MS-203 Microsoft 365 Messaging – Troubleshoot Mail Flow Problem Part 3
5. Analyze Message Headers with the Remote Connectivity Analyzer
Let’s take some time now and talk about a really great web-based tool that Microsoft provides us. This tool is called the Remote Connectivity Analyzer, okay. Also known as RCA. We can get to this tool by typing testconnectivity.microsoft.com. So we’re going to open that up and there is a plethora of things here that you can do.
As you can see, there’s a lot of things here I can click on and do for Office 365 testing, Exchange Server testing, I’ve got Skype for Business, a link, other tools, message analyzer, SARA client, a lot of stuff here you can really get down and dirty with to test things in Exchange. Now what we’re actually looking at here though in this little lesson is we’re looking at message headers.
And Microsoft has a great little tool over here to the left called the message analyzer. So we’re going to click on that. This is going to let us paste message header information into this box and try and learn some information about that message and maybe what could be a problem. The first thing I need to do is get a message header. And there’s various ways we can do that. One way though, that’s pretty simple, is just to analyze the email itself. So if I actually jump over to my email, so I’m just going to go to portal.office.com, we’ll just pull this up through the Outlook app, okay. So you can actually analyze your email. And when you look at the email, you can view this header.
So I’ve got an NDR that I’ve received from trying to email a user. And I’m going to open up this little NDR here and I’m going to double-click on it, wait on it to pop up here and then I can scroll down here and view this information. So here is the message header in all its glory and all in clear text. And I’m just going to copy all of this. All right, copy it.
And then I’m going to paste it in the message header analyzer. We’re just going to paste it right here and we’re going to say analyze headers. So what this is going to do is it’s going to put it in an easy to read format, it’s going to break everything down for us and it’s going to give us an opportunity to analyze what’s going on here.
Okay? So it’s showing me authentication information. It was showing me if this email had been authenticated, the header information, if it was using what’s called DMARC. I’ve got content type. It shows that it was an application. Content type was application based and tells you winmail.dat was used. The content transfer was just binary, from this user jc@examlabpractice.com to a test user at examlabpractice.com. Subject was “This is an NDR test”, then thread index, date, message ID.
Now if you’re like a lot of people, you look at some of these things and you don’t really know what they are. The good news is that you can click on these and they actually will link you to the RFC article for what that actually is. Now, what is an RFC article? It’s a Request for Comments. These are the articles that were created by the Internet Society over the years to describe what technologies are, what they mean, and the standards of that technology on the Internet.
So for example, if I click on authentication results, it’s going to take me to this RFC article that gets into what the message headers are and each individual thing on the message header. So I could do that, I can click each one of these and it’ll bring me to different articles that can help me understand what those particular headers are. And essentially what this is going to do is help you break these message headers out to where it’s easier for you to understand what was going on and view things that were happening. Another thing you can do is if you’re ever dealing with compliance in Exchange, let me jump over to Exchange Online.
If you’re ever dealing with compliance in Exchange, you’ve got compliance management where you can have rules in place that may have prevented email. So that could be a reason why a message didn’t go through. You’ve got rules that have stopped it. You’ve also got protection in Exchange Online. Protection can also prevent email from flowing through.
So another reason why that email might not have gone through is it could have gotten quarantined, for example. And if a message ever gets quarantined, any of those messages that are quarantined here through Exchange Online, you actually can view that right here. So I can actually go here and view that message. And if you click on it, you’re able to actually see the message header and then you would be able to copy and paste that into this message header analyzer.
Now also note that this is being moved, so quarantine actually has a new home; it says please start using the new page. So it’s actually now going to be located over in the Security and Compliance Center and they let you link over to that. If you want to go straight over there, it lets you link over to the Security and Compliance Center and this is where it’s going to show you. It’s underneath this threat management.
By the way, if you ever want to get here without having to go through Exchange, if you just start on the portal, portal.microsoft.com is sort of your starting point. You can get there by clicking Show All, come down here to Security and click that and that will take you to the Security and Compliance Center. That’s how you get there without having to click through Exchange, because eventually they’re going to remove stuff directly out of Exchange.
But I could go here under threat management and I’m able to go through here and it gives me some good information as to what’s going on, different threats. So if something was to get quarantined, or if it was a compliance filtering through Exchange Online, you can view all that here, and that’s basically what they’re showing you right here.
But that’s another way you can get email headers, so you can get these message headers through the Outlook client, or Outlook on the web, whatever. You can grab the message header and paste that into the message header analyzer, or you can also get it through viewing the quarantine status and some of the compliance statuses through the Security and Compliance Center.
So that’s how you can actually get that header information. And again, the goal of the remote connectivity analyzer in regards to this is you can open up message header analyzer, you can paste it in, and it puts it in a much easier to read format for you. So it’s not necessarily going to fix the problem at all, but at least it breaks it down for you in an easy to read format that will help you try and solve what’s going on.
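The analyzer site only reformats the header block; the same breakdown can be done locally. Below is an added example, not part of the course and not Microsoft’s tool, that takes a pasted header block, walks the Received chain oldest-first, computes the delay at each hop, pulls the spf/dkim/dmarc verdicts out of Authentication-Results, and lists the things worth looking at first. The header block, the hostnames under .test, the 203.0.113.10 address and the timestamps are all constructed sample data.

```python
import re
from email import policy
from email.parser import HeaderParser
from email.utils import parsedate_to_datetime

# Constructed sample header block (not taken from the course). The .test
# hostnames and the 203.0.113.0/24 address are documentation values.
SAMPLE_HEADERS = """\
Received: from MAIL2.example.test (10.0.0.5) by MAIL1.example.test
 (10.0.0.4) with Microsoft SMTP Server; Mon, 2 Jan 2023
 10:00:03 +0000
Received: from mx.partner.test (203.0.113.10) by MAIL2.example.test
 (10.0.0.5) with Microsoft SMTP Server; Mon, 2 Jan 2023 10:00:01 +0000
Authentication-Results: spf=pass (sender IP is 203.0.113.10)
 smtp.mailfrom=partner.test; dkim=fail (signature did not verify)
 header.d=partner.test; dmarc=fail action=quarantine
 header.from=partner.test
From: Sender <sender@partner.test>
To: testuser@examlabpractice.com
Subject: This is an NDR test
Message-ID: <abc123@partner.test>
Content-Type: application/ms-tnef; name="winmail.dat"

"""

# "from <host> (<info>) by <host>" as written by most MTAs, Exchange included
RECEIVED_RE = re.compile(
    r"^from\s+(?P<src>\S+)\s*(?:\((?P<src_info>[^)]*)\))?\s+by\s+(?P<dst>\S+)",
    re.IGNORECASE)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def parse_headers(raw):
    """Parse a pasted header block; policy.default unfolds wrapped lines."""
    return HeaderParser(policy=policy.default).parsestr(raw)


def received_hops(msg):
    """Received chain oldest-first (the block lists the newest hop on top)."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(str(value).split())        # collapse any leftover folding
        m = RECEIVED_RE.match(text)
        stamp = text.rsplit(";", 1)[-1].strip()    # the timestamp follows the last ';'
        try:
            when = parsedate_to_datetime(stamp)
        except (ValueError, TypeError):
            when = None
        hops.append({
            "from": m.group("src") if m else None,
            "from_info": (m.group("src_info") or "") if m else "",
            "by": m.group("dst") if m else None,
            "time": when,
        })
    return hops


def hop_delays(hops):
    """Seconds between consecutive hops; a large gap names the server that held the mail."""
    delays = []
    for earlier, later in zip(hops, hops[1:]):
        if earlier["time"] and later["time"]:
            delays.append(int((later["time"] - earlier["time"]).total_seconds()))
        else:
            delays.append(None)
    return delays


def auth_results(msg):
    """spf/dkim/dmarc verdicts from Authentication-Results, lower-cased."""
    text = " ".join(str(msg.get("Authentication-Results", "")).split())
    return {k.lower(): v.lower() for k, v in AUTH_RE.findall(text)}


def analyze(raw):
    msg = parse_headers(raw)
    hops = received_hops(msg)
    return {
        "from": str(msg.get("From", "")),
        "to": str(msg.get("To", "")),
        "subject": str(msg.get("Subject", "")),
        "message_id": str(msg.get("Message-ID", "")),
        "content_type": msg.get_content_type(),
        "hops": hops,
        "delays": hop_delays(hops),
        "auth": auth_results(msg),
    }


def findings(report, slow_hop_seconds=60):
    """Plain-language list of what to check first; empty list means nothing stood out."""
    notes = []
    for check in ("spf", "dkim", "dmarc"):
        verdict = report["auth"].get(check)
        if verdict is None:
            notes.append(f"no {check} result recorded")
        elif verdict != "pass":
            notes.append(f"{check}={verdict}")
    for i, d in enumerate(report["delays"]):
        if d is not None and d > slow_hop_seconds:
            notes.append(f"hop {i + 1} -> {i + 2} took {d}s at {report['hops'][i]['by']}")
    if report["content_type"] == "application/ms-tnef":
        notes.append("body is TNEF (winmail.dat); non-Outlook clients may not render it")
    return notes


if __name__ == "__main__":
    rep = analyze(SAMPLE_HEADERS)
    for i, hop in enumerate(rep["hops"], 1):
        print(f"hop {i}: {hop['from']} ({hop['from_info']}) -> {hop['by']} at {hop['time']}")
    print("delays (s):", rep["delays"])
    print("auth:", rep["auth"])
    for note in findings(rep):
        print("check:", note)
```

Reading the output the same way the lecture reads the analyzer page: the hops tell you which server the message sat on, the auth line tells you whether it was SPF/DKIM/DMARC that got it quarantined, and the content-type line explains a winmail.dat attachment.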
6. Investigating Transport Logs
Up and we’re going to open up the location of where Exchange is at. Okay, so in my case, and let me just zoom in on this for you. In my case, Exchange is located in this Program Files folder and then we’re going to go to Microsoft Exchange V15. And then from there we’ve got some different folders here. In our case where we’re wanting to go is TransportRoles.
So we’re going to go to TransportRoles and then there is a folder called Logs. And then from there we have all these different logs that we can look at. So to start with, maybe I want to look at the front end transport service logs for my mailbox server, so I can actually go down here to front end and from there I can choose connectivity. And this is going to show me front end services for my mailbox server in connectivity with that.
Here’s my different logs that I’ve got available. You can see the timestamps on those. So I can sort by the newest to the oldest if I want and then I can double-click on that and see the different things that have been going on. Okay, so just kind of sort that out and I can analyze information and it tells me how it’s listed. Now granted I’ve got a little lab environment here so I don’t have a tremendous amount of load going on, but in a normal Exchange environment you’re going to see a lot of entries there and they tell you how each one of these fields is broken out.
And this is all a comma-separated value based format. Okay, so you can get some good information though from this, just being able to see if perhaps you’re getting errors, mail not being able to be transmitted from one place to another. You can pull this up and you can view those logs.
And of course again, you’ve got other logs that you can pull up as well. For example, I can do message tracking and this is going to focus more on the email side of things and I can have that sorted by date. Same thing. Double click on the log and you can see some information here.
Mail flowing. Keep in mind there’s other tools out there that you can use. You could pull this into a spreadsheet if you wanted to and it would break the commas up into different fields and it might be a little easier for you to read that way if you want, but this is just purely using Notepad. There’s actually a third-party tool out there that people like to use for viewing some of these logs as well. Okay, but this is showing you message tracking right here. Client IP, where the email came from, where it’s going in regards to the server forwarding out email and all that.
So I also can look at, let’s go back over here to logs again. All right, and I can analyze, let’s go to protocol log and we’ll look at particular protocols. We have an HTTP client, okay, nothing in there. So in order for a log to be generated, there’s got to be a service that actually utilizes that log.
So if you’ve got apps, you’ve got Outlook, you’ve got mobile clients connecting in, you’ve got web-based clients connecting in, you may see some different protocol messages get generated. In this case, I don’t have any. Now I also want to point out, and again, I know you guys have heard me say this before, I’m a big advocate for their knowledge base.
They have some great knowledge base articles that talk about all of these logs and help you kind of get down and dirty with some of these different logs. And I’ll pull that up on the screen here for you and you can take a look at it.
So if you look here, this is the transport logs in Exchange Server. Microsoft updates this pretty frequently as they update their Exchange services. So this is where it tells you each individual log, like this mailbox server log, the front end and where it’s at. Transport service log, connectivity logs are listed here.
Message tracking and delivery reports, you’ll see those. So the mailbox server for message tracking, that’s actually where I just was a little earlier. And it tells you the files and what service they belong to. And then pipeline tracing, the logs for that get back into Hub Transport and all of that. And then the protocol logs, like here is SMTP send, SMTP receive.
Those are connector logs. So I can see logs involving my connectors going in and out of Exchange. You’ve got routing table logs, making decisions on traffic being routed. So there’s all sorts of logs. And so here’s the thing. What you’ve got to think about when dealing with this in Exchange is, well, if I’m experiencing a problem, what kind of problem am I experiencing and which service would that link to?
Is it the Client Access server interacting with clients? And clients are not able to interact with the Client Access server for the email? Is it Exchange trying to talk to another Exchange server? Is it Exchange trying to talk to something on the outside? And so based on those criteria, it would depend on which log you would want to use, whether it be a front end thing, whether it be a transport thing, whether it be a mailbox database specific thing.
And then you would view the log based upon which of those services that you would be dealing with. Okay, so all in all though, Exchange has got a lot of different logs that you can utilize to benefit you. It’s just a matter of familiarizing yourself with it and then trying to break down what the problem involves and which log is going to help me figure out that problem.
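Opening a message tracking log in Notepad or a spreadsheet works, but the comment lines and the '#Fields:' header are what make the file machine-readable. The following is an added example, not from the course and not an Exchange or Microsoft tool, that reads a tracking log in that layout, follows one message by its Message-ID through RECEIVE/DELIVER/FAIL events, lists the recipients that failed or deferred with the SMTP status the log recorded, and computes how long delivery took. The log text is a constructed sample; it uses only a subset of the field list a real Exchange log carries, which is an assumption made to keep the example short, and the .test hostnames and 203.0.113.10 address are documentation values.

```python
import csv
from datetime import datetime

# Constructed sample in the layout Exchange writes: '#' comment lines, a
# '#Fields:' header, then CSV rows. Field subset chosen for the example.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Version: 15.01.0000.000
#Log-type: Message Tracking Log
#Date: 2023-01-02T10:00:00.000Z
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,internal-message-id,message-id,recipient-address,recipient-status,total-bytes,recipient-count,message-subject,sender-address,return-path,directionality
2023-01-02T10:00:01.120Z,203.0.113.10,mx.partner.test,10.0.0.5,MAIL2,,Default Frontend MAIL2,SMTP,RECEIVE,101,<abc123@partner.test>,testuser@examlabpractice.com,,4096,1,This is an NDR test,sender@partner.test,sender@partner.test,Incoming
2023-01-02T10:00:01.500Z,,,10.0.0.5,MAIL2,,,AGENT,AGENTINFO,101,<abc123@partner.test>,testuser@examlabpractice.com,,4096,1,This is an NDR test,sender@partner.test,sender@partner.test,Incoming
2023-01-02T10:00:02.000Z,,,10.0.0.5,MAIL2,Mailbox Database 1,,STOREDRIVER,DELIVER,101,<abc123@partner.test>,testuser@examlabpractice.com,,4096,1,This is an NDR test,sender@partner.test,sender@partner.test,Incoming
2023-01-02T10:05:10.000Z,10.0.0.20,CLIENT1,10.0.0.5,MAIL2,,,STOREDRIVER,SUBMIT,102,<def456@examlabpractice.com>,nosuchuser@partner.test,,2048,1,Re: This is an NDR test,jc@examlabpractice.com,jc@examlabpractice.com,Originating
2023-01-02T10:05:11.000Z,,,10.0.0.5,MAIL2,,,STOREDRIVER,RECEIVE,102,<def456@examlabpractice.com>,nosuchuser@partner.test,,2048,1,Re: This is an NDR test,jc@examlabpractice.com,jc@examlabpractice.com,Originating
2023-01-02T10:05:12.000Z,203.0.113.10,mx.partner.test,10.0.0.5,MAIL2,,Outbound to Internet,SMTP,FAIL,102,<def456@examlabpractice.com>,nosuchuser@partner.test,550 5.1.1 User unknown,2048,1,Re: This is an NDR test,jc@examlabpractice.com,jc@examlabpractice.com,Originating
"""


def parse_tracking_log(text):
    """Rows as dicts keyed by the '#Fields:' names; other '#' lines are skipped."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row before the #Fields header")
        values = next(csv.reader([line]))      # csv handles quoted subjects with commas
        rows.append(dict(zip(fields, values)))
    return rows


def _ts(value):
    """Exchange writes UTC timestamps with millisecond precision and a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")


def events_for(rows, message_id):
    """All events for one message, oldest first."""
    return sorted((r for r in rows if r["message-id"] == message_id),
                  key=lambda r: _ts(r["date-time"]))


def failed_deliveries(rows):
    """(message-id, recipient, event, status) for every FAIL/DEFER recipient."""
    out = []
    for r in rows:
        if r["event-id"] in ("FAIL", "DEFER"):
            for rcpt in r["recipient-address"].split(";"):   # multi-recipient rows use ';'
                out.append((r["message-id"], rcpt.strip(), r["event-id"], r["recipient-status"]))
    return out


def delivery_latency(rows, message_id):
    """Seconds from the first RECEIVE to DELIVER/SEND, or None if it never got there."""
    evs = events_for(rows, message_id)
    received = next((e for e in evs if e["event-id"] == "RECEIVE"), None)
    handed_off = next((e for e in evs if e["event-id"] in ("DELIVER", "SEND")), None)
    if received is None or handed_off is None:
        return None
    return round((_ts(handed_off["date-time"]) - _ts(received["date-time"])).total_seconds(), 3)


def trace(rows, message_id):
    """One printable line per event: time, source, event, recipient, status."""
    return [f"{e['date-time']} {e['source']:<12} {e['event-id']:<10} "
            f"{e['recipient-address']} {e['recipient-status']}".rstrip()
            for e in events_for(rows, message_id)]


if __name__ == "__main__":
    rows = parse_tracking_log(SAMPLE_LOG)
    for mid in ("<abc123@partner.test>", "<def456@examlabpractice.com>"):
        print(mid, "latency:", delivery_latency(rows, mid))
        for line in trace(rows, mid):
            print("  ", line)
    print("failed:", failed_deliveries(rows))
```

This is the same question the lecture asks, which log answers which problem: a message with RECEIVE but no DELIVER or SEND is stuck in transport, a FAIL row names the recipient and carries the remote server’s status code, and the RECEIVE-to-DELIVER gap shows whether the delay was on this server at all.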