Chat now with support
Chat with Support

Foglight for Exchange 5.7.2 - Release Notes

Upgrade and compatibility

Upgrade and compatibility

The latest version of Foglight for Exchange is 5.7.2. You can upgrade to version 5.7.2 of Foglight for Exchange from version 5.6.9 and later.

Important: When data collection starts up, the Exchange agent installs a "Quest Remote Command Service" service in monitored server, to execute a PowerShell script. This service is uninstalled automatically when data collection stops.


To upgrade the Foglight for Exchange to the latest version:

  1. Deactivate all of the Exchange agents.
  2. Install version 5.7.2 of Foglight for Exchange. For details, see Installation instructions.
  3. Deploy the agent package to each Foglight Agent Manager that hosts an Exchange agent instance and wait for the version to update.
    Note: This may take two to three refresh cycles.
  4. From the navigation panel, navigate to Dashboards > Exchange > Exchange Environment > Administration tab. In the Agents view select the Exchange agents that you want to upgrade, and click Upgrade Agent.
    Note: You can specify the lockbox when upgrading the agents. The credentials for the existing agents are updated automatically. 
  5. Verify the agent properties and update the properties and collection intervals as required.
  6. Activate the agents and start data collections.

Important: For a list of issues that you may encounter after upgrading the Foglight for Exchange to version 5.7.2, and ways to troubleshoot these issues, see section Potential issues after upgrading the cartridge to version 5.7.2.

Note: If you are also running Foglight for Active Directory, you must upgrade the Active Directory agents as well. It is strongly recommended that you run the same version and patch level of both cartridges.


The following is a list of product versions and platforms compatible with this release.

Product Name

Product Version


Foglight Management Server 5.9.2 All platforms supported by this version of the Foglight Management Server
Foglight Agent Manager 5.9.2 All platforms supported by this version of the Foglight Agent Manager
Foglight For Virtualization, Enterprise Edition 8.7
All platforms supported by these versions of the Foglight For Virtualization, Enterprise Edition


System requirements

System requirements

Before installing Foglight for Exchange, ensure your system meets the following minimum hardware and software requirements:


Any supported Foglight or Foglight for Virtualization, Enterprise Edition platform.

For complete information, see the System Requirements and Platform Support Guide.


As specified in Foglight or Foglight for Virtualization, Enterprise Edition documentation.

Hard Disk Space

As specified in Foglight or Foglight for Virtualization, Enterprise Edition documentation.

Operating System

As specified in Foglight or Foglight for Virtualization, Enterprise Edition documentation.

Monitored Servers

Domain Controllers specified in Foglight for Exchange agent properties must be Windows Server® 2008 or later.

Small Business Systems (SBS) versions have not been tested.

Foglight for Exchange version 5.6.5 and subsequent releases support Microsoft® Exchange Server 2007 or later, including all service packs, unless otherwise noted.

Minimum Domain and Forest levels should be Windows Server 2008.

Foglight for Office 365 support Microsoft Active Directory Federation Service 2.0 or later.

 Active Directory Federation Service 2.0 only can be monitored via WinRm.

For ADFS agents: If the monitored host is a physical machine, it requires a host agent for host information collection. If the monitored host is a virtual machine, it requires a VMware/Hyper-V agent to collect host information collection.




The following prerequisite conditions must be in place in order to successfully initialize an Exchange agent. Failure to meet these prerequisites may result in missing metrics in Foglight for Exchange dashboards.

Important: All prerequisite steps must be completed on the Exchange server as well as the Active Directory® server because the Exchange agent collects information from the Active Directory server and requires access permissions.

Note: The Remote Access Diagnostics utility, provided with this cartridge, checks the connectivity between the Foglight Agent Manager (FglAM) and Active Directory and Exchange servers that are being monitored. It also tests for the prerequisite conditions that must be met in order to initialize an Exchange agent. This utility requires .NET® 2.0 libraries to run. For more information on running the Remote Access Diagnostics utility, see the Remote Access Diagnostics User Guide.

Account privileges

Exchange account privileges:

Note: Make sure to give minimum required privilege to your agent; otherwise this agent can not start data collection.

  • Exchange server Local Administrator privilege (DCOM, WinRm).
  • Logon as a service privilege (“Quest Remote Command Service”).
  • Running Exchange PowerShell cmdlet with the following privileges:
    • Server Management
    • Organization Management
    • View-Only Organization Management

Domain Controller account privileges: a domain user account with the following privileges (LDAP):

  • Organization Management (Exchange 2010, 2013)
  • Exchange Organization Administrators (Exchange 2007)

ADFS account privileges:

  • ADFS server Local Administrator privilege (DCOM, WinRm)

Office 365® account privileges:

  • Global administrator when consent the application permission
  • Monitoring with the following privileges (Office 365 report):
    • Billing administrator
    • Password administrator
    • Service administrator
    • User management administrator
    • Exchange administrator

DCOM prerequisites for the ADFS/Exchange server

  1. Enable the Distributed COM (DCOM) on the Exchange server:
    1. Click Start | Run.
    2. In the Run dialog, enter dcomcnfg and click OK.
    3. Expand Component Services and then Computers.
    4. Right-click the My Computer object and select Properties.
    5. On the Default Properties tab, check the Enable Distributed COM on this computer option.
      • Select "Default Authentication Level" as "Connect.
      • Select "Default Impersonation Level" as "Identify".
  2. The Remote Registry Service must be running on each Exchange server being monitored by Foglight for Exchange, to allow agents remote access to the registry.
    The account which monitors the Exchange server must have the "Log on as a service" user right. This is required to enable a remote service to run PowerShell commands. For more information about how to log on as a service, see and the To add the Log on as a service Right to an account section.
  3. The Exchange account specified in the agent properties must have Full Control permissions on following registry keys:
    • HKEY_CLASSES_ROOT\CLSID 72C24DD5-D70A-438B-8A42-98424B88AFB8 (Windows Script Host Shell Object)
    • HKEY_CLASSES_ROOT\CLSID 76A64158-CB41-11d1-8B02-00600806D9B6 (WBEM Scripting Locator)
    • HKEY_CLASSES_ROOT\CLSID 0D43FE01-F093-11CF-8940-00A0C9054228 (Windows Script FileSystem Object)

      For a 64-bit OS, also grant the permissions for these two additional registry keys
    • HKEY_CLASSES_ROOT\Wow6432Node\CLSID 72C24DD5-D70A-438B-8A42-98424B88AFB8
    • HKEY_CLASSES_ROOT\Wow6432Node\CLSID 76A64158-CB41-11D1-8B02-00600806D9B6
    • HKEY_CLASSES_ROOT\Wow6432Node\CLSID 0D43FE01-F093-11CF-8940-00A0C9054228

      Note: For instructions on how to configure the registry keys, see the To grant permissions on the registry keys section.


To add the Log on as a service Right to an account:

  1. Go to Control Panel > Administrative Tools and open Group Policy Management.
  2. Go to Group Policy Management > Forest:[Domain Name] > Domains > [Domain Name] > Default Domain Policy.
  3. Right click the Default Domain Policy and select Edit.
  4. Go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Log on as a service.
  5. Double click Log on as a service and select Security Policy Setting tab.
  6. Click Add User or Group and add the account which monitors the exchange server into the list.


To grant permissions on the registry keys:

  1. Login to the Exchange server with an Administrator account that you are comfortable having ownership over these keys.
  2. Start the Windows Registry Editor (run regedit.exe).
  3. If asked to allow the Regedit program to make changes to the computer, click Yes.
  4. Navigate to the registry item: HKEY_CLASSES_ROOT\CLSID\{clsid} or HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{clsid}, as necessary.
  5. Right-click the registry key and select Permissions.
  6. Click Advanced.
  7. Open the Owner tab.
  8. In the Change Owner to box, select one of the following entries:
    • the user account that is used by the Exchange agent
    • the administrative group for the account you currently belong to
  9. Select the Replace the owner on subcontainers and objects check box.
  10. If the account is not listed, click Other user or groups to add the account.
  11. Click OK.
  12. Under Group or user names, select the account that will be specified in the agent properties. If the account is not listed, click Add to add the account.
  13. Under Permission for account, select the Allow Full Control check box and click OK.
  14. Close the Registry Editor.

SmbServerNameHardeningLevel in ADFS/Exchange Server should be 0 (the default)

 Exchange servers that have to be accessed by clients not supporting GSS authentication must have SmbServerNameHardeningLevel set to 0 (the default). For more information, see

Firewall settings for the ADFS/Exchange Server

Rule #1: need local ports 135, 139, 389 (or 636) and 445 opened.

Rule #2: need "Dynamic RPC" local ports opened.

For more information, see the following article:

Configure Windows Remote Management (WinRM)

For details about this topic, refer to the "Configuring Windows Remote Management (WinRM)" section in the Foglight Agent Manager Guide.  

Kerberos settings for the Agent Manager

If LDAP Authentication Schema is selected as Kerberos in the agent properties, the Agent Manager will search the following files for information about the location of the Key Distribution Center (KDC):

  • %WINDIR%/krb5.ini [Windows]
  • /etc/krb5.conf  [Solaris®]
  • /etc/krb5/krb5.conf [Linux®]

The krb5.ini or krb5.conf file should contain the realm info and hostname of the KDC for this realm. For example:

default_realm = MY.REALM
    kdc =

Configure root certificates for the Agent Manager

Important: Starting with version 5.7.1, Foglight for Exchange trusts (by default) any certificates for secure LDAP connections, and does not require users to import the SSL certificate any longer. The only case when users need to import the certificate is when they set the vm parameter "quest.ldap.ssl.trustAnyCert" as False to disable any certificate trust.


When collecting data using LDAP through SSL communication, a new Certificate Authority must be added to the Agent Manager’s Java® Runtime Environment (JRE). The JRE includes a command-line tool keytool which can be used to add the new Certificate Authority. 

keytool -import -file <importCertPath> -alias <someName> -keystore <cacertsPath> -storepass <changeit>
keytool -list -alias <someName> -keystore <cacertsPath> -storepass <changeit>

Here are example commands that import and list a new root certificate:

<FMS_HOME>\jre\bin\keytool -import -file MySSL.cer –alias -keystore <FMS_HOME>\jre\lib\security\cacerts -storepass changeit
<FMS_HOME>\jre\bin\keytool -list -alias -keystore <FMS_HOME>\jre\lib\security\cacerts -storepass changeit

The initial password of the cacerts keystore file is changeit. System administrators should change this password and the default access permissions of this file when installing the SDK. The file can be found in the directory <FMS_HOME>\jre\lib\security\cacerts (embedded Agent Manager) or <FglAM_HOME>\jre\<JRE_VERSION>\jre\lib\security\cacerts (external Agent Manager).

Note: The certificate file that you want to import should be the public certificate for the Certificate Authority that signed the server's SSL certificate, not the SSL certificate itself. The Agent Manager must be restarted for the certificate to take effect. If security LDAP is enabled when creating the Exchange agent via the Agent Setup wizard, the root certificate also needs to be added to the Foglight Management Server’s Java Runtime Environment (JRE).

Agent must be able to reach the target host

Server objects do not appear until at least one piece of data has been collected and recorded. If communication fails completely, you will not see objects.

Configuration steps:

  1. Test Ping by IP. You must be able to ping the collection target from the FglAM hosting the agent instance. If ping by IP fails, there are routing issues.
  2. Test Ping by host name. A DNS server or Hosts file must be available to the FMS server in order to resolve names. If ping by host name fails, there are DNS or Hosts file issues.
  3. If a Hosts file is used, it should contain an entry for each domain where hosts reside. For example: domain.local childdomain.domain.local
  4. In addition, individual servers must resolve to the NetBIOS names and the FQDN. For example: server server.domain.local
    The Hosts file is located at %windir%\system\drivers\etc.

PowerShell configurations required for feature state queries (for Exchange servers only)

The new-TestCasConnectivityUser.ps1 PowerShell script must be run on each Exchange Server to configure a test account for the OWA connectivity user tests. This aids in the collection of OWA metrics. The script is located in the Scripts folder of your Exchange install directory. For example, if Exchange is installed in C:\Program Files\Microsoft\Exchange, then the script is located in C:\Program Files\Microsoft\Exchange\Scripts.




This section provides information about problems that you might encounter while monitoring your environment with Foglight for Exchange, and describes the solutions available to troubleshoot these problems.

Foglight for Active Directory and Foglight for Exchange integration

The following domain controller specific metrics are not available in Foglight for Exchange unless an Active Directory agent is monitoring the domain controller:

  • Exchange | Environment | Servers | AD Dependencies (LDAP, Replication, Database)
  • Exchange | Exchange Explorer | AD Health | Domain Controllers |
    • Replication Queue Length
    • Replication Failures

Symptom: Some domain controller specific metrics do not display in the Foglight for Exchange views.

Resolution: Install Foglight for Active Directory.

Exchange Server discovery feature

Foglight for Exchange now detects when an Exchange server is added or removed. Alarms are generated for the following cases:

  • A new Exchange 2007/2010 server is detected and there is no agent monitoring it.
  • A new Exchange server is detected, but the Exchange version on this server is not supported for monitoring.
  • An existing Exchange server is removed and an associated agent still exists.

Symptom: Alarms are not being generated when an Exchange server is added or removed.


There are two rules used for the Exchange Server Discovery feature. Disabling either one of these rules will disable alerting on server discovery. Ensure that the following rules are not disabled:

  • EXC Server Discovery Search
  • EXC Server Discovery Alert

The EXC Server Discovery Search rule fires every 24 hours and an LDAP query is made once for every domain that has an active, collecting agent. Therefore, depending on when the server was added or removed, there may be a delay in seeing the alarm. Also, if the agent is deactivated or not collecting data, the new or removed server will not be detected until the next server discovery search interval after the agent is re-activated and collecting data.

RPCs Failed (Server Too Busy) performance metric

The RPCs Failed (Server Too Busy) performance metric is a client-reported value. In order to send this type of data to the server in Outlook 2003 or later, the Exchange server’s registry must contain the ClientMonitoringReportLevel registry key with a value of either one or two.

Symptom: RPCs Failed (Server Too Busy) performance metric is not being collected.


Ensure that the server’s registry contains the ClientMonitoringReportLevel registry key with a value of either one or two.

  • In Exchange 2007, the default behavior is to collect performance data only from Outlook clients that have high-speed network connectivity. (Functionally the same as when the value of the ClientMonitoringReportLevel registry key is set to one.)
  • For clients that are using a low-bandwidth connection, set the value of the ClientMonitoringReportLevel to two.

To modify the client-side monitoring levels for Outlook 2003 or later clients:

Tip: It is recommended that you create a backup copy of the Registry that you can revert to prior to making any changes.

  1. On the Exchange server that contains the client mailboxes to be monitored, run: regedit.
  2. If you are asked to allow the Regedit program to make changes to the computer, click Yes.
  3. Navigate to the following registry key:
  4. Right-click ParametersSystem and click New | DWORD Value.
  5. Name the new DWORD value ClientMonitoringReportLevel.
  6. Double-click ClientMonitoringReportLevel.
  7. In the Value data field, enter the appropriate value:
    0 = do not collect data from any Outlook 2003 and later clients
    1 = collect performance data only from high-bandwidth Outlook 2003 and later clients (default)
    2 = collect performance data from all Outlook 2003 or later clients
  8. Close the registry editor.
    The Exchange Information Store service automatically detects the changes. You do not need to restart the computer or any services.

Monitoring Microsoft Exchange Monitoring service

The Microsoft Exchange Monitoring service is not monitored and alarms will not be raised for this service by default. However, if you use this service in your Exchange organization, you can enable monitoring.

Symptom: Microsoft Exchange Monitoring service is not being monitored.

Resolution: Enable monitoring of this service:

  1.  Navigate to Dashboards > Administration > Agents > Agent Status.
  2. Under Monitor, select a Monitored Service and click Edit.
  3. Click Add Row in the ExchangeMonitoring - ExchangeAgent - monitoredServicesList table.
  4. Enter the Server Role and the Service Name for the service to be monitored. All entries are case sensitive.
  5. Click Save Changes.

Startup failure of Quest Remote Command Service

Symptom: The "Quest Remote Command Service" services is not started automatically. 

Resolution: In the Update Credential Properties dialog box, change the value of Domain to the host name of Edge Transport server:

Note: This resolution is only applicable for the Edge Transport server, which means this resolution will not be available if the monitored server is not an Edge Transport server.

  1. On the Edge Transport server, browse to locate the Quest Remote Command Service in the Services (Local) list.
  2. Execute the following command to delete the Quest Remote Command Sevice:
    sc delete "<name_of_service>"
    Quest recommends rebooting this Edge Transport server after executing the delete command.
  3. Navigate to Dashboards > Exchange > Exchange Environment.
  4. In the Exchange Environment dashboard, click Administration.
  5. Under Agents, select this Edge Transport server and click the Edit button in the Private Properties column.
  6. In the Agent Edit dialog box, click Next to open the Assign and Validate Credentials step.
  7. Under the selected Edge Transport server, click the value next to Credential.
  8. In the Updated Credential Properties dialog box, change the value of Domain to the host name of the selected Edge Transport server. 
  9. Click Save.

Recommended best practices

The following procedure is a best practice that is recommended for optimal performance.

Disable automatic updates on Foglight Management Server

Do NOT allow Microsoft® automatic update feature to force an update of the server hosting the Foglight Management Server. This automatic update feature does not allow enough time for the Foglight Management Server to shutdown gracefully, which may leave your agents in a broken state.

Symptom: Cartridge agents will appear to be deactivated on the Agent Status dashboard.

Resolution: Using the Agent Status dashboard, select the deactivated agent and select the Activate button. If you cannot activate the selected agent, delete and reinstall the agent.

Potential issues after upgrading the cartridge to version 5.7.2

Insufficient heap memory


When upgrading to version 5.6.11, you encounter an error message similar to the following message (actual values may vary):

Error deploying package … Cause: The addition of 2097152kb to the negotiated JVM Max heap size would adjust to 2359296kb, which would exceed the total available physical memory of 1780736kb. Rejecting memory request.



This message indicates that the Agent Manager does not have sufficient heap memory to allocate to the requesting Foglight for Exchange agent package. It is not possible to directly increase the amount of heap memory available to the Agent Manager, as it uses as much memory as the monitoring host can provide to it before issuing this message. The amount of memory available to be allocated to the Agent Manager must be increased, for example by adding more physical memory to the host. If the monitoring host is a virtual machine, more memory may be allocated to the VM.  

If this is not possible, consider moving some agents, or the Agent Manager and all agents, to another monitoring host which has more memory capacity.

Could not establish a connection to host


  1. The following exception message may be found in the Exchange agent log.
    2013-12-19 13:39:12.669 ECHO    <ExchangeMonitoring/5.6.6/ExchangeAgent/EXC0-EX7.domain7.local-agent> INFO [Thread-20] - Begin to query credential for host:  EX7.domain7.local
    2013-12-19 13:39:26.707 ECHO    <ExchangeMonitoring/5.6.6/ExchangeAgent/EXC0-EX7.domain7.local-agent> INFO [Thread-20] - Validate credentials for host: EX7.domain7.local
    2013-12-19 13:39:26.708 ECHO    <ExchangeMonitoring/5.6.6/ExchangeAgent/EXC0-EX7.domain7.local-agent> ERROR [Thread-20] - Could not establish a connection to host : EX7.domain7.local.
    2013-12-19 13:39:26.708 ECHO    <ExchangeMonitoring/5.6.6/ExchangeAgent/EXC0-EX7.domain7.local-agent> ERROR [Thread-20] - Data collection failure. Could not establish a connection to host : EX7.domain7.local      
  2. In Administrator > Credentials > Manage Credentials, the following alarm may be found: "A Credential with purpose xxxx has been encrypted with a lockbox that has not been granted to this Agent Manager".

Resolution 1:

  1. Ensure that the lockbox has been released to the related Agent Manager (check credential clients in the Credentials > Manage Lockboxes dashboard).
  2. If the Agent Manager is in the credential client list, it must be restarted to fix this issue.

Resolution 2: Update the Agent Manager to version 5.6.12 (or later).

Data merge error found in Foglight Management Server console


The following error message may be found in the Foglight Management Server console.

Failed to retain value of property instances when editing EXCADAccessDomainController object "null (EXCADAccessDomainController)" (39bb11e5-e952-4d63-8629-c4efc19a546d).
Failed to retain value of property instances when editing EXCADAccessCache object "null (EXCADAccessCache)" (16d56083-19b0-4370-af54-9b775a7f644e).
Failed to retain value of property instances when editing EXCADAccessProcessobject "null (EXCADAccessProcess)" (36b2c281-13b6-48ee-9dc0-7660e326fd50).
Failed to retain value of property instances when editing EXCDatabase object "null (EXCADAccessProcess)" (36b2c281-13b6-48ee-9dc0-7660e326fd50).


  1. Stop the data collection.
  2. Run the following groovy script in the script console, to remove old topology objects: EXCADAccessDomainController, EXCADAccessCache, EXCADAccessProcess, and EXCDatabase.
    server["TopologyService"].deleteObjects(new java.util.HashSet(#!EXCADAccessDomainController#.topologyObjects)) 
    server["TopologyService"].deleteObjects(new java.util.HashSet(#!EXCADAccessCache#.topologyObjects)) 
    server["TopologyService"].deleteObjects(new java.util.HashSet(#!EXCADAccessProcess #.topologyObjects)) 
    server["TopologyService"].deleteObjects(new java.util.HashSet(#!EXCDatabase#.topologyObjects))

Can not start the Exchange agent to monitor Exchange Edge Transport server



  1. The monitored Exchange Edge Transport server is a stand alone host.
  2. In agent properties, communication Protocol is set as "WinRm Through HTTP" or "Winrm Through HTTPS".
  3.  The following exception message may be found in the Exchange agent log.
    2014-01-26 10:51:47.329 ECHO    <ExchangeMonitoring/5.6.7/ExchangeAgent/2901-agent> ERROR [Quartz[0]-10] - Fail to establish the WinRM connection: a connection could not be established.
    2014-01-26 10:51:47.329 ECHO    <ExchangeMonitoring/5.6.7/ExchangeAgent/2901-agent> INFO [Quartz[0]-10] - winRm connectivity test result: Failed.
    2014-01-26 10:51:47.330 ECHO    <ExchangeMonitoring/5.6.7/ExchangeAgent/2901-agent> ERROR [Quartz[0]-10] - Could not establish a connection to host : zhuvmfog2901. 2014-01-26 10:51:47.332 ECHO    <ExchangeMonitoring/5.6.7/ExchangeAgent/2901-agent> EERROR [Quartz[0]-10] - Data collection failure. Could not establish a connection to host : XXXXXX                        
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)                        
    at sun.reflect.NativeMethodAccessorImpl.invoke(                        
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(                        
    at java.lang.reflect.Method.invoke(                        
    at com.sun.proxy.$Proxy51.informationStoreDetailCollection(Unknown Source)                        
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)                        
    at sun.reflect.NativeMethodAccessorImpl.invoke(                        
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(                        
    at java.lang.reflect.Method.invoke(                        
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(                        
    at java.util.concurrent.ThreadPoolExecutor$                        


  • Check the credential setting in Exchange Agent properties and ensure that the user is in local account format.


Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating