Check Exchange configuration Change


This topic contains 6 replies, has 3 voices, and was last updated by Alain Laventure 2 years, 4 months ago.

  • #17847
    Alain Laventure
    Participant

    Hi,
    I will describe my goal.

    My goal is to monitor all configuration changes in my Exchange environment.

    For that I will need to build some custom resources to do this job (I know how to create a custom resource).
    By default the MOF is run with the Local System account; with this account the resource will not be able to connect to Exchange.
    The custom resource must be able to connect to Exchange and be able to read and write values in Exchange, so the resource or the MOF must be run with a user that has permissions in Exchange.

    Here is an example command.
    I want to collect the value of DeletedItemRetention for the mailbox database MDB01:

    $D = Get-MailboxDatabase $MDBname | Select DeletedItemRetention

    How can I pass this Exchange user to be able to execute the resource?
    All tests that I have done failed.

    Thanks

  • #17901
    Don Jones
    Keymaster

    This is more an Exchange question, I guess. How would you manually connect to, and query, an Exchange server while providing alternate credentials? For example, do the commands support the use of alternate credentials by using a parameter? In other words, whatever commands you need to run must themselves support the use of alternate credentials.

  • #17948
    Alain Laventure
    Participant

    Hi Don

    I know that the problem is not an Exchange problem but a problem of a credential with the Exchange permissions.
    Many Exchange cmdlets support a credential, but many don't.
    Get-Mailbox can be run with a credential;
    Get-MailboxDatabase cannot.
    If DSC finds the value is false, DSC will call Set-TargetResource
    to run this kind of cmdlet:
    Set-MailboxDatabase MDB01 -DeletedItemRetention 30

    Is it possible to run the DSC agent with an alternate credential? If yes,
    all Exchange cmdlets can be run with this user; it would be simpler.

    Thanks

  • #17959
    Don Jones
    Keymaster

    No, I don't believe the Local Configuration Manager can be safely run under an alternate account. Keep in mind that it isn't an "agent" or "service."

  • #17963
    Alain Laventure
    Participant

    Hi Don

    Do you think that if I create a PSSession with an alternate credential (with Exchange permissions) in the module and pass the PSSession to my Exchange cmdlets, I will be able to run the cmdlets as the Exchange admin user?

    If this solution works, what do you think about performance and the load on the Exchange server? I will have a lot of custom resources that will use the PSSession. The PSSession cannot be shared between each object that I want to configure in the configuration document, I think.
    Can the PSSession be shared between resources?
    We have more than 40 servers and more than 50,000 mailboxes on those boxes.

  • #17964
    Daniel Krebs
    Participant

    Alain,

    I think you're trying to use DSC for something that it was not designed for. Don, please correct me if I'm wrong. My understanding is that DSC has been designed to configure, monitor and correct the state of computers or devices. That is why the agent runs as Local System: to make local changes on computers or connect to devices related to the computer, like network switches.

    The configuration drift you're trying to prevent in Exchange sounds more like a rights or delegation issue. If only a configuration management system or a handful of trained admins were able to create and change mailboxes, you wouldn't require another system to monitor configuration drift and change values back. If you don't have a configuration management system deployed, you could still set up a scheduled task on a central system which runs a PowerShell controller script with the correct credentials to enumerate the mailboxes every day and revert changes to specific settings back to the expected values.

    Just my 2 cents.

    Best,
    Daniel

  • #17965
    Alain Laventure
    Participant

    Hi Daniel

    Thanks for your response.

    The particularity of Exchange is that some configuration is local on the server and other configuration is stored in Active Directory. To be able to read or modify that configuration you need to have some rights in Exchange.

    For example, if you want to check some attribute of one mailbox database you need to run Get-MailboxDatabase -SomeAttributes, as an example. (This information is stored in AD.) After that, if the configuration has drifted, DSC will call the Set function in the custom resource and the Set function will use the Exchange cmdlet Set-MailboxDatabase -SomeAttributes XYZ to configure this setting back to the initial configuration.

    DSC cannot read or write the Exchange configuration because the LCM runs as the Local System account on the Exchange server and the LCM has no permission to access AD.
    Exchange uses remote execution to pass the PowerShell cmdlets.

    Yes, effectively, if we don't find any solution with DSC, we have SCOM and we will pull the Exchange configuration with SCOM and compare the configuration, and if the configuration drifts, another script will adjust the drift back to the initial configuration.

    For now we prefer to try to find a solution with DSC, if we can find one, because we also have other environments (Hyper-V and other programs) that we want to use with DSC.
    We have created many DSC custom resources to install all the Exchange prerequisites, because we need only local Administrator for that.

    Thanks a lot
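The PSSession approach raised in #17963, written out as the Get/Test/Set flow described in #17965, as an added example (not code from this thread): each function opens an Exchange remote PowerShell session with a PSCredential passed in as a resource property, so Get-MailboxDatabase and Set-MailboxDatabase run as that account instead of the Local System account the LCM runs under. The endpoint URI, the database name and the use of Kerberos authentication are assumptions.

```powershell
# Added example, not the thread's code. Assumes the Exchange remote PowerShell
# endpoint $ExchangeUri and a PSCredential holding an Exchange admin account.
function Get-ExchangeSession {
    param([string]$ExchangeUri, [pscredential]$Credential)
    # Exchange's own remoting endpoint; Kerberos keeps the password off the wire
    New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $ExchangeUri `
        -Authentication Kerberos -Credential $Credential
}

function Get-TargetResource {
    [OutputType([hashtable])]
    param([Parameter(Mandatory)][string]$Database,
          [Parameter(Mandatory)][string]$DeletedItemRetention,
          [Parameter(Mandatory)][string]$ExchangeUri,
          [Parameter(Mandatory)][pscredential]$Credential)
    $s = Get-ExchangeSession $ExchangeUri $Credential
    try {
        # The cmdlet runs inside the session, i.e. as $Credential, not as the
        # Local System account the LCM itself runs under
        $current = Invoke-Command -Session $s -ScriptBlock {
            (Get-MailboxDatabase $using:Database).DeletedItemRetention.ToString()
        }
    } finally { Remove-PSSession $s }
    return @{ Database = $Database; DeletedItemRetention = $current
              ExchangeUri = $ExchangeUri; Credential = $Credential }
}

function Test-TargetResource {
    [OutputType([bool])]
    param([Parameter(Mandatory)][string]$Database,
          [Parameter(Mandatory)][string]$DeletedItemRetention,
          [Parameter(Mandatory)][string]$ExchangeUri,
          [Parameter(Mandatory)][pscredential]$Credential)
    $state = Get-TargetResource @PSBoundParameters
    # Compare as TimeSpan so '30.00:00:00' and '30' style inputs agree
    return ([timespan]($state.DeletedItemRetention) -eq [timespan]$DeletedItemRetention)
}

function Set-TargetResource {
    param([Parameter(Mandatory)][string]$Database,
          [Parameter(Mandatory)][string]$DeletedItemRetention,
          [Parameter(Mandatory)][string]$ExchangeUri,
          [Parameter(Mandatory)][pscredential]$Credential)
    $s = Get-ExchangeSession $ExchangeUri $Credential
    try {
        Invoke-Command -Session $s -ScriptBlock {
            Set-MailboxDatabase $using:Database -DeletedItemRetention $using:DeletedItemRetention
        }
    } finally { Remove-PSSession $s }
}
```

Because the credential travels in the MOF as a resource property, the MOF should be encrypted with a certificate on the target node rather than compiled with PsDscAllowPlainTextPassword, and the account should be granted only the Exchange RBAC role needed for these cmdlets. A session is opened and closed per call, which sidesteps the question of sharing one PSSession across resources at the cost of one remoting handshake per check.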
