| EventID |
EntryType |
Source |
Message |
Action |
| 4 |
Error |
MSExchange Control Panel |
Current user: ‘<USER>’–Request for URL ‘<URL> failed with the following error:<ERROR> |
No action needed if not frequent. |
| 6 |
Error |
MSExchange CmdletLogs |
Cmdlet failed. Cmdlet <CMDlet>, <Parameters>. |
No action needed |
| 50 |
Error |
Microsoft-Windows-Time-Service |
The time service detected a time difference of greater than 5000 milliseconds for 900 seconds. The time difference might be caused by synchronization with low-accuracy time sources or by suboptimal network conditions. The time service is no longer synchronized and cannot provide the time to other clients or update the system clock. When a valid time stamp is received from a time service provider, the time service will correct itself. |
Register correct time source and check if it is correctly synchronized |
| 63 |
Warning |
Microsoft-Windows-WMI |
A provider, PolicyAgentInstanceProvider, has been registered in the Windows Management Instrumentation namespace <NAMESPACE> to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. |
No action needed if not frequent |
| 74 |
Warning |
MSExchange RBAC |
(Process w3wp.exe, <PID>) <user ID> in Microsoft.Exchange.Configuration.Authorization.WSManBudgetManager class. Leaked Value 1. |
test DataProtection Health Set http://technet.microsoft.com/en-us/library/ms.exch.scom.dataprotection(v=exchg.150).aspx |
| 106 |
Error |
MSExchange Common |
Performance counter updating error. Counter name is Time in Resource per second, category name is <Category name>. Optional code: <number>. Exception: The exception thrown is : <Exception text>. |
This is common error, which can be handled by re-registering performance counters (use http://support.microsoft.com/kb/2870416) |
| 111 |
Error |
AD FS |
The Federation Service encountered an error while processing the WS-Trust request <description> |
Chceck Technet articles based on exception (usually wrong username / password or wrong account) |
| 118 |
Error |
ExchangeStoreDB |
At <Time> the copy of database ‘<MDB GUID>’ on this server appears to be experiencing performance issues, possibly as a result of storage failure. Consult the event log on the server for other storage and “ExchangeStoreDb” events for more specific information about the failure. Recovery was not attempted. |
check Technet for right solution – https://technet.microsoft.com/en-us/library/hh361352(v=exchg.140).aspx |
| 129 |
Warning |
Microsoft-Windows-Time-Service |
NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: The entry is not found. |
Check NTP environment health |
| 131 |
Warning |
Microsoft-Windows-Time-Service |
NtpClient was unable to set a domain peer to use as a time source because of DNS resolution error on ‘<DNS name of NTP>’. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. |
Check DNS resolution for NTP client/Server |
| 139 |
Error |
ExchangeStoreDB |
At <Time> the copy of database ‘<MDB GUID>’ on this server appears to be experiencing performance issues, possibly as a result of storage failure. Consult the event log on the server for other storage and “ExchangeStoreDb” events for more specific information about the failure. Recovery was not attempted. |
check Technet for solution – https://social.technet.microsoft.com/Forums/en-US/878c4557-81ca-4aab-94f4-9fac30d4bb71/false-database-performance-alerts?forum=exchangesvradminlegacy |
| 139 |
Error |
ExchangeStoreDB |
At <time> the copy of database ‘<MDB name>’ on this server appears to be experiencing performance issues, possibly as a result of storage failure. Consult the event log on the server for other storage and “ExchangeStoreDb” events for more specific information about the failure. Recovery was not attempted |
Reset search index catalog for affected MDB (https://social.technet.microsoft.com/Forums/en-US/878c4557-81ca-4aab-94f4-9fac30d4bb71/false-database-performance-alerts?forum=exchangesvradminlegacy) |
| 143 |
Error |
MSExchange OWA |
RMS templates for the organization couldn’t be loaded due to Microsoft.Exchange.Security.RightsManagement.RightsManagementException:<exception, URL of RMS> |
check connectivity to RMS server from inside and outside of the organization |
| 245 |
Error |
ESE |
Information Store – <MDB ID>: The internal database copy (for seeding or analysis purposes) has been stopped because it was halted by the client or because the connection with the client failed.——For more information, click http://www.microsoft.com/contentredirect.asp. |
check seeding failures on affected servers and ints connection to backup software |
| 342 |
Error |
AD FS |
Token validation failed |
no action needed – wrong user credentials |
| 364 |
Error |
AD FS |
Encountered error during federation passive request. <Exception> |
Check TEchnet articles based on exception (usually wrong username / password) |
| 401 |
Error |
MSExchange Common |
The organization certificate named <ThumbPrint> in the Federation Trust object <TRUST OBJECT> cannot be found in the computer’s certificate store. Please review the Federation Trust properties and the certificates present in the certificate store of the server. |
Check servers for federation certificate. Import certificate if not present |
| 415 |
Warning |
AD FS |
The SSL certificate does not contain all UPN suffix values that exist in the enterprise. Users with UPN suffix values not represented in the certificate will not be able to Workplace-Join their devices. For more information, see http://go.microsoft.com/fwlink/?LinkId=311954. |
create ALIASES for your ADFS server farm. – https://technet.microsoft.com/library/dn614658.aspx |
| 489 |
Error |
ESE |
msexchangerepl <PID> Log Verifier <LOG BASE NAME>: An attempt to open the file “<LOG FILE>” for read only access failed with system error <ERROR ID>: “The process cannot access the file because it is being used by another process. “. The open file operation will fail with error <ERROR> |
check log file accessibility and file lock and its connection to antivirus and backup software |
| 507 |
Warning |
ESE |
Information Store – <MDB and PID>: A request to read from the file “<EDB file>” at offset <offset> for <bytes> bytes succeeded, but took an abnormally long time (<Time Span>) to be serviced by the OS. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem. |
Disk timeouts might be caused by several problems, check storage performance and its connection to other servers utilization (especially in virtualized environment, perform stress test for underlying storage) |
| 509 |
Warning |
ESE |
Information Store – <MDB and PID>: A request to read from the file “<EDB file>” at offset <offset> for <bytes> bytes succeeded, but took an abnormally long time (<Time Span>) to be serviced by the OS. In addition, <count> other I/O requests to this file have also taken an abnormally long time to be serviced since the last message regarding this problem was posted <time delay> seconds ago. This problem is likely due to faulty hardware. |
Disk timeouts might be caused by several problems, check storage performance and its connection to other servers utilization (especially in virtualized environment, perform stress test for underlying storage) |
| 510 |
Warning |
ESE |
Information Store – <MDB and PID>: A request to read from the file “<EDB file>” at offset <offset> for <bytes> bytes succeeded, but took an abnormally long time (<Time Span>) to be serviced by the OS. |
Connected to 507,509. Disk timeouts might be caused by several problems, check storage performance and its connection to other servers utilization (especially in virtualized environment, perform stress test for underlying storage) |
| 628 |
Warning |
ESE |
Information Store – <MDB and PID>: Database ‘<EDB file>’: While attempting to move to the next or–previous node in a B-Tree, the database engine skipped over <Number>–non-visible nodes in <Number> pages. It is likely that these non-visible–nodes are nodes which have been marked for deletion but which are–yet to be purged. The database may benefit from widening the online–maintenance window during off-peak hours in order to purge such nodes–and reclaim their space. If this message persists, offline–defragmentation may be run to remove all nodes which have been marked–for deletion but are yet to be purged from the database. |
check performance and space of MDB and log volume, check maintenance window size and icrease if needed |
| 629 |
Warning |
ESE |
Information Store – <MDB and PID>: Database ‘<EDB file>’: While attempting to move to the next or–previous node in a B-Tree, the database engine skipped over <Number>–non-visible nodes in <Number> pages. It is likely that these non-visible–nodes are nodes which have been marked for deletion but which are–yet to be purged. The database may benefit from widening the online–maintenance window during off-peak hours in order to purge such nodes–and reclaim their space. If this message persists, offline–defragmentation may be run to remove all nodes which have been marked–for deletion but are yet to be purged from the database. |
check performance and space of MDB and log volume, check maintenance window size and icrease if needed |
| 1000 |
Error |
Application Error |
Faulting application name<description> |
check faulting application and use Technet to find related article |
| 1000 |
Warning |
AD FS |
An error occurred during processing of a token request. The data in this event may have the identity of the caller (application) that made this request. The data includes an Activity ID that you can cross-reference to error or warning events to help diagnose the problem that caused this error. |
check event logs for Correlation Activity ID event logs and check technet for solution |
| 1006 |
Warning |
MSExchangeFastSearch |
The FastFeeder component received a connection exception from FAST. Error details: System.ServiceModel.FaultException`1[System.ServiceModel.ExceptionDetail]: |
check FAST search or recreate FAST from scratch https://social.technet.microsoft.com/Forums/office/en-US/9679decc-8707-4ace-80cf-5f57833e59c2/exchange-2013-content-index-status-unknown?forum=exchangesvrdeploy |
| 1007 |
Error |
MSExchangeDiagnostics |
Failed to create or start performance logs with error: System.ArgumentException: <Exception> |
Check servers if event log is frequent |
| 1008 |
Warning |
MSExchange ActiveSync |
An exception occurred and was handled by Exchange ActiveSync. This may have been caused by an outdated or corrupted Exchange ActiveSync device partnership. This can occur if a user tries to modify the same item from multiple computers. If this is the case, Exchange ActiveSync will re-create the partnership with the device. |
check CAS server configuration for max request length (http://blogs.technet.com/b/get-exchangehelp/archive/2013/06/10/event-id-1008-quot-maximum-request-length-exceeded-quot.aspx) |
| 1009 |
Warning |
MSExchangeFASTSearch |
The indexing of mailbox database <DB GUID> encountered an unexpected exception. Error details: Microsoft.Exchange.Search.Core.Abstraction.OperationFailedException: The component operation has failed. |
|
| 1009 |
Error |
MSExchangeHM |
Microsoft Exchange Health Manager worker process <PID> received restart request and will be stopped. Restart reason: <RASON> |
No action if not frequent |
| 1010 |
Warning |
MSExchangeFASTSearch |
An operation attempted against a FAST endpoint exprienced an exception. This operation may be retried. Error details: Microsoft.Exchange.Search.Fast.PerformingFastOperationException: An Exception was received during a FAST operation. —> System.ServiceModel.CommunicationException |
check FAST service connection to database |
| 1012 |
Error |
MSExchange Store Driver Submission |
The store driver failed to submit event <Event> mailbox <mailbox ID><MDB> couldn’t generate an NDR due to exception <Exception> |
No action needed. Usually caused by invalid sender |
| 1012 |
Error |
MSExchangeDiagnostics |
Data loss occurred in RetentionAgent: RetentionAgent: Data loss occurred. The size of this folder <Diagnostic logging path> has reached the max size allowed -<SIZE>. Some files will be purged. |
Connected to warning 1013. Consider increasing logging quota or redrect once it is available. Nowadays no action possible but cleaning logs. |
| 1013 |
Warning |
MSExchangeDiagnostics |
Potential data loss warning in RetentionAgent: RetentionAgent: Warning: Potential data loss. The size of this folder <Daily Perf logs path> has reached 95% of max size allowed – <SIZE>. Some data will be purged once it reaches the max limit. |
Connected to error 1012. Consider increasing logging quota or redrect once it is available. Nowadays no action possible but cleaning logs. |
| 1014 |
Warning |
Microsoft-Windows-DNS-Client |
Name resolution for the name <DNS record>. timed out after none of the configured DNS servers responded. |
Check if frequent, might be caused by maintenance |
| 1023 |
Error |
Perflib |
The description for Event ID ‘<Event ID number>’ in Source ‘<source>’ cannot be found. The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them. The following information is part of the event:'<Service>’, ‘<Event>’ |
check correct registry entries for event log mentioned in the event log message https://msdn.microsoft.com/en-us/library/windows/desktop/aa363661(v=vs.85).aspx |
| 1023 |
Warning |
MSExchange ActiveSync |
Exchange ActiveSync tried to access a mailbox on Mailbox server “<SERVER>”. It could not access the mailbox because the Mailbox server is offline. |
Check if frequent. Might be caused due to server in maintenance |
| 1028 |
Error |
MSExchange Store Driver Delivery |
OOF history corruption was detected in mailbox <SMTP> |
use New-MailboxRepairRequest for affected mailbox |
| 1029 |
Error |
MSExchange Store Driver Delivery |
Unable to open the OOF history folder <SMTP>. OOF history operation skipped. |
use New-MailboxRepairRequest for affected mailbox |
| 1032 |
Warning |
MSExchange ActiveSync |
The connection to mailbox <IDENTITY> on Mailbox server <SERVER> failed. Examine the event log of Mailbox server <SERVER> |
Check server if event is frequent |
| 1035 |
Warning |
MSExchangeFrontEndTransport |
Inbound authentication failed with error LogonDenied for Receive connector <Receive Connector Name> The authentication mechanism is <Authentication type>. The source IP address of the client who tried to authenticate to Microsoft Exchange is [<SourceIP>]. |
Check default authentication types for particular receive connector and change it according the best practice for Exchange server – https://technet.microsoft.com/cs-CZ/library/aa996395(v=exchg.150).aspx |
| 1039 |
Error |
MSExchangeDiagnostics |
Failed to detect the bitlocker state for EDS log drive <Drive> |
If no Bitlocker enabled, service throuws an event, no action needed |
| 1039 |
Warning |
MSExchangeHMHost |
Worker process manager timed out after <Number> seconds while waiting for a retired process handles to close (process id : <PID> ). |
No action needed if infrequent |
| 1040 |
Error |
MSExchangeFrontEndTransport |
The SMTP availability of the Receive connector Server <Receive connector Name> was low (<number> percent) in the last 15 minutes. |
correct solution not available, probably caused by incorrect function of ExchangeHM, check free disk space for transport database and consider moving transport database to dedicated volume |
| 1040 |
Warning |
MSExchange ActiveSync |
The average of the most recent heartbeat intervals [<number>] for request [Sync] used by clients is less than or equal to [<number>].–Make sure that your firewall configuration is set to work correctly with Exchange ActiveSync and direct push technology. Specifically, make sure that your firewall is configured so that requests to Exchange ActiveSync do not expire before they have the opportunity to be processed. |
For more information about how to configure firewall settings when using Exchange ActiveSync, see Microsoft Knowledge Base article 905013, “Enterprise Firewall Configuration for Exchange ActiveSync Direct Push Technology” (http://go.microsoft.com/fwlink/?linkid=3052& kbid=905013). |
| 1050 |
Warning |
MSExchange Extensibility |
The execution time of agent ‘<Transport agent name>’ exceeded <Time span> milliseconds while handling event ‘<Transport Pipeline event>’ for message with InternetMessageId: ‘<Message ID>’. This is an unusual amount of time for an agent to process a single event. However, Transport will continue processing this message. |
check transport for messages in queues, restart transport service |
| 1051 |
Warning |
MSExchange Extensibility |
Agent ‘<Transport Agent name>’ caused an unhandled exception <Exception> |
update exchange for latest version, otherwise no action needed |
| 1057 |
Error |
MSExchange Extensibility |
Agent ‘<Transport agent name>’ went async but did not call Resume on the new thread, while handling event ‘<Transport Pipeline Event>’ |
This should be sent to the vendor of the application server calling async. logging according to: http://blogs.msdn.com/b/dvespa/archive/2013/02/18/exchange-2013-async-agent-resume-1057.aspx |
| 1077 |
Warning |
MSExchangeIS |
The mailbox <Identity> on database <MDB GUID> is approaching its storage limit. A notification has been sent to the user. This warning will not be sent again for at least twenty four hours. |
No action needed |
| 1079 |
Warning |
MSExchange Unified Messaging |
The VoIP platform encountered an exception RequestUri=sip:<sip URI and port>transport=Tls |
ID connected to 1136. check UM certificate. It must have SN as same as UM server name https://social.technet.microsoft.com/Forums/lync/en-US/59bdff60-355f-4105-9843-7e3e92a0d020/event-ids-1079-1136-hangups?forum=exchangesvrunifiedmessaginglegacy |
| 1111 |
Error |
UmrdpService |
Driver<DRIVER NAME> required for printer <PRINTER> is unknown. Contact the administrator to install the driver before you log in again. |
No action needed |
| 1136 |
Warning |
MSExchange Unified Messaging |
An error occurred while transferring a call to “<Extension>”. Additional information: The call transfer type is “Blind.”, the transfer target is “phone number”. Call ID: “<Call GUID>”. Referred by: “”. |
ID connected to 1079 check UM certificate. It must have SN as same as UM server name https://social.technet.microsoft.com/Forums/lync/en-US/59bdff60-355f-4105-9843-7e3e92a0d020/event-ids-1079-1136-hangups?forum=exchangesvrunifiedmessaginglegacy |
| 1282 |
Error |
Microsoft-Windows-FailoverClustering |
Security Handshake between local and remote endpoints ‘<Source endpoint IP>~ -> <remote endpoint IP>’ did not complete in ‘<time>’ seconds, node terminating the connection |
check DAG status if occurs frequently |
| 1309 |
Warning |
ASP.NET 4.0.30319.0 |
Event message: The request has been aborted<description> |
check ASP config in IIS and increase ASP request timeout value |
| 1657 |
Warning |
MSExchange Unified Messaging |
DTMF map update failed for recipient “<Recipient GUID>”. Tenant: “Enterprise”, Run Id: “<RunID GUID>”, Error: Unable to read recipient. |
check if recipient can be read by Exchange server (inheritable properties) and correct DTMF mapping https://technet.microsoft.com/en-us/library/aa996919(v=exchg.150).aspx |
| 1692 |
Warning |
MSExchange Unified Messaging |
The Microsoft Exchange Unified Messaging service couldn’t establish a media channel with the current Lync Server Audio/Video Edge resources associated with <LYNC host name and port>. Diagnostic information: No diagnostic information is available. |
check connection to EDGE server |
| 2001 |
Error |
MSExchange Certificate Notification |
A transient failure has occurred. The problem may resolve itself. <DESCRIPTION> |
No action needed if not frequent. |
| 2004 |
Warning |
MSExchange OAuth |
Unable to find the certificate with thumbprint <thumbprint> in the current computer or the certificate is missing private key. The certificate is needed to sign the outgoing token. |
check mentioned certificate, recreate OAUTH certificate – https://social.technet.microsoft.com/Forums/exchange/en-US/6d67e5ef-555e-41a5-8de9-2a56cf95363a/missing-the-microsoft-exchange-server-auth-certificate?forum=exchangesvradmin |
| 2005 |
Warning |
MSExchange Certificate Deployment |
Federation or Auth certificate not found: <THUMBPRINT>. Unable to find the certificate in the local or neighboring sites. Confirm that the certificate is available in your topology and if necessary, reset the certificate on the Federation Trust to a valid certificate using Set-FederationTrust or Set-AuthConfig. The certificate may take time to propagate to the local or neighboring sites. |
consider updating Federation trust with new certificate |
| 2005 |
Warning |
MSExchange Mid-Tier Storage |
<Process><Exception> |
check if frequent, this is common event log with no direct solution |
| 2009 |
Warning |
MSExchange Mid-Tier Storage |
[Process:Microsoft.Exchange.RpcClientAccess.Service PID:<PID> Thread:<THREAD>] Error occurred while resolving the Active Directory object for from email address field: ‘<SMTP address>’. Audit log will not be generated for this case. Exception details<DETAILS> |
No action needed if not frequent, caused by unknown object being searched in AD |
| 2030 |
Error |
MSExchangeFrontEndTransport |
The Ehlo options for the client proxy target <IP> did not match while setting up proxy for user <SMTP address> on inbound session <Session GUID>. The mismatched settings might cause some messages to get rejected. Continue with proxying even though there is a mismatch. The critical non-matching options were maxSize. The non-critical non-matching options were . |
Ensure that message size limits are same within all environment, especially FrontEnd and HUB transport messahe limits must correspond to not get messages rejected with NDR – http://technet.microsoft.com/en-us/library/bb124345(v=exchg.150).aspx |
| 2058 |
Error |
MSExchangeRepl |
The Microsoft Exchange Replication service was unable to perform an incremental reseed of database copy ‘<MDB copy name>’ due to a network error. The database copy status will be set to Disconnected. Error A timeout occurred while communicating with server <Server>’. Error: “A connection could not be completed within <time span> seconds.” |
test replication health against the affected database copy |
| 2091 |
Warning |
MSExchangeRepl |
Database: <MDB Copy>–Mailbox Server: <MBX Server>—Database <DB copy> will be mounted with the following loss information:–* The last log generated (known to the server) before the switchover or failover was |
check DAG MDB failover and Data loss settings |
| 2107 |
Warning |
MSExchange ADAccess |
Process Microsoft.Exchange.Directory.TopologyService.exe <PID>. Exchange Active Directory Provider failed to obtain an IP address for DS server <DNS name>, error <ERROR ID>. This host will not–be used as a DS server by Exchange Active Directory Provider. |
check DNS regarding to AD |
| 2120 |
Error |
MSExchange ADAccess |
Process Microsoft.Exchange.Directory.TopologyService.exe <PID>. Error ERROR_TIMEOUT (0x800705B4) occurred when DNS was queried for the service location (SRV) resource record used to locate a domain controller for domain <DOMAIN> |
check availability of DNS service for AD Topology Service |
| 2123 |
Warning |
MSExchange ADAccess |
Process Microsoft.Exchange.Directory.TopologyService.exe <PID>. Exchange Active Directory Provider is unable to connect to the Domain Controller <Domain Controller> |
check availability of DNS service for AD Topology Service |
| 2137 |
Warning |
MSExchangeRepl |
RPC request to the Microsoft Exchange Information Store service for log truncation failed for database <MDB copy name>. Error: Failed to notify source server ‘<source Exchange server name>’ about the local truncation point. Hresult: <result>. Error: Operation has been aborted. |
check mailbox database replay and copy queue length as well as truncation log time for lagged copy database |
| 2142 |
Error |
MSExchangeADTopology |
Process Microsoft.Exchange.Directory.TopologyService.exe <PID> Forest <FOREST>. Topology discovery failed, error details –TimedOut. |
No action needed if not frequent |
| 2153 |
Error |
MSExchangeRepl |
The log copier was unable to communicate with server ‘<Mailbox server name>’. The copy of database ‘<MDB copy name>’ is in a disconnected state. The communication error was: An error occurred while communicating with server ‘<Mailbox server name>’. Error: Unable to write data to the transport connection: An established connection was aborted by the software in your host machine. The copier will automatically retry after a short delay. |
check mailbox database copy health on mailbox servers experiencing errors |
| 2193 |
Warning |
MSExchange ADAccess |
Process Microsoft.Exchange.Directory.TopologyService.exe <PID>. Suitability check failed for server <DC> with an exception. <Exception> |
Check connection to affected DC. No immediate action needed. DC can be down for maintenance |
| 3008 |
Warning |
MSExchange Front End HTTP Proxy |
[Owa] Failed to refresh Mailbox server for database <MDB GUID> in resource forest . Exception:<Exception> |
check databases availability |
| 3028 |
Warning |
MSExchangeApplicationLogging |
Scenario: ProcessKillBit. Failed to read killbit list file because of exception System.IO.IOException: The process cannot access the file ‘<KillBit XML file path>’ because it is being used by another process. |
use handle.exe for killbit.xml file to chek which process is using it, consider antivirus and backup software exclusions for Exchange related files and paths according MS Best Practice |
| 3028 |
Warning |
MSExchangeApplicationLogic |
Scenario: ProcessKillBit. Failed to read killbit list file because of exception System.IO.IOException: The process cannot access the file ‘<Killbit file path>’ because it is being used by another process.<Exception> |
Check file accessibility. Might be caused by antivirus or backup |
| 4001 |
Warning |
MSExchangeIS |
Microsoft Exchange Information Store service has encountered a message (internet message id <ID>) with an invalid submit time (<TIME>). Duplicate copies of this message may be delivered. |
No action if not frequent |
| 4002 |
Error |
MSExchange Availability |
Process <PID>: ProxyWebRequest CrossSite from <GUID> to https://ex13-cz-02.cz.avg.com:444/ews/Exchange.asmx failed <Description> |
check EWS authentication and settings on both endpoints – https://social.technet.microsoft.com/Forums/exchange/en-US/fbaeb391-ab2b-428a-a376-12c3845c67b2/event-id-4002-availability-server |
| 4009 |
Error |
MSExchange Availability |
Process Microsoft.Exchange.InfoWorker.Common.Delayed`1[System.String]: Unable to open connection for mailbox <MAILBOX><EXCEPTION> |
No action if not frequent |
| 4026 |
Error |
MSExchangeRepl |
[Seed Manager] The seed request for database ‘<DB ID>’ encountered an error during seeding. Error: An Exception was received during a FAST operation. |
check index and FAST service state for the database mentioned in error description |
| 4057 |
Error |
MSExchangeRepl |
The Microsoft Exchange Replication service encountered an unexpected error in log replay for database <ID>. Error MapiExceptionMdbOffline: LogReplayRequest rpc failed. |
check if exists after correction of HC – bring DB online |
| 4065 |
Error |
MSExchangeRepl |
The Microsoft Exchange Replication service sent a request to Hub Transport server <Server ID> to resubmit messages for database <DB ID> between time period |
check if exists-Test-ReplicationHealth |
| 4082 |
Error |
MSExchangeRepl |
The replication network manager encountered an error while monitoring events. Error: Microsoft.Exchange.Cluster.Replay.ClusterNetworkNullSubnetException: Cluster network |
check if exists – Test-ReplicationHealth |
| 4110 |
Error |
MSExchangeRepl |
The Microsoft Exchange Replication service has suspended log replay on database <DB ID> because the current copy queue length of 16 exceeds the threshold of 12. Replay will automatically be resumed when the queue length falls below 5 |
check queues and DB replicas |
| 4112 |
Warning |
MSExchange ADAccess |
Process <PROCESS><PID>. AD Session operation failed on DC <DC> because this server is not suitable at the moment. DomainController value set on the session instance: <DESCRIPTION> |
No action needed if not frequent, might be caused by patching |
| 4401 |
Error |
MSExchangeRepl |
Microsoft Exchange Server Locator Service failed to find active server for database ‘<DB GUID> Error: An Active Manager operation failed. Error: Invalid Active Manager configuration. |
check DAG status and cluster service |
| 4999 |
Error |
MSExchange Common |
Watson report about to be sent for process id: <PID>,<SERVICE>,<INFO> |
Check if log is frequent |
| 5004 |
Warning |
MSExchange Mid-Tier Storage |
User mailbox <USER> has exceeded the calendar logging quota. Calendar logging has been stopped for the mailbox until more space becomes available. |
No action needed or increase log space for mailbox (Set-Mailbox) |
| 6004 |
Error |
MSExchange Common |
ADDriverLogs: Failed to write logs because of the error: Access to the path ‘Microsoft.Exchange.Store.Worker.exe__<NO>.LOG’ is denied.. |
no direct action needes, check log path, disk space and file lock |
| 7024 |
Error |
Service Control Manager |
The Cluster Service service terminated with the following service-specific error: |
check health of DAG |
| 7024 |
Error |
Service Control Manager |
The <SERVICE> service terminated with the following service-specific error: <ERROR> |
Check mentioned service and affected servers |
| 7031 |
Error |
Service Control Manager |
service named in event ID terminated unexpectedly |
check service and repair according Technet articles of particular service |
| 7031 |
Error |
Service Control Manager |
The Microsoft Exchange Diagnostics service terminated unexpectedly. It has done this <number> time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service. |
No action needed if service is running |
| 7032 |
Error |
Service Control Manager |
The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the <Service Name> service, but this action failed with the following error:<type> |
check service restart according Technet articles |
| 8015 |
Warning |
Microsoft-Windows-DNS-Client |
The system failed to register host (A or AAAA) resource records (RRs) for network adapter–with settings:—— Adapter Name : <Description> |
Check DNS server connection timeouts, manually register network adapter by using ipconfig /registerDNS |
| 8020 |
Warning |
Microsoft-Windows-DNS-Client |
The system failed to register host (A or AAAA) resource records (RRs) for network adapter–with settings:—— Adapter Name : <Description> |
Check DNS server connection timeouts, manually register network adapter by using ipconfig /registerDNS |
| 8538 |
Warning |
MSExchangeIS |
The archive mailbox <MAILBOX GUID> on database <MDB GUID> has exceeded the maximum archive mailbox size. The user cannot copy or move items into the archive mailbox. All message retention actions that move items to the archive mailbox will fail, and the primary mailbox may contain items with expired retention tags until the archive mailbox is within the maximum size limit. The mailbox owner should be notified about the condition of the archive mailbox. |
info only – increase quota |
| 9037 |
Error |
MSExchange Assistants |
Service MSExchangeMailboxAssistants. An exception was encountered while processing a RPC. Method: Execute, Exception: <Exceprion> |
check mailbox Assistants based on Exception type (usually unknown database which occurs while DB was removed and IS service not restarted yet) |
| 9646 |
Error |
MSExchangeIS |
Mapi session <Recipient> with client type <client type> exceeded the maximum of 250 objects of type <Object type e.g. Message>. |
check limits for each mailbox servers – must be several times more than users located on mailbox server, check limits for MAPI (messages opened per folder) |
| 10006 |
Error |
MSExchange Mid-Tier Storage |
Active Manager Client experienced an AD timeout trying to lookup object <GUID> |
check availability of domain controllers (patching ETC) |
| 10015 |
Warning |
MSExchange Mid-Tier Storage |
Active Manager Client already doing query for object ‘<Objeckt GUID>’ on another thread, however this thread didn’t complete in 100 msec. |
no direct action needed, check DAG status |
| 10022 |
Warning |
MSExchangeMailboxAssistants |
The archive mailbox <Description> exceeded the archive warning quota <size> |
info only – increase quota, let user delete some content |
| 10025 |
Warning |
MSExchangeMailboxAssistants |
Processing of the current batch of items in mailbox <Description> failed. The expiration action is ‘MoveToArchive |
Connected to Event ID 10022 – folders cannot be moved to archive while quota exceeded |
| 10027 |
Error |
MSExchangeIS |
The archive mailbox <Description> exceeded the Recoverable Items Warning Quota. Please remove items from Recoverable Items or increase the Recoverable Items Warning Quota and Recoverable Items Quota. If the Recoverable Items Quota is exceeded, the user will be unable to delete items from the mailbox. |
info only – increase quota |
| 10028 |
Error |
DCOM |
The description for <ID> in Source ‘DCOM’ cannot be found. The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them. The following information is part of the <description> |
check correct registry entries for event log mentioned in the event log message https://msdn.microsoft.com/en-us/library/windows/desktop/aa363661(v=vs.85).aspx |
| 14021 |
Error |
MSExchange MailTips |
Group metrics generation was interrupted. <Description> |
Check group if it has corrupted membership or delegate values, restart OAB generation server (Exchange 2010) or check if generation of group matric in arbitration mailbox is not skipped due to constantly high server workload https://technet.microsoft.com/en-us/library/jj674302(v=exchg.150).aspx |
| 14035 |
Error |
MSExchange MailTips |
Process Microsoft.Exchange.InfoWorker.Common.Delayed`1[System.String]: MailTips query failed for mailbox <MAILBOX><DESCRIPTION> |
No action if not frequent |
| 22004 |
Warning |
MSExchangeTransport |
The periodic heartbeat to primary server <Transport service FQDN> failed. |
check connectivity to servers and shadow redundancy (safety net) functionality |
| 24001 |
Error |
MSExchange CalendarRepairAssistant |
Calendar repair assistant related description <SMTP> |
check CRA logs for mentioned mailbox |
| 36887 |
Error |
SChannel |
A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 70. |
no action needed http://ficility.net/2013/10/21/exchange-2013-exchange-2010-windows-server-2012-schannel-event-id36888-1203-tlsssl-error-the-root-cause/ |
| 36888 |
Error |
SChannel |
A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 1203. |
no action needed http://ficility.net/2013/10/21/exchange-2013-exchange-2010-windows-server-2012-schannel-event-id36888-1203-tlsssl-error-the-root-cause/ |
FICILITY.NET 