Troubleshooting the Exchange Management Pack

There are several common issues and misconfigurations that can cause errors with the Exchange Management Pack. This chapter covers the issues you are most likely to encounter, solutions to those issues, and tools that you can use to resolve other problems that may arise in your environment.

This chapter does not cover disaster recovery. For information about disaster recovery, see the Microsoft® Operations Manager 2005 documentation (https://go.microsoft.com/fwlink/?linkid=35627).

Troubleshooting the Exchange Management Pack Deployments

This section helps you to resolve problems that may occur when you run the Exchange Management Pack Configuration tool.

ExMOM 8203 Alert

This alert occurs if you selected a front-end server as the home for the Mailbox Access account mailbox. Front-end servers should not be used to store mailboxes. To fix the problem, move the mailbox to a back-end server or disable one or both of the following rules:

  • Microsoft Exchange Server 2003\Health Monitoring and Performance Thresholds\Server Configuration and Security Monitoring\Check for existence of mailboxes on Front-End Servers

  • Microsoft Exchange Server 2003\Health Monitoring and Performance Thresholds\Server Configuration and Security Monitoring\Mailboxes homed in a front-end server

The following error occurs if you attempt to run the configuration tool from a mapped network drive:

Error: Request for the permission of type
System.Security.Permissions.EnvironmentPermission,
mscorlib, Version=1.0.5000.0, Culture=neutral,
PublicKeyToken=b77a5c561934e089 failed

This error is the result of new security restrictions in the .NET Framework to protect your computer and your network. The Exchange Management Pack Configuration tool must be installed locally to run.

The configuration tool must be installed in a location that belongs to a security policy group with FullTrust permissions. While local drives belong to the "Zone – MyComputer" security policy group, which has FullTrust permissions, network shares and mapped network drives belong to the "Zone – Intranet" security policy group, which has LocalIntranet permissions and might prevent the Configuration Application from executing.

Configuring MAPI Logon Verification Tests Across Domains

In general, you should use a mailbox access account that is defined in your Exchange server's resource domain instead of one defined in your user domain. By default, the Configuration Wizard creates mailboxes and user accounts that you use for mail flow tests in the same domain as the Exchange server that you are monitoring. This can be a problem if, for example, your MOM server and the domain user accounts are in a parent domain, and your Exchange server that houses your test mailbox is in a child domain.

To configure your monitoring environment to support this scenario

  1. Use Active Directory Users and Computers to delete the mailboxes and user accounts created by the Configuration Wizard.

  2. Create new mailboxes and user accounts in the desired domain (such as the parent domain in this scenario). You will need one mailbox for each database that you want the MAPI Logon verification test to run against, and you should name the mailboxes servernameMOM, servernameMOM01, and so on, where servername is the name of the Exchange server that you are monitoring. The display name and the alias for these accounts must be exactly the same or Automatic Name Resolution will not work correctly.

  3. Wait for Active Directory® directory service replication to complete. These accounts must be replicated to the global catalog server used by the Configuration Wizard for MOM to recognize them.

  4. Run the Configuration Wizard, verifying that the wizard correctly identifies the accounts that you created for the MAPI Logon test.

Both the Configuration Wizard and the script that performs the MAPI logon verification test must be able to find the new accounts when they query the global catalog server. Because of replication latency between the domain controllers, it may take some time for the accounts you created to replicate to the global catalog server used by the Configuration Wizard and the script.

Mailbox Access Account Configuration

The Configuration Wizard configures the Mailbox Access Account correctly. If the Mailbox Access Account configuration is modified, the Exchange Management Pack will be unable to perform several tests. This section describes the settings that must be configured for MAPI logon dependent tests to run correctly.

To use the rules that rely on a MAPI logon to Exchange, you must create at least one mailbox—referred to as the Agent Access Account—on each server running Exchange that is being monitored. To access these mailboxes, the Exchange Management Pack needs to have a single domain user account—the Mailbox Access Account—that can access all the agent mailboxes on all the servers. The Mailbox Access Account must be granted the role of Exchange View Only Administrator to collect mailbox statistics information about the Exchange server for the Top 100 Mailboxes reports.

The rules that require a MAPI logon to Exchange require a test mailbox account on each server running Exchange. These rules and their associated reports are as follows:

Rule Group: Server Availability\MAPI Logon Check and Availability Reporting

Rule Name: Check store availability – MAPI logon
Report: Exchange Server Availability

Rule Group: Server Availability\Mail Flow Verification

Rule Name: Send mail flow messages

Rule Name: Receive mail flow messages

Rule Group: Report Collection Rules\Mailbox Statistics Analysis

Rule Name: Report Collection Rules – Mailbox Statistics Analysis
Reports: Mailbox reports in "Exchange Mailbox and Folder Sizes" folder

Rule Group: Report Collection Rules\Public Folder Statistics Analysis

Rule Name: Report collection – public folder statistics
Reports: Public Folder reports in "Exchange Mailbox and Folder Sizes" folder

Note   Scripts in the Exchange Management Pack use the mailbox access account to access the test mailboxes. These scripts do not require Microsoft Outlook® to be installed on the server running Exchange. For more information, see Microsoft Knowledge Base article 266418, "Microsoft Does Not Recommend Installing Exchange 2000 Server and Outlook 2000 or Later on the Same Computer" (https://go.microsoft.com/fwlink/?LinkId=3052&kbid=266418).

Creating the Mailbox Access Account

The following procedures describe how to create a mailbox access account, and how to grant it the role of Exchange View Only Administrator.

To create the mailbox access account

  1. On a computer with Exchange Administration Tools installed, open Active Directory Users and Computers.

  2. In the left pane, expand the domain. Right-click the organizational unit that will contain the mail-enabled user, point to New, and then click User.

  3. In the New Object-User dialog box, in First name, Initials, Last name, and User logon name, type the user's information, and then click Next.

  4. In the Password and Confirm Password boxes, type a password for the new user. Select the password options that apply, and then click Next.

  5. Clear the Create an Exchange mailbox check box. Click Next, verify the information for the new user, and then click Finish.

To grant the role of Exchange View Only Administrator to the mailbox access account

  1. Open System Manager.

  2. In the left pane, right-click the organization or administrative group for which you want to delegate administrative permissions, and then click Delegate control.

  3. On the Welcome to the Exchange Administration Delegation Wizard page, click Next.

  4. On the Users or Groups page, click Add to grant a new user or group administrative permissions.

  5. In Delegate Control, click Browse, and then select the domain user account that you just created.

    Note   By selecting where to browse from the Look in drop-down list, you can display the list of users and groups from the entire Active Directory, or only the list for a particular domain. You can also type the name of the user or group in the Name box. You must type one name at a time.

  6. After you have selected the domain user account, in the Delegate Control dialog box, in the Role list, select the following administrative permission for the group or user:

    Exchange View Only Administrator: This option can view Exchange configuration information.

    Note   To change the role of an existing user or group, select the user or group, click Edit, and then choose the new role. To remove a user or group, select the user or group, and then click Remove.

  7. To assign the permissions, click Next, and then click Finish.

Creating the Test mailbox account

The following rules require the configuration of a test mailbox account on each server running Exchange:

Rule Group: Report Collection Rules\MAPI Logon Check and Availability Reporting and also Availability Monitoring\MAPI Logon Check and Availability Reporting

Rule Name: Check store availability – MAPI logon
Report: Exchange Server Availability
Agent Mailboxes used: <servername>MOM<optional suffix>

Rule Group: Availability Monitoring\Verify Mail Flow

Rule Name: Send mail flow messages

Rule Name: Receive mail flow messages
Agent Mailbox used: only <servername>MOM

Rule Group: Report Collection Rules\Mailbox Statistics Analysis

Rule Name: Report Collection Rules – Mailbox Statistics Analysis
Reports: Mailbox reports in "Exchange Mailbox and Folder Sizes" folder
Agent Mailbox used: only <servername>MOM

Rule Group: Report Collection Rules\Public Folder Statistics Analysis

Rule Name: Report collection – public folder statistics
Reports: Public Folder reports in "Exchange Mailbox and Folder Sizes" folder
Agent Mailbox used: only <servername>MOM

Note Do not create agent mailboxes on front-end Exchange servers.

To create and configure a test mailbox account

  1. On a computer with the Exchange System Manager installed, open Active Directory Users and Computers.

  2. Create a user account for each Exchange server as follows:

  3. User name of server_nameMOM, where server_name is the name of the Exchange server. If this is an Exchange cluster, the server name is the name of the Exchange virtual server. For example, if the server name is ExServer1, the test account is ExServer1MOM.

  4. The associated mailbox for the account must reside on the Exchange server. Each Exchange server must have an agent mailbox configured on one of the local stores.

    Note   If you have multiple stores on a server, you can add more test mailbox accounts with logon name <servername>MOM#, where # can be any number or word. The first test mailbox account must be named <servername>MOM because it is the only mailbox used by the mail flow verification and the mailbox and public folder analyses.

    Also, the total length of the test mailbox account name cannot exceed 20 characters.

  5. User cannot change password

  6. Password never expires

  7. Account is disabled

    Note   Do not clear the Create an Exchange mailbox check box.

  8. After the account is created, on the View menu, click Advanced Features.

  9. Right-click this new test mailbox account, click Properties, and then click the Exchange Advanced tab. If this tab is not present, make sure that Advanced Features was selected in the previous step.

  10. Click Mailbox Rights, and then click Add.

  11. Add the mailbox access account, and then click OK.

  12. In the Permissions box, grant the mailbox access account Full Mailbox Access.

  13. On the Mailbox Rights tab, select the Self account.

  14. In Permissions, click Associated External Account and then click OK.

  15. Click the Security tab, and select the Mailbox Access Account. (It may be necessary to add the mailbox access account if it is not listed in the accounts. Select the mailbox access account from the list of all accounts.)

  16. With the mailbox access account selected, in the Permissions box, under the Allow column, select the Receive As and Send As check boxes and click OK.

    Note   The Agent Mailbox cannot be set to be hidden in the Global Address Book (GAL) because it is not possible to log in to an account in that state.
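The naming rules in this procedure can be checked before you run the Configuration Wizard. The following is an added example, not part of the Exchange Management Pack; the function name, the property names on the account records, and the sample accounts are constructed for illustration.

```powershell
# Added example: validate test mailbox accounts against the rules on this page.
# Written for Windows PowerShell 2.0 syntax (assumption: PowerShell is installed).
function Test-MomTestMailboxNaming {
    param(
        [Parameter(Mandatory=$true)][string]   $ServerName,
        [Parameter(Mandatory=$true)][object[]] $Accounts
    )
    $base     = $ServerName + 'MOM'
    $findings = @()

    # Mail flow verification and the mailbox/public folder analyses use only <servername>MOM.
    if (-not ($Accounts | Where-Object { $_.SamAccountName -eq $base })) {
        $findings += "${base}: required first test mailbox account is missing"
    }

    foreach ($a in $Accounts) {
        $name = $a.SamAccountName
        if (-not $name.StartsWith($base, [StringComparison]::OrdinalIgnoreCase)) {
            $findings += "${name}: does not follow <servername>MOM<optional suffix>"
        }
        if ($name.Length -gt 20) {
            $findings += "${name}: name is $($name.Length) characters, limit is 20"
        }
        # Display name and alias must be exactly the same (strict, case-sensitive compare).
        if ($a.DisplayName -cne $a.Alias) {
            $findings += "${name}: display name and alias differ, name resolution will not work correctly"
        }
        if ($a.HiddenFromGal) {
            $findings += "${name}: hidden from the GAL, logon to the mailbox is not possible"
        }
    }
    $findings
}

# Constructed sample records for a server named ExServer1.
$accounts = @(
    (New-Object PSObject -Property @{ SamAccountName = 'ExServer1MOM'
        DisplayName = 'ExServer1MOM';    Alias = 'ExServer1MOM';   HiddenFromGal = $false }),
    (New-Object PSObject -Property @{ SamAccountName = 'ExServer1MOM01'
        DisplayName = 'ExServer1 MOM01'; Alias = 'ExServer1MOM01'; HiddenFromGal = $false }),
    (New-Object PSObject -Property @{ SamAccountName = 'ExServer1MOMStorageGroup2'
        DisplayName = 'ExServer1MOMStorageGroup2'; Alias = 'ExServer1MOMStorageGroup2'
        HiddenFromGal = $true })
)

Test-MomTestMailboxNaming -ServerName 'ExServer1' -Accounts $accounts
```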

Mailbox Access Account Rights

The Configuration Wizard creates and configures the Mailbox Access Account in Active Directory. The Mailbox Access Account is granted the following Access Control Entries (ACEs):

  • ADS_RIGHTS_ENUM.ADS_RIGHT_READ_CONTROL

  • ADS_RIGHTS_ENUM.ADS_RIGHT_DS_READ_PROP

  • ADS_RIGHTS_ENUM.ADS_RIGHT_DS_LIST_OBJECT

  • ADS_RIGHTS_ENUM.ADS_RIGHT_ACTRL_DS_LIST

These ACEs are granted at the following locations, where ViewStoreStatus is an Exchange-specific property that lets the Mailbox Access Account view store information (Table 5.1).

Table 5.1   Mailbox Access Account Rights

LDAP object                       Inherited in the LDAP tree   ViewStoreStatus
Configuration container           No                           No
Exchange org                      No                           No
Address lists container           Yes                          No
Addressing container              Yes                          No
Admin groups container            No                           No
Selected admin group container    Yes                          Yes
Global settings container         Yes                          No
Recipients policies container     Yes                          No
System policies container         Yes                          No

Additionally, the mailbox access account SID is added to the msExchAdmins property of the Exchange organization object. This causes the mailbox access account to appear in the Delegation Wizard.
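The rights listed above give a baseline for reviewing what the Mailbox Access Account actually holds on each container in Table 5.1. The following is an added example, not code from the Exchange Management Pack; the function name, account name and sample rules are constructed, and it assumes that ViewStoreStatus appears in an ACL under the ExtendedRight flag without identifying which extended right is granted.

```powershell
# Added example: flag access rules that grant the Mailbox Access Account more than
# the four rights listed on this page. Windows PowerShell 2.0 syntax.
Add-Type -AssemblyName System.DirectoryServices

# The four ADS_RIGHTS_ENUM values as .NET ActiveDirectoryRights flags:
#   ADS_RIGHT_READ_CONTROL   -> ReadControl    ADS_RIGHT_DS_READ_PROP  -> ReadProperty
#   ADS_RIGHT_DS_LIST_OBJECT -> ListObject     ADS_RIGHT_ACTRL_DS_LIST -> ListChildren
$Baseline = [int][System.DirectoryServices.ActiveDirectoryRights]'ReadControl, ReadProperty, ListObject, ListChildren'
# Assumption: ViewStoreStatus is granted as an extended right.
$ExtendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Get-ExcessMailboxAccessRights {
    param(
        [Parameter(Mandatory=$true)][string]   $Account,
        [Parameter(Mandatory=$true)][object[]] $AccessRules,
        # Set only for the selected admin group container (Table 5.1).
        [switch] $ViewStoreStatusExpected
    )
    $allowed = $Baseline
    if ($ViewStoreStatusExpected) { $allowed = $allowed -bor $ExtendedRight }

    foreach ($rule in $AccessRules) {
        if ("$($rule.IdentityReference)" -ne $Account) { continue }
        if ("$($rule.AccessControlType)" -ne 'Allow')  { continue }
        # Bits granted by this rule that are outside the expected mask.
        $excess = [int]$rule.ActiveDirectoryRights -band (-bnot $allowed)
        if ($excess -ne 0) {
            New-Object PSObject -Property @{
                Granted   = $rule.ActiveDirectoryRights
                Excess    = [System.DirectoryServices.ActiveDirectoryRights]$excess
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Constructed sample rules; the account name is a placeholder.
$acct = 'EXAMPLE\MomMailboxAccess'
$sampleRules = @(
    (New-Object PSObject -Property @{ IdentityReference = $acct; AccessControlType = 'Allow'
        IsInherited = $false
        ActiveDirectoryRights = [System.DirectoryServices.ActiveDirectoryRights]'GenericRead' }),
    (New-Object PSObject -Property @{ IdentityReference = $acct; AccessControlType = 'Allow'
        IsInherited = $true
        ActiveDirectoryRights = [System.DirectoryServices.ActiveDirectoryRights]'GenericRead, WriteProperty' }),
    (New-Object PSObject -Property @{ IdentityReference = 'EXAMPLE\Other'; AccessControlType = 'Allow'
        IsInherited = $false
        ActiveDirectoryRights = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll' })
)

Get-ExcessMailboxAccessRights -Account $acct -AccessRules $sampleRules

# Against a live directory, pass the container's real rules instead, for example:
#   $entry = [ADSI]'LDAP://<distinguishedName of the container>'
#   $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true,
#                [System.Security.Principal.NTAccount])
```

The four baseline rights together are the same bit mask as the GenericRead value of ActiveDirectoryRights, so a rule that shows GenericRead for this account matches the baseline.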

Common Problems

Although some deployments and configurations may create problems, many problems can be avoided by following best practices. Nevertheless, when a problem does occur, it is important to troubleshoot and resolve it. This section discusses common problem areas and provides some resolution techniques.

Misconfigurations

Misconfigurations can cause the Exchange Management Pack to fail to detect problems in your environment. Several common misconfiguration errors are covered in this chapter. These errors fall into the following categories:

  • Configuration Wizard Errors

  • Permissions and Directory Access Errors

  • Errors Related to Upgrading

Configuration Wizard Errors

The following reports require that the Configuration Wizard be run and MAPI Logon and/or Mail flow tests be enabled.

  • Exchange Database Sizes

  • Exchange Mailboxes

  • Exchange Server Configuration

  • Mail Delivered - Top 100 Recipient Mailboxes by Count

  • Mail Delivered - Top 100 Recipient Mailboxes by Size

  • Highest Growth Mailboxes

  • Top 100 Mailboxes (by Size)

The Configuration Wizard will not overwrite the value in BEAccount if there is a value present. If you want to change the mailbox defined on your back-end server that the front-end monitoring script uses for log-on tests, use the following procedure.

To change the mailbox defined on your back-end server

  1. Run the Configuration Wizard and disable front-end monitoring. This removes the value defined for the BEAccount.

  2. Run the Configuration Wizard and select the back-end and front-end servers that you want to monitor.

To successfully run the Configuration Wizard on a front-end server, you must have at least one back-end server with at least one test mailbox for Outlook Web Access logons, and a mailbox access account for Outlook Mobile Access and Exchange ActiveSync® logons. If none of the back-end servers that your front-end server communicates with have a test mailbox or mailbox access account available, the Configuration Wizard will return an error indicating that it is unable to locate a test mailbox for front-end monitoring.

For the front-end server, Outlook Web Access, Outlook Mobile Access, and Exchange ActiveSync availability scripts to function correctly, SSL is required on the Exchange 2003 front-end server. To verify that SSL is configured for each virtual directory, follow the steps provided in the "Configuring SSL" section earlier in this guide.

Permissions and Directory Access Errors

If you receive MAPI logon verification script problems that generate event IDs 9981 and 9016, you should verify that the Mailbox Access Account has full mailbox rights on the mailbox used for the MAPI Logon test. You can verify this information by logging on to the test mailbox by using the mailbox access account.

If you receive a MAPI_E_NOT_FOUND error, you should verify the following:

  • The Mailbox Access Account must have privileges to read and write to the %systemroot%\temp\exmppd directory. This directory is where temporary MAPI logon profiles will be created. To verify that your account has appropriate permissions, log on to the server as the Mailbox Access Account and create a test file in this directory.

  • The Mailbox Access Account must have local logon rights on each Exchange server. These rights are required for the MAPI Logon and Mail Flow tests. The Configuration Wizard automatically grants the necessary rights.

  • The registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Messaging Subsystem\ProfileDirectory must be set to the value of %systemroot%\temp\exmppd. For example, c:\winnt\temp\exmppd.
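The directory and registry checks above can be scripted. The following is an added example, not part of the Exchange Management Pack; the function name is constructed, and it assumes Windows PowerShell 2.0 or later is installed on the Exchange server and that the session is logged on as the Mailbox Access Account.

```powershell
# Added example: verify the profile directory settings behind MAPI_E_NOT_FOUND.
# Run on the Exchange server while logged on as the Mailbox Access Account.
function Test-MapiProfileDirectory {
    # Directory and registry location as given on this page.
    $expected = Join-Path $env:SystemRoot 'temp\exmppd'
    $regKey   = 'HKLM:\SOFTWARE\Microsoft\Windows Messaging Subsystem'
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    $checks   = @()

    # Check 1: the ProfileDirectory value points at %systemroot%\temp\exmppd.
    $configured = $null
    try {
        $raw = (Get-ItemProperty -Path $regKey -Name ProfileDirectory -ErrorAction Stop).ProfileDirectory
        # The value may be stored with an unexpanded %systemroot%.
        $configured = [Environment]::ExpandEnvironmentVariables($raw).TrimEnd('\')
    } catch {
        # Key or value is missing; $configured stays $null and the check fails.
    }
    $checks += New-Object PSObject -Property @{
        Check  = 'ProfileDirectory registry value'
        Passed = ($configured -eq $expected)   # string -eq is case-insensitive
        Detail = "configured='$configured' expected='$expected'"
    }

    # Check 2: the current account can create, read and delete a file there.
    $probe   = Join-Path $expected ('probe_{0}.tmp' -f [Guid]::NewGuid().ToString('N'))
    $writeOk = $false
    $detail  = "write and read succeeded as $identity"
    try {
        Set-Content -Path $probe -Value 'probe' -ErrorAction Stop
        $null = Get-Content -Path $probe -ErrorAction Stop
        $writeOk = $true
    } catch {
        $detail = "failed as ${identity}: $($_.Exception.Message)"
    } finally {
        Remove-Item -Path $probe -ErrorAction SilentlyContinue
    }
    $checks += New-Object PSObject -Property @{
        Check  = 'Read/write access to exmppd directory'
        Passed = $writeOk
        Detail = $detail
    }

    # Fix the column order, which a hashtable does not preserve in PowerShell 2.0.
    $checks | Select-Object Check, Passed, Detail
}

Test-MapiProfileDirectory | Format-List
```

Running the function from an interactive session as the Mailbox Access Account also shows that the account can log on locally to that server, which is the remaining item in the list.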

Explicitly changing the Default Access Permissions causes the System account to not be granted Default Access Permissions. If you have manually added an account to Default Access Permissions, you will not receive event ID 9986 on the MOM server after installing the agent on your Exchange server. You will then receive subsequent errors indicating a permissions issue. For more information, see Microsoft Knowledge Base article 274696, "Actions such as search and drag and drop do not work because the default access permissions have been changed in the Dcomcnfg.exe tool" (https://go.microsoft.com/fwlink/?LinkId=3052&kbid=274696).

To fix this problem

  1. Add the System account and Interactive account to the Default Access Permissions list according to Knowledge Base article 274696.

  2. Uninstall MOM completely.

  3. Delete the MOM installation directory and registry keys, and then restart the server.

  4. Use the Agent Manager to reinstall the MOM agent on your Exchange server.

  5. At this point, you should begin receiving Event 9986 for your Exchange server. Run the Configuration Wizard and finish configuration of the Exchange Management Pack.

Inherited "deny" permissions cause the MAPI Logon verification test to fail. If your organization has "Send As" and "Receive As" permissions configured as "deny" at the organization level, the mailbox access account will be unable to log on to your Exchange server.

To resolve this problem

  1. Remove the access control entries that deny "Send As" and "Receive As" permissions from the organization object.

  2. Create a new mailbox access account.

  3. Verify the new mailbox access account can resolve names in your global address list.

  4. Run the Configuration Wizard.

Active Directory problems result in intermittent failure of the MAPI Logon Verification script. MAPI logon fails if it cannot access a domain controller, or the domain controller does not respond in a timely manner.

To resolve this problem

  1. Start the Exchange System Attendant service if it is not started.

  2. Verify the configuration for the agent mailboxes and correct any errors in configuration.

  3. Verify that the domain controllers in the domain are accessible and that users can log on using Outlook.

The Mail Flow script fails to run, and you receive MAPI_E_AMBIGUOUS_RECIP errors. This error can be caused if the Mailbox Access Account Display name and samAccountName are not exactly the same, which causes ambiguous name resolution to fail.

To resolve this

  1. Delete the Mailbox Access Account.

  2. Create a new Mailbox Access Account that has a full name of MOM#, where # is a unique number for each account.

In Exchange Server 2003, the rule "Mailbox Statistics", which generates a list of the top 100 mailboxes according to size, may not include mailboxes that were migrated from Exchange Server 5.5. As a result, you may have larger mailboxes on your server than what is displayed in the report. These mailboxes will also fail to appear in the performance view "Mailbox Size" and "Mailbox Message Count."

To resolve this problem

  1. Verify that you are running the correct version of the binary used to collect mailbox statistics. The current version is EMPMB.EXE. The retired version is ExchMBStat.exe.

  2. Install Exchange Server 2003 Service Pack 1.

When MOM deploys changes to an Exchange server, you may receive a Microsoft Operations Manager event indicating that the MOM performance provider could not access the performance counter.

To resolve this

  1. Verify that the referenced performance counter is correctly installed on your system.

  2. Verify that the correct computer group is associated with your rules. Associating the correct computer group with your rules allows only front-end server rules to run against your front-end servers, and only back-end server rules to run against your back-end servers.

  3. Delete rules that reference legacy counters that are no longer used.

Alert Noise

A bothersome problem with alerts arises when they are generated unnecessarily and do not report a real problem. Alternatively, a problem exists when alerts fail to be generated for a specific problem. A first step in determining the causes is to review the Rule that generates the alert. If thresholds, responses, and other settings appear acceptable, a second step is to check logs for errors and events.

Alert optimization can also be handled through overrides. The Exchange Management Pack includes the option to disable Rules, and to change settings within them. For example, if the alert is generated from performance data, it is possible to change the threshold.

The Threshold Processing Rule "Disk Write Latencies > 50 msec" generates unnecessary alerts for servers with several physical disks. This rule gathers data from the Microsoft Windows NT® Performance Counter object PhysicalDisk, counter "Avg. Disk sec/Write" in which the provider is set to <All> instances. Because _Total instance is an aggregate value, it will exceed the threshold value even when there is no cause for alarm. In this case, you should reconfigure the rule to generate an alert only when a single disk is exceeding the threshold.

To configure this rule

  1. In MOM 2005 Administrator Console, locate Microsoft Operations Monitor\Management Packs\Rule Groups\Microsoft Exchange Server\Microsoft Exchange Server 2003.

  2. In the left pane, right-click Microsoft Exchange Server and then click Create Rule Group.

  3. In the Rule Group Properties - General dialog box, type a Name for the rule group and then click Next.

  4. In the Rule Group Properties - Knowledge Base dialog box, enter any information that you want your operators and administrators to have access to when managing this rule group, and then click Finish.

  5. In the Microsoft Operations Manager dialog box, click Yes to deploy the rules in this rule group.

  6. In the Rule Group Properties dialog box, on the Computer Groups tab, click Add to add computer groups to this rule group and then click OK.

  7. In MOM 2005 Administrator Console, locate Microsoft Operations Monitor\Management Packs\Rule Groups\Microsoft Exchange Server\Microsoft Exchange Server 2003\Health Monitoring and Performance Thresholds\Server Performance Thresholds\Performance Rules.

  8. In the left pane, click Performance Rules and then, in the right pane, right-click Disk Write Latencies > 50 msec and then click Properties.

  9. In the Threshold Rule Properties dialog box, on the General tab, clear the This rule is enabled check box and then click OK.

  10. In the right pane, right-click Disk Write Latencies > 50 msec and then click Copy.

  11. In the left pane, expand the rule group that you created earlier in this procedure, click Performance Rules, and then, in the right pane, right-click the space and click Paste.

  12. In the right pane, right-click the copied rule, and then click Properties.

  13. In the Threshold Rule Properties dialog box, click the Criteria tab.

  14. On the Criteria tab, click Advanced.

  15. In the Advanced Criteria dialog box, set the Field box to Instance, set the Condition box to not equals, type Total in the Value box, and then click Add to List.

  16. Click Close to close the Advanced Criteria dialog box.

  17. In the Threshold Rule Properties dialog box, click the General tab.

  18. On the General tab, verify that the This rule is enabled check box is selected, and then click OK.

Paging

Paging notifications allow you to have MOM send a page to your page device in the event that an alert threshold is exceeded. Paging is only one of several options.

To troubleshoot problems with paging notifications

  • Configure the alert to use a different type of notification, such as script or e-mail. If the alert triggers the notification, the problem is not with the alert itself or with the notification processing within MOM.

  • Verify that the page device is receiving pages correctly. If the page device is receiving pages correctly, the problem is not with the device.

If both of these steps complete without error, you probably have a configuration problem with the page device in the alert itself.

Rules

Problems in which your rules fail to run properly are typically caused by:

  • Scripts not running on the Exchange server. See the Scripts section for more information.

  • MOM test mailboxes not configured correctly. See the Permissions and Directory Access Errors section of this chapter for more information.

Scripts

If scripts fail to run, rules, reports, and views will not function correctly.

To troubleshoot problems with scripts

  • Verify that the scripts run correctly in an environment that is independent of MOM. If the scripts work correctly, the problem is not with the coding within the scripts.

  • Run the MOM Resource Kit utility RunMOMScript. The MOM RunMOMScript utility is a command-line program for testing and troubleshooting MOM script syntax and logic errors before they are deployed into production. This tool is included in the Microsoft Operations Manager 2000 Resource Kit (https://go.microsoft.com/fwlink/?LinkId=36078).

  • Verify that all dependencies are functioning correctly. Script dependencies are identified in the appendix of this guide, and also in Knowledge Base article 814631, "Dependencies for Exchange 2000 Management Pack Scripts in MOM SP1" (https://go.microsoft.com/fwlink/?LinkId=3052&kbid=814631).

If all three of these verifications complete without problems, you should contact Microsoft Customer Support Services.