Exchange scanning - Lansweeper Exchange scanning Executing script failed

Posted: Monday, August 2, 2021 8:56:01 AM(UTC)
brama
Member Original Poster Posts: 5
Hi,

I have an issue with Lansweeper and Exchange scanning, I tried all the troubleshooting steps documented but it is still not working.

Log file (did not use the original host names):

2021-08-02 09:45:10,012 [236] INFO LOGEXCHANGESCANNING DEBUG Executing script failed
2021-08-02 09:45:10,012 [236] INFO LOGEXCHANGESCANNING DEBUG Asset with FQDN 'exchangehost.domain.local' not found in Exchange server list.
2021-08-02 09:45:10,012 [236] INFO LOGEXCHANGESCANNING DEBUG DOMAIN\exchangehost\1 is not found in the domain's Exchange server list

When I try it via the "Scan Test Tool" it does scan the information.

In Lansweeper the hosts are not showing the "Exchange" tab.

Powershell is enabled and set to RemoteSigned, the scanning account is a member of domain admins.

Please advise!
FrankSc
#1 FrankSc Member Administration Posts: 166
posted: 8/6/2021 3:31:04 PM(UTC)
Hi,

Looking at the error you posted, it seems that the requirements for Exchange scanning are not met. Could you please send a mail to support@lansweeper.com for further troubleshooting?
brama
#2 brama Member Original Poster Posts: 5
posted: 8/10/2021 12:56:16 PM(UTC)
We found out that we indeed had some powershell issues.

Still, mailboxes are not scanned, after contact with lansweeper support, it seems to be a bug.

Dev team is working on a fix.
3cardmagictrick
#3 3cardmagictrick Member Posts: 3
posted: 9/21/2021 8:09:47 AM(UTC)
Has there been any update from the Dev team on when a fix will be ready for this issue?

I also followed all the setup and troubleshooting steps @ https://www.lansweeper.c...%20to%20al...%20More%20 however still facing same issue.
Jim Gallott
#4 Jim Gallott Member Posts: 6
posted: 10/6/2021 8:23:11 PM(UTC)
Originally Posted by: brama
We found out that we indeed had some powershell issues.

Still, mailboxes are not scanned, after contact with lansweeper support, it seems to be a bug.

Dev team is working on a fix.


What issues did you eventually find with the powershell requirements? We're running into the same errors for (lack of) scanning of our Exchange servers. I am able to connect remotely via powershell from the Lansweeper host to the Exchange server Exchange management shell. I think I have covered all the bases in the checklist, but would be interested if there are other less obvious issues that I need to tend to.

Thanks.
JackyPeng
#5 JackyPeng Member Posts: 2
posted: 10/7/2021 2:56:16 AM(UTC)
Originally Posted by: brama
Hi,

I have an issue with Lansweeper and Exchange scanning, I tried all the troubleshooting steps documented but it is still not working.

Log file (did not use the original host names):

2021-08-02 09:45:10,012 [236] INFO LOGEXCHANGESCANNING DEBUG Executing script failed
2021-08-02 09:45:10,012 [236] INFO LOGEXCHANGESCANNING DEBUG Asset with FQDN 'exchangehost.domain.local' not found in Exchange server list.
2021-08-02 09:45:10,012 [236] INFO LOGEXCHANGESCANNING DEBUG DOMAIN\exchangehost\1 is not found in the domain's Exchange server list

When I try it via the "Scan Test Tool" it does scan the information.

In Lansweeper the hosts are not showing the "Exchange" tab.

Powershell is enabled and set to RemoteSigned, the scanning account is a member of domain admins.

Please advise!


It seems that a permission account such as domain admins or exchange admins is needed to successfully scan
Corey Lambert
#6 Corey Lambert Member Posts: 12
posted: 10/15/2021 8:05:41 PM(UTC)
Has anyone received a resolution for this issue? I am having the same issue and have an open case with support. I can perform a remote powershell session to and from my exchange, domain controller, and Lansweeper servers without problems but Lansweeper itself errors out.
Jim Gallott
#7 Jim Gallott Member Posts: 6
posted: 10/15/2021 8:09:34 PM(UTC)
Originally Posted by: Corey Lambert
Has anyone received a resolution for this issue? I am having the same issue and have an open case with support. I can perform a remote powershell session to and from my exchange, domain controller, and Lansweeper servers without problems but Lansweeper itself errors out.


No solution yet. I also have a case open with Lansweeper. I will post if anything develops.
Corey Lambert
#8 Corey Lambert Member Posts: 12
posted: 10/15/2021 9:02:16 PM(UTC)
I think I may have found something.
I found in my error log that it is trying to use ssl on port 5986 and when I test winRM with ssl on port 5986 it fails, but it works without ssl on port 5985.

Quote:
PS C:\WINDOWS\system32> Test-WSMan -ComputerName exchange-server


wsmid : http://schemas.dmtf.org/...ity/1/wsmanidentity.xsd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor : Microsoft Corporation
ProductVersion : OS: 0.0.0 SP: 0.0 Stack: 3.0



PS C:\WINDOWS\system32> Test-WSMan -ComputerName exchange-server -UseSSL
Test-WSMan : <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150859046"
Machine="***.COM"><f:Message>WinRM cannot complete the operation. Verify that the specified computer name is
valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled
and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote
computers within the same local subnet. </f:Message></f:WSManFault>
At line:1 char:1
+ Test-WSMan -ComputerName exchange-server -UseSSL
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (exchange-server:String) [Test-WSMan], InvalidOperationException
+ FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.TestWSManCommand



I also ran this on my exchange server:

Quote:
PS C:\Users\administrator.MHA> winrm quickconfig -transport:https
WinRM service is already running on this machine.
WSManFault
Message
ProviderFault
WSManFault
Message = Cannot create a WinRM listener on HTTPS because this machine does not have an appropriate certificate. To be used for SSL, a certificate must have a CN matching the hostname, be appropriate for Server Authentication, and not be expired, revoked, or self-signed.

Error number: -2144108267 0x80338115
Cannot create a WinRM listener on HTTPS because this machine does not have an appropriate certificate. To be used for SSL, a certificate must have a CN matching the hostname, be appropriate for Server Authentication, and not be expired, revoked, or self-signed.
Jim Gallott
#9 Jim Gallott Member Posts: 6
posted: 10/15/2021 9:25:40 PM(UTC)
I have tested remote powershell successfully from the scanning server to the exchange servers using:

https://docs.microsoft.c...rshell?view=exchange-ps

All three connect and I can run Get-mailbox.

I did remote powershell successfully to the preferred domain controller using:

Enter-PSSession -ComputerName <dc_name> –credential <credentials>

Still Exchange won't scan. It does not seem to be the remote powershell that is getting in the way.
Jim Gallott
#10 Jim Gallott Member Posts: 6
posted: 10/15/2021 9:30:34 PM(UTC)
So far, not much back from support. He did point out an error:

'Unable to scan Windows Cluster for target exch01.CSAC.Local with credential Exchange Scan.'

Is there an 'Exchange Scan' credential? I haven't seen it anywhere.

The normal Windows credentials are a Domain Admin member, so that isn't it, either.
Corey Lambert
#11 Corey Lambert Member Posts: 12
posted: 10/15/2021 9:39:03 PM(UTC)
Originally Posted by: Jim Gallott
So far, not much back from support. He did point out an error:

'Unable to scan Windows Cluster for target exch01.CSAC.Local with credential Exchange Scan.'

Is there an 'Exchange Scan' credential? I haven't seen it anywhere.

The normal Windows credentials are a Domain Admin member, so that isn't it, either.



My global scan credentials are the domain admin as well. I even created another credential and mapped it to the netbios name of the exchange server and it did not change anything.

I think it's the WinRM using ssl. This was in my error log while debug was turned on:

WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet. - on exchange-server.local using port 5986 and ssl True as the user 'domain\admin'.

Corey Lambert
#12 Corey Lambert Member Posts: 12
posted: 10/18/2021 7:56:31 PM(UTC)
As I suspected the reason it is not scanning is because of WinRM SSL error. I fixed it with this article.





3cardmagictrick
#13 3cardmagictrick Member Posts: 3
posted: 10/19/2021 7:33:18 AM(UTC)
Originally Posted by: Jim Gallott
I have tested remote powershell successfully from the scanning server to the exchange servers using:

https://docs.microsoft.c...rshell?view=exchange-ps

All three connect and I can run Get-mailbox.

I did remote powershell successfully to the preferred domain controller using:

Enter-PSSession -ComputerName <dc_name> –credential <credentials>

Still Exchange won't scan. It does not seem to be the remote powershell that is getting in the way.


Same here, can connect fine remotely via PowerShell. Does anyone know where the script LANSweeper runs to scan Exchange is located? Or what commands it runs?

Reason I ask is I was hoping to connect manually and run these myself to troubleshoot further.
Corey Lambert
#14 Corey Lambert Member Posts: 12
posted: 10/19/2021 2:33:42 PM(UTC)
Use this switch when testing your remote PowerShell: -UseSSL
example: Enter-PSSession -ComputerName <dc_name> –credential <credentials> -UseSSL

If it fails that is your problem and my above comment will fix it.

I also looked for the script they use to scan Exchange and was unsuccessful in finding it. I was going to try and modify it not to use SSL.

Originally Posted by: 3cardmagictrick
Originally Posted by: Jim Gallott
I have tested remote powershell successfully from the scanning server to the exchange servers using:

https://docs.microsoft.c...rshell?view=exchange-ps

All three connect and I can run Get-mailbox.

I did remote powershell successfully to the preferred domain controller using:

Enter-PSSession -ComputerName <dc_name> –credential <credentials>

Still Exchange won't scan. It does not seem to be the remote powershell that is getting in the way.


Same here, can connect fine remotely via PowerShell. Does anyone know where the script LANSweeper runs to scan Exchange is located? Or what commands it runs?

Reason I ask is I was hoping to connect manually and run these myself to troubleshoot further.


Corey Lambert
#15 Corey Lambert Member Posts: 12
posted: 10/19/2021 3:39:52 PM(UTC)
Originally Posted by: Corey Lambert
As I suspected the reason it is not scanning is because of WinRM SSL error. I fixed it with this article.


This has been confirmed with the support team and they are getting with the development team to see if they need to modify the requirements for Exchange scanning.
3cardmagictrick
#16 3cardmagictrick Member Posts: 3
posted: 10/19/2021 11:15:57 PM(UTC)
Originally Posted by: Corey Lambert
Use this switch when testing your remote PowerShell: -UseSSL
example: Enter-PSSession -ComputerName <dc_name> –credential <credentials> -UseSSL

If it fails that is your problem and my above comment will fix it.

I also looked for the script they use to scan Exchange and was unsuccessful in finding it. I was going to try and modify it not to use SSL.

Originally Posted by: 3cardmagictrick
Originally Posted by: Jim Gallott
I have tested remote powershell successfully from the scanning server to the exchange servers using:

https://docs.microsoft.c...rshell?view=exchange-ps

All three connect and I can run Get-mailbox.

I did remote powershell successfully to the preferred domain controller using:

Enter-PSSession -ComputerName <dc_name> –credential <credentials>

Still Exchange won't scan. It does not seem to be the remote powershell that is getting in the way.


Same here, can connect fine remotely via PowerShell. Does anyone know where the script LANSweeper runs to scan Exchange is located? Or what commands it runs?

Reason I ask is I was hoping to connect manually and run these myself to troubleshoot further.




Use this switch when testing your remote PowerShell: -UseSSL
example: Enter-PSSession -ComputerName <dc_name> –credential <credentials> -UseSSL

Originally connecting remotely using Enter-PSSession was failing but the comment and article you shared with steps on how to configure an SSL self signed certificate worked perfectly, seriously cannot thank you enough for that. I'm 100% self taught with PowerShell and I am a total amateur at best so was so satisfying to read that article you shared ;-)

I can connect perfectly fine now however I'm getting this error :-(

PS C:\Users\USERNAME> Enter-PSSession -ComputerName EXCHANGE SERVER NAME -credential DOMAIN\USERNAME -UseSSL

PowerShell credential request
Enter your credentials.
Password for user DOMAIN\USERNAME: **********

[EXCHANGE SERVER NAME]: PS C:\Users\USERNAME\Documents> Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
[EXCHANGE SERVER NAME]: PS C:\Users\USERNAME\Documents> Get-Mailbox
Active Directory operation failed on . The supplied credential for 'DOMAIN\USERNAME' is invalid.
+ CategoryInfo : NotSpecified: (:) [], ADInvalidCredentialException
+ FullyQualifiedErrorId : [Server=EXCHANGE SERVER NAME,RequestId=aa150a06-0e4d-4cf3-97f8-dc627c72beb9,TimeStamp=19/10/2021 9:47:15 PM] [FailureCategory=Cmdlet-ADInvalidCredentialException] 476A3E7D


Interesting thing is I found this article (https://www.alitajran.com/load-exchange-management-shell-in-powershell-ise/#:~:text=To%20load%20Exchange%20snapin%20in%20PowerShell%20ISE%2C%20you,connect%20to%20the%20Exchange%20Server%20with%20PowerShell%20ISE.) and when I follow the steps listed under the "Connect to Exchange servers with remote PowerShell" section it works PERFECTLY!

$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://EXCHANGE SERVER NAME/PowerShell/ -Authentication Kerberos -Credential $UserCredential
Import-PSSession $Session -DisableNameChecking
Get-Mailbox
Joerg
#17 Joerg Member Posts: 2
posted: 10/20/2021 11:46:55 AM(UTC)
Hey guys.

Originally Posted by: brama
[...]I have an issue with Lansweeper and Exchange scanning[...]

Me too - at least I _had!_ an issue with it... ;-)
Quote:
[...]Please advice![...]

I'll try to. ;-)
First of all, instructions for Exchange scanning are hard to find as the original article from Lansweeper's KB is rubbish - scan account DOES NOT! need to be a domain admin but for proper scanning has to be member of the AD's "Domain Administrators" and "Organization Management" groups.

As long as you have your Windows firewalls turned off there is no problem at all with Exchange scanning. The fun part starts with firewalls enabled on either of your systems. For proper exchange scanning the requirements from the KB article are not complete - you need to configure your Exchange server(s) as well as your domain controller(s)!

Combining all links and infos from this thread the following setup worked (at least for me). This is the quick n' dirty solution. If you e.g. have an internal Root-CA you can automate some of these steps concerning certificates. Further on, with the proper use of GPOs you can automate the steps for WSMan/WinRM configuration.

In a nutshell:
- Create self signed certificates on your DCs and Exchange servers (or use/export existing ones) - purpose is "Client Authentication"
- Import these certificates to "Trusted root" store on your scanning server
- Create a WinRM https listener on each DC and Exchange
- Trigger "Rescan Asset" for your Exchange server(s)

I used Powershell to configure my setup, will just leave those lines here - feel free to adapt them to your needs:
Code:
#Creating and exporting certificates (run on each DC and Exchange server)
$hostName = $env:COMPUTERNAME
$serverCert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName $hostName
#Only the public certificate is exported; the private key stays on the server
Export-Certificate -Cert $serverCert -FilePath "\\server\share\PSR$hostName.cer"


Code:
#Configure WinRM on DC(s) and Exchange server(s)
#Run in the same session as the block above, so that $serverCert is still set
Enable-PSRemoting -Force
New-Item -Path WSMan:\localhost\Listener\ -Transport HTTPS -Address * -CertificateThumbPrint $serverCert.Thumbprint -Force
New-NetFirewallRule -Displayname 'WinRM - Powershell remoting HTTPS-In' -Name 'WinRM - Powershell remoting HTTPS-In' -Profile Any -LocalPort 5986 -Protocol TCP
Restart-Service WinRM


Code:
#Import certificates on your scanning server, into the "Trusted root" store as listed in the steps above
#Replace <hostname> with the name of each DC / Exchange server
Import-Certificate -FilePath '\\server\share\PSR<hostname>.cer' -CertStoreLocation Cert:\LocalMachine\Root


HTH! ;-)

Cheers,
Joerg


EDIT:
Just as an addition - I have one Exchange server where Exchange Management Shell does NOT! load the Exchange CMDlets. As expected, this server CAN NOT! be scanned by LanSweeper. Have to fix EMS and will try again. Pretty sure it'll work then.
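Added example, not part of Joerg's post or of Lansweeper's documentation: a check to run elevated on each DC and Exchange server once the HTTPS listener exists. It confirms which certificate the listener is bound to and shows a firewall rule limited to the scanning server and the Domain profile, as a narrower alternative to the `-Profile Any` rule above. The address 192.0.2.10 and the rule name are placeholders.

```powershell
# Added example (not from the thread). Run elevated on each DC / Exchange server.
# Assumption: 192.0.2.10 stands in for the address of the Lansweeper scanning server.
$scannerAddress = '192.0.2.10'

# 1. Find the HTTPS listener and the certificate it is bound to.
$listener = Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
    Select-Object -First 1
if (-not $listener) { throw 'No WinRM HTTPS listener is configured on this host.' }

$thumbprint = (Get-Item "WSMan:\localhost\Listener\$($listener.Name)\CertificateThumbprint").Value
$thumbprint = $thumbprint -replace '\s', ''
$cert = Get-Item "Cert:\LocalMachine\My\$thumbprint" -ErrorAction Stop

[pscustomobject]@{
    Listener      = $listener.Name
    Subject       = $cert.Subject
    Issuer        = $cert.Issuer
    NotAfter      = $cert.NotAfter
    Expired       = $cert.NotAfter -lt (Get-Date)
    HasPrivateKey = $cert.HasPrivateKey   # the listener cannot use a certificate without its key
} | Format-List

# 2. Allow inbound 5986 only from the scanning server, and only on the Domain profile.
#    Use this instead of a rule with -Profile Any: a broader allow rule that is
#    still enabled would keep admitting other sources.
New-NetFirewallRule -DisplayName 'WinRM HTTPS-In (scanning server only)' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 5986 `
    -RemoteAddress $scannerAddress -Profile Domain
```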
Corey Lambert
#18 Corey Lambert Member Posts: 12
posted: 10/20/2021 2:29:34 PM(UTC)
3cardmagictrick : glad I was able to help, not sure why you are getting the invalid credential error though.

Joerg : Thanks for the detailed post. The method you posted is what I eventually did. I do have an Internal Root-CA and tried multiple times to get that certificate working and never could. Then I did self signed (even though it tells you it can't be self signed) and it worked. I worked on this for several hours trying to get it to work without buying a certificate.

Support was not very helpful other than asking for a debug log (with a different option than what's outlined in the online documents) where I found the SSL issue. They never got back to me after sending the logs. I had to reach back out to them and tell them how I fixed it.
Joerg
#19 Joerg Member Posts: 2
posted: 10/20/2021 2:36:08 PM(UTC)
Hi.
Originally Posted by: Corey Lambert
[...]I do have an Internal Root-CA[...]

Me as well - you have to configure a template for client authentication and then configure your AD to automatically deploy the machine certificates. A bit tricky to do but it works quite well once you get used to it. Don't have short instructions right now; maybe will find the time to write all that stuff into one article.
Jim Gallott
#20 Jim Gallott Member Posts: 6
posted: 10/27/2021 6:26:58 PM(UTC)
Originally Posted by: Corey Lambert
I do have an Internal Root-CA and tried multiple times to get that certificate working and never could. Then I did self signed (even though it tells you it can't be self signed) and it worked.


I also have an Internal Certificate Authority, and feel your pain about getting it to work. Error of 'RPC server not available' when requesting a certificate through the Certificates snap-in in mmc.exe. Went through dozens of links about adding permissions in DCOM Config for 'CertSrv Request', including Domain Computers in the 'Certificate Service DCOM Access' group (both in AD and in the local group on the CA), and I'm not sure how many other things I ended up checking.

I finally noticed that on the CA server is a local group called 'Distributed COM Users'. On a whim, I checked it and found that it was empty (so nobody or nothing could access DCOM). Added Domain Users, Domain Computers and Domain Controllers to the group and the magic happened and the Exchange server certificate requests succeeded.

I had to add the Domain Controllers group to the Security tab of the 'Computer' template for it to show when requesting from the Domain Controllers. At least for me, the certificate had to be from the Computer template for WinRM to succeed. On the CA, run Certification Authority Management, right-click the 'Certificate Templates' folder and choose 'Manage', then 'properties' on the Computer template.

After getting the certificate, I found that I could configure WinRM HTTPS on the server just by running: 'winrm quickconfig -transport:https' in an elevated command prompt.

https://docs.microsoft.com/en-us/troubleshoot/windows-client/system-management-components/configure-winrm-for-https

Once the CA was straightened out, on each Exchange server and each Domain Controller:

1) run mmc.exe, add the Certificates snap-in for 'Computer account' and 'local computer'; under Personal --> Certificates, right click the folder and All Tasks --> Request certificate; choose 'Computer' template.
2) once certificate succeeds, in an elevated command prompt, run 'winrm quickconfig -transport:https' (without quotes). It will ask you if you want to make the necessary changes, say yes and you're done.

Rescan, and at least for me, everything scanned properly.
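Added example, not part of the thread and not Lansweeper's own script: a check to run from the scanning server against each Exchange server and domain controller. It reports whether port 5986 answers, what certificate is presented there, and which of the problems discussed above (name mismatch, untrusted or self-signed issuer, expiry, missing Server Authentication usage) this machine sees, then repeats the `Test-WSMan -UseSSL` test. The function name and the host names in the usage comment are placeholders; test with the same name Lansweeper uses (the FQDN in the debug log), because the name check depends on it.

```powershell
# Added example, not from the thread. Run on the Lansweeper scanning server.
function Test-WinRmHttpsEndpoint {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [int]$Port = 5986
    )
    $report = [ordered]@{
        ComputerName  = $ComputerName
        PortReachable = $false
        Subject       = $null
        Issuer        = $null
        SelfSigned    = $null
        NotAfter      = $null
        ServerAuthEku = $null
        PolicyErrors  = $null    # name mismatch / untrusted chain, as seen from this machine
        WSManOverSsl  = $false
        WSManError    = $null
    }
    # Accept whatever certificate is presented so it can be inspected, but keep
    # the validation verdict. No credentials or data are sent on this connection.
    $state = @{ Errors = $null }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($origin, $certificate, $chain, $policyErrors)
        $state.Errors = $policyErrors
        $true
    }.GetNewClosure())

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($ComputerName, $Port)
        $report.PortReachable = $true
        $stream = $tcp.GetStream()
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $callback
        $ssl.AuthenticateAsClient($ComputerName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate

        $report.Subject      = $cert.Subject
        $report.Issuer       = $cert.Issuer
        $report.SelfSigned   = ($cert.Subject -eq $cert.Issuer)
        $report.NotAfter     = $cert.NotAfter
        $report.PolicyErrors = "$($state.Errors)"
        # Server Authentication is OID 1.3.6.1.5.5.7.3.1; a certificate with no
        # EKU extension is not restricted to particular purposes.
        $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if ($eku) {
            $report.ServerAuthEku = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains '1.3.6.1.5.5.7.3.1'
        } else {
            $report.ServerAuthEku = $true
        }
    } catch {
        $report.PolicyErrors = "TCP connect or TLS handshake failed: $($_.Exception.Message)"
    } finally {
        $tcp.Close()
    }
    # Same test as in the thread, with the error text kept for the report.
    try {
        Test-WSMan -ComputerName $ComputerName -UseSSL -ErrorAction Stop | Out-Null
        $report.WSManOverSsl = $true
    } catch {
        $report.WSManError = $_.Exception.Message
    }
    [pscustomobject]$report
}

# Usage (placeholder host names):
# 'exchange-server.domain.local', 'dc01.domain.local' |
#     ForEach-Object { Test-WinRmHttpsEndpoint -ComputerName $_ } | Format-List
```

A `PolicyErrors` value other than `None` on a host where the port is reachable points at the certificate or its trust on the scanning server rather than at the firewall.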
