WHITE PAPER
Best Practices for Configuring BMC® Performance Manager for Microsoft Exchange Servers
Introduction
BMC Performance Manager Security
Agent Account (Agent Default Account)
Exchange Permissions
Account Roles in BMC Performance Manager for Microsoft Exchange Servers
Configuring Account Roles
Configuring Account Roles Manually
Configuring Account Roles Using the Configuration Wizard
Automatic Configuration Process
Conclusion
Sources
Introduction
E-mail and messaging applications are mission-critical tools in business environments. Business productivity and effective communication require that these applications offer 24x7 availability and perform in real time. Microsoft Exchange is the leading collaboration tool offering mail and messaging capabilities. Exchange is being deployed in the most demanding environments, including large organizations with thousands of users.
Managing these demanding environments is a challenge. BMC Performance Manager for Microsoft Exchange Servers can help administrators simplify this challenge. BMC Performance Manager for Microsoft Exchange Servers is a comprehensive monitoring solution that can help ensure the performance and availability of your Microsoft Exchange environment. Once installed and configured, it provides the PATROL Agent with access to Exchange configuration and performance data to
- provide notification about critical problems
- perform system recovery
- provide administrative control of the Exchange system
This white paper discusses the account requirements for BMC Performance Manager for Microsoft Exchange Servers 5.0.05 to be able to manage your Exchange servers and provides tips for streamlining the product configuration process.
BMC Performance Manager Security
BMC Performance Manager provides extensive security options, including a security pack for implementing security policy, a key database, and support for digital signatures. Security configurations range from simple (FIPS140 Level 0) to the most secure (FIPS140 Level 4). To best illustrate the minimal security and configuration requirements of BMC Performance Manager for Microsoft Exchange Servers, the descriptions and examples in this white paper assume the simplest security enforcement level.
The PATROL Agent (PatrolAgent.exe process) runs as a Windows service on the managed system and starts under the context of the LocalSystem account. The LocalSystem account is a special account that has complete, unrestricted access to local computer resources. On a domain controller (DC) this account has unrestricted access to the Windows Active Directory. The agent maintains a secure environment by running all child processes under the context of user accounts other than LocalSystem. The BMC Performance Manager administrator enforces system security standards by maintaining the user rights assignments of all BMC Performance Manager user accounts.
BMC Performance Manager products contain the object definitions and run-time program instructions that the agent uses to manage a particular application or operating system environment. These program instructions include byte code instructions compiled from PATROL Script Language (PSL) and external commands such as operating system-level commands and command-line interfaces. Byte code instructions are executed by the PatrolAgent.exe process running as the LocalSystem account. External commands are executed as a separate process under the context of another user account.
Agent Account (Agent Default Account)
The PATROL Agent must be configured with an agent default account. During application discovery, data collection, or menu command or recovery action processing, BMC Performance Manager program instructions might trigger the agent to start an external command. The agent runs external commands under the context of the agent default account, unless the instructions indicate to use a different account. To run the process as another account, both the name of the account and its system password are required. An incorrect password generates an error in the agent error log and the external commands are not executed.
The following figure shows sample process information from the Windows Task Manager:
In the Username column, the PatrolAgent.exe process displays SYSTEM, which indicates that the user context for this process is the LocalSystem account. The MSEXCHE2E.exe process is a collector that is defined in BMC Performance Manager for Microsoft Exchange Servers. It is shown to be running using the Administrator account.
On member servers, the agent default account can be either a local or a domain account. During agent installation, the following advanced user rights are automatically added to the account:
- Debug programs
- Increase quotas or Adjust memory quotas for a process
- Logon as a service
- Log on locally
- Profile system performance
- Replace a process level token
- Act as part of the operating system
BMC Performance Manager for Microsoft Exchange Servers further requires the agent default account to be a local administrator, but requires only a subset of the preceding user rights, as follows:
- Increase quotas or Adjust memory quotas for a process
- Replace a process level token
- Act as part of the operating system
Because of these system requirements, BMC Performance Manager administrators often choose the scope of the agent default account based on their company's security policies. The following table summarizes how agent-level security is maintained:
Exchange Permissions
Microsoft Exchange supports a variety of application-level interfaces that provide access to system configuration and performance data. Most of these interfaces require the caller to be a domain account that has been granted an Exchange administrative role. Exchange administrator roles cannot be granted to local user accounts.
These Exchange permissions requirements add new security considerations for the BMC Performance Manager administrator, such as how to
- balance a high level of system security against the account constraints of Exchange systems management
- maintain a separate span of control for the system administrator and the Exchange administrator
- minimize the number of Exchange administrative roles granted for management purposes
Exchange systems management requires performing tasks that simulate user experiences. To do this, the systems management tool must be able to access mailboxes on each Exchange server in the configuration.
Microsoft Exchange 2000 Server introduced changes to the relationship between the user account and the Exchange mailbox. Each mailbox must have an owning domain user account; a user account can own only a single mailbox. Exchange systems management tools that simulate user experience typically must use an Exchange mailbox to perform some of their tasks.
BMC Performance Manager for Microsoft Exchange Servers uses a custom mailbox on each managed server for gathering information about the Exchange information store, sending and receiving e-mail messages, and capturing service-level times for various e-mail client operations. For the Exchange administrator who needs to closely manage the delegation of Exchange administrative roles throughout the organization, these requirements can create a formidable challenge.
Example
The following figure shows Exchange System Manager with an Exchange 2000 organization named theSeeker. The organization has only a single administrative group, the Exchange default group named First Administrative Group. This Administrative Group has a single backend server, named TAGGART.
To manage this environment, BMC Performance Manager for Microsoft Exchange Servers requires
- Domain account that is the owner of a mailbox that is a member of a storage group owned by TAGGART
- Name of the mailbox that the domain account owns
- Domain account that has full access to the mailbox and has the Exchange View Only Administrator role for First Administrative Group
Note: The Exchange View Only Administrator role could be explicitly granted at the administrative group level, or it can be inherited from the organization.
The domain account requirements could be satisfied with a single account, or with two accounts with the following delegated roles:
- mailbox owning account (without any administrative privileges)
- Exchange administrator account
The default configuration options assume the simplest and quickest approach. This approach is best suited for product trials and small- to medium-sized server environments. The default steps include
- creating a new Exchange user account for the managed server
- mail-enabling the account with a mailbox name matching the account name
- adding the user account into the local Administrators Group
- granting the Exchange View Only Administrator role to the account
Example
The following scenario shows why this approach might not be suited for a large-scale environment.
You have an Exchange organization that contains 100 Exchange backend servers, defined to 4 separate Administrative Groups. Assume they are evenly divided with 25 servers per Administrative Group. To manage this environment (assuming the default configuration options), you would end up with a minimum of
- 100 mailbox-owning user accounts (each is added to the local Administrators Group on the managed system)
- 100 mailboxes (one per Exchange server)
- Exchange View Only Administrator role delegated to 100 user accounts (25 users per Administrators Group)
Additionally, each PATROL Agent would store the name and password of the Exchange user account for the managed system. In a highly secure environment with frequent password changes, this would represent a tremendous challenge: the system passwords and the corresponding agent configuration settings (saved passwords) must be kept in sync.
BMC Performance Manager for Microsoft Exchange Servers provides the ability to configure with pre-existing accounts and mailboxes, and the ability to limit enterprise-wide Exchange administrative rights to a single account. This type of configuration eliminates the administrative nightmare associated with the configuration described in the preceding example. Information about implementing this type of configuration is provided in the next section.
Account Roles in BMC Performance Manager for Microsoft Exchange Servers
System Access
Software that manages the Exchange environment must have access to many different operating system components and system interfaces, including Exchange-specific system files, directory objects, and instrumentation data.
BMC Performance Manager for Microsoft Exchange Servers requires access to each of the following items:
- message tracking log files (read access)
- database files and logs (read access)
- PATROL files and directories (read/write access)
- Windows Performance Monitor (read access)
- Windows Registry (read access)
- Windows Win32 APIs
- Microsoft Cluster API
- mapisvc.inf file (read/write access)
- Exchange 5.5 Directory Service (read/write access)
- Windows Active Directory (read access)
- Windows Management Instrumentation (read access)
- CDO for Exchange Management (CDOEXM)
- Exchange Mailbox (full access)
- MAPI Subsystem (read access)
System access requirements can be divided into three distinct system roles:
- local administrator (Agent Default Account role)
- Exchange administrator (Exchange User Account role)
- Exchange user (Exchange Mailbox role)
BMC Performance Manager for Microsoft Exchange Servers divides the management tasks according to these roles and allows you to control which account and which mailbox to assign to each role. The roles and the system resources that they access are as follows:
- Agent Account (Agent Default Account) Role
- message tracking log files
- database files and logs
- PATROL files and directories
- Windows Performance Monitor
- Windows Registry
- Windows Win32 APIs
- Microsoft Cluster API
- Exchange User Account Role
- mapisvc.inf file
- Exchange 5.5 Directory Service
- Windows Active Directory
- Windows Management Instrumentation
- CDO for Exchange Management
- Exchange Mailbox
- Exchange Mailbox Role
- MAPI subsystem
For each managed system, these roles must be delegated to system accounts that are used to perform the related functions. Although the Agent Default Account Role is listed in the configuration as a management role, you cannot alter this role through any of the BMC Performance Manager for Microsoft Exchange Servers dialog boxes. You can modify the agent account through the PATROL Agent Configuration utility or PATROL Configuration Manager (PCM).
Note: If you have a license for the BMC Performance Manager consoles, you also have a license for PCM. PCM is included with, or is a component of, the BMC Performance Manager Consoles kit.
The Configure Account Roles dialog box (shown on the next page) shows the main product configuration dialog box that you access from the BMC Performance Manager console.
This dialog box is automatically displayed when a BMC Performance Manager console is connected to an agent with BMC Performance Manager for Microsoft Exchange Servers loaded but not yet configured.
The first time that you perform a configuration on a managed system, you have the option of an express configuration (Typical) or a customized configuration (Custom). The Typical configuration uses the default options described in the "Exchange Permissions" section. To perform a Typical configuration, click Next after the dialog box is displayed. The Custom configuration uses options that you select. To perform a Custom configuration, click Exchange User Account or Exchange Mailbox and make changes on the displayed dialog boxes. Click the Agent Account (Agent Default Account) button to see information about the requirements for that role; you cannot make changes to the role from this dialog box.
Required Permissions
During the configuration of BMC Performance Manager for Microsoft Exchange Servers, each role assignment is validated for required rights and permissions before the configuration is identified as valid and complete. Required permissions are described in the following sections.
Agent Account (Agent Default Account) Role
The Agent Account role is used to access system-level files and objects. The following permissions are required:
- Act as part of the Operating System advanced user right
- Replace a process-level token advanced user right
- Increase quotas (Windows NT or 2000 advanced user right)
- Adjust memory quotas for a process (Windows 2003 advanced user right)
- Member of the local Administrators Group
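The user rights listed for the Agent Account role above, and the subset the product requires in the "Agent Account (Agent Default Account)" section, can be audited on a managed system before and after configuration. The following PowerShell script is an added example, not part of this white paper or of the BMC product: it resolves a given account to its SID, exports the local security policy with secedit.exe, and reports which of the listed rights and the local Administrators membership the account actually holds. It assumes Windows PowerShell 5.1 or later (for Get-LocalGroupMember), an elevated session, and a placeholder account name that you replace with the real agent default account.

```powershell
# Added audit script (not part of the BMC white paper or product): reports
# whether a given account holds the user rights and local Administrators
# membership that the paper lists for the Agent Default Account role.
# Assumptions: run elevated on the managed system; Windows PowerShell 5.1+
# with the Microsoft.PowerShell.LocalAccounts module; secedit.exe present.
param(
    # Constructed placeholder; replace with the real agent default account.
    [string]$Account = 'CONTOSO\svc_patrol'
)

# Privilege constants as they appear in a secedit export, mapped to the
# names used in the white paper. "Increase quotas" (NT/2000) and "Adjust
# memory quotas for a process" (2003) are the same SeIncreaseQuotaPrivilege.
$RequiredRights = [ordered]@{
    'SeTcbPrivilege'                = 'Act as part of the operating system'
    'SeAssignPrimaryTokenPrivilege' = 'Replace a process level token'
    'SeIncreaseQuotaPrivilege'      = 'Increase quotas / Adjust memory quotas for a process'
}
# Rights the agent installer adds but that this product does not require.
$InstallerOnlyRights = [ordered]@{
    'SeDebugPrivilege'         = 'Debug programs'
    'SeServiceLogonRight'      = 'Log on as a service'
    'SeInteractiveLogonRight'  = 'Log on locally'
    'SeSystemProfilePrivilege' = 'Profile system performance'
}

# secedit records principals as *SID, so resolve the account to its SID.
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
$adminsSid = 'S-1-5-32-544'   # well-known SID of the local Administrators group

# Is the account a direct member of the local Administrators group?
$isLocalAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.SID.Value -eq $sid })

# Export the local security policy and parse its [Privilege Rights] section.
$cfg = Join-Path $env:TEMP 'agent-account-rights.inf'
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = @{}
$inSection = $false
foreach ($line in Get-Content -Path $cfg) {
    if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if ($inSection -and $line -match '^(\S+)\s*=\s*(.*)$') {
        $name = $Matches[1]; $holders = $Matches[2]
        $policy[$name] = @($holders -split ',' | ForEach-Object { $_.Trim() })
    }
}
Remove-Item -Path $cfg -ErrorAction SilentlyContinue

# A right counts as held if it is granted to the account directly or, when
# the account is a local administrator, to the Administrators group. Rights
# inherited through other groups are not resolved by this script.
function Test-Right([string]$Right) {
    $holders = $policy[$Right]
    if (-not $holders) { return $false }
    if ($holders -contains "*$sid") { return $true }
    return ($isLocalAdmin -and ($holders -contains "*$adminsSid"))
}

$report = foreach ($r in @($RequiredRights.Keys) + @($InstallerOnlyRights.Keys)) {
    $required = $RequiredRights.Contains($r)
    $desc = if ($required) { $RequiredRights[$r] } else { $InstallerOnlyRights[$r] }
    [pscustomobject]@{ Right = $r; Description = $desc; Required = $required; Granted = (Test-Right $r) }
}
$report += [pscustomobject]@{
    Right = 'LocalAdministrators'; Description = 'Member of the local Administrators group'
    Required = $true; Granted = $isLocalAdmin
}
$report | Format-Table -AutoSize

# Non-zero exit when any right the product requires is missing.
$missing = $report | Where-Object { $_.Required -and -not $_.Granted }
if ($missing) {
    Write-Warning ("{0} lacks required rights: {1}" -f $Account, ($missing.Right -join ', '))
    exit 1
}
```

Run it as `.\Audit-AgentAccount.ps1 -Account 'DOMAIN\account'` from an elevated prompt. Because the script reports the installer-added rights separately from the three the product requires, it also shows which of the broader installer grants (Debug programs, Log on locally, and so on) could be removed to narrow the agent default account, which is the trade-off the paper describes between system security and the account's management scope.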
Exchange User Account Role
The Exchange User Account role is used to access the Exchange environment. The following permissions are required:
- Member of the local Administrators Group
- Full mailbox access permissions to the Exchange Mailbox
- Admin or Permissions Admin role to the Site (Exchange 5.5)
- Admin or Permissions Admin role to the Configuration (Exchange 5.5)
- Exchange View Only Administrator role at the Administrative Group (Exchange 2000/2003)
Exchange Mailbox Role
No explicit rights are required for the Exchange mailbox. The Exchange User Account must have full mailbox access.
Configuring Account Roles
You can configure account roles either manually or by using a wizard. As mentioned earlier, during configuration each role assignment is validated for required rights and permissions before the configuration is identified as being valid and complete. The configuration processes and options are described in the following sections.
Configuring Account Roles Manually
1. Access the Exchange application class menu, and choose PATROL Admin => Configure => Account Roles to display the Configure Account Roles dialog box.
2. To view agent account information, click Agent Account to display the Agent Account Role dialog box (shown here). Click Back to return to the Configure Account Roles dialog box.
Note: If you want to make changes to the Agent Account role assignment, you must use either the PATROL Agent Configuration utility or PATROL Configuration Manager.
3. To enter or change Exchange user account information, click Exchange User Account to display the Exchange User Account Role dialog box.
You can modify the following options:
- Domain\User — The fully qualified user account name. To specify an account other than the default, enter the domain and user name. (If you are configuring a node-level agent in an active-active cluster, BMC Software recommends that you enter the same Exchange user account on both nodes.)
- Create New Account — Create a new account during configuration. If you specified an account other than the default, select this option to create the account. (The account is created only if it does not already exist. Also, if you are configuring a node-level agent in an active-active cluster, BMC Software recommends that you clear the Create New Account option when you configure the second node.)
- Verify Only — Verify permissions assigned to the account without attempting to add any missing permissions. The default behavior for this role adds any required permissions that have not already been granted. (This option is ignored when the Create New Account option is selected.)
- Reset Password — Change the configured password for the account. This option is used for applying a password change to a previously configured account setting. Configuration processing also provides an option to change the system password and save it to the configuration.
The Description button provides a description of the options on this dialog box. The Recommendation button provides the recommended use of this role. (If you clear all of the options on this dialog box, BMC Performance Manager for Microsoft Exchange Servers verifies the account permissions of the specified account and adds permissions, as needed.)
The default configuration options assigned to this role instruct the configuration process to
- create a new account named host_BMC (where host is the name of the managed system).
You are prompted to enter a new password during configuration processing.
- add the user account to the local Administrators Group
- grant the Exchange View Only Administrator role to the account (Exchange 2000 and 2003 only)
- grant the Admin or Permissions Admin role at the Site or Organization to the account (Exchange 5.5 only)
- grant the Admin or Permissions Admin role at the Configuration to the Account (Exchange 5.5 only)
The default option to create a new account assumes that you have a configuration model that uses a one-to-one administrative account model. With this model, there is one Exchange administrator account per managed system. To implement a one-to-many administrative account model, you must perform the following manual steps before configuring the product:
1. Create an Exchange User Account.
2. Delegate the Admin or Permissions Admin role at the Site or Organization (Exchange 5.5 only).
3. Delegate the Admin or Permissions Admin role at the Configuration (Exchange 5.5 only).
4. Delegate the Exchange View Only Administrator role at the Administrative Group or Organization level (Exchange 2000 and 2003 only).
5. Create and mail-enable an account for each managed system (Exchange 2000 and 2003 only).
To configure using this model, clear the Create New Account and Create New Mailbox options on the Exchange User Account and Exchange Mailbox dialog boxes. Do not select the Verify Only option, so that the configuration grants full mailbox access to the Exchange User Account.
Note: You cannot use the BMC Performance Manager for Microsoft Exchange Servers Configuration Wizard (described later in this white paper) to configure a one-to-many model.
6. Click Back to return to the Configure Account Roles dialog box.
7. To enter or change Exchange mailbox information, click Exchange Mailbox to display the Exchange Mailbox Role dialog box.
You can modify the following options:
- Mailbox Alias — The default is host_BMC. To specify a mailbox other than the default, enter the mailbox name.
- Create New Mailbox — Create a new mailbox during configuration. If you specified a mailbox other than the default, select this option to create it. (The mailbox is created only if it does not already exist. The owner is the user account that was assigned to the Exchange User Account role.)
- Verify Only — Verify the mailbox access permissions of the Exchange User Account without attempting to add any missing permissions. The default behavior for this role adds any required permissions that have not already been granted to the account. (This option is ignored when the Create New Mailbox option is selected.)
The Description button provides a description of the fields on this dialog box.
8. Click Back to return to the Configure Account Roles dialog box.
9. Click Next to display a confirmation Configure Account Roles dialog box.
10. Confirm your entries and selections.
- If you need to change an account setting, click Back to return to the Configure Account Roles dialog box.
- If the settings are correct, click Next to make the changes.
A confirmation screen shows each of the processing steps for the configuration.
When configuration processing begins, each role assignment is validated for the required rights and permissions before the configuration is identified as valid and complete. A configuration report is generated showing the results of each processing step and is displayed upon completion of the configuration process. You can print the report.
11. Clear the View Details option if you do not want to review the details of the configuration.
12. Click Finish.
Configuring Account Roles Using the Configuration Wizard
The configuration dialog box is designed to configure a single managed system. For environments with many servers, that approach can be time consuming and tedious. BMC Performance Manager for Microsoft Exchange Servers includes a configuration wizard for generating agent rulesets used for automatic configuration. This wizard generates two rulesets:
- Domain ruleset — MSEXCHSetup/AutoConfig/defAccount. This value is assigned a string that contains the username and encrypted password of the configuration account. The format is domain/user/password.
- Modified host mailbox ruleset — MSEXCHSetup/AutoConfig/mailboxAccount. This value is assigned a string that contains the name of the Exchange mailbox and encrypted password. For Exchange 2000 or later, this string also represents the username and password of the account that owns the mailbox. The format is user/password.
Note: This ruleset is generated only when the default mailbox name or mailbox password is modified for a host in the Configure Multiple Exchange servers page of the wizard. There is one ruleset for each modified host mailbox.
The rulesets generated by the BMC Performance Manager for Microsoft Exchange Servers Configuration Wizard are imported into PCM (which is required to use the configuration wizard) and deployed to managed systems. Once deployed, the rulesets trigger BMC Performance Manager for Microsoft Exchange Servers to process the Exchange User Account and Exchange Mailbox account roles.
The BMC Performance Manager for Microsoft Exchange Servers Configuration Wizard initial window (shown here) provides two main options:
- Configure multiple servers — an option for generating rulesets to configure one or more servers discovered in the Windows network. This option generates one or more rulesets based on the options selected.
- Configure a single server — an option for configuring a single server using default options. This option prompts for all user input and does not provide Windows network discovery.
1. Select a configuration option.
You are prompted to enter the location in which to save your rulesets and if you want to generate a UNIX shell script.
2. After you have made these selections, click Next.
If you selected the Configure multiple servers option, the next page lists all of the Windows domains found using Windows network discovery.
A. Select a domain and configuration account for the domain and enter the configuration account password.
B. From the Available Servers list, select the servers to be configured, which are then displayed in the Selected Servers list. You can override the Exchange User Account name for a server by clicking in the Mailbox column for the server.
C. Click the Save button to generate one or more rulesets for the configuration.
If you selected the Configure a single server option, the next page prompts for user input without providing selection lists. The information is validated over the network. If you selected this option, you cannot change the Exchange Mailbox name. The default Exchange Mailbox name is host_BMC. Click the Save button to generate one ruleset for the configuration.
Ruleset-based configuration is referred to as automatic configuration. The processing behavior for this type of configuration is somewhat different than the dialog-based approach.
Automatic Configuration Process
Automatic configuration is performed by BMC Performance Manager for Microsoft Exchange Servers. The MSEXCH_Server application class discovery detects automatic configuration rules and applies those rules to the configuration. All messages are written to the BMC Performance Manager console system output window.
Automatic configuration does not provide the same flexibility as the Configuration Account Roles dialog box. When you configure using rulesets, the configuration rules use the following implementation scheme:
- Default ruleset, MSEXCHSetup/AutoConfig/defAccount, is assigned the credentials for a configuration account, which is used to process the configuration. The configuration account ruleset is first validated for required permissions.
- Exchange Mailbox name (and owning account for Exchange 2000 and 2003 servers) is read from the MSEXCHSetup/AutoConfig/mailboxAccount ruleset. If this ruleset is missing, then the default name, host_BMC, is used.
- Exchange User Account is created (if it does not already exist).
- Exchange User Account is delegated to the required Exchange administrative roles.
- Exchange User Account is mail-enabled and assigned a mailbox alias with the same name (if not already enabled and assigned).
- Configuration is validated and required agent configuration variables are saved, indicating the configuration is complete.
This type of configuration allows the BMC Performance Manager administrator to streamline the configuration process for a large number of managed systems. The configuration process can be distributed to all of the deployed managed systems concurrently.
Conclusion
The configuration process for BMC Performance Manager for Microsoft Exchange Servers recognizes the value of Exchange system management. The process is simple, robust, and provides options for all types of users. Configuration features are provided for trial users, custom users, and power users.
- For the trial user, default options perform account and mailbox creation and permissions delegation.
- For the custom user, modifiable options allow the user to set up accounts and permissions before configuring and to perform post-configuration actions.
- For the power user, product configuration can be streamlined by distributing the configuration process to managed systems through the use of automatic processing.
Sources
- PATROL Agent Reference Manual
- PATROL 7 Security Implementation: Securing the Data in Your PATROL-Managed Environment
- PATROL for Microsoft Windows Server Getting Started
- PATROL for Microsoft Exchange Servers Getting Started
- BMC Performance Manager for Servers
- BMC Performance Manager for Microsoft Exchange Servers
- BMC Performance Manager for Servers online Help
- BMC Performance Manager for Microsoft Exchange Servers online Help
Helping You Maintain Advantage
BMC Software Education Services offers a strategic investment for your business, maximizing the value for your employees and Business Service Management initiatives. Education ensures successful product implementation, promoting mastery of all product capabilities and highest productivity with your BMC Software solutions.
To explore our education offerings, visit our web page at http://www.bmc.com/bmceducation, or contact BMC Software Education Services by telephone or e-mail:
- North America
Telephone: 800 574 4262
E-mail: education@bmc.com
- Asia Pacific
Telephone: +61 3 9657 4404
E-mail: ISD_AP@bmc.com
- Europe, Middle East, and Africa (EMEA)
Telephone: 00800 26233822
E-mail: emea_education@bmc.com
Copyright 2005 BMC Software, Inc., as an unpublished work. All rights reserved.
BMC Software, the BMC Software logos, and all other BMC Software product or service names are registered trademarks or trademarks of BMC Software, Inc.
All other trademarks belong to their respective companies.
July 15, 2005
About BMC Software
BMC Software, Inc. [NYSE:BMC], is a leading provider of enterprise management solutions that empower companies to manage their IT infrastructure from a business perspective. Delivering Business Service Management, BMC Software solutions span enterprise systems, applications, databases, and service management. Founded in 1980, BMC Software has offices worldwide and fiscal 2003 revenues of more than $1.3 billion. For more information about BMC Software, visit www.bmc.com.