SolutionBase: Interpreting MOM reports for Exchange Server

Microsoft Operations Manager can help you get a handle on managing your entire network, including your Exchange server. Part of the trick to getting it to work is to understand the reports that MOM generates. Here's how.

The Management Pack for Exchange into Microsoft Operations Manager (MOM) gives you the ability to use MOM to control how Exchange works in complex environments. In this article, I'll show you the various reporting options that the Exchange Server Management Pack gives you.

Author's Note

Before I get started, I want to clarify which software versions I will be discussing. For the purposes of this article, I am assuming that you are running MOM 2005 with Service Pack 1 on top of Windows Server 2003 Enterprise Edition with Service Pack 1. I am also assuming that you are using the management pack for Exchange Server 2003 (there are separate management packs depending on which version of Exchange Server you are running).

Accessing Exchange-specific information

In my opinion, the MOM 2005 console isn't the most intuitive interface ever invented. If you haven't worked with MOM much, then the console definitely takes a little getting used to. One thing that you can do to make using the console easier though is to set a filter so that you are only looking at Exchange related information. To do so, click on the Alerts link in the lower left quadrant of the screen.

When you do, the top node in the upper left quadrant will be displayed as All | Alert View. Right-click on All | Alert View and select the Show Views From | Exchange 2003 commands from the resulting shortcut menus. When you do, you will see a screen similar to the one shown in Figure A.

Figure A

The Exchange 2003 Alert View displays any warnings or errors that have occurred on your Exchange Servers.

If you look at Figure A, you will notice that there are no Exchange related alerts in my organization at the present time. Even so, it's still worth paying attention to the figure because when something does go wrong, this is where you will find out about it. If you select the Exchange 2003 Alert Views container, you will see any general Exchange related alerts appear in the columns to the right.

The Exchange 2003 Alert View contains four sub containers.

  • Exchange Health Monitoring
  • Exchange Utilization and Performance
  • Server Configuration and Security
  • Server Resource Utilization

These categories contain specific types of alerts. For example, the Exchange Utilization and Performance container would contain alerts related to the Active Directory Connector, POP3, SMTP, and things like that.

Remember when I said that the MOM console wasn't very intuitive? One of the reasons why I said that was because when you are working in the Alert Views mode, it is very easy to completely miss out on an alert. For example, if an SMTP related alert were to occur, you would never even know about it unless you happened to drill down through the alert view to Exchange 2003 Alert Views | Exchange utilization and Performance | SMTP. That might not sound like a big deal, but MOM contains dozens of Exchange related alert containers. Going through each container individually would be extremely cumbersome.

If you really want a comprehensive picture of the Exchange related alerts that have occurred on your server, then click the Computers and Groups link in the lower, left quadrant of the screen. When you do, the upper, left quadrant of the screen will continue to reflect an almost identical tree structure to what you saw in Figure A.

The difference is that you are now looking at alerts on a per server basis rather than on the basis of the type of alert. The Alerts view is useful if you wanted to look for a specific type of error across your entire Exchange organization. For example, if you wanted to look at any SMTP related alerts across all of your Exchange Servers, then the Alerts view would be ideal. If you wanted to troubleshoot a specific computer though, the Computers and Groups view is much more effective.

If you look at Figure B, you can see that the upper, right quadrant of the screen displays the status of both of the Exchange Servers on my network. The server Relevant is showing a success state, which indicates that there are no Exchange related alerts on the server. The server Tazmania is showing three alerts though. When I click on Tazmania, MOM displays a list of the current alerts on that server, as shown in Figure C. As I select a particular alert, the lower, right quadrant of the screen displays detailed information about the alert.

Figure B

The Computer and Groups view allows you to see Exchange related errors on a per computer basis.

Figure C

If you double-click on a server, you can see a list of the current alerts.

Exchange events

As a whole, MOM is event driven. The Exchange Management Pack is little more than a set of rules pertaining to how MOM should respond to various events that occur. These Exchange events are not completely transparent though. If you want to gain a clearer picture of what is going on with your server, you can actually view the various events that have occurred. To access MOM's Event Viewer, simply click on the Events link in the lower, left quadrant of the Operator Console.

The Event Views are another area in which the MOM user interface can be a little bit confusing. The tree in the upper, left quadrant of the screen is pretty much the same as the tree that you have seen in the previous screen shots. What tends to be confusing about this tree is that not every container in this tree is capable of displaying events.

If you look at Figure D, you will notice that some of the objects in the tree use the event icon, while others use the basic file folder icon. Only branches of the tree which display the event icon are even capable of displaying events. Furthermore, just because a branch of the tree is capable of having events associated with it, it does not mean that that there will necessarily be any events. If you look at Figure D, you will see that I have the All Server Configuration Events container selected. This container is certainly capable of storing event information, but at the present time no events have occurred, so the container is empty.

Figure D

Just because a container can store events it doesn't mean that any events have occurred.


So far I have talked primarily about ways that you can spot error conditions and track down somewhat obscure system events. This is certainly not the only type of information that MOM can produce though.

If you have ever taken an MCSE class on Windows Server, then you are no doubt familiar with the Windows Performance Monitor. The Performance Monitor is a tool that you can use to determine the system's health by watching various counters. The Performance Monitor is a fantastic tool, but it can be complicated to use. MOM frees you from the burden of tracking Performance Monitor counters though. MOM tracks the various performance monitor counters for you and offers a variety of reports based on those counters.

To access the performance related reports, click the Performance link in the lower, left quadrant of the screen. When you do, you will see the tree in the upper, left portion of the screen fill with links to performance related reports. Although there are dozens of reports available, you should keep in mind that we are still looking solely at Exchange related information. MOM offers additional reports for the base Windows operating system.

To access a performance related report, just navigate through the tree and select the type of report that you want, and it will be displayed on the right half of the screen. For example, suppose that you wanted to see the percentage of processor time that was being used on each Exchange Server. To do so, you would navigate through the tree to Exchange 2003 Performance Views | Exchange Health Monitoring | Exchange Core Health Metrics | Total % CPU Usage.

When you do, you would see a report appear on the right side of the screen that shows the amount of CPU time that each server was using when last sampled, as shown in Figure E.

Figure E

The Performance Views allow you to view reports based on Performance Monitor counters.

One of the cool things about the performance views is that you can create a graph that compares certain aspects of the server's performance across your entire Exchange organization. For example, suppose that you wanted to compare CPU utilization across all of your Exchange Servers. You could select the check box next to each server listed, and then click the Draw Graph button. The graph is kind of empty looking because I only have two Exchange Servers on my network, but Figure F shows what the graph looks like.

Figure F

MOM allows you to create graphs that allow you to compare system performance across multiple servers.

My views

Hopefully by now, you are starting to see that once you get used to MOM's interface, MOM is an excellent tool for mining data related to your Exchange organization's health. So far I have shown you most of the types of reports that MOM can produce in relation to your Exchange organization. We aren't done yet though. There is still at least one type of report that you may find very useful.

If you click on the My Views link found in the lower, left quadrant of the Operator Console, the screen will basically go blank. The upper left quadrant of the screen where MOM's now familiar tree structure normally resides is now empty aside from a lone container named All My Views. The right side of the screen is also completely empty.

Don't let this emptiness fool you though. The My Views section is one of the most powerful areas of the Operator Console. It allows you to create custom views that display the data that's important to you. The idea is that if you have a specific report that you use all the time, then there is no reason why you should have to fumble with MOM's cumbersome interface every time you want to access that particular data. Instead, you can just set the report up through My Views so that it is easier to access.

For me personally, one of the views that I use the most often is the Computer Level View that tells me how many alerts are open on each server. If you wanted to create such a view in the My Views section, you would right click on All My Views and select the New | Computers View from the resulting shortcut menus. You will now see a screen with several computer level views to choose from. The very first option on the list is Computers With Open Alerts. Select this option and click Next. You are now asked to enter a name for the view and an optional description. Enter this information, and click Finish. Your selected view will now be added to the My Views section.

The view that I just showed you how to create was based on a pre-defined view. However, you do have the option of creating views that are truly custom. For example, in the computer related view section, you can create a view consisting of computers in a specified group or of computers that satisfy some special criteria of your choice. For example, you could create a view of computers that have not had a heartbeat in X number of minutes, or of computers that are running in maintenance mode.