test-Imapconnectivity together with PS1,VBS and R2

Posted: 21st June 2009 by Anders Bengtsson in Scripts

The Exchange 2007 management packs runs a number of test power shell cmdlet to check that Exchange is working. In some scenarios you cannot use the standard Exchange test cmdlet created by the New-TestCasConnectivityUser.ps1 script. For example in scenarios with complex namespaces or security requirements. In the Ops Mgr 2007 SP1 Exchange 2007 MP (converted) you can override the cmdlet command but The MSExchangeMonitoring service do not support scripts and only a limited set of Exchange cmdlets (test-*) and parameters (positional parameters are not allowed). The accepted syntax is also more restricted than the one accepted by the Exchange Management Shell. So even if you add parameters to the cmdlet it will not work with Ops Mgr. The new Exchange 2007 MP for Ops Mgr R2 do not support override of the cmdlet command at all, but it includes a lot of other great news.

In this example I will run the test-Imapconnectivity cmdlet with the HQ\svc-opsmgr-exchange account. I will run the power shell commands from a vbscript, then picks up the result, analyze it and send it back to Ops Mgr. I use a file, C:\cred.txt, to store the password for the test user (hq\svc-opsmgr-exchange). This file is encrypted (by a PowerShell command) and can only be used by the user created it. That is why the run as profile is so important.

There are a couple of steps to make this work

1. Create a encrypted password file on the affected machines (C:\cred.txt). More info about that file here.

2. Create a management pack to discover the exchange machines you want to use. The class that the management pack discover will be used as target for your run-as profile and for the monitor.

3. Create a two state monitor with the script and settings below, configure it to run for example every 15 minute
Unhealthy Expression: Property[@Name=’ImapConnectivity’] Does not equal Ok
Healthy Expression: Property[@Name=’ImapConnectivity’] equals Ok
Under alerting you can add $Data/Context/Property[@Name=’ImapConnectivity’]$ to see the status and also $Data/Context/Property[@Name=’varPSResult’]$ to see the result from the power shell command.

4. Configure a account and a run-as profile with the same account as you used to encrypt the password file

5. Configure your monitor to use this profile. This can (as far as I know) only be done direct in XML or in the Authoring Console

6. Import everything into Operations Manager and verify your run-as profile and your account. It is important that both your monitor is configure to use the run as profile and that your profile target the affected class/object.

The script:

pscommand = "Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin; $pass = get-content C:\cred.txt | convertto-securestring; $credential = new-object -typename System.Management.Automation.PSCredential -argumentlist 'hq\svc-opsmgr-exchange',$pass; $Result = Test-ImapConnectivity -MailboxCredential:$Credential -MonitoringContext:$true -ConnectionType:2 -TrustAnySSLCertificate:$true -LightMode:$true | ft Result; $Result"
cmd = "powershell.exe " & pscommand
Set shell = CreateObject("WScript.Shell")
Set executor = shell.Exec(cmd)
executor.StdIn.Close

varPSResult = executor.StdOut.ReadAll
varString = InStr(varPSResult, "Success")

Dim oAPI, oBag
Set oAPI = CreateObject("MOM.ScriptAPI")
Set oBag = oAPI.CreatePropertyBag()

Call oBag.AddValue("Result",varPSResult)
Call oBag.AddValue("varString",varString)

If varString = 0 Then
Call oBag.AddValue("ImapConnectivity","Error")
Call oAPI.Return(oBag)
Else
Call oBag.AddValue("ImapConnectivity","Ok")
Call oAPI.Return(oBag)
End If

Thanks to Pete Zerger (the run-as profile jedi) and Marco Shaw