
New-OutlookServiceVirtualDirectory Exchange cmdlet issued (25696) how to monitor with email alert

#1
03-26-2024, 09:19 AM
You know that event in Windows Server Event Viewer, the one labeled "New-OutlookServiceVirtualDirectory Exchange cmdlet issued" with ID 25696? It pops up when somebody runs a specific command in Exchange to set up a new spot for Outlook stuff to connect through the web. Basically, it's like creating a fresh doorway for users to grab their emails and calendars remotely. I see it logged under the Microsoft-Exchange-Management source, usually in the Administrative log. The details spill out who did it, from what machine, and at what exact time. Sometimes it includes the parameters they used, like the server name or the paths involved. If it's unexpected, it might mean an admin is tweaking things or worse, someone poking around without permission. You can spot patterns if multiple hits show up quick, hinting at bulk changes or scripts running wild. I always check the full message for clues, like if it succeeded or bombed out with errors. And yeah, it ties into security because that cmdlet messes with IIS settings for Outlook Anywhere.

But monitoring this beast for email alerts? You fire up Event Viewer on your server. I do it all the time to keep an eye without digging deep. Right-click the Custom Views or go straight to the Windows Logs, Application section where Exchange events hang out. Filter for source Microsoft-Exchange-Management and that ID 25696. Once you see it, attach a task to it. I click on the event, hit Create Task from the Actions pane. Name it something snappy like OutlookDirAlert. Set it to run whether the user is logged on or not, and pick your admin creds. In the Triggers tab, it already knows the event, but tweak it to start on log creation. Then Actions: start a program, maybe use the built-in Send Email option if your server has SMTP sorted. I point it to your mail server details, from address, to who gets the ping, and subject like "Hey, that Outlook cmdlet fired again." Test it by right-clicking the task in Task Scheduler. It emails you the event XML or a quick summary. Hmmm, or attach the log details in the body for extra oomph.

You tweak the conditions to avoid floods, like only if it's from certain users. I set it to wake the machine if needed, though usually it's always on. This way, you get zapped the second it happens, no constant staring at screens.

Speaking of keeping servers humming without surprises, I've been messing with BackupChain Windows Server Backup lately. It's this slick Windows Server backup tool that also handles virtual machines on Hyper-V without breaking a sweat. You get fast incremental snaps, easy restores even for bare-metal crashes, and it encrypts everything to keep data locked tight. Plus, no agent fuss on guests, and it runs light on resources so your setup doesn't choke. I like how it schedules around your peaks, sending alerts if backups glitch.

Note, the PowerShell email alert code was moved to this post.

bob
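
Added example, not part of the post above or of the code it links to: a PowerShell script that the task's "start a program" action can run, useful because Task Scheduler's built-in "Send an e-mail" action is marked deprecated on current Windows Server releases. It reads the log, source and event ID named in the post, mails one digest per burst of events, and flags callers outside an expected-admin list. The account name, state-file path, SMTP host and addresses are placeholders, and matching admin names against the event message text is an assumption about what the message contains.

```powershell
# Added example. Log, source and event ID come from the post; all other values are placeholders.
param(
    [string]   $LogName        = 'Application',
    [string]   $ProviderName   = 'Microsoft-Exchange-Management',
    [int]      $EventId        = 25696,
    [string[]] $ExpectedAdmins = @('EXAMPLE\exch-admin'),   # constructed account name
    [string]   $StateFile      = 'C:\ProgramData\OutlookDirAlert\last-record.txt',  # hypothetical path
    [string]   $SmtpServer     = 'smtp.example.internal',
    [string]   $From           = 'exchange-alerts@example.internal',
    [string]   $To             = 'secops@example.internal'
)

# Bookmark: highest RecordId already reported, so a burst of events produces one mail.
$lastId = 0
if (Test-Path $StateFile) { $lastId = [long](Get-Content $StateFile -TotalCount 1) }

$filter = @{ LogName = $LogName; ProviderName = $ProviderName; Id = $EventId }
try {
    $events = @(Get-WinEvent -FilterHashtable $filter -MaxEvents 200 -ErrorAction Stop |
        Where-Object { $_.RecordId -gt $lastId } | Sort-Object RecordId)
} catch {
    # "No matching events" is normal; a wrong log or source name must fail loudly.
    if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') { throw }
    $events = @()
}
if ($events.Count -eq 0) { return }

# Flag events whose message names none of the expected admins. Nothing is suppressed:
# matching on message text is a heuristic, so it only changes the subject line.
$pattern    = ($ExpectedAdmins | ForEach-Object { [regex]::Escape($_) }) -join '|'
$unexpected = @($events | Where-Object { -not $pattern -or $_.Message -notmatch $pattern })
$tag        = if ($unexpected.Count) { 'UNEXPECTED CALLER' } else { 'known admin' }

$body = ($events | ForEach-Object {
    "Time:   {0:o}`r`nServer: {1}`r`n{2}`r`n" -f $_.TimeCreated, $_.MachineName, $_.Message
}) -join "`r`n"

# Send-MailMessage is marked obsolete but still ships with PowerShell; swap in your own mailer if needed.
Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To -Body $body -ErrorAction Stop `
    -Subject "[$tag] Exchange event $EventId x$($events.Count) on $env:COMPUTERNAME"

# Advance the bookmark only after the mail went out, so a failed send is retried next run.
New-Item -ItemType Directory -Path (Split-Path $StateFile) -Force | Out-Null
Set-Content -Path $StateFile -Value $events[-1].RecordId
```

If the event log is cleared, delete the state file as well, since record IDs restart and the old bookmark would hide new events.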
© by FastNeuron Inc.

Linear Mode
Threaded Mode