Exchange Server monitoring requirements

Robot Manager machine

The following requirements apply to the machine dedicated to the Robot Manager.

Version

Make sure PowerShell v4 or above is installed on the Robot Manager machine.

PowerShell Execution Policy

  • Locate the Windows PowerShell (x86) shortcut by typing PowerShell in the Start>Run box.

  • Make sure the new execution policy of the workstation allows all scripts and configuration files downloaded from the Internet to be run (http://technet.microsoft.com/en-us/library/dd347628.aspx), by entering:

set-executionpolicy remotesigned

Specific Requirements

The following PowerShell commands must be executed "As Administrator" through a Windows PowerShell (x86) console.

PowerShell communication between the Gizmo station and Exchange servers is ensured when meeting one of the following conditions:

  • The Gizmo station and Exchange server(s) are in the same domain, or

  • stations are in different domains but the server’s domain trusts the Gizmo station’s domain, or

  • the connection relies on SSL authentication, or

  • the Exchange server is part of the Gizmo station's WinRM trusted hosts:

Set-Item wsman:\localhost\client\trustedhosts *

 where * means all servers)

Checking remote PowerShell Connection on Microsoft.Exchange Endpoint

The following commands allow to check if all previous commands have succeeded:

$cred = Get-Credential domainname\username$sessionoption = New-PSSessionOption -SkipCACheck -SkipCNCheck –SkipRevocationCheck$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://YourServerName/PowerShell -Credential $cred -SessionOption $sessionoption -Authentication KerberosInvoke-Command -Session $session -ScriptBlock {Get-ExchangeServer}

Checking remote PowerShell Connection on Microsoft.PowerShell Endpoint

The following commands allow to check if all previous commands have succeeded:

$cred = Get-Credential domainname\username$sessionoption = New-PSSessionOption -SkipCACheck -SkipCNCheck –SkipRevocationCheck$session = New-PSSession -ConfigurationName Microsoft.PowerShell -ConnectionUri http://YourServerName:5985/wsman -Credential $cred -SessionOption $sessionoption -Authentication Kerberos (change port number to 5986 if using SSL)Invoke-Command -Session $session -ScriptBlock {Get-WmiObject -Query "SELECT Name, Description, State, AcceptStop, AcceptPause FROM Win32_Service"}

Server roles

The following PowerShell commands must be executed "As Administrator" through a Windows PowerShell (x86) console.

PowerShell communication between the Gizmo station and Exchange servers is ensured when meeting one of the following conditions:

  • The Gizmo station and Exchange server(s) are in the same domain, or

  • stations are in different domains but the server’s domain trusts the Gizmo station’s domain, or

  • the connection relies on SSL authentication, or

  • the Exchange server is part of the Gizmo station's WinRM trusted hosts (where * means all servers):

Set-Item wsman:\localhost\client\trustedhosts *

Follow the procedure depending on the Server roles used in your organization.

Mailbox Server and DAG

Checking remote PowerShell Connection on Microsoft.Exchange Endpoint

The following commands allow to check if all previous commands have succeeded:

$Cred = Get-Credential domainname\username
$SessionOption = New-PSSessionOption -SkipCACheck -SkipCNCheck –SkipRevocationCheck
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://YourServerName/PowerShell -Credential $Cred -SessionOption $SessionOption -Authentication Kerberos
Invoke-Command -Session $Session -ScriptBlock {Get-ExchangeServer}

MailBox Server and Edge Server

Checking remote PowerShell Connection on Microsoft.PowerShell Endpoint

The following commands allow to check if all previous commands have succeeded:

$Cred = Get-Credential domainname\username
$SessionOption = New-PSSessionOption -SkipCACheck -SkipCNCheck –SkipRevocationCheck
$Session = New-PSSession -ConfigurationName Microsoft.PowerShell -ConnectionUri http://YourServerName:5985/wsman -Credential $Cred -SessionOption $SessionOption -Authentication Kerberos (change port number to 5986 if using SSL)
Invoke-Command -Session $Session -ScriptBlock {Get-WmiObject -Query "SELECT Name, Description, State, AcceptStop, AcceptPause FROM Win32_Service"}

Exchange monitored Server

The following requirements apply to the monitored Exchange Server.

  • Make sure the port 5985 (5986 if SSL) is open on the monitored server (Microsoft.PowerShell endpoint).

  • Configure the server to receive remote commands:

Enable-PSRemoting -Force

The user connecting to the Exchange server must be member of the "View-Only Organization Management" security group in the Active Directory. This should implicitly set the users account's RemotePowerShellEnabled property to true. If not, the following command can check the property:

get-user "username" | fl RemotePowerShellEnabled

In case this query returns False, the user is not enabled for Remote PowerShell. To enable the user, run the following command:

Set-User "username" -RemotePowerShellEnabled $True

For Exchange 2010 servers monitoring, we recommend using a specific mailbox for CAS Checks. However, if you want to use the default test mailbox, a script must be run on the Exchange server to create a test account in the Exchange organization. This script is located in the following folder on any Exchange server:
"C:\Program Files\Microsoft\Exchange_Server\V14\Scripts\new-TestCasConnectivityUser.ps1"
If the user that does remote PowerShell is not part of the "Administrators" group, enter the following command:

Set-PSSessionConfiguration -Name Microsoft.PowerShell –ShowSecurityDescriptorUI -Force
  • The Permissions window is displayed.

  • Click Add to add the user to the list and enable the Read and Execute permissions.

  • Finally, restart the Windows Remote Management service:

Restart-Service WinRM

Throttling Policies

In large organizations, the default values of the following policies should be increased or even set to unlimited.

  • The PowerShellMaxRunspaces policy is closely related to PowerShell sessions initiated on the servers. By default, it is set to 18.

  • The PowerShellMaxConcurrency policy defines the maximum number of concurrent PowerShell connections on the server. By default, it is set to 18.

If you need to change these values:

  • Open the Management shell on one of the Exchange servers.

  • To create the new policy, enter New-ThrottlingPolicy policy_name

  • To change the max. runspaces settings (only on Exchange 2013 servers), enter Set-ThrottlingPolicy policy_name -PowerShellMaxRunspaces new_value

  • To change the max. concurrency settings, enter Set-ThrottlingPolicy policy_name -PowerShellMaxConcurrency new_value

  • To associate the policy to the user account, enter Set-ThrottlingPolicyAssociation user_name -ThrottlingPolicy policy_name

  • To take these changes into account, enter on each server.

    %windir%\system32\inetsrv\appcmd recycle apppool /apppool.name:MSExchangePowerShellAppPool