
Exchange 2013: setting diagnostic logging levels the quick way

TL;DR: how to set a bunch of logging categories with similar names to a specific level, plus a script that sets *everything* back to the defaults.


I've got a customer who is having trouble with Exchange 2013 and Active Directory, flip-flopping between DCs. I can see it occurring in the event log, but there's no suggestion of what the problem might be. No worries, let's just hoik* the logging level up on ADAccess and have a look at what's happening. Mmmm…

First problem with that: with the demise of anything approaching a usable GUI in Exchange 2013, we'll have to use PowerShell. It's the Set-EventLogLevel cmdlet that I need, but usage examples are pretty thin on the ground. In fact, there's just one:

Set-EventLogLevel -Identity "Exchange01\MSExchangeTransport\SmtpReceive" -Level High

Which is peachy, but I don't know which of the many ADAccess logging categories I need. There are quite a few:


I don't fancy running that cmdlet ten times, and my customer fancies it even less. What we need is some PowerShell magic. Why don't we get the category objects with Get-EventLogLevel and then feed them via the pipeline into Set-EventLogLevel? Unfortunately Get-EventLogLevel returns a great long list of objects, so we'll need to filter them.


Oh well, worth a try**. To do that we'll need the Where-Object cmdlet and the -like comparison operator:

Get-EventLogLevel | Where-Object { $_.Identity -like "*adaccess*" }


Now we can feed that straight into the Set-EventLogLevel cmdlet:

Get-EventLogLevel | Where-Object { $_.Identity -like "*adaccess*" } | Set-EventLogLevel -Level Medium


You'll not want to leave it there, though. That'll fill your event log up quicksmart. Once you're done, set everything back. The handy "Default" radio button that used to work in 2010 is gone:



So what you'll need is a little script that puts everything back where you found it. If you run Get-EventLogLevel you'll see that nearly everything is set to Lowest, but there are one or two exceptions:


Is that MSExchange RBAC\RBAC that's set to Low, there? God knows. My eyesight isn't all that. Let's run a bit more PowerShell and dump out all the objects that aren't set to Lowest:


Bugger. That didn't work. Let's run Get-EventLogLevel | gm and find out why .level didn't match the -Level parameter:


Aha: why would you name your property after the parameter it sets? What we want isn't called .Level, it's called .EventLevel. Duh.


Great, so everything needs to be set to "Lowest" apart from those objects.

So we could run a script that sets everything to "Lowest" and then sets the exceptions to "Low" afterwards, except… what about those "2"s there? You can't set a value of 2 with Set-EventLogLevel. I've tried. There are two things we could do: either ignore them, or use the registry PowerShell provider to set them back to 2 afterwards. Ignoring them is the easiest way, isn't it? Mm?


So my script looks like this:

<# This script returns Exchange 2013 server diagnostic levels to their defaults.
   The first line sets everything except the "MSExchange OAuth\Server" and
   "MSExchange BackEndRehydration\Server" objects to "Lowest". Those two are set
   to 2 by default, a value that can't be set using Set-EventLogLevel.
   You can set them in the registry at
     HKLM\SYSTEM\CurrentControlSet\Services\MSExchange BackEndRehydration\Diagnostics
     HKLM\SYSTEM\CurrentControlSet\Services\MSExchange OAuth\Diagnostics
   The rest of the script sets the exceptions to their correct level.
   This script will only work on the local server, obviously. #>

Get-EventLogLevel | Where-Object { $_.EventLevel -notlike "2" } | Set-EventLogLevel -Level Lowest
Set-EventLogLevel -Identity "MSExchange RBAC\RBAC" -Level Low
Set-EventLogLevel -Identity "MSExchange ADAccess\Topology" -Level Low
Set-EventLogLevel -Identity "MSExchange ADAccess\Validation" -Level Low
Set-EventLogLevel -Identity "MSExchangeADTopology\Topology" -Level Low
Set-EventLogLevel -Identity "MSExchange OAuth\Configuration" -Level Low
Set-EventLogLevel -Identity "MSExchange BackEndRehydration\Configuration" -Level Low

How could it be improved? Well, adding the two lines to set those values to 2 in the registry would make it quicker, rather than filtering them out. Adding a server parameter that defaults to the local host would be good. Signing it might be a good idea. Maybe later.


Why am I using -notlike in the first line, instead of -ne? I *think* it's because the value is an integer, and -ne is interpreting the input as a string… whatever. -ne doesn't work. -notlike does.
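An added example, not the post's own script, that puts the filtered pipeline and the return-to-defaults script together the way a practitioner would actually run them: snapshot every category's current level first, raise the ones you want by wildcard, then restore from the snapshot rather than from a hard-coded list of exceptions. It assumes the Exchange Management Shell on the server being changed. The HKLM paths are the ones the post gives; the assumption that each DWORD under the service's Diagnostics key is named after its category (e.g. "Server") is mine, so check it in regedit before trusting the numeric restore.

```powershell
# Added example (not the post's script). Assumes the Exchange Management Shell,
# run on the local server; the registry write needs an elevated shell.
# Assumption: values under HKLM\SYSTEM\CurrentControlSet\Services\<service>\Diagnostics
# are named after the category ("Server", "Configuration", ...).

function Save-ExDiagLevels {
    # Snapshot every category's current level to CSV and return the path, so the
    # restore puts back exactly what was there instead of guessing at defaults.
    param([string]$Path = "$env:TEMP\exdiag-$env:COMPUTERNAME-$(Get-Date -Format yyyyMMddHHmmss).csv")
    Get-EventLogLevel |
        Select-Object @{ n = 'Identity';   e = { "$($_.Identity)" } },
                      @{ n = 'EventLevel'; e = { "$($_.EventLevel)" } } |
        Export-Csv -Path $Path -NoTypeInformation
    return $Path
}

function Set-ExDiagLevels {
    # Set every category whose identity matches a wildcard, e.g.
    #   Set-ExDiagLevels -Filter '*ADAccess*' -Level Medium
    # and read the levels back so the caller sees what actually changed.
    param(
        [Parameter(Mandatory)][string]$Filter,
        [Parameter(Mandatory)][ValidateSet('Lowest', 'Low', 'Medium', 'High', 'Expert')][string]$Level
    )
    $targets = @(Get-EventLogLevel | Where-Object { $_.Identity -like $Filter })
    if ($targets.Count -eq 0) { throw "No diagnostic categories match '$Filter'" }
    $targets | Set-EventLogLevel -Level $Level
    $targets | ForEach-Object { Get-EventLogLevel -Identity "$($_.Identity)" }
}

function Restore-ExDiagLevels {
    # Put every category back to the level recorded in the snapshot.
    param([Parameter(Mandatory)][string]$Path)
    foreach ($row in Import-Csv -Path $Path) {
        if ($row.EventLevel -match '^\d+$') {
            # A bare number (the "2" cases in the post) is not a named level and
            # Set-EventLogLevel rejects it, so write the DWORD back directly.
            # Identity is "<service>\<category>", optionally prefixed with a server name.
            $parts    = $row.Identity -split '\\'
            $service  = $parts[-2]
            $category = $parts[-1]
            $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$service\Diagnostics"
            Set-ItemProperty -Path $key -Name $category -Value ([int]$row.EventLevel) -Type DWord
        }
        else {
            Set-EventLogLevel -Identity $row.Identity -Level $row.EventLevel
        }
    }
}

# Typical use while chasing the ADAccess flip-flop from the post:
# $snap = Save-ExDiagLevels
# Set-ExDiagLevels -Filter '*ADAccess*' -Level Medium
# ... reproduce the problem and read the Application log ...
# Restore-ExDiagLevels -Path $snap
```

Because the restore works from the snapshot, it also handles the "2" categories without filtering them out, and it is safe to run repeatedly; keep the CSV with the case notes so the next person can see what was raised and when.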


* Yeah, that's a word. Hoik.

** Turns out that Get-EventLogLevel "MSExchange ADAccess*" DOES work, though… never mind, this way is betterish.

Oh no, I’ve got a cert that’s about to expire!

The scenario: you know that your cert is about to expire, you've bought a new cert, and you've installed it correctly, but you're still getting an error. Event ID 12017, to be exact.

I run

Get-ExchangeCertificate | fl

which lists the certificates I’ve got installed on this CAS:


There are two certs there. The first listed cert has been issued by an internal certification authority (the Issuer value is cert.fabrikam.com) and is NOT self-signed. I use it for IIS (OWA, ECP, Outlook Anywhere, EAS). The second cert is the original self-signed cert that Exchange produces when it's installed on a server (the issuer is red-cas1, the local server name), and it's only bound to IMAP and POP, two services I don't bother configuring because none of our customers use them.

So let's get all the services onto a certificate that's not about to expire. I run

Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services POP,IMAP

using the thumbprint of the good certificate. (Tip: to copy thumbprints and the like, right-click in the PowerShell window, select Mark, highlight the thumbprint and press Enter. Then, when you are ready to type the thumbprint, right-click anywhere again and choose Paste.)

Now if I run

Get-ExchangeCertificate | fl

again I can see that all the services are now on my new cert, and the old self signed cert is doing nothing:


So now that there are no services on the old cert, I can remove it using Remove-ExchangeCertificate -Thumbprint <thumbprint>


Has it gone? Hell yeah.


Now, here's a word of warning. It's perfectly possible to remove a certificate you are using. You get asked whether you're sure, and if you say "yes", well… you're the boss:


And you’ll need to reimport your cert.


In this cmdlet I import a certificate from a password-protected .pfx file, which I created by exporting a certificate I'd previously requested on another server. This allows me to use the same certificate on a number of servers (for the same thing, obviously).


I then enable the cert for the required services. The first cmdlet (Get-ExchangeCertificate) gets all the Exchange certs on the server; I then run a couple of select cmdlets to create an array of PSObjects containing only the subjects and thumbprints of the original objects where the subject is like mail.fabrikam.com (select thumbprint, subject | ?{$_.subject -like "*mail.fabrikam.com*"}); I then take the thumbprint of that PSObject (select thumbprint) and pass it to the final cmdlet, which enables the chosen cert for IIS, IMAP and POP (Enable-ExchangeCertificate -Services IIS,IMAP,POP).

Finally I run Get-ExchangeCertificate | fl again to make sure that it has taken and the correct services are enabled.

I'd be a pretty sorry feller if I didn't then run iisreset /restart at some point, to get IIS to pick up the new cert.
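An added example, not the post's own commands, of the whole procedure above as a handful of functions with the checks a practitioner wants: the import from a PFX, picking the CA-issued cert by subject and refusing one that is itself close to expiry, binding the services, and a guarded remove that will not delete a cert that still has services on it (the mistake the warning above describes). It assumes the Exchange Management Shell on the CAS; the PFX path, the password prompt and the mail.fabrikam.com subject pattern are placeholders.

```powershell
# Added example (not the post's commands). Assumes the Exchange Management Shell
# on the CAS; paths, subject pattern and thumbprints are placeholders.

function Import-ExCertFromPfx {
    # Import a password-protected PFX exported from another server, keeping the
    # private key exportable so the same cert can be moved on again later.
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password
    )
    $bytes = [System.IO.File]::ReadAllBytes($PfxPath)
    Import-ExchangeCertificate -FileData $bytes -Password $Password -PrivateKeyExportable $true
}

function Select-ExCertForServices {
    # Pick the CA-issued (not self-signed) cert matching the subject pattern with
    # the latest expiry, and refuse it if it has less than $MinDays left, since
    # binding services to a cert that is about to expire is how we got here.
    param(
        [Parameter(Mandatory)][string]$SubjectPattern,
        [int]$MinDays = 30
    )
    $cert = Get-ExchangeCertificate |
        Where-Object { $_.Subject -like $SubjectPattern -and -not $_.IsSelfSigned } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
    if (-not $cert) { throw "No CA-issued certificate matches '$SubjectPattern'" }
    if ($cert.NotAfter -lt (Get-Date).AddDays($MinDays)) {
        throw "Certificate $($cert.Thumbprint) expires $($cert.NotAfter); not binding services to it"
    }
    return $cert
}

function Move-ExServicesToCert {
    # Bind the services to the chosen cert, then list what every cert is doing.
    # -Force suppresses the "overwrite the default SMTP certificate?" prompt;
    # drop it if SMTP is in $Services and you want to be asked.
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$Services = 'IIS,IMAP,POP'
    )
    Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services $Services -Force
    Get-ExchangeCertificate | Format-List Thumbprint, Subject, Issuer, NotAfter, Services
}

function Remove-ExCertIfUnused {
    # The guard the post's warning calls for: only delete a cert with no services bound.
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-ExchangeCertificate -Thumbprint $Thumbprint
    if ("$($cert.Services)" -ne 'None') {
        throw "Refusing to remove $Thumbprint; still bound to: $($cert.Services)"
    }
    Remove-ExchangeCertificate -Thumbprint $Thumbprint -Confirm:$false
}

# Typical run on a CAS:
# Import-ExCertFromPfx -PfxPath 'C:\certs\mail.fabrikam.com.pfx' -Password (Read-Host 'PFX password' -AsSecureString)
# $new = Select-ExCertForServices -SubjectPattern '*mail.fabrikam.com*'
# Move-ExServicesToCert -Thumbprint $new.Thumbprint -Services 'IIS,IMAP,POP'
# Remove-ExCertIfUnused -Thumbprint '<old thumbprint>'
# iisreset /restart    # so IIS picks up the new binding; this drops OWA/EAS sessions briefly
```

Two design points: the subject match is combined with IsSelfSigned and NotAfter so a wildcard like *mail.fabrikam.com* cannot quietly select the self-signed or the expiring cert, and the remove goes through Get-ExchangeCertificate first so the Services property, not the operator's memory, decides whether the cert is still in use.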