O'Reilly logo

Exchange Server Cookbook by Devin L. Ganger, Missy Koslosky, Paul Robichaux

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

4.7. Controlling Diagnostic Logging


You want to capture more information on the operation of the various Exchange protocols and components to aid in your diagnosis and troubleshooting efforts.


Using a graphical user interface

  1. Launch the Exchange System Manager (Exchange System Manager.msc).

  2. Choose the administrative group in which the server you wish to troubleshoot resides. Expand the Server node.

  3. Right-click your selected server and choose Properties from the menu. Click the Diagnostics Logging tab.

  4. In the left pane, you will see a listing of the various services and components that are running on that server. As you select different services, the right pane will update the specific categories or actions that the service provides logging for, and will list what level of logging is currently configured for each one.

  5. Select a category and choose the radio button under Logging Level at which you wish that category to be logged: None, Minimum, Medium, or Maximum.

  6. When you have finished setting new levels for each service and category desired, click OK to close the server properties dialog and activate your new logging settings. (Note that unlike Exchange 5.5, Exchanges 2000 and 2003 don't require that the services be restarted after changing the logging level.)

Using VBScript

Each component listed in Table 4-2 has its own registry key under HKLM\System\CurrentControlSet\Services\<servicename>\Diagnostics. Each category of the component has a DWORD value that sets the logging level for that particular component. Annoyingly, there's no real naming scheme for the category values; one component might use "1 General" as the name of the logging control value for general logging, while another might use "9005 General." Some complex components, like the information store, actually have subkeys under the Diagnostics key, so the best way to write a script to set logging values is to spend a couple of minutes locating the exact component value you want to toggle.

Once that's done, you can set the value using a script like this:

' This code sets diagnostic logging to "maximum" on the Logons 
' component of the information store
strDiagKey = "HKEY_LOCAL_MACHINE\System\CurrentControlSet\
' ------ END CONFIGURATION ---------

Set objWSH = wscript.CreateObject("WScript.Shell")
objWSH.RegWrite strDiagKey & "90015 Logons", 5, "REG_DWORD"

The actual value you attach to the category value can be any of the values described in the Discussion section.


Exchange provides granular level of control over diagnostic logging for the various components within the Exchange server. Events generated by diagnostic logging are stored in the application event log. The log settings themselves are helpfully gathered, for the most part, in one convenient place. That these controls are accessible only via the GUI is less convenient, especially when problems may involve multiple servers in your organization; having to adjust multiple sets of categories by hand is somewhat annoying and possibly prone to errors. Every category can have one of five logging values associated with it:


No logging. Use this value to disable logging on a category. Critical errors and warnings will still be logged.


Minimum. This value produces log entries for informational and warning events, but without much detail.


Medium. This value adds more informational events and gives you more details for those events that would have been logged at minimum logging.


Maximum. This value logs pretty much everything that happens in the category.


Field engineering. This value, which isn't accessible through the ESM GUI, logs everything that happens in the category. Normally, you'll turn this on only when Microsoft support is working with you to troubleshoot a problem.

The following components are included in the default Exchange installation and are available for detailed diagnostic logging:


The IMAP4 protocol service.


The ActiveSync service for PocketPC and SmartPhone users.


The Active Directory Synchronization service keeps Active Directory properly updated when running in a mixed Exchange 5.5/200x organization.


The Recipient Update Service.


The DSAccess component is the central Active Directory proxy for all other Exchange services.


The Information Store controls the storage of mailboxes and public folders and is broken into three subservices: System, Public Folder, and Mailbox.


The Message Transport Agent provides X.400 and Exchange 5.5-compatible RPC transports.


This service keeps the Exchange server information in Active Directory and the local IIS metabase synchronized.


The System Attendant performs important monitoring and housekeeping tasks.


Active only in mixed-mode organization, the Site Replication service allows the replication of site and server information with Exchange 5.5 servers.


The Transport service handles the default SMTP transport and maintains the routing tables.


The POP3 protocol service.

There are several additional services that make up the various connectors; these services and their corresponding categories will only be present on servers that have these connectors installed:

  • The Microsoft Exchange Calendar Connector (MSExchangeCalCon) replicates free/busy information with both Lotus Notes and Novell GroupWise.

  • The Microsoft Exchange Connector for Novell GroupWise (LME-GWISE) provides message flow between Exchange and GroupWise. There is also the Microsoft Exchange Router for Novell GroupWise (MSExchangeGWRtr).

  • The Microsoft Exchange Connector for Lotus Notes (LME-NOTES) provides message flow between Exchange and Notes.

Generally, you will want to leave all logging levels at None; running them at higher levels can quickly generate an abnormally large number of event log entries. Keep careful track of which services and categories are being logged in more detail and be sure to reset them to no extra logging as soon as you have gathered the necessary information.

Note that even with the services and categories that provide logging for protocols such as IMAP and SMTP, these options do not provide logging of the actual commands being issued and received on these connections. Troubleshooting an inbound SMTP connection, for example, may require an actual look at the SMTP commands the client connection is attempting to use. If this is the kind of logging you need, you need to enable protocol logging; see Recipe 8.23 for more details.

Table 4-3 provides a list of the default services in Exchange Server 2003 SP1 and the categories provided by each of them.

Table 4-3. Services and categories for diagnostic logging




ConnectionsAuthenticationClient ActionConfigurationContent EngineGeneral


OMA Push CategorizerOMA Push Event Sink


ReplicationAccount managementAttribute mappingService ControllerLDAP Operations


LDAP OperationsService ControlAttribute MappingAccount managementAddress List Synchronization




RecoveryGeneralConnectionsTable CacheContent EnginePerformance MonitorMove MailboxDownloadVirus ScanningExchange VSS WriterExchange Backup RestoreExchange Client Monitoring

MSExchangeIS\Public Folder

Transport GeneralGeneralReplication AD UpdatesReplication Incoming MessagesReplication Outgoing MessagesNon-delivery ReportsTransport SendingTransport DeliveringMTA ConnectionsLogonsAccess ControlSend On Behalf OfSend AsRulesStorage LimitsReplication Site FoldersReplication ExpiryReplication ConflictsReplication BackfillBackground CleanupReplication ErrorsIS/AD SynchronizationViewsReplication GeneralDownloadLocal Replication


Transport GeneralGeneralTransport SendingTransport DeliveringTransfer Into GatewayTransfer Out Of GatewayMTA ConnectionsMTA ConnectionsLogonsAccess ControlSend On Behalf OfSend AsRulesStorage LimitsBackground CleanupReplication ErrorsIS/AD SynchronizationViewsDownloadLocal Replication


X.400 ServiceResourceSecurityInterfaceField EngineeringMTA AdministrationConfigurationDirectory AccessOperating SystemInternal ProcessingInteroperabilityAPDU




Mailbox ManagementNSPI ProxyRFR InterfaceOAL GeneratorProxy GenerationRPC CallsRPC-HTTP Management


Knowledge Consistency CheckerSecurityExDS InterfaceReplicationGarbage CollectionInternal ConfigurationDirectory AccessInternal ProcessingLDAP InterfaceInitialization/TerminationService ControlField EngineeringSite Consistency Checker


Routing Engine/ServiceCategorizerConnection ManagerQueuing EngineExchange Store DriverSMTP ProtocolNTFS Store DriverNDRAuthentication


ConnectionsAuthenticationClient ActionConfigurationContent EngineGeneral

See Also

Recipe 8.23 for using protocol logging, MS KB 821912 (How to Collect Diagnostic Data to Help Troubleshoot Information Store Issues), MS KB 555232 (Exchange server diagnostic logging levels), and MS KB 295307 (How to Enable and Increase Logging for Microsoft Exchange Connectivity Controller Connectors)

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required