Hello, voici quelques commandes PowerShell pour checker la santé de vos serveurs de messagerie. Exchange Server TroubleShooting sur Exchange Server 2013 CU23.
Ce qu’il vous faut :
- Votre infrastructure Exchange
- Console PowerShell/EMS
Voir mes articles sur l’installation et la configuration Exchange Server 2016 :
- Partie 1 : deploiement-exchange-server-2016-partie-1/
- Partie 2 : deploiement-exchange-server-2016-partie-2/
- Partie 3 : deploiement-exchange-server-2016-partie-3/
- Partie 4 : deploiement-exchange-server-2016-partie-4/
- Partie 5 : deploiement-exchange-server-2016-partie-5/
- Partie 6 : deploiement-exchange-server-2016-partie-6/
Rôle Transport Edge (DMZ) :
- Partie 1 : installation-role-transport-edge-2016-partie-1/
- Partie 2 : installation-role-transport-edge-2016-partie-2/
- Partie 3 :installation-role-transport-edge-2016-partie-3/
Serveur DAG : haute-disponibilite-exchange-2016-serveur-dag/
Mes articles sur la supervision des serveurs Exchange :
- NRPE Partie 1 : supervision-exchange-avec-centreon-nrpe-nsclient-partie-1/
- NRPE Partie 2 : supervision-exchange-avec-centreon-nrpe-nsclient-partie-2/
- NRPE Partie 3 : supervision-exchange-avec-centreon-nrpe-nsclient-part-3/
Supervision d’un serveur hébergeant Exchange : https://pixelabs.fr/supervision-exchange-server-2016-avec-centreon/
Ressources Exchange Server :
- Microsoft Exchange Server Script : microsoft.github.io/CSS-Exchange/
- Rapport par mail (voir tout en bas) : Test-ExchangeServerHealth.ps1
Exchange Server TroubleShooting
Vous avez dans le lien Microsoft ci-dessus ce qu’il faut déjà pour vérifier la santé de votre infrastructure Exchange.
Testons l’un des scripts (Exchange Server security best practices) : Exchange Server HealthChecker.ps1
- Exchange Server 2013
- Exchange Server 2016
- Exchange Server 2019
Ce script permet donc de vérifier la santé de votre serveur Exchange. Il va également vous indiquer si votre serveur est mal paramétré, vérifier les patchs de sécurité…etc.
Vous avez des exemples dans le script :
.EXAMPLE
.\HealthChecker.ps1 -Server SERVERNAME
Run against a single remote Exchange server
.EXAMPLE
.\HealthChecker.ps1 -Server SERVERNAME -MailboxReport -Verbose
Run against a single remote Exchange server with verbose logging and mailbox report enabled.
.EXAMPLE
Get-ExchangeServer | ?{$_.AdminDisplayVersion -Match "^Version 15"} | %{.\HealthChecker.ps1 -Server $_.Name}
Run against all Exchange 2013/2016 servers in the Organization.
.EXAMPLE
.\HealthChecker.ps1 -LoadBalancingReport
Run a load balancing report comparing all Exchange 2013/2016 CAS servers in the Organization.
.EXAMPLE
.\HealthChecker.ps1 -LoadBalancingReport -CasServerList CAS01,CAS02,CAS03
Run a load balancing report comparing servers named CAS01, CAS02, and CAS03.Connectez-vous à votre serveur Exchange via une console PowerShell (depuis votre poste ou directement sur votre serveur Exchange) :
Remarque : une fois le scripts téléchargé, effectuer un clic-droit > propriété et débloquer l’exécution du script.
Lancer la console PowerShell en tant qu’admin sinon, vous aurez l’erreur suivante :
PS D:\PowerShell> .\HealthChecker.ps1 -Server exch-serv-04 Failed to load Exchange Shell... stopping script
Lancer le script directement et attendez quelques secondes. Le résultat sera affiché directement à l’écran et un fichier TXT et XML seront générés dans le même répertoire que le script.
Il ne reste plus qu’a corriger les erreurs en rouge, mais aussi des warnings en jaune (orange ci-dessous).
Voici le résultat sur un Exchange Server 2013 sous Windows Server 2012 R2:
Exchange Health Checker version 21.09.07.1538 Exchange Information -------------------- Name: exch-serv-04 Generation Time: 09/17/2021 19:52:22 Version: Exchange 2013CU23 Build Number: 15.0.1497.2 Exchange IU or Security Hotfix Detected. Security Update for Exchange Server 2013 Cumulative Update 23 (KB5000871) Server Role: MultiRole DAG Name: EX-MAIL-DAG AD Site: PIXELABS MAPI/HTTP Enabled: False MAPI Front End App Pool GC Mode: Server Exchange Server Maintenance: Server is not in Maintenance Mode Operating System Information ---------------------------- Version: Microsoft Windows Server 2012 R2 Standard System Up Time: 7 day(s) 1 hour(s) 7 minute(s) 6 second(s) Time Zone: Paris, Madrid Dynamic Daylight Time Enabled: True .NET Framework: 4.8 Page File Size: 11763MB Warning: Pagefile should be capped at 32778MB for 32GB plus 10MB - Article: https://aka.ms/HC-SystemRequirements2016#hardware-requirements-for-exchange-2016 Power Plan: Performances élevées Http Proxy Setting: Visual C++ 2012: Redistributable is outdated Visual C++ 2013: Redistributable is outdated Note: For more information about the latest C++ Redistributeable please visit: https://aka.ms/HC-LatestVC This is not a requirement to upgrade, only a notification to bring to your attention. Server Pending Reboot: False Processor/Hardware Information ------------------------------ Type: Physical Manufacturer: Dell Inc. Model: PowerEdge R730 Processor: Intel(R) Xeon(R) CPU E5-2620 v3 @ 2.40GHz Number of Processors: 2 Number of Physical Cores: 12 Number of Logical Cores: 12 Hyper-Threading: Disabled All Processor Cores Visible: Passed Max Processor Speed: 2400 Physical Memory: 64 GB NIC Settings Per Active Adapter ------------------------------- Interface Description: Microsoft Network Adapter Multiplexor Driver [T-LAN] Warning: NIC driver is over 1 year old. Verify you are at the latest version. Driver Date: 2006-06-21 Driver Version: 6.3.9600.16384 MTU Size: 1500 Max Processors: 4 Max Processor Number: 11 Number of Receive Queues: 0 RSS Enabled: True Link Speed: 2000 Mbps IPv6 Enabled: False IPv4 Address: Address: 10.186.1.6\24 Gateway: 10.186.1.240 Address: 10.186.1.4\24 Gateway: IPv6 Address: DNS Server: 10.100.60.104 10.100.60.103 10.100.60.103 Registered In DNS: True Interface Description: Microsoft Network Adapter Multiplexor Driver #2 [T-REPL] Warning: NIC driver is over 1 year old. Verify you are at the latest version. Driver Date: 2006-06-21 Driver Version: 6.3.9600.16384 MTU Size: 1500 Max Processors: 4 Max Processor Number: 11 Number of Receive Queues: 0 RSS Enabled: True Link Speed: 2000 Mbps IPv6 Enabled: False IPv4 Address: Address: 192.168.95.4\24 IPv6 Address: DNS Server: Registered In DNS: False Multiple active network adapters detected. Exchange 2013 or greater may not need separate adapters for MAPI and replication traffic. For details please refer to https://aka.ms/HC-PlanHA#network-requirements Disable IPv6 Correctly: True Frequent Configuration Issues ----------------------------- TCP/IP Settings: 1800000 RPC Min Connection Timeout: 0 More Information: https://aka.ms/HC-RPCSetting FIPS Algorithm Policy Enabled: 0 CTS Processor Affinity Percentage: 0 Credential Guard Enabled: False EdgeTransport.exe.config Present: True Security Settings ----------------- LmCompatibilityLevel Settings: 3 Description: Clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication. TLS 1.0 Server Enabled: True Server Disabled By Default: False Client Enabled: True Client Disabled By Default: False TLS 1.1 Server Enabled: True Server Disabled By Default: False Client Enabled: True Client Disabled By Default: False TLS 1.2 Server Enabled: True Server Disabled By Default: False Client Enabled: True Client Disabled By Default: False SystemDefaultTlsVersions: False SystemDefaultTlsVersions - Wow6432Node: False SchUseStrongCrypto: False SchUseStrongCrypto - Wow6432Node: False SecurityProtocol: Ssl3, Tls Certificate: FriendlyName: mail.pixelabs.fr Thumbprint: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Lifetime in days: 586 Certificate has expired: False Certificate status: Unknown Key size: 2048 Signature Algorithm: sha256RSA Signature Hash Algorithm: sha256 Current Auth Certificate: False SAN Certificate: True Namespaces: mail.pixelabs.fr exch-serv-01 exch-serv-01.pixelabs.lan exch-serv-02 exch-serv-02.pixelabs.lan exch-serv-03 exch-serv-03.pixelabs.lan exch-serv-04 exch-serv-04.pixelabs.lan Certificate: FriendlyName: Microsoft Exchange Server Auth Certificate Thumbprint: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Lifetime in days: 1677 Certificate has expired: False Certificate status: Unknown Key size: 2048 Signature Algorithm: sha256RSA Signature Hash Algorithm: sha256 Current Auth Certificate: True SAN Certificate: False Namespaces: Microsoft Exchange Server Auth Certificate Certificate: FriendlyName: WMSvc-exch-serv-04 Thumbprint: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Lifetime in days: 1665 Certificate has expired: False Certificate status: Unknown Key size: 2048 Signature Algorithm: sha1RSA Signature Hash Algorithm: sha1 It's recommended to use a hash algorithm from the SHA-2 family More information: https://aka.ms/HC-SSLBP Current Auth Certificate: False SAN Certificate: False Namespaces: WMSvc-exch-serv-04 Valid Auth Certificate Found On Server: True SMB1 Installed: True SMB1 Blocked: False SMB1 should be uninstalled SMB1 should be blocked More Information: https://aka.ms/HC-SMB1 Security Vulnerability: CVE-2021-28480 See: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-28480 for more information. Security Vulnerability: CVE-2021-28481 See: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-28481 for more information. Security Vulnerability: CVE-2021-28482 See: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-28482 for more information. Security Vulnerability: CVE-2021-28483 See: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-28483 for more information. Security Vulnerability: CVE-2021-31195 See: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-31195 for more information. Security Vulnerability: CVE-2021-31198 See: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-31198 for more information. Security Vulnerability: CVE-2021-31207 See: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-31207 for more information. Security Vulnerability: CVE-2021-31209 See: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-31209 for more information. Security Vulnerability: CVE-2021-31206 See: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-31206 for more information. Security Vulnerability: CVE-2021-31196 See: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-31196 for more information. Security Vulnerability: CVE-2021-33768 See: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-33768 for more information. Security Vulnerability: CVE-2021-34470 See: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-34470 for more information. Security Vulnerability: CVE-2021-34470 PrepareSchema required: https://aka.ms/HC-July21SU Exchange Web App Pools ---------------------- AppPoolName State GCServerEnabled RestartConditionSet ----------- ----- --------------- ------------------- MSExchangeOWAAppPool Started False False MSExchangeECPAppPool Started False False MSExchangeMapiAddressBookAppPool Started False False MSExchangeRpcProxyFrontEndAppPool Started False False MSExchangePowerShellAppPool Started False False MSExchangePowerShellFrontEndAppPool Started False False MSExchangeMapiFrontEndAppPool Started True False MSExchangeMapiMailboxAppPool Started False False MSExchangeOABAppPool Started False False MSExchangePushNotificationsAppPool Started False False MSExchangeOWACalendarAppPool Started False False MSExchangeAutodiscoverAppPool Started False False MSExchangeServicesAppPool Started False False MSExchangeSyncAppPool Started False False MSExchangeRpcProxyAppPool Started False False Output file written to .\HealthChecker-exch-serv-04-20210917195126.txt Exported Data Object Written to .\HealthChecker-exch-serv-04-20210917195126.xml
Autant dire que mon serveur va mal niveau sécurité… 🙂
Bref, je vous laisse explorer les autres scripts.
Exchange Services Status
Voici quelques commandes sympa à connaître pour vérifier les services Exchange.
Vérifier les services Exchange :
[PS] C:\Windows\system32> Get-Service -ComputerName "exch-serv-04" -Name *Exchange* | Format-Table -AutoSize Status Name DisplayName ------ ---- ----------- Running AvamarExchangeGLR EMC Avamar Exchange GLR Service Running MSExchangeADTopology Topologie Active Directory Microsoft Exchange Running MSExchangeAntispamUpdate Mise à jour de la fonction anti-spam Microsoft Exchange Running MSExchangeDagMgmt Gestion de DAG Microsoft Exchange Running MSExchangeDelivery Remise de transport de boîte aux lettres Microsoft Exchange Running MSExchangeDiagnostics Microsoft Exchange Diagnostics Running MSExchangeEdgeSync Microsoft Exchange EdgeSync Running MSExchangeFastSearch Microsoft Exchange Search Running MSExchangeFrontEndTransport Transport frontal Microsoft Exchange Stopped MSExchangeHM Gestionnaire d'intégrité Microsoft Exchange Running MSExchangeImap4 Microsoft Exchange IMAP4 Running MSExchangeIMAP4BE IMAP4 principal de Microsoft Exchange Running MSExchangeIS Banque d'informations Microsoft Exchange Running MSExchangeMailboxAssistants Assistants de boîte aux lettres Microsoft Exchange Running MSExchangeMailboxReplication Réplication de boîte aux lettres Microsoft Exchange Running MSExchangePop3 Microsoft Exchange POP3 Running MSExchangePOP3BE POP3 principal Microsoft Exchange Running MSExchangeRepl Réplication de Microsoft Exchange Running MSExchangeRPC Service d'accès au client RPC Microsoft Exchange Running MSExchangeServiceHost Hôte de services Microsoft Exchange Running MSExchangeSubmission Transmission de transport de boîte aux lettres Microsoft Exchange Running MSExchangeThrottling Limitation Microsoft Exchange Running MSExchangeTransport Transport Microsoft Exchange Running MSExchangeTransportLogSearch Recherche de journal de transport Microsoft Exchange Running MSExchangeUM Messagerie unifiée de Microsoft Exchange Running MSExchangeUMCR Routeur d'appel de messagerie unifiée Microsoft Exchange Running SearchExchangeTracing Tracing Service for Search in Exchange Stopped vmickvpexchange Service Échange de données Microsoft Hyper-V Running vrnsExchangeCommit Varonis Exchange Commit Agent Stopped wsbexchange Microsoft Exchange Server Extension for Windows Server Backup
Il y a aussi cette commande :
[PS] C:\Windows\system32> Test-ServiceHealth -Server exch-serv-04 Role : Rôle serveur de boîtes aux lettres RequiredServicesRunning : True ServicesRunning : {IISAdmin, MSExchangeADTopology, MSExchangeDelivery, MSExchangeIS, MSExchangeMailboxAssistants, MSExchangeRepl, MSExchangeRPC, MSExchangeServiceHost, MSExchangeSubmission, MSExchangeThrottling, MSExchangeTransportLogSearch, W3Svc, WinRM} ServicesNotRunning : {} Role : Rôle serveur d'accès au client RequiredServicesRunning : True ServicesRunning : {IISAdmin, MSExchangeADTopology, MSExchangeIMAP4, MSExchangeMailboxReplication, MSExchangePOP3, MSExchangeRPC, MSExchangeServiceHost, W3Svc, WinRM} ServicesNotRunning : {} Role : Rôle serveur de messagerie unifiée RequiredServicesRunning : True ServicesRunning : {IISAdmin, MSExchangeADTopology, MSExchangeServiceHost, MSExchangeUM, W3Svc, WinRM} ServicesNotRunning : {} Role : Rôle serveur de transport Hub RequiredServicesRunning : True ServicesRunning : {IISAdmin, MSExchangeADTopology, MSExchangeEdgeSync, MSExchangeServiceHost, MSExchangeTransport, MSExchangeTransportLogSearch, W3Svc, WinRM} ServicesNotRunning : {}
Si un service n’est pas démarré, il apparait dans la ligne rouge.
Pour démarrer un service :
PS D:\PowerShell> Set-Service -ComputerName "exch-serv-04" -Name IISAdmin -Status RunningExchange Components Status
Vérifier les composants Exchange :
PS D:\PowerShell> Get-ServerComponentState -Identity hd-mail-a-01 Server Component State ------ --------- ----- EXCH-SERV-04.PIXELABS.LAN ServerWideOffline Active EXCH-SERV-04.PIXELABS.LAN HubTransport Active EXCH-SERV-04.PIXELABS.LAN FrontendTransport Active EXCH-SERV-04.PIXELABS.LAN Monitoring Active EXCH-SERV-04.PIXELABS.LAN RecoveryActionsEnabled Active EXCH-SERV-04.PIXELABS.LAN AutoDiscoverProxy Active EXCH-SERV-04.PIXELABS.LAN ActiveSyncProxy Active EXCH-SERV-04.PIXELABS.LAN EcpProxy Active EXCH-SERV-04.PIXELABS.LAN EwsProxy Active EXCH-SERV-04.PIXELABS.LAN ImapProxy Active EXCH-SERV-04.PIXELABS.LAN OabProxy Active EXCH-SERV-04.PIXELABS.LAN OwaProxy Active EXCH-SERV-04.PIXELABS.LAN PopProxy Active EXCH-SERV-04.PIXELABS.LAN PushNotificationsProxy Active EXCH-SERV-04.PIXELABS.LAN RpsProxy Active EXCH-SERV-04.PIXELABS.LAN RwsProxy Active EXCH-SERV-04.PIXELABS.LAN RpcProxy Active EXCH-SERV-04.PIXELABS.LAN UMCallRouter Active EXCH-SERV-04.PIXELABS.LAN XropProxy Active EXCH-SERV-04.PIXELABS.LAN HttpProxyAvailabilityGroup Active EXCH-SERV-04.PIXELABS.LAN ForwardSyncDaemon Inactive EXCH-SERV-04.PIXELABS.LAN ProvisioningRps Inactive EXCH-SERV-04.PIXELABS.LAN MapiProxy Active EXCH-SERV-04.PIXELABS.LAN EdgeTransport Active EXCH-SERV-04.PIXELABS.LAN HighAvailability Active EXCH-SERV-04.PIXELABS.LAN SharedCache Active PS D:\PowerShell>
Pour démarrer un composant :
PS D:\PowerShell> Set-ServerComponentState -Identity "exch-serv-04" -Component ImapProxy -State Active -Requester HealthAPI
Exchange Replication Status
Tester l’état de la réplication :
PS D:\PowerShell> Test-ReplicationHealth -Identity EXCH-SERV-04 Server Check Result Error ------ ----- ------ ----- EXCH-SERV-04 ClusterService Transmis EXCH-SERV-04 ReplayService Transmis EXCH-SERV-04 ActiveManager Transmis EXCH-SERV-04 TasksRpcListener Transmis EXCH-SERV-04 TcpListener Transmis EXCH-SERV-04 ServerLocatorService Transmis EXCH-SERV-04 DagMembersUp Transmis EXCH-SERV-04 MonitoringService Transmis EXCH-SERV-04 ClusterNetwork Transmis EXCH-SERV-04 QuorumGroup Transmis EXCH-SERV-04 FileShareQuorum Transmis EXCH-SERV-04 DatabaseRedundancy Transmis EXCH-SERV-04 DatabaseAvailability Transmis EXCH-SERV-04 DBCopySuspended Transmis EXCH-SERV-04 DBCopyFailed Transmis EXCH-SERV-04 DBInitializing Transmis EXCH-SERV-04 DBDisconnected Transmis EXCH-SERV-04 DBLogCopyKeepingUp Transmis EXCH-SERV-04 DBLogReplayKeepingUp Transmis PS D:\PowerShell>
Exchange Databases Status
Tester l’état des bases de données (lancer les commandes depuis le Shell Exchange) :
PS D:\PowerShell> Get-MailboxDatabase -Status | Format-Table Identity, Server, MountedPS D:\PowerShell> Get-MailboxDatabase | Format-Table Identity, Server, ActivationPreference -AutoSizePS D:\PowerShell> Get-MailboxServer | Get-MailboxDatabaseCopyStatus | Sort-Object Name | Format-Table -AutoSizeExchange Health Mail Report (HTML)
Un script pour recevoir un rapport complet par mail sur l’état des serveurs Exchange au format HTML.
Il est ici : Test-ExchangeServerHealth.ps1
- Written by: Paul Cunningham
- Compatible Exchange Server 2013 et plus
Exemple d’utilisation dans le script :
.EXAMPLE .\Test-ExchangeServerHealth.ps1 Checks all servers in the organization and outputs the results to the shell window. .EXAMPLE .\Test-ExchangeServerHealth.ps1 -Server HO-EX2010-MB1 Checks the server HO-EX2010-MB1 and outputs the results to the shell window. .EXAMPLE .\Test-ExchangeServerHealth.ps1 -ReportMode -SendEmail Checks all servers in the organization, outputs the results to the shell window, a HTML report, and emails the HTML report to the address configured in the script.
Il faut modifier quelques lignes. Ouvrir le script avec NotePad++
- Le titre (facultatif) : Ligne : 182 :
$reportemailsubject = "Exchange Server Health Report" - Paramètre SMTP pour l’envoi de rapport par mail : Ligne : 190-194
$smtpsettings = @{
To = "sysadmin@pixelabs.fr"
From = "MyAwesomeExchange@pixelabs.fr"
Subject = "$reportemailsubject - $now"
SmtpServer = "smtp.pixelabs.fr"
}Et bien sur, il faut modifier quelques mots en anglais pour que le script fonctionne sur un serveur FR. Si vos serveurs sont en anglais, ne rien modifier ci-dessous.
Ligne : 203 – 2010
# The server roles must match the role names you see when you run Test-ServiceHealth. $casrole = "Client Access Server Role" $htrole = "Hub Transport Server Role" $mbrole = "Mailbox Server Role" $umrole = "Unified Messaging Server Role" # This should match the word for "Success", or the result of a successful Test-MAPIConnectivity test $success = "Success"
Remplacer par :
# The server roles must match the role names you see when you run Test-ServiceHealth. $casrole = "Rôle serveur d'accès au client" $htrole = "Rôle serveur de transport Hub" $mbrole = "Rôle serveur de boîtes aux lettres" $umrole = "Rôle serveur de messagerie unifiée" # This should match the word for "Success", or the result of a successful Test-MAPIConnectivity test $success = "Réussite"
Enregistrer et lancer le script depuis votre serveur Exchange via la console EMS (Shell) :
Quelques secondes après, vous allez recevoir un mail au format HTML avec 4 tableaux bien détaillés.
Quelques screenshot :
Serveur DAG :
Il ne vous reste plus qu’a mettre ce script en tâche planifiée pour recevoir un rapport chaque semaine par exemple.
C’est terminé pour aujourd’hui. Amusez-vous bien.
Bonne journée et à bientôt 🙂
