Lesson 1: Performing Daily Exchange Server 2003 Monitoring and Maintenance



After this lesson, you will be able to

  • List the monitoring tasks that need to be performed daily

  • Explain the guidelines for checking logs

  • Explain the guidelines for monitoring services and cluster resources

  • Examine and interpret Exchange store statistics

  • Monitor Event Viewer entries for potential problems

  • Check Monitoring And Status in Exchange System Manager

  • Monitor queues by using Queue Viewer

Estimated lesson time: 90 minutes


Daily Monitoring Tasks

You need to monitor critical Exchange Server 2003 server services on a daily basis to ensure they are running properly. Daily monitoring should identify problems before they have an impact on your users. Monitoring also helps you to identify trends that indicate future problems and allow you to plan for future growth. Both Windows Server 2003 and Exchange Server 2003 provide utilities, such as Event Viewer, System Monitor, and Exchange System Manager, that monitor and analyze server components and Exchange Server 2003 server performance.

Maintenance tasks that you should perform on a daily basis include the following:

  • Monitor Event Viewer for error and warning events.

  • Check connector status and Exchange Server 2003 server status.

  • Use Queue Viewer to view the message load on your Exchange Server 2003 servers.

  • Review the logs generated by Event Viewer, the Performance console, virtual servers, and your antivirus product.

  • Check the available disk space on volumes that store Exchange Server 2003 logs and databases.

  • Monitor the required services for Exchange Server 2003 and Windows Server 2003.

  • Use the Windows Performance console to monitor Windows Server 2003 server and Exchange Server 2003 server performance.

  • Use Cluster Administrator to monitor failovers.

  • Use Active Directory Sites And Services to verify replication.

  • Use Exchange System Manager to examine Exchange Server 2003 store statistics.

Checking Logs

Much of the monitoring you perform on a daily basis is based on logs generated by the various logging tools, such as Event Viewer. Before looking at the specific tools, review some of the general guidelines for checking logs.

If you know what log content is typical in your environment, you can identify potential errors or anomalies to which you must respond immediately. In addition to checking event logs, performance logs, antivirus logs, and protocol logs daily, you should also archive logs so you can review them to obtain historical data and to identify trends that will require future action.

Event Viewer logs provide you with information about service failures, Active Directory replication errors, and warnings when system resources such as virtual memory or available disk space are running low. You should review Windows event logs daily because both Exchange Server 2003 and Windows Server 2003 report warning and error conditions to event logs. For example, if a volume has 10 percent or less disk space available, Windows Server 2003 reports this as "Event ID 2013: The disk is at or near capacity. You may be required to delete some files."

You can use system management utilities, such as the Performance console, to monitor the performance and capacity of your Exchange Server 2003 servers. You should configure these utilities to issue alerts when performance and capacity measurements fall outside normal operating parameters. You can, for instance, enable an alert if there is excessive memory paging or processor use. You also need to capture performance data to establish a performance baseline, and use the baseline for comparison against daily monitoring results in order to identify trends.

Caution

You can also configure the Performance Logs And Alerts tool to alert you when the usage of a physical disk or logical disk volume reaches a predefined percentage of total capacity. However, Microsoft recommends that you do not enable disk counters unless you have a very good reason for doing so. Disk counters use a significant amount of resource and can degrade performance. They are disabled by default and must be enabled using the Diskperf.exe utility. This having been said, some experienced administrators do enable these counters, believing that the performance loss is more than counterbalanced by the ability to continuously and automatically monitor disk usage.

Antivirus logs tell you when the last virus scan was performed, what was scanned, and what the results were. Review this information to ensure that the antivirus product is working correctly. If your log file indicates that a virus exists that cannot be removed, search the Web site of your antivirus vendor for a possible solution. In this case, you should also review the frequency with which you download virus signature files and security updates.

Simple Mail Transfer Protocol (SMTP), Network News Transfer Protocol (NNTP), and Hypertext Transfer Protocol (HTTP) virtual servers generate logging information that tracks the commands the virtual server receives from client computers. You can, for example, view the client computer's IP address and domain name, the date and time of the message, and the number of bytes, for each message sent. You should use these log files to identify unusual activities, such as messages with suspicious attachments. If you identify unusual activity, you should review your security settings to prevent undesirable mail from being delivered to your server.
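The protocol log review described above, as an added example that is not part of the original lesson: it parses a virtual server log and summarizes each client's commands, bytes, and rejected commands so that outliers stand out. It assumes the log uses the W3C Extended Log File Format with the `c-ip`, `cs-method`, `sc-status` and `cs-bytes` fields enabled and that `sc-status` carries the SMTP reply code; the sample lines, addresses and thresholds are constructed.

```python
from collections import defaultdict

# Constructed sample log. Addresses come from documentation ranges, and the
# field selection is an assumption about which fields logging records.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2003-10-01 09:00:00
#Fields: date time c-ip cs-method sc-status cs-bytes
2003-10-01 09:00:01 192.0.2.10 EHLO 250 21
2003-10-01 09:00:01 192.0.2.10 MAIL 250 34
2003-10-01 09:00:02 192.0.2.10 RCPT 250 30
2003-10-01 09:00:02 192.0.2.10 DATA 250 2048
2003-10-01 09:00:03 192.0.2.10 QUIT 221 4
2003-10-01 09:05:10 198.51.100.7 EHLO 250 20
2003-10-01 09:05:10 198.51.100.7 MAIL 250 30
2003-10-01 09:05:11 198.51.100.7 RCPT 550 33
2003-10-01 09:05:11 198.51.100.7 RCPT 550 33
2003-10-01 09:05:12 198.51.100.7 RCPT 550 33
2003-10-01 09:05:12 198.51.100.7 RCPT 550 33
2003-10-01 09:05:13 198.51.100.7 QUIT 221 4
2003-10-01 09:20:00 203.0.113.50 EHLO 250 22
2003-10-01 09:20:00 203.0.113.50 MAIL 250 31
2003-10-01 09:20:01 203.0.113.50 RCPT 250 29
2003-10-01 09:20:09 203.0.113.50 DATA 250 5242880
2003-10-01 09:20:10 203.0.113.50 QUIT 221 4
2003-10-01 09:20:11 203.0.113.50 DATA
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the latest #Fields directive."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # no field list yet, or a truncated record
        yield dict(zip(fields, values))


def to_int(value):
    """W3C logs write '-' for an empty field; treat that as zero."""
    return int(value) if value.isdigit() else 0


def summarize(records):
    """Aggregate commands, bytes received and 5xx replies per client IP."""
    clients = defaultdict(lambda: {"commands": 0, "bytes": 0, "rejected": 0,
                                   "first": None, "last": None})
    for rec in records:
        entry = clients[rec.get("c-ip", "-")]
        stamp = rec.get("date", "-") + " " + rec.get("time", "-")
        entry["commands"] += 1
        entry["bytes"] += to_int(rec.get("cs-bytes", "-"))
        if to_int(rec.get("sc-status", "-")) >= 500:  # permanent failure reply
            entry["rejected"] += 1
        entry["first"] = entry["first"] or stamp
        entry["last"] = stamp
    return dict(clients)


def unusual_clients(summary, max_bytes=1_000_000, max_rejected=3):
    """Return {client IP: [reasons]} for clients outside the given limits."""
    flagged = {}
    for ip, entry in summary.items():
        reasons = []
        if entry["bytes"] > max_bytes:
            reasons.append("volume")
        if entry["rejected"] >= max_rejected:
            reasons.append("rejections")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    report = summarize(parse_w3c(SAMPLE_LOG))
    for ip, reasons in unusual_clients(report).items():
        print(ip, reasons, report[ip])
```

The limits are placeholders; set them from what your own archived logs show as typical for the server.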

Monitoring Services and Resources

Exchange Server 2003 server performance degradation can result from service failures, insufficient system resources, network performance problems, and server performance problems. If you are using clustering, then cluster problems can also degrade performance. You need to monitor your servers, your network services, and your network daily to ensure that Exchange Server 2003 is performing as expected. If you are using clusters, then you also need to use the Cluster Administrator tool on a regular basis. Because clusters provide failover support, it is sometimes not immediately obvious when a cluster node fails.

Network Performance

If the network is slow, then your Exchange organization is slow. You can verify the performance by using Network Monitor to capture, display, and analyze network traffic. You can also use Network Monitor to locate client-to-server connection problems, to find a computer that makes a disproportionate number of work requests, and to identify unauthorized users on your network.

Note

The version of Network Monitor supplied with Windows Server 2003 captures only network traffic into and out of the machine on which it is installed. If you want to capture frames that are sent between remote computers, then you must use the Network Monitor component that ships with Microsoft Systems Management Server (SMS).

Server Performance

If Windows Server 2003 is not performing properly, then an Exchange Server 2003 server experiences performance problems. You can obtain information about programs and processes running on your computer by using Task Manager. You can use Task Manager, for example, to identify a process that consumes too much CPU or memory resource and to view pagefile and memory usage. This information helps you determine whether applications running on your Exchange Server 2003 server should be moved to another server or upgraded, or whether you must tune system resources or perform system upgrades.

The Performance console contains two utilities: System Monitor and Performance Logs And Alerts. Both utilities monitor performance counters. You can monitor hardware counters and Exchange counters to determine whether performance bottlenecks exist, to identify trends, and to plan for upgrades.

Windows Services

Incorrect configuration of Windows services also degrades Exchange Server 2003 server performance. The first indication you get about this problem is typically through Event Viewer. If you receive such an indication, you may need to verify or modify the configuration of the relevant service.

You should monitor Active Directory performance daily because Active Directory configuration has an immediate impact upon the performance of an Exchange organization. Monitoring Active Directory indicators lets you identify trends before actual problems occur. For example, a slow response during the authentication of client computers or the slow appearance of newly configured objects in Exchange Server 2003 indicates problems with the Active Directory directory service. You can use the Active Directory Sites And Services console to review your Active Directory configuration.

You also need to monitor Domain Name System (DNS) indicators regularly. Exchange Server 2003 depends on DNS for name resolution. If you see DNS errors in Event Viewer, or if you experience communication problems between your Exchange Server 2003 servers, then you should review your DNS settings. You can use the DNS Management console to ensure that address records exist for your domain controllers and global catalog servers, and that Host (A) and Mail Exchanger (MX) records exist for your Exchange Server 2003 servers.

The Internet Information Services (IIS) service provides access to Exchange Server 2003 servers through HTTP. You should monitor the IIS performance indicators daily. If performance problems are detected, you should review your default Web site configuration.

Cluster Resources

You should use Cluster Administrator daily to monitor Exchange Server 2003 server clusters for failovers. Such monitoring is particularly important in an active/active cluster during a failover to ensure that enough resources are available to provide your users with the same level of performance that they experienced before the failover.

When you deploy Exchange Server 2003 server clusters, you should monitor virtual memory counters daily to determine when an Exchange virtual server must be restarted due to memory fragmentation. When the Microsoft Exchange Information Store (IS) service logs Event ID 9582, this can indicate that memory has become excessively fragmented.

Exchange Store Statistics

Exchange Server 2003 servers need free disk space to store and manipulate user databases and transaction logs and to run maintenance utilities. If you monitor Exchange store statistics daily, you can determine when free disk space is running low and take the appropriate action. You may need to add extra resources, but sometimes running a full backup and truncating the transaction log files will solve the problem. Event ID 1113 in the application event log indicates that an Exchange Server 2003 server is short of disk space.

You should use Windows Explorer daily to check the available free space. You can compare the available disk space on each of the Exchange Server 2003 server disk volumes with the expected rate of growth that you predict for your databases and transaction log files to determine when you will need additional disk resources. If you decide to enable the disk counters, you can also use System Monitor to check disk usage.

You also need to ensure that sufficient free disk space exists to run maintenance utilities by viewing the statistics for each of the Exchange databases and comparing these statistics with the available free space. As a general rule, available free disk space on a single drive must be equal to or greater than 110 percent of the size of the largest database.
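The free-space checks described above, as an added example that is not part of the original lesson: it applies the 110 percent rule and the 10 percent low-space condition to a volume, then simulates the predicted growth day by day to estimate when the volume will first fail either check. It assumes the rule is applied per volume to the databases stored on that volume and that growth is linear; the volume names, sizes and growth rates are constructed.

```python
from dataclasses import dataclass

MAINTENANCE_PERCENT = 110  # free space must be >= 110% of the largest database
LOW_SPACE_PERCENT = 10     # Windows reports Event ID 2013 at 10% free or less


@dataclass
class Volume:
    name: str
    capacity_mb: int
    free_mb: int
    databases: dict             # database name -> current size in MB
    daily_growth_mb: dict       # database name -> predicted growth in MB per day
    daily_log_growth_mb: int = 0  # net transaction log growth on this volume


def check_volume(vol):
    """Apply the lesson's two free-space conditions to one volume."""
    largest = max(vol.databases.values(), default=0)
    required = -(-MAINTENANCE_PERCENT * largest // 100)  # rounded up
    return {
        "required_free_mb": required,
        "maintenance_ok": vol.free_mb >= required,
        "low_space": vol.free_mb * 100 <= LOW_SPACE_PERCENT * vol.capacity_mb,
    }


def days_until_short(vol, horizon_days=365):
    """Return the first day on which either check fails, or None if the
    volume stays healthy for the whole horizon. Day 0 is today."""
    sizes = dict(vol.databases)
    free = vol.free_mb
    for day in range(horizon_days + 1):
        state = Volume(vol.name, vol.capacity_mb, free, sizes, vol.daily_growth_mb)
        result = check_volume(state)
        if result["low_space"] or not result["maintenance_ok"]:
            return day
        # Every database grows, and each megabyte it gains is lost from free space.
        for name in sizes:
            grown = vol.daily_growth_mb.get(name, 0)
            sizes[name] += grown
            free -= grown
        free -= vol.daily_log_growth_mb
    return None


# Constructed sample figures; take real sizes from Exchange System Manager
# and real free space from Windows Explorer.
VOLUME_E = Volume(
    name="E:",
    capacity_mb=100_000,
    free_mb=30_000,
    databases={"Mailbox Store": 20_000, "Public Folder Store": 8_000},
    daily_growth_mb={"Mailbox Store": 100, "Public Folder Store": 20},
    daily_log_growth_mb=10,
)
VOLUME_F = Volume(
    name="F:",
    capacity_mb=50_000,
    free_mb=4_000,
    databases={"Archive Store": 3_000},
    daily_growth_mb={},
)

if __name__ == "__main__":
    for volume in (VOLUME_E, VOLUME_F):
        print(volume.name, check_volume(volume), days_until_short(volume))
```

Volume E passes both checks today but fails the 110 percent rule after 34 days of growth, because the largest database grows while free space shrinks. Volume F has room for maintenance but is already at the low-space condition.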

Using Exchange System Manager, you can obtain additional information about the Exchange stores. Expanding a mailbox or public folder store lets you view the logged-on users. This functionality is useful if you need to perform maintenance and have to request connected users to close their mailboxes.

You can also use Exchange System Manager to view the size of individual mailboxes and identify the users who are consuming the most resources. You can obtain indexing statistics by viewing the index state, number of documents indexed, index size, last build time, index name, and index location. Finally, you can determine the size of individual public folders, the last time a folder was accessed, and the last time a replica was received. Figure 13-1 shows access and logon statistics for a public folder store.

Figure 13-1: Public folder access and logon statistics

Real World: Removing a Public Folder

If you suggest removing a public folder to free disk resources, there will inevitably be someone who objects. Knowing the last time the folder was accessed can provide powerful support to your argument.


Event Viewer

Event Viewer is a Windows utility that you can use to monitor hardware and software activities. Exchange Server 2003 uses the application log in Event Viewer to record errors, warnings, and information events. You can review the data in the application log to identify problems that have occurred and to anticipate problems before they occur. For example, a corrupt database will log errors in Event Viewer during online maintenance and online backups. By monitoring Event Viewer, you can identify a corrupt database and repair it before the symptoms of the fault impinge on your users.

You need to distinguish between Event Viewer entries that indicate normal behavior for the Exchange Server 2003 server and events that indicate a problem. By reviewing the event logs daily, you can establish a baseline of typical events that will save you time in identifying the events that need your attention.

Normal Events

Table 13-1 lists some of the events you might see during normal operation. Such events are logged as information events. Figure 13-2 shows an Event Viewer event report.

Figure 13-2: An Event Viewer event report

Table 13-1: Normal Exchange Server 2003 Events

| Event number | Indication |
|---|---|
| 700 and 701 | Online defragmentation is beginning or has completed a full pass. |
| 1206 and 1207 | Starting cleanup of items past retention date for item recovery, or cleanup is complete. |
| 1221 | The database "…." has x megabytes of free space after online defragmentation has terminated. |
| 9531 and 9535 | Starting cleanup of deleted mailboxes that are past the retention date, or cleanup is complete. |

Abnormal Events

Table 13-2 lists some of the events you might see if Exchange Server 2003 is experiencing problems. Such events are logged as warning or error events.

Table 13-2: Exchange Server 2003 Error or Warning Events

| Event number | Indication |
|---|---|
| 2064 and 2069 | Directory service access problems caused by incorrect DNS configuration. |
| 9582 | Virtual memory is low or fragmented. |
| 1018, 1018, and 1022 | Joint Engine Technology (JET) error events that indicate possible file-level damage to an Exchange database. |

You can select an event source in Event Viewer to monitor events related to specific functions. You should monitor the following on a regular basis:

  • MSExchangeTransport: Select this event source to view events recorded when SMTP is used to route messages. Event ID 4000 indicates that a connection has failed for a reason other than a specific protocol error. DNS problems, the server not being online, and connections that are dropped when the server is overloaded or hits internal errors can also cause connection failures.

  • MSExchangeAL: Select this event source to view events related to the service that addresses e-mail through address lists. Event ID 8026 indicates problems with network connectivity or Lightweight Directory Access Protocol (LDAP) configuration.

  • MSExchangeIS: Select this event source to view events related to the service that allows access to mailbox and public folder stores. Event ID 9518 indicates a failure while starting an Exchange storage group—for example, if all databases in a storage group are offline or if an Extensible Storage Engine (ESE) error occurred while starting a database within a storage group.

  • MSExchangeSA: Select this event source to view events that are recorded when Exchange uses Active Directory to store and share directory information.
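The daily application log review described in this section, as an added example that is not part of the original lesson: it sorts a day's events into known problems, routine events, and events that are neither in the lesson's tables nor in your own baseline of typical events. The export layout, the sample rows, the baseline, and event IDs 5000 and 5001 are constructed; the tables give no event source, so those IDs are matched on the number alone.

```python
import csv
import io
from collections import Counter

# Event IDs the lesson lists as normal operation (Table 13-1).
NORMAL_IDS = {700, 701, 1206, 1207, 1221, 9531, 9535}

# Event IDs the lesson ties to problems. The tables name no event source,
# so these match on ID alone; an ID is only unique within its source.
PROBLEM_IDS = {
    2064: "directory service access problem, check DNS configuration",
    2069: "directory service access problem, check DNS configuration",
    9582: "virtual memory is low or fragmented",
    1018: "JET error, possible file-level database damage",
    1022: "JET error, possible file-level database damage",
    1113: "server is short of disk space",
}

# Source-specific events named in the lesson's event-source list.
SOURCE_PROBLEMS = {
    ("MSExchangeTransport", 4000): "SMTP connection failed",
    ("MSExchangeAL", 8026): "network connectivity or LDAP configuration problem",
    ("MSExchangeIS", 9518): "failure while starting a storage group",
}

# Constructed sample export with an assumed column layout. Event IDs 5000
# and 5001 are placeholders with no real meaning.
SAMPLE_EXPORT = """\
type,source,event_id
Information,ESE,700
Information,ESE,701
Information,MSExchangeIS Mailbox Store,1221
Error,MSExchangeTransport,4000
Error,MSExchangeTransport,4000
Warning,MSExchangeIS,9582
Warning,MSExchangeSA,5000
Error,MSExchangeAL,5001
"""

# (source, event ID) pairs already reviewed and accepted as typical here.
BASELINE = {("MSExchangeSA", 5000)}


def load_events(text):
    """Read the export into (type, source, event ID) tuples."""
    rows = csv.DictReader(io.StringIO(text))
    return [(r["type"], r["source"], int(r["event_id"])) for r in rows]


def triage(events, baseline):
    """Group events into problem, unfamiliar and routine, with counts."""
    report = {"problem": [], "unfamiliar": [], "routine": []}
    for (etype, source, eid), count in sorted(Counter(events).items()):
        note = SOURCE_PROBLEMS.get((source, eid)) or PROBLEM_IDS.get(eid)
        if note:
            report["problem"].append((source, eid, count, note))
        elif (etype == "Information" and eid in NORMAL_IDS) or (source, eid) in baseline:
            report["routine"].append((source, eid, count))
        else:
            # Not in the lesson's tables and not in the baseline: review it,
            # then either act on it or add it to the baseline.
            report["unfamiliar"].append((source, eid, count, etype))
    return report


if __name__ == "__main__":
    for category, rows in triage(load_events(SAMPLE_EXPORT), BASELINE).items():
        print(category)
        for row in rows:
            print("   ", row)
```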

If you identify potential problems with your Exchange Server 2003 server during your daily monitoring, you can control the amount of information logged in the application log by increasing the logging level. The higher you set the logging level, the more events you can view in the application log. This can help you diagnose the problem.

You can open the application log in Event Viewer, access Event Source, and select an Exchange-related event source. You can configure diagnostic logging to set Event Viewer's logging level. This is done in Exchange System Manager rather than in Event Viewer itself. On the Diagnostics Logging tab of the Server Properties dialog box, you can configure the logging level for each service and category for which you want to configure diagnostic logging. Be aware that if you increase the logging levels for Exchange services, you may experience some performance degradation.

Tip

If you increase the logging levels on your Exchange server, also increase the size of the application log to contain all the data produced. Otherwise, you will receive frequent reminders that the application log is full.

The Monitoring And Status Utility

The Monitoring And Status utility provided as part of Exchange System Manager monitors key Exchange Server 2003 services by default. In addition, you can configure the utility to constantly monitor the performance level of other network and application services. You should use the Monitoring And Status utility daily to monitor the status of your servers and connectors and to determine if they are functioning properly.

You can use the Status column in Monitoring And Status to determine whether any service failures exist, whether system resources are running low, or whether messages are not flowing. Table 13-3 describes what each server status level indicates.

Table 13-3: Server Status Levels

| Server status | What it indicates |
|---|---|
| Unreachable | One of the main services on the server is down or, if a server is in a different routing group, a connector between routing groups may be down or may not exist. |
| Unknown | System Attendant cannot communicate with the local server. |
| Critical or Warning | A monitored resource has reached the critical or warning state defined for that resource. |
| Unavailable | A communication service, such as the routing service, is not functioning on this connector. |

Queue Viewer

You can use the Queue Viewer utility in Exchange System Manager to maintain and administer messaging queues in your Exchange organization. In Queue Viewer, the following queues can be displayed from either a local or a remote computer:

  • An SMTP virtual server queue

  • A Microsoft message transfer agent (MTA) object queue

  • A connector queue

  • DNS messages pending submission

  • A failed message retry queue

  • Messages queued for deferred delivery

As shown in Figure 13-3, the Queue Viewer utility provides the Disable Outbound Mail, Settings, and Find Messages options. There is also a pane (blank in the figure) for displaying additional queue information. You can monitor queues on a daily basis, and the utility is also used to identify problems that require on-demand maintenance.

Figure 13-3: The Queue Viewer utility

Disable Outbound Mail

You can use the Disable Outbound Mail option to disable outbound mail on all SMTP queues. You may need to do this if, for example, a virus is active in your organization. The option does not disable the MTA or System queues.

If you want to prevent outbound mail from transmitting from a particular remote queue, then you can freeze the messages in that queue instead of disabling all SMTP queues. To do this, right-click the queue and then click Freeze. Right-click the queue and then click Unfreeze to unfreeze the messages.

Settings

You can use the Settings option to determine the frequency with which the queues are refreshed. The default refresh rate is once every two minutes. You can set the refresh rate to once every minute, every five minutes, every 10 minutes, or to Never Refresh. If you are trying to resolve a delivery problem, you may want to set the refresh interval to a small value, such as one minute, so that you can see changes to the queues sooner.

Find Messages

You can use the Find Messages option to display messages in the queue or to search for messages by specifying search criteria, such as the sender or recipient and the message state. You could, for example, search for all frozen messages. You can also specify the number of messages that you want your search to return. You can use this option if you are searching for a particular message or if you want to list the messages in the queues to see when the oldest message was submitted.

Additional Queue Information

You can use the Additional Queue Information option to view troubleshooting information about a particular queue. It also displays information about errors returned from Exchange-specific extensions to the SMTP service and indicates when a queue is unavailable—for example, when a service is not started.

Using Queue Viewer to Find Potential Problems

Exchange Server 2003 uses queues to hold messages while they are being processed for routing and delivery. If messages remain in a queue for an extended period, a problem may exist, such as an Exchange server not being able to connect to the network. It is therefore your responsibility as an Exchange Full Administrator to monitor Exchange queues daily.

You should first list messages in a queue by selecting the queue and by using the Find Messages feature. You can use Queue Viewer to determine if a problem exists with that queue. You can then review the State column in your search results to see which state the queue is in. Table 13-4 lists the message states.

Table 13-4: Message States in Queue Viewer

| Message State | Description |
|---|---|
| Active | Indicates that a link queue has an active connection. No action is required. |
| Ready | Indicates that a link queue is ready to have a connection allocated to it. No action is required. |
| Retry | Indicates that a connection attempt has failed and that the server is waiting for a retry. You should review the State column again after a short period of time to ensure that this state has changed. If the message is still in the Retry state, then you need to identify the problem that is preventing the queue from delivering messages. |
| Scheduled | Indicates that the queue is waiting for a scheduled connection attempt. No action is required. |
| Remote | Indicates that the queue is waiting for a remote dequeue command. No action is required. |
| Frozen | Indicates that no messages can leave the link queue. Messages can be inserted in the queue if the Exchange routing categorizer is still running. If you have frozen the queue for a particular reason, such as during a virus attack, you need to unfreeze the queue when the virus problem is resolved. |

You then need to review the Number Of Messages and Total Message Size (KB) columns to see if a large number of messages are backed up in the queue or if the message size of any message is too large for your Exchange organization. If a large number of messages are backed up in the queue, you can force a connection by right-clicking the queue and clicking Force Connection. If you have an extremely large message that is preventing other messages from being delivered, you should consider deleting the message.

You can also use the Find Messages feature to locate a specific message in the message queues. Typically, you look for a message in a queue if a user reports that he or she sent an important message that was not received. In this case, you can use the Search Results pane to view information about the messages located in the queue, such as whether the message is in the Retry state, what the size of the message is, what time the message was submitted, and at what time the message will expire. This information will help you to identify potential or current problems.

Practice: Configuring Diagnostic Levels and the Monitoring And Status Utility

You can control the events that are recorded in the application log of Event Viewer by changing the diagnostic logging level and by specifying events using the Monitoring And Status utility.

Exercise 1: Configure Diagnostic Logging

In this exercise, you check Event Viewer to determine whether any Exchange errors exist. You then change the diagnostic logging level and inspect the more detailed information that results from this configuration change. To view the application log and configure diagnostic logging, perform the following steps:

  1. On Server01, from the Start menu, point to Administrative Tools, and then click Event Viewer.

  2. In Event Viewer, in the console tree, click Application.

  3. In the details pane, browse through the events, paying particular attention to any red stop events and yellow warning events.

  4. Minimize the Event Viewer window.

  5. Start Exchange System Manager.

  6. Navigate to Administrative Groups\First Administrative Group\Servers. Right-click Server01, and then click Properties.

  7. Select the Diagnostics Logging tab.

  8. On the Diagnostics Logging tab, under Services, expand MSExchangeIS, and then click Mailbox.

  9. Under Category, click General.

  10. In the Logging Level box, select Maximum, as shown in Figure 13-4, and then click OK.

    Figure 13-4: Setting a diagnostic logging level

  11. Expand the Event Viewer window (or open Event Viewer if you closed it earlier).

  12. On the View menu in Event Viewer, click Filter. This lets you filter the log and list entries for a specific type of Exchange-related event.

  13. In the Application Properties dialog box, in the Event Source drop-down list, click MSExchangeIS Mailbox Store, as shown in Figure 13-5.

    Figure 13-5: Selecting an event source

  14. In the Application Properties dialog box, in the Category drop-down list, click General, and then click OK. You should see a list of events similar to those shown in Figure 13-6.

    Figure 13-6: MSExchangeIS mailbox store events at maximum diagnostic logging level

  15. On the View menu, click All Records to view all events, and then close Event Viewer.

  16. In Exchange System Manager, right-click Server01, and then click Properties.

  17. Select the Diagnostics Logging tab.

  18. Under Services, expand MSExchangeIS, and then click Mailbox.

  19. Under Categories, click General.

  20. In the Logging Level drop-down list, select None, and then click OK.

Exercise 2: Specify Events to Monitor

In this exercise, you use the Monitoring And Status utility in Exchange System Manager to configure monitoring levels for key services and resources on an Exchange Server 2003 server.

  1. Start Exchange System Manager.

  2. Expand Tools, expand Monitoring And Status, and then click Status.

  3. Check the details pane to determine whether Server01 or any of the listed connectors have a status of Unreachable, Unknown, Critical, Warning, or Unavailable.

  4. Double-click Server01.

  5. Click Add on the Monitoring tab.

    Note

    You can access the same control by navigating to Administrative Groups/First Administrative Group/Servers/Server01, right-clicking Server01, clicking Properties, and then selecting the Monitoring tab.

  6. In the Add Resource box, click Available Virtual Memory, and then click OK.

  7. Specify virtual memory thresholds, as shown in Figure 13-7, and then click OK.


    Figure 13-7: Specifying the virtual memory threshold levels

  8. Click Add on the Monitoring tab.

  9. In the Add Resource box, click CPU Utilization, and then click OK.

  10. Specify CPU utilization thresholds, as shown in Figure 13-8, and then click OK.


    Figure 13-8: Specifying CPU utilization threshold levels

  11. Repeat the same procedure to specify free disk space thresholds. If you have more than one disk volume, you can repeat the procedure for each of them.

  12. Specify SMTP queues growth and X.400 growth thresholds.

  13. Click Add, then click Windows 2000 Service, and then click OK.

    Off the Record

    Currently, this says "Windows 2000 Service" rather than "Windows 2003 Service."

  14. In the Services dialog box, in the pull-down menu next to When Service Is Not Running Change State To, select Critical, and then click Add.

  15. Select Microsoft Exchange Information Store, and then click OK.

  16. In the Name box, in the Services dialog box, type Information Store, and then click OK.

  17. Your Server01 Properties dialog box should look similar to Figure 13-9. When the limits that you specified are exceeded, events will be written to the application log in Event Viewer.

    Figure 13-9: Configuring events to be monitored

  18. Click OK to close the Properties dialog box.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson materials and then try the question again. You can find answers to the questions in the "Questions and Answers" section at the end of this chapter.

  1. A user reports that she sent important information to a colleague some time ago, but the message has not been received. A non-delivery report (NDR) has not been returned to the sender. What tool do you use to investigate, and what message parameters should you look at?

  2. You want to monitor free disk space on an Exchange Server 2003 server and obtain a notification if this drops below a threshold value. You use the Monitoring And Status utility in Exchange System Manager to configure the free disk space monitoring level. Where would you look for notification that free disk space has dropped below the threshold level?

    1. In your Inbox

    2. In the system log in Event Viewer

    3. On the Monitoring tab of the Server Properties dialog box in Exchange System Manager

    4. In the application log in Event Viewer

  3. You want to view events recorded when SMTP is used to route messages. Which event source should you monitor in Event Viewer?

    1. MSExchangeTransport

    2. MSExchangeAL

    3. MSExchangeIS

    4. MSExchangeSA

Lesson Summary

  • You should review the following on a daily basis: the message load on your Exchange Server 2003 servers, the logs generated by Event Viewer, the Performance console, virtual servers, and your antivirus product. You should also check the available disk space on volumes that store Exchange logs and databases.

  • Events related to Exchange Server 2003 server operation are recorded in the application log in Event Viewer. You can use the diagnostic logging function in Exchange System Manager to configure the detail of events that are logged.

  • You can use the Monitoring And Status utility in Exchange System Manager to monitor Exchange Server 2003 services, and Queue Viewer to monitor queues and get details of messages in these queues.

  • If you use Windows clustering, you should use Cluster Administrator daily to monitor Exchange Server 2003 server clusters for failovers. You use the Active Directory Sites And Services tool to monitor Active Directory replication.




MCSA/MCSE Self-Paced Training Kit (Exam 70-284): Implementing and Managing Microsoft® Exchange Server 2003 (Pro-Certification)
ISBN: 0735618992
EAN: 2147483647
Year: 2003
Pages: 221
