IT tutorials
Applications Server

Exchange Server 2013 Management and Maintenance Practices (part 3) - Auditing the Environment

12/22/2014 8:01:01 PM
- How To Install Windows Server 2012 On VirtualBox
- How To Bypass Torrent Connection Blocking By Your ISP
- How To Install Actual Facebook App On Kindle Fire

Mail Flow Tools

The Mail Flow Troubleshooter is a utility that assists with troubleshooting common mail flow issues in an Exchange Server environment. Administrators can input the issues they are encountering, and the utility gathers information, diagnoses the environment, and presents a recommended plan of action.

The Tracking Log Explorer utility allows administrators to search for messages and track them through the Exchange Server environment. Message tracking can be extremely useful for determining where a message was delayed or “stuck” in the messaging environment.

Message Tracking, which once was part of the Mail Flow Tools is not part of the Exchange Administration Center message tracking section. The messaging tracking enables an administrator to search the mail store for messages that meet a certain criteria.

Exchange Queue Viewer

The Exchange Queue Viewer is another utility included in the Exchange Toolbox. The Exchange Queue Viewer is used to view the contents of the queues for each particular protocol on a server. Although this tool is more of a troubleshooting tool, it is important to periodically check protocol queues (for example, SMTP or X.400 queues) to ensure that no delivery problems exist.

Details Templates Editor

The Details Templates Editor is used to modify the graphical user interface for document templates for contacts, users, groups, mailbox agents, public folders, and search dialog boxes. When an organization wants to modify the default templates to add a custom field, change the size or type of an existing field, or modify the template form, it should use the Details Templates Editor.

Active Directory Database Maintenance Using ntdsutil

Exchange Server 2013 uses Windows Active Directory to store all its directory information. As a result, it is important to keep AD as healthy as possible to ensure that Exchange Server 2013 remains reliable and stable.

Windows Server automatically performs maintenance on Active Directory by cleaning up the AD database on a daily basis. The process occurs on domain controllers approximately every 12 hours. One example of the results of this process is the removal of tombstones, which are the “markers” for previously deleted objects. In addition, the process deletes unnecessary log files and reclaims free space.

The automatic daily process does not, however, perform all maintenance necessary for a clean and healthy database. For example, the maintenance process does not compress and defragment the Active Directory database. To perform this function, the ntdsutil command-line utility is needed.


To avoid possible adverse effects with the AD database, run ntdsutil in Directory Service Restore mode. Reboot the server, press the F8 key, and then select this mode of operation.

To use ntdsutil to defragment the Windows Active Directory database, perform the following steps:

1. Restart the domain controller.

2. When the initial screen appears, press the F8 key.

3. From the Windows Advanced Options menu, select Directory Services Restore Mode.

4. Select the Windows Server operating system being used.

5. Log on to the Windows Server system.

6. Click OK when the informational message appears.

7. At a command prompt, create a directory where the utility can store the defragmented file. For example, C:\NTDS.

8. At a command prompt, type ntdsutil files, and then press Enter.

9. At the file maintenance prompt, type compact to <TargetDirectory>, where <TargetDirectory> identifies the empty directory created in step 7. For example:

compact to c:\ntds

This invokes the esentutl.exe utility to compact the existing database and write the results to the specified directory.

10. If compaction was successful, copy the new ntds.dit file to %systemroot%\NTDS, and delete the old log files located in that directory.

11. Type quit twice to exit the utility.

12. Restart the domain controller.

This typically needs to be done only following a large migration or reorganization of the Active Directory forest, rather than on a routine basis.

Database Maintenance with the eseutil Utility

The eseutil utility is a database-level utility that is not application-specific. It can, for example, be used to maintain, test, and repair both AD and Exchange Server databases. More specifically, eseutil is used to maintain database-level integrity, perform defragmentation and compaction, and repair even the most severely corrupt databases. It is also the utility to use when maintaining Exchange Server 2013 transaction log files to determine which transaction logs need to be replayed or which log file the Edb.chk file points to.


Using the eseutil utility on an AD or Exchange Server database can produce irreversible changes.

It is best to restore a copy of a suspected corrupt database in a lab environment, and then run eseutil against that copy prior to any attempts to use it in a production environment.


eseutil investigates the data that resides in the database table for any corruption or errors, which is why it is called a database-level utility. The eseutil options are shown in Table 1.

Table 1. eseutil Syntax


The eseutil tool repairs the mailbox and public folder databases (database files, tables, and indexes), whereas the isinteg tool repairs the contents of the mailbox and public folder databases (messages, links, and attachments).


Because Exchange Server 2013 data is commonly replicated using database availability groups (DAGs) and subsequent copies of Exchange databases are available on the network, the eseutil is not used that frequently anymore. While database corruption may exist in one copy of the database, another copy of the organization’s database may reside on another DAG copy without corruption. Eseutil should only be used when other alternatives for database repair do not exist, and eseutil is the last resort for data recovery.

Auditing the Environment

Various methods of auditing the Exchange Server environment exist to gather and store records of network and Exchange Server access and to assist with the monitoring and tracking of SMTP connections and message routing.

Typically used for identifying security breaches or suspicious activity, auditing has the added benefit of allowing administrators to gain insight into how the Exchange Server 2013 systems are accessed and, in some cases, how they are performing.

This article focuses on three types of auditing:

Audit logging—For security and tracking user access

SMTP logging—For capturing SMTP conversations between messaging servers

Message tracking—For tracking emails through the messaging environment

Audit Logging

In a Windows environment, auditing is primarily considered to be an identity and access control security technology that can be implemented as part of an organization’s network security strategy. By collecting and monitoring security-related events, administrators can track user authentication and authorization, as well as access to various directory services (including Exchange Server 2013 services).

Exchange Server 2013 relies on the audit policies of the underlying operating system for capturing information on user access and authorization. Administrators can utilize the built-in Windows Server event auditing to capture data that is written to the security log for review.

Enabling Event Auditing

Audit policies are the basis for auditing events on Windows Server systems. Administrators must be aware that, depending on the policies configured, auditing might require a substantial amount of server resources in addition to those supporting the primary function of the server. On servers without adequate memory, processing power or hard drive space, auditing can potentially result in decreased server performance. After enabling auditing, administrators should monitor server performance to ensure the server can handle the additional load.

To enable audit policies on a Windows Server 2008 or 2008 R2 server, perform the following steps:

1. On the server to be audited, log on as a member of the local Administrators group.

2. Select Start, Administrative Tools, and launch the Local Security Policy tool.


For a Windows Server 2012 environment, press the Windows key to bring up the Metro desktop menu, type local (which will start to search for any application or utility that has the word local in it), and choose the Local Security Policy tool.

3. Expand Local Policies and select Audit Policy.

4. In the right pane, double-click the policy to be modified.

5. Select to audit Success, Failure, or both.

6. Click OK to exit the configuration screen, and then close the Local Security Policy tool.

Figure 5 shows an example of typical auditing policies that might be configured for an Exchange server.


Figure 5. Windows Server 2008 audit policy setting example.

These audit policies can be turned on manually by following the preceding procedure, configuring a group policy, or by the implementation of security templates.


After enabling audit policies, Windows event logs (specifically the security log) will capture a significant amount of data. Be sure to increase the “maximum log size” in the security log properties page. A best practice is to make the log size large enough to contain at least a week’s worth of data, and configure it to overwrite as necessary so that newer data is not sacrificed at the expense of older data.

Viewing the Security Logs

The events generated by the Windows Server auditing policies can be viewed in the security log in the Event Viewer.

Understanding the information presented in the security log events can be a challenge. The event often contains error codes, with no explanation on their meaning. Microsoft has taken strides to make this easier by providing a link to the Microsoft Help and Support Center within the event.

When an administrator clicks on the link, the Event Viewer asks for permission to send information about the event to Microsoft. Administrators can select the option to always send information if they want, and can then click Yes to authorize the sending of the data. A connection is made to the Help and Support Center, and information about the Event ID is displayed. This information can be invaluable when trying to decipher the sometimes cryptic events in the security log.

Administrators can use the Filter feature (from the View menu) to filter the events based on various fields. In addition, when searching for a specific event within a specific time frame, administrators can select a specific window of time to filter on.

The information supplied here on viewing security log Event IDs is intended to help administrators get a basic understanding of the topic. There is much more that can be learned on the subject of security auditing and event monitoring, and the Microsoft website is an excellent resource for doing so.

- Exchange Server 2013 Management and Maintenance Practices (part 2) - Remote Connectivity Analyzer
- Exchange Server 2013 Management and Maintenance Practices (part 1) - Maintenance Tools for Exchange Server 2013
- Microsoft Sharepoint 2013 : Administering Sharepoint with Windows Powershell - Basic PowerShell Usage (part 3) - Controlling Output
- Microsoft Sharepoint 2013 : Administering Sharepoint with Windows Powershell - Basic PowerShell Usage (part 2) - PowerShell Help , PowerShell Variables
- Microsoft Sharepoint 2013 : Administering Sharepoint with Windows Powershell - Basic PowerShell Usage (part 1) - Listing the SharePoint Commands
- Microsoft Sharepoint 2013 : Administering Sharepoint with Windows Powershell - Commands
- Microsoft Sharepoint 2013 : Microsoft SharePoint 2013 Management Shell and Other Hosts
- Microsoft Lync Server 2013 : Dependent Services and SQL - Server Certificates - Installing Lync Certificates
- Microsoft Lync Server 2013 : Dependent Services and SQL - Domain Name System - DNS Load Balancing , Automatic Client Sign-in
- Microsoft Lync Server 2013 : Dependent Services and SQL - Active Directory (part 2) - Forest Prep, Domain Prep, Lync Server 2013 Security Groups
Top 10
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
programming4us programming4us
Popular tags
Video Tutorail Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 Adobe Indesign Adobe Flash Professional Dreamweaver Adobe Illustrator Adobe After Effects Adobe Photoshop Adobe Fireworks Adobe Flash Catalyst Corel Painter X CorelDRAW X5 CorelDraw 10 QuarkXPress 8 windows Phone 7 windows Phone 8 BlackBerry Android Ipad Iphone iOS