Troubleshooting Exchange with LogParser:RCA logs

In this post I’m going to show you how to troubleshoot connectivity issues, specifically RPC Client Access.

Do you think this is only a topic for Exchange 2010? That’s not true as Exchange 2013 has still the service Microsoft Exchange RPC Client Access. And there are still logs written for.

What do you need in order to parse those logs?

• LogParser
• a server from where you will run the script. this server needs SMB access to all Exchange server as we will access the RCA logs via UNC path
• adjust the execution policy. Here is an example, which bypass the policy only for the running process:

  Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

• the script itself

How it works?

The script uses this function to determine all the relevant Exchange servers from AD. Then it starts to build an array of paths, one path for each server. The default path is $exinstall\Logging\RPC Client Access.

The script accepts the following parameters:

Parameter	Description
Mailbox	a given mailbox, which you want to query the logs for. The last part from the LegacyExchangeDN is extracted for this e.g.:”/o=contoso/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Administrator37d” will be “Administrator37d”
Logonaccount	a given logonaccount, which is used to access mailboxes
StartDate	this is used for filtering the logfiles to be parsed. The format must be yyMMdd
EndDate	this is used for filtering the logfiles to be parsed. The format must be yyMMdd
ErrorReport	any error for a given mailbox or logonaccount
Hourly	only logon operations will be count per hour. Could be combined with mailbox or logonaccount
ClientReport	this is used to collect all clients. Note: This will NOT report the number of unique clients. only the number of total hits.
Logparser	this is used for the path to LogParser.exe
ADSite	here you can define in which ADSite is searched for Exchange server
Outpath	where the output will be found
LogFolders	which folders to parse on Exchange 2010 servers. It must be an UNC path without the server name and could have multiple path comma deliminated. The default is “C$\Program Files\Microsoft\Exchange Server\V14\Logging\RPC Client Access”
LogFolders2013	which folders to parse on Exchange 2013 servers. It must be an UNC path without the server name and could have multiple path comma deliminated. The default is “C$\Program Files\Microsoft\Exchange Server\V15\Logging\RPC Client Access”
Exchange2013	looks only for Exchange 2013 mailbox server. By default the script looks only for Exchange 2010 servers. As the structure between Exchange versions is different we cannot parse all at the same time.
Localpath	if you have log files in a local folder. There is no filtering by date! All files will be analyzed. Logs across server versions cannot be mixed

This is the default output and in the following format:

yyMMdd_RCA_Result_yyMMdd_HH-mm-ss.csv

Output	Description
TimeUTC	The logentry in UTC format
Mailbox	The last part from the LegacyExchangeDN is extracted for this e.g.:”/o=contoso/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Administrator37d” will be “Administrator37d”
Server	The IP address or name of the server, where the entry was logged. If you parse local files the IP is reported. Otherwise the name.
LogonAccount	The account, which was used to logon
DelegateLogonAccount	To which mailbox the user else logged on (e.g.: Shared mailbox or manager mailbox in a delegate scenario)
OwnerLogonAccount	The mailbox to which the user logged on with OwnerLogon
Operation	Which operation was performed. The script will report only Connect, DelegateLogon and Ownerlogon.
Client	The logged client
Version	The logged client version
Mode	The mode the client is using e.g.: Cached, Classic(online)
Protocol	Which protocol was used e.g.:ncacn_ip_tcp or ncacn_ip_http
Time taken in MS	How long the operation took
Flags	Any MAPI specific flag, which was used

When you use the switch -ErrorReport you will get only the errors for a given mailbox or all errors at all in the following format:

yyMMdd_RCA_Result_ErrorReport_yyMMdd_HH-mm-ss.csv

Output	Description
TimeUTC	The logentry in UTC format
Mailbox	The last part from the LegacyExchangeDN is extracted for this e.g.:”/o=contoso/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Administrator37d” will be “Administrator37d”
Client	The logged client
Version	The logged client version
Mode	The mode the client is using e.g.: Cached, Classic(online)
Server	The IP address or name of the server, where the entry was logged. If you parse local files the IP is reported. Otherwise the name.
RPCStatus	The logged RPC specific status
Failures	The logged failure

You can use the switch -ClientReport in order to get a report of all used clients. You can filter either by mailbox or LogonAccount. The format is as follows:

yyMMdd_RCA_Result_ClientReport_yyMMdd_HH-mm-ss.csv

Output	Description
Client	The logged client
Version	The logged client version
TotalHits	Total number of hits of this client

for a hourly statistic use the switch -Hourly. It will then parse the logs and correlate the logged entries by hour for each mailbox or logonaccount. Output file looks like this:

yyMMdd_RCA_Result_Hourly_yyMMdd_HH-mm-ss.csv

Output	Description
Hour	The hour in UTC
Server	The IP address or name of the server, where the entry was logged. If you parse local files the IP is reported. Otherwise the name.
Mailbox	The last part from the LegacyExchangeDN is extracted for this e.g.:”/o=contoso/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Administrator37d” will be “Administrator37d”
Connect	Number of Connect operations
Delegateconnect	Number of Delegateconnect operations

Examples

# collect all "connect" and "DelegateLogon" operations for a specific mailbox
.\Get-RCAStats.ps1 -Mailbox Administrator -startdate 130213 -enddate 130214

# collect all "connect" and "DelegateLogon" operations for a specific mailbox on Exchange 2013 server
.\Get-RCAStats.ps1 -Mailbox Administrator -startdate 130213 -enddate 130214 -Echange2013

# collect all failures for a specific mailbox
.\Get-RCAStats.ps1 -Mailbox Administrator -startdate 130213 -enddate 130214 -errorreport

# count all "connect" per hour and could be combined with mailbox or logonaccount
.\Get-RCAStats.ps1 -hourly

# count all "connect" per hour for a specific mailbox
.\Get-RCAStats.ps1 -hourly -Mailbox Administrator

# count all "connect" per hour for a specific mailbox with non-default logfolder path
.\Get-RCAStats.ps1 -hourly -Mailbox Administrator -LogFolders "D$\Exchange\Logging\RPC","C$\Program Files\Microsoft\Exchange Server\V14\Logging\RPC Client Access"

Now you should be ready for troubleshooting connectivity issues related to RPC calls. As an example:

I have very often complains about poor performance. When I asked the users if they have multiple mailboxes configured in their profile I always get the answer: No!

Well, very often I just run the script for a day and I can see that they do have configured a bunch of mailboxes (you will see those in the section DelegateLogonAccount and the Operation DelegateLogon). When a user has multiple mailboxes configure he will be most likely throttled, which leads into a poor end-user experience.

The all-time record I’ve seen was a user with additional 34 mailboxes configured in his profile! Of course this person had no fun and struggled almost every day.

Happy parsing! Feedback is always welcome!