| S.No |
Event ID |
Description |
| |
1053 |
Exchange Active Sync device cannot create profile under the Active Directory.
Event ID 1053 indicates that the devices trying to connect are not able to create a container in Active Directory because of lack of permission. |
| |
4999 |
Unable to start Exchange mailbox transport delivery service.
Event ID 4999 is logged when the Exchange mailbox transport delivery service is unable to start. When this occurs in any of the Exchange Servers (2010 and above), you must generally install and use the cumulative updates provided by Microsoft to resolve the issue. |
| |
1006 |
Unable to process the mailbox move requests made.
Event ID 1006 indicates that the mailbox replication service failed to process the replication requests. It throws an MAPI exception (unknown user error). |
| |
3092 |
Issue in processing a public store replication.
Event ID 3092 indicates that there was an error while processing the replication message during public folder replication in Exchange Server. One of the main reasons for this error is the non-availability of a replica for the folder in the local public folder store. |
| |
1077 |
Mailbox storage exceeds the set issue warning at storage limit value.
Storage limits can be managed and tracked using three main attributes: Issue warning at, prohibit send at, and prohibit send and receive at. Event ID 1077 indicates that the mailbox storage has exceeded the issue warning at storage limit. |
| |
12025 |
Internal self-signed certificate used to establish mail transfer connection has expired.
Event ID 12025 indicates one of the most important issues related to mail transport. In Exchange Server 2007 and above, a self-signed internal certificate is necessary for the mail transfer to occur successfully and securely. When the certificate expires, the established trust fails resulting in the generation of event 12025. |
| |
1008 |
The ActiveSync device has faced an exception.
Event ID 1008 indicates that the ActiveSync device has faced an exception associated with device connectivity, but will attempt to re-establish the connection, and update all the details during the next sync activity. |
| |
5016 |
Active Directory topology is unable to find a route to the connector in the routing table.
The occurrence of event 5016 is an indicator that while trying to connect to a specific connector for mail transfer, Active Directory couldn’t find a route to that connector in the routing table. |
| |
8528 |
Mailbox exceeds its storage limit.
This event occurs when a particular user mailbox has crossed its storage limit. At this point, the mailbox cannot send or receive emails anymore. The incoming emails will be returned to the senders. |
| |
1100 |
ActiveSync device requests made by the users are blocked.
This event indicates that the ActiveSync device requests made by the users in your Exchange organization are being blocked. Event 1100 mostly happens when the HTTP OPTIONS method request isn't allowed by the firewall. |
| |
1106 |
Directory replication agent tries to connect with the mail service for more than 10 minutes and there is no reply.
Event 1106 occurs when the directory replication agent is unable to reach the mail service. This may be because the mail service or the information store is down. This might lead to replication errors. |
| |
5000 |
Unable to initiate the Microsoft Exchange Information Store.
The occurrence of this event indicates that the Microsoft Information Store is not reachable. This may be due to various reasons, two of which are insufficient permissions and corrupted database. |
| |
3005 |
The deleted items in the devices are not synchronizing with the Exchange Server of your organization.
This event indicates that there is an issue with the ActiveSync devices' sync with your organization’s Exchange server. The event indicates that any change in the devices, such as items being deleted, are not replicated in the server. |
| |
9519 |
Unable to mount information store database.
This event mostly occurs after you install Exchange 2000 Server Service Pack 3 (SP3) or later versions. In general, this issue may occur when you upgrade the Exchange Server pre-SP3 version to the latest versions. |
| |
3025 |
Processing an incoming replication message in Exchange.
This Exchange event indicates that the incoming replication message is processed in Exchange. The process of replication is essential to hold a copy of important mailbox and public folder items. |
| |
3091 |
An error has occurred while processing the incoming replication message in Exchange.
Event ID 3091 can occur because of corruption of public folders in an Exchange server. |
| |
1009 |
User logs on to his/her mailbox.
This Exchange event indicates a normal log on activity performed by a particular user. |
| |
566 |
Logging the permissions used by a particular user during Active Directory object access.
Event ID 566 logs all the permissions actually used by the user while accessing the object. Even though the object can be accessed several times and several permissions can be used, event ID 566 occurs only when a particular permission is used for the first time. |
| |
5136 |
Change is made to a particular mailbox property, attribute or object.
This Exchange event indicates that a particular mailbox object or property was modified. This event is displayed only when the object’s audit policy enables logging the change performed by the users. However, this event ID does not log creation, deletion, restoration and object move actions. |
| |
9523 |
Exchange database is successfully created and mounted.
This Exchange event indicates that the Exchange database has been created and mounted but the service or application is not responding to the Store.exe process. |
| |
40008 |
Mounting completed successfully for a database with a particular GUID (for Exchange Server 2013).
This Exchange event indicates that an Exchange database has been successfully created and mounted (for Exchange Server 2013). Event ID 9523 almost does the same for Exchange Server 2010. |
| |
40018 |
Mounting completed successfully for a database with a particular GUID (for Exchange Server 2016).
This Exchange event indicates successful mounting of a database previously mounted on another server. This is very similar to event ID 40008 for Exchange Server 2013 and Event ID 9523 for Exchange Server 2010. |
| |
9539,
40009, 40028 |
A particular MSExchangeIS database <canonical name> was stopped.
These Exchange events indicate that a particular MSExchangeIS database has been stopped and dismounted. Event ID 9539 is logged in Exchange Server 2010, event ID 40009 is for Exchange Server 2013, and Exchange ID 40028 is for Exchange Server 2016. |
| |
5141 |
An object was deleted in the Active Directory (directory service object) <Object class> <Object ID>
This event indicates that a directory service object (belonging to any object class) has been deleted. This event is logged only when the audit policy enables auditing of this action for a particular user. |
| |
5137 |
An object was created in the Active Directory (directory service object) <Object class> <Object ID>
This event indicates that a directory service object (of any object class) has been created. This event is logged only when the audit policy is configured to log this specific action. |
