related services. In IIS 7.0 and later, protocol logging for HTTP is a feature available when the HTTP Logging module is installed and logging is enabled. By default, this module is installed with IIS and enabled. The default configuration is to use one log file per website per day.
You can view and manage the logging settings by completing the following steps:
Start Internet Information Services (IIS) Manager. Start Server Manager, tap or click Tools, and select Internet Information Services (IIS) Manager.
Note
By default, IIS Manager connects to the services running on the local computer. If you want to connect to a different server, select the Start Page node in the left pane, and then tap or click the Connect To A Server link. This starts the Connect To Server Wizard. Follow the prompts to connect to the remote server. Keep in mind that with IIS 7.0 and later, the Windows Remote Management Service must be configured and running on the remote server.
When you install the Client Access role, the default website is created (or updated) to include the virtual directories and web-based applications used to provide front-end services for Exchange Server. If a server has the Mailbox role, a website named Exchange Back End is created and has virtual directories and web-based applications used to provide back-end services for Exchange Server. In IIS Manager, double-tap or double-click the entry for the server with which you want to work, and then double-tap or double-click Sites.
In the left pane, select the website that you want to manage, and then double-tap or double-click Logging in the main pane to open the Logging feature as shown in Figure 8-2.
If all logging options are dimmed and the server is configured for per-site logging, you can tap or click Enable in the Actions pane to enable logging for this site. Otherwise, if logging is configured per server, you need to configure logging at the server level rather than at the site level; the procedure is similar.
Use the Format selection list to choose one of the following log formats:
W3C Extended Log File Format. Writes the log in ASCII text following the World Wide Web Consortium (W3C) extended log file format. Fields are space-delimited, and each entry is written on a new line. This style is the default. Using this option allows you to include extensive information about clients, servers, and connections.
Microsoft IIS Log File Format. Writes the log in ASCII text following the IIS log file format. Fields are tab-delimited, and each entry is written on a new line. Using this option allows you to collect basic information about clients, servers, and connections.
NCSA Common Log File Format. Writes the log in ASCII text following the National Center for Supercomputing Applications (NCSA) common log file format. Fields are space-delimited, and each entry is written on a new line. When you use this option, log entries are small because only basic information is recorded.
On the Log File panel, use the Directory text box to set the main folder for log files. By default, log files are written to a subdirectory of %SystemDrive%inetpublogsLogFiles.
On the Log File Rollover panel, select Schedule and then use the related selection list to choose a logging time period. In most cases, you’ll want to create daily or weekly logs, so select either Daily or Weekly.
If you selected W3C, tap or click Select Fields, and then choose the fields that should be recorded in the logs. Tap or click Apply.
Working with HTTP protocol logs
On Client Access servers, HTTP protocol log files can help you detect and trace problems with HTTP, Outlook Web App, Microsoft Exchange ActiveSync, and Outlook Anywhere. By default, Exchange Server writes protocol log files to a subdirectory of %SystemDrive%inetpublogsLogFiles. You can use the logs to determine the following:
Whether a client was able to connect to a specified server and, if not, what problem occurred
Whether a client was able to send or receive protocol commands and, if not, what error occurred
Whether a client was able to send or receive data
How long it took to establish a connection
How long it took to send or receive protocol commands
How long it took to send or receive data
Whether server errors are occurring and, if so, what types of errors are occurring
Whether server errors are related to Windows or to the protocol itself
Whether a user is connecting to the server using the proper logon information
Most protocol log files are written as ASCII text. This means you can view them in Notepad or another text editor. You can import these protocol log files into Excel in much the same way as you import tracking logs.
Log files, written as space-delimited or tab-delimited text, begin with a header that shows the following information:
A statement that identifies the protocol or service used to create the file
The protocol, service, or software version
A date and time stamp
A space-delimited or tab-delimited list of fields contained in the body of the log file
The name of the subdirectory used for logging depends on the number of websites hosted on a server. Typically, when a server has either the Client Access role or the Mailbox role, the subdirectory name is W3SVC1, which identifies the website as the first created for IIS. When a server has the Client Access role and the Mailbox role, the W3SVC1 subdirectory typically is used for front-end logging and the W3SVC2 subdirectory is used for back-end logging. As discussed in Chapter 9, you also can use Log Parser Studio to work with HTTP protocol logs.
Servers can have additional websites or may not have websites created in the expected order, such as when you deploy a Mailbox server and then later add the Client Access role to this server. In this case, you’ll want to confirm the identity of the logging subdirectory by using the following command:
Get-OwaVirtualDirectory -Server ServerID -ShowMailboxVirtualDirectories
|fl identity, metabasepathServerID is the host name or fully-qualified domain name of the Exchange server to check, such as:
Get-OwaVirtualDirectory -Server MailServer21 -ShowMailboxVirtualDirectories |fl identity, metabasepath
The output will show the website identity and metabase path for the Outlook Web App (OWA) virtual directories created on the server. If the server has front-end and back-end virtual directories for OWA, the output will be similar to the following:
Identity : MAILSERVER21owa (Exchange Back End) MetabasePath : IIS://MAILSERVER21.pocket-consultant.com/W3SVC/2/ROOT/owa Identity : MAILSERVER21owa (Default Web Site) MetabasePath : IIS://MAILSERVER21.pocket-consultant.com/W3SVC/1/ROOT/owa
In the output, note that the name of the associated website is shown in parenthesis as part of the identity and the subdirectory path can be extrapolated from the metabase path. Here, the back-end virtual directory is named Exchange Back End and has the associated subdirectory W3SVC2 (which is shown as W3SVC/2 in the metabase path). The front-end virtual directory is named Default Web Site and has the associated subdirectory W3SVC1 (which is shown as W3SVC/1 in the metabase path).
Using connectivity logging
Connectivity logging allows you to track the connection activity of outgoing message delivery queues. You use connectivity logging to troubleshoot problems with messages reaching their designated destination Mailbox server or recipient.
Configuring connectivity logging
By default, Exchange Server performs connectivity logging. Exchange Server creates connectivity logs when clients connect to the Front End Transport service on Client Access servers and when clients are proxied or redirected to the Transport service on Mailbox servers. Exchange Server also creates connectivity logs for communications with the mailbox databases on a Mailbox server. Generally, Exchange Server creates connectivity logs to track:
When the Mailbox Transport Delivery receives SMTP messages from the Transport service and connects to local mailbox databases.
When the Mailbox Transport Submission service connects to local mailbox databases to retrieve messages and submit them to the Transport service for delivery.
You manage connectivity logging for the Front End Transport service by using Set-FrontEndTransportService, the Transport service by using Set-TransportService, and the Mailbox Transport service by using Set-MailboxTransportService. With any of these cmdlets, you can enable or disable connectivity logging for the service by setting the –ConnectivityLogEnabled parameter to $true or $false, as appropriate. The following example disables connectivity logging for the Transport service on MailServer34:
Set-TransportService -Identity "MailServer34"
-ConnectivityLogEnabled $falseTip
You can use the Exchange Admin Center to configure basic logging options for the Transport service (but not for other services). To do this, select Servers in the Features pane, and then select Servers. In the main pane, double-tap or double-click the server you want to configure to display the related Properties dialog box. On the Transport Logs page select or clear the Enable Connectivity Logging check box. If you enable connectivity logging, you can specify the log file path, and then tap or click OK.
The Front End Transport service, the Transport service, and the Mailbox Transport service can have different connectivity logging settings:
Use the –ConnectivityLogMaxAge parameter to set the maximum log file age. The default maximum age is 30.00:00:00.
Use the –ConnectivityLogMaxDirectorySize parameter to set the maximum log directory size. The default maximum log directory size is 250 MB.
Use the –ConnectivityLogMaxFileSize parameter to set the maximum log file size. The default maximum log file size is 10 MB.
Use the –ConnectivityLogPath parameter to move the log directory to a new location. The default logging directory depends on the service with which you are working.
As it does with other logs, Exchange Server overwrites the oldest connectivity logs automatically when tracking logs reach a maximum age or when the maximum log directory size is reached. If you decide to move the protocol log directories, you should create the directories you want to use and set the following required permissions:
Full Control for the server’s local Administrators group
Full Control for System
Full Control for Network Service
Working with connectivity log properties and fields
Exchange Server creates connectivity logs daily and stores them in the %Exchange-InstallPath%TransportRolesLogsServerTypeConnectivity directory. In the default path for logs, the ServerType can be FrontEnd, Mailbox, or Hub. Under FrontEndConnectivity, you’ll find logs for the Front End Transport service on Client Access servers. Under HubConnectivity, you’ll find logs for the Transport service on Mailbox servers. Under MailboxConnectivity, you’ll find a Submission subdirectory containing logs for the Mailbox Transport Submission service on Mailbox servers, and a Delivery subdirectory containing logs for the Mailbox Transport Delivery service on Mailbox servers.
Each log file is named by the date on which it was created, using the format CONNECTLOGYYYYMMDD-N.log, such as CONNECTLOG20140521-1.log for the first connectivity log created on May 21, 2014. The connectivity log stores outgoing queue connection events on a single line. The information on a particular line is organized by comma-separated fields. Logs begin with a header that shows the following information:
A statement that identifies the file as a connectivity log
The date on which the log file was created
The version of Exchange Server that created the file
A comma-delimited list of fields contained in the body of the log file
Table 8-5 summarizes connectivity logging fields and their meanings. Not all of the fields are tracked for all outgoing queue connection events. You can view the connectivity log files with any standard text editor, such as Notepad. You can also import the connectivity log files into a spreadsheet or a database, as discussed previously.
LOG FIELD | DESCRIPTION |
Date-time | The date and time of the outgoing queue connection event. |
Session | The globally unique identifier of the SMTP session. Each event for a particular session has the same identifier. For Messaging Application Programming Interface (MAPI) sessions, this field is blank. |
Destination | The name of the destination Mailbox server, smart host, or domain. |
Direction | The direction of the event: + for Connect, – for Disconnect, > for Send, and < for Receive. |
Description | The data associated with the event, including the number and size of messages transmitted, Domain Name Server (DNS) name resolution information, connection success messages, and connection failure messages. |
Monitoring events, services, servers, and resource usage
As an Exchange administrator, you should routinely monitor event logs, services, servers, and resource usage. These elements are the keys to ensuring that the Exchange organization is running smoothly. Because you can’t be on-site 24 hours a day, you may want to set alerts to notify you when problems occur.
Important
Exchange 2013 includes a built-in monitoring and problem resolution architecture that can resolve many types of issues automatically. The automated responders will take recovery actions automatically, which can include restarting services and restarting servers. For more information, see Chapter 9.
Viewing events
System and application events generated by Exchange Server are recorded in the Windows event logs. The primary log that you’ll want to check is the application log. In this log, you’ll find the key events recorded by Exchange Server services. Keep in mind that related events might be recorded in other logs, including the directory service, DNS server, security, and system logs. For example, if the server is having problems with a network card and this card is causing message delivery failures, you’ll have to use the system log to pinpoint the problem.
You access the application log by completing the following steps:
In Server Manager, tap or click Tools, and then select Event Viewer.
If you want to view the logs on another computer, in the console tree, press and hold or right-click the Event Viewer entry, and choose Connect To Another Computer from the shortcut menu. You can now choose the server for which you want to manage logs.
Double-tap or double-click the Windows Logs node. You should now see a list of logs.
Select the Application log, as shown in Figure 8-3.
Entries in the main panel of Event Viewer provide an overview of when, where, and how an event occurred. To obtain detailed information on an event, select its entry. The event level precedes the date and time of the event. Event levels include the following:
Information. An informational event, generally related to a successful action
Warning. Details for warnings are often useful in preventing future system problems
Error. An error such as the failure of a service to start
In addition to level, date, and time, the summary and detailed event entries provide the following information:
Source. The application, service, or component that logged the event
Event ID. An identifier for the specific event
Task category. The category of the event, which is sometimes used to further describe the related action
User. The user account that was logged on when the event occurred
Computer. The name of the computer on which the event occurred
Description. In the detailed entries, this event entry provides a text description of the event
Data. In the detailed entries, this event entry provides any data or error code output created by the event
Use the event entries to detect and diagnose Exchange performance problems. Exchange-related event sources include the following:
ESE. Helps you track activities related to the Extensible Storage Engine (ESE) used by the Information Store. Watch for logging and recovery errors, which might indicate a problem with a database or a recovery action. For example, Event ID 300 indicates the database engine initiated recovery steps; Event ID 301 indicates the database engine has begun replaying a log file for a mailbox database; and Event ID 302 indicates the database engine has successfully completed recovery steps. If you want to track the status of online defragmentation, look for Event ID 703. Additional related sources include ESENT and ESE Backup.
MSExchange ActiveSync. Helps you track activities related to the Exchange ActiveSync and connection requests from mobile devices. For example, Event ID 1021 indicates a non-compliant device is trying to connect with Exchange ActiveSync.
MSExchange Antimalware, MSExchange Antispam, MSExchange Anti-spam Update. Helps you track activities related to anti-malware and anti-spam agents. When you’ve configured Exchange to use Microsoft Update to retrieve anti-spam updates, watch for errors regarding update failure. You might need to change the Microsoft Update configuration or the way updates are retrieved.
MSExchange Assistants, MSExchangeMailboxAssistants. Helps you track activities related to the Microsoft Exchange Mailbox Assistants service. The Microsoft Exchange Mailbox Assistants service performs background processing and maintenance of mailboxes. Watch for processing errors, which can indicate database structure problems.
MSExchange EdgeSync. Helps you track activities related to the Edge Synchronization processes. The Microsoft Exchange EdgeSync service uses the Exchange Active Directory Provider to obtain information about the Active Directory topology. If the service cannot locate a suitable domain controller, the service fails to initialize and edge synchronization fails as well.
MSExchange TransportService, MSExchangeTransport. Helps you track activities related to the Microsoft Exchange Transport service and message transport in general. Watch for errors that can indicate issues with storage or shadow redundancy. Related sources include MSExchangeDelivery and MSExchangeTransportDelivery for tracking the Mailbox Transport Delivery service, and MSExchangeSubmission and MSExchangeTransportSubmission for tracking the Mailbox Transport Submission service.
MSExchangeADAccess. Helps you track activities related to the Exchange Active Directory Provider, which is used for retrieving information for Active Directory and performing the DNS lookups that Exchange uses to locate domain controllers and global catalog servers. Watch for topology discovery failures and DNS lookup failures, which can indicate problems with the DNS configuration as well as with the Active Directory site configuration.
MSExchangeDiagnostics, MSExchangeHM. Helps you track activities related to the Microsoft Exchange Diagnostics service and the Microsoft Exchange Health Manager, respectively. With diagnostics, watch for errors related to low disk space and low available memory. With the health manager, watch for errors related to the working processes. Also MSExchangeHMHost.
MSExchangeFrontEndTransport, MSExchange Front End HTTP Proxy. Help you track activities related to Front End Transport service and Front End HTTP proxying of web applications, respectively. Related sources include MSExchange OWA for tracking the Outlook Web App, MSExchange Web Services for tracking Exchange Web Services, and MSExchange RPC Over HTTP Autoconfig for tracking the configuration of Outlook Anywhere.
MSExchangeIS. Helps you track activities related to the Microsoft Exchange Information Store service and mailbox databases. If a user is having problems logging on to Exchange, you might see multiple logon errors. You might also see a lot of logon errors if someone is trying to hack into an Exchange mailbox. Watch also for errors related to high availability.
MSExchangeRepl. Helps you track activities related to Active Manager and database failover. Watch for errors related to mounting, moving, or unmounting databases.
Managing essential services
Most of Exchange Server’s key components run as system services. If an essential service stops, its related functionality will not be available and Exchange Server won’t work as expected. When you are troubleshooting Exchange Server problems, you’ll want to check to ensure that essential services are running as expected early in your troubleshooting process. To manage system services, you can use the Services console or the Services node in the Computer Management console. You can start and work with the Services console by completing the following steps:
In Server Manager, tap or click Tools, and then select Services.
If you want to manage the services on another computer, press and hold or right-click the Services entry in the console tree, and select Connect To Another Computer on the shortcut menu. You can now choose the system with which you want to work.
As Figure 8-4 shows, you’ll now see the available services. Services are listed by
Name. The name of the service.
Description. A short description of the service and its purpose.
Status. The status of the service. If the entry is blank, the service is stopped.
Startup Type. The startup setting for the service.
Log On As. The account the service logs on as. The default in most cases is the local system account.
Tip
Any service that has a startup type of Automatic should have a status of Started. If a service has a startup type of Automatic and the status is blank, the service is not running and you should start it (unless another administrator has stopped it to perform maintenance or troubleshooting).
If a service is stopped and it should be started, you need to restart it. If you suspect a problem with a service, you can try to diagnose the problem as discussed in Chapter 9, and you might also want to stop and then restart it. To start, stop, or restart a service, complete the following steps:
Access the Services console.
Press and hold or right-click the service you want to manage, and then select Start, Stop, or Restart, as appropriate.
After you start or restart a service, you should check the event logs to see if there are errors related to the service. Any related errors you find might help you identify why the service wasn’t running. Keep in mind that Exchange 2013 automatically restarts services that are found to not be responding or otherwise need restarting as part of the Managed Availability architecture. The automated processes can also reset IIS and restart servers. Although these automated processes work well, they won’t always resolve service issues as quickly as you could by manually intervening.
Monitoring Exchange messaging components
When you are troubleshooting or optimizing a server for performance, you can use performance monitoring to track the activities of Exchange messaging components. Performance Monitor graphically displays statistics for the set of performance parameters you’ve selected for display. These performance parameters are referred to as counters. Performance Monitor displays information only for the counters you’re tracking. Thousands of counters are available, and these counters are organized into groupings called performance objects.
When you install Exchange Server 2013 on a computer, Performance Monitor is updated with a set of objects and counters for tracking Exchange performance. These objects and counters are registered during setup in the Win32 performance subsystem and the Windows registry. You’ll find several hundred related performance objects for everything from the Microsoft Exchange Active Manager to the Microsoft Exchange Journaling Agent to Microsoft Exchange Outlook Web App.
You can select which counters you want to monitor by completing the following steps:
In Server Manager, select Tools, and then select Performance Monitor. Next, select the Performance Monitor entry in the left pane, as shown in Figure 8-5.
The Performance Monitor tool has several views and view types. Ensure that you are viewing current activity by tapping or clicking View Current Activity on the toolbar or pressing Ctrl+T. You can switch between the view types (Line, Histogram Bar, and Report) by tapping or clicking the Change Graph Type button or pressing Ctrl+G.
To add counters, tap or click Add on the toolbar or press Ctrl+N. This displays the Add Counters dialog box shown in Figure 8-6.
In the Select Counters From Computer combo box, enter the Universal Naming Convention (UNC) name of the Exchange server with which you want to work, such as \MailServer18, or leave it at the default setting of <Local computer> to work with the local computer.
Note
You need to be at least a member of the Performance Monitor Users group in the domain or the local computer to perform remote monitoring. When you use performance logging, you need to be at least a member of the Performance Log Users group in the domain or the local computer to work with performance logs on remote computers.
In the Available Counters panel, performance objects are listed alphabetically. If you select an object entry by tapping or clicking it, all related counters are selected. If you expand an object entry, you can see all the related counters and you can then select individual counters by tapping or clicking them. For example, you can expand the entry for the MSExchangeTransport Database object and then select the DataRow clones/sec, Database Connections Current and MailItem new/sec counters.
When you select an object or any of its counters, you see the related instances, if any. Choose All Instances to select all counter instances for monitoring separately. Choose _total to view a single combined value reflecting data for all available instances. Or select one or more counter instances to monitor. For example, when you select MSExchangeIS Store, you’ll find separate instances for each database on the server and you could select an individual database to specifically track that database.
When you’ve selected an object or a group of counters for an object in addition to the object instances, tap or click Add to add the counters to the graph. Repeat steps 5 through 6 to add other performance parameters.
Tap or click OK when you’re finished adding counters. You can delete counters later by tapping or clicking their entry in the lower portion of the Performance window, and then tapping or clicking Delete.
Using performance alerting
Data Collector Sets are used to collect performance data. When you configure Data Collector Sets to alert you when specific criteria are met, you are using performance alerting. Windows performance alerting provides a fully automated method for monitoring server performance and reporting when certain performance thresholds are reached. You can use performance alerting to track the following:
Memory usage
CPU utilization
Disk usage
Messaging components
Using notifications, you can then provide automatic notification when a server exceeds a threshold value.
Tracking memory usage
Physical and virtual memory is critical to normal system operation. When a server runs low on memory, system performance can suffer and message processing can grind to a halt. To counter this problem, you should configure performance alerting to watch memory usage. You could then increase the amount of virtual memory available on the server or add more random access memory (RAM) as needed. However, keep in mind that increasing virtual memory isn’t something you should do without careful planning. For detailed guidance on tuning virtual memory, see Chapter 10, “Performance Monitoring and Tuning,” in Windows Server 2012 Inside Out (Microsoft Press, 2012).
You configure a memory alert by completing the following steps:
In Server Manager, select Tools, and then select Performance Monitor. Next, expand the Data Collector Sets node, and then select User Defined. You should see a list of current alerts (if any) in the right pane.
Press and hold or right-click the User-Defined node in the left pane, point to New, and then choose Data Collector Set.
In the Create New Data Collector Set Wizard, type a name for the Data Collector Set, such as Memory Usage Alert. Select the Create Manually option, and then tap or click Next.
On the What Type Of Data Do You Want To Include page, the Create Data Logs option is selected by default. Select the Performance Counter Alert option, and then tap or click Next.
On the Which Performance Counters Would You Like To Monitor page, tap or click Add. This displays the Add Counter dialog box. Because you are configuring memory alerts, expand the Memory object in the Performance Object list. Select Available MBytes by tapping or clicking it, and then tap or click Add.
Expand the Paging File object in the Performance Object list. Tap or click %Usage. In the Instances Of Selected Object panel, select _Total, and then tap or click Add. Tap or click OK.
On the Which Performance Counters Would You Like To Monitor page, you’ll see the counters you’ve added. In the Performance Counters panel, select Available MBytes (as shown in Figure 8-7), set the Alert When list to Below, and then enter a Limit value that is approximately 5 to 8 percent of the total physical memory (RAM) on the server for which you are configuring alerting. For example, if the server has 8 GB of RAM, you could set the value to 512 MB to alert you when the server is running low on available memory.
In the Performance Counters panel, select %Usage. Set the Alert When list to Above, and then type 98 as the Limit value. This ensures that you are alerted when more than 98 percent of the paging file is being used.
Tap or click Next, and then tap or click Finish. This saves the Data Collector Set and closes the wizard.
In the left pane, under User Defined, select the related Data Collector Set, and then double-tap or double-click the data collector for the alert in the main pane. This displays the data collector Properties dialog box.
On the Alerts tab, use the Sample Interval options to set a sample interval, as shown in Figure 8-8. The sample interval specifies when new data is collected. Don’t sample too frequently, however, because you’ll use system resources and might cause the server to seem unresponsive. By default, Performance Monitor checks the values of the configured counters every 15 seconds. A better value might be once every 10 to 30 minutes. Generally, you’ll want to track performance periodically over several hours at a minimum and during a variety of usage conditions.
If you want to log an event rather than be alerted every time an alert limit is reached, on the Alert Action tab, select the Log An Entry In The Application Event Log check box. Selecting this option ensures that an event is logged when the alert occurs but does not alert you via the console.
Tap or click OK to close the Properties dialog box. By default, alerting is configured to start manually. To start alerting, select the User Defined node in the left pane, tap or click the alert in the main pane to select it, and then tap or click the Start button on the toolbar.
To manage an alert, select the User Defined node in the left pane, press and hold or right-click the alert in the main pane, and then select one of the following options:
Delete. Deletes the alert
Properties. Displays the alert’s Properties dialog box
Start. Activates alerting
Stop. Halts alerting
Tracking CPU utilization
You can use a CPU utilization alert to track the usage of a server’s CPUs. When CPU use is too high, Exchange Server can’t effectively process messages or manage other critical functions. As a result, performance can suffer greatly. For example, CPU utilization at 100 percent for an extended period of time can be an indicator of serious problems on a server. To recover, you might need to use Task Manager to end the process or processes with high CPU use, or you might need to take other corrective actions to resolve the problem, such as closing applications you are running while logged on to the server.
You’ll also want to closely track process threads that are waiting to execute. A relatively high number of waiting threads can be an indicator that a server’s processors need to be upgraded.
You configure a CPU utilization alert by completing the following steps:
In Server Manager, select Tools, and then select Performance Monitor. Next, expand the Data Collector Sets node, and then select User Defined. You should see a list of current alerts (if any) in the right pane.
Press and hold or right-click the User-Defined node in the left pane, point to New, and then choose Data Collector Set.
In the Create New Data Collector Set Wizard, type a name for the Data Collector Set, such as CPU Utilization Alert. Select the Create Manually option, and then tap or click Next.
On the What Type Of Data Do You Want To Include page, the Create Data Logs option is selected by default. Select the Performance Counter Alert option, and then tap or click Next.
On the Which Performance Counters Would You Like To Monitor page, tap or click Add. This displays the Add Counter dialog box. Because you are configuring CPU alerts, expand the Processor object in the Performance Object list. Tap or click % Processor Time. In the Instances Of Selected Object panel, select _Total, and then tap or click Add.
Expand the System object in the Performance Object list. Tap or click Processor Queue Length, and then tap or click Add. Tap or click OK.
On the Which Performance Counters Would You Like To Monitor page, you’ll see the counters you’ve added. Select % Processor Time. Then set the Alert When list to Above, and type 98 as the Limit value. This ensures that you are alerted when processor use is more than 98 percent.
In the Performance Counters panel, select Processor Queue Length. Then set the Alert When list to Above, and type 3 as the Limit value. This ensures that you are alerted when more than three processes are waiting to execute, which can be an indicator that a server’s processors need to be upgraded.
Tap or click Next, and then tap or click Finish. This saves the Data Collector Set and closes the wizard.
Finish configuring the alert by following steps 10 through 13 under “Tracking memory usage” earlier in this chapter.
Tracking disk usage
Exchange Server uses disk space for data storage, logging, tracking, and virtual memory. To ensure ample disk space is always available, Exchange Server monitors free disk space. If free disk space drops below specific thresholds, Exchange will gracefully shut itself down. When Exchange is in this state, it is likely that data could get lost. To prevent serious problems, you should monitor free disk space closely on all drives used by Exchange Server.
You’ll also want to track closely the number of system requests that are waiting for disk access. A relatively high value for a particular disk can affect server performance and is also a good indicator that a disk is being overutilized or that there may be some problem with the disk. To resolve this problem, you’ll want to try to shift part of the disk’s workload to other disks, such as by moving databases, logs, or both.
You configure disk usage alerting by completing the following steps:
In Server Manager, select Tools, and then select Performance Monitor. Next, expand the Data Collector Sets node, and then select User Defined. You should see a list of current alerts (if any) in the right pane.
Press and hold or right-click the User-Defined node in the left pane, point to New, and then choose Data Collector Set.
In the Create New Data Collector Set Wizard, type a name for the Data Collector Set, such as Disk Usage Alert. Select the Create Manually option and then tap or click Next.
On the What Type Of Data Do You Want To Include page, the Create Data Logs option is selected by default. Select the Performance Counter Alert option, and then tap or click Next.
On the Which Performance Counters Would You Like To Monitor page, tap or click Add. This displays the Add Counter dialog box. Because you are configuring disk alerts, expand the LogicalDisk object in the Performance Object list. Tap or click % Free Space. In the Instances Of Selected Object panel, select all individual logical disk instances that you want to track. Do not select _Total or <All Instances>. Tap or click Add.
Expand the PhysicalDisk object in the Performance Object list. Tap or click Current Disk Queue Length. In the Instances Of Selected Object panel, select all individual physical disk instances except _Total, and then tap or click Add. Tap or click OK.
On the Which Performance Counters Would You Like To Monitor page, you’ll see the counters you’ve added. Select the first logical disk instance, set the Alert When list to Below, and then type 5 as the Limit value. This ensures that you are alerted when available free space is less than 5 percent. Repeat this procedure for each logical disk.
In the Performance Counters panel, select the first physical disk instance, set the Alert When list to Above, and then type 2 as the Limit value. This ensures that you are alerted when more than two system requests are waiting for disk access. Repeat this procedure for each physical disk.
Tap or click Next, and then tap or click Finish. This saves the Data Collector Set and closes the wizard.
Finish configuring the alert by following steps 10 through 13 under “Tracking memory usage” earlier in the chapter.
Working with queues
As an Exchange administrator, it’s your responsibility to monitor Exchange queues regularly. Mailbox and Edge Transport servers use queues to hold messages while they are processing them for routing and delivery. If messages remain in a queue for an extended period, problems could occur. For example, if an Exchange server is unable to connect to the network, you’ll find that messages aren’t being cleared out of queues.
Understanding Exchange queues
Queues are temporary holding locations for messages that are waiting to be processed, and Exchange Server 2013 uses an Extensible Storage Engine (ESE) database for queue storage. Exchange Server 2013 uses the following types of queues:
Submission queue. The submission queue is a persistent queue that is used by the Exchange Categorizer (a transport component) to temporarily store all messages that have to be resolved, routed, and processed by transport agents. All messages that are received by a transport server enter processing in the submission queue. Messages are submitted through SMTP-receive, the Pickup directory, or the store driver. Each transport server has only one submission queue. Messages that are in the submission queue cannot be in other standard queues at the same time.
Edge Transport servers use the Categorizer to route messages to the appropriate destinations. Mailbox servers use the Categorizer to expand distribution lists, to identify alternative recipients, and to apply forwarding addresses. After the Categorizer retrieves the necessary information about recipients, it uses that information to apply policies, route the message, and perform content conversion. After categorization, the transport server moves the message to a delivery queue or to the Unreachable queue.
Mailbox delivery queue. Mailbox delivery queues hold messages that are being delivered to a Mailbox server by using encrypted Exchange RPC. Only Mailbox servers have mailbox delivery queues, and they use the queue to temporarily store messages that are being delivered to mailbox recipients whose mailbox data is stored on a Mailbox server that is located in the same site as the Mailbox server. Mailbox servers have one mailbox delivery queue for each destination Mailbox server associated with messages currently being routed. After queuing the message, the Mailbox server delivers the messages to the distinguished name of the mailbox database.
Relay queue. Relay queues hold messages that are being relayed to another server. Only Mailbox servers have relay queues, and they use the queue to temporarily store messages that are being delivered to mailbox recipients whose mailbox data is being relayed through a connector, designated expansion server, or non-SMTP gateway. Mailbox servers have one relay queue for each connector, designated expansion server, or non-SMTP gateway. After queuing a message, the Mailbox server relays the message.
Remote delivery queue. Remote delivery queues hold messages that are being delivered to a remote server by using SMTP. Edge Transport servers can have remote delivery queues, and they use the queue to temporarily store messages that are being routed to remote destinations. On an Edge Transport server, these destinations are external SMTP domains or SMTP connectors. Edge Transport servers have one remote delivery queue for each remote destination associated with messages currently being routed. After queuing the message, the transport server delivers it to the appropriate server, smart host, IP address, or Active Directory site. Mailbox servers running Exchange 2013 do not have remote delivery queues.
Poison message queue. The poison message queue is used to hold messages that are detected to be potentially harmful to Exchange Server 2013 after a server failure. Messages that contain errors that are potentially fatal to Exchange Server 2013 are delivered to the poison message queue. Each Mailbox server has one poison message queue, as does each Edge Transport server. Although this queue is persistent, it typically is empty and, as a result, is not displayed in queue viewing interfaces. By default, all messages in the poison message queue are suspended and can be manually deleted.
Shadow redundancy queue. The shadow redundancy queue is used to prevent the loss of messages that are in transit by storing queued messages until the next transport server along the route reports a successful delivery of the message. If the next transport server doesn’t report successful delivery, the message is resubmitted for delivery. This queue is nonpersistent. Mailbox and Edge Transport servers have one for each hop to which the server delivered the primary message.
Safety Net queue. The Safety Net queue keeps a redundant copy of messages that have been successfully processed by a Mailbox server. If a message needs to be redelivered, a Mailbox server can resend the message from the Safety Net queue. Each Mailbox server has one primary Safety Net queue and one shadow Safety Net queue. These queues are nonpersistent.
Transport dumpster queue. The transport dumpster queue is used to hold messages that are being delivered. This queue is nonpersistent. Edge Transport servers have one queue for each Active Directory site. Mailbox servers do not have a transport dumpster queue.
Unreachable queue. The unreachable queue contains messages that cannot be routed to their destinations. Each Mailbox server has one unreachable queue, as does each Edge Transport server. Although this queue is persistent, it typically is empty and, as a result, is not displayed in queue viewing interfaces.
When a transport server receives a message, a transport mail item is created and saved in the appropriate queue within the queue database. Exchange Server assigns each mail item a unique identifier when it stores the mail item in the database. If a mail item is being routed to more than one recipient, the mail item can have more than one destination and, in this case, there is a routed mail item for each destination. A routed mail item is a reference to the transport mail item, and it is the routed mail item that Exchange queues for delivery.
Accessing the Queue Viewer
Using the Queue Viewer, you can track message queues and mail flow. On any computer in which you’ve installed the Exchange management tools, you’ll be able to access the Queue Viewer from the Exchange Toolbox. Open Exchange Toolbox from Start. With Windows Server 2008 R2, select Start, choose All Programs, and then use the Microsoft Exchange Server 2013 menu. With Windows Server 2012, you’ll find an Exchange Toolbox tile on the Start screen.
By default, the Queue Viewer connects to the queuing database on the local server (if applicable). To connect to a different server, on the Actions pane, select Connect To Server. In the Connect To Server dialog box, tap or click Browse. Select the Exchange Server with which you want to work, and then tap or click OK. Finally, tap or click Connect.
As shown in Figure 8-9, the Queue Viewer provides an overview of the status of each active queue, including the following information:
A folder icon indicates an active state.
A folder icon with a green check mark indicates the queue has a ready status.
A folder icon with a blue button and a small down arrow indicates a retry state.
A folder icon with a red exclamation point indicates a warning state, such as Not Available or Error.
Managing queues
You usually won’t see messages in queues because they’re processed and routed quickly. Messages come into a queue, Exchange Server performs a lookup or establishes a connection, and then Exchange Server either moves the message to a new queue or delivers it to its destination.
Understanding queue summaries and queue states
Messages remain in a queue when there’s a problem or if they have been suspended by an administrator. To check for problem messages, use the Queue Viewer to examine the number of messages in the queues. If you see a queue with a consistent or growing number of messages, there might be a problem. Again, normally, messages should come into a queue and then be processed quickly. Because of this, the number of messages in a queue should gradually decrease over time as the messages are processed, provided no new messages come into the queue.
Whenever you tap or click the Queues tab in the Queue Viewer, you get a summary of the currently available queues for the selected server. Although queue summaries provide important details for troubleshooting message flow problems, you do have to know what to look for. The connection status is the key information to look at first. This value tells you the state of the queue. States you’ll see include the following:
Active. An active queue has messages that are being transported.
Ready. A ready queue is needed to allow messages to be transported. When queues are ready, they can have a connection allocated to them.
Retry. A connection attempt has failed and the server is waiting to retry.
Suspended. The queue is suspended, and none of its messages can be processed for routing. Messages can enter the queue, but only if the Exchange Categorizer is running. You must resume the queue to resume normal queue operations.
Administrators can choose to enable or disable connections to a queue by pressing and holding or right-clicking the queue and selecting Suspend. If a queue is suspended, it’s unable to route and deliver messages.
You can change the queue state to Ready by pressing and holding or right-clicking the queue and selecting Resume. When you do this, Exchange Server should immediately enable the queue, which allows messages to be routed and delivered. If a queue is in the retry state, you can force an immediate retry by using the Retry command.
Other summary information that you might find useful in troubleshooting include the following:
Delivery Type. Tells you what type of recipient messages are being queued for delivery.
Next Hop Domain. Tells you the next destination of a delivery queue. For mailbox delivery, relay, and remote delivery queues, this field tells you the next hop domain. Messages queued for delivery to an EdgeSync server list the associated site and destination, such as EdgeSync–Default-First-Site To Internet.
Message Count. Tells you the total number of messages waiting in the queue. If you see a large number, you might have a connectivity or routing problem.
Next Retry Time. When the connection state is Retry, this column tells you when another connection attempt will be made. You can tap or click the Retry command to attempt a connection immediately.
Last Retry Time. When the connection state is Retry, this column tells you when the last retry attempt was made.
Last Error. Tells you the error code and details of the last error to occur in a particular queue. This information can help you determine why a queue is having delivery problems.
You can add or remove columns by using the Add/Remove Columns dialog box. Display this dialog box by choosing View in the Actions pane and then selecting Add/Remove Columns.
Refreshing the queue view
Use the queue summaries and queue state information to help you find queuing problems, as discussed in the Understanding queue summaries and queue states section earlier in this chapter. By default, the queue view is refreshed every 30 seconds, and the maximum number of message items that can be listed on each page is 1,000.
To change the viewing options, follow these steps:
In the Queue Viewer, on the View menu, tap or click Options.
To turn off automatic refresh, clear the Auto-Refresh Screen check box. Otherwise, enable automatic refresh by selecting the Auto-Refresh Screen check box.
In the Refresh Interval text box, type a specific refresh rate in seconds.
Type the desired maximum number of messaging items to be displayed per page in the Number Of Items To Display text box. Tap or click OK.
Working with messages in queues
To manage queues, you must enumerate messages. This process allows you to examine queue contents and perform management tasks on messages within a particular queue.
The easiest way to enumerate messages is to do so in sets of 1,000. To display the first 1,000 messages in a queue, follow these steps:
On the Queues tab in the Queue Viewer, you should see a list of available queues. Double-tap or double-click a queue to enumerate the first 1,000 messages, as shown in Figure 8-10.
After you enumerate messages in a queue, you can examine message details by double-tapping or double-clicking the entries for individual messages. This enumerates the first 1,000 messages in the selected queue by filtering the message queues based on the queue identifier of the selected queue.
You can also create a filter to search for specific types of messages. To do this, follow these steps:
Double-tap or double-click the queue with which you want to work. This enumerates the first 1,000 messages in the selected queue by filtering the message queues based on the queue identifier of the selected queue.
Tap or click Add Expression. Use the first selection list to specify the field you want to use for filtering messages. You can filter messages by the following criteria: Date Received, Expiration Time, From Address, Internet Message ID, Last Error, Message Source Name, Queue ID, SCL, Size (KB), Source IP, Status, and Subject.
Use the second selection list to specify the filter criteria. The available filter criteria depend on the filter field and include Equals, Does Not Equal, Contains, Does Not Contain, Greater Than, and Less Than.
Use the text box provided to specify the exact criteria to match. For example, if you are filtering messages using the Status field, you might want to see all messages in which the Status field equals Retry.
To apply the new filter criteria, tap or click Apply Filter.
Forcing connections to queues
In many cases, you can change the queue state to Ready by forcing a connection. Simply press and hold or right-click the queue, and then select Retry. When you do this, Exchange Server should immediately enable connections to the queue, and this should allow messages to be routed to and delivered from the queue.
Suspending and resuming queues
When you suspend a queue, all new message transfer activity out of that queue stops and only messages being processed will be delivered. This means that messages can continue to enter the queue, but no new messages will leave it. To restore normal operations, you must resume the queue.
You suspend and resume a queue by completing the following steps:
On the Queues tab in the Queue Viewer, you should see a list of available queues. Press and hold or right-click a queue, and then select Suspend.
When you’re done troubleshooting, press and hold or right-click the queue, and then select Resume.
Another way to suspend messages in a queue is to do so selectively. In this way, you can control the transport of a single message or several messages that might be causing problems on the server. For example, if a large message is delaying the delivery of other messages, you can suspend that message until other messages have left the queue. Afterward, you can resume the message to resume normal delivery.
To suspend and then resume individual messages, complete the following steps:
On the Messages tab in the Queue Viewer, you should see a list of queued messages.
Press and hold or right-click the message you want to suspend, and then select Suspend. You can select multiple messages by using Shift and Ctrl.
When you’re ready to resume delivery of the message, press and hold or right-click the suspended message, and then select Resume.
Deleting messages from queues
You can remove messages from queues if necessary. To do this, follow these steps:
On the Messages tab in the Queue Viewer, you should see a list of queued messages.
Press and hold or right-click the message you want to remove. You can select multiple messages by using Shift and Ctrl, and then press and hold or right-click. Select one of the following options from the shortcut menu:
Remove (With NDR). Deletes the selected messages from the queue, and notifies the sender with a nondelivery report (NDR)
Remove (Without Sending NDR). Deletes the message or messages from the queue without sending an NDR to the sender
When prompted, tap or click Yes to confirm the deletion.
Deleting messages from a queue removes them from the messaging system permanently. You can’t recover the deleted messages.