Saturday, December 20, 2008

DPM SP1 is released

Data Protection Manager SP1 is released. Some of the new features are protection of Hyper-V, Exchange SCR machines, local data backup of files, and servers in other forests.
Read the "Description of System Center Data Protection Manager 2007 Service Pack 1" at http://support.microsoft.com/default.aspx/kb/959605 for the complete feature list, download and installation instructions.

Friday, November 21, 2008

Tuesday, October 28, 2008

Named properties bloat

Every mail item carries a number of MAPI properties and perhaps some non-MAPI properties. Each of these properties gets an ID and is stored in the named properties cache table. This table is located in each Exchange database and consists of three categories: non-MAPI properties, MAPI properties and replication IDs.
The named properties cache has a limit of 32766 IDs. You can monitor how much of the table is used with performance counters, but you must first enable additional Information Store logging, see http://support.microsoft.com/?kbid=254606. The article is for older versions of Exchange, but it still applies to Exchange 2007.

Change the Library string located in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\Performance
Change the string value from c:\exchsrvr\bin\mdbperf.dll to C:\Program Files\Microsoft\Exchange Server\bin\mdbperfX.dll (or to wherever your mdbperfx.dll is located)
After you modify this registry value, you must restart Performance Monitor to see the new counters. The new counters are located under the MSExchangeIS Mailbox and MSExchange Public object. The counters that you should monitor are:
Rows in NamedProps Table
Rows in ReplidMap Table
Rows in NamedProps Table
Rows in ReplidMap Table

How does the named properties table get populated?
Remember that this table is per database. This means that when a message is stored in a database, the property IDs from the message are stored in the named properties table, and if those IDs don’t exist they are added. So over time this table grows. The message can come from Outlook, be a public folder replication message, or be a message received by SMTP.

Properties on messages within Exchange are transferred with the help of the XEXCH50 blob or with the help of X- headers. X- headers in SMTP messages are not mandatory and are user defined. This means that if some application wants to add functionality to SMTP, it can add its own commands with the help of X- headers. For more info about X- headers see RFC822, Extension-Field and User-Defined-Field. http://tools.ietf.org/html/rfc822
X- headers can be used not only for additional SMTP verbs but also for transferring information, so when Exchange receives a mail with an x- header in it, Exchange translates this x- header to a named property.
Exchange writes an entry to the application log whenever something is added to the named properties table.
Here you see the ‘x-myownheader’ getting added.

EventID: 9873
Source: MSExchangeIS
A named property has been created for the database "/o=Home/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=MB2/cn=Microsoft Private MDB".
ID: 0x8519
Named property GUID: 00020386-0000-0000-c000-000000000046
Named property name/ID: x-myownheader
The following user is attempting to create the named property: "N/A"
Protocol: MAPI
Client type: Transport
Client version: 2049.0.33059.1

This is all good, but there is one problem: you can run out of space in the named properties table, and when this happens you’re in deep trouble since it will cause mail flow issues.
Here is some more info about named properties http://technet.microsoft.com/en-us/library/bb851495(EXCHG.80).aspx There is also a resolution at the end of the article.
The short version is to move all mailboxes to another database, delete the original database files and move the mailboxes back to the original database, nothing you want to do more than necessary.
Here is more info about this problem http://technet.microsoft.com/en-us/library/bb851492(EXCHG.80).aspx

When this table starts to get near the quota limit, you get warnings like this in the application event log.

The number of named properties created for database "SG02\Store02" is close to quota limit.
Current number of named properties: 8172
Quota limit for named properties: 8192
User attempting to create the named property: "MB2$"
Named property GUID: 00020386-0000-0000-c000-000000000046
Named property name/id: "x-myownheader"

There is some tweaking you can do regarding the cache, but it will probably not help you in the long run since there is a hardcoded upper limit of 32766 IDs in the table. http://technet.microsoft.com/en-us/library/bb851493(EXCHG.80).aspx

How to stop the named prop table population?
Well, you cannot stop the population, but you can stop unwanted x- headers from reaching the Information Store, and that will stop most of it. Most of these x- headers come with mail received from the Internet. If you have a gateway that can strip the x- headers from mail, you’re lucky. If you don’t have this functionality in your gateway, you can install the HeaderFilterAgent on your Exchange 2007 Edge or Hub server. Download and installation instructions are at http://www.codeplex.com/HeaderFilterAgent

This beautiful small piece of code strips all x- headers from anonymously received mail, except those on a white list that you can create. By only handling anonymous mail, it lets mail between Exchange servers flow untouched.
This agent helps protect your databases from getting a full named properties table, and you from getting into trouble.

But what if you don’t have Exchange 2007?
With Exchange 2003 or Exchange 2000 you should be able to write an SMTP transport sink that does the same thing, even though it’s much harder than writing managed code for Exchange 2007.
There is also KB 941060 http://support.microsoft.com/kb/941060, which doesn’t say that it handles the named properties cache, but it contains some other handling that decreases the problem a bit.
Of course you can also put an Exchange 2007 Edge or Hub server role in front of your Exchange 2000/2003 servers and run HeaderFilterAgent on Exchange 2007.
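
To see which x- headers are filling the table before you decide what to filter or white-list, you can summarize the event text shown earlier in this post. The following is an added example, not code from the original post or from HeaderFilterAgent; the function names, database names and header names are made up for illustration, and the sample event text is constructed in the same layout as the events above.

```powershell
# Added example. Function names and all sample values below are constructed.

function ConvertFrom-NamedPropEvent {
    # Turns the message text of "named property has been created" events into objects.
    param([string[]]$Message)
    foreach ($text in $Message) {
        if ($text -notmatch 'Named property name/ID:\s*"?(?<name>[^"\r\n]+)') { continue }
        $name = $Matches['name'].Trim()
        $db = ''
        if ($text -match 'for the database "(?<db>[^"]+)"') { $db = $Matches['db'] }
        $client = ''
        if ($text -match 'Client type:\s*(?<ct>[^\r\n]+)') { $client = $Matches['ct'].Trim() }
        New-Object PSObject -Property @{
            Database   = $db
            Name       = $name
            ClientType = $client
            FromHeader = ($name -like 'x-*')   # named property created from an x- header
        }
    }
}

function Get-NamedPropGrowth {
    # Per database: number of IDs created, and which x- headers caused them.
    param([string[]]$Message)
    ConvertFrom-NamedPropEvent -Message $Message | Group-Object Database | ForEach-Object {
        $headers = @($_.Group | Where-Object { $_.FromHeader } |
                     ForEach-Object { $_.Name.ToLower() } | Sort-Object -Unique)
        New-Object PSObject -Property @{
            Database    = $_.Name
            Created     = $_.Count
            FromHeaders = $headers.Count
            HeaderNames = ($headers -join ', ')
        }
    }
}

function Get-NamedPropQuotaHeadroom {
    # Parses the "close to quota limit" warning text and returns the IDs that are left.
    param([string]$Message)
    if ($Message -notmatch 'Current number of named properties:\s*(?<cur>\d+)') { return $null }
    $current = [int]$Matches['cur']
    if ($Message -notmatch 'Quota limit for named properties:\s*(?<max>\d+)') { return $null }
    $limit = [int]$Matches['max']
    New-Object PSObject -Property @{
        Current   = $current
        Limit     = $limit
        Remaining = $limit - $current
    }
}

# Constructed sample events (same field labels as the events shown in this post).
$created = @(
@'
A named property has been created for the database "SG01\Store01".
Named property name/ID: x-constructed-scanner
Protocol: MAPI
Client type: Transport
'@,
@'
A named property has been created for the database "SG01\Store01".
Named property name/ID: X-Constructed-Campaign-Id
Protocol: MAPI
Client type: Transport
'@,
@'
A named property has been created for the database "SG02\Store02".
Named property name/ID: ConstructedCustomProperty
Protocol: MAPI
Client type: User
'@
)

$warning = @'
The number of named properties created for database "SG02\Store02" is close to quota limit.
Current number of named properties: 8172
Quota limit for named properties: 8192
'@

# Live input instead of the samples (run on the mailbox server):
#   $created = Get-EventLog -LogName Application |
#       Where-Object { $_.Source -eq 'MSExchangeIS' -and $_.EventID -eq 9873 } |
#       ForEach-Object { $_.Message }

Get-NamedPropGrowth -Message $created |
    Format-Table Database, Created, FromHeaders, HeaderNames -AutoSize
Get-NamedPropQuotaHeadroom -Message $warning
```

The header names listed per database are the ones an x- header filter on the gateway, Edge or Hub server would have kept out of the store.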

Tuesday, October 14, 2008

Information about OCS 2007 R2

Finally Microsoft has revealed information about the next version of Office Communications Server, OCS 2007 R2, or simply OCS R2 as it’s sometimes called.
http://www.microsoft.com/presspass/press/2008/oct08/10-14OCSR2PR.mspx and
http://nomorephones.spaces.live.com/

Among the things I like most are SIP trunking, persistent group chat and the Attendant console.

There is also info at Office Communication website http://www.microsoft.com/communicationsserver/en/us/default.aspx

Wednesday, October 8, 2008

Update Rollup 4 for Exchange Server 2007 SP1 (KB 952580)

Rollup 4 for Exchange Server 2007 SP1 is released.
http://www.microsoft.com/downloads/details.aspx?FamilyId=8B492ED2-EA92-412F-A852-3AA1C58D9499&displaylang=en
This update is marked V2 so that it overwrites the accidental prerelease of RU4 one month ago.

This is a must since it contains a lot of bug fixes. http://support.microsoft.com/?kbid=952580

Wednesday, October 1, 2008

Reawarded again

Got a mail this afternoon from Microsoft.

Dear Lasse Pettersson,

Congratulations! We are pleased to .........bla bla bla ..... MVP award.

So this means that I am rewarded again for another year with MVP status.

Sunday, September 21, 2008

Powershell scripts at SEForum

Recently I spoke at Sharepoint and Exchange forum http://www.seforum.se/ One of the sessions was about PowerShell scripts.

The two most valuable scripts are Get-ExchangeStorageInfo.ps1 and Create-User.ps1
Get-ExchangeStorageInfo gathers information about your Exchange databases, storage groups, files and disk utilization. Pretty handy to run now and then to monitor your Exchange storage.

The other script, Create-User, creates Windows accounts with a home folder and mailbox, joins the account to groups, sets permissions on folders etc. The script itself is not that fancy and could be more straightforward and smarter. Its intention was to show various techniques that can be used from PowerShell. One popular thing is to show a Windows form for user input instead of questions in the script itself.

To make this script work there are a bunch of prerequisites (OU structure, variables, file share etc.), so you will not be able to download it and just make it work; you have to put in some effort yourself.

The script can be downloaded from http://www.seforum.se/Pages/20088115544100.aspx

Sunday, August 17, 2008

The Autodiscover song

If you like Exchange 2007 Autodiscover functionality which you should, you might enjoy the Autodiscover song http://blog.seattlepi.nwsource.com/microsoft/archives/145822.asp

Info about Autodiscover http://technet.microsoft.com/en-us/library/bb124251.aspx and the White paper http://technet.microsoft.com/en-us/library/bb332063.aspx

Thursday, August 14, 2008

Exchange Server Remote Connectivity Analyzer

Have you ever needed to do some testing of your Exchange server from Internet?
Well here is a site that can do some pretty valuable tests of your server.

Exchange Server Remote Connectivity Analyzer https://www.testexchangeconnectivity.com/

Be careful with the account and password that you submit; it should only be a test account, and it should be deleted afterwards for best security.

Friday, July 25, 2008

Grant permission to change permission on mailboxes

To change mailbox permissions on Exchange 2003 mailboxes you must have the Exchange Full Administrator right. In many organizations only a few people have this right, but the need to change mailbox permissions is quite big; often the need is to give a user Full mailbox access to a mailbox that is unmonitored.

And there we have a conflict: do we trust the helpdesk or a novice Exchange administrator with the Exchange Full Administrator permission? Probably not. So what can be done?

Luckily there is a way to grant the permission to change permissions on mailboxes without being the big Exchange administrator, sort of.

Use Exchange Management Console, drill down to a mailbox database, right-click it, click Properties and select the Security tab. Add the helpdesk group and allow only Change Permission and Administer Information Store.
Change Permission will inherit down to the mailboxes. The helpdesk group must also have Active Directory permission to manage user accounts. This is done with normal AD delegation.
Unfortunately the helpdesk group must also have the Administer Information Store permission to get what we want. With this right they can also dismount and mount that database.

Two links that help you understand things better.
http://support.microsoft.com/kb/329236
http://technet.microsoft.com/en-us/library/bb124053.aspx

This is not the ideal solution, but if there is a need for setting mailbox permission without being Full Exchange Administrator, this solution can help.

Thursday, July 17, 2008

Automatic installation of Rollups with Exchange 2007

Have you ever gotten tired of applying Service Packs or hotfixes after you installed Exchange? With Exchange 2007 you can do this automatically.
Copy the complete Exchange DVD to a folder and then copy the rollup fix to the Updates folder. The finished result looks like this.

2008-05-02 19:26 DIR scripts
2008-05-02 19:26 DIR Setup
2008-05-02 19:30 DIR Updates
2007-11-27 09:29 21244928 exchangeserver.msi
2007-11-27 09:29 63 autorun.inf
2007-11-27 09:29 361472 setup.com
2007-11-27 09:29 9228 relnotes.htm
2007-11-27 09:29 519296 setup.exe


In the updates folder you have readme.txt plus the rollup patch file.

2008-07-16 18:14 35991040 Exchange2007-KB949870-x64-EN.msp
2007-11-27 09:30 60 readme.txt

So when you run setup and install Exchange, the setup process will automatically apply the patch in the Updates folder.
Pretty slick if you ask me.

Thursday, July 3, 2008

ISA server 2006 SP1 is released

Finally ISA 2006 SP1 is released to the public. It contains many new features such as Diagnostic log viewing, Traffic Simulator, better NLB support, better Kerberos Constrained Delegation support, support for client cert authentication without domain join, Configure Change Tracking log, and support for SAN certificates, which is a big thing for Exchange 2007 and OCS 2007 servers.
Read these articles before installing http://support.microsoft.com/kb/885957
Here is the update http://www.microsoft.com/downloads/details.aspx?FamilyID=d2feca6d-81d7-430a-9b2d-b070a5f6ae50&DisplayLang=en

Thursday, June 26, 2008

Hyper-V is released

Finally Hyper-V is released. Download from http://www.microsoft.com/hyper-v.
It should also be available on Microsoft Update on July 8, 2008
More and good info is at http://blogs.technet.com/virtualization/archive/2008/06/26/wu-hoo-only-12-days-to-wu.aspx

Keep an eye open for more info about Exchange and Hyper-V within 60 days from now.

Saturday, June 21, 2008

Exchange Web Services Windows Vista Gadget Sample Application

If you’re into Vista sidebar gadgets or want to know how to use Exchange 2007 Web services, this one is for you.

It’s a Vista gadget that retrieves Inbox, Calendar, and Task information from a user's Microsoft Exchange Server 2007 mailbox.
Link for download is here http://www.microsoft.com/downloads/details.aspx?FamilyID=f9a0d33c-c894-4ea1-ad20-4e418c715175&DisplayLang=en

Default installation directory is “C:\Program Files\Microsoft\ExDevCenterDownloads\EWSVistaGadgetSample” and there you will find a document with lots of info about this gadget
Also see “C:\Users\username\AppData\Local\Microsoft\Windows Sidebar\Gadgets\ExchangeWebServices.gadget” directory for the gadget HTML files

Friday, June 13, 2008

Testexchangeconnectivity website open

Microsoft has built a site for testing some Exchange 2007 functionality.
https://testexchangeconnectivity.com/
Be sure that you use a test account when entering credentials then sit back and enjoy the show.

Wednesday, June 11, 2008

Backup of Exchange 2007 on Windows 2008

With Windows 2008 there is no more NTBackup that you can use to back up an Exchange 2007 server, and the Windows team did not put support for Exchange streaming backup into the new Windows 2008 backup software.

There are unsupported workarounds that involve copying DLLs and using the old NTBackup, but that’s not the recommended way of doing it.

Thankfully Microsoft listened and acted on people’s requests, and they will create an add-on, or whatever it’s going to be called, to the Windows 2008 backup software that can be used for Exchange backups. It will also use the modern way of doing backup with the help of the VSS framework.

The sad story is that it’s not downloadable at this moment, but the word is that it will be this summer.

IPV6 on Windows 2008 together with Exchange 2007 SP1

Exchange 2007 SP1 has support for IPV6 under certain circumstances. http://technet.microsoft.com/en-us/library/bb629624.aspx
Since most people don’t use IPV6 on their network, I suggest that you disable it (it cannot be uninstalled). This is done in 3 steps.
· Uncheck the IPV6 checkbox in your NIC settings.
· Edit the hosts file and disable the line “::1 localhost”, that is, put a # sign at the front.
· The last thing to do is edit a registry value: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisabledComponents, and put in a DWORD with a value of 0xffffffff
This will turn off IPV6 for everything except the loopback traffic, and Exchange does not have an issue with that. For more ref. see http://support.microsoft.com/kb/929852
You have to reboot your server after editing this registry value.

Doing all this will also resolve some other issues. The most famous one is the problem with the RPCProxy component only listening on IPV4; disabling IPV6 makes Outlook Anywhere work again.

Saturday, June 7, 2008

Remove proxyaddresses powershell script

A friend of mine approached me with a question about email addresses on his Exchange servers the other day. He wanted to remove some old SMTP addresses that were no longer used, and of course not the manual way by clicking each recipient and removing the address; some sort of script was needed.
He is using Exchange 2007 so I figured a PowerShell script would do it. This is the PowerShell script I created. It can certainly be made more flexible and efficient, but this one still functions well. Create a file “remove_proxyaddess.ps1” and edit lines 6 and 13 to suit your environment.

# Remove proxy addresses
# change the Get-Mailbox statement in line 6 to select only a subset of mailboxes
# change the -like parameter in line 13 to the domain you want to remove

# get mailboxes and iterate through them
Get-Mailbox | foreach {
    # .EmailAddresses returns a collection
    # loop backwards so that RemoveAt() does not shift addresses not yet checked
    for ($i = $_.EmailAddresses.Count - 1; $i -ge 0; $i--)
    {
        $address = $_.EmailAddresses[$i]
        # removes all addresses in the test.domain domain
        if ($address.SmtpAddress -like "*@test.domain" )
        {
            Write-Host("Remove smtp address: " + $address.AddressString.ToString() )
            # remove the address from the collection
            $_.EmailAddresses.RemoveAt($i)
        }
    }
    # save changes
    $_ | Set-Mailbox
}

Run the script from Exchange Management console. The script outputs info to the console, so it is a good idea to set the screen buffer size to a large value so that you can scroll through the output and see what happened when the script ran.

Thursday, May 8, 2008

Sunday, May 4, 2008

Diskpart and Windows 2008

Microsoft claims that there is no need to use diskpart on a Windows 2008 server with Exchange 2007 SP1. If you have built some larger servers with Exchange in the past, it sounds wonderful to skip the diskpart stuff, but if you think about it for a while, what exactly does Exchange have to do with storage track boundaries? Exchange doesn’t know about this, it simply uses the partition presented by the OS. In my opinion this is simply a Windows 2008 server thing.

Why is Windows 2008 better than previous versions of Windows?
In previous versions, when you created partitions with the built-in Disk Management tool, it created a partition that wasn’t always aligned with the underlying disk layout, so sometimes when writing to or reading from disk, Windows was forced to do two reads or writes instead of one, and that is of course bad for performance.
What Windows 2008 does when creating a partition is to move the starting point forward in the same way you manually did when using diskpart.exe, so there should be no misalignment between the physical storage system and the logical partition layout. The storage layout has changed over the years from 32KB chunks to 64KB and sometimes 256KB; Windows 2008 sets the offset to 1MB to be safe in the future. Does anybody remember ‘no one should ever need more than 640KB memory’?

And yes, every application running on Windows 2008 will benefit from this, not only Exchange.

In case you’re interested in how to align Exchange I/O with storage track boundaries with diskpart.exe, here it is http://technet.microsoft.com/en-us/library/aa998219(EXCHG.80).aspx.
This is a must read if you don’t use Windows 2008.

Sunday, April 20, 2008

Outlook Safelist aggregation

If you use the Exchange 2007 Content Filtering Agent for spam fighting, there are occasions when it classifies mail as spam even though it’s not. The Content Filtering Agent uses a whitelist that is managed from Outlook or OWA. By default this whitelist is not propagated to your Edge servers, or to your hub server if you have installed the antispam agents on it. There are two steps to make this happen: first, users must enter addresses into the safelist; next, the administrator must aggregate this information and save it into the AD user object.

This list can be edited in Outlook by clicking Tools > Options > Junk E-mail button > Safe Senders tab. There is also an option here and there in Outlook that says “Add Sender to Safe Senders List”. The list itself is stored inside each user’s mailbox on the Exchange mailbox server.

OK, so how can you get an Exchange 2007 Edge server, or an Exchange HUB/Transport server with the antispam agents installed, to read this info?

It will not happen automatically; the administrator must make this happen. The easiest way is to run the Update-Safelist cmdlet on a scheduled basis. What this command does is read the safelist inside users’ mailboxes and write this info to the users’ AD accounts. Email addresses are hashed before they are saved into the msExchSafeSendersHash attribute, so the information cannot be read and used in a bad way.

If you’re using an Exchange 2007 Edge server, the edge-sync process synchronizes this attribute from Active Directory to the ADAM instance that the Edge server leverages each time edge-sync is run.

The complete process is:
· The user adds addresses to their safelist with the help of Outlook
· The administrator runs the Update-Safelist cmdlet (this should be set up as a scheduled task)
· If you don’t have Edge servers and have the antispam agents installed on your HUB/Transport server, you’re done. The Content Filtering agent on an Edge server has to wait for this info until edge-sync runs.

End users should not expect that their safelist will work at once, because Update-Safelist must be run first, and also the edge-sync process.

Example
· mail from someone@microsoft.com is sent to user1
· user1 has no info in the safelist
· the mail gets a high SCL value and is either blocked or rerouted to the Junk E-mail folder

But if user1 has someone@microsoft.com in the safelist and the administrator has run the Update-Safelist command, the content filter agent sets an SCL value of -1 on the mail and it’s therefore not blocked by the content filter agent.

But if someone@microsoft.com sends the same mail to user2, it will get the high SCL value and either be blocked or rerouted to the Junk E-mail folder. You see, the safelist is personal to each user.

You can see which mail the Content Filter agent is blocking, and why, in the agent log file, by default located in C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\AgentLog

There is also a performance counter that is good to look at when dealing with Safe-Senders. The performance object is “MSExchange Content Filter Agent” and the counter is “Bypassed recipients due to per-recipient Safe-Senders”. This number tells you how many mails have bypassed the content filter agent because users have added mail addresses to their safelist.


How to schedule the safelist aggregation.

Create a PowerShell script file, e.g. “C:\Batch\safelist-aggregation.ps1”
You only need one line of code in that file.
Get-Mailbox | where {$_.RecipientType -eq 'UserMailbox'} | Update-Safelist -Type Both
This will update the safelist from all user mailboxes.
You may need to filter the Get-Mailbox cmdlet so that you don’t get all mailboxes in the search, but only those located on a specific server or database.
“Get-Mailbox -Server …”
“Get-Mailbox -Database …”

Create a scheduled task to run the PowerShell script.
C:\WINDOWS\SYSTEM32\windowspowershell\v1.0\powershell.exe -PSConsoleFile "C:\Program Files\Microsoft\Exchange Server\Bin\ExShell.psc1" -Command C:\batch\safelist-aggregation.ps1

How often the scheduled task is run is up to the administrator to decide. Factors are Active Directory replication, site layout, the number of users to collect safelists from etc.
By enabling safelist aggregation, users will be happier, since mail from their contacts and safelist will not end up as spam in the Junk e-mail folder.

Sunday, April 6, 2008

Anonymous submission and relay of SMTP messages in Exchange 2007

When organizations install Exchange 2007 they often get problems because they have applications, and sometimes users, sending SMTP mail to their mail server. In previous versions of Exchange this was not a problem since they allowed receiving mail without authentication; with Exchange 2007 this is no longer the case. The default setting on the “Default servername” receive connector is not to allow anonymous users.

The easiest thing to do is to check “Anonymous users”, but are you really sure you want to do this? There is a good reason not to allow anonymous submission of SMTP mail, and that’s getting rid of the anonymity on your network. If you really need to accept anonymous submission, then I suggest that you create a new receive connector that allows anonymous users and only accepts mail from certain IP (look on the network tab and ) that cannot send mail authenticated; this also lets the “Default servername” receive connector keep its default settings.

A common misunderstanding is that allowing anonymous users also makes it possible to relay mail; this is not the case. To be allowed to relay, the user or the application must authenticate the SMTP session. If mail is destined to internal users then there is no need to allow relaying; it’s only needed when mail is destined to external recipients.

The default setting on receive connectors is to allow “Exchange users” to relay. Exchange users are all users that have a mailbox, so by creating a mailbox for the application and making the application authenticate, it will also be allowed to relay. The type of authentication is specified on the “Authentication” tab.

The most common authentication method is “Basic Auth.”. The Exchange 2007 setting is to only allow basic auth after TLS has been started, and it is not so common that applications can do TLS. TLS is similar to SSL and it encrypts the transmission, so it’s a good thing if it can be enabled in the application. Integrated Windows Authentication is good to use if your applications can use it.
Another good thing about making your application authenticate when sending SMTP mail is that it bypasses the spam checks done by Exchange. You can see this if you run
Get-ADPermission "receive connector name" | where {$_.User -like 'NT AUTHORITY\Authenticated Users' -and $_.IsInherited -eq $False} | ft User, ExtendedRights -AutoSize

Spam checks are only done if you have installed the antispam agents on your HubTransport server.

If you really want to allow relay without authentication (=anonymous relay) you should read http://msexchangeteam.com/archive/2006/12/28/432013.aspx
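
To check that anonymous submission stays limited to a dedicated, IP-restricted connector as suggested above, you can audit the receive connector settings. The following is an added example, not code from the original post; the function name, connector names and IP addresses are constructed, and it assumes that remote IP ranges print as “start-end” strings and only checks the IPv4 any-address range.

```powershell
# Added example. The connector objects below are constructed stand-ins that use
# the property names returned by Get-ReceiveConnector (Name, PermissionGroups,
# RemoteIPRanges, AuthMechanism). Names and addresses are made up.

function Get-ReceiveConnectorFinding {
    param([object[]]$Connector)
    foreach ($c in $Connector) {
        $groups = "$($c.PermissionGroups)"
        $auth   = "$($c.AuthMechanism)"
        $ranges = @($c.RemoteIPRanges | ForEach-Object { "$_" })

        $anonymous = $groups -match '\bAnonymousUsers\b'
        # Assumption: the "any address" range prints as 0.0.0.0-255.255.255.255
        $anyIp = @($ranges | Where-Object { $_ -eq '0.0.0.0-255.255.255.255' }).Count -gt 0
        # BasicAuth offered without the BasicAuthRequireTLS modifier
        $basicNoTls = ($auth -match '\bBasicAuth\b') -and ($auth -notmatch '\bBasicAuthRequireTLS\b')

        $finding = 'OK'
        if ($anonymous -and $anyIp) {
            $finding = 'Anonymous submission accepted from any address'
        } elseif ($anonymous) {
            $finding = 'Anonymous submission limited to: ' + ($ranges -join ', ')
        }
        if ($basicNoTls) {
            $finding += '; basic auth allowed without TLS'
        }

        New-Object PSObject -Property @{
            Name       = $c.Name
            Anonymous  = $anonymous
            AnyAddress = $anyIp
            Finding    = $finding
        }
    }
}

function New-SampleConnector {
    # Builds a constructed connector object for the demonstration below.
    param([string]$Name, [string]$PermissionGroups, [string[]]$RemoteIPRanges, [string]$AuthMechanism)
    New-Object PSObject -Property @{
        Name             = $Name
        PermissionGroups = $PermissionGroups
        RemoteIPRanges   = $RemoteIPRanges
        AuthMechanism    = $AuthMechanism
    }
}

$sample = @(
    # Default connector with "Anonymous users" checked: anonymous from everywhere.
    (New-SampleConnector 'SRV1\Default SRV1' 'AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers' `
        @('0.0.0.0-255.255.255.255') 'Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer'),
    # Dedicated connector for two application servers that cannot authenticate.
    (New-SampleConnector 'SRV1\Anonymous apps' 'AnonymousUsers' `
        @('192.168.10.20', '192.168.10.21') 'Tls'),
    # Application connector that authenticates, but with basic auth in clear text.
    (New-SampleConnector 'SRV1\Legacy app' 'ExchangeUsers' `
        @('192.168.10.30') 'BasicAuth')
)

# Live input instead of the samples (Exchange Management Shell):
#   $sample = Get-ReceiveConnector
# A dedicated connector like the second sample could be created with (constructed values):
#   New-ReceiveConnector -Name 'Anonymous apps' -Usage Custom -Bindings '0.0.0.0:25' `
#       -RemoteIPRanges 192.168.10.20,192.168.10.21 -PermissionGroups AnonymousUsers

Get-ReceiveConnectorFinding -Connector $sample |
    Format-Table Name, Anonymous, AnyAddress, Finding -AutoSize
```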

Monday, March 17, 2008

Exchange 2003 statistics with Logparser

Often when I try to get some information about a customer’s current Exchange 2003 system, they don’t have a clue how much mail is going through the system. Other unanswered questions are the size of the mail and when mail is delivered. Gathering this type of information is important since it generates numbers to use as input when sizing your upcoming Exchange 2007 servers.

Activate Message tracking:
In these examples I run Logparser against Exchange Message Tracking log files. Other sources of information can be the SMTP protocol log files, but that is another story.
Most Exchange admins have activated Message Tracking, but if you haven’t, start Exchange System Manager and drill down to the Server object, right-click it and select Properties. Select the checkbox “Enable message tracking”. This is activated per server, and if you have multiple servers it’s a good idea to activate it on all of them. It can be done with a System server policy or manually on each server. When activated, log files will be created in C:\Program Files\Exchsrvr\.log\ if you have installed Exchange in the default location.

Message tracking format:
When mail is sent through an Exchange server it goes through several steps before it actually arrives in the recipient’s inbox. Which steps are involved also depends on where the message originates and where it’s sent to. Each event writes a line in the message tracking log file, and therefore every mail is logged several times with different Event-IDs in the file. See Microsoft KB article 821905 for message tracking event IDs in Exchange Server 2003. As stated in the KB article, there is no single event that is logged exactly once for each mail, but the closest match is Event-ID 1019. Which Event-IDs are important depends on what information you want to get from the log files.

Logparser:
What is Logparser? It’s a very nice command line tool for parsing log files. Most log files are in some kind of text format such as CSV or W3C, but it can also read event logs and netmon trace files.
Start by downloading and installing Logparser from http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&DisplayLang=en. If you want results to be displayed as graphs you also need Office Web Components http://www.microsoft.com/downloads/details.aspx?FamilyID=7287252C-402E-4F72-97A5-E0FD290D4B76&displaylang=en. They only exist for Office 2003 but can be used even if you run Office 2007. Logparser is also available as a COM object so it can be used from scripts you write. http://msexchangeteam.com/files/12/attachments/entry445704.aspx
You don’t need to install Logparser on your Exchange server; the simplest is to run it from your PC as long as you have access to the log files.

Running logparser:
Start by copying the message tracking log files you want to examine from your Exchange server to a local directory on your PC. If you open a log file it will be opened with Notepad, which does not do a great job of formatting it; my suggestion is to use WordPad if you want to open and read message tracking log files manually.
Another important factor is which server the log files are copied from: you would get different results using log files from a mailbox server than from a server acting as a hub. Also consider the Event-ID used when parsing log files.

A common request is getting the number of email per day.
"C:\Program Files\Log Parser 2.2\LogParser.exe" "Select Date as Day,Count(*) as email from *.log where Event-ID = 1019 Group By Day" -i:W3C

Output will look like
Day email
--------- -----
2008-2-29 22869
2008-3-1 8479
2008-3-2 7234
2008-3-3 24290
2008-3-4 25504
2008-3-5 25020
2008-3-6 25096
2008-3-7 23806
2008-3-8 16864
2008-3-9 12754
2008-3-10 26683
2008-3-11 47088
2008-3-12 26132
2008-3-13 28605

What happens is that each log file in the current directory is examined for rows where ‘Event-ID = 1019’. The matching rows are counted and grouped by the Date field to get the number of hits per day. In this example I have log files ranging from 29 Feb to 13 Mar.

You can also output the result to jpg file
"C:\Program Files\Log Parser 2.2\LogParser.exe" "Select Date as Day,Count(*) as email Into chart.jpg from *.log where Event-ID = 1019 Group By Day" -i:W3C -o:Chart -Charttype:Line -Charttitle:"Number of emails per day" -View:on





or to a little more fancy 3D graph
"C:\Program Files\Log Parser 2.2\LogParser.exe" "Select Date as Day,Count(*) as email Into chart.jpg From *.log where Event-ID = 1019 Group By Day" -i:W3C -o:Chart -Charttype:Column3D -Charttitle:"Number of emails per day" -View:on



There are many different chart types available. If you run ‘logparser.exe -h -o:Chart’ you get a list of the chart types that are available.
Line,LineMarkers, LineStacked,LineStackedMarkers, LineStacked100,LineStacked100Markers, Line3D,LineOverlapped3D, LineStacked3D,LineStacked1003D, SmoothLine,SmoothLineMarkers, SmoothLineStacked, SmoothLineStackedMarkers,SmoothLineStacked100, SmoothLineStacked100Markers, BarClustered,BarStacked, BarStacked100, Bar3D,BarClustered3D, BarStacked3D,BarStacked1003D, ColumnClustered,ColumnStacked, ColumnStacked100,Column3D, ColumnClustered3D,ColumnStacked3D, ColumnStacked1003D,Pie, PieExploded, PieStacked, Pie3D,PieExploded3D, ScatterMarkers,ScatterSmoothLine, ScatterSmoothLineMarkers, ScatterLine, ScatterLineMarkers, ScatterLineFilled, Bubble,BubbleLine, Area, AreaStacked,AreaStacked100, Area3D, AreaOverlapped3D, AreaStacked3D, AreaStacked1003D, Doughnut, DoughnutExploded,RadarLine, RadarLineMarkers,RadarLineFilled, RadarSmoothLine,RadarSmoothLineMarkers, StockHLC,StockOHLC, PolarMarkers, PolarLine,PolarLineMarkers, PolarSmoothLine,PolarSmoothLineMarkers

When examining these statistics we can see that there is low volume on the 1st, 2nd, 8th and 9th of March, and that should not be a surprise since those days are weekends. On the 11th we can see a higher volume.

Number of emails per hour:
"C:\Program Files\Log Parser 2.2\LogParser.exe" "Select Quantize(To_Timestamp(To_String(Extract_Prefix(Time,0,' ')),'h:m:s'),3600) as Hour,count(*) as email Into chart.jpg from 20080311.log where Event-ID = 1019 GROUP BY Hour ORDER BY Hour ASC" -i:W3C -o:Chart -Charttype:Line -Charttitle:"Number of emails per hour" -View:on

We can see that there is a high volume of email between 9 and 12 AM.
This logparser command reads the Time field and manipulates it into timestamp format in order for the Quantize function to work. The result from Quantize is then summarized per hour and displayed in a line graph.


Or by adding all email from all log files per hour.
"C:\Program Files\Log Parser 2.2\LogParser.exe" "Select Quantize(To_Timestamp(To_String(Extract_Prefix(Time,0,' ')),'h:m:s'),3600) as Hour,count(*) as email Into chart.jpg from *.log where Event-ID = 1019 GROUP BY Hour ORDER BY Hour ASC" -i:W3C -o:Chart -Charttype:Line -Charttitle:"Number of emails per hour" -View:on

Other useful information is who is receiving most mail.
"C:\Program Files\Log Parser 2.2\LogParser.exe" "Select Top 10 Recipient-Address as Recipient,Count(*) as hits From *.log Where Event-ID = 1019 Group By Recipient Order By hits DESC" -i:W3C


Who is sending most email.
"C:\Program Files\Log Parser 2.2\LogParser.exe" "Select Top 10 Sender-Address as Sender,Count(*) as hits From *.log Where Event-ID = 1019 Group By Sender Order By hits DESC" -i:W3C



Which domain is receiving most email.
"C:\Program Files\Log Parser 2.2\LogParser.exe" "Select Top 10 Extract_SUFFIX(Recipient-Address,0,'@') as Recipient,Count(*) as Hits from *.log Where Event-ID = 1019 Group By Recipient Order By Hits DESC" -i:W3C



Average size of email per day.
"C:\Program Files\Log Parser 2.2\LogParser.exe" "Select Date,AVG(total-bytes) From *.log Where Event-ID = 1019 Group By Date" -i:W3C

Date AVG(ALL total-bytes)
--------- --------------------
2008-2-29 156344
2008-3-1 53003
2008-3-2 104991
2008-3-3 158491
2008-3-4 190721
2008-3-5 178313
2008-3-6 188157
2008-3-7 168273
2008-3-8 25809
2008-3-9 46874
2008-3-10 170719
2008-3-11 89262
2008-3-12 180671
2008-3-13 181731

Or just the average size of email in all log files.
"C:\Program Files\Log Parser 2.2\LogParser.exe" "Select AVG(total-bytes) From *.log Where Event-ID = 1019 " -i:W3C

AVG(ALL total-bytes)
--------------------
144804

This gives us an average message size of 141KB


Thursday, March 6, 2008

The first post

A couple of people are constantly telling me that I should start a blog about Exchange, and here it is. So who am I? For starters I am a Microsoft Exchange Server MVP and have been for a couple of years. I live in Sweden, just outside of Stockholm in the countryside with my family, which includes a couple of horses for relaxation from the hectic life of an IT consultant. I will probably write mostly about Exchange, but there will be other stuff such as OCS and non-IT-related things.