Exchange 2007 R2 Mp Security Question

  • Question

  • I have a question with regard to the security of the Exchange 2007 R2 Management Pack. Would the default agent action account for all Exchange servers, running as Local System, be enough to allow the OWA, POP, IMAP and web services connectivity monitors to work? The only reason I ask is whether anyone has encountered scenarios where the agent action account was set to Local System and all the connectivity monitors were not working. I created the necessary test mailboxes on all the servers.
    Thursday, December 3, 2009 3:07 PM

All replies

  • Hi, you don't have to change the action account; Local System will work. But you need to configure, for example, the OWA connectivity check. Exchange 2007 uses system mailboxes for all those tests. There is really good info and step-by-step guides about this in the Exchange management pack guide.
    Anders Bengtsson | Microsoft MVP - Operations Manager | http://www.contoso.se
    Thursday, December 3, 2009 3:50 PM
  • I have those system mailboxes created. My only problem right now is getting the connectivity monitors to work. When I leave the default action account as Local System I get performance data with regard to the synthetic transactions, but the OWA connectivity monitors always fail with "The test was unable to log on to Outlook Web Access because the SSL certificate did not validate. You can force the cmdlet to proceed by re-running it and specifying the -TrustAnySSLCertificate parameter". This is also weird because I looked at the overrides summary and there are no overrides, and the values are set to the default of true for the Trustanysslcert variable. The curious case is that when I change the action account to a named domain account all the connectivity monitors work without any issues, but I lose the performance data gathered by those monitors.
    Thursday, December 3, 2009 4:48 PM
  • Disable the rule "Exchange 2007 Test System Health" for your Exchange Client Access Servers. Then restart the Operations Manager Agents on your Exchange Client Access Servers; this should work around the issue you are seeing.
    This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm
    • Marked as answer by S. Halsey Thursday, December 3, 2009 6:10 PM
    Thursday, December 3, 2009 6:10 PM
  • That solves my problem completely. Can you explain why I was experiencing this problem? I believe I followed the documentation exactly to the letter. Am I missing something in preparing the environment before I run the wizard?
    Thursday, December 3, 2009 6:54 PM
  • Do you ever re-enable the rule "Exchange 2007 Test System Health" for your Exchange Client Access Servers after the monitor clears up for synthetic transactions?
    Friday, December 4, 2009 1:40 PM
  • Re-enabling the Test System Health rule will result in the Client Access Synthetic Transactions failing again. Currently there is no ETA on when the workaround won't be necessary.

    Something Exchange Best Practices does changes the environment variables in the PowerShell session, which causes the Client Access Transactions to fail. Operations Manager re-uses the same PowerShell session, so when ExBPA runs it changes that Operations Manager session. By disabling the Test System Health rule you stop Operations Manager from running ExBPA in the session. You can still run ExBPA/Test-SystemHealth manually on your Exchange Client Access Servers; just have ExBPA run in its own PowerShell session.
    Friday, December 4, 2009 5:37 PM