Exchange 2013 introduced the Managed Availability feature to provide a very capable automated monitoring and management framework. Managed Availability allows Exchange to self diagnose and to self correct issues without having to escalate to a carbon life based unit for every issue. Whilst Managed Availability may still have to page humans, the frequency is certainly reduced compared to Exchange 2010 and its SCOM Management Pack.
Some common question that arise with Managed Availability include:
-
What has Managed Availability done to my server?
-
How can I see what Managed Availability has done?
-
Why did my server reboot?
-
Why has Exchange moved my database from one server to another?
For the results of what Managed Availability has done we can look at the Event Logs.
Managed Availability Event logs
We can find these logs in the crimson channel, located under:
Applications and Services Logs\Microsoft\Exchange\ManagedAvailability
While it is great to review these logs, consulting them on multiple servers is time consuming. You will also notice that they do get very busy over time…..
PowerShell to the rescue!
Querying Managed Availability Logs Using PowerShell
To make it easier to parse event log content, we can convert it to XML. The basic syntax to do the conversion could look like the below. Do not run that against all the logs on an Exchange server as you will get hundreds of results. We will get to filtering the results shortly!
(Get-WinEvent -LogName Microsoft-Exchange-ManagedAvailability/* | Foreach-Object {[XML]$_.toXml()}).event.userData.eventXml
(Get-WinEvent -LogName Microsoft-Exchange-ManagedAvailability/* | Foreach-Object {[XML]$_.toXml()}).event.userData.eventXml
When parsed out, the fields will look like the below example:
auto-ns2 : http://schemas.microsoft.com/win/2004/08/events
xmlns : myNs
Id : RestartService
InstanceId : 150326.065657.03497.001
ResourceName : MSExchangeFastSearch
StartTime : 2015-03-26T18:56:57.0349771Z
EndTime : 2015-03-26T18:56:57.4880982Z
State : Finished
Result : Succeeded
RequestorName : SearchServiceRunningRestartSearchService
ExceptionName : [null]
ExceptionMessage : [null]
Context : <LocalThrottlingResult IsPassed="true" MinimumMinutes="60" TotalInOneHour="0"
MaxAllowedInOneHour="-1" TotalInOneDay="0" MaxAllowedInOneDay="4"
IsThrottlingInProgress="true" IsRecoveryInProgress="false" ChecksFailed=""
TimeToRetryAfter="0001-01-01T00:00:00.0000000" />
<GroupThrottlingResult IsPassed="true" TotalRequestsSent="0" TotalRequestsSucceeded="0"
MinimumMinutes="0" TotalInOneDay="0" MaxAllowedInOneDay="0"
ThrottlingInProgressServers="" RecoveryInProgressServers="" ChecksFailed=""
TimeToRetryAfter="0001-01-01T00:00:00.0000000" Comment="Neither ThrottleGroupName or
ServersInGroup are specified. Allowing the operation for backward compatibility">
<ServerStats />
</GroupThrottlingResult>
CustomArg1 : [null]
CustomArg2 : [null]
CustomArg3 : [null]
LamProcessStartTime : 1/1/0001 12:00:00 AM
ThrottleIdentity : RestartService/Default/Microsoft.Office.Datacenter.Monitoring.ActiveMonitoring.Recovery.Re
startServiceResponder/SearchServiceRunningRestartSearchService/MSExchangeFastSearch
ThrottleParametersXml : <ThrottleConfig Enabled="True" LocalMinimumMinutesBetweenAttempts="60"
LocalMaximumAllowedAttemptsInOneHour="-1" LocalMaximumAllowedAttemptsInADay="4"
GroupMinimumMinutesBetweenAttempts="-1" GroupMaximumAllowedAttemptsInADay="-1" />
TotalLocalActionsInOneHour : 0
TotalLocalActionsInOneDay : 0
TotalGroupActionsInOneDay : 0
Filtering Managed Availability Server Reboots
To show only the events when Managed Availability restarted a server we could customise the PowerShell command to something like the example below:
(Get-WinEvent -LogName Microsoft-Exchange-ManagedAvailability/* | Foreach-Object {[XML]$_.toXml()}).event.userData.eventXml | Where-Object {$_.ActionID -like "*ForceReboot*"} | Format-Table RequesterName
(Get-WinEvent -LogName Microsoft-Exchange-ManagedAvailability/* | Foreach-Object {[XML]$_.toXml()}).event.userData.eventXml | Where-Object {$_.ActionID -like "*ForceReboot*"} | Format-Table RequesterName
It is simple to extend the above sample to loop through multiple servers etc.
Cheers,
Rhoderick
