다음을 통해 공유


Deploying Exchange Server 2003 Management Pack

 

The Exchange Management Pack ships with a Configuration Wizard to help you with configuration tasks. The Configuration Wizard provides a convenient way to configure individual servers that are running Microsoft® Exchange Server 2003 and makes sure that they operate smoothly with Microsoft Operations Manager (MOM) 2005. The wizard generates a configuration file (Configuration.xml) that you can edit to adjust your monitoring solution and then apply with the ExchangeMPConfig.exe command-line tool.

Before you start a new installation or an upgrade, it is recommended that you document the existing configurations, especially if you are upgrading from Exchange 2000 Management Pack. Additional instructions for both new installations and upgrades are later in this section.

To deploy the Exchange Management Pack, you must be familiar with the following:

  • How to install the Exchange Management Pack   You can install the Exchange Management Pack on both a new Exchange 2003 environment, and one upgraded from Exchange 2000. You can also upgrade Exchange 2000 Management Pack to the Exchange Management Pack. Knowing the details of both types of installations helps successfully deploy the management pack.

  • How to configure the Exchange Management Pack   The configuration file that is used for deployment can be edited manually in a text editor and through a command-line interface. The command-line tool is helpful in complex scenarios and when troubleshooting.

Preparing to Deploy the Exchange Management Pack

Before you deploy the Exchange Management Pack, you should spend some time evaluating your organization's monitoring requirements and your Exchange organization topology. The planning phase will let you clarify your monitoring goals, understand your performance expectations, define your escalation procedures, and optimize your Exchange Management Pack deployment.

To prepare for deployment, you should follow these steps:

  • Identify who will receive alerts generated by the Exchange Management Pack.

  • Create a deployment plan for installing and configuring monitoring and monitored servers.

Note

Most environments are configured in such a way that the default monitoring settings in the Exchange Management Pack meet organizational needs. However, sometimes you may want to perform a requirements analysis for monitoring in your environment. This analysis would include creating a performance baseline and determining custom thresholds for rules that MOM agents run on your Exchange servers. For more information about how to create a performance baseline, see Exchange Server 2003 Performance and Scalability Guide at https://go.microsoft.com/fwlink/?linkid=47576.

Identify Who Will Receive Alerts Generated by the Exchange Management Pack

After you identify the messaging functionalities that you want to monitor, and you have calculated your baseline behavior and performance thresholds, you must identify who will be notified in the case of an alert, what method to use to perform the notification, and what level of severity will cause the alert to be triggered.

To simplify administration, you should follow these steps:

  • Identify the administrators who must be notified in the event of an Exchange problem.

  • Add each administrator to the MOM Operators security group.

  • Configure each administrator with the correct paging and messaging schedule.

  • Add each administrator to the Mail Administrators notification group.

Create a Deployment Plan for Installing and Configuring Monitoring and Monitored Servers

The final planning step is to create a plan for how to deploy the Exchange Management Pack in your environment. This plan must consider:

  • Which servers will be monitored.

  • Which servers will be monitoring.

  • Who will be performing the installation.

  • What permissions are required.

  • What the schedule will be.

  • What risks you may experience, and how to reduce them.

For more information about how to create a deployment plan, see Microsoft Solutions Framework documentation at https://go.microsoft.com/fwlink/?linkid=39530.

Securing Your Deployment

Before you install the Exchange Management Pack, you must secure your monitoring environment. You must do this before installation because the Exchange Management Pack will generate alerts for these issues. If you do not secure your environment before the Exchange Management Pack is installed, you will receive alerts when these security configurations are verified.

Securing your environment includes the following:

  • Running IIS Lockdown

  • Configuring SSL

  • Verifying that Message Tracking Log shares are locked down

  • Verifying that SMTP directories are on an NTFS file system partition

  • Verifying that SMTP cannot anonymously relay

Running IIS Lockdown

You should run the IIS Lockdown Tool on all front-end servers. This tool searches for security holes and helps you configure Internet-facing servers so that they are less susceptible to malicious attack.

For more information about how to install and run the IIS Lockdown Tool, see Microsoft Knowledge Base article 325864, "How to install and use the IIS Lockdown Wizard" at https://go.microsoft.com/fwlink/?linkid=3052&kbid=325864.

The Exchange Management Pack detects whether the IIS Lockdown Tool has been run and sends you an alert if any security holes normally secured by this tool are detected.

Configuring SSL

To use the front-end server availability monitoring features for Exchange 2003, your front-end server must have SSL configured for all Microsoft Office Outlook® Web Access, Outlook Mobile Access, and Exchange ActiveSync® virtual directories. To configure SSL, follow these high-level steps on your front-end server:

  1. Set up the certificate.

  2. Add the certsrv to your trusted roots.

  3. Enable SSL Required on the Outlook Web Access, Outlook Mobile Access, Exchange ActiveSync Web sites.

  4. Enable forms-based authentication.

For more information about configuring SSL, see the Exchange Server 2003 and Exchange 2000 Server Front-End and Back-End Topology guide at https://go.microsoft.com/fwlink/?linkid=34216.

Verifying That Message Tracking Log Shares Are Locked Down

When message tracking is enabled, all messages that are handled by SMTP are logged to message tracking log files located on each Exchange server. By default, the message tracking log files are located at c:\program files\exchsrvr\servername.log. This folder is shared so that administrators can view their information from any Exchange System Manager console. You should configure permissions on this share so that the Everyone group is not explicitly granted any permissions. If the Everyone group has been granted permissions to the message tracking log share, you should remove the group. The Exchange Management Pack will detect this configuration and send you an alert if the Everyone group is identified on the share.

Verifying That SMTP Directories Are on an NTFS Partition

Because SMTP messages are not always secure, you should help protect their contents by storing them on an NTFS partition. You can verify that the directory is on an NTFS partition by locating the SMTP directory in Windows Explorer and accessing its properties. The General tab indicates what file system is being used.

If the SMTP directories are not on an NTFS partition, you should either move them or configure the partition to use NTFS.

To move the SMTP directories, see Microsoft Knowledge Base article 318230, "XCON: How to change the Exchange 2000 SMTP Mailroot directory location" at https://go.microsoft.com/fwlink/?linkid=3052&kbid=318230.

To configure a partition to use NTFS, see Windows Server™ 2003 Help.

The Exchange Management Pack detects this configuration and sends you an alert if the SMTP directory is not on an NTFS partition.

Verifying that SMTP Cannot Anonymously Relay

By default, your SMTP virtual servers are configured to relay only messages submitted by authenticated users.

To verify that this has not changed

  1. Start Exchange System Manager and locate the server object on which you want to prevent mail relay.

  2. In the left pane, under the server object, expand Protocols, and then expand SMTP.

  3. In the left pane, right-click the SMTP virtual server on which you want to prevent mail relay, and then click Properties.

  4. In the Properties dialog box, click the Access tab, and then click Relay.

  5. In the Relay Restrictions dialog box, verify the following are true:

    • Only the list below is selected, and the list box is empty

    • The Allow all computers which successfully authenticate to relay, regardless of the list above check box is selected.

  6. Click Cancel if you do not want to make any changes.

Exchange Management Pack detects this configuration and sends you an alert if your SMTP server is configured to allow anonymous relay.