Auditing or managing an Exchange configuration for a customer -- for instance, in the context of a managed Exchange account -- brings with it many of the same challenges and difficulties as auditing your own Exchange environment. The big difference as an Exchange provider is that you're doing it for multiple Exchange configurations, whether physical servers or virtual hosts, making it an exponentially more difficult project. The good news is that there are ways to do all this without driving yourself crazy.
Exchange auditing features and tools
As you probably know, Exchange has a number of built-in features to audit system activity; two of the most obvious are event logging and diagnostic logging. The former consists of the same event logs that every Windows application can write to. On a single server, trawling the system's event logs is not quite so bad, but trying to deal with event logs from even two servers at a time is problematic; it's terribly cumbersome to skip and switch between them, so you need a way to aggregate the event logs into a single report. Event logs are also the first places you'll find warnings about potentially serious problems, such as persistent delivery or queue issues.
Microsoft offers one way to do this kind of cross-server aggregation: Microsoft Operations Manager or MOM. Aside from aggregation and reporting, it allows you to set up alerts for specific conditions that may arise. MOM's main obstacle is its per-seat price and requirements (SQL Server is needed), although in a big environment -- such as one where Exchange hosting is provided as a service -- this pricing dilemma won't pose the same hurdles it may for a smaller shop.
That said, here are some worthy and functionally similar alternatives.
- NetIQ Exchange Administrator: This product includes auditing and reporting but allows enterprise-wide administration of Exchange in many other ways. In fact, the NetIQ product is arguably a more effective choice for hosted-Exchange administration for precisely that reason.
- STEALTHbits Technologies StealthAUDIT: This sports a couple of nice Exchange-specific features that ought to be highly useful to managed Exchange hosts, such as enabling you to establish baselines for a given Exchange install.
Exchange activity to audit
Aside from error logs, there are a number of other conditions to watch for that aren't in themselves errors. That is, they aren't logged as errors, but they are conditions that may indicate something is decidedly wrong with that particular instance of Exchange. These could be a sudden spike or drop in the volume of incoming or outgoing mail; mail stuck perpetually in the delivery queue; an abnormally large increase in the size of the store; a spike in CPU activity that doesn't resolve itself; and so on.
Finally, there are the things to watch as customer metrics. For instance, you must keep an eye on the size of the database or the number of mailboxes, that might affect how much you're charging the customer for hosting. All of these things are far easier to audit and track in an automated fashion.
Diagnostic logging warning
I also mentioned diagnostic logging, which is the ability to return detailed operational information for specific Exchange actions. Diagnostic logging should be treated the same way in a hosted Exchange environment as you would in a regular one; in other words, use it to troubleshoot specific chronic issues and don't leave it on continually. It's medicine, not vitamins. The load imposed on the system by turning on diagnostics may vary -- many diagnostics don't slow the server down perceptibly -- but it's all too easy to turn them on, forget about them and have other diagnostics cumulatively slow the system when turned on. This in essence creates all new problems while solving others, and when you're dealing with 20 servers or more instead of just once, it's not a trap you want to put yourself in.
About the author: Serdar Yegulalp is editor of Windows Insight, a newsletter devoted to hints, tips, tricks, news and goodies for all flavors of Windows users.