Beruflich Dokumente
Kultur Dokumente
Operations Guide
Microsoft Corporation
Abstract
The Exchange Server 2003 Operations Guide provide guidelines for disaster recovery tasks,
and for daily, weekly, and monthly maintenance tasks.
Copyright.............................................................................................................................. 109
5
Information about the daily maintenance tasks that are required to ensure the availability
and reliability of your Exchange Server 2003 organization. Some of the many daily
maintenance areas are as follows: performing backups, checking disk usage, monitoring
server and network performance, and enforcing security measures.
Information about the scheduled maintenance tasks used for collecting data for trend
analysis and capacity planning. Maintenance tasks include generating reports and
identifying trends, reviewing protocol logs, monitoring Microsoft Office Outlook® Web
Access, managing mailboxes, the BadMail folder, and the postmaster mailbox, and
conducting weekly status meetings
Information about on-demand tasks, such as defragmenting mailbox and public folder
stores, verifying mails and public folder store integrity, checking queues using Queue
Viewer, and configuring System Monitor to monitor Exchange server performance.
Note:
Download Microsoft Exchange Server 2003 Operations Guide to print or read offline.
For more information about backup strategies and disaster recovery operations for you
Exchange Server 2003 organization, see the Exchange Server 2003 Disaster Recovery
Operations Guide.
6
This topic gives you the understanding, tools, and best practices required to maintain an
Exchange Server 2003 environment. It explains how the management of Exchange
Server 2003 fits in with the overall MOF model. It will help you design your operational
management environment and give you the means to implement procedures to keep your
environment running smoothly.
7
Microsoft consulting and support teams and their experiences working with enterprise
customers and partners, as well as internal IT operations groups at Microsoft.
The IT Infrastructure Library (ITIL), which describes the processes and best practices
required for the delivery of mission-critical service solutions.
ISO/IEC 15504 from the International Organization for Standardization (ISO), which
provides a normalized approach to assessing software process maturity.
MOF complements and integrates with the Microsoft Solutions Framework (MSF). MSF is a
disciplined approach to managing technology projects based on Microsoft internal practices,
the experiences of Microsoft Product Support Services in working with customers and
partners, and industry best practices in software development and project management. MSF
is a deployment approach for the design and implementation of IT systems (for example, a
migration project to move from Lotus Notes to Exchange Server 2003), whereas MOF
addresses the daily management of a system or environment, such as an Exchange
Server 2003 organization.
From the figure, you can see how the MOF process model moves clockwise and is split into
four integrated quadrants, as follows:
Changing
Operating
Supporting
Optimizing
These quadrants form a spiral life cycle that applies to IT operations from a specific
application to a complete operations environment with multiple data centers. The process
model is supported by Service Management Functions (SMFs) and an integrated team model
and risk model. Each quadrant is supported by a corresponding operations management
review (also known as review milestone), during which the effectiveness of that quadrant's
SMFs are assessed. You should understand that although the model describes the MOF
quadrants sequentially, activities from all quadrants can be occurring at the same time.
Changing A change is planned and tested during the changing phase. After a Release
Readiness Review, the change is rolled out to the production environment and enters the
operating phase. The Release Readiness Review should not be the first time the release
9
is evaluated; it should be a final review milestone before the actual deployment. Using
SMFs provides a process and task road and guarantees a successful deployment and
rollout for managed releases.
Supporting The supporting phase is the process of maintaining the system, using these
tools and procedures. This quadrant contains the main SMFs required to provide ongoing
support to the users of the IT service solutions. As with any process, system, application,
or service, problems can start when operations start. The support and operations staff
must identify, assign, and resolve problems quickly to meet the requirements set forth in
the service level agreements (SLAs). The SLA Review is a measurement of how
effectively the system is performing. Issues that come out of the SLA Review may
highlight areas where improvements are required.
Optimizing The mission of service for this quadrant is to reduce costs while maintaining
or improving service levels. An improvement to the system might require a change to
hardware, software, or procedures. The Release Approved Review evaluates the
proposals for change, accounting for items like costs, risks, and benefits. Approved
changes are fed into the changing quadrant and the process starts over. This iterative
process typically occurs naturally as the various teams gradually introduce changes to
the system to achieve improvements.
The MOF framework formally describes the steps involved in this improvement cycle,
assigning responsibilities for each step and enabling the whole process to be managed. At
the end of each phase, there is a review point. With a large IT department, this is likely to be
a review meeting between the people or teams involved, such as release management,
operations, and security. In a smaller company, review points are possibly only a checkpoint
that indicated you are ready to proceed. Figure 1.2 shows the relationship between MOF and
MSF.
10
The MSF process can help develop a solution in response to a business need such as the
requirement to consolidate server resources. In this case, the solution may outline how to
deploy powerful mailbox servers that are running Exchange Server 2003. After the solution is
deployed, the design and deployment team hands the environment to the teams described in
the MOF model. These teams manage the daily operations, and provide feedback about
requirements or suggestions for change to the design team. Again, this is an iterative process
that you can use to refine and continuously improve your solution.
The MOF Team Model defines seven role clusters. These roles frequently reflect how teams
are organized in a medium to large environment. The role clusters are discussed in this
section:
Release The release team manages the roll-out of changes into the production
environment, is responsible for configuration management, maintains licensing
information, and forms a liaison between development and operations groups.
Support The support team represents the liaison between users and helpdesk support.
This team manages compliance with SLAs, provides incident and problem resolution, and
maintains a knowledge base of common resolutions. This team is also responsible for
providing customer feedback to design teams.
Partner The partner team liaises between suppliers and partners such as Internet
Service Providers (ISPs). This team manages contractual SLAs with third parties,
evaluates alternative suppliers, manages procurement, and makes purchasing decisions.
Security The security team detects virus attacks, intrusion attempts, denial of service,
and other attacks. This team must monitor the usage of IT resources and compliance with
standards and audit tracking and reporting. This team frequently manages Public Key
Infrastructure (PKI) technologies required for message signing and encryption, as well as
external testing including mail relay testing and penetration testing.
This detailed MOF model forms the basis for organizing resources and responsibilities to
operate, support, optimize, and make changes to an IT infrastructure.
Capacity Management
Capacity management involves planning, sizing, and controlling service capacity to ensure
that the minimum performance levels specified in your SLA are exceeded. Good capacity
management ensures that you can provide IT services at a reasonable cost and still meet the
levels of performance defined in your SLAs with the client. These criteria can include the
following:
System Response Time This is the measured time that the system takes to do typical
actions. Examples include, the time taken for a client to log on and authenticate to the
domain, the time allowed to do a full backup of an Exchange store, and the time taken to
retrieve an item from a mailbox or public folder.
Slow retrieval of documents from a public Ensure that a replica of the public folder is
folder available locally
Access through Microsoft Office Outlook® Increase the available bandwidth of the
Web Access is too slow Internet connection
17
Shortage of free space on a network share Add more disks to the server or storage
array
Availability Management
Availability management is the process of ensuring that any IT service consistently and cost-
effectively delivers the level of availability required by the customer. Availability management
is not concerned only with minimizing loss of service, but also with ensuring that appropriate
action is taken if service is lost. In an Exchange Server 2003 environment, you may be
concerned about whether the Exchange store service is available, whether an SMTP
connector is functioning, and so on. An SLA defines what frequency and length of outages
are acceptable, allowing for certain periods when the system is unavailable for planned
maintenance and unexpected failures.
If you need to provide reports to your management about systems availability, or if you have
financial or other penalties associated with missing availability targets, you must record
availability data. Even if you do not have such formal requirements, it is a good idea to at
least know how frequently a system has failed in a certain time period, for example, system
availability in the last 12 months and how long it took to recover from each failure. This
information will help you measure and improve your team’s effectiveness in responding to a
system failure. It can also provide you with useful information if there is a dispute.
18
Time to Repair This is the time taken to recover a service after a failure has occurred
and is sometimes expressed at Mean (or average) Time To Repair (MTTR).
For example, if a server fails twice over a six-month period and is unavailable for an average
of 20 minutes, the MTBF is three months or 90 days and the MTTR is 20 minutes. Therefore,
Availability = (90 days – 20 minutes) / 90 days = 99.985%
Availability management is the process of ensuring that availability is maximized and kept
within the parameters defined in SLAs. Availability management includes the following
processes:
Improvement If availability falls under targets defined in the SLAs, or where the trend is
toward reduced availability, the availability management process should define what
steps are planned. This should include working with other responsible teams to highlight
reasons for outages and to plan remedial actions to prevent a recurrence of the outages.
Capacity and availability measurements are repetitive tasks that are ideally suited to
automated tools and scripts such as Microsoft Operations Manager, which is discussed later
in this topic.
Change Management
Sometimes you must introduce changes to your IT environment, such as new technologies,
systems, applications, hardware, tools, and processes, and also changes in roles and
responsibilities. An effective change management system lets you introduce changes to your
IT environment quickly and with minimal service disruption. A change management system
brings together the teams involved in modifying a system. An example is the introduction of
19
Microsoft Office Outlook® Web Access. Outlook Web Access is an integrated component of
Exchange Server 2003 that uses a Web browser and an Internet or intranet connection to
enable you to read your corporate e-mail messages, schedules, and other information that is
stored on an Exchange server. Deployment of Outlook Web Access in your organization
requires involvement from several teams such as:
Test Team This team must load-test Outlook Web Access on a test server and provide
the instructions to implement Outlook Web Access on the production servers. The test
team must evaluate Outlook Web Access by using specified types and versions of
popular Web browsers, such as Internet Explorer 6.0.
Network Team This team is responsible for changes in firewall rules to allow access
from the Internet to the Outlook Web Access servers.
Security Team This team assesses security and minimizes risks. The security team
must review known vulnerabilities and ensure that security risks are minimized.
User Acceptance Team This team is composed of users who are willing to test the
system and offer feedback for improvements.
The change management process defines the responsibilities of each team and schedules
the work to be performed, incorporating checks and tests where they are required. Change
controls will vary depending on the complexity and expected effect of a change. They can
vary from automatic approval of minor changes, to change review meetings, to full project-
level reviews. To illustrate this better, the groups of changes are discussed in this section.
Major Changes Major changes have a global effect on the system and may require
input from various teams. An example of this is upgrading from Exchange Server 5.5 to
Exchange Server 2003. Major changes affect many different teams and perhaps different
systems. The change management process may follow a similar procedure to the
example discussed earlier about deploying Outlook Web Access in your organization, but
will probably include one or more change review meetings to inform the teams that will be
involved in the change or be affected by the change.
Standard Changes Standard changes are performed regularly and are well understood
and documented. Examples include creating a new mailbox or changing the scope of
20
The following example of change management examines how different teams interact and
the actions that are performed when a new service pack is deployed. These actions are
organized and managed by the change management process.
Raise a change request The security team has assessed the latest service pack and
confirmed that it resolves a possible vulnerability in the production system. The team
raises a Change Request to have the new service pack applied to all Exchange servers.
Service pack release notes review The Exchange administrator team reviews the
service pack release notes to identify the effect on the system.
A series of lab tests is done The Exchange administrator team must perform test
updates on a server in a non-production environment to decide whether the service pack
can be applied successfully without affecting any of the installed applications and server
systems. If there are third-party or internally-created applications that interface with
Exchange in a production environment, these should be also tested. These tests can also
be used to estimate the time required to perform the upgrades.
Users are informed of the outage The Exchange administrator team or user help desk
informs all affected users about the planned maintenance cycle and how long the server
will be unavailable.
A full backup of the Exchange store is performed before the upgrade The Exchange
administrator team must ensure that there is a valid backup in place to be able to revert
to the original system state if the service pack installation fails. It is recommended that
the backup be restored to a standby server to have this system readily available if there
are problems.
The service pack is deployed The Exchange administrator team does the installation
during the planned maintenance cycle.
expense claim application fails, it may be difficult to decide which change should be rolled
back. There should be regular maintenance periods set up between IT and management to
test the changes and accept them.
Configuration Management
Configuration management is the process of recording and tracking hardware and software
assets and system configuration information. It is generally used to track software licenses,
maintain a standard hardware and software build for client computers and servers, and define
naming standards for new computers. Configuration management generally covers the
following categories:
Software This category tracks what software is installed on each computer, the version
number, and where the licenses are held. This information helps plan upgrades, ensure
that software is licensed, and detect the existence of unauthorized (and unlicensed)
software.
Standard Builds This category tracks the current standard build for the client
computers and servers and whether the client computers and servers meet this standard.
The existence and enforcement of standard builds helps support staff because they are
required to maintain only a limited number of versions of each piece of software.
Service Packs and Hotfixes This category tracks which service packs are tested and
approved for use and which computers are up-to-date. This information is important to
minimize the risk of computers being compromised and to detect users who have
installed unapproved updates.
constantly changing systems, the discovery of assets and collection of detailed information
must be automated. Decide what information is relevant to your organization and record it in
a database.
The configuration management database is a useful tool for support staff and management in
the following areas:
Security Audits The database enables you to identify Exchange servers and client
computer systems that need to have hotfixes applied or that have missed the installation
of a service pack or the latest antivirus updates.
Software Installation If you identify client computers that already have Microsoft Office
Outlook 2003 installed, this will save time if you are manually deploying Outlook 2003.
Configuration Information If you maintain an up-to-date list of all Exchange 2003
connectors to mail systems, fax servers, and so on, you will be able to troubleshoot
connectivity problems quicker and more effectively.
Automated Scripts You can write simple scripts to report items like the operating
system, service pack level, and existence of software on a specific set of computers. You
can specify these scripts to an organization’s exact requirements; however, the number of
scripts required and their complexity can make scripts expensive to create and maintain.
There are also tools that can be used to record configuration data and make it accessible to
the appropriate IT personnel:
23
Public Folders These can be useful for storing configuration data, because they can be
accessed throughout the organization and can be easily controlled so that only
appropriate staff can view or change items.
Automated Tools Tools such as SMS not only automatically gather the data, but store it
in a central database where it can be used to do standard and custom queries, and
reports on the data.
Conversely, if a new software package is rolled out, the change management process should
feed this information to the configuration management system. The configuration
management tools will probably need to be configured to identify the new software so that
they can discover and track where and when the software is deployed.
System Administration
System administration includes the day-to-day administrative tasks, both planned and on-
demand, that are required to keep an IT system operating smoothly. Typically, system
administration tasks are covered by written procedures. These procedures ensure that the
same standard tools and methods are used by all support staff.
Standard Procedures
There are several resources that help you define what standard procedures are required in
your organization and how to do them. For more information about how to administer your
Exchange organization, see the Exchange Server 2003 Administration Guide
(http://go.microsoft.com/fwlink/?LinkId=21769). Because each organization is unique, you will
have to customize and adapt these resources to suit your requirements.
Standard procedures will change and documentation will occasionally need to be revised. As
changes are made, the change management process should identify how each change is
likely to affect how administrative tasks are performed. Use the change management function
to update and control the documentation.
Frequently, change management takes over where system administration finishes. If a task is
covered by a standard procedure, it is part of the system administration function. If there is no
standard procedure for a task, it should be handled using the change management function.
System Troubleshooting
An organization must be prepared to deal with unexpected problems and should have a
procedure to manage problems from the point at which they are reported until their resolution.
Information about how support staff diagnosed a problem should be recorded and used in the
future, to avoid unnecessarily repeating work that has already been completed.
25
Classify and Prioritize This task is typically performed by the service desk. For
example, a problem may be grouped as a messaging issue or a hardware issue. The
problem is then routed to the appropriate support team for investigation. The rules for
determining the priority of a problem, together with the time to respond and time to
resolve, are typically defined in the SLA.
Investigate and Diagnose The appropriate support team diagnoses the problem and
proposes changes to resolve the problem. If the solution is simple and does not require
change control, the solution can be applied immediately. If the solution is not simple, a
request for change should be raised and the proposed work should be managed by the
change management process, frequently under a “fast-track” procedure. Any changes
that are made should be recorded using the configuration management process.
Close and Record After testing the resolution, the problem should be closed. If there
are lessons to be learned from the problem, an entry should be created in the knowledge
base.
External Customers
If your customer is external, the SLA may be part of a legal contract with financial incentives
and penalties for performance that falls inside or outside defined levels of service. Defining
these levels of service should be part of the overall contract negotiation.
As with all contracts, it is important that both parties understand what is expected of them and
what to expect. The SLA defines these expectations. The contents of the document should
change infrequently and only because of negotiations with the customer.
Internal Customers
If your customer is internal, you may still want to define the services expected of operations
teams and of IT systems. The SLA may be created by the operations staff and intended as a
set of goals for the availability of IT services within your organization. Alternatively,
performance levels may be set by management and used as benchmarks when assessing
staff performance.
Typical Criteria
Service level agreements include components that define criteria of minimum levels of
availability, support, and capacity.
27
Availability Define the hours and the operating systems on which e-mail and other
Exchange services will be available (this may include handheld PDAs and mobile
phones). Any routine maintenance that affects service availability should be defined.
Define external factors that affect service, for example the loss of Internet connectivity.
Support Define the hours when support for a system will be available. Specify methods
for customers to contact support staff, how incidents are grouped, and target time to
respond and to resolve the incident. Define frequency and content of feedback to the
customer.
Capacity Define the maximum allowed size of a user’s mailbox, together with steps to
take if the limit is exceeded. Define the maximum allowed time to do standard tasks, such
as the time to retrieve a document from a public folder. Define the maximum number of
users and agree to a process to follow to increase capacity if more users are added.
Documentation
The Microsoft Operations Framework (MOF) model is composed of many service
management functions. Documentation about how and when tasks are performed can be
shared with members of the same team or with other teams. The method of storing and
sharing documentation can vary according to the type of function. For example, the
procedures for system administration may be stored as Word documents because they are
likely to be printed and referenced frequently. Configuration management information may be
automatically generated and stored in a database for easy searching and indexing. Some
documentation may be sensitive and should be restricted. An example of sensitive
documentation is a document describing security measures to prevent e-mail spoofing, spam,
virus, and attacks from malicious users. These documents should be made available only to
the appropriate people. A mechanism for version control has to be in place so when
documentation changes old copies in circulation can be replaced.
Databases
Several tools and management functions have been discussed that are suited to using
databases. The configuration management process is likely to use automated processes that
28
store large amounts of data that require indexing and searching. Support staff may search a
database of past problems and resolutions when troubleshooting new problems.
It is likely that there will be different databases being used for different purposes. Decide if
these databases should be linked or consolidated. For example, if the service desk identifies
several problems with a common theme (such as new software causing a problem with a
particular network card), they can query the configuration database to predict how many
computers might be affected.
There are many more complex monitoring tasks that are not commonly automated and these
should be covered by regular manual checks. For more information about the need for
regularly documented checks and maintenance task, see "System Administration" earlier in
this topic. The following are lists of some of the standard tasks relevant to Exchange
Server 2003. Use these lists as a basis for generating standard procedures for your
organization. These lists will be discussed in more detail later in this topic.
Examine the Windows Event Logs for Exchange warnings and errors The
Exchange server event logs should be checked for unexpected warnings and errors. You
can do this manually on each Exchange server or by using a tool like Microsoft
Operations Manager (MOM), which can consolidate logs and filter out certain entries.
Check Backup Jobs Ensure that the previous night’s backup jobs have run and
investigate any errors or warnings. There should be a procedure for media rotation,
labeling, and storage, according to the backup strategy being used. If applicable (based
on the type of the backup that was run), determine whether the transaction logs have
been flushed from the disk as part of the backup process.
Check Intrusion Detection Logs If you have dedicated intrusion detection software or
if your firewall produces logs of intrusion attempts, review the logs for the previous day,
investigating repeated authentication attempts and other suspicious activity.
Check Antivirus Updates Check that the automatic antivirus signature update has
been working on each Exchange server and/or gateway and that all the signatures are
up-to-date. If you manually update antivirus signatures, do them daily.
Archive Event Logs If event logs are not configured to overwrite events as required,
they must be regularly archived and purged. This is especially true of security logs, which
may be required when investigating attempted security breaches.
Check for Security Updates Identify any new service packs, hotfixes, or updates. If
appropriate, test these in a test lab and use the change control procedures to arrange for
deployment to the production servers.
Review SLA Performance Figures Check the key performance data for the previous
week. Review performance against the requirements of the SLA. Identify trends and
items that have not met their targets.
Archive Data Archive data to CD, DVD, tape, or similar media. After a user has left and
depending on your organization’s policy, you may have to leave the mailbox for a period
of time and then archive it to maintain a reasonable Exchange store size.
Capacity Planning Review capacity figures for the previous month and produce a plan
for any upgrades that may be required in the coming months to keep the system
operating within limits specified by the SLA.
Disaster Recovery Test Do a system recovery for a single server to test hardware. This
will simulate a complete hardware failure for one server and ensure that the resources,
30
plans, and data are available for recovery. Try to rotate each month, so that failure of a
different server or other piece of equipment is tested every time. For example, mail relay
server, front-end Exchange server, back-end Exchange server, firewall, and so on.
New Users and Leavers New users typically require a user account, a mailbox, certain
rights and group memberships, possibly an e-mail copy of the organization’s IT and
security procedures, and so on. For this to occur quickly, the exact procedure should be
documented. People who leave the organization must have access to their mailbox and
other systems revoked (often urgently). You may require a policy to define what should
be done with e-mail destined for the user (should it be re-routed or rejected). You will also
need a procedure to explain what happens to a user’s Exchange data after they leave.
Public Folder Creation You can grant users permission to create some public folders,
but other folders (especially top-level folders) should be created by administrators only. A
procedure should define who can make requests and what permissions should be
applied.
tools. This section outlines some of the tools for managing the operations of an Exchange
Server 2003 organization. These management tasks and tools are divided into six groups:
Note:
MBSA looks for security updates on Exchange Server 5.5 and above. It will not
check how Exchange is configured.
part is referred to as URLScan, which prevents malicious and malformed requests from
Web browsers. There are templates provided within IIS Lockdown for various server roles
that disable only the services that are not required for a specific server role. When you
are running IIS Lockdown on an Exchange server, make sure that you use the template
for the appropriate version of Exchange. For more information about the IIS Lockdown
Wizard, see Microsoft Knowledge Base article 325864, "HOW TO: Install and Use the IIS
Lockdown Wizard" (http://go.microsoft.com/fwlink/?LinkId=3052&kbid=325864).
Each agent gathers configuration data from the device and passes the information back
to the central database. It can therefore be used to automate many of the regular
changes discussed in the change management section. Windows Server 2003 software
deployment services can be used to deploy software to computers or users across an
organization or in a specific organizational unit (OU). With the flexibility of Systems
Management Server you could, for example, deploy software only to clients within a
specific OU, running Windows XP, with at least 2 GB of free disk space, and at least
256 MB RAM. For more information about System Management Server, see
http://go.microsoft.com/fwlink/?LinkId=34976.
Ensures that the performance requirements of your service level agreements (SLAs) are
being met.
Ensures that specific administrative tasks, such as daily backup operations and checking
server health, are being successfully completed.
Enables you to detect and address issues, such as bottlenecks in the server performance
or need for additional resources, in your Exchange organization before they affect
productivity.
The following daily maintenance tasks let you establish criteria for what is normal for your
organization and to detect any abnormal activity. It is important to implement these daily
maintenance tasks so that you can capture and maintain data about your Exchange
organization, such as usage levels, possible performance bottlenecks, and administrative
changes. The following tasks are discussed in detail this topic:
Performing backups
Event Viewer maintains logs about application, security, and system events on your
computer. Both Exchange Server and Windows report warnings and error conditions to the
event logs. Therefore, make sure that you review event logs daily. For more information about
35
Event Viewer, see the Windows Server 2003 Help documentation. You can also use Event
Viewer as a troubleshooting tool. For more information about using Event Viewer as a
troubleshooting tool, see Microsoft Knowledge Base article 302542, "How to Diagnose
System Problems with Event Viewer in Windows Server 2000"
(http://go.microsoft.com/fwlink/?linkid=3052&kbid=302542).
A computer that is running a Windows Server 2003 operating system records events in three
types of logs:
System logs The System log contains events logged by Windows system components.
For example, the failure of a driver or other system component to load during startup is
recorded in the System log. The event types logged by system components are
predetermined by the server.
Note:
Using the maximum logging settings is not recommended unless you are instructed
to do this by Microsoft Product Support Services. Maximum logging drains significant
resources and can give many "false positives," that is, errors that get logged only at
maximum logging but are really expected and are not a cause for concern. It is also
recommended that you do not keep diagnostic logging on permanently. It should be
used only when troubleshooting.
Within each Event Viewer log, Exchange Server records informational, warning, and error
events. Monitor these logs closely to track the types of transactions being conducted on your
Exchange servers. You should periodically archive the logs or use automatic rollover to avoid
running out of space. Because log files can occupy a finite amount of space, increase the log
size (for example, to 50 MB) and set it to overwrite, so that Exchange Server can continue to
write new events.
You can also automate event log administration by using tools and technologies such as the
Event Comb, Eventtriggers, and Microsoft Operations Manager (MOM).
The Event Comb tool lets you gathers specific events from the event logs of several
computers to one central location. It also lets you report on only the event IDs or event
36
sources you specify. For more information about Event Comb, see the Account Lockout
and Management Tools Web site (http://go.microsoft.com/fwlink/?linkid=35607).
You can also use command-line tools to create and query event logs and associate
programs with particular logged events. Eventtriggers.exe lets you create event triggers
that will run programs when specific events occur. For more information about
Eventtriggers, see the Windows Server 2003 documentation.
You can use Microsoft Operations Manager to monitor the health and use of Exchange
servers. Exchange Server 2003 Management Pack extends Microsoft Operations
Manager by providing specialized monitoring for servers that are running Exchange
Server 2003. This management pack includes a definition of health for an
Exchange 2003 server and will raise an alert message to the administrator if it detects a
state that requires intervention. For more information about Exchange 2003 Management
Pack, see the Microsoft Operations Manager Web site (http://go,microsoft.com/fwlink/?
linkid=16198).
The following section gives you information about the types of events to monitor.
Normal Events
Reviewing event logs daily will help you establish a baseline for typical events for your
system. Examine your event logs for the following application log events (Table 1) on your
Exchange servers.
Table 1 Normal events
Event ID Status
8000 and 8001 This event indicates the start and end of a
backup process.
700 and 701 This event indicates the start and end of the
online defragmentation process.
1206 and 1207 This event indicates the start and end of the
clearing of the deleted items process.
Event ID Status
Event ID Status
Event ID Status
Event ID Status
Performing Backups
Performing backups of your servers is your first line of defense in planning for a disaster. You
must have a well planned and well rehearsed disaster recovery plan for your Exchange
organization. Your disaster recovery plan should include backing up your Exchange data and
Active Directory data daily. You must back up all critical data from many sources, including
server configuration, the Active Directory database, and the Microsoft Exchange Information
42
Store service. You should also back up all logged event and performance data. Make sure
that you back up records such as Active Directory data, application software, Exchange
Server 2003 message tracking log files, and databases and log files. For more information
about disaster recovery planning, see the Exchange Server 2003 Disaster Recovery
Operations Guide (http://go.microsoft.com/fwlink/?LinkId=30250).
You can use the NTBackup tool (included with Windows Server 2003) to back up Windows
Server 2003 and Exchange Server 2003 data. You can also use a third-party backup tool that
supports Exchange Server 2003. The NTBackup tool helps you back up Exchange
Server 2003 databases, directories, selected files, and System State data, which includes
Windows Server 2003 operating system registry information.
The recommended minimum backup strategy is a daily "online" backup. For your daily
backup strategy, depending on the size, speed of backup software, hardware capacity, and
time requirements, you can choose between full backup, incremental backup, or differential
backup of your Exchange data. These options are discussed in more detail in this section.
For more information about these backup strategies as well as disaster recovery operations,
see the Exchange Server 2003 Disaster Recovery Operations Guide
(http://go.microsoft.com/fwlink/?LinkId=30250).
NTBackup
NTBackup is the native Windows backup tool that enables you to back up files to tape and
restore files from tape. If Exchange Server or System Manager is installed on the server, the
registry is modified on each Exchange server to extend the capabilities of the tool. As soon as
it is extended, the tool can be used to back up Exchange data either locally or across the
wire.
For more information about NTBackup, see the Windows Server 2003 documentation. For
more information about how to perform an online backup using NTBackup, see Microsoft
Knowledge base article 258243, "How to Back Up and Restore an Exchange Computer by
Using the Windows Backup Program," (http://go.microsoft.com/fwlink/?
linkid=3052&kbid=258243).
Full Backup
A full backup is also known as a normal backup. You should perform a full backup of your
database files and transaction logs every day. After completion of a full backup of a storage
group, the committed transaction log files on the Exchange databases are purged (deleted)
from the server. Doing a full backup gives you the advantage of speed in a recovery scenario,
because you need only one tape set to restore all data.
43
Incremental Backup
Depending on your organization's requirements, you may choose to do a full backup
periodically and perform incremental backups more frequently, possibly daily. An incremental
backup captures only that data that has changed since the last full or incremental backup by
backing up the transaction log files (not database files). After the incremental backup is
completed, the committed logs files are purged. This kind of backup is not enabled if you
have configured a storage group to use circular logging.
You can choose this backup strategy if you have large databases that have a lot of daily
activity. Know that when recovering from an incremental backup, you will need the tape sets
from your last full backup and all the subsequent incremental backups. The extra time
needed to manage the additional tape sets should be factored in to your SLA.
Differential Backup
Depending on the needs of your organization, you may choose to do a full backup
periodically and perform a differential backup more frequently, possibly daily. Differential
backups capture data that has changed since the last full backup. A differential backup copies
all log files (not database files) when it is run. After the differential backup is complete, no log
files are purged. This means that the number of files backed up each day will continue to
increase until a full backup is performed (which purges the log files). This kind of backup is
not enabled if you have configured a storage group to use circular logging.
The advantage of a differential backup is that you need only one tape set for recovery of all
log files after the last full backup is restored from the tape.
Windows Explorer Use Windows Explorer to check for disk space on volumes that
store Exchange logs and databases. You should monitor the disk space regularly to
ensure that the Microsoft Exchange Information Store service will not be negatively
44
Running a script Monitor disk space by running a script that will send you an alert
message if the hard disk space falls below 100 MB. You can find a sample script on the
TechNet Script Center Web site (http://go.microsoft.com/fwlink/?linkid=33284).
Alert users to close their mailboxes before a planned maintenance of your Exchange
system.
Monitor the size of users' mailboxes to identify which users are using the most storage
resources.
Gather information about the current state of the full-text indexing for mailbox and public
folder stores (if indexing is used).
Export this date to a file so that it can be used for historical trending or other reporting
purposes. You can also automate the collection of information about Exchange stores by
using third-party tools and Windows Management Instrumentation (WMI). For more
information about WMI, see the "Monitoring Network Performance" topic.
process ensures that records of transactions exist if a store is damaged between backups. In
many cases, recovering a damaged store means restoring the store from a backup, replaying
any backed up log files, and then replaying the most recent log files to recover transactions
that were made after the last backup.
If a disaster occurs, and you must rebuild a server, use the latest transaction log files to
recover your databases. If you have access to the latest backup and the transaction log files
since the backup, you can recover all your data. For more information about how transaction
logs function, see "Understanding Exchange 2003 Database Technology" in the Exchange
Server 2003 Disaster Recovery Operations Guide (http://go.microsoft.com/fwlink/?
LinkId=30250). By default, Exchange stores transaction log files in the following folder:
%windir%:\Program Files\Exchsrvr\MDBDATA. This folder is in the same partition where you
installed Exchange Server 2003.
You can set notifications in Monitoring and Status to alert administrators when connectors or
services fail or when defined resource thresholds are reached (for example, when the free
disk space on a particular disk reaches a specific capacity). To access the Monitoring and
Status feature in Exchange System Manager, expand Tools in the console tree. For
procedural information about how to use Monitoring and Status, see Exchange Server 2003
Help.
Setting Notifications
You can set notifications to alert an administrator of many potential problems. You can set e-
mail notifications or you can use a script to respond to server or connector problems. You can
send notifications only in the following circumstances:
After an alert is sent, you can use the Status window to view the state of a server or
connector and use the Monitor tab to view server resource monitor states. Table 5 describes
the server resource states and the potential cause for the state.
46
You can use Exchange System Manager to direct Exchange to send an e-mail message or
start a script when the server resources that you are monitoring perform outside defined
thresholds. These messages or scripts that notify you when something is wrong are referred
to as notifications.
Table 6 shows these additional resources and provides guidelines for setting their respective
thresholds. These resources are discussed in detail in this section.
Table 6 Additional resources
CPU Utilization Set warning and critical limits for CPU usage
over a sustained period. CPU usage should
not exceed 80 percent over 5 minutes.
Free disk space Set warning and critical levels for available
space on a volume. Monitor the volumes
used for system binaries, Exchange Server
databases, and Exchange Server
transaction logs. Configure the monitor to
issue a warning when a drive has less than
100 megabytes (MB) of disk space
remaining and to issue a critical alert when a
disk drive has less than 25 MB of disk space
remaining.
You can also use the Windows Server 2003 System Monitor for establishing a baseline of
performance and for troubleshooting performance issues. You can also review event logs to
monitor server resources.
Virtual Memory
Virtual memory stores data. Problems can occur if there is insufficient virtual memory. You
can set the virtual memory threshold in minutes that the virtual memory can stay under the
specified limit before an alert status is displayed. You can specify the Warning state to
indicate the smallest percentage of virtual memory on which your server can operate before a
warning is displayed. If you have both warning and critical state limits specified, the critical
48
limit must be a smaller percentage (less virtual memory available) than the amount specified
for the warning state.
For more information about fragmented virtual memory issues, see Microsoft Knowledge
Base article 325044," HOW TO: Troubleshoot Virtual Memory Fragmentation in
Exchange 2003 and Exchange 2000," http://go.microsoft.com/fwlink/?
linkid=3052&kbid=325044.
CPU Utilization
CPU utilization provides information about how busy your CPUs processors are. You can
monitor the percent of your server's CPU utilization. When your server's CPU utilization is too
high, Exchange Server 2003 may stop responding.
Note:
During some server events, CPU utilization may increase to high levels for a period
of time. When the server event is complete, CPU utilization returns to normal levels.
Ensure that the duration that you specify is more than the number of minutes that
such system events normally run.
You can specify the number of minutes that the CPU utilization threshold must exceed before
an alert status of warning or critical is displayed. You can set the warning state limit to specify
the maximum percent of CPU utilization that can occur before a warning is displayed. You
can also set a critical state limit to indicate the maximum percent of CPU utilization that can
occur before a critical state alert is displayed. A critical limit value must be a larger percentage
than a warning limit value.
can also set the Critical state (in minutes) to specify the maximum time an SMTP queue can
grow continuously before a critical alert is displayed. If you set both Warning and Critical state
thresholds, the Critical state threshold must be greater than the Warning state threshold.
Exchange server performance is affected by many factors such as user profiles, system
architecture, software, and hardware components. Make sure that Windows is functioning
correctly because if it is not, your Exchange performance will be affected.
Monitoring server performance ensures that your servers are functioning correctly and helps
you identify bottlenecks in the system. You can use the performance monitoring data to
identify problems and apply corrective action. You can also use the monitoring data to
enhance the performance of your servers by identifying areas that need additional resources.
For example, you may need to increase your storage capacity to handle the growing number
50
of users in your organization. For more information about enhancing the performance and
scalability of your organization, see the Exchange Server 2003 Performance and Scalability
Guide (http://go.microsoft.com/fwlink/?LinkId=28660).
The Windows Performance console is composed of System Monitor and Performance Logs
and Alerts. You can also use Task Manager to obtain information about the processes and
programs that are running on your local computer.
There are important differences between Task Manager and the Performance console, such
as the Performance console captures data to a file whereas the Task Manager can end a
process. Task Manager is primarily a troubleshooting aid, and the Performance console is
used for more detailed troubleshooting and analysis.
System Monitor
Using the System Monitor tool, you can define, collect, and view extensive data about the
usage of hardware resources and the activity of system services on computers that you
administer. System Monitor lets you monitor a single computer or several computers
simultaneously. This flexibility can be helpful when you want to locate a problem in your
system. You can specify the type of data you want to monitor, the source of the data, and
establish sampling parameters, such as manual or automatic, within a time interval on real-
time data. You can even change the appearance of your System Monitor to use graph,
histogram, or report views.
An alert is a system-generated event that is triggered when counters that you are tracking
perform outside predefined thresholds. You use Performance Logs and Alerts to configure
51
alerts. For example, you can configure an alert to notify you when the MSExchangeIS
Mailbox object’s Send Queue Size counter exceeds 25 messages.
Note:
The alert functionality depends on the Windows 2003 Messenger Service, the
Windows 2003 Alerter Service, and the existence of the recipient account registration
in the Windows Internet Name Service (WINS). The Messenger and Alerter services
are disabled by default and must be enabled and started to allow network messages
to be transmitted.
For more information about creating and configuring alerts in Windows Server 2003, see
Microsoft Knowledge Base article 324752, "How to Create and Configure Performance
Monitor Alerts in Windows Server 2003," (http://go.microsoft.com/fwlink/?
linkid=3052&kbid=324752).
Task Manager
Task Manager (Taskmgr.exe) is a Windows Server 2003 tool that provides information about
the processes and programs that are running on your local computer. You can use Task
Manager to monitor key indicators of your computer's performance. You can see the status of
the programs that are running and end programs that have stopped responding. You can also
assess the activity of running processes using up to 15 parameters, and see graphs and data
on CPU and memory usage. Additionally, you can view the network status and see how your
network adapter is functioning. If you have more than one user logged on to your computer,
you can see who is connected, what they are working on, and you can send them a
message.
By default, message tracking is turned off. Besides verifying that the Exchange Management
Service is started, you can enable message tracking by:
Creating a system policy to enable message tracking and applying the policy to the
servers for which you want to track messages.
Editing the properties of each server for which you want to track messages.
Message Tracking Center lets you reference the message tracking logs stored on each
server and view the history of sent messages. If the message does not appear in a tracking
log, check the Queue Viewer to see if the message is waiting in a queue for an available
52
connection or for routing information before it can be delivered. For more information about
the Message Tracking Center and Queue Viewer, see the Exchange Server 2003
Administration Guide (http://go.microsoft.com/fwlink/?LinkId=21769).
To search for a specific system message in Message Tracking Center, search for the
Message ID. If you do not know the Message ID, you can find system messages manually by
reviewing the message tracking logs. Exchange automatically creates these logs if you have
message tracking enabled on a server. To search for other types of messages, you can
search by sender, recipient, or server.
Before you enable messages to appear in Message Tracking Center, you must enable
subject logging on the Exchange server. However, enabling subjectlogging causes the
subject lines of messages in SMTP and MAPI queues to be displayed in the Subject column
of Queue Viewer. By default, the Subject column is left empty to preserve confidentiality. For
example, some Exchange organizations prefer to keep low-level administrators from viewing
message subjects. Therefore, verify your organization's policy about revealing subject line
information before you enable subject logging.
When you enable message tracking on an individual server, messages routed through the
server are added to the message tracking logs. These logs are text files that you can review
to monitor and troubleshoot message flow. The Exchange System Attendant service on each
server maintains these log files.
To access Queue Viewer, in Exchange System Manager, expand the server you want, and
then click Queues. Expanding Queues reveals one or more system queues, which are
default queues specific to the protocol transporting the messages (SMTP, X.400, or MAPI).
The system queues are always visible. The link queues are also visible in the Queues
container. These queues are visible only if the SMTP virtual server, X.400 object, or
connector is currently holding or sending messages to another server. Link queues contain all
outgoing messages queued on each connector.
Settings
Finding messages
System queues are default queues for each protocol that hold messages only while certain
required routing tasks are performed, such as content conversion and address resolution.
Settings
The Settings option lets you determine the frequency at which all the queues are refreshed,
with the default rate being every two minutes. You can set the refresh rate to one minute, five
minutes, 10 minutes, or Never refresh. If you are investigating an issue with message
delivery, you may consider reducing the frequency to one minute to see the changes in the
queues sooner.
Finding messages
You can use the Finding messages option to search for messages by specifying search
criteria (such as the sender or recipient) or the message state (such as frozen). You can also
specify the number of messages that you want your search to return.
Queue States
You can check the state of all queues by looking at the State column. Queues in the Ready
state and queues that are delivering messages correctly usually have few messages queued
for transfer. If a queue is continually retrying to send a message, it may indicate that the
destination is not available. It is important to monitor queue growth. If you find messages
queued for extended periods and the queue is in Retry state, it may mean that one or more
basic routing functions is failing in your Exchange organization.
If you want to prevent outgoing mail from a particular remote queue, instead of disabling all
SMTP queues, you can freeze the messages in that particular queue. For example, if it
appears that a 5-MB message is holding up the transfer of many messages, temporarily
freeze the 5-MB message to allow other messages to transfer out. When the queue is
emptier, unfreeze the 5-MB message.
Note:
X.400-based queues cannot be frozen.
To find the messages that may be causing problems in message delivery, you must
enumerate messages in the queue by using the Find Messages feature. Table 7 lists the
types of queue states.
55
Table 7 Queue states
These online maintenance tasks include, but are not limited to:
Checking Active Directory to determine whether there are any deleted mailboxes.
Permanently removing any messages or mailboxes that are older than the configured
retention policy.
Online maintenance performs an Active Directory lookup for each user who has a mailbox on
the store that runs maintenance, in the database. These searches are used to keep the
56
mailbox store synchronized with Active Directory changes (specifically, look for deleted
mailboxes). The effect that online maintenance has on Active Directory is proportional to the
number of users in each server database. If you have many users or have global data centers
that serve customers in different times zones, you may want to consider staggering the online
maintenance.
Online maintenance also permanently removes any messages or mailboxes that are older
than the retention policy (Mailbox Manager), and performs online defragmentation of data in
the database. These tasks are disk-intensive and affect the server where the online
maintenance is being run. Your server may seem to be slow if many databases are set to
perform online maintenance at the same time. In corporate scenarios, you may want to do
online maintenance during non-business hours when the server can better handle the
additional load. In a global data center, consider staggering the database schedule (with
regard to each other on a single server to spread disk-intensive tasks over a greater period of
time.
Exchange database online defragmentation refers to rearranging mailbox store and public
folder store data to fill database pages more efficiently and optimize how objects are stored to
try to reduce disk I/O. The defragmentation process provides more database space without
actually changing the file size of the database.
You must ensure that neither your index maintenance, nor your online backups conflict with
your scheduled "maintenance interval" for any databases in the same storage group. If there
is a conflict, backup will stop the online defragmenting part of the scheduled maintenance and
the database may not be able to finish defragmenting.
You can plan the correct online maintenance strategy for your organization by examining the
user profile (such as times of low and high activity); knowing how many users, databases,
and servers are in the site; and coordinating this information with the online backup strategy.
Network Monitor
You can also use third-party monitoring tools or Microsoft Operations Manager (MOM) to
monitor your Exchange system. For more information about MOM 2005, see the MOM 2005
Product Documentation Web site (http://go.microsoft.com/fwlink/?linkid=35627).
57
Network Monitor
Network Monitor, a Window Server 2003 tool, is used to collect, display, and analyze
resource usage on a server and measure network traffic. Network Monitor exclusively
monitors network activity. By capturing and analyzing network data and using this data with
performance logs, you can determine your network usage, identify network problems, and
forecast your network needs for the future.
Exchange Server 2003 provides many WMI classes that you can use to monitor and analyze
Exchange servers, track messages, and check mail flow status. The Exchange Server 2003
SDK contains complete information about the Exchange WMI providers, including many
sample scripts to help you get started. You can download or view the Exchange 2003 SDK
from the Microsoft Exchange Server Downloads page on MSDN®
(http://go.microsoft.com/fwlink/?LinkId=29301).
Table 8 lists the Exchange services dependencies that are required in any environment.
58
NNTP
SMTP
NNTP
SMTP
59
Microsoft Search
Windows Services
You should verify that Windows services such as World Wide Web and SMTP are started.
Because Exchange Server also relies on Windows services, if the services are not configured
correctly, Exchange Server will not work efficiently. You should also monitor the following
services:
Active Directory
60
For more information about the services dependencies of the Exchange Setup process, see
the Exchange Server 2003 Deployment Guide (http://go.microsoft.com/fwlink/?LinkId=21768).
Active Directory
Exchange Server relies on Active Directory for correct functionality. Among other things,
Active Directory contains information about objects (such as users, contacts, groups, and
configuration) on the network and makes this information available for authorized
administrators and users. Exchange Server uses Directory Access (DSAccess) to discover
the Active Directory topology, detect domain controllers and global catalog servers, and
maintain a list of valid directory servers that are usable by the Exchange Server components.
You should monitor Active Directory servers to identify trends before actual issues, such as
the delay in authentication of client computers, occur.
You can use Active Directory Sites and Services to verify replication by helping you identify
any Active Directory replication issues that may cause performance issues for Exchange
Server. For more information about monitoring Active Directory performance, see the
Windows Server 2003 documentation.
Before you perform any cluster administration tasks, familiarize yourself with the clustering
concepts described in "Checklist: Preparation for installing a cluster"
(http://go.microsoft.com/fwlink/?LinkId=16302) in the Microsoft Windows Server™ 2003
61
Enterprise Edition Online Help and in the Windows Server 2003 Technical Reference
(http://go.microsoft.com/fwlink/?LinkID=27137).
Also, make sure that you are familiar with "Using Server Clustering" in Chapter 5, "Planning
for High Availability" in Planning an Exchange Server 2003 Messaging System
(http://go.microsoft.com/fwlink/?LinkId=21766) and with Chapter 7, "Deploying
Exchange 2003 in a Cluster," in the Exchange Server 2003 Deployment Guide
(http://go.microsoft.com/fwlink/?LinkId=21768)
You can also use Cluster Administrator to remotely administer a server cluster. Computers
that are used to administer a server cluster remotely must be secure and restricted to trusted
personnel. For more information about Cluster Administrator, see "Best practices for securing
server clusters" in the Windows Server 2003 Enterprise Edition Online Help
(http://go.microsoft.com/fwlink/?LinkId=18173).
Active/passive clusters are the recommended configuration for Exchange 2003 clusters. You
can monitor active/passive clusters just as you would stand-alone server deployments.
Exchange 2003 also supports active/active clusters with at most two nodes. However,
active/active clusters are not a recommended configuration for Exchange 2003 clusters. If
you have an active/active cluster, use a monitoring application such as System Monitor to
monitor the cluster. For more information about deploying Exchange Server 2003 in a cluster,
see Chapter 7, "Deploying Exchange 2003 in a Cluster," in the Exchange Server 2003
Deployment Guide (http://go.microsoft.com/fwlink/?LinkId=21768)
62
For more information about monitoring and troubleshooting virtual memory counters, see
Microsoft Knowledge Base article 325044, "HOW TO: Troubleshoot Virtual Memory
Fragmentation in Exchange 2003 and Exchange 2000," (http://go.microsoft.com/fwlink/?
linkid=3052&kbid=325044).
The warning logged if the largest free block is smaller than 32 MB
EventID: 9582
Severity: Warning
Category: Performance
The virtual memory that is required to run your Exchange server is fragmented in such
a way that performance may be affected. It is highly recommended that you restart all
Exchange services to correct this issue.
The error logged if the largest free block is smaller than 16 MB
EventID: 9582
Severity: Error
Category: Performance
The virtual memory that is required to run your Exchange server is fragmented in such
a way that normal operation may begin to fail. It is highly recommended that you
restart all Exchange services to correct this issue.
MSExchangeIS\VM Largest Block Size Monitor this counter to make sure that it
stays above 32 megabytes (MB). When this
counter drops under 32 MB, Exchange
Server 2003 logs a warning (Event ID=9582)
in the event log and logs an error when this
counter drops under 16 MB.
MSExchangeIS\VM Total 16MB Free Blocks Monitor this counter to predict when the
number of 16-MB blocks is likely to drop
under three. If the number of blocks drops
under three, restart all the services on the
node.
MSExchangeIS\VM Total Free Blocks Monitor this counter to measure how much
available virtual memory is being
fragmented. The average block size is the
Process\Virtual Bytes\STORE instance
divided by MSExchangeIS\VM Total Free
Blocks.
MSExchangeIS\VM Total Large Free Block Monitor this counter to ensure that this
Bytes counter does not drop under 32 MB. If the
number of blocks drops under 32 MB, fail
over the Exchange Virtual Servers
and restart all the Exchange services on the
node.
Antivirus measures
Anti-spam measures
Microsoft supplies two tools to help you stay current with Microsoft Windows® service packs,
hotfixes, and updates: Microsoft Network Security Hotfix Checker (Hfnetchk) and Microsoft
Baseline Security Analyzer (MBSA). Hfnetchk is a tool that lists which updates have been
applied to a computer; MBSA identifies common security misconfigurations. Hfnetchk is
available through the command line interface of the MBSA. You can download these tools
from the Microsoft Baseline Security Analyzer Web site (http://go.microsoft.com/fwlink/?
linkid=17809). You can also use third-party tools for updates management.
You can keep current with updates available for your organization by subscribing to Microsoft
Security Bulletins. To be notified of any new updates, you can subscribe for automatic
notifications to the Microsoft Security Bulletins (http://go.microsoft.com/fwlink/?LinkId=12322).
Make sure that you test the updates in a lab environment before you deploy them.
For more information about Windows Server 2003 updates management processes, see the
Windows Server 2003 Security Guide (http://go.microsoft.com/fwlink/?linkid=16717).
Antivirus Measures
E-mail viruses can slow server performance by introducing excess network traffic and they
can attack individual computer systems or your entire e-mail environment. You must ensure
that you have sufficient protection against viruses in your Exchange Server 2003
environment. At a minimum, you must deploy antivirus software designed for messaging
systems at either the Simple Mail Transfer Protocol (SMTP) gateway or on the Exchange
servers that host mailboxes. You should also run antivirus software on the client computers. If
you are running antivirus software designed for messaging systems (meaning that it can
parse and scan MIME) at the gateway or on the Exchange server, running a file-level scanner
on client computers is usually sufficient. However, you must assess if running a file-level
scanner is sufficient for your organization.
Regardless of your virus scanning solution, you must ensure that the following is done:
Implement a daily method to update antivirus signature files on all computers in the
organization manually or set up automatic updates. You should monitor the automation to
ensure that automatic updates are successful.
65
Create an action plan that explains what to do when a virus is detected. For example, you
can isolate the infected computer and disinfect it, educate users about steps to take when
their computers become infected, and update software with any required updates to
prevent additional vulnerability.
Ensure that your solution can scan message attachments for viruses. New viruses and
worms that can do extensive damage by causing heavy network traffic can spread
through e-mail messages. Additionally, when new viruses that propagate through e-mail
attachments appear, educate users about the correct steps to take when this occurs.
Quarantine files that you suspect are infected. Then, check files to see if they are critical
and necessary components. If they are necessary and if the files cannot be disinfected,
you must replace the files from a backup or other source.
Check the quarantine and empty unnecessary content. Files put in quarantine that can be
safely deleted should be deleted. The quarantine is a depository for administrative
inspection and should not be overloaded with files. Also, clean files should not be in
quarantine.
For added security and protection, you can set up filtering rules to filter messages.
Anti-Spam Measures
Unsolicited commercial e-mail (spam) is a major problem for many organizations. Spam is
costly in a number of ways, from lost user time in sorting and deleting it to wasted bandwidth
and storage space. There are several ways to combat spam, as follows:
When Exchange Server 2003 expands a distribution group that can only receive mail from
authenticated users or can only receive mail from distribution groups that have the
msExchRequireAuthToSendTo attribute set to true, the Exchange message categorizer does
not permit unauthenticated mail that is sent by using SMTP to be sent to the distribution
group. Mail to restricted distribution groups is accepted only if the messages are submitted by
using the store driver, the messages are authenticated by using SMTP, or if the Resolve
anonymous e-mail option is turned on in the SMTP virtual server.
For more information about restricted distribution groups in Exchange Server 2003, see
Microsoft Knowledge Base article 827616, "How to restrict the users who can send inbound
Internet e-mail to another user or to a distribution group in Exchange 2003,"
(http://go.microsoft.com/fwlink/?linkid=3052&kbid=827616). To learn more about the groups
that are used by Exchange Server 2003 for mail distribution and access control lists (ACLs),
see Microsoft Knowledge Base article 839949, "Troubleshooting mail transport and
distribution groups in Exchange 2000 Server and in Exchange Server 2003,"
(http://go.microsoft.com/fwlink/?linkid=3052&kbid=839949).
67
Sender filtering By default, SMTP connections that are created by senders on this list
are dropped. Use this feature to block e-mail messages from a list of senders
Recipient filtering Lets you set global restrictions on mail to specific recipients. Use
this feature to block e-mail messages to a list of internal recipients.
For more information about how filters are applied, see the guide What's New in Exchange
Server 2003 (http://go.microsoft.com/fwlink/?LinkId=21765).
Note:
Exchange Intelligent Message Filter can be installed only on a server that is running
Exchange Server 2003 Standard Edition or Exchange Server 2003 Enterprise
Edition. When an external user sends e-mail messages through a server that is
running Exchange Server 2003 and that has Exchange Intelligent Message Filter
installed, the filter evaluates the content of the messages for recognizable patterns
and assigns the message a rating based on the probability that the message is
unsolicited commercial e-mail or spam. This rating is stored with the message as a
message property referred to as a spam confidence level (SCL). This rating persists
with the message when the message is sent to other servers that are running
Exchange Server and even other user inboxes.
Note:
The spam confidence level rating is used only by Outlook 2003 or later versions and
Exchange Server 2003.
For more information about Intelligent Message Filter, see the Exchange Intelligent Message
Filter Overview (http://go.microsoft.com/fwlink/?linkid=35656).
68
Before you install Intelligent Message Filter, read the Microsoft Exchange Intelligent Message
Filter Deployment Guide (http://go.microsoft.com/fwlink/?LinkId=27922). If you do not
configure Intelligent Message Filter correctly, your messaging environment can be negatively
affected.
You can also obtain more information about uninstalling Intelligent Message Filter, known
issues, and answers to frequently asked questions in Microsoft Knowledge Base article
867633, "Intelligent Message Filter Release Notes," (http://go.microsoft.com/fwlink/?
linkid=3052&kbid=867633).
Managing mailboxes
Capacity planning Establish baselines for each service and monitor all levels of system
operations.
Capturing and reporting performance data Record and log system activity over time,
chart the activity in real time, and display information that is in log files.
Analyzing trends Capture data and analyze the reports that you create by using that
data.
Important:
Because some of these tools create accounts that have non-secure passwords,
these tools are intended for use in test environments, not in production environments.
For more information about capacity planning, see the Planning an Exchange Server 2003
Messaging System Guide (http://go.microsoft.com/fwlink/?LinkId=21766).
Configure Performance Logs and Alerts to collect data for the recommended
counters at set intervals, such as every 10 to 15 minutes.
Retain logs over extended periods of time by storing data in an archive with
performance log files on the hard disk or in a database such as Microsoft Access or
Microsoft SQL Server™. If you store the data in a database, you can use the
reporting features of those programs to create complex reports that you can use to
assess overall performance, do trend analysis, and do capacity planning.
Chart activity in real time and display information that is in log files by using System
Monitor. System Monitor is a Microsoft Management Console (MMC) snap-in that you
71
can use to monitor many subsystems and software. It provides a common infrastructure
for reporting data based on performance counters. For more information about System
Monitor, see Windows® Help. You can use System Monitor to do the following tasks:
Analyze processor activity and queues, which is useful in isolating problems with
specific components.
For more information about the tools you can use to verify the performance of your Exchange
Server 2003 environment, see "Exchange Performance Tools" in Appendix A of the Exchange
Server 2003 Performance and Scalability Guide (http://go.microsoft.com/fwlink/?
LinkId=28660).
Protocol log files can help you troubleshoot messaging problems and identify potential issues
with your HTTP, SMTP, and NNTP virtual servers. There are four types of protocol logs as
described in Table 1.
72
World Wide Web Consortium (W3C) Writes the log in ASCII text. Fields are
Extended Log space-delimited, and each entry is written on
a new line. This style is the default.
National Center for Supercomputing Writes the log in ASCII text following the
Applications (NCSA) Common Log National Center for Supercomputing
Applications (NCSA) Common Log file
format. Fields are space-delimited and each
entry is written on a new line.
Open Database Connectivity (ODBC) Log Writes each entry as a record in the Open
Database Connectivity (ODBC)-compliant
database that you specify.
Microsoft Internet Information Services (IIS) Writes the log in ASCII text following the IIS
Log log file format. Fields are tab-delimited, and
each entry is written on a new line.
Note:
W3C Extended Log File Format is the preferred logging format. Unless you are sure
that another format meets your needs, use this format with HTTP, SMTP, and NNTP
protocol logging.
You can enable protocol logging on the Properties tab of the SMTP or NNTP virtual servers
in Exchange System Manager. You enable logging on the HTTP Exchange Virtual Server
through the IIS Manager. For more information about how to enable logging for virtual
servers, see the Exchange Server 2003 Help. For more information about troubleshooting
transport issues, see Microsoft Knowledge Base article 821910, "How to Troubleshoot for
Exchange Server 2003 Transport Issues," (http://go.microsoft.com/fwlink/?
LinkId=3052&kbid=821910).
You can install HTTPMon from the resource kit by running Setup.exe from the \apps\httpmon
folder of the resource kit. After you install HTTPMon, you must run HTTPMon Configuration
Manager to configure the service. HTTP Configuration Manager lets you configure global
73
settings for your organization and add the Outlook Web Access servers you want to monitor.
You can use the Services MMC to start the HTTP Monitoring Service. After your tests start
running, you should review the .csv files for response codes, time taken by the sample to
return the text, and for the number of retry attempts made by HTTPMon. You can analyze this
data to detect problems with your Outlook Web Access servers, and you can review the
events logged by HTTPMon in Event Viewer.
SQL Reporting Server Gathers data from monitor servers and loads it into SQL Server
Client Monitor This component is a set of Web pages that displays the results from the
SQL Reporting Server database
You can then use Windows Management Instrumentation (WMI) or other technologies to
monitor the event log, or you can import the .csv file output to Microsoft Office Excel, SQL
Server, or another tool for more analysis. You can also use the SQL Server data and Client
Monitor to track your servers, and you can use the reporting features of SQL Server to
additionally analyze the data.
You can use HTTPMon to identify and troubleshoot issues with Outlook Web Access servers.
Make sure that you monitor Outlook Web Access regularly. Based on your organization's
requirements, you may want to consider monitoring your Outlook Web Access servers
weekly. You can increase or decrease the frequency of monitoring based on trend analysis of
your Outlook Web Access servers. For more information about installing and configuring
HTTPMon, see the Windows Server 2003 Resource Kit documentation.
Managing Mailboxes
Mailboxes are the delivery location for all incoming mail messages for a designated recipient.
A mailbox can contain messages, message attachments, folders, documents, and other files
such as calendar and contact objects. Information in a user's mailbox is stored in a mailbox
store database on an Exchange server. Mailboxes inherit many of their properties, such as
storage limits, from the mailbox store. You can create different mailbox stores for different
groups of users. For example, you may put mailboxes for your staff in one store and
mailboxes for executives in another store, and give the executives double the normal storage
limits by configuring the store instead of configuring the individual mailboxes. You must
actively manage the mailboxes in your organization to guarantee reliability and availability to
your users. Make sure that you manage mailbox limits for resource management of your
servers. For more information about managing mailboxes, see the Exchange Server 2003
Administration Guide (http://go.microsoft.com/fwlink/?LinkId=21769).
74
Option Description
Prevent send and receive at (KB) When a user's mailbox exceeds the
specified size limit, the user receives an e-
mail alert message to delete messages from
the mailbox. Additionally, e-mail messages
cannot be sent until the mailbox size is
reduced below the specified limit and
incoming e-mail messages are returned to
the sender with a non-delivery report (NDR).
The user still can receive system messages.
Option Description
Keep deleted items for (days) You can designate the number of days that
deleted items (such as e-mail messages)
remain on the server before they are
removed permanently. You can type a
number from 0 to 24855. If you type 0,
deleted items are removed from the server
immediately. As long as deleted items
remain on the server, Outlook users can
retrieve them using Outlook's Recover
Deleted Items function. Setting a high value
for this option could affect your database
sizes on the hard disk.
Keep deleted mailboxes for (days) You can designate the number of days that
deleted mailboxes remain on the server
before they are removed permanently. After
this value is set, you have the specified
number of days to recover mailboxes that
were deleted accidentally. You can type a
number from 0 to 24855. If you type 0,
deleted mailboxes are removed from the
server immediately. By default on a new
installation, this is set to 30.
Do not permanently delete mailboxes and You can keep deleted mailboxes and items
items until the store has been backed up on the server until a backup is performed.
After a backup is performed, mailboxes and
items are deleted, according to the settings
that you specified.
You can apply a policy to a mailbox store only if you have permissions to modify that mailbox
store. If you are using a distributed administration model, with multiple administrative groups
that have separate administrators, each administrator will be able to interact only with the
mailbox stores in that administrator's own administrative group.
76
You can select when you want the mailbox management process to start on a particular
server, according to the rules defined by associated recipient policies. The recipient policies
determine which mailbox or mailboxes Mailbox Manager cleans. You can also customize the
mailbox management schedule to suit your organizational requirements. For example, you
can create a custom schedule that runs Mailbox Manager on Saturday at midnight.
When you schedule Mailbox Manager, you can designate a mailbox, contact, or distribution
group to receive Mailbox Manager reports. You can also select the type of report to be
generated. The report can include information such as when Mailbox Manager ran, which
mailbox recipient policy settings were applied, which mailboxes were processed, which
folders were processed, the number of messages that were moved or deleted, and the size of
messages that were moved or deleted.
Most of the Mailbox Manager settings are controlled through recipient policy. You can add an
additional tab named Mailbox Manager Settings to an already existing policy, or a new
policy can be created. For each recipient policy you create, you can define the objects that
this recipient policy will apply to (this is done through defining the policy Filter) and select
whether you want to delete messages based on age, size, or both. You can also choose to
notify clients that their mailboxes were cleaned. In the Properties of the server object, on the
Mailbox Manager tab, you can choose to have reports sent to an administrator and can
choose the Administrator's mailbox.
The action that occurs when Mailbox Manager processes a message depends on the setting
that you select when creating the policy. By default, only a report is generated. No additional
action is taken. In addition to the default setting, there are four other options for how Mailbox
Manager processes messages that exceed the specified limits. Table 3 describes these
Mailbox Manager options.
77
Option Description
Move to Deleted Items folder Messages are moved to the Deleted Items
folder in each client mailbox. Messages are
handled as if deleted by the client. Users can
remove them from the Deleted Items folder if
they want to.
Move to System Cleanup folders A partial replica of the folder hierarchy of the
mailbox is created under a root folder named
System Cleanup. Affected messages are
moved to the appropriate subfolder of the
System Cleanup folder. This feature gives
users a way to recover recently deleted
items without losing information about the
original folder location of the items.
You can use the same limits for every folder that the mailbox recipient policy applies to, or
you can set custom limits on a folder-by-folder basis. Each folder must be configured
individually if its limits differ from the default limits.
By default, the BadMail folder is located in the virtual server's home directory. The default
location is \Exchsrvr\Mailroot\vsi #virtual server instance\badmail. Before Exchange
Server 2003 SP1, badmails were written to the BadMail folder until the hard disk became full
78
or messages were deleted from hard disk manually. In Exchange Server 2003 SP1, badmails
are not written to the disk. However, if you want to continue to receive the badmails, you can
use Registry Editor to add two registry keys that will ensure that you continue to receive
badmail messages. For more information about the BadMail folder and badmail messages,
see Microsoft Knowledge Base article 555164, "Exchange 2003 Service Pack 1 stops the
BadMail folder from collecting bad messages" (http://go.microsoft.com/fwlink/?
LinkId=3052&kbid=555164).
In Registry Editor, you must add the following registry key under the folder:
HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SMTPSVC\\Queuing
Use Windows Explorer to examine the BadMail folder contents for undeliverable messages.
Many undelivered messages could indicate a network or Domain Name System (DNS)
problem. You can create policies for monitoring the BadMail folder and remove messages
after a specified time (such as deleting messages once a week). You can also use the
Badmail Deletion and Archiving tool to automatically delete or archive files in the Badmail
directory of specified SMTP virtual servers. Installing this tool ensures that the size of the
Badmail directory does not exceed specific size limits and eliminates the administrative
overhead of manually archiving or deleting these files. To download the Badmail tool, see the
Downloads for Exchange Server 2003 Web site (http://go.microsoft.com/fwlink/?
linkid=25097).
Depending on your organization's requirements, you may want to change this default
assignment to avoid exposure of your administrator account to external users.
79
Note:
Requests for Comments (RFC) 2822 defines a reserved address for the postmaster.
For more information about RFCs, see http://www.rfc-editor.org/rfc.html.
To designate a specific user's mailbox as the postmaster mailbox for any local SMTP domain
that is created, you can manually add the proxy postmaster@localdomainname to the user's
list of SMTP proxy addresses.
Managing the postmaster mailbox may involve the following high-level tasks:
Depending on your organization's requirements, you may need to decide whether to:
Associate a single e-mail account with the postmaster, such as your Help desk
mailbox account.
Create a dedicated postmaster account that will be used when NDRs are sent.
If you are creating a dedicated postmaster account, you will need to designate access to
the postmaster’s mailbox to the appropriate support staff. You can manage a dedicated
mailbox in the following ways:
Create a dedicated account and log on as that account by using an Outlook profile,
and then respond to the account messages.
Delegate Send As permissions on the account to the person who typically manages
the mailbox, and then add the mailbox to their Outlook profile.
You should establish a regular schedule, such as a weekly schedule, for reviewing and
responding to the delivery reports in the mailbox. For example, you may want to respond
to messages in which the e-mail alias is incorrect and then notify the sender that they
must update their records. The schedule you establish should be based on your
organization’s requirements. Some organizations make this a daily task to try to reduce
the number of e-mail messages that are delivered to users who are no longer with the
company, while other companies make this a weekly or monthly maintenance task.
Determine whether you want a copy of all NDRs to be sent to the postmaster account.
Server and network status for the overall organization and segments
SLA reviews
Verify mailbox and public folder store integrity You can resolve inconsistencies in
Exchange databases by verifying and repairing the integrity of the database using
81
Information Store Integrity Checker (Isinteg.exe). You can also use the Eseutil.exe tool to
check database integrity.
Examining queues You can use Queue Viewer to examine queues. This activity lets
you identify normal and abnormal trends for messages that are visible in the queues.
Many messages backed up in the queue can indicate a security threat, a spam attack, or
a network performance issue.
Online Defragmentation
Online defragmentation is one of several database-related processes that occur during
Exchange database maintenance. By default, Exchange servers automatically run Exchange
Server database maintenance between 01:00 (1:00 A.M.) and 05:00 (5:00 A.M.) local time,
every day. Online defragmentation occurs while the Exchange Server databases remain
online. Therefore, your e-mail users have complete access to mailbox data during the online
defragmentation process.
The online defragmentation process involves automatically detecting and deleting objects that
are no longer being used. This process provides more database space without actually
changing the file size of the databases that are being defragmented.
Note:
To increase the efficiency of defragmentation and backup processes, schedule your
maintenance processes and backup operations to run at different times. Running the
online backup after the online defragmentation has started will end the online
defragmentation process at that time.
To schedule database defragmentation for a collection of mailbox stores and public folder
stores, use the Maintenance interval option on the Database (Policy) tab of a mailbox
store or a public folder store policy.
For more information about how to create a mailbox store policy or public folder policy, see
"Create a Mailbox Store Policy" and "Create a Public Folder Store Policy" in Exchange 2000
Server or Exchange Server 2003 Help.
Offline Defragmentation
Offline defragmentation involves using Exchange Server Database Utilities (Eseutil.exe).
Eseutil is an Exchange Server tool that you can use to defragment, repair, and check the
integrity of Exchange Server databases.
You can perform offline defragmentation only when your Exchange Server databases are
offline. Therefore, your e-mail users will not have access to mailbox data during the offline
defragmentation processes. The database has to be in the "clean shutdown" state for offline
defragmentation to run on it.
During the offline defragmentation process, Eseutil.exe creates a new database. It copies
only the in-use database records to the new database file, which results in a new compact
database file. An offline defragmentation is the only method that reduces the physical file size
of the databases. You should perform an offline defragmentation in the following situations:
Important:
You should consider an offline defragmentation only if many users are moved from an
Exchange Server database or after a database repair. Performing offline
defragmentation when it is not required could affect performance. To determine how
much space you will regain after the offline defragmentation of the database, check
event 1221 in the Exchange server’s Application log. You should also consider the
time factor when performing an offline defragmentation of the database because it is
a lengthy process.
83
Important:
It is also important to note that the offline defragmentation requires about 110% of the
space of the original database to succeed. This is because the Eseutil tool actually
creates a new database file, in addition to the original database file. Both files have to
coexist on the disk. It is possible however, to redirect the temporary database file to a
different hard disk by using the Eseutil /t switch. Using this switch increases the time
required to complete the defragmentation process. You can also use a network disk.
However, using a network disk is not recommended because it significantly increases
the time required to complete the defragmentation process. Also, you are subject to
the risk of network availability issues.
When you use Eseutil.exe to defragment your Exchange Server databases, consider the
following:
When you run Eseutil.exe in defragmentation mode (using the command Eseutil /d), you
can also include a /p switch. Including the additional /p switch during a defragmentation
operation preserves the original database being defragmented in case you need to revert
to this database. If the original database and the temporary databases are on different
drives during the offline defragmentation process, using the /p switch bypasses the need
to copy the defragmented database to the location of the original database. Then you
need to manually rename the newly created temporary database using the same
database name that the original database had and manually move the database to the
correct location using Windows Explorer.
Because offline defragmentation actually creates the new database, database files, and
log file signatures, you should create new backups of Exchange Server 2003 databases
immediately after offline defragmentation. A new defragmented database file will have a
different database signature on it. Because the databases and transaction logs point to
each other based on signatures, all previous backups of this database are invalidated by
the offline defragmentation. Table 1 provides information about the modes of operation of
Eseutil.
For more information about defragmenting Exchange Server databases, see Microsoft
Knowledge Base article 328804, "How to defragment Exchange databases,"
(http://go.microsoft.com/fwlink/?LinkId=3052&kbid=328804).
You can also obtain information in the Microsoft Exchange Team Blog, "Is offline
defragmentation considered regular Exchange maintenance?"
(http://go.microsoft.com/fwlink/?linkid=35348).
An item count on a mailbox or public folder store is inconsistent. This may indicate that
some of the counters and pointers in your mailbox or public folder store may be
corrupted.
You cannot move a mailbox. For example, if the Move Mailbox command or ExMerge
fails on a particular mailbox, the structure of the mailbox, or of a message inside the
mailbox, may be corrupted.
The e-mail client crashes frequently. For example, Microsoft Office Outlook® crashes
repeatedly when a user tries to access a particular message or mailbox. Running a store
integrity check may identify the cause of the errors.
Isinteg
Isinteg is a command-line tool that searches an offline Exchange store for integrity
weaknesses. You can also repair issues that Isinteg detects. The Microsoft Exchange
Information Store service must be online when Isinteg is started
85
Verifies whether the MSExchangeIS service is stopped, and then Isinteg does one of the
following tasks:
If the service is not stopped, Isinteg displays a list of databases to select from on that
server.
Browses all the cross-reference tables for errors. Isinteg builds an Exchange database,
Refer.mdb, of reference counts before it browses the tables.
Compares the counts found to the counts in the reference database. If Isinteg is running
with the -fix switch, these counts are updated to the true values, as determined by
Isinteg.
Important:
Isinteg cannot resolve physical database problems. If the database is damaged on
the physical database page level (for example, because of hard disk problems, the
file-level antivirus software modified the database, and so on), you may need to use
the Eseutil tool. The database must be in the “clean shutdown” state for Isinteg to run
on it.
<drive>:\<installation root>\exchsrvr\bin>isinteg /?
Use the information in Table 2 to determine which switch to use when you run the Isinteg tool.
Table 2 Isinteg switches
At a minimum, you must specify -test Testname or -dump at the command line to be able to
proceed.
The steps to run the Isinteg command-line tool based on a specific criteria are as follows:
For example, you can type c:\program files\exchsrvr\bin>isinteg -s servername -fix -test
alltests
To fix inconsistencies and errors in the Exchange store, at a command prompt, type:
For more information about the Isinteg tool, see Microsoft Knowledge Base article 182081,
"Description of the Isinteg utility" (http://go.microsoft.com/fwlink/?LinkId=3052&kbid=182081).
For more information about the command-line parameters used for Isinteg tool, see Microsoft
Knowledge Base article 301460, "Exchange Command-Line Parameters for the Isinteg.exe
Tool" (http://go.microsoft.com/fwlink/?LinkId=3052&kbid=301460).
You must develop a queue baseline so that you can identify the difference between normal
behavior and abnormal behavior for your organization. Typically, on-demand use of Queue
Viewer is the result of a support call indicating that e-mail delivery is slow or a message has
not been delivered.
For more information about Queue Viewer, see the topic "Checking Message Paths" in the
topic "Daily Operations."
For more information about each queue, common causes of problems in each queue, and
how you can troubleshoot mail-flow issues, see Microsoft Knowledge Base article 823489,
"How to Use Queue Viewer to Troubleshoot Mail Flow Issues"
(http://go.microsoft.com/fwlink/?LinkId=3052&kbid=823489).
Messages that are queued for extended periods of time. Unless an Exchange 2003
server handles an extremely high volume of e-mail messages, the server will not typically
have queued messages for any extended duration. Having extended periods of queuing
87
typically indicates a system issue that warrants your attention. Review your performance
metrics to see if some other performance issues are causing e-mail messages to queue.
If not, look for connectors or servers that are down or not functioning. SMTP protocol
logging might also help you discover the problem.
Peaks in queued messages. Spikes in queued messages can occur when someone
sends:
These conditions are not cause for alarm. However, you must review the security of your
Exchange organization if either of the following conditions exists:
A large volume of messages is queued to one recipient or e-mail address. A large volume
of messages queued to one recipient or e-mail address can be a symptom of a spam
attack on an e-mail loop or a denial-of-service (DoS) attack.
You must be able to answer some basic questions about your system environment, including
the following:
Peak delivery rate, the peak period during the day, and the peak day of the week
You must create a Performance console that lets you see the entire system environment and
also register even minor changes in the performance of your servers. The guidelines for
creating a Performance console are as follows:
88
Create a Performance console with two charts that have two different sample times, such
as:
MSExchangeIS\RPC Requests
MSExchangeIS\RPC Operations/sec
MSExchangeIS\RPC Averaged Latency
PhysicalDisk(_Total)\Disk Transfers/sec
Examine your busiest server to gather information about why the server is so busy and to
understand what performance issues can be resolved when the server does not perform
as well as the other servers.
Save reference log files in order to develop historical baseline data that will enable you to
see what changes have occurred so you can then deal with them in growth over time.
For more information about creating a performance baseline for your server, see
Troubleshooting Microsoft Exchange Server 2003 Performance
(http://go.microsoft.com/fwlink/?LinkId=22811).
maintenance tasks required to keep your Exchange server performing optimally. Use these
following checklists as is, or adapt them to suit your company's specific needs.
Date:
90
Completed Task
Completed Task
IIS metabase
Completed Task
Completed Task
For example:
Event: 1221
Type: Information
Category: General
Event: 1221
Type: Information
Category: General
Checklist: Summary
Prepared by:
Date:
Completed Daily
Check backups
Check backups
Completed Weekly
Create reports
Completed Monthly
Do capacity planning
Prepared by:
Date:
Completed Task
Prepared by:
Date:
Completed Task
Prepared by:
Date:
97
Completed Task
Prepared by:
Date:
Completed Task
Prepared by:
Date:
Completed Task
Prepared by:
Date:
Completed Task
99
Prepared by:
Date:
Completed Task
Prepared by:
100
Date:
Completed Task
Prepared by:
Date:
Completed Task
Completed Task
% Processor Time
Available MBs
Prepared by:
Date:
Completed Task
102
Prepared by:
Date:
Completed Task
Note:
This process can be time-
consuming.
103
Prepared by:
Date:
Completed Task
Note:
If you are a medium-size
organization, examine your event
logs weekly.
Prepared by:
Date:
104
Completed Task
Prepared by:
Date:
Completed Task
Prepared by:
Date:
Completed Task
Prepared by:
Date:
Completed Task
Completed Task
Prepared by:
Date:
Completed Task
Completed Task
Prepared by:
Date:
Completed Task
Completed Task
Copyright
The information contained in this document represents the current view of Microsoft
Corporation on the issues discussed as of the date of publication. Because Microsoft must
respond to changing market conditions, it should not be interpreted to be a commitment on
the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information
presented after the date of publication.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting
the rights under copyright, no part of this document may be reproduced, stored in or
introduced into a retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording, or otherwise), or for any purpose, without the express
written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you
any license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the companies, organizations, products, domain names, e-mail
addresses, logos, people, places, and events depicted in examples herein are fictitious. No
association with any real company, organization, product, domain name, e-mail address,
logo, person, place, or event is intended or should be inferred.
Microsoft, MS-DOS, Windows, Windows Server, Windows Vista, Active Directory, ActiveSync,
ActiveX, Entourage, Excel, FrontPage, Hotmail, JScript, Microsoft Press, MSDN, MSN,
Outlook, SharePoint, Visual Basic, Visual C++, Visual Studio, Win32, Windows Mobile,
Windows NT, and Windows Server System are either registered trademarks or trademarks of
Microsoft Corporation in the United States and/or other countries.