Get IT Done: Monitor Exchange 2000 mail flow with additional logging options

Figure out how email flows through an Exchange 2000 system

When troubleshooting mail flow issues within Microsoft Exchange 2000, you need to make sure that mail is flowing through the MTA queues and that your server has connectivity with the rest of your Exchange organization and the outside world, as I explained in "Troubleshoot Exchange 2000 mail flow issues."

As handy as those tricks are, though, they don’t always get the job done. That’s because the problem may not always be related to a malfunctioning queue or to a connectivity issue. In such cases, you may have to do a little more digging before you can find the true culprit. Fortunately, Microsoft has a number of mechanisms built into Exchange that can help you uncover the problem.

Diagnostic logging
One mechanism you can use to help track down the problem is diagnostic logging. Diagnostic logging is disabled by default because it tends to consume a lot of processor time and because the log files can quickly grow to outrageous sizes if you aren’t careful.

To enable diagnostic logging, open the Exchange System Manager and navigate to your organization\Administrative Groups\your administrative group\Servers\your server. Right-click on the server for which you want to enable diagnostic logging, and select the Properties command from the resulting shortcut menu. On the server’s Properties sheet, select the Diagnostic Logging tab to open a screen similar to the one shown in Figure A.

Figure A
The Diagnostic Logging tab allows you to enable logging for an aspect of the Exchange Server.

As you can see in the figure, the Diagnostic Logging tab presents a number of services for the server you've selected. If you're troubleshooting an Exchange mail flow problem, you'll probably be most interested in the MSExchangeMTA and MSExchangeTransport services. Once you select a service, the pane to the right will display all the various logging categories for that service. To enable logging, simply select a category and then choose the logging level you want to assign to that category. You can enable logging for multiple categories. When you’re done, click OK to start the logging process. Before you enable logging, however, note that diagnostic logging can be extremely resource-intensive. Don't use too many different logging categories, and be careful about using the maximum logging level.

The logging level for each category can be set to None, Minimum, Medium, or Maximum. None is the default, but the name is a little deceptive. Setting a logging level to None doesn’t really mean that nothing will be logged for that category. Instead, critical events are logged, but nothing else. The other settings are compared against the logging level of each specific event that occurs. Minimum logs events with a logging level of 1 or lower; Medium logs events with a logging level of 3 or lower; and Maximum logs events with a level of 5 or lower.

In case you're wondering, all the events that are logged are written to the normal Windows 2000 event logs in the Application Log section, which brings me to an important point. In the past, I've had more than one instructor in an MCSE class say that you should check the event logs for any warning messages or error messages when trying to troubleshoot a problem. While it’s certainly helpful to look for warnings and errors, if that’s all you look for when analyzing your diagnostic logs, you're missing half of the benefits of diagnostic logging.

Keep in mind that when you're trying to troubleshoot a problem, it’s just as important to know what is working as what isn’t working. Therefore, refrain from automatically ignoring events that don’t indicate an error or a warning. Reading the informational events can often help you diagnose the problem much more quickly than if you simply ignored such events.

Protocol logging
Another useful mechanism for diagnosing Exchange 2000 mail flow issues is protocol logging, which allows you to gather statistical data on how the server is being used. For example, you can use protocol logging to see which users are connecting to the server and where they are connecting from. You can log a number of other user actions as well. This type of logging is very useful if only a certain subset of users is experiencing a problem. You can use protocol logging to see what, if anything, these users have in common. For example, perhaps they're all connecting through OWA or from a particular subnet on your network. Maybe they're all trying to send a message to a specific distribution list. You never know what you might find.

To enable protocol logging, open the Exchange System Manager and navigate to your organization\Administrative Groups\your administrative group\Servers\your server\Protocols\SMTP\Default SMTP Virtual Server. Right-click on Default SMTP Virtual Server, and select the Properties command from the resulting shortcut menu. You'll then see the Default SMTP Virtual Server Properties sheet.

On the General tab in the Properties (Figure B), select the Enable Logging check box. Be careful about doing this because, depending on how busy your server is, the logs can quickly consume a lot of hard disk space.

Figure B
Protocol logging lets you log events occurring at the SMTP level.

After you enable logging, you'll want to select a log file format. The default option is W3C Extended Log File Format. This format usually gives you the most detail, so I recommend sticking with it.

Diagnostic logging writes events to the Windows event logs, but protocol logging does not. If you click the Properties button, you'll see the Extended Logging Properties dialog box, shown in Figure C. This dialog box lets you control where the log files are written and how often new log files are created. By default, log files are written to the \WINNT\System32\LogFiles folder, and new log files are created daily.

Figure C
You can control the destination of log files and how often new log files are created.

One other point that’s worth mentioning: If you select the Extended Properties tab in this dialog box, you'll see a screen that gives you the option of logging a lot more information. For example, you can have information such as the client’s IP address or username included with the logs. I strongly suggest using this option when you're creating logs for diagnostic purposes. Figure D shows an example of this screen.

Figure D
The Extended Properties tab allows you to include additional information in the logs.
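Once protocol logging is writing W3C Extended files, finding what the affected users have in common comes down to reading the `#Fields:` directive and grouping entries. The script below is an added example, not part of the original article: the log text is constructed, the column set is an assumption (it follows whatever is selected on the Extended Properties tab), and it assumes `sc-status` carries the SMTP reply code.

```python
import ipaddress
from collections import Counter

# Constructed sample, not real server output. The columns are an assumption:
# they depend on the boxes ticked on the Extended Properties tab.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-username cs-method sc-status
2003-05-01 08:00:01 10.1.20.15 alice RCPT 250
2003-05-01 08:00:05 10.1.30.7 bob RCPT 550
2003-05-01 08:00:09 10.1.30.22 carol RCPT 550
2003-05-01 08:01:12 10.1.20.16 dave DATA 250
#Fields: date time c-ip cs-method sc-status
2003-05-01 09:15:40 10.1.30.7 RCPT 451
2003-05-01 09:15:44 10.1.20.15 QUIT 221
"""


def parse_w3c(text):
    """Yield one dict per entry, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            # The column list can change mid-file when logging options change.
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):
                yield dict(zip(fields, values))


def failures_by_subnet(entries, prefix=24):
    """Count SMTP replies of 400 or above per client subnet."""
    counts = Counter()
    for entry in entries:
        status = entry.get("sc-status", "")
        if not status.isdigit() or int(status) < 400:
            continue
        try:
            net = ipaddress.ip_network(f"{entry.get('c-ip')}/{prefix}", strict=False)
        except ValueError:
            continue  # c-ip not logged or not an address
        counts[str(net)] += 1
    return counts


if __name__ == "__main__":
    for subnet, n in failures_by_subnet(parse_w3c(SAMPLE_LOG)).most_common():
        print(subnet, n)
```

Because the parser keys each entry by the active `#Fields:` line, it keeps working when the selected properties change partway through a log file.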

When your Exchange server has mail flow problems that aren’t easily solved through the usual methods, it's important to gather diagnostic information. Diagnostic logging and protocol logging can help you get to the bottom of mail flow issues.
