How to troubleshoot the issue when event 9986 is not logged in MOM when you monitor Exchange Server 2003 or Exchange 2000 Server (911143)



The information in this article applies to:

  • Microsoft Exchange Server 2003 Enterprise Edition
  • Microsoft Exchange Server 2003 Standard Edition
  • Microsoft Exchange 2000 Enterprise Server
  • Microsoft Exchange 2000 Server, when used with:
    • Microsoft Operations Manager 2005
    • Microsoft Operations Manager 2000 SP1

SUMMARY

When you monitor Microsoft Exchange Server 2003 or Microsoft Exchange 2000 Server by using Microsoft Operations Manager (MOM) 2005 or Microsoft Operations Manager (MOM) 2000, the logging of event 9986 is a critical indicator of Exchange Server mailbox availability. This article describes how to troubleshoot the issue when event 9986 is not logged in MOM. Additionally, this article describes what the underlying causes may be. The information is organized under the following topics:

  • Issue: The registry key is not present
  • About the DCOM helper objects
  • Issue: The DCOM application does not run
  • Issue: The ExchKP.PubKeyPublisher object is not created
  • Conclusion

INTRODUCTION

In Microsoft Operations Manager (MOM) 2005, a mailbox access account is used to log on locally to the monitored mailboxes in an Exchange Server organization. When the mailbox access account logs on successfully to the monitored mailboxes on each Exchange server, event 9986 is generated. This article describes how to troubleshoot the issue when event 9986 is not logged on the MOM 2005 server for any one of the monitored Exchange servers.

MORE INFORMATION

MOM 2005, when deployed together with Exchange Management Pack for Exchange Server 2003, uses a verification logon script to verify mailbox availability on servers that are running Exchange Server 2003.

MOM 2005 logs on to monitored mailboxes by using a mailbox access account that has been granted rights to those mailboxes. MOM 2005 does this by decrypting a copy of the mailbox access account's credentials that have been stored in the Exchange server's registry. The credentials are encrypted and written to the registry by using either the ExchangeMOMSetCredentialUtility utility or the Exchange Management Pack Configuration Wizard.

Before the encrypted credentials can be stored in the registry on the Exchange server, a registry key must be generated by a DCOM application. The DCOM application is triggered by the "Exchange - Publish ExMP Data" script. When the script runs successfully and the registry key is generated, the following MOM event is logged for the associated Exchange server. This event can be viewed in the Operator Console of MOM 2005: Description: Successfully published Exchange Management Pack data required for performing MAPI logon on Exchange server: "Server_NAME" This event was generated by the script: "Exchange - Publish ExMP Data"
Domain: Domain_Name
Computer: Exchange_Server_Name
Time: Date Time
Type: Information
Provider Name: Script-generated
Data Event Number: 9986
Provider Type: Generic Provider
Source: Exchange MOMMOM may not log event 9986 for several reasons. This article describes how to troubleshoot the issue when event 9986 is not logged on the MOM server.

Issue: The registry key is not present

One reason that event 9986 is not logged for an Exchange server is that the registry key is not present on the Exchange server. In this case, the mailbox access account credentials will not be encrypted and stored.

If this is the case, you will receive the following error message when you run the Exchange Management Pack Configuration Wizard:
Error: Cannot configure the mailbox access account on computer <servername>. This configuration can only be made after the Exchange MOM event 9986 is registered by MOM.
You can also manually verify the registry by looking for the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExMPLS

Troubleshooting

If the registry key is not present, you must first determine what failure is preventing the registry key from being generated. The "Exchange - Publish ExMP Data" script may generate other MOM events instead of event 9986 for the Exchange server. These events indicate what the problem is.

For example, the following events may be generated in the MOM event log.
  • The following event indicates that the DCOM application that is used to create the registry key failed during execution.
    • In the Exchange 2000 Management Pack on MOM 2000 with Service Pack 1 (SP1)Event Number 9970
      Type: Error
      Source: Exchange MOM
      Description: Failed to publish Exchange Management Pack data required for performing MAPI logon on Exchange server Server_Name
    • In the Exchange 2003 Management Pack on MOM 2000 SP1 or MOM 2005Event Number 10000
      Type: Error
      Source: Exchange MOM
      Description: Failed to publish Exchange Management Pack data required for performing MAPI logon on Exchange server:"SERVER_NAME". This event was generated by the script: "Exchange - Publish ExMP Data".
  • The following event indicates that the DCOM application that was used to create the registry key is not installed or is not registered:
    • In the Exchange 2000 Management Pack on MOM 2000 SP1Event Number 9972
      Type: Error
      Source: Exchange
      MOM Description: Failed to create the object 'ExchKP.PubKeyPublisher'
    • In the Exchange 2003 Management Pack on MOM 2000 SP1 or MOM 2005Event Number 10001
      Type: Error
      Source: Exchange MOM
      Description: Failed to create the object 'EMPKP.PubKeyPublisher'. This event was generated by the script: "Exchange - Publish ExMP Data"
Note These events do not appear as alerts in MOM. Therefore, you must specifically look for these events.

After you confirm the type of event that is logged, you can continue troubleshooting. However, if these events are not logged, you must verify that the "Exchange - Publish ExMP Data" script is running without failure on the Exchange server. This script is called from the following two rules:
  • Daily Agent Mailbox data generation
  • Publish data for Agent Mailbox impersonation
By default, the first rule runs every day at 2:00 A.M. (02:00). The second rule is called whenever the "Check mailbox store availability - MAPI logon test" rule runs. If the rule determines that an Exchange server does not have the ExMPLS registry key, the rule generates event 9987. If these rules do not run, or if the script does not run, troubleshoot accordingly.

About the DCOM helper objects

MOM and the Exchange Management Pack require several DCOM applications to run on the Exchange server to implement various monitoring tasks and functions. These applications are delivered to the Exchange server through DCOM helper objects that are installed and registered on the server.

The helper objects are called by Exchange Management Pack scripts as needed. Which DCOM object is responsible for publishing the mailbox access account credential storage registry key depends on the version of MOM and of Exchange that you are running.

The helper objects for Exchange 2000 and MOM 2000 SP1

The Exchange 2000 helper objects for MOM 2000 SP1 are the ExchKP.exe file and the ExchKPps.dll file. MOM installs these files on the Exchange 2000 server when the Exchange Management Pack is deployed and when the associated rules are pushed out to the Exchange agent servers. These files are installed in the C:\Program Files\Microsoft Operations Manager 2000\OnePoint folder.

The helper object for Exchange 2000 and MOM 2005

The Exchange 2000 helper object for MOM 2005 is the Empkp.exe file. This file is also pushed out to the Exchange agent server by MOM when the Exchange Management Pack for MOM 2005 is deployed. The file is installed in the C:\Program Files\Common Files\Exchange 2000 Management Pack Objects folder.

The helper object for Exchange 2003 and MOM 2000 SP1 or MOM 2005

The Exchange 2003 helper object is the Empkp.exe file. This file is copied to an Exchange Server 2003 server during setup. This file can be verified from the following entries in the Exchange Server Setup Progress.Log file:
[18:22:01] Copying c:\program files\exchsrvr\bin\empkp.exe

[18:34:03] Interpreting line <CreateProcess:C:\Program
Files\Exchsrvr\bin;"C:\Program Files\Exchsrvr\bin\empkp.exe" /regserver;60000> --
ID:31259 --
[18:34:03] Process created ... waiting (60000)
[18:34:03] Process has exited with 00000000
Whether the Empkp.exe file is registered does not depend on the deployment of MOM or of the Exchange Management Pack. Any Exchange Server 2003 server should have Empkp.exe registered in the registry during setup.

Troubleshooting

The first and most useful step in troubleshooting is to confirm the presence of the helper objects in the locations that were just described. If the helper objects are not present on the server, they can be copied from another source to the appropriate location on the server, depending on the versions of Exchange Server and of MOM that you are running.

The second step in troubleshooting is to determine whether the DCOM application is registered and is available.Verify that the ExchKP.exe file or the Empkp.exe file are registered on an Exchange server that is running Microsoft Windows 2000 ServerTo locate the ExchKP.exe file or the Empkp.exe file, follow these steps:
  1. On the affected Exchange server, click Start, click Run, type dcomcnfg, and then click OK.
  2. When the Distributed COM Configuration Properties application opens, click the Applications tab.
  3. Locate the ExchKP or the EMPKP object in the Applications list.
Verify that the Empkp.exe file is registered on an Exchange Server 2003 server that is running Microsoft Windows Server 2003To locate the Empkp.exe file, follow these steps:
  1. On the affected Exchange Server 2003 server, click Start, click Run, type dcomcnfg, and then click OK.
  2. When the Component Services application opens, locate Component Services\Computers \My Computer\DCOM Config.
  3. Locate the EMPKP object.
If the ExchKP.exe file or the Empkp.exe file are not registered successfully, and the DCOM application does not exist, the DCOM application can be registered manually.

How to manually register the ExchKP.exe file

  1. Open a command prompt, and then move to the directory in which the ExchKP.exe file and the ExchKP.dll file are located.
  2. Type ExchMP /regserver, and then click OK.
  3. Type ExchMP /regsvr32, and then click OK.
  4. Look for the ExchMPobject by following the previously described procedure.

How to manually register the Empkp.exe file

  1. Open a command prompt, and then move to the directory in which the Empkp.exe file is located.
  2. Type EMPKP /regserver, and then click OK.
  3. Look for the EMPKPobject by following the previously described procedure.

Issue: The DCOM application does not run

If the DCOM application is registered but will not start, an event is generated in the System event log on the Exchange server. This event is generated every time that the "Exchange - Publish ExMP Data" script runs. The event may be similar to the following event: Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10000
Date: Date
Time: Time
User: NT AUTHORITY\LOCAL SERVICE
Computer: Exchange_Server_Name
Description: Unable to start a DCOM Server: {94A6DCD0-B6F5-40E8-8C9D-CEE2C7796380}. The error: "Drive_Letter:\Program Files\Exchsrvr\BIN\empkp.exe -Embedding is not a valid Win32 application." Happened while starting this command: Drive_Letter:\Program Files\Exchsrvr\BIN\empkp.exe -Embedding

Troubleshooting

Usually, this issue occurs because the "Exchange - Publish ExMP Data" script cannot locate the DCOM application executable (.exe) file. Look in the registry for the following registry keys and values:ExchKP.exe on Exchange 2000

HKEY_CLASSES_ROOT\CLSID\{E3D2F927-69FA-4EFD-8D05-8726EF540A06}\LocalServer32

EMPKP.exe on Exchange 2000 or on Exchange 2003

HKEY_CLASSES_ROOT\CLSID\{94A6DCD0-B6F5-40E8-8C9D-CEE2C7796380}\LocalServer32

This registry key should contain a REG_SZ value that contains the path of the Empkp.exe file or the ExchKP.exe file, respectively. For example, the expected default value of the registry entry should be similar to the following value:

C:\PROGRA~1\Exchsrvr\bin\empkp.exe

Verify that this file is located in the path that is specified.

Issue: The ExchKP.PubKeyPublisher object is not created

If the DCOM application is registered, but the ExMPLS registry key is not generated the next time that the "Exchange - Publish ExMP Data" script runs, there may be an underlying DCOM permissions issue. This issue prevents the script from creating the ExchKP.PubKeyPublisher object. This issue generates event 9972 or event 10001 in MOM, depending on the version of Exchange Server that you are running.

Troubleshooting

To test whether the script is creating the ExchKP.PubKeyPublisher object, save the following three lines of code as a .vbs script file, and then run the file from the affected Exchange server.Exchange 2000 and MOM 2000 SP1
Set oKeySet=CreateObject("ExchKP.PubKeyPublisher")
ErrID=oKeySet.Publish()
Msgbox ErrID
Exchange 2000, or Exchange 2003 and MOM 2005
Set oKeySet=CreateObject("EMPKP.PubKeyPublisher")
ErrID=oKeySet.Publish()
Msgbox ErrID
For more information, click the following article number to view the article in the Microsoft Knowledge Base:

274696 Actions such as search and drag and drop do not work because the default access permissions have been changed in the Dcomcnfg.exe tool

Conclusion

As soon as the DCOM helper object is registered and is running, the "Exchange - Publish ExMP Data" script can successfully run and generate the registry key that is used to store the encrypted credentials of the mailbox access account. If event 9986 has been logged on the MOM server for the associated Exchange server, the ExMPLS registry key should now be present on the Exchange server.

This registry key will hold the REG_BINARY value named DATA0. The DATA0 value holds the binary data that represents the public key BLOB of the mailbox access account credentials. When you see this registry key and this value, the Exchange server is ready to store the encrypted credentials for the mailbox access account.

The next step is to run the Exchange Management Pack Configuration Wizard or the ExchangeMOMSetCredentialUtility utility to encrypt and to write the mailbox access account credentials to the registry. The domain, user name, and password for the mailbox access account are written to the ExMPLS registry key when the credentials are successfully stored. The values to which the registry key is written are DATA1, DATA2, and DATA3, respectively.

Modification Type:MinorLast Reviewed:4/4/2006
Keywords:kbhowto KB911143 kbAudITPRO