Hunt down message data
Users are wonderful: They never lose messages, never forget to send messages, never forget to add someone important to an address list, never send a message to someone who shouldn't receive the message, and never forget to add an attachment. In fact, users are perfect.
However, on the rare occasion when a user makes a mistake, a tool that helps you determine the user error can be indispensable. Short of monitoring every keystroke, you can't be sure exactly what the user did. However, Microsoft Exchange Server 5.5 and earlier include a Message Tracking Center facility, and Exchange 2000 Server includes and enhances this facility. This tool can help you track a message's path between servers, as well as determine when the user sent the message, to whom the user sent the message, and other important pieces of information.
You can also use this data to evaluate your company's email trends, which is handy information when you need to request additional hardware. After you learn the basics of the Exchange 2000 Message Tracking Center, you can use tracking-log data to hunt down errant messages or investigate message flow across your organization.
Start the Logs Rolling
You can't expect to track a message if it passes invisibly between servers. In an Exchange Server organization, you can search for a message only when you've already configured the Exchange Server machines to generate message-tracking log files for you to interrogate.
Tracking is simple when a message remains on one server, more complicated when the message passes across multiple servers en route to its final destination, and even more complex when the message passes out across the Internet or across another messaging system. Exchange 2000 can't force every email system on the planet to generate and maintain tracking data in a common format and make that data available to any program that might request the data. Therefore, your options are restricted to tracking messages as they pass between servers within one Exchange Server organization.
When you enable tracking, every Exchange Server machine can maintain a set of message-tracking logs. Each server creates a new log daily and names the log according to the date in yyyymmdd format (e.g., 20000725.txt). The logs reside on a network share called server_name.log (in Exchange 2000) or tracking.log (in Exchange Server 5.5, Exchange Server 5.0, and Exchange Server 4.0). Prefixing the name of the Exchange Server system creates the full name of the share. For example, the full name of the share on an Exchange 2000 server named Excserver would read as follows:
\\excserver\excserver.log
Exchange 2000 supports the concept of virtual servers. On a Windows 2000 cluster, an Exchange Virtual Server (EVS) is a collection of the resources (e.g., an IP address, network name, disks, software) that an Exchange Server machine comprises. In a cluster, each EVS generates a set of message-tracking logs you can identify and access exactly as you would logs from standard servers. (For more information about EVSs and clustering Exchange 2000, see Jerry Cochran, "Clustering Exchange 2000, Part 1," page 145.)
When Exchange Server generates messages, it gives each message a unique identifier and records each identifier in the message-tracking logs, thus giving you the capability to trace a message as it makes its way to its final destination. A sample message identifier might read as follows:
BE8B1DCC92D77E4C9CC70E141E3B583B02226F@EXCSERVER.acme.org
The only part of this identifier that makes any sense to a human is the server name (i.e., EXCSERVER.acme.org). To create and control message-tracking logs, Exchange 2000 offers the following set of server properties, which Figure 1, page 140, shows.
Enable subject logging and display. Select the Enable subject logging and display check box to record message-subject information in the message-tracking logs and to display this information when you track a message. Message subjects can contain confidential information, so some installations opt not to collect this data. However, users shouldn't put confidential data into message subjects; truly confidential information should be secured through encryption. Also, the subject field is a good way to isolate a message when the sender generates a lot of traffic. In most cases, recording this data is harmless. By default, Exchange Server disables subject logging.
Enable message tracking. Select the Enable message tracking check box to instruct Exchange 2000 to begin creating and populating daily message-tracking logs. Exchange 2000 will log every message that passes through the transport engine. By default, Exchange Server disables message tracking.
Remove log files. Select the Remove log files check box to instruct the Exchange System Attendant process to clean up old logs shortly after midnight each day. By default, the System Attendant removes files older than 7 days. You can choose to keep files for a longer period; message-tracking logs don't usually occupy enough space to cause problems. However, most users won't wait longer than 7 days to request that you track a truly important message.
Because you can track messages only when servers are recording details in the tracking logs, you need to make an enterprise-wide decision about whether to enable logging. The best practice is to enable logging on all servers because it provides a useful facility at very little cost.
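The naming rules above, as an added Python example that is not from the article or from Exchange itself: it takes a message identifier, derives the originating server's tracking-log share, and lists the daily log files for a date window, flagging those the System Attendant would already have removed. It assumes the short server name is the first label of the identifier's host part and that a log is removed once its date is more than the retention period before today; the function names are hypothetical.

```python
from datetime import date, timedelta

def server_from_message_id(message_id):
    """Short server name from the host part of a message identifier.
    Assumption: the server name is the first label after the '@'."""
    local, sep, host = message_id.rpartition("@")
    if not sep or not local or not host:
        raise ValueError("not a message identifier: %r" % message_id)
    return host.split(".")[0].lower()

def share_path(server, exchange_2000=True):
    """UNC path of the tracking-log share, using the article's naming:
    <server>.log on Exchange 2000, tracking.log on 5.5 and earlier."""
    share = server + ".log" if exchange_2000 else "tracking.log"
    return "\\\\" + server + "\\" + share

def logs_to_search(message_id, first_day, last_day, today,
                   keep_days=7, exchange_2000=True):
    """Return (unc_path, expected_on_disk) for each daily log in the window.
    Assumption: a log is gone once its date is more than keep_days before
    today (7 is the default the article gives for the System Attendant)."""
    if last_day < first_day:
        raise ValueError("last_day is before first_day")
    share = share_path(server_from_message_id(message_id), exchange_2000)
    oldest_kept = today - timedelta(days=keep_days)
    found = []
    day = first_day
    while day <= last_day:
        name = day.strftime("%Y%m%d") + ".txt"   # yyyymmdd.txt, one per day
        found.append((share + "\\" + name, day >= oldest_kept))
        day += timedelta(days=1)
    return found

if __name__ == "__main__":
    # Identifier taken from the article; the dates are constructed sample input.
    msg_id = "BE8B1DCC92D77E4C9CC70E141E3B583B02226F@EXCSERVER.acme.org"
    for path, present in logs_to_search(msg_id, date(2000, 7, 23),
                                        date(2000, 7, 26), today=date(2000, 8, 1)):
        print(path, "" if present else "(past retention, likely removed)")
```

The list covers only the server named in the identifier; a message that crossed several servers leaves entries in each server's own logs.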
Launch the Investigation
After you've enabled the creation of tracking logs, you can manage message tracking through the Tools node of the Exchange 2000 Exchange System Manager (ESM) console or through the Microsoft Management Console (MMC) Exchange Message Tracking Center snap-in. Both options use the same code: The ESM console comprises a set of MMC snap-ins.