System Requirements

System Requirements

Before installing Foglight for Exchange, ensure your system meets the following minimum hardware and software requirements:

Back to Top

Prerequisites

Prerequisites

The following prerequisite conditions must be in place in order to successfully initialize an Exchange agent. Failure to meet these prerequisites may result in missing metrics in Foglight for Exchange dashboards.

Important: All prerequisite steps must be completed on the Exchange server as well as the Active Directory® server because the Exchange agent collects information from the Active Directory server and requires access permissions.

Note: The Remote Access Diagnostics utility, provided with this cartridge, checks the connectivity between the Foglight Agent Manager (FglAM) and Active Directory and Exchange servers that are being monitored. It also tests for the prerequisite conditions that must be met in order to initialize an Exchange agent. This utility requires .NET® 2.0 libraries to run. For more information on running the Remote Access Diagnostics utility, see the Remote Access Diagnostics User Guide.

Account Privileges

Exchange account privileges:

• Exchange server Local Administrator privilege (DCOM, WinRm).
• Logon as a service privilege (“Quest Remote Command Service”).
• Running Exchange PowerShell cmdlet with the following privileges:
  • Server Management
  • Organization Management
  • View-Only Organization Management

Domain Controller account privileges: a domain user account with the following privileges (LDAP):

• Organization Management (Exchange 2010, 2013)
• Exchange Organization Administrators (Exchange 2007)

DCOM Prerequisites for the Exchange Server

1. Enable the Distributed COM (DCOM) on the Exchange server:
   1. Click Start | Run.
   2. In the Run dialog, enter dcomcnfg and click OK.
   3. Expand Component Services and then Computers.
   4. Right-click the My Computer object and select Properties.
   5. On the Default Properties tab, check the Enable Distributed COM on this computer option.
      • Select "Default Authentication Level" as "Connect.
      • Select "Default Impersonation Level" as "Identify".
2. The Remote Registry Service must be running on each Exchange server being monitored by Foglight for Exchange, to allow agents remote access to the registry.
   The account which monitors the Exchange server must have the "Log on as a service" user right. This is required to enable a remote service to run PowerShell commands. For more information about how to log on as a service, see http://technet.microsoft.com/en-us/library/cc794944(v=WS.10).aspx and the To add the Log on as a service Right to an account section.
   
3. The Exchange account specified in the agent properties must have Full Control permissions on following registry keys:
   • HKEY_CLASSES_ROOT\CLSID 72C24DD5-D70A-438B-8A42-98424B88AFB8 (Windows Script Host Shell Object)
   • HKEY_CLASSES_ROOT\CLSID 76A64158-CB41-11d1-8B02-00600806D9B6 (WBEM Scripting Locator)
   • HKEY_CLASSES_ROOT\CLSID 0D43FE01-F093-11CF-8940-00A0C9054228 (Windows Script FileSystem Object)
     
     For a 64-bit OS, also grant the permissions for these two additional registry keys
   • HKEY_CLASSES_ROOT\Wow6432Node\CLSID 72C24DD5-D70A-438B-8A42-98424B88AFB8
   • HKEY_CLASSES_ROOT\Wow6432Node\CLSID 76A64158-CB41-11D1-8B02-00600806D9B6
   • HKEY_CLASSES_ROOT\Wow6432Node\CLSID 0D43FE01-F093-11CF-8940-00A0C9054228
     
     Note: For instructions on how to configure the registry keys, see the To grant permissions on the registry keys section.

To add the Log on as a service Right to an account:

1. Go to Control Panel > Administrative Tools and open Group Policy Management.
2. Go to Group Policy Management > Forest:[Domain Name] > Domains > [Domain Name] > Default Domain Policy.
3. Right click the Default Domain Policy and select Edit.
4. Go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Log on as a service.
5. Double click Log on as a service and select Security Policy Setting tab.
6. Click Add User or Group and add the account which monitors the exchange server into the list.

To grant permissions on the registry keys:

1. Login to the Exchange server with an Administrator account that you are comfortable having ownership over these keys.
2. Start the Windows Registry Editor (run regedit.exe).
3. If asked to allow the Regedit program to make changes to the computer, click Yes.
4. Navigate to the registry item: HKEY_CLASSES_ROOT\CLSID\{clsid} or HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{clsid}, as necessary.
5. Right-click the registry key and select Permissions.
6. Click Advanced.
7. Open the Owner tab.
8. In the Change Owner to box, select one of the following entries:
   • the user account that is used by the Exchange agent
   • the administrative group for the account you currently belong to
9. Select the Replace the owner on subcontainers and objects check box.
10. If the account is not listed, click Other user or groups to add the account.
11. Click OK.
12. Under Group or user names, select the account that will be specified in the agent properties. If the account is not listed, click Add to add the account.
13. Under Permission for account, select the Allow Full Control check box and click OK.
14. Close the Registry Editor.

SmbServerNameHardeningLevel in Exchange Server should be 0 (the default)

 Exchange servers that have to be accessed by clients not supporting GSS authentication must have SmbServerNameHardeningLevel set to 0 (the default). For more information, see http://support.microsoft.com/kb/2345886.

Firewall Settings for the Exchange Server

Rule #1: need local ports 135, 139, 389 (or 636) and 445 opened.

Rule #2: need "Dynamic RPC" local ports opened.

For more information, see the following article: https://support.quest.com/kb/SOL85903.

Configuring Windows Remote Management (WinRM)

For details about this topic, refer to the "Configuring Windows Remote Management (WinRM)" section in the Foglight Agent Manager Guide.  

Kerberos Settings for the Agent Manager

If LDAP Authentication Schema is selected as Kerberos in the agent properties, the Agent Manager will search the following files for information about the location of the Key Distribution Center (KDC):

• %WINDIR%/krb5.ini [Windows]
• /etc/krb5.conf  [Solaris®]
• /etc/krb5/krb5.conf [Linux®]

The krb5.ini or krb5.conf file should contain the realm info and hostname of the KDC for this realm. For example:

[libdefaults]
default_realm = MY.REALM
[realms]
MY.REALM = {
    kdc = kdc.my.realm
}

Configuring Root Certificates for the Agent Manager

When collecting data using LDAP through SSL communication, a new Certificate Authority must be added to the Agent Manager’s Java® Runtime Environment (JRE). The JRE includes a command-line tool keytool which can be used to add the new Certificate Authority. 

keytool -import -file <importCertPath> -alias <someName> -keystore <cacertsPath> -storepass <changeit>
keytool -list -alias <someName> -keystore <cacertsPath> -storepass <changeit>

Here are example commands that import and list a new root certificate:

<FMS_HOME>\jre\bin\keytool -import -file MySSL.cer –alias MySecuryLDAP.ca -keystore <FMS_HOME>\jre\lib\security\cacerts -storepass changeit
<FMS_HOME>\jre\bin\keytool -list -alias MySecuryLDAP.ca -keystore <FMS_HOME>\jre\lib\security\cacerts -storepass changeit

The initial password of the cacerts keystore file is changeit. System administrators should change this password and the default access permissions of this file when installing the SDK. The file can be found in the directory <FMS_HOME>\jre\lib\security\cacerts (embedded Agent Manager) or <FglAM_HOME>\jre\<JRE_VERSION>\jre\lib\security\cacerts (external Agent Manager).

Note: The certificate file that you want to import should be the public certificate for the Certificate Authority that signed the server's SSL certificate, not the SSL certificate itself. The Agent Manager must be restarted for the certificate to take effect. If security LDAP is enabled when creating the Exchange agent via the Agent Setup wizard, the root certificate also needs to be added to the Foglight Management Server’s Java Runtime Environment (JRE).

Agent Must be Able to Reach the Target Host

Server objects do not appear until at least one piece of data has been collected and recorded. If communication fails completely, you will not see objects.

Configuration steps:

1. Test Ping by IP. You must be able to ping the collection target from the FglAM hosting the agent instance. If ping by IP fails, there are routing issues.
2. Test Ping by host name. A DNS server or Hosts file must be available to the FMS server in order to resolve names. If ping by host name fails, there are DNS or Hosts file issues.
3. If a Hosts file is used, it should contain an entry for each domain where hosts reside. For example:
   10.10.10.100 domain.local
   10.10.10.200 childdomain.domain.local
4. In addition, individual servers must resolve to the NetBIOS names and the FQDN. For example:
   10.10.10.101 server server.domain.local
   The Hosts file is located at %windir%\system\drivers\etc.

PowerShell Configurations Required for Feature State Queries

The new-TestCasConnectivityUser.ps1 PowerShell script must be run on each Exchange Server to configure a test account for the OWA connectivity user tests. This aids in the collection of OWA metrics. The script is located in the Scripts folder of your Exchange install directory. For example, if Exchange is installed in C:\Program Files\Microsoft\Exchange, then the script is located in C:\Program Files\Microsoft\Exchange\Scripts.

Back to Top

Troubleshooting

Troubleshooting

This section provides information about problems that you might encounter while monitoring your environment with Foglight for Exchange, and describes the solutions available to troubleshoot these problems.

Foglight for Active Directory and Foglight for Exchange Integration

The following domain controller specific metrics are not available in Foglight for Exchange unless an Active Directory agent is monitoring the domain controller:

• Exchange | Environment | Servers | AD Dependencies (LDAP, Replication, Database)
• Exchange | Exchange Explorer | AD Health | Domain Controllers |
  • Replication Queue Length
  • Replication Failures

Symptom: Some domain controller specific metrics do not display in the Foglight for Exchange views.

Resolution: Install Foglight for Active Directory.

Exchange Server Discovery Feature

Foglight for Exchange now detects when an Exchange server is added or removed. Alarms are generated for the following cases:

• A new Exchange 2007/2010 server is detected and there is no agent monitoring it.
• A new Exchange server is detected, but the Exchange version on this server is not supported for monitoring.
• An existing Exchange server is removed and an associated agent still exists.

Symptom: Alarms are not being generated when an Exchange server is added or removed.

Resolution:

There are two rules used for the Exchange Server Discovery feature. Disabling either one of these rules will disable alerting on server discovery. Ensure that the following rules are not disabled:

• EXC Server Discovery Search
• EXC Server Discovery Alert

The EXC Server Discovery Search rule fires every 24 hours and an LDAP query is made once for every domain that has an active, collecting agent. Therefore, depending on when the server was added or removed, there may be a delay in seeing the alarm. Also, if the agent is deactivated or not collecting data, the new or removed server will not be detected until the next server discovery search interval after the agent is re-activated and collecting data.

RPCs Failed (Server Too Busy) Performance Metric

The RPCs Failed (Server Too Busy) performance metric is a client-reported value. In order to send this type of data to the server in Outlook 2003 or later, the Exchange server’s registry must contain the ClientMonitoringReportLevel registry key with a value of either one or two.

Symptom: RPCs Failed (Server Too Busy) performance metric is not being collected.

Resolution:

Ensure that the server’s registry contains the ClientMonitoringReportLevel registry key with a value of either one or two.

• In Exchange 2007, the default behavior is to collect performance data only from Outlook clients that have high-speed network connectivity. (Functionally the same as when the value of the ClientMonitoringReportLevel registry key is set to one.)
• For clients that are using a low-bandwidth connection, set the value of the ClientMonitoringReportLevel to two.

To modify the client-side monitoring levels for Outlook 2003 or later clients:

Tip: It is recommended that you create a backup copy of the Registry that you can revert to prior to making any changes.

1. On the Exchange server that contains the client mailboxes to be monitored, run: regedit.
2. If you are asked to allow the Regedit program to make changes to the computer, click Yes.
3. Navigate to the following registry key:
   HKLM\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
4. Right-click ParametersSystem and click New | DWORD Value.
5. Name the new DWORD value ClientMonitoringReportLevel.
6. Double-click ClientMonitoringReportLevel.
7. In the Value data field, enter the appropriate value:
   0 = do not collect data from any Outlook 2003 and later clients
   1 = collect performance data only from high-bandwidth Outlook 2003 and later clients (default)
   2 = collect performance data from all Outlook 2003 or later clients
8. Close the registry editor.
   The Exchange Information Store service automatically detects the changes. You do not need to restart the computer or any services.

Monitoring Microsoft Exchange Monitoring Service

The Microsoft Exchange Monitoring service is not monitored and alarms will not be raised for this service by default. However, if you use this service in your Exchange organization, you can enable monitoring.

Symptom: Microsoft Exchange Monitoring service is not being monitored.

Resolution: Enable monitoring of this service:

1.  Navigate to Dashboards > Administration > Agents > Agent Status.
2. Under Monitor, select a Monitored Service and click Edit.
3. Click Add Row in the ExchangeMonitoring - ExchangeAgent - monitoredServicesList table.
4. Enter the Server Role and the Service Name for the service to be monitored. All entries are case sensitive.
   win2k3\MicrosoftExchangeMonitoring
   or
   win2k8\MicrosoftExchangeMonitoring
5. Click Save Changes.

Recommended Best Practices

The following procedure is a best practice that is recommended for optimal performance.

Disable Automatic Updates on Foglight Management Server

Do NOT allow Microsoft’s automatic update feature to force an update of the server hosting the Foglight Management Server. This automatic update feature does not allow enough time for the Foglight Management Server to shutdown gracefully, which may leave your agents in a broken state.

Symptom: Cartridge agents will appear to be deactivated on the Agent Status dashboard.

Resolution: Using the Agent Status dashboard, select the deactivated agent and select the Activate button. If you cannot activate the selected agent, delete and reinstall the agent.

Potential Issues After Upgrading the Cartridge to Version 5.6.10

Insufficient heap memory

Symptoms:

When upgrading to version 5.6.10, you encounter an error message similar to the following message (actual values may vary):

Error deploying package … Cause: The addition of 2097152kb to the negotiated JVM Max heap size would adjust to 2359296kb, which would exceed the total available physical memory of 1780736kb. Rejecting memory request.

Resolution:

This message indicates that the Agent Manager does not have sufficient heap memory to allocate to the requesting Foglight for Exchange agent package. It is not possible to directly increase the amount of heap memory available to the Agent Manager, as it uses as much memory as the monitoring host can provide to it before issuing this message. The amount of memory available to be allocated to the Agent Manager must be increased, for example by adding more physical memory to the host. If the monitoring host is a virtual machine, more memory may be allocated to the VM.  

If this is not possible, consider moving some agents, or the Agent Manager and all agents, to another monitoring host which has more memory capacity.

Could not establish a connection to host xxx.xxxx.xxx

Symptoms:

1. The following exception message may be found in the Exchange agent log.
   2013-12-19 13:39:12.669 ECHO    <ExchangeMonitoring/5.6.6/ExchangeAgent/EXC0-EX7.domain7.local-agent> INFO [Thread-20] com.quest.agent.service.auth.impl.CredentialManagerImpl - Begin to query credential for host:  EX7.domain7.local
2013-12-19 13:39:26.707 ECHO    <ExchangeMonitoring/5.6.6/ExchangeAgent/EXC0-EX7.domain7.local-agent> INFO [Thread-20] com.quest.agent.exc.ExchangeAgentImpl - Validate credentials for host: EX7.domain7.local
2013-12-19 13:39:26.708 ECHO    <ExchangeMonitoring/5.6.6/ExchangeAgent/EXC0-EX7.domain7.local-agent> ERROR [Thread-20] com.quest.agent.exc.ExchangeAgentImpl - Could not establish a connection to host : EX7.domain7.local.
2013-12-19 13:39:26.708 ECHO    <ExchangeMonitoring/5.6.6/ExchangeAgent/EXC0-EX7.domain7.local-agent> ERROR [Thread-20] com.quest.agent.exc.ExchangeAgentImpl - Data collection failure.
com.quest.glue.api.services.NoCredentialsException: Could not establish a connection to host : EX7.domain7.local      
at com.quest.agent.exc.ExchangeAgentImpl.buidConfig(ExchangeAgentImpl.java:815)      
at com.quest.agent.exc.ExchangeAgentImpl.buildConfigOnCredential(ExchangeAgentImpl.java:791)      
at com.quest.agent.exc.ExchangeAgentImpl.access$000(ExchangeAgentImpl.java:84)      
at com.quest.agent.exc.ExchangeAgentImpl$1.run(ExchangeAgentImpl.java:839)      
at java.lang.Thread.run(Thread.java:662)  
2. In Administrator > Credentials > Manage Credentials, the following alarm may be found: "A Credential with purpose xxxx has been encrypted with a lockbox that has not been granted to this Agent Manager".

Resolution 1:

1. Ensure that the lockbox has been released to the related Agent Manager (check credential clients in the Credentials > Manage Lockboxes dashboard).
2. If the Agent Manager is in the credential client list, it must be restarted to fix this issue.

Resolution 2: Update the Agent Manager to version 5.6.12 (or later).

Data merge error found in Foglight Management Server console

Symptom:

The following error message may be found in the Foglight Management Server console.

Failed to retain value of property instances when editing EXCADAccessDomainController object "null (EXCADAccessDomainController)" (39bb11e5-e952-4d63-8629-c4efc19a546d).
Failed to retain value of property instances when editing EXCADAccessCache object "null (EXCADAccessCache)" (16d56083-19b0-4370-af54-9b775a7f644e).
Failed to retain value of property instances when editing EXCADAccessProcessobject "null (EXCADAccessProcess)" (36b2c281-13b6-48ee-9dc0-7660e326fd50).
Failed to retain value of property instances when editing EXCDatabase object "null (EXCADAccessProcess)" (36b2c281-13b6-48ee-9dc0-7660e326fd50).

Resolution:

1. Stop the data collection.
2. Run the following groovy script in the script console, to remove old topology objects: EXCADAccessDomainController, EXCADAccessCache, EXCADAccessProcess, and EXCDatabase.
   server["TopologyService"].deleteObjects(new java.util.HashSet(#!EXCADAccessDomainController#.topologyObjects)) 
server["TopologyService"].deleteObjects(new java.util.HashSet(#!EXCADAccessCache#.topologyObjects)) 
server["TopologyService"].deleteObjects(new java.util.HashSet(#!EXCADAccessProcess #.topologyObjects)) 
server["TopologyService"].deleteObjects(new java.util.HashSet(#!EXCDatabase#.topologyObjects))  

Can not start the Exchange agent to monitor Exchange Edge Transport server

Symptoms:

1. The monitored Exchange Edge Transport server is a stand alone host.
2. In agent properties, communication Protocol is set as "WinRm Through HTTP" or "Winrm Through HTTPS".
3.  The following exception message may be found in the Exchange agent log.
   2014-01-26 10:51:47.329 ECHO    <ExchangeMonitoring/5.6.7/ExchangeAgent/2901-agent> ERROR [Quartz[0]-10] com.quest.agent.service.winRm.WinRMEndPoint - Fail to establish the WinRM connection: com.quest.glue.api.services.RemoteConnectionException: a connection could not be established.
2014-01-26 10:51:47.329 ECHO    <ExchangeMonitoring/5.6.7/ExchangeAgent/2901-agent> INFO [Quartz[0]-10] com.quest.agent.service.auth.impl.WinRmValidator - winRm connectivity test result: Failed.
2014-01-26 10:51:47.330 ECHO    <ExchangeMonitoring/5.6.7/ExchangeAgent/2901-agent> ERROR [Quartz[0]-10] com.quest.agent.exc.ExchangeAgentImpl - Could not establish a connection to host : zhuvmfog2901. 2014-01-26 10:51:47.332 ECHO    <ExchangeMonitoring/5.6.7/ExchangeAgent/2901-agent> EERROR [Quartz[0]-10] com.quest.agent.exc.ExchangeAgentImpl - Data collection failure.
com.quest.glue.api.services.NoCredentialsException: Could not establish a connection to host : XXXXXX                        
at com.quest.agent.exc.ExchangeAgentImpl.buidConfig(ExchangeAgentImpl.java:718)                        
at com.quest.agent.exc.ExchangeAgentImpl.buildConfigOnCredential(ExchangeAgentImpl.java:701)                        
at com.quest.agent.exc.ExchangeAgentImpl.init(ExchangeAgentImpl.java:866)                        
at com.quest.agent.exc.ExchangeAgentImpl.isReady(ExchangeAgentImpl.java:741)                        
at com.quest.agent.exc.ExchangeAgentImpl.informationStoreDetailCollection(ExchangeAgentImpl.java:594)                       
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)                        
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)                        
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)                        
at java.lang.reflect.Method.invoke(Method.java:597)                        
at com.quest.glue.core.services.EquivalenceInvocationHandler.invoke(EquivalenceInvocationHandler.java:70)                        
at com.quest.glue.core.agent.AgentInteractionHandler.invoke(AgentInteractionHandler.java:186)                        
at com.sun.proxy.$Proxy51.informationStoreDetailCollection(Unknown Source)                        
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)                        
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)                        
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)                        
at java.lang.reflect.Method.invoke(Method.java:597)                        
at com.quest.glue.core.agent.scheduler.CollectorCallback.invokeCollector(CollectorCallback.java:162)                        
at com.quest.glue.core.agent.scheduler.CollectorCallback.execute(CollectorCallback.java:130)                        
at com.quest.glue.core.scheduler.quartz.QuartzScheduler$ScheduledTaskSequentialJob.execute(QuartzScheduler.java:716)                        
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)                        
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)                        
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)                        
at java.lang.Thread.run(Thread.java:662)

Resolution:

• Check the credential setting in Exchange Agent properties and ensure that the user is in local account format.

Back to Top

Product Licensing

Product Licensing

Foglight includes a licensing capability that restricts access to those features that are defined in the license. Any Management Server installation requires a license that grants access to server-specific parts of the browser interface and the features associated with them. Foglight cartridges are also license-protected. While some cartridges are covered by the base Foglight license (such as Foglight Agent Manager cartridges and the Cartridge for Infrastructure), others may require an additional license. Foglight for Exchange is covered by the base Foglight license.

To activate a trial or a purchased commercial license:

1. On the navigation panel, under Dashboards, click Administration > Setup & Support > Manage Licenses.
2. Click Install.
3. In the Install License dialog box, click Browse.
4. In the file browser that appears, specify the location of the license file.
5. In the Install License dialog box, click Install License.

Back to Top