Exchange Server 2003 Management Pack Overview
Making sure that Exchange servers are operating reliably is a key objective for daily messaging operations and should be approached systematically based on the principles outlined in the Microsoft Operations Framework (MOF) (http://go.microsoft.com/fwlink/?LinkId=25297). A significant part of daily operations in information technology (IT) is monitoring system health. Monitoring can make sure that service level agreements (SLAs) are met, and it lets you detect and address issues in the Exchange organization before they affect user productivity. Monitoring can also help you estimate future demands based on usage patterns and other performance data.
Monitoring with Microsoft® Operations Manager (MOM) lets you perform the following tasks, which are discussed in this guide:
Obtain a performance baseline
Take preventive measures
Identify conditions or processes that are outside normal operating conditions (for example, when thresholds based on your baseline performance expectations are exceeded)
Evaluate operational effectiveness
Identify your company's peak workload hours
Perform configuration management
Manage software updates
Obtain performance metrics
Monitoring should be performed centrally, especially in a large Exchange organization with several Exchange servers, so that reports and data can be stored in a single repository. With centralized monitoring, you can reduce administrative overhead by implementing uniform, company-wide administration procedures. The Exchange Management Pack for Microsoft Operations Manager (MOM) provides a centralized monitoring approach.
To effectively use the Exchange Management Pack, familiarize yourself with the following:
Microsoft Operations Manager integration The Exchange Management Pack extends MOM so that you can monitor Exchange-specific components and services in addition to resources provided by the operating system. An introduction to MOM helps you better understand where and how the Exchange Management Pack integrates with MOM.
Exchange Management Pack components Not only does the management pack integrate with MOM, but it also contains specific interfaces, rules, reports, and features that help monitor Exchange 2003 servers. Knowing the components and their capabilities and purposes is critical to using the Exchange Management Pack efficiently.
System monitoring tasks Knowing the tasks that you can do with the Exchange Management Pack helps you identify opportunities to streamline IT operations in an Exchange 2003 organization. For example, instead of manually monitoring individual servers, you can automatically monitor all servers that are running Exchange Server 2003.
Monitoring scenarios You can deploy the Exchange Management Pack in a centralized or decentralized environment. Deployment options might vary according to your requirements and the geography of the organization.
Exchange Management Pack Components
The discussion about the Exchange Management Pack integration with Microsoft Operations Manager 2005 already presented most of the components of the Exchange Management Pack. There are rules on the MOM database server. These rules are imported into the MOM database by using the MOM 2005 Administrator Console. The MOM Management Server then pushes the appropriate set of rules to each agent, where they then run locally. The database also contains views, reports, alerts, and knowledge base articles on the MOM server, and there are MOM agents on servers running Exchange 2003. This section discusses these components in more detail.
Rule Groups are used to organize rules into a logical structure. The structure of the rule groups changed from Exchange 2000 Server to Exchange Server 2003, and the Exchange Management Pack for Exchange 2003 includes additional rule groups. You can also create your own custom rule groups that let you further customize your MOM configuration.
The Exchange 2003 Management Pack includes rule groups to organize rules as follows:
Availability Monitoring The rules in this group check Exchange servers for their availability. This includes rules to monitor Exchange services, front-end servers, database connection, MAPI logon, mailboxes, and mail flow.
Exchange Event Monitoring The rules in this group monitor Exchange-specific events written to the event log. This includes rules to monitor the following:
Exchange store The Exchange store hosts the mailboxes and public folders.
System attendant The system attendant includes important modules, such as DSAccess, without which the Exchange server system cannot function.
Simple Mail Transfer Protocol (SMTP), Message Transfer Agent (MTA), and message routing These components are elements of the Exchange 2003 transport engine and must be running on every Exchange 2003 server to guarantee a correctly functioning system.
Microsoft Outlook® Web Access, Outlook Mobile Access, and Exchange ActiveSync® Internet and mobile users can use these components to access mailbox resources through HTTP and HTTP-related protocols.
*IMAP4 and POP3* These components are important if Internet users access their mailboxes using Microsoft Outlook® Express or another IMAP4 or POP3 conforming client.
*DSAccess and Active Directory Connector* DSAccess manages communication between Exchange 2003 and Active Directory® directory service. Active Directory Connector (ADC), on the other hand, is an important tool when integrating an Exchange 5.5 organization with Active Directory.
Free/busy information Outlook users can look up other users' free/busy information to determine availability when scheduling meeting requests. Free/busy information is stored in a hidden system folder on the Exchange server.
Health Monitoring and Performance Thresholds The rules in this group include rules to monitor server health, such as rules for server configuration, security settings, disk space thresholds, and mail queue thresholds. They also let you discover problems in key Exchange components by setting thresholds for alerts.
Performance Counter Logging Rules The rules in this group monitor your Exchange server usage and performance, such as client monitoring, antivirus rules, and public folder store usage. There are also rules to monitor server resource usage, such as CPU, disk, memory, and network usage logging.
Report Collection Rules The rules in this group provide data to MOM reports. These rules include database size, configuration rules, mailbox statistics, and message tracking log analysis, as well as several other rules.
For more information about rules included with the Exchange Management Pack and their capabilities, see Chapter 4, "System Monitoring with the Exchange Management Pack."
Rules specify how MOM 2005 collects, handles, and responds to information. Rules define the events and threshold conditions for MOM to monitor. When a MOM server receives information from an information source (Microsoft Windows® Management Instrumentation, System Monitor, the event log, and others) that matches a rule, the responses associated with the rule are executed.
Note The Exchange Management Pack includes many predefined rules, but you can also define your own.
The most common rule types are:
**Event Rules** Event rules instruct MOM 2005 to generate an alert or run responses when specific events occur. These events can be events that are written to Windows event logs by the Windows components that are being monitored, or they can be events that are generated by MOM. MOM 2005 stores the events and alerts in the MOM database.
**Alert Rules** Alert rules generate a response when a particular alert is detected. You can configure these rules to identify alert criteria from a specific alert source and generate a response when the alert matches a specified critical value. You can also define which rule group the alert rule applies to.
**Performance Rules** Performance rules collect performance data. You can view this information by using the MOM Administrator Console. MOM stores performance data in the MOM database. These rules generate an alert when some measured value, such as CPU usage, exceeds a defined threshold. You can define multiple threshold values, with a separate alert severity level for each value. Use your performance baseline to identify appropriate threshold values for your environment.
An alert occurs when a MOM agent detects an event or measured value that matches the event or threshold that is defined in a rule. An alert notifies the administrator about the event that triggered the alert. The alert can trigger an e-mail message to be sent or a script to be run.
Defining Alert Severity Levels
Each rule in MOM 2005 that generates an alert assigns an alert level that indicates the severity of the event that triggers the alert. You can use the alert severity level to determine the importance of the indicated condition. By default, the more-severe alerts are set to page administrators immediately. Alert severity levels for MOM are described in Table 2.1.
Table 2.1 MOM alert severity levels
Paged by default
Indicates that a service is no longer running or responding to client requests.
Indicates that a breach in security is likely to have occurred.
Indicates errors and events that require immediate attention.
Indicates an error that requires attention soon.
Defined per rule
Indicates that an event has occurred that is suspect and is likely to cause an error or critical error soon. Paging is not required, and all related services are currently reachable. But the warning should be investigated and the cause of it determined.
Provides information about an expected or required event.
Provides notification that a particular operation succeeded.
The Exchange Management Pack contains a knowledge base with technical information that can help in troubleshooting. The knowledge base information is available on the Product Knowledge Base tab when displaying alert details in the MOM Operator console. This information indicates the meaning and importance of the alerts that are generated by a rule. You can also obtain detailed suggestions about resolutions and links to up-to-date information on the Web. The knowledge base contains predefined information from Microsoft, to which you can add information that is specific to your organization.
The Knowledge Base is a key feature of the Exchange Management Pack, and it enables your front-line operators to resolve issues quickly. Faster resolution means fewer escalations, saving your company time and money.
Views and Reports
The Exchange Management Pack includes several views and reports to help you quickly identify Exchange issues. With these views and reports, you can analyze and graph performance data to understand usage trends, do accurate load balancing, and manage system capacity.
In Exchange Management Pack for Exchange 2003, all data that is used for reports is stored and read from the Data Warehouse. As scripts collect data from each data source, this information is stored in the Microsoft SQL Server™ data warehouse. The process is as follows:
Agents on each Exchange server run scripts that read data from multiple data sources, such as the Event Logs.
Agents write the data to the operational database on the MOM management server.
Each day, a DTS job automatically transfers data from the operational database on the MOM management server to the data warehouse.
Data is read from the data warehouse and displayed in reports.
Because reports only read data from the data warehouse, there is a delay between when an event occurs and when the event is recorded in a report.
Exchange reports cover the following:
Health Monitoring and Operations Reports
You can use the monitoring and operations reports to analyze database sizes, disk usage, mailboxes, server availability, and the configuration of Exchange servers. For example, you can list database sizes for Exchange servers, where database size (in megabytes) is presented for each server, storage group, and database. The reports in this category are as follows:
Exchange Disk Usage This report provides data about servers running Exchange based on disk performance counters, presenting daily averages for each counter.
Exchange Server Availability This report provides the percentage of server availability for Exchange servers during a specified time period and also lists the categories of failure types that could lead to a server being unavailable.
Exchange Server Configuration This report provides configuration information including computer and operating systems configuration and local disk information.
Exchange 2003 Outlook Client Monitoring This report gives you the results of analysis data collected by Exchange 2003 servers monitoring Outlook 2003 clients for the end user's experience in terms of response times and errors.
Exchange Mailboxes This report shows the distribution of mailboxes across storage groups and databases for Exchange servers.
Database Size This report provides the size of each database on your monitored server.
Number of Mailboxes per Database/Storage Group/Server This report provides the total number of mailboxes defined on each mailbox store, within each storage group, and across a server.
Mailbox and Public Folder Size and Count This report provides the total number of mailboxes and public folders defined across all stores, and how much disk space each is occupying in your storage subsystem.
Mail Traffic Analysis This report identifies the top 100 e-mail senders and receivers for each domain.
Client Monitoring This report identifies the average latency observed by clients per server, and reports the number and percentage of failed remote procedure calls (RPCs) per server.
Exchange Database Sizes This report shows the total database size on each server, in addition to the individual components of the database. For example, if a database contains both a mailbox store and a public folder store, this report shows the size of each.
**Protocol Usage Reports** The protocol usage reports obtain data about usage and activity levels for the mail protocols that are used by Exchange, such as POP3, IMAP4, and SMTP. You can also obtain usage and activity level reports for Exchange components, such as Microsoft Exchange Information Store service, mailbox store, public folder store, MTA, and Outlook Web Access. These reports use key performance counters for operations conducted in a specific time period. The reports include data for Exchange 2000 servers only when the Exchange 2000 Management Pack for Microsoft Operations Manager is installed.
**Traffic Analysis Reports** The traffic analysis reports summarize Exchange mail traffic patterns by message count and size for both Recipient and Sender domains. For example, the report Mail Delivered: Top 100 Sender Domains by Message Size provides a list of the top 100 sender domains sorted by message size during a specific time period, as reported in the Exchange message tracking logs. The reports include data for Exchange 2000 servers only when the Exchange 2000 Management Pack for Microsoft Operations Manager is installed.
**Exchange Capacity Planning Reports** By analyzing your daily client logons and messages sent and received, in addition to work queues, the capacity planning reports show the Exchange server resource usage and help you plan for current and future capacity requirements.
**Exchange Mailbox and Folder Sizes Reports** You can use these reports to monitor the size of Exchange mailboxes and folders and to determine your highest growth areas. The reports in this category include top 100 mailboxes by size and message count, and top 100 public folders by size and message count.
**Exchange Performance Analysis Report** The Queue Sizes report summarizes Exchange performance counters and helps you analyze queue performance.
The Exchange Management Pack for Exchange 2003 includes State Monitoring. State Monitoring provides a real time view of the condition of your servers and applications. It verifies that critical services are available and that they are providing end users with expected performance by evaluating several features. These features include the following:
MAPI logon test
Mail flow test
Databases (mounted or not)
Front-end servers logon test
Outlook Web Access
Outlook Mobile Access
State Monitoring continuously monitors your servers and will automatically detect when an alert or error condition is resolved. Because of this, you do not have to manually resolve alerts in MOM.
To view the state of your organization
Open the MOM Operator Console. To do this, click Start, point to Programs, point to Microsoft Operations Manager 2005, and then click Operator Console.
In the MOM 2005 Operator Console, in the left pane, click State.
In the right pane, view state details and tasks that you can perform. Click a task to cause the task to run on the computer selected in the State Right pane.
The Exchange Management Pack for Exchange 2003 includes the Topology View. The Topology View lets you use the Operator Console to quickly view the state of your environment in a graphical format. This view lets you quickly identify servers with issues that require attention, and lets you go into each server's properties to effectively triage the servers that you must attend to first. Servers and their status are presented in a format that can be exported into Microsoft Visio®.
For example, if your environment includes 20 servers in multiple routing groups, the Topology View will identify these servers, show the routing group boundaries, and include a graphic on each server indicating whether the server is healthy or not. As soon as a server is found to have a problem, the green check mark on the Topology View will change to a red X. To learn more about the server, you can point to it with your mouse to see properties including the number of mailboxes on the server. If you have multiple servers indicating a problem, you can determine which server is likely affecting more people by the number of mailboxes on that server. You can then double-click the server in Topology View to determine exactly what is wrong with that server and how to resolve the problem. After you resolve the problem, the red X in Topology View automatically turns into a green check mark the next time the rule runs.
Automating Monitoring with the Exchange Management Pack
The components in the Exchange Management Pack can help you detect and respond to critical events. Frequently, timely alerts help prevent Exchange service outages, but preventing outages is not the only objective of system monitoring. You can also use the Exchange Management Pack to automate the following monitoring tasks:
Collecting Event and Performance Information The Exchange Management Pack collects monitoring information from several sources that are defined by individual rules. For example, a rule to look for available disk space might require information from System Monitor, events data generated by other scripts, and Windows event logs. Each rule defines the provider of the information that is used in that rule. Information providers to Microsoft Operations Manager 2005 include the following:
Event logs Warnings and errors, in addition to some informational events, are used to collect information. Rules search for predefined event numbers to obtain system information.
Event and performance information gathered through MOM and MOM scripts The Exchange Management Pack includes its own methods and scripts to collect information about your Exchange 2003 organization and system.
System Monitor The Exchange Management Pack can collect information from System Monitor objects and counters. The counters and their uses are explained in Appendix B.
Simple Network Management Protocol (SNMP) SNMP is an application layer protocol that is part of the TCP/IP protocol suite. It provides a means to manage network performance, resolve problems, and improve capacity.
Windows Management Instrumentation (WMI) WMI is a component of Windows Server 2003 and Windows XP that provides information about software and hardware components. Through WMI, you can query and set information about hardware, systems, services and applications, links, networks, and components of your infrastructure.
Maintaining System Health To keep your Exchange 2003 organization running smoothly with high availability, you must continuously maintain the overall health of your infrastructure. This involves many components not only specific to Exchange 2003, but also involving the underlying physical network topology, Active Directory deployment, and operating system configuration. MOM can examine your network's configuration and produce reports and alerts to help improve system health. At a minimum, you should deploy Active Directory Management Pack together with the Exchange Management Pack, so that you can monitor Active Directory in addition to the components specific to Exchange 2003. A functioning Active Directory environment is required for Exchange Server 2003 operations. Also consider deploying supplemental management packs such as the DNS and Internet Information Services (IIS) management packs.
Some methods to monitor system health have been discussed already. You can use reports specific to the Exchange Management Pack, such as the reports from the Health Monitoring and Operations, Capacity Planning, and Traffic Analysis categories in the Exchange Server reporting category of MOM Reporting.
Another method of monitoring system health is to develop an escalation ticket system to deal with and resolve critical system states.
By default, MOM includes several default alert resolution states. You can view or modify these states in MOM 2005 Administrator Console by navigating to Microsoft Operations Manager\Administration\Global Settings and accessing the properties of the Alert Resolution States object. The default alert resolution states are shown in Table 2.2.
Table 2.2 MOM 2005 default alert resolution states
Service level agreement
Level 1: Assigned to helpdesk or local support
Level 2: Assigned to subject matter expert
Level 3: Requires scheduled maintenance
Level 4: Assigned to external group or vendor
A ticket system helps make sure that critical issues are tracked and their resolution assigned for the most appropriate response.
You can also use the warnings and notifications to alert you of future problems. For example, you can track CPU usage and create an alert when the CPU usage exceeds a certain threshold. However, not every such alert is valuable. In this case, a temporary spike in user activity may generate the alert.
Addressing issues proactively Addressing problem areas before an actual problem occurs is easier with the Exchange Management Pack. With the Exchange Management Pack, you can monitor e-mail flow, logon failure, service disruption, database availability, queue abnormalities, routing and transport failures, and underlying network and hardware availability.
Capacity planning Systems growth monitoring is especially important in large, enterprise environments with many users. The Exchange Management Pack aids with capacity planning by enabling you to store reports and generate baselines for comparison. Using a standardized method of tracking disk use, processor use, user logons, outgoing and incoming messages delivered, and other Exchange components, the Exchange Management Pack facilitates a side-by-side comparison. For example, you can view free disk space available per month to understand the growth rate of your organization, and use that data to anticipate and plan for future requirements.
Alerting administrators about critical states As mentioned earlier, the Exchange Management Pack can send alerts about critical system states, such as Exchange service problems or denial-of-service attacks, to an administrator. The default notification group, found under Rules/Notification Groups/, for rule responses in the Exchange Management Pack, is Mail Administrators. You can add operators to this group and set up how each operator is to be notified. You can page, e-mail, and notify by external command, and you can configure at what times the operator is to be notified. This is useful where you must have continuous monitoring in an organization that operates on a shift basis. Each operator in such a case can be notified only during a specific time range and on specified days (that is, during their shift).
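The performance rules described earlier (several threshold values, each with its own severity, chosen from a baseline) and the remark above that a temporary spike can raise a low-value CPU alert can be modelled as follows. This is an added example, not code from MOM or the Exchange Management Pack; the "baseline plus k standard deviations" formula, the consecutive-sample requirement, the function names and the sample data are assumptions made for illustration.

```python
"""Model of a multi-threshold performance rule (illustrative; not MOM code)."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Threshold:
    value: float    # counter value at or above which this level applies
    severity: str   # label only, e.g. "Warning"


def thresholds_from_baseline(baseline, sigmas=(2.0, 3.0, 4.0),
                             severities=("Warning", "Error", "Critical Error"),
                             ceiling=100.0):
    """Derive one threshold per severity from baseline samples.

    Assumption: threshold = baseline mean + k * standard deviation, capped
    at `ceiling` (100 for a percentage counter). The page does not
    prescribe a formula; it only says to use the baseline.
    """
    if len(baseline) < 2:
        raise ValueError("need at least two baseline samples")
    if len(sigmas) != len(severities):
        raise ValueError("one sigma multiplier per severity is required")
    mu, sd = mean(baseline), pstdev(baseline)
    return [Threshold(min(mu + k * sd, ceiling), sev)
            for k, sev in zip(sigmas, severities)]


def evaluate(samples, thresholds, consecutive=3):
    """Return [(sample_index, severity)] alerts for a stream of samples.

    An alert is raised only when `consecutive` samples in a row breach a
    threshold, at the severity sustained by all of them. A later alert is
    raised only if the sustained severity rises. One sample below every
    threshold clears the condition and re-arms the rule.
    """
    if consecutive < 1:
        raise ValueError("consecutive must be at least 1")
    ordered = sorted(thresholds, key=lambda t: t.value)
    alerts, window, active = [], [], 0
    for i, v in enumerate(samples):
        # level = number of thresholds met; 0 means below all of them
        level = sum(1 for t in ordered if v >= t.value)
        window = (window + [level])[-consecutive:]
        sustained = min(window) if len(window) == consecutive else 0
        if level == 0:
            active = 0
        elif sustained > active:
            alerts.append((i, ordered[sustained - 1].severity))
            active = sustained
    return alerts


# Constructed sample data: CPU usage in percent.
BASELINE = [30, 50, 30, 50, 30, 50, 30, 50]
# Index 1 is a one-sample spike; indexes 3-8 are a sustained, growing load.
SAMPLES = [45, 95, 42, 65, 72, 75, 85, 90, 88, 50, 62, 61]

if __name__ == "__main__":
    ths = thresholds_from_baseline(BASELINE)
    for t in ths:
        print(f"{t.severity}: >= {t.value:.1f}%")
    print("alert on every breach:", evaluate(SAMPLES, ths, consecutive=1))
    print("alert on sustained   :", evaluate(SAMPLES, ths, consecutive=3))
```

With `consecutive=1` the single spike at index 1 produces the most severe alert immediately; requiring three samples in a row ignores it and still escalates through each severity as the sustained load grows.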
Exchange Management Pack Monitoring Scenarios
There are four potential scenarios in which you can monitor an Exchange 2003 organization with the Exchange Management Pack:
An agentless environment
A centralized environment
A distributed environment
A hybrid environment
Each is discussed in the following sections.
In an agentless environment, no agents are installed on the Exchange servers being monitored by MOM. MOM automatically monitors your servers without first installing an agent. The Exchange Management Pack will monitor performance counter and event-related problems in this environment, but cannot run scripts.
Agentless Monitoring Support
If you plan to monitor servers that do not have agents installed, you must be aware of the limitations of this configuration. By default, the Exchange Management Pack will only monitor servers on which the MOM agent is installed. If you want to monitor agentless servers, you must manually add each agentless server to the appropriate computer group. The computer groups are as follows:
Microsoft Exchange 2000 Server Back-end
Microsoft Exchange 2000 Server Front-end
Microsoft Exchange Server 2003 Back-end
Microsoft Exchange Server 2003 Front-end
To add a server to a computer group
Click Start, point to Programs, point to Microsoft Operations Manager 2005, and then click Administrator Console.
In the MOM 2005 Administrator Console, in the Console Root, expand Microsoft Operations Manager\Management Packs, and then click Computer Groups.
In the right pane, right-click the computer group that you want to add a server to, and then click Properties.
In the Properties dialog box, click Included Computers.
On the Included Computers tab, add the agentless server to the group, and then click OK to close the dialog boxes.
The Exchange Management Pack for MOM 2005 supports the following monitoring features on agent-managed computers:
Disk space monitoring
Health and availability monitoring
Database configuration monitoring
Service pack compliance
Server performance threshold monitoring
Server performance collection
This management pack supports the following features on Exchange Server computers that are monitored without an agent:
Server performance threshold monitoring
Server performance collection
You should note that the MOM service account on the MOM server requires administrator access to agentless computers, but the MOM service account on a managed computer does not. The MOM Agent Action account on each Exchange server should be running as Local System.
To update the Agent Action Account
In the MOM 2005 Administrator Console, expand Microsoft Operations Manager\Administration\Computers, and then click Agent-managed Computers.
In the left pane, right-click the server that you want to update, and then click Update Agent Settings.
In the Update Agent Settings Task dialog box, under Which account do you want to use for the Agent Action Account, click Local System, and then click OK.
In a centralized environment, a single location contains servers, routing groups, and administrative groups. This helps reduce administrative overhead, and also enables convenient monitoring. For example, a centralized environment can have a front-end and back-end architecture with users in the central location who have MAPI access for their Outlook clients, and remote users who use Outlook Web Access and connect through the front-end servers.
Monitoring a Centralized Environment
For centralized environments with up to 2000 servers, the single management group topology provides a fitting, centralized administrative model. This MOM topology can monitor one or more domains and contains one or more MOM Management servers. For enterprises monitoring fewer than 50 computers, a single configuration group topology can be used with a single computer that is running all MOM components. For larger organizations, MOM components can be put on different computers, as shown in Figure 2.1.
Figure 2.1 MOM single configuration group
A distributed environment extends the centralized environment concept by giving locations control over their systems. In a distributed environment, routing groups and administrative groups are monitored from various locations. An example of this is a corporation after a merger. The separate messaging systems might require separate administration and monitoring, in addition to established routes for message flow, or a merged system might require access by two different departments.
Monitoring a Distributed Environment
Multiple configuration groups enable monitoring of multiple locations in a distributed environment. To allow for uniform data gathering, MOM has a feature named multi-homing that lets you configure agents as members of more than one configuration group. For example, many enterprises are made up of organizations with multiple departments that are responsible for managing different aspects of a server. One group might monitor security issues, and another group might monitor only servers that are running specific Windows applications, such as Exchange.
In a multi-homed agent environment, the agent reports to multiple configuration groups for the events, alerts, and performance counters that it collects. The multi-homed agent processes work from the different configuration groups independently of one another so there is no conflict of rules. Agent computers can belong to up to four configuration groups. You can deploy this topology across one or more domains. Figure 2.2 shows a distributed environment monitoring scenario.
Figure 2.2 MOM multiple configuration groups with multi-homed agents
A hybrid environment combines centralized and distributed environments. For example, suppose you require all mailboxes to be in a central location, and you also want to let other locations have control over different server resources, such as public folders. This is an example of a hybrid approach that combines both centralized and distributed environments.
Monitoring a Hybrid Environment
Monitoring in this scenario is similar to monitoring a centralized environment. Tiers of configuration groups and alert forwarding can be used to monitor multiple physical locations from a central point. Alert forwarding facilitates this monitoring by creating a hierarchical monitoring infrastructure.
Alert forwarding is used to achieve centralized monitoring by forwarding only alerts and the events that are associated with those alerts. Alert forwarding enables consolidators in one configuration group to send alerts to another configuration group, which creates an efficient hierarchical alert-management structure for large enterprise networks, and can reduce network bandwidth requirements.
Alert forwarding is accomplished by establishing a master configuration group to receive alerts and one or more zone configuration groups to send alerts. The alerts and associated events are kept separately in the zone configuration group database and in the master configuration group database, so the data in the zone configuration group can be used for trend analysis.
Alerts that are forwarded maintain the name of the source computer where the actual event was generated. Alert responses are processed independently between the zone and master configuration groups. Changes that are made in the alert properties in a zone configuration group do not affect alerts in the master configuration group and vice versa.
MOM supports a two-tiered architecture: zone configuration group to master configuration group. Implementing more than two tiers is not supported. A master configuration group can support up to ten zone configuration groups with up to 120,000 alerts per day forwarded to the master configuration group.
Designing and operating a multi-tiered topology requires significant team effort and coordination to implement processing-rule changes and configuration changes.
Figure 2.3 illustrates the topology for monitoring a hybrid environment.
Figure 2.3 Multi-tiered configuration groups with alert forwarding
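The limits stated in this chapter for multi-homed agents and alert forwarding (two tiers only, up to ten zone configuration groups per master, up to 120,000 forwarded alerts per day, up to four configuration groups per agent) can be checked against a planned layout before deployment. This is an added example, not a MOM tool; the data layout, function name, group names and alert volumes are constructed for illustration.

```python
"""Design-time check of a MOM alert-forwarding layout (illustrative model)."""

# Limits as stated on this page.
MAX_ZONES_PER_MASTER = 10
MAX_FORWARDED_ALERTS_PER_DAY = 120_000
MAX_GROUPS_PER_AGENT = 4


def check_topology(forwards_to, alerts_per_day, agent_groups):
    """Return a list of findings for a planned configuration-group layout.

    forwards_to    {group: group it forwards alerts to, or None}
    alerts_per_day {zone group: estimated alerts forwarded per day}
    agent_groups   {agent computer: [configuration groups it reports to]}
    """
    findings = []
    zones_of = {}
    for group, target in forwards_to.items():
        if target is None:
            continue
        if target not in forwards_to:
            findings.append(f"{group}: forwards to undefined group {target}")
            continue
        zones_of.setdefault(target, []).append(group)

    for master, zones in sorted(zones_of.items()):
        # A group that both receives and forwards alerts is a third tier.
        if forwards_to[master] is not None:
            findings.append(f"{master}: receives and forwards alerts; "
                            "only two tiers are supported")
        if len(zones) > MAX_ZONES_PER_MASTER:
            findings.append(f"{master}: {len(zones)} zone groups exceed "
                            f"the limit of {MAX_ZONES_PER_MASTER}")
        total = sum(alerts_per_day.get(z, 0) for z in zones)
        if total > MAX_FORWARDED_ALERTS_PER_DAY:
            findings.append(f"{master}: {total} forwarded alerts per day exceed "
                            f"the limit of {MAX_FORWARDED_ALERTS_PER_DAY}")

    for agent, groups in sorted(agent_groups.items()):
        distinct = set(groups)
        if len(distinct) > MAX_GROUPS_PER_AGENT:
            findings.append(f"{agent}: multi-homed to {len(distinct)} groups; "
                            f"the limit is {MAX_GROUPS_PER_AGENT}")
        for g in sorted(distinct - set(forwards_to)):
            findings.append(f"{agent}: reports to undefined group {g}")
    return findings


def sample_design():
    """Constructed layout with four deliberate problems."""
    forwards_to = {
        "HQ-Master": None,
        "Zone-EU": "HQ-Master",
        "Zone-US": "HQ-Master",
        "Zone-EU-Branch": "Zone-EU",      # would create a third tier
    }
    alerts_per_day = {"Zone-EU": 70_000, "Zone-US": 60_000,
                      "Zone-EU-Branch": 5_000}
    agent_groups = {
        "EXBE01": ["Zone-EU"],
        "EXFE01": ["Zone-EU", "Zone-US", "HQ-Master",
                   "Zone-EU-Branch", "Security"],   # five groups, one undefined
    }
    return forwards_to, alerts_per_day, agent_groups


if __name__ == "__main__":
    for finding in check_topology(*sample_design()):
        print(finding)
```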