In times of trouble Exchange provides additional logging options that can help you diagnose special problems. The Event Viewer typically shows critical problems related to various Exchange system services but sometimes the information provided is simply not enough or you might have a problem but nothing out of the ordinary is logged in neither the Application nor the System logs.
The diagnostic logging options are available on the server object “Diagnostics Logging” property page in Exchange System Manager.
To effectively use logging options one must know what the various components of Exchange are. My experience shows that turning up the logging even to the Minimum setting can easily flood the Event Viewer application log. Therefore, it is best to know which component of Exchange needs tending to.
Exchange Components Architecture
IMAP4Svc – The IMAP4 protocol is not widely used with Exchange though some places that have non-Microsoft machines (such as UNIX) use IMAP4 to store their mail on Exchange. Basically it allows similar functionality as regular Outlook MAPI protocol, minus Calendaring, Contacts and Tasks.
MSExchangeAL – This component deals with creation of Exchange address lists and adding attributes to users and groups in Active Directory. Logging this service is useful if you notice that new users are not being stamped with e-mail addresses or added to the Exchange address lists.
MSExchangeDSAccess – The directory Exchange uses is Active Directory. What this component is logging is actually Exchange calls to Active Directory using the LDAP protocol. Active Directory stores all of the Exchange configuration information regarding components such as connectors, Administrative Groups, Routing Groups and the like so this is a good place to look if you have configuration problems.
MSExchangeIS – This is a major category that includes Exchange mailboxes and public folders including the system folders which have their own sub-category. Some of the options here can be used to audit events, that is log events that do not indicate errors but are can be useful for tracking and gathering statistics.
MSExchangeMTA – This legacy component was extremely important in Exchange 5.5. All message transfer activities went through this component, including internal traffic from connectors and other Exchange servers and Internet E-mail. Since Exchange 2000 now is mostly SMTP based, The MTA is used to transfer messages to Exchange 5.5 servers in the organization, to some connectors and for moving mailboxes between servers. See http://support.microsoft.com/default.aspx?scid=kb;en-us;q163033 for more information.
MSExchangeMU – The Metabase Update component is responsible for communications with the IIS Metabase where some of the Exchange Internet protocols are stored. The origin of most of the information comes from Active Directory and the Exchange installation. Logging this component can be useful if you suspect a Metabase corruption or permissions have been altered.
MSExchangeSA – Exchange components that communicate with Global Catalog servers to provide management and communication services that are MAPI based.
NSPI is the service that Global Catalog servers use to refer Outlook clients to their appropriate server when defining Outlook profiles.
RFR is the opposite service to NSPI, referring Outlook clients trying to connect to Exchange 2000 servers to a Global Catalog server holding the Exchange directory information. This is required when Outlook 98 and below logon because they are used to having the directory available on the Exchange server as was the case with Exchange 5.5. It is also used on newer Outlook version during the first logon to Exchange 2000 when the Outlook profile is resolved
OAL – Generates the Offline Address Book to be downloaded by roaming Outlooks.
Mailbox Management – Co-ordinates Active Directory and Exchange mailbox operations.
MSExchangeSRS – This is the Exchange 5.5 emulator for mixed Exchange 2000/5.5 sites. This category is useful using migration operations.
MSExchangeTransport – This service is responsible for the routing of (mostly) SMTP mail around, deciding which goes where.
POP3Svc – Responsible for POP3 calls to Exchange.
Logging Level
Most of the time you would pick “Minimum”. If Minimum doesn’t provide the results you expected, crank it up but beware, some categories can overwhelm the Event Viewer.
Before starting the logging level process, you might choose to clear the Application Log, so you would have a clear starting point. Also, you might want to configure the applications log to retain more than the default 512K of information and Overwrite old events. Otherwise, the Event Viewer will not register new events if the allotted size is exceeded.
For a clearer view you might choose to configure filter the Application Log to show just warnings and errors, though sometimes useful information provided by logging is presented as Information.
This concludes the way to troubleshoot Exchange using diagnostics logging options. As I mentioned in the beginning of the article, it is a powerful tool if you have a good knowledge of how Exchange works, and it will save you plenty of time when communicating with Microsoft support services.
