Before installing Foglight for Exchange, ensure your system meets the following minimum hardware and software requirements:
Platform | Any supported Foglight, Foglight Evolve, or Foglight for Virtualization, Enterprise Edition platform. For complete information, see the System Requirements and Platform Support Guide.
Memory | As specified in Foglight, Foglight Evolve, or Foglight for Virtualization, Enterprise Edition documentation.
Hard Disk Space | As specified in Foglight, Foglight Evolve, or Foglight for Virtualization, Enterprise Edition documentation.
Operating System | As specified in Foglight, Foglight Evolve, or Foglight for Virtualization, Enterprise Edition documentation.
Monitored Servers | Domain Controllers specified in Foglight for Exchange agent properties must be Windows Server® 2008 or later. Small Business Systems (SBS) versions have not been tested. Foglight for Exchange version 5.6.5 and subsequent releases support Microsoft® Exchange Server 2010 or later, including all service packs, unless otherwise noted. Minimum Domain and Forest levels should be Windows Server 2008.
The following prerequisite conditions must be in place in order to successfully initialize an Exchange agent. Failure to meet these prerequisites may result in missing metrics in Foglight for Exchange dashboards.
Important: All prerequisite steps must be completed on the Exchange server as well as the Active Directory® server because the Exchange agent collects information from the Active Directory server and requires access permissions.
Note: The Remote Access Diagnostics utility, provided with this cartridge, checks the connectivity between the Foglight Agent Manager (FglAM) and Active Directory and Exchange servers that are being monitored. It also tests for the prerequisite conditions that must be met in order to initialize an Exchange agent. This utility requires .NET® 2.0 libraries to run. For more information on running the Remote Access Diagnostics utility, see the Remote Access Diagnostics User Guide.
Exchange account privileges:
Note: Make sure the agent account is granted the minimum required privileges; otherwise the agent cannot start data collection.
Domain Controller account privileges: a domain user account with the following privileges (LDAP):
To grant permissions on the registry keys:
Exchange servers that have to be accessed by clients not supporting GSS authentication must have SmbServerNameHardeningLevel set to 0 (the default). For more information, see http://support.microsoft.com/kb/2345886.
Rule #1: Local ports 135, 139, 389 (or 636), and 445 must be open.
Rule #2: The "Dynamic RPC" local ports must be open.
For more information, see the following article: https://support.quest.com/kb/SOL85903.
For details about this topic, refer to the "Configuring Windows Remote Management (WinRM)" section in the Foglight Agent Manager Guide.
The Kerberos configuration file specifies the KDC from which tickets are obtained. Operating systems sometimes have their own Kerberos configuration files. If present, the Agent Manager uses them by default. They can be found in the following locations:
If none of these files are found, the Agent Manager attempts to create its own Kerberos configuration file, based on the detected settings. Detection works only on Windows, so on Unix the file is not generated. On Unix platforms, you need to create your own Kerberos configuration file to establish WinRM connections using Negotiate authentication.
The krb5.ini or krb5.conf file should contain the realm info and hostname of the KDC for this realm. For example:
[libdefaults]
default_realm = <REALM_NAME_IN_CAPS>
[realms]
<REALM_NAME_IN_CAPS> = {
kdc = <fully_qualified_kdc_name>
}
[domain_realm]
.<domain_in_lower_case> = <REALM_NAME_IN_CAPS>
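A hand-written krb5.conf can be checked against the layout above before the Agent Manager is pointed at it. The following is an added example, not part of the product documentation: it tests only the conventions this page states (realm in capitals, a KDC per realm, lower-case domain mapping), treats "contains a dot" as fully qualified, and uses EXAMPLE.TEST and dc01 as placeholder names.

```python
import re

def parse_krb5(text):
    """Parse [sections], 'key = value' pairs and nested '{ }' blocks into dicts."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            stack = [conf.setdefault(header.group(1), {})]
        elif line == "}" and len(stack) > 1:
            stack.pop()
        elif "=" in line and stack:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1].setdefault(key, []).append(value)   # kdc may repeat
    return conf

def check_krb5(text):
    """Return problems measured against the layout shown on this page."""
    conf, problems = parse_krb5(text), []
    realms = conf.get("realms", {})
    default = (conf.get("libdefaults", {}).get("default_realm") or [""])[-1]
    if not default:
        problems.append("default_realm is missing from [libdefaults]")
    elif default != default.upper():
        problems.append(f"default_realm {default!r} is not in capitals")
    elif default not in realms:
        problems.append(f"[realms] has no entry for {default}")
    for realm, body in realms.items():
        kdcs = body.get("kdc", []) if isinstance(body, dict) else []
        if not kdcs:
            problems.append(f"realm {realm} names no kdc")
        problems += [f"kdc {k!r} is not fully qualified" for k in kdcs
                     if "." not in k.split(":")[0]]   # heuristic: FQDN contains a dot
    for domain, realm in conf.get("domain_realm", {}).items():
        if domain != domain.lower() or realm[-1] not in realms:
            problems.append(f"[domain_realm] {domain!r} must be lower case and map to a defined realm")
    return problems

# Constructed samples; EXAMPLE.TEST and dc01 are placeholder names.
GOOD = ("[libdefaults]\ndefault_realm = EXAMPLE.TEST\n[realms]\nEXAMPLE.TEST = {\n"
        "  kdc = dc01.example.test\n}\n[domain_realm]\n.example.test = EXAMPLE.TEST\n")
BAD = GOOD.replace("default_realm = EXAMPLE.TEST", "default_realm = example.test") \
          .replace("dc01.example.test", "dc01").replace(".example.test =", ".Example.test =")
```

Calling `check_krb5()` on the text of an existing file returns an empty list when none of these problems is present.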
Important: Starting with version 5.7.1, Foglight for Exchange by default trusts any certificate presented for secure LDAP connections and no longer requires users to import the SSL certificate. Users need to import the certificate only when they set the VM parameter "quest.ldap.ssl.trustAnyCert" to False, which disables trusting any certificate. While the default is in effect, the connection is encrypted but the LDAP server's certificate is not validated against a trusted Certificate Authority.
When collecting data using LDAP through SSL communication, a new Certificate Authority must be added to the Agent Manager’s Java® Runtime Environment (JRE). The JRE includes a command-line tool keytool which can be used to add the new Certificate Authority.
keytool -import -file <importCertPath> -alias <someName> -keystore <cacertsPath> -storepass <changeit>
keytool -list -alias <someName> -keystore <cacertsPath> -storepass <changeit>
Here are example commands that import and list a new root certificate:
<FMS_HOME>\jre\bin\keytool -import -file MySSL.cer -alias MySecuryLDAP.ca -keystore <FMS_HOME>\jre\lib\security\cacerts -storepass changeit
<FMS_HOME>\jre\bin\keytool -list -alias MySecuryLDAP.ca -keystore <FMS_HOME>\jre\lib\security\cacerts -storepass changeit
The initial password of the cacerts keystore file is changeit. System administrators should change this password and the default access permissions of this file when installing the SDK. The file can be found in the directory <FMS_HOME>\jre\lib\security\cacerts (embedded Agent Manager) or <FglAM_HOME>\jre\<JRE_VERSION>\jre\lib\security\cacerts (external Agent Manager).
Note: The certificate file that you want to import should be the public certificate for the Certificate Authority that signed the server's SSL certificate, not the SSL certificate itself. The Agent Manager must be restarted for the certificate to take effect. If secure LDAP is enabled when creating the Exchange agent via the Agent Setup wizard, the root certificate also needs to be added to the Foglight Management Server’s Java Runtime Environment (JRE).
Server objects do not appear until at least one piece of data has been collected and recorded. If communication fails completely, you will not see objects.
Configuration steps:
Enable Remote Shell for the user account used to monitor the Exchange environment. For more information, see Manage Exchange Management Shell access.
If your Exchange environment is running on Windows Server 2012 or below, make sure to download and install KB2842230 from the Microsoft Update Catalog to avoid the "Out of memory" error. For more information, see "Out of memory" error on a computer that has a customized MaxMemoryPerShellMB quota set and has WMF 3.0 installed.
Execute the Set-ExecutionPolicy RemoteSigned command for all of your Exchange environments.
The new-TestCasConnectivityUser.ps1 PowerShell script must be run on each Exchange Server to configure a test account for the OWA connectivity user tests. This aids in the collection of OWA metrics. The script is located in the Scripts folder of your Exchange install directory. For example, if Exchange is installed in C:\Program Files\Microsoft\Exchange, then the script is located in C:\Program Files\Microsoft\Exchange\Scripts.
This section provides information about problems that you might encounter while monitoring your environment with Foglight for Exchange, and describes the solutions available to troubleshoot these problems.
The following domain controller specific metrics are not available in Foglight for Exchange unless an Active Directory agent is monitoring the domain controller:
Symptom: Some domain controller specific metrics do not display in the Foglight for Exchange views.
Resolution: Install Foglight for Active Directory.
Foglight for Exchange now detects when an Exchange server is added or removed. Alarms are generated for the following cases:
Symptom: Alarms are not being generated when an Exchange server is added or removed.
Resolution:
There are two rules used for the Exchange Server Discovery feature. Disabling either one of these rules will disable alerting on server discovery. Ensure that the following rules are not disabled:
The EXC Server Discovery Search rule fires every 24 hours and an LDAP query is made once for every domain that has an active, collecting agent. Therefore, depending on when the server was added or removed, there may be a delay in seeing the alarm. Also, if the agent is deactivated or not collecting data, the new or removed server will not be detected until the next server discovery search interval after the agent is re-activated and collecting data.
The RPCs Failed (Server Too Busy) performance metric is a client-reported value. In order to send this type of data to the server in Outlook 2003 or later, the Exchange server’s registry must contain the ClientMonitoringReportLevel registry key with a value of either one or two.
Symptom: RPCs Failed (Server Too Busy) performance metric is not being collected.
Resolution:
Ensure that the server’s registry contains the ClientMonitoringReportLevel registry key with a value of either one or two.
To modify the client-side monitoring levels for Outlook 2003 or later clients:
Tip: Before making any changes, it is recommended that you create a backup copy of the Registry that you can revert to.
The Microsoft Exchange Monitoring service is not monitored and alarms will not be raised for this service by default. However, if you use this service in your Exchange organization, you can enable monitoring.
Symptom: Microsoft Exchange Monitoring service is not being monitored.
Resolution: Enable monitoring of this service:
The following procedure is a best practice that is recommended for optimal performance.
Do NOT allow the Microsoft® automatic update feature to force an update of the server hosting the Foglight Management Server. The automatic update feature does not allow enough time for the Foglight Management Server to shut down gracefully, which may leave your agents in a broken state.
Symptom: Cartridge agents will appear to be deactivated on the Agent Status dashboard.
Resolution: Using the Agent Status dashboard, select the deactivated agent and select the Activate button. If you cannot activate the selected agent, delete and reinstall the agent.
Symptoms:
When upgrading to version 5.6.11, you encounter an error message similar to the following message (actual values may vary):
Error deploying package … Cause: The addition of 2097152kb to the negotiated JVM Max heap size would adjust to 2359296kb, which would exceed the total available physical memory of 1780736kb. Rejecting memory request.
Resolution:
This message indicates that the Agent Manager does not have sufficient heap memory to allocate to the requesting Foglight for Exchange agent package. It is not possible to directly increase the amount of heap memory available to the Agent Manager, as it uses as much memory as the monitoring host can provide to it before issuing this message. The amount of memory available to be allocated to the Agent Manager must be increased, for example by adding more physical memory to the host. If the monitoring host is a virtual machine, more memory may be allocated to the VM.
If this is not possible, consider moving some agents, or the Agent Manager and all agents, to another monitoring host which has more memory capacity.
Symptoms:
2013-12-19 13:39:12.669 ECHO <ExchangeMonitoring/5.6.6/ExchangeAgent/EXC0-EX7.domain7.local-agent> INFO [Thread-20] com.quest.agent.service.auth.impl.CredentialManagerImpl - Begin to query credential for host: EX7.domain7.local
2013-12-19 13:39:26.707 ECHO <ExchangeMonitoring/5.6.6/ExchangeAgent/EXC0-EX7.domain7.local-agent> INFO [Thread-20] com.quest.agent.exc.ExchangeAgentImpl - Validate credentials for host: EX7.domain7.local
2013-12-19 13:39:26.708 ECHO <ExchangeMonitoring/5.6.6/ExchangeAgent/EXC0-EX7.domain7.local-agent> ERROR [Thread-20] com.quest.agent.exc.ExchangeAgentImpl - Could not establish a connection to host : EX7.domain7.local.
2013-12-19 13:39:26.708 ECHO <ExchangeMonitoring/5.6.6/ExchangeAgent/EXC0-EX7.domain7.local-agent> ERROR [Thread-20] com.quest.agent.exc.ExchangeAgentImpl - Data collection failure.
com.quest.glue.api.services.NoCredentialsException: Could not establish a connection to host : EX7.domain7.local
at com.quest.agent.exc.ExchangeAgentImpl.buidConfig(ExchangeAgentImpl.java:815)
at com.quest.agent.exc.ExchangeAgentImpl.buildConfigOnCredential(ExchangeAgentImpl.java:791)
at com.quest.agent.exc.ExchangeAgentImpl.access$000(ExchangeAgentImpl.java:84)
at com.quest.agent.exc.ExchangeAgentImpl$1.run(ExchangeAgentImpl.java:839)
at java.lang.Thread.run(Thread.java:662)
"A Credential with purpose xxxx has been encrypted with a lockbox that has not been granted to this Agent Manager"
Resolution 1:
Resolution 2: Update the Agent Manager to version 5.6.12 (or later).
Symptom:
The following error message may be found in the Foglight Management Server console.
Failed to retain value of property instances when editing EXCADAccessDomainController object "null (EXCADAccessDomainController)" (39bb11e5-e952-4d63-8629-c4efc19a546d).
Failed to retain value of property instances when editing EXCADAccessCache object "null (EXCADAccessCache)" (16d56083-19b0-4370-af54-9b775a7f644e).
Failed to retain value of property instances when editing EXCADAccessProcess object "null (EXCADAccessProcess)" (36b2c281-13b6-48ee-9dc0-7660e326fd50).
Failed to retain value of property instances when editing EXCDatabase object "null (EXCADAccessProcess)" (36b2c281-13b6-48ee-9dc0-7660e326fd50).
Resolution:
server["TopologyService"].deleteObjects(new java.util.HashSet(#!EXCADAccessDomainController#.topologyObjects))
server["TopologyService"].deleteObjects(new java.util.HashSet(#!EXCADAccessCache#.topologyObjects))
server["TopologyService"].deleteObjects(new java.util.HashSet(#!EXCADAccessProcess#.topologyObjects))
server["TopologyService"].deleteObjects(new java.util.HashSet(#!EXCDatabase#.topologyObjects))
Symptoms:
2014-01-26 10:51:47.329 ECHO <ExchangeMonitoring/5.6.7/ExchangeAgent/2901-agent> ERROR [Quartz[0]-10] com.quest.agent.service.winRm.WinRMEndPoint - Fail to establish the WinRM connection: com.quest.glue.api.services.RemoteConnectionException: a connection could not be established.
2014-01-26 10:51:47.329 ECHO <ExchangeMonitoring/5.6.7/ExchangeAgent/2901-agent> INFO [Quartz[0]-10] com.quest.agent.service.auth.impl.WinRmValidator - winRm connectivity test result: Failed.
2014-01-26 10:51:47.330 ECHO <ExchangeMonitoring/5.6.7/ExchangeAgent/2901-agent> ERROR [Quartz[0]-10] com.quest.agent.exc.ExchangeAgentImpl - Could not establish a connection to host : zhuvmfog2901.
2014-01-26 10:51:47.332 ECHO <ExchangeMonitoring/5.6.7/ExchangeAgent/2901-agent> ERROR [Quartz[0]-10] com.quest.agent.exc.ExchangeAgentImpl - Data collection failure.
com.quest.glue.api.services.NoCredentialsException: Could not establish a connection to host : XXXXXX
at com.quest.agent.exc.ExchangeAgentImpl.buidConfig(ExchangeAgentImpl.java:718)
at com.quest.agent.exc.ExchangeAgentImpl.buildConfigOnCredential(ExchangeAgentImpl.java:701)
at com.quest.agent.exc.ExchangeAgentImpl.init(ExchangeAgentImpl.java:866)
at com.quest.agent.exc.ExchangeAgentImpl.isReady(ExchangeAgentImpl.java:741)
at com.quest.agent.exc.ExchangeAgentImpl.informationStoreDetailCollection(ExchangeAgentImpl.java:594)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.quest.glue.core.services.EquivalenceInvocationHandler.invoke(EquivalenceInvocationHandler.java:70)
at com.quest.glue.core.agent.AgentInteractionHandler.invoke(AgentInteractionHandler.java:186)
at com.sun.proxy.$Proxy51.informationStoreDetailCollection(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.quest.glue.core.agent.scheduler.CollectorCallback.invokeCollector(CollectorCallback.java:162)
at com.quest.glue.core.agent.scheduler.CollectorCallback.execute(CollectorCallback.java:130)
at com.quest.glue.core.scheduler.quartz.QuartzScheduler$ScheduledTaskSequentialJob.execute(QuartzScheduler.java:716)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
at java.lang.Thread.run(Thread.java:662)
Resolution:
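To tell which of the connection symptoms in the two troubleshooting entries above a given agent is showing, the log can be grouped by agent and matched against the quoted messages. This is an added example, not Quest code: the labels are its own names, and the sample log is constructed in the page's format with made-up agent and host names.

```python
import re
from collections import defaultdict

TS = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}"
ENTRY = re.compile(rf"({TS}) ECHO <([^>]+)> (\w+) \[(.+?)\] (\S+) - (.*)")
NEXT_ENTRY = re.compile(rf" (?={TS} ECHO <)")  # boundary between entries fused on one line

# Message fragments quoted on this page; the labels are this example's own names.
SIGNATURES = [
    ("winrm", "Fail to establish the WinRM connection"),
    ("winrm", "winRm connectivity test result: Failed"),
    ("lockbox", "encrypted with a lockbox that has not been granted"),
    ("no-connection", "Could not establish a connection to host"),
    ("collection", "Data collection failure"),
]

def parse_entries(log_text):
    """Yield (timestamp, agent, level, logger, message); stack-trace lines are skipped."""
    for line in log_text.splitlines():
        for part in NEXT_ENTRY.split(line.strip()):
            m = ENTRY.fullmatch(part)
            if m:
                yield m.group(1, 2, 3, 5, 6)

def triage(log_text):
    """Return {agent: [labels]} in order of first appearance, one label per failure type."""
    found = defaultdict(list)
    for _ts, agent, _level, _logger, msg in parse_entries(log_text):
        for label, needle in SIGNATURES:
            if needle in msg and label not in found[agent]:
                found[agent].append(label)
    return {agent: labels for agent, labels in found.items() if labels}

# Constructed sample in the page's log format (agent names and hosts are made up).
A = "ExchangeMonitoring/5.6.7/ExchangeAgent/agent-a"
B = "ExchangeMonitoring/5.6.7/ExchangeAgent/agent-b"
IMPL = "com.quest.agent.exc.ExchangeAgentImpl"
SAMPLE_LOG = f"""\
2014-01-26 10:51:47.329 ECHO <{A}> ERROR [Quartz[0]-10] com.quest.agent.service.winRm.WinRMEndPoint - Fail to establish the WinRM connection: a connection could not be established.
2014-01-26 10:51:47.330 ECHO <{A}> ERROR [Quartz[0]-10] {IMPL} - Could not establish a connection to host : ex01.example.test. 2014-01-26 10:51:47.332 ECHO <{A}> ERROR [Quartz[0]-10] {IMPL} - Data collection failure.
com.quest.glue.api.services.NoCredentialsException: Could not establish a connection to host : ex01.example.test
    at {IMPL}.buidConfig(ExchangeAgentImpl.java:718)
2014-01-26 10:52:01.101 ECHO <{B}> ERROR [Thread-20] {IMPL} - A Credential with purpose xxxx has been encrypted with a lockbox that has not been granted to this Agent Manager
2014-01-26 10:52:01.102 ECHO <{B}> ERROR [Thread-20] {IMPL} - Could not establish a connection to host : ex02.example.test.
"""

if __name__ == "__main__":
    for agent, labels in triage(SAMPLE_LOG).items():
        print(agent, "->", ", ".join(labels))
```

An agent labelled `winrm` matches the WinRM symptom, while `lockbox` matches the credential message quoted in the earlier entry; `no-connection` alone does not distinguish the two.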
Foglight includes a licensing capability that restricts access to those features that are defined in the license. Any Management Server installation requires a license that grants access to server-specific parts of the browser interface and the features associated with them. Foglight cartridges are also license-protected. While some cartridges are covered by the base Foglight license (such as Foglight Agent Manager cartridges and the Cartridge for Infrastructure), others may require an additional license. Foglight for Exchange is covered by the Foglight Evolve Monitor, Operate, and Flex license.
To activate a trial or a purchased commercial license: