0

Quick Tip: What Restarts Has Managed Availability Issued

Posted on by Rhoderick Milne [MSFT]

Exchange 2013 introduced the Managed Availability feature to provide a very capable automated monitoring and management framework.  Managed Availability allows Exchange to self diagnose and to self correct issues without having to escalate to a carbon life based unit for every issue.  Whilst Managed Availability may still have to page humans, the frequency is certainly reduced compared to Exchange 2010 and its SCOM Management Pack.

Some common question that arise with Managed Availability include:

  • What has Managed Availability done to my server?
  • How can I see what Managed Availability has done?
  • Why did my server reboot?
  • Why has Exchange moved my database from one server to another?

For the results of what Managed Availability has done we can look at the Event Logs.

Managed Availability Event logs

We can find these logs in the crimson channel, located under:

Applications and Services Logs\Microsoft\Exchange\ManagedAvailability

Exchange 2013 Managed Availability Event Logs

While it is great to review these logs, consulting them on multiple servers is time consuming. You will also notice that they do get very busy over time…..

PowerShell to the rescue!

Querying Managed Availability Logs Using PowerShell

To make it easier to parse event log content, we can convert it to XML.  The basic syntax to do the conversion could look like the below.  Do not run that against all the logs on an Exchange server as you will get hundreds of results.  We will get to filtering the results shortly!

 (Get-WinEvent -LogName Microsoft-Exchange-ManagedAvailability/* | Foreach-Object  {[XML]$_.toXml()}).event.userData.eventXml

(Get-WinEvent -LogName Microsoft-Exchange-ManagedAvailability/* | Foreach-Object  {[XML]$_.toXml()}).event.userData.eventXml

 

When parsed out, the fields will look like the below example:

auto-ns2                   : http://schemas.microsoft.com/win/2004/08/events
xmlns                      : myNs
Id                         : RestartService
InstanceId                 : 150326.065657.03497.001
ResourceName               : MSExchangeFastSearch
StartTime                  : 2015-03-26T18:56:57.0349771Z
EndTime                    : 2015-03-26T18:56:57.4880982Z
State                      : Finished
Result                     : Succeeded
RequestorName              : SearchServiceRunningRestartSearchService
ExceptionName              : [null]
ExceptionMessage           : [null]
Context                    : <LocalThrottlingResult IsPassed="true" MinimumMinutes="60" TotalInOneHour="0"
MaxAllowedInOneHour="-1" TotalInOneDay="0" MaxAllowedInOneDay="4"
IsThrottlingInProgress="true" IsRecoveryInProgress="false" ChecksFailed=""
TimeToRetryAfter="0001-01-01T00:00:00.0000000" />
<GroupThrottlingResult IsPassed="true" TotalRequestsSent="0" TotalRequestsSucceeded="0"
MinimumMinutes="0" TotalInOneDay="0" MaxAllowedInOneDay="0"
ThrottlingInProgressServers="" RecoveryInProgressServers="" ChecksFailed=""
TimeToRetryAfter="0001-01-01T00:00:00.0000000" Comment="Neither ThrottleGroupName or
ServersInGroup are specified. Allowing the operation for backward compatibility">
<ServerStats />
</GroupThrottlingResult>
CustomArg1                 : [null]
CustomArg2                 : [null]
CustomArg3                 : [null]
LamProcessStartTime        : 1/1/0001 12:00:00 AM
ThrottleIdentity           : RestartService/Default/Microsoft.Office.Datacenter.Monitoring.ActiveMonitoring.Recovery.Re
startServiceResponder/SearchServiceRunningRestartSearchService/MSExchangeFastSearch
ThrottleParametersXml      : <ThrottleConfig Enabled="True" LocalMinimumMinutesBetweenAttempts="60"
LocalMaximumAllowedAttemptsInOneHour="-1" LocalMaximumAllowedAttemptsInADay="4"
GroupMinimumMinutesBetweenAttempts="-1" GroupMaximumAllowedAttemptsInADay="-1" />
TotalLocalActionsInOneHour : 0
TotalLocalActionsInOneDay  : 0
TotalGroupActionsInOneDay  : 0

 

Filtering Managed Availability Server Reboots

To show only the events when Managed Availability restarted a server we could customise the PowerShell command to something like the example below:

 (Get-WinEvent -LogName Microsoft-Exchange-ManagedAvailability/* | Foreach-Object  {[XML]$_.toXml()}).event.userData.eventXml | Where-Object {$_.ActionID -like "*ForceReboot*"} | Format-Table  RequesterName

 

 

(Get-WinEvent -LogName Microsoft-Exchange-ManagedAvailability/* | Foreach-Object {[XML]$_.toXml()}).event.userData.eventXml | Where-Object {$_.ActionID -like "*ForceReboot*"} | Format-Table RequesterName

 

 

It is simple to extend the above sample to loop through multiple servers etc.

 

Cheers,

Rhoderick

Rhoderick Milne [MSFT]

More Posts

Leave a Reply

Your email address will not be published. Required fields are marked *