Is there any replacement for Get-LogonStatistics in Exchange 2013 & 2016?

  • Question

  • Hello All,

    In Exchange 2010 we use Get-LogonStatistics to check which Exchange servers a particular user is connected to. It shows all the connections that are established from the particular user to any Exchange servers.

    Since that command is deprecated in Exchange 2013 and Exchange 2016, we would not be able to track all the connections from the particular user to Exchange servers.

    Is there any replacement in Exchange 2013 & 2016 to check all the established connections from the particular user to Exchange servers?

    On my end I have checked with netstat commands against all the Exchange servers by filtering on the particular IP address of the client machine, but it is not as user friendly as extracting the report by using Get-LogonStatistics.

    Please let me know your views and suggestions on this requirement, and also share whether there are alternative methods given by Microsoft.


    Thanks & Regards S.Nithyanandham




    Friday, October 27, 2017 7:22 AM

All replies

  • Some of the information may be available in Get-MailboxStatistics, but there's no direct replacement for that cmdlet in Exchange 2013.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Friday, October 27, 2017 6:30 PM
    Moderator
  • Agree with Ed.

    Instead, we can analyze the IIS log and the RPC Client Access log to find out more information about the Exchange client.

    OWA, ActiveSync, ECP, EWS (includes Outlook 2011 and OS X mail clients) client: IIS log (default location: C:\inetpub\logs\LogFiles\W3SVC1) to get the client information.
    For example:
    2017-03-28 02:33:25 fe80::cce2:b193:1b07:74f7%12 POST /owa/auth.owa &CorrelationID=<empty>;&cafeReqId=af09dd09-ada4-461d-8cd5-8d70860021af;&encoding=; 443 
    contoso\three fe80::cce2:b193:1b07:74f7%12 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko 
    https://exc2016.contoso.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fexc2016.contoso.com%2fowa%2f 302 0 0 31

    Outlook client: RPC client Access Log (default location: C:\Program Files\Microsoft\Exchange Server\V15\Logging\RPC Client Access).
    For example:
    2017-03-28T03:16:17.456Z,2131,1,/o=Contoso/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=1ae25789565b477f9abd43c5940c8f5b-test16,,
    OUTLOOK.EXE,14.0.6025.1000,Classic,192.168.0.51,,,ncacn_http,Client=MSExchangeRPC,97ba2552-352e-420c-a8fc-75fb789b5b73|ff2ecc61-9378-45a6-aa57-91c010db1757,"""{E0AA311E-7A89-4693-ADB1-22DB4E703E5E}""",
    OwnerLogon,0,00:00:00.1870000,"Logon: Owner, /o=Contoso/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=1ae25789565b477f9abd43c5940c8f5b-test16 in 
    database 89e656e8-05c3-41f8-813b-4de95004dfe2 last mounted on EXC2016.contoso.com; 
    LogonId: 0",,,,test16@contoso.com,,

    Furthermore, we can use LogParser / LogParser Studio to analyze the IIS log.

    Regards,

    Allen Wang


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, October 30, 2017 7:46 AM
    Moderator
  • Hello Ed / Allen Wang,

    Thanks, Ed and Allen, for your suggestions. I agree we can make use of those RPC & IIS logs and Get-MailboxStatistics as an alternate option.

    In my environment I have around 150 Exchange servers. So to analyze my Outlook client connection, do I need to check only the RPC logs on the mailbox server where my mailbox resides, or on all the Exchange servers in my environment?

    The reason I am asking this question is that all of my Exchange servers (i.e. the count is around 150) are attached to the load balancer. So when my Outlook client connects to the namespace, it gets resolved to the load balancer's IP address, and from there the Outlook client query will go to any one of my Exchange servers. So in that case I believe I have to analyze the RPC logs on all the Exchange servers, because I don't know the name of the Exchange server which has handled my Outlook connection. Please correct me if my understanding is wrong. If my understanding is correct, I believe I need a script. Is there any script given by Microsoft to find out the currently established Outlook client connections to Exchange servers in the environment?

    To analyze these logs, out of 150 servers I first need to find out the names of the Exchange servers which have handled my Outlook query and its connections. Please tell me how I should do that.

    Note: If my understanding is wrong or my statement is not clear, please correct and inform me so I can make it clear.


    Thanks & Regards S.Nithyanandham




    Monday, October 30, 2017 9:30 AM
  • Yes, you're right. However, there's no such script to list a user's Outlook client and its information as far as I know.
    Here's a similar script for the Outlook versions and mode for Exchange 2013:
    https://gallery.technet.microsoft.com/office/Determine-all-outlook-d43bd71f

    Moreover, the RPC request will be proxied to the Exchange server by mailbox location.
    Thus, if you want to find or troubleshoot an Outlook issue with an individual mailbox, we can check the RPC Client Access log on the server which hosts this mailbox.

    Regards,

    Allen Wang



    Tuesday, October 31, 2017 3:46 AM
    Moderator
  • Hello Allen / All,

    Thanks for your reply. Just curious to know, and I would like to discuss the netstat results with you; the reason I would like to dig deep is that this kind of requirement is mandatory for an environment which contains a large number of servers.

    Here is the command which I have created to track all the Outlook connections currently established with the Exchange servers.

    $track = Get-ExchangeServer -Identity "EX*" | Select-Object -ExpandProperty name

    $track | foreach {Write-host $_ ; Invoke-Command -ComputerName $_ -ScriptBlock {NETSTAT.EXE -a -n -o | findstr "19.238.185.237" | findstr ":443"}}

    Note: I have given the IP address of my system and the port number to list the currently established connections from Outlook to my Exchange servers. In the output I could see my Outlook has established around five connections with different Exchange servers over port 443, and then from the output I tried to find the name of the process by using the PID value (which is 4) for the established connections, but it shows just the process name as SYSTEM and no other information.

    One weird behavior I have noticed is that the output doesn't show the name of the Exchange server which holds my mailbox. Other than that, it is connecting and listing other Exchange servers with the PID value as 4 and the process name as SYSTEM.

    After seeing these results, the questions which arise on my end are:

    Why has netstat not listed the name of the Exchange server which holds my mailbox?

    Netstat is showing the process ID as 4 for the other connected Exchange servers, but when I run tasklist against that PID it shows the process name as SYSTEM. I would like to know for which type of service connection my Outlook was connected to those Exchange servers.


    Thanks & Regards S.Nithyanandham


    Tuesday, October 31, 2017 6:16 AM
  • Hi,

    We can use NETSTAT.EXE to check the usage of port, foreign address and its application; however, it will not display the host name of the target IP address. Normally, the Exchange server will be behind a firewall, thus NETSTAT.EXE will find the public IP of the Exchange server.

    Therefore, I suppose that it's not a proper way to find the Exchange server which the Outlook client connects to.

    As I said above, the Outlook request will be proxied to the Exchange server which hosts this mailbox. Thus, we can find the server by "Get-Mailbox <User> | FL ServerName", then check the RPC Client Access log on this server.

    Regards,

    Allen Wang



    Thursday, November 2, 2017 2:28 AM
    Moderator
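
The two steps suggested in the replies above (locate the mailbox server with Get-Mailbox, then read that server's RPC Client Access log) can be scripted as follows. This is an added example, not code from the thread or from Microsoft. The function name Get-RcaUserSession is hypothetical, the column names are assumed to match the log's own "#Fields:" header, and the sample lines are constructed from the values in the log line quoted earlier.

```powershell
# Added example: keep one user's rows from RPC Client Access (RCA) log text.
# Column names are taken from the log's own "#Fields:" header line, so the
# parser does not depend on a fixed column order.
function Get-RcaUserSession {
    param(
        [Parameter(Mandatory)] [string[]] $Line,  # raw lines of one RCA log
        [Parameter(Mandatory)] [string]   $User   # SMTP address or legacyExchangeDN fragment
    )
    $header = $Line | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    if (-not $header) { throw 'No #Fields: header found; cannot map columns.' }
    $columns = ($header -replace '^#Fields:\s*', '').Split(',')

    $Line |
        Where-Object {
            # Skip blank and comment lines; literal, case-insensitive user match.
            $_ -and -not $_.StartsWith('#') -and
            $_.IndexOf($User, [StringComparison]::OrdinalIgnoreCase) -ge 0
        } |
        ConvertFrom-Csv -Header $columns |
        # Assumed column names; adjust to the header in your own log files.
        Select-Object 'date-time', 'session-id', 'client-software',
                      'client-software-version', 'client-mode', 'client-ip',
                      'protocol', 'operation', 'rpc-status'
}

# Constructed sample: shortened header, values modelled on the quoted log line.
$sample = @'
#Software: Microsoft Exchange Server
#Fields: date-time,session-id,seq-number,client-name,client-software,client-software-version,client-mode,client-ip,protocol,operation,rpc-status,user-email
2017-03-28T03:16:17.300Z,2131,0,/o=Contoso/cn=Recipients/cn=test16,OUTLOOK.EXE,14.0.6025.1000,Classic,192.168.0.51,ncacn_http,Connect,0,test16@contoso.com
2017-03-28T03:16:17.456Z,2131,1,/o=Contoso/cn=Recipients/cn=test16,OUTLOOK.EXE,14.0.6025.1000,Classic,192.168.0.51,ncacn_http,OwnerLogon,0,test16@contoso.com
2017-03-28T03:16:18.010Z,2140,0,/o=Contoso/cn=Recipients/cn=other01,OUTLOOK.EXE,14.0.6025.1000,Classic,192.168.0.77,ncacn_http,Connect,0,other01@contoso.com
'@ -split "`r?`n"

# Two rows are returned for test16; the other01 row is filtered out.
Get-RcaUserSession -Line $sample -User 'test16@contoso.com' | Format-Table -AutoSize

# Live use from the Exchange Management Shell (assumes the default log path
# quoted above and that the administrative share c$ is reachable):
# $server = (Get-Mailbox test16).ServerName
# $dir    = "\\$server\c`$\Program Files\Microsoft\Exchange Server\V15\Logging\RPC Client Access"
# $latest = Get-ChildItem $dir -Filter *.log | Sort-Object LastWriteTime | Select-Object -Last 1
# Get-RcaUserSession -Line (Get-Content $latest.FullName) -User 'test16@contoso.com'
```
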
  • Hello Allen,

    Thanks for your reply and sorry for my delay.

    Environment description: In my environment I am using MAPI over HTTP as the protocol, and all of my 156 Exchange servers are attached to the HW load balancer. So at first my Outlook client will connect to the LB, and from there Outlook connections will be assigned to some set of Exchange servers, and those connections will be proxied to the Exchange server which holds my user mailbox.

    My question is very simple: in the above scenario, how should I identify which Exchange servers my load balancer is assigning the connections to when I open my Outlook? That is, I would like to know which Exchange servers are participating in proxying the connections to the Exchange server which holds my user mailbox. What is your recommended way to find these details?

    Note: Parsing HTTP proxy and IIS logs on all 156 servers is a big task and a time-consuming process. But log parsing is still the only way which will be convenient once we identify the specific set of servers which participated in proxying. But how should I identify those server names?

    Additionally, in some blogs I have found that we may get those details by using the URLs mentioned below. Does Microsoft explain anything about the given URLs?

    Please replace with your namespace.

    https://nithya.test.com/mapi/nspi 

    https://nithya.test.com/mapi/emsmdb

    https://nithya.test.com/mapi/emsmdb/?showdebug=yes 

    Reference link :  http://www.msftexchange.org/mapi-over-http/


    Thanks & Regards S.Nithyanandham

    Monday, November 13, 2017 8:57 AM
  • Hello Allen,

    Any update on this?

    Is there any official article from MS which describes the usage of the links mentioned below and the outputs after link execution?

    https://nithya.test.com/mapi/nspi 

    https://nithya.test.com/mapi/emsmdb

    https://nithya.test.com/mapi/emsmdb/?showdebug=yes

    Note : Please replace with your namespace.


    Thanks & Regards S.Nithyanandham

    Tuesday, November 28, 2017 9:58 AM