Troubleshooting hardware and software products is one of the tasks administrators perform most often. Hardware can range from networking devices such as switches and routers to high-end multiprocessing server systems, while software ranges from commercial off-the-shelf applications such as email servers to home-grown customized applications and major operating systems. Administering any of these products requires the ability to troubleshoot problem situations.
A major step in the troubleshooting process is reviewing the error logs and diagnosing the cause of the error messages.
Error logs can help administrators to troubleshoot almost any problem associated with the Exchange server operation. Knowing where in the error logs to look and what to look for can save any administrator valuable time and money.
The Microsoft Event Viewer can help administrators to review the application log and the system log files for errors, warnings, and informational events that are related to the operation of Exchange Server, the SMTP service, and other applications. Administrators should make it a practice to review the log files as their first step in the troubleshooting process. Reviewing the log files can help administrators to identify the cause of email message flow issues based on the event sources and their IDs.
Here is a list of some of the more common event sources, their IDs, some examples and their descriptions.
- MSExchangeTransport: Events that are recorded when SMTP is used to route messages.
- IMAP4Svc: Events that are related to the service that allows users to access mailboxes and public folders through IMAP4.
- MSExchangeAL: Events that are related to the service that addresses e-mail messages through address lists.
- MSExchangeIS: Events that are related to the service that allows access to the Exchange Information Store service.
- MSExchangeMTA: Events that are related to the service that allows X.400 connectors to use the message transfer agent (MTA).
- MSExchangeMU: Events that are related to the metabase update service, a component that reads information from Active Directory and transposes it to the local IIS metabase.
- MSExchangeSA: Events that are recorded when Exchange uses Active Directory to store and share directory information.
- MSExchangeSRS: Events that are recorded when Site Replication Service (SRS) is used to replicate computers running Exchange 2003 with computers running Exchange 5.5.
- POP3Svc: Events that are recorded whenever Post Office Protocol version 3 (POP3) is used to access e-mail.
- ESE: Events related to Exchange Server’s Extensible Storage Engine.
- Event Source: POP3SVC Event Category: Content Engine Event ID: 1023 Date: 9/09/2008 Time: 10:18:52 User: N/A Computer: SERVER Description: Error 0x8004050a occurred while rendering message 0001-0000000b11ca for download for user
- Event Source: smtpsvc Event Category: None Event ID: 4006 Date: 4/4/2008 Time: 11:00:11 AM User: N/A Computer: XXXXX Description: Message delivery to the host ‘(IP address)’ failed while delivering to the remote domain ‘domainname.com’ for the following reason: The remote server did not respond to a connection attempt.
- Event log ID: 1025 Source: MSExchangeIS mailbox Category: General Type: warning User: N/A Description: An error occurred on database “first storage group\mailbox database”. Function name or description of problem: restrict/SetsearchCriteria Error: 1162 Warning: fail to apply search optimization to folder (FID 1-214F20xxx), retrying without optimization.
- MSExchangeAL – Address Lists – Example ID 8026, network problem, or LDAP configuration
- MSExchangeIS – Exchange Information Store – Example ID 9518, trying to start a store which is offline
- MSExchangeMTA – Message delivery – Example ID 9411, disk is full; MTA needs 10 MB free space
- MSExchangeSA – Active Directory related (System Attendant) – Example ID 9543, permissions error
- MSExchangeTransport – SMTP Routing – Example ID 4000, possible cause: DNS with incorrect MX record
- Event Source: MSExchangeActiveSyncNotify Component: Microsoft Exchange Transport Event ID: 994 Version: 6.5.7638.0 Message: Following connector’s link state is suppressed because it either points to or comes from a leaf RG node. Explanation: Exchange automatically suppresses a connector’s link state if Exchange determines that it is not needed. There is probably only a single path between servers in a leaf routing group.
- Event Source: Exchange Migration Event Category: Move Mailbox Event ID: 1007 Date: 3/08/2008 Time: 4:24:48 User: N/A Computer: SERVER Description: Mailbox ‘(user name)’ has been moved.
- Event Source: Exchange Migration Event Category: Move Mailbox Event ID: 9354 Date: 3/08/2008 Time: 4:25:01 User: N/A Computer: SERVER Description: Mailbox ‘CN=John Smith,OU=USERS,DC=domain,DC=local’ is deleted from the Exchange store ‘CN=Mail Store,CN=First Storage Group,CN=InformationStore,CN=EXCHANGE2003SERVER,CN=Servers, CN=First Administrative Group, CN=Administrative Groups,CN=Exchange Organisation,CN=Microsoft Exchange,CN=Services, CN=Configuration,DC=domain,DC=local’ on server ‘exchange2003server.domain.local’.
- Event Source: MSExchangeIS Mailbox Store Event Category: Rules Event ID: 1154 Date: 3/08/2008 Time: 5:00:33 User: N/A Computer: SERVER Description: Rule synchronization has successfully completed. The mailbox folder is Top of Information Store\Inbox on database “Storage Group\Mailbox Database”. The distinguished name of the owning mailbox is /o=Exchange Organisation/ou=First Administrative Group/cn=Recipients/cn=johnsmith.
- Event Source: MSExchangeCluster Event Category: Services Event ID: 1005 Date: 6/08/2006 Time: 2:00:43 User: N/A Computer: SERVER Description: Exchange HTTP Virtual Server Instance 101 (XCH-VN02) : The IsAlive check for this resource failed.
- Event Source: MSExchangeIS Mailbox Store Event Category: Rules Event ID: 1154 Date: 16/08/2007 Time: 15:00:43 User: N/A Computer: SERVER Description: Rule synchronization has successfully completed.
- Event Source: ESE Version: (version number) Component: Microsoft Exchange Extensible Storage Engine Message: <process name> (<process id>) <instance> The backup has been stopped because it was halted by the client or the connection with the client failed. A possible cause for this is the use of a virus scanning application enabled in Exchange Server 2003 Service Pack 1.
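
The review described above can also be scripted so that errors and warnings from the listed sources are summarized by source and event ID. This is an added example, not part of the original article; it assumes a host where `Get-WinEvent` is available (Windows Vista / Server 2008 or later), and the 24-hour window and the choice of sources are constructed values.

```powershell
# Event sources taken from the list above. Which of them are registered
# depends on the Exchange roles and services installed on the server.
$sources = 'MSExchangeTransport', 'MSExchangeIS', 'MSExchangeMTA',
           'MSExchangeSA', 'MSExchangeAL', 'MSExchangeMU', 'MSExchangeSRS',
           'POP3Svc', 'IMAP4Svc', 'ESE', 'smtpsvc'

# Look-back window (constructed value; set it to the period under investigation).
$since = (Get-Date).AddHours(-24)

$events = foreach ($src in $sources) {
    # Query one source at a time: an unregistered provider name makes
    # Get-WinEvent fail, and that should not abort the remaining sources.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application', 'System'
        ProviderName = $src
        Level        = 2, 3            # 2 = Error, 3 = Warning
        StartTime    = $since
    } -ErrorAction SilentlyContinue
}

# One row per (source, event ID): how often it fired, when it last fired,
# and the first line of the most recent message.
$events |
    Group-Object -Property ProviderName, Id |
    Sort-Object -Property Count -Descending |
    ForEach-Object {
        $latest = $_.Group |
            Sort-Object -Property TimeCreated -Descending |
            Select-Object -First 1
        [pscustomobject]@{
            Source   = $latest.ProviderName
            EventId  = $latest.Id
            Count    = $_.Count
            LastSeen = $latest.TimeCreated
            Message  = ("$($latest.Message)" -split "`r?`n")[0]
        }
    } |
    Format-Table -AutoSize -Wrap
```

Sources that are not registered on the host, or that logged nothing in the window, simply produce no rows.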
