348 CHAPTER 8 KEEPING AN EYE ON EXCHANGE

Server Health Statistics

In a couple of environments, I have set up a System Monitor report that monitors the health of the server. I usually set up a dedicated computer in the help desk area that monitors the critical health-related events for the Exchange servers. In this case, health relates to available disk space, queue lengths, uptime of services, and other basic statistics. Figure 8.15 shows a sample report that contains some of these counters. This report is more of a point-in-time report because it does not track statistics over time; you can configure the Performance console to create log files of these counters, too.

Figure 8.15 Server health statistics

Of course, creating a report like this and then dedicating a computer in the help desk area to displaying the report all the time has two problems. First, someone has to actually look at the screen sometimes. Second, can the person looking at the counters actually interpret the counters and determine whether things are normal?

TIP Many of the counters in this section are much easier to monitor and use to generate alerts using the Exchange System Manager's Monitoring and Status feature described earlier in this chapter.

Another alternative is to create a Performance console alert where you specify actual thresholds that are monitored. It sends a notification or runs a script when those thresholds are exceeded. Figure 8.16 shows an alert that checks free disk space and queue lengths once every 90 seconds; if the Free Megabytes on the C: drive drops to less than 2,000MB, an alert will be generated. You have to highlight each counter in order to set the alert threshold.

On the alert's Action property page, you can configure what should be done in the event that an alert is triggered, including the following:

- Log an event to the Application event log.
- Send a network pop-up message to a user or computer.
- Start performance logging.
- Run a program.


You may also be interested in watching statistics about how many messages your system sends and receives and the amount of data that is being transferred. Table 8.4 shows some counters that are useful to watch if you are interested in the number of messages being processed by SMTP and the Advanced Queuing Engine.

NOTE Microsoft Knowledge Base article 231734, "Performance Monitor Counters for Message Categorizer," has a complete list of the SMTP server counters that are used to monitor the Advanced Queuing Engine's message categorizer.

Table 8.4: Useful SMTP Message Transport Counters

Object | Counter | Explanation
SMTP Server | %Recipients Local and %Recipients Remote | The percentage of mail recipients who are delivered either locally or via a remote server. This will give you an idea of where the majority of your messages are going.
SMTP Server | Messages Received Total and Messages Sent Total | The total number of messages accepted/sent by an SMTP virtual server.
SMTP Server | Refused for Size | Messages that were rejected because they exceeded size limitations.
SMTP Server | DNS Queries/sec | The number of DNS queries per second.
SMTP Server | Connection Errors/sec | The number of errors per second that are being generated by SMTP connections. This number should be low. More than one or two errors per second may indicate a network connection problem.
SMTP Server | Cat: LDAP Searches/sec | Total number of LDAP searches that the categorizer submits per second.
SMTP Server | Remote Queue Length | The number of messages queued to be delivered remotely.
SMTP Server | Outbound Connections Refused | The number of connections this SMTP virtual server has initiated but remote servers have refused. A high number may indicate that your server is on a black-hole list or that your users are sending messages frequently that are too large for a receiving domain.
SMTP NTFS Store Driver | Messages in the Queue Directory | Total number of messages stored in the queue directory for a particular SMTP virtual server. This indicates inbound messages.


Table 8.3: Additional System Monitor Counters (continued)

Object | Counter | Explanation
MSExchangeIS Public | Total Size of Recoverable Items |
MSExchangeIS Mailbox and MSExchangeIS Public | Total Count of Recoverable Items | The number of messages used by deleted items in the private (or public) Information Store database.
MSExchangeIS Mailbox | Single Instance Ratio | The average ratio of mailbox pointers to each message in the store. Many organizations consider themselves lucky if this value is greater than 1.8. This value will change over time as the users delete copies of messages with several recipients. A very low value may indicate that most of the messages sent and received are coming from and going to points beyond the Exchange server. This number is maintained on a store-by-store basis. So if your Exchange 2003 server has five mailbox stores, you will have five different ratios. This is not a server-by-server number!
MSExchangeIS Private and MSExchangeIS Public | Messages Submitted | The total number of messages submitted to the private (or public) Information Store databases since the Information Store service was started.
SMTP Server | Messages Received | The total number of messages received from the specified SMTP virtual server.
SMTP Server | Store/MSExchangeMTA Submits | The total number of messages received by the message transport driver from the mailbox stores and the MTA.
MSExchangeMTA | Message Bytes/sec | The number of message bytes being processed by the MTA every second. Divide this value by the Messages/sec counter to get the average message size.
MSExchangeMTA | Outbound Message Total | The total number of messages the MTA has delivered off the server since the service was started.
MSExchangeMTA | Inbound Message Total | The total number of messages the MTA has received since the MTA service was started.
MSExchangeIS | Virus Scan Messages Processed | The total number of messages that have been scanned by the virus API since the Information Store was started.


TROUBLESHOOTING OUTLOOK USING PORT QUERY 795 Figure 20.11

The first is the Connection Status tool. To view this dialog box (shown in Figure 20.12), you need the secret handshake. Hold the Ctrl key down, click the Outlook icon in the system tray, and then choose Connection Status. This image is a little different from one shown earlier in this chapter. This one indicates the connection type is TCP/IP and that the client is connecting directly to the domain controllers instead of being proxied through the Exchange server, which is the case with HTTPS connections.

Figure 20.12 Viewing Outlook 2003 connection status

From the Connection Status screen, you can see the connections your Outlook client has to the Exchange servers and Global Catalog servers. In Figure 20.12, you can see I have two connections to directory servers (Global Catalog servers) called CTAHNL2 and CTAHNL3. The Outlook client has three connections to the mailbox server; this is normal. The Conn column will say either TCP/IP (indicating a standard RPC connection) or HTTPS (indicating RPC over HTTP). The Req/Fail indicates the number of successful and failed requests to the Exchange server. The Avg Resp column indicates the average response time (in milliseconds). The Version indicates the version of Exchange; 6944 is the RTM version of Exchange 2003.

What Avg Resp numbers are good? I like to think that anything below 200 is good on a LAN or high-speed WAN; the numbers you saw in Figure 20.12 are connections over a VPN connection through several T1s and my cable modem connection. For lower-speed WANs or dial-up connections, almost any number is acceptable provided you are not seeing a high failure rate (this would indicate that RPC requests are timing out and being re-sent). Don't panic if you see Avg Resp numbers that are greater than 1,000; as long as your performance is good and you are not seeing a large number of failures (more than 10 percent), this is probably not a problem. There are two Global Catalogs in Figure 20.12, and for some reason the second GC always has a much higher response time.

Another useful troubleshooting feature of Outlook 2003 is the ability to log communication between the Outlook client and its mail servers. The log recorded is a text file. To enable mail logging, from Outlook 2003, choose Tools > Options > Other > Advanced Options. Check the Enable Mail Logging (Troubleshooting) box, click OK twice, and restart Outlook.

WARNING Don't forget to disable logging when you are finished; otherwise, the log file will keep growing!


    UUID: 469d6ec0-0d87-11ce-b13f-00aa003bac6c MS Exchange System Attendant Public Interface
    ncacn_ip_tcp:192.168.254.52[5000]
    UUID: 469d6ec0-0d87-11ce-b13f-00aa003bac6c MS Exchange System Attendant Public Interface
    ncacn_http:192.168.254.52[6002]
    UUID: 83d72bf0-0d89-11ce-b13f-00aa003bac6c MS Exchange System Attendant Private Interface
    ncacn_http:192.168.254.52[6002]
    UUID: 1544f5e0-613c-11d1-93df-00c04fd7bd09 MS Exchange Directory RFR Interface
    ncacn_ip_tcp:192.168.254.52[5000]
    UUID: 1544f5e0-613c-11d1-93df-00c04fd7bd09 MS Exchange Directory RFR Interface
    ncacn_http:192.168.254.52[6002]
    UUID: f5cc5a18-4264-101a-8c59-08002b2f8426 MS NT Directory NSP Interface
    ncacn_ip_tcp:192.168.254.52[3500]
    Total endpoints found: 217

In this example, the Information Store has been statically mapped to TCP port 5002, the System Attendant's NSPI interface is 5001, and the domain controller's RPC interface is 3500. I statically mapped these using Registry keys you can find in Chapter 19, "Exchange and Firewalls." The RPC over HTTP ports also appear in the preceding list, the Information Store is 6001, and the System Attendant's NSPI interface is 6002.

I can use the PORTQRY.EXE program to identify whether each service is responding over the network. For example, if I want to see whether the Information Store is active and responding, I can type the following:

    C:\>portqry.exe -n kilauea -p tcp -e 5002
    Querying target system called:
    kilauea
    Attempting to resolve name to IP address…
    Name resolved to 192.168.254.52
    TCP port 5002 (unknown service): LISTENING

Outlook 2003 Troubleshooting

If you cannot already tell, I am a big fan of Outlook 2003. Even if you don't use the RPC over HTTP functions of Outlook 2003, local caching mode alone is worth the trouble of upgrading. Outlook 2003 included a couple of additional troubleshooting features that are worth mentioning.
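The endpoint-mapper listing from the Port Query section can be checked mechanically against the ports you statically mapped for the firewall. The following is an added example, not code from the book: the `EXPECTED` table is a hypothetical policy built from ports seen in the listing, and the sample output is constructed (the NSP interface is shown on a dynamic port and the RFR interface is left out so that both findings appear).

```python
import re

# One endpoint entry: "UUID: <guid> <annotation>" followed by "<protocol>:<host>[<endpoint>]".
# Works whether the binding is on its own line or the text has been flattened.
ENDPOINT_RE = re.compile(
    r"UUID:\s*([0-9a-fA-F-]{36})\s*((?:(?!UUID:).)*?)\s*(nca\w+):([^\[\s]+)\[([^\]]+)\]",
    re.DOTALL,
)


def parse_endpoints(text):
    """Return (uuid, annotation, protocol, host, endpoint) for each entry."""
    return [
        (uuid.lower(), " ".join(note.split()), proto, host, endpoint)
        for uuid, note, proto, host, endpoint in ENDPOINT_RE.findall(text)
    ]


def check_static_ports(text, expected):
    """Compare registered ncacn_ip_tcp ports with the expected static mapping."""
    registered = {}
    for uuid, _, proto, _, endpoint in parse_endpoints(text):
        if proto == "ncacn_ip_tcp" and endpoint.isdigit():
            registered.setdefault(uuid, set()).add(int(endpoint))
    findings = []
    for uuid, (name, port) in expected.items():
        ports = registered.get(uuid)
        if not ports:
            findings.append((name, "not registered", port, None))
        elif ports != {port}:
            findings.append((name, "unexpected port", port, sorted(ports)))
    return findings


# Hypothetical policy: interface UUID -> (label, TCP port allowed through the firewall).
EXPECTED = {
    "a4f1db00-ca47-1067-b31e-00dd010662da": ("Exchange Server STORE ADMIN Interface", 5002),
    "f5cc5a18-4264-101a-8c59-08002b2f8426": ("MS NT Directory NSP Interface", 3500),
    "1544f5e0-613c-11d1-93df-00c04fd7bd09": ("MS Exchange Directory RFR Interface", 5000),
}

# Constructed sample in the layout of the listing above.
SAMPLE = """\
TCP port 135 (epmap service): LISTENING
Querying Endpoint Mapper Database...
Server's response:
UUID: a4f1db00-ca47-1067-b31e-00dd010662da Exchange Server STORE ADMIN Interface
ncacn_ip_tcp:192.168.254.52[5002]
UUID: a4f1db00-ca47-1067-b31e-00dd010662da Exchange Server STORE ADMIN Interface
ncacn_http:192.168.254.52[6001]
UUID: f5cc5a18-4264-101a-8c59-08002b2f8426 MS NT Directory NSP Interface
ncacn_ip_tcp:192.168.254.52[1026]
Total endpoints found: 3
"""

if __name__ == "__main__":
    for finding in check_static_ports(SAMPLE, EXPECTED):
        print(finding)
```

An interface reported on an unexpected port usually means the static mapping did not take effect, so clients behind the firewall will fail even though the service is running.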


Figure 20.11 Mail delivery location options

Another common problem occurs when a user uses a POP3 client to retrieve their messages. All of the messages in the Inbox will be downloaded to the POP3 client.

Troubleshooting Outlook Using Port Query

Microsoft has released a particularly useful troubleshooting utility called Port Query (PORTQRY.EXE); you can download this utility via Microsoft Knowledge Base article 310099, "Description of the Portqry.exe command-line utility." I briefly discussed the graphical version of this utility in Chapter 13, but I want to approach this from the perspective of troubleshooting Outlook clients. Knowledge Base article 310298, "How to Use Portqry.exe to Troubleshoot Microsoft Exchange Server Connectivity Issues," may also be useful when figuring out how to troubleshoot Exchange problems.

PORTQRY.EXE is frequently useful when confirming connectivity to specific port numbers. This can be useful for Outlook when you need to confirm that a particular Exchange server or domain controller is responding on the appropriate ports. To query all of the RPC endpoints on server KILAUEA, here is a sample command:

    portqry.exe -n kilauea -p tcp -e 135

This query will return a lot of RPC endpoints for various applications that are using RPCs. The following is a list of endpoints that are relevant to Exchange. I filtered out the other 200-something endpoints. You will see various RPC endpoints for the Information Store, but only the one labeled ncacn_ip_tcp is relevant on most networks. The service assigned to an endpoint is uniquely identified by a GUID such as a4f1db00-ca47-1067-b31e-00dd010662da.

    TCP port 135 (epmap service): LISTENING
    Querying Endpoint Mapper Database…
    Server’s response:
    UUID: a4f1db00-ca47-1067-b31e-00dd010662da Exchange Server STORE ADMIN Interface
    ncacn_ip_tcp:192.168.254.52[5002]
    UUID: a4f1db00-ca47-1067-b31e-00dd010662da Exchange Server STORE ADMIN Interface
    ncacn_http:192.168.254.52[6001]


(Prohibit Send), and exceed their send and receive limit (Mailbox Disabled). Once exported to a text file, you can then retrieve the file to Excel and manipulate the data as necessary, as shown in Figure 8.12. One good reason to keep a list of which mailboxes are located on each server and mailbox store is if a server or store is going to be offline for any length of time, you know who needs to be notified.

Figure 8.12 Exported mailbox list in Excel

Generating a Notice When Users Exceed Their Mailbox Limits

You can configure Exchange to automatically report to the Application event log the users who are exceeding mailbox store limits. To configure reporting of which mailboxes are being sent warning messages about their storage space, follow these steps:

1. Start Exchange System Manager.
2. Confirm that each mailbox store has a Warning Message Interval designated (on the Limits property page).
3. Under the Servers container, right-click the Exchange 2003 server you want to report on storage warnings, and then click Properties.
4. Click the Diagnostics Logging tab, open MSExchangeIS, and then click Mailbox.
5. Click Storage Limits, and then set the logging level to Maximum. Click OK.

Once this is completed, you will see the following event IDs in the Application log on the Exchange 2003 server you are monitoring:

- Event ID 1077 indicates which mailboxes exceed their storage warning limit.
- Event ID 1078 indicates which mailboxes exceed their prohibit send limit.
- Event ID 1218 indicates which mailboxes exceed their prohibit send and receive limit (mailbox disabled).


Bargain-Basement Reporting Tools

If your 1,000-user company has just sunk $100,000 into an Exchange Server 2003 e-mail system, it may not be anxious to spend much more money to give you some bells-and-whistles software to help you make the system run more smoothly. I'm betting this applies to most of the readers of this book. You may be saying, "Wait, $100,000 for 1,000 users! That is surely out of line." Actually, by the time you throw in Exchange software, Exchange client access licenses, antivirus software, hardware, and backup media, you may even exceed that amount. So naturally, with this type of investment, management may be curious as to how it is being used. And they are not always willing to fork over the dough so that it is easy for you to find out.

The next section includes some suggestions, tips, and tools for performing some basic monitoring and reporting of Exchange 2003 in addition to Monitoring and Status features or message tracking. Most of the suggestions in this section are things you can do with little or no additional investment.

Creating Mailbox Location Reports

I have had a few customers maintain and keep up-to-date information about the placement of resources such as mailboxes. Although I mentioned this in Chapter 4, "Understanding Exchange 2003 Data Storage," it bears repeating once again. You can easily export a list of mailboxes from each mailbox store. To do this, right-click on the Mailboxes container under the mailbox store, choose Export List, enter a filename, and choose the type of file you want to export. Although I prefer CSV files, I recommend exporting to a text (tab-delimited) format because the data fields may have commas in them. You can include the Storage Limits column by adding that column to the view (View > Add/Remove Columns). The Storage Limits column lets you see which users have no limits (No Checking), have not met their limits (Below Limit), exceed their warning limit (Issue Warning), exceed their send limit

Big Brother Is Watching You

Like many administrators in large, multiserver, multirouting group Exchange organizations, XYZ's Exchange administrators frequently used the Exchange message tracking feature to locate stalled messages or missing messages, determine connectors in use, and analyze Exchange usage. Even the help desk had been taught how to track messages when users reported problems.

In a departmental meeting, this feature was mentioned and immediately drew the ire of the company's security officer. The situation only went downhill from there as the security officer discovered that senior Exchange administrators could also open users' mailboxes if necessary. The security officer's concern was that the user community was not explicitly aware of these features and the fact that message tracking was regularly used by the IT department.

The director of IT ordered the use of message tracking halted until a notification could be sent to all users. From this minor brouhaha came the organization's first acceptable use policy, which included a section on the capabilities of the IT department and what could be monitored.

This is just one more example of organizations not clearly thinking through the political ramifications of some features they implement in their messaging system. Many of the organization's users that I work with would not care about someone tracking their messages, but in some organizations (military, health care, government, legal) this can be a sticky issue.


NOTE For some basic scripts that parse and report on data found in the message-tracking logs, visit www.swinc.com/resource/scripts.htm.

Table 8.1: Message-Tracking Log File Headings (continued)

Field | Explanation
Message-subject | The first 256 bytes of the message's subject is displayed, if subject display is enabled on the server that generated this log entry.
Sender-address | The SMTP, X.400, or distinguished name (DN) of the sender of the message. The DN is used if the user has been selected from the global address list. If you see a <>, this indicates that the message is a delivery status report.

Table 8.2: Common Message-Tracking Log Event IDs

Event ID | Explanation
1000 | Message is for local delivery.
1010 | Message is queued for SMTP outbound.
1019 | Message is submitted to Advanced Queuing Engine.
1023 | Message is designated for local delivery.
1020 | Message transfer outbound via SMTP begins.
1025 | Message processing begins.
1024 | Message is submitted to categorizer.
1028 | Message is delivered to local store by SMTP.
1027 | Message is submitted to SMTP by local store.
1031 | Message transfer outbound via SMTP is completed.

Should You Keep Old Message-Tracking Logs?

As stated earlier, the default time to keep old message-tracking logs is seven days, but this is configurable. On a server with a few thousand mailboxes, these logs may exceed 50MB per day, but they are text files and compress fairly well.

Should you keep these log files any longer than seven days? One of the nice features of having these logs is that you can import them into a third-party tool or run a script against them to do reports on the number of messages you are handling per day. Keeping log files (or at least keeping the data from the log files) can give you an idea of the number of messages you are processing per day and how your message use has grown over time.


USING MESSAGE-TRACKING LOGS 339 4. To view the

Table 8.1: Message-Tracking Log File Headings

Field | Explanation
Date | Date of the event adjusted for GMT.
Time | Time of the event adjusted for GMT.
Client-IP | If the message originated from SMTP, this is the IP address of the client. If the message is local, this field will contain a hyphen (-).
Client-hostname | If the message originated from SMTP, this is the host name of the SMTP client. If the message is local, this field will contain a hyphen.
Partner-name | The name of the messaging service that handed this message to the current component. This field may contain SMTP, X.400, STORE, IMAP4, or POP3, or the field may be blank.
Server-hostname | The host name of the server that requested that this log entry be made. This is usually the local server's host name.
Server-IP | The IP address of the server that requested that this log entry be made. This is usually the local server's IP address.
Recipient-address | The SMTP or X.400 address of the message recipient.
Event-ID | The number of the event corresponding to the type of action logged.
MSGID | The message's message ID.
Priority | The priority of the message. A priority of 0 is normal, 1 is high, and 5 is low.
Recipient-report-status | This value is used only for delivery reports. It indicates the result of an attempt to deliver a report to the recipient. A value of 0 indicates the message was delivered, and a value of 1 indicates it was not delivered.
Total-bytes | The size of the message in bytes.
Number-recipients | Total number of recipients in the message.
Origination-time | Time that the message originated in GMT. This value is blank for delivery recipients and NDRs.
Encryption | Specifies whether the message body is encrypted. A value of 0 indicates the message is not encrypted. A value of 1 indicates the message is signed. A value of 2 indicates the message is encrypted. If the message is encrypted, you cannot determine whether it is also signed.
Service-version | Version of the service making the log entry. You will see non-Exchange 2003 service versions making log entries here, such as the SMTP service.
Linked-MSGID | If there is a message ID generated by a different mail system (such as X.400), that message ID will be found here.
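The field list in Table 8.1 and the event IDs in Table 8.2 are enough to build the kind of per-day message report that the sidebar on keeping old logs describes. The following is an added example, not a script from the book or from the site it mentions: it assumes tab-delimited rows in the column order of Table 8.1, header lines starting with `#`, and that a message with several recipients may appear on several rows; the sample log (including its date format) is constructed.

```python
from collections import defaultdict

# Column order as listed in Table 8.1 (assumed to match the file layout).
FIELDS = [
    "Date", "Time", "Client-IP", "Client-hostname", "Partner-name",
    "Server-hostname", "Server-IP", "Recipient-address", "Event-ID", "MSGID",
    "Priority", "Recipient-report-status", "Total-bytes", "Number-recipients",
    "Origination-time", "Encryption", "Service-version", "Linked-MSGID",
    "Message-subject", "Sender-address",
]

# Event IDs from Table 8.2 that mark a finished delivery.
COUNTED = {"1028": "local", "1031": "outbound"}


def parse_tracking_log(text):
    """Yield one dict per data row; skip '#' header lines and truncated rows."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        cols = line.split("\t")
        if len(cols) < len(FIELDS):
            continue  # partial line, e.g. the file was copied while being written
        yield dict(zip(FIELDS, cols))


def daily_report(text):
    """Per day: unique messages delivered locally / sent outbound, bytes, DSNs."""
    seen = set()
    report = defaultdict(lambda: {"local": 0, "outbound": 0, "bytes": 0, "dsn": 0})
    for rec in parse_tracking_log(text):
        kind = COUNTED.get(rec["Event-ID"].strip())
        key = (rec["Date"], kind, rec["MSGID"])
        if kind is None or key in seen:
            continue  # other event, or another recipient row of a counted message
        seen.add(key)
        day = report[rec["Date"]]
        day[kind] += 1
        size = rec["Total-bytes"].strip()
        day["bytes"] += int(size) if size.isdigit() else 0
        if rec["Sender-address"].strip() == "<>":
            day["dsn"] += 1  # a "<>" sender marks a delivery status report
    return dict(report)


def _row(date, event, msgid, rcpt, size, sender):
    """Build one constructed sample row in FIELDS order."""
    return "\t".join([date, "12:0:0 GMT", "-", "-", "SMTP", "mail1", "192.0.2.10",
                      rcpt, event, msgid, "0", "0", str(size), "1", "-", "0",
                      "-", "-", "-", sender])


# Constructed sample log (not real data).
SAMPLE = "\n".join([
    "# Message Tracking Log File",
    _row("2004-3-15", "1028", "<A@example.com>", "alice@example.com", 2048, "bob@example.net"),
    _row("2004-3-15", "1028", "<A@example.com>", "carol@example.com", 2048, "bob@example.net"),
    _row("2004-3-15", "1019", "<B@example.com>", "dave@example.org", 10000, "alice@example.com"),
    _row("2004-3-15", "1031", "<B@example.com>", "dave@example.org", 10000, "alice@example.com"),
    _row("2004-3-16", "1028", "<C@example.com>", "alice@example.com", 512, "<>"),
    "2004-3-16\t12:0:0 GMT\t-",  # truncated row, ignored by the parser
])

if __name__ == "__main__":
    for date, stats in sorted(daily_report(SAMPLE).items()):
        print(date, stats)
```

Storing only these daily totals keeps the growth history after the seven-day logs are purged, without retaining sender, recipient, or subject data.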
