Troubleshooting message journaling in Exchange Server 2003 and in Exchange 2000 Server

Article translations Article translations
Article ID: 843105 - View products that this article applies to.
Expand all | Collapse all

On This Page

INTRODUCTION

In Microsoft Exchange Server, the message journaling feature saves a copy of every e-mail message that is sent from or received on a specific Exchange store. Message journaling works only for e-mail messages of senders or of recipients that have the Archive all messages sent or received by mailboxes on this store setting enabled.

Note Message journaling is also known as Message Archiving in the Help files in Exchange 2000 Server and in Exchange Server 2003. However, message journaling is different from the Archive Sink event sink utility that is available in Exchange 2000 Server Service Pack 2.

MORE INFORMATION

Message journaling terminology

Bifurcation In the bifurcation process, the categorizer generates a copy of an original message to the journal recipient or to the object that is specified in Exchange System Manager to receive copies of the archived message.

XEXCH50 The XEXCH50 extension is an Extension to SMTP (ESMTP) extension that is used for relay of certain properties, such as envelope properties, message properties, and recipient properties. The PR_CONTENT_IDENTIFIER identifier in an XEXCH50 binary large object (BLOB) is set to the ExJournalData string. The ExJournalData string enables journal messages to be recognized as they move from server to server on the delivery path to the journal recipient. If the XEXCH50 binary large object is not propagated between Exchange Server computers, duplicate messages may result.

Journal Recipient The journal recipient is the mailbox or the recipient that all journaled messages are destined for. The journal recipient is the distinguished name (DN) in the msExchMessageJournalRecipient attribute of the journaled stores.

Types of message journaling

The three types of message journaling are standard journaling, BCC journaling, and envelope journaling. Standard journaling is the simplest type of journaling. Envelope journaling is the most complex type of journaling. It has the most features. For all three types of journaling, you must enable the Archive all messages sent or received by mailboxes on this store setting on each mailbox store that you want to archive.

Standard journaling

Standard journaling bifurcates a copy of the original message to a journal recipient that you select by using the object picker. (Standard journaling is also known as message-only journaling.)

With standard journaling, you cannot journal MAPI reports. Examples of MAPI reports are delivery receipts of the Report.ipm.note.dr message class, read receipts, and non-delivery notifications (NDRs) of the Report.ipm.note.ndr message class.

By default, standard journaling does not capture the expansion of distribution groups, does not journal BCC recipients, and does not journal alternate recipients.

Note In Exchange 2000 Server and in Exchange Server 2003, message journaling is enabled only on individual mailbox stores. It is not enabled organization-wide. Additionally, message journaling cannot be enabled on public folder store databases. Public folder posts cannot be journaled.

To enable standard journaling, follow these steps:
  1. In Exchange System Manager, click Servers.
  2. Click Storage Group, right-click the mailbox store object that you want to turn on message journaling for, and then click Properties.
  3. On the General tab, click to select the Archive all messages sent or received by mailboxes on this store check box, and then click Browse to select an account for the archived messages.
  4. Repeat steps 1 through 3 for each mailbox store object where you want to turn on standard journaling. If you want to archive all messages in your Exchange organization, you must enable standard journaling on every mailbox store on every Exchange Server 2003 computer and on every Exchange 2000 Server computer in your Exchange organization.
Note Additionally, you can create a Mailbox System Policy that has message journaling enabled. You can add specific mailbox stores to the system policy.
For more information, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/library/aa996378.aspx
Additionally, you can add a BCC feature to standard journaling. It captures BCC recipients on a message.

To turn on BCC journaling, follow these steps.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
  1. Enable standard journaling, as described earlier in this article.
  2. Start Registry Editor.
  3. Locate and click the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeTransport\Parameters
  4. Create a Reg_DWORD key that is named JournalBCC, and then set the value to 1.
  5. Restart the SMTP service.
Note Do not use the JournalBCC registry key when you use envelope journaling. The JournalBCC key will break envelope journaling.

For more information about the JournalBCC registry key, click the following article number to view the article in the Microsoft Knowledge Base:
810999 Bcc information is lost for journaled messages in Exchange 2000

Envelope journaling

Envelope journaling involves capturing all the available RFC2821 recipients and all the RFC2822 recipients, including CC recipients and BCC recipients. Envelope journaling embeds the original message in a message with the list of all those final recipients that received or will receive the message.

Envelope journaling capabilities include the following:
  • Capturing all final RFC2821 recipients and RFC2822 recipients of a message.
  • Capturing all members of a distribution group expansion.
  • Capturing reports that include delivery receipts, NDRs, read receipts, and out-of-office notifications.
Envelope journaling does not support the JournalBCC registry key, because the BCC recipients are included in the journaled message envelope already.

Note Envelope journaling does not work with the JournalBCC registry key. Do not enable this key while you use envelope journaling.

The following is part of an envelope journal report:
Sender: "External E-mail Support" <smtp:Administrator@contoso.com>
Message-ID: <72F2A6CEB90C7F4C8D051364BF4A9FA41A89@lag.contoso.com
<mailto:72F2A6CEB90C7F4C8D051364BF4A9FA41A89@lag.contoso.com>>
Recipients: 
"External E-mail Support" <smtp:Administrator@contoso.com>,
"Lene Aalling" <smtp:lenea@contoso.com>,
"Katja Heidemann" <smtp:katjaheidemann@contoso.com>, 
"Doug Hite" <smtp:doughite@contoso.com>,
"Chris" <smtp:chris@contoso.com>,
"Katja folder" <smtp:Katjafolder@contoso.com>,
"Wide World Importers Folder" <smtp:WWIFolder@contoso.com>,
"Jeff Low" <smtp:JLow@contoso.com>
To turn on envelope journaling, follow these steps:
  1. Turn on standard journaling.
  2. Run the exejcfg -e command.
Note Envelope journaling first became available in Exchange 2000 Server with an Exchange 2000 Server post-Service Pack 3 (SP3) hotfix. That hotfix is contained in the August 2004 Exchange 2000 Server post-Service Pack 3 update rollup.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
870540 Availability of the August 2004 Exchange 2000 Server post-Service Pack 3 update rollup

The E-mail Journaling Advanced Configuration tool, or Exejcfg.exe, turns on envelope journaling.

Note You can also turn on envelope journaling manually. To do this, set the decimal value 512 on the heuristics property of the Exchange organization object in the Active Directory directory service Configuration container. When you clear the 512 value on the heuristics property, Exchange 2000 post-SP3 and Exchange 2003 SP1 return to the default, standard journaling.

The following file is available for download from the Microsoft Download Center:
Exejcfg.exe
Collapse this imageExpand this image
Download
Download the Exejcfg.exe package now. For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Note The Exejcfg.exe tool is also available in Exchange Server 2003 SP1. The Exejcfg.exe tool is located in the i386\RTW folder. Although the Exejcfg.exe tool is listed as an Exchange Server 2003 tool, it works for both Exchange 2000 Server post-SP3 and Exchange Server 2003 SP1.

Envelope journaling became available in Exchange Server 2003 with Exchange Server 2003 SP1, and it is implemented the same way in Exchange Server 2003 SP1 that it is implemented in Exchange 2000 post-SP3. To implement envelope journaling in Exchange Server 2003, you must install Exchange 2003 SP1.

How message journaling works

Message journaling is handled by the transport component categorizer. The transport component categorizer is named Phatcat.dll. The first step in the journal process occurs on the first server to categorize the message, such as a mailbox server that a user is homed on or an Internet-facing bridgehead that receives mail from the Internet.

Specifically, if a user sends mail to and from a mailbox store where message journaling is turned on, the categorizer generates an additional copy of the message and then sends the copy to the journal recipient. The journal recipient could be a mailbox or a contact. This process is named bifurcation and is defined earlier in this article. For inbound Internet mail, the bridgehead server categorizes the message and then sends a separate copy of the incoming message to the journal recipient because the bridgehead determines that the recipient's store has been marked for message journaling. The attribute that the categorizer uses to determine if the recipient's store has been marked for message journaling is the msExchMessageJournalRecipient attribute on the mailbox store of the user. The msExchMessageJournalRecipient attribute is set to the DN of the user account object under which the messages for this store are archived.

Note Mailbox-enabled users are the recommended journal recipients in the organization. Do not use contacts or public folders. If you have to journal to an outside recipient, create a server-side rule to forward mail that is delivered to the designated journal mailbox to the contact that is specified in the server-side rule.

Also, do not use distribution groups as the journal recipient. If you do this, extra bifurcation occurs and an extra volume of messages is generated because of the topology that is involved when messages are sent to a distribution group. For example, a copy of each message is journaled to each member of the distribution group. This process may eventually cause a large extra load on the Exchange Server infrastructure. This extra load could cause mail flow stoppage.
Example

1> msExchMessageJournalRecipient: CN=Journal Mailbox,CN=Users,DC=contoso,DC=com
CN=Journal Mailbox,CN=Users,DC=contoso,DC=com

For message journaling to work effectively, the mailbox store has to be mounted on connector servers and on bridgeheads. Message journaling is a by-product of categorization, and the store has to be mounted in case the message is marked again for content-conversion by the categorizer.

If the journal recipient is not a valid object, such as a deleted object in Active Directory, mail will build up in the Awaiting Directory Lookup queue until this is corrected. This applies even if the mail is still physically on an inbound bridgehead.

In this case, Exchange 2003 SP1 will log an event ID 9035 if diagnostic logging is enabled at field-engineering level:

Event Type: Warning
Event Source: MSExchangeTransport
Event Category: Categorizer
Event ID: 9035
Date: 5/25/2004
Time: 9:37:44 AM
User: N/A
Computer: COMPUTERNAME
Description: Categorization of the message failed with a retryable error. Either some of the admin objects were renamed recently and changes were not picked or journaling was turned on for MDB (CN=Mailbox Store (MailboxServer),CN=First Storage Group,CN=InformationStore,CN=MailboxServer,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Org,CN=Contoso Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com) and the journal recipient's mailbox is deleted.

On every Exchange Server computer that a message traverses, message journaling is checked or assessed to determine if the message has to be journaled. Exchange Server computers are aware of the journal status of a message in transit through the XEXCH50 binary large object. In the XEXCH50 binary large object, the journal recipient copy is flagged with the following XEXCH50 PR_CONTENT_IDENTIFIER identifier: ExJournalData. This prevents journaling of the journal message. To prevent duplicates, the PR_JOURNAL_RECIPIENT_LIST in the XEXCH50 binary large object prevents the journaled message from being journaled two times. That is, the PR_JOURNAL_RECIPIENT_LIST prevents duplicate messages.

Categorizer

After the transport categorization process, a separate copy is created for the journal recipient:
------------------------------------------------------------
Message
------------------------------------------------------------

Message + Sender Information:

======================
MsgStatus: MP_STATUS_CATEGORIZED (5)
SMTP: Administrator@contoso.com <mailto:Administrator@contoso.com>
X500: CN=Administrator,CN=Users,DC=ti,DC=net
X400: c=US;a= ;p=Titanium;o=Exchange;s=Administrator;
LegacyEXDN: /o=Titanium/ou=First Administrative 
Group/cn=Recipients/cn=Administrator
Other: NONE
Msg822Subject: Hello
InternetMsgID: <72F2A6CEB90C7F4C8D051364BF4A9FA40278D0@lag.contoso.com
<mailto:72F2A6CEB90C7F4C8D051364BF4A9FA40278D0@lag.contoso.com>>
MTS_ID: c=US;a= ;p=Titanium;l=LAG-040128002844Z-25
MsgClass: NONE
EMP MsgClass: IPM.Note
MsgTracking Org Guid: {B34D99BB-861D-496D-B8C6-DF02E16BEE7C}
MsgTracking Submit time: 2004/1/28 00:28:44.750
Recipient #1
SMTP: doughite@contoso.com <mailto:doughite@contoso.com>
X500: CN=Doug User,CN=Users,DC=ti,DC=net
X400: c=US;a= ;p=Titanium;o=Exchange;s=User;g=Doug;
LegacyEXDN: /o=Titanium/ou=First Administrative Group/cn=Recipients/cn=doughite
Other: NONE
RP_FLAGS property set to 07000000
MDB guid: {96DF450F-3414-4816-8966-4A48626DA578}
User guid: {607D7996-011B-47AF-BD5A-F208671C6D1B}
RP_DOMAIN: Doug.contoso.com
AutoResponseSuppress: Not Set!
AltRecipExpanded: Not Set!

XEXCH50 PR_CONTENT_IDENTIFIER: NONE
XEXCH50 ContentType: (00000000)
XEXCH50 SendTNEF: TRUE
XEXCH50 PR_INTERNET_CONVERSION: NONE
XEXCH50 Override Format: NONE
XEXCH50 Override Charset: NONE
------------------------------------------------------------
Recipient #2
SMTP: journalmbx@contoso.com <mailto:journalmbx@contoso.com>
X500: CN=Journal Mailbox,CN=Users,DC=ti,DC=net
X400: c=US;a= ;p=Titanium;o=Exchange;s=Mailbox;g=Journal;
LegacyEXDN: /o=Titanium/ou=First Administrative Group/cn=Recipients/cn=journalmbx
Other: NONE
RP_FLAGS property set to 00000000
MDB guid: {4AF44A35-ECCE-484F-A5E9-FFC12D71255E}
User guid: {5284D454-7313-4ED1-BEA3-33B70C423C20}

RP_DOMAIN: contoso.com
AutoResponseSuppress: Not Set!
AltRecipExpanded: Not Set!
XEXCH50: NONE
XEXCH50 PR_CONTENT_IDENTIFIER: ExJournalData

------------------------------------------------------------

Components in the message journaling process

  • Categorizer
    Sub-component of the Advanced Queuing engine. Responsible for determining recipients and senders that have to be journaled, and for creating the journal messages.
  • SMTP Transport Stack

    Responsible for advertising and transmitting the XEXCH50 binary large object during an SMTP session after verifying the SendAs right on the sending server.
  • Exchange Store Driver

    Responsible for calling into the Exchange Information Store to make MBX store-delivery easier. Contracts the MIME body parts, the RFC 2821/2822 envelope properties retrieved by the CATEGORIZER sent through SMTP and XEXCH50.
  • Store.exe

    Responsible for delivering the journal reports to the journal mailboxes. It also guarantees that duplicate messages are not delivered to the journal recipients within one hour for message with the same Date/Time and Message_ID.

Best practices

  • Disk I/O

    The additional overhead of enabling message journaling is a minimum of between 10 percent and 15 percent. Direct-attached storage (DAS) tests that used simulated loads showed the following average disk I/O increases over the same load with journaling disabled:
    • Approximately 15.67 percent for database operations
    • Approximately 17 percent for transaction log file operations
    Similar load simulation tests that used storage area network (SAN) storage devices showed the following average disk I/O increases:
    • Approximately 4 percent for database operations
    • Approximately 8.25 percent for log file operations
    Note These tests were performed by using the Loadsim program to simulate loads of between 1000 users and 2000 users.

    RAID 0 + 1 or RAID 10 configurations are recommended. These configurations have proven to be more efficient than RAID 5 arrays on heavily used servers, and they provide more fault tolerance.
  • Back up the journal mailbox regularly.
  • Do not enable message journaling or archiving on the store that the journal recipient is on.
  • Hide the journal recipients from the Global Address List.
  • Do not put the users and the journal recipients on the same store to avoid incurring more disk overhead.
  • Avoid message journaling to public folders in standard journaling mode or in envelope journaling mode.

Questions and answers about common problems

  1. Question:
    Why do I receive a looping NDR 5.4.6 when I send e-mail to users and to the journal recipient?

    Answer:
    This is expected. The journal recipient does not receive e-mail typically like other users. The journal recipient must be hidden from the Global Address List. During categorization, the journal copy should be bifurcated from the beginning of the envelope chain. When the journal recipient is listed first on the list, the categorizer detects a potential loop and then generates an NDR.
  2. Question:
    Why does the store have to be mounted on my connector's servers or on front-end servers with no mailboxes?

    Answer:
    The store has to be mounted for bifurcation or for content-conversion to occur. Therefore, the store has to be mounted for message journaling also. Mail will build up if a message is being processed for a sender or for a recipient with message journaling enabled on their stores and if the processing server does not have a store mounted.
  3. Question:
    What is the effect on the store when message journaling is enabled?

    Answer:
    If the journal mailbox is on the same store as the users, the disk I/O will be two times the typical disk I/O, because there is an additional copy of each message that is sent or received. If there is a dedicated store or server for the journal mailbox, the additional disk overhead will be felt only on the journal store or on the server.
  4. Question: Why do we have to have the XEXCH50 binary large object?

    Answer:
    The bifurcation information, sender information, recipient information, and journal recipient information are transmitted between Exchange Server computers by using the XEXCH50 binary large object exchange. If this information is not propagated, servers along the hop may incorrectly think that a mail message has not been marked for message journaling, and then the servers may create another copy of a mail message. This causes duplicate messages.
  5. Question:
    Are archived messages susceptible to restrictions in the Exchange organization?

    Answer:
    Journal messages are classified as system messages. Therefore, they are exempted from restrictions.
  6. Question:
    What is the recommended object to use as the journal recipient?

    Answer:
    Exchange mailboxes are the recommended journal recipients. If you decide to use a contact or custom recipient, you can create an Outlook rule to redirect this mail outside the organization. We do not recommend public folders when you are using envelope journaling. Public folders do not archive all kinds of reports. This is by design.
  7. Question:
    Are there any message types that cannot be journaled?

    Answer:
    Yes, public folder replication messages, directory replication messages, and journal messages are exempt from message journaling.
  8. Question:
    What occurs when I recall a message that has already been journaled?

    Answer:
    In Exchange Server 2003, you cannot recall messages that have already journaled to the journal mailbox. The messages may still be recalled from the intended recipient mailboxes but not from the journal mailbox. Therefore, there is no security issue about exposure.
  9. Question:
    How can I determine who all the recipients of a mail message in the organization are?

    Answer:
    If the message was sent from within the organization, the fastest way is to check the sender’s Mailbox database (MDB) archive. The MDB archive will always contain the complete recipient record for sent mail messages. For mail that is received from an external sender, the only way to discover all internal recipients is through an exhaustive search of all journal mailboxes for MDBs in the organization. If any recipient received the message, there will be a journal report reflecting that in their MDB's archive mailbox.
  10. Question:
    How can I determine who received a mail message that was sent by someone in the organization?

    Answer:
    Check the journal mailbox for the sender’s MDB for all journal reports that contain the message. By doing this, you obtain the complete record of all recipients by aggregating the reported recipients from those reports. This includes all recipients within the organization. It also includes contacts and one-offs outside the organization.
  11. Question:
    Can I enable both BCC journaling and envelope journaling at the same time?

    Answer:
    No, you cannot enable them at the same time.
  12. Question:
    Why are we seeing duplicate recipients that are listed in the envelope journal report in the recipients section?

    Answer:
    This is by design. The BCC journaling code adds all recipients to the recipient table as BCC types and does not remove duplicates.

    For example, consider the following scenarios:

    Example 1
    To: UserA
    Cc: User B
    Bcc: None

    The journaled message will look similar to the following:
    To: UserA
    Cc: UserB
    Bcc: UserA,UserB

    Example 2
    To: UserA
    Cc: None
    Bcc: UserB, UserC

    The journaled message will look similar to the following:
    To: UserA
    Cc: None
    Bcc: UserB, UserC, UserA, UserB, UserC
  13. Question:
    Why do I see duplicate messages when mail is sent between mailbox stores that have different journal recipients?

    Note A journal recipient is an archive mailbox or a journaling mailbox.

    Answer:
    This is by design. The messages are not really duplicates. Each mailbox store generates an archived copy of the message for its respective journal recipient. To avoid this, use the same journal recipient for the mailbox stores.
  14. Question:
    I have noticed that non-Microsoft Extension headers (X-{name} headers) are not preserved when the journaled message is forwarded out of Exchange to an SMTP address. Is this by design?

    Answer:
    Yes, this is by design.
  15. Question:
    I am trying to forward messages by using Outlook Rules but forwarding is not working.

    Answer:
    You have to turn on the AutoForward feature, and then and configure “allow auto-forwards” for the wildcard domain or for the specific domain that you are forwarding to. To turn the AutoForward feature on or off, follow these steps:
    1. Start Exchange System Manager, and then click Global Settings in the left pane.
    2. In the right pane, double-click Internet Message Formats to populate the right pane with the defined domains. By default, there is a single domain that is the wildcard domain.
    3. Right-click the object that represents the domain, click Properties, and then click the Advanced tab in the Properties dialog box.
    4. To enable the AutoForward feature, click to select the Automatic forwarding check box in the Allowed Types area.

      To turn off the AutoForward feature, click to clear the Automatic forwarding check box.
  16. Question:
    Is a distribution group on the CC line and on the BCC line supposed to be expanded in the body of the envelope in envelope journaling ?

    Answer:
    Yes.
  17. Question:
    Are the BCC recipients and the CC recipients retained in an attached message?

    Answer:
    No, the BCC recipients and the CC recipients are not retained in envelope journaling. (The BCC recipients and the CC recipients are also known as the P2 recipients.)
  18. Question:
    How do I disable envelope journaling?

    Answer:
    Download the E-mail Journaling Advanced Configuration tool, or Exejcfg.exe. See the link earlier.
  19. Question:
    What tools are available to troubleshoot message journaling in Exchange 2000 Server and in Exchange Server 2003?

    Answer:
    Implement Regtrace on the CAT module, and then reproduce the problem you are having with message journaling. (The CAT module is named for the categorizer.) You must send the trace log to Microsoft Product Support Services for analysis. The default name of the trace log is Trace.atf.

    For more information about how to implement Regtrace on the CAT module, click the following article number to view the article in the Microsoft Knowledge Base:
    238614 How to set up Regtrace for Exchange 2000

REFERENCES

For more information about the Archive Sink event sink utility, click the following article number to view the article in the Microsoft Knowledge Base:
307798 The Archive Sink utility is available in Service Pack 2

Properties

Article ID: 843105 - Last Review: October 25, 2007 - Revision: 5.8
APPLIES TO
  • Microsoft Exchange Server 2003 Enterprise Edition
  • Microsoft Exchange Server 2003 Standard Edition
  • Microsoft Exchange 2000 Enterprise Server
  • Microsoft Exchange 2000 Server Standard Edition
Keywords: 
kbinfo KB843105

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com