How to Properly Setup/Diagnose the Exchange Module on an Exchange 2000/2003 Server (NETIQKB70549)

  • 7770549
  • 31-Jul-2007
  • 26-May-2011

Environment

NetIQ AppManager 6.x
NetIQ AppManager 7.0.x

Situation

How to Properly Setup/Diagnose the Exchange Module on an Exchange 2000/2003 Server

Unable to discover Exchange with the AMAdmin_AddManagedObject Knowledge Script

After discovering an Exchange Server, I'm unable to manage Exchange on it
Error: "Unable to discover Exchange 5.5/2000/2003. Please make sure the MO is installed or NetIQmc.exe is installed on the server"

Resolution

The following is a text copy of a white paper that details the exact steps to follow in order to configure management of Exchange. It is also attached to this Knowledgebase article in Word format:

How to Properly Setup/Diagnose the Exchange Module on an Exchange 2000/2003 Server

On the Exchange Server:

1. Determine which NT account and Exchange Mailbox you will be using to manage the Exchange Server.  Keep in mind that this account will be an Exchange Administrator Account. We will call this account the "NetIQ Exchange Service Account".

2. Go to "Active Directory Users and Computers" and ensure that the "NetIQ Exchange Account" NT Account has been created.  Open this NT account and ensure the account has the Mailbox created for the NT Account and that it is not hidden from the "Global Address List" (GAL).

3. Connect to the Remote Exchange Server. Log on to the Exchange Server as an "Exchange Server Administrator", go to Start and Run, and type "Regedit". Locate:

HKEY_CURRENT_USER\Software\Microsoft\Exchange\ExAdmin

  • On the Edit menu, click Add Value.
  • Enter the following registry value information:
    • Value Name: ShowSecurityPage
    • Data Type: REG_DWORD
    • Value: 1
  • Exit the Registry Editor.

4. On the Exchange Server, go to Start and Programs, select "Microsoft Exchange", and then select "Exchange System Manager".

5. When the Exchange System Manager comes up, you will find the Organization listed in the top pane.  Right-click the Organization and go to Properties.  Select the Security tab.

6. If this "NetIQ Exchange Account" is a member of any ACL Groups listed in the Exchange Security tab, ensure none of the Groups have explicit Denials listed that will override your "NetIQ Exchange Account" permissions.

7. Add the "NetIQ Exchange Account" user account and give it the following permissions:
Full Control (this will select all security options by default)
~This security level will be reduced after install~

8. After these permissions have been set, go to the lower containers and ensure the account is listed at the Organization Unit level as well, with the listed permissions.  Close the Exchange System Manager.

Client Installation:

1. Log on to the Exchange Server as the "NetIQ Exchange Service Account". Connect to a software share or CD location which contains the AppManager Client Installation software.

2. Go to the "...\AppManager\Setup" directory and select "Setup.exe".

3. Run the install and select the pre-installation check when prompted.  Select the Exchange Managed Object option specifically and view the output report.  Verify that everything succeeds.  If it does not, take action to address the issue items as specified.

4. Restart the agent install, continue with the installation as before, and select the "Complete Install" option.

5. Select the required Agent Components, including the Exchange Managed Object.  Fill in the prompts correctly as they come up.

6. After the agent install, verify that the NetIQ Client Resource Monitor, the NetIQ Client Communication Manager and the NetIQ "Qexch2k1a" Services are running with the "NetIQ Exchange Service Account".

7. If the installation completes without the Service creation, ensure the Installation Account, the QEXCH2k1a Service account, the System group, and the Interactive group are specified in DCOM permissions with access to "Default" and "Launch" permissions. Then retry the steps above.

8. If you notice the install completes but the Qexch2k1a Service is not available:

  • Check the install directory "...\NetiQ\AppManager\Bin" for the file name "Qexch2k1a.exe".
  • If it is there, you can manually create the service (to bypass the install) by using the following command:
    • Qexch2k1a.exe -service -u "domain\username" -p password
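
The check in step 6 can be scripted. The following is an added example, not part of the original white paper and not NetIQ code; it assumes PowerShell 2.0 or later with WMI access to the server. The account name is a placeholder, and the wildcard patterns are assumptions built from the service names given in step 6.

```powershell
# Added example (not NetIQ code): check the agent services named in step 6.
# $ExpectedAccount is a placeholder; substitute your own service account.
param(
    [string]$ComputerName    = '.',                      # '.' = local server
    [string]$ExpectedAccount = 'DOMAIN\netiq-exch-svc'   # placeholder account
)

# Name fragments from step 6. Registered service names may differ per agent
# version, so both Name and DisplayName are matched (assumption).
$patterns = @(
    'NetIQ*Client Resource Monitor*',
    'NetIQ*Client Communication Manager*',
    '*Qexch2k1a*'
)

$all = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName

$report = foreach ($p in $patterns) {
    $found = @($all | Where-Object { $_.Name -like $p -or $_.DisplayName -like $p })
    if ($found.Count -eq 0) {
        # Missing service: see steps 7 and 8 (DCOM permissions, manual creation).
        New-Object PSObject -Property @{
            Service = $p; State = 'NOT FOUND'; Account = ''; Ok = $false }
    }
    foreach ($s in $found) {
        New-Object PSObject -Property @{
            Service = $s.DisplayName
            State   = $s.State
            Account = $s.StartName   # compared as stored; DOMAIN\user form assumed
            # -eq on strings is case-insensitive in PowerShell.
            Ok      = ($s.State -eq 'Running' -and $s.StartName -eq $ExpectedAccount)
        }
    }
}

$report | Select-Object Service, State, Account, Ok | Format-Table -AutoSize

# Non-zero exit code if anything is missing, stopped, or under another account.
if (@($report | Where-Object { -not $_.Ok }).Count -gt 0) { exit 1 }
```

A service reported under LocalSystem or any account other than the expected one is flagged in the Ok column.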

Windows Messaging Subsystem / and Profile Script Setup

1. (Still logged in as the "NetIQ Exchange Service Account".) Go to Start and Run and type "CMD".

2. Browse to "...\Program Files\NetIQ\AppManager\Bin".

3. Type the following command:
Prof.exe -s ExchangeServername -m MailboxName -Notm -p ProfileName
Press Enter. You should receive the number "0" returned if it enters the Profile OK.

4. Close the Command Prompt

Re-adjusting the Exchange Account Permissions

Note: The initial setup of the AppManager Exchange Module requires the use of an account that has "Full Control" permissions.  It may be requested to decrease this access considerably.

1. (Log in again as the original Exchange Administrator Account.) Go to Start and Program Files, select Microsoft Exchange Server, and select "Exchange System Manager".

2. Go to the Organization level, select the "NetIQ Exchange Service" NT account, and remove the permissions from all selections except view type and Information Store administration privileges.

3. Go to the Organizational Unit Level and perform the same action.

Security Manager Setup

1. Log in to the AppManager Operator Console as an Administrator.

2. Go to the Extensions and select "Security Manager".

3. Select the Exchange Server from the Server list, select the Exchange tab, and specify the Profile and mailbox.

4. Select the Exchange 2000/2003 tab and add the Exchange Profile and Mailbox for Exchange 2000/2003 as before.

5. Select "Apply" and close the Security Manager.

MAPI Script setup:

These steps usually address any Exchange setup or MAPI-based script issues.  However, consider that these components rely on other systems, the MAPI subsystem, and configurations. Performance can be directly affected by improper configuration or by issues related to Mapi32.DLL or other MAPI subsystems.
Additionally, on Exchange 2003 managed clients do not utilize the MAPI-based actions.  These MAPI-based actions utilize the "NetIQMapimail.exe" program, which has problems accessing the Exchange 2003 Mapi32.dll, MAPI subsystem.

On some of the MAPI-based scripts, the KS's are designed to first send a message and then, on the next iteration, log on and read the mailbox to look for the reply. For example, the Exchange_SMTPConnectivity script is one of these.

To configure the Exchange_SMTPConnectivity Knowledge Script:

1. Log on to the Exchange Server as the NetIQ Client Resource Monitor NT Service Account.

2. Verify that you have created the MAPI Profile.  To do this, while logged on as the NetIQMC NT Service account, use the following command:
PROF.EXE -S EXCHServer -M MailboxName -notm -P profilename

3. Go to the Operator Console, drop the Exchange_SMTPConnectivity script, and specify the profile and mailbox to be used, as you established them previously, and a valid domain that returns Non-delivery reports (Microsoft.com, Conoco.com).  Also schedule the job to run every 10 minutes to give sufficient time for the NDR message to return.

4. Log on to Outlook on some other workstation client or through OWA and verify the NDR comes back. Take notes on the specific words returned in the Subject line and the message body.

5. When the script reads the body of the e-mail, it truncates the beginning part of the body message, so select some words toward the end of the body message to specify a filter.

6. Go back to the running Exchange_SMTPConnectivity job and change the values to:

  • Subject up = <the text you found in the subject>
  • Message Body up = <The distinguishable or unique text you choose toward the end of the Email message body>

7. Accept the changes and configuration and the script will restart and should begin running.

Cause

The Active Directory account being used within the job does not have appropriate rights on Exchange.

Additional Information

Formerly known as NETIQKB70549