Microsoft Exchange 2000 Operations Guide — Version 1.0
One of the difficulties of viewing event logs is knowing which events are more worrisome
than others. In some cases, Exchange 2000 Server issues Stop events, which record temporary
issues that resolve themselves in the course of time. In other cases it records warning
events, which are indicative of more substantial problems.
In general terms, the errors and warnings that are likely to cause the most problems are
Store errors, because they can affect the ability to access e-mail. 1018 and 1019 errors can
indicate major problems for Exchange, typically caused by faulty hardware. You should
watch for these two explicitly, and for Store errors and warnings in general.
You should also be careful to watch for errors indicating that domain controllers/global
catalog (GC) servers cannot be found. If a GC cannot be found, the store will automatically
dismount. Similarly, if the MTA service is temporarily unable to contact a domain
controller, it will shut down. Watching for these errors allows you to diagnose quickly why
services are being lost in the event of a problem.
One of the main problems with event viewing in Exchange 2000 Server is the sheer volume
of information Exchange produces when you increase the logging level. It is often beneficial
to use filters in the Event Log to produce only warning and critical events, or to use
utilities that only display the more significant events.
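The filtering described above can be sketched as a small triage script. This is an added example, not part of the original guide: it assumes the Application log has been exported to CSV with Type, Source, EventID and Description columns, that 1018/1019 appear as error codes in the event description, and that the source-name prefixes shown identify Store events. All sample rows are constructed.

```python
import csv
import io
import re

# Constructed sample: an Application log exported to CSV. Source names,
# event IDs and descriptions are illustrative, not taken from the guide.
SAMPLE_EXPORT = """Type,Source,EventID,Description
Information,MSExchangeIS,1221,Constructed informational store event.
Warning,MSExchangeIS,9000,Constructed store warning for illustration.
Error,ESE98,474,Constructed: read operation failed with error -1018.
Error,MSExchangeDSAccess,2103,Constructed: no global catalog server is responding.
Information,MSExchangeTransport,1000,Constructed informational event.
Error,MSExchangeMTA,9001,Constructed: unable to contact a domain controller.
"""

KEEP_TYPES = {"warning", "error"}            # drop informational noise
DB_ERROR = re.compile(r"(?<!\d)-?(?:1018|1019)(?!\d)")
DIRECTORY = re.compile(r"global catalog|domain controller", re.IGNORECASE)
STORE_SOURCES = ("msexchangeis", "ese")      # assumed source-name prefixes
ORDER = ["database-1018/1019", "directory-unreachable", "store", "other"]


def classify(row):
    """Assign one of the watch categories the guide calls out."""
    text = row["Description"]
    if DB_ERROR.search(text):
        return "database-1018/1019"
    if DIRECTORY.search(text):
        return "directory-unreachable"
    if row["Source"].lower().startswith(STORE_SOURCES):
        return "store"
    return "other"


def triage(export_text):
    """Return (category, source, event_id) for warnings/errors, worst first."""
    rows = csv.DictReader(io.StringIO(export_text))
    kept = [(classify(r), r) for r in rows
            if r["Type"].strip().lower() in KEEP_TYPES]
    kept.sort(key=lambda item: ORDER.index(item[0]))  # stable within category
    return [(cat, r["Source"], int(r["EventID"])) for cat, r in kept]


if __name__ == "__main__":
    for category, source, event_id in triage(SAMPLE_EXPORT):
        print(f"{category:24} {source:20} {event_id}")
```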

Log Files

As well as logging events to Event Viewer directly, Exchange 2000 Server also produces a
series of log files that can prove useful in troubleshooting problems. The Protocol Logging
tool generates specific information about the commands being sent and received by SMTP
and NNTP.
To enable logging for SMTP or NNTP, select the properties of the appropriate virtual
server and enable logging. You can then alter the logging frequency and the name and
location of the log file.
To enable logging for HTTP on the default Web site, use IIS administrative tools.

Centralized Event Monitoring

As with performance monitoring, monitoring events centrally provides distinct benefits to
many organizations. A number of tools help you to do this efficiently, including Microsoft
Operations Manager, or MOM (formerly NetIQ Operations Manager) and NetIQ
AppManager.
Operations Manager pulls information from a variety of locations, including event logs,
WMI events, SNMP traps, and transaction logs. It consolidates these events from multiple
sources to give you an overall picture of the Exchange 2000 Server environment. You can
script responses to particular events, issuing notifications or taking predefined actions.
One particularly useful feature is the ability to integrate
events with a knowledge base, ensuring that useful explanations and recommended actions
are issued to operators when particular events occur.