  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 420

MS Exchange 2003 - Logging /Event Viewer - Stopped!??

For the last year and a half I've been using the (540) logs to generate 'exchange usage' reports, mainly for OWA. These logs were available in the event viewer/security and appeared as 540 event type.
For some reason this logging stopped about a week ago.

It's been a while since I set this up... but I went into System Manager, right clicked on the server and checked MSExchangeIS/Mailbox. The logging level for Logons, Access Control Send As, etc (three others) are all set to either MAX or MIN.

The only record currently in the security log is from EARLY this morning... 'The audit log was cleared'. (It was, by me)

Any idea HOW to troubleshoot this?
Nothing has changed, but logging seems to have stopped?

Thanks,

E.D.
0
edalzell
Asked:
edalzell
1 Solution
 
abhaigh Commented:
how long has it been since you last rebooted that system?
0
 
edalzell (Author) Commented:
I rebooted it over the weekend.
Nothing in the event viewer/security log since April 28th. :-(

Thanks for your response!
0
 
abhaigh Commented:
nothing in the application log at all?

what happens when you try to stop/restart that service?
0
 
edalzell (Author) Commented:
Ahhh.... yes there is. (Application log)
There are a bunch of these.
LDAP Bind was unsuccessful on directory server.domain.com for distinguished name.

I suspect this is causing the problem..... although I'm not entirely sure how to address.
Note: An 'old' server (formerly a DC - several years ago) was recently decommissioned.
I assume this could have caused the issue....
0
 
abhaigh Commented:
yeah - that'll do it

check the directory access tab on the properties sheet for that server - ensure that the system is referencing a live domain controller and not the defunct one
0
 
edalzell (Author) Commented:
abhaigh,

This is what is listed:

Show: All Domain Controllers
DC    Site   Domain       Type           LDAP Port
PDC   DFSN   domain.com   Config(Auto)   389
SDC   DFSN   domain.com   DC (Auto)      389
PDC   DFSN   domain.com   DC (Auto)      389
SDC   DFSN   domain.com   GC (Auto)      3268
PDC   DFSN   domain.com   GC (Auto)      3268

PDC, is, of course, our primary domain controller.
SDC is our other (secondary... if that applies anymore) DC.

I assume this looks ok??
0
 
edalzell (Author) Commented:
I've done some more reading and may have found the issue.

In the Exchange Sys Manager/Recipients/Recipient Update Service I have the following:
Recipient Update Service (Enterprise Config.) - it points to dc.domain.com.
If I try to change it... and select domain.com it's fine.

I have a second service: Recipient Update Service (DOMAIN)
It also points to domain.com. If I try to change it, by selecting it again.. I get an error:
an object with the following name cannot be found: dc.domain.com

What does the second service do? Should I point it to our SDC?

abhaigh, thanks for your help! :-)
0
 
abhaigh Commented:
that looks fine

however I would take a closer look at your ldap errors from the app log and resolve them
0
 
abhaigh Commented:
I'd aim it at one of your global catalogs
0
 
edalzell (Author) Commented:
abhaigh,

Things are getting hairy! :-)
On the DC, looking in the ActDir Sites and Services.... under Server, I see 4.
OLDSERVER (demoted!)
DC (NTDS Global Catalogue / Replicate from SDC)
EXCHANGE
SDC (NTDS Global Catalogue / Replicate from DC)  

Should I be removing OLDSERVER? Should our EXCHANGE box be listed here?

Thanks!
0
 
abhaigh Commented:
if both machines are dc/gc's - then leave them alone

if they aren't - then they shouldn't be there and can be safely removed from ADS&S
0
 
edalzell (Author) Commented:
abhaigh,

I'm no longer seeing these error messages.
LDAP Bind was unsuccessful on directory server.domain.com for distinguished name

Will an off-hours reboot help?
(my Logging /Event Viewer/Security that is....)
It still has only one record.

Thanks again for all your help! :-)
0
 
abhaigh Commented:
a reboot certainly won't hurt
0
 
edalzell (Author) Commented:
Great, I'll try it this evening and report back.

Thanks again! :-)
0
 
edalzell (Author) Commented:
abhaigh,

Did a reboot last night, no luck with logs appearing in 'event viewer/security'.

One thing I did come across is on the DC (in Active Dir), exchange Props/delegation, it's listed as DO NOT TRUST THIS COMPUTER FOR DELEGATION.

Would this be an issue?
Any idea why there wouldn't be an ERROR in the event viewer regarding exchange logs NOT being written?
BTW, since reboot, event viewer/application is error free - in fact no errors at all in event viewer.

Thanks again!
0
 
abhaigh Commented:
no events at all? not even informational? You aren't filtering the view are you?
0
 
edalzell (Author) Commented:
In EVENT VIEWER/SECURITY I have one event - The audit log was cleared, from 9:32:08 AM this morning.

Thoughts?

BTW - My tech recently installed Symantec EndPoint!
0
 
edalzell (Author) Commented:
More info!!!
Even though Microsoft Exchange Management says it's running when I go into services... when I use the Message Tracking Centre... it says the search could not be completed - check to see if Microsoft Exchange Management is running.

This too, is a first!!!!

Thanks! :-)
0
 
abhaigh Commented:
did this problem start shortly after symantec was installed? if so, have you tried either disabling it or uninstalling it to see if that makes a difference?

are you running into disk space or log file size issues?

any problems with the credentials these services are running under?

this is a very odd one indeed
0
 
edalzell (Author) Commented:
I've uninstalled Symantec - no luck.
I've got 11 GB remaining on the C drive.
The only records in the security log are 513 & 517.
I've restored 'defaults' for security logs, hoping this might fix things....

In C:\WINDOWS\System32\config.... I have
SecEvent.Evt 64 KB
SECURITY 256 KB
SECURITY.LOG 1 KB
Does this sound correct?

Thanks again! :-)
0
 
edalzell (Author) Commented:
Another update....this logging actually stopped RIGHT after a 612-Policy change.
When I got into the policy editor --> Comp Config/Windows Settings/Security Settings/Local Policies/User Rights Assign., the Manage auditing and security logs has the following accounts: 'Administrators' & 'Domain\Exchange Enterprise Server'. Does this sound right?

This seems like it's related to the exact issue we are experiencing!

Thanks!
0
 
abhaigh Commented:
time to investigate just what has changed in your policy

some info on what that event means

612: Audit Policy Change
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=612
0
 
edalzell (Author) Commented:
Here's a silly question... (I think I am starting to understand this a little more)

The stuff under MSExchangeIS is all logged under the Application Log.
My issue is with the 'disappearance' of the Logon/Logoff records (Category) in the Security log.... where is this set?

The only ones I see are 'system events' (only 5) - I suspect this has been shut off, either manually or by policy.
Any thoughts?

Thanks again!

BTW... I will have a look at your recommendation now as well!

E.D.
0
 
abhaigh Commented:
it is set in the local security policy for that machine or the gpo that is in effect on it
0
 
edalzell (Author) Commented:
abhaigh,

I think that's it... just having a look now.
Will report back!

Thanks again!
0
 
edalzell (Author) Commented:
abhaigh!

That was it!
Local Policy coming from a GPO that I didn't admin! Ughhhhh.
Audit account logons were set to NO AUDITING.

Anyway, thanks again for all your help!

E.D.
0
 
edalzell (Author) Commented:
abhaigh, thanks a TON for the help!!!!! You're great!
0
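
A way to spot this failure sooner, as an added example that is not part of the original thread: the script scans an exported Security log for the point where 540 events stop and lists any 612 (audit policy change) or 517 (audit log cleared) events recorded from then on. The export format, the sample records and the function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Event IDs named in the thread (Windows Server 2003 Security log).
EXPECTED_ID = 540  # the logon events the usage reports were built from
CAUSE_IDS = {612: "audit policy change", 517: "audit log cleared"}

# Constructed sample export, one "timestamp,event_id" record per line.
SAMPLE = """\
2010-04-28 08:01:12,540
2010-04-28 08:14:40,540
2010-04-28 08:15:02,612
2010-04-28 23:50:00,513
2010-05-05 09:32:08,517
"""

def parse(text):
    """Turn the export into a time-sorted list of (datetime, event_id)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, event_id = line.split(",")
        events.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), int(event_id)))
    return sorted(events)

def find_silence(events, now, max_gap=timedelta(hours=24)):
    """Report when EXPECTED_ID went quiet and which events could explain it.

    Returns None while the stream is healthy, otherwise a dict with the last
    time EXPECTED_ID was seen (None if never) and the CAUSE_IDS events
    recorded from that point on, oldest first.
    """
    seen = [ts for ts, eid in events if eid == EXPECTED_ID]
    last_seen = max(seen) if seen else None
    if last_seen is not None and now - last_seen <= max_gap:
        return None
    suspects = [(ts, eid, CAUSE_IDS[eid]) for ts, eid in events
                if eid in CAUSE_IDS and (last_seen is None or ts >= last_seen)]
    return {"last_seen": last_seen, "suspects": suspects}

if __name__ == "__main__":
    report = find_silence(parse(SAMPLE), now=datetime(2010, 5, 5, 12, 0, 0))
    print(report)
```

The first suspect after the last 540 is the one to investigate first; a 517 also means earlier evidence may only survive in an archived copy of the log.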
