Problem was that an event ID 1040 was logged which says, a server based rule
(configured in Outlook) was stopped, but without mentioning the reason or more details.
Event ID: 1040
Provider: MSExchangeIS Mailbox Store
Message: The rule "rulename"" with the sequence number 20 was disabled due to the error -2147467259 that was encountered while applying the rule.
The problem was absolute sporadic.
So the plan was to configure diagnostic logging and to create an extra trace.
This extra trace can be sent in to Microsoft for further analysis.
The extra trace should run all the time and should be stopped after the problem happens.
The challenge here was how to stop the trace, at the time the problem happens, so that the
log file, would not get overwritten.
Here is what you can do if the operating system on which Exchange 2007 runs on is windows 2008:
The steps are:
Set diagnostic logging (in this case diagnostic logging for private rules)
On the Exchange server open the powershell:
Set-EventLogLevel "MSExchangeIS\9000 Private\Rules" -level high
a) Start tracing:
Go to c:\program files\microsoft\Exchangeserver\bin
From there start the extra.exe
Select a task
Trace control; OK
Select trace file location: Enter the path where the file should be saved
Select trace file name: Enter the file name
Enter max trace file size (MB): Enter 250
Select trace file behavior: Circular logging
Select manual trace tags:
- Trace Types: Select all except performance
- Components to Trace: On the left site click on: Store
- Trace Tags: On the right site select:
Then check the checkbox "show only enabled components" and the checkbox: “Show only enabled tags”.
If other components or tags are enabled then the ones we selected please uncheck them
Click on start tracing. Then let the GUI stay as it is.
b) Configure to stop the tracing based on event 1040:
Attach to the event 1040 in event viewer:
Go to start, run: eventvwr.exe
In event viewer go to Windows Logs, Application, right click on the event 1040 and click on
"attach task to this event"
Give it a name and a description, click on the next button 2 times
Select "Start a program"
Arguments: stop -ets -n ExchangeDebugTraces
click on next and click on finish
c) check if the trace is running:
Start perfmon.exe and check if the session is running:
Go to start, run: perfmon
Data Collector Sets
Event Trace Sessions
There you should see a session called "ExchangeDebugTraces"
It should be shown as running.
d) After the log file is created
After the event occurred in the event log the trace should be stopped.
In perfmon you should no longer see the "ExchangeDebugTraces" session .
The you can close the GUI from extra.exe
To clear the task from the task scheduler:
Start, Programs, Administrative Tools, Task Scheduler
In the Task Scheduler, go to Task Scheduler Library, Event Viewer Tasks and delete the tasks you created earlier.
You can set the diagnostic logging back to none:
Set-EventLogLevel "MSExchangeIS\9000 Private\Rules" -level lowest