A categorizer warning event (ID: 6006) was logged within the last 24 hours

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at http://go.microsoft.com/fwlink/?linkid=34707.]  

Topic Last Modified: 2006-10-06

The Microsoft® Exchange Server Analyzer Tool queries the Win32_NTLogEvent Microsoft Windows® Management Instrumentation (WMI) class to determine whether an Event 6006 warning has been logged for MSExchangeTransport within the last 24 hours.

If the Exchange Server Analyzer finds that an Event 6006 warning has been logged for MSExchangeTransport within the last 24 hours, the Exchange Server Analyzer displays a warning.

This warning indicates that messages are being trapped in the message categorizer.

The message categorizer examines messages that come to a Simple Mail Transfer Protocol (SMTP) server and determines what to do with the messages. The messages may be destined for the local information store, for a remote host by using the message transfer agent (MTA), or for a remote host by using SMTP. The categorizer also handles distribution list expansion. The categorizer is a plug-in to the advanced queuing engine that performs Lightweight Directory Access Protocol (LDAP) queries against global catalog servers on TCP port 3268. The categorizer is basically a collection of event sinks that perform advanced address resolution on every message that travels through the advanced queuing engine. The categorizer performs address resolution and mail forwarding, sets content conversion flags, expands distribution lists, enforces global settings, and generates delivery status notifications. The categorizer also detects alternative recipient routes and performs bifurcation, journaling, and many other functions.

As soon as a message enters the message categorizer, the categorizer resolves the envelope sender by searching for the address in the proxy address attributes in the Active Directory® directory service. The categorizer also resolves the envelope recipient by searching for each address in the proxy addresses attribute in Active Directory. For example, if the list includes a distribution list, it expands the list to include those members if distribution list expansion is allowed on the server.

Possible causes of MSExchangeTransport Warning event 6006 include the following:

  • Outdated or incorrectly configured antivirus software.

  • Much distribution group expansion.

  • Incorrectly configured journaling recipients.

  • Incorrectly configured permissions for Exchange objects in Active Directory.

To address this warning:

  • Make sure that you have correctly configured your file-level antivirus application to exclude specific Exchange Server directories. For a description of the folders that you should not include when you scan servers that are running Microsoft Exchange Server, see Microsoft Knowledge Base article 823166, "Overview of Exchange Server 2003 and antivirus software" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=823166).

  • Make sure that you are running the most current version of your antivirus application software.

  • Examine distribution group delivery restrictions settings and remove unnecessary restrictions.

  • Examine Journaling settings for possible incorrect configuration.

  • Examine Exchange objects in Active Directory for improperly configured permissions.

For More Information

For more information about non-hierarchal restriction checking, see Consider non-hierarchical restriction checking.

For more information about the effect of distribution group restriction on Exchange Server mail flow, see the following Microsoft Knowledge Base articles:

For more information about how to deploy a journaling solution, see "Journaling with Exchange Server" (http://go.microsoft.com/fwlink/?LinkId=47581).

For more information about the possible cause of categorizer Warning event ID 6006, see Microsoft Knowledge Base article 922256, "E-mail messages become stuck in the "Awaiting directory lookup" queue in an Exchange Server 2003 organization" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=922256).

For more information about Exchange Server 2003 events and errors, see the "Events and Errors Message Center" (http://go.microsoft.com/fwlink/?LinkId=34258).

For a listing of the DSNs and NDRs generated by Exchange Server and Microsoft Windows Small Business Server, see Microsoft Knowledge Base article 284204, "Delivery status notifications in Exchange Server and in Small Business Server" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=284204).

For more information about how to troubleshoot message categorizer issues, see the Microsoft Support WebCast, "Exchange 2000 Server: Message Categorizer and NDR Troubleshooting" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=329137).

For general information about how to troubleshoot transport-related problems, see the following Microsoft Knowledge Base articles and resources:

The message categorizer performance counters are published separately for each SMTP virtual server instance. For a list of the available performance counters related to the message categorizer, see Microsoft Knowledge Base article 231734, "XCON: Performance Monitor Counters for Message Categorizer" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=231734).