Monitoring Important Exchange Server 2003 Components
As a client/server messaging system, Microsoft® Exchange Server 2003 relies on active server services. Some are specific to Exchange 2003, such as the Microsoft Exchange Information Store service, which maintains the messaging databases. Other components are provided by the operating system, such as Active Directory® directory service and Internet Information Services (IIS). You must understand the interdependencies among all these components to evaluate their influence on the overall system state of an Exchange server.
Core components of Exchange 2003 include:
Domain Name System (DNS) You should deploy the DNS Management Pack for MOM 2005 to monitor your DNS system. Exchange 2003 relies on host name resolution for both local and external SMTP-based messaging systems in the network. Host name resolution is based primarily on DNS, and DNS is a critical network service. As mentioned, DNS is required for Active Directory and Exchange Server 2003.
Active Directory This is the directory service of Exchange 2003. Exchange servers and messaging clients, such as Microsoft Office Outlook® 2003, access Active Directory in situations such as when logging on to the network and connecting to a mailbox, or accessing server-based address lists. Your messaging environment requires a dependable Active Directory infrastructure. For information about monitoring Active Directory, see Active Directory Management Pack for MOM 2005 at https://go.microsoft.com/fwlink/?linkid=36080.
System Attendant This is an Exchange-specific service that contains a DSAccess module that communicates with Active Directory to retrieve and cache directory information. Another important component of system attendant is DSProxy, which forwards MAPI-based address lookups to a global catalog server. System attendant also manages mailbox-enabled user properties, generates routing tables, and communicates with other components, such as IIS and Active Directory. Most of the other Exchange services depend on the system attendant. You should monitor this service as part of the overall Exchange system monitoring.
Microsoft Exchange Information Store This is one of the most important services of Exchange 2003, and it should be monitored continuously. The Microsoft Exchange Information Store service maintains all user mailboxes and public folders in messaging databases. If the Microsoft Exchange Information Store service is stopped, users cannot gain access to the e-mail messages stored in their mailboxes.
SMTP Transport Engine This is the core transport subsystem of Exchange 2003. All messages must pass through the SMTP transport engine, whether they are sent to users on the Internet, to another server in the same Exchange 2003 organization, or to the sender's local server. Monitoring this service and its associated message queues, and reacting quickly to issues related to the SMTP service lets you make sure that messages can reach their destinations with minimum delays.
Message Transfer Agent (MTA) This service provides the necessary routing functions when communicating with Microsoft Exchange Server 5.5, with X.400 messaging systems, or with non-Exchange messaging systems through Connector for Lotus Notes or Connector for Novell GroupWise. You should monitor this service if you are responsible for a complex environment that includes Exchange 5.5 servers or non-Exchange messaging systems. It is recommended that the Microsoft Exchange MTA Stacks service be running on every Exchange server.
Complementary Services Complementary services are primarily those that integrate with IIS to support several messaging clients, such as the Network News Transfer Protocol (NNTP) service, Post Office Protocol version 3 (POP3), Internet Message Access Protocol version 4rev1 (IMAP4), Outlook Web Access, Outlook Mobile Access, and Exchange ActiveSync®. The complementary services that you must monitor depend on the messaging clients that your information workers are using to access their mailboxes.
Monitoring these components for availability and ensuring reliable performance requires understanding the purpose and scope of the components. The key components of Exchange 2003 are explained in the following sections.
System Attendant and DSAccess
The system attendant service, with its internal DSAccess component, is a critical part of the Exchange 2003 architecture and must be running before Microsoft Exchange Information Store service and Exchange MTA Stacks service can start. If you start the Microsoft Exchange Information Store service when system attendant is stopped, the system attendant service will be started automatically.
DSAccess is used for the major communication between Exchange 2003 and Active Directory. When Exchange starts, it uses DSAccess to locate a domain controller for access to Active Directory information. Exchange 2003 uses both domain controllers and global catalog servers. DSAccess uses domain controllers to obtain configuration and schema information about classes and attributes, and to make system changes, such as changing server properties and applying policies to administrative groups. DSAccess queries global catalog servers to access data replicated from domain controllers about user and group objects. You can determine the domain controller and global catalogs that Exchange 2003 is using in Exchange System Manager at the server's Directory Access property page.
To decrease server load and excessive queries to Active Directory, DSAccess maintains a cache of configuration information from resultant query data. After information is queried from a domain controller or a global catalog server, DSAccess stores it in the cache. When the same information is queried again, Exchange uses the DSAccess cache instead of obtaining Active Directory data from a domain controller or a global catalog server.
Event Log Entries
The Exchange Management Pack tracks many events that the MSExchangeDSAccess and MSExchangeSA components write to the event log, so that you can monitor system attendant. MSExchangeSA and MSExchangeDSAccess are the most important sources of event log entries pertinent to system attendant. You can view a list of event categories for these components when you display the properties of your Exchange server in Exchange System Manager, and then click the Diagnostics Logging tab. The categories correspond to the event categories in Event Viewer.
MSExchangeSA This source includes the following event categories:
Monitoring
E-mail address generation
Remote Processing Calls (RPCs)
Statistics gathering
MAPI session
Offline Address List (OAL) generator
Replication configuration
Mailbox management
Routing table generation
Directory Service Referral (RFR) interface
Name Service Provider Interface (NSPI) proxy
Proxy generation
MSExchangeDSAccess This source represents the DSAccess component and includes the following event categories:
Cache
Configuration
Lightweight Directory Access Protocol (LDAP)
Topology
Performance Counters
The Exchange Management Pack also uses performance counters to monitor system attendant and its internal components. The performance counters of system attendant include:
MSExchangeDSAccess Caches This object deals with monitoring the DSAccess cache. It includes counters to track configuration data object expiry, insertion, searches, LDAP queries, objects not found, and total entries in the cache.
MSExchangeDSAccess Processes This object includes counters to monitor LDAP search calls and time taken to send search and read requests and receive a response. It checks the following instances:
MAD.EXE The system attendant executable.
STORE.EXE The Microsoft Exchange Information Store service executable.
INETINFO.EXE The IIS main executable that includes SMTP virtual server functionality.
EMSMTA.EXE The MTA executable.
MSExchangeDSAccess Global Counters This object includes counters for DNS query and topology discovery duration in addition to in-site and out-of-site numbers of available global catalog servers and domain controllers.
MSExchangeDSAccess Domain Controllers This object includes counters that monitor LDAP calls, connection, searches, search times, and Active Directory synchronization data.
MSExchangeSA – NSPI Proxy This object includes counters for monitoring connections by the NSPI proxy from and to clients and NSPI proxy connect operations to the domain controller.
Microsoft Exchange Information Store Service
The Microsoft Exchange Information Store service and associated databases are important components in Exchange 2003. Exchange Server 2003 stores user mailboxes and public folders in messaging databases. Microsoft Exchange Information Store service maintains these databases, and it is important to monitor this service to be informed about potential problem sources before they can affect the availability of the Microsoft Exchange Information Store service.
The Microsoft Exchange Information Store service relies on Extensible Storage Engine (ESE) to work with the actual database structures. Messaging databases are managed in storage groups and include transaction log files, a MAPI-based database file, and a streaming database. ESE uses transaction log files to store transactions that have been committed to memory in a persistent file without the overhead of performing a complex database operation. This makes sure that no data is lost if there is an unexpected server shutdown. Later, transactions are committed from the transaction log file to the MAPI-based database file. For messages in Internet format that are received through the SMTP transport service, Exchange uses a streaming database to store the messages without the overhead of converting them to MAPI-based format. This is done later if a MAPI-based client, such as Microsoft Outlook®, requests the message.
When monitoring the Microsoft Exchange Information Store service, remember that you must also monitor ESE, because memory, transaction log files, and messaging databases make up the database. All these parts must be considered when planning administration and maintenance.
Microsoft Exchange Information Store Service Dependencies
The Microsoft Exchange Information Store service depends on the following:
ExIFS The Exchange Installable File System (ExIFS) represents the drive interface installed with Exchange 2003. It enables Exchange to read and write to and from folders.
Web Storage System (WSS) The ExIFS depends on the Web Storage System (WSS), which combines the file system and the database into a cohesive collaboration system. The WSS can be accessed in several ways, including MAPI clients, XML, HTTP, WebDAV, and Win32® API calls. These combined components enable the Microsoft Exchange Information Store service to use disk space in an organized way.
Microsoft Exchange System Attendant As previously mentioned, System Attendant provides monitoring, maintenance, and Active Directory lookup services. With the Microsoft Exchange Information Store service, system attendant triggers the defragmentation of the databases.
Event Log Entries
The Exchange Management Pack uses the following event sources to monitor the Exchange store:
MSExchangeIS This source records events that are related to client logon and authentication, configuration and replication, internal database consistency and operations, virus scanning, transfers to and from gateways, and client actions.
MSExchangeIS Public Folder Similar to the MSExchangeIS event source, the MSExchangeIS Public Folder event source records events that specify logons, move mailbox operations, database consistency and operations, downloads, views, transfers in and out of the gateway, replication status, recovery, and message transfer agent (MTA) connections.
MSExchangeIS Mailbox This source logs the same events as MSExchangeIS Public Folder, except it deals with the mailbox store instead of the public folder store.
Performance Counters
The following performance counters enable the Exchange Management Pack to monitor Exchange store instances:
MSExchangeIS This object includes counters to track the following:
Access control list (ACL) upgrade failures, tries, and completions
Active and anonymous user counts and connections
Appointment creation and deletion (both single and recurrent)
Client latencies
RPC failures, RPC successes, RPC tries, and RPC clients bytes, packets, and requests
Distribution list membership cache
Memory allocation and use through Exchmem.dll file
Maximum users and connections
Recurring appointments
Results from virus scan operations
Virtual memory use
MSExchangeIS Mailbox and MSExchangeIS Public These objects include tracking counters for delivery time, clients logged on, WebDAV, message send and receive, queue sizes, and items retained for Item Recovery in the public folder store and mailbox store.
MSExchangeIS Transport Driver This object includes counters to track the following:
MTA delivery, receipt, and message amounts
Message size
Local delivery reads and writes
MAPI client submissions, deletions, and lists
Transport temporary tables
SMTP Transport Engine
The core transport engine in Exchange 2003 is the Simple Mail Transfer Protocol (SMTP), which is based on the following components:
Routing module This component manages how the messages arrive at their destination.
Categorizer This component resolves sender and recipients against Active Directory, determines destination, and applies limits such as maximum message size.
Protocol engine This component communicates with neighboring SMTP services to transfer messages from server to server across the messaging network.
Store driver This component provides the interface between the SMTP service and the Microsoft Exchange Information Store service. It uses ExIPC for inter-process communication, and more.
Exchange 2003 uses SMTP virtual servers to provide a transport mechanism for Exchange communication within routing groups. SMTP connectors can also be used to connect separate Exchange routing groups or an entire Exchange 2003 organization to the Internet. SMTP connectors provide a means to streamline message routing. For the actual message transfer, however, SMTP connectors rely on the specified SMTP virtual servers.
SMTP Transport Dependencies
Your SMTP virtual servers and the SMTP service must be functional for both internal communication and communication with outside organizations to occur. Because the SMTP service integrates with Internet Information Services (IIS), IIS must be functional. Monitor all these components to verify that all messages arrive at their destinations in a timely manner. Any monitoring of message transfer efficiency and reliability involves inbound and outbound messages, message queues, transport rates, and connections, in addition to the IIS Admin Service and SMTP service.
Event Log Entries
The Exchange Management Pack uses events from MSExchangeTransport event source to monitor the components of the SMTP transport service. This includes the following categories:
Categorizer This category logs events related to message processing, LDAP queries, and recipient lookup information.
Connection Manager This category provides message delivery notification logging.
Exchange Store Driver This category logs events that occur between Microsoft Exchange Information Store service and the queuing engine.
Queuing engine This category logs events related to queue operations such as writes, reads, and sizes.
Routing Engine/Service This category logs routing service results such as DNS lookups and next routing hop information.
SMTP Protocol This category logs SMTP service operations.
Performance Counters
The related performance counters that the Exchange Management Pack uses to track system performance are listed below:
SMTP Server This is the main performance object for the SMTP service. The Local and Categorizer queues of the SMTP server component, together with message retries, are especially important: queue growth can indicate a transfer problem, and determining the point of failure can be challenging because of the various components involved. The object includes several monitoring counters, such as:
Local versus remote recipients
Average retries of message deliveries
Message statistics about badmail (e-mail messages that are contained in the BadMail folder. Typically, these are messages that cannot be delivered to your organization or returned to the sender.)
Total bytes, sent, received, and per second
Categorizer counters for lookups, failure, completions, LDAP connections, message submission and categorization, and the Categorizer queue length
Messages processed for local delivery, message bytes received and sent
DNS queries
Queue length
Inbound and outbound connections
Routing table lookups
SMTP Routing This object includes monitors for link state changes, server cache refreshes, and local ResetRoutes.
SMTP NTFS Store Driver This object includes counters for total messages allocated, deleted, or put in the queue, in addition to open message bodies and streams.
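Queue growth is easiest to judge as a trend rather than a single reading. The following Python sketch is an added example, not part of the Exchange Management Pack: it reads counter samples laid out like typeperf CSV output and flags queues that keep rising. The server name EXCH01, the counter paths, the sample values, and the thresholds are all constructed assumptions.

```python
import csv
import io

# Constructed sample in typeperf CSV layout: one header row of counter paths,
# then one row per sampling interval. A blank cell (" ") is a missed sample.
SAMPLE_TYPEPERF_CSV = r'''"(PDH-CSV 4.0)","\\EXCH01\SMTP Server(_Total)\Local Queue Length","\\EXCH01\SMTP Server(_Total)\Categorizer Queue Length"
"04/12/2005 10:00:00.000","2.000000","0.000000"
"04/12/2005 10:01:00.000"," ","5.000000"
"04/12/2005 10:02:00.000","1.000000","18.000000"
"04/12/2005 10:03:00.000","4.000000","40.000000"
"04/12/2005 10:04:00.000","2.000000","77.000000"
"04/12/2005 10:05:00.000","3.000000","120.000000"
'''


def parse_typeperf(text):
    """Return {counter path: [float samples]}, skipping blank samples."""
    rows = list(csv.reader(io.StringIO(text.strip())))
    header, data = rows[0], rows[1:]
    series = {path: [] for path in header[1:]}
    for row in data:
        for path, cell in zip(header[1:], row[1:]):
            try:
                series[path].append(float(cell))
            except ValueError:
                continue  # missed sample, nothing to record
    return series


def sustained_growth(samples, window=5, min_increase=20):
    """True if the last `window` samples never fall and rise by min_increase.

    A queue that spikes and drains again is normal mail flow; a queue that
    only ever grows means messages arrive faster than they leave.
    """
    if len(samples) < window:
        return False
    recent = samples[-window:]
    rising = all(b >= a for a, b in zip(recent, recent[1:]))
    return rising and recent[-1] - recent[0] >= min_increase


def growing_queues(text, window=5, min_increase=20):
    """Return the counter names (last path element) that show sustained growth."""
    flagged = []
    for path, samples in parse_typeperf(text).items():
        if sustained_growth(samples, window, min_increase):
            flagged.append(path.rsplit("\\", 1)[-1])
    return flagged


if __name__ == "__main__":
    for name in growing_queues(SAMPLE_TYPEPERF_CSV):
        print("sustained growth:", name)
```

A growing Categorizer queue alongside a flat Local queue points toward recipient resolution against Active Directory rather than local delivery, which narrows where to look next.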
Message Transfer Agent (MTA)
The MTA has been replaced with SMTP as the preferred message transport mechanism in Exchange 2000 and Exchange 2003. However, the MTA is still essential in the Exchange architecture, especially when Exchange 2003 is deployed in complex environments with mixed server architectures. For example, Exchange 2003 communicates with Exchange 5.5 through the MTA, if Exchange 2003 is installed in the local site of the Exchange 5.5 server.
MTA Dependencies
Microsoft Exchange MTA Stacks depends primarily on system attendant for communication with Active Directory through DSAccess, which was discussed earlier in this section. When communicating with other Exchange 5.5 servers installed in the local site/routing group, the MTA uses RPCs. When communicating with remote Exchange servers or non-Exchange remote MTAs, the Exchange MTA uses X.400 connector instances, which require an MTA transport stack for TCP/IP or X.25 installed on the local computer. RPC-based MTA communication relies on dynamic port assignments, managed by RPC endpoint mapper.
Event Log Entries
The Exchange Management Pack tracks events from the event source MSExchangeMTA to monitor the Microsoft Exchange MTA Stacks service. This includes the following categories:
X.400 Service This is for X.400 protocol events, such as submission and delivery reports.
Resource This is for events related to the use of MTA resources.
Security This is for events related to attempted security violations.
Interface This is for communication among MTA components and between MTAs. Includes RPC use.
Field Engineering This is for internal debugging trace.
MTA Administration This is for administration program access to MTA queues and routing information.
Configuration This is for the configuration of internal parameters or problems in one or more MTA configuration files.
Directory Access This is for events related to use of the directory by MTA.
Operating System This is for events related to the use of Microsoft Windows NT® functions by MTA, such as thread creation and file operations.
Internal Processing This is for events related to the internal operation of MTA application code. Error events in this category indicate serious problems in the MTA.
Interoperability This is used to track the binary content of protocol messages. Use this category and interface to log stack traces and XAPI traces to MTADATA\AP*.LOG.
APDU The Application Protocol Data Unit is used to track full P1 content (MTA send/receive) and fully encoded P1 APDU (communication between remote MTAs) to diagnose interoperability or conformance problems.
Performance Counters
The Exchange Management Pack uses two main performance objects to track the MTA:
MSExchangeMTA The counters that make up the MSExchangeMTA object include bytes transmitted and received through TCP/IP, X.25, XAPI, in messages, and on the LAN, in addition to disk reads/writes, threads, and administrative connections.
MSExchangeMTA Connections This performance object includes counters to monitor the number of messages, the amount of data in messages, and the number of associations that are used to transfer messages over X.400 connections.
Complementary Services
Besides core Exchange components, such as Microsoft Exchange Information Store service, SMTP, and system attendant, complementary services enhance and extend Exchange collaboration and communication abilities, and integrate with IIS 6.0. The critical services are:
Internet-based protocol engines These engines enable Internet-based clients, such as Microsoft Outlook Express, to communicate with Exchange 2003 through POP3, IMAP4, or NNTP.
Outlook Web Access This component enables users to access their data on Exchange through a Web interface. The interface appears similar to the Outlook 2003 application.
Outlook Mobile Access This component enables users with mobile devices to access their Exchange accounts.
Exchange ActiveSync This component is helpful for mobile users because it enables synchronization of their personal data to mobile devices.
Internet-based Protocol Engines
The IIS Admin Service implemented in the inetinfo.exe executable integrates with Exchange 2003 to provide support for protocols, engines, and features. The following Exchange components depend, directly and indirectly, on IIS:
Network News Transfer Protocol (NNTP) Through NNTP, newsreaders and newsfeeds can access information stored in the public folder.
Microsoft Exchange IMAP4 IMAP4 enables mail access with some advanced features, such as folder synchronization and browsing subjects before downloading messages to the client.
Microsoft Exchange POP3 POP3 enables a client to access mail on the server. It is a simple read-only protocol that enables access of only the Inbox.
Microsoft Exchange Routing Engine The routing engine provides topology and routing information for message delivery.
Simple Mail Transfer Protocol (SMTP) This service is used to transport messages. If a client uses a protocol such as POP3 or IMAP4 to read mail, SMTP is necessary to send and deliver messages.
Outlook Web Access, Outlook Mobile Access, and Exchange ActiveSync are also integrated in IIS. Supplementary extensions and access methods such as WebDAV provide access to these services.
To communicate with the Exchange store, a dedicated layer named Exchange Interprocess Communications Layer (ExIPC) is provided. Service extensions and protocols communicate with the Exchange store directly through ExIPC. IIS shares memory space with the Exchange store, which results in rapid communication. ExIPC is implemented in epoxy.dll and is part of the Microsoft Exchange Information Store service.
Monitoring these separate processes is vital if users use several clients to access their mailboxes on an Exchange 2003 server.
Dependencies of Complementary Services
The complementary services rely on core Exchange components such as system attendant, SMTP, and Microsoft Exchange Information Store service, in addition to other components such as:
IIS Admin Service This central IIS component provides a common center and interface for Web, NNTP, SMTP, IMAP4, POP3, Outlook Mobile Access, Outlook Web Access, and Exchange ActiveSync components. IIS integrates with parts of Exchange to enable Active Directory information queries and access to the databases and configuration information.
WebDAV HTTP is required for Outlook Web Access, and WebDAV enhances HTTP by providing more methods of operations to manage document properties, documents, and folders. More information about WebDAV is available at https://www.webdav.org.
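The dependencies stated across this page can be written down as a graph and used to separate a root failure from its downstream symptoms when several components alert at once. The following Python sketch is an added example, not part of the Exchange Management Pack; the component labels are descriptive names chosen here, and the edges are limited to the service-level dependencies the text above states.

```python
from collections import deque

# Complementary services rely on these core components (per this section).
_COMPLEMENTARY = ["System Attendant", "SMTP", "Information Store",
                  "IIS Admin Service"]

# component -> components it directly depends on, as described on this page.
DEPENDS_ON = {
    "DNS": [],
    "Active Directory": ["DNS"],
    "IIS Admin Service": [],
    # DSAccess inside system attendant talks to Active Directory.
    "System Attendant": ["Active Directory"],
    # System attendant must be running before these two can start.
    "Information Store": ["System Attendant"],
    "MTA Stacks": ["System Attendant"],
    # SMTP integrates with IIS, resolves hosts through DNS, and its
    # categorizer resolves senders and recipients against Active Directory.
    "SMTP": ["IIS Admin Service", "Active Directory", "DNS"],
    "POP3": _COMPLEMENTARY,
    "IMAP4": _COMPLEMENTARY,
    "NNTP": _COMPLEMENTARY,
    "Outlook Web Access": _COMPLEMENTARY,
    "Outlook Mobile Access": _COMPLEMENTARY,
    "Exchange ActiveSync": _COMPLEMENTARY,
}


def transitive_dependencies(component):
    """Every component that `component` needs, directly or indirectly."""
    seen = set()
    queue = deque(DEPENDS_ON[component])
    while queue:
        dep = queue.popleft()
        if dep not in seen:  # the seen-set also guards against cycles
            seen.add(dep)
            queue.extend(DEPENDS_ON[dep])
    return seen


def impacted_by(component):
    """Every component that stops working properly if `component` fails."""
    return {c for c in DEPENDS_ON if component in transitive_dependencies(c)}


def root_causes(alerting):
    """Alerting components whose own dependencies are all healthy.

    Anything else in `alerting` sits downstream of a root cause and is
    most likely a symptom rather than an independent failure.
    """
    alerting = set(alerting)
    unknown = alerting - DEPENDS_ON.keys()
    if unknown:
        raise ValueError(f"unknown components: {sorted(unknown)}")
    return {c for c in alerting if not (transitive_dependencies(c) & alerting)}


if __name__ == "__main__":
    alerts = {"Information Store", "Outlook Web Access", "System Attendant"}
    print("root cause(s):", sorted(root_causes(alerts)))
    print("IIS Admin Service outage affects:",
          sorted(impacted_by("IIS Admin Service")))
```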
Event Log Entries
The Exchange Management Pack uses the following event sources to track events about complementary services:
MSExchangeActiveSyncNotify This source logs events for Always-Up-To-Date Notifications in Exchange 2003.
MSExchangeOMA This source records events that are related to devices, disk, network, services, shell, and printers that deal with Outlook Mobile Access.
MSExchangeWEB Similar to MSExchangeOMA, this source records events that are related to devices, disk, network, services, shell, and printers that deal with Outlook Web Access.
POP3SVC and IMAP4SVC These two sources log events that relate to the content engine, connections, client engine, and configuration in the protocol services.
IISADMIN and DAVEX Both of these source types log devices, disk, network, printers, services, shell, and system events.
Performance Counters
The Exchange Management Pack uses the following performance objects to provide tracking for complementary services:
MSExchangeOMA This object includes counters to monitor rates and counts of instances, maximum and real-time browses, and rates and totals for requests of mailboxes, contacts, tasks, and calendars.
MSExchange Web Mail The Outlook Web Access component is monitored primarily by this object. It includes counters for both Microsoft Internet Explorer 5 and later, and non-Internet Explorer instances such as:
Appointment saves, deletions, opens, sends, and updates
Authentication instances and authentication cache
Folder operations such as saves, renames, views, and reads
Message tracking for attachments, moves, edits, amount opened, number sent
Saved navigation options
Folder template data
Recipients
MSExchangeActiveSyncNotifyOmaPush This object tracks categorizer notifications and notifications from Outlook Mobile Access sinks. The counters include monitors for amount sent, processed, discarded, ignored, and expired, both as a cumulative and as a per-second measure.
MSExchangePOP3 This object tracks connections and instances of commands sent when using the POP3 protocol. This includes commands such as AUTH and USER, used in authentication, and Inbox operations commands such as LIST, DELE, and UIDL.
MSExchangeIMAP4 This object tracks connections and instances of commands used through the IMAP4 protocol. The counters include authentication and security commands such as AUTHENTICATE, LOGIN, and LOGOUT, and mail operations commands such as SEARCH, STORE, SELECT, RENAME, LIST, FETCH, EXPUNGE, DELETE, and COPY.
NNTP Commands This object also tracks per second and total instances of commands and connections. Authentication commands, in addition to commands to browse, post, search, and list topics in newsgroups are included.
NNTP Server This object tracks overall NNTP server operations. It includes counters to track articles deleted and posted, bytes sent and received, and message failures and successes, in addition to totals for feeds, connections, users, and logons.