In this post I’m going to show you how to troubleshoot connectivity issues, specifically with RPC Client Access.
Do you think this is only a topic for Exchange 2010? That’s not true: Exchange 2013 still has the Microsoft Exchange RPC Client Access service, and it still writes logs.
What do you need in order to parse those logs?
- LogParser
- a server from which you will run the script. This server needs SMB access to all Exchange servers, as the RCA logs are accessed via UNC path
- an adjusted execution policy. Here is an example, which bypasses the policy only for the running process:
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
- the script itself
How does it work?
The script uses this function to determine all the relevant Exchange servers from AD. Then it starts to build an array of paths, one path for each server. The default path is $exinstall\Logging\RPC Client Access.
The script accepts the following parameters:
Parameter | Description |
---|---|
Mailbox | a given mailbox, which you want to query the logs for. The last part from the LegacyExchangeDN is extracted for this, e.g.: “/o=contoso/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Administrator37d” will be “Administrator37d” |
Logonaccount | a given logonaccount, which is used to access mailboxes |
StartDate | this is used for filtering the logfiles to be parsed. The format must be yyMMdd |
EndDate | this is used for filtering the logfiles to be parsed. The format must be yyMMdd |
ErrorReport | any error for a given mailbox or logonaccount |
Hourly | only logon operations will be counted per hour. Can be combined with mailbox or logonaccount |
ClientReport | this is used to collect all clients. Note: This will NOT report the number of unique clients. only the number of total hits. |
Logparser | this is used for the path to LogParser.exe |
ADSite | defines the AD site in which to search for Exchange servers |
Outpath | where the output will be found |
LogFolders | which folders to parse on Exchange 2010 servers. It must be a UNC path without the server name and can contain multiple comma-delimited paths. The default is “C$\Program Files\Microsoft\Exchange Server\V14\Logging\RPC Client Access” |
LogFolders2013 | which folders to parse on Exchange 2013 servers. It must be a UNC path without the server name and can contain multiple comma-delimited paths. The default is “C$\Program Files\Microsoft\Exchange Server\V15\Logging\RPC Client Access” |
Exchange2013 | looks only for Exchange 2013 mailbox servers. By default the script looks only for Exchange 2010 servers. As the log structure differs between Exchange versions, we cannot parse all at the same time. |
Localpath | if you have log files in a local folder. There is no filtering by date! All files will be analyzed. Logs across server versions cannot be mixed |
This is the default output and in the following format:
yyMMdd_RCA_Result_yyMMdd_HH-mm-ss.csv
Output | Description |
---|---|
TimeUTC | The logentry in UTC format |
Mailbox | The last part from the LegacyExchangeDN is extracted for this, e.g.: “/o=contoso/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Administrator37d” will be “Administrator37d” |
Server | The IP address or name of the server, where the entry was logged. If you parse local files the IP is reported. Otherwise the name. |
LogonAccount | The account, which was used to logon |
DelegateLogonAccount | The other mailbox the user also logged on to (e.g.: shared mailbox or manager mailbox in a delegate scenario) |
OwnerLogonAccount | The mailbox to which the user logged on with OwnerLogon |
Operation | Which operation was performed. The script will report only Connect, DelegateLogon and OwnerLogon. |
Client | The logged client |
Version | The logged client version |
Mode | The mode the client is using e.g.: Cached, Classic(online) |
Protocol | Which protocol was used e.g.:ncacn_ip_tcp or ncacn_ip_http |
Time taken in MS | How long the operation took |
Flags | Any MAPI specific flag, which was used |
When you use the switch -ErrorReport you will get only the errors, either for a given mailbox or all errors, in the following format:
yyMMdd_RCA_Result_ErrorReport_yyMMdd_HH-mm-ss.csv
Output | Description |
---|---|
TimeUTC | The logentry in UTC format |
Mailbox | The last part from the LegacyExchangeDN is extracted for this, e.g.: “/o=contoso/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Administrator37d” will be “Administrator37d” |
Client | The logged client |
Version | The logged client version |
Mode | The mode the client is using e.g.: Cached, Classic(online) |
Server | The IP address or name of the server, where the entry was logged. If you parse local files the IP is reported. Otherwise the name. |
RPCStatus | The logged RPC specific status |
Failures | The logged failure |
You can use the switch -ClientReport in order to get a report of all used clients. You can filter either by mailbox or LogonAccount. The format is as follows:
yyMMdd_RCA_Result_ClientReport_yyMMdd_HH-mm-ss.csv
Output | Description |
---|---|
Client | The logged client |
Version | The logged client version |
TotalHits | Total number of hits of this client |
For an hourly statistic use the switch -Hourly. It will then parse the logs and correlate the logged entries by hour for each mailbox or logonaccount. The output file looks like this:
yyMMdd_RCA_Result_Hourly_yyMMdd_HH-mm-ss.csv
Output | Description |
---|---|
Hour | The hour in UTC |
Server | The IP address or name of the server, where the entry was logged. If you parse local files the IP is reported. Otherwise the name. |
Mailbox | The last part from the LegacyExchangeDN is extracted for this, e.g.: “/o=contoso/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Administrator37d” will be “Administrator37d” |
Connect | Number of Connect operations |
Delegateconnect | Number of Delegateconnect operations |
Examples
```powershell
# collect all "connect" and "DelegateLogon" operations for a specific mailbox
.\Get-RCAStats.ps1 -Mailbox Administrator -startdate 130213 -enddate 130214

# collect all "connect" and "DelegateLogon" operations for a specific mailbox on Exchange 2013 server
.\Get-RCAStats.ps1 -Mailbox Administrator -startdate 130213 -enddate 130214 -Exchange2013

# collect all failures for a specific mailbox
.\Get-RCAStats.ps1 -Mailbox Administrator -startdate 130213 -enddate 130214 -errorreport

# count all "connect" per hour and could be combined with mailbox or logonaccount
.\Get-RCAStats.ps1 -hourly

# count all "connect" per hour for a specific mailbox
.\Get-RCAStats.ps1 -hourly -Mailbox Administrator

# count all "connect" per hour for a specific mailbox with non-default logfolder path
.\Get-RCAStats.ps1 -hourly -Mailbox Administrator -LogFolders "D$\Exchange\Logging\RPC","C$\Program Files\Microsoft\Exchange Server\V14\Logging\RPC Client Access"
```
Now you should be ready for troubleshooting connectivity issues related to RPC calls. As an example:
I very often get complaints about poor performance. When I ask the users whether they have multiple mailboxes configured in their profile, I always get the answer: No!
Well, very often I just run the script for a day and I can see that they do have a bunch of mailboxes configured (you will see those in the DelegateLogonAccount column with the Operation DelegateLogon). When a user has multiple mailboxes configured, he will most likely be throttled, which leads to a poor end-user experience.
The all-time record I’ve seen was a user with 34 additional mailboxes configured in his profile! Of course this person had no fun and struggled almost every day.
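The check described above can be run over the default result CSV. The following is an added example, not part of Get-RCAStats.ps1: the function name `Get-DelegateMailboxCount`, its `-Threshold` parameter and the sample rows are hypothetical, and the column headers are assumed to match the names in the default output table.

```powershell
# Constructed sample rows. Column names are assumed to match the default
# output table on this page; real files may differ in header or delimiter.
$sample = @'
TimeUTC,Mailbox,Server,LogonAccount,DelegateLogonAccount,Operation,Client,Mode
2013-02-13 08:01:12,alice1a2,EX01,CONTOSO\alice,,Connect,OUTLOOK.EXE,Cached
2013-02-13 08:01:15,alice1a2,EX01,CONTOSO\alice,SharedSales,DelegateLogon,OUTLOOK.EXE,Cached
2013-02-13 08:01:16,alice1a2,EX01,CONTOSO\alice,SharedHR,DelegateLogon,OUTLOOK.EXE,Cached
2013-02-13 09:30:02,alice1a2,EX02,CONTOSO\alice,sharedsales,DelegateLogon,OUTLOOK.EXE,Cached
2013-02-13 08:05:40,bob7c9,EX01,CONTOSO\bob,ManagerMbx,DelegateLogon,OUTLOOK.EXE,Classic
2013-02-13 08:06:00,carol3f,EX02,CONTOSO\carol,,Connect,OUTLOOK.EXE,Cached
'@

# Hypothetical helper: counts the distinct mailboxes each logon account
# opened via DelegateLogon and returns accounts at or above the threshold.
function Get-DelegateMailboxCount {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [int] $Threshold = 3
    )
    $Rows |
        Where-Object { $_.Operation -eq 'DelegateLogon' -and $_.DelegateLogonAccount } |
        Group-Object -Property LogonAccount |
        ForEach-Object {
            # Repeated logons to the same mailbox (any server, any casing) count once.
            $mailboxes = @($_.Group.DelegateLogonAccount | Sort-Object -Unique)
            [pscustomobject]@{
                LogonAccount      = $_.Name
                DelegateMailboxes = $mailboxes.Count
                Mailboxes         = $mailboxes -join ';'
            }
        } |
        Where-Object { $_.DelegateMailboxes -ge $Threshold } |
        Sort-Object -Property DelegateMailboxes -Descending
}

# For real data, load the result file instead of the sample:
#   $rows = Import-Csv -Path '<path to yyMMdd_RCA_Result_yyMMdd_HH-mm-ss.csv>'
$rows = $sample | ConvertFrom-Csv
Get-DelegateMailboxCount -Rows $rows -Threshold 2 | Format-Table -AutoSize
```

The same list doubles as a quick review of which accounts open other people's mailboxes, which is worth comparing against the delegate permissions you expect to exist.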
Happy parsing! Feedback is always welcome!
Will this script work for Exchange 2013 as well? I only get no server found? Any ideas?
Hi Riaan,
make sure you use the switch -Exchange2013.
This will tell the script to look only for Exchange 2013 servers.
Ciao,
Ingo
Thanks Ingo
Works like a charm,
Kind Regards
Nice script! You may want to add other fields to this script like client-software, etc. Nicely done!
Hi Ted,
the script also returns the client-software field. I called it just Client. What additional fields are you interested in?
Ciao,
Ingo
Error: Syntax Error: : expecting FROM keyword instead of token ‘Data’
Query done!
Received above error
Hi,
could it be that the userID has a space? I just stumbled across this. If so use only a part of the userID.
Thanks!
Ciao,
Ingo
Thanks a lot for that, I cannot manage to make it work:
I only got this output:
Statistics:
———–
Elements processed: 228120
Elements output: 6717
Execution time: 1.38 seconds
FullName
——–
\\SERV\L$\Exchange\Logging\RPC Client Access\RCA_20190503-1.LOG
\\SERV11\L$\Exchange\Logging\RPC Client Access\RCA_20190503-2.LOG
\\SERV11\L$\Exchange\Logging\RPC Client Access\RCA_20190503-3.LOG
\\SERV12\L$\Exchange\Logging\RPC Client Access\RCA_20190503-1.LOG
\\SERV12\L$\Exchange\Logging\RPC Client Access\RCA_20190503-2.LOG
\\SERV12\L$\Exchange\Logging\RPC Client Access\RCA_20190503-3.LOG
\\SERV21\L$\Exchange\Logging\RPC Client Access\RCA_20190503-1.LOG
\\SERV22\L$\Exchange\Logging\RPC Client Access\RCA_20190503-1.LOG
\\SERV22\L$\Exchange\Logging\RPC Client Access\RCA_20190503-2.LOG
\\SERV22\L$\Exchange\Logging\RPC Client Access\RCA_20190503-3.LOG
Start query!
Query done!
LogParser 2.2 installed, logs are not empty .. cannot understand, I will have a look inside the script.
Sorry for that, I just had to set $outpath, working nicely now. Really, thank you for this work.
Where is the script? It takes you to other page but there is nothing there. thanks
https://github.com/IngoGege/Get-RCAStats