How Message Tracking Works
Find out how to enable message tracking in Exchange and how to use log files to see where a message went.
May 31, 1998
How many times have users complained that a message they sent hasn't been delivered? In a world of heterogeneous messaging systems, proving that a message has made it to a recipient's mailbox is sometimes difficult. But inside an Exchange organization, message tracking can make your job easier.
Exchange Server's message tracking feature can record every stage of a message's journey from originator to recipient across multiple servers. The Message Tracking Center, in Microsoft Exchange Administrator, can examine information that Exchange records in log files. Exchange captures message data from all clients—Messaging API (MAPI), Internet Message Access Protocol (IMAP) 4, Post Office Protocol (POP) 3, and Web browsers—and you can track them all in the same way. In this article, I'll tell you how to enable message tracking and how to use log files to see where a message went.
Enabling Tracking
To begin, check Enable message tracking on the Site Configuration Properties page's General tab. You must enable message tracking on all the components that contribute to message routing:
The Information Store service, which handles delivery of messages to local recipients (mailboxes on the same server).
The Message Transfer Agent (MTA), which handles message fan-out, the process that provides copies of messages to all the connectors required to transfer messages to recipients. Screen 1 shows message tracking enabled on the MTA Site Configuration object.
The connectors that route messages to destinations such as Microsoft Mail, the Internet, and Lotus Notes.
Because you set message tracking on the objects in the Site Configuration container, logging occurs for the relevant components on all servers within a site.
Enabling message tracking for the MTA automatically logs messages that the Site and X.400 connectors process. Exchange integrates these connectors into the MTA and runs them as threads within the EMSMTA.EXE process. Message tracking helps you trace the path of messages as Exchange transfers them from the Information Store to the MTA and then to another site or foreign mail system. Writing tracking information to the log files doesn't create much system overhead, unless a server regularly runs at a CPU load of more than 80 percent. If your server is under such a load, you need to tune your system's performance or think about replacement hardware.
Finding the Logs
Exchange stores message tracking logs in a Windows NT file share called tracking.log, usually a subdirectory of EXCHSRVR, the directory where you install most Exchange files. If you want to change the location, you can change the following Registry parameter:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters\LogDirectory
(Caution: Changing the Registry incorrectly can cause NT and Exchange to fail.) The change becomes effective the next time you start the System Attendant service.
Screen 2 shows a typical set of tracking logs. Exchange creates a new log at midnight each day; the log contains information about all the messages that a server has handled in the past 24 hours. Exchange keeps logs for 10 days. If you want to retain a log for more than 10 days, you must copy logs out of the tracking.log directory to another location.
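One way to automate that copy, as an added example that is not part of the original article: the PowerShell function below archives only logs that Exchange has finished writing and records a SHA-256 hash for each one, so a later change to an archived log can be detected. The function name Save-TrackingLogs, the manifest file and the demo paths are assumptions; the demo uses a temporary directory in place of the tracking.log share.

```powershell
# Added example (not from the article): archive closed tracking logs with hashes.
# Save-TrackingLogs, manifest.csv and the demo paths are hypothetical names.
function Save-TrackingLogs {
    param(
        [Parameter(Mandatory)] [string] $Source,    # the tracking.log share or directory
        [Parameter(Mandatory)] [string] $Archive,   # long-term store outside the share
        [datetime] $Now = (Get-Date)
    )
    New-Item -ItemType Directory -Path $Archive -Force | Out-Null
    $manifest = Join-Path $Archive 'manifest.csv'
    $copied = @()
    foreach ($log in Get-ChildItem -Path $Source -File | Sort-Object Name) {
        # A new log starts at midnight, so a file written today is still in use.
        if ($log.LastWriteTime.Date -ge $Now.Date) { continue }
        $target = Join-Path $Archive $log.Name
        $srcHash = (Get-FileHash -Path $log.FullName -Algorithm SHA256).Hash
        if (Test-Path $target) {
            # Already archived: never overwrite, but report a copy that has changed.
            if ((Get-FileHash -Path $target -Algorithm SHA256).Hash -ne $srcHash) {
                Write-Warning "Archived copy of $($log.Name) differs from source"
            }
            continue
        }
        Copy-Item -Path $log.FullName -Destination $target
        if ((Get-FileHash -Path $target -Algorithm SHA256).Hash -ne $srcHash) {
            Remove-Item -Path $target
            throw "Copy of $($log.Name) failed verification"
        }
        [pscustomobject]@{ File = $log.Name; SHA256 = $srcHash; ArchivedAt = $Now.ToString('s') } |
            Export-Csv -Path $manifest -Append -NoTypeInformation
        $copied += $log.Name
    }
    return $copied
}

# Constructed demo: temporary directories stand in for the share and the archive.
$src = Join-Path ([IO.Path]::GetTempPath()) "tracking-demo-$PID"
New-Item -ItemType Directory -Path $src -Force | Out-Null
'constructed sample entry' | Set-Content (Join-Path $src 'old.log')
'constructed sample entry' | Set-Content (Join-Path $src 'today.log')
(Get-Item (Join-Path $src 'old.log')).LastWriteTime = (Get-Date).AddDays(-3)
Save-TrackingLogs -Source $src -Archive "$src-archive"
```

Scheduled daily, a script like this keeps the archive ahead of the 10-day purge.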
Exchange records information for all types of messages, including interpersonal mail, public folder replication, and directory replication. It also captures information for messages that enter the system via the various connectors. The server that Screen 2 shows acts as the hub for a 15-site Exchange organization, so the logs hold many records for replication traffic. As you can see, message tracking has captured just over 93MB of data in 10 logs; the process captures an average of approximately 10MB of data per day. Servers that host large user communities can generate up to 100MB of logs each day, but even so, the amount of space that logs occupy is not a reason to disable message tracking.
You can use the WordPad editor to view the content of a log. Every message generates an entry for each stage that the message goes through. Each entry has an event number. Chapter 17 of the Exchange Administrator's Guide, part of the product's documentation, defines event numbers, and Table 1 lists the most common events.
Using the Message Tracking Center
After you enable message tracking, you can track messages by invoking the Message Tracking Center from Tools, Track Message in Exchange Administrator. Identify the server that's the source of the messages you want to trace, and then specify some characteristics of the messages you're interested in. You can run the Message Tracking Center from any server in your organization as long as you connect to the server and hold administrative permission. As you can see from Screen 3, you can specify the source mailbox of the message, the person it was sent to, the number (up to 10) of days you want to review, and the server to begin the search from (if the message originated from another server). When you're ready to begin, click Find Now. Exchange will list messages that meet the criteria you've selected.
Because NT holds message tracking logs in an NT file share, you can access the logs on a server only if the system can authenticate you into the domain where the server is installed. Therefore, whenever possible, install all Exchange servers in the same domain. You can track messages across domains, but tracking across domains relies on trust relationships that let you access the logs on each server along the path of a message.
Zeroing In on a Message
The initial search identifies some local messages that meet your criteria. Select one of the messages to give the Message Tracking Center a unique message identifier to use to search through logs. Screen 4 shows the message identifier for a selected message and the steps in the message's progress from its initiation to its delivery. The sidebar "What a Tracking Log Tells You" explains the message's progress in detail. Briefly, here's what happened:
I clicked Send to dispatch a message addressed to a distribution list.
Because the MTA expands distribution lists, the Information Store handed the message to the MTA on the dedicated server PLATINUM.
PLATINUM expanded the distribution list and returned it to the original server.
One of the recipients (Daragh Morrissey) has an Inbox Assistant rule that forwards copies of messages to an Internet address. Exchange delivered the message to Daragh Morrissey's mailbox and to the Internet Mail Service (IMS), which queues and sends the message.
Exchange made local deliveries to the remaining recipients in the distribution list.
You can examine a message's properties as it passes through the various stages. For example, if you select the final point (when Exchange delivers the message to multiple recipients), you can view the complete recipient list and identify who received a copy. Screen 5 shows Message Properties at the point when Exchange delivers a copy of the message to an external Simple Mail Transfer Protocol (SMTP) address. The display shows the SMTP identifier (in the Remote ID field) and the remote SMTP domain and address that the message is delivered to (in the Recipients list).
Exchange can't trace the course of a message after Exchange delivers the message to a foreign mail system via a connector. You can trace the message further only if the foreign system supports message logging and you can use an identifier (e.g., the SMTP identifier) to search for the message.
Tracking Incoming Mail
Discovering information about incoming messages is more complicated than tracking a message within an Exchange organization. The first time Exchange knows about an incoming message is when it arrives at a connector; therefore, this point is the earliest that Exchange can begin tracking an incoming message.
The Message Tracking Center lets you search for incoming messages. You can specify the sender, the intended recipient (you can specify multiple recipients), the connector that the message arrived through, and the number of days to examine. Screen 6 shows how I searched for all Internet messages that arrived for me on a specific date.
After a message arrives in the organization, Exchange can deliver it to a local recipient, transfer it to another server or site, or relay it to another system, such as Microsoft Mail, via a connector. You can track the message as long as it stays inside the Exchange organization.
Be Prepared
Message tracking is a feature that a systems administrator is unlikely to use every day. However, you'll be glad you have it if someone loses an important message or wonders whether a message has arrived. Be prepared: Enable message tracking on all your Exchange servers.