Exchange 2007 Message Tracking

admin — Sun, 11 May 2008 00:14:00 +0000

Exchange 2007 Message Tracking

At some point in time most messaging administrator have received the age-old complaint about mail not arriving or being delivered. I revert to the message tracking logs quite often on the systems that I manage.

There are a number of logs available from the content agent logs for antispam, Protocol logs, Send/Receive logs but this article will focus on one of my favorites Message Tracking.

When working in mixed Exchange 2003 and Exchange 2007 you have to manage each logs separately as the tools provided will not allow us to parse logs from different versions of the products.

Another item I found out in early beta was the GUI provided in Exchange 2007 only searches the logs on the server we are running the query from, we must user EMS to query all our servers.

Configuring Message Tracking

By default Message Tracking is enabled on all servers running Hub, MBX, or Edge Server roles and Microsoft has added management features in SP1 to allow more configuration from EMC.

EMC

Lets open Exchange Management Conscole (EMC) and take a look at what we can see on our hub transport server

You can see the message tracking is ENABLED by defaultThe only 2 options we have from the EMC is :
1. Enable message tracking
2. specify the log path

If we look at the properties of the mailbox server we cannot manipulate any of the setting from

EMS
We can use the get-transportserver and get-mailboxserver cmdlets to show message tracking information.

get-mailboxserver

get-transportserver

We can see from the output from our cmdlets that we have much more information in EMS then in EMC.

This is a default configuration:
MessageTrackingLogSubjectLoggingEnabled : True

MessageTrackingLogEnabled : True
MessageTrackingLogMaxAge : 30.00:00:00
MessageTrackingLogMaxDirectorySize : 250MB
MessageTrackingLogMaxFileSize : 10MB
MessageTrackingLogPath : C:\Program Files\Microsoft\Exchange S erver\TransportRoles\Logs\MessageTracking
MessageTrackingLogSubjectLoggingEnabled : True

I cannot provide an answer as to what the settings above should be as these should be part of your company policy how long the logs must be retained.

At a minimum I recommend the log path be moved from the OS partition however if you limited a limited number of drives and your OS is a Raid 1 mirror the logs can perfrom find on the OS disk.

We can manipulate our settings with the Set-TransporServer and Set-Mailboxserver cmdlets

I am going to use the Get-TransportServer cmdlet and pipe it to the Set-transportserver cmdlets to set the Log path, Max Age and directory size

Get-TransportServer | Set-TransportServer -MessageTrackingLogMaxAge 60 -MessageTrackingLogMaxDirectorySize 500mb -MessageTrackingLogPath d:\MessageTrac kingLogs

We can use the Get-Transportserver to view our changes

Lets take a look at our log, we can see the location has been moved to our specified location

Lets look at the log in its native format

Searching Message Tracking Logs

Permissions:

Exchange 2007 RTM, the account you use must be delegated the following:

Exchange Server Administrator role and local Administrators group for the target server

Exchange 2007 SP1, the account you use must be delegated the following:

Exchange View-Only Administrator role

Edge Transport server role you must log on by using an account that is a member of the local Administrators group on that computer.

EMC

Lets take a look at some message tracking option in EMC

Click “toolbox” -> Under Mail flot tools –> Select Message tracking

when the this is first selected the tool will connect to Microsoft and see if there are any new updates.

next we are presented with the welcome screen

On the Message Tracking Parameters we have the ability to select from the following filters
Recipients, Sender, Server, Event ID (Receive, Send, Fail, DSN, Deliver, BadMail, Resolve, Expand), Message ID, Internal Message ID, Subject m reference, Start, and End

Once we have made our selections the window as the bottom shows up the EMS commands that will be run to retrive the logs

I sent a message from brian.tirch@vm.local to generate some log data, for my filters I selected Sender,Start, and End

We can see the 2 entries are returned 1. Receive and 1 for Deliver

We can see in the data returned that there are a number of fields listed that are not search able from EMC like client IP and Server IP

From this log we can see that the message was received from vmmbx1 to vmcashub and then delivered from vmcashub to vmmbx1

**Notice the only logs we have data are from the server which we ran the message tracking tool from**

http://technet.microsoft.com/en-us/library/bb124375(EXCHG.80).aspx

Event name	Description
BADMAIL	A message was submitted by the Pickup directory or the Replay directory that cannot be delivered or returned.
DELIVER	A message was delivered to a mailbox.
DEFER	Message delivery was delayed.
DSN	A delivery status notification (DSN) was generated.
EXPAND	A distribution group was expanded.
FAIL	Message delivery failed.
POISONMESSAGE	A message is put in the poison message queue or removed from the poison message queue.
RECEIVE	A message was received and committed to the database.
REDIRECT	A message was redirected to an alternative recipient after an Active Directory directory service lookup.
RESOLVE	A message’s recipients were resolved to a different e-mail address after an Active Directory lookup.
SEND	A message was sent by Simple Mail Transfer Protocol (SMTP) to a different server.
SUBMIT	A message was submitted by an Exchange 2007 computer that has the Mailbox server role installed to an Exchange 2007 computer that has the Hub Transport server role or Edge Transport server role installed. The message tracking logs that are generated by the Mailbox server role contain only SUBMIT events.
TRANSFER	Recipients were moved to a forked message because of content conversion, message recipient limits, or agents.

EMS:
Lets use EMS to search the message tracking logs and please reference the “How to Search Message Tracking Log” article below to see the differences between the available fields.

If we run the Get-Help command we can see the available switches.

C:\>get-help Get-MessageTrackingLog

Name
Get-MessageTrackingLog

SYNOPSIS
Use the Get-MessageTrackingLog cmdlet to search message information that i
stored in the message tracking log.

SyNTAX
Get-MessageTrackingLog [-DomainController ] [-End ] [-Even
Id ] [-InternalMessageId ] [-MessageId ] [-Message
ubject ] [-Recipients ] [-Reference ] [-ResultSi
e ] [-Sender ] [-Server ] [-Start ] []

let perform the same search as above and see if we get any different data:
Get-Messagetrackinglog -Sender “brian.tirch@vm.local” -Start “5/10/2008 7:42:00PM” -End “5/12/2008 7:52:00 PM”

you can see the first return is truncated

so we can pipe to the FL command to get more details

After viewing this the data both results are the same…..

Now we can add some parameters to our command so that we can pull logs from all servers.
Get-ExchangeServer | where {$_.isHubTransportServer -eq $true -or $_.isMailboxServer -eq $true} | Get-MessageTrackingLog

by piping the Get-ExchangeServer cmdlet to the Where command we can pull logs from all hubs servers and mailbox server to limit our filter to pull from selected servers.

Lets run the same command for Get-Messagetrackinglog but add the leading Where statement.

We can see now that we have an additional entry for Submit

the Submit entry shows the log from our mailbox server submitting a message to a hub server for delivery.

We can see that the message tracking logs can be vary useful in determining any issues or validating messages delivery.

References:

How to Search Message Tracking Logs
http://technet.microsoft.com/en-us/library/bb124926.aspx

Managing Message Tracking

http://technet.microsoft.com/en-us/library/bb124375(EXCHG.80).aspx

How to configure Message Tracking

http://technet.microsoft.com/en-us/library/aa997984(EXCHG.80).aspx

Exchange-Genie » Message tracking

Exchange 2007 Message Tracking