Troubleshooting Exchange Management Pack
There are several common issues and misconfigurations that can cause errors with Exchange Management Pack. This topic covers the issues you are most likely to encounter, solutions to those issues, and tools that you can use to resolve other problems that may occur in your environment.
This guide does not cover disaster recovery. For information about disaster recovery, see the Microsoft® Operations Manager (MOM) 2005 documentation at https://go.microsoft.com/fwlink/?linkid=35627.
Troubleshooting the Exchange Management Pack Deployments
This section helps you resolve problems that may occur when you run the Exchange Management Pack Configuration tool.
ExMOM 8203 Alert
This alert occurs if you selected a front-end server as the home for the Mailbox Access account mailbox. Front-end servers should not be used to store mailboxes. To fix the problem, move the mailbox to a back-end server or disable one or both of the following rules:
Microsoft Exchange Server 2003\Health Monitoring and Performance Thresholds\Server Configuration and Security Monitoring\Check for mailboxes on Front-End Servers
Microsoft Exchange Server 2003\Health Monitoring and Performance Thresholds\Server Configuration and Security Monitoring\Mailboxes homed in a front-end server
Permission-related Errors when the Configuration Wizard is run over the Network
The following error occurs if you attempt to run the configuration tool from a mapped network drive:
Error: Request for the permission of type System.Security.Permissions.EnvironmentPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 failed
This error is the result of new security restrictions in the .NET Framework to help protect your computer and network. The Exchange Management Pack Configuration tool must be installed locally to run.
The configuration tool must be installed in a location that belongs to a security policy group with FullTrust permissions. Although the local drives belong to the "Zone – MyComputer" security policy group, which has FullTrust permissions, network shares and mapped network drives belong to the "Zone – Intranet" security policy group, which has LocalIntranet permissions and might prevent the Configuration Application from running.
Configuring MAPI Logon Verification Tests across Domains
Generally, you should use a mailbox access account that is defined in your Exchange server's resource domain instead of one defined in your user domain. By default, the Configuration Wizard creates mailboxes and user accounts that you use for mail flow tests in the same domain as the Exchange server that you are monitoring. This can be a problem if, for example, your MOM server and the domain user accounts are in a parent domain, and your Exchange server that houses your test mailbox is in a child domain.
To configure your monitoring environment to support this scenario
Use Active Directory Users and Computers to delete the mailboxes and user accounts created by the Configuration Wizard.
Create new mailboxes and user accounts in the desired domain (such as the parent domain in this scenario). You will need one mailbox for each database that you want the MAPI Logon verification test to run against, and you should name the mailboxes servernameMOM, servernameMOM01, and so on, where servername is the name of the Exchange server that you are monitoring. The display name and the alias for these accounts must be the same or Automatic Name Resolution will not work correctly.
Wait for Active Directory® directory service replication to finish. These accounts must be replicated to the global catalog server that is used by the Configuration Wizard for MOM to recognize them.
Run the Configuration Wizard, verifying that the wizard correctly identifies the accounts that you created for the MAPI Logon test.
Note that both the Configuration Wizard and the script that performs the MAPI logon verification test must be able to find the new accounts when they query the global catalog server. Because of replication latency between the domain controllers, it may take some time for the accounts you created to replicate to the global catalog server used by the Configuration Wizard and the script.
Mailbox Access Account Configuration
The Configuration Wizard correctly configures the Mailbox Access Account. If the Mailbox Access Account configuration is modified, the Exchange Management Pack cannot perform several tests. This section describes the settings that are configured by the Configuration Wizard. If these settings are modified, MAPI logon-dependent tests will not run correctly.
To use the rules that rely on a MAPI logon to Exchange, you must create at least one mailbox—referred to as the Agent Access Account—on each server that is running Exchange that is being monitored. To access these mailboxes, the Exchange Management Pack needs to have a single domain user account—the Mailbox Access Account—that can access all the agent mailboxes on all the servers. The Mailbox Access Account must be granted the role of Exchange View Only Administrator to collect mailbox statistics information about the Exchange server for the Top 100 Mailboxes reports.
The rules that require a MAPI logon to Exchange require a test mailbox account on each server that is running Exchange. These rules and their associated reports are as follows:
Rule Group: Server Availability\MAPI Logon Check and Availability Reporting
Rule Name: Check store availability – MAPI logon
Report: Exchange Server Availability
Rule Group: Server Availability\Mail Flow Verification
Rule Name: Send mail flow messages
Rule Name: Receive mail flow messages
Rule Group: Report Collection Rules\Mailbox Statistics Analysis
Rule Name: Report Collection Rules – Mailbox Statistics Analysis
Reports: Mailbox reports in "Exchange Mailbox and Folder Sizes" folder
Rule Group: Report Collection Rules\Public Folder Statistics Analysis
Rule Name: Report collection – public folder statistics
Reports: Public Folder reports in "Exchange Mailbox and Folder Sizes" folder
Note
Scripts in the Exchange Management Pack use the mailbox access account to access the test mailboxes. These scripts do not require Microsoft Outlook® to be installed on the server that is running Exchange. For more information, see Microsoft Knowledge Base article 266418, "Microsoft does not support installing Exchange Server components and Outlook on the same computer" (https://go.microsoft.com/fwlink/?LinkId=3052&kbid=266418).
Creating the Mailbox Access Account
The following procedures describe how to create a mailbox access account, and how to grant it the role of Exchange View Only Administrator.
To create the mailbox access account
On a computer that has Exchange Administration Tools installed, open Active Directory Users and Computers.
In the left pane, expand the domain. Right-click the organizational unit that will contain the mail-enabled user, point to New, and then click User.
In the New Object-User dialog box, in First name, Initials, Last name, and User logon name, type the user's information, and then click Next.
In the Password and Confirm Password boxes, type a password for the new user. Select the password options that apply, and then click Next.
Clear the Create an Exchange mailbox check box. Click Next, verify the information for the new user, and then click Finish.
To grant the role of Exchange View Only Administrator to the mailbox access account
Open System Manager.
In the left pane, right-click the organization or administrative group for which you want to delegate administrative permissions, and then click Delegate Control.
On the Welcome to the Exchange Administration Delegation Wizard page, click Next.
On the Users or Groups page, click Add to grant a new user or group administrative permissions.
In Delegate Control, click Browse, and then select the domain user account that you just created.
Note
By selecting where to browse from the Look in drop-down list, you can display the list of users and groups from the entire Active Directory, or only the list for a particular domain. You can also type the name of the user or group in the Name box. You must type one name at a time.
After you have selected the domain user account, in the Delegate Control dialog box, in the Role list, select the following administrative permission for the group or user:
Exchange View Only Administrator: This option can view Exchange configuration information.
Note
To change the role of an existing user or group, select the user or group, click Edit, and then choose the new role. To remove a user or group, select the user or group, and then click Remove.
To assign the permissions, click Next, and then click Finish.
Creating the Test mailbox account
The following rules require the configuration of a test mailbox account on each server that is running Exchange:
Rule Group: Report Collection Rules\MAPI Logon Check and Availability Reporting and also Availability Monitoring\MAPI Logon Check and Availability Reporting
Rule Name: Check store availability – MAPI logon
Report: Exchange Server Availability
Agent Mailboxes used: <servername>MOM<optional suffix>
Rule Group: Availability Monitoring\Verify Mail Flow
Rule Name: Send mail flow messages
Rule Name: Receive mail flow messages
Agent Mailbox used: only <servername>MOM
Rule Group: Report Collection Rules\Mailbox Statistics Analysis
Rule Name: Report Collection Rules – Mailbox Statistics Analysis
Reports: Mailbox reports in "Exchange Mailbox and Folder Sizes" folder
Agent Mailbox used: only <servername>MOM
Rule Group: Report Collection Rules\Public Folder Statistics Analysis
Rule Name: Report collection – public folder statistics
Reports: Public Folder reports in "Exchange Mailbox and Folder Sizes" folder
Agent Mailbox used: only <servername>MOM
Note
Do not create agent mailboxes on front-end Exchange servers.
To create and configure a test mailbox account
On a computer that has the Exchange System Manager installed, open Active Directory Users and Computers.
Create a user account for each Exchange server as follows:
User name of server_nameMOM, where server_name is the name of the Exchange server. If this is an Exchange cluster, the server name is the name of the Exchange virtual server. For example, if the server name is ExServer1, the test account is ExServer1MOM.
The associated mailbox for the account must reside on the Exchange server. Each Exchange server must have an agent mailbox configured on one of the local stores.
Note
If you have multiple stores on a server, you can add more test mailbox accounts with logon name <servername>MOM#, where # can be any number or word. The first test mailbox account must be named <servername>MOM because it is the only mailbox used by the mail flow verification and the mailbox and public folder analyses.
Also, the total length of the test mailbox account name cannot exceed 20 characters.
User cannot change password.
Password never expires.
Account is disabled.
Note
Do not clear the Create an Exchange mailbox check box.
After the account is created, on the View menu, click Advanced Features.
Right-click this new test mailbox account, click Properties, and then click the Exchange Advanced tab. If this tab is not present, make sure that Advanced Features was selected in the previous step.
Click Mailbox Rights, and then click Add.
Add the mailbox access account, and then click OK.
In the Permissions box, grant the mailbox access account Full Mailbox Access.
On the Mailbox Rights tab, select the Self account.
In Permissions, click Associated External Account, and then click OK.
Click the Security tab, and select the Mailbox Access Account. (You may have to add the mailbox access account if it is not listed in the accounts. Select the mailbox access account from the list of all accounts.)
With the mailbox access account selected, in the Permissions box, under the Allow column, select the Receive As and Send As check boxes and click OK.
Note
The Agent Mailbox cannot be set to be hidden in the Global Address Book (GAL) because it is not possible to log on to an account in that state.
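The naming and placement rules in this procedure can be checked mechanically before the Configuration Wizard is run. The following Python sketch is an added example, not part of the Exchange Management Pack; the `AgentMailbox` record, the result codes, and the sample inventory are constructed for illustration, and the inventory is assumed to contain only agent (test) mailboxes.

```python
# Added example (not Microsoft's code): validate an agent mailbox inventory
# against the rules stated on this page.
from dataclasses import dataclass

MAX_ACCOUNT_NAME = 20  # page: the account name cannot exceed 20 characters


@dataclass
class AgentMailbox:  # hypothetical inventory record
    logon: str
    display_name: str
    alias: str
    home_server: str
    hidden_from_gal: bool = False


def check_agent_mailboxes(servers, mailboxes):
    """servers maps server name -> True if it is a front-end server.

    Returns a list of (subject, problem_code) tuples.
    """
    problems = []
    for server, is_front_end in servers.items():
        base = f"{server}MOM".casefold()
        homed = [m for m in mailboxes
                 if m.home_server.casefold() == server.casefold()]
        if is_front_end:
            # Agent mailboxes must not be created on front-end servers.
            problems += [(m.logon, "homed-on-front-end") for m in homed]
            continue
        # Mail flow and statistics rules use only <servername>MOM.
        if not any(m.logon.casefold() == base for m in homed):
            problems.append((server, "missing-base-mailbox"))
        for m in homed:
            if not m.logon.casefold().startswith(base):
                problems.append((m.logon, "name-not-servernameMOM"))
            if len(m.logon) > MAX_ACCOUNT_NAME:
                problems.append((m.logon, "name-too-long"))
            # Display name and alias must match for name resolution.
            if m.display_name.casefold() != m.alias.casefold():
                problems.append((m.logon, "display-name-differs-from-alias"))
            # A mailbox hidden from the GAL cannot be logged on to.
            if m.hidden_from_gal:
                problems.append((m.logon, "hidden-from-gal"))
    return problems


# Constructed sample inventory (server and account names are made up).
SERVERS = {"EXBE01": False, "EXFE01": True, "LONGEXCHANGESERVER1": False}
MAILBOXES = [
    AgentMailbox("EXBE01MOM", "EXBE01MOM", "EXBE01MOM", "EXBE01"),
    AgentMailbox("EXBE01MOM01", "EXBE01 MOM 01", "EXBE01MOM01", "EXBE01"),
    AgentMailbox("EXBE01MOM02", "EXBE01MOM02", "EXBE01MOM02", "EXBE01",
                 hidden_from_gal=True),
    AgentMailbox("EXFE01MOM", "EXFE01MOM", "EXFE01MOM", "EXFE01"),
    AgentMailbox("LONGEXCHANGESERVER1MOM", "LONGEXCHANGESERVER1MOM",
                 "LONGEXCHANGESERVER1MOM", "LONGEXCHANGESERVER1"),
]

if __name__ == "__main__":
    for subject, code in check_agent_mailboxes(SERVERS, MAILBOXES):
        print(f"{subject}: {code}")
```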
Mailbox Access Account Rights
The Configuration Wizard creates and configures the Mailbox Access Account in Active Directory. The Mailbox Access Account is granted the following access control entries (ACEs):
ADS_RIGHTS_ENUM.ADS_RIGHT_READ_CONTROL
ADS_RIGHTS_ENUM.ADS_RIGHT_DS_READ_PROP
ADS_RIGHTS_ENUM.ADS_RIGHT_DS_LIST_OBJECT
ADS_RIGHTS_ENUM.ADS_RIGHT_ACTRL_DS_LIST
These ACEs are granted at the locations listed in the following table. ViewStoreStatus is an Exchange-specific property that lets the Mailbox Access Account view store information.
LDAP object | Inherited in the LDAP tree | ViewStoreStatus |
---|---|---|
Configuration container | No | No |
Exchange org | No | No |
Address lists container | Yes | No |
Addressing container | Yes | No |
Admin groups container | No | No |
Selected admin group container | Yes | Yes |
Global settings container | Yes | No |
Recipients policies container | Yes | No |
System policies container | Yes | No |
Additionally, the mailbox access account SID is added to the msExchAdmins property of the Exchange organization object. This causes the mailbox access account to appear in the Delegation Wizard.
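Because the four rights and the table above define a read-only baseline, an exported set of ACEs for the Mailbox Access Account can be compared against it to detect drift, such as an added write right. The following Python sketch is an added example, not part of the Exchange Management Pack. It uses the ADSI `ADS_RIGHTS_ENUM` bit values; the `Ace` record shape, the representation of ViewStoreStatus as a separate flag, and the sample export are assumptions made for illustration.

```python
# Added example (not Microsoft's code): audit Mailbox Access Account ACEs
# against the baseline documented on this page.
from dataclasses import dataclass

# ADS_RIGHTS_ENUM bit values as defined by ADSI.
ADS_RIGHTS = {
    "ADS_RIGHT_DS_CREATE_CHILD": 0x1,
    "ADS_RIGHT_DS_DELETE_CHILD": 0x2,
    "ADS_RIGHT_ACTRL_DS_LIST": 0x4,
    "ADS_RIGHT_DS_SELF": 0x8,
    "ADS_RIGHT_DS_READ_PROP": 0x10,
    "ADS_RIGHT_DS_WRITE_PROP": 0x20,
    "ADS_RIGHT_DS_DELETE_TREE": 0x40,
    "ADS_RIGHT_DS_LIST_OBJECT": 0x80,
    "ADS_RIGHT_DS_CONTROL_ACCESS": 0x100,
    "ADS_RIGHT_DELETE": 0x10000,
    "ADS_RIGHT_READ_CONTROL": 0x20000,
    "ADS_RIGHT_WRITE_DAC": 0x40000,
    "ADS_RIGHT_WRITE_OWNER": 0x80000,
}

# The four rights this page says the Configuration Wizard grants.
EXPECTED_MASK = (ADS_RIGHTS["ADS_RIGHT_READ_CONTROL"]
                 | ADS_RIGHTS["ADS_RIGHT_DS_READ_PROP"]
                 | ADS_RIGHTS["ADS_RIGHT_DS_LIST_OBJECT"]
                 | ADS_RIGHTS["ADS_RIGHT_ACTRL_DS_LIST"])

# container -> (inherited in the LDAP tree, ViewStoreStatus), from the table.
EXPECTED = {
    "Configuration container": (False, False),
    "Exchange org": (False, False),
    "Address lists container": (True, False),
    "Addressing container": (True, False),
    "Admin groups container": (False, False),
    "Selected admin group container": (True, True),
    "Global settings container": (True, False),
    "Recipients policies container": (True, False),
    "System policies container": (True, False),
}


@dataclass
class Ace:  # hypothetical record shape for one exported ACE
    container: str
    mask: int
    inherited: bool
    view_store_status: bool


def decode(mask):
    """Return the names of the rights set in an access mask."""
    names = [name for name, bit in ADS_RIGHTS.items() if mask & bit]
    leftover = mask
    for bit in ADS_RIGHTS.values():
        leftover &= ~bit
    if leftover:
        names.append(f"UNKNOWN(0x{leftover:X})")
    return names


def audit(aces):
    """Compare exported ACEs with the documented baseline; return findings."""
    findings, seen = [], set()
    for ace in aces:
        if ace.container not in EXPECTED:
            findings.append((ace.container, "ACE at undocumented location"))
            continue
        seen.add(ace.container)
        inherited, vss = EXPECTED[ace.container]
        missing = EXPECTED_MASK & ~ace.mask
        extra = ace.mask & ~EXPECTED_MASK
        if missing:
            findings.append((ace.container, "missing " + ",".join(decode(missing))))
        if extra:
            findings.append((ace.container, "extra " + ",".join(decode(extra))))
        if ace.inherited != inherited:
            findings.append((ace.container, f"inheritance should be {inherited}"))
        if ace.view_store_status != vss:
            findings.append((ace.container, f"ViewStoreStatus should be {vss}"))
    for container in sorted(EXPECTED.keys() - seen):
        findings.append((container, "no ACE found"))
    return findings


# Constructed sample export with three deviations from the baseline.
SAMPLE = [Ace(name, EXPECTED_MASK, inh, vss)
          for name, (inh, vss) in EXPECTED.items()
          if name != "System policies container"]
SAMPLE[1] = Ace("Exchange org", EXPECTED_MASK, True, False)  # inherits, should not
SAMPLE[3] = Ace("Addressing container", EXPECTED_MASK | 0x20, True, False)  # can write
```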
Common Problems
Although some deployments and configurations may create problems, many problems can be avoided by following best practices. Nevertheless, when a problem does occur, it is important to troubleshoot it. This section discusses common problem areas and provides some resolution techniques.
Misconfigurations
Misconfigurations can cause the Exchange Management Pack to fail to detect problems in your environment. Several common misconfiguration errors are covered in this topic. These errors fall into the following categories:
Configuration Wizard Errors
Permissions and Directory Access Errors
Errors Related to Upgrading
Configuration Wizard Errors
The following reports require that the Configuration Wizard be run and MAPI Logon and/or Mail flow tests be enabled.
Exchange Database Sizes
Exchange Mailboxes
Exchange Server Configuration
Mail Delivered - Top 100 Recipient Mailboxes by Count
Mail Delivered - Top 100 Recipient Mailboxes by Size
Highest Growth Mailboxes
Top 100 Mailboxes (by Size)
The Configuration Wizard will not overwrite the value in BEAccount if there is a value present. If you want to change the mailbox defined on your back-end server that the front-end monitoring script uses for logon tests, follow these steps.
To change the mailbox defined on your back-end server
Run the Configuration Wizard and disable front-end monitoring. This removes the value defined for the BEAccount.
Run the Configuration Wizard and select the back-end and front-end servers that you want to monitor.
To successfully run the Configuration Wizard on a front-end server, you must have at least one back-end server that has at least one test mailbox for Outlook Web Access logons, and a mailbox access account for Outlook Mobile Access and Exchange ActiveSync® logons. If none of the back-end servers that your front-end server communicates with have a test mailbox or mailbox access account available, the Configuration Wizard will return an error that indicates that it is unable to locate a test mailbox for front-end monitoring.
For the front-end server, Outlook Web Access, Outlook Mobile Access, and Exchange ActiveSync availability scripts to function correctly, SSL is required on the Exchange 2003 front-end server. To verify that SSL is configured for each virtual directory, follow the steps provided in the "Configuring SSL" section earlier in this guide.
Permissions and Directory Access Errors
If you receive MAPI logon verification script problems that generate event IDs 9981 and 9016, you should verify that the Mailbox Access Account has full mailbox rights on the mailbox used for the MAPI Logon test. You can verify this information by logging on to the test mailbox by using the mailbox access account.
If you receive a MAPI_E_NOT_FOUND error, you should verify the following:
The Mailbox Access Account must have permissions to read and write to the %systemroot%\temp\exmppd directory. This directory is where temporary MAPI logon profiles will be created. To verify that your account has appropriate permissions, log on to the server as the Mailbox Access Account and create a test file in this directory.
The Mailbox Access Account must have local logon rights on each Exchange server. These rights are required for the MAPI Logon and Mail Flow tests. The Configuration Wizard automatically grants the necessary rights.
The registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Messaging Subsystem\ProfileDirectory must be set to the value of %systemroot%\temp\exmppd. For example, c:\winnt\temp\exmppd.
Explicitly changing the Default Access Permissions causes the System account not to be granted Default Access Permissions. If you have manually added an account to Default Access Permissions, you will not receive event ID 9986 on the MOM server after installing the agent on your Exchange server. Event 9986 can be found in the Event Viewer on the MOM server by searching for events associated with the specific Exchange server. You will then receive subsequent errors that indicate a permissions issue. For more information, see Microsoft Knowledge Base article 274696, "Actions such as search and drag and drop do not work because the default access permissions have been changed in the Dcomcnfg.exe tool" at https://go.microsoft.com/fwlink/?linkid=3052&kbid=274696.
To fix this problem
Add the System account and Interactive account to the Default Access Permissions list according to Knowledge Base article 274696.
Uninstall MOM completely.
Delete the MOM installation directory and registry keys, and then restart the server.
Use the Agent Manager to reinstall the MOM agent on your Exchange server.
At this point, you should start receiving Event 9986 for your Exchange server. Run the Configuration Wizard and finish configuration of the Exchange Management Pack.
Inherited "deny" permissions cause the MAPI Logon verification test to fail. If your organization has "Send As" and "Receive As" permissions configured as "deny" at the organization level, the mailbox access account will be unable to log on to your Exchange server.
To resolve this problem
Remove the access control entries that deny "Send As" and "Receive As" permissions from the organization object.
Create a new mailbox access account.
Verify that the new mailbox access account can resolve names in your global address list.
Run the Configuration Wizard.
Active Directory problems result in intermittent failure of the MAPI Logon Verification script. MAPI logon fails if it cannot access a domain controller, or the domain controller does not respond in a timely manner.
To resolve this problem
Start the Exchange System Attendant service if it is not started.
Verify the configuration for the agent mailboxes and correct any errors in configuration.
Verify that the domain controllers in the domain are accessible and that users can log on using Outlook.
The Mail Flow script fails to run, and you receive MAPI_E_AMBIGUOUS_RECIP errors. This error can be caused if the Mailbox Access Account Display name and samAccountName are not the same, which causes ambiguous name resolution to fail.
To resolve this problem
Delete the Mailbox Access Account.
Create a new Mailbox Access Account that has a full name of MOM#, where # is a unique number for each account.
Errors Related to Upgrading
In Exchange Server 2003, the rule "Mailbox Statistics", which generates a list of the top 100 mailboxes according to size, may not include mailboxes that were migrated from Exchange Server 5.5. As a result, you may have larger mailboxes on your server than what is displayed in the report. These mailboxes will also fail to appear in the performance view "Mailbox Size" and "Mailbox Message Count."
To resolve this problem
Verify that you are running the correct version of the binary used to collect mailbox statistics. The current version is EMPMB.EXE. The discontinued version is ExchMBStat.exe.
Install Exchange Server 2003 Service Pack 1.
When MOM deploys changes to an Exchange server, you may receive a Microsoft Operations Manager event that indicates that the MOM performance provider could not access the performance counter.
To resolve this
Verify that the referenced performance counter is correctly installed on your system.
Verify that the correct computer group is associated with your rules. Associating the correct computer group with your rules allows only front-end server rules to run against your front-end servers, and only back-end server rules to run against your back-end servers.
Delete rules that reference legacy counters that are no longer used.
Alert Noise
A bothersome problem with alerts occurs when they are generated unnecessarily and do not report a real problem. Alternatively, a problem exists when alerts fail to be generated for a specific problem. A first step in determining the causes is to review the Rule that generates the alert. If thresholds, responses, and other settings appear acceptable, a second step is to check logs for errors and events.
Alert optimization can also be handled through overrides. The Exchange Management Pack includes the option to disable Rules, and to change settings within them. For example, if the alert is generated from performance data, it is possible to change the threshold.
The Threshold Processing Rule "Disk Write Latencies > 50 msec" generates unnecessary alerts for servers with several physical disks. This rule gathers data from the Microsoft Windows NT® Performance Counter object PhysicalDisk, counter "Avg. Disk sec/Write" in which the provider is set to <All> instances. Because _Total instance is an aggregate value, it will exceed the threshold value even when there is no cause for alarm. In this case, you should reconfigure the rule to generate an alert only when a single disk is exceeding the threshold.
To configure this rule
In MOM 2005 Administrator Console, locate Microsoft Operations Monitor\Management Packs\Rule Groups\Microsoft Exchange Server\Microsoft Exchange Server 2003.
In the left pane, right-click Microsoft Exchange Server and then click Create Rule Group.
In the Rule Group Properties - General dialog box, type a Name for the rule group, and then click Next.
In the Rule Group Properties - Knowledge Base dialog box, enter any information that you want your operators and administrators to have access to when managing this rule group, and then click Finish.
In the Microsoft Operations Manager dialog box, click Yes to deploy the rules in this rule group.
In the Rule Group Properties dialog box, on the Computer Groups tab, click Add to add computer groups to this rule group and then click OK.
In MOM 2005 Administrator Console, locate Microsoft Operations Monitor\Management Packs\Rule Groups\Microsoft Exchange Server\Microsoft Exchange Server 2003\Health Monitoring and Performance Thresholds\Server Performance Thresholds\Performance Rules.
In the left pane, click Performance Rules and then, in the right pane, right-click Disk Write Latencies > 50 msec, and then click Properties.
In the Threshold Rule Properties dialog box, on the General tab, clear the This rule is enabled check box, and then click OK.
In the right pane, right-click Disk Write Latencies > 50 msec, and then click Copy.
In the left pane, expand the rule group that you created earlier in this procedure, click Performance Rules, and then, in the right pane, right click the space and click Paste.
In the right pane, right-click the copied rule, and then click Properties.
In the Threshold Rule Properties dialog box, click the Criteria tab.
On the Criteria tab, click Advanced.
In the Advanced Criteria dialog box, set the Field box to Instance, set the Condition box to not equals, type Total in the Value box, and then click Add to List.
Click Close.
In the Threshold Rule Properties dialog box, click the General tab.
On the General tab, verify that the This rule is enabled check box is selected, and then click OK.
Paging
Paging notifications let you have MOM send a page to your page device when an alert threshold is exceeded. Paging is only one of several options. To troubleshoot problems with paging notifications, do the following:
Configure the alert to use a different type of notification, such as script or e-mail. If the alert triggers the notification, the problem is not with the alert itself or with the notification processing within MOM.
Verify that the page device is receiving pages correctly. If the page device is receiving pages correctly, the problem is not with the device.
If both steps complete without error, you probably have a configuration problem with the page device in the alert itself.
Rules
Problems in which your rules do not run correctly are typically caused by:
Scripts not running on the Exchange server. See Exchange Management Pack Script Dependencies for more information.
MOM test mailboxes not configured correctly. For more information, see "Permissions and Directory Access Errors" earlier in this topic.
Scripts
If scripts do not run, then rules, reports, and views will not function correctly. To troubleshoot problems with scripts, do the following:
Verify that the scripts run correctly in an environment that is independent of MOM. If the scripts work correctly, the problem is not with the coding in the scripts.
Run the MOM Resource Kit utility RunMOMScript. The MOM RunMOMScript utility is a command-line program for testing and troubleshooting MOM script syntax and logic errors before they are deployed into production. This tool is included in the Microsoft Operations Manager 2000 Resource Kit at https://go.microsoft.com/fwlink/?linkid=36078.
Verify that all dependencies are functioning correctly. Script dependencies are identified in Exchange Management Pack Script Dependencies, and also in Microsoft Knowledge Base article 814631, "Dependencies for Exchange 2000 Management Pack Scripts in MOM SP1" at https://go.microsoft.com/fwlink/?linkid=3052&kbid=814631.
If all three of these verifications complete without problems, then you should contact Microsoft Customer Support Services.