Solved

MS Exchange 2003 - Logging /Event Viewer - Stopped!??

Posted on 2009-05-05
Last Modified: 2012-05-06
For the last year and a half I've been using the (540) logs to generate 'exchange usage' reports, mainly for OWA. These logs were available in the event viewer/security and appeared as 540 event type.
For some reason this logging stopped about a week ago.

It's been a while since I set this up... but I went into System Manager, right clicked on the server and checked MSExchangeIS/Mailbox. The logging level for Logons, Access Control Send As, etc (three others) are all set to either MAX or MIN.

The only record currently in the security log is from EARLY this morning... 'The audit log was cleared'. (It was, by me)

Any idea HOW to troubleshoot this?
Nothing has changed, but logging seems to have stopped?

Thanks,

E.D.
0
Question by:edalzell
27 Comments
 
LVL 15

Expert Comment

by:abhaigh
ID: 24312560
how long has it been since you last rebooted that system?
0
 

Author Comment

by:edalzell
ID: 24313675
I rebooted it over the weekend.
Nothing in the event viewer/security log since April 28th. :-(

Thanks for your response!
0
 
LVL 15

Expert Comment

by:abhaigh
ID: 24313747
nothing in the application log at all?

what happens when you try to stop/restart that service?
0
 

Author Comment

by:edalzell
ID: 24314191
Ahhh.... yes there is. (Application log)
There are a bunch of these.
LDAP Bind was unsuccessful on directory server.domain.com for distinguished name.

I suspect this is causing the problem..... although I'm not entirely sure how to address.
Note: An 'old' server (formerly a DC - several years ago) was recently decommissioned.
I assume this could have caused the issue....
0
 
LVL 15

Expert Comment

by:abhaigh
ID: 24314434
yeah - that'll do it

check the directory access tab on the properties sheet for that server - ensure that the system is referencing a live domain controller and not the defunct one
0
 

Author Comment

by:edalzell
ID: 24314585
abhaigh,

This is what is listed:

Show: All Domain Controllers
DC     Site    Domain        Type            LDAP Port
PDC    DFSN    domain.com    Config(Auto)    389
SDC    DFSN    domain.com    DC (Auto)       389
PDC    DFSN    domain.com    DC (Auto)       389
SDC    DFSN    domain.com    GC (Auto)       3268
PDC    DFSN    domain.com    GC (Auto)       3268

PDC, is, of course, our primary domain controller.
SDC is our other (secondary... if that applies anymore) DC.

I assume this looks ok??
0
 

Author Comment

by:edalzell
ID: 24314802
I've done some more reading and may have found the issue.

In the Exchange Sys Manager/Recipients/Recipient Update Service I have the following:
Recipient Update Service (Enterprise Config.) - it points to dc.domain.com.
If I try to change it... and select domain.com it's fine.

I have a second service: Recipient Update Service (DOMAIN)
It also points to domain.com. If I try to change it, by selecting it again.. I get an error:
an object with the following name cannot be found: dc.domain.com

What does the second service do? Should I point it to our SDC?

abhaigh, thanks for your help! :-)
0
 
LVL 15

Expert Comment

by:abhaigh
ID: 24314837
that looks fine

however I would take a closer look at your ldap errors from the app log and resolve them
0
 
LVL 15

Expert Comment

by:abhaigh
ID: 24314949
I'd aim it at one of your global catalogs
0
 

Author Comment

by:edalzell
ID: 24315081
abhaigh,

Things are getting hairy! :-)
On the DC, looking in the ActDir Sites and Services.... under Server, I see 4.
OLDSERVER (demoted!)
DC (NTDS Global Catalogue / Replicate from SDC)
EXCHANGE
SDC (NTDS Global Catalogue / Replicate from DC)  

Should I be removing OLDSERVER? Should our EXCHANGE box be listed here?

Thanks!
0
 
LVL 15

Expert Comment

by:abhaigh
ID: 24315256
if both machines are dc/gc's - then leave them alone

if they aren't - then they shouldn't be there and can be safely removed from ADS&S
0
 

Author Comment

by:edalzell
ID: 24315314
abhaigh,

I'm no longer seeing these error messages.
LDAP Bind was unsuccessful on directory server.domain.com for distinguished name

Will an off-hours reboot help?
(my Logging /Event Viewer/Security that is....)
It still has only one record.

Thanks again for all your help! :-)
0
 
LVL 15

Expert Comment

by:abhaigh
ID: 24315537
a reboot certainly won't hurt
0
 

Author Comment

by:edalzell
ID: 24315555
Great, I'll try it this evening and report back.

Thanks again! :-)
0
 

Author Comment

by:edalzell
ID: 24325749
abhaigh,

Did a reboot last night, no luck with logs appearing in 'event viewer/security'.

One thing I did come across is on the DC (in Active Dir), exchange Props/delegation, it's listed as DO NOT TRUST THIS COMPUTER FOR DELEGATION.

Would this be an issue?
Any idea why there wouldn't be an ERROR in the event viewer regarding exchange logs NOT being written?
BTW, since reboot, event viewer/application is error free - in fact no errors at all in event viewer.

Thanks again!
0
 
LVL 15

Expert Comment

by:abhaigh
ID: 24326216
no events at all? not even informational? You aren't filtering the view are you?
0
 

Author Comment

by:edalzell
ID: 24327430
In EVENT VIEWER/SECURITY I have one event - The audit log was cleared, from 9:32:08 AM this morning.

Thoughts?

BTW - My tech recently installed Symantec EndPoint!
0
 

Author Comment

by:edalzell
ID: 24332274
More info!!!
Even though Microsoft Exchange Management says it's running when I go into services... when I use the Message tracking Centre... it says the search could not be completed - check to see if Microsoft Exchange Management is running.

This too, is a first!!!!

Thanks! :-)
0
 
LVL 15

Expert Comment

by:abhaigh
ID: 24334459
did this problem start shortly after symantec was installed? if so, have you tried either disabling it or uninstalling it to see if that makes a difference?

are you running into disk space or log file size issues?

any problems with the credentials these services are running under?

this is a very odd one indeed
0
 

Author Comment

by:edalzell
ID: 24359629
I've uninstalled Symantec - no luck.
I've got 11 GB remaining on the C drive.
The only records in the security log are 513 & 517.
I've restored 'defaults' for security logs, hoping this might fix things....

In C:\WINDOWS\System32\config.... I have
SecEvent.Evt 64 KB
SECURITY 256 KB
SECURITY.LOG 1 KB
Does this sound correct?

Thanks again! :-)
0
 

Author Comment

by:edalzell
ID: 24366364
Another update....this logging actually stopped RIGHT after a 612-Policy change.
When I got into the policy editor --> Comp Config/Windows Settings/Security Settings/Local Policies/User Rights Assign., the Manage auditing and security logs has the following account 'Administrators' & 'Domain\Exchange Enterprise Server'. Does this sound right?

This seems like it's related to the exact issue we are experiencing!

Thanks!
0
 
LVL 15

Expert Comment

by:abhaigh
ID: 24366704
time to investigate just what has changed in your policy

some info on what that event means

612: Audit Policy Change
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=612
0
 

Author Comment

by:edalzell
ID: 24366942
Here's a silly question... (I think I am starting to understand this a little more)

The stuff under MSExchangeIS is all logged under the Application Log.
My issue is with the 'disappearance' of the Logon/Logoff records (Category) in the Security log.... where is this set?

The only ones I see are 'system events' (only 5) - I suspect this has been shut off, either manually or by policy.
Any thoughts?

Thanks again!

BTW... I will have a look at your recommendation now as well!

E.D.
0
 
LVL 15

Accepted Solution

by:
abhaigh earned 500 total points
ID: 24367040
it is set in the local security policy for that machine or the gpo that is in effect on it
0
 

Author Comment

by:edalzell
ID: 24367136
abhaigh,

I think that's it... just having a look now.
Will report back!

Thanks again!
0
 

Author Comment

by:edalzell
ID: 24368054
abhaigh!

That was it!
Local Policy coming from a GPO that I didn't admin! Ughhhhh.
Audit account logons were set to NO AUDITING.

Anyway, thanks again for all your help!

E.D.
0
 

Author Closing Comment

by:edalzell
ID: 31577992
abhaigh, thanks a TON for the help!!!!! You're great!
0
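
Added example (not part of the thread and not the posters' code): a Python check for the pattern this thread ended up diagnosing, where 540 logon events stop right after a 612 audit policy change. The CSV export layout, the sample rows and the function names are assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample: Security log rows (timestamp, event ID), as if merged
# from archived exports. IDs are those named in the thread: 540 logon,
# 612 audit policy change, 517 audit log cleared, 513 system shutdown.
SAMPLE_EXPORT = """\
2009-04-27 09:14:02,540
2009-04-27 16:40:55,540
2009-04-28 08:03:11,540
2009-04-28 08:05:47,612
2009-05-02 22:10:00,513
2009-05-05 09:32:08,517
"""

LOGON_IDS = {540}
CONTROL_IDS = {612: "audit policy change", 517: "audit log cleared"}


def parse_export(text):
    """Return a time-sorted list of (datetime, event_id) tuples."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 2:  # skip blank or malformed lines
            continue
        ts = datetime.strptime(row[0], "%Y-%m-%d %H:%M:%S")
        rows.append((ts, int(row[1])))
    return sorted(rows)


def find_silenced_logon_auditing(events, max_silence=timedelta(hours=24)):
    """Flag 612/517 events that are followed by no logon event for max_silence.

    Silence in 540s after such an event points at auditing being switched
    off (or the log being emptied), not at nobody logging on.
    """
    if not events:
        return []
    log_end = events[-1][0]
    logon_times = [ts for ts, eid in events if eid in LOGON_IDS]
    findings = []
    for ts, eid in events:
        if eid not in CONTROL_IDS:
            continue
        next_logon = next((t for t in logon_times if t > ts), None)
        silent_for = (next_logon or log_end) - ts
        if silent_for >= max_silence:
            findings.append((ts, eid, CONTROL_IDS[eid], silent_for))
    return findings
```

Running it on a schedule against the exported log turns a week of unnoticed missing logon records into an alert on the day the policy changes.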
