MICROSOFT LEARNING PRODUCT
10135A
Configuring, Managing and Troubleshooting Microsoft Exchange Server 2010
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. 
Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein. © 2010 Microsoft Corporation. All rights reserved. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.
Released: 01/2010
MICROSOFT LICENSE TERMS OFFICIAL MICROSOFT LEARNING PRODUCTS - TRAINER EDITION Pre-Release and Final Release Versions
These license terms are an agreement between Microsoft Corporation and you. Please read them. They apply to the Licensed Content named above, which includes the media on which you received it, if any. The terms also apply to any Microsoft updates, supplements, Internet-based services, and support services
for this Licensed Content, unless other terms accompany those items. If so, those terms apply. By using the Licensed Content, you accept these terms. If you do not accept them, do not use the Licensed Content. If you comply with these license terms, you have the rights below.
1. DEFINITIONS.
a. Academic Materials means the printed or electronic documentation such as manuals, workbooks, white papers, press releases, datasheets, and FAQs which may be included in the Licensed Content.
b. Authorized Learning Center(s) means a Microsoft Certified Partner for Learning Solutions location, an IT Academy location, or such other entity as Microsoft may designate from time to time.
c. Authorized Training Session(s) means those training sessions authorized by Microsoft and conducted at or through Authorized Learning Centers by a Trainer providing training to Students solely on Official Microsoft Learning Products (formerly known as Microsoft Official Curriculum or MOC) and Microsoft Dynamics Learning Products (formerly known as Microsoft Business Solutions Courseware). Each Authorized Training Session will provide training on the subject matter of one (1) Course.
d. Course means one of the courses using Licensed Content offered by an Authorized Learning Center during an Authorized Training Session, each of which provides training on a particular Microsoft technology subject matter.
e. Device(s) means a single computer, device, workstation, terminal, or other digital electronic or analog device.
f. Licensed Content means the materials accompanying these license terms. The Licensed Content may include, but is not limited to, the following elements: (i) Trainer Content, (ii) Student Content, (iii) classroom setup guide, and (iv) Software. There are different and separate components of the Licensed Content for each Course.
g. Software means the Virtual Machines and Virtual Hard Disks, or other software applications that may be included with the Licensed Content.
h. Student(s) means a student duly enrolled for an Authorized Training Session at your location.
i. Student Content means the learning materials accompanying these license terms that are for use by Students and Trainers during an Authorized Training Session. Student Content may include labs, simulations, and courseware files for a Course.
j. Trainer(s) means a) a person who is duly certified by Microsoft as a Microsoft Certified Trainer and b) such other individual as authorized in writing by Microsoft and has been engaged by an Authorized Learning Center to teach or instruct an Authorized Training Session to Students on its behalf.
k. Trainer Content means the materials accompanying these license terms that are for use by Trainers and Students, as applicable, solely during an Authorized Training Session. Trainer Content may include Virtual Machines, Virtual Hard Disks, Microsoft PowerPoint files, instructor notes, and demonstration guides and script files for a Course.
l. Virtual Hard Disks means Microsoft Software that is comprised of virtualized hard disks (such as a base virtual hard disk or differencing disks) for a Virtual Machine that can be loaded onto a single computer or other device in order to allow end-users to run multiple operating systems concurrently. For the purposes of these license terms, Virtual Hard Disks will be considered Trainer Content.
m. Virtual Machine means a virtualized computing experience, created and accessed using Microsoft Virtual PC or Microsoft Virtual Server software that consists of a virtualized hardware environment, one or more Virtual Hard Disks, and a configuration file setting the parameters of the virtualized hardware environment (e.g., RAM). For the purposes of these license terms, Virtual Hard Disks will be considered Trainer Content.
n. you means the Authorized Learning Center or Trainer, as applicable, that has agreed to these license terms.
2. OVERVIEW.
Licensed Content. The Licensed Content includes Software, Academic Materials (online and electronic), Trainer Content, Student Content, classroom setup guide, and associated media.
License Model. The Licensed Content is licensed on a per copy per Authorized Learning Center location or per Trainer basis.
3. INSTALLATION AND USE RIGHTS.
a. Authorized Learning Centers and Trainers: For each Authorized Training Session, you may:
i. either install individual copies of the relevant Licensed Content on classroom Devices only for use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided that the number of copies in use does not exceed the number of Students enrolled in and the Trainer delivering the Authorized Training Session, OR
ii. install one copy of the relevant Licensed Content on a network server only for access by classroom Devices and only for use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided that the number of Devices accessing the Licensed Content on such server does not exceed the number of Students enrolled in and the Trainer delivering the Authorized Training Session.
iii. and allow the Students enrolled in and the Trainer delivering the Authorized Training Session to use the Licensed Content that you install in accordance with (i) or (ii) above during such Authorized Training Session in accordance with these license terms.
i. Separation of Components. The components of the Licensed Content are licensed as a single unit. You may not separate the components and install them on different Devices.
ii. Third Party Programs. The Licensed Content may contain third party programs. These license terms will apply to the use of those third party programs, unless other terms accompany those programs.
b. Trainers:
i. Trainers may Use the Licensed Content that you install or that is installed by an Authorized Learning Center on a classroom Device to deliver an Authorized Training Session.
ii. Trainers may also Use a copy of the Licensed Content as follows:
A. Licensed Device. The licensed Device is the Device on which you Use the Licensed Content. You may install and Use one copy of the Licensed Content on the licensed Device solely for your own personal training Use and for preparation of an Authorized Training Session.
B. Portable Device. You may install another copy on a portable device solely for your own personal training Use and for preparation of an Authorized Training Session.
4. PRE-RELEASE VERSIONS. If this is a pre-release (beta) version, in addition to the other provisions in this agreement, these terms also apply:
a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not contain the same information and/or work the way a final version of the Licensed Content will. We may change it for the final, commercial version. We also may not release a commercial version. You will clearly and conspicuously inform any Students who participate in each Authorized Training Session of the foregoing; and, that you or Microsoft are under no obligation to provide them with any further content, including but not limited to the final released version of the Licensed Content for the Course.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, you give to Microsoft, without charge, the right to use, share and commercialize your feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software, Licensed Content, or service that includes the feedback. You will not give feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your feedback in them. These rights survive this agreement.
c. Confidential Information.
The Licensed Content, including any viewer, user interface, features and documentation that may be included with the Licensed Content, is confidential and proprietary to Microsoft and its suppliers.
i. Use. For five years after installation of the Licensed Content or its commercial release, whichever is first, you may not disclose confidential information to third parties. You may disclose confidential information only to your employees and consultants who need to know the information. You must have written agreements with them that protect the confidential information at least as much as this agreement.
ii. Survival. Your duty to protect confidential information survives this agreement.
iii. Exclusions. You may disclose confidential information in response to a judicial or governmental order. You must first give written notice to Microsoft to allow it to seek a protective order or otherwise protect the information. Confidential information does not include information that becomes publicly known through no wrongful act; you received from a third party who did not breach confidentiality obligations to Microsoft or its suppliers; or you developed independently.
d. Term. The term of this agreement for pre-release versions is (i) the date which Microsoft informs you is the end date for using the beta version, or (ii) the commercial release of the final release version of the Licensed Content, whichever is first (beta term).
e. Use. You will cease using all copies of the beta version upon expiration or termination of the beta term, and will destroy all copies of same in the possession or under your control and/or in the possession or under the control of any Trainers who have received copies of the pre-released version.
f. Copies. Microsoft will inform Authorized Learning Centers if they may make copies of the beta version (in either print and/or CD version) and distribute such copies to Students and/or Trainers. If Microsoft allows such distribution, you will follow any additional terms that Microsoft provides to you for such copies and distribution.
ii. Virtual Hard Disks. The Licensed Content may contain versions of Microsoft XP, Microsoft Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 2000 Advanced Server and/or other Microsoft products which are provided in Virtual Hard Disks.
A. If the Virtual Hard Disks and the labs are launched through the Microsoft Learning Lab Launcher, then these terms apply: Time-Sensitive Software. If the Software is not reset, it will stop running based upon the time indicated on the install of the Virtual Machines (between 30 and 500 days after you install it). You will not receive notice before it stops running. You may not be able to access data used or information saved with the Virtual Machines when it stops running and may be forced to reset these Virtual Machines to their original state. You must remove the Software from the Devices at the end of each Authorized Training Session and reinstall and launch it prior to the beginning of the next Authorized Training Session.
B. If the Virtual Hard Disks require a product key to launch, then these terms apply: Microsoft will deactivate the operating system associated with each Virtual Hard Disk. Before installing any Virtual Hard Disks on classroom Devices for use during an Authorized Training Session, you will obtain from Microsoft a product key for the operating system software for the Virtual Hard Disks and will activate such Software with Microsoft using such product key.
C. These terms apply to all Virtual Machines and Virtual Hard Disks: You may only use the Virtual Machines and Virtual Hard Disks if you comply with the terms and conditions of this agreement and the following security requirements:
- You may not install Virtual Machines and Virtual Hard Disks on portable Devices or Devices that are accessible to other networks.
- You must remove Virtual Machines and Virtual Hard Disks from all classroom Devices at the end of each Authorized Training Session, except those held at Microsoft Certified Partners for Learning Solutions locations.
- You must remove the differencing drive portions of the Virtual Hard Disks from all classroom Devices at the end of each Authorized Training Session at Microsoft Certified Partners for Learning Solutions locations.
- You will ensure that the Virtual Machines and Virtual Hard Disks are not copied or downloaded from Devices on which you installed them.
- You will strictly comply with all Microsoft instructions relating to installation, use, activation and deactivation, and security of Virtual Machines and Virtual Hard Disks.
- You may not modify the Virtual Machines and Virtual Hard Disks or any contents thereof.
- You may not reproduce or redistribute the Virtual Machines or Virtual Hard Disks.
iii. Classroom Setup Guide. You will assure any Licensed Content installed for use during an Authorized Training Session will be done in accordance with the classroom set-up guide for the Course.
iv. Media Elements and Templates. You may allow Trainers and Students to use images, clip art, animations, sounds, music, shapes, video clips and templates provided with the Licensed Content solely in an Authorized Training Session. If Trainers have their own copy of the Licensed Content, they may use Media Elements for their personal training use.
v. Evaluation Software. Any Software that is included in the Student Content designated as Evaluation Software may be used by Students solely for their personal training outside of the Authorized Training Session.
b. Trainers Only:
i. Use of PowerPoint Slide Deck Templates. The Trainer Content may include Microsoft PowerPoint slide decks. Trainers may use, copy and modify the PowerPoint slide decks only for providing an Authorized Training Session. If you elect to exercise the foregoing, you will agree or ensure Trainer agrees: (a) that modification of the slide decks will not constitute creation of obscene or scandalous works, as defined by federal law at the time the work is created; and (b) to comply with all other terms and conditions of this agreement.
ii. Use of Instructional Components in Trainer Content. For each Authorized Training Session, Trainers may customize and reproduce, in accordance with the MCT Agreement, those portions of the Licensed Content that are logically associated with instruction of the Authorized Training Session. If you elect to exercise the foregoing rights, you agree or ensure the Trainer agrees: (a) that any of these customizations or reproductions will only be used for providing an Authorized Training Session and (b) to comply with all other terms and conditions of this agreement.
iii. Academic Materials. If the Licensed Content contains Academic Materials, you may copy and use the Academic Materials. You may not make any modifications to the Academic Materials and you may not print any book (either electronic or print version) in its entirety. If you reproduce any Academic Materials, you agree that:
- The use of the Academic Materials will be only for your personal reference or training use;
- You will not republish or post the Academic Materials on any network computer or broadcast in any media;
- You will include the Academic Materials' original copyright notice, or a copyright notice to Microsoft's benefit in the format provided below:
Form of Notice: © 2010 Reprinted for personal reference use only with permission by Microsoft Corporation. All rights reserved. Microsoft, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the US and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.
6. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed Content. It may change or cancel them at any time. You may not use these services in any way that could harm them or impair anyone else's use of them. You may not use the services to try to gain unauthorized access to any service, data, account or network by any means.
7. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only allow you to use it in certain ways. You may not:
- install more copies of the Licensed Content on classroom Devices than the number of Students and the Trainer in the Authorized Training Session;
- allow more classroom Devices to access the server than the number of Students enrolled in and the Trainer delivering the Authorized Training Session if the Licensed Content is installed on a network server;
- copy or reproduce the Licensed Content to any server or location for further reproduction or distribution;
- disclose the results of any benchmark tests of the Licensed Content to any third party without Microsoft's prior written approval;
- work around any technical limitations in the Licensed Content;
- reverse engineer, decompile or disassemble the Licensed Content, except and only to the extent that applicable law expressly permits, despite this limitation;
- make more copies of the Licensed Content than specified in this agreement or allowed by applicable law, despite this limitation;
- publish the Licensed Content for others to copy;
- transfer the Licensed Content, in whole or in part, to a third party;
- access or use any Licensed Content for which you (i) are not providing a Course and/or (ii) have not been authorized by Microsoft to access and use;
- rent, lease or lend the Licensed Content; or
- use the Licensed Content for commercial hosting services or general business purposes.
Rights to access the server software that may be included with the Licensed Content, including the Virtual Hard Disks, does not give you any right to implement Microsoft patents or other Microsoft intellectual property in software or devices that may access the server.
8. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the Licensed Content. These laws include restrictions on destinations, end users and end use. For additional information, see www.microsoft.com/exporting.
9. NOT FOR RESALE SOFTWARE/LICENSED CONTENT. You may not sell software or Licensed Content marked as NFR or Not for Resale.
10. ACADEMIC EDITION. You must be a Qualified Educational User to use Licensed Content marked as Academic Edition or AE. If you do not know whether you are a Qualified Educational User, visit www.microsoft.com/education or contact the Microsoft affiliate serving your country.
11. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail to comply with the terms and conditions of these license terms. In the event your status as an Authorized Learning Center or Trainer a) expires, b) is voluntarily terminated by you, and/or c) is terminated by Microsoft, this agreement shall automatically terminate. Upon any termination of this agreement, you must destroy all copies of the Licensed Content and all of its component parts.
12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-based services and support services that you use, are the entire agreement for the Licensed Content and support services.
13. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that country apply.
14. LEGAL EFFECT.
This agreement describes certain legal rights. You may have other rights under the laws of your country. You may also have rights with respect to the party from whom you acquired the Licensed Content. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.
15. DISCLAIMER OF WARRANTY. The Licensed Content is licensed as-is. You bear the risk of using it. Microsoft gives no express warranties, guarantees or conditions. You may have additional consumer rights under your local laws which this agreement cannot change. To the extent permitted under your local laws, Microsoft excludes the implied warranties of merchantability, fitness for a particular purpose and noninfringement.
16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.
This limitation applies to anything related to the Licensed Content, software, services, content (including code) on third party Internet sites, or third party programs; and claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French (rendered here in English).
DISCLAIMER OF WARRANTY. The licensed content covered by a license is offered as is. Any use of this licensed content is at your sole risk. Microsoft gives no other express warranty. You may have additional rights under local consumer protection law, which this contract cannot modify. Where permitted by local law, the implied warranties of merchantability, fitness for a particular purpose and non-infringement are excluded.
LIMITATION OF DAMAGES AND EXCLUSION OF LIABILITY FOR DAMAGES. You may obtain from Microsoft and its suppliers compensation for direct damages only, up to US $5.00. You may not claim any compensation for other damages, including special, indirect or incidental damages and lost profits. This limitation concerns: anything related to the licensed content, to services or to content (including code) appearing on third-party Internet sites or in third-party programs; and claims for breach of contract or warranty, or for strict liability, negligence or other fault, to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known of the possibility of such damage. If your country does not allow the exclusion or limitation of liability for indirect, incidental or other damages of any kind, the above limitation or exclusion may not apply to you. LEGAL EFFECT. This contract describes certain legal rights. You may have other rights under the laws of your country. This contract does not modify the rights conferred on you by the laws of your country if those laws do not permit it.
Acknowledgements
Microsoft Learning would like to acknowledge and thank the following for their contribution towards developing this title. Their effort at various stages in the development has ensured that you have a good classroom experience.
Contents
Module 1: Deploying Microsoft Exchange Server 2010
Lesson 1: Overview of Exchange Server 2010 Requirements 1-4
Lesson 2: Installing Exchange Server 2010 Server Roles 1-16
Lab A: Installing Exchange Server 2010 1-32
Lesson 3: Completing an Exchange Server 2010 Installation 1-37
Lab B: Verifying an Exchange Server 2010 Installation 1-46
Lesson 3: Configuring an Anti-Spam Solution
Lesson 4: Configuring Secure SMTP Messaging
Lab B: Implementing Anti-Spam Solutions
Module 12: Upgrading from Exchange Server 2003 or Exchange Server 2007 to Exchange Server 2010
Lesson 1: Overview of Upgrading to Exchange Server 2010 12-3
Lesson 2: Upgrading from Exchange Server 2003 to Exchange Server 2010 12-10
Lesson 3: Upgrading from Exchange Server 2007 to Exchange Server 2010 12-27
Course Description
This course will provide you with the knowledge and skills to configure and manage a Microsoft Exchange Server 2010 messaging environment. This course will teach you how to configure Exchange Server 2010, as well as provide guidelines, best practices, and considerations that will help you optimize your Exchange server deployment.
Audience
This course is intended for people aspiring to be enterprise-level messaging administrators. Others who may take this course include IT generalists and help desk professionals who want to learn about Exchange Server 2010. People coming into the course are expected to have at least 3 years' experience working in the IT field, typically in the areas of network administration, help desk, or system administration. They are not expected to have experience with previous Exchange Server versions.
Student Prerequisites
This course requires that you meet the following prerequisites:
- Experience managing Windows Server 2003 or Windows Server 2008 operating systems.
- Experience with Active Directory directory services or Active Directory Domain Services (AD DS).
- Fundamental knowledge of network technologies including Domain Name System (DNS) and firewall technologies.
- Experience managing backup and restore on Windows Servers.
- Experience using Windows management and monitoring tools such as Microsoft Management Console, Active Directory Users and Computers, Performance Monitor, Event Viewer, and Internet Information Services (IIS) Administrator.
- Experience using Windows networking and troubleshooting tools such as Network Monitor, Telnet, and NSLookup.
- Fundamental knowledge of certificates and Public Key Infrastructure (PKI).
Course Objectives
After completing this course, students will be able to:
- Install and deploy Exchange Server 2010.
- Configure Mailbox servers and mailbox server components.
- Manage recipient objects.
- Configure the Client Access server role.
- Manage message transport.
- Configure the secure flow of messages between the Exchange Server organization and the Internet.
- Implement a high availability solution for Mailbox servers and other server roles.
- Plan and implement backup and restore for the server roles.
- Plan and configure messaging policy and compliance.
- Configure Exchange Server permissions and security for internal and external access.
- Monitor and maintain the messaging system.
- Transition an Exchange Server 2003 or Exchange Server 2007 organization to Exchange Server 2010.
- Configure the Unified Messaging Server role and Unified Messaging components.
- Implement high availability across multiple sites and implement Federated Sharing.
Course Outline
This section provides an outline of the course: Module 1, Deploying Microsoft Exchange Server 2010 describes how to prepare for, and perform, an installation of Exchange Server 2010. This module also provides details on the Exchange Server 2010 deployment. Module 2, Configuring Mailbox Servers describes the Exchange Management Console and Exchange Management Shell management tools. This module also describes the Mailbox server role, some of the new Exchange Server 2010 features, and the most common Mailbox server role post-installation tasks. The module concludes with a discussion about public-folder configuration and usage. Module 3, Managing Recipient Objects describes how you can manage recipient objects, address policies, and address lists in Exchange Server 2010, and the procedures for performing bulk management tasks in Exchange Management Shell. Module 4, Managing Client Access describes how to implement the Client Access server role in Exchange Server 2010. Module 5, Managing Message Transport describes how to manage message transport in Exchange Server 2010, which includes topics such as components of message transport, how Exchange Server 2010 routes messages, and how you can troubleshoot message-transport issues. Additionally, this module provides details on deploying the Exchange Server 2010 Hub Transport server.
xv
Module 6, Implementing Messaging Security describes how to plan for and deploy an Exchange Server 2010 Edge Transport server role, and the security issues related to the deployment. Additionally, it describes how to configure secure Simple Mail Transfer Protocol (SMTP) messaging as well as Domain Security. Module 7, Implementing High Availability describes the high-availability technology built into Exchange Server 2010 and some of the outside factors that affect highly available solutions. This module provides details about how to deploy highly available mailbox databases as well as other Exchange Server 2010 server roles. Module 8, Implementing Backup and Recovery describes the Exchange Server 2010 backup and restore features, and what you should consider when creating a backup plan. Module 9, Configuring Messaging Policy and Compliance describes how to configure the Exchange Server 2010 messaging policy and compliance features. Module 10, Securing Microsoft Exchange Server 2010 describes how to secure your Exchange Server deployment by configuring administrative permissions and securing the Exchange Server configuration. Module 11, Maintaining Microsoft Exchange Server 2010 describes how to monitor and maintain your Exchange Server environment. Additionally, it also describes troubleshooting techniques for fixing problems that may arise. Module 12, Transitioning from Exchange Server 2003 or Exchange Server 2007 to Exchange Server 2010 describes the options that organizations have when they choose to implement Exchange Server 2010. Additionally, it describes how to transition an existing Exchange Server 2003 or Exchange Server 2007 organization to Exchange Server 2010. Appendix A, Implementing Unified Messaging describes how Unified Messaging works with your telephony system and Exchange Server environment, and how to configure Unified Messaging. 
Appendix B, Advanced Topics in Exchange Server 2010, describes how to deploy two advanced Exchange Server features: highly available Exchange Server across multiple data centers, and Federated Sharing.
Course Materials
The following materials are included with your kit:

Course Handbook: A succinct classroom learning guide that provides all the critical technical information in a crisp, tightly focused format, which is just right for an effective in-class learning experience.
Lessons: Guide you through the learning objectives and provide the key points that are critical to the success of the in-class learning experience.
Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned in the module.
Module Reviews and Takeaways: Provide improved on-the-job reference material to boost knowledge and skills retention.
Lab Answer Keys: Provide step-by-step lab solution guidance at your fingertips when it's needed.
Course Companion Content on the http://www.microsoft.com/learning/companionmoc/ site: Searchable, easy-to-navigate digital content with integrated premium online resources designed to supplement the Course Handbook.
Modules: Include companion content, such as questions and answers, detailed demo steps, and additional reading links, for each lesson. Additionally, they include Lab Review questions and answers and Module Reviews and Takeaways sections, which contain the review questions and answers, best practices, common issues and troubleshooting tips with answers, and real-world issues and scenarios with answers.
Resources: Include well-categorized additional resources that give you immediate access to the most up-to-date premium content on TechNet, MSDN, Microsoft Press
Student Course files on the http://www.microsoft.com/learning/companionmoc/ site: Includes Allfiles.exe, a self-extracting executable file that contains all the files required for the labs and demonstrations.

Course evaluation
At the end of the course, you will have the opportunity to complete an online evaluation to provide feedback on the course, training facility, and instructor. To provide additional comments or feedback on the course, send e-mail to support@mscourseware.com. To inquire about the Microsoft Certification Program, send e-mail to mcphelp@microsoft.com.
Important: At the end of each lab, you must revert the virtual machine to the state it was in before the lab started. To revert a virtual machine, perform the following steps:
1. In Hyper-V Manager, right-click the virtual machine name and click Revert.
2. In the Revert dialog box, click Yes.
The following table shows the role of each virtual machine used in this course:

Virtual machine: Role
10135A-NYC-DC1: Domain controller in the Contoso.com domain
10135A-NYC-SVR1: Member server in the Contoso.com domain
10135A-NYC-SVR2: Member server in the Contoso.com domain
10135A-VAN-DC1: Domain controller in the Adatum.com domain
10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain
10135A-VAN-EX2: Exchange 2010 server in the Adatum.com domain
10135A-VAN-EX3: Exchange 2010 server in the Adatum.com domain
10135A-VAN-EDG: Exchange 2010 Edge Transport server
10135A-VAN-CL1: Client computer in the Adatum.com domain
10135A-VAN-TMG: Microsoft Forefront Threat Management Gateway server in the Adatum.com domain
10135A-VAN-Exchange Server 2003: Exchange 2010 server in the Adatum.com domain
10135A-VAN-SVR1: Standalone server
Software Configuration
The following software is installed on each VM:
Windows Server 2008 R2, Release Candidate build
Windows 7, Release Candidate build
Exchange Server 2010, Release Candidate build
Microsoft Office 2007, Service Pack 2
Microsoft Forefront Threat Management Gateway, Beta 3
Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way. All of the aforementioned virtual machines are deployed in each student computer.
In addition, the instructor computer must be connected to a projection display device that supports SVGA 1024 x 768 pixels, 16-bit colors.
Module 1
Deploying Microsoft Exchange Server 2010
Contents:
Lesson 1: Overview of Exchange Server 2010 Requirements
Lesson 2: Installing Exchange Server 2010 Server Roles
Lab A: Installing Exchange Server 2010
Lesson 3: Completing an Exchange Server 2010 Installation
Lab B: Verifying an Exchange Server 2010 Installation
Module Overview
This module describes how to prepare for, and perform, an installation of Microsoft Exchange Server 2010. The most important task in preparing for an Exchange Server 2010 installation is to ensure that the Active Directory directory services environment is ready. Exchange Server 2010 requires an Active Directory deployment because Active Directory stores all configuration and recipient information that Exchange Server uses. This module also provides details on the Exchange Server 2010 deployment. To install Exchange Server 2010 properly for your environment, you must be aware of the server roles that Exchange Server can install. Additionally, you should be aware of the infrastructure, hardware, and software requirements for introducing Exchange Server 2010 into a messaging environment. Finally, you should know how to verify, troubleshoot, and secure the installation.

After completing this module, you will be able to:
Describe the infrastructure requirements to install Exchange Server 2010.
Install Exchange Server 2010 server roles.
Complete an Exchange Server 2010 installation.
Lesson 1: Overview of Exchange Server 2010 Requirements
In this lesson, you will review the requirements for installing Exchange Server 2010. The most important requirement is the Active Directory deployment, but you also must ensure that you implement the appropriate Domain Name System (DNS) infrastructure. You also should be aware of the Exchange Server 2010 infrastructure requirements when you perform an installation, and when you need to troubleshoot deployment issues.

After completing this lesson, you will be able to:
Describe the Active Directory components.
Describe the Active Directory partitions.
Describe how Exchange Server 2010 uses Active Directory.
Describe the DNS requirements for Exchange Server 2010.
Prepare Active Directory for Exchange Server 2010.
Describe the integration of Active Directory and Exchange Server 2010.
Key Points
Active Directory is the integrated, distributed directory service that is included with the Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, and Windows 2000 Server operating systems. Many applications, such as Exchange Server 2010, integrate with Active Directory. This creates a link between user accounts and applications, which enables single sign-on for applications. Additionally, the Active Directory replication capabilities enable distributed applications to replicate application-configuration data.
Discussion Questions
Based on your experience, consider the following questions:
Question: What is the definition of a domain?
Question: What is the definition of a forest?
Question: Under what circumstances would an organization deploy multiple domains in the same forest?
Question: Under what circumstances might an organization deploy multiple forests?
Question: What are trusts?
Question: What type of information do domains in a forest share?
Question: What is the functionality of a domain controller?
Question: What is a global catalog server?
Question: What is the definition of an Active Directory site?
Question: What is Active Directory replication?
Question: How do Active Directory sites affect replication?
Key Points
Active Directory information falls into four types of partitions: domain, configuration, schema, and application. These directory partitions are the replication units in Active Directory.
Domain Partition
A domain partition contains all objects in the domain's directory. Domain objects replicate to every domain controller in that domain, and include user and computer accounts, and groups. A subset of the domain partition replicates to all domain controllers in the forest that are global catalog servers. If you configure a domain controller as a global catalog server, it holds a complete copy of its own domain's objects and a subset of attributes for every domain's objects in the forest.
Configuration Partition
The configuration partition contains configuration information for Active Directory and applications, including Active Directory site and site link information. Additionally, some distributed applications and services store information in the configuration partition. This information replicates through the entire forest so each domain controller has a replica of the configuration partition.
Schema Partition
The schema partition contains definition information for all object types and their attributes that you can create in Active Directory. This data is common to all domains in the forest, and Active Directory replicates it to all domain controllers in the forest. However, only one domain controller maintains a writable copy of the schema. By default, this domain controller, known as the Schema Master, is the first domain controller installed in an Active Directory forest.
Application Partitions
An administrator, or an application during its installation, creates application partitions manually. Application partitions hold specific application data that the application requires. The main benefit of application partitions is replication flexibility. You can specify the domain controllers that hold a replica of an application partition, and these domain controllers can be a subset of the domain controllers throughout the forest. Exchange Server 2010 does not use application partitions to store information.
Key Points
To ensure proper placement of Active Directory components in relation to computers running Exchange Server, you must understand how Exchange Server 2010 communicates with Active Directory Domain Services (AD DS) and uses Active Directory information to function. Note: The Exchange Server 2010 Edge Transport server role does not use Active Directory to store configuration information. Instead, the Edge Transport server role uses Active Directory Lightweight Directory Services (AD LDS). For more details, see Module 6, Implementing Messaging Security.
Forests
An Exchange Server organization and an Active Directory forest have a one-to-one relationship. You cannot have an Exchange Server organization that spans multiple Active Directory forests. You also cannot have multiple Exchange Server organizations within a single Active Directory forest.
Schema Partition
The Exchange Server 2010 installation process modifies the schema partition to enable the creation of Exchange Server-specific objects. The installation process also adds Exchange Server-specific attributes to existing objects.
Configuration Partition
The configuration partition stores configuration information for the Exchange Server 2010 organization. Because Active Directory replicates the configuration partition among all domain controllers in the forest, configuration of the Exchange Server 2010 organization replicates throughout the forest.
Domain Partition
The domain partition holds information about recipient objects. This includes mailbox-enabled users, and mail-enabled users, groups, and contacts. Objects that are mailbox-enabled or mail-enabled have preconfigured attributes, such as e-mail addresses.
Global Catalog
When you install Exchange Server 2010, the e-mail attributes for mail-enabled and mailbox-enabled objects replicate to the global catalog. The following is true:
The global address list is generated from the recipients list in an Active Directory forest's global catalog.
Exchange Hub Transport servers access the global catalog to find the location of a recipient mailbox when delivering messages.
Exchange Client Access servers access the global catalog server to locate the user's Mailbox server and to display the global address list to Microsoft Office Outlook, Microsoft Outlook Web App, or Exchange ActiveSync clients.

Important: Because of the importance of the global catalog in an Exchange Server organization, you must deploy at least one global catalog in each Active Directory site that contains an Exchange 2010 server. You must deploy enough global catalog servers to ensure adequate performance.
Note: Windows Server 2008 provides a new type of domain controller: the read-only domain controller (RODC). Exchange Server 2010 does not use RODCs, or RODCs that you configure as global catalog servers (read-only global catalog servers, ROGCs). This means that you should not deploy an Exchange 2010 server in any site that contains only RODCs or ROGCs.
Key Points
Each computer running Exchange Server must use DNS to locate Active Directory and global catalog servers. As a site-aware application, Exchange Server 2010 prefers to communicate with directory servers that are located in the same site as the computer running Exchange Server.
Role of DNS
Exchange Server services use DNS to locate a valid domain controller or global catalog. By default, each time a domain controller starts the Netlogon service, it updates DNS with service (SRV) records that describe it as a domain controller and global catalog server, if applicable.
The SRV records for domain controllers and global catalog servers are registered with several different variations to allow locating domain controllers and global catalog servers in several different ways. One option is to register DNS records by site name, which enables computers running Exchange Server to find domain controllers and global catalog servers in the local Active Directory site. Exchange Server always performs DNS resource queries for the local Active Directory site first.
Host Records
Host records provide a host name to IP address mapping. Host records are required for each domain controller and other hosts that need to be accessible to Exchange Servers or client computers. Host records can use IPv4 (A records) or IPv6 (AAAA records).
MX Records
A Mail Exchanger (MX) record is a resource record that allows servers to locate other servers to deliver Internet e-mail using the Simple Mail Transfer Protocol (SMTP). An MX record identifies the SMTP server that will accept inbound messages for a specific DNS domain. Each MX record contains a host name and a preference value. When you deploy multiple SMTP servers that are accessible from the Internet, you can assign equal preference values to each MX record to enable load balancing between the SMTP servers. You also can specify a lower preference value for one of the MX records. All messages are routed through the SMTP server that has the lower preference-value MX record, unless that server is not available.

Note: In addition to SRV, Host, and MX records, you also may need to configure Sender Policy Framework (SPF) records to support Sender ID spam filtering. Module 6 provides more information on SPF records. Additionally, some organizations use reverse lookups as an option for spam filtering, so you should consider adding reverse lookup records for all SMTP servers that send your organization's e-mail.
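The following script is an added example and is not part of the course handbook. It checks, from a prospective Exchange server, each of the DNS records this topic describes: the site-specific SRV records that Exchange queries first, the forest-wide fallbacks, the DC locator's own answer, the MX records with their preference values, and the reverse lookup for each MX host. It uses only tools that ship with Windows Server 2008 R2 (nslookup and nltest). The forest name contoso.com and the site name Default-First-Site-Name are assumptions; replace them with your own.

```powershell
# Added example, not part of the course handbook: check the DNS records that
# Exchange Server 2010 depends on, using tools that ship with Windows Server 2008 R2.
# Assumptions: forest root and SMTP domain contoso.com, Active Directory site name
# Default-First-Site-Name. Replace these with your own values.
$Forest = 'contoso.com'
$Site   = 'Default-First-Site-Name'

# 1. Site-specific SRV records. Exchange queries the _sites branch first so that it
#    talks to directory servers in its own site; if these names return nothing, no DC
#    or GC has registered in that site and Exchange falls back to the forest-wide names.
$SrvNames = @(
    "_ldap._tcp.$Site._sites.dc._msdcs.$Forest",  # domain controllers in this site
    "_gc._tcp.$Site._sites.$Forest",              # global catalog servers in this site
    "_ldap._tcp.dc._msdcs.$Forest",               # any domain controller (fallback)
    "_gc._tcp.$Forest"                            # any global catalog (fallback)
)
foreach ($Name in $SrvNames) {
    "== SRV $Name"
    nslookup -type=SRV $Name | Select-String 'svr hostname|priority|weight|port'
}

# 2. Ask the DC locator itself for a global catalog in this site; /force bypasses its
#    cache. An answer from another site means the local site has no GC and needs one
#    before an Exchange server is placed there.
nltest "/dsgetdc:$Forest" /gc "/site:$Site" /force

# 3. Inbound mail path: each MX record carries a preference; the lowest value is tried
#    first, and equal values share the load.
nslookup -type=MX $Forest | Select-String 'mail exchanger'

# 4. Reverse lookup for every MX host. A missing PTR record is a common reason that
#    remote spam filters reject mail sent from these servers.
$MxHosts = nslookup -type=MX $Forest |
    Select-String 'mail exchanger = (\S+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value }
foreach ($MxHost in $MxHosts) {
    foreach ($Ip in [System.Net.Dns]::GetHostAddresses($MxHost)) {
        "== PTR for $MxHost ($($Ip.IPAddressToString))"
        nslookup $Ip.IPAddressToString | Select-String 'Name:'
    }
}
```

Run it once from each site in which you intend to place an Exchange server; a site whose _sites records are empty, or for which nltest returns a domain controller from a different site, is not ready.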
Key Points
To install Exchange Server 2010, you need to run the Exchange Server 2010 setup command to prepare the Active Directory forest for the installation. You can use the setup command with the following switches.

Setup switch: /PrepareAD /OrganizationName:organizationname
Explanation: Creates the Exchange Server organization with the specified name in the configuration partition. Must be run by a member of the Enterprise Admins group.

Setup switch: /PrepareLegacyExchangePermissions
Explanation: Necessary if the organization contains Exchange Server 2003 servers. Modifies the permissions assigned to the Enterprise Exchange Servers group to allow the Recipient Update Service to run. Must be run by a member of the Enterprise Admins group.

Setup switch: /PrepareSchema
Explanation: Prepares the schema for the Exchange Server 2010 installation. Must be run by a member of the Enterprise Admins and Schema Admins groups.
Important: You must prepare the Active Directory forest in the same domain and the same site as the domain controller that hosts the Schema Master role.
Key Points
In this demonstration, you will review the integration of Active Directory and Exchange Server 2010.
Demonstration Steps
1. On a domain controller, open Active Directory Users and Computers.
2. In the Active Directory domain, expand the Microsoft Exchange Security Groups organizational unit.
3. Review the description and membership of the following Active Directory groups: Organization Management, Recipient Management, View-Only Organization Management, and Discovery Management.
4. Open ADSI Edit, and connect to the domain partition. Review the information in the domain partition.
5. Connect to the configuration partition. Review the information in the configuration partition, and in the CN=Services, CN=Microsoft Exchange, CN=<Exchange organization name> container.
6. Connect to the schema partition. Review the information in the schema partition, and point out the attributes and class objects that begin with ms-Exch.
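The following script is an added example and is not part of the course handbook. It ties together the setup switches described earlier in this lesson and the demonstration above: it checks the operator's group membership and the Schema Master location before running the preparation commands, runs /PrepareSchema, /PrepareAD and /PrepareAllDomains in order (the last switch is not in the table above but is part of Exchange Server 2010 setup), and then uses the Active Directory module to confirm what setup wrote to the schema, configuration and domain partitions, which is what the ADSI Edit demonstration shows interactively. The media path D:, the organization name Contoso, and the forest contoso.com are assumptions.

```powershell
# Added example, not part of the course handbook: prepare the forest from the
# Exchange Server 2010 media and confirm what setup wrote to each partition.
# Assumptions: media on D:, organization name Contoso, forest root contoso.com.
# Run on a 64-bit server in the Schema Master's domain and site, as a member of
# Enterprise Admins and Schema Admins.

Import-Module ActiveDirectory   # provided by the RSAT-ADDS feature on Windows Server 2008 R2

# 0. Check rights before touching the schema rather than discovering them from a
#    failed run, and note which DC is the Schema Master: setup must be run from its
#    domain and site.
whoami /groups | Select-String 'Enterprise Admins|Schema Admins'
(Get-ADForest).SchemaMaster

# 1. Order matters: schema first, then the organization, then every domain that
#    will hold Exchange servers or mail-enabled recipients.
D:\setup.com /PrepareSchema
D:\setup.com /PrepareAD /OrganizationName:Contoso
D:\setup.com /PrepareAllDomains

# 2. Schema partition: classes and attributes whose names begin with ms-Exch now exist.
$RootDse = Get-ADRootDSE
$ExchSchema = Get-ADObject -SearchBase $RootDse.schemaNamingContext -LDAPFilter '(name=ms-Exch-*)'
"ms-Exch schema objects: {0}" -f @($ExchSchema).Count

# 3. Configuration partition: the organization container. This partition replicates
#    forest-wide, so after replication every domain controller returns the same object.
$OrgPath = "CN=Contoso,CN=Microsoft Exchange,CN=Services,$($RootDse.configurationNamingContext)"
Get-ADObject -Identity $OrgPath -Properties objectVersion | Format-List Name, objectVersion

# 4. Domain partition: the role groups setup created, and who is in them. These groups
#    grant organization-wide rights, so review their membership from the start.
$GroupsOu = "OU=Microsoft Exchange Security Groups,$($RootDse.defaultNamingContext)"
foreach ($G in 'Organization Management', 'Recipient Management',
              'View-Only Organization Management', 'Discovery Management') {
    $Members = Get-ADGroupMember -Identity "CN=$G,$GroupsOu" |
        Select-Object -ExpandProperty SamAccountName
    "{0}: {1}" -f $G, ($Members -join ', ')
}

# 5. Schema Admins membership should be temporary. Remove the account once
#    /PrepareSchema has completed (uncomment after confirming the account name).
# Remove-ADGroupMember -Identity 'Schema Admins' -Members $env:USERNAME -Confirm:$false
```

Keep the Schema Admins and Enterprise Admins membership only for the duration of the preparation steps; the Exchange role groups created in step 4 are what day-to-day Exchange administration should use.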
Question: How do you assign permissions in your Exchange organization? How will you assign permissions using the Exchange security groups?
Question: Which Active Directory partition would you expect to contain the following information?
A user's e-mail address
An Exchange connector for sending e-mail to the Internet
The Exchange Server configuration
Lesson 2: Installing Exchange Server 2010 Server Roles
Before you install Exchange Server 2010, you need to understand the concept of Exchange Server 2010 server roles. Each server role provides a specific set of functionality that an Exchange Server organization requires. When you install Exchange Server 2010, you can install all server roles on the same computer, except for the Edge Transport server role. Alternately, you can distribute the roles across multiple computers. After you decide which server role to deploy on each Exchange server, you must ensure that the network infrastructure and servers are ready for the Exchange Server 2010 installation.

After completing this lesson, you will be able to:
Describe the server roles included in Exchange Server 2010.
Describe the options for deploying Exchange Server 2010.
Describe the hardware recommendations for combining server roles in Exchange Server 2010.
Describe the options for integrating Exchange Server 2010 and Exchange Online Services.
Describe the infrastructure requirements for installing Exchange Server 2010.
Describe the server requirements for installing Exchange Server 2010.
Describe the considerations for deploying Exchange Server 2010 servers as virtual machines.
Describe the process for installing Exchange Server 2010.
Describe the options for performing an unattended installation.
Key Points
Exchange Server 2010 provides functionality that falls into five separate server roles. When you install Exchange Server 2010, you can select one or more of these roles for installation on the server. Large organizations might deploy several servers with each role, whereas a small organization might combine all server roles except the Edge Transport server role on one computer. Important: Exchange Server 2010 server roles are a logical grouping of features and components that perform a specific function in the messaging environment. You can install all server roles, except the Edge Transport server role, on the same physical computer.
part of an Active Directory domain, it cannot use Active Directory to store configuration information. Instead, it uses AD LDS on Windows Server 2008 computers to access recipient and configuration information.

Client Access server role. The Client Access server role enables connections from all available client protocols to the Exchange Server mailboxes. You must assign at least one Client Access server in each Active Directory site that contains a Mailbox server. Client protocols that connect through a Client Access server include:
Messaging Application Programming Interface (MAPI) clients
Outlook Web App clients
Post Office Protocol (POP) and Internet Message Access Protocol (IMAP) clients
Outlook Anywhere, which is known as remote procedure call (RPC) over HTTP in Exchange Server 2003
Exchange ActiveSync clients

Note: In previous Exchange Server versions, MAPI clients connect directly to the Mailbox servers. In Exchange Server 2010, all clients, including MAPI clients, connect to the Client Access servers. MAPI clients still connect directly to Mailbox servers when accessing public folders.

Unified Messaging server role. The Unified Messaging server role provides the foundation of services that integrate voice and fax messages into your organization's messaging infrastructure. This role requires the presence of three other server roles: Hub Transport, Client Access, and Mailbox. The Unified Messaging server provides access to voice messages and faxes.
Key Points
You can deploy the server roles in Exchange Server 2010 in several different scenarios, depending on an organizations size and requirements. If you are an administrator, it is important to understand the deployment scenarios when you plan an Exchange Server system.
Key Points
You can install all roles, except the Edge Transport server role, on a single computer. When you design the hardware configuration for servers on which you install multiple server roles, consider the following recommendations:
You should plan for at least two processor cores, at a minimum, for a server with multiple server roles. The recommended number of processor cores is eight, while 24 is the maximum recommended number.
You should design a server with multiple roles to use half of the available processor cores for the Mailbox role and the other half for the Client Access and Hub Transport roles.
You should plan for the following memory configuration for a server with multiple server roles: 8 gigabytes (GB), plus between 2 megabytes (MB) and 10 MB per mailbox. This can vary based on the user profile and the number of storage groups. We recommend 64 GB as the maximum amount of memory you need.
To accommodate the Client Access and Hub Transport server roles on the same server as the Mailbox server role, you should reduce the number of mailboxes per core, as calculated from the average client profile, by 20 percent.
You can deploy multiple Exchange server roles on a Mailbox server that is a member of a database availability group (DAG). This means that you can provide full redundancy for the Mailbox, Hub Transport, and Client Access server roles on just two Exchange servers.
Options for Integrating Exchange Server 2010 and Exchange Online Services
Key Points
One deployment option available in Exchange Server 2010 is to integrate your messaging system with Exchange Online Services. Exchange Online Services is part of the Business Productivity Online services that Microsoft offers.
some of your organization's mailboxes on Exchange Online. You can use the Exchange Management Console to move mailboxes to Exchange Online Services and to manage those mailboxes. For more information on Exchange Online Services, refer to the links provided on the CD.
Key Points
Before you deploy Exchange Server 2010 in your organization, you need to ensure that your organization meets Active Directory and DNS requirements.
DNS Requirements
Before you install Exchange Server 2010, you must ensure that your organization meets the following requirements:
You must configure DNS correctly in your Active Directory forest.
All servers that run Exchange Server 2010 must be able to locate Active Directory domain controllers, global catalog servers, and other Exchange servers.
Key Points
Exchange Server 2010 requires a minimum level of hardware, and specific software, before you can install it.
Hardware Requirements
You can deploy Exchange Server 2010 only on 64-bit versions of Windows Server 2008 or Windows Server 2008 R2 running on 64-bit hardware.

Resource: Requirement
Processor: 64-bit hardware, as described above.
Memory: A minimum of 2 GB of system memory, plus 2 to 6 MB per mailbox. This recommendation is based on the number of mailbox databases and the user-usage profile.
Disk space: 1.2 GB of disk space for Exchange Server files and 200 MB of free disk space on the system drive.
File system: Drives formatted with the NTFS file system for all Exchange Server-related volumes.
Important: Exchange Server 2010 is available only in 64-bit versions, which means that you can install all components, including the Exchange Management tools, only on 64-bit operating systems.
Key Points
One option with Exchange Server 2010 is to deploy the servers as virtual machines.
or deploy a Client Access server with sufficient client connections so that your organization fully utilizes all hardware resources.

One of the benefits of running virtual machines is that you can configure high availability within the virtual machine environment. For example, you can deploy Quick Migration in Windows Server 2008 Hyper-V or Live Migration in Windows Server 2008 R2 Hyper-V. However, Microsoft does not support running both DAGs and a virtual machine-based high availability solution. If you require high availability, you should use the Exchange Server 2010 solution.

The storage used by the Exchange Server guest machine can be virtual storage of a fixed size, SCSI pass-through storage, or Internet SCSI (iSCSI) storage. Pass-through storage is storage that is configured at the host level and dedicated to one guest machine. To provide the best performance for Exchange server storage, use either pass-through disks or fixed-size virtual disks.

Running Exchange servers as virtual machines can complicate performance monitoring. The performance data between the host and virtual machine is not consistent because the virtual machine uses only some part of the host's resources.

One of the most common performance bottlenecks for Mailbox servers is network input/output (I/O). When you run Mailbox servers in a virtual environment, the virtual machines have to share this I/O bandwidth with the host machine and other virtual machine servers deployed on the same host. A heavily utilized Mailbox server can consume all of the available I/O bandwidth, which makes it impractical to host additional virtual machines on the physical server.

If you are planning to deploy Exchange Server 2010 as a virtual machine, ensure that you plan the virtual hardware requirements carefully. You must assign the same hardware resources to the Exchange Server virtual machine as you would assign to a physical server running the same workload.
Key Points
The Exchange Server 2010 graphical setup program guides you through the installation process. The following steps provide a high-level installation overview:
1. Install the prerequisite software. If you install Exchange Server on Windows Server 2008 R2, the correct versions of Windows PowerShell and Windows Remote Management are installed already.
2. To start the installation, run setup.exe from the installation source.
3. The Setup program checks to ensure that the correct software is installed on the computer. After you finish installing all the required software, you can proceed with the installation of Exchange Server 2010.
4. Exchange Server 2010 provides the option to install additional language packs that will enable the management tools to display in languages other than English. You can choose to install the language packs during the installation.
5. The Installation Type page of the wizard presents you with the option to perform a Typical Exchange Server Installation or a Custom Exchange Server Installation. The typical installation option installs the Hub Transport server role, the Client Access server role, the Mailbox server role, and the Exchange Management tools. The custom installation option allows you to choose the roles you want to install.
6. If this is the first Exchange Server 2010 server in the deployment, and you did not run setup /PrepareAD, you are prompted for the Exchange organization name.
7. If you chose the Mailbox server role, the Exchange Setup program asks whether you have any Office Outlook 2003 or Entourage clients in the organization. If you choose Yes, Exchange Setup creates the public folders required by these clients for the offline address book and for sharing calendar information.
8. If you choose to install the Client Access server role, you also can configure the external domain name for the Client Access server. Clients use this external domain name to connect to the server from the Internet.
Note: Exchange Server 2010 supports Office Outlook 2003 SP1 or later clients. The only Entourage version supported by Exchange Server 2010 is Entourage 2008, Web Services Edition. This version of Entourage requires public folders.
Key Points
You can use the command line to perform an unattended Exchange Server 2010 installation. When you use the command line, you can use parameters to install specified roles or configure other setup options. Note: To run an unattended installation with setup parameters, you must run setup.com or setup rather than setup.exe. To see all the parameters available for use with setup.com, run the command with the /? parameter. The syntax for this command is:
Setup.com [/roles:<roles to install>] [/mode:<setup mode>] [/console] [/?] [/targetdir:<destination folder>] [/prepareAD] [/domaincontroller:<FQDN>]
For example, if you want to install Exchange Server 2010 into the default path, and specify the roles of Hub Transport, Client Access, and Mailbox, you would enter the command:
Setup.com /r:H,M,C
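The following script is an added example and is not part of the course handbook. It runs the unattended installation described above from a build script, uses the full role names rather than the single-letter abbreviations, supplies the organization name, target directory and domain controller switches from the syntax line, and treats setup.com's exit code and log as the result to check rather than assuming success. The media path D:, the organization name Contoso, the target volume E: and the domain controller dc1.contoso.com are assumptions.

```powershell
# Added example, not part of the course handbook: unattended installation from a build
# script, so that every server is built the same way and the result is checked.
# Assumptions: media on D:, first server in the organization (hence /OrganizationName),
# Exchange binaries on a dedicated volume E:, setup directed at dc1.contoso.com.

$Setup = 'D:\setup.com'

# Quote arguments that contain commas: in PowerShell an unquoted H,M,C is split into
# three separate arguments before setup.com ever sees it.
& $Setup '/mode:Install' '/roles:HubTransport,ClientAccess,Mailbox' `
         '/OrganizationName:Contoso' '/TargetDir:E:\ExchangeServer' `
         '/DomainController:dc1.contoso.com'

# setup.com returns a non-zero exit code on failure; a build script must not continue
# past it. The setup log is the first place to look, and the last lines tagged [ERROR]
# usually name the step that failed.
if ($LASTEXITCODE -ne 0) {
    Select-String -Path 'C:\ExchangeSetupLogs\ExchangeSetup.log' -Pattern '\[ERROR\]' |
        Select-Object -Last 10
    throw "Exchange setup failed with exit code $LASTEXITCODE"
}
"Exchange setup completed; review C:\ExchangeSetupLogs\ExchangeSetup.log before proceeding."
```

For the second and later servers in the organization, omit /OrganizationName; setup reads the organization from the configuration partition.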
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. In Hyper-V Manager, click 10135A-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect.
4. Click the CTRL+ALT+DELETE button in the top-left corner of the Virtual Machine Connection window. Log on using the following credentials: User name: Administrator; Password: Pa$$w0rd; Domain: Contoso.
5. Repeat these steps to start, and log on to, the 10135A-NYC-SVR2 virtual machine.

10135A-NYC-DC1: Domain controller in the Contoso.com domain.
10135A-NYC-SVR2: Member server in the Contoso.com domain.
Lab Scenario
You are working as a messaging administrator in Contoso Ltd. Your organization is preparing to install its first Exchange Server 2010 server. Contoso Ltd. is a large multinational organization that includes offices in Seattle, Washington, in the United States, and in Tokyo, Japan. Contoso Ltd. does not have a previous version of Exchange Server deployed so you do not have to upgrade a previous messaging system. Before installing Exchange Server 2010, you must verify that the Active Directory environment is ready for the installation. You also must verify that all computers that will run Exchange Server 2010 meet the prerequisites for installing Exchange.
Task 1: Install the Windows Server 2008 server roles and features
1. On NYC-SVR2, in Server Manager, install the prerequisite server roles and features for Exchange Server 2010.
2. Configure the Net.Tcp Port Sharing Service to start Automatically.
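The following script is an added example and is not part of the course handbook. It performs the two steps of Task 1 from an elevated PowerShell session on NYC-SVR2 instead of through Server Manager, installing only the features that are missing so that it can be re-run, and then checking the result before setup is started. The feature list is the one documented for a typical Exchange Server 2010 installation (Hub Transport, Client Access, and Mailbox roles) on Windows Server 2008 R2; treat it as an assumption and compare it with the release notes for your build, since the Edge Transport and Unified Messaging roles need a different set.

```powershell
# Added example, not part of the course handbook: Task 1 as a script, run in an elevated
# PowerShell session on NYC-SVR2 (Windows Server 2008 R2).
# Assumption: this feature list is the documented set for a typical (Hub Transport,
# Client Access, Mailbox) Exchange Server 2010 installation; check it for your build.
Import-Module ServerManager

$Features = 'NET-Framework', 'RSAT-ADDS', 'Web-Server', 'Web-Basic-Auth', 'Web-Windows-Auth',
            'Web-Metabase', 'Web-Net-Ext', 'Web-Lgcy-Mgmt-Console', 'WAS-Process-Model',
            'RSAT-Web-Server', 'Web-ISAPI-Ext', 'Web-Digest-Auth', 'Web-Dyn-Compression',
            'NET-HTTP-Activation', 'RPC-Over-HTTP-Proxy'

# Install only what is missing so the script can be re-run safely. Add-WindowsFeature
# reports whether a restart is still pending; Exchange setup will refuse to run until
# that restart has happened.
$Missing = Get-WindowsFeature $Features | Where-Object { -not $_.Installed }
if ($Missing) {
    $Result = Add-WindowsFeature ($Missing | Select-Object -ExpandProperty Name)
    if ($Result.RestartNeeded -ne 'No') {
        Write-Warning 'Restart the server before running Exchange setup'
    }
}

# Exchange setup checks that the Net.Tcp Port Sharing Service is set to start automatically.
Set-Service -Name NetTcpPortSharing -StartupType Automatic

# Final check before setup: the first command should return nothing, and the second
# should show StartMode Auto. (Get-Service on this Windows version does not expose the
# start mode, so WMI is used instead.)
Get-WindowsFeature $Features | Where-Object { -not $_.Installed } | Select-Object Name
Get-WmiObject Win32_Service -Filter "Name='NetTcpPortSharing'" |
    Select-Object Name, State, StartMode
```

A prerequisite left uninstalled is reported by setup's readiness checks later, but catching it here keeps the installation itself from stopping half way.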
Lesson 3: Completing an Exchange Server 2010 Installation
After you install the necessary server roles in Exchange Server 2010, you should verify the installation and perform post-installation tasks, including securing Exchange Server 2010 and installing additional third-party software, if necessary. This lesson describes the post-installation tasks that you should perform.

After completing this lesson, you will be able to:
Verify an Exchange Server 2010 installation.
Verify an Exchange Server 2010 deployment.
Describe how to troubleshoot an Exchange Server 2010 installation.
Describe how to finalize an Exchange Server 2010 installation.
Key Points
If all prerequisites are met, the Exchange Server installation should complete successfully. However, you should verify that the installation was successful.
Demonstration Steps
1. On VAN-EX1, open the Services management console, and review the Microsoft Exchange services that were added during the installation.
2. Open Windows Explorer, and browse to C:\ExchangeSetupLogs.
3. Review the contents of the ExchangeSetup.log file.
4. Describe some of the other files in this folder.
5. Browse to C:\Program Files\Microsoft\Exchange Server\V14. Describe the contents of the folders in this location.
6. Open the Exchange Management Console.
7. Under Server Configuration, verify that the server that you installed is listed.
8. Click Toolbox and review the installed tools.
9. In the left pane, click Recipient Configuration. Create a new mailbox.
10. Open Internet Explorer, and connect to the Outlook Web App site on a Client Access server. Log on using the credentials for the new mailbox that you created.
11. Send an e-mail to the mailbox that you created. Verify that the message is delivered.
Create a user account with a mailbox and connect to that mailbox using an Office Outlook client or Outlook Web App.
For more information: For detailed information about each of the log files created during the installation, see Exchange Server Help.
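The checks in the demonstration above can also be scripted so that they are repeatable after every installation. The following is an added example, not part of the course; it runs in the Exchange Management Shell, the server name VAN-EX1, the setup log folder and the chris@contoso.com mailbox are taken from this module, and everything else is an assumption for the example.

```powershell
# Added example (not part of the course): scripted post-installation checks for
# an Exchange Server 2010 server, run from the Exchange Management Shell.
# Assumptions: the server VAN-EX1, the setup log folder and the mailbox
# chris@contoso.com come from the lesson; adjust them for your environment.

$server     = "VAN-EX1"
$setupLog   = "C:\ExchangeSetupLogs\ExchangeSetup.log"
$testTarget = "chris@contoso.com"   # mailbox created during the demonstration

# 1. Microsoft Exchange services: anything set to start automatically that is
#    not running is the first place to look (WMI works on PowerShell 2.0).
$stopped = Get-WmiObject -Class Win32_Service -ComputerName $server `
    -Filter "Name LIKE 'MSExchange%' AND StartMode = 'Auto' AND State <> 'Running'"
if ($stopped) {
    Write-Host "Automatic Exchange services that are not running on ${server}:"
    $stopped | Select-Object Name, State | Format-Table -AutoSize
} else {
    Write-Host "All automatic Microsoft Exchange services are running on $server."
}

# 2. Setup log: surface every line that Setup tagged as an error or warning.
#    (Assumption: the log marks such lines with [ERROR] and [WARNING].)
if (Test-Path $setupLog) {
    $problems = Select-String -Path $setupLog -Pattern '\[(ERROR|WARNING)\]'
    Write-Host ("Setup log: {0} error/warning line(s)" -f @($problems).Count)
    $problems | Select-Object -Last 10 | ForEach-Object { $_.Line }
} else {
    Write-Warning "Setup log $setupLog not found"
}

# 3. The server object in Active Directory, as the Exchange Management Console
#    shows it under Server Configuration.
Get-ExchangeServer -Identity $server |
    Format-List Name, ServerRole, Edition, AdminDisplayVersion, Site

# 4. Exchange's own view of the required services, per installed role.
Test-ServiceHealth -Server $server |
    Format-Table Role, RequiredServicesRunning, ServicesNotRunning -AutoSize

# 5. Message delivery: send a test message from the system mailbox to the new
#    mailbox and report whether it arrived and how long it took.
$flow = Test-Mailflow -Identity $server -TargetEmailAddress $testTarget
Write-Host ("Mail flow to {0}: {1} (latency {2})" -f $testTarget,
    $flow.TestMailflowResult, $flow.MessageLatencyTime)
```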
Key Points
The Microsoft Exchange Server Best Practices Analyzer Tool automatically examines an Exchange Server deployment and determines whether the configuration meets Microsoft best practices. Microsoft performs periodic updates on the definitions that the Exchange Server Best Practices Analyzer uses, so they typically reflect the latest version of the Microsoft best practices recommendations. We recommend running the Exchange Server Best Practices Analyzer after you install a new Exchange server, upgrade an existing Exchange server, or make configuration changes. You can find the Exchange Server Best Practices Analyzer in the Toolbox node of the Exchange Management Console. In this demonstration, your instructor will run the Exchange Server Best Practices Analyzer and review the generated reports.
Note: For more information about the Exchange Server Best Practices Analyzer, view the Exchange Server Best Practices Analyzer Help that is available with the Exchange Server Best Practices Analyzer Tool.
Demonstration Steps
1. On VAN-EX1, open Exchange Management Console, and click Toolbox.
2. Start the Best Practices Analyzer, and clear the options to check for updates and to join the customer improvement program. Go to the Welcome page.
3. Start a new scan. Choose to perform a Health Check scan to scan the server that you just installed.
4. When the scan finishes, view the following tabs and reports:
Critical Issues
All Issues
Recent Changes
Key Points
The Exchange Server installation should complete successfully if you meet all prerequisites. However, if the installation does not complete properly, it is important for you to follow a consistent troubleshooting process.
Troubleshooting Process
Each time you troubleshoot any application or service, you should follow a consistent process, as this ensures that you do not miss steps and that problems are resolved quickly.
Incorrect domain functional level. All domains with Exchange Server 2010 recipients or servers must be at Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003 functional level. To resolve this problem, raise the domain functional level to the appropriate functional level.
Insufficient Active Directory permissions. When you install Exchange Server 2010, you need sufficient permissions to extend the Active Directory schema and modify the Active Directory configuration partition. To perform the initial schema extension, you must be a member of the Enterprise Admins and Schema Admins groups.
Insufficient Exchange permissions. To install Exchange Server 2010 into an existing organization, you must be a member of the Exchange Admins group. You also must run Setup.exe with the /PrepareLegacyExchangePermissions switch. Wait for replication throughout the Exchange Server organization before you continue.
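The functional-level, permission and schema-master conditions above can be checked before Setup is started, which is cheaper than reading the setup log after a failure. The following script is an added example, not course material; it uses only the .NET directory classes available on Windows Server 2008, and its function name and output object are assumptions.

```powershell
# Added example (not part of the course): pre-installation checks for the
# installation blockers the lesson lists, run on the server where Setup will
# execute. Only .NET directory classes are used, so no extra modules are needed.
# The function name and output object are assumptions for this example.

Add-Type -AssemblyName System.DirectoryServices

function Test-ExchangeInstallReadiness {
    $forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $minMode = [System.DirectoryServices.ActiveDirectory.DomainMode]::Windows2003Domain

    # 1. Domain functional level. Windows Server 2003 or later is required for
    #    every domain with Exchange recipients or servers; checking every
    #    domain in the forest is the safe superset of that rule.
    $lowDomains = @()
    foreach ($d in $forest.Domains) {
        if ([int]$d.DomainMode -lt [int]$minMode) {
            $lowDomains += "$($d.Name) ($($d.DomainMode))"
        }
    }

    # 2. Schema master location. Setup should run in the same Active Directory
    #    site as the schema master, so compare its site with this computer's.
    $schemaMaster = $forest.SchemaRoleOwner
    $localSite = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
    $sameSite  = ($schemaMaster.SiteName -eq $localSite)

    # 3. Group membership of the account that will run Setup. This is read
    #    from the logon token, so an account that was just added to a group
    #    must log off and on again before this check (and Setup) will see it.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $groups = $identity.Groups | ForEach-Object {
        try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { }
    }
    $isEnterpriseAdmin = @($groups | Where-Object { $_ -like "*\Enterprise Admins" }).Count -gt 0
    $isSchemaAdmin     = @($groups | Where-Object { $_ -like "*\Schema Admins" }).Count -gt 0
    $ready = ($lowDomains.Count -eq 0 -and $sameSite -and $isEnterpriseAdmin -and $isSchemaAdmin)

    New-Object PSObject -Property @{
        RunningAs              = $identity.Name
        DomainsBelowWin2003    = $lowDomains
        SchemaMaster           = $schemaMaster.Name
        SchemaMasterSite       = $schemaMaster.SiteName
        LocalSite              = $localSite
        SameSiteAsSchemaMaster = $sameSite
        IsEnterpriseAdmin      = $isEnterpriseAdmin
        IsSchemaAdmin          = $isSchemaAdmin
        ReadyForSchemaUpdate   = $ready
    }
}

Test-ExchangeInstallReadiness | Format-List
```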
Key Points
After finishing the Exchange Server installation, you might need to perform additional steps to finalize the server deployment.
Some of the additional software you might want to install or configure includes:
Antivirus software. Antivirus software can be used with the Edge Transport server and internal servers. You can install Forefront Protection for Exchange Server on Exchange Server 2010, or deploy and configure third-party antivirus solutions.
Anti-spam software. Anti-spam software can significantly reduce the unsolicited commercial e-mail messages that your users receive and have to manage. Exchange Server 2010 provides anti-spam features on the Edge Transport server role and the Hub Transport server role. Most organizations that deploy anti-spam software on Exchange Server 2010 will deploy it on the Edge Transport server, but you also can enable and configure anti-spam features on Hub Transport servers. Many organizations choose to deploy third-party anti-spam solutions.
Backup software. To back up Exchange Server 2010 servers, you must deploy backup software that uses Volume Shadow Copy Service (VSS) to perform the backup.
Monitoring tools and agents. One example of a monitoring tool is Microsoft System Center Operations Manager. Operations Manager allows you to proactively monitor and manage your Exchange servers by installing monitoring agents on them.
Important: There are additional tasks that you must perform for each server role. Later modules cover these tasks.
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. Ensure that the 10135A-NYC-DC1 and the 10135A-NYC-SVR2 virtual machines are running.
3. 10135A-NYC-DC1: Domain controller in the Contoso.com domain.
10135A-NYC-SVR2: Member server in the Contoso.com domain.
Lab Scenario
You have completed the installation of the first Exchange Server at Contoso Ltd. You now need to verify that the installation completed successfully. You also should ensure that the installation meets the best practices that Microsoft suggests.
6. Wait for 10135A-VAN-DC1 to start, and then start 10135A-VAN-EX1. Connect to the virtual machine.
7. Wait for 10135A-VAN-EX1 to start, and then start 10135A-VAN-EX3. Connect to the virtual machine.
Review Questions
1. The installation of Exchange Server 2010 fails. What information sources can you use to troubleshoot the issue?
2. What factors should you consider while purchasing new servers for your Exchange Server 2010 deployment?
3. How would the deployment of additional Exchange Server 2010 servers vary from the deployment of the first server?
Verify that you are logged on to the domain.
Verify that the account has sufficient permissions.
Verify that the server meets the software requirements.
Ensure that you are running Setup in the same Active Directory site as the schema master domain controller.
2. 3.
You can deploy the Edge Transport server at any time, but it does not integrate automatically with your organization until you deploy a Hub Transport server.
Module 2
Configuring Mailbox Servers
Contents:
Lesson 1: Overview of Exchange Server 2010 Administrative Tools 2-3
Lesson 2: Configuring Mailbox Server Roles 2-13
Lesson 3: Configuring Public Folders 2-32
Lab: Configuring Mailbox Servers 2-40
Module Overview
The Microsoft Exchange Server management tools provide a flexible environment that enables administrators to manage all sizes of Microsoft Exchange Server 2010 messaging deployments. Successful Exchange Server messaging professionals need to understand where configuration elements reside within the Exchange Management Console and the basics of the Exchange Management Shell. This module describes these management tools. This module also describes the Mailbox server role, some of the new Exchange Server 2010 features, and the most common Mailbox server role post-installation tasks. The module concludes with a discussion about public folder configuration and usage.
After completing this module, you will be able to:
Describe the Exchange Server 2010 administrative tools.
Configure mailbox server roles.
Configure public folders.
Lesson 1
This lesson introduces you to the Exchange Management Console, Exchange Management Shell, and the Exchange Control Panel (ECP). These tools are the main interfaces that Exchange Server administrators use daily, so a detailed understanding of when and how to use each interface is vital.
After completing this lesson, you will be able to:
Describe the Exchange Management Console.
Describe the Exchange Management Shell and Windows PowerShell.
Identify the benefits of using remote Windows PowerShell.
Use Exchange Management Shell cmdlets.
Work with the Exchange Management Shell.
Apply Exchange Management Shell cmdlet examples.
Describe the Exchange Control Panel.
Key Points
In this demonstration, you will review how to navigate the Exchange Management Console, and use it to manage Exchange Server. The Exchange Management Console uses the Microsoft Management Console 3.0 (MMC) paradigm of a four-pane environment. The Console Tree is a unique feature of the Exchange Management Console, and it has four main nodes: Organization Configuration, Server Configuration, Recipient Configuration, and Toolbox. These four nodes have four distinct functions.
Organization Configuration
The Organization Configuration node contains all configuration options for each Exchange server role that affects the messaging systems functionality. This node allows you to configure database management, ActiveSync policies, journal and transport rules, message-formatting options, and e-mail domain management.
Server Configuration
The Server Configuration node contains the configuration options for each Exchange server in the organization. Settings that you can manipulate include server diagnostic-logging settings, product-key management, and the per-server configuration of the Microsoft Outlook Web App.
Recipient Configuration
The Recipient Configuration node contains the configuration and creation tasks for mailboxes, distribution groups, and contacts. You also can use it to move or reconnect mailboxes.
Toolbox
The Toolbox node contains utilities and tools that you can use to monitor, troubleshoot, and manage Exchange Server. These tools include Exchange Best Practices Analyzer, Public Folder Management Console (PFMC), Message Tracking, and Database Recovery Management. You also can use the Exchange Management Console to manage both onsite and hosted Exchange Server 2010 environments, most notably the Microsoft Business Productivity Online Suite (BPOS).
The Console Tree's root node also includes two tabs in the Content pane: Organizational Health and Customer Feedback. The Organizational Health tab displays a report on the overall status of the Exchange Server organization that includes information about the number of deployed databases, servers, and Client Access Licenses. Use the Customer Feedback tab to enable the Customer Experience Improvement Program and to access Exchange Server documentation.
Demonstration Steps
1. Open the Exchange Management Console.
2. Note the console's layout: Console Tree on the left, Content pane in the middle, and Actions pane on the right.
3. Notice that the Console Tree has four nodes: Organization Configuration, Server Configuration, Recipient Configuration, and Toolbox.
4. Expand each Console Tree section to view the available nodes.
5. In the Console Tree, expand Organization Configuration, click Mailbox, and then view the information available in the Content pane.
6. In the Console Tree, expand Server Configuration, click Mailbox, and then view the information in the Content pane.
7. In the Console Tree, expand Recipient Configuration, click Mailbox, and then view the information in the Content pane.
Question: Does the Exchange Management Console organization seem logical to you? Why?
Question: Does the Exchange Management Console have the same functionality as it did in previous Exchange Server versions? What is different about this version?
Key Points
The Exchange Management Shell and the Exchange Management Console run on top of the Windows PowerShell version 2.0 command-line interface. They use cmdlets, which are commands that run within Windows PowerShell. Each cmdlet completes a single administrative task, and you can combine cmdlets to perform complex administrative tasks. In Exchange Management Shell, there are approximately 700 cmdlets that perform Exchange Server management tasks, and even more non-Exchange Server cmdlets that are part of the basic Windows PowerShell shell design. Exchange Management Shell is more than just a command-line interface that you can use to manage Exchange Server 2010. Exchange Management Shell is a complete management shell that offers a complex and extensible scripting engine that has sophisticated looping functions, variables, and other programmatic features so that you can create powerful administrative scripts quickly.
Key Points
Exchange Server 2010 builds on Microsoft Exchange Server 2007's successful use of Windows PowerShell 1.0 by leveraging the remote Windows PowerShell functionality in Windows PowerShell 2.0. Because it uses remote Windows PowerShell, Exchange Server 2010 includes many new features.
These new features enable scenarios such as simplified cross-domain management, management from workstations that do not have installed management tools, management through firewalls, and the ability to throttle resources that management tasks consume.
Key Points
All shell cmdlets present as verb-noun pairs. A hyphen (-) without spaces separates the verb-noun pair, and the cmdlet nouns are always singular. Verbs refer to the action that the cmdlet takes. Nouns refer to the object on which the cmdlet takes action. For example, in the Get-User cmdlet, the verb is Get, and the noun is User. All cmdlets that manage a particular feature share the same noun. For detailed information about using cmdlets, refer to the CD content.
Key Points
In this demonstration, you will review how to create a mailbox, and how to use Windows PowerShell scripting and pipelining to change the address on multiple mailboxes. The instructor also will describe basic cmdlet aliases.
Demonstration Steps
The instructor will run the following cmdlets:
Get-Mailbox
Get-Mailbox | Format-List
Get-Mailbox | fl
Get-Mailbox | Format-Table
Get-Mailbox | ft Name, Database, IssueWarningQuota
Get-Help New-Mailbox
Get-Help New-Mailbox -detailed
Get-Help New-Mailbox -examples
$Temp = "Text"
$Temp
$password = Read-Host "Enter password" -AsSecureString
New-Mailbox -UserPrincipalName chris@contoso.com -Alias Chris -Database "Mailbox Database 1" -Name ChrisAshton -OrganizationalUnit Users -Password $password -FirstName Chris -LastName Ashton -DisplayName "Chris Ashton" -ResetPasswordOnNextLogon $true
Note: Assign a password to a new user by specifying the Read-Host cmdlet with the -AsSecureString switch, because passwords cannot be stored as simple strings.
Key Points
One of the best ways to become proficient with Windows PowerShell is to review cmdlets that administrators use the most often. The following example retrieves a list of all the users, filters only users that are located in the Sales organizational unit (OU), and then mail-enables the users:
Get-User | Where-Object {$_.distinguishedname -ilike "*ou=sales,dc=contoso,dc=com"} | Enable-Mailbox -database "Mailbox Database 1"
The following example returns all members in the RemoteUsers distribution group, and then sets the MaxReceiveSize on each of the members mailboxes:
Get-DistributionGroup "RemoteUsers" | Get-DistributionGroupMember | Set-Mailbox -MaxReceiveSize 10MB
The following example retrieves a list of all mailboxes on VAN-EX1, and then moves these mailboxes to Mailbox Store 2:
Get-Mailbox -Server VAN-EX1 | New-MoveRequest -Local -TargetDatabase "Mailbox Store 2"
The following example removes all messages from addresses that start with the word Tom from the message queue:
Get-Message -Filter {FromAddress -like "Tom*" } | Remove-Message
The following example returns the status of all mailbox copies from the local server:
Get-MailboxDatabaseCopyStatus
Key Points
The ECP is a new feature in Exchange Server 2010. It enables end users and Exchange Server specialists to manage many aspects of the messaging environment from a secure Web page, including inbox rules, public groups, account information, call-answering rules, and retention policies. You can assign permissions to ECP users by assigning and customizing one of the preconfigured RBAC groups. The ECP runs on the Client Access servers, and you access it from the Options menu in Outlook Web App.
Lesson 2
This lesson describes how to configure the Mailbox server after you install it. Since the Mailbox server stores all of the mailbox and public folder data, it is a critical component in an Exchange Server messaging system. You also will learn about databases, database storage considerations, and managing the number and size of databases.
After completing this lesson, you will be able to:
Describe your initial mailbox configuration tasks.
Configure the Mailbox server role.
Describe mailbox and public folder databases.
Describe database file types.
Describe the process for updating mailbox databases.
Configure database options.
Identify Exchange Server 2010 storage improvements.
Describe your database storage options.
Describe direct attached storage.
Describe storage area networks.
Manage mailbox size limits.
Identify the criteria to consider when implementing databases.
Key Points
Complete the following steps after deploying the Mailbox server role:
Secure the server. Before deploying mailboxes on the Mailbox server role, you should secure the server, which includes configuring permissions at the organizational and server levels. This reduces the Exchange Server's attack surface.
Create and configure databases. Exchange Server 2010 uses mailbox databases or public folder databases to store messages. As a result, before creating mailboxes on the server, you need to create the required databases.
Configure public folders. Although recent Exchange Server versions de-emphasize the role of public folders, Microsoft continues to support public folders fully, and you must configure them if you have Outlook 2003 or earlier clients. However, if you are using Office Outlook 2007 or later clients, public folders are not required to support offline address-book distribution or calendar information. During the installation of the first Exchange Server 2010 into a new Active Directory Domain Services (AD DS) or Active Directory directory service forest, you have the option to support older Office Outlook and Entourage clients. Exchange Server creates a public folder database if you choose this option. You also can create public folders after installation if you do not configure them during setup.
Configure recipients, including resource mailboxes. The Mailbox server role manages all user mailboxes, so deploying the Mailbox server role includes configuring recipients.
Configure the offline address book. Outlook 2007 (and higher) clients support retrieving offline address books with HTTP, rather than only with public folders, as in previous Office Outlook versions.
Key Points
In this demonstration, you will review how to configure the Mailbox server role with the Exchange Management Console.
Demonstration Steps
1. Open the Exchange Management Console.
2. In the Console Tree, expand Server Configuration, and then click Mailbox.
3. Note the available options in the Actions pane: Manage Diagnostic Logging Properties, Enter Product Key, and Properties.
4. View the properties of the server and review the options on the General, System Settings, Messaging Records Management, and Customer Feedback Options tabs.
5. View the Manage Diagnostic Logging options.
Question: What additional tasks do you need to perform on the Mailbox server role after the Exchange Server 2010 installation occurs?
Key Points
To manage Mailbox servers properly, you need to know how they store mailbox and public folder contents. Exchange Server 2010 stores mailbox and public folder contents in databases, which enhances performance and reduces storage utilization. Mailbox servers can maintain mailbox databases and public folder databases, and each database consists of a single rich-text database (.edb) file. Exchange Server 2010 mailbox servers store all messages in this database regardless of which type of client sends or reads the messages.
Mailbox databases store the messages for mailbox-enabled users. Users cannot have a mailbox without a mailbox database. Public folder databases store the contents of public folders. Unlike previous Exchange Server versions, which required unique database names only within a storage group, Exchange Server 2010 requires unique database names across the entire Exchange Server organization.
In Exchange Server 2010, each database has a single set of transaction logs, which store database changes. Database changes include all messages sent to or from the database. Transaction logs are an essential part of disaster recovery if you need to restore a mailbox or public folder database. By default, all databases and transaction logs are stored in one folder within the Exchange Server directory (C:\Program Files\Microsoft\Exchange Server\v14\Mailbox). Each database has its own folder.
Although Exchange Server 2010 does not require separating databases and transaction logs, given the appropriate redundancy, performing this separation increases recoverability. You should consider it if your organization does not employ other availability options. If the disk storing a database fails, you will need the transaction logs to recover activity since your last backup. If your transaction logs also are lost, along with the database, you can recover only to the point of your last backup.
The Exchange Server 2010 database schema was changed significantly to improve its performance over previous Exchange Server versions. The new database schema now performs larger and more-sequential input/output (I/O) transactions, optimizes performance on lower-end disk systems, and reduces the database maintenance that you must perform. These improvements were accomplished by removing single-instance storage and increasing the page size from 8 kilobytes (KB) to 32 KB.
In Microsoft Exchange 2000 Server and Exchange Server 2003, there was an option to create multiple databases and have them share a set of transaction logs. This was called a storage group. In Exchange Server 2007, having multiple databases in a storage group was available only for databases that did not have high availability features enabled. In Exchange Server 2010, there is no option for multiple databases to share a single set of transaction logs.
Key Points
A database consists of a collection of file types, each of which performs different functions.
<Log Prefix>.chk. This checkpoint file records which transactions in the transaction log files have already been written to the database, and therefore which transactions still require processing. Each database's log prefix determines its checkpoint file name. For example, the checkpoint file name for a database with prefix E00 would be E00.chk. This checkpoint file is several kilobytes in size, and does not grow.
<Log Prefix>.log. This is the database's current transaction log file. An example is E00.log. The maximum amount of data storage for this file is 1 megabyte (MB). When this file reaches its maximum storage of 1 MB, Exchange Server renames it and creates a new current transaction log.
<Log Prefix>xxxxxxxx.log. This is a transaction log file that Exchange Server has renamed and filed. Log files use sequential hexadecimal names. For example, the first log file for the first database on a server would be E0000000001.log. Each transaction log file is always 1 MB.
<Log Prefix>res00001.jrs and <Log Prefix>res00002.jrs. These are the reserved transaction logs for the database. Exchange Server 2010 uses these only as emergency storage when the disk becomes full and it can write no new transactions to disk. An example is E00res00001.jrs. When Exchange Server 2010 runs out of disk space, it writes the current transaction to disk, and then dismounts the database. The reserved transaction logs ensure minimal loss of data that is in transit to the database. The reserved transaction logs always are 1 MB each.
Tmp.edb. This temporary workspace is for processing transactions. Exchange Server 2010 deletes the contents of this file when it dismounts the database or when the Microsoft Exchange Information Store service stops. This file typically is a few megabytes in size.
<Log Prefix>tmp.log. This is the transaction log file for the temporary workspace. An example is E00tmp.log. This file does not exceed 1 MB.
<File Name>.edb. This is the rich-text database file that stores content for mailbox and public folder databases. An example is Database.edb. Each mailbox or public folder database is contained in a single file. Database files can grow very large, depending on the content that the database stores.
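To see these files on a real server, the following added example (not part of the course) inventories the files behind each mailbox database from the Exchange Management Shell and checks them against the naming and size rules above; it also flags the database/log separation and circular-logging points from the previous topic. The LogFilePrefix, EdbFilePath and LogFolderPath properties are those of Get-MailboxDatabase; comparing drive letters to decide whether database and logs share a volume is a simplification that ignores volumes mounted in folders.

```powershell
# Added example (not part of the course): inventories the files behind each
# mailbox database on this server and checks them against the naming and size
# rules described in the lesson. Run in the Exchange Management Shell on the
# Mailbox server, because it reads the database and log folders locally.

foreach ($db in Get-MailboxDatabase -Server $env:COMPUTERNAME -Status) {
    $prefix = $db.LogFilePrefix                 # for example E00
    $edb    = $db.EdbFilePath.PathName
    $logDir = $db.LogFolderPath.PathName

    Write-Host "`n== $($db.Name)  (log prefix $prefix, mounted: $($db.Mounted)) =="
    Write-Host ("Database file : {0}  {1:N0} MB" -f $edb, ((Get-Item $edb).Length / 1MB))
    Write-Host "Log folder    : $logDir"

    $files = Get-ChildItem -Path $logDir

    # <Log Prefix>.chk: a few KB and never grows.
    $chk = $files | Where-Object { $_.Name -eq "${prefix}.chk" }
    if ($chk) { Write-Host ("Checkpoint    : {0} ({1:N0} KB)" -f $chk.Name, ($chk.Length / 1KB)) }
    else      { Write-Warning "Checkpoint file ${prefix}.chk is missing" }

    # <Log Prefix>.log: the current log, at most 1 MB.
    $current = $files | Where-Object { $_.Name -eq "${prefix}.log" }
    if ($current) { Write-Host ("Current log   : {0} ({1:N0} KB)" -f $current.Name, ($current.Length / 1KB)) }

    # <Log Prefix>xxxxxxxx.log: closed logs with sequential hex names, always 1 MB.
    # A closed log of any other size is not something Exchange wrote and
    # deserves a look before you rely on the folder for a restore.
    $closed    = @($files | Where-Object { $_.Name -match "^${prefix}[0-9A-Fa-f]{8}\.log$" })
    $wrongSize = @($closed | Where-Object { $_.Length -ne 1MB })
    Write-Host ("Closed logs   : {0} file(s), {1} not exactly 1 MB" -f $closed.Count, $wrongSize.Count)
    if ($closed.Count -gt 0) {
        $sorted = $closed | Sort-Object Name
        Write-Host ("                oldest {0}, newest {1}" -f $sorted[0].Name, $sorted[-1].Name)
    }

    # <Log Prefix>res00001.jrs and res00002.jrs: the two reserved 1 MB logs that
    # let Exchange write the in-flight transaction and dismount when the disk fills.
    $reserved = @($files | Where-Object { $_.Name -match "^${prefix}res\d{5}\.jrs$" })
    if ($reserved.Count -ne 2) { Write-Warning "Expected 2 reserved .jrs logs, found $($reserved.Count)" }

    # <Log Prefix>tmp.log next to the logs, tmp.edb next to the database file.
    $tmpLog = $files | Where-Object { $_.Name -eq "${prefix}tmp.log" }
    if ($tmpLog) { Write-Host ("Temp log      : {0} ({1:N0} KB)" -f $tmpLog.Name, ($tmpLog.Length / 1KB)) }
    $tmpEdb = Join-Path (Split-Path -Parent $edb) "tmp.edb"
    if (Test-Path $tmpEdb) {
        Write-Host ("Temp database : tmp.edb ({0:N0} KB)" -f ((Get-Item $tmpEdb).Length / 1KB))
    }

    # Recoverability: database and logs on the same disk means one failure loses
    # both, and you can only restore to the point of the last backup.
    if ((Split-Path -Qualifier $edb) -eq (Split-Path -Qualifier $logDir)) {
        Write-Warning "Database and transaction logs share a volume; consider Move-DatabasePath"
    }
    if ($db.CircularLoggingEnabled) {
        Write-Warning "Circular logging is enabled; closed logs are overwritten and cannot be replayed beyond the last backup"
    }
}
```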
Key Points
The following process takes place when a Mailbox server receives a message:
1. The Mailbox server receives the message.
2. The Mailbox server writes the message to the current transaction log and memory cache simultaneously.
Note: If the current transaction log reaches 1 MB of storage, Exchange Server 2010 renames it and creates a new current transaction log.
3. The Mailbox server writes the transaction from memory cache to the appropriate database.
4. The Mailbox server updates the checkpoint file to indicate that the transaction was committed successfully to the database.
5. Clients can access and read the message in the database.
Key Points
Several configuration options are set at the database level. Three key management tabs contain these options: Maintenance, Limits, and Client Settings. In this demonstration, you will review these tabs, and see how you can use them to configure your database options.
Demonstration Steps
1. Open the Exchange Management Console.
2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Mailbox.
3. Select the Database Management tab, and then view the properties of a mailbox database.
4. View the properties on the General, Maintenance, Limits, and Client Settings tabs.
5. Run the Move Database Path Wizard to move the database files.
Question: When would you need to move the path of the transaction logs or databases?
Question: When might you use circular logging?
Key Points
Exchange Server 2010 introduces several significant changes that reduce storage costs and improve performance, including changes to the database schema, the use of compression, and the change to 32 KB database pages. Additionally, further improvements minimize database fragmentation by writing data sequentially on disk, which also improves disk performance. Lastly, when you combine the reduced storage input/output (I/O) requirements with the new database high availability features, you may be able to leverage inexpensive direct-attached storage for larger Exchange Server deployments. Since the storage I/O requirements are lower in Exchange Server 2010, more storage options are available. Still, you should ensure that your storage method meets the business and technical requirements for the Exchange Server deployment. Tools such as Load Simulator and JetStress are available to approximate usage patterns, and you can use these tools to test various hardware configurations in your environment.
Key Points
Exchange Server 2010 now supports several disk storage options, including Serial Advanced Technology Attachment (SATA), solid-state disk (SSD), and Serial Attached Small Computer System Interface (SCSI), or SAS. When selecting which storage solution to use, the goal is to ensure that the storage will provide the performance that your environment requires.
RAID
RAID increases disk-access performance and fault tolerance. The most common RAID options are:
RAID 0 (striping). Increases read and write performance by spreading data across multiple disks. However, it offers no fault tolerance. Performance increases as you add more disks. You add fault tolerance by using multiple copies of the databases on separate RAID sets.
RAID 1 (mirroring). Increases fault tolerance by placing redundant copies of data on two disks. Read performance is faster than a single disk, but write performance is slower than RAID 0. Half of the disks are used for data redundancy.
RAID 5 (striping with parity). Increases fault tolerance by spreading data and parity information across three or more disks. If one disk fails, the missing data is calculated based on the remaining disks. Read and write performance for RAID 5 is slower than RAID 0. At most, only one third of the disks are used to store parity information.
RAID 0+1 (mirrored striped sets). Increases fault tolerance by mirroring two RAID 0 sets. This provides very fast read and write performance, and excellent fault tolerance.
RAID 6 (striping with double parity). Increases fault tolerance by spreading data and parity information across four or more disks. If up to two disks fail, RAID 6 calculates the missing data based on data and parity information stored on the remaining disks. Read and write performance for RAID 6 typically is slower than RAID 0, and RAID 6 does not have a read penalty. The main benefit of RAID 6 is the ability to rebuild missing data if you have two failures per RAID group, and to reduce the impact of rebuilding the RAID set when a disk fails.
RAID 1+0 or RAID 10 (mirrored sets in a striped set). Provides fault tolerance and improved performance, but increases complexity. The difference between RAID 0+1 and RAID 1+0 is that RAID 1+0 creates a striped set from a series of mirrored drives. In a failed disk situation, RAID 1+0 performs better and is more fault tolerant than RAID 0+1.
Key Points
Direct attached storage is any disk system that connects physically to your server. This includes hard disks inside the server or those that connect by using an external enclosure. Some external enclosures include hardware-based RAID. For example, external disk enclosures can combine multiple disks in a RAID 5 set that appears to the server as a single large disk. In general, direct attached storage provides good performance, but it provides limited scalability because of the unit's physical size. You must manage direct attached storage on a per-server basis. Exchange Server 2010 performs well with the scalability and performance characteristics of direct attached storage.
Direct attached storage provides the following benefits:
Lower cost Exchange Server solution. Direct attached storage usually provides a substantially lower purchase cost than other technologies.
Easy implementation. Direct attached storage typically is easy to manage, and requires very little training.
Distributed failure points. Each Exchange server has separate disk systems, so the failure of a single system does not affect the entire Exchange messaging system negatively, assuming that you configure your Exchange servers for high availability.
Key Points
A storage area network (SAN) is a network dedicated to providing servers with access to storage devices. A SAN provides advanced storage and management capabilities, such as data snapshots, and high performance. SANs use either Fibre Channel switching or Internet SCSI (iSCSI) to provide fast and reliable connectivity between storage and applications. Fibre Channel switching or iSCSI allows many servers to connect to a single SAN. Fibre Channel is a standard SAN architecture that runs on fiber optic cabling. Because Fibre Channel is specifically for SANs, it is the fastest architecture available, and most SANs use it. SANs are complex and require specialized knowledge to design, operate, and maintain. Most SANs also are more expensive than direct attached storage. SANs provide the following benefits: A large RAM cache that keeps disk access from becoming a bottleneck. The reduced I/O requirements of Exchange Server 2010 make it more likely that an iSCSI-based SAN will meet your requirements in small and medium-sized deployments. However, you should test all hardware configurations thoroughly before deployment to ensure that they meet your organizations required performance characteristics. Highly scalable storage solutions. Messaging systems are growing continually, and require larger storage over time. As your needs expand, a SAN allows you to add disks to your storage. Most SANs incorporate storage virtualization, which allows you to add disks and allocate the new disks to your Exchange server. Multiple servers attached to a single SAN. If you use a SAN, you can connect multiple computers running Exchange Server, and then divide the storage among them.
• Enhanced backup, recovery, and availability. SANs use volume mirroring and snapshot backups. Because SANs allow multiple connections, you can connect high-performance backup devices to the SAN. SANs also allow you to designate different RAID levels to different storage partitions.
For cost-conscious SAN implementations, iSCSI may be a viable option. An iSCSI network encapsulates SCSI commands in TCP/IP packets over standard Ethernet cabling and switches. You should implement this technology only on dedicated storage networks that are 1 gigabit per second (Gbps) or faster.
Key Points
In this demonstration, you will review how to use the Exchange Management Console to configure storage quotas, and how to use the Exchange Management Shell to configure storage quotas in bulk or simultaneously. You can enforce size limits either on a specific mailbox or on a database, which by default applies the settings to all mailboxes in the database. The three options available to set a limit on mailboxes and on the database are:
• Issue warning at (KB). When a mailbox reaches the size you specify, mailbox-enabled users receive a message, at a predetermined schedule (daily by default), indicating that their mailboxes have become too large.
• Prohibit send at (KB). When a mailbox reaches the size you specify, the user no longer can send messages and receives a warning message that the mailbox is too large. The mailbox can still receive messages.
• Prohibit send and receive at (KB). When a mailbox reaches the size you specify, the user can no longer send or receive messages, and receives a warning message that the mailbox is too large. If the organization uses a Unified Messaging server, prohibiting e-mail reception can result in lost e-mail messages, voice-mail messages, and faxes. Most organizations elect not to use this option.
You also can use mailbox database defaults to set limits on the database. Exchange Server 2010 enables this by default, and if you use it, the mailbox inherits any settings that you assign to the database that stores the mailbox. Deleted item retention settings work similarly to size limits in that you can assign them either on the mailbox or on the database. By default, all mailboxes also inherit deleted item retention from the database.
Demonstration Steps
1. Open the Exchange Management Console.
2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration, and click Mailbox.
3. Right-click a user mailbox, and click Properties.
4. Click the Mailbox Settings tab, and double-click Storage Quotas.
5. Clear the Use mailbox database defaults check box, and modify the value for Prohibit send and receive at (MB).
6. Open Exchange Management Shell.
7. Configure the database limits with the Get-MailboxDatabase cmdlet.
8. Configure just the user mailboxes that are contained in the Marketing department with the Get-Mailbox cmdlet.
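The shell part of this procedure (steps 6 to 8), written out as an added example that is not part of the course. It assumes a database named Mailbox Database 1 and that the Active Directory Department attribute is populated for the Marketing users; the quota values are constructed.

```powershell
# Added example (not from the course): bulk storage quotas in the Exchange Management Shell.
# Assumptions: a database named "Mailbox Database 1"; the Department attribute is
# populated for Marketing users. Sizes below are constructed sample values.

# 1. Database-wide limits. Every mailbox that keeps "Use mailbox database defaults"
#    inherits these three values.
Get-MailboxDatabase -Identity "Mailbox Database 1" |
    Set-MailboxDatabase -IssueWarningQuota 1.8GB `
                        -ProhibitSendQuota 2GB `
                        -ProhibitSendReceiveQuota 2.3GB

# 2. Per-mailbox override for the Marketing department only. UseDatabaseQuotaDefaults
#    must be cleared, otherwise the per-mailbox values are ignored.
$marketing = Get-Mailbox -ResultSize Unlimited -Filter { Department -eq 'Marketing' }
$marketing | Set-Mailbox -UseDatabaseQuotaDefaults $false `
                         -IssueWarningQuota 900MB `
                         -ProhibitSendQuota 1GB `
                         -ProhibitSendReceiveQuota 1.2GB

# 3. Check: mailboxes that override the database defaults but have no send limit at all.
#    Such mailboxes can grow without bound, which defeats the purpose of the quota.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.UseDatabaseQuotaDefaults -and $_.ProhibitSendQuota.IsUnlimited } |
    Select-Object Name, Database, IssueWarningQuota, ProhibitSendQuota, ProhibitSendReceiveQuota |
    Format-Table -AutoSize
```

Run step 2 with -WhatIf first to see which mailboxes the filter selects before changing them.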
Key Points
It is important to plan properly for any changes you want to make in the Exchange Server environment. When considering which sort of storage to use for new databases, note the following:
• Give each set of transaction logs its own hard disk. You likely will achieve the best performance when transaction logs do not share disks with any other data. However, if you do not require high performance, and there are enough copies of the data, you may not require this.
• Use RAID 5 to enhance performance and fault tolerance for databases. RAID 5 increases read and write performance for random disk access, and provides fault tolerance.
• Use RAID 1 to provide fault tolerance for transaction logs. RAID 1 keeps two complete copies of transaction logs for fault tolerance, and it provides good write performance for data that is written serially.
• Use a SAN, which provides excellent scalability and manageability for storage in large Exchange Server organizations. A Fibre Channel SAN provides the best performance, but this high level of performance may be more than you need to support your organization's requirements. SANs also add considerable cost and complexity.
• Use the prohibit send at storage limit to manage storage growth. This storage limit forces users to address the size of their mailbox before sending additional messages. Halting message reception is risky, because important business data might get lost. However, a warning alone may not be enough encouragement for users to lower their mailbox size.
Question: What should you consider when naming databases?
Question: When would you want or need to create multiple databases?
Question: Why would you want to reduce the number of databases?
Question: What should you consider when planning to build additional Mailbox servers?
Lesson 3
This lesson covers public folders, and details how you can configure them. Although public folders have been deemphasized since Exchange Server 2007, they remain a useful feature of Exchange Server 2010. It is essential to understand when to use public folders and how to configure them properly. After completing this lesson, you will be able to:
• Describe public folders.
• Configure public folder replication.
• Describe how clients access public folders.
• Configure public folders.
• Identify when to use SharePoint instead of public folders.
Key Points
A public folder is a repository for different information types, such as e-mail messages, text documents, and multimedia files. A public folder database stores public folder contents, which you can share with Exchange Server organization users. Organizations typically use public folders as:
• A location to store contacts for the entire organization.
• Centralized calendars for tracking events.
• Discussion groups.
• A location in which to receive and store messages for a workgroup, such as the Help desk.
• A storage location for custom applications.
Additionally, system public folders support legacy Office Outlook versions for free/busy information, custom forms, and offline address books. One alternative to public folders is Windows SharePoint Services, which is a Web-based platform that stores data centrally for the enterprise, workgroups, and individuals. You can create multiple SharePoint sites for specific tasks, including:
• Team collaboration
• Project management
• Help-desk management
• Expense reimbursement
• Vacation scheduling
For collaboration, Windows SharePoint Services goes beyond the capabilities that public folders offer. Some of the features that a SharePoint site offers are:
• Document collaboration, including checking in, checking out, and version control. This feature allows you to track changes to documents and prevent team members from editing multiple versions of a single document.
• Alerts sent out when content changes. Alerts enable you to monitor content and act when that content changes. For example, a project team could be alerted automatically when the project schedule changes.
• Extensibility by developers for building applications. In some cases, you can use public folders to manage application data, but SharePoint sites can perform many of the same tasks.
One area in which SharePoint services does not provide similar functionality to Exchange Server is in the ability to perform multimaster replication. Because Windows SharePoint Services is tied to Microsoft SQL Server, only one writable copy of the data is available at a time, whereas public folders can have multiple readable and writable copies of a public folder available around the globe. The next topic details public folder replication.
Key Points
Public folder content replication is an e-mail-based process for copying public folder content between computers running Exchange Server. When you modify a public folder or its contents, the public folder database that contains the replica you changed sends a descriptive e-mail message to the other public folder databases that host a replica of that public folder. To reduce network traffic, Exchange Server includes information about multiple changes in one e-mail message. If any message exceeds the specified size limit, that message is sent as a separate replication message. Exchange Server routes these replication messages the same way that it routes other e-mail messages. By default, public folder content replicates every 15 minutes, and you cannot set replication to less than every minute.
Because AD DS stores the public folder configuration objects, AD DS replication must be working correctly to ensure that the configuration is available to all Exchange servers. When you create a public folder, only one replica of that public folder exists within the Exchange Server organization. Using multiple replicas allows you to place public folder content in the physical server locations where users are located. This results in faster access to public folder content and reduced communication across wide area network (WAN) links between physical locations. Public folder replication also provides fault tolerance for public folders.
Note: You also need to replicate the public folder tree.
Key Points
The public folder connection process for Messaging Application Programming Interface (MAPI)-based clients is:
1. If the public folder is located on the user account's default public folder database, Exchange Server directs the client to this database for the public folder contents.
2. If the public folder contents are not stored in the user account's default public folder database, Exchange Server redirects the client to a public folder database on a computer running Exchange Server 2010 in the local Active Directory site.
3. If no computer running Exchange Server 2010 or Exchange Server 2007 in the local Active Directory site has a copy of the public folder contents, Exchange Server redirects the client to the Active Directory site with the lowest cost site link that does have a copy of the public folder contents.
4. If there is no computer running Exchange Server 2010 or Exchange Server 2007 that has a copy of the public folder contents, Exchange Server redirects the client to a computer running Microsoft Exchange Server 2003 that has a copy of the public folder contents, using the cost assigned to the routing group connector(s). Exchange Server 2010 does not enable this by default. Rather, you must enable it with the Set-RoutingGroupConnector cmdlet.
5. If no public folder replica exists on the local Active Directory site, a remote Active Directory site, or on a computer running Exchange Server 2003, the client cannot access the contents of the requested public folder.
Note: For Outlook Web App clients to view public folders, a replica of the public folder must be available on an Exchange Server 2010 Mailbox server.
Key Points
In this demonstration, you will review how to use the PFMC, Exchange Management Shell, and Office Outlook to configure public folders. You will see how to:
• Use the PFMC to add replicas and set permissions on a public folder.
• Use Exchange Management Shell to add permissions to a public folder.
• Open Outlook, and then view the permissions for the public folder.
Demonstration Steps
Use the PFMC to add replicas and set permissions on a public folder
1. Open the Exchange Management Console.
2. Open the PFMC, and then connect to a Mailbox server.
3. Create a new public folder named Sales.
4. View the properties of the Sales public folder, and then view the options on the General, Statistics, Limits, and Replication tabs.
5. Add a replica to the Sales public folder.
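The same work done from the Exchange Management Shell, plus a review of the folder's default permission entries, as an added example that is not part of the course. The public folder database names PFDB01 and PFDB02, the server VAN-EX1 and the user Wei Yu are assumptions.

```powershell
# Added example (not from the course): create the \Sales public folder, add a replica,
# grant a user permissions, and review what "everyone" can do with the folder.
# Assumptions: public folder databases "PFDB01" (on VAN-EX1) and "PFDB02" (on VAN-EX3),
# and a mailbox user named "Wei Yu".

# Create the folder at the root of the default public folder tree on VAN-EX1.
New-PublicFolder -Name "Sales" -Path "\" -Server "VAN-EX1"

# Replicas is the complete set of databases that host the content, so the original
# database is listed together with the new one.
Set-PublicFolder -Identity "\Sales" -Replicas "PFDB01", "PFDB02"

# PublishingEditor: create, read, edit and delete all items, and create subfolders.
Add-PublicFolderClientPermission -Identity "\Sales" -User "Wei Yu" -AccessRights PublishingEditor

# Review the entries that apply to every authenticated user (Default) and to
# unauthenticated access (Anonymous). A new folder typically gives Default the
# Author role, which lets any user post to and edit their own items in the folder.
Get-PublicFolderClientPermission -Identity "\Sales" |
    Where-Object { @("Default", "Anonymous") -contains "$($_.User)" } |
    Format-Table User, AccessRights -AutoSize

# If the folder is meant to be read-only for most users, replace Author with Reader.
# In Exchange Server 2010 the role being removed must be named explicitly.
Remove-PublicFolderClientPermission -Identity "\Sales" -User "Default" -AccessRights Author -Confirm:$false
Add-PublicFolderClientPermission -Identity "\Sales" -User "Default" -AccessRights Reader

# Confirm the replica list and the resulting permission set.
Get-PublicFolder -Identity "\Sales" | Format-List Name, Replicas, ReplicationSchedule
Get-PublicFolderClientPermission -Identity "\Sales" | Format-Table User, AccessRights -AutoSize
```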
Key Points
Exchange Server 2010 fully supports public folders. However, there are several reasons that another complementary technology may be a better solution:
• You need to move custom applications that use Exchange Server event sinks or organizational forms to a supported platform, such as SharePoint, by using the InfoPath information-gathering program.
• If you are using public folders to share documents, consider moving these documents to SharePoint for additional features, such as versioning and file locking.
• Depending on its scope, a new Exchange Server deployment that includes calendar sharing, contact sharing, discussion forums, or distribution group archives can use either Exchange Server public folders or SharePoint.
• Additionally, when deploying new custom applications, use Exchange Web Services and/or SharePoint, depending on the application's scope.
Question: For what does your company currently use public folders and SharePoint?
Lab Setup
Important: If required, start the 10135A-VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines.
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and the 10135A-VAN-EX3 virtual machines are running.
   • 10135A-VAN-DC1: Domain controller in the Adatum.com domain
   • 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain
   • 10135A-VAN-EX3: Exchange 2010 server in the Adatum.com domain
3. If required, connect to the virtual machines. Log on to the computers as Adatum\Administrator, using the password Pa$$w0rd.
Lab Scenario
You are a new messaging administrator at A. Datum Corporation, and your manager has left instructions indicating that you need to create and configure a database for the executive group, and then move the existing database for the accounting group to a new location. Additionally, you need to add an additional public folder database, and then replicate data to it.
3. To connect to the virtual machine for the next module's lab, click 10135A-VAN-DC1, and then in the Actions pane, click Connect.
Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines.
4. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.
5. Wait for VAN-EX1 to start, and then start VAN-CL1. Connect to the virtual machine.
Review Questions
1. Which tools can you use to manage Exchange Server 2010?
2. What customizations can you make on mailbox databases?
3. When can you use public folders?
Tools
Tool Exchange Management Console Exchange Management Shell Use for Where to find it Start menu
Start menu
Managing recipients
Module 3
Managing Recipient Objects
Contents:
Lesson 1: Managing Mailboxes 3-3
Lesson 2: Managing Other Recipients 3-19
Lesson 3: Configuring E-Mail Address Policies 3-26
Lesson 4: Configuring Address Lists 3-31
Lesson 5: Performing Bulk Recipient Management Tasks 3-37
Lab: Managing Exchange Recipients 3-41
Module Overview
In any messaging system, you need to create recipients and configure them to send and receive e-mail. As a Microsoft Exchange Server messaging administrator, you often must create, modify, or delete recipient objects. Therefore, it is important to have a good understanding of recipient management. In Exchange Server 2010, you can easily perform bulk management of Exchange Server recipient objects by using the Exchange Management Shell. This module describes how you can manage recipient objects, address policies, and address lists in Exchange Server 2010, and the procedures for performing bulk management tasks in Exchange Management Shell. After completing this module, you will be able to:
• Manage mailboxes in Exchange Server 2010.
• Manage other recipients in Exchange Server 2010.
• Configure e-mail address policies.
• Configure address lists.
• Perform bulk recipient management tasks.
Lesson 1
Managing Mailboxes
Apart from creating mailboxes, you may need to modify mailbox options to meet the needs of users and ensure optimal performance of the messaging environment. Based on your organization's requirements, and its users, you also may have to move mailboxes to different servers or databases, and configure resources. This lesson provides an overview of Exchange Server recipient objects and the available configuration options. Additionally, this lesson covers the reasons and procedures for moving mailboxes, and explains how to configure resource mailboxes. After completing this lesson, you will be able to:
• Identify the different recipient object types in Exchange Server 2010.
• Manage mailbox user accounts.
• Describe how to configure mailbox settings.
• Configure mailbox permissions.
• Describe the reasons for moving mailboxes.
• Move mailboxes by using the Exchange Management Console.
• Describe the purpose and functionality of resource mailboxes.
• Describe how to design resource booking policies.
• Manage resource mailboxes.
Key Points
In Microsoft Exchange Server 2003, you can use Active Directory Users and Computers to perform all individual recipient management tasks. However, in Microsoft Exchange Server 2007, and subsequently in Exchange Server 2010, you cannot use Active Directory Users and Computers to manage Exchange Server recipients. You must configure all Exchange Server-specific recipient settings in the Exchange Management Console or the Exchange Management Shell. Exchange Server recipients are mail-enabled when they have associated e-mail addresses, but do not have Exchange mailboxes. For example, a contact that has been mail-enabled becomes a mail contact. Exchange Server 2010 supports the following recipient types:
• User mailboxes. A mailbox that you can assign to an individual user in your Exchange Server organization. It typically contains messages, calendar items, contacts, tasks, documents, and other important business data.
• Mail users or mail-enabled Active Directory users. These are users outside the Exchange Server organization that have an external e-mail address. All messages sent to the mail user are routed to this external e-mail address. A mail user is similar to a mail contact, except that a mail user has Active Directory logon credentials and can access resources.
• Resource mailboxes (Room mailboxes and Equipment mailboxes). A resource mailbox that you can assign to a meeting location, or to a resource such as a projector. You can include resource mailboxes as resources in meeting requests, which provides a simple and efficient way of scheduling resource usage.
• Mail contacts or mail-enabled contacts. These contacts contain information about people or organizations that exist outside an Exchange Server organization and that have an external e-mail address. Exchange Server routes all messages sent to the mail contact to this external e-mail address.
• Mail-enabled security and distribution groups. You can use a mail-enabled Active Directory security group object to grant access permissions to Active Directory resources, and you also can use it to distribute messages. You can use a mail-enabled Active Directory distribution group object to distribute messages to a group of recipients.
• Dynamic distribution groups. A distribution group that uses recipient filters and conditions to derive its membership at the time messages are sent.
• Linked mailboxes. You can assign a linked mailbox to an individual user in a separate, trusted forest.
You can use a mail-enabled user when Exchange Server 2010 is not responsible for sending and receiving mail for an Active Directory user, but you want that user to appear in the global address list (GAL). You might do this for remote sales people who prefer to use e-mail provided by their own Internet service provider (ISP). You can only mail-enable universal security groups and universal distribution groups in Exchange Server 2010, similar to Exchange Server 2007.
Question: How is a mail-enabled contact different from a mail-enabled user?
Key Points
In this demonstration, you will see how to manage mailboxes by performing common operations such as creating, deleting, and removing mailbox user accounts.
Demonstration Steps
Use the Exchange Management Shell to mail-enable an existing user:
1. Open Active Directory Users and Computers, and ensure that Daniel Brunner exists in the Users container.
2. Open Exchange Management Shell, and run the following cmdlets:
   Enable-MailUser -Identity "Daniel Brunner" -ExternalEmailAddress Daniel@contoso.com
   Disable-MailUser -Identity "Daniel Brunner"
3. In Active Directory Users and Computers, verify that the Daniel Brunner user still exists.
Create a new mail-enabled user with the Exchange Management Console:
1. Open Exchange Management Console.
2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration, and then select Mailbox.
3. Run the New Mailbox Wizard, and create a new user account and mailbox for Kim Akers. Create the mailbox in the Accounting mailbox database.
Note: Remove-Mailbox deletes the specified user account and mailbox, and Disable-Mailbox removes the mailbox, but leaves the user account enabled.
Question: What tools do you prefer to use for managing mailbox users?
Question: How does your organization delegate Exchange and Active Directory management tasks?
Key Points
Exchange Server 2010 provides several options for configuring a single mailbox. Many of these options are similar to those available for managing an Active Directory Domain Services environment. Mailbox configuration options include:
• General
• User Information
• Address and Phone
• Organization
• Account
• Member Of
However, some configuration options are unique to Exchange Server, such as:
• Mail Flow Settings. There are three mail-flow settings: delivery options, message-size restrictions, and message-delivery restrictions. Use the delivery options to set:
   • Who can send an e-mail message from that mailbox.
   • A recipient to whom all messages are forwarded.
   • The maximum number of recipients to which the mailbox can send a single message.
   Use the message-size restrictions options to specify the maximum size for the messages that the mailbox sends or receives. Use the message-delivery restrictions options to control the recipients that can send messages to the mailbox.
• Mailbox Features. Use these options to configure the mailbox's specific features, such as Microsoft Outlook Web App, Exchange ActiveSync, Unified Messaging, Post Office Protocol version 3 (POP3), Internet Message Access Protocol version 4 (IMAP4), and the Archive mailbox.
• Calendar Settings. Use this option to configure how a mailbox processes meeting requests.
• Mailbox Settings. There are four mailbox settings: messaging records management, federated sharing, storage quotas, and archive quota.
• E-Mail Addresses. Use this option to configure the e-mail addresses assigned to the mailbox.
Question: Why would you configure mailbox size limits on individual mailboxes?
Key Points
In this demonstration, you will see how to assign Full Access and Send As permissions to a mailbox.
Demonstration Steps
Assign Wei Yu Send As permissions on Kim Akers's mailbox:
1. Open Exchange Management Console.
2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration, and then select Mailbox.
3. In the Results pane, select the Kim Akers mailbox, and then in the Actions pane, click Manage Send As Permission.
4. In the Manage Send As Permission Wizard, click Add.
5. In the Select User or Group dialog box, choose Wei Yu, and then click OK.
6. Click Manage.
7. Click Finish.
Assign Wei Yu Full Access to Kim Akers's mailbox:
1. Select the Kim Akers mailbox, and then in the Actions pane, click Manage Full Access Permission.
2. In the Manage Full Access Permission Wizard, click Add.
3. In the Select User or Group dialog box, choose Wei Yu, and then click OK.
4. Click Manage, and then click Finish.
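The same two grants from the Exchange Management Shell, followed by the review a practitioner would run afterwards to see every explicit Full Access and Send As delegation in the organization. This is an added example, not part of the course; the mailbox and user names are those of the demonstration.

```powershell
# Added example (not from the course): grant and then audit delegated mailbox access.
# Assumes the mailboxes "Kim Akers" and "Wei Yu" from the demonstration exist.

# Send As is an Active Directory extended right on the user object.
Add-ADPermission -Identity "Kim Akers" -User "Wei Yu" -ExtendedRights "Send-As"

# Full Access is a mailbox permission stored on the mailbox itself.
Add-MailboxPermission -Identity "Kim Akers" -User "Wei Yu" -AccessRights FullAccess -InheritanceType All

# Audit 1: explicit (non-inherited) Full Access entries on every mailbox, excluding
# the owner's own SELF entry. Each remaining row is a delegation someone chose to
# create and should be able to justify; unresolved SIDs (S-1-5-21-...) point at
# deleted accounts whose entries should be removed.
Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission |
    Where-Object { $_.AccessRights -contains 'FullAccess' -and
                   -not $_.IsInherited -and
                   "$($_.User)" -notlike 'NT AUTHORITY\SELF' } |
    Select-Object Identity, User, AccessRights, Deny |
    Format-Table -AutoSize

# Audit 2: explicit Send As grants. A Send As holder can send mail that is
# indistinguishable from the mailbox owner's, so this list deserves the same review.
Get-Mailbox -ResultSize Unlimited |
    Get-ADPermission |
    Where-Object { $_.ExtendedRights -like 'Send-As' -and
                   -not $_.IsInherited -and
                   "$($_.User)" -notlike 'NT AUTHORITY\SELF' } |
    Select-Object Identity, User, ExtendedRights, Deny |
    Format-Table -AutoSize
```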
Question: When would more than one user need to access the same mailbox?
Question: What is the difference between Send on Behalf permissions and Send As permissions?
Key Points
You might need to move your organization's mailboxes. The following scenarios list the common reasons for moving mailboxes:
• Transition. When you transition an existing Exchange Server 2007 or Exchange Server 2003 organization to Exchange Server 2010, you need to move mailboxes from the existing Exchange servers to an Exchange Server 2010 Mailbox server.
• Realignment. You can move mailboxes to realign based on specific values. For example, you may want to move a mailbox from one database to another that has a larger mailbox size limit.
• Investigating an issue. If you need to investigate an issue with a mailbox, you can move that mailbox to a different server. For example, you can move all mailboxes that have corrupted messages to one server.
• Corrupted mailboxes. If you encounter corrupted mailboxes, you can move the mailboxes to a different server or database to fix the corruption.
• Physical location changes. You can move mailboxes to a server that is in a different Active Directory site. For example, if a user moves to a different physical location, you can move that user's mailbox to a server that is in a site closer to the new location.
• Separation of administrative roles. A company may want to separate the administration of Microsoft Exchange from administration of Microsoft Windows accounts. To do this, you can move mailboxes from a single forest into a resource forest scenario, in which the Microsoft Exchange mailboxes reside in one forest and their associated Windows user accounts reside in a separate forest.
• Outsourcing e-mail administration. A company may want to outsource the administration of e-mail and retain the administration of Windows user accounts. To do this, you can move mailboxes from a single forest into a resource forest scenario, in which the Microsoft Exchange mailboxes reside in one forest and their associated Windows user accounts reside in a separate forest.
• Integrating e-mail and user-account administration. A company might want to change from a separated or outsourced e-mail administration model to a model in which e-mail and user accounts are managed from the same forest. To do this, you can move mailboxes from a resource forest scenario to a single forest, in which the Microsoft Exchange mailboxes and Windows user accounts reside in the same forest.
• Reducing database size. In cases where data has been removed from a database and there is a lot of white space, rather than performing an offline defragmentation on the database, you can move the contained mailboxes online to a new database and delete the original database.
While a move request is in progress, the mailbox stays online, allowing the user to continue sending and receiving e-mail. You can view the move request status in the Exchange Management Console and Exchange Management Shell. The request can have one of the following statuses:
• Queued for move
• Move in progress
• Ready to complete
• Completing
Key Points
In this demonstration, you will see how to move mailboxes by using the Exchange Management Console.
Demonstration Steps
Move Kim Akers's mailbox to Mailbox Database 1:
1. On VAN-EX1, if required, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.
2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration, and then select Mailbox.
3. Select the Kim Akers mailbox, and then in the Actions pane, click New Local Move Request.
4. In the New Local Move Request Wizard, click Browse.
5. Select Mailbox Database 1, and then click OK.
6. Click Next.
7. Verify that Skip the mailbox is selected, and then click Next.
8. Click New.
9. Click Finish.
Key Points
Resource mailboxes are specific types of mailboxes that you can use to represent meeting rooms or shared equipment, and you can include them as resources in meeting requests. The Active Directory user that is associated with a resource mailbox is a disabled account.
• Room mailboxes. These are resource mailboxes that you can assign to meeting locations, such as conference rooms, auditoriums, and training rooms.
• Equipment mailboxes. These are resource mailboxes that you can assign to non-location-specific resources, such as portable computer projectors, microphones, or company cars.
You can include both types of resource mailboxes as resources in meeting requests, and thus provide a simple and efficient way for your users to reserve resources. You can configure resource mailboxes to automatically process incoming meeting requests based on the resource booking policies that the resource owners define. For example, you can configure a conference room to automatically accept incoming meeting requests except recurring meetings, which can be subject to approval by the resource owner. You can create a resource mailbox as a room or as equipment. After creating the resource mailbox, you must configure properties such as location and size. Then, you must define the resource booking policy and enable the resource booking attendant.
Key Points
A resource booking policy specifies:
• Who can schedule a resource.
• When the resource can be scheduled.
• What meeting information will be visible on the resource's calendar.
• The response message that meeting organizers will receive.
Exchange Server 2010 provides various resource mailboxes, such as meeting rooms and equipment. You can invite these resources to meetings as a way of reserving the meeting room or equipment. Exchange Server 2010 provides several options for managing users who can book meetings using resource mailboxes.
To enable manual approval by delegates, enable the booking attendant, and then disable All Book In Policy. Next, enable All Request In Policy, and specify the delegates. To enable manual approval from the mailbox itself, leave the booking attendant disabled.
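The two approval models just described, configured from the Exchange Management Shell on a room mailbox, as an added example that is not part of the course. The room name Conference Room 1 and delegate Wei Yu follow the demonstration; the domain adatum.com, the database name and the capacity are assumptions.

```powershell
# Added example (not from the course): create a room mailbox and configure its
# booking policy so that delegates approve every request.
# Assumptions: lab domain adatum.com, database "Mailbox Database 1", delegate "Wei Yu".

# Room mailboxes are created with a disabled Active Directory account; no password is set.
New-Mailbox -Name "Conference Room 1" -Alias ConferenceRoom1 `
    -UserPrincipalName ConferenceRoom1@adatum.com -Room -Database "Mailbox Database 1"

# Resource attributes used by the Scheduling Assistant and the address book.
Set-Mailbox -Identity "Conference Room 1" -ResourceCapacity 12

# Model 1, manual approval by delegates:
#   - booking attendant enabled        -> AutomateProcessing AutoAccept
#   - All Book In Policy disabled      -> nobody is booked automatically
#   - All Request In Policy enabled    -> anyone may submit a request
#   - delegates specified              -> they receive and decide the requests
Set-CalendarProcessing -Identity "Conference Room 1" -AutomateProcessing AutoAccept `
    -AllBookInPolicy $false -AllRequestInPolicy $true -ResourceDelegates "Wei Yu"

# Model 2, manual approval from the room mailbox itself: leave the attendant off.
# Requests then sit in the room's Inbox until someone with access to it responds.
# Set-CalendarProcessing -Identity "Conference Room 1" -AutomateProcessing None

# Verify the effective policy before announcing the room to users.
Get-CalendarProcessing -Identity "Conference Room 1" |
    Format-List AutomateProcessing, AllBookInPolicy, AllRequestInPolicy, `
                BookInPolicy, RequestInPolicy, ResourceDelegates
```

With AllBookInPolicy set to $false and no BookInPolicy entries, no request is ever accepted without a delegate's decision, which is the setting to check if a room "accepts everything" unexpectedly.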
Key Points
In this demonstration, you will use Exchange Management Console to create a resource mailbox, and then configure it to accept appointments and create a delegate for the resource.
Demonstration Steps
1. On VAN-EX1, if required, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.
2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration, and then select Mailbox.
3. Create a new room mailbox with the following information:
   • Name: Conference Room 1
   • User logon name (User Principal Name): ConferenceRoom1
   • Password: Pa$$w0rd
   • Alias: ConferenceRoom1
4. After creating the room mailbox, modify the properties, and enable the resource booking attendant.
5. Open Internet Explorer, and log on to Outlook Web App as Adatum\Administrator with the password Pa$$w0rd.
6. In Outlook Web App, create a new Meeting Request.
7. In the Untitled Meeting window, type Sales Meeting as the subject, type Administrator in the To field, type Conference Room 1 in the Location field, and then click the Scheduling Assistant tab.
8. Select a Start time and an End time.
9. Click the down arrow next to Select Rooms, and then click More.
10. In the Address Book window, double-click Conference Room 1, and then click OK.
11. Send the meeting request and verify that the resource accepted the invitation.
Question: How does your organization use resource mailboxes?
Question: Which attributes are useful for your resource mailboxes?
Lesson 2
Exchange Server also includes other recipient types that provide additional functionality, such as sending e-mail to an entire company department, or sharing the e-mail addresses of people outside your company with your users. This lesson introduces the other recipient types in Exchange Server 2010, such as contacts and distribution groups. After completing this lesson, you will be able to:
• Describe the functionality of mail contacts and mail users.
• Describe the purpose of a distribution group.
• Explain the options for configuring distribution groups.
• Manage distribution groups by using the Exchange Control Panel.
Key Points
Mail contacts are mail-enabled Active Directory contacts. These contacts contain information about people or organizations that exist outside your Exchange Server organization. You can view mail contacts in the GAL and other address lists, and you can add them as members to distribution groups. Each contact has an external e-mail address, and all e-mail messages that are sent to a contact are automatically forwarded to that address. If multiple people within your organization contact a trusted external person, you can create a mail contact with the person's e-mail address. This allows Exchange Server users to select that person from the GAL for sending e-mail.
Mail users are similar to mail contacts. Both have external e-mail addresses, both contain information about people outside your Exchange Server organization, and you can display both in the GAL and other address lists. However, unlike a mail contact, mail users have Active Directory logon credentials and can access resources to which they are granted permission. If a person external to your organization requires access to resources on your network, you should create a mail user instead of a mail contact. For example, you may want to create mail users for short-term consultants who require access to your server infrastructure, but who will use their own external e-mail addresses. In another scenario, you can create mail users for whom you do not want to maintain an Exchange Server mailbox. For example, after an acquisition, the acquired company may maintain its own messaging infrastructure, but it may also need access to your network's resources. For those users, you might want to create mail users instead of mailbox users.
Question: When would you use mail-enabled contacts?
Question: Why would you use a mail-enabled contact rather than a mail-enabled user?
Key Points
You can use mail-enabled groups to allow end users to send e-mail to multiple recipients at once. Mail-enabled groups also allow you to assign permissions simultaneously to multiple users for Exchange Server objects, such as mailboxes and public folders. Only universal groups can be mail-enabled. In Exchange Server 2010, mail-enabled groups belong to one of the following four categories:
- Universal security groups. Can be mail-enabled, and can be assigned permissions both inside and outside of Exchange Server, for example on file shares.
- Distribution groups. Are mail-enabled, and can be assigned only Exchange Server permissions, for example on public folders. The two types of distribution groups are static (the membership is a fixed list of recipients) and dynamic (the membership is calculated from a recipient filter each time a message is sent to the group).
- Public groups. End users can manage these distribution groups through the Exchange Control Panel. Within the Exchange Control Panel, an end user can add or remove group members, moderate the group, or request membership of other public groups.
- Moderated groups. These are distribution groups in which a moderator must approve or reject messages sent to the group, either all messages or only those from specific senders. You can use moderated groups to control the conversations that take place through the group.
Question: When would your organization use distribution groups? Question: When would your organization use public and moderated groups?
Key Points
Similar to the options available for configuring mailboxes, there are a number of options available for configuring mail-enabled groups. You can configure several options for Exchange Server distribution groups, including:
- Group membership. The recipients that are members of the distribution group.
- Maximum message size. Use this option to set the maximum size of messages that can be sent to the distribution group.
- Message delivery options. Use these options to configure which senders can send messages to the group. For a group that should only be used internally, require sender authentication so that anonymous (Internet) senders cannot deliver to every member.
- Address list visibility. Use this option to hide the group from the address lists. You can use this option when the distribution group is used mainly for receiving e-mail from the Internet, and internal users do not need to see it.
- Delivery of out-of-office messages. Enable this option to return out-of-office messages to the sender if one of the group's members has out-of-office notifications enabled. Leave it disabled for groups that receive Internet mail, so that members' absence information is not disclosed to outside senders.
- Non-delivery reports. Use this option to configure non-delivery reports (NDRs). You can choose whether to send an NDR at all, and whether it is sent to the distribution group's manager or to the message originator.
- E-mail addresses for the group. Use this option to configure the distribution group's e-mail addresses.
- Message moderation. Use these options to assign moderators permission to review all messages that are sent to the distribution group. You also can configure a list of senders whose messages do not require moderation. Additionally, you can configure notifications to tell message originators whether their message was approved.
- Membership approval. Use these options to control if and how users can join or leave the group:
  - Choose whether owner approval is required to join the group. If you choose Open, users can join this distribution group without the approval of the group owners. If you choose Closed, only group owners can add members; requests to join the group are rejected automatically. If you choose Owner Approval, users can request membership of the group, and a group owner must approve the request before the user is added.
  - Choose whether the group is open to leave. If you choose Open, users can leave this distribution group without the approval of the group owners. If you choose Closed, only group owners can remove members; requests to leave the group are rejected automatically.
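The following is an added example, not part of the original course material. It creates a distribution group and applies the configuration options listed above from the Exchange Management Shell. The group name, organizational unit, members, and moderator are assumed for illustration.

```powershell
# Added example, not part of the course material. Creates a distribution group and
# applies the configuration options described above from the Exchange Management
# Shell. Group name, OU, members, and moderator are assumed for illustration.

New-DistributionGroup -Name "Adventure Works Project" -Alias AdventureWorksProject `
    -Type Distribution -OrganizationalUnit "Adatum.com/Groups" `
    -ManagedBy "George Schaller" `
    -MemberJoinRestriction ApprovalRequired `
    -MemberDepartRestriction Open

# Group membership
"Wei Yu", "Paul West" | ForEach-Object {
    Add-DistributionGroupMember -Identity AdventureWorksProject -Member $_
}

$options = @{
    Identity = "AdventureWorksProject"
    # Message delivery options: reject anonymous (Internet) senders, and accept
    # mail only from members and the owner, so the list cannot be used to reach
    # every member from outside the organization.
    RequireSenderAuthenticationEnabled     = $true
    AcceptMessagesOnlyFromSendersOrMembers = "Adventure Works Project", "George Schaller"
    # Maximum message size
    MaxReceiveSize = 5MB
    # Message moderation: the owner reviews everything except his own messages,
    # and internal senders are told when a message is rejected.
    ModerationEnabled                    = $true
    ModeratedBy                          = "George Schaller"
    BypassModerationFromSendersOrMembers = "George Schaller"
    SendModerationNotifications          = "Internal"
    # Non-delivery reports go to the group manager, not back to the originator.
    ReportToManagerEnabled    = $true
    ReportToOriginatorEnabled = $false
    # Do not leak members' out-of-office replies to whoever writes to the list.
    SendOofMessageToOriginatorEnabled = $false
    # Address list visibility: keep the group in the GAL.
    HiddenFromAddressListsEnabled = $false
}
Set-DistributionGroup @options

# Verify the result.
Get-DistributionGroup -Identity AdventureWorksProject |
    Format-List MemberJoinRestriction, MemberDepartRestriction, ModerationEnabled,
                ModeratedBy, RequireSenderAuthenticationEnabled,
                AcceptMessagesOnlyFromSendersOrMembers
```

The settings are passed as a hashtable so that each option can be commented; ReportToManagerEnabled requires that the group has a manager (ManagedBy), and it cannot be combined with ReportToOriginatorEnabled.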
Question: What is the advantage of enforcing a naming convention for distribution groups?
Key Points
Public groups are a new feature of Exchange Server 2010 that enables users who have the requisite permissions to create distribution groups, manage their membership, and moderate their content through the Exchange Control Panel, without involving an administrator.
Demonstration Steps
Add Kim Akers to the Recipient Management role group:
1. On VAN-EX1, in Active Directory Users and Computers, add Kim Akers to the Recipient Management role group.

Log on to Exchange Control Panel as Kim Akers, and create a new Sales group:
1. Log on to Exchange Control Panel as Adatum\Kim with the password Pa$$w0rd.
2. Select Public Groups, and create a new Public Group.
3. In the New Group window, configure the following information:
   Display name: Sales
   Alias: Sales
   Description: Sales Department
4. Add the following members: Manoj Syamala, Rohinton Wadia, Paul West.
5. Expand Membership Approval, and select Owner Approval.
6. Click Save.
7. Sign out of Exchange Control Panel.

Log on to ECP as Wei Yu, and ask to join the Sales group:
1. Log on to Exchange Control Panel as Adatum\Wei with the password Pa$$w0rd.
2. In the left pane, select Groups.
3. In the Public Groups I Belong to section, click Join.
4. In the All Groups window, select Sales, and then click Join.
5. Click Close.
6. Sign out of Exchange Control Panel.

Approve Wei Yu's request to be added to the Sales group:
1. Log on to Outlook Web App as Adatum\Kim with the password Pa$$w0rd.
2. Double-click the Request to Join Distribution Group message in the inbox.
3. In the Request to Join Distribution Group message pane, click Approve.
4. Close Outlook Web App.
Lesson 3
In many messaging systems, you might host multiple Simple Mail Transfer Protocol (SMTP) domains, and thus you need to manage the e-mail addresses assigned to Exchange recipients. To ensure that recipients have appropriate e-mail addresses, you can create and apply e-mail address policies. In this lesson, you will learn about e-mail address policies and how to configure them. After completing this lesson, you will be able to:
- Describe the purpose and functionality of e-mail address policies.
- Configure e-mail address policies.
Key Points
For a recipient to send or receive e-mail messages, the recipient must have an e-mail address. E-mail address policies generate the primary and secondary e-mail addresses for your recipients so that they can send and receive e-mail. Before a domain can be used in an e-mail address policy, you must create it as an accepted domain. An accepted domain is an SMTP namespace for which you configure Exchange servers to send or receive messages.

By default, Exchange Server contains a single e-mail address policy that applies to every mail-enabled recipient. This default policy uses the recipient's alias as the local part of the e-mail address and uses the default accepted domain. The local part of an e-mail address is the name that appears before the @ symbol. You can change how your recipients' e-mail addresses are formed: to specify additional e-mail addresses for all recipients, or only for a subset, you can modify the default policy or create additional e-mail address policies. When several policies match a recipient, the policy with the highest priority is applied.
- Resource mailboxes. Select this check box if you want your e-mail address policy to apply to Exchange resource mailboxes. Resource mailboxes let you administer company resources, such as a conference room or company vehicle, through a mailbox.
- Contacts with external e-mail addresses. Select this check box if you want your e-mail address policy to apply to contacts with external e-mail addresses.
- Mail-enabled groups. Select this check box if you want your e-mail address policy to apply to security groups or distribution groups that have been mail-enabled. Mail-enabled security groups behave like distribution groups for delivery purposes: a message sent to the group's address is delivered to all of its members.

The second part of the E-mail Address Policy filter contains conditions in one of the following categories:
- Recipient is in a State or Province. Select this check box if you want the e-mail address policy to include only recipients from specific states or provinces. The Address and Phone tab in the recipient's properties contains this information.
- Recipient is in a Department. Select this check box if you want the e-mail address policy to include only recipients in specific departments. The Organization tab in the recipient's properties contains this information.
- Recipient is in a Company. Select this check box if you want the e-mail address policy to include only recipients in specific companies. The Organization tab in the recipient's properties contains this information.
- Custom Attribute equals Value. There are 15 custom attributes for each recipient, and there is a separate condition for each custom attribute. If you want the e-mail address policy to include only recipients that have a specific value set for a specific custom attribute, select the check box that corresponds to that custom attribute.

When creating an e-mail address policy, you can use the following e-mail address types:
- Precanned SMTP e-mail address. Precanned SMTP e-mail addresses are commonly used address formats that Exchange Server provides for you, such as alias@domain or first name.last name@domain.
- Custom SMTP e-mail address. If none of the precanned formats fits, you can specify a custom SMTP e-mail address template.
- Non-SMTP e-mail address. Exchange Server 2010 supports a number of non-SMTP address types for interoperability with other messaging systems.
Key Points
In this demonstration, you will see how to modify existing e-mail address policies, create new policies, and configure an alias.
Demonstration Steps
Create a new e-mail address policy for Fourth Coffee recipients:
1. Open the Exchange Management Console.
2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then select Hub Transport.
3. Create a new e-mail address policy with these attributes:
   Name: Fourth Coffee
   Display Name: Fourth Coffee
   Recipient container to apply filter: Adatum.com
   Included recipient types: All Recipient types
4. Use the user Alias as the local part of the e-mail address.
5. Select fourthcoffee.com as the accepted domain.
6. Apply the e-mail address policy immediately.

Verify that the e-mail address policy has been applied:
1. In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration, and then select Mailbox.
2. In the Results pane, double-click Jane Dow.
3. View the current E-Mail addresses that have been assigned.
4. Change the Company attribute to Fourth Coffee.
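The following is an added example, not part of the original course material. It performs the demonstration above from the Exchange Management Shell and adds a Company condition to the policy, which is what makes the final verification step (changing the Company attribute) have a visible effect. The policy priority and the second address template are assumed.

```powershell
# Added example, not part of the course material. Performs the demonstration above
# from the Exchange Management Shell, with a Company condition on the policy.
# The priority value and the second address template are assumed.

# The domain must be an accepted domain before a policy can stamp it.
New-AcceptedDomain -Name "Fourth Coffee" -DomainName "fourthcoffee.com" -DomainType Authoritative

# Policy: all recipient types in the Adatum.com container whose Company is Fourth Coffee.
# An uppercase SMTP: prefix marks the primary (reply) address; %m is the alias,
# %g.%s is given name and surname.
New-EmailAddressPolicy -Name "Fourth Coffee" `
    -RecipientContainer "Adatum.com" `
    -IncludedRecipients AllRecipients `
    -ConditionalCompany "Fourth Coffee" `
    -EnabledEmailAddressTemplates "SMTP:%m@fourthcoffee.com", "smtp:%g.%s@fourthcoffee.com" `
    -Priority 1

# Preview who the filter matches before anything is stamped.
$policy = Get-EmailAddressPolicy -Identity "Fourth Coffee"
Get-Recipient -RecipientPreviewFilter $policy.RecipientFilter | Format-Table Name, Company -AutoSize

# Apply to existing recipients; new recipients get the policy automatically.
Update-EmailAddressPolicy -Identity "Fourth Coffee"

# Verify on one recipient: after the Company attribute changes, the policy is
# re-evaluated and the fourthcoffee.com address becomes the primary (uppercase SMTP:).
Set-User -Identity "Jane Dow" -Company "Fourth Coffee"
Get-Mailbox -Identity "Jane Dow" | Select-Object -ExpandProperty EmailAddresses
```

Recipients that must keep a manually assigned primary address can be excluded from policy processing with Set-Mailbox -EmailAddressPolicyEnabled $false; otherwise the next policy update overwrites the address.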
Lesson 4
Address lists are similar to a telephone book in that they provide a single place in which users can locate other recipients, find information about them, and send e-mail to them. In larger or specialized organizations, you may need to change how the lists are organized. In this lesson, you will learn about address lists and how to manage them. After completing this lesson, you will be able to:
- Explain the functionality of address lists.
- Explain the reasons for configuring address lists.
- Configure address lists.
- Describe how to configure offline address books.
- Describe the options for deploying offline address books.
Key Points
Address lists are recipient objects that are grouped together based on a Lightweight Directory Access Protocol (LDAP) query for specific Active Directory attributes. You can use address lists to sort the GAL into multiple views, which makes it easier to locate recipients. This is especially helpful for very large or highly segmented organizations. Similar to configuring e-mail address policies, you can configure address lists with recipient filters that determine which objects belong in each address list. Address lists are evaluated every time a mail-enabled account is modified to determine on which address lists it should appear.
Key Points
For most small or medium organizations, you would not need to make changes to the default address lists. However, in large organizations, you might need to modify the default configuration.

Question: What are the reasons for creating multiple address lists?
- Geographic organization.
- Departmental organization.
- Recipient type organization.
Question: How do you use address lists in your organization? Question: How do you use a recipient filter and Active Directory attributes to create address lists? Is the necessary information already in Active Directory accounts?
Key Points
In this demonstration, you will see how to create and configure address lists.
Demonstration Steps
Create a new address list for Fourth Coffee recipients:
1. Open Exchange Management Console.
2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then select Mailbox.
3. Create a new address list with the following attributes:
   Name: Fourth Coffee
   Display Name: Fourth Coffee
   Container: \
   Recipient container to apply filter: Adatum.com
   Included recipient types: All Recipient types
4. Use the Recipient is in a Company condition to apply this address list only to recipients that list Fourth Coffee as their company attribute.
5. Preview the address list.
6. Apply the address list immediately.

Verify that the new address list is working:
1. Log on to Outlook Web App as Adatum\George with the password Pa$$w0rd.
2. Open the Address book, and view the members of the Fourth Coffee address list.
3. Close Outlook Web App.
Key Points
Exchange Server 2010 provides several configuration options for deploying offline address books. Outlook uses the offline address book when it is configured with a Cached Exchange Mode profile or when it is working offline. The default offline address book contains the entire GAL, but it does not include any additional address lists that have been created. By default, the offline address book is generated only once each day. This means that additions, deletions, and changes to mail-enabled recipients reach the offline address book only once each day, unless you modify the schedule to generate it more often. In many environments, you will need to modify the generation schedule to match the rate of change in your Exchange Server organization. As a best practice, whether you use a single offline address book or several, consider the following factors as you plan and implement your offline address book strategy:
- Size of each offline address book in your organization.
- Number of offline address book downloads. How many clients will need to download the offline address book?
- Overall number of changes made to the directory. If a large number of changes are made, the differential (incremental) offline address book downloads also will be large.
Key Points
Public folder distribution is the distribution method by which Outlook 2003, or clients that are working offline or through a dial-up connection, access the offline address book. With public folder distribution, the generation process for the offline address book places the files directly in one of the public folders, and then Exchange Server store replication copies the data to other public folder distribution points. Outlook 2007 and newer clients that are working in cached mode, offline or through a dial-up connection, use Web-based distribution to access the offline address book. Web-based distribution does not require the use of public folders. With Web-based distribution, after the offline address book generates, the Client Access server replicates the files. Web-based distribution uses HTTPS and BITS. If you require redundancy, you can use multiple Client Access servers as publishing points.
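The following is an added example, not part of the original course material. It creates the Fourth Coffee address list from the demonstration in this lesson, publishes it in an offline address book that is generated every four hours and distributed over Web-based distribution, and checks that the distribution endpoint requires SSL. The server name VAN-EX1 and the OAB virtual directory name are assumed.

```powershell
# Added example, not part of the course material. Creates the Fourth Coffee address
# list, publishes it in an offline address book with Web-based distribution, and
# checks that the OAB virtual directory requires SSL. The server name VAN-EX1 and
# the virtual directory name are assumed.

New-AddressList -Name "Fourth Coffee" -Container "\" `
    -RecipientContainer "Adatum.com" -IncludedRecipients AllRecipients `
    -ConditionalCompany "Fourth Coffee"

# Preview the membership, then apply the list to existing recipients.
Get-Recipient -RecipientPreviewFilter (Get-AddressList -Identity "Fourth Coffee").RecipientFilter |
    Format-Table Name, Company -AutoSize
Update-AddressList -Identity "Fourth Coffee"

# Offline address book for Outlook 2007 and later clients. Set
# -PublicFolderDistributionEnabled $true only when Outlook 2003 clients must be served,
# and only if a public folder database exists.
New-OfflineAddressBook -Name "Fourth Coffee OAB" -AddressLists "\Fourth Coffee" `
    -Server VAN-EX1 `
    -VirtualDirectories "VAN-EX1\OAB (Default Web Site)" `
    -PublicFolderDistributionEnabled $false

# Generation schedule: a 15-minute window every four hours instead of once a day.
# Intervals use the Exchange "Day.hh:mm-Day.hh:mm" format with 24-hour times.
$schedule = foreach ($day in "Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat") {
    foreach ($hour in 1, 5, 9, 13, 17, 21) {
        "$($day).$($hour):00-$($day).$($hour):15"
    }
}
Set-OfflineAddressBook -Identity "Fourth Coffee OAB" -Schedule $schedule
Update-OfflineAddressBook -Identity "Fourth Coffee OAB"

# Web-based distribution is HTTPS and BITS; make sure the OAB virtual directory
# does not also hand out the directory over plain HTTP.
Get-OabVirtualDirectory -Server VAN-EX1 |
    Where-Object { -not $_.RequireSSL } |
    Set-OabVirtualDirectory -RequireSSL $true
Get-OabVirtualDirectory -Server VAN-EX1 |
    Format-Table Identity, RequireSSL, InternalUrl, ExternalUrl -AutoSize
```

A more frequent schedule shortens the time before directory changes reach cached-mode clients, at the cost of more generation work on the server and more differential downloads; pick the interval from the rate of change you actually observe.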
Lesson 5
Managing a large number of recipients one at a time is time consuming, and manual changes are prone to error. You can use the Exchange Management Shell to create scripts that automate these management tasks. In this lesson, you will be introduced to bulk management of recipients and to using the Exchange Management Shell to manage multiple recipients. After completing this lesson, you will be able to:
- Describe the benefits of managing recipients in bulk.
- Manage multiple recipients.
Key Points
Exchange Management Shell cmdlets are powerful tools that you can use for managing multiple recipients simultaneously. The cmdlets use features such as pipelining and filtering to sort the results of one cmdlet and apply the result to another cmdlet. Exchange Management Shell also is a very powerful scripting tool for managing multiple recipients in bulk. In small organizations, you might not need to manage multiple recipients at the same time. However, in medium or large organizations, you may often need to manage multiple users at the same time, and it is useful to know how to use Exchange Management Shell to do that. Question: Describe situations where you need to create multiple recipients. Question: Describe situations where multiple recipients need to be modified.
Key Points
Exchange Management Shell provides several features that you can use to perform bulk recipient management. For relatively simple tasks, you can pipe output between cmdlets to retrieve a list of appropriate objects, and then you can modify them. You can use scripting for complex tasks, such as creating users from a .csv file.
Demonstration Steps
1. The instructor will run the following cmdlets. The first lists the Fourth Coffee users, the second disables one user's mailbox, and the third creates mailboxes for all Fourth Coffee users that do not yet have one:

Get-User -Filter {Company -eq "Fourth Coffee"}
Disable-Mailbox Jane
Get-User -Filter {Company -eq "Fourth Coffee"} | Enable-Mailbox -Database "Mailbox Database 1"

2. The instructor will run the following script. The script creates mailboxes based on information provided in a .csv file whose path is passed as the first argument. Note that the .csv file carries each user's initial password in clear text, so protect the file accordingly and delete it after the import.

## Section 1
## Define Database for new mailboxes
$db = "Mailbox Database 1"
## Define User Principal name domain
$upndom = "Adatum.com"

## Section 2
## Import csv file (first script argument) into variable $users
$users = Import-Csv $args[0]

## Section 3
## Function to convert a plain-text password string to a secure string
function SecurePassword([string]$plainPassword) {
    $secPassword = New-Object System.Security.SecureString
    foreach ($char in $plainPassword.ToCharArray()) {
        $secPassword.AppendChar($char)
    }
    return $secPassword
}

## Section 4
## Create new mailboxes and users
foreach ($i in $users) {
    $sp = SecurePassword $i.password
    $upn = $i.FirstName + "@" + $upndom
    $display = $i.FirstName + " " + $i.LastName
    New-Mailbox -Password $sp -Database $db -DisplayName $display -UserPrincipalName $upn -Name $i.FirstName -FirstName $i.FirstName -LastName $i.LastName -OrganizationalUnit $i.OU
}

3. In Exchange Management Console, verify that the users listed in the .csv file have been created.
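The following is an added example, not part of the original course material. It is a variant of the demonstration script that does not read clear-text passwords from the .csv file: it generates a random initial password for each user, forces a change at first logon, applies the mailbox quotas used in the lab later in this module in the same pass, and reports what it created. The database, UPN domain, .csv path, and column names (FirstName, LastName, OU) are assumed.

```powershell
# Added example, not part of the course material. Bulk mailbox creation without
# clear-text passwords in the input file. Database, UPN domain, CSV path and the
# column names FirstName, LastName and OU are assumed.
param(
    [Parameter(Mandatory = $true)] [string]$CsvPath,
    [string]$Database  = "Mailbox Database 1",
    [string]$UpnDomain = "adatum.com"
)

# GeneratePassword(length, minimumNonAlphanumeric) from the .NET Framework; 4 symbols
# satisfies the default domain complexity policy.
Add-Type -AssemblyName System.Web
function New-RandomPassword([int]$Length = 16) {
    [System.Web.Security.Membership]::GeneratePassword($Length, 4)
}

$users = Import-Csv -Path $CsvPath
$created = foreach ($u in $users) {
    $alias   = ($u.FirstName + $u.LastName) -replace '[^A-Za-z0-9]', ''
    $upn     = "$($u.FirstName.ToLower()).$($u.LastName.ToLower())@$UpnDomain"
    $display = "$($u.FirstName) $($u.LastName)"
    $plain   = New-RandomPassword
    $secure  = ConvertTo-SecureString -String $plain -AsPlainText -Force

    $mailbox = New-Mailbox -Name $display -DisplayName $display -Alias $alias `
        -FirstName $u.FirstName -LastName $u.LastName `
        -UserPrincipalName $upn -OrganizationalUnit $u.OU `
        -Database $Database -Password $secure -ResetPasswordOnNextLogon $true

    # Per-mailbox quota instead of the database default, in the same pass.
    $mailbox | Set-Mailbox -IssueWarningQuota 100MB -ProhibitSendQuota 150MB `
        -UseDatabaseQuotaDefaults $false

    # The initial password is shown once for hand-over and is never written back
    # to the .csv file. The user must change it at first logon.
    New-Object PSObject -Property @{
        UserPrincipalName = $upn
        Alias             = $alias
        InitialPassword   = $plain
    }
}
$created | Format-Table UserPrincipalName, Alias, InitialPassword -AutoSize
```

Save the script as a .ps1 file and run it as .\Script.ps1 -CsvPath D:\Labfiles\Users.csv from the Exchange Management Shell; hand the initial passwords over through a channel other than e-mail, since the mailboxes they unlock do not exist for the users yet.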
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and 10135A-VAN-CL1 virtual machines are running.
   - 10135A-VAN-DC1: Domain controller in the Adatum.com domain.
   - 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain.
   - 10135A-VAN-CL1: Windows 7 client computer in the Adatum.com domain.
3. If required, connect to the virtual machines. Log on to the computers as Adatum\Administrator, using the password Pa$$w0rd.
Lab Scenario
You are the messaging administrator for A. Datum Corporation. Your company is purchasing a new company called Adventure Works. Adventure Works recipients will need to maintain a separate e-mail domain and address list. You also must create new mailboxes for the new departments employees.
Task 2: Create a resource mailbox, and configure auto-accept settings for the ProjectRoom
1. In Exchange Management Console, create a new room mailbox named ProjectRoom in the Mailbox Database 1 database. Configure a user logon name of ProjectRoom, and a password of Pa$$w0rd.
2. Enable the Booking Attendant on ProjectRoom.

Task 4: Create and configure a mail-enabled contact for Ian Palangio at Woodgrove Bank
In Exchange Management Console, create a new mail-enabled contact for Ian Palangio, using an alias of IanPalangioWB and an e-mail address of ian.palangio@woodgrovebank.com.

Task 5: Create a moderated distribution list for the Adventure Works Project, and delegate an administrator
1. In Exchange Management Console, create a new distribution group called Adventure Works Project with an alias of AdventureWorksProject.
2. Add the following recipients to the Adventure Works Project group: George Schaller, Ian Palangio, Wei Yu, Paul West.
3. Specify George Schaller as the group moderator, and enable moderation of all messages.
2. Create and send a new meeting request. Invite the Adventure Works Project group, and specify ProjectRoom as the room.
3. On VAN-EX1, open Outlook Web App, log on as Adatum\George, using the password Pa$$w0rd, and accept the meeting request message. Send the response now.

Results: After this exercise, you should have completed all of the assigned tasks, which include creating a mailbox, creating a resource mailbox, moving a mailbox, creating a contact, and creating a moderated distribution group.
Task 5: Create a new offline address book for the Adventure Works address list to support both Office Outlook 2003 and Outlook 2007 clients
1. On VAN-EX1, open Exchange Management Console.
2. Create a new offline address book named Companies with the Adventure Works and A. Datum address lists, and enable distribution through both Web-based distribution and public folders. Use the OAB folder on VAN-EX1 for Web-based distribution.
3. Close the Exchange Management Console.

Results: After this exercise, you should have created an address list for the A. Datum and Adventure Works users, and an offline address book for each organization.
The main tasks for this exercise are:
1. Add a header line to the .csv file exported from the Human Resources (HR) system.
2. Modify the CreateUsersLab.ps1 script to import Adventure Works users from a .csv file.
3. Create the AdventureWorks OU in the Adatum.com domain.
4. Run CreateUsersLab.ps1 to import Adventure Works users from a .csv file.
5. Define mailbox limits for all Adventure Works company users.

Task 1: Add a header to the .csv file exported from the HR system
1. On VAN-EX1, open D:\Labfiles\Users.csv in Notepad.
2. Add a header line that defines each column: FirstName, LastName, Password.

Task 2: Modify the CreateUsersLab.ps1 script to import Adventure Works users from a .csv file
1. Open D:\Labfiles\CreateUsersLab.ps1 in Notepad.
2. Modify CreateUsersLab.ps1 as required to:
   - Configure the database in which to create users as Mailbox Database 1.
   - Configure the user principal name domain to be adatum.com.
   - Place users in the AdventureWorks OU.
   - Configure the .csv import file to be D:\Labfiles\Users.csv.
   - Configure $pwd to be based on the Password field in Users.csv.
   - Configure the first and last name.
   - Configure the user principal name (UPN) as first name@adatum.com.
   - Configure the alias to be the first name and last name, with no space between the names.
   - Configure the display name to be the first name and last name, with a space between the names.
Set mailbox limits by piping the list of Adventure Works mailboxes to the Set-Mailbox cmdlet with the parameters -IssueWarningQuota 100MB and -ProhibitSendQuota 150MB. Per-mailbox quotas take effect only when the mailbox is not using the database quota defaults.

Results: After this exercise, you should have created all of the additional Adventure Works users with an Exchange Management Shell script, and then have set the storage quota.
Review Questions
1. How would you ensure that meeting requests to room mailboxes are validated manually before being approved?
2. How would you give a user access to send messages from another mailbox, without giving them access to the mailbox contents?
3. What should you consider when configuring offline address book distribution?

Common Issues and Troubleshooting Tips
Issue: The offline address book is not up-to-date with changes made during the day.
Troubleshooting tip: Check to make sure that the offline address book is scheduled to be generated more than one time each day.

Issue: Outlook 2003 clients are not able to download the offline address book.
Troubleshooting tip: Check to make sure that the offline address book is being distributed in a public folder.
2. An organization has a large number of projects that leverage distribution groups. Managing group members takes considerable time. You need to reduce the time the help desk spends managing groups so that they can work on other issues.
3. You employ contractors that need an e-mail address from your company. The company needs to enable the contractors to receive these messages in their current third-party mailboxes.
Module 4
Managing Client Access
Contents:
Lesson 1: Configuring the Client Access Server Role 4-3
Lesson 2: Configuring Client Access Services for Outlook Clients 4-18
Lab A: Configuring Client Access Servers for Outlook Anywhere Access 4-37
Lesson 3: Configuring Outlook Web App 4-43
Lesson 4: Configuring Mobile Messaging 4-53
Lab B: Configuring Client Access Servers for Outlook Web App and Exchange ActiveSync 4-61
Module Overview
Microsoft Exchange Server 2010 provides access to user mailboxes for many different clients. All messaging clients access Exchange Server mailboxes through a Client Access server. Because of the importance of this server role, you must understand how to configure it to support all the different client types. This module provides details on how to implement the Client Access server role in Exchange Server 2010. After completing this module, you will be able to:
- Configure the Client Access server role.
- Configure Client Access services for Outlook clients.
- Configure Microsoft Office Outlook Web App.
- Configure mobile messaging.
Lesson 1
You can implement the Client Access server role on an Exchange server that hosts any other roles except the Edge Transport server role. Alternatively, you can deploy the Client Access server role on one or more dedicated servers. In many organizations, the Client Access server is accessible from the Internet, so securing the Client Access servers is an important part of the deployment. This lesson describes the process for deploying and securing a Client Access server. After completing this lesson, you will be able to:
- Describe how client access works in Exchange Server 2010.
- Describe how client access works with multiple sites.
- Describe the Client Access server deployment options.
- Configure a Client Access server.
- Secure a Client Access server.
- Explain Client Access server deployment considerations.
- Configure Client Access server certificates.
- Describe the configuration options for Post Office Protocol 3 (POP3) and Internet Message Access Protocol 4 (IMAP4) client access.
- Describe how to configure the Client Access server for secure Internet access.
Key Points
In Exchange Server 2010, all messaging clients connect to a Client Access server when accessing an Exchange Server mailbox. For users to access their mailboxes, you must deploy a Client Access server in the same Active Directory site as the Mailbox server.

Important: In Exchange Server 2007 and earlier versions, MAPI clients such as Microsoft Office Outlook connect directly to Mailbox servers. In Exchange Server 2010, with the introduction of the Remote Procedure Call (RPC) Client Access service, MAPI clients no longer connect directly to the Mailbox servers for mailbox access; they connect to the Client Access server, which connects to the Mailbox server on their behalf.
Key Points
Deploying Client Access servers in an environment with multiple Active Directory sites adds complexity to deployment planning, particularly when you consider the options for providing Internet access to those Client Access servers.
Note: Exchange Server 2010 can redirect only Outlook Web App clients to another Client Access server in a different site. It proxies all other Client Access server client requests to a Client Access server in the same site as the user mailbox. To optimize access for non-Outlook Web App clients, you must configure the clients to connect directly to a Client Access server in the users home site.
Key Points
When planning your Client Access server deployment, you must meet certain requirements to ensure a successful deployment. Additionally, there are options for deploying Client Access servers in scenarios where servers require higher availability, or you have multiple sites.
You can deploy the Client Access server role on the same computer as all other Exchange Server 2010 server roles, except for the Edge Transport server role. Installing all server roles on a single server does not provide additional availability and offers only limited scalability. You can deploy the Client Access server role on a dedicated server. This deployment provides additional scalability and performance benefits. You also can deploy multiple servers running the Client Access server role. To provide high availability for Client Access servers, you can deploy Windows Network Load Balancing, or deploy a hardware load balancer to manage connections to the Client Access servers. In Exchange Server 2010, you also can configure Client Access arrays to provide failover and redundancy. A Client Access array is a container object used by Exchange Server 2010 Client Access servers. When you deploy database availability groups (DAGs), Exchange Server 2010 uses Client Access arrays to track which mailbox databases are located in each Active Directory site, and to manage client connection failover to the local mailbox databases.
Note: You can install Client Access servers on Mailbox servers that are DAG members. However, just adding the Client Access server to a DAG member does not provide high availability for the Client Access server. To provide high availability for Client Access servers, you need to implement a Client Access array, and deploy a network load balancing solution. For more information on Client Access arrays, see Module 7, Implementing High Availability.
Key Points
In this demonstration, you will see how to configure the global Client Access server settings, as well as the settings for each Client Access server in the organization.
Demonstration Steps
1. Open the Exchange Management Console.
2. In the Exchange Management Console, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Client Access. Settings that you apply in the Organization Configuration node apply to all Client Access servers and mailboxes.
3. Review the default policies on the Outlook Web App Mailbox Policies and Exchange ActiveSync Mailbox Policies tabs.
4. In the left pane, expand Server Configuration, and then click Client Access.
5. Examine the properties of one of the listed Client Access servers. These properties display information only, and cannot be used to configure the server settings.
6. In the results pane, review the settings available on each of the tabs. These settings configure the virtual directories of the selected Client Access server.
Question: Why would you create multiple Outlook Web App Mailbox policies or Exchange ActiveSync polices, rather than just use the default policies? Question: Why would you modify the server settings on one Client Access server to be different from those on another Client Access server?
Key Points
In many organizations, the Client Access server is accessible from the Internet for Outlook Anywhere, Outlook Web App, or Exchange ActiveSync clients. Therefore, it is critical that you ensure that the Client Access server that faces the Internet is as secure as possible.
Important: When using a single Internet-accessible Client Access server for all sites, you must enable Windows Integrated authentication on all of the Client Access servers that are not Internet accessible. For example, the outward-facing Outlook Web App server can use forms-based authentication, but the internal Client Access servers must be configured to allow Integrated Windows authentication. Digest authentication. Digest authentication secures the password by transmitting it as a hash value over the network. Basic authentication. Basic authentication transmits passwords in clear text over the network: therefore, you should always secure Basic authentication by using SSL encryption. Basic authentication is the authentication option that is most widely supported by clients.
Forms-Based Authentication
Forms-based authentication is available only for Outlook Web App and ECP. When you use this option, it replaces the other authentication methods. This is the preferred authentication option for Outlook Web App because it provides enhanced security. When you use forms-based authentication, Exchange Server uses cookies to encrypt the user logon credentials in the client computer's Web browser. Tracking the use of this cookie allows Exchange Server to time out inactive sessions. The time required before an inactive session times out varies depending on the computer type selected during logon. If you choose a public or shared computer, the session times out after 15 minutes of inactivity. If you choose a private computer, the session times out after 12 hours of inactivity.
Note: You can configure the time-out values for public and private computers by modifying the Client Access server registry. You can do this by using the Regedit utility, or the Set-ItemProperty cmdlet. For more information about how to configure these settings, see the Set the Forms-Based Authentication Private Computer Cookie Time-Out Value topic in Exchange Server 2010 Help.
Forms-based authentication is enabled by default for Outlook Web App and for ECP.
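The following Exchange Management Shell script is an added example, not part of the course or of the product documentation. It switches the Outlook Web App and ECP virtual directories of one Client Access server to forms-based authentication and then shortens the cookie time-outs described above. VAN-EX1 is the lab server; the registry key and the PublicTimeout and PrivateTimeout value names are taken from the Exchange Help topic named in the note and are assumptions to verify against that topic.

```powershell
# Added example: forms-based authentication and cookie time-outs on one
# Client Access server. Assumes the lab server VAN-EX1 and the registry
# location documented in Exchange 2010 Help for the time-out values.

$server = "VAN-EX1"

# Forms-based authentication replaces the other methods. The other three are
# switched off explicitly so Basic cannot remain enabled next to the form
# (Basic would otherwise accept clear-text credentials on the same URL).
Get-OwaVirtualDirectory -Server $server |
    Set-OwaVirtualDirectory -FormsAuthentication $true `
                            -BasicAuthentication $false `
                            -DigestAuthentication $false `
                            -WindowsAuthentication $false

Get-EcpVirtualDirectory -Server $server |
    Set-EcpVirtualDirectory -FormsAuthentication $true `
                            -BasicAuthentication $false `
                            -WindowsAuthentication $false

# Cookie time-outs, in minutes (defaults: public 15, private 720 = 12 hours).
# Shorter values limit how long an unattended, still-open browser session
# keeps access to a mailbox. Key path and value names: assumed from Help.
$owaKey = "HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA"
Set-ItemProperty -Path $owaKey -Name PublicTimeout  -Value 10  -Type DWord
Set-ItemProperty -Path $owaKey -Name PrivateTimeout -Value 480 -Type DWord

# Authentication and time-out changes are read when IIS restarts.
iisreset /noforce

# Verify the resulting authentication settings.
Get-OwaVirtualDirectory -Server $server |
    Format-List Name, FormsAuthentication, BasicAuthentication, DigestAuthentication, WindowsAuthentication
Get-ItemProperty -Path $owaKey -Name PublicTimeout, PrivateTimeout
```

Run the script in the Exchange Management Shell on the Client Access server itself, because the registry values are per server and must be set on every Client Access server that users log on to.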
Key Points
Because of the importance of using SSL to secure network traffic between Client Access servers and messaging clients, you must ensure that you deploy the appropriate certificates on the Client Access servers. You can secure all client connections to the Client Access server using SSL.
Note: By default, the Client Access server is configured with a self-signed certificate that is not trusted by clients. You should remove this certificate and install a certificate from a trusted CA.
Note: If you are planning to enable Federated Sharing, you must obtain a certificate for your Internet-accessible Client Access servers from a public, trusted CA.
Key Points
In this demonstration, you will see how to configure a Windows Server 2008 Certification Authority to support certificate requests with multiple subject alternative names. You will then see how to use the New Exchange Certificate Wizard to request a certificate for a Client Access server, and how to install that certificate.
Demonstration Steps
By default, the Windows Server 2008 Certification Authority does not issue certificates with multiple subject alternative names, so you will need to modify the server configuration. To enable the CA to issue these certificates, perform the following steps:
1. Run the certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2 command, and then restart the Certificate Services.
2. On the Exchange server, open the Exchange Management Console, select Server Configuration, and then click Client Access.
3. Click Configure External Client Access Domain, and configure the external domain name for Client Access servers in the organization.
4. In the Actions pane, click New Exchange Certificate to open the New Exchange Certificate Wizard. This wizard helps you determine what type of certificates you need for your Exchange organization.
5. On the Introduction page, enter a user-friendly name for your certificate.
6. On the Domain Scope page, do not select the Enable wildcarding for this certificate check box.
7. On the Exchange Configuration page, configure the certificate request to include Outlook Web App on the Internet and Intranet, Exchange ActiveSync, and Autodiscover.
8. On the Certificate Domains page, accept the names that will be added to the certificate request.
9. On the Organization and Location page, enter information about your Exchange organization. Click the Browse button to select a location for the certificate request file, and enter the desired file name.
10. On the Certificate Completion page, verify that all the information you have entered is correct. If it is, click the New button.
11. On the Completion page, click Finish.
12. Provide the certificate request file to your CA. After the certificate has been issued, complete the certificate installation process.
13. In the Exchange Management Console, select Server Configuration.
14. In the Actions pane, click Complete Pending Request.
15. Import the certnew.cer file.
16. In the Actions pane, click Assign Services to Certificate.
17. Assign the certificate to Internet Information Services on VAN-EX1.
Question: What would you need to change in this procedure if you were also enabling secure access to IMAP4 using a server name of IMAP4?
Question: How would this process change if you were requesting a certificate from an external, public CA?
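The same request, import, and assignment can be done from the Exchange Management Shell. The script below is an added example, not the course's demonstration or Microsoft's sample code; it shows the shell equivalent of steps 4 through 17 and ends with the check that every name clients will use is in the certificate. The host names (mail.adatum.com, autodiscover.adatum.com, van-ex1.adatum.com), the subject details, and the file paths are constructed for the Adatum lab.

```powershell
# Added example: request, import and enable a Client Access server certificate
# with multiple subject alternative names. All names and paths are constructed
# for the lab; VAN-EX1 is the course's Client Access server.

# Step 1 (on the CA, VAN-DC1) is done from a command prompt, not shown here:
#   certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
#   net stop certsvc & net start certsvc

# Every name that any client may connect with must be listed. A name missing
# from the SAN list produces certificate warnings in Outlook Anywhere,
# Autodiscover and Exchange ActiveSync even if the certificate is trusted.
$names = @("mail.adatum.com", "autodiscover.adatum.com", "van-ex1.adatum.com", "van-ex1")

# Generate the request (Base64 text) and save it for submission to the CA.
$request = New-ExchangeCertificate -GenerateRequest `
    -FriendlyName "Adatum Client Access" `
    -SubjectName "c=CA, s=BC, l=Vancouver, o=A. Datum Corporation, cn=mail.adatum.com" `
    -DomainName $names `
    -PrivateKeyExportable $true
Set-Content -Path "C:\certreq.txt" -Value $request -Encoding ascii

# After the CA has issued the certificate as C:\certnew.cer: import it (Exchange
# matches it to the pending request by public key) and bind it to IIS.
$bytes = [System.IO.File]::ReadAllBytes("C:\certnew.cer")
$cert  = Import-ExchangeCertificate -FileData $bytes
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# Verify: all expected names present, IIS among the services, not expired.
$installed = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
$installed | Format-List Subject, CertificateDomains, Services, NotAfter, Status
$missing = $names | Where-Object { $installed.CertificateDomains -notcontains $_ }
if ($missing) { Write-Warning ("Names not on the certificate: " + ($missing -join ", ")) }
```

The first -DomainName entry is also used as the common name, so list the name users type in the browser first. Once the new certificate is enabled for IIS, the default self-signed certificate can be removed with Remove-ExchangeCertificate, which is the clean-up the Key Points above call for.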
Key Points
By default, Exchange Server 2010 supports POP3 and IMAP4 client connections, but the services are set to start manually. If you want to enable user access for these protocols, you must start the services and configure them to start automatically.
Configuration Options
If you choose to enable POP3 or IMAP4 access, you can configure the following settings.
Option: Description
Bindings: Enables the configuration of the local server addresses that will be used for unencrypted or TLS connections, and for SSL connections.
Authentication: Enables the configuration of the supported authentication options. Supported options include basic authentication, Integrated Windows authentication, and secure logon requiring TLS. The default setting is secure logon.
Connection settings: Enables the configuration of server settings, such as time-out settings, connection limits, and the command relay or proxy target port (used for connections to an Exchange Server 2003 back-end server).
Retrieval settings: Enables the configuration of the message formats used for these protocols, and of how clients will retrieve calendar requests.
On each user account, you can enable or disable access for the POP3 and IMAP4 protocols. By default, all users are enabled for access.
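As an added example (not from the course), the following Exchange Management Shell script enables IMAP4 on one Client Access server with the options from the table set to their secure values, leaves POP3 stopped, and limits IMAP4 access to the users who need it. The server name VAN-EX1 is the lab's; the IP address 172.16.0.10, the certificate name mail.adatum.com, and the group IMAP Users are constructed.

```powershell
# Added example: enable IMAP4 with TLS-only logon and per-user access control.
# VAN-EX1 is the lab server; the IP address, certificate name and group name
# are constructed for this example.

$server = "VAN-EX1"

# The services are installed but set to start manually (see Key Points above).
Set-Service -Name MSExchangeIMAP4 -StartupType Automatic
Start-Service -Name MSExchangeIMAP4

# Bindings: 993 is SSL only; 143 accepts a plain connection that must upgrade
# with STARTTLS before logon. LoginType SecureLogin refuses any logon that is
# not protected by TLS, so passwords never cross the network in clear text.
# X509CertificateName must be a name on the certificate enabled for IIS.
Set-ImapSettings -Server $server `
    -SSLBindings "172.16.0.10:993" `
    -UnencryptedOrTLSBindings "172.16.0.10:143" `
    -LoginType SecureLogin `
    -X509CertificateName "mail.adatum.com" `
    -MaxConnections 2000 `
    -MaxConnectionsPerUser 16 `
    -AuthenticatedConnectionTimeout 00:30:00 `
    -PreAuthenticatedConnectionTimeout 00:01:00

# Per-user setting: all mailboxes are enabled for POP3 and IMAP4 by default.
# Disable both everywhere, then re-enable IMAP4 for one group only.
Get-Mailbox -ResultSize Unlimited |
    Set-CASMailbox -PopEnabled $false -ImapEnabled $false
Get-DistributionGroupMember -Identity "IMAP Users" |
    Set-CASMailbox -ImapEnabled $true

# Verify the running configuration and service state.
Get-ImapSettings -Server $server |
    Format-List LoginType, SSLBindings, UnencryptedOrTLSBindings, X509CertificateName
Get-Service MSExchangeIMAP4, MSExchangePOP3 | Format-Table Name, Status
Get-CASMailbox -ResultSize Unlimited | Where-Object { $_.ImapEnabled } |
    Format-Table Name, ImapEnabled, PopEnabled
```

Restart the MSExchangeIMAP4 service after changing bindings or the login type; the settings are read at service start.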
Key Points
To enable access to the Client Access server from the Internet, you need to complete the following steps:
1. Configure the external URLs for each of the required client options. You can configure all of the Client Access server Web server-based features with an external URL. This URL is used to access the Web site from external locations. By default, the external URL is blank. For Internet-facing Client Access servers, the external URL should be configured to use the name published in DNS for that Active Directory site. The external URL should also use the same name as the one used for the server certificate. For Client Access servers that will not have an Internet presence, the setting should remain blank.
2. Configure external DNS name resolution. For each Client Access server that you are exposing to the Internet, you need to verify that the host name can be resolved on the Internet.
3. Configure access to the Client Access server virtual directories. Each of the client access methods uses a different virtual directory. If you are using a standard firewall or application layer firewall that filters client requests based on the virtual directory, you need to ensure that all virtual directories are accessible through the firewall.
4. Implement SSL certificates with multiple subject alternative names. If you are using multiple host names for the Client Access services, or if you are publishing Autodiscover to the Internet, then ensure that the SSL certificates that you deploy on each Client Access server have the required server names listed in the subject alternative name extension.
5. Plan for Client Access server access with multiple sites. If your organization has multiple locations and Active Directory sites, and you are deploying Exchange servers in each site, your first decision is whether you will make the Client Access servers in each site accessible from the Internet. If you choose not to make the Client Access server accessible, you should not configure an external URL for it. All client requests to that server will then be proxied from an Internet-accessible Client Access server.
Lesson 2
The Client Access servers in Exchange Server 2010 provide several services for Office Outlook clients. For the most part, these services are enabled by default for Outlook clients on the internal network, but you may need to modify some of the settings. Additionally, you can make some of these services available to Outlook clients connecting to the Exchange servers from outside the environment. In this case, you need to enable these features, and ensure that they are configured correctly.
After completing this lesson, you will be able to:
- Describe the services provided by a Client Access server for Outlook clients.
- Describe the RPC client access services feature.
- Describe Autodiscover functionality.
- Configure Autodiscover.
- Describe the Availability service, and its purpose.
- Explain the MailTips purpose and functionality.
- Configure MailTips.
- Describe the Outlook Anywhere functionality.
- Configure Outlook Anywhere.
- Explain how to troubleshoot Outlook client connectivity.
Key Points
In Exchange Server 2010, the Client Access server role provides critical services for all messaging clients, including Office Outlook clients. The following table lists the services provided for Outlook clients:
Service: Description
RPC Client Access services: Enables MAPI clients such as Outlook to connect to user mailboxes. The client connects to the Client Access server using a MAPI connection.
Autodiscover: The Autodiscover service configures client computers that are running Outlook 2007 or later, or supported mobile devices. The Autodiscover process configures the Outlook client profile, including the mailbox server, Availability service, and offline address book download locations.
Availability: The Availability service is used to make free/busy information available for Outlook 2007 and Outlook Web App clients. The Availability service retrieves free/busy information from Mailbox servers or public folders, and presents the information to the clients.
MailTips: The MailTips feature provides notifications for users regarding potential issues with sending a message, before they send the message.
Offline address book: The Client Access server makes the offline address book available through a Web service. Only Microsoft Office Outlook 2007 or later clients are capable of retrieving OABs from a Web service.
ECP: The ECP is a Web-based management interface that can be used to enable self-service for mailbox users, and enables users to perform specific management tasks without having access to the entire Exchange management interface.
Exchange Web Services: Exchange Web Services enables client applications to communicate with the Exchange server. You also can access Exchange Web Services programmatically. It provides access to much of the same data made available through Office Outlook. Exchange Web Services clients can integrate Outlook data into line-of-business (LOB) applications.
Outlook Anywhere: Outlook Anywhere enables Outlook 2003 or later clients to access the user mailbox by using RPCs encapsulated in an HTTP or HTTPS packet. This enables secure access to user mailboxes from clients located on the Internet.
Key Points
One of the most significant architectural changes in Exchange Server 2010 is that the Client Access server now supports all client connections, including MAPI client connections from Outlook clients. In previous Exchange Server versions, Outlook configured as a MAPI client always connected to the Mailbox server directly, rather than connecting to a front-end or Client Access server. In Exchange Server 2010, all clients connect to the Client Access server role, regardless of the client protocol used.
within seconds. In a failover scenario, clients in Exchange Server 2007 would be disconnected for one to 15 minutes. In Exchange Server 2010, if one Client Access server in a Client Access server array fails, the client will immediately reconnect to another Client Access server in the array. If a mailbox server fails, the client is disconnected for 30 seconds. Mailboxes can now be moved from one Mailbox server to another, even while the user is online and connected to the mailbox. The new architecture supports more concurrent client connections to the mailbox server. In Exchange Server 2007, each mailbox server can handle 64,000 connections. That number increases to 250,000 RPC context handle limit in Exchange 2010.
What Is Autodiscover?
Key Points
The Autodiscover service in Exchange Server 2010 simplifies Office Outlook 2007 or later client configuration. Autodiscover provides the configuration information that Outlook requires to create a profile for the client. Outlook clients can also use the Autodiscover service to repair Exchange Server connection settings if a profile is corrupted, or if the user mailbox is moved to a different server. The Autodiscover service uses a user's e-mail address and password to provide profile settings to Outlook 2007 or later clients, and supported mobile devices.
Client application: Protocol
Office Outlook 2010: RPC over TCP/IP
Outlook Anywhere: RPC over HTTP
Exchange ActiveSync: Exchange ActiveSync over HTTP
Entourage 2008, Exchange Web Services Edition: Exchange Web Services (HTTPS)
Note: Exchange Server 2010 supports Autodiscover for Exchange ActiveSync Service clients. However, the Exchange ActiveSync Service client must be running Windows Mobile 6 to support this feature.
Configuring Autodiscover
Key Points
By default, the Autodiscover settings for internal clients are automatically configured, and Outlook 2007 or later clients are automatically configured to use the appropriate services. In some cases, you may want to modify the default settings. For external clients, you need to configure the appropriate DNS settings to ensure that external clients can locate the Client Access server that is accessible from the Internet.
Task
- Configure the Autodiscover SCP
- Create a new Autodiscover virtual directory
- Remove an Autodiscover virtual directory
- Configure an Office Outlook provider
- Locate an Office Outlook provider or providers on the virtual directory
This cmdlet configures the URI for the Autodiscover service in the HeadOffice site to use the VAN-EX1 server.
To enable Autodiscover, you must configure a DNS record on the DNS server that the client uses to provide name resolution for that request. The DNS record should point to a Client Access server that is accessible from the Internet.
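The script below is an added example, not the course's own cmdlet listing. It brings together the external URL steps from the Configuring Client Access for Internet access topic earlier in this module and the Autodiscover SCP and DNS requirements described here, for one Internet-facing Client Access server. VAN-EX1 and the HeadOffice site are the lab's; mail.adatum.com, autodiscover.adatum.com and the Test-PublishedName function are constructed for the example.

```powershell
# Added example: publish one Internet-facing Client Access server.
# VAN-EX1 and HeadOffice come from the lab; the external names are constructed.

$server   = "VAN-EX1"
$external = "mail.adatum.com"

# External URLs for the Web-based features. Each name used here must be on the
# server certificate and resolvable from the Internet. Servers with no Internet
# presence keep ExternalUrl empty so requests to them are proxied instead.
Set-OwaVirtualDirectory         -Identity "$server\owa (Default Web Site)" `
    -ExternalUrl "https://$external/owa"
Set-EcpVirtualDirectory         -Identity "$server\ecp (Default Web Site)" `
    -ExternalUrl "https://$external/ecp"
Set-ActiveSyncVirtualDirectory  -Identity "$server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -ExternalUrl "https://$external/Microsoft-Server-ActiveSync"
Set-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)" `
    -ExternalUrl "https://$external/EWS/Exchange.asmx"
Set-OabVirtualDirectory         -Identity "$server\OAB (Default Web Site)" `
    -ExternalUrl "https://$external/OAB"

# Autodiscover SCP: domain-joined clients in the HeadOffice site are pointed at
# this server. Internet clients do not see the SCP; they rely on the DNS record
# for autodiscover.<SMTP domain>, which must exist in public DNS.
Set-ClientAccessServer -Identity $server `
    -AutoDiscoverServiceInternalUri "https://autodiscover.adatum.com/Autodiscover/Autodiscover.xml" `
    -AutoDiscoverSiteScope "HeadOffice"

# Name resolution check using the .NET resolver (Resolve-DnsName does not exist
# on Windows Server 2008). Run it from a host that uses Internet DNS.
function Test-PublishedName {
    param([string[]]$Names)
    foreach ($n in $Names) {
        try {
            $ips = [System.Net.Dns]::GetHostAddresses($n) | ForEach-Object { $_.IPAddressToString }
            "{0,-28} {1}" -f $n, ($ips -join ", ")
        } catch {
            "{0,-28} NOT RESOLVABLE: {1}" -f $n, $_.Exception.Message
        }
    }
}
Test-PublishedName -Names $external, "autodiscover.adatum.com"

# Review the result.
Get-ClientAccessServer -Identity $server | Format-List AutoDiscoverServiceInternalUri, AutoDiscoverSiteScope
Get-OwaVirtualDirectory -Server $server | Format-List Name, InternalUrl, ExternalUrl
```

Because the external URLs and the Autodiscover URI are handed to clients verbatim, a host name used here that is absent from the certificate's subject alternative names produces the certificate warnings discussed in the troubleshooting topic of this lesson.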
Key Points
Exchange Server 2010 makes free/busy information available to both Outlook 2007 or later, and Outlook Web App clients, by using the Availability service. The Availability service replaces the public folder used to store free/busy information in previous Exchange Server versions.
Note: Only Outlook 2007 or later and Outlook Web App use the Availability service. Outlook 2003 clients continue to use the Schedule+ Free Busy Information public folder. This folder must be available on an Exchange server for these clients to function.
How Availability Service Works
The Availability service provides free/busy information by using the following process:
1. When you start the Scheduling Assistant in Outlook 2007 or Outlook Web App, the client sends a request to the URL provided to the client during Autodiscover. The request includes all invited users, including resource mailboxes.
2. The Client Access server Availability service queries Active Directory to determine the user mailbox location.
3. For any mailbox in the same site as the Client Access server, the request is sent directly to the Mailbox server to retrieve the user's current free/busy information.
4. If the mailbox is in a different site than the Client Access server, the request is sent by proxy to a Client Access server in the site where the user mailbox is located. The Client Access server in the destination site extracts the availability information from the Mailbox server, and replies to the requesting Client Access server. If the mailbox for one of the invited users is on a computer running Exchange Server 2003, the Availability service queries the public folder that contains the free/busy information for the user.
5. The Availability service combines the free/busy information for all invited users, and presents it to the Outlook 2007 or Outlook Web App client.
Key Points
MailTips are informative messages displayed to users before they send a message. MailTips inform a user about issues or limitations with the message the user intends to send. Exchange Server 2010 analyzes the message, including the list of recipients to which it is addressed. If it detects a potential problem, it notifies the user with MailTips prior to sending the message. With the help of the information provided by MailTips, senders can adjust the message they compose to avoid undesirable situations or nondelivery reports (NDRs).
Types of MailTips
Exchange Server 2010 provides several default MailTips, including the following examples:
- Mailbox Full. This MailTip displays if the sender adds a recipient whose mailbox is full, and if your organization has implemented a Prohibit Receive restriction for mailboxes over a specified size.
- Recipient Out of Office. This MailTip displays the first 250 characters of the out-of-office reply configured by the recipient, if a recipient has configured an out-of-office rule.
- Restricted Recipient. This MailTip displays if the sender adds a recipient for which delivery restrictions are configured, and prohibits this sender from sending the message.
- External Recipients. This MailTip displays if the sender adds a recipient that is external, or adds a distribution group that contains external recipients.
- Large Audience. This MailTip displays if the sender adds a distribution group that has more than the large audience size configured in your organization. By default, Exchange Server displays this MailTip for messages to distribution groups that have more than 25 members.
You can also configure custom MailTips in the Exchange Management Shell. A custom MailTip can be assigned to any recipient. For example, you could configure a custom MailTip for a recipient who is on an extended leave, or for a distribution group where all members of the group will be out of the office. Alternately, you can create a custom MailTip for a distribution group that explains the purpose of the group and thus reduces its misuse. When you configure a custom MailTip, it displays when a user composes a message for a specified recipient.
Note: MailTips are available only in Exchange Server 2010 Outlook Web App, or when using Microsoft Office Outlook 2010 or later. MailTips are not available in Outlook 2007.
3. The Client Access server returns MailTips data to the client.
Note: Several MailTips are available when the Outlook client is offline. To enable this functionality, the structure of the offline address book has been redesigned to include some of the information that MailTips requires. The only MailTips that do not work while the Outlook client is offline are those that require current information from Active Directory or the user mailbox: the Invalid Internal Recipient, Mailbox Full, and Recipient Out-of-Office MailTips.
Key Points
In this demonstration, you will see how to review and configure default MailTips for an Exchange Server 2010 organization, and how to configure custom MailTips. You will also confirm that the MailTips functions as expected.
Demonstration Steps
1. In the Exchange Management Shell, use the Get-OrganizationConfig cmdlet to review the default configuration for MailTips.
2. Use the Set-OrganizationConfig -MailTipsLargeAudienceThreshold 10 cmdlet to modify the large distribution group threshold setting.
3. Use the Set-DistributionGroup Marketing -MailTip "The marketing team will be at a conference till next week." cmdlet to configure a custom MailTip.
4. Log on to Outlook Web App. Prepare test messages to verify that the default and custom MailTips work as expected.
Question: Will you leave MailTips enabled in your organization? How will you modify the default configuration?
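The following script is an added example and not the demonstration's own commands. It reviews the organization-wide MailTips switches, lowers the large audience threshold as in the demonstration, and assigns custom MailTips to a distribution group and a mailbox. The Marketing group is from the demonstration; the Helpdesk group and the mailbox Anna are constructed for this example.

```powershell
# Added example: review organization MailTips settings and add custom MailTips.
# Marketing comes from the demonstration; Helpdesk and Anna are constructed.

# All organization-wide MailTips switches live on the organization config object.
Get-OrganizationConfig | Format-List MailTips*

# Lower the Large Audience threshold (default 25) and make sure the external
# recipient tip is on; it warns a sender before mail leaves the organization,
# which catches a common cause of accidental data disclosure.
Set-OrganizationConfig -MailTipsAllTipsEnabled $true `
    -MailTipsExternalRecipientsTipsEnabled $true `
    -MailTipsLargeAudienceThreshold 10

# Custom MailTips are plain text shown while the user composes the message.
Set-DistributionGroup -Identity "Marketing" `
    -MailTip "The marketing team will be at a conference till next week."
Set-DistributionGroup -Identity "Helpdesk" `
    -MailTip "Use this address for IT support requests only. Include your computer name."
Set-Mailbox -Identity "Anna" `
    -MailTip "Anna is on extended leave. For urgent matters contact her manager."

# Verify what clients will receive for each recipient.
"Marketing", "Helpdesk" | Get-DistributionGroup | Format-List Name, MailTip
Get-Mailbox -Identity "Anna" | Format-List Name, MailTip
Get-OrganizationConfig | Format-List MailTipsLargeAudienceThreshold, MailTipsExternalRecipientsTipsEnabled
```

A custom MailTip is limited in length and is not a delivery restriction: it informs the sender but does not block the message, so pair it with the Restricted Recipient settings where sending must actually be prevented.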
Key Points
When you enable Outlook Anywhere, an Outlook 2003 or later client can connect to a server running Exchange Server 2010 or Exchange Server 2007 using RPCs encapsulated in an HTTP or HTTPS packet. This feature is a secure option for connecting to the Exchange server from the Internet while using a MAPI client.
How Does Outlook Anywhere Work?
To deploy Outlook Anywhere, you need to deploy the Outlook 2007 or Outlook 2003 client and the RPC proxy service running on Windows Server 2008. The following is a description of the communication process between all components in an RPC-over-HTTP configuration:
1. All communication between the Outlook client and the Client Access server is sent using HTTPS. The client establishes a connection to the Client Access server for each RPC request that it sends, and then establishes a second connection for responses from the Client Access server.
2. When the client connects, the Client Access server authenticates the user by forwarding the authentication request to a domain controller.
3. After the user is authenticated, the Client Access server uses an RPC connection to communicate with the Mailbox server hosting the user mailbox.
4. If the client requests a Global Address List lookup, the NSPI component on the Client Access server sends a Lightweight Directory Access Protocol (LDAP) query to a global catalog server.
Key Points
When configuring Outlook Anywhere, you must configure the Exchange Client Access server, and then configure the Outlook clients.
Demonstration Steps
1. On the Client Access server, use the following cmdlet to review the Autodiscover configuration:
Get-ClientAccessServer -Identity VAN-EX1 | FL
2. On the Client Access server, verify that the RPC over HTTP Proxy feature is installed.
3. On the Client Access server, in the Exchange Management Console, click Enable Outlook Anywhere, using a host name that is resolvable from the Internet.
4. On the Client Access server, in Internet Information Services (IIS) Manager, verify that the RPC virtual directory is configured to use SSL and that it is configured to accept Basic and Windows Authentication.
5. On the client computer, configure the Outlook account properties to Connect to Microsoft Exchange using HTTP, and then click Exchange Proxy Settings.
6. In the Microsoft Exchange Proxy Settings dialog box, complete the following information:
   - Use the URL (https://): external host name for the Client Access server.
   - Connect using SSL only: enable (default)
   - On fast networks, connect using HTTP first, then connect using TCP/IP: enable
   - On slow networks, connect using HTTP first, then connect using TCP/IP: enable (default)
   - Proxy authentication setting: NTLM Authentication (default)
7. From the client, open Outlook and connect to the server.
8. Press and hold the CTRL key, and then right-click the Office Outlook icon in the Windows 7 operating system notification area. Click Connection Status. Confirm that the Conn column lists HTTPS as the connection method.
9. Press and hold CTRL, and then click the Outlook icon in the notification area of the Windows task bar. Click Test E-mail AutoConfiguration.
10. Click Test. View the information displayed on both the Results and Log tabs.
Key Points
To troubleshoot Outlook MAPI connectivity to an Exchange server, use the following steps:
1. Identify network connectivity issues. If the Outlook client or the Exchange server experiences problems connecting to the network, Outlook shows a status of Disconnected, and no new messages can be transferred between the client and the server.
2. Identify name resolution issues. Outlook clients must be able to resolve the name of the Exchange server to which they are connecting. By default, Outlook 2007 clients use DNS host-name resolution to resolve the name of the Exchange server to its IP address.
3. Identify client configuration issues. A client configuration issue can occur in Outlook or Windows configurations. An improperly configured client can prevent the computer from connecting to the Exchange server, or create intermittent connectivity problems.
4. Identify server configuration or service-availability issues. A configuration error can prevent some or all users from connecting to the Exchange server. Based on the symptom that the user is experiencing, you can verify configuration by using the Exchange Server Best Practices Analyzer Tool, or examine server properties by using the Exchange Management Console.
5. If the client computer is using Outlook Anywhere to connect to the Client Access server, the problem may be a Client Access server certificate issue. Outlook Anywhere relies on valid server certificates to provide secure communication with the server. Invalid names on certificates, expired certificates, or nontrusted certificates can cause connectivity issues between these clients and a Client Access server.
Tip: To ensure that a valid server certificate is trusted and can be used for connecting with Outlook Anywhere, connect from a Web browser to the RPC virtual directory on the Exchange server. If the user receives a prompt with a warning message about the certificate authenticity, then there is an issue with the certificate configuration. This will lead to problems with Outlook Anywhere, Autodiscover, and Exchange ActiveSync.
6. You can use the Test E-Mail AutoConfiguration wizard in Outlook 2007 to test whether Autodiscover is configured correctly. When you run the wizard, it reports whether the client could connect to the Autodiscover service on a Client Access server, and it displays the information that it received through the autoconfiguration process.
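The browser check in the Tip above can be scripted so that the three certificate problems named in step 5 (wrong names, expiry, untrusted chain) are reported explicitly rather than inferred from a browser warning. The function below is an added example, not part of the course or of Outlook's diagnostics; Get-ClientAccessCertificateReport is a constructed name and mail.adatum.com is the lab's external host name. Because the certificate belongs to the Web site binding rather than to one virtual directory, a TLS handshake on port 443 shows the same certificate that the RPC virtual directory presents.

```powershell
# Added example: report how a Windows client validates the certificate a
# Client Access server presents on HTTPS. Function name and host are
# constructed; no data is sent over the connection, it is closed right after
# the handshake.

function Get-ClientAccessCertificateReport {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443
    )
    $script:sslErrors = $null
    # The callback receives the outcome of the normal Windows chain and name
    # validation. It returns $true only so the handshake completes and the
    # certificate can be read; the recorded errors decide the verdict below.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $errors)
        $script:sslErrors = $errors
        return $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Close()
        $tcp.Close()
    }
    # Subject alternative names (OID 2.5.29.17): Outlook Anywhere, Autodiscover
    # and ActiveSync each need the host name they connect to listed here.
    $sans = @()
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if ($sanExt) {
        $sans = @($sanExt.Format($false) -split ", " | ForEach-Object { ($_ -split "=", 2)[1] })
    }
    $now = Get-Date
    New-Object PSObject -Property @{
        Host            = $HostName
        Subject         = $cert.Subject
        Issuer          = $cert.Issuer
        SubjectAltNames = ($sans -join ", ")
        NotAfter        = $cert.NotAfter
        Expired         = ($cert.NotAfter -lt $now -or $cert.NotBefore -gt $now)
        NameMismatch    = (($script:sslErrors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch) -ne 0)
        ChainUntrusted  = (($script:sslErrors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors) -ne 0)
        Usable          = ($script:sslErrors -eq [System.Net.Security.SslPolicyErrors]::None)
    }
}

# Run from a client machine, with the name Outlook is configured to use.
Get-ClientAccessCertificateReport -HostName "mail.adatum.com" | Format-List
```

Run it on a client, not on the Exchange server: the result depends on the trusted root store of the machine doing the validation, which is exactly why a certificate from an internal CA can pass on domain-joined computers and fail on the Internet.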
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, 10135A-VAN-EX2, and the 10135A-VAN-CL1 virtual machines are running.
   - 10135A-VAN-DC1: Domain controller in the Adatum.com domain
   - 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain
   - 10135A-VAN-EX2: Exchange 2010 server in the Adatum.com domain
   - 10135A-VAN-CL1: Client computer in the Adatum.com domain
Important: If you are using Windows Server 2008 R2 as the host operating system, you must complete the following steps before starting VAN-CL1.
1. In the Hyper-V Management console, in the Virtual Machines pane, right-click 10135A-VAN-CL1, and click Settings.
2. Click Network Adapter, and select the Enable spoofing of MAC addresses check box. Click OK. This step is required in order for the Windows Mobile Device emulator to communicate on the virtual network.
3. If required, connect to the virtual machines. Log on to VAN-DC1, VAN-EX1, and VAN-EX2 as Adatum\Administrator, using the password Pa$$w0rd. Do not log on to VAN-CL1 at this point.
Lab Scenario
You are working as a messaging administrator in A. Datum Corporation. Your organization has decided to deploy Client Access servers so that the servers are accessible from the Internet for a variety of messaging clients. To ensure that the deployment is as secure as possible, you must secure the Client Access server, and configure a certificate on the server that will support the messaging client connections. You also need to configure the server to support Outlook Anywhere connections.
Task 1: Prepare the Windows Server 2008 CA to issue certificates with multiple subject alternative names
1. On VAN-DC1, open a command prompt and use the certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2 command to configure the CA policy.
2. Restart the Certificate Services.
State/province: BC
Close Outlook.
Results: After this exercise, you should have enabled Outlook Anywhere on VAN-EX2, and configured a client profile to use Outlook Anywhere. You also verified the Outlook Anywhere functionality.
Lesson 3
Exchange Server 2010 uses Outlook Web App to provide access to user mailboxes through a Web browser. Many organizations provide users with access to Outlook Web App from the Internet. Some organizations also use Outlook Web App internally. In both scenarios, deploying Outlook Web App is quite easy because only a Web browser is required as a client. This lesson describes how to configure Outlook Web App for Exchange Server 2010.
After completing this lesson, you will be able to:
- Describe Outlook Web App features.
- Identify Outlook Web App configuration options.
- Describe the file and data access options in Outlook Web App.
- Configure Outlook Web App.
- Configure Outlook Web App policies.
- Configure user options using the ECP.
Key Points
Outlook Web App allows users to access their mailboxes through a Web browser. The feature set in Outlook Web App closely mimics features available in Outlook 2010, and may provide features that are not available in previous Outlook versions. In some cases, it may be possible to use Outlook Web App in place of Outlook 2010. Outlook Web App has been redesigned in Exchange Server 2010 to include features such as chat, text messaging, mobile phone integration, and enhanced conversation view. In Exchange Server 2010, these features are accessible from an expanded set of Web browsers, including Microsoft Internet Explorer 6.0 or later, Firefox, Safari, and Google's Chrome.
Key Points
Although Outlook Web App is available automatically on Client Access servers, you must configure Outlook Web App to support your users' specific requirements.
change the type of filtering that is used for Web beacon and HTML form content in Outlook Web App. If you change the setting to ForceFilter, this blocks all Web beacons and HTML forms. If you change the setting to DisableFilter, this allows all Web beacons and HTML forms.
Key Points
File and data access provides Outlook Web App users with different levels of access to files that are attached to messages, or that are located in Microsoft Windows SharePoint Services document libraries and shared folders on the internal network. When using the Windows SharePoint Services and Windows file shares integration option, users can access documents from a link embedded in an e-mail message.
computers, use the Set-OwaVirtualDirectory -Identity "owa (Default Web Site)" -UNCAccessOnPublicComputersEnabled $false cmdlet.
Restrict or enable access. You can configure how users interact with files by using the Allow, Block, or Force Save options for direct file access, and by configuring the file extensions for WebReady Document Viewing. You can also configure which servers will be accessible through Outlook Web App.
Key Points
In this demonstration, you will see how to configure several different Outlook Web App aspects. As you will see in this demonstration, you may need to use several different tools to configure Outlook Web App.
Demonstration Steps
1. On the Client Access server, ensure that the Outlook Web App virtual directory is configured to use SSL, and is using the correct server certificate.
2. In the Exchange Management Console, on the owa (Default Web Site) Properties, configure the external URL with the required authentication and segmentation settings.
3. In the Exchange Management Shell, use the Set-OwaVirtualDirectory -Identity "owa (Default Web Site)" -ForceSaveFileTypes .xls cmdlet to force attachments with an .xls extension to be saved to disk before they can be opened.
4. Use the Set-OwaVirtualDirectory -Identity "owa (Default Web Site)" -GzipLevel Off cmdlet to disable Gzip compression for Outlook Web App.
5. Use the Set-OwaVirtualDirectory -Identity "owa (Default Web Site)" -FilterWebBeaconsAndHtmlForms ForceFilter cmdlet to block all Web beacons.
4-51
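The file-access, UNC/SharePoint access, Gzip and Web-beacon settings from the topic above and from demonstration steps 3 to 5 can be applied together from the Exchange Management Shell. The script below is an added example and is not part of the course material; it assumes the lab server VAN-EX2, the default owa (Default Web Site) virtual directory, and the illustrative file types and server name given in the comments.

```powershell
# Added example, not from the course: hardens the Outlook Web App virtual
# directory on VAN-EX2 and reads the result back for verification.
# Identity, file types and the allowed document server are assumptions.
$owa = 'VAN-EX2\owa (Default Web Site)'

# File and data access. Public (shared) computers lose direct file access and
# any UNC share or SharePoint document access; private computers keep direct
# access, but spreadsheets must be saved to disk before they are opened.
# The @{Add=...} form extends the ForceSave list instead of replacing it.
Set-OwaVirtualDirectory -Identity $owa `
    -DirectFileAccessOnPublicComputersEnabled $false `
    -UNCAccessOnPublicComputersEnabled $false `
    -WSSAccessOnPublicComputersEnabled $false `
    -DirectFileAccessOnPrivateComputersEnabled $true `
    -ForceSaveFileTypes @{Add='.xls','.xlsx'}

# WebReady Document Viewing and remote document servers: only the servers
# listed explicitly may be opened through the Client Access server, and any
# server that is neither allowed nor blocked is treated as blocked.
Set-OwaVirtualDirectory -Identity $owa `
    -WebReadyDocumentViewingOnPublicComputersEnabled $true `
    -RemoteDocumentsAllowedServers @{Add='VAN-DC1'} `
    -RemoteDocumentsActionForUnknownServers Block

# Demonstration steps 4 and 5: no Gzip compression, and every Web beacon and
# HTML form in a message is filtered regardless of sender.
Set-OwaVirtualDirectory -Identity $owa -GzipLevel Off
Set-OwaVirtualDirectory -Identity $owa -FilterWebBeaconsAndHtmlForms ForceFilter

# Verify: show only the properties that were changed.
Get-OwaVirtualDirectory -Identity $owa | Format-List `
    DirectFileAccessOn*, UNCAccessOnPublicComputersEnabled, `
    WSSAccessOnPublicComputersEnabled, ForceSaveFileTypes, `
    WebReadyDocumentViewingOnPublicComputersEnabled, RemoteDocuments*, `
    GzipLevel, FilterWebBeaconsAndHtmlForms
```

The ForceSave and remote-server lists are multi-valued; passing a plain value to them replaces the whole list, which is why the example uses the hashtable Add syntax. Run the script once per Client Access server, or pipe Get-OwaVirtualDirectory across servers into the same Set-OwaVirtualDirectory calls, so that every server behind the load balancer enforces the same policy.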
Key Points
One of the new features in Exchange Server 2010 is the option to configure multiple Outlook Web App policies for users. In previous Exchange Server versions, all users receive the same settings when they connect to Outlook Web App. With Exchange Server 2010 Outlook Web App policies, you can configure unique policies and assign them to users.
Demonstration Steps
1. In Exchange Management Console, in the Organization Configuration node, click Client Access.
2. Click New Outlook Web App Mailbox Policy. Provide a name for the policy, and configure the policy settings.
3. After creating the policy, you can configure additional settings by accessing the policy properties.
4. Assign the policy to a user account by accessing the Outlook Web App properties on the Mailbox Features tab.
5. Log on to Outlook Web App as the user, and test the policy application.
Key Points
Another new feature in Exchange Server 2010 is the ECP. You can use the ECP to perform several different administrative functions, but users also can use the ECP to modify their mailbox settings. In this demonstration, you will see how you can configure the ECP virtual directory and view some of the available ECP configuration options.
Demonstration Steps
1. On the Client Access server, in IIS Manager, review the settings for the ecp virtual directory.
2. In the Exchange Management Console, review the settings for the ecp (Default Web Site) virtual directory on each Client Access server.
3. As a user, access the ECP by opening Internet Explorer, and accessing https://servername/ecp.
4. Log on to the ECP, and review the settings that can be modified by the user.
Lesson 4
Exchange Server 2010 supports mobile devices as a messaging client. With Exchange Server 2010, you can synchronize mailbox content and perform most of the same tasks with mobile devices as you can with other messaging clients. Exchange Server 2010 also provides administrative options for managing mobile devices. This lesson describes how to implement and manage mobile access for Exchange Server 2010. After completing this lesson, you will be able to: Describe the purpose and functionality of Exchange ActiveSync. Configure Exchange ActiveSync. Identify security options for Exchange ActiveSync. Configure Exchange ActiveSync policies. Manage mobile devices.
Key Points
Exchange ActiveSync provides mobile devices with access to Exchange Server 2010 mailboxes. The Exchange ActiveSync communication process is optimized to function over high-latency and low-bandwidth networks. By default, Exchange ActiveSync is available for all users after you install a Client Access server.
Note: Exchange ActiveSync has been licensed to many different mobile device manufacturers that produce devices that run Windows Mobile or another operating system. Exchange ActiveSync features are dependent on the mobile device and the operating system version running on the mobile device. You will need to verify which features are supported on your mobile device.
Key Points
In this demonstration, you will see how to configure the Exchange ActiveSync settings on a Client Access server and how to configure a Windows Mobile device to use ActiveSync to synchronize with the Exchange server.
Demonstration Steps
1. On the Client Access server, in IIS Manager, clear the option to require SSL for the Exchange ActiveSync virtual directory.
Caution: In a production environment, you should require SSL for the Exchange ActiveSync virtual directory. You are disabling SSL only because the mobile emulator does not trust the server certificate.
2. In Exchange Management Console, configure authentication and remote file server settings on the Microsoft-Server-ActiveSync virtual directory.
3. On the mobile device emulator, configure the network settings so that the emulator can communicate with the Client Access server.
4. In the mobile device emulator, start ActiveSync, and then configure the emulator to connect to the Client Access server using an account that is enabled for Exchange ActiveSync.
5. Synchronize the device.
6. Test ActiveSync by sending a message from another user to the user logged on to the mobile device. Verify that the message arrives, and respond to the message.
Mobile clients, such as Exchange ActiveSync clients, are difficult to secure. Because the devices are small and portable, they are susceptible to being lost or stolen. At the same time, they may contain highly confidential information. The storage cards that fit into mobile device expansion slots can store increasingly large amounts of data. While this data-storage capacity is important to the mobile-device user, it also heightens the concern about data falling into the wrong hands. Mobile clients also are difficult to manage using centralized policies because the devices might rarely, or never, connect to the internal network. The devices also do not require Active Directory accounts, so you cannot use Group Policy Objects (GPOs) to manage the client settings.
Note: System Center Mobile Device Manager 2008 is a System Center product available from Microsoft. If you deploy this product, Windows Mobile 6.1 devices can be listed in Active Directory, and managed through Active Directory and Mobile Device Manager policies.
View the status of pending remote-wipe requests for each mobile device.
View a transaction log that indicates which administrators have issued remote-wipe commands, and the mobile devices to which those commands pertain.
Delete an old or unused partnership between devices and users.
Note: The option to manage a mobile device for a user mailbox in the Exchange Management Console is available only after the user has synchronized with the Exchange Server from a mobile device. You also can manage mobile devices in the Exchange Management Shell by using the Remove-ActiveSyncDevice and the Clear-ActiveSyncDevice cmdlets.
Key Points
One of the features in Exchange Server 2010 is that you can manage mobile users and devices with Exchange ActiveSync mailbox policies. When you create a policy, you can configure the following options:
Allow or block nonprovisionable devices. This option permits you to specify whether devices that do not fully support the device security settings can synchronize with the Exchange Server computer.
Enable, disable, or limit attachment downloads. This option allows you to enable or disable attachment downloads, and configure a maximum attachment download size.
Configure devices to require passwords. If you choose to require passwords, you also can configure the following attributes:
   Minimum password length.
   A requirement for alphanumeric passwords.
   Inactivity time before the password is required.
   The option to enable password recovery.
   A requirement for device encryption.
   Number of failed attempts allowed. This option specifies whether you want the device memory wiped after a specific number of failed logon attempts.
Options for disabling removable storage, cameras, Wi-Fi, or Bluetooth.
Options for configuring synchronization settings such as message size limits.
Options for enabling additional mobile device applications such as Web browsers, unsigned applications, or for defining allowed and blocked applications.
Note: Some of these features were implemented with Windows Mobile 5.0 devices. Some features, such as encryption on the local device, and Windows SharePoint Services and Windows File Shares integration, are available only with Windows Mobile 6 or later. Some settings also require an Enterprise Client Access License for each mailbox. In this demonstration, you will see how to configure Exchange ActiveSync policies.
Demonstration Steps
1. In the Exchange Management Console, access the Organization Configuration node, and then click Client Access.
2. Create a New Exchange ActiveSync Mailbox Policy, and then configure the available settings.
3. After creating the policy, access the policy properties and configure the additional settings.
4. Access a user mailbox's properties. On the Mailbox Features tab, click Exchange ActiveSync, and then click Properties. Assign the appropriate Exchange ActiveSync policy.
5. Confirm that the policy is being applied to the user.
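The policy options listed in the topic above map directly onto parameters of New-ActiveSyncMailboxPolicy, and the assignment in demonstration step 4 onto Set-CASMailbox. The script below is an added example, not course material; the policy name, the threshold values and the mailbox it is assigned to (Scott, from the lab) are illustrative choices.

```powershell
# Added example, not from the course: creates an Exchange ActiveSync mailbox
# policy covering the device-security options described above and assigns it
# to one mailbox. Policy name, values and mailbox are assumptions.
$policyName = 'Secure Mobile Policy'

$settings = @{
    Name                               = $policyName
    # Devices that cannot enforce every setting are refused, not silently
    # allowed to synchronize with a weaker effective policy.
    AllowNonProvisionableDevices       = $false
    # Password requirements.
    DevicePasswordEnabled              = $true
    AlphanumericDevicePasswordRequired = $true
    MinDevicePasswordLength            = 8
    MaxInactivityTimeDeviceLock        = '00:10:00'   # lock after 10 idle minutes
    MaxDevicePasswordFailedAttempts    = 8            # device wipes itself after 8 failures
    PasswordRecoveryEnabled            = $true        # recovery password is stored in the mailbox
    RequireDeviceEncryption            = $true        # needs Windows Mobile 6 or later
    # Attachments allowed, but capped in size.
    AttachmentsEnabled                 = $true
    MaxAttachmentSize                  = '2MB'
    # Hardware features that leak data off the device.
    AllowStorageCard                   = $false
    AllowCamera                        = $false
    AllowBluetooth                     = 'Disable'
    AllowWiFi                          = $false
}
New-ActiveSyncMailboxPolicy @settings

# Assign the policy to one user (demonstration step 4), then confirm.
Set-CASMailbox -Identity 'Scott' -ActiveSyncMailboxPolicy $policyName
Get-CASMailbox -Identity 'Scott' | Format-List ActiveSyncEnabled, ActiveSyncMailboxPolicy
Get-ActiveSyncMailboxPolicy -Identity $policyName |
    Format-List *Password*, RequireDeviceEncryption, AllowNonProvisionableDevices, Allow*
```

Splatting the hashtable keeps each setting next to its comment, which is useful when the policy is reviewed later. As the note in the next topic says, several of these settings (device encryption, storage-card and camera control) are enforced only by Windows Mobile 6 or later and some require an Enterprise Client Access License; with AllowNonProvisionableDevices set to $false, a device that cannot honour them is simply refused.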
Key Points
In this demonstration, you will view the options that a user has for managing their mobile devices, using ECP. You will then see how an administrator can also manage the user's mobile device.
Demonstration Steps
1. As a user, connect to the ECP site on a Client Access server.
2. Log on and access the Phone tab on the user Properties page.
3. As an Exchange administrator, access the user in the Exchange Management Console Mailbox container, and then click OK.
4. In the Actions pane, click Manage Mobile Device.
5. On the Manage Mobile Device page, view the options available to manage the mobile device, including wiping the device.
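The Manage Mobile Device tasks from this demonstration and from the earlier topic (viewing pending remote-wipe requests, deleting old partnerships, issuing a wipe) can also be scripted with the Remove-ActiveSyncDevice and Clear-ActiveSyncDevice cmdlets named in that topic. The script below is an added example and is not course material; the mailbox (Scott), the 90-day staleness threshold and the notification address are assumptions.

```powershell
# Added example, not from the course: reports a user's device partnerships
# with their remote-wipe status, removes partnerships that have not
# synchronized recently, and shows how a wipe is issued for one device.
# Mailbox name, threshold and addresses are assumptions.
function Get-ActiveSyncPartnershipReport {
    param(
        [Parameter(Mandatory=$true)][string]$Mailbox,
        [int]$StaleDays = 90
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox | ForEach-Object {
        New-Object PSObject -Property @{
            Identity         = $_.Identity
            DeviceId         = $_.DeviceId
            DeviceType       = $_.DeviceType
            LastSyncAttempt  = $_.LastSyncAttemptTime
            Stale            = ($_.LastSyncAttemptTime -lt $cutoff)
            # DeviceWipeRequestTime is stamped when a wipe is requested;
            # DeviceWipeAckTime only once the device has acknowledged it.
            # A request with no acknowledgement is still pending.
            WipeRequested    = $_.DeviceWipeRequestTime
            WipeAcknowledged = $_.DeviceWipeAckTime
        }
    }
}

# Report every partnership for the mailbox, flagging stale ones and wipes
# that are still pending.
$devices = Get-ActiveSyncPartnershipReport -Mailbox 'Scott' -StaleDays 90
$devices | Format-Table DeviceType, DeviceId, LastSyncAttempt, Stale, WipeRequested, WipeAcknowledged -AutoSize

# Clean-up: drop partnerships that have not synchronized within the threshold.
# A device that reappears later simply creates a new partnership.
$devices | Where-Object { $_.Stale } | ForEach-Object {
    Remove-ActiveSyncDevice -Identity $_.Identity -Confirm:$false
}

# Remote wipe of a single device (lost or stolen). Set $wipeDeviceId to a
# DeviceId from the report above; the administrator named is notified when
# the device acknowledges the wipe.
$wipeDeviceId = $null
if ($wipeDeviceId) {
    Get-ActiveSyncDevice -Mailbox 'Scott' |
        Where-Object { $_.DeviceId -eq $wipeDeviceId } |
        Clear-ActiveSyncDevice -NotificationEmailAddresses 'Administrator@adatum.com'
}
```

Because a wipe is only executed when the device next connects, the pending/acknowledged columns are what an administrator checks after issuing one; a request that never gets an acknowledgement means the device has not contacted the server since, and the partnership should be left in place until it does.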
Lab B: Configuring Client Access Servers for Outlook Web App and Exchange ActiveSync
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, 10135A-VAN-EX2, and the 10135A-VAN-CL1 virtual machines are running:
   10135A-VAN-DC1: Domain controller in the Adatum.com domain.
   10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain.
   10135A-VAN-EX2: Exchange 2010 server in the Adatum.com domain.
   10135A-VAN-CL1: Client computer in the Adatum.com domain.
Lab Scenario
To enable client access to the server, your organization has decided to enable both Outlook Web App and Exchange ActiveSync for its users. However, the security officer at A. Datum Corporation has defined security requirements for the Outlook Web App and Exchange ActiveSync deployment. Therefore, you need to enable the security features for both Outlook Web App and Exchange ActiveSync.
Task 3: Configure an Outlook Web App Mailbox Policy for the branch managers
1. Create a new Outlook Web App Mailbox policy, and configure the policy with the name Branch Managers Policy.
2. Configure the policy to prevent branch managers from changing their password.
3. Apply the policy to all users in the Branch Managers organizational unit (OU).
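Task 3 above, and the Outlook Web App mailbox policy demonstration earlier in this module, can be done from the Exchange Management Shell with the OwaMailboxPolicy cmdlets. The script below is an added example, not part of the lab; it assumes the OU path adatum.com/Branch Managers and the user Johnson from the lab, and the segmentation choices are illustrative.

```powershell
# Added example, not from the course: creates the Branch Managers OWA policy,
# removes the change-password option, applies the policy to every mailbox in
# the OU and verifies the result for one user. OU path and names assumed.
$policyName = 'Branch Managers Policy'

New-OwaMailboxPolicy -Name $policyName

# Segmentation: the Tasks folder stays visible, the change-password
# option is removed for everyone the policy applies to.
Set-OwaMailboxPolicy -Identity $policyName `
    -ChangePasswordEnabled $false `
    -TasksEnabled $true

# Assign the policy to all mailboxes whose user object lives in the OU.
# Set-CASMailbox takes the mailbox identity from the pipeline.
Get-Mailbox -OrganizationalUnit 'adatum.com/Branch Managers' -ResultSize Unlimited |
    Set-CASMailbox -OwaMailboxPolicy $policyName

# Verify: the user's effective OWA settings now come from the policy.
Get-CASMailbox -Identity 'Johnson' | Format-List OWAEnabled, OwaMailboxPolicy
Get-OwaMailboxPolicy -Identity $policyName | Format-List ChangePasswordEnabled, TasksEnabled
```

Settings in a mailbox policy take effect for the user's next Outlook Web App session, so the verification step in the lab (log on as Johnson) should be repeated after the assignment rather than in an already open session. Users moved into the OU later are not covered automatically; rerun the Get-Mailbox pipeline, or schedule it, to keep the assignment current.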
4. Connect to OWA again, and log on as Adatum\Johnson using the password Pa$$w0rd. Johnson is in the Branch Managers OU.
5. Verify that the Tasks folder is listed in the user mailbox, but that Johnson is not able to change his password.
Results: After this exercise, you should have configured Outlook Web App on VAN-EX2. This configuration includes assigning the internal CA certificate to the Default Web Site, and configuring Outlook Web App settings for all users, as well as for specific users. You also should have verified the Outlook Web App settings.
7. In Windows Mobile 6 Professional, start ActiveSync, and start the process for setting up the device to sync with Exchange Server, using the following settings:
   E-mail address: ScottMacdonald@adatum.com
   User name: Scott
   Password: Pa$$w0rd
   Domain: Adatum
   Server address: VAN-EX2.adatum.com
   SSL: Disabled
   Synchronize all Calendar and E-mail items
8. Verify that the synchronization succeeds.
9. On VAN-CL1, connect to https://mail.adatum.com/owa, and log on as adatum\Wei using the password Pa$$w0rd.
10. Send a test message to Scott.
11. On the mobile device, verify that Scott received the message, and reply to it.
12. In Outlook Web App, verify that the reply message was received.
Review the other Exchange ActiveSync Mailbox policy settings. Apply the Exchange ActiveSync Mailbox policy to Scott MacDonald.
7. On VAN-CL1, in the Windows Professional emulator, modify the ActiveSync settings to use SSL.
8. Verify that the client can synchronize successfully.
Review Questions
1. You need to ensure that users from the Internet can connect to a Client Access server by using Outlook Anywhere. How will you configure the firewall between the Internet and the Client Access server?
2. You need to ensure that the same Exchange ActiveSync policies are assigned to all users, with the exception of the Executives group. This group requires higher security settings. What should you do?
3. You have deployed an Exchange Server 2010 server in an organization that includes several Exchange Server 2003 servers. How will Exchange Server 2010 obtain free\busy information for user mailboxes on the Exchange Server 2003 servers?
Troubleshooting tip enable connectivity. The Remote Connectivity Analyzer tool will check information such as DNS records, authentication, certificate issues, and Autodiscover.
Tools
Tool | Use for | Where to find it
Microsoft Exchange Server Remote Connectivity Analyzer | Troubleshooting Internet connectivity for messaging clients. | http://go.microsoft.com/fwlink/?LinkId=179969
Test E-Mail AutoConfiguration | Troubleshooting Outlook connectivity to the Client Access server. | Open Outlook, press and hold CTRL, right-click the Outlook connection object, and then click Test E-Mail AutoConfiguration.
 | | Administrative Tools
Module 5
Managing Message Transport
Contents:
Lesson 1: Overview of Message Transport 5-3
Lesson 2: Configuring Message Transport 5-16
Lab: Managing Message Transport 5-32
Module Overview
This module details how to manage message transport in Microsoft Exchange Server 2010. To implement message transport in Exchange Server 2010, it is important to understand the components of message transport, how Exchange Server 2010 routes messages, and how you can troubleshoot message-transport issues. This module also provides details on deploying the Exchange Server 2010 Hub Transport server, and the options that you can configure. After completing this module, you will be able to: Describe message transport in Exchange Server 2010. Configure message transport.
Lesson 1
In this lesson, you will review message flow and the components that message transport requires, especially when you implement multiple Exchange Server 2010 Hub Transport servers. To understand message flow, you should know how message routing works within an Exchange Server organization, and how Exchange Server routes messages between Active Directory Domain Services (AD DS) sites or outside the Exchange Server organization. Exchange Server 2010 provides several tools for troubleshooting Simple Mail Transfer Protocol (SMTP) message delivery, and this lesson describes how you can use these troubleshooting tools. After completing this lesson, you will be able to: Describe message flow. Describe the components of message transport. Describe how an Exchange Server organization routes messages. Describe message routing between Active Directory sites. Describe options for modifying the default message flow. Describe the tools for troubleshooting SMTP message delivery. Troubleshoot SMTP message delivery.
Key Points
Exchange Server 2010 uses the SMTP message protocol standard. Therefore, it is important to understand how SMTP works. Exchange Server 2010 also supports several message-flow scenarios. Based on your organization's messaging environment, you can implement a suitable message-flow scenario.
Discussion Questions
Based on your experience, consider the following questions: Question: What is SMTP? Question: What are the various message-flow scenarios? Question: What type of message-flow scenarios do most organizations implement?
Key Points
The message transport pipeline in Exchange Server 2010 consists of several components that work together to route messages. Messages from outside the organization enter the transport pipeline through an SMTP Receive connector on an Edge Transport server, a Hub Transport server, or another SMTP server. Messages inside the organization enter the transport pipeline through the SMTP connector on a Hub Transport server, through agent submission, from the Pickup or Replay directory, or by direct placement by the store driver in the Submission queue.
Submission Queue
When the Microsoft Exchange Transport service starts, the categorizer creates one Submission queue on each Edge Transport server and Hub Transport server. The Submission queue stores all messages on disk until the categorizer processes them for further delivery. The categorizer cannot process a message unless a server promotes it to the Submission queue. While the categorizer processes a message, it remains in the Submission queue. After the categorizer categorizes a message successfully, it removes it from the Submission queue.
Store Driver
Messages sent by mailbox users enter the message-transport pipeline from the sender's Outbox. The store driver on the Hub Transport server retrieves messages from the sender's Outbox, and submits them to a Submission queue.
Categorizer
The categorizer retrieves one message at a time from the Submission queue, and always picks the oldest message first. On an Edge Transport server, categorization of an inbound message is a short process in which the categorizer verifies the recipient SMTP address and places the message directly into the delivery queue. From the delivery queue, it routes the message to a Hub Transport server.
Pickup Directory
Most messages enter the message transport pipeline through SMTP Receive connectors or by submission through the store driver. However, messages also can enter the message transport pipeline by being placed in the Pickup directory on a Hub Transport server or an Edge Transport server.
Key Points
In an Exchange Server messaging environment, you must deploy a Hub Transport server role in each Active Directory site where a Mailbox server role or a Unified Messaging server is installed. Hub Transport servers deliver all messages in an Exchange Server 2010 organization, including messages sent between two recipients with mailboxes located in the same Mailbox database, on the same site, and between Active Directory sites. The following process describes how a Hub Transport server delivers mail within a single Active Directory site:
1. The message flow begins when a message is submitted to the message store on an Exchange Server 2010 Mailbox server role.
2. When the Microsoft Exchange Mail Submission service detects that a message is available and waiting in an Outbox, it picks an available Hub Transport server and submits a new message notification to the store driver.
3. The store driver retrieves the message from the Mailbox server role. The store driver uses MAPI to connect to the user's Outbox and collect any messages that are awaiting delivery. The store driver submits the messages to the categorizer submission queue for processing, and also moves a copy of the message from the user's Outbox to the user's Sent Items folder.
Note: While the message is passing through the Hub Transport server role, the server can use transport agents to modify the message or the message flow. For example, transport agents can apply custom routing or journaling rules, or perform antivirus filtering.
4. For messages destined to arrive at a Mailbox server on the same Active Directory site, the store driver places the message in a local delivery queue and delivers the message through MAPI to the Mailbox server role.
5. For messages destined to arrive at a Mailbox server on another Active Directory site, the Hub Transport server uses the Active Directory site-link information to determine the route to the destination site. After determining the path, the Hub Transport server connects directly to the server on the remote site. If no Hub Transport server on the destination site is available, the store driver routes the message to a Hub Transport server that is closer to the destination site.
6. For messages destined for the Internet, the Hub Transport server delivers the message to an Edge Transport server, which delivers the message to the appropriate Internet e-mail server. If the organization does not use an Edge Transport server, a Hub Transport server delivers the message directly to the appropriate Internet e-mail server using SMTP.
Key Points
For remote mail-flow scenarios, the initial steps, in which the message passes from the Mailbox server to the Hub Transport server, are identical to those of the local mail-flow scenario.
2. The Hub Transport server performs recipient resolution and queries AD DS to match the recipient e-mail address to a recipient account. The recipient account information includes the fully qualified domain name (FQDN) of the user's Mailbox server. The FQDN determines the Active Directory site of the user's Mailbox server.
3. In a default configuration, the local Hub Transport server opens an SMTP connection to the remote Hub Transport server in the destination site, and then delivers the message.
4. After a Hub Transport server in the destination Active Directory site receives the message, it forwards the message to the appropriate Mailbox server in the destination Active Directory site.
If the message has multiple recipients whose mailboxes are in different Active Directory sites, Exchange Server uses delayed fan-out to optimize message delivery. If the recipients share a portion of the path, or the entire path, then Exchange Server sends a single copy of the message for these recipients until the bifurcation point. Exchange Server then bifurcates and sends a separate copy to each recipient. For example, if the least-cost routes from Site1 to Site3 and Site4 both pass through Site2, then Exchange Server sends a single copy of a message intended for recipients in Site3 and Site4 to a Hub Transport server in Site2. Then, the Hub Transport server in Site2 sends two copies of the message: one each to a Hub Transport server in Site3 and Site4.
Key Points
In some cases, you may want to modify the default message routing configuration. You can do this by configuring specific Active Directory sites as Hub sites, and by assigning Exchange Server-specific routing costs to Active Directory site links. Hub sites are central sites that you define to route messages. By default, Hub Transport servers in one site will try to deliver messages to a recipient in another site by establishing a direct connection to a Hub Transport server in the remote Active Directory site. However, you can modify the default message-routing topology in three ways.
Note: Use the Set-AdSiteLink -Identity <ADSiteLinkName> -ExchangeCost <value> cmdlet to assign Exchange-specific routing costs. You also can use the Set-AdSiteLink -Identity <ADSiteLinkName> -MaxMessageSize <value> cmdlet to assign a maximum message size limit for messages sent between Active Directory sites.
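The two routing adjustments described in this topic (designating a hub site, and giving a site link an Exchange-specific cost and message size limit) can be applied and checked from the Exchange Management Shell. The script below is an added example, not course material; the site name Head-Office is an assumption, and DEFAULTIPSITELINK is the name AD DS gives the first site link, so it may differ in a real forest.

```powershell
# Added example, not from the course: modifies the default routing topology
# and shows Exchange's view of sites and site links afterwards.
# Site and link names are assumptions.

# 1. Designate a hub site. Messages between two other sites are relayed
#    through Hub Transport servers in this site whenever it lies on the
#    least-cost route, instead of going directly to the destination site.
Set-AdSite -Identity 'Head-Office' -HubSiteEnabled $true

# 2. Give the site link an Exchange-specific cost, which overrides the AD DS
#    cost for message routing only, and cap the size of messages that cross it.
Set-AdSiteLink -Identity 'DEFAULTIPSITELINK' -ExchangeCost 10 -MaxMessageSize '10MB'

# Verify. ExchangeCost is empty on links that still use the AD DS cost.
Get-AdSite     | Format-Table Name, HubSiteEnabled -AutoSize
Get-AdSiteLink | Format-Table Name, ExchangeCost, MaxMessageSize, Sites -AutoSize

# To return a link to the AD DS cost, clear the override:
# Set-AdSiteLink -Identity 'DEFAULTIPSITELINK' -ExchangeCost $null
```

A hub site only changes routes on which it already sits; it does not pull traffic from site pairs whose least-cost path bypasses it, so check the Sites list on each link before relying on it for a central anti-virus or journaling server.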
Key Points
Similar to Exchange Server 2007, Exchange Server 2010 also provides several tools for troubleshooting SMTP message delivery. Tip: Exchange Server 2010 relies on the Active Directory site configuration for message routing. Therefore, to troubleshoot a message-routing issue, you might need to use Active Directory tools to validate or modify site, site link, or IP subnet information, and to verify Active Directory replication. You can use the Active Directory Sites and Services tool to view IP subnets and site links.
Note: For more information on the queues that Exchange Server 2010 uses, and the process for troubleshooting message flow, see the Managing Queues page on the Microsoft TechNet Web site.
Using Telnet
You can use Telnet to check if the SMTP port responds, or to send an SMTP message directly to a connector to see if the connector accepts it. Telnet is a Windows Server 2008 feature, and you use it from the command line using the following syntax: telnet <servername> <SMTP | port number>. For example, you can use either TELNET VAN-EX1 SMTP or TELNET VAN-EX1 25; both are basically the same.
Key Points
In this demonstration, you will see how to use Telnet and Queue Viewer to troubleshoot SMTP message delivery.
Demonstration Steps
1. Open the Command Prompt window.
2. To start the Telnet tool, at the command prompt, type Telnet VAN-EX1 SMTP, and try to send a mail using Telnet.
3. In Exchange Management Console, from the Toolbox pane, start the Queue Viewer tool.
4. Suspend and resume the Submission queue.
5. Close Queue Viewer.
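The Telnet test from the previous topic and the Queue Viewer steps of this demonstration both have scripted equivalents. The script below is an added example, not course material: it speaks SMTP to the Receive connector the same way the Telnet session does, but records every server reply and stops after RCPT TO without delivering a message, and then uses the queue cmdlets for the suspend/resume step. The server VAN-EX1 is from the lab; the HELO name and the addresses are constructed test values.

```powershell
# Added example, not from the course: probe an SMTP Receive connector and
# record each reply, then inspect, suspend and resume the Submission queue.
# Server name is from the lab; HELO name and addresses are constructed.
function Test-SmtpConnector {
    param(
        [Parameter(Mandatory=$true)][string]$Server,
        [int]$Port = 25,
        [string]$HeloName = 'van-cl1.adatum.com',
        [string]$From = 'postmaster@adatum.com',
        [string]$To = 'Wei@adatum.com'
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = 10000
    try {
        $client.Connect($Server, $Port)
        $stream = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"
        $writer.AutoFlush = $true

        # One SMTP reply can span several lines; continuation lines carry '-'
        # after the three-digit code (for example "250-SIZE 10485760").
        $readReply = {
            $lines = @()
            do {
                $line = $reader.ReadLine()
                if ($line -eq $null) { break }
                $lines += $line
            } while ($line.Length -ge 4 -and $line[3] -eq '-')
            return ($lines -join "`n")
        }

        $log = @()
        $log += New-Object PSObject -Property @{ Command = '(banner)'; Reply = (& $readReply) }
        # RSET discards the envelope so nothing is queued; QUIT ends the session.
        foreach ($cmd in @("EHLO $HeloName", "MAIL FROM:<$From>", "RCPT TO:<$To>", 'RSET', 'QUIT')) {
            $writer.WriteLine($cmd)
            $log += New-Object PSObject -Property @{ Command = $cmd; Reply = (& $readReply) }
        }
        return $log
    }
    finally {
        $client.Close()
    }
}

# A 250 on RCPT TO means the connector accepts mail for that recipient from
# this client; a 5xx there (for example 550 5.7.1 Unable to relay) shows the
# connector's permission groups or remote IP ranges are rejecting the session.
Test-SmtpConnector -Server 'VAN-EX1' | Format-Table Command, Reply -AutoSize -Wrap

# Exchange Management Shell equivalents of the Queue Viewer steps: list the
# queues, pause the Submission queue, look at what is waiting, resume it.
Get-Queue -Server 'VAN-EX1' | Format-Table Identity, Status, MessageCount, NextHopDomain -AutoSize
Suspend-Queue -Identity 'VAN-EX1\Submission'
Get-Message -Queue 'VAN-EX1\Submission' | Format-Table FromAddress, Subject, Status, LastError -AutoSize
Resume-Queue -Identity 'VAN-EX1\Submission'
```

Running the probe from a client that should not be allowed to relay (for example with an external address in -To) is a quick check that an Internet-facing connector is not an open relay; the expected reply on RCPT TO is then a 5xx, not 250.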
Lesson 2
To configure message transport in an Exchange Server organization, you must first configure the Hub Transport servers. It is important to understand the various message-transport concepts and components, such as accepted and remote domains and SMTP connectors. This lesson also describes the various tasks of configuring a Hub Transport server and message routing. After completing this lesson, you will be able to: Describe the process for configuring Hub Transport Servers. Configure Hub Transport Servers. Describe the options for configuring message transport. Describe accepted domains. Describe remote domains. Configure accepted and remote domains. Describe an SMTP connector. Configure SMTP Send and Receive connectors. Describe the purpose and functionality of back pressure.
Key Points
By default, when you install a Hub Transport server in an Exchange Server 2010 organization, this enables message routing within the organization. However, you might need to configure additional options on the Hub Transport server role. To configure a Hub Transport server, use the following process:
1. Configure server-specific settings. These settings include internal Domain Name System (DNS) configuration and connection limits.
2. Configure authoritative domains and e-mail address policies. An authoritative domain is one for which the Exchange Server organization accepts messages and has mailboxes. You first must configure an authoritative domain before you can configure e-mail address policies to apply e-mail addresses to recipients and accept inbound SMTP messages for those recipients.
3. Configure a postmaster mailbox. For each accepted domain, you must configure a postmaster mailbox. The postmaster mailbox must meet the requirements of RFC 2822, and must be able to receive NDRs and DSNs. You can create a new mailbox, or you can add the postmaster alias to an existing mailbox user.
4. Configure Internet message flow. If you are not deploying an Edge Transport server, you will need to configure the Hub Transport server to enable inbound and outbound mail flow. To enable inbound mail flow, configure an SMTP Receive connector to accept anonymous connections on port 25 using a network interface that is accessible from the Internet. To enable outbound e-mail flow, configure an SMTP Send connector with an address space of * that can use DNS or a smart host to send messages to the Internet. If you are using the Hub Transport server to send and receive e-mail from the Internet, you should configure antivirus and anti-spam agents on the Hub Transport server.
Note: We strongly recommend that you use an Edge Transport server role or some other SMTP relay server to send and receive messages from the Internet. If you are using an SMTP gateway server other than an Exchange Server 2010 Edge Transport server role, you still will need to configure the SMTP Send connector and SMTP Receive connector. The only difference is that you should configure the SMTP gateway server as the smart host on the SMTP Send connector and accept only connections from the SMTP gateway server on the SMTP Receive connector. As an alternative to managing your own Edge Transport server role, you should also consider Exchange Hosted Services.
5. Configure messaging policies. By default, messaging policies are not applied to messages passing through the Hub Transport server role. As part of the Hub Transport server role deployment, you must configure your organization's transport and journaling rules.
6. Configure administrative permissions. As part of the Hub Transport server role deployment, you can choose to delegate permissions to configure and monitor the server.
Key Points
In this demonstration, you will review the options for configuring Hub Transport servers.
Demonstration Steps
1. On VAN-EX1, if required, click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Console.
2. In Exchange Management Console, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Hub Transport.
3. On the Global Settings tab, double-click Transport Settings and review the options on the Message Delivery tab.
4. In Exchange Management Console, expand Server Configuration, and then click Hub Transport. Open Hub Transport server properties and review the options on the Log Settings tab and Limits tab.
5. At the Exchange Management Shell command prompt, type Get-TransportServer -Identity van-ex1 | fl, and then press ENTER.
Key Points
Exchange Server 2010 supports various additional options that you can configure on the message transport. These options include transport rules, Rights Protection using transport protection rules, journaling, enhanced disclaimers, and moderated transport. Note: This module provides a high-level overview of these options. Module 8 provides more details on these options.
Transport Rules
Transport rules inspect messages for the conditions that the rule specifies, and then apply the rule's actions to messages that meet the conditions and none of the exceptions. Exchange Server 2010 includes several new predicates and actions, and provides additional flexibility in creating rules and additional options for actions that you can apply to messages.
Journaling
Journaling is the ability to record all communications, including e-mail communications, in an organization for use in the organization's e-mail retention or archival strategy.
Enhanced Disclaimers
Exchange 2010 lets you add disclaimers that can include hyperlinks, images, and HTML-formatted text. You also can insert Active Directory attributes that are substituted with the sender's attributes when a message triggers a disclaimer rule.
Moderated Transport
Using the moderated transport feature in Exchange Server 2010, you can make it mandatory that a moderator approves all e-mail messages that are sent to specific recipients. You can configure any type of recipient as a moderated recipient, and Exchange 2010 Hub Transport servers ensure that all messages sent to those recipients go through an approval process.
Key Points
As part of the Hub Transport server-configuration process, you should configure the domains for which the Hub Transport server will accept e-mail, and configure users with alternate e-mail addresses.
Note: To configure accepted domains using the Exchange Management Shell, use the New-AcceptedDomain or Set-AcceptedDomain cmdlet.
Key Points
Remote domains define SMTP domains that are external to your Exchange organization. You can create remote domain entries to define the settings for message transfer between the Exchange Server 2010 organization and domains outside your AD DS forest. When you create a remote domain entry, you control the types of messages that are sent to that domain. You also can apply message-format policies and acceptable character sets for messages that are sent from your organization's users to the remote domain. The settings for remote domains determine the Exchange organization's global configuration settings.
Character Sets
The Character Sets options let you select a MIME character set and a non-MIME character set to use when you send messages to a remote domain.
Key Points
In this demonstration, you will review the default accepted domain configuration, and then see how to configure accepted and remote domains.
Demonstration Steps
1. 2. 3. 4. 5. In Exchange Management Console, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Hub Transport. Click the Accepted Domains tab, and then double-click Adatum.com. Click OK. Click New Accepted Domain and create an accepted domain for adatum.local as Internal Relay Domain. Click the Remote Domains tab, and review the default remote domain settings. Click OK. Click New Remote Domain, and create a remote domain for contoso.com.
Key Points
For a Hub Transport server to send and receive messages using SMTP, it needs SMTP connectors: at least one Receive connector to accept mail and one Send connector to deliver it. An SMTP connector is an Exchange Server component that supports one-way SMTP connections that route mail between Hub Transport and Edge Transport servers, or between the transport servers and the Internet. You create and manage SMTP connectors from the Exchange Management Console or the Exchange Management Shell. Exchange Server 2010 provides two types of SMTP connectors: SMTP Receive connectors and SMTP Send connectors.
Note: Exchange Server 2010 automatically creates the connectors that intra-organization mail flow requires. The intra-organization Send connector is implicit: it is not visible in the Exchange management tools, and you cannot modify it. Setup also creates a Default and a Client Receive connector on each Hub Transport server; these are visible and can be modified.
Key Points
In this demonstration, you will see how to configure SMTP Send and Receive connectors.
Demonstration Steps
1. In Exchange Management Console, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Hub Transport.
2. Click the Send Connectors tab and create a new Send connector.
3. In Exchange Management Console, expand Server Configuration, and then click Hub Transport.
4. Click New Receive Connector and create a Receive connector that allows the Anonymous Users permission group to submit messages.
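The two connectors from the demonstration created in the Exchange Management Shell, followed by the check a practitioner should run after granting anonymous access: whether any Receive connector also lets anonymous hosts relay to external domains. This is an added example, not course material; the server name VAN-EX1 is from the lab, while the connector names and the remote IP range are assumptions.

```powershell
# Added example (not from the course): Internet Send connector, anonymous
# Receive connector, and an open-relay check. VAN-EX1 is the lab Hub Transport
# server; connector names and the IP range are assumed.

# Send connector for Internet mail: MX (DNS) routing for every address space.
New-SendConnector -Name "Internet" -Usage Internet `
    -AddressSpaces "SMTP:*;1" `
    -SourceTransportServers "VAN-EX1" `
    -DNSRoutingEnabled $true

# Receive connector that lets anonymous SMTP hosts deliver mail. Anonymous
# senders can only deliver to recipients in accepted domains; relaying to other
# domains additionally requires the ms-Exch-SMTP-Accept-Any-Recipient right.
# Scope RemoteIPRanges to the hosts that really need it (a single subnet here).
New-ReceiveConnector -Name "Inbound from Internet" -Usage Internet `
    -Server "VAN-EX1" `
    -Bindings "0.0.0.0:25" `
    -RemoteIPRanges "10.10.0.0/24" `
    -PermissionGroups AnonymousUsers

# Open-relay check: return every Receive connector on which ANONYMOUS LOGON holds
# Accept-Any-Recipient. A non-empty result means that connector relays for any
# host in its RemoteIPRanges.
function Get-AnonymousRelayConnector {
    param([string]$Server = "VAN-EX1")
    Get-ReceiveConnector -Server $Server |
        Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
        Where-Object { $_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Recipient" } |
        Select-Object Identity, User, ExtendedRights
}

$relays = Get-AnonymousRelayConnector
if ($relays) {
    Write-Warning "Anonymous relay is granted on the following connector(s):"
    $relays | Format-Table -AutoSize
} else {
    Write-Host "No Receive connector on VAN-EX1 grants anonymous relay."
}
```

The check matters because the usual way to build an application relay is Add-ADPermission with that extended right on a connector; if the connector's RemoteIPRanges is left at the default (all addresses), the server becomes an open relay. Run the function on every Hub and Edge Transport server after connector changes.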
Key Points
Back pressure is a system-resource monitoring feature of the Microsoft Exchange Transport service on servers that have the Hub Transport or Edge Transport server role installed. Back pressure monitors important system resources, such as available hard-disk space and available memory. If utilization of a system resource exceeds the specified limit, the Exchange server stops accepting new connections and messages. This prevents the system resources from being completely overwhelmed, and lets the Exchange server deliver the messages it already holds. When utilization of the resource returns to a normal level, the Exchange server again accepts new connections and messages. Back pressure therefore:
- Monitors system resources, such as available hard-disk space and memory.
- Restricts new connections and messages if a system resource exceeds a specified level.
- Prevents the server from being completely overwhelmed.
For each monitored system resource on a Hub Transport or Edge Transport server, the following three levels of resource utilization apply:
- Normal. The resource is not overused. The server accepts new connections and messages.
- Medium. The resource is slightly overused. Back pressure is applied in a limited manner: mail from senders in the authoritative domain can flow, but the server rejects new connections and messages from other sources.
- High. The resource is severely overused. Full back pressure is applied: all message flow stops, and the server rejects all new connections and messages.
The EdgeTransport.exe.config file is an XML application configuration file associated with the EdgeTransport.exe executable. The Microsoft Exchange Transport service, which runs on every Hub Transport and Edge Transport server, uses the EdgeTransport.exe and MSExchangeTransport.exe executables. The back pressure thresholds are among the settings in this file. Exchange Server applies changes saved to EdgeTransport.exe.config only after the Microsoft Exchange Transport service is restarted.
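A script to inspect the back pressure settings and the events the transport service logs when it applies or releases pressure, added here as an example; it is not from the course. It assumes the setting names documented for Exchange Server 2010 back pressure (EnableResourceMonitoring and the Percentage...Threshold keys), that event IDs 15004 through 15007 from the MSExchangeTransport source are the resource-pressure events, and that the ExchangeInstallPath environment variable is set, as Exchange setup does on transport servers.

```powershell
# Added example (not from the course): read back pressure settings from
# EdgeTransport.exe.config and list recent pressure events. Assumptions: the key
# names below match the Exchange 2010 documentation, event IDs 15004-15007 are
# the back pressure events, and ExchangeInstallPath points at the install root.

$configPath = Join-Path $env:ExchangeInstallPath "Bin\EdgeTransport.exe.config"
[xml]$config = Get-Content -Path $configPath

# Return the value of one appSettings key, or $null when the key is absent
# (absent keys fall back to the built-in default).
function Get-TransportSetting {
    param([xml]$Xml, [string]$Key)
    $node = $Xml.configuration.appSettings.add | Where-Object { $_.key -eq $Key }
    if ($node) { $node.value } else { $null }
}

$keys = @(
    "EnableResourceMonitoring",                       # false disables back pressure entirely; keep true in production
    "PercentageDatabaseDiskSpaceUsedHighThreshold",   # 0 means computed from disk size (per documentation)
    "PercentageDatabaseDiskSpaceUsedMediumThreshold",
    "PercentageDatabaseDiskSpaceUsedNormalThreshold",
    "PercentagePrivateBytesUsedHighThreshold",
    "PercentagePrivateBytesUsedMediumThreshold",
    "PercentagePrivateBytesUsedNormalThreshold"
)
foreach ($k in $keys) {
    $v = Get-TransportSetting $config $k
    if ($v -eq $null) { $v = "(not set; built-in default applies)" }
    "{0,-48} {1}" -f $k, $v
}

# Thresholds must be ordered Normal < Medium < High; otherwise the server may
# never leave the High state after a resource spike.
function Test-ThresholdOrder {
    param([xml]$Xml, [string]$Prefix)
    $levels = @{}
    foreach ($lvl in "Normal", "Medium", "High") {
        $v = Get-TransportSetting $Xml ($Prefix + $lvl + "Threshold")
        if ($v -eq $null) { return "not all thresholds set; defaults apply" }
        $levels[$lvl] = [int]$v
    }
    if ($levels.High -eq 0) { return "0: computed at service start (per documentation)" }
    if ($levels.Normal -lt $levels.Medium -and $levels.Medium -lt $levels.High) {
        "ok ($($levels.Normal) < $($levels.Medium) < $($levels.High))"
    } else {
        "CHECK ORDERING ($($levels.Normal), $($levels.Medium), $($levels.High))"
    }
}
"Disk thresholds:   " + (Test-ThresholdOrder $config "PercentageDatabaseDiskSpaceUsed")
"Memory thresholds: " + (Test-ThresholdOrder $config "PercentagePrivateBytesUsed")

# Pressure transitions the transport service has logged, most recent first.
Get-EventLog -LogName Application -Source MSExchangeTransport -Newest 500 |
    Where-Object { 15004..15007 -contains $_.EventID } |
    Select-Object TimeGenerated, EventID, Message |
    Format-Table -Wrap -AutoSize
```

If a server rejects connections with a 452 4.3.1 "Insufficient system resources" response, the event list shows which resource crossed which threshold; after editing the file, restart the Microsoft Exchange Transport service (Restart-Service MSExchangeTransport) for the change to apply.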
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and 10135A-VAN-EX2 virtual machines are running:
   - 10135A-VAN-DC1: Domain controller in the Adatum.com domain
   - 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain
   - 10135A-VAN-EX2: Exchange 2010 server in the Adatum.com domain
3. If required, connect to the virtual machines. Log on to VAN-DC1, VAN-EX1, and VAN-EX2 as Adatum\Administrator, using the password Pa$$w0rd.
Lab Scenario
You are a messaging administrator in A. Datum Corporation, a large multinational organization that has offices in London, Tokyo, and Vancouver, its headquarters. Your organization has deployed Exchange Server 2010 in two of its sites, but all Internet messages should flow through the main site in Vancouver. As part of your job responsibilities, you need to set up message transport to and from the Internet, and ensure that message flow works within and between the sites.
2. Switch to the C:\Program Files\Microsoft\Exchange Server\v14\scripts directory and run the Install-AntispamAgents.ps1 script to install the anti-spam agents on the Hub Transport server.
3. Restart the Microsoft Exchange Transport service.
4. Verify that the anti-spam configuration options are now available on VAN-EX1 and at the organization level.
Task 1: Check the routing log, and verify that mail delivery works correctly
1. On VAN-EX1, use the Routing Log Viewer to verify that VAN-EX1 is located in the Default-First-Site-Name site, and that VAN-EX2 is located in the Site2 site.
2. Log on to Outlook Web App as Wei, and send an e-mail to Anna, whose mailbox is on VAN-EX2. Verify that the mail is received and that Anna can respond to the e-mail.
5. To connect to the virtual machine for the next module's lab, click 10135A-VAN-DC1, and then in the Actions pane, click Connect.
   Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines.
7. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.
8. Wait for VAN-EX1 to start, and then start VAN-SVR1. Connect to the virtual machine.
Module 6
Implementing Messaging Security
Contents:
Lesson 1: Deploying Edge Transport Servers 6-3
Lesson 2: Deploying an Antivirus Solution 6-19
Lab A: Configuring Edge Transport Servers and Forefront Protection 2010 6-27
Lesson 3: Configuring an Anti-Spam Solution 6-31
Lesson 4: Configuring Secure SMTP Messaging 6-44
Lab B: Implementing Anti-Spam Solutions 6-57
Module Overview
The Edge Transport server role is designed to be placed in a perimeter network, where it is directly exposed to the Internet. Exposing a server directly to the Internet raises numerous security concerns. This module describes how to plan for and deploy the Microsoft Exchange Server 2010 Edge Transport server role, and the security issues related to the deployment. It also describes how to configure secure Simple Mail Transfer Protocol (SMTP) messaging and Domain Security, a feature available in Exchange Server 2007 and later versions. The Edge Transport role provides powerful anti-spam functionality and some antivirus features. Because the Edge Transport role does not include a virus scanner, you can integrate additional antivirus products such as Microsoft Forefront Protection 2010 for Exchange Server. After completing this module, you will be able to:
- Deploy Edge Transport servers.
- Deploy an antivirus solution.
- Configure an anti-spam solution.
- Configure secure SMTP messaging.
Lesson 1
In any Exchange Server deployment, it is important that you do not expose too much information to the Internet. You must ensure that critical data such as e-mail messages is protected from unauthorized access from the Internet. The Edge Transport server role provides functionality that secures this data from unauthorized Internet access. If you plan to place a server in your perimeter network, plan to use an Edge Transport server. This lesson describes the features and functionality of the Edge Transport server role, and explains how to configure data synchronization between the Active Directory directory service and the Edge Transport server. After completing this lesson, you will be able to:
- Describe the Edge Transport server role.
- Identify the infrastructure requirements for the Edge Transport server role.
- Describe the functionality of Active Directory Lightweight Directory Services (AD LDS).
- Configure Edge Transport servers.
- Describe the purpose and functionality of Edge Synchronization.
- Explain how Internet message flow works in Exchange Server 2010.
- Describe the concept of cloned configuration.
- Configure Edge Synchronization.
- Describe how to secure Edge Transport servers.
Key Points
The Edge Transport server role in Exchange Server 2010 provides a secure SMTP gateway for all incoming and outgoing e-mail in an organization. As an SMTP gateway, the Edge Transport server's primary role is to maintain message hygiene, which includes anti-spam and antivirus filtering. You also can use the Edge Transport server to apply messaging policies to messages that are sent to the Internet.
Address rewriting
You cannot combine the Edge Transport server role with any other Exchange Server 2010 server role. To provide increased security, you must install the Edge Transport server role on a separate computer, which can be virtual or physical. The computer should not be a member of the internal Active Directory domain.
Note: You should not install the Edge Transport server role on a computer that is a member of the internal Active Directory domain, but you can install it on a member of a separate perimeter network forest. Even when you install the Edge Transport server role on such a member server, the server still uses AD LDS (the successor of Active Directory Application Mode, ADAM) rather than the domain directory to store its configuration and recipient information.
You should deploy the Edge Transport server role in a perimeter network to ensure network isolation from both the internal network and the internal Exchange servers.
Key Points
The Edge Transport server role is different from any other Exchange Server 2010 server role, because you can install it on servers running the Windows Server 2008 operating system that are not members of the internal Active Directory Domain Services (AD DS) forest. This configuration makes it much easier and more secure to deploy Edge Transport servers in a perimeter network. When deploying Edge Transport servers, consider the following infrastructure requirements:
- You can install Edge Transport servers either on standalone servers, or on servers that are members of an extranet (perimeter network) domain.
- The computer running the Edge Transport server role must have a fully qualified domain name (FQDN) configured.
- You should deploy Edge Transport servers in a perimeter network. This configuration provides the highest level of isolation between the Internet and the internal Exchange servers.
The firewall configuration required for Edge Transport servers is greatly simplified, because the server does not need to be an internal domain member. The following table describes the firewall configuration requirements.

External firewall
  Allow TCP port 25 from all external IP addresses to the Edge Transport server: enables SMTP hosts on the Internet to send e-mail to the organization.
  Allow TCP port 25 from the Edge Transport server to all external IP addresses: enables the Edge Transport server to send e-mail to SMTP hosts on the Internet.
  Allow port 53 (UDP and TCP) from the Edge Transport server to all external IP addresses: enables the Edge Transport server to resolve Domain Name System (DNS) names on the Internet.

Internal firewall
  Allow TCP port 25 from the Edge Transport server to the specified Hub Transport servers: enables the Edge Transport server to deliver inbound SMTP e-mail to the Hub Transport servers.
  Allow TCP port 25 from the specified Hub Transport servers to the Edge Transport server: enables the Hub Transport servers to send outbound e-mail to the Edge Transport server.
  Allow TCP port 50636 for secure Lightweight Directory Access Protocol (LDAP) from the specified Hub Transport servers to the Edge Transport server: enables the Hub Transport servers to replicate information to the Edge Transport server using Edge Synchronization. This is not the default Secure LDAP port (636); Exchange uses it specifically for the Edge Synchronization process.
  Allow TCP port 3389 for Remote Desktop Protocol (RDP) from the internal network to the Edge Transport server: optional, for remote desktop administration of the Edge Transport server.
If the Edge Transport server directly routes e-mail to the Internet, you must configure the server with the IP addresses for Domain Name System (DNS) servers that can resolve DNS names on the Internet.
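The table above describes the network firewalls. The Edge Transport server's own host firewall should enforce the same rules, so that a misconfigured network device does not silently expose EdgeSync or RDP to the Internet. The following is an added example, not part of the course: it applies the table with netsh advfirewall, which is built into Windows Server 2008. The Hub Transport server addresses, the management subnet and the rule names are assumptions.

```powershell
# Added example (not from the course): host firewall rules on the Edge Transport
# server mirroring the network firewall table. Run from an elevated PowerShell
# prompt on the Edge server. Addresses below are assumed; adjust to your network.

$hubServers = "10.10.0.10,10.10.0.11"   # assumed: Hub Transport servers in the subscribed site
$adminNet   = "10.10.0.0/24"            # assumed: internal network allowed to use RDP

# Deny by default in both directions, then allow only what the table lists.
# Any other outbound traffic the server needs (time sync, Windows Update,
# anti-spam updates) has to be added explicitly.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# Rules that correspond to the external firewall
netsh advfirewall firewall add rule name=Edge-SMTP-In      dir=in  action=allow protocol=TCP localport=25
netsh advfirewall firewall add rule name=Edge-SMTP-Out     dir=out action=allow protocol=TCP remoteport=25
netsh advfirewall firewall add rule name=Edge-DNS-Out-UDP  dir=out action=allow protocol=UDP remoteport=53
netsh advfirewall firewall add rule name=Edge-DNS-Out-TCP  dir=out action=allow protocol=TCP remoteport=53

# Rules that correspond to the internal firewall. Edge-to-Hub SMTP is covered by
# Edge-SMTP-Out and Hub-to-Edge SMTP by Edge-SMTP-In; EdgeSync and RDP are
# limited to the internal sources that need them.
netsh advfirewall firewall add rule name=Edge-EdgeSync-In  dir=in  action=allow protocol=TCP localport=50636 "remoteip=$hubServers"
netsh advfirewall firewall add rule name=Edge-RDP-In       dir=in  action=allow protocol=TCP localport=3389  "remoteip=$adminNet"

# Review the inbound rule set. Any listening port that is not in this list is
# exposure that was not planned.
netsh advfirewall firewall show rule name=all dir=in |
    Select-String -Pattern "^Rule Name|^LocalPort|^RemoteIP"
```

Leaving the remote address unrestricted on the EdgeSync and RDP rules is the mistake to watch for: port 50636 is an LDAP endpoint into the server's AD LDS instance, and it should never be reachable from the Internet side.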
What Is AD LDS?
Key Points
The Edge Transport server does not use the Active Directory directory service to store its configuration information; instead, Edge Transport servers use AD LDS to store this data. Note: AD LDS runs only on Windows Server 2008 computers, while the ADAM service can run on Windows Server 2003 computers. AD LDS is an update of ADAM.
AD LDS is a lightweight directory service built on the same directory technology as AD DS, and it stores information for directory-enabled applications. AD LDS is an LDAP-compatible directory service that runs on servers running the Windows Server 2008 operating system. AD LDS is designed to be a standalone directory service: it does not require the deployment of DNS, domains, or domain controllers, and it stores and replicates only application-related information.
How AD LDS Works with Exchange Server 2010 Edge Transport Servers
AD LDS stores configuration and recipient data for the Exchange Server 2010 Edge Transport server role. Before you can install the Edge Transport server role, you must install the AD LDS server role on a Windows Server 2008 computer. AD LDS is then configured automatically when you install the Edge Transport server role. The following types of information are stored in AD LDS:
- Schema
- Configuration
- Recipient information
Managing AD LDS
The AD LDS database is stored in the %programfiles%\Microsoft\Exchange Server\TransportRoles\data\Adam directory. The primary database file is adamntds.dit, an Extensible Storage Engine (ESE) database like the ones Exchange Server uses for mailbox databases and the mail queue database. In general, minimal administration is required for the AD LDS instance running on an Edge Transport server. You can make most changes to the AD LDS directory information using the Exchange Server 2010 management tools.
Note: Before installing the Edge Transport server role, you must install AD LDS on the computer. However, you do not need to perform any configuration steps in AD LDS before installing the Edge Transport server role.
Key Points
In this demonstration, you will review the Edge Transport server role default configuration before implementing Edge Synchronization.
Demonstration Steps
1. Open the Exchange Management Console.
2. Review the Edge Transport server role's default configuration settings, including the default anti-spam settings, Send and Receive connectors, and Accepted Domains.
Key Points
Edge Synchronization (EdgeSync) is a process that replicates information from the Active Directory directory service to AD LDS on Edge Transport servers. Because Edge Transport servers are not joined to the internal Active Directory domain, they cannot directly access the Exchange Server organization configuration or the recipient information stored in Active Directory. EdgeSync replicates the shared subset of that information from Active Directory to AD LDS. You can deploy Edge Transport servers without EdgeSync, but EdgeSync reduces the effort needed to administer them: Active Directory already contains much of the configuration the Edge Transport server needs. For example, accepted domains configured on the Hub Transport servers are replicated automatically to the Edge Transport servers. To enable any filtering or transport rules that are based on recipients, you must implement EdgeSync to replicate the recipient information to AD LDS.
Best Practice: When you deploy Edge Transport servers, it is strongly recommended that you also deploy Edge Synchronization.
During synchronization, EdgeSync replicates the following data from the Active Directory directory service to AD LDS:
- Accepted domains
- Recipients (hashed)
- Safe senders (hashed)
- Send connectors
- Hub Transport server list (for dynamic connector generation)
Note: The recipient and safe sender entries are stored as one-way hashes, which prevents an attacker who compromises the Edge Transport server from reading the recipient list out of AD LDS.
Key Points
The primary function of the Edge Transport server is to secure both inbound and outbound Internet email. After you configure an Edge subscription between your organizations Hub Transport servers and the Edge Transport servers in the perimeter network, both inbound and outbound Internet e-mail is enabled.
Note: You can modify the default message flow by creating additional SMTP connectors. For example, you may need to create a new SMTP send connector to send e-mail to a specific destination domain. You can do this by creating a new send connector, and then configuring the destination domain name as the address space for the connector. Finally, configure the connector to support the unique message-routing requirements for messages sent to the domain.
Key Points
In this demonstration, you will see how to enable Edge synchronization and test its working. You also will see how to configure address rewriting.
Demonstration Steps
1. On the Edge Transport server, in the Exchange Management Shell, run the New-EdgeSubscription -FileName c:\van-edge.xml command.
2. Import the Edge subscription file using the Exchange Management Console on the Hub Transport server.
3. Use Start-EdgeSynchronization and Test-EdgeSynchronization to test Edge Synchronization.
4. Review the changes made to the Edge Transport server after Edge Synchronization.
5. Configure address rewriting using the New-AddressRewriteEntry cmdlet.
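The demonstration steps as Exchange Management Shell commands, with the verification a practitioner would add. This is an added example, not part of the course. It assumes the lab names VAN-EX1 (Hub Transport server), VAN-SVR1 (the standalone server used as the Edge Transport server), the site Default-First-Site-Name, the lab user Wei in adatum.com, and the file path from the demonstration.

```powershell
# Added example (not from the course): Edge subscription, synchronization test,
# and address rewriting. Server, site and user names are taken from the lab and
# are assumptions about which machine plays which role.

# --- On the Edge Transport server (VAN-SVR1) ---
# The subscription file contains the bootstrap credentials the Hub Transport
# servers use to authenticate to AD LDS. Treat it as a secret: move it to the
# Hub over a trusted channel and delete it afterwards. It expires after 1440
# minutes, so the import must happen the same day.
New-EdgeSubscription -FileName "C:\van-edge.xml"

# --- On a Hub Transport server in the subscribed site (VAN-EX1) ---
$bytes = [byte[]](Get-Content -Path "C:\van-edge.xml" -Encoding Byte -ReadCount 0)
New-EdgeSubscription -FileData $bytes -Site "Default-First-Site-Name" `
    -CreateInternetSendConnector $true -CreateInboundSendConnector $true
Remove-Item "C:\van-edge.xml"

# Force the first synchronization instead of waiting for the schedule, then
# compare AD DS with AD LDS object by object.
Start-EdgeSynchronization -Server "VAN-EX1"
Test-EdgeSynchronization -FullCompareMode |
    Format-List Name, SyncStatus, LeaseHolder, LastSynchronizedUtc, SendConnectorStatus, RecipientStatus, FailureDetail

# Spot check that a real recipient reached AD LDS. Recipients are stored hashed,
# so the cmdlet hashes the address you give it and looks the hash up.
Test-EdgeSynchronization -VerifyRecipient "wei@adatum.com"

# --- Back on the Edge Transport server: address rewriting ---
# Rewrite the internal adatum.local namespace to adatum.com on mail that leaves
# the organization so internal naming is not disclosed. Entries are
# bidirectional by default; add -OutboundOnly $true to rewrite only outbound.
New-AddressRewriteEntry -Name "adatum.local to adatum.com" `
    -InternalAddress "adatum.local" -ExternalAddress "adatum.com"
Get-AddressRewriteEntry | Format-Table Name, InternalAddress, ExternalAddress, OutboundOnly -AutoSize
```

If Test-EdgeSynchronization reports a status other than Normal, check FailureDetail first: the common causes are the Hub Transport servers being unable to reach TCP port 50636 on the Edge server, or the Edge server's FQDN not resolving from the Hub.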
Key Points
Cloned configuration is the process of configuring multiple Edge Transport servers with identical configurations. The Exchange Server transport services running on Edge Transport servers do not support Windows Failover Clustering. A failover cluster provides high availability by making application software and data available on several servers that are linked together in a cluster configuration. But since failover clustering is not available with Exchange Server transport services, to achieve high availability for messaging transport, you should ensure that multiple Edge Transport servers are available at all times. You can use cloned configuration to ensure that all the Edge Transport servers have the same configuration. You only configure one server, and export the configuration to an XML file that is then imported to the target servers. Note: Although AD LDS supports directory replication, Exchange Server 2010 does not provide an option to use directory replication for configuring multiple Edge Transport servers. You must use cloned configuration if you want to automate this process, and you must repeat the edge-cloning steps each time you make a configuration change on one of the servers.
2. Validate the configuration on the target server. In this step, you run the ImportEdgeConfig.ps1 script. The script checks the information in the intermediate XML file to see whether the exported settings are valid for the target server, and then it creates an answer file. The answer file specifies the server-specific information used in the next step, when you import the configuration on the target server. It contains an entry for each source-server setting that is not valid for the target server; you modify these entries so that they are valid for the target server. If all settings are valid, the answer file contains no entries.
3. Import the configuration. In this step, you use the ImportEdgeConfig.ps1 script again to import the information from both the intermediate XML file and the answer file into the new Edge Transport server.
The ExportEdgeConfig.ps1 and ImportEdgeConfig.ps1 files are Windows PowerShell scripts, not cmdlets. The scripts are located in the %programfiles%\Microsoft\Exchange Server\v14\Scripts folder on all servers running Exchange Server 2010.
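The cloned-configuration procedure end to end, added here as an example that is not part of the course. The scripts and their -CloneConfigData, -IsImport and -CloneConfigAnswer parameters are the ones shipped in the Exchange 2010 Scripts folder; the file paths and the target server name VAN-EDGE2 are assumptions.

```powershell
# Added example (not from the course): export the configuration of one Edge
# Transport server and import it on another. Paths and the target name
# (VAN-EDGE2) are assumed; the scripts are the ones Exchange installs.

$scripts = Join-Path $env:ExchangeInstallPath "Scripts"

# --- On the configured (source) Edge Transport server ---
# The export holds connectors, accepted domains, anti-spam lists and transport
# rules. Protect the XML in transit as you would any configuration backup.
& "$scripts\ExportEdgeConfig.ps1" -CloneConfigData:"C:\CloneConfigData.xml"

# --- On the target Edge Transport server (VAN-EDGE2) ---
# Pass 1: validate only (-IsImport $false). This writes an answer file listing
# every setting that is not valid on this server, such as a Receive connector
# bound to an IP address that exists only on the source.
& "$scripts\ImportEdgeConfig.ps1" -CloneConfigData:"C:\CloneConfigData.xml" `
    -IsImport $false -CloneConfigAnswer:"C:\CloneConfigAnswer.xml"

# Show what needs a target-specific value before importing. An empty answer file
# means every exported setting is valid as-is.
[xml]$answer = Get-Content -Path "C:\CloneConfigAnswer.xml"
if ($answer.DocumentElement.HasChildNodes) {
    Write-Warning "Edit these entries in CloneConfigAnswer.xml before importing:"
    $answer.DocumentElement.ChildNodes | ForEach-Object { $_.OuterXml }
} else {
    Write-Host "Answer file is empty; all settings are valid for this server."
}

# Pass 2: import (-IsImport $true) using the data file plus the edited answer file.
& "$scripts\ImportEdgeConfig.ps1" -CloneConfigData:"C:\CloneConfigData.xml" `
    -IsImport $true -CloneConfigAnswer:"C:\CloneConfigAnswer.xml"

# Verify a few cloned objects landed.
Get-AcceptedDomain | Format-Table Name, DomainName, DomainType -AutoSize
Get-ReceiveConnector | Format-Table Name, Bindings, RemoteIPRanges -AutoSize
```

Two caveats: the Edge subscription is not part of the clone, so the target server still needs its own New-EdgeSubscription and import on the Hub side, and because cloning is a one-time copy, the export and import must be repeated whenever the source configuration changes.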
Key Points
The Edge Transport servers in an organization face the Internet directly, and consequently are the most exposed to attack. Therefore, it is critical that you secure them. You can use the various options available in Exchange Server 2010 to secure Edge Transport servers based on your organizational requirements.
Discussion Questions
Based on your experience, consider the following questions:
Question: Why is it important to secure Edge Transport servers?
Question: What factors should you consider at the operating system level?
Question: How do you secure an Edge Transport server?
Lesson 2
Although Exchange Server 2010 already provides some basic antivirus features, it is important to implement a separate antivirus product such as Forefront Protection 2010 for Exchange Server. This lesson describes the importance of protecting your Exchange Server organization from virus attacks, and describes the features of Forefront Protection 2010 for Exchange Server. After completing this lesson, you will be able to:
- Describe antivirus solution features.
- Describe the Forefront Protection 2010 for Exchange Server features.
- Explain the Forefront Protection 2010 deployment options.
- Explain the best practices for deploying an antivirus solution.
- Install and configure Forefront Protection 2010 for Exchange Server.
Key Points
E-mail is one of the most common ways viruses spread from one organization to another. One of the primary tasks in protecting your Exchange Server organization is to ensure that messages containing viruses are stopped at the perimeter of the messaging environment. Exchange Server 2010 includes the following virus protection features:
- Continuing support for the Virus Scanning application programming interface (VSAPI). Exchange Server 2010 maintains support for the same VSAPI used in Exchange Server 2003 and Exchange Server 2007.
- Transport agents that filter and scan messages. Exchange Server 2010 uses transport agents, such as the Attachment Filter agent, to reduce spam and viruses. By enabling attachment filtering on the Edge Transport server (the Attachment Filter agent is available only on that role), you can block malware attachments before they enter the organization. Additionally, third-party vendors can create transport agents that specifically scan for viruses. Because all messages must pass through a Hub Transport server, this is an efficient and effective means to scan all messages in transit.
- Antivirus stamping. Antivirus stamping reduces how often a message is scanned as it proceeds through an organization. It stamps scanned messages with the version of the antivirus software that performed the scan and the scan results. This antivirus stamp travels with the message as it is routed through the organization, and determines whether additional virus scanning must be performed on the message.
- Integration with Forefront Protection 2010 for Exchange Server. Forefront Protection 2010 for Exchange Server is an antivirus solution from Microsoft that integrates with Exchange Server 2010 to provide advanced protection, optimized performance, and centralized management, which helps customers deploy and maintain a secure messaging environment.
Forefront Protection 2010 for Exchange Server provides:
- Advanced protection against viruses, worms, phishing, and other threats by using up to five antivirus engines simultaneously at each layer of the messaging infrastructure.
- Optimized performance through coordinated scanning across Edge Transport servers, Hub Transport servers, and Mailbox servers, and features such as in-memory scanning, multithreaded scanning processes, and performance bias settings.
- Centralized management of remote installation, engine and signature updating, and reporting and alerts through the Forefront Online Server Security Management Console.
Key Points
Forefront Protection 2010 for Exchange Server is a separate antivirus software package that you can integrate with Exchange Server 2010 to provide antivirus protection for the Exchange environment. The following list describes the benefits of implementing Forefront Protection 2010 for Exchange Server.
- Antivirus scan with multiple engines: You can automatically scan messages using multiple virus pattern engines, not just a single one.
- Full support for VSAPI: Forefront Protection 2010 for Exchange Server fully supports the Exchange VSAPI.
- Microsoft IP Reputation Service: Provides sender reputation information about IP addresses that are known to send spam. This is an IP block list offered exclusively to Exchange Server.
- Identifies the most recent spam campaigns. The signature updates are available as needed, up to several times a day.
- Includes automated updates for this filter, available as needed, up to several times a day.
- Automated content filtering updates for Microsoft SmartScreen spam heuristics, phishing Web sites, and other Intelligent Message Filter (IMF) updates.
Key Points
When you implement Forefront Protection 2010 for Exchange Server, you must consider the various deployment options.
You do not need to install Forefront Protection 2010 on the Client Access server role; Forefront is needed only on the Mailbox, Edge Transport, or Hub Transport server roles. As previously mentioned, Forefront Protection 2010 for Exchange scans each e-mail only once and then stamps it with an AV stamp so that other servers do not scan that message again. Because every message that enters or leaves the organization passes through the Hub Transport servers (and the Edge Transport servers, if deployed), installing Forefront there scans all mail in transit, and you may decide not to scan the Mailbox servers. Keep in mind what transport-only scanning does not cover: messages already sitting in mailboxes when a new signature is released, and items that never pass through transport, such as content imported directly into a mailbox. Whether that residual risk justifies Mailbox server scanning is a decision for your security team.
As a best practice, use five scan engines, because combining engines from different vendors gives the best detection coverage. You can change the engine selection later.
Key Points
Although implementing an antivirus solution in Exchange Server is straightforward, there are some factors that you should keep in mind when choosing and configuring an antivirus solution.
Demonstration: How to Install and Configure Forefront Protection 2010 for Exchange Server
Key Points
In this demonstration, you will see how to install and configure Forefront Protection 2010 for Exchange Server, and how to manage Forefront Protection 2010.
Demonstration Steps
1. Install Forefront Protection 2010 for Exchange Server.
2. Open the Forefront Protection 2010 administration console.
3. Configure the Antimalware - Edge Transport settings.
4. Configure the Antispam - Content Filter settings.
5. Configure the Global Settings.
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and 10135A-VAN-SVR1 virtual machines are running:
   - 10135A-VAN-DC1: Domain controller in the Adatum.com domain
   - 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain
   - 10135A-VAN-SVR1: Standalone server
3. If required, connect to the virtual machines. Log on to VAN-DC1 and VAN-EX1 as Adatum\Administrator, using the password Pa$$w0rd.
4. Log on to VAN-SVR1 as Administrator, using the password Pa$$w0rd.
5. On the host computer, in Hyper-V Manager, click VAN-SVR1, and in the Actions pane, click Settings.
6. Click DVD Drive, click Image file, and then click Browse.
7. Browse to C:\Program Files\Microsoft Learning\10135\Drives, click EXCH201064.iso, and then click Open.
8. Click OK.
9. On VAN-SVR1, dismiss the Autoplay dialog box.
Lab Scenario
You are a messaging administrator in A. Datum Corporation, which is a large multinational organization. Your organization has deployed Exchange Server 2010 internally, and now must extend it so that everyone within the corporation can send and receive Internet e-mail. As part of your job responsibilities, you need to set up an Edge Transport server, and then install an antivirus solution to scan all mail.
Lesson 3
Spam messages can adversely impact the messaging environment of an organization. Therefore, implementing an anti-spam solution is a critical component of maintaining your organization's messaging hygiene. Exchange Server 2010 includes several features that you can use to implement anti-spam protection in your organization. This lesson provides an overview of the options available for anti-spam filtering, and describes how you can configure your Edge Transport servers to reduce spam in your organization. After completing this lesson, you will be able to:
- Describe the spam-filtering features available in Exchange Server 2010.
- Explain how Exchange Server 2010 applies spam filters.
- Describe the concept of Sender ID filtering.
- Describe the concept of sender reputation filtering.
- Describe the concept of content filtering.
- Configure anti-spam options.
Key Points
The spam-filtering functionality of the Edge Transport server is most effective when all e-mail to and from the Internet is routed through it. The anti-spam functionality is implemented as a series of Edge Transport server transport agents.
Note: Forefront Protection 2010 for Exchange Server provides more frequent updates for its anti-spam data than the built-in Exchange Server 2010 anti-spam features. Typically, the built-in anti-spam filter data is updated daily, whereas Forefront Protection 2010 can be configured to update multiple times a day.
The following anti-spam transport agents are among those installed on the Edge Transport server (agent, what it filters on, and default status):
- Recipient Filter agent: filters messages based on the recipients given in the RCPT TO: SMTP command. Default status: Enabled.
- Protocol Analysis agent (sender reputation): filters messages based on many characteristics of the sender, accumulated over a specific period. Default status: Enabled.
- Attachment Filter agent: filters messages based on attachment file name, file name extension, or Multipurpose Internet Mail Extensions (MIME) content type. Default status: Enabled.
Note: You can view all the agents installed on the Edge Transport server by running the Get-TransportAgent cmdlet on the Edge Transport server. The default Edge Transport server installation also includes other transport agents, such as the Address Rewriting Inbound agent, the Address Rewriting Outbound agent, and the Edge Rule agent. You cannot use these agents for spam filtering.
Safelist Aggregation
In Exchange Server 2010, the Content Filter agent on the Edge Transport server uses the Microsoft Office Outlook Safe Senders Lists, Safe Recipients Lists, and trusted contacts to optimize spam filtering. Safelist aggregation is anti-spam functionality that Outlook and Exchange Server 2010 share. It collects the data from the safe lists that Outlook users configure and makes this data available to the anti-spam agents on the Edge Transport server. You must use the Update-Safelist cmdlet to write each user's safe list data to Active Directory so that EdgeSync can replicate it (hashed) to the Edge Transport servers.
Key Points
The Edge Transport server role in Exchange Server 2010 uses spam-filtering agents to examine each SMTP connection and the messages sent through it. When an SMTP server on the Internet connects to the Edge Transport server and initiates an SMTP session, the Edge Transport server examines each message using the following sequence:
1. When the SMTP session is initiated, the Edge Transport server applies connection filtering using the following criteria:
   - Connection filtering examines the administrator-defined IP Allow list. Administrators might include the IP addresses of SMTP servers at partner organizations in the IP Allow list. If an IP address is on the IP Allow list, the server applies no other filtering and accepts the message.
   - Connection filtering examines the local IP Block list. Administrators might include the IP addresses of known spam senders' SMTP servers, or of other servers from which the organization does not want to receive e-mail, in the IP Block list. If the Connection Filtering agent finds the sending server's IP address on the local IP Block list, the server rejects the message, and no other filters are applied.
   - Connection filtering examines the real-time block list (RBL) of any IP Block List Providers that you have configured. If the agent finds the sending server's IP address on an RBL, the server rejects the message, and no other filters are applied.
2. The Edge Transport server compares the sender's e-mail address with the list of senders configured in sender filtering. If the sender's SMTP address or domain is blocked, the server may reject the connection, and no other filters are applied. Additionally, you can configure the server to accept the message from the blocked sender, but stamp the message with the blocked sender information and continue processing. The blocked sender information is included as one of the criteria when content filtering processes the message.
3. The Edge Transport server examines the recipient against the Recipient Block list configured in recipient filtering. If Edge Synchronization is enabled, the Edge Transport server can use the information about recipient filtering from Active Directory. If the intended recipient matches a filtered e-mail address, the Edge Transport server rejects the message for that particular recipient. If multiple recipients are listed on the message, and some are not on the Recipient Block list, further processing is done on the message.
4. Exchange Server 2010 applies Sender ID filtering. Depending on how the Sender ID is configured, the server might delete, reject, or accept the message. If the message is accepted, the server adds the Sender ID validation failure to the message properties. The failed Sender ID status is included as one of the criteria when content filtering processes the message.
5. The Edge Transport server applies content filtering and performs one of the following actions:
   • Content filtering compares the sender to the senders in the Safelist aggregation data from Office Outlook users. If the sender is on the recipient's Safe Senders List, the message is sent to the user's mailbox store.
   • If the sender is not on the recipient's Safe Senders List, the message is assigned a spam confidence level (SCL) rating. If the SCL rating is higher than one of the configured Edge Transport server thresholds, content filtering takes the appropriate action of deleting, rejecting, or quarantining the message. If the SCL rating is lower than one of the Edge Transport server thresholds, the message is passed to a Hub Transport server for distribution to the Exchange Mailbox server containing the user's mailbox.
Tip: You can bypass spam filtering for a specific recipient by setting the AntispamBypassEnabled property to True on the user's mailbox. This causes the message to bypass filtering and be delivered directly to the recipient's mailbox.
Key Points
The Sender ID Framework is an industry standard that verifies the Internet domain from which each e-mail message originates, based on the sender's server IP address. The Sender ID Framework provides protection against e-mail domain spoofing and phishing schemes. By using the Sender ID Framework, e-mail senders can register all e-mail servers that send e-mail from their SMTP domain, and then e-mail recipients can filter e-mail from that domain that does not come from the specified servers.
Sender ID Configuration
After you configure the SPF records, any destination messaging servers that use the Sender ID features can identify your server using Sender ID.
After you enable Sender ID filtering, the following process shows how all e-mail messages are filtered:

1. The sender transmits an e-mail message to the recipient organization.
2. The destination mail server receives the e-mail. The destination server checks the domain that claims to have sent the message, and checks DNS for that domain's SPF record.
3. The destination server determines if the IP address of the sending e-mail server matches any of the IP addresses that are in the SPF record. The IP address of the server authorized to send e-mail for that domain is called the purported responsible address (PRA).
4. If the IP addresses match, the destination server authenticates the mail and delivers it to the destination recipient. However, other anti-spam scanners such as content filtering are still applied. If the addresses do not match, the mail fails authentication. Depending on the e-mail server configuration, the destination server might delete the message or forward it with additional information added to its header indicating that it failed authentication.
Key Points
The Exchange Server 2010 Sender Reputation feature makes message filtering decisions based on information about recent e-mail messages received from specific senders. The Sender Reputation agent analyzes various statistics about the sender and the e-mail message to create a Sender Reputation Level (SRL). This SRL is a number between 0 and 9, where a value of 0 indicates that there is less than a 1 percent chance that the sender is a spammer, and a value of 9 indicates that there is more than a 99 percent chance that the sender is a spammer. If a sender appears to be a spam source, the Sender Reputation agent automatically adds the IP address of the SMTP server that is sending the message to the list of blocked IP addresses.
• Reverse DNS lookup. The Sender Reputation agent also verifies that the originating IP address from which the sender transmitted the message matches the registered domain name that the sender submits in the HELO or EHLO SMTP command. The Sender Reputation agent performs a reverse DNS query by submitting the originating IP address to DNS. If the domain names do not match, the sender is more likely to be a spammer, and the overall SRL rating for the sender is adjusted upward.
• SCL ratings analysis on a particular sender's messages. When the Content Filter agent processes a message, it assigns an SCL rating to the message. This rating is attached to the message as an SCL, which is a numerical value between 0 and 9. The Sender Reputation agent analyzes data about each sender's SCL ratings, and uses it to calculate SRL ratings. More information on SCL ratings can be found in the next topic, What is Content Filtering?
The Sender Reputation agent calculates the SRL for each unique sender over a specific time. When the SRL rating exceeds the configured limit, the IP address for the sending SMTP server is added to the IP Block list for a specific time.
Key Points
The Content Filter agent uses SmartScreen technology to analyze the content of every e-mail message, to evaluate whether it is spam. The Content Filter agent is similar to the Exchange Server 2003 Intelligent Message Filter feature. When the Edge Transport server receives a message, the Content Filter agent evaluates the message's content for recognizable patterns, and then assigns a rating based on the probability that the message is spam. This rating is attached to the message as an SCL, which is a numerical value between 0 and 9. A rating of 0 indicates that the message is highly unlikely to be spam, whereas a rating of 9 indicates that the message is very likely to be spam. This rating persists with the message when it is sent to other servers running Exchange Server. Depending on how you configure the content filter, if a message's SCL score is greater than or equal to the threshold you configure, then the Content Filter agent rejects, silently deletes, or quarantines the message.
• Specify actions. You can configure the SCL thresholds and threshold actions. You can configure the Content Filter agent to delete, reject, or quarantine messages with an SCL higher than the value you specify.

Note: When the Content Filter agent rejects a message, it uses the default response of 550 5.7.1 Message rejected due to content restrictions. You can customize this message using the Set-ContentFilterConfig cmdlet in the Exchange Management Shell.
Key Points
In this demonstration, you will see how to configure the various anti-spam options available in Exchange Server 2010, such as Connection filters, Sender filters, and Recipient filters. You will also see how to configure the Sender ID, Sender Reputation, and content filtering features.
Demonstration Steps
1. Open the Exchange Management Console, and on the Edge Transport server, click the Anti-spam tab.
2. Configure the following Connection filters:
   • IP Allow List
   • IP Block List
   • IP Block List Providers
3. Add the zen.spamhaus.org domain to the IP Block List Providers list.
4. Configure the following filtering features:
   • Sender filtering
   • Recipient filtering
   • Sender ID
   • Sender Reputation
   • Content filtering
5. Configure the Edge Transport server to quarantine messages with an SCL rating greater than 7.
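The demonstration uses the Exchange Management Console; the same configuration from the Exchange Management Shell, as an added example that is not part of the course material. zen.spamhaus.org and the SCL threshold of 7 come from the demonstration steps; the IP addresses, domain names and the quarantine mailbox are constructed placeholders.

```powershell
# Added example (not part of the course): the anti-spam configuration from
# the demonstration, done in the Exchange Management Shell on the Edge
# Transport server. zen.spamhaus.org and the SCL threshold of 7 come from
# the demonstration steps; the IP addresses, domain names and the
# quarantine mailbox are constructed placeholders.

# Step 2: connection filtering. An address on the IP Allow list skips every
# other agent, so keep that list to known partner gateways and review it.
Add-IPAllowListEntry -IPAddress 203.0.113.25 -Comment "Placeholder partner gateway"
# A block-list entry that expires, so a temporary decision does not outlive
# the incident that caused it.
Add-IPBlockListEntry -IPRange 198.51.100.0/24 -Comment "Placeholder spam source" `
    -ExpirationTime ((Get-Date).AddDays(30))

# Step 3: real-time block list provider. A listed sending IP is rejected at
# connection time, before sender, recipient or content filtering run.
Add-IPBlockListProvider -Name "Spamhaus ZEN" -LookupDomain zen.spamhaus.org `
    -AnyMatch $true `
    -RejectionResponse "Your IP address is listed by zen.spamhaus.org"

# Step 4: sender filtering. StampStatus keeps the message and records the
# blocked-sender result as one input to the SCL instead of rejecting.
Set-SenderFilterConfig -BlockedDomainsAndSubdomains "spam.example" `
    -BlankSenderBlockingEnabled $true -Action StampStatus

# Step 4: recipient filtering. Recipient validation needs Edge
# Synchronization so the Edge server knows which recipients exist.
Set-RecipientFilterConfig -RecipientValidationEnabled $true `
    -BlockedRecipients "noreply@adatum.com"

# Step 4: Sender ID. Stamping failures (rather than rejecting) avoids losing
# mail from partners whose SPF records are incomplete; the failure still
# raises the SCL during content filtering.
Set-SenderIdConfig -SpoofedDomainAction StampStatus -TempErrorAction StampStatus

# Step 4: sender reputation. Block a sending IP for 24 hours once its SRL
# reaches 7 (the SRL scale is 0-9, as described above).
Set-SenderReputationConfig -SrlBlockThreshold 7 -SenderBlockingPeriod 24

# Step 5: content filtering. The agent acts when the SCL is greater than or
# equal to the threshold, so "greater than 7" is a quarantine threshold of
# 8; SCL 9 is rejected with the course's default response text.
Set-ContentFilterConfig -SCLQuarantineEnabled $true -SCLQuarantineThreshold 8 `
    -QuarantineMailbox "spamquarantine@adatum.com" `
    -SCLRejectEnabled $true -SCLRejectThreshold 9 `
    -RejectionResponse "Message rejected due to content restrictions"

# Verify what is now in effect.
Get-IPBlockListProvider | Format-Table Name, LookupDomain, Enabled -AutoSize
Get-ContentFilterConfig | Format-List SCL*, QuarantineMailbox
Get-SenderIdConfig | Format-List SpoofedDomainAction, TempErrorAction
```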
Lesson 4
To configure secure SMTP messaging, you can use Transport Layer Security (TLS) in Exchange Server or Domain Security, which is a new feature in Exchange Server 2007 and Exchange Server 2010. This lesson describes how to secure SMTP messaging by using the available options. After completing this lesson, you will be able to:
• Describe the common SMTP security issues.
• Describe the options for securing SMTP e-mail.
• Configure SMTP security.
• Explain the concept of Domain Security.
• Explain how Domain Security works.
• Describe the Domain Security configuration process.
• Configure Domain Security.
• Explain how Secure MIME works.
Key Points
Although SMTP messaging is common in many organizations, there are a few security issues that you must consider.

Question: What are the security issues with SMTP?

Question: How do you currently secure SMTP?
Key Points
Exchange Server 2010 offers several options to secure SMTP messaging traffic. All these options rely on certificates to encrypt the traffic. The following methods for securing SMTP require that you implement the option both on the source and the target side. Since you most likely will not have access to the target side, the methods listed here have limitations.
IPSec
IPSec provides a set of extensions to the basic IP protocol, and is used to encrypt server-to-server communication. IPSec can be used to tunnel traffic, or peer-to-peer, to secure natively all IP communications. Because IPSec operates on the transport layer and is network-based, applications running on Exchange Server 2010 do not need to be aware of IPSec. You normally use IPSec to secure server-to-server or client-to-server communication. You do not need another encryption method when using IPSec.
VPN
Virtual private network (VPN) also operates on the transport layer, and very often uses IPSec as the underlying protocol. VPN is used for site-to-site or client-to-site connections. Both operate on the transport layer, which can be an advantage over application-layer protocols such as Secure MIME (S/MIME): a transport-layer protocol does not require the application on both ends to know about the protocol.
TLS
The TLS protocol is the default protocol that is used in an Exchange Server 2010 organization to encrypt server communication. It is a standard protocol that you can use to provide secure Web communications on the Internet or intranet. TLS enables clients to authenticate servers, or optionally, servers to authenticate clients. It also provides a secure channel by encrypting communications. TLS is the latest version of the SSL protocol.
Exchange Server 2010's Domain Security feature uses TLS with mutual authentication, also known as mutual TLS, to provide session-based authentication and encryption. Standard TLS is used to provide confidentiality by encrypting but not authenticating the communication partners. This is typical of SSL, which is the HTTP implementation of TLS.
S/MIME
S/MIME is a standard that you can use to implement public-key encryption and e-mail message signatures. You can use encryption to protect message contents so that only the intended recipients can read them. If a message is signed, the recipient can verify whether the message has been changed on the way from the sender to the recipient. S/MIME is a client-based encryption and signing protocol that provides end-to-end security, from the sending mailbox to the receiving mailbox. Unlike other encryption protocols that are session-based on the transport layer (such as TLS), the message also remains encrypted and signed within the mailbox. Even administrators cannot decrypt it if their digital certificate does not allow them to do so. By implementing S/MIME, you can perform the following tasks:
• Use digital signatures as a way to prove to your communication partners that the content was not altered.
• Authenticate messages, especially for crucial functions, such as when your employer approves your travel requests.
• Encrypt messages to prevent accidental content disclosure.
By default, Exchange Server 2010 fully supports S/MIME for message encryption and signatures. Unlike in previous versions, where you had to configure every mailbox database, you do not need to configure any server-side setting to support S/MIME. Because S/MIME provides end-to-end security, it is important that the e-mail application you use to read and write S/MIME messages meets the following two requirements:
• The application must support S/MIME encryption and signatures.
• You must configure the digital signature in the e-mail application.

Note: When using S/MIME, you can send digitally signed messages to anyone, but you can only encrypt messages to recipients whose certificates are available in the Global Address List (GAL) or in contacts.
Key Points
In this demonstration, you will see how to configure an externally secured SMTP Connector and how to configure an SMTP Connector that requires TLS and authentication.
Demonstration Steps
1. Use the Exchange Management Console to create a new Receive Connector.
2. Configure the Receive Connector to be externally secured.
3. Use Telnet to connect to the Receive Connector.
4. Configure the Receive Connector to use TLS and authentication.
5. Use Telnet again to connect to the Receive Connector.
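The same two connectors created from the Exchange Management Shell, with the Telnet check of steps 3 and 5 replaced by a small function that reads the EHLO response, as an added example that is not part of the course material. It assumes a Hub Transport server; the connector names, IP ranges and server names are constructed placeholders.

```powershell
# Added example (not part of the course): the two Receive connectors from
# the demonstration, created with the Exchange Management Shell on a Hub
# Transport server, plus a replacement for the Telnet check that reads the
# EHLO response. Connector names, IP addresses and server names are
# constructed placeholders.

# Steps 1-2: an externally secured connector. ExternalAuthoritative tells
# Exchange the session is already protected by other means (IPsec or a
# dedicated link), so mail from these IPs is treated as authenticated
# internal mail and bypasses anti-spam. Keep RemoteIPRanges to the exact
# hosts; anything in that range can send mail that resolves as internal.
New-ReceiveConnector -Name "Partner gateway (externally secured)" -Usage Custom `
    -Bindings 0.0.0.0:25 -RemoteIPRanges 203.0.113.10 `
    -AuthMechanism ExternalAuthoritative -PermissionGroups ExchangeServers

# Step 4: a connector that requires TLS before authentication.
# BasicAuthRequireTLS keeps credentials off the wire; RequireTLS refuses a
# session that does not issue STARTTLS first.
New-ReceiveConnector -Name "Application relay (TLS and auth)" -Usage Custom `
    -Bindings 0.0.0.0:2525 -RemoteIPRanges 10.10.0.0/16 `
    -AuthMechanism Tls,BasicAuth,BasicAuthRequireTLS -RequireTLS $true `
    -PermissionGroups ExchangeUsers

# Steps 3 and 5: what Telnet would show. Connect, read the banner, send
# EHLO and collect the "250-" capability lines the connector advertises.
function Get-SmtpCapabilities {
    param([string]$Server, [int]$Port = 25, [string]$HeloName = "client.adatum.com")
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $stream = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"
        $writer.AutoFlush = $true
        $banner = $reader.ReadLine()            # "220 ... Microsoft ESMTP MAIL Service ready ..."
        $writer.WriteLine("EHLO $HeloName")
        $caps = @()
        do {
            $line = $reader.ReadLine()
            if ($line.Length -gt 4) { $caps += $line.Substring(4) }   # drop "250-" / "250 "
        } while ($line.Length -ge 4 -and $line[3] -eq '-')          # "250-" means more lines follow
        $writer.WriteLine("QUIT")
        New-Object PSObject -Property @{
            Server       = "$Server`:$Port"
            Banner       = $banner
            StartTls     = [bool]($caps -contains "STARTTLS")
            AuthOffered  = [bool]($caps | Where-Object { $_ -like "AUTH*" })
            Capabilities = $caps
        }
    } finally { $client.Close() }
}

# Port 25 (externally secured): no AUTH line; STARTTLS appears only if Tls
# is also in AuthMechanism. Port 2525: STARTTLS advertised, AUTH offered
# only after TLS, so over this plain-text session AuthOffered is False.
Get-SmtpCapabilities -Server VAN-EX1 -Port 25   | Format-List Server, Banner, StartTls, AuthOffered
Get-SmtpCapabilities -Server VAN-EX1 -Port 2525 | Format-List Server, Banner, StartTls, AuthOffered
```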
Key Points
Exchange Server 2010 can use TLS to provide security for SMTP e-mail. In most cases, you cannot use TLS when sending or receiving e-mail because SMTP servers are not configured to use TLS. However, by requiring TLS for all SMTP e-mail sent between your organization and other specified organizations, you can enable a high security level for SMTP e-mail.
Key Points
Domain Security works in a manner similar to establishing a TLS connection to an SMTP Receive connector. However, as mutual TLS is used, both the sender and the receiver authenticate one another before they send data. The message takes the following route from one organization to the other when using Domain Security:

1. The Edge Transport server receives the e-mail message from a source Hub Transport server.
2. The Edge Transport server initiates a mutual TLS session to the target Edge Transport server by exchanging and verifying their certificates. This is only established when both the sending and receiving SMTP connectors can identify the sending domain. You must set the domain information on the sending side by using the Set-TransportConfig -TLSSendDomainSecureList <domain name> cmdlet. On the receiving side, use the Set-TransportConfig -TLSReceiveDomainSecureList <domain name> cmdlet to set the domain information.
3. The message is encrypted and transferred to the target Edge Transport server.
4. The Edge Transport server delivers the e-mail to the target Hub Transport server for local delivery. The message is marked as Domain Secure, which will display in Outlook 2007 or later, and in Outlook Web App.
Key Points
To configure Domain Security, you need to perform the following process:

1. On the Edge Transport server, generate a certificate request for TLS certificates. You can request the certificate from an internal, private certification authority (CA) or from a commercial CA. The SMTP server in the partner organization must trust the certificate. When you request the certificate, ensure that the certificate request includes the domain name for all internal SMTP domains in your organization, as well as the FQDN of the Edge Server name, as Subject Alternative Names (SAN).
2. Import and enable the certificate on the Edge Transport server. After you request the certificate, you must import the certificate on the Edge Transport server, and then enable the certificate for use by the SMTP connectors that are used to send and receive domain-secured e-mail.
3. Configure outbound Domain Security. To configure outbound Domain Security, use Exchange Management Shell cmdlets to specify the domains to which you will send domain-secured e-mail, and then configure the SMTP Send connector to use domain-secured e-mail.
4. Configure inbound Domain Security. To configure inbound Domain Security, use Exchange Management Shell cmdlets to specify the domains from which you will receive domain-secured e-mail, and then configure the SMTP Receive connector to use domain-secured e-mail.
5. Notify the partner to configure Domain Security. Domain Security must be configured on both sides (the sending and the receiving side), so you also need to contact your partner's administrator to configure your domain for Domain Security.
6. Test message flow. Finally, send a message to the partner and vice versa to verify that Domain Security is working correctly. You can see an extra icon in Outlook and Outlook Web App.
Note: When you install the Edge Transport server role, a self-signed certificate is issued to the server. No other computers trust this certificate. When you require that the partner organization trust the certificate, you should purchase a certificate from a commercial CA. You can also create a cross-forest trust, or import the CA's certificate into the Trusted Root CA store on both sides, if you do not want to purchase a certificate from a commercial CA.
Key Points
In this demonstration, you will see how to configure Domain Security.
Demonstration Steps
1. Verify a computer certificate in the certificate store.
2. Enable Domain Security on the Receive connector.
3. Enable Domain Security on the Send connector.
4. Run Set-TransportConfig -TLSSendDomainSecureList and Set-TransportConfig -TLSReceiveDomainSecureList to configure the Domain Security partnership.
5. Run Start-EdgeSynchronization to synchronize the changes to the Edge Transport server.
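The six-step configuration process and the demonstration above, carried out in the Exchange Management Shell, as an added example that is not part of the course material. adatum.com is the course domain; contoso.com as the partner domain, the server and connector names and the file paths are constructed placeholders.

```powershell
# Added example (not part of the course): Domain Security with one partner,
# following the six configuration steps and the demonstration above.
# adatum.com is the course domain; contoso.com as the partner, the server
# names, connector names and file paths are constructed placeholders.

# Step 1, on the Edge Transport server: the request must carry the Edge
# server FQDN and every SMTP domain you will send as, because the partner
# checks the presented certificate against its TLSReceiveDomainSecureList.
$request = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=US, O=A. Datum Corporation, CN=edge.adatum.com" `
    -DomainName edge.adatum.com, adatum.com `
    -PrivateKeyExportable $true
Set-Content -Path C:\Certs\edge.adatum.com.req -Value $request

# Step 2, after the CA (internal or commercial, but trusted by the partner)
# has issued the certificate: import it and bind it to the SMTP service.
Import-ExchangeCertificate -FileData ([byte[]](Get-Content -Path C:\Certs\edge.adatum.com.cer -Encoding Byte -ReadCount 0))
$cert = Get-ExchangeCertificate | Where-Object { $_.Subject -like "*CN=edge.adatum.com*" -and -not $_.IsSelfSigned }
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP

# Steps 3 and 4, on a Hub Transport server (the lists reach the Edge server
# through EdgeSync). @{Add=...} appends to the multivalued property, so
# partners configured earlier are kept.
Set-TransportConfig -TLSSendDomainSecureList @{Add="contoso.com"} `
    -TLSReceiveDomainSecureList @{Add="contoso.com"}

# Outbound: the Send connector must route through DNS (no smart host) and
# honour STARTTLS, otherwise mutual TLS cannot be negotiated.
Set-SendConnector -Identity "Internet" `
    -DomainSecureEnabled $true -DNSRoutingEnabled $true -IgnoreSTARTTLS $false

# Inbound, on the Edge Transport server: the Internet-facing Receive
# connector must offer TLS for a session to qualify as domain-secured.
# AuthMechanism replaces the existing value, so list everything you need.
Set-ReceiveConnector -Identity "EDGE1\Default internal receive connector EDGE1" `
    -DomainSecureEnabled $true -AuthMechanism Tls

# Step 5 has no cmdlet: the partner mirrors this on their side, with
# adatum.com in their TLSSendDomainSecureList and TLSReceiveDomainSecureList.

# Step 6: push the transport settings to the Edge server and confirm.
Start-EdgeSynchronization
Test-EdgeSynchronization | Format-List
Get-TransportConfig | Format-List TLSSendDomainSecureList, TLSReceiveDomainSecureList
Get-SendConnector | Where-Object { $_.DomainSecureEnabled } |
    Format-List Name, DNSRoutingEnabled, IgnoreSTARTTLS
```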
Key Points
S/MIME is a messaging client-based solution for securing SMTP e-mail. With S/MIME, each client computer must have a certificate, and the user is responsible for signing or encrypting each e-mail.
• Message encryption. When a user chooses to encrypt a message using S/MIME, the messaging client generates a one-time symmetric session key, and encrypts the entire message using the session key. The session key then is encrypted using the recipient's public key, and the encrypted session key is combined with the encrypted message when the message is sent. When the message arrives at the recipient, the recipient's private key decrypts the message.
Message encryption enhances confidentiality. You can decrypt a message using only the private key associated with the public key that was used to encrypt it. Therefore, only the intended recipient can view the contents.
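The two-layer envelope just described (one-time session key, wrapped with the recipient's public key), rebuilt with .NET RSA and AES primitives rather than a real S/MIME library, as an added example that is not part of the course material. The RSA key pair stands in for the recipient's certificate and the message text is constructed.

```powershell
# Added example (not part of the course): the two-layer envelope described
# above, rebuilt with .NET primitives (RSA + AES) rather than a real S/MIME
# library, to show why only the recipient's private key opens the message.
# The RSA key pair stands in for the recipient's certificate and the
# message text is constructed.

function Protect-Message {
    param([string]$PlainText, [string]$RecipientPublicKeyXml)
    # One-time symmetric session key, generated fresh for this message only.
    $aes = New-Object System.Security.Cryptography.AesManaged
    $aes.KeySize = 256
    $aes.GenerateKey()
    $aes.GenerateIV()
    $sessionKey = $aes.Key        # the Key/IV getters return copies
    $iv = $aes.IV
    $body = [Text.Encoding]::UTF8.GetBytes($PlainText)
    $encryptedBody = $aes.CreateEncryptor().TransformFinalBlock($body, 0, $body.Length)
    $aes.Clear()

    # The session key itself is encrypted with the recipient's public key
    # (RSA-OAEP) and travels with the encrypted body.
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $rsa.FromXmlString($RecipientPublicKeyXml)
    $encryptedSessionKey = $rsa.Encrypt($sessionKey, $true)
    [Array]::Clear($sessionKey, 0, $sessionKey.Length)   # sender keeps no copy

    New-Object PSObject -Property @{
        EncryptedBody       = $encryptedBody
        IV                  = $iv
        EncryptedSessionKey = $encryptedSessionKey
    }
}

function Unprotect-Message {
    param($Envelope, [string]$RecipientKeyXml)
    # Recovering the session key needs the private key; the public key
    # alone (what the GAL publishes) fails here.
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $rsa.FromXmlString($RecipientKeyXml)
    $sessionKey = $rsa.Decrypt($Envelope.EncryptedSessionKey, $true)
    $aes = New-Object System.Security.Cryptography.AesManaged
    $aes.Key = $sessionKey
    $aes.IV = $Envelope.IV
    $body = $aes.CreateDecryptor().TransformFinalBlock($Envelope.EncryptedBody, 0, $Envelope.EncryptedBody.Length)
    $aes.Clear()
    [Text.Encoding]::UTF8.GetString($body)
}

# Recipient key pair: the public half is what a sender looks up, the
# private half never leaves the recipient.
$recipient  = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
$publicKey  = $recipient.ToXmlString($false)
$privateKey = $recipient.ToXmlString($true)

$envelope = Protect-Message -PlainText "Travel request 4711 approved." -RecipientPublicKeyXml $publicKey
"Stored in the mailbox as $($envelope.EncryptedBody.Length) encrypted bytes"
"Recipient reads: " + (Unprotect-Message -Envelope $envelope -RecipientKeyXml $privateKey)

# An administrator who holds only the public key cannot open the message.
try {
    Unprotect-Message -Envelope $envelope -RecipientKeyXml $publicKey
} catch {
    "Without the private key: " + $_.Exception.Message
}
```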
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:

1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and the 10135A-VAN-SVR1 virtual machines are running.
   • 10135A-VAN-DC1: Domain controller in the Adatum.com domain
   • 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain
   • 10135A-VAN-SVR1: Standalone server
Lab Scenario
You are a messaging administrator in A. Datum Corporation, which is a large multinational organization. After configuring the Edge Transport server and installing an antivirus solution, you must implement an anti-spam solution.
3. On VAN-EX1, in the Exchange Management Shell, run d:\labfiles\Lab6Prep.ps1. This script will send 11 messages from VAN-SVR1 with the following SCL ratings:

   Mail Sender          SCL Level
   Msg1@contoso.com     7
   Msg2@contoso.com     8
   Msg3@contoso.com     7
   Msg4@contoso.com     7
   Msg5@contoso.com     8
   Msg6@contoso.com     6
   Msg7@contoso.com     8
   Msg8@contoso.com     7
   Msg9@contoso.com     6
   Msg10@contoso.com    6
   Msg11@contoso.com    8

4. Log on to Outlook Web App as Wei and verify that three messages were sent to the user mailbox, and that eight messages were sent to the Junk E-Mail folder.
5. View the message details for one of the messages to verify the SCL value assigned to the message.
Review Questions
1. Is Edge Synchronization a mandatory requirement?
2. Which Exchange Server versions support the Domain Security feature?
3. Does the Edge Transport server role in Exchange Server 2010 include virus-scanning capabilities?
Issue: You configured Domain Security with a partner domain, but messages only use TLS for message encryption, not mutual TLS or Domain Security.
Troubleshooting tip: Ensure both domains trust each other's CA. Also, Domain Security must be configured on both the local side and the partner side.

Issue: Edge Synchronization is not working anymore.
Troubleshooting tip: Use Test-EdgeSynchronization to verify that the connection is established. If that does not work, try to reestablish the Edge Synchronization.

Issue: You're logged on to your Windows Server 2008 machine using your own account. When you run Test-EdgeSynchronization, it shows that the connection is broken.
Troubleshooting tip: When you use your own account instead of an administrator account to log on to a Windows Server 2008 system, ensure that you always start the Exchange Management Shell in Administrator mode. You sometimes need full access to run a cmdlet.
Module 7
Implementing High Availability
Contents:
Lesson 1: Overview of High Availability Options 7-3
Lesson 2: Configuring Highly Available Mailbox Databases 7-8
Lesson 3: Deploying Highly Available Non-Mailbox Servers 7-21
Lab: Implementing High Availability 7-26
Module Overview
Many people rely on messaging environments so that they can perform critical business tasks, and it is extremely important for your messaging solution to be available for an extended time. Thus, many organizations place strict availability requirements on e-mail and other critical applications. As the Microsoft Exchange Server product has improved over the last decade, it has become very stable and resilient, even in standalone configurations. To be a truly high availability solution, however, further design and configuration were required. Not only are technology and configuration crucial, but also the processes and procedures that you use to maintain the messaging system. This module describes the high availability technology built into Exchange Server 2010 and some of the outside factors that affect highly available solutions. After completing this module, you will be able to:
• Describe high availability options.
• Configure highly available mailbox databases.
• Deploy highly available non-Mailbox servers.
Lesson 1
High availability is a commonly used term that refers to a specific technology or configuration that promotes service availability. Although many technologies and configurations can lead to highly available configurations, they are not by themselves truly highly available. Much more effort is required to provide a high availability solution. In this lesson, you will review high availability, and some of the factors that go into designing and deploying a highly available solution. After completing this lesson, you will be able to:
• Describe high availability.
• Identify the components of a high availability solution.
• Implement a high availability solution for Mailbox servers.
• Implement a high availability solution for non-Mailbox servers.
Key Points
High availability is a system design implementation that ensures a high level of operational continuity over a specific time. Although many people attribute high availability to a specific technology, such as failover clustering or load balancing, you can truly achieve high availability only with good design, testing, training, and operational processes. There are two types of downtime: planned and unplanned. Planned downtime is the result of events you schedule, such as maintenance. By contrast, unplanned downtime is the result of events not within direct control of information technology (IT) administrators. These events can be minor, such as a buggy hardware driver or a processor that fails, or catastrophic, such as flood, fire, or earthquake.
Measuring Availability
Availability often is expressed as the percentage of time that a service is available for use. For example, a requirement for 99.9 percent availability over a one-year period allows 8.75 hours of downtime. In complex environments, organizations typically specify availability for a specific service, such as Exchange messaging, which in turn may have availability goals tied to specific features such as Microsoft Outlook Web App, Simple Mail Transfer Protocol (SMTP) message delivery, and Outlook Anywhere. For more information on high availability, refer to the CD content.
Key Points
Numerous components can comprise a messaging solution, and you should scrutinize them to ensure that failures will not affect the entire solution's availability. Once you identify these components, you can mitigate failures.

Question: Which components are important for running a high availability solution?

Question: What are some common single points of failure in a messaging solution?
Key Points
Exchange Server 2010 provides a number of improvements for mailbox availability. Although the mailbox high availability implementation differs from Exchange Server 2007, the basic concepts are the same. Exchange Server 2010 improves upon many of the Exchange Server 2007 mailbox availability features. For example, one database can have as many as 16 copies on 16 servers, and you can activate it on any of the servers without disconnecting clients. Additionally, to provide increased insurance against corruption, you can set these database copies to not apply transaction logs for up to 14 days. With the appropriate tools, you can use these lag copies to recover database information from a point up to 14 days previously. Details about how mailbox high availability works appear later in this module. There are no changes to public folder high availability in Exchange Server 2010. Although you should consider the location of the public folder servers, you create a high availability environment by adding replicas to multiple servers. Since this requires no additional configuration, this module does not discuss public folder high availability.
Key Points
It is as important to have high availability solutions for non-Mailbox server roles as for the Mailbox server roles, because not having them affects connectivity with the Mailbox server. For each of the non-Mailbox server roles, adding redundancy starts with adding multiple servers, and ends with configuring load balancing, whether with configuration, or software or hardware load balancing. If you are familiar with the high availability solutions for non-Mailbox server roles in Exchange Server 2007, these concepts largely hold true in Exchange Server 2010. This module provides details about making each of the non-Mailbox server roles highly available.
Lesson 2
Historically, the Mailbox server role was the most complex and critical component in a highly available Exchange Server deployment. Although this remains true, to a degree, Exchange Server 2010 reduces the complexity of deploying a highly available Mailbox server. In doing so, it also reduces the likelihood that administrators will configure a Mailbox server cluster improperly. After completing this lesson, you will be able to:
• Describe a database availability group (DAG).
• Describe Active Manager.
• Describe continuous replication.
• Describe how DAGs protect databases.
• Identify the differences between Exchange Server 2010 and Exchange Server 2007 mailbox availability options.
• Configure databases for high availability.
• Create and configure a DAG.
• Describe the transport dumpster.
• Describe the failover process.
• Monitor replication health.
Key Points
A DAG is a collection of servers that provides the infrastructure for replicating and activating database copies. The DAG leverages continuous transaction log replication to each of the passive database copies within the DAG, which:
• Requires the failover clustering feature, although all installation and configuration tasks occur with the Exchange Server management tools. Although a DAG requires the failover clustering feature, Exchange Server does not use Windows failover clustering to handle database failover. Instead, it uses Active Manager to control failover.
• Uses an enhanced version of the continuous replication technology that was in Exchange Server 2007. The best continuous replication pieces from Exchange Server 2007 were improved.
• Can be created after you install the Mailbox server. You can set up a Mailbox server to host active mailboxes, and then add it to the DAG later.
• Allows you to move a single database between servers in the group without affecting other databases. Failover clustering occurs per mailbox database, not for an entire server, which makes Exchange Server 2010 more flexible than previous Exchange Server versions.
• Allows up to 16 copies of a single database on separate servers. You can add up to 16 servers to a DAG, which allows you to create up to 16 copies of a database. The database copies must be stored in the same path on all servers. For example, if you store Mailbox Database 1 in D:\Mailbox\DB\Mailbox Database 1\ on VAN-EX1, then you must also store it in D:\Mailbox\DB\Mailbox Database 1\ on all other servers that host Mailbox Database 1 copies.
• Defines the boundary for replication, since only servers within the DAG can host database copies. You cannot replicate database information to Mailbox servers outside the DAG.
Key Points
Exchange Server 2010 includes a new component called Active Manager. Active Manager replaces the resource model and failover management features that previous Exchange Server versions provided during integration with the cluster service. Exchange Server no longer uses the cluster resource model for high availability. Exchange Server uses a Windows failover cluster, but there are no cluster groups for Exchange Server, and the cluster has no storage resources. In the Failover Cluster Management Console, you will see only the core cluster resources (IP Address and Network Name). The Active Manager runs on all Mailbox servers that are DAG members and runs as either the primary active manager (PAM) or a standby active manager (SAM). The PAM is the Active Manager in a DAG that decides which copies will be active and passive, and it is responsible for processing topology change notifications and reacting to server failures. Far from having a passive role, the SAM provides information about which server hosts the active copy of a mailbox database to other components of Exchange Server, such as the RPC Client Access service and the Hub Transport server. The SAM detects local database and local Information Store failures. It reacts to failures by asking the PAM to initiate a failover (if the database is replicated).
Key Points
Continuous replication was introduced for Mailbox servers in Exchange Server 2007. This feature creates a passive database copy on another Exchange Server computer in the DAG, and then uses asynchronous log shipping to maintain the copies. The continuous replication process is as follows:

1. The active log is written, and then closed.
2. The Replication Service replicates the closed log to servers hosting the passive databases.
3. Since each copy of the database is identical, the transaction logs are inspected and then replayed or applied to the database copies. The databases remain in sync.
Key Points
The active database copy uses continuous replication to keep the passive copies in sync based on their lag-time setting. A DAG leverages the Windows Server operating system failover clustering feature. However, it relies on the Active Manager server to maintain the status of all of the DAG's hosted databases. You can switch or fail over a single database between DAG servers. However, it is only active on one node at a time. At any given time, a copy is either the replication source or the replication target, but not both. A server may not host more than one copy of a given database. Not all databases need to have the same number of copies. In a 16-node DAG, one database can have 16 copies, while another database is not redundant and contains only the one active copy.
Database failovers occur when failures cause the active database to go offline. Either a single server failure or something specific to a database may cause the failure. A switchover occurs when an administrator intentionally coordinates moving the active database from one server to another.
Comparing Exchange Server 2010 to Exchange Server 2007 Mailbox Availability Options
Key Points
Exchange Server 2010 extends and improves upon the continuous replication technology that Exchange Server 2007 used. The new high availability model using the DAG is a more flexible and resilient solution than previous high availability solutions. The Exchange Server 2010 database high availability model:
- Has no single point of failure.
- Supports backups.
- Allows up to 16 copies of a database with a 14-day lag time.
- Can have multiple server roles run on the same server as the Mailbox server.
- Allows you to move a single database between servers.
Key Points
Creating a DAG is only the first step to providing database availability. You must create and configure additional database copies. Not only can you create a database copy initially, but an administrator also can create one at any time. You can distribute database copies across Mailbox servers in a flexible and granular way. You can replicate one, some, or all mailbox databases on a server in several ways. Specify the following information when creating a mailbox database copy:
- The name of the database you are copying.
- The name of the Mailbox server that will host the database copy.
- The amount of time (in minutes) for log replay delay. This is known as the replay lag time, which sets how long to wait before the logs are committed to the database copy. Setting the value for replay lag time to 0 turns off log replay delay.
- The amount of time (in minutes) for log truncation delay. This is known as the truncation lag time, which sets how long to wait before truncating committed transaction logs. Setting the value for truncation lag time to 0 turns off log truncation delay.
- An activation preference number. This is referred to as a preferred list sequence number, and it represents the activation preference order of a database copy after a failure or outage of the active copy.
DAG Networks
A DAG network is a collection of one or more subnets that Exchange Server uses for either replication traffic or MAPI traffic. Although Exchange Server supports one network adapter and path, we recommend a minimum of two DAG networks. In a two-network configuration, you typically dedicate one network to replication traffic and the other network to MAPI traffic. You can create additional networks in a DAG and configure them as replication networks for redundancy. We recommend that you do not use Internet SCSI (iSCSI) networks for DAG replication.
Question: How do you plan to use the preferred list sequence number?
Key Points
In this demonstration, you will review how to create a new database availability group, add member servers to it, and create a copy of a mailbox database.
Demonstration Steps
1. Click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Shell.
2. Use the New-DatabaseAvailabilityGroup cmdlet to create a Database Availability Group named DAG1 with a WitnessServer on VAN-DC1, and a WitnessDirectory of C:\FSWDAG1. Assign the DAG an IP Address of 10.10.0.25.
3. Use the Add-DatabaseAvailabilityGroupServer cmdlet to add VAN-EX1 as a member.
4. Click Start, click Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.
5. Use the Manage Database Availability Group Membership Wizard to add VAN-EX2 as a member of DAG1.
6. Use the Add Mailbox Database Copy Wizard to add a copy of Mailbox Database 1 to the second Mailbox server.
Note: Once you create a DAG, you then can create and configure DAG networks for replication or for MAPI traffic. Add additional networks for redundancy or improved throughput.
Question: What information do you need before you can configure a DAG?
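The following Exchange Management Shell script is an added example, not part of the course material: it performs the whole demonstration above from the shell, including the database-copy settings (replay lag, truncation lag, activation preference) described in the "Creating Mailbox Database Copies" topic. Server names, the IP address and the witness paths are the demonstration's; the copy settings and the final status check are assumed values chosen for illustration.

```powershell
# Added example (not from the 10135A course text). Builds the demonstration DAG end to end.
# Assumed: run in the Exchange Management Shell on VAN-EX1 as an Organization Management member.

# 1. Create the DAG. The witness server and directory are only used when the DAG has an even
#    number of members; the IP address becomes the failover cluster's administrative access point.
New-DatabaseAvailabilityGroup -Name DAG1 `
    -WitnessServer VAN-DC1 `
    -WitnessDirectory C:\FSWDAG1 `
    -DatabaseAvailabilityGroupIPAddresses 10.10.0.25

# 2. Add the Mailbox servers. The first call installs the failover clustering feature and forms
#    the cluster; the second simply joins it. (The demonstration adds VAN-EX2 from the console.)
Add-DatabaseAvailabilityGroupServer -Identity DAG1 -MailboxServer VAN-EX1
Add-DatabaseAvailabilityGroupServer -Identity DAG1 -MailboxServer VAN-EX2

# 3. Add a passive copy of "Mailbox Database 1" on VAN-EX2.
#    ReplayLagTime and TruncationLagTime take the .NET TimeSpan form days.hh:mm:ss;
#    0 (shown explicitly here) turns the delay off. ActivationPreference 2 makes this copy
#    Active Manager's tie-breaker choice after the copy with preference 1.
Add-MailboxDatabaseCopy -Identity "Mailbox Database 1" `
    -MailboxServer VAN-EX2 `
    -ReplayLagTime 0.00:00:00 `
    -TruncationLagTime 0.00:00:00 `
    -ActivationPreference 2

# 4. Confirm membership and that seeding finished. A Healthy copy with small copy and replay
#    queues and a Healthy content index is one Active Manager can activate without data loss.
Get-DatabaseAvailabilityGroup -Identity DAG1 -Status | Format-List Name, Servers, WitnessServer, PrimaryActiveManager
Get-MailboxDatabaseCopyStatus -Identity "Mailbox Database 1" |
    Format-Table Name, Status, CopyQueueLength, ReplayQueueLength, ContentIndexState, ActivationPreference -AutoSize
```

The lab task later in this module uses the same cmdlets with a different IP address (10.10.0.80); only the parameter values change.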
Key Points
If a failure occurs and some transaction logs are not replicated to the passive copy, you can use the transport dumpster to redeliver any recently delivered e-mail. The transport dumpster operates on the Hub Transport servers within Active Directory Domain Services (AD DS) or Active Directory directory service. When a database failover occurs, a request will be made to the Hub Transport servers to redeliver the lost e-mail messages. The next section details database failovers. The transport dumpster only holds e-mail that has been delivered. The local submission queue holds any pending e-mail. Once the transaction logs are replicated to each DAG server, the transport dumpster purges the message.
Key Points
A failover occurs when the server hosting the active database goes offline or something causes the active database to dismount. A switchover occurs when an administrator moves the active database from one server to another. When a failure affecting the active database occurs, Active Manager uses several sets of selection criteria to determine which database copy to activate. In the process for selecting the best copy to activate, Active Manager:
1. Enumerates the available copies.
2. Ignores all unreachable servers.
3. Sorts available copies by how current they are. The factors considered include the content index, copy queue length, and replay queue length.
4. Uses the activation preference, if a tie breaker is necessary.
Database Failovers
Before using the previously mentioned criteria to locate the best copy to activate, a process called attempt copy last logs (ACLL) occurs. ACLL makes parallel remote procedure calls to each DAG Mailbox server that hosts a copy of the mailbox database. This call checks whether the server is available and healthy, and examines the LogInspectorGeneration value for the database copy. The mailbox database copy with the highest LogInspectorGeneration value is the best source for copying log files. After the ACLL process is complete, if all missing log files were copied from the selected best source, the database mounts without any data loss. This is known as a lossless failover. If the ACLL process fails, then the configured AutoDatabaseMountDial value is consulted. If the number of lost logs is within the configured AutoDatabaseMountDial value, then Exchange Server mounts the database. If the number of lost logs falls outside the configured AutoDatabaseMountDial value, then Exchange Server does not mount the database until either missing log files are recovered, or an administrator explicitly mounts the database and accepts the larger data loss.
Use the Set-MailboxServer cmdlet to configure the AutoDatabaseMountDial setting for each DAG Mailbox server.
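As an added example (not course text), the following script shows the two halves of what this topic describes: setting the mount dial that governs automatic failover, and performing an administrator-initiated switchover while looking at the same copy-health values Active Manager ranks copies by. It assumes the DAG members VAN-EX1 and VAN-EX2 and the Accounting database used in this module's lab.

```powershell
# Added example (not from the 10135A course text).
# Assumed names: Mailbox servers VAN-EX1 / VAN-EX2 in DAG1, database "Accounting".

# AutoDatabaseMountDial values: Lossless (mount only if no log is missing),
# GoodAvailability (mount with up to 6 lost logs), BestAvailability (default; up to 12).
# The value is per Mailbox server, so set it on every DAG member.
Set-MailboxServer -Identity VAN-EX1 -AutoDatabaseMountDial GoodAvailability
Set-MailboxServer -Identity VAN-EX2 -AutoDatabaseMountDial GoodAvailability
Get-MailboxServer VAN-EX1, VAN-EX2 | Format-Table Name, AutoDatabaseMountDial, DatabaseCopyAutoActivationPolicy -AutoSize

# Before a switchover, inspect the health indicators Active Manager uses to sort copies:
# copy queue (logs not yet shipped), replay queue (logs shipped but not replayed), content index.
Get-MailboxDatabaseCopyStatus -Identity Accounting |
    Format-Table Name, Status, ActiveCopy, CopyQueueLength, ReplayQueueLength, ContentIndexState, ActivationPreference -AutoSize

# Switchover: move the active copy of Accounting to VAN-EX2. With -MountDialOverride None the
# target server's own AutoDatabaseMountDial stays in force; the cmdlet refuses to activate a copy
# that would lose more logs than that allows.
Move-ActiveMailboxDatabase -Identity Accounting -ActivateOnServer VAN-EX2 -MountDialOverride None -Confirm:$false

# Afterwards the VAN-EX2 copy should report Mounted and VAN-EX1 should be a Healthy passive copy.
Get-MailboxDatabaseCopyStatus -Identity Accounting | Format-Table Name, Status, ActiveCopy -AutoSize
```

Lowering the dial to Lossless trades availability for data protection: if ACLL cannot copy every missing log, the database stays dismounted until an administrator mounts it explicitly.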
Key Points
In this demonstration, you will review how to use the Exchange Management Console and Exchange Management Shell to review the available information regarding database-replication health.
Demonstration Steps
1. On VAN-EX1, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.
2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then expand Mailbox.
3. Review the status of each copy of the Mailbox Database 1 database.
4. Close Exchange Management Console.
Lesson 3
Other Exchange Server roles now handle some functionality that the Mailbox server handled in previous Exchange Server versions. For example, Microsoft Office Outlook clients no longer connect directly to the Mailbox server, but rather connect to the Client Access server for MAPI-based communication. Additionally, the Mailbox server no longer processes mail; the Hub Transport server now performs this task. With the other server roles performing more tasks, they become more important to the messaging environment's overall health. In this lesson, you will consider providing high availability for these non-mailbox servers. After completing this lesson, you will be able to:
- Describe and configure high availability for Client Access servers.
- Describe and configure high availability for Hub Transport servers.
- Describe and configure high availability for Edge Transport servers.
Key Points
A client access array is a load-balanced collection of Client Access servers that is in a single site. Since all client connections, including MAPI, rely on connections to Client Access servers, it is important to provide a redundant server array to improve availability. To create a client access array, you first must deploy multiple Client Access servers. Next, you need to use either hardware or software-based network load balancing to create a cluster. Then, add the name for the network load-balanced cluster into the Domain Name System (DNS). For example, you could add an A record for caa1.contoso.com that points to 10.10.10.25. After adding the DNS record, you can create the client access array and assign it to an Active Directory site using the New-ClientAccessArray cmdlet. Finally, you must assign the client access array to each of the mailbox databases in the site using the Set-MailboxDatabase cmdlet with the RpcClientAccessServer parameter. A client access array can exist only in a single Active Directory site. Therefore, you would need to create a client access array in each Active Directory site that needs to load balance Client Access servers.
How Shadow Redundancy Provides High Availability for Hub Transport Servers
Key Points
Exchange Server 2010 includes the shadow redundancy feature, which provides redundancy for messages for the entire time they are in transit. This is in addition to the transport dumpster. With shadow redundancy, the message deletion from the transport databases is delayed until the transport server verifies that all of the next hops for that message have completed delivery. If any of the next hops fail before reporting successful delivery, the transport server resubmits the message for delivery to that next hop. In the shadow redundancy scenario, the message flow follows these stages:
1. Hub delivers message to Edge:
   a. Hub opens SMTP session with Edge.
   b. Edge advertises shadow redundancy support.
   c. Hub notifies Edge to track discard status.
   d. Hub submits message to Edge.
   e. Edge acknowledges the receipt of message and records the Hub's name for sending discard information for the message.
   f. Hub moves the message to the shadow queue for Edge and marks Edge as the primary server. Hub becomes the shadow server.
2. Edge delivers message to the next hop:
   a. Edge submits message to third-party mail server.
   b. Third-party mail server acknowledges the message's receipt.
   c. Edge updates the discard status for the message as delivery complete.
3. Hub queries Edge for discard status (success case):
   a. At end of each SMTP session with Edge, Hub queries Edge for discard status on messages previously submitted. If Hub has not opened any SMTP sessions with Edge after the initial message submission, it will open an SMTP session with Edge to query for discard status after a specific time.
   b. Edge checks local discard status and sends back the list of messages that have been delivered, and removes the discard information.
   c. Hub server deletes the list of messages from its shadow queue.
4. Hub queries Edge for discard status and resubmits the message (failure case):
   a. If Hub cannot contact Edge, Hub resumes the primary server role and resubmits the messages in the shadow queue.
   b. Resubmitted messages are delivered to another Edge server, and the workflow starts from step 1.
Within Exchange Server 2010, the Shadow Redundancy Manager (SRM) is the core component of a Transport server that is responsible for managing shadow redundancy. The SRM is responsible for maintaining the following information for all the primary messages that a server is currently processing:
- The shadow server for each primary message being processed.
- The discard status to be sent to shadow servers.
The SRM is responsible for the following, for all the shadow messages that a server has in its shadow queues:
- Maintaining the list and checking primary server availability for each shadow message.
- Processing discard notifications from primary servers.
- Removing the shadow messages from the database once it receives all expected discard notifications.
- Deciding when the shadow server should take ownership of shadow messages, thus making it the primary server.
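The following script is an added example, not course text. It shows how an administrator verifies that the message flow above is actually in effect: the organization-wide switch, the shadow queues a Hub Transport server keeps for each next hop, and the messages still waiting for a discard notification. The server name VAN-EX3 is taken from this module's lab; a shadow queue only exists while a next hop has unacknowledged messages, so on an idle server the queue list is empty.

```powershell
# Added example (not from the 10135A course text). Assumed: run in the Exchange Management
# Shell; VAN-EX3 is a Hub Transport server that recently submitted messages to another hop.

# Shadow redundancy is an organization-level setting and is enabled by default.
Get-TransportConfig | Format-List ShadowRedundancyEnabled
# To turn it back on if it was disabled:
# Set-TransportConfig -ShadowRedundancyEnabled $true

# A shadow server keeps one shadow queue per next hop (DeliveryType "ShadowRedundancy").
# MessageCount tells you how many messages have been handed off but not yet confirmed discarded.
Get-Queue -Server VAN-EX3 -Filter { DeliveryType -eq "ShadowRedundancy" } |
    Format-Table Identity, NextHopDomain, MessageCount, Status, LastError -AutoSize

# The individual messages in those queues; they disappear once the primary server reports
# delivery (stage 3) or are resubmitted by this server if the primary becomes unreachable (stage 4).
Get-Queue -Server VAN-EX3 -Filter { DeliveryType -eq "ShadowRedundancy" } | Get-Message |
    Format-Table Identity, FromAddress, Subject, DateReceived, Status -AutoSize
```

A message that remains in a shadow queue long after the next hop reported delivery in its own logs is the symptom to investigate: either the SMTP session back to the primary server is failing, or the primary server does not advertise shadow redundancy support.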
Key Points
Edge Transport servers provide both inbound and outbound e-mail delivery. For outbound delivery, providing high availability is as simple as deploying multiple Edge Transport servers and creating an Edge subscription. If you have deployed Exchange servers in multiple Active Directory sites, you may need additional redundant Edge Transport servers.
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, 10135A-VAN-EX2, and the 10135A-VAN-EX3 virtual machines are running:
   - 10135A-VAN-DC1: Domain controller in the Adatum.com domain.
   - 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain.
   - 10135A-VAN-EX2: Exchange 2010 server in the Adatum.com domain.
   - 10135A-VAN-EX3: Exchange 2010 server in the Adatum.com domain.
3. If required, connect to the virtual machines. Log on to the virtual machines as Adatum\Administrator, using the password Pa$$w0rd.
Lab Scenario
You are the messaging administrator for A. Datum Corporation. You have completed the basic installation for three Exchange servers. Now you must complete the configuration so that they are highly available.
Task 1: Create a DAG named DAG1 using the Exchange Management Shell
1. On VAN-EX1, open the Exchange Management Shell.
2. Use the New-DatabaseAvailabilityGroup cmdlet to create a DAG with the following information:
   - Name: DAG1
   - WitnessServer: \\VAN-DC1\FSWDAG1
   - WitnessDirectory: C:\FSWDAG1
   - IP Address: 10.10.0.80
3. Use the Add-DatabaseAvailabilityGroupServer cmdlet to add VAN-EX1 as a member of DAG1.
4. On VAN-EX2, open the Exchange Management Console.
5. On the Database Availability Groups tab, add VAN-EX2 as a member of DAG1.
Exercise 2: Deploying Highly Available Hub Transport and Client Access Servers
Scenario
The network team used a hardware load balancer to load balance VAN-EX1 and VAN-EX2 for Client Access connections. They have assigned a load balanced IP address of 10.10.0.30, and have created a DNS record for the name CASArray.adatum.com. Now you must complete the Client Access configuration. The main tasks for this exercise are:
1. Create and configure a client access array for CASArray.adatum.com.
2. Assign the client access array to the databases.
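The following script is an added example, not the course's own lab answer. It carries out both tasks of this exercise with the cmdlets named in the "Client Access Server High Availability" topic of Lesson 3, using the lab's values (CASArray.adatum.com, 10.10.0.30, VAN-EX1 and VAN-EX2). The Active Directory site name is not given in the lab and is looked up rather than assumed.

```powershell
# Added example (not from the 10135A course text). Run in the Exchange Management Shell on VAN-EX1.
$arrayFqdn = "CASArray.adatum.com"   # name the network team registered in DNS
$vip       = "10.10.0.30"            # load balancer's virtual IP for the array

# 1. Confirm the prerequisite: the array name must resolve to the load-balanced address,
#    otherwise Outlook profiles will be pointed at a name that does not answer.
$resolved = [System.Net.Dns]::GetHostAddresses($arrayFqdn) | ForEach-Object { $_.IPAddressToString }
if ($resolved -notcontains $vip) {
    throw "$arrayFqdn resolves to [$($resolved -join ', ')], expected $vip. Fix DNS before continuing."
}

# 2. Create the array in the Active Directory site that VAN-EX1 belongs to.
#    A client access array is site-scoped, so one array per site is needed.
$site = (Get-ExchangeServer -Identity VAN-EX1).Site
New-ClientAccessArray -Name "CASArray" -Fqdn $arrayFqdn -Site $site

# 3. Point every mailbox database in that site at the array. RpcClientAccessServer is the
#    endpoint MAPI clients are told to use; new Outlook profiles pick it up immediately,
#    existing profiles after their next Autodiscover refresh.
foreach ($server in "VAN-EX1", "VAN-EX2") {
    Get-MailboxDatabase -Server $server | Set-MailboxDatabase -RpcClientAccessServer $arrayFqdn
}

# 4. Verify.
Get-ClientAccessArray | Format-Table Name, Fqdn, Site -AutoSize
Get-MailboxDatabase | Format-Table Name, Server, RpcClientAccessServer -AutoSize
```

Setting RpcClientAccessServer on a database does not change the underlying Mailbox server; it only changes the name Outlook connects to, which is what makes a Client Access server failure transparent to MAPI clients.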
Task 5: Start SMTP service on VAN-DC1 to allow delivery of the queued message
1. On VAN-DC1, open Server Manager.
2. Start the SMTP service.
Task 6: Verify that the messages were removed from the shadow redundancy queue
1. On VAN-EX2, open Queue Viewer.
2. Connect to VAN-EX3, where the message was queued in the shadow redundancy queue, and then verify that it is no longer queued.
Task 7: Verify the copy status of the Accounting database, and resume the database copy
1. On VAN-EX2, open the Exchange Management Console.
2. View the database copy health on the Suspended copy on VAN-EX2.
3. Resume the database copy on VAN-EX2, and wait until the copy status is Healthy.
Task 8: Perform a switchover on the Accounting database to make the VAN-EX2 copy active
1. On VAN-EX2, open the Exchange Management Console.
2. Verify that the active Accounting database is on VAN-EX1.
3. Select the Accounting database on VAN-EX2, and then activate the copy.
Review Questions
1. Besides planning for Exchange Server failures, what other failures should you consider?
2. In which scenarios might you use hardware load balancing with Edge Transport servers?
Module 8
Implementing Backup and Recovery
Contents:
Lesson 1: Planning Backup and Recovery 8-3
Lesson 2: Backing Up Exchange Server 2010 8-14
Lesson 3: Restoring Exchange Server 2010 8-25
Lab: Implementing Backup and Recovery 8-37
Module Overview
Your Exchange Server databases contain the messages for all of your users. Thus, these databases contain the data that is most important for you to retain, and backing up the databases that contain these messages is one of your key concerns regarding your messaging system. Sometimes users accidentally delete their e-mails, and you, as the administrator, must restore their messages. This can take a long time. Microsoft Exchange Server 2010 contains new backup and restore features that you should consider before using the traditional backup-to-tape approach that most organizations use. This module describes the backup and restore features of Exchange Server 2010, and details what you need to consider when you create a backup plan. After completing this module, you will be able to:
- Plan backup and recovery.
- Back up Exchange Server 2010.
- Restore Exchange Server 2010.
Lesson 1
Before deciding on which backup type you want to use and which software to buy, you first need to consider your available options. Exchange Server 2010 provides many new options for backing up your databases and restoring single items. In this lesson, you will learn the important considerations for backing up and restoring Exchange Server 2010, so that you can create a good plan for your organization. After completing this lesson, you will be able to:
- Describe the importance of planning for disaster recovery.
- Integrate high availability and disaster recovery.
- Identify and mitigate potential Exchange Server 2010 disasters.
- Recover deleted items.
- Describe the disaster-recovery options for Mailbox servers.
- Create a point-in-time database snapshot.
- Describe backup and restore scenarios.
Key Points
This discussion details the importance of disaster-recovery planning and of having an understanding of the options that Exchange Server has available should a disaster occur.
Question: Why is it important to plan for a disaster?
Question: What current plan does your organization have for disaster recovery?
Key Points
You can integrate your high availability deployment with disaster recovery, especially if you consider the Exchange Server 2010 high availability features sufficient to satisfy your backup requirements.
mailboxes better than previous versions, you should be aware of the additional data requirements for backup. The time it takes to restore a backup during disaster recovery skyrockets when you have large mailboxes. When you implement large mailboxes, consider using backup-less Exchange Server and the recoverable items folder in Exchange Server 2010 to recover data. These features provide you with two viable options to move away from traditional backups.
Key Points
As you prepare to implement disaster-recovery solutions in Exchange Server 2010, you first must identify the potential risks to the Exchange Server environment, and then identify the options for mitigating those risks. The following table lists potential risks and the Exchange Server 2010 options for mitigating the risks:
Risk: Loss of a single message
- Configure recoverable items folder and deleted item retention settings
- Recover messages from backup by using the recovery database

Risk: Loss of a single mailbox
- Configure mailbox-retention settings to ensure that you can recover most deleted mailboxes before they are deleted permanently
- Configure hold policy, and recover it from there using a discovery mailbox
- Recover mailbox using the recovery database

Risk: [risk name not legible]
- Create a DAG on another server
- Back up the Exchange Server data, and recover lost mailbox databases from backup

Risk: [risk name not legible]
- Create a lagged database copy in a DAG environment
- Back up the Exchange Server data, and recover lost mailbox databases from backup

Risk: Loss of an Exchange Server computer running the Hub Transport, Client Access, or the Unified Messaging server roles
- Implement redundant computers running Exchange Server for each role
- Back up all information on the computer running Exchange Server, and [remainder not legible]

Risk: Loss of an Exchange Server computer running the Mailbox server role
- Implement redundant databases using DAGs
- Implement a dial-tone recovery
- Back up all information on the computer running Exchange Server, and recover the server from backup
- Install Exchange Server 2010 on a new server in Recover Server mode

Risk: Loss of an Exchange Server computer running the Edge Transport server role
- Implement redundant Exchange servers for each role
- Back up all information on the computer running Exchange Server, and restore the server from backup
- Back up the Edge Transport server configuration using ExportEdgeConfig, and restore from backup

Risk: Loss of a supporting service, such as DNS or the Active Directory
- Implement redundant servers for each of the required services
- Implement a disaster-recovery plan for restoring Active Directory Domain Services (AD DS) or Active Directory directory service from backup
Key Points
In this demonstration, you will review how to configure the global hold policy for recoverable items, so that you can recover a deleted folder using the Discovery Search Mailbox.
Demonstration Steps
1. At the Exchange Management Shell prompt, type Set-Mailbox ScottMacDonald -SingleItemRecoveryEnabled:$true, and then press ENTER.
2. At the Exchange Management Shell prompt, type New-ManagementRoleAssignment -Role "Mailbox Import Export" -User adatum\administrator, and then press ENTER.
3. In the Exchange Management Console, assign the Administrator account full access permissions to the Discovery Search Mailbox.
4. In Scott MacDonald's mailbox, create a new folder, populate that folder with messages, and then delete the folder.
5. Log on to Microsoft Outlook Web App as Administrator to define a Mailbox Search.
6. Open the Discovery Search Mailbox, and verify that it contains the deleted message.
7. Use the Export-Mailbox cmdlet to recover the folder to its original mailbox.
8. Verify that the message was recovered by accessing Scott MacDonald's mailbox.
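The following script is an added example, not part of the course's demonstration. It performs the shell-side steps of the demonstration above and shows the checks that tell you single item recovery is protecting the mailbox. The user and administrator accounts are the demonstration's; the retention period, the target folder name and the use of Add-MailboxPermission for step 3 (the demonstration does it in the console) are assumptions.

```powershell
# Added example (not from the 10135A course text). Run in the Exchange Management Shell.
$user  = "ScottMacDonald"
$admin = "adatum\administrator"

# 1. Single item recovery keeps items a user purges from Deleted Items in the Recoverable
#    Items folder for the deleted-item retention window (30 days here is an assumed value;
#    the Exchange 2010 default is 14 days). Without it, a purged item is gone for good.
Set-Mailbox -Identity $user -SingleItemRecoveryEnabled $true -RetainDeletedItemsFor 30.00:00:00
Get-Mailbox -Identity $user | Format-List SingleItemRecoveryEnabled, RetainDeletedItemsFor

# 2. Export-Mailbox is not available to anyone by default; assign the role explicitly.
New-ManagementRoleAssignment -Role "Mailbox Import Export" -User $admin

# 3. Locate the Discovery Search Mailbox and grant the administrator Full Access so the
#    search results can be opened in Outlook Web App and exported.
$discovery = Get-Mailbox -RecipientTypeDetails DiscoveryMailbox
Add-MailboxPermission -Identity $discovery.Identity -User $admin -AccessRights FullAccess

# (Steps 4 to 6 of the demonstration happen in Outlook and Outlook Web App: delete the folder,
#  define the Mailbox Search, confirm the results arrived in the Discovery Search Mailbox.)

# 7. Copy the search results back into the user's mailbox. -TargetFolder keeps recovered data
#    apart from the live folders so nothing is overwritten.
Export-Mailbox -Identity $discovery.Identity -TargetMailbox $user -TargetFolder "Recovered Items" -Confirm:$false

# 8. Confirm the items arrived.
Get-MailboxFolderStatistics -Identity $user | Where-Object { $_.Name -eq "Recovered Items" } |
    Format-Table Name, ItemsInFolder, FolderSize -AutoSize
```

Because nothing in this flow touches a backup set, the recovery takes minutes rather than the hours a brick-level restore needs, which is the point the question below is asking you to weigh.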
Question: What is the benefit of using this feature to recover mailboxes compared to existing brick-level backup solutions?
Key Points
Exchange Server 2010 includes new recovery options for mailbox servers.
Key Points
In this demonstration, you will review how to configure a database copy on a remote server, and how to configure a database copy to be a lagged database. Additionally, you also will see how to disable an active server to prevent accidental activation.
Demonstration Steps
1. At the Exchange Management Shell prompt, type New-DatabaseAvailabilityGroup -Name DAG1 -WitnessServer VAN-DC1 -WitnessDirectory C:\FSWDAG1 -DatabaseAvailabilityGroupIPAddresses 10.10.0.100, and then press ENTER.
Note: You can only place the witness directory on a Hub Transport server when you are using the Exchange Management Console. However, when using the Exchange Management Shell, you can place the witness directory on any server, including a server that is not running any Exchange server role.
2. In the Exchange Management Console, add VAN-EX1 and VAN-EX2 to DAG1, and then add a copy of the Accounting database to VAN-EX2 with a replay lag time of 7 days.
3. At the Exchange Management Shell prompt, type Set-MailboxServer VAN-EX2 -DatabaseCopyAutoActivationPolicy Blocked, and then press ENTER.
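As an added example (not course text), the following script does steps 2 and 3 of the demonstration from the shell and then verifies the two properties that make a lagged copy useful as a point-in-time snapshot: the replay lag on the copy and the activation policy that stops Active Manager from mounting it automatically. Names come from the demonstration; the activation preference is an assumed value.

```powershell
# Added example (not from the 10135A course text). Assumed: DAG1 already exists and
# VAN-EX1 / VAN-EX2 are members; "Accounting" is active on VAN-EX1.

# Passive copy that replays shipped logs 7 days late. The copy queue stays near zero (logs are
# still shipped immediately, so the copy is protected), while the replay queue grows to a
# week's worth of logs: that backlog is the window for undoing logical corruption.
Add-MailboxDatabaseCopy -Identity Accounting -MailboxServer VAN-EX2 `
    -ReplayLagTime 7.00:00:00 -ActivationPreference 2

# Blocked: Active Manager never activates copies on this server during a failover. An
# administrator can still do so deliberately (Move-ActiveMailboxDatabase), which is what you
# want for a server whose only job is to hold the lagged copy.
Set-MailboxServer -Identity VAN-EX2 -DatabaseCopyAutoActivationPolicy Blocked

# Verify. ReplayLagTimes is keyed by server, so the value shows against VAN-EX2.
Get-MailboxDatabase -Identity Accounting | Format-List Name, ReplayLagTimes, TruncationLagTimes
Get-MailboxServer -Identity VAN-EX2 | Format-List Name, DatabaseCopyAutoActivationPolicy

# After a day or so of mail flow, expect Status Healthy, CopyQueueLength near 0 and a large
# ReplayQueueLength on the lagged copy.
Get-MailboxDatabaseCopyStatus -Identity "Accounting\VAN-EX2" |
    Format-List Status, CopyQueueLength, ReplayQueueLength, LastInspectedLogTime
```

Note that a lagged copy protects against corruption that is replicated through the logs (a bad script, a mass deletion); it does not replace a backup for a lost server, because the copy lives inside the same DAG.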
Key Points
Even though Exchange Server 2010 supports backup-less scenarios, there are cases in which your organization may want to maintain its traditional backup methods.
No Available DAGs
Organizations that do not use DAGs need to consider traditional ways to back up their databases.
Lesson 2
Backing up your company's data is the most serious task in your Exchange Server installation. You cannot recover necessary data if you have not backed it up correctly. In this lesson you will learn the different ways that you can back up data with Exchange Server 2010. After completing this lesson, you will be able to:
- Describe the backup changes in Exchange Server 2010.
- Describe the backup requirements for Exchange Server 2010.
- Describe backup strategies.
- Describe how a Volume Shadow Copy Service (VSS) backup works.
- Select an Exchange Server backup solution.
- Back up Exchange Server 2010.
Key Points
Exchange Server 2010 changes to the backup application-programming interface (API) and the underlying database structure affect how you back up the Exchange Server database.
Key Points
The backup requirements for Exchange Server 2010 computers differ depending on the Exchange server roles that you install on the computers. The following table lists the information that you need to back up for each Exchange server role:
Data to back up and its purpose:
- System State: includes the local configuration data of the machine. AD DS and Active Directory store most Exchange server configuration information, which is required to rebuild the server using Recover Server mode.
- Databases and transaction logs: restore data if a database or storage group is lost.
- Server certificates used for Secure Sockets Layer (SSL): restore the server certificate on a new Client Access server.
- Specific Internet Information Server (IIS) configuration: restore IIS configuration.
- Message-tracking logs: restore tracking information for analysis.
- Content-filtering database: restore the content-filtering configuration.
- [data item not legible]: restore the Edge Transport server configuration by enabling edge synchronization.
- [data item not legible] (Unified Messaging): restore audio prompts.
The Exchange Server environment includes additional information, such as the Offline Address Book, availability data that a local folder stores, and other configuration data. This information is rebuilt automatically when you rebuild the Exchange Server environment. AD DS and Active Directory store much of the configuration information, which you can restore only if an Active Directory domain controller is available. You must ensure that your disaster-recovery planning includes backing up and restoring AD DS and Active Directory.
Backup Strategies
Key Points
You can use Windows Server Backup in Windows Server 2008 or a third-party Exchange Server-aware backup tool to implement different backup strategies. The backup strategies from which you can choose include full, full plus incremental, full plus differential, copy, and brick-level backup. Each backup strategy has advantages and disadvantages in terms of storage requirements and performance. The backup strategy you select can affect how the restore process occurs.
Full Backups
A full backup performs an online backup of both the database files and transaction logs. After successful completion of a full database backup, transaction logs that have been committed to the Exchange Server database are deleted. Note: If a backup is not functioning properly, transaction logs on a server can grow quickly and cause a partition to run out of space. When the partition holding the transaction logs is out of space, the databases will dismount and be unavailable for use. A full backup each day is the preferred strategy. Restoring a full backup is simple, and it requires only one backup set.
Copy Backups
A copy backup is equivalent to a full backup of the databases. However, the transaction logs are not backed up, deleted, or marked in any way. This ensures that the copy does not affect scheduled incremental or differential backups.
Brick-Level Backups
Brick-level backups copy every message in all mailboxes. As a result, identical messages stored in several mailboxes all are backed up. This type of backup requires much more storage capacity and time than standard backup strategies, and it results in a backup that is significantly larger than the Exchange Server database. For a brick-level backup, you need specific third-party backup software that is capable of storing the backed-up data so you have single-item recovery. You use this when a user requests single-item recovery, even though the item is not available in the Deleted Items folder anymore.
Key Points
Exchange Server 2007 and Exchange Server 2003 include two different options for data backup and recovery: ESE streaming backup APIs and support for the VSS backup APIs. ESE streaming APIs are not available in Exchange Server 2010, thus you must back up Exchange Server with VSS backup APIs.
What Is VSS?
VSS provides the backup infrastructure for Windows Server 2008, as well as a mechanism for creating consistent point-in-time data copies, which are known as shadow copies. VSS produces consistent shadow copies by coordinating with business applications, file-system services, backup applications, fast-recovery solutions, and storage hardware. It includes the following components:
- Writer. The VSS writer that is included with Exchange Server 2010 and that coordinates Exchange Server 2010's input/output (I/O) with VSS.
- Requestor. Backup or restore application, such as Windows Server Backup.
- Provider. Low-level system or hardware interfaces, such as Storage Area Networks (SANs).
It notifies applications and services that a backup is about to occur. The services and applications, such as Exchange Server, therefore can prepare for the backup by cleaning up on-disk structures and flushing caches.
Key Points
When selecting a backup solution for Exchange Server, you must consider your system's characteristics and those of the software and hardware. System characteristics to consider include:
- The amount of data you are backing up.
- The time window in which the backup can occur.
- The type of backup you are performing.
- Recovery time requirements.
- Archiving requirements.
Selection criteria and explanation:
- Backup architecture: Your backup software should provide support for any operating systems that you have. Additionally, the backup software should be able to back up Exchange Server to your desired media, either on the local computer or over the network. Windows Server Backup is not capable of backing up to a remote tape drive.
- Scheduling: Your backup software should support the ability to schedule backups that you require for your organization. Most backup software allows you to schedule jobs at any time you require. However, it is easier to configure in some software packages.
- Brick-level backup support: If desired, ensure that your software supports brick-level backups.
- Exchange Server VSS API support: Your backup software must support the Exchange Server Backup VSS API to perform online backups successfully.
- Tape management: Different backup software has varying degrees of flexibility for tape management. This includes automated naming of blank tapes and preventing existing tapes from being overwritten accidentally.
- Vendor support is essential if you experience any problems during disaster recovery. Ensure that vendor support is available for your backup software.
- Some backup software has a disaster-recovery option that provides complete disaster recovery for a failed server, including Exchange Server.
- Your backup software must support the technologies that your company uses, including clustering or SANs.

Media characteristics (only the Tape column survived in the source):
Characteristic | Tape
Speed | Slower
Capacity | Up to 400 GB per tape (Tape libraries allow the use of multiple tapes.)
Off-site storage | Yes
Many organizations use disk-based backup as the first tier, and then utilize tape as a second tier. This allows you to perform primary backups quickly to disk. Typically, any data that you need to archive off site is backed up to tape from the disk backup.
Key Points
In this demonstration, you will review how to install the Windows Server Backup program and how to use Windows Server Backup to back up Exchange Server 2010. You will also use the Event Viewer to verify that the Exchange Server databases were backed up correctly.
Demonstration Steps
1. In Server Manager, add the Windows Server Backup feature.
2. In Windows Server Backup, create a backup set to back up the C: drive and run the backup.
3. In Event Viewer, verify that the Exchange Server databases are part of the backup and that they have been backed up successfully.
Question: Do you plan to use Windows Server Backup as your primary Exchange Server backup solution?
Lesson 3
Another important component in ensuring availability of e-mail services is planning for recovery. Organizations that implement high availability solutions still need to plan for scenarios in which the high availability solutions are not enough. These scenarios might include something as minor as needing to recover a single mailbox or message, to something as catastrophic as losing an entire data center. This lesson discusses how to restore Exchange Server 2010. After completing this lesson, you will be able to:
Describe restore strategies.
Recover data by using the recovery database.
Describe dial-tone recovery.
Implement dial-tone recovery.
Describe database mobility.
Recover computers that run Exchange Server.
Restore Strategies
Key Points
You can use several strategies to restore Exchange Server data. The strategy that you select depends upon the data that you need to recover.
Database Restores
Restoring a database overwrites the existing database with a restored copy of the database. After you restore the database, you can replay the current transaction logs to bring the database to its current state. You typically restore a database when it becomes corrupt or a disk fails.
Recovery Database
The recovery database restores databases without affecting current mailboxes. After you restore a database to the recovery database, you can copy messages to a folder or merge them into user mailboxes.
Dial-Tone Recovery
Dial-tone recovery is the process of implementing user access to e-mail services without first restoring data to user mailboxes. Dial-tone recovery enables users to send and receive e-mail as soon as possible after a database or server loss. This module discusses dial-tone recovery in more depth later.
Recovery Server
A recovery server is a dedicated server for restoring Exchange Server databases. This can be useful for testing backups to ensure that they are functioning properly. However, improvements in recovery-database performance have reduced the requirement to use a recovery server for data recovery.
Key Points
The recovery database is a recovered database that can coexist on the same server that hosts the original database. Users cannot access it directly. Only administrators can access it to recover single items, folders, mailboxes, or complete databases from the recovery database. The recovery database replaces the recovery storage group from previous Exchange Server versions. You can use the Exchange Management Shell to create a recovery database.
Specific item recovery. If a message no longer exists in the production database, you can restore the database that held the message to the recovery database. Then you can extract the data from the mailbox and copy it to a target folder or mailbox in the production database. However, you also should consider using a hold policy for this situation, because recovering the database might be time consuming.
Key Points
In this demonstration, you will review how to create a recovery database and how to restore data to the recovery database.
Demonstration Steps
1. Use Windows Server Backup to restore the Exchange Server databases to C:\DBBackup.
2. At the Exchange Management Shell prompt, type the following command, and then press ENTER. This command creates the recovery database using the recovered Accounting database (the paths contain spaces, so they must be quoted):
New-MailboxDatabase -Name RecoverDB -Server VAN-EX1 -EdbFilePath "c:\DBBackup\C_\Program Files\Microsoft\Exchange Server\V14\Mailbox\Accounting\Accounting.edb" -LogFolderPath "c:\DBBackup\C_\Program Files\Microsoft\Exchange Server\V14\Mailbox\Accounting" -Recovery
3. Use the eseutil /p "c:\dbbackup\c_\Program Files\Microsoft\Exchange Server\v14\Mailbox\Accounting\Accounting.edb" command to repair the recovered database.
4. At the Exchange Management Shell prompt, type Mount-Database RecoverDB, and then press ENTER.
5. Use the Get-MailboxStatistics -Database RecoverDB command to display the mailboxes in the recovery database.
6. At the Exchange Management Shell prompt, type Restore-Mailbox -Identity MichiyoSato -RecoveryDatabase RecoverDB, and then press ENTER.
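The six steps above as one script, added here as an example that is not the course's own code; it assumes the demonstration's restore location C:\DBBackup and adds the header check and soft-recovery attempt a practitioner would want before resorting to eseutil /p.

```powershell
# Added example, not part of the course. Run in the Exchange Management Shell on VAN-EX1.
# Assumes Windows Server Backup restored the Accounting database to C:\DBBackup as in the
# demonstration above. The mailbox alias and target folder are lab placeholders.

$edb  = 'C:\DBBackup\C_\Program Files\Microsoft\Exchange Server\V14\Mailbox\Accounting\Accounting.edb'
$logs = 'C:\DBBackup\C_\Program Files\Microsoft\Exchange Server\V14\Mailbox\Accounting'
$rdb  = 'RecoverDB'

if (-not (Test-Path -LiteralPath $edb)) { throw "Restored database file not found: $edb" }

# Read the database header first. A database restored from a VSS backup is usually in
# Dirty Shutdown state, which only means its transaction logs have not been replayed yet.
$header = & eseutil.exe /mh $edb
$state  = ($header | Where-Object { $_ -match '^\s*State:' }) -replace '^\s*State:\s*', ''
Write-Output "Database state: $state"

if ($state -ne 'Clean Shutdown') {
    # Soft recovery (/r) replays the logs and loses nothing. The hard repair (/p) used in
    # the demonstration is the last resort: it discards any page it cannot read, so run it
    # only when there are no logs to replay or soft recovery fails. The log prefix
    # (E00, E01, ...) is taken from the restored log file names.
    $firstLog = Get-ChildItem -LiteralPath $logs -Filter '*.log' | Select-Object -First 1
    if ($firstLog) {
        $logPrefix = $firstLog.BaseName.Substring(0, 3)
        & eseutil.exe /r $logPrefix /l $logs /s $logs /d $logs
    } else {
        Write-Warning "No transaction logs found in $logs; soft recovery is not possible"
        $LASTEXITCODE = 1
    }
    if ($LASTEXITCODE -ne 0) {
        Write-Warning 'Falling back to hard repair (eseutil /p); unreadable pages will be lost'
        & eseutil.exe /p $edb
        if ($LASTEXITCODE -ne 0) { throw "eseutil /p failed with exit code $LASTEXITCODE" }
    }
}

# Create the recovery database on top of the restored files and mount it. Users never see
# this database; only administrators can read from it.
New-MailboxDatabase -Recovery -Name $rdb -Server VAN-EX1 -EdbFilePath $edb -LogFolderPath $logs
Mount-Database -Identity $rdb

# List what the recovery database holds before restoring anything from it.
Get-MailboxStatistics -Database $rdb | Format-Table DisplayName, ItemCount, TotalItemSize -AutoSize

# Restore one mailbox into a subfolder of the live mailbox rather than merging in place,
# so the user can review the recovered items without anything in the live mailbox changing.
Restore-Mailbox -Identity 'MichiyoSato' -RecoveryDatabase $rdb -RecoveryMailbox 'MichiyoSato' `
    -TargetFolder 'Recovered Items' -Confirm:$false

# Remove the recovery database once the restored data has been checked.
Dismount-Database -Identity $rdb -Confirm:$false
Remove-MailboxDatabase -Identity $rdb -Confirm:$false
```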
Question: What is the difference between using Single Item Recovery and performing a restore by using the recovery database?
Key Points
Dial-tone recovery is the process of implementing user access to e-mail services without first restoring data to user mailboxes. Dial-tone recovery enables users to send and receive e-mail as soon as possible after a database or server loss. Users can send and receive e-mail messages, but they do not have access to the historical mailbox data. You then can recover the database or server, and restore the historical mailbox data. After you bring the recovered database back online, you can merge the dial-tone database and the recovered database into a single up-to-date mailbox database.
Key Points
There are several dial-tone recovery scenarios. However, all scenarios follow the same general steps.
3. If necessary, configure the mailboxes that were on the failed database to use the new dial-tone database. You must configure the mailboxes to use the new database if you create the dial-tone database on a different server. If necessary, configure the Microsoft Office Outlook client profiles:
- If the server with the failed database is operational, you do not need to reconfigure Office Outlook client computers to use the new mailbox database. When the Outlook client computer tries to connect to the mailbox, the client profile reconfigures automatically to use the mailbox database on the original or new Mailbox server.
- If the original server is not available, and you are using AutoDiscover for Outlook 2007 client computers, the user profile updates automatically. If you are using previous Outlook client computers, you need to reconfigure the user profiles manually to use the new server.
- If users are using Outlook Web App, they will connect automatically to their mailboxes when they access Outlook Web App on a Client Access server.
Note: At this point, users can connect to their mailboxes in the dial-tone database. The dial-tone database does not contain any data, so the mailboxes will be empty. Additionally, the database does not retain user-specific settings, such as folder hierarchy, Inbox rules, meetings, and contacts. However, users should have messaging functionality. If the client computers are running Outlook 2007 or Outlook 2003, and you configure the client computers to run in cached mode, users receive a prompt to connect or work offline when they connect to the dial-tone database. If users choose to connect to the server, they will see an empty mailbox (the local cached copy is replaced with the empty mailbox). If they choose to work offline, they will see all of the historical data stored in the offline folders (.ost) file.
4. Restore the failed databases from backup. After the dial-tone database is operational and you reconfigure the client computers to use the new database, if necessary, you can work on restoring the failed database. If the original server is operational, you can restore the database on the failed server using a recovery database. If the original server is not operational, you can recreate the failed database on another server, and then restore both to the new server.
5. Merge the data in the two databases. Because you have restored messaging functionality by implementing the dial-tone database, users will be sending and receiving e-mail while you are restoring the original databases. When the recovery is complete, users should be able to access both the original and the dial-tone data. This means that you must merge the contents of the dial-tone database with those of the original database. To do this, you will use the recovery database.
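Steps 3 to 5 above in the Exchange Management Shell, as an added example that is not part of the course; the database names and path are assumed for the lab, and the final step relies on a recovery database created as in the earlier demonstration.

```powershell
# Added example, not part of the course. Run in the Exchange Management Shell on VAN-EX1.
# Assumes the failed database is Accounting on VAN-EX1 and, for the final step, that its
# backup has already been restored and mounted as a recovery database named RecoverDB.
# The dial-tone database name and path are lab placeholders.

$failedDb = 'Accounting'
$dialTone = 'DialTone-Accounting'
$dtPath   = 'C:\DialTone\DialTone-Accounting.edb'
$rdb      = 'RecoverDB'

# A dial-tone database is simply a new, empty mailbox database.
New-MailboxDatabase -Name $dialTone -Server VAN-EX1 -EdbFilePath $dtPath -LogFolderPath (Split-Path -Parent $dtPath)
Mount-Database -Identity $dialTone

# Step 3: re-home every mailbox from the failed database to the empty one. Set-Mailbox
# -Database only rewrites the mailbox's home-database attribute in AD DS; no data moves,
# which is why users get working (but empty) mailboxes quickly.
$mailboxes = @(Get-Mailbox -Database $failedDb -ResultSize Unlimited)
$mailboxes | Set-Mailbox -Database $dialTone
Write-Output ('{0} mailboxes re-homed from {1} to {2}' -f $mailboxes.Count, $failedDb, $dialTone)

# Check that nothing was left behind; a mailbox still homed on the failed database stays offline.
$left = @(Get-Mailbox -Database $failedDb -ResultSize Unlimited)
if ($left.Count -gt 0) { Write-Warning ('{0} mailboxes are still homed on {1}' -f $left.Count, $failedDb) }

# Step 5, after the original database has been restored to the recovery database: merge the
# historical items into the dial-tone mailboxes. Without -TargetFolder, Restore-Mailbox copies
# items into the matching folders, so mail sent and received on the dial-tone database since
# the failure is kept and each user ends up with one up-to-date mailbox. Mailboxes in the
# recovery database are matched by alias, as the demonstration does.
foreach ($mbx in $mailboxes) {
    Restore-Mailbox -Identity $mbx.Alias -RecoveryDatabase $rdb -RecoveryMailbox $mbx.Alias -Confirm:$false
}
```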
Key Points
Database mobility disconnects databases from servers, adds support for up to 16 copies of a single database, and provides a native experience for adding database copies to a database. Additionally, DAGs use database mobility to enable database copying between servers. In Exchange Server 2007, the database portability feature enabled you to move a mailbox database between servers. A key distinction between database portability and database mobility, however, is that all copies of a database have the same globally unique identifier (GUID). Other key characteristics of database mobility are:
- Because Exchange Server 2010 does not use storage groups, continuous replication now operates at the database level.
- Transaction logs replicate to one or more other Mailbox servers, and replay into a copy of a mailbox database that those servers store.
- A failover or switchover can occur at the database or server level.
- Database names for Exchange Server 2010 must be unique within the Exchange Server organization.
- When you configure a mailbox database with one or more database copies, the full path for all database copies must be identical on all Mailbox servers that host a copy.
- You can back up any mailbox database copy (the active or any passive copy) by using an Exchange Server-aware, VSS-based backup application.
Note: Only mailbox databases are mobile. Public folder databases are not portable because replication between public folder databases is controlled by each database being linked to, and accessed through, a specific server.
Key Points
When recovering a failed Exchange Server, you have several options. The option you choose determines the process that you use to restore the server.
Directory, the original Exchange Server files and services then are installed on the server, and the Exchange server roles and settings that AD DS and Active Directory stored then are applied to the server. Important: When you run Exchange Server Setup in Recover Server mode, it must be able to connect to AD DS and Active Directory, and read the Exchange Server configuration information that links to the name of the computer that is running Exchange Server. This means that the computer account still must exist in AD DS and Active Directory. If you delete the computer account, you will not be able to restore the Exchange Server.
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and the 10135A-VAN-SVR1 virtual machines are running.
   10135A-VAN-DC1: Domain controller in the Adatum.com domain
   10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain
   10135A-VAN-SVR1: Standalone server
3. If required, connect to the virtual machines.
4. Log on to VAN-DC1 and VAN-EX1 as Adatum\Administrator, using the password Pa$$w0rd. Log on to VAN-SVR1 as Administrator, using the password Pa$$w0rd.
5. In Microsoft Hyper-V Manager, click VAN-SVR1, and, in the Actions pane, click Settings.
6. Click DVD Drive, click Image file, and then click Browse.
7. Browse to C:\Program Files\Microsoft Learning\10135\Drives, click EXCH201064.iso and click Open.
8. Click OK.
9. On VAN-SVR1, close the AutoPlay dialog box.
Lab Scenario
You are a messaging administrator for A. Datum Corporation. Your organization has deployed Exchange Server 2010. You now want to ensure that all Exchange Server-related data is backed up and that you can restore not only the full server or database, but also a mailbox or mailbox folder.
Task 2: Perform a backup of the mailbox database using Windows Server Backup
1. Use Server Manager to install Windows Server Backup.
2. Perform a custom backup of the C:\ drive using a VSS full backup. Store the backup files on \\VAN-DC1\Backup.
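The backup and verification from the earlier demonstration and from this task, as an added PowerShell example that is not part of the course; it assumes the lab names VAN-EX1 and \\VAN-DC1\Backup and runs in the Exchange Management Shell on the Mailbox server.

```powershell
# Added example, not part of the course. Run in the Exchange Management Shell on VAN-EX1.
# Assumes the lab share \\VAN-DC1\Backup exists and the account can write to it.

$target = '\\VAN-DC1\Backup'

# Record each database's backup timestamp before the job so that the change is visible.
$before = @{}
Get-MailboxDatabase -Server VAN-EX1 -Status | ForEach-Object { $before[$_.Name] = $_.LastFullBackup }

# Run the VSS full backup of C: with the Windows Server Backup command-line tool.
# -vssFull marks the backup as full for the VSS writers, so the Exchange writer truncates
# the transaction logs when the backup succeeds; -vssCopy would leave them in place.
& wbadmin.exe start backup -backupTarget:$target -include:C: -vssFull -quiet
if ($LASTEXITCODE -ne 0) {
    throw "wbadmin returned exit code $LASTEXITCODE; check the Windows Backup event log"
}

# Verify from Exchange's side: LastFullBackup must have advanced for each database and no
# backup may still be flagged as in progress. A database that never shows a timestamp was
# not part of the backup, however successful wbadmin reports the job to be.
Get-MailboxDatabase -Server VAN-EX1 -Status | ForEach-Object {
    if ($_.BackupInProgress) {
        Write-Warning "$($_.Name): backup still in progress"
    } elseif (-not $_.LastFullBackup -or $_.LastFullBackup -eq $before[$_.Name]) {
        Write-Warning "$($_.Name): LastFullBackup did not advance; the database was not backed up"
    } else {
        Write-Output "$($_.Name): full backup completed at $($_.LastFullBackup)"
    }
}

# Cross-check in the Application log, where the ESE provider records backup start and
# completion for each database (the events the demonstration looks at in Event Viewer).
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'ESE' } -MaxEvents 50 |
    Where-Object { $_.Message -match 'backup' } |
    Format-Table TimeCreated, Id, Message -AutoSize -Wrap
```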
4. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start.
5. To connect to the virtual machine for the next module's lab, click 10135A-VAN-DC1, and then in the Actions pane, click Connect.
Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines.
6. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.
7. Wait for VAN-EX1 to start, and then start VAN-CL1. Connect to the virtual machine.
Review Questions
1. What kind of backup options for Exchange Server 2010 do you find suitable for your organization?
2. What options does Exchange Server 2010 include for restoring a single item from a mailbox?
Module 9
Configuring Messaging Policy and Compliance
Contents:
Lesson 1: Introducing Messaging Policy and Compliance 9-3
Lesson 2: Configuring Transport Rules 9-7
Lesson 3: Configuring Journaling and Multi-Mailbox Search 9-27
Lab A: Configuring Transport Rules, Journal Rules, and Multi-Mailbox Search 9-37
Lesson 4: Configuring Messaging Records Management 9-43
Lesson 5: Configuring Personal Archives 9-56
Lab B: Configuring Messaging Records Management and Personal Archives 9-62
Module Overview
Microsoft Exchange Server 2010 provides new tools for coping with a growing number of legal, regulatory, and internal policy and compliance requirements that relate to e-mail. Most organizations must be able to filter e-mail delivery based on several criteria, and to manage e-mail retention and deletion. This module describes how to configure the Exchange Server 2010 messaging policy and compliance features. After completing this module, you will be able to:
Describe messaging policy and compliance.
Configure transport rules.
Configure journaling and Multi-Mailbox Search.
Configure Messaging Records Management (MRM).
Configure Personal Archives.
Lesson 1
In most countries, governments have implemented legislation that restricts the storage and movement of certain information. Additionally, many organizations have implemented corporate security policies that limit how information can be shared within the organization. Because e-mail is a critical business tool in most organizations, it is important that you configure your organization's messaging system so that it is compliant with government legislation and corporate policies. Messaging policies in Exchange Server 2010 enable messaging administrators to manage e-mail messages that are in transit and at rest, and ensure that your organization meets compliance requirements. This lesson provides an overview of messaging policies and their use. After completing this lesson, you will be able to:
Describe messaging policy and compliance.
Identify compliance requirements.
Implement messaging policy and compliance.
Key Points
Messaging compliance features in Exchange Server 2010 consist of a set of rules and settings that restrict message flow and storage. You can use these features to apply rules to messages as your organization's users send and receive them. You can use the messaging policy and compliance features to regulate how users store messages, and to search all user mailboxes for messages based on a variety of criteria. You can apply these features to Exchange Server computers running the Edge Transport, Hub Transport, and Mailbox server roles.
Key Points
E-mail is a primary means of communication in many organizations, and users typically send a great deal of business information by e-mail. This information may include confidential information, such as customer data or business intelligence. One use of Exchange Server 2010 messaging policies is to provide features that help you comply with legal requirements and corporate messaging policies regarding e-mail messages. Question: What type of business does your organization conduct? What are some legislated compliance requirements for your organization? Question: What additional compliance requirements does your organization have? Question: How are you currently meeting these compliance requirements?
Key Points
Exchange Server 2010 provides many options for implementing messaging policies, including the following:
- Transport rules. You can define transport rules on both the Edge Transport and Hub Transport servers. On Edge Transport servers, you can restrict message flow based on message data, such as specific words or text patterns in the message subject, body, header, or From address; the spam confidence level (SCL); and attachment type. On Hub Transport servers, you configure rules that support an extended set of conditions, which allows you to control message flow based on distribution groups, internal or external recipients, message classifications, and message importance.
- Rights management integration. Exchange Server 2010 enables integration with Active Directory Rights Management Service (AD RMS) to apply policies that restrict what recipients can do with their received messages.
- Message journaling. Exchange Server 2010 provides several options for saving copies of messages. For example, you can configure journal rules on Hub Transport servers. You can journal messages according to the message's distribution scope, and you can define the conditions that trigger the journaling action by specifying as criteria an individual user, the sender, or the recipient's distribution-list membership. You also can configure message journaling for specific mailbox databases, or implement message journaling as part of a Messaging Records Management deployment.
- Mailbox searching. The Multi-Mailbox Search feature enables users with the appropriate permissions to search all mailboxes for specific content. In Exchange Server 2010, the mailbox search functionality is available through the Multi-Mailbox Search interface in the ECP.
- Message retention and deletion. Administrators can use the MRM features to retain messages that organizations require for business or legal reasons, and to delete unnecessary messages.
- Personal Archives. Exchange Server 2010 allows you to create archive mailboxes for users so they can store the contents of .pst folders and old messages that they want to retain. You can search and manage archive mailboxes like any other mailboxes on the Exchange servers.
Lesson 2
You can implement messaging policies and compliance by applying transport rules to messages as users send them within the organization. By implementing transport rules, you ensure that all e-mail messages sent within the organization or to external recipients meet your organization's compliance requirements. You also can apply rights management policies to messages by using transport rules. This lesson describes how to implement transport rules in Exchange Server 2010. After completing this lesson, you will be able to:
Describe transport rules.
Describe transport rule components.
Configure transport rules.
Identify message classifications.
Describe AD RMS.
Describe how AD RMS components work together.
Describe AD RMS interaction.
Configure AD RMS integration.
Describe options for moderated transport.
Configure moderated transport.
Key Points
Exchange Server applies transport rules to messages as they pass through Edge Transport or Hub Transport servers. The Transport Rule agent applies transport rules on Hub Transport servers, and the Edge Rule agent applies them on Edge Transport servers. Transport rules restrict message flow or modify message content while messages are in transit.
Key Points
All transport rules, whether they apply to Hub Transport or Edge Transport servers, have similar configurations.
Predicates. Conditions and exceptions use predicates to define which part of an e-mail message the conditions and exceptions examine to determine whether Exchange Server should apply the transport rule to that message. Some predicates examine the To: or From: fields, whereas other predicates examine the subject, body, or attachment size. To determine whether Exchange Server should apply a transport rule to a message, most predicates require that you specify a value that the predicates use to test against the message.
Key Points
In this demonstration, you will review how to configure transport rules. You can configure transport rules by using either the Exchange Management Console or the Exchange Management Shell. If you are using the Exchange Management Console on a Hub Transport server, access the Hub Transport container in the Organization Configuration work area. To configure transport rules using the Exchange Management Shell, run the following cmdlets:
- The Get-TransportRule, New-TransportRule, Remove-TransportRule, Set-TransportRule, Enable-TransportRule, and Disable-TransportRule cmdlets create, remove, and configure transport rules.
- The Get-TransportRuleAction cmdlet retrieves a list of all available transport rule actions.
- The Get-TransportRulePredicate cmdlet retrieves a list of all available rule predicates.
- The Import-TransportRuleCollection and Export-TransportRuleCollection cmdlets import and export a set of transport rules configured on a Hub Transport server or Edge Transport server.
Note: Implementing transport rules with security features, such as digital signatures or encryption, can result in potential issues. For example, if you add a disclaimer to digitally signed messages, the signature becomes invalid. When users open the message, the original message displays as an attachment and only the signature that the transport rule adds is visible in plain text. If users encrypt messages using Secure Multipurpose Internet Mail Extensions (S/MIME) or another encryption tool, the transport rules can access the message envelope headers and process messages based on unencrypted information. Transport rules that require inspection of message content, or actions that may modify content, cannot process encrypted messages.
Demonstration Steps
1. Open the Exchange Management Console.
2. Under Organization Configuration, in the Hub Transport node, create a new transport rule with the following configuration: Name: Type Company Disclaimer HTML. Condition: Choose sent to users that are inside the organization. Action: Choose append disclaimer text and fallback to action if unable to apply. Disclaimer text: Type the following:
<html> <body> <br> </br> <br> </br> <b><font color=red>This e-mail and attachments are intended for the individual or group addressed.</font></b> </body> </html>
3. Open the Exchange Management Shell.
4. Type the following cmdlet (the name, pattern, and reason text contain spaces or backslashes, so they must be quoted):
New-TransportRule -Name "Social Insurance Number Block Rule" -SubjectOrBodyMatchesPatterns "\d\d\d-\d\d\d-\d\d\d" -RejectMessageEnhancedStatusCode 5.7.1 -RejectMessageReasonText "This message has been rejected because of content restrictions"
5. To test the transport rules: Send a message from one internal user to another. Verify that the HTML disclaimer is attached. Send a message from one internal user to another with the string 111-111-111 in the message body. Verify that the sender receives a non-delivery report (NDR).
Note: In a regular expression, the \d pattern string matches any single numeric digit. You can use a variety of pattern strings to search the message contents for a consistent pattern. For example, you can use \s to represent a space, or \w to represent any letter or decimal digit. For detailed information about configuring regular expressions in a transport rule, see the topic Regular Expressions in Transport Rules in Exchange Online Help. Question: What transport policies will you need to implement in your organization?
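The two rules from the demonstration above and a local check of the pattern discussed in the regular-expression note, as an added example that is not part of the course; it assumes a Hub Transport server and uses constructed sample messages.

```powershell
# Added example, not part of the course. Run in the Exchange Management Shell on a Hub
# Transport server. Rule names and the disclaimer text follow the demonstration above.

$disclaimer = @'
<html><body><br></br><br></br><b><font color=red>This e-mail and attachments are intended for the individual or group addressed.</font></b></body></html>
'@

# Rule 1: HTML disclaimer on mail sent to internal recipients. 'Wrap' is the fallback used
# when the disclaimer cannot be inserted (for example, into a signed message): the original
# is delivered as an attachment of a new message that carries the disclaimer.
New-TransportRule -Name 'Company Disclaimer HTML' `
    -SentToScope InOrganization `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerText $disclaimer `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# Rule 2: reject mail whose subject or body contains a nine-digit pattern shaped like a
# social insurance number. Single quotes keep the backslashes and spaces intact.
$pattern = '\d\d\d-\d\d\d-\d\d\d'
New-TransportRule -Name 'Social Insurance Number Block Rule' `
    -SubjectOrBodyMatchesPatterns $pattern `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -RejectMessageReasonText 'This message has been rejected because of content restrictions'

# Confirm that both rules exist and are enabled, in priority order.
Get-TransportRule | Sort-Object Priority | Format-Table Priority, Name, State -AutoSize

# Before trusting the pattern, test it locally against constructed samples. It is not
# anchored, so it also fires on longer digit runs such as a phone number, which is the
# kind of false positive to check for before the rule starts rejecting real mail.
$samples = @(
    'My SIN is 123-456-789, please update my file.',   # matches, as intended
    'Call me on 555-123-4567 tomorrow.',                # matches too: "555-123-456" is inside
    'Order 123-45-6789 has shipped.'                    # does not match
)
foreach ($s in $samples) { '{0,-5} {1}' -f ($s -match $pattern), $s }
```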
Key Points
Message classifications are Exchange Server 2007 (or later) and Outlook 2007 (or later) features that enable users or transport rules to mark a message with a label. When a message is classified, the message contains metadata that describes some information about the recipient or sender of the message, or some other information about the message. Outlook 2007 and Outlook Web App then act on this metadata and display the classification's description to the message's senders and recipients. In Exchange Server 2010, you also can configure a transport rule that acts on the metadata by applying an action based on the classification.
Deploy the .xml file that contains definitions of the message classifications to each client computer that uses these classifications. You must recreate and redeploy this file whenever you update the message classification list on an Exchange server. Create a new registry key that enables message classification and references the Classifications.xml file on the client computer.
Note: For detailed information about deploying message classifications for Outlook 2007, see the topic Deploy Message Classification for Outlook 2007 in the Exchange Server Help file.
What Is AD RMS?
Key Points
AD RMS is an information-protection technology that works with AD RMS-enabled applications to help safeguard digital information from unauthorized use.
AD RMS Components
Several components interact with AD RMS. It is important to understand each of these components:
- Author. The user or service that generates the rights-protected document.
- AD RMS-enabled applications. Specific applications are enabled for, and can interact with, AD RMS. Authors can use these applications to create and protect content, and recipients can use them to read protected content and apply the appropriate rights to it.
- Recipient. The user or service that accesses the rights-protected document.
- AD RMS server. The server with an installed AD RMS server role. This server is responsible for providing the licenses that control access to content. When you install the first AD RMS server, Exchange Server creates an AD RMS root cluster. You can add other AD RMS servers to the cluster.
- Database server. AD RMS requires a database service. The Windows Internal Database feature deployed on the same server as the AD RMS server can provide this service, as can Microsoft SQL Server installed on another computer. The database stores configuration and other AD RMS-related information.
- AD DS and Active Directory. These services authenticate authors and recipients so that Exchange Server applies the appropriate rights to the content.
Key Points
The AD RMS components work together to enable secure creation, distribution, and consumption of protected data.
with the recipient's public key. It then adds the encrypted session key to the use license. This ensures that only the intended recipient can access the file.
5. The AD RMS cluster sends the generated use license to the recipient's computer. The application examines both the license and the recipient's account certificate. Exchange Server then grants the user access per the content author's specifications.
Key Points
Exchange Server 2010 integrates with AD RMS to provide several options for ensuring content protection as users send messages through e-mail. To use any of these features in an onsite Exchange Server deployment, Exchange Server 2010 requires an on-premises Windows Server 2008 AD RMS deployment.
the user's computer is enrolled in the AD RMS deployment. When you open or view a message in the preview pane, the message is decrypted using the use license added to the message by the pre-licensing agent. Once decrypted, the message displays in the preview pane. If a pre-license is not available, Outlook Web App requests one from the AD RMS server before displaying the message. Important: Before configuring Journal Report Decryption, Transport Decryption, or IRM for Outlook Web App, you must give Exchange servers the right to decrypt IRM-protected content. Do this by adding the Federated Delivery Mailbox to the super users group configured on the AD RMS cluster. You must also use the Set-IRMConfiguration cmdlet to enable the required features.
Key Points
In this demonstration, you will review how to configure and test AD RMS and Exchange Server 2010 integration. The first part of the demonstration will show you how to protect e-mail messages by using AD RMS. This feature does not require any special Exchange Server functionality. The second part of the demonstration will show you how to configure a transport rule that applies AD RMS protection to a message based on message properties.
Demonstration Steps
1. Open Outlook 2007 and create a new message for an internal recipient.
2. In the Message ribbon, click the Permission icon.
3. In the Windows Security dialog box, log on as the mailbox user.
4. In the Permission dialog box, select the Restrict permission to this document check box.
5. When the message appears, verify that the message now contains the Do Not Forward header. Send the message.
6. Log on as the message recipient, open Outlook 2007, open the restricted message, and then log on using the user credentials. Verify that you do not have permission to forward the message.
7. On VAN-DC1, modify the permissions on the C:\inetpub\wwwroot\_wmcs\certification\servercertification.asmx file to grant Read and Execute access to the Exchange Servers group and the anonymous Internet Information Services (IIS) user account.
8. Restart IIS.
9. On an Exchange server, at the Exchange Management Shell prompt, type the following cmdlet, and press ENTER. This cmdlet enables AD RMS encryption on the Hub Transport server: Set-IRMConfiguration -InternalLicensingEnabled:$true
10. Use the Test-IRMConfiguration cmdlet to test the IRM configuration.
11. In the Exchange Management Console, create a new transport rule named AD RMS Test Rule, which applies the Do Not Forward AD RMS template for all messages sent between two specified users.
12. Send a message from one of the specified users to the other. Verify that the Do Not Forward template is applied to the message.
Question: Does your organization have AD RMS deployed? Are you planning to deploy AD RMS?
Question: How will Exchange Server 2010 make it easier to deploy AD RMS?
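Steps 9 to 12 above in the Exchange Management Shell, as an added example that is not part of the course; the sender and user addresses in the Adatum.com domain are assumed lab values, and the check on the Test-IRMConfiguration output assumes its usual OVERALL RESULT line.

```powershell
# Added example, not part of the course. Run in the Exchange Management Shell on a Hub
# Transport server after the AD RMS cluster has been prepared as in steps 7 and 8 above.
# The sender and the two user addresses are lab placeholders.

# Let the transport pipeline obtain licenses from the AD RMS cluster.
Set-IRMConfiguration -InternalLicensingEnabled $true

# Test-IRMConfiguration walks the whole path (service discovery, certification, and
# protecting a test message as the given sender). Its output ends in an OVERALL RESULT
# line (assumed format); stop here if that is not PASS rather than creating a rule that
# will fail to protect mail.
$result = Test-IRMConfiguration -Sender 'Administrator@adatum.com'
$result | Format-List
if (($result | Out-String) -notmatch 'OVERALL RESULT:\s*PASS') {
    throw 'IRM is not ready; fix the failing check before creating the rule'
}

# The template the rule applies must be one the AD RMS cluster actually publishes.
$template = Get-RMSTemplate | Where-Object { $_.Name -eq 'Do Not Forward' }
if (-not $template) { throw 'The Do Not Forward template is not available from AD RMS' }

# Apply the template to all mail between the two users (step 11 in the console).
New-TransportRule -Name 'AD RMS Test Rule' -From 'user1@adatum.com' -SentTo 'user2@adatum.com' `
    -ApplyRightsProtectionTemplate $template.Name

# Show the rule as stored, so the template reference can be verified before step 12.
Get-TransportRule -Identity 'AD RMS Test Rule' | Format-List Name, From, SentTo, ApplyRightsProtectionTemplate
```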
Key Points
The Exchange Server 2010 moderated transport feature enables you to require moderator approval for all e-mail messages sent to specific recipients, and you can specify any type of recipient as a moderator. The Hub Transport servers ensure that all messages sent to those recipients go through an approval process. You can also use transport rules to enforce moderation. For example, you could configure a transport rule that sends a message for moderation based on any of the available criteria.
Note: Previous Exchange Server versions do not support moderated recipients. If a message sent to a moderated distribution group is expanded on a Hub Transport server that is running Exchange Server 2007, it will be delivered to all members of that distribution group, and bypass the moderation process. If you have Exchange Server 2007 Hub Transport servers in your Exchange Server 2010 organization, and you want to use moderated distribution groups, you must designate an Exchange Server 2010 Hub Transport server as the expansion server for the moderated distribution groups. Doing this ensures that all messages sent to the distribution group are moderated. For more information about moderation, refer to the CD content.
Key Points
In this demonstration, you will review how to configure a distribution list for moderation and how to configure a transport rule that enforces moderation for all messages sent to a distribution list. Note: In this demonstration, you will configure a distribution list by using the Exchange Management Console. If you need to enable a mailbox or contact for moderation, you will need to use the Set-Mailbox cmdlet with the -ModerationEnabled:$true and -ModeratedBy parameters.
Demonstration Steps
1. In the Exchange Management Console, under Recipient Configuration, click Distribution Group.
2. In the middle pane, right-click a distribution list, and then click Properties.
3. On the Mail Flow Settings tab, double-click Message Moderation.
4. In the Message Moderation dialog box, select the Messages sent to this group have to be approved by a moderator check box. Add the group moderators and add any users who do not require moderation to send to the group.
5. Create a new transport rule that forwards any message sent to a distribution list for moderation. Choose a moderator for the rule, and then configure any exceptions that are required.
6. Send a message to the distribution group configured for moderation.
7. Send a message to the distribution group configured for moderation in the transport rule.
8. Open the mailbox of a moderator configured for both the distribution group and transport rule. Approve both messages.
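The same moderation setup, done from the Exchange Management Shell, as an added example that is not part of the courseware; the group All Company, the moderator Andreas and the server VAN-EX1 are taken from the lab, the rule name and the bypass list are assumptions:

```powershell
# Added example (not from the courseware): configure the moderation that the
# demonstration performs in the console, using the Exchange Management Shell.
# Rule name and bypass list are assumptions for this example.

# 1. Enable moderation on the distribution group. Messages to the group are
#    held in the arbitration mailbox until a moderator approves or rejects them.
Set-DistributionGroup -Identity "All Company" `
    -ModerationEnabled $true `
    -ModeratedBy "Andreas" `
    -BypassModerationFromSendersOrMembers "Administrator" `
    -SendModerationNotifications Internal

# 2. Pin expansion to an Exchange Server 2010 Hub Transport server. If an
#    Exchange Server 2007 Hub Transport server expanded the group, the
#    message would be delivered to all members without moderation.
Set-DistributionGroup -Identity "All Company" -ExpansionServer "VAN-EX1"

# 3. Enforce moderation with a transport rule as well: every message sent to
#    the group is routed to the moderator, except mail from the Administrator.
New-TransportRule -Name "Moderate All Company" `
    -SentTo "All Company" `
    -ModerateMessageByUser "Andreas" `
    -ExceptIfFrom "Administrator"

# 4. Verify the resulting configuration before testing with live mail.
Get-DistributionGroup -Identity "All Company" |
    Format-List ModerationEnabled, ModeratedBy, BypassModerationFromSendersOrMembers, ExpansionServer
Get-TransportRule -Identity "Moderate All Company" |
    Format-List SentTo, ModerateMessageByUser, ExceptIfFrom
```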
Question: Will you deploy moderated transport in your organization? If so, where would you use it?
Lesson 3
Message journaling and Multi-Mailbox Search, second only to transport rules, are important components for enforcing messaging compliance. Message journaling allows you to archive all messages automatically that meet criteria that you specify. You can archive journaled messages to any SMTP address, including an Exchange mailbox, Microsoft SharePoint document library, or a third-party archiving solution. In addition to message journaling, Exchange Server 2010 also includes the Multi-Mailbox Search feature, which enables an authorized user to search all of the organization's mailboxes based on specific criteria. This lesson describes how to configure and manage message journaling and Multi-Mailbox Search in Exchange Server 2010.
After completing this lesson, you will be able to:
- Describe message journaling options.
- Configure message journaling.
- Manage the message journal mailbox.
- Describe Multi-Mailbox Search.
- Configure Multi-Mailbox Search.
Key Points
Journaling enables you to save copies of all e-mail messages in a collection mailbox when they are sent to, or from, specified mailboxes, contacts, or distribution-group members. You also can configure journaling based on messages sent to, or received from, mailboxes in a mailbox database, or configure journaling as part of a messaging-records management rule. Messages that meet the journaling criteria are sent to the collection mailbox as a journal report. This report includes detailed information such as the recipient's address, the sender's address, and the message's subject.
Scope: Internal
Description: Rules with this scope process messages sent and received by recipients inside the organization.

Scope: External
Description: Rules with this scope process messages sent to recipients or from senders outside the organization.

Scope: Global
Description: Rules with this scope process all messages that pass through a computer that has a Hub Transport server. These include messages that journal rules processed previously in the Internal and External scopes.
Journal rules configured on a Hub Transport server apply to the entire Exchange Server organization.
Journal Reports
When a message meets the journal criteria, a journal report is sent to the SMTP address that the rule lists. The journal report is a new e-mail message that includes the original message, unaltered, as an attachment. The information that the journal report contains is organized so that every value in each header field has its own line. The Journaling agent captures as much detail as possible about the original message. This information is important in determining the message's intent, its recipients, and its senders. For example, how the message identifies recipients (directly addressed in the To field or the Cc field, or included in a distribution list) may determine how the recipient is involved in the discussion occurring in the message. For more information about the journal report, refer to the CD content.
Key Points
In this demonstration, you will review how to configure a message journaling rule using the Exchange Management Console. You can configure journaling rules by using either the Exchange Management Console or the Exchange Management Shell. To configure journal rules with the Exchange Management Shell, use the following cmdlets:
New-JournalRule
Get-JournalRule
Set-JournalRule
Enable-JournalRule
Disable-JournalRule
Remove-JournalRule
Demonstration Steps
1. In Exchange Management Console, under Organization Configuration, click Hub Transport.
2. Create a new journal rule. Specify a name for the rule, and a journal mailbox. A copy of all messages that the rule affects will be sent to the journal mailbox.
3. Specify the journal rule scope and recipients. The scope defines whether only internal or only external messages, or both, will be journaled. All messages that the recipient sends or receives are journaled.
4. Send a test message to a journal recipient. Log on to the journal recipient mailbox, and then reply to the message.
5. Log on to the journal mailbox and confirm that the journal mailbox contains a journal report for both the sent message and the reply message.
Question: What are the advantages and disadvantages of using the Exchange Server 2010 message journaling feature?
Key Points
In a large organization or if you configure journaling for a large number of users, the journal mailbox can grow very rapidly. Additionally, the journal mailbox may contain highly confidential information that should not be accessible to most users. This means that you will need to develop policies for managing the journal mailbox.
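The journal rule from the demonstration above, followed by the controls on the journal mailbox that this topic calls for, as an added Exchange Management Shell example (not code from the courseware). The mailbox, group and MailboxAuditor names follow the lab in this module; the UPN domain, the NDR mailbox and the quota values are assumptions.

```powershell
# Added example (not from the courseware): create the journal rule with the
# Exchange Management Shell, then contain the journal mailbox it feeds.
# UPN domain, NDR mailbox and quota values are assumptions.

# 1. A dedicated mailbox that receives nothing but journal reports.
New-Mailbox -Name "Executives Journal Mailbox" -Alias ExecJournal `
    -UserPrincipalName "ExecJournal@adatum.com" `
    -Password (Read-Host "Password for the journal mailbox" -AsSecureString)

# 2. Journal every message sent to or from Executives members. Scope Global
#    covers internal and external mail; Internal or External would narrow it.
New-JournalRule -Name "Executives Department Message Journaling" `
    -JournalEmailAddress "ExecJournal@adatum.com" `
    -Recipient "Executives@adatum.com" `
    -Scope Global `
    -Enabled $true

# 3. Journal reports that cannot be delivered go here instead of being lost.
#    This address must not itself be a journal mailbox.
Set-TransportConfig -JournalingReportNdrTo "JournalNdr@adatum.com"

# 4. Contain the mailbox: only the auditor may open it, unauthenticated
#    (external) senders are rejected, it is hidden from address lists, and it
#    has an explicit warning quota so rapid growth is noticed early. The
#    receive quota is left unlimited: if the mailbox refused mail, every
#    journal report would turn into an NDR.
Add-MailboxPermission -Identity "Executives Journal Mailbox" `
    -User "MailboxAuditor" -AccessRights FullAccess -InheritanceType All
Set-Mailbox -Identity "Executives Journal Mailbox" `
    -RequireSenderAuthenticationEnabled $true `
    -HiddenFromAddressListsEnabled $true `
    -UseDatabaseQuotaDefaults $false `
    -IssueWarningQuota 40GB -ProhibitSendQuota 45GB -ProhibitSendReceiveQuota Unlimited

# 5. Verify the rule and the explicit permissions before relying on them.
Get-JournalRule -Identity "Executives Department Message Journaling" |
    Format-List Name, Scope, Recipient, JournalEmailAddress, Enabled
Get-MailboxPermission -Identity "Executives Journal Mailbox" |
    Where-Object { -not $_.IsInherited -and $_.User -notlike "NT AUTHORITY\*" } |
    Format-Table User, AccessRights
```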
Key Points
Many organizations need to be able to search mailboxes for specific content while performing compliance audits. By using the Exchange Server 2010 Multi-Mailbox Search feature, organizations can now easily search all user mailboxes.
Key Points
In this demonstration, you will review how to configure Multi-Mailbox Search. To use the Multi-Mailbox Search feature, you must add the users who will perform the search to the Mailbox Search management role. The easiest way to do this is to add the user to the Discovery Management universal security group in AD DS or Active Directory. The user then can use the ECP to search for messages based on multiple criteria.
Demonstration Steps
1. In Active Directory Users and Computers, add the user or group that will perform Discovery searches to the Discovery Management group.
2. Send a message with a keyword or phrase in it. You will be searching on this keyword or phrase.
3. Connect to the Exchange Control Panel on a Client Access server using the account that will perform the search.
4. On the Reporting tab, under Multi-Mailbox Search, configure the search parameters.
5. Select the Send me an e-mail when the search is done check box, and then start the search.
6. Open the e-mail indicating the search is finished, and then click the Discovery Search Mailbox link.
7. Review the messages located by the search.
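The same search performed from the Exchange Management Shell, as an added example that is not part of the courseware. The search name, phrase and source mailboxes are those of the lab in this module (Customer Number Discovery, George Schaller and Luca Dellamore); the MailboxAuditor account as status recipient is an assumption.

```powershell
# Added example (not from the courseware): Multi-Mailbox Search from the
# Exchange Management Shell. The status recipient is an assumption.

# 1. The Mailbox Search role is held only by members of the Discovery
#    Management role group. Grant search rights through that group rather
#    than by giving the auditor Full Access to individual mailboxes.
Add-RoleGroupMember -Identity "Discovery Management" -Member "MailboxAuditor"

# 2. Define the search: which mailboxes, what phrase (quoted for an exact
#    phrase match), where the copies land, and who is notified on completion.
New-MailboxSearch -Name "Customer Number Discovery" `
    -SourceMailboxes "George Schaller", "Luca Dellamore" `
    -SearchQuery '"customer number"' `
    -TargetMailbox "Discovery Search Mailbox" `
    -StatusMailRecipient "MailboxAuditor" `
    -LogLevel Full

# 3. Run it and poll until it finishes. Results are copied into a folder
#    named after the search, with one subfolder per source mailbox.
Start-MailboxSearch -Identity "Customer Number Discovery"
do {
    Start-Sleep -Seconds 10
    $search = Get-MailboxSearch -Identity "Customer Number Discovery"
} while ($search.Status -eq "InProgress")
$search | Format-List Status, ResultNumber, ResultSize, ResultsLink

# 4. Periodically review who is able to search every mailbox in the
#    organization; membership of this group should stay short.
Get-RoleGroupMember -Identity "Discovery Management"
```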
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and the 10135A-VAN-CL1 virtual machines are running:
   10135A-VAN-DC1: Domain controller in the Adatum.com domain.
   10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain.
   10135A-VAN-CL1: Client computer in the Adatum.com domain.
3. If required, connect to the virtual machines.
4. Log on to VAN-DC1 and VAN-EX1 as Adatum\Administrator using the password Pa$$w0rd. Log on to VAN-CL1 as Adatum\Luca using the password Pa$$w0rd.
Lab Scenario
You are a messaging administrator in A. Datum Corporation. Your organization has deployed Exchange Server 2010. The legal and audit departments at A. Datum provided you with several requirements for implementing messaging policy and compliance. These requirements include applying rights protection to some messages sent inside and outside the organization, restricting message flow based on message classifications, and restricting which messages are sent to critical distribution lists. You also must ensure that you establish a separate and secure mailbox in which to retain all messages that the legal department sends and receives.
The main tasks for this exercise are:
1. Create a transport rule that adds a disclaimer to all messages sent to the Internet.
2. Enable message classifications for Outlook 2007 clients.
3. Create a transport rule that blocks all messages with an Internet Confidential classification from being sent to the Internet.
4. Enable AD RMS integration for the organization.
5. Configure a transport rule that applies the Do Not Forward AD RMS template to all messages with the words confidential or private in the subject.
6. Configure a moderated group.
7. Test the transport rule configuration.
Task 1: Create a transport rule that adds a disclaimer to all messages sent to the Internet
On VAN-EX1, create a new transport rule with the following settings:
Name: Internet E-Mail Disclaimer
Conditions: Sent to users outside the corporation
Actions: Add a disclaimer
Disclaimer text: This e-mail is intended solely for the use of the individual to whom it is addressed
Task 2: Configure and enable message classifications for Outlook 2007 clients
1. On VAN-EX1, use the New-MessageClassification -Name CompanyConfidential -DisplayName "Company Confidential" -SenderDescription "Do not forward to the Internet" cmdlet to configure a new message classification.
2. Use the Export-Classification.ps1 script in the C:\Program Files\Microsoft\Exchange Server\v14\scripts folder to export the message classifications to the C:\Classifications.xml file.
3. Copy the Classifications.xml file to drive C on VAN-CL1.
4. On VAN-CL1, import the EnableClassifications.reg file from \\van-ex1\d$\Labfiles.
Task 3: Create a transport rule that blocks all messages with a Company Confidential classification from being sent to the Internet
Create a new transport rule with the following settings:
Name: Company Confidential Rule
Condition: Marked with classification Company Confidential
Actions: Send rejection message to sender with enhanced status code
Rejection message text: Company confidential e-mail messages cannot be sent to the Internet
Enhanced status code: 5.7.1
Task 5: Configure a transport rule that applies the Do Not Forward AD RMS template to all messages with the words confidential or private in the subject
Create a new transport rule with the following settings:
Name: Confidential E-Mail Rule
Condition: Where the subject contains the words Confidential or Private
Actions: Protect the message with the Do Not Forward template
3. On VAN-DC1, open Windows Explorer. Browse to the C:\inetpub\mailroot\queue folder. Open the EML file with Notepad. Scroll to the middle of the message, and verify that the disclaimer has been added to the message.
4. On VAN-CL1, confirm that Luca received a message from the postmaster account stating that the second message could not be delivered.
5. In Outlook, create a new message, and send it to the All Company distribution group.
6. Connect to the Outlook Web App site on VAN-EX1. Log on as Andreas. Approve the message.
7. In Outlook, verify that the message to the All Company distribution list has arrived.
8. In Outlook Web App, logged on as Andreas, create a new message with a subject of Private. Send the message to Luca.
9. In Outlook, verify that Luca received the message and that it has the Do Not Forward template applied. Verify that the Forward option is not available on the message.
Results: After this exercise, you should have configured a transport rule that ensures that all messages sent to users on the Internet include a disclaimer that the legal department approves. Additionally, you should have configured a transport rule that ensures that messages with a Company Confidential classification are not sent to the Internet, and you should have configured a transport rule that applies the Do Not Forward AD RMS template to all messages with the words confidential or private in the subject. Lastly, you should have configured a moderated group using the All Company distribution group.
The main tasks for this exercise are:
1. Create a mailbox for the Executives department journaling messages.
2. Create a journal rule that saves a copy of all messages sent to and from Executives department members.
3. Create and configure the MailboxAuditor account.
4. Test the journal rule and Multi-Mailbox Search configuration.
Task 2: Create a journal rule that saves a copy of all messages sent to and from Executives department members
Create a new journal rule with the following attributes:
Rule name: Executives Department Message Journaling
Journal mailbox: Executives Journal Mailbox
Scope: Global
Recipient: Executives distribution group
Grant the Mailbox Auditor account full access to the Executives Journal Mailbox and Discovery Management Mailbox mailboxes. Add the Mailbox Auditor account to the Discovery Management Active Directory group.
5. Connect to the Exchange Control Panel as the MailboxAuditor. Create a new search named Customer Number Discovery. Configure the search to look for the phrase customer number in George Schaller's and Luca Dellamore's mailboxes. Wait until the search finishes, and then in the bottom right pane, click the Open link. In Outlook Web App, verify that the discovery folder named Customer Number Discovery contains two subfolders and contains the discovered messages.
Results: After this exercise, you should have created a mailbox for the Executives department journaling messages, and then created a journal rule that saves a copy of all messages sent to and from Executives department members. You also should have created and configured the MailboxAuditor account.
Lesson 4
An important requirement for many organizations is managing the e-mail stored in users' mailboxes. In some cases, organizations may need to retain some messages while deleting others after a specified time. Exchange Server 2010 uses MRM to implement this functionality through retention policies and managed folders. This lesson describes how to implement MRM in Exchange Server 2010.
After completing this lesson, you will be able to:
- Describe Retention Tags and retention policies.
- Configure Retention Tags and retention policies.
- Describe managed folders.
- Deploy managed folders.
- Implement managed custom folders and content settings.
- Identify options for implementing MRM.
Key Points
In Exchange Server 2010, you use Retention Tags to tag messages or folders for retention or deletion. Each Retention Tag is associated with one or more managed content settings, which define the time for which items are retained, and what will happen when the retention period expires. You can associate multiple Retention Tags with a retention policy, which then is assigned to a user mailbox.
Retention Tags
Use Retention Tags to apply retention settings to mailbox folders and individual items. The following types of Retention Tags are available:
- Retention Policy Tags: Retention Policy Tags are applied to default mailbox folders such as Inbox, Deleted Items, and Junk Mail. A Retention Policy Tag has one or more Managed Content Settings associated with it for retaining messages of different types. It may have an additional Managed Content Settings associated with journaling settings.
- Default Policy Tag: A Default Policy Tag can be associated with a retention policy and applies to all items in the mailbox that do not have a Retention Tag explicitly applied to them, or that do not inherit a tag from the folder they reside in. A Default Policy Tag can have more than one Managed Content Settings associated with it for different item types such as e-mail messages, voice mail, and Contacts. Additionally, it can also have a Content Settings with journaling settings. You cannot have more than one Default Policy Tag associated with a retention policy.
- Personal Tags: Personal Tags are Retention Tags available to users as part of their retention policy. A user can opt in to use additional Personal Tags using the ECP, and can apply them to folders or items in the mailbox. Personal Tags can have only one managed content setting for expiry of all message types.
Retention Policies
Retention policies group one or more Retention Tags and apply the tags to mailboxes. A Retention policy consists of one or more Retention Policy Tags, a maximum of one Default Policy Tag, and any number of Personal Tags. You can link or unlink tags from a retention policy at any time. You can apply Retention policies to mailboxes using the Exchange Management Shell or the ECP. A mailbox cannot have more than one retention policy.
What Is AutoTagging?
Key Points
AutoTagging is an Exchange Server 2010 feature that optimizes the use of Retention Tags by automatically applying Retention Tags to items based on past user behavior.
Administrative Control
Regardless of whether a user or administrator enables AutoTagging on a mailbox, Exchange Server 2010 lets the administrator control AutoTagging functionality, as necessary. Administrators can enable or disable AutoTagging for a mailbox. To do this, use the Set-MailboxComplianceConfiguration -Identity user -RetentionAutoTaggingEnabled cmdlet to assign a value of $true or $false.
Key Points
In this demonstration, you will review how to configure the three types of Retention Tags, and how to configure content settings for the Retention Tags. Then you will see how to combine the Retention Tags into a retention policy and how to assign the retention policy to a user.
Demonstration Steps
Use the following cmdlets to configure Retention Tags and policies:

New-RetentionPolicyTag DefaultTag -Type:All -MessageClass AllMailboxContent -RetentionEnabled $true -AgeLimitForRetention 365 -RetentionAction PermanentlyDelete -IsPrimary:$true

This cmdlet creates a new default Retention Policy Tag named DefaultTag that applies to all folders. The retention policy content settings will apply to all messages that do not have another Retention Tag assigned to them, and will permanently delete all messages after 365 days.

New-RetentionPolicyTag InboxTag -Type:Inbox -MessageClass:* -AgeLimitForRetention:30 -RetentionEnabled:$true -RetentionAction:MoveToDeletedItems

This cmdlet sets a Retention Tag for the Inbox folder and configures a content setting to move all messages to the Deleted Items folder after 30 days.

New-RetentionPolicyTag "Business Critical" -Type:Personal -MessageClass:* -AgeLimitForRetention:1100 -RetentionEnabled:$true -RetentionAction:MoveToArchive

This cmdlet creates a Personal Tag named Business Critical that sets a retention period of about three years and moves the messages to the user archive mailbox when the retention period expires.

New-RetentionPolicy AllTagsPolicy -RetentionPolicyTagLinks DefaultTag,InboxTag,"Business Critical"

This cmdlet creates a new retention policy named AllTagsPolicy, and adds all of the Retention Tags to the policy.

Set-Mailbox Luca -RetentionPolicy AllTagsPolicy

This cmdlet assigns the AllTagsPolicy retention policy to Luca's mailbox.
Question: Do you think you will implement retention policies?
Question: Which MRM option are you more likely to implement: managed custom or default folders, or retention policies?
Key Points
In addition to retention policies, you can implement MRM by configuring managed folders. When you configure managed folders, you can configure managed content settings that specify how long to retain messages in specified e-mail folders. You can apply managed content settings to the default e-mail folders or to managed custom folders that you create in user mailboxes. You then can create managed folder mailbox policies that apply the content settings for a folder or group of folders to specified users.
Note: Exchange Server 2007 introduced managed folders, and Exchange Server 2010 supports managed folders that are configured in Exchange Server 2007.
- Configure retention periods, which enable you to define how long content will remain in users' mailboxes. You can configure these policies by content age and message type, such as voice mail or appointments.
- Configure what action occurs when the retention period expires. For example, you can configure messages to be deleted permanently, moved to the Deleted Items folder, or moved to another folder.
- Configure journal settings to ensure copies of all messages in the specified folder are sent to another recipient.
Key Points
To implement MRM, you must complete the following steps:
1. Specify the folders to which you want to apply MRM. You can apply managed content settings to default folders in user mailboxes, or you can create managed custom folders in user mailboxes.
2. Specify the managed content settings for selected folders. When you configure content settings, you can configure options that define the message types you want to manage, how long to retain the messages, and what action to take when messages expire. You also can configure journaling settings that will save a copy of all messages in the folder.
3. Create a managed folder mailbox policy. You can use mailbox policies to group multiple managed folders.
4. Apply the managed folder mailbox policy to users' mailboxes. By default, no managed folder mailbox policies are created or applied to user mailboxes.
5. Schedule the managed folder assistant to apply the changes to users' mailboxes. The managed folder assistant creates managed folders in users' mailboxes and applies managed content settings to them. By default, the managed folder assistant runs from 1 A.M. to 5 A.M. every day.
Key Points
In this demonstration, you will review how to configure a managed custom folder, and then apply a content setting to the custom folder. You also will see how to configure a managed folder mailbox policy and apply it to a user account.
Demonstration Steps
1. In the Exchange Management Console, in the Organization Configuration work area, click Mailbox.
2. Create a new managed custom folder using the following configuration:
   Name: Contoso Project
   Comment: All items related to Contoso Project should be posted here and will be retained for 2 years
3. Right-click the Contoso Project folder, and then create a new managed content setting with the following configuration:
   Name: Contoso Project Content Settings
   Message type: All Mailbox Content
   Length of retention period: 731
   Retention period starts: When item is moved to the folder
   Action to take at the end of the retention period: Permanently delete
   Journaling: Disabled
4. In the Actions pane, click New Managed Folder Mailbox Policy, and then create a new managed folder mailbox policy named Accounting Department Policy that includes the Contoso Project folder.
5. Assign the Accounting Department Policy to all users in the Accounting OU.
6. On the Mailbox server properties, schedule the Managed Folder Assistant to run during the current time.
7. Restart the Microsoft Exchange Mailbox Assistants service.
8. Use Outlook Web App to check the mailbox of an Accounting department member. Verify that the Contoso Project folder was created in the user's mailbox.
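The five MRM steps listed earlier in this topic, carried out for the demonstration's Contoso Project folder with the Exchange Management Shell, as an added example that is not part of the courseware. Folder, setting and policy names and the 731-day value are those of the demonstration; the OU path and the mailbox used to trigger the assistant are assumptions.

```powershell
# Added example (not from the courseware): managed custom folder, content
# setting and mailbox policy from the demonstration, built with the Exchange
# Management Shell. The OU path and the target mailbox are assumptions.

# 1. The managed custom folder that will appear in each assigned mailbox.
New-ManagedFolder -Name "Contoso Project" -FolderName "Contoso Project" `
    -Comment "All items related to Contoso Project should be posted here and will be retained for 2 years"

# 2. Content settings: every item moved into the folder is permanently
#    deleted 731 days after it was moved there; no journaling.
New-ManagedContentSettings -Name "Contoso Project Content Settings" `
    -FolderName "Contoso Project" `
    -MessageClass "*" `
    -RetentionEnabled $true `
    -AgeLimitForRetention 731 `
    -TriggerForRetention WhenMoved `
    -RetentionAction PermanentlyDelete `
    -JournalingEnabled $false

# 3. Group the folder into a policy, then (4) assign it to the Accounting OU.
New-ManagedFolderMailboxPolicy -Name "Accounting Department Policy" `
    -ManagedFolderLinks "Contoso Project"
Get-Mailbox -OrganizationalUnit "adatum.com/Accounting" |
    Set-Mailbox -ManagedFolderMailboxPolicy "Accounting Department Policy"

# 5. Nothing changes in a mailbox until the Managed Folder Assistant runs
#    (1 A.M. to 5 A.M. by default). Run it for one mailbox now instead of
#    waiting for the schedule. RTM syntax; Exchange 2010 SP1 uses -Identity.
Start-ManagedFolderAssistant -Mailbox "Luca"

# Confirm the policy assignment for the whole OU.
Get-Mailbox -OrganizationalUnit "adatum.com/Accounting" |
    Format-Table Name, ManagedFolderMailboxPolicy
```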
Key Points
MRM policies deal primarily with other message retention issues. By implementing MRM policies, you can ensure that certain messages are deleted in user mailboxes and that certain messages are retained for an extended period.
Note: MRM requires an Exchange Enterprise CAL for each mailbox on which it is enabled. Ensure that you have business and legal approval before configuring MRM policies. This is particularly important if you are configuring policies that will delete messages from user mailboxes.
- You can use retention policies and managed folder mailbox policies to group a collection of folders with associated Retention Tags or content settings. If different user groups in your organization have different requirements for MRM, you can create a unique policy for each user group that includes just the folders that should apply to those users.
- If your organization requires messages to be retained or managed based on projects, consider using managed custom folders to apply messaging records management policies. With managed custom folders, you can create the required folders in the mailboxes for all users associated with the projects, and then ensure appropriate management of the folders' messages.
- If you want to automate the MRM process for all users, consider using retention policies and AutoTagging. With retention policies, you can set default tags that will be assigned to all folders, while providing users with the option of overriding the tags. With AutoTagging, you can further automate the process for managing Retention Tags to the extent that users no longer have to manage the tags.
- If you need to ensure that copies of some messages are retained for extended periods, consider using journaling as part of a content setting to ensure message retention. When you configure a content setting, you can add a journal location so that all messages that the content setting covers also are moved automatically to the journal location. With this as an option, you can consider deleting messages from user mailboxes.
- Use MRM policies to limit mailbox sizes. You can use MRM policies to remove old messages from folders such as the Deleted Items folder, or the Sent Items folder.
Lesson 5
A compliance issue that many organizations must solve is that much of the information users receive by e-mail is not stored within the e-mail system. Because of mailbox size limits, many users move messages from their mailboxes to personal storage table (PST) files, where the messages are not backed up regularly, and where the messages are not available for discovery or indexing. Exchange Server 2010 introduces Personal Archives as an option for ensuring that all messages are stored in a mailbox on an Exchange server. This lesson describes how to configure and manage Personal Archives in Exchange Server 2010.
After completing this lesson, you will be able to:
- Describe options for implementing mailbox archiving.
- Describe how Personal Archives work in Exchange Server 2010.
- Configure Personal Archives.
- Identify options for implementing Personal Archives.
Key Points
Some organizations have implemented mailbox archiving by using third-party products. These products provide different types of functionality and implement the functionality in different ways. In this discussion, you will review the mailbox archiving solutions that organizations have implemented.
Question: Do you have any archiving or journaling requirements in your organization?
Question: How are you currently meeting these requirements?
Key Points
Exchange Server 2010 provides Personal Archives as a feature that enables users to move their PST files back into the Exchange Server database. To implement a Personal Archive, create a second mailbox that the user can use to store messages that are no longer current, but which they may need to retain. The user can access this archive mailbox in Outlook 2010 or Microsoft Outlook Web App just like any other folder in the user mailbox.
Key Points
In this demonstration, you will review how to configure a Personal Archives mailbox for a user account. You will also see how to access the mailbox by using Outlook Web App.
Demonstration Steps
1. On VAN-EX1, in the Exchange Management Console, click Recipient Management, and then click Mailbox.
2. Right-click a mailbox, and then click Enable Archive.
3. On the mailbox properties, review the archive quota settings.
4. Use the Get-Mailbox cmdlet to view the mailbox settings. Review the ArchiveName and ArchiveQuota settings.
5. Verify that you cannot view the archive mailbox in Outlook 2007, but can see it through Outlook Web App.
Question: Will you implement Personal Archives in Exchange Server 2010?
Question: What are the benefits and disadvantages of the Personal Archives feature?
Key Points
Personal Archives provides an excellent opportunity for organizations to ensure that all messages in the e-mail system are stored in a location where the messages can be managed and accessed. However, deploying Personal Archives will also require careful planning to ensure that the implementation is a success. In many organizations, some users may have several gigabytes of data stored in PST files. If all of these messages are moved into archive mailboxes, the amount of storage required for the mailbox databases will increase dramatically. Some considerations for managing the implementation of Personal Archives include:
- Consider an incremental implementation for Personal Archives. If your storage infrastructure cannot handle implementing Personal Archives for all users, start by identifying the users that will benefit most from Personal Archives. This may include users with the most critical information currently stored in PST files, or it may include all executives in the organization.
- With the decrease in disk input/output (IO) per mailbox and the option of using database availability groups (DAGs) for high availability, Exchange Server 2010 enables some important new options for implementing storage. Because of the decrease in disk IO, it is now feasible to store mailbox databases on lower performance and less expensive disk arrays using SATA drives. Additionally, rather than depending on redundant disk arrays and backup to provide high availability, you can use DAGs to provide the required level of availability.
- You can also use MRM policies to manage the archive mailboxes. By configuring retention tags for the primary mailbox, you can ensure that messages are moved into the archive mailbox on a regular basis. You can also use retention tags to manage the messages in the archive mailbox.
- After you implement Personal Archives, you should consider removing the option for users to use PST files. You can start moving users away from using PST files by creating a Group Policy object that prevents new items from being added to existing PST files. Making PST files read-only gives users access to the PST files they may already have while encouraging them to keep the messages that they want to keep in their mailboxes. Eventually, you may want to create a GPO to remove access to PST files altogether.
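Enabling archives for a group of users and reviewing their quotas, together with the Outlook policy settings that the PST phase-out described above relies on, as an added example that is not part of the courseware. The Marketing OU and the user Manoj come from the lab in this module; the OU path, the quota values, and the Outlook 2010 (14.0) policy key are assumptions to be checked against the Office Administrative Templates you deploy.

```powershell
# Added example (not from the courseware): enable Personal Archives for an
# OU, review archive quotas, and show the Outlook policy values that make PST
# files read-only and, later, unavailable. OU path, quota values and the
# Outlook 2010 policy key are assumptions.

# 1. Enable an archive for every Marketing mailbox that does not have one yet
#    (an empty ArchiveGuid means no archive has been enabled).
Get-Mailbox -OrganizationalUnit "adatum.com/Marketing" |
    Where-Object { $_.ArchiveGuid -eq [Guid]::Empty } |
    Enable-Mailbox -Archive

# 2. Review the quotas the archive inherited, then size them against the PST
#    volume expected to land in the databases (incremental rollout).
Get-Mailbox -OrganizationalUnit "adatum.com/Marketing" |
    Format-Table Name, ArchiveName, ArchiveQuota, ArchiveWarningQuota
Set-Mailbox -Identity "Manoj" -ArchiveQuota 20GB -ArchiveWarningQuota 18GB

# 3. Outlook policy values. PstDisableGrow = 1 keeps existing PST files
#    readable but blocks new items; DisablePst = 1 removes PST access.
#    Deploy them through a GPO (Office Administrative Templates); writing them
#    here only reproduces the resulting registry state on one client for
#    verification.
$pstPolicy = "HKCU:\Software\Policies\Microsoft\Office\14.0\Outlook\PST"
New-Item -Path $pstPolicy -Force | Out-Null
Set-ItemProperty -Path $pstPolicy -Name PstDisableGrow -Value 1 -Type DWord
# Second phase, once mailboxes and archives hold the data:
# Set-ItemProperty -Path $pstPolicy -Name DisablePst -Value 1 -Type DWord

Get-ItemProperty -Path $pstPolicy
```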
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and the 10135A-VAN-CL1 virtual machines are running.
3. 10135A-VAN-DC1: Domain controller in the Adatum.com domain.
   10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain.
   10135A-VAN-CL1: Client computer in the Adatum.com domain.
Lab Scenario
You are the messaging administrator for A. Datum Corporation. Your organization has deployed Exchange Server 2010. The legal and audit departments at A. Datum provided you with several requirements for implementing messaging policy and compliance. These requirements include configuring rules that will ensure that some messages are retained for an extended period, while other messages are deleted when they expire. Finally, you must enable Personal Archives for all of the users in the Executives department.
A. Datum Corporation would like to automate message management in user mailboxes. To test this implementation, the executives have approved a pilot project to use retention policies for the ITAdmins group. The main tasks for this exercise are:
1. Create a managed custom mailbox folder named Executives Confidential.
2. Configure content settings for the Executives Confidential folder.
3. Configure content settings for all mailbox folders.
4. Configure a managed folder mailbox policy that applies to all users.
5. Configure a managed folder mailbox policy that applies to the Executives department.
6. Start the managed folder assistant process.
7. Test the managed custom folder implementation.
8. Configure Retention Tags and a retention policy.
9. Apply the retention policy to the Marketing group.
Messages will be retained for 90 days.
Retention period starts when messages are delivered.
Delete messages, and allow recovery.
Task 4: Configure a managed folder mailbox policy that applies to all users
1. Create a new managed folder mailbox policy with this attribute:
   Name: Default Policy All Users
2. Associate the Entire Mailbox with the policy.
3. Use the following command to assign the policy to all users:
   Get-Mailbox | Set-Mailbox -ManagedFolderMailboxPolicy "Default Policy All Users"
Task 5: Configure a managed folder mailbox policy that applies to the Executives department
1. Create a new managed folder mailbox policy with the following attribute:
   Name: Executives Department Policy
2. Associate the Entire Mailbox and the Executives Confidential mailbox folder with this policy.
3. Use the following command to assign the new policy to the users in the Finance OU:
   Get-Mailbox | Where-Object {$_.DistinguishedName -ilike "*ou=executives,dc=adatum,dc=com"} | Set-Mailbox -ManagedFolderMailboxPolicy "Executives Department Policy"
Task 7: Confirm that the managed custom folder is created for the Executives department users
1. In the Exchange Management Console, confirm that the managed folder mailbox policy is assigned to Marcel Truempy.
2. On VAN-EX1, open Internet Explorer, and then connect to https://VAN-EX1.adatum.com/owa. Log on as Adatum\Marcel with the password of Pa$$w0rd.
3. Confirm that the Finance Confidential folder was created in Marcel's mailbox.
Task 1: Create an archive mailbox for all members of the Marketing group
On VAN-EX1, in the Exchange Management Console, under Recipient Management, click Mailbox. Sort the mailbox list by organizational unit, select all of the users in the Marketing OU, and then create an archive mailbox for them.
Task 2: Verify that the archive mailbox was created for members of the Marketing group
Log on to Outlook Web App as Manoj, and then verify that the archive mailbox was created. Results: After this exercise, you should have configured archive mailboxes for all members of the Marketing group.
Review Questions
1. You need to ensure that a copy of all messages sent to a particular distribution group is saved. You only want copies of messages sent to the distribution group, not copies of all messages sent to individual members of the group. What should you configure?
2. You need to ensure that a user can search all Exchange Server organization mailboxes for specific content. What should you do? What user training will you need to provide?
3. You need to ensure that all messages related to a particular project are retained for three years. Users in your organization use both Outlook 2007 and Outlook 2010. What should you do?
Issue: Message recipients report that they are receiving error messages when they receive digitally signed messages from other users in the organization.

Issue: After you implement a transport rule, users report that some of the messages they send to Internet recipients are not delivered and they do not receive notification of why the messages were not delivered.
Troubleshooting tip: Ensure that when you implement a transport rule that might affect message delivery, you configure an action in the transport rule that informs the user if the message cannot be delivered. Normally, you would do this with a bounce message.
Module 10
Securing Microsoft Exchange Server 2010
Contents:
Lesson 1: Configuring Role Based Access Control 10-3
Lesson 2: Configuring Security for Server Roles in Exchange Server 2010 10-20
Lesson 3: Configuring Secure Internet Access 10-24
Lab: Securing Exchange Server 2010 10-38
Module Overview
In many organizations, Microsoft Exchange Server 2010 provides a critical business function for both internal and external users. Additionally, many organizations expose at least a few of their Exchange servers to the Internet. For these reasons, it is important that you do what you can to secure the Exchange Server deployment. There are two components to securing your Exchange Server deployment: configuring administrative permissions appropriately and securing the Exchange Server configuration. This module describes how to configure permissions and secure Exchange Server 2010. After completing this module, you will be able to:
Configure role based access control (RBAC) permissions.
Configure security for Exchange Server 2010 server roles.
Configure secure Internet access.
Lesson 1
Exchange Server 2010 uses the RBAC permissions model to restrict which administrative tasks users can perform on the Mailbox, Hub Transport, Unified Messaging, and Client Access server roles. With RBAC, you can control the resources that administrators can configure and the features that users can access. This lesson describes how to implement RBAC permissions in Exchange Server 2010, and how to configure permissions on Edge Transport servers. After completing this lesson, you will be able to:
Describe RBAC and management role groups.
Identify Exchange Server 2010 built-in management role groups.
Manage RBAC permissions.
Configure custom management role groups.
Describe management role assignment policies.
Work with management role assignment policies.
Manage permissions on Edge Transport servers.
Key Points
RBAC is the new permissions model in Exchange Server 2010. With RBAC, you do not have to modify and manage access control lists (ACLs) on Exchange Server or Active Directory Domain Services (AD DS) and Active Directory directory services objects. In Exchange Server 2010, RBAC controls the administrative tasks that users can perform and the extent to which they can administer their own mailbox and distribution groups. When you configure RBAC permissions, you can define precisely which Exchange Management Shell cmdlets a user can run and which objects and attributes the user can modify. All Exchange Server administration tools, including Exchange Management Console, Exchange Management Shell, and Exchange Control Panel (ECP), use RBAC to determine user permissions. Therefore, permissions are consistent regardless of which tool you use.
RBAC Options
RBAC assigns permissions to users in two primary ways, depending on whether the user is an administrator or end user:
Management role groups. RBAC uses management role groups to assign permissions to administrators. These administrators may require permissions to manage the Exchange Server organization or some part of it. Some administrators may require limited permissions to manage specific Exchange Server features, such as compliance or specific recipients. To use management role groups, add users to the appropriate built-in management role group, or to a custom management role group. RBAC assigns each role group one or more management roles that define the precise permissions that RBAC grants to the group.
Management role assignment policies. Management role assignment policies are used to assign end-user management roles. Role assignment policies consist of roles that control what users can do with their mailboxes or distribution groups. These roles do not allow management of features with which users are not associated directly.
Note: You also can use direct role assignment to assign permissions. Direct role assignment is an advanced method for assigning management roles directly to a user or Universal Security Group, without the need to use a role group or role assignment policy. Direct role assignments are useful when you need to provide a granular set of permissions to a specific user only. However, we recommend that you avoid using direct role assignment, as it is significantly more complicated to configure and manage.
Question: What requirements does your organization have for assigning Exchange Server permissions? Does your organization use a centralized or decentralized administration model? What special permissions will you need to configure?
Key Points
Use management role groups to assign administrator permissions to groups of users. To understand how management role groups work, you need to understand their components.
Management role scope. A management role scope is the scope of influence or impact that the role holder has once RBAC assigns a management role. When assigning a management role, use management scopes to target which objects that role controls. Scopes can include servers, organizational units, recipient objects, and more.
For more information about management role groups, refer to the CD content.
Key Points
Exchange Server 2010 includes several built-in role groups that you can use to provide varying levels of administrative permissions to user groups. You can add users to, or remove them from, any built-in role group. You also can add or remove role assignments to or from most role groups.
Role group: Description
Organization Management: Role holders have access to the entire Exchange Server 2010 organization and can perform almost any task against any Exchange Server object.
View-Only Organization Management: Role holders can view the properties of any object in the organization.
Recipient Management: Role holders have access to create or modify Exchange 2010 recipients within the Exchange Server organization.
UM Management: Role holders can manage the Unified Messaging features within the organization, such as Unified Messaging server configuration, properties on mailboxes, prompts, and auto-attendant configuration.
Discovery Management: Role holders can perform searches of mailboxes in the Exchange organization for data that meets specific criteria.
Records Management: Role holders can configure compliance features, such as retention policy tags, message classifications, transport rules, and more.
Server Management: Role holders have access to Exchange server configuration. They do not have access to administer recipient configuration.
Help Desk: Role holders can perform limited recipient management.
Public Folder Management: Role holders can manage public folders and databases on Exchange servers.
Delegated Setup: Role holders can deploy previously provisioned Exchange servers.
Note: All of these role groups are located in the Microsoft Exchange Security Groups OU in AD DS or Active Directory. This OU contains several other universal security groups that grant permissions to the Exchange server computer accounts.
Key Points
In this demonstration, you will review how to manage RBAC permissions in Exchange Server 2010 by using the built-in role groups. You will see how to add users to the built-in role groups and how RBAC assigns the resulting permissions to the user accounts.
Demonstration Steps
1. In Active Directory Users and Computers, add a user or security group to the Recipient Management group.
2. Log on to an Exchange server using the delegated user account.
3. Open the Exchange Management Console and the Exchange Management Shell.
4. Verify that the user has read access to the Exchange Server organization configuration.
5. Verify that the user cannot modify the settings on the Mailbox databases.
6. Verify that the user can modify the settings for mailboxes and distribution groups.
7. Verify that the user account has permission to move mailboxes to another server.
8. In the Exchange Management Shell, run Get-ExchangeServer | FL to verify that the user has Read permission to the Exchange server information.
9. Use the Set-User cmdlet to verify that the user has permission to modify the Active Directory account.
Key Points
In addition to the built-in role groups, you also can create custom role groups to delegate specific permissions within the Exchange Server organization. Use this option when you need to limit permissions more precisely than the built-in role groups allow.
Note: You also can configure a new management role rather than use one of the existing management roles. To do this, use the New-ManagementRole cmdlet to create a custom management role based on one of the existing management roles. You can then add and remove management role entries as needed. By default, the new management role inherits all of the permissions assigned to the parent role. You can remove permissions from the role, as necessary, by using the Remove-ManagementRoleEntry cmdlet. However, it can be complicated to create a new management role and remove unnecessary management role entries, so we recommend that you use one of the existing roles whenever possible.
3. Identify the management scope for the management role. For example, in the branch office scenario, you could create a role assignment with an OU scope that is specific to the branch office OU.
4. Create the management role group using the information that you collect. Use the New-RoleGroup cmdlet to create the link between the role group, the management roles, and the management scope. For example, consider the following command:
   New-RoleGroup -Name BranchOfficeAdmins -Roles "Mail Recipients","Distribution Groups","Move Mailboxes","Mail Recipient Creation" -Members BranchOfficeAdmins -RecipientOrganizationalUnitScope Contoso.com/BranchOffice
   It does the following:
   Creates a new role group named BranchOfficeAdmins.
   Assigns the Mail Recipients, Distribution Groups, Move Mailboxes, and Mail Recipient Creation management roles to the BranchOfficeAdmins role group.
   Configures a management role scope limited to the BranchOffice OU in the Contoso.com domain.
Key Points
In this demonstration, you will review how to create a custom role group and how to assign management roles to the group. You also will verify that the correct permissions are assigned to the user accounts.
Demonstration Steps
1. On VAN-EX1, open the Exchange Management Shell.
2. Create a new management scope that will limit the tasks that can be performed by using the following command:
   New-ManagementScope -Name MarketingMailboxes -RecipientRoot adatum.com/Marketing -RecipientRestrictionFilter {RecipientType -eq "UserMailbox"}
3. Create a new management role group that uses the custom management scope by using the following command:
   New-RoleGroup -Name MarketingAdmins -Roles "Mail Recipients","Mail Recipient Creation" -CustomRecipientWriteScope MarketingMailboxes
4. Add a user to the management role group by using the following command:
   Add-RoleGroupMember -Identity MarketingAdmins -Member Andreas
5. In Active Directory Users and Computers, verify that the group has been created in the Microsoft Exchange Security Groups OU and that the user has been added to the group.
6. Open the Exchange Management Console as the delegated user account. Verify that the user can modify mailboxes and create new mailboxes only in the Marketing OU.
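The following Exchange Management Shell script is an added example, not part of the course, that extends the custom role group procedure and the demonstration above: it derives a trimmed management role from the built-in Mail Recipients role, links it to a scoped role group, and then audits what the delegated user can actually do. It assumes the adatum.com/Marketing OU and the user Andreas from the demonstration; the role, scope and group names are choices made for the example.

```powershell
# Added example (not course code). Assumes the adatum.com/Marketing OU and a user
# named Andreas exist; all other objects are created here.

# 1. Scope: the group may only write to user mailboxes under the Marketing OU.
New-ManagementScope -Name "MarketingMailboxes" `
    -RecipientRoot "adatum.com/Marketing" `
    -RecipientRestrictionFilter { RecipientType -eq "UserMailbox" }

# 2. Custom role derived from the built-in "Mail Recipients" role. Removing a
#    role entry removes the cmdlet entirely; removing only parameters keeps the
#    cmdlet but limits the attributes the role can change.
New-ManagementRole -Name "Marketing Mail Recipients" -Parent "Mail Recipients"

# Assumption: Set-Mailbox is an entry of the parent role (check first with
# Get-ManagementRoleEntry "Mail Recipients\*"). Here the role keeps Set-Mailbox
# but loses the ability to change mailbox quotas.
Set-ManagementRoleEntry -Identity "Marketing Mail Recipients\Set-Mailbox" `
    -Parameters ProhibitSendQuota,ProhibitSendReceiveQuota,IssueWarningQuota `
    -RemoveParameter

# 3. Role group that links the trimmed role and a built-in role to the scope.
New-RoleGroup -Name "MarketingAdmins" `
    -Roles "Marketing Mail Recipients","Mail Recipient Creation" `
    -CustomRecipientWriteScope "MarketingMailboxes" `
    -Members "Andreas"

# 4. Audit the group: which roles, and with which write scope, it received.
Get-ManagementRoleAssignment -RoleAssignee "MarketingAdmins" |
    Format-Table Role, RoleAssigneeType, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

# Parameters that remain allowed on Set-Mailbox in the trimmed role.
(Get-ManagementRoleEntry -Identity "Marketing Mail Recipients\Set-Mailbox").Parameters

# 5. Audit from the user's side: every assignment that reaches Andreas, including
#    any inherited through other role groups. This is the least-privilege check:
#    a second, broader group membership would show up here.
Get-ManagementRoleAssignment -GetEffectiveUsers |
    Where-Object { $_.EffectiveUserName -eq "Andreas" } |
    Format-Table Role, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope -AutoSize
```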
Question: Will you implement custom management roles in your organization? If so, how will you configure the management roles?
Key Points
Management role-assignment policies associate end-user management roles with users. You do not configure administrative permissions with management role-assignment policies. Rather, you use management role assignment policies to configure what changes users can make to their mailbox settings and to distribution groups that they own.
Management role entry. A management role entry is a cmdlet, script, or special permission that enables users to perform a specific task. Each role entry consists of a single cmdlet and the parameters that the management role can access.
Key Points
Exchange Server 2010 includes a default role assignment policy that provides end users with the most commonly used permissions. For most organizations, you do not need to modify the configuration. However, you can change the management role assignment policy if your organization has specific requirements regarding how users can interact with their mailboxes or groups.
Note: To view the default management role assignment policy configuration, run Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy". This cmdlet lists all the management roles that are assigned to the default role assignment policy. To view the details of each management role, run Get-ManagementRole <rolename> | FL. For example, running Get-ManagementRole MyBaseOptions | FL displays all management role entries associated with the MyBaseOptions management role.
Note: When you change the default role assignment policy, RBAC does not assign the new default role assignment policy automatically. You will need to use the Set-Mailbox cmdlet to update previously created mailboxes to the new default role assignment policy.
Configure additional role assignment policies and assign the policies to a mailbox manually by using the RoleAssignmentPolicy parameter on the New-Mailbox, Set-Mailbox, or Enable-Mailbox cmdlets. When you assign an explicit role assignment policy, the new policy takes effect immediately and replaces the previously assigned explicit role assignment policy. If you have many different user groups with special needs, you can create role assignment policies for each group.
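The script below is an added example, not course code, that carries out the approach just described: it builds a role assignment policy that grants only a subset of what the default policy grants, assigns it explicitly to one group of mailboxes, and verifies the result. It assumes an adatum.com/Marketing OU; the policy name and the two roles withheld are choices made for the example, and the script tolerates either role being absent from the default policy.

```powershell
# Added example (not course code). Assumes the adatum.com/Marketing OU exists.

# 1. Start from the roles the default policy grants, so the new policy never
#    grants anything the default does not already grant.
$defaultRoles = Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy" |
    ForEach-Object { $_.Role.ToString() }

# 2. Withhold the roles that let users edit their own contact details and manage
#    distribution groups they own (example choice). PowerShell 2.0 syntax is used
#    because the Exchange 2010 shell runs on it.
$withheld = @("MyContactInformation", "MyDistributionGroups")
$restricted = $defaultRoles | Where-Object { $withheld -notcontains $_ }

New-RoleAssignmentPolicy -Name "Marketing Users Policy" -Roles $restricted

# 3. Assign the policy explicitly. An explicit assignment takes effect immediately
#    and replaces the policy previously assigned to those mailboxes.
Get-Mailbox -OrganizationalUnit "adatum.com/Marketing" -ResultSize Unlimited |
    Set-Mailbox -RoleAssignmentPolicy "Marketing Users Policy"

# 4. Verify: the roles the new policy carries, and how mailboxes are distributed
#    across policies afterwards.
Get-ManagementRoleAssignment -RoleAssignee "Marketing Users Policy" |
    Format-Table Role -AutoSize
Get-Mailbox -ResultSize Unlimited |
    Group-Object RoleAssignmentPolicy |
    Format-Table Name, Count -AutoSize

# Note on the default policy: making a different policy the default
# (Set-RoleAssignmentPolicy <name> -IsDefault) affects only mailboxes created
# afterwards. Existing mailboxes keep their old policy until Set-Mailbox
# -RoleAssignmentPolicy is run against them, as in step 3.
```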
Question: How will you configure role assignment policies in your organization?
Key Points
You deploy the Edge Transport server role in an organization's perimeter network, either as a stand-alone server or as a member of a perimeter Active Directory domain. No Exchange Server-specific groups are created when you install an Edge Transport server role. The Administrators local group is granted full control of the Edge Transport server, which includes an instance of Active Directory Lightweight Directory Services (AD LDS). You can administer Edge Transport servers remotely by using Remote Desktop. The Administrators local group is granted remote logon permissions automatically when you enable Remote Desktop.
Lesson 2
The second component to configuring Exchange Server 2010 security is to secure the Exchange Server deployment as much as is possible. To do this, you should understand the security risks for which you need to prepare, and then you need to configure your Exchange Server security settings appropriately. After completing this lesson, you will be able to:
Identify the Exchange Server security risks.
Implement best practices security measures.
Key Points
To prepare for Exchange Server security, you first must understand the security risks that threaten the Exchange server environment. Question: What security risks do you need to protect against when deploying Exchange Server? Question: What risks are the most serious?
Key Points
The design of Exchange Server 2010 makes it secure when you deploy it. Many of its features, such as server roles, Kerberos authentication, and self-signed certificates, ensure that the servers present a minimal attack surface and facilitate encryption for most network traffic sent to and from Exchange servers. To maintain Exchange Server security, implement regular processes to monitor and validate the Exchange Server configuration.
Lesson 3
Exchange Server 2010 provides access to user mailboxes from a wide variety of clients. In many cases, these clients may be located outside the corporate network and may be accessing the user mailboxes through an Internet connection. Because the Exchange servers cannot provide this functionality without being accessible from the Internet, it is important that the connections from the Internet be as secure as possible. This lesson describes how to configure secure access to the Exchange servers from the Internet. After completing this lesson, you will be able to:
Describe secure Internet access components.
Deploy Exchange Server 2010 for Internet access.
Secure Client Access server traffic from the Internet.
Secure SMTP connections to the Internet.
Describe reverse proxy.
Configure secure access.
Key Points
Exchange Server 2010 enables users to access their mailboxes from many different types of messaging clients and from almost anywhere. To provide secure access for the messaging clients, you need to understand what types of access each client type requires.
Exchange ActiveSync
Internet Message Access Protocol version 4 (IMAP4)
Access requirements: Access to the IMAP4 service on a Client Access server; access to a SMTP Receive connector on either a Hub Transport server, an Edge Transport server, or another SMTP server.
Protocol requirements: IMAP4, SMTP (Port 25 or 587)
POP3
Access requirements: Access to the POP3 service on a Client Access server; access to a SMTP Receive connector on either a Hub Transport server, an Edge Transport server, or another SMTP server.
Protocol requirements: POP3, SMTP (Port 25 or 587)
Note: In addition to the Client Access components, you also need to configure the environment to support secure sending and receiving of SMTP e-mail. In most cases, this includes deploying an Edge Transport server in the perimeter network.
Key Points
When deploying Exchange Server 2010 so that it is accessible from the Internet, you must deploy all server roles on the internal network, except for the Edge Transport server role. You should deploy the Edge Transport server role in the perimeter network, and it should run on a server that is not an internal domain member. The recommended deployment for Exchange Server 2010 Internet access includes two firewalls in a back-to-back firewall scenario, which enables you to implement a perimeter network between the two. An external firewall faces the Internet and protects the perimeter network. You then deploy an internal firewall between the perimeter and internal networks.
Firewall port requirements (the table layout was lost in extraction; each row is listed with the information that survived):
Destination port 80, 443
Destination port 110, 993: Destination address: External IP address of the internal firewall. Only required for POP3 access.
Destination port 143, 995: Source address: All. Destination address: External IP address of the internal firewall. Only required for IMAP4 access.
Destination port 587: Source address: All. Destination address: External IP address of the internal firewall. Only required if POP3 and IMAP4 clients are using the SMTP client submission port to send SMTP e-mail.
Destination ports of the second firewall table (the remaining columns were not recovered): 80, 443; 110, 993; 143, 995; 587; 50636; 3389.
Note: Edge Transport servers also listen on port 50389 for unencrypted LDAP connections. This port is used only for administering the AD LDS instance on the Edge Transport server using standard LDAP tools. However, this port does not have to be open on the internal firewall.
Key Points
To ensure that the client connections are as secure as possible, implement the following recommendations:
Create and configure a server certificate. By default, all Client Access servers are configured with self-signed certificates during Exchange Server 2010 installation. Because clients do not trust this certificate, you should replace the certificate with one from a public Certification Authority (CA) or from an internal CA. If you use an internal enterprise CA, the certificates will be trusted by computers that are members of the internal domains, but not by other client computers.
Require Secure Sockets Layer (SSL) for all virtual directories. With Exchange Server 2010, you can configure all of the Client Access server virtual directories to require SSL.
Enable only required client access methods. You should enable access to only the client access options that your organization requires. For example, if your organization only requires Exchange ActiveSync and Outlook Web App connectivity from the Internet, then only allow access to those virtual directories through the firewall.
Require secure authentication. Forms-based authentication is the most secure authentication mechanism for Outlook Web App. Other client access options, such as Outlook Anywhere or Exchange ActiveSync, cannot use forms-based authentication, and may need to use Microsoft Windows NT LAN Manager (NTLM) authentication or basic authentication. If you configure the virtual directories to require SSL, the network traffic that authenticates the user is encrypted.
Require TLS/SSL for IMAP4 and POP3 access. To help secure communications between your POP3 and IMAP4 clients and the Client Access server, configure the Client Access server to use a certificate for these protocols, and then force all clients to use Transport Layer Security (TLS) or SSL to encrypt all authentication and message access traffic.
Implement an application layer firewall or reverse proxy. To provide additional security, place an application layer firewall or reverse proxy between the Internet and the Client Access server. This firewall can decrypt all network traffic between the client and the Client Access server, and inspect the traffic for malicious code.
Key Points
If you enable POP3 and IMAP4 connections from the Internet to your Client Access servers, you must provide a means by which those clients can send e-mail using SMTP. As part of ensuring security for your client-access deployment, you also need to ensure secure SMTP connectivity.
Note: If you accept anonymous SMTP connections from the Internet on the Hub Transport server, using the Default SMTP Receive connector, you need to create an additional SMTP Receive connector for the POP3 and IMAP4 clients, and configure the new connector to require authenticated connections.
Note: You cannot use an Edge Transport server to accept authenticated SMTP connections, and then use it to relay SMTP messages from POP3 and IMAP4 clients. You can configure a SMTP Receive connector on an Edge Transport server that uses port 587, and you can configure the Receive connector to accept authenticated connections. However, you cannot configure the connector to authenticate the client connections using the user's internal Active Directory account.
Note: In some cases, you may need to enable anonymous relay to allow internal applications to send SMTP e-mail through the Exchange server. If you require this functionality, then configure restrictions on the Receive connector so that only the IP addresses that you specify can relay through the server.
4. Enable IMAP4 and POP3 selectively. If only some users in your organization require POP3 and IMAP4 access, then disable this option on all other mailboxes.
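The following Exchange Management Shell script is an added example, not course code, that applies the Client Access and SMTP recommendations from this lesson together: TLS-only logins for POP3 and IMAP4, an authenticated TLS-only client submission connector on port 587, and POP3/IMAP4 enabled only for the members of one group. It assumes the server VAN-EX1, the receive connector named "Client VAN-EX1" that Exchange setup creates on port 587, a distribution group named "POP-IMAP Users" (hypothetical) and a certificate thumbprint placeholder to replace with your own.

```powershell
# Added example (not course code). Assumed names: server VAN-EX1, default client
# submission connector "Client VAN-EX1", distribution group "POP-IMAP Users",
# and a placeholder certificate thumbprint.
$server     = "VAN-EX1"
$thumbprint = "<THUMBPRINT-OF-SERVER-CERTIFICATE>"   # placeholder, replace

# 1. Bind the trusted server certificate to the POP3 and IMAP4 services.
Enable-ExchangeCertificate -Server $server -Thumbprint $thumbprint -Services "POP,IMAP"

# 2. Refuse plain-text logins: clients must negotiate TLS/SSL before they
#    authenticate. The services must be restarted for the change to apply.
Set-PopSettings  -Server $server -LoginType SecureLogin
Set-ImapSettings -Server $server -LoginType SecureLogin
Restart-Service MSExchangePOP3
Restart-Service MSExchangeIMAP4

# 3. Client submission connector on port 587: TLS required, Basic authentication
#    offered only after TLS, and only authenticated Exchange users permitted.
#    Anonymous Internet mail stays on the port 25 connector, which is left as is.
Set-ReceiveConnector -Identity "$server\Client $server" `
    -RequireTLS $true `
    -AuthMechanism "Tls,BasicAuth,BasicAuthRequireTLS" `
    -PermissionGroups "ExchangeUsers"

# 4. Enable POP3/IMAP4 only for members of the group; disable it everywhere else.
$allowed = @{}
Get-DistributionGroupMember -Identity "POP-IMAP Users" -ResultSize Unlimited |
    ForEach-Object { $allowed[$_.DistinguishedName] = $true }

Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
    $enable = $allowed.ContainsKey($_.DistinguishedName)
    Set-CASMailbox -Identity $_.Identity -PopEnabled $enable -ImapEnabled $enable
}

# 5. Verify the resulting configuration.
Get-PopSettings  -Server $server | Format-List LoginType, SSLBindings
Get-ImapSettings -Server $server | Format-List LoginType, SSLBindings
Get-ReceiveConnector -Identity "$server\Client $server" |
    Format-List RequireTLS, AuthMechanism, PermissionGroups
# Expected: only the group members remain listed here.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Format-Table Name, PopEnabled, ImapEnabled -AutoSize
```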
Key Points
You may want to use a reverse proxy server to manage incoming requests to a Client Access server. A reverse proxy server provides the following advantages over a direct connection to a Client Access server:
Security. The reverse proxy server provides an extra protective layer between the network and external computers. This is because the reverse proxy server is the endpoint for all client connections. The reverse proxy server then creates a new connection to the internal server.
Application layer filtering. Most reverse proxy servers also can operate as application layer firewalls. Application layer filtering enables the proxy to open up the entire TCP/IP packet and inspect the application data for unacceptable commands and data. For example, an HTTP filter intercepts communication on port 80 and inspects it to verify that the commands are authorized before passing the communication to the destination server. Firewalls that are capable of application-layer filtering can stop dangerous code at the network's edge before it does any damage.
SSL bridging. If you must encrypt communication between the reverse proxy server and the Client Access server, do this by ending the SSL session between the Web browser and reverse proxy server. You then establish a new SSL session between the reverse proxy server and the Client Access server. This protects the Client Access server from direct access from the Internet, enables the reverse proxy server to filter the data packets before they reach the Client Access server, and encrypts the data along the whole path between the Web browser and the Client Access server.
Load balancing. A reverse proxy server can distribute the traffic that is destined for a single URL to a group of servers. You automatically implement Web load-balancing features when you publish Outlook Web App and Outlook Anywhere. Outlook Web App automatically selects a rule by using cookie-based load balancing. With cookie-based load balancing, the reverse proxy server forwards all requests that relate to the same session (the same unique cookie provided by the server in each response) to the same server. Outlook Anywhere uses source-IP-based load balancing. With source-IP-based load balancing, the reverse proxy server forwards all requests from the same client (source) IP address to the same server. Other Exchange services and features, such as Exchange ActiveSync, must use cookie-based load balancing. This also includes the Exchange services, such as the offline address book and the Availability Service.
SSL offloading. Instead of configuring the Client Access server to provide SSL encryption, you can offload that function to the reverse proxy server. Not only does it encrypt data that is sent between the Web browser and the Client Access server, but it also enables the reverse proxy server to inspect the data packets and apply filters before they reach the Client Access server. If you offload SSL encryption to a proxy server, data that is sent between the reverse proxy server and the Client Access server will not be encrypted unless you use SSL bridging.
Key Points
In this demonstration, you will review how to create an Outlook Web App publishing rule in Forefront TMG.
Note: Forefront TMG is an upgrade of Microsoft Internet Security and Acceleration (ISA) Server 2006.
Demonstration Steps
1. On VAN-TMG, open the Forefront TMG Management console.
2. In the Firewall Policy node, create an Exchange Server publishing rule by using the New Exchange Publishing Rule Wizard. Configure the rule with the following settings:
   Name: OWA Access Rule
   Exchange version: Exchange Server 2010
   Service: Outlook Web App
   Server Connection Security: Use SSL to connect the published Web server or server farm
   Internal site name: VAN-EX1.Adatum.com
   Public Name Details page: mail.Adatum.com
3. Create a new Web Listener with the following settings:
   Name: HTTP Listener
   Client Connection Security: Do not require SSL secure connections from clients
   Web Listener IP Addresses: External
   Authentication Settings: HTML Form Authentication
   Single Sign-On (SSO) Settings: Enabled
   SSO domain name: ADatum.com
4. On the Authentication Delegation page, click Basic authentication.
5. Accept the default User Sets configuration, finish the wizard, and then apply the changes.
Question: Has your company deployed a reverse proxy? If so, what kind? How does your reverse proxy compare to the TMG?
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and the 10135A-VAN-EX2 virtual machines are running.
   10135A-VAN-DC1: Domain controller in the Adatum.com domain
   10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain
   10135A-VAN-EX2: Exchange 2010 server in the Adatum.com domain
3. If required, connect to the virtual machines. Log on to VAN-DC1 and VAN-EX1 as Adatum\Administrator, using the password Pa$$w0rd. Do not log on to VAN-EX2 at this point.
Lab Scenario
A. Datum Corporation has deployed Exchange Server 2010. The company security officer has provided you with a set of requirements to ensure that the Exchange Server deployment is as secure as possible. The specific concerns included in the requirements include: Exchange Server administrators should have minimal permissions, which means that, whenever possible, you should delegate Exchange Server management permissions. Ensure that client connections to the Client Access servers are as secure as possible by deploying a TMG server.
The main tasks for this exercise are as follows:
1. Configure permissions for the ITAdmins group.
2. Configure permissions for the Support Desk and HRAdmins groups.
3. Verify the permissions.
3. On VAN-EX1, open Internet Explorer and connect to https://van-ex1.adatum.com/ecp. Log on as Adatum\Anna, and verify that the account has the following permissions:
   Can modify mailbox settings for users by using the Exchange Control Panel. For example, try modifying the department attribute for Andreas Herbinger.
   Can modify distribution groups using the Exchange Control Panel. For example, add a group description for the Accounting group.
Note: You cannot create or delete user accounts and mailboxes in Exchange Control Panel. If you want to test whether Anna can create user accounts and mailboxes, add Anna to the local Administrators account on VAN-EX2, and log on to VAN-EX2 as Anna. Then open Exchange Management Console and verify that you can create a mailbox. In a production environment, you could install the Exchange Management tools on a Windows 7 client computer.
4. Close Internet Explorer, open it again, and connect to https://van-ex1.adatum.com/ecp. Log on as Adatum\Paul, and verify that the account has the following permissions:
   Can modify mailbox settings for users by using the Exchange Control Panel.
   Cannot modify distribution groups by using the Exchange Control Panel.
Results: After this exercise, you should have configured and verified permissions in the Exchange Server deployment.
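One way to build the role groups that the verification steps above test, from the Exchange Management Shell (example code added here, not from the course lab files). The group names come from the task list, but the members and the role-to-group mapping are assumptions chosen to produce exactly the behaviour the steps check.

```powershell
# Added example, not from the course lab files. The members and the
# role-to-group mapping below are assumptions chosen to produce what the
# verification task checks: Anna can edit mailbox settings and distribution
# groups, Paul can edit mailbox settings only. "Mail Recipients" and
# "Distribution Groups" are built-in Exchange Server 2010 management roles.

# Support desk staff edit recipient settings and distribution groups (Anna).
New-RoleGroup -Name "Support Desk" `
    -Roles "Mail Recipients", "Distribution Groups" `
    -Members "Anna" `
    -Description "Support desk: mailbox settings and distribution groups"

# HR administrators edit mailbox settings only (Paul); no distribution group role,
# which keeps the assignment at the minimum the scenario asks for.
New-RoleGroup -Name "HRAdmins" `
    -Roles "Mail Recipients" `
    -Members "Paul" `
    -Description "HR administrators: mailbox settings only"

# Verification without logging on as each user: list the effective role
# assignments (direct and inherited through role groups) for both accounts.
foreach ($user in "Anna", "Paul") {
    $roles = Get-ManagementRoleAssignment -RoleAssignee $user |
        ForEach-Object { "$($_.Role)" } | Sort-Object -Unique
    "{0}: {1}" -f $user, ($roles -join ", ")
}

# The negative case matters as much as the positive one: Paul must not hold
# the Distribution Groups role through any other group or assignment policy.
$paulRoles = Get-ManagementRoleAssignment -RoleAssignee "Paul" |
    ForEach-Object { "$($_.Role)" }
if ($paulRoles -contains "Distribution Groups") {
    Write-Warning "Paul holds the Distribution Groups role through another assignment; review it before the ECP test."
}
```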
Task 1: Prepare the Windows Server 2008 CA to issue certificates with multiple SANs
1. On VAN-DC1, run the certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2 command to configure the CA to issue certificates with multiple SANs.
2. Stop and restart the Certificate Services service.
Task 2: Request a server certificate with multiple SANs on the Client Access server
1. On VAN-EX1, run the New Exchange Certificate Wizard using the following configuration options:
   Friendly name: Adatum Mail Certificate
   Outlook Web App: Outlook Web App is on the intranet and uses a host name of VAN-EX1.adatum.com
   Outlook Web App: Outlook Web App is on the Internet and uses a host name of mail.adatum.com
   Exchange ActiveSync: Enabled and uses a host name of mail.adatum.com
   Autodiscover: Used on the Internet
   Long URL: Used for Autodiscover with a host name of Autodiscover.adatum.com
   Organization: A Datum
   Organizational Unit: Messaging
   Country/region: Canada
   City/locality: Vancouver
   State/province: BC
2. Save the file using the name CertRequest.req.
3. Copy the text of the certificate request file to the clipboard.
4. Connect to http://van-dc1.adatum.com/certsrv, and create an advanced certificate request using a certificate request file. Paste the contents of the certificate request file into the Saved Request field. Request a Web server certificate.
5. Download the certificate and save it to the C: drive.
6. In the Exchange Management Console, use the Complete Pending Request Wizard to import the Adatum Mail certificate.
7. In the Exchange Management Console, use the Assign Services to Certificate Wizard to assign the Adatum Mail certificate to IIS.
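The same request, import and service assignment carried out from the Exchange Management Shell instead of the two wizards (an added example, not part of the course lab files). It assumes the certificate issued by the CA Web enrollment page has been saved as C:\certnew.cer; that file name is an assumption.

```powershell
# Added example: the Exchange Management Shell equivalent of Task 2, not the
# wizard steps from the lab. Assumed: the issued certificate was saved as
# C:\certnew.cer (file name is an assumption). On Task 1: the
# EDITF_ATTRIBUTESUBJECTALTNAME2 flag lets any requester put arbitrary SANs
# into a request the CA will honour, so keep that setting confined to the lab CA.

# Step 1: generate the request. The wizard's host names become -DomainName
# entries; -SubjectName carries the organization details typed into the wizard.
$req = New-ExchangeCertificate -GenerateRequest `
    -FriendlyName "Adatum Mail Certificate" `
    -SubjectName "C=CA,S=BC,L=Vancouver,O=A Datum,OU=Messaging,CN=mail.adatum.com" `
    -DomainName "mail.adatum.com", "van-ex1.adatum.com", "autodiscover.adatum.com" `
    -PrivateKeyExportable $true

# Steps 2-3: save the Base64 request text that the CA Web enrollment page expects.
Set-Content -Path C:\CertRequest.req -Value $req

# Steps 4-5 stay manual: submit CertRequest.req at http://van-dc1.adatum.com/certsrv
# with the Web Server template and save the issued certificate as C:\certnew.cer.

# Step 6: complete the pending request by importing the issued certificate.
$cert = Import-ExchangeCertificate -FileData ([byte[]](Get-Content -Path C:\certnew.cer -Encoding Byte -ReadCount 0))

# Step 7: assign the certificate to IIS so OWA, ECP, ActiveSync and Autodiscover use it.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# Check: every name clients will connect with must appear in CertificateDomains,
# otherwise they get the certificate name mismatch the troubleshooting table describes.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List FriendlyName, Subject, CertificateDomains, Services, NotAfter
```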
Create a new Web Listener with the following settings:
   Name: HTTPS Listener
   Client Connection Security: Require SSL secured connections with clients
   Web Listener IP Addresses: External
   Listener SSL Certificates: mail.adatum.com
   Authentication Settings: HTML Form Authentication
   Single Sign On Settings: Enabled
   SSO domain name: Adatum.com
Note: During this task, click OK to dismiss any messages that indicate that VAN-EX2 is not accessible.
Results: After this exercise, you should have configured a Forefront Threat Management Gateway server to enable access to Outlook Web App on the Client Access server. You will also have verified that the access is configured correctly.
Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines.
6. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.
Review Questions
1. You need to enable members of the Human Resources department to configure user mailboxes for the entire organization. What should you do?
2. Users in your organization are using POP3 clients from the Internet. These users report that they can receive, but not send, e-mail. What should you do?
3. Your organization has deployed Forefront TMG. You need to ensure that remote users can access the Client Access server inside the organization by using cellular mobile clients. What should you do?
Common Issues Related to Configuring Exchange Server Publishing Rules on a Reverse Proxy
Identify the causes for the following common issues related to configuring Exchange Server publishing rules on a reverse proxy, and fill in the troubleshooting tips. For answers, refer to the relevant lessons in the module.
Issue: Clients cannot connect to the published sites, and they receive internal server errors.
Troubleshooting tip: Normally, these errors occur when the reverse proxy cannot connect to the internal site. Verify that the reverse proxy can connect to the virtual directories on the Client Access server.
Issue: Clients cannot connect to the published sites, and they receive certificate errors.
Troubleshooting tip: When configuring a reverse proxy to use SSL bridging, you need to ensure that the configuration is correct for certificates on both the reverse proxy and the Client Access server. Check information such as whether the certificates are trusted and whether the names the certificates use match the names that the clients use when connecting to the site.
Issue: Clients cannot connect to the published sites, and
Troubleshooting tip: Normally, this type of error displays when there is a problem connecting to the reverse proxy from the Internet. Verify that DNS name resolution is working correctly and that the external firewall is not blocking access to the reverse proxy.
Module 11
Maintaining Microsoft Exchange Server 2010
Contents:
Lesson 1: Monitoring Exchange Server 2010 11-3
Lesson 2: Maintaining Exchange Server 2010 11-13
Lesson 3: Troubleshooting Exchange Server 2010 11-20
Lab: Maintaining Exchange Server 2010 11-26
Module Overview
Once you deploy Microsoft Exchange Server 2010, you must ensure that it continues to run optimally by maintaining a stable environment. To maintain a stable environment, you must monitor Exchange Server performance, and make adjustments as required. This module describes how to monitor and maintain your Exchange Server environment. This module also describes troubleshooting techniques. From time to time, problems arise that need to be fixed. Although troubleshooting problems can be complex, using a troubleshooting methodology can help you pinpoint the problem and then determine the proper method to use to fix the problem. After completing this module, you will be able to:
   Monitor Exchange Server 2010.
   Maintain Exchange Server 2010.
   Troubleshoot Exchange Server 2010.
Lesson 1
Monitoring practices typically are an afterthought, and people often configure them after deploying the solution. However, having a well-tuned and consistently used monitoring solution can greatly improve your ability to identify, troubleshoot, and repair issues before end users notice them. Reducing end-user problems and preventing more-serious problems are worth the additional thought and effort that it requires to design a comprehensive monitoring solution for your Exchange Server organization. In this lesson, you will review the basic monitoring tools as well as the metrics that you should monitor. After completing this lesson, you will be able to:
   Describe the importance of performance monitoring.
   Identify key monitoring metrics for monitoring Exchange Server 2010.
   Collect performance data for the Exchange server.
   Collect performance data for the Mailbox server.
   Collect performance data for the Hub Transport and Edge Transport servers.
   Collect performance data for the Client Access server.
   Use the collected performance data.
Key Points
Monitoring the Exchange Server environment is important for the following reasons:
   Identifying performance issues. When problems arise, you can pinpoint and repair them without relying on users to report the problems.
   Identifying growth trends to improve plans for upgrades. As the system grows and usage patterns change, hardware modifications may be required to accommodate these changes. Identifying trends also allows you to forecast future changes that might be necessary.
   Measuring performance against service level agreements. Demonstrating whether Exchange Server meets performance-based service level agreements and measuring the end-user experience shows the value that Exchange Server administrators are providing.
   Identifying security issues and denial-of-service attacks. When performance and other metrics stray from the established baselines, you can correlate these incidents to identify and mitigate the source.
Since Exchange Server 2010 is complex, you need to monitor several aspects. Primarily, you should gather and monitor metrics from the processor, memory, disk, and the Exchange services. You may monitor additional information, depending on the Exchange Server roles that you install.
Key Points
Most enterprise environments already use monitoring and alerting systems across their IT infrastructures. In cases where a monitoring solution does not exist, Microsoft System Center Operations Manager 2007 or System Center Essentials (with the Exchange Server 2010 management pack) provide an easily deployable Exchange Server monitoring solution. Enterprise-class monitoring solutions also allow you to customize the data you want to collect, which can be helpful when tracking down specific problems, or when default monitoring sets do not collect the appropriate data. Since each deployment is unique, adjustments are required to fit particular usage and hardware scenarios. In instances where a problem exists on a single or limited number of servers, you can use the Performance and Reliability Monitor to collect additional performance data that standard monitors might not capture.
Key Points
When monitoring Exchange servers, you should know which performance aspects are most important. You can use the common counters and threshold values detailed in this lesson to identify potential issues proactively, and help identify the root cause of issues when troubleshooting. Since these values are general guidelines, it is important to trend and perhaps adjust these values to meet the needs of the specific environment. You can determine values that work in a specific environment by documenting normal operating values to create a baseline. After creating the baseline, set thresholds so that when performance metrics are not met, you know that the server is not operating optimally. For more information about the performance counters, refer to the CD content.
Processor
The processor is one of the fundamental components that you need to monitor to ensure server health on all Exchange Server roles. Standard counters include the total percentage of processor time, the percentage of user-mode processor time, and the percentage of privileged-mode processor time. An additional counter related to processor performance is the processor queue length. If the processor queue length is greater than the specified threshold value, this may indicate that there is more work available than the processor can handle. If this number is greater than 10 per processor core, this is a strong indicator that the processor is at capacity, particularly when coupled with high CPU utilization. Although you typically do not use processor queue length for capacity planning, you can use it to identify whether systems within the environment are capable of running the loads, or whether you should purchase faster processors for future servers.
Memory
Another key performance indicator is the memory counter. Tracking the available memory and how much memory has to be written to the page file can tell you when you need to increase server memory, or reduce server load.
Key Points
When you collect performance data about Mailbox servers, you may focus on disk-response time and the speed with which the server responds to requests. The average response time for reading data should be under 20 milliseconds (ms), and the average write response time should be less than 100 ms. If the disk queue length begins to grow, this is another indicator that the disk system is not meeting demand. All of these may require you to purchase additional or faster disks, or to modify the disk configuration. There are many Mailbox server performance counters that you can trend, depending on your messaging environment. However, the following counters are crucial and are a good place to begin when collecting performance data for the Mailbox server. For more information about the performance counters, refer to the CD content.
Logical Disk
Logical Disk counters determine whether disk performance is meeting demands. As disk latency increases, database reads and writes take more time.
MSExchangeIS
The Client Access and transport servers use Microsoft Remote Procedure Call (RPC) to communicate with Mailbox servers, thus it is important to monitor the response time for RPC requests, to be sure that the mailbox server is responding quickly enough to support the load.
Question: If any of these performance counters measures outside its normal range, what is the most likely cause?
Collecting Performance Data for the Hub Transport and Edge Transport Servers
Key Points
The transport servers store message queue information to disk. The average response time for reading data should be less than 20 ms, and the average write-response time should be less than 100 ms on average. Another indicator that the disk system is not keeping up with demand is if the disk queue length starts to grow. All of these may require you to purchase additional or faster disks, or modify the disk configuration. For more information about the performance counters, refer to the CD content.
Logical Disk
Logical Disk counters determine whether disk performance is meeting demands. As disk latency increases, database reads and writes take more time.
Key Points
The Client Access server role performs many of the key client connectivity functions for Exchange Server clients. Disk performance is important for determining overall server health. Additionally, you should monitor the response time for services used by Client Access servers to ensure proper performance. For more information about the performance counters, refer to the CD content.
Logical Disk
Logical Disk counters determine whether disk performance is meeting demands. As disk latency increases, database reads and writes take more time.
Key Points
To determine which thresholds denote an existing problem, set a monitoring baseline by reviewing monitoring data over a full business cycle. Business cycles vary for each company, and your cycle should include both busy and slow periods. For some businesses, busy periods might correlate with the end-of-month accounting close process or periods with notably high sales figures. Gathering a broad data set will provide sufficient data to determine the appropriate operating thresholds. To use the collected performance data:
1. Create a monitoring baseline by averaging performance metrics from a properly operating system:
   Monitor performance for a full business cycle.
   Note any peaks or troughs in the data.
2. Set warning and error level thresholds.
3. Review growth trends regularly to:
   Adjust thresholds.
   Adjust server configurations.
It is important that you review your thresholds periodically, so you can adjust the servers, or the thresholds themselves, to ensure proper monitoring.
Lesson 2
Maintaining the Exchange Server messaging solution is an ongoing process that requires discipline, not only for the administrator but also for the organization. Using change management techniques to control change has many benefits, as described in this lesson. Change management often includes controlling which software updates are applied, how the updates are applied, and when the updates are applied. It also includes managing your hardware upgrades. In this lesson, you will review the importance of change management, and techniques you can use to perform upgrades to your Exchange Server computers. After completing this lesson, you will be able to:
   Describe change management.
   Describe the change management process.
   Describe software updates.
   Deploy software updates.
   Determine when to upgrade your hardware.
   Implement hardware upgrades.
Key Points
The change management process controls environmental change through a framework, such as the Microsoft Operations Framework, that includes change management components. Change management is important, as it can lead to better application availability, better educated IT staff, and a more predictable infrastructure. Planning which changes to deploy, and how and when to deploy them, falls into the purview of a change management framework.
Question: How does your organization address change management?
Question: Are there some situations where change management is more important?
Question: What are the benefits of having a formal change management process?
Question: Are there situations in which you cannot follow the normal change process?
Key Points
The change management process varies widely from organization to organization. The basic components for managing change are as follows:
1. Adopt a process model like the Microsoft Operations Framework. A number of well-defined frameworks are available. Adopting an established framework may make educating employees easier, because they already may be familiar with the framework.
2. Define a process and use it consistently. Once you have a process, ensure that everyone involved understands why it was adopted, and how to follow the process.
3. Support the change management process. If you do not support the process properly, it will not be as effective as possible. It is essential that everyone work to support the process.
Key Points
Software requires continuous improvement, whether to fix software bugs, mitigate security risks, add features, or improve performance. Every month Microsoft releases relevant security updates for affected products. These updates are usually important updates that reduce security vulnerabilities. Additionally, Microsoft product groups periodically release hotfixes (interim updates), update rollups, and service packs.
Question: What is the difference between a hotfix and an update?
Question: Why should your organization deploy software updates?
Key Points
You should adopt an update deployment strategy that suits your organization's requirements. Some businesses choose to deploy updates only at set intervals, while others deploy all updates as they become available. Once you adopt a strategy, the process for deploying it is:
1. Determine which updates are required. This step relies heavily on your deployment strategy for software updates.
2. Test and document the update in a compatible environment. Testing updates before you place them in production is an essential step to ensure that the changes do not cause other problems. The testing process should include installing the update, as well as verifying that all related software still functions as expected. Testing updates often is done in a lab environment that is configured similar to the production environment. Many companies have adopted a virtualized platform such as Hyper-V to create a flexible and inexpensive test environment.
3. Test and document the back-out plan. Update deployments can fail for many reasons: updates can fail to install, can cause server failure, or can alter software behavior in an unexpected way.
4. Back up the server. Before applying an update, ensure that you can recover the server data and configuration in the event of an unsuccessful update. Performing a full backup of all data unique to the server is an essential step in deploying an update.
5. Schedule and install the software update. You can install updates in a variety of ways: you can use tools such as Windows Server Update Services or System Center Configuration Manager to complete the installation, or in smaller and more restrictive environments, you can manually install the updates.
6. Verify and monitor the software update installation. After installation, test the updated application to ensure the updates completed successfully. At times, this includes verifying that the proper file versions are present, and that the software is behaving as if the update was applied.
Key Points
Exchange Server 2010 uses hardware more efficiently than previous Exchange Server versions, which means there may be less need than in the past to upgrade hardware. In particular, Exchange Server 2010 reduces disk activity. Disk capacity is one of the most commonly required hardware upgrades. Proactively monitoring hardware performance (processor, memory, disk, or network) is the best way to determine whether bottlenecks exist in the environment. Another valid trigger for researching hardware issues is gathering and examining user feedback. You should not rely solely on user feedback as the first indication of issues, but it can help you pinpoint particular user issues with the hardware.
Key Points
Hardware upgrades are more difficult to test than software upgrades. Many organizations do not use exactly the same hardware in a test environment as they do in a production environment. However, to the extent possible, test your hardware upgrades on non-production hardware. The upgrade process works as follows:
1. Determine which upgrades are required. After reviewing the monitoring data to determine the bottleneck, you will know which hardware changes or upgrades you need to deploy.
2. Test and document the upgrade in a test environment. Testing and documenting updates in a test lab reduces the likelihood of running into problems during hardware deployment.
3. Test and document the back-out plan. Sometimes the upgrade does not go as planned, so documenting the steps required to return the server to the pre-upgraded state is essential. Although this may seem like extra work, when problems arise during a change and you must complete or back out the change within a limited amount of time, it is best to have the steps already worked out.
4. Back up the server. Before applying the upgrade, ensure that you can recover the server data and the configuration should your upgrade be unsuccessful. Performing a full backup of all data unique to the server is an essential step in deploying an update.
5. Schedule and install the hardware upgrade. Working within the change management process, schedule the upgrade and then assign a qualified person to complete the documented steps.
6. Verify and monitor the hardware upgrade. After completing the upgrade, monitor the hardware for basic functionality and to ensure that it performs as you would expect.
Lesson 3
Even in a well-maintained Exchange Server organization, problems can arise that you must identify and repair. Although general troubleshooting guidelines exist, often experience and an analytical attitude provide the best tools for successfully discovering the problem's source and fixing it. After completing this lesson, you will be able to:
   Develop a troubleshooting methodology.
   Identify troubleshooting tools that you can use.
   Troubleshoot Mailbox servers.
   Troubleshoot Client Access servers.
   Troubleshoot Message Transport servers.
Key Points
The goal of troubleshooting is to identify and diagnose problems, and then determine and execute the necessary repair. There are many troubleshooting methods, and they vary by the type of problem that you are trying to resolve. Implementing a repeatable troubleshooting process is important so that you can quickly resolve problems. A common troubleshooting method is as follows:
1. Clearly define the problem. Obtain an accurate description of the problem by verifying the reported problem, including when you noticed it and how you can reproduce it.
2. Gather information related to the problem. Turn up logging, review event logs, and try to reproduce the problem.
3. List the potential causes of the problem. With the problem statement and gathered data, you can enumerate all potential problem causes.
4. Rank the possible causes by probability, and define their solutions. Create a list of either solutions or additional troubleshooting that is required to address each potential cause. Search your knowledge base, product support documentation, and the Internet for information about possible resolutions.
5. Rank solutions by ease of resolution and impact to complete. Try the most probable and easily implemented resolutions first.
6. Work through the list of solutions, one at a time, until you resolve the issue, or gather additional information that changes the definition of the problem.
7. Reduce logging to normal.
8. Document the resolution and root cause for future reference. Although you may remember details of the solution later, documenting the root cause and the resolution will reduce resolution times in the future.
Troubleshooting Tools
Key Points
Over the years, a number of useful Exchange Server troubleshooting tools have been introduced. Each tool has a specific use, but they all use detailed product knowledge and information about your environment to suggest potential problem solutions.
   Exchange Best Practices Analyzer (ExBPA). This invaluable tool enables you to identify potential issues based on deviations from best practices, and to gather a great deal of information about the Exchange Server organization that you can use for reference and for troubleshooting problems.
   Performance Troubleshooter. This tool helps you locate and identify performance-related issues that could affect Exchange servers. You diagnose problems by selecting the symptoms observed. Based on the symptoms, the tool walks you through the correct troubleshooting path. Performance Troubleshooter identifies possible bottlenecks and suggests corrective actions.
   The Exchange Mail Flow Troubleshooter. This tool helps provide easy access to various data sources that are required to troubleshoot problems with mail flow, such as non-delivery reports, queue backups, and slow deliveries. The tool then automatically diagnoses the retrieved data, presents an analysis of the possible root causes, and suggests corrective actions.
Other tools such as the Performance and Reliability Monitor check the health of the Exchange Server processes. You can use the Queue Viewer to view the message status in transport queues. Tools such as Network Monitor and Telnet can help you troubleshoot network issues and message tracking, and the routing log viewer can help you troubleshoot message delivery issues. For information about other troubleshooting tools, refer to the CD content.
Key Points
You can apply standard troubleshooting techniques to the unique problems that can occur with Mailbox servers. Use tools such as the Database Troubleshooter and the Event Viewer to identify the problem and work toward a resolution. Question: A database has gone offline. What process can you use to troubleshoot the problem?
Key Points
You can apply standard troubleshooting techniques to the unique problems that can occur with Client Access servers. Use tools such as the Exchange Best Practices Analyzer and the Event Viewer to identify the problem and work toward a resolution. Question: Outlook users can no longer connect to the system. What process can you use to troubleshoot the problem?
Key Points
You can apply standard troubleshooting techniques to the unique problems that can occur with transport servers. Use tools such as the Queue Viewer, message tracking system, and Mail Flow Troubleshooter to identify the problem, and then work toward a resolution. Question: Users are reporting non-deliverable and slow-to-deliver outbound e-mail. What process can you use to troubleshoot the problem?
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. Ensure that the 10135A-VAN-DC1 and 10135A-VAN-EX1 virtual machines are running:
   10135A-VAN-DC1: Domain controller in the Adatum.com domain.
   10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain.
3. If required, connect to the virtual machines. Log on to the virtual machines as Adatum\Administrator, using the password Pa$$w0rd.
Lab Scenario
You are the messaging administrator at A. Datum Corporation. You need to configure basic monitoring by using the Performance and Reliability Monitor. You also must troubleshoot issues with a mailbox database and a Client Access server.
Task 2: Create a new performance counter data collector set for monitoring basic Exchange Server performance
1. Create a performance data collector set named Base Exchange Monitoring.
2. Add the following performance counters to monitor basic Exchange Server performance on VAN-EX1:
   Object: Processor
   Counters: % Processor Time, % User Time, % Privileged Time
   Object: Memory
   Counters: Available Megabytes (MB), Page Reads/sec, Pages Input/sec, Pages/sec, Pages Output/sec, Pool Paged Bytes, Transition Pages Repurposed/sec
   Object: (object name missing from the source table)
   Counters: LDAP Read Time, LDAP Search Time, LDAP Searches timed out per minute, Long running LDAP operations/Min
   Object: System
   Counters: Processor Queue Length
Task 3: Create a new performance counter data collector set for monitoring Mailbox server role performance
1. Create a performance data collector set named Mailbox Role Monitoring.
2. Add the following performance counters to monitor basic Exchange Server performance on VAN-EX1:
   Object: LogicalDisk
   Counters: Avg. Disk sec/Read, Avg. Disk sec/Transfer, Avg. Disk sec/Write
   Object: MSExchangeIS
   Counters: RPC Averaged Latency, RPC Num Slow Packets, RPC Operations/sec, RPC Requests, Messages Queued for Submission
   Object: (object name missing from the source table)
   Counters: Messages Queued for Submission
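A scripted version of Tasks 2 and 3 that also closes the loop with Lesson 1: it creates both data collector sets with logman, then samples the counters the lesson gives thresholds for (disk read under 20 ms, write under 100 ms, processor queue length of at most 10 per core) and flags any breach. This is example code added here, not part of the course lab files; it assumes an elevated PowerShell session on VAN-EX1, and the "MSExchange ADAccess Domain Controllers" object name for the LDAP counters is an assumption, since the lab table does not show it.

```powershell
# Added example, not part of the course lab files. Assumptions: run in an
# elevated PowerShell on VAN-EX1; the object "MSExchange ADAccess Domain
# Controllers" for the LDAP counters is assumed (the lab table omits it);
# counter names use their exact Windows spelling, so "Available Megabytes (MB)"
# is "Available MBytes" and "RPC Num Slow Packets" is "RPC Num. of Slow Packets".

$baseCounters = @(
    '\Processor(_Total)\% Processor Time',
    '\Processor(_Total)\% User Time',
    '\Processor(_Total)\% Privileged Time',
    '\Memory\Available MBytes',
    '\Memory\Page Reads/sec',
    '\Memory\Pages Input/sec',
    '\Memory\Pages/sec',
    '\Memory\Pages Output/sec',
    '\Memory\Pool Paged Bytes',
    '\Memory\Transition Pages RePurposed/sec',
    '\MSExchange ADAccess Domain Controllers(*)\LDAP Read Time',
    '\MSExchange ADAccess Domain Controllers(*)\LDAP Search Time',
    '\System\Processor Queue Length'
)
$mailboxCounters = @(
    '\LogicalDisk(*)\Avg. Disk sec/Read',
    '\LogicalDisk(*)\Avg. Disk sec/Transfer',
    '\LogicalDisk(*)\Avg. Disk sec/Write',
    '\MSExchangeIS\RPC Averaged Latency',
    '\MSExchangeIS\RPC Num. of Slow Packets',
    '\MSExchangeIS\RPC Operations/sec',
    '\MSExchangeIS\RPC Requests',
    '\MSExchangeIS\Messages Queued for Submission'
)

# Tasks 2 and 3: create and start the two data collector sets (15-second
# sample interval, logs under C:\PerfLogs). PowerShell passes each array
# element to logman as its own quoted argument.
logman create counter "Base Exchange Monitoring" -c $baseCounters -si 00:00:15 -o "C:\PerfLogs\BaseExchange"
logman create counter "Mailbox Role Monitoring" -c $mailboxCounters -si 00:00:15 -o "C:\PerfLogs\MailboxRole"
logman start "Base Exchange Monitoring"
logman start "Mailbox Role Monitoring"

# Lesson 1 thresholds: read latency under 0.020 s, write latency under 0.100 s,
# and a processor queue length of no more than 10 per logical processor.
$cores = [int]$env:NUMBER_OF_PROCESSORS
$thresholds = @{
    '\LogicalDisk(_Total)\Avg. Disk sec/Read'  = 0.020
    '\LogicalDisk(_Total)\Avg. Disk sec/Write' = 0.100
    '\System\Processor Queue Length'           = 10 * $cores
}

# Six samples five seconds apart, averaged per counter: a single spike is
# normal, a sustained average above the threshold is what the lesson warns about.
$samples = Get-Counter -Counter ([string[]]$thresholds.Keys) -SampleInterval 5 -MaxSamples 6
foreach ($path in $thresholds.Keys) {
    $values = $samples |
        ForEach-Object { $_.CounterSamples } |
        Where-Object { $_.Path -like "*$path" } |
        ForEach-Object { $_.CookedValue }
    $avg   = ($values | Measure-Object -Average).Average
    $state = if ($avg -gt $thresholds[$path]) { 'ABOVE THRESHOLD' } else { 'ok' }
    '{0,-45} avg={1,10:N3} limit={2,8:N3} {3}' -f $path, $avg, $thresholds[$path], $state
}
```

The logman lines need to run only once; the Get-Counter section can be re-run at any time to take a fresh reading against the same thresholds.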
Results: After this exercise, you should have created a data collector set for monitoring VAN-EX1 that uses the performance counters that this module recommends.
Preparation
Before you begin this exercise, complete the following steps:
1. On VAN-EX1, open the Exchange Management Shell.
2. At the prompt, type d:\Labfiles\Lab11Prep2.ps1, and then press ENTER. When prompted, type N, and press ENTER.
3. Close the Exchange Management Shell.
Task 4: List the probable causes of the problem, and rank the possible solutions if multiple options exist
List the problems and possible solutions: Problem Possible solution
Results: After this exercise, you should have used a troubleshooting technique to identify and fix a Mailbox server problem.
Preparation
Before you begin this exercise, complete the following steps:
1. On VAN-EX1, open the Exchange Management Shell.
2. At the prompt, type d:\Labfiles\Lab11Prep3.ps1, and then press ENTER.
3. Close the Exchange Management Shell.
Task 4: List the probable causes of the problem, and rank the possible solutions if multiple options exist
List the problems and possible solutions: Problem Possible solution
Note: During this task, click OK to dismiss any messages that indicate that VAN-EX2 is not accessible.
2. Take the necessary actions to fix the problem. Run IISReset after fixing the problem.
Results: After this exercise, you should have used a troubleshooting technique to identify and fix a Client Access server problem.
Important: Start the VAN-DC1 virtual machine first, and ensure that it starts fully before starting the other virtual machines.
6. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.
7. Wait for VAN-EX1 to start, and then start VAN-EX2. Connect to the virtual machine.
Review Questions
1. Users are reporting issues with sending e-mail to a remote domain. You need to determine the problem and then resolve it. What should you do?
2. Recent organizational growth has resulted in two issues. It has caused several memory counters to exceed their recommended thresholds, as well as the average read-latency threshold for the logical disk that stores the page file. What issue should you address first?
3. After reviewing the trend information retrieved from the monitoring system, you noticed that the processor usage for one of the four Mailbox servers is higher than average. What should you do?
Issue: Multiple sources are simultaneously reporting different problems.
Troubleshooting tip: Gather as much information as possible about each of the reported problems. Although there might be multiple issues, it is likely that you will find a connection between the multiple reported problems.
Issue: Users are reporting slowness or other subjective problems.
Troubleshooting tip: As always, take each report seriously and try to gather as much objective information about the problem as possible. Only then will you reach a suitable and objective solution.
11-34
2.
3.
Upgrading from Exchange Server 2003 or Exchange Server 2007 to Exchange Server 2010
Module 12
Upgrading from Exchange Server 2003 or Exchange Server 2007 to Exchange Server 2010
Contents:

- Lesson 1: Overview of Upgrading to Exchange Server 2010 (12-3)
- Lesson 2: Upgrading from Exchange Server 2003 to Exchange Server 2010 (12-10)
- Lesson 3: Upgrading from Exchange Server 2007 to Exchange Server 2010 (12-27)
Module Overview
Many organizations already use Microsoft Exchange Server 2003 or Microsoft Exchange Server 2007 to provide messaging services. When these organizations choose to implement Microsoft Exchange Server 2010, they can upgrade the existing Exchange Server organization to Exchange Server 2010. Alternately, they can deploy a parallel Exchange Server organization, and then move mailboxes and other data from one organization to the other. Most organizations might choose to perform an upgrade because it is significantly easier and results in minimal disruption for the messaging users.

This module provides an overview of the options that organizations have when they choose to implement Exchange Server 2010. This module also provides details on how to upgrade an existing Exchange Server 2003 or Exchange Server 2007 organization to Exchange Server 2010.

After completing this module, you will be able to:

- Describe the general Microsoft Exchange Server 2010 upgrade scenarios and strategies.
- Upgrade from Microsoft Exchange Server 2003 to Exchange Server 2010.
- Upgrade from Microsoft Exchange Server 2007 to Exchange Server 2010.
Lesson 1
Overview of Upgrading to Exchange Server 2010

When you decide to implement an Exchange Server 2010 messaging system in your organization, you may need to maintain both your previous messaging system and Exchange Server 2010 until you ensure the new implementation works correctly. While you upgrade the system, users will need to send e-mail and schedule meetings. The Exchange Server 2010 implementation should disrupt normal business processes minimally, if at all. This lesson describes the options that are available for upgrading existing messaging systems to Exchange Server 2010, and it provides recommendations for when to use each approach.

After completing this lesson, you will be able to:

- Describe the upgrade options for Exchange Server.
- Describe the upgrade scenarios that are supported in Exchange Server 2010.
- Explain the various upgrade strategies.
Key Points
Exchange Server 2010 supports several different options for upgrading from other messaging systems.
Important: When you perform a migration from one Exchange Server organization to another, you also need to deploy a second Active Directory Domain Services (AD DS) forest, and then migrate all user accounts to the second forest. Each Exchange Server organization requires a unique Active Directory forest.

- In-Place Upgrade. In this scenario, you upgrade a single computer that is running a previous Exchange Server version to a newer Exchange Server version. Exchange Server 2010 does not support in-place upgrades.
Key Points
Upgrading an Exchange Server organization to Exchange Server 2010 is usually the easiest option. Therefore, most organizations choose this path for upgrading their existing Exchange Server deployments. However, this option has several prerequisites.
| Exchange Server version |
| --- |
| Exchange Server 2007 Service Pack 2 or newer |
| Mixed Exchange Server 2007 and Exchange Server 2003 organization |

Note: When upgrading from Exchange Server 2007, you must upgrade all of your organization's Exchange Server 2007 servers to Service Pack 2.

Note: Before you install Exchange Server 2010 servers into an existing Exchange Server 2003 organization, you must configure the organization to run in native mode.
Upgrade Strategies
Key Points
When planning an Exchange Server 2010 upgrade, you can choose between several options for the upgrade process. Choosing the best option for your organization depends on your current environment, your organization's requirements for data migration, and your project timeline.

While this upgrade is the fastest option, it also introduces a significant risk if the upgrade fails. This scenario is feasible only for small organizations that must replace just a few servers and have only a small number of users to migrate.

- Multiphase upgrade with coexistence. In a multiphase upgrade, you upgrade one server or site at a time to Exchange Server 2010. Because you spread this incremental upgrade over a longer period, you decrease your organization's risk. However, in this scenario, you also must plan for coexistence or interoperability. This is the best approach for medium to large organizations because of their complex messaging requirements.
Coexistence Components
In most coexistence scenarios, you must ensure that users with mailboxes on both messaging systems have access to the following:

- E-mail message flow. When you run two messaging systems, users must be able to send e-mail to other organizational users, and to and from users on the Internet. Message flow should be transparent to users. Users do not need to know, nor should it matter, which messaging system contains the recipient's mailbox.
- Global Address List (GAL). To simplify the process of sending messages between messaging systems, you must ensure that you synchronize the GAL between the messaging systems.
- Calendar information. To facilitate scheduling of meetings between the two messaging systems, you must ensure that Free/Busy information replicates between the two messaging systems.
- Public folder contents. If the organization stores important information in public folders, you may need to replicate the public-folder contents between the messaging systems.

Note: If you implement an upgrade to Exchange Server 2010, the design of the upgrade process ensures the maintenance of these coexistence components throughout the coexistence.
Lesson 2
Upgrading from Exchange Server 2003 to Exchange Server 2010

Many organizations still use Exchange Server 2003 for their messaging system, and they might not have any plans of upgrading to Exchange Server 2007. Microsoft supports an upgrade from Exchange Server 2003 to Exchange Server 2010 for these organizations. This lesson describes how to upgrade an Exchange Server 2003 organization to Exchange Server 2010.

After completing this lesson, you will be able to:

- Describe how to prepare an Exchange Server 2003 organization for Exchange Server 2010.
- Explain the process for installing Exchange Server 2010 in an Exchange Server 2003 organization.
- Describe how client access works during coexistence.
- Describe how to implement client access.
- Describe the considerations for Microsoft Office Outlook client coexistence.
- Describe the considerations for message transport coexistence.
- Describe the considerations for administration coexistence.
- Describe the process for removing Exchange Server 2003 from an organization.
Preparing the Exchange Server 2003 Organization for Exchange Server 2010
Key Points
Before you start the upgrade process, you must prepare the Active Directory directory service and AD DS for the Exchange Server 2010 deployment. To do this, you must run Exchange Server 2010 setup using the /PrepareLegacyExchangePermissions parameter and the /PrepareAD parameter.
Note: For more information on the /PrepareLegacyExchangePermissions setup parameter, see the Preparing Legacy Exchange Permissions page on the Microsoft TechNet Web site.

Note: You can run Exchange Server 2010 setup with the /PrepareLegacyExchangePermissions parameter on a computer running Windows Server 2008 or newer, or on a computer running the Windows Vista operating system with SP2 or newer. You must install the prerequisite software on the computer where you run setup. The prerequisite tools are Microsoft .NET Framework 3.5 SP1 or newer, AD DS management tools, and Microsoft Windows PowerShell version 2. The Remote Server Administration Tools for Windows Vista includes the AD DS management tools. If you run the command from a computer running Windows Server 2008 R2, all the prerequisite components are installed already, except for Microsoft .NET Framework 3.5 and the Active Directory management tools.
The PrepareAD command also extends the schema to include the Exchange Server 2010 schema objects and attributes.
Process for Installing Exchange Server 2010 in an Exchange Server 2003 Organization
Key Points
When deploying Exchange Server 2010 in a supported Exchange Server organization, you must follow a specific process.
or more Internet-accessible sites. When upgrading Active Directory sites, you should upgrade Internet-accessible sites before non-Internet accessible sites.
Key Points
The Client Access server role provides the functionality that a front-end server provided in Exchange Server 2003, and it includes additional functionalities. All client connectivity, including Microsoft Office Outlook MAPI connectivity, now goes through the Client Access server role. You must deploy the Client Access server role in every Active Directory site that includes an Exchange Server 2010 Mailbox server.
When an Outlook Anywhere client connects to the Client Access server, and the user mailbox is located on an Exchange Server 2010 Mailbox server, the RPC proxy service on the Client Access server connects to the Mailbox server using RPC.
Key Points
During coexistence, you need to ensure that users have access to their mailboxes on both the Exchange Server 2003 back-end servers and Exchange Server 2010 Mailbox servers. The following steps describe how to enable this:

1. Obtain the required server certificates. To support external client coexistence with the Exchange Server 2010 Client Access server and legacy Exchange server, you may need to acquire a new certificate. You should request a certificate that supports at least the following subject alternative names:
   - The primary URL used to access the Exchange 2010 Client Access server.
   - The AutoDiscover server name.
   - An alternate name for the URL that connects to the Exchange Server 2003 front-end server.
2. Install and configure the Exchange 2010 Client Access server. You should configure the following settings:
   - Configure the external name space during or after setup by using the Exchange Management Console or Exchange Management Shell (EMS).
   - Configure the Client Access server virtual directories to meet your company requirements.
   - Configure the Exchange 2003 URL for Outlook Web App redirection. To do this, use the Set-OwaVirtualDirectory cmdlet with the -Exchange2003Url parameter. For example: Set-OwaVirtualDirectory -Identity "LON-EX3\owa*" -Exchange2003Url https://legacy.contoso.com/exchange

Note: The Exchange Server 2003 URL must refer to an Exchange Server 2003 front-end server, or to a load-balanced array of front-end servers if you have multiple Exchange Server 2003 servers that host mailboxes.

3. Configure DNS. To configure DNS, you should:
   - Create the legacy host record, such as legacy.contoso.com, in your external DNS infrastructure, and configure it to reference the Exchange Server 2003 front-end server. This record is required to ensure that client computers on the Internet can locate the Exchange Server 2003 front-end server when they are redirected to the legacy URL.
   - Create the host record for Autodiscover, which is Autodiscover.contoso.com, and configure it to reference the Exchange Server 2010 Client Access server.
   - Create or modify the host record for the primary URL, which is mail.contoso.com, and configure it to reference the Exchange Server 2010 Client Access server.
4. If you are using RPC over HTTPS on the Exchange Server 2003 servers, configure the Exchange Server 2003 front-end server to not participate in an Exchange managed RPC-HTTP topology. This is because the Exchange 2010 Client Access server operates as the RPC over HTTPS proxy server rather than the Exchange Server 2003 front-end server. To disable this setting in Exchange System Manager, select the Not part of an Exchange managed RPC-HTTP topology option on the RPC-HTTP tab of the front-end server's properties.
5. Test all client scenarios, and ensure they function correctly.
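The following script is an added example, not code from the course, that carries steps 1 to 3 above into the Exchange Server 2010 Management Shell: it checks that an installed certificate covers the three required names, sets the Exchange 2003 redirection URL, reads it back, and confirms the DNS records resolve. LON-EX3 and the contoso.com names are the course's sample values; the verification logic is an assumption.

```powershell
# Added example (not course code): certificate, redirection URL and DNS
# checks for Exchange 2003 / Exchange 2010 client access coexistence.
# LON-EX3 and the contoso.com names are the course's sample values.

$casServer     = 'LON-EX3'
$requiredNames = @('mail.contoso.com', 'autodiscover.contoso.com', 'legacy.contoso.com')
$legacyUrl     = 'https://legacy.contoso.com/exchange'

# 1. Find an installed certificate whose subject alternative names cover every
#    required name. Host names are compared case-insensitively.
$cert = Get-ExchangeCertificate -Server $casServer | Where-Object {
    $domains = $_.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }
    $missing = $requiredNames | Where-Object { $domains -notcontains $_.ToLower() }
    -not $missing
} | Select-Object -First 1

if (-not $cert) {
    throw "No certificate on $casServer covers all of: $($requiredNames -join ', ')"
}
Write-Host "Certificate $($cert.Thumbprint) covers the required names"

# 2. Redirect Outlook Web App users whose mailbox is still on Exchange 2003 to
#    the legacy front-end URL (the Set-OwaVirtualDirectory step in the text).
Set-OwaVirtualDirectory -Identity "$casServer\owa (Default Web Site)" -Exchange2003Url $legacyUrl

# 3. Read the value back rather than trusting the set call.
$owa = Get-OwaVirtualDirectory -Identity "$casServer\owa (Default Web Site)"
if ([string]$owa.Exchange2003Url -ne $legacyUrl) {
    throw "Exchange2003Url is '$($owa.Exchange2003Url)', expected '$legacyUrl'"
}

# 4. Confirm the host records from the DNS step exist. Which address each name
#    should return depends on your environment, so only resolution is checked.
foreach ($name in $requiredNames) {
    try {
        $addresses = [System.Net.Dns]::GetHostAddresses($name) |
            ForEach-Object { $_.IPAddressToString }
        Write-Host ("{0} -> {1}" -f $name, ($addresses -join ', '))
    } catch {
        Write-Warning ("{0} does not resolve: {1}" -f $name, $_.Exception.Message)
    }
}
```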
Key Points
Exchange Server 2003 and Outlook 2003 or earlier clients require system public folders to provide access to free/busy information and to enable offline clients to download the offline address book. Exchange Server 2010 and Outlook 2007 or newer clients do not use public folders to provide this functionality. As you upgrade your Exchange Server organization, you need to ensure that all messaging clients continue to have access to the services they require.
connecting to an Exchange Server 2007 Client Access server use a Web service to download the offline address book. In an Exchange Server 2003 organization, one of the Exchange servers performs daily updates of the offline address book. When you deploy an Exchange Server 2010 Mailbox server in your organization, you can use the Exchange Server 2010 management tools to move this role to a server running Exchange Server 2010. You will also need to configure the offline address book so that it is distributed through the Exchange Web service. If your organization includes Outlook 2003 clients, you need to ensure that you create a replica, on the Exchange Server 2010 mailbox server, of the system folders for the offline address book.
Key Points
To support coexistence between different Exchange versions, all servers running Exchange Server 2010 are added automatically to a single routing group when you install Exchange Server 2010. The Exchange System Manager in Exchange Server 2003 or Exchange 2000 Server recognizes the Exchange Server 2010 routing group as Exchange Routing Group (DWBGZMFD01QNBJR) within Exchange Administrative Group (FYDIBOHF23SPDLT). The Exchange Server 2010 routing group includes all Exchange Server 2010 servers, regardless of the Active Directory site in which they reside.

Important: You never should modify the default configuration for the Exchange Server 2010 routing group. Exchange Server 2010 does not support moving servers from this routing group to another, renaming the Exchange Server 2010 routing group, or manually adding Exchange 2003/2000 Servers to the Exchange Server 2010 routing group.

that is created when you install the first Hub Transport Server. For example, if a user with a mailbox on an Exchange Server 2003 server sends a message to a user with a mailbox on an Exchange Server 2010 server, the message is sent using the following process:

1. The Exchange 2003 server that hosts the mailbox sends the message to the Exchange Server 2003 bridgehead server that you configure on the routing-group connector.
2. The Exchange 2003 bridgehead server sends the message to the Exchange Server 2010 Hub Transport server that is the bridgehead server on the routing-group connector.
3. The Exchange Server 2010 Hub Transport server sends the message to the Exchange 2010 Mailbox server hosting the user mailbox.
To optimize message routing, consider creating a new routing-group connector in each routing group as you deploy a Hub Transport server in the corresponding Active Directory sites. This enables you to send messages between the messaging systems, without routing them to another company location. You must use Exchange Management Shell to manage routing-group connectors. If you implement multiple routing-group connectors between the two Exchange Server versions, you also must suppress link-state updates on Exchange Server 2003. Servers running Exchange Server 2003 maintain a link-state routing table that determines a message's routing inside the organization. If a particular routing group is inaccessible by using the lowest cost route, the routing group master updates the link-state table to show the link's state as down.
Exchange Server 2010 Hub Transport servers do not use link-state routing, and Exchange Server 2010 cannot propagate link-state updates. You should suppress link-state updates for each server running Exchange Server 2003 or Microsoft Exchange 2000 Server. This enables the servers that are running Exchange Server 2003 to queue at the failure point rather than recalculating the route. Note: For more information on configuring link-state updates, see the How to Suppress Link State Updates page on the Microsoft TechNet Web site.
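As an added example (not code from the course), the following Exchange Server 2010 Management Shell script creates the additional, bidirectional routing-group connector described above for a second site and then suppresses link-state updates on each Exchange Server 2003 server. The server names are assumptions; the registry value it writes is the one described in the TechNet article the note refers to.

```powershell
# Added example (not course code): routing-group connector for a second site
# plus link-state suppression on the Exchange 2003 servers. Server names are
# assumptions.

$hub2010         = 'VAN-EX2'                        # Exchange 2010 Hub Transport (assumed)
$bridgeheads2003 = @('VAN-EX2003', 'VAN-EX2004')    # Exchange 2003 servers in the site (assumed)
$connectorName   = 'Vancouver RGC 2003-2010'

# 1. One cmdlet with -Bidirectional creates the connector in both directions,
#    so cross-version mail stays inside the site instead of travelling over
#    the connector created with the first Hub Transport server elsewhere.
if (-not (Get-RoutingGroupConnector | Where-Object { $_.Name -eq $connectorName })) {
    New-RoutingGroupConnector -Name $connectorName `
        -SourceTransportServers $hub2010 `
        -TargetTransportServers $bridgeheads2003 `
        -Cost 10 -Bidirectional $true -PublicFolderReferralsEnabled $true
}
Get-RoutingGroupConnector |
    Format-Table Name, SourceRoutingGroup, TargetRoutingGroup, Cost -AutoSize

# 2. With more than one connector between the versions, Exchange 2003 must stop
#    propagating link-state changes. The switch is a per-server registry value
#    (DWORD SuppressStateChanges = 1 under the routing engine's Parameters key);
#    the SMTP, MTA Stacks and Routing Engine services on that server must be
#    restarted afterward for it to take effect.
$subKey = 'SYSTEM\CurrentControlSet\Services\RESvc\Parameters'
foreach ($server in $bridgeheads2003) {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $server)
    $key = $hklm.OpenSubKey($subKey, $true)
    if ($key -eq $null) {
        Write-Warning ("{0}: key {1} not found; is this an Exchange 2003 server?" -f $server, $subKey)
        $hklm.Close()
        continue
    }
    $key.SetValue('SuppressStateChanges', 1, [Microsoft.Win32.RegistryValueKind]::DWord)
    $applied = $key.GetValue('SuppressStateChanges')   # read back to confirm the write
    $key.Close()
    $hklm.Close()
    Write-Host ("{0}: SuppressStateChanges = {1}" -f $server, $applied)
}
```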
Key Points
As you perform the upgrade to Exchange Server 2010, you also must plan for continued administration of the organization.
| Exchange Server 2003 administrative option | Exchange Server 2010 equivalent |
| --- | --- |
| role at the organization level. | role group. |
| Assign Exchange Administrator role at the organization level. | Exchange Server 2010 does not have a role group equivalent to the Exchange Administrator role. You can create a role group and assign the required permissions through RBAC. |
| Assign Exchange View Administrator role at the organization level. | Add users or groups to the Exchange View-Only Administrator role. |
| Assign Exchange Full Administrator role at the administrative group level. | Create a new role group that is assigned all management roles, but with a limited scope. |
| Assign Exchange View Administrator role at the administrative group level. | Create a new role group with View-Only permissions and a limited scope. |
| Assign recipient administrators with Exchange View Administrator role and Active Directory permissions. | Add users and groups to the Exchange Recipient Administrator role group. |
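The following Exchange Server 2010 Management Shell script is an added example, not code from the course, showing how the administrative-group rows of the table above translate into scoped RBAC role groups. The scope names, role-group names, the OU contoso.com/Vancouver, the server names and the member groups are assumptions, and the role list for the full-administrator group is a representative subset where the table calls for all management roles.

```powershell
# Added example (not course code): RBAC equivalents of Exchange 2003
# administrative-group delegations, limited to one site. All names are
# assumptions.

# 1. Scopes: the role groups may only write to these servers and these recipients.
New-ManagementScope -Name 'Vancouver Servers' -ServerList 'VAN-EX1', 'VAN-EX2'
New-ManagementScope -Name 'Vancouver Recipients' `
    -RecipientRoot 'contoso.com/Vancouver' `
    -RecipientRestrictionFilter { RecipientType -eq 'UserMailbox' }

# 2. "Exchange Full Administrator at the administrative group level": recipient
#    roles scoped to the Vancouver OU, plus a server role scoped to the
#    Vancouver servers (a representative subset of the management roles).
$recipientRoles = 'Mail Recipients', 'Mail Recipient Creation', 'Distribution Groups'
New-RoleGroup -Name 'Vancouver Full Administrators' -Roles $recipientRoles `
    -CustomRecipientWriteScope 'Vancouver Recipients' `
    -Members 'VanAdmins' `
    -Description 'Replaces Exchange Full Administrator on the Vancouver administrative group'
New-ManagementRoleAssignment -Role 'Exchange Servers' `
    -SecurityGroup 'Vancouver Full Administrators' `
    -CustomConfigWriteScope 'Vancouver Servers'

# 3. "Exchange View Administrator at the administrative group level": the
#    view-only roles carry no write permission, so no write scope is attached.
New-RoleGroup -Name 'Vancouver View-Only Administrators' `
    -Roles 'View-Only Configuration', 'View-Only Recipients' -Members 'VanAuditors'

# 4. Recipient administrators join the built-in recipient role group.
Add-RoleGroupMember -Identity 'Recipient Management' -Member 'VanHelpdesk'

# 5. Verify: every assignment on the full-administrator group must carry a
#    custom write scope; an unscoped one would grant organization-wide writes.
$unscoped = Get-ManagementRoleAssignment -RoleAssignee 'Vancouver Full Administrators' |
    Where-Object { -not $_.CustomRecipientWriteScope -and -not $_.CustomConfigWriteScope }
if ($unscoped) {
    $unscoped | Format-Table Role, RecipientWriteScope, ConfigWriteScope -AutoSize
    throw 'Unscoped role assignments found on Vancouver Full Administrators'
}
Get-ManagementRoleAssignment -RoleAssignee 'Vancouver Full Administrators' |
    Format-Table Role, CustomRecipientWriteScope, CustomConfigWriteScope -AutoSize
```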
Key Points
After you deploy the Exchange Server 2010 servers in the Exchange Server 2003 organization, you can start moving the mailboxes and other resources from the existing servers to the Exchange 2010 servers. Then you can start removing the Exchange 2003 servers.
Lesson 3
Upgrading from Exchange Server 2007 to Exchange Server 2010

The second scenario for upgrading to Exchange Server 2010 is for organizations that are currently running Exchange Server 2007. This scenario's upgrade process is similar to upgrading from Exchange Server 2003, but there are some important differences. This lesson describes how to complete the upgrade from Exchange Server 2007 to Exchange Server 2010.

After completing this lesson, you will be able to:

- Explain the process for installing Exchange Server 2010 in an Exchange Server 2007 organization.
- Describe how client access works during coexistence.
- Describe how to implement client access.
- Describe the considerations for message transport coexistence.
- Describe the considerations for administration coexistence.
- Describe the process for removing Exchange Server 2007 from an organization.
Process for Installing Exchange Server 2010 in an Exchange Server 2007 Organization
Key Points
Complete the following steps to deploy Exchange Server 2010 servers in an Exchange Server 2007 organization:

1. Update all of the Exchange Server 2007 servers to Service Pack 2. Exchange Server 2010 setup checks the server versions of all Exchange servers, and the requirement checks fail if a server is not upgraded. Exchange Server 2007 SP2 includes several schema updates that are required for interoperability with Exchange Server 2010.

If an organization only has a single Active Directory site, use the following process for deploying Exchange Server 2010.

2. Install the Exchange Server 2010 Client Access server. After you complete this installation, you should use this as the primary connection point for all client connections. This means that you should modify the AutoDiscover settings, both internally and externally, to point to the Exchange Server 2010 Client Access server.

Note: Later sections of this lesson include more information on how to configure the client-access settings, including the Autodiscover settings.

3. Install the Exchange Server 2010 Hub Transport server. Both Exchange Server 2007 and Exchange Server 2010 Mailbox servers must use a Hub Transport server that is the same version as the Mailbox server for routing messages in the same site.
4. Install Exchange Server 2010 Unified Messaging servers. If you have deployed Unified Messaging in Exchange Server 2007, add the Exchange Server 2010 UM Server to one of your organization's dial plans.
5. Install the Exchange Server 2010 Mailbox servers. After the rest of the infrastructure is in place, you can deploy the Exchange Server 2010 Mailbox servers, and start moving mailboxes and public folders to the new servers.
6. Install the Exchange Server 2010 Edge Transport servers. Exchange Server 2010 Edge Transport servers can synchronize only with Exchange Server 2010 Hub Transport servers.
For organizations with multiple sites, there typically are two types of Active Directory sites: Internet-accessible sites, and non-Internet accessible sites. A single Exchange Server organization may have one or more Internet-accessible sites. When upgrading Active Directory sites, you must begin your upgrade by upgrading Internet-accessible sites first, followed by non-Internet accessible sites. You should follow the same process for deploying Exchange 2010 servers in both Internet accessible and non-Internet accessible sites. Before deploying any Exchange Server 2010 Mailbox server in a site, you must deploy Exchange Server 2010 Client Access and Hub Transport servers.
Key Points
The Client Access server role in Exchange Server 2010 has changed significantly from the Client Access server in Exchange Server 2007. The most important change is that all client connectivity, including Outlook MAPI connectivity, now goes through the Client Access server role.
If the Mobile client does support Autodiscover, the Autodiscover service on the Exchange Server 2010 Client Access server redirects the client to use the external URL configured on the Exchange Server 2007 Client Access server.
- When an Exchange ActiveSync client connects to the Client Access server, and the user mailbox is located on an Exchange 2010 Mailbox server, the Client Access server connects to the Mailbox server using RPC and provides access to the user mailbox.
- When an Outlook Anywhere client connects to the Client Access server, and the user mailbox is located on an Exchange Server 2007 Mailbox server, the RPC proxy service on the Client Access server connects to the back-end server using RPC.
- When an Outlook Anywhere client connects to the Client Access server, and the user mailbox is located on an Exchange 2010 Mailbox server, the RPC proxy service on the Client Access server connects to the back-end server using RPC.
- If the user mailbox is on an Exchange Server 2007 Mailbox server in a different Active Directory site, the Exchange Server 2010 Client Access server always proxies the client requests. For Outlook Web App and Exchange ActiveSync clients, the Client Access server proxies the requests using HTTP to an Exchange Server 2007 Client Access server. For Outlook Anywhere clients, the Client Access server proxies the request using RPC to an Exchange Server 2007 Mailbox server.
- When a MAPI client connects to the user mailbox, and the user mailbox is on an Exchange Server 2007 server, the MAPI client connects directly to the Mailbox server. If the user mailbox is on an Exchange Server 2010 server, the MAPI client connects to an Exchange 2010 Client Access server.

Note: When you move a user mailbox from an Exchange Server 2007 Mailbox server to an Exchange Server 2010 Mailbox server, the client profile is configured automatically to use the Exchange Server 2010 Client Access server for MAPI connectivity. You do not need to modify the client profile manually.
Key Points
During coexistence, you need to ensure that users with mailboxes on both Exchange Server 2007 Mailbox servers and Exchange Server 2010 Mailbox servers can access their mailboxes. The following steps describe how to enable this:

1. Obtain the required server certificates. To support external client coexistence with the Exchange Server 2010 Client Access server and legacy Exchange servers, you may need to acquire a new certificate. You should request a certificate that supports at least the following Subject Alternative Names:
   - The primary URL to use to access the Exchange 2010 Client Access server.
   - The AutoDiscover server name.
   - An alternate name for the URL to use to connect to the Exchange 2007 Client Access server.

Note: The Exchange Server 2010 Client Access server requires this certificate, but you also might install the same certificate on the Exchange 2007 Client Access server. The Exchange Server 2007 Client Access server requires a certificate with subject alternative names that include the alternate name, legacy.contoso.com, and the Autodiscover server name.

2. Install and configure the Exchange Server 2010 Client Access server. You should configure the external name space during or after setup by using the Exchange Management Console or EMS.
3. Modify the external URLs on the Exchange Server 2007 Client Access server to use the alternate name. If you are using legacy.contoso.com as the alternate name, configure this as the external URL for the Outlook Web App, Offline Address Book, Unified Messaging, Web Services and Exchange ActiveSync virtual directories.
4. Configure DNS. To configure DNS, you should:
   - Create the legacy host record, which is legacy.contoso.com, in your external DNS infrastructure, and configure it to reference the Exchange Server 2007 Client Access server.
   - Create or modify the host record for Autodiscover, which is Autodiscover.contoso.com, and configure it to reference the Exchange 2010 Client Access server.
   - Create or modify the host record for the primary URL, which is mail.contoso.com, and configure it to reference the Exchange Server 2010 Client Access server.
5. If you use Outlook Anywhere on the Exchange Server 2007 servers, disable Outlook Anywhere on the Exchange Server 2007 Client Access server. When you implement Outlook Anywhere on the Exchange Server 2010 Client Access server, it proxies the Outlook Anywhere client requests directly to the Exchange Server 2007 Mailbox server.
6. Test all client scenarios, and ensure they function correctly.
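The script below is an added example, not code from the course, covering steps 3 and 5 of the procedure above from the Exchange Server 2007 Management Shell (each version's tools manage only its own servers, as the administration lesson later notes): it moves every external URL on the Exchange Server 2007 Client Access server to the legacy name, disables Outlook Anywhere there, and verifies that no external URL still points elsewhere. VAN-CAS07 and VAN-EX1 are assumed server names; legacy.contoso.com and mail.contoso.com are the course's sample names.

```powershell
# Added example (not course code): run in the Exchange Server 2007 Management
# Shell against the Exchange 2007 Client Access server. Server names are
# assumptions.

$legacyCas  = 'VAN-CAS07'          # Exchange 2007 Client Access server (assumed)
$legacyHost = 'legacy.contoso.com'
$site       = 'Default Web Site'

# 1. Step 3 of the procedure: every Internet-facing virtual directory listed
#    there gets an external URL on the legacy host name.
Set-OwaVirtualDirectory         -Identity "$legacyCas\owa ($site)" -ExternalUrl "https://$legacyHost/owa"
Set-OabVirtualDirectory         -Identity "$legacyCas\OAB ($site)" -ExternalUrl "https://$legacyHost/OAB"
Set-WebServicesVirtualDirectory -Identity "$legacyCas\EWS ($site)" -ExternalUrl "https://$legacyHost/EWS/Exchange.asmx"
Set-ActiveSyncVirtualDirectory  -Identity "$legacyCas\Microsoft-Server-ActiveSync ($site)" `
    -ExternalUrl "https://$legacyHost/Microsoft-Server-ActiveSync"
Set-UMVirtualDirectory          -Identity "$legacyCas\UnifiedMessaging ($site)" `
    -ExternalUrl "https://$legacyHost/UnifiedMessaging"

# 2. Step 5 of the procedure: Outlook Anywhere moves to the Exchange 2010
#    Client Access server, so switch it off on the 2007 server.
if (Get-OutlookAnywhere -Server $legacyCas -ErrorAction SilentlyContinue) {
    Disable-OutlookAnywhere -Server $legacyCas -Confirm:$false
}
# Then, from the Exchange 2010 Management Shell, enable it on the new server
# (VAN-EX1 assumed) under the primary name:
#   Enable-OutlookAnywhere -Server VAN-EX1 -ExternalHostname mail.contoso.com `
#       -DefaultAuthenticationMethod Basic -SSLOffloading $false

# 3. Verify: no external URL on the 2007 server may still use another host,
#    otherwise Internet clients redirected to the legacy name end up elsewhere.
$vdirs = @(
    Get-OwaVirtualDirectory         -Server $legacyCas
    Get-OabVirtualDirectory         -Server $legacyCas
    Get-WebServicesVirtualDirectory -Server $legacyCas
    Get-ActiveSyncVirtualDirectory  -Server $legacyCas
    Get-UMVirtualDirectory          -Server $legacyCas
)
$wrong = $vdirs | Where-Object { $_.ExternalUrl -and $_.ExternalUrl.Host -ne $legacyHost }
if ($wrong) {
    $wrong | Format-Table Identity, ExternalUrl -AutoSize
    throw "Some external URLs on $legacyCas do not use $legacyHost"
}
Write-Host "All external URLs on $legacyCas use $legacyHost"
```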
Key Points
A second coexistence component between the two Exchange Server versions is message transport. Message transport coexistence is configured automatically, as long as the correct versions of Hub Transport servers are available.
Note: In Exchange Server 2010, you can view message-tracking information using the Exchange Management Console or the Exchange Control Panel. If an administrator or user views the message-tracking information in Exchange Control Panel, the message can be tracked only on Exchange Server 2010 Hub Transport servers. Administrators can track messages on both Exchange Server 2010 and Exchange Server 2007 Hub Transport servers by using the Message Tracking tool in Exchange 2007 and the Tracking Log Explorer tool in Exchange Server 2010.
Key Points
When implementing Exchange Server 2010 in an Exchange Server 2007 organization, you also need to plan for administrative coexistence. In this scenario, you need to consider how you will use the Exchange Server management tools and how you will delegate permissions.
You can view only Exchange Server 2007 and Exchange Server 2010 servers from their corresponding version of the Exchange Management Console. The Queue Viewer tool in Exchange Server 2010 Management Console cannot connect to an Exchange Server 2007 server to view queues or messages.
Key Points
After deploying the Exchange Server 2010 servers, you can start moving resources to the Exchange Server 2010 servers and removing the Exchange Server 2007 servers.
2. Remove the Exchange Server 2007 Unified Messaging server role.
3. Remove the Exchange Server 2007 Hub Transport servers.
4. Remove the Exchange Server 2007 Client Access Servers.
After you remove the last mailbox and public folder from the Exchange Server 2007 Mailbox server, you may remove all other Exchange Server 2007 servers in the Active Directory site.
Review Questions
1. Your organization is deploying Exchange Server 2010 in an Exchange 2003 organization. You have made the changes to Active Directory. What is the first Exchange 2010 server role that you should deploy? How will this deployment change the user experience?
2. Why do you need to configure a new external URL on Exchange Server 2007 Client Access servers when you deploy Exchange Server 2010 Client Access servers?
3. Your organization includes two locations and Active Directory sites. You have deployed Exchange Server 2007 servers in both sites. You now are deploying Exchange Server 2010 servers in one of the sites and removing the Exchange Server 2007 servers. When can you remove the last Exchange 2007 Hub Transport server in the site?
| Issue | Troubleshooting tip |
| --- | --- |
| Client Access servers for Internet access. Users with mailboxes on Exchange Server 2010 Mailbox servers can access their mailbox using Outlook Web App from the Internet, but users with mailboxes on the Exchange Server 2007 Mailbox servers cannot. | firewall configuration to ensure that all client requests to the legacy URL are directed to the Exchange Server 2007 Client Access server. |
| You have deployed Exchange Server 2010 servers in your Exchange Server 2007 organization. You need to modify the settings on both Exchange Server 2007 and Exchange Server 2010 servers, but you cannot see both servers in the Exchange Management Console. | You have to use the same version of the Exchange Management Console as the server that you are managing. |
Tools
| Tool | Use for | Where to find it |
| --- | --- | --- |
Course Evaluation
Your evaluation of this course will help Microsoft understand the quality of your learning experience. Please work with your training provider to access the course evaluation form. Microsoft will keep your answers to this survey private and confidential and will use your responses to improve your future learning experience. Your open and honest feedback is valuable and appreciated.
Appendix A
Implementing Unified Messaging
Contents:

- Lesson 1: Overview of Telephony (A-3)
- Lesson 2: Introducing Unified Messaging (A-13)
- Lesson 3: Configuring Unified Messaging (A-28)
- Lab: Implementing Unified Messaging (A-39)
Appendix Overview
Unified Messaging combines voice and e-mail messaging into one location, accessible from a telephone and a computer. Microsoft Exchange Server 2010 Unified Messaging integrates Exchange Server with telephony networks and makes the Unified Messaging features available in the user mailbox. This module describes how Unified Messaging works with your telephony system and Exchange Server environment, and how to configure Unified Messaging. After completing this module, you will be able to:
• Describe telephony systems.
• Describe Unified Messaging features and integration with Exchange Server 2010.
• Configure Unified Messaging.
Lesson 1
Overview of Telephony
Unified Messaging enables you to integrate telephony systems with Exchange Server 2010. You must have an understanding of core telephony concepts to understand how Unified Messaging works and how to implement it. In this lesson, you will learn the basics about a telephony system and what protocols Unified Messaging provides. After completing this lesson, you will be able to:
• Describe types of telephone systems.
• Describe telephony-system components.
• Describe types of Private Branch Exchange (PBX) phone systems.
• Describe Voice over IP (VoIP) gateways.
• Describe Unified Messaging protocols.
Key Points
There are three general types of business telephone systems: Centrex, Key Telephone System, and PBX. You can integrate each of these phone systems with Unified Messaging.
The PBX routes internal phone calls, and those between external and internal users. In a PBX system, each user has a telephone extension. When an internal user places a call to another internal user, they dial just the extension number, and the PBX routes the call to the appropriate extension. Users make external telephone calls through a PBX by dialing 9 or 0, and then the external number. You configure this external access number on the PBX, which then automatically selects an outgoing trunk line to complete the call. The PBX accepts incoming calls and automatically forwards them to the appropriate organizational extension. In larger organizations, PBXs make it possible for users to reach other users in different locations just by dialing an extension number. This may involve networking multiple PBXs.
Key Points
Telephony administrators use specialized terminology to describe many of the features and concepts that relate to PBXs. When deploying Unified Messaging servers, you need to understand these terms and how they relate to Unified Messaging.
Dial Plan
A dial plan consists of the rules that a PBX uses to determine what action to take when it receives a set of dialed numbers. For example, a 9 often triggers call setup to an outside line, so that users can call external phone numbers. When 9 is not the first number, the PBX needs to know how many numbers to collect before taking action. If internal extension numbers are three digits long, it waits for just three numbers before taking action.
Hunt Group
A hunt group is a collection of extensions. In most cases, a hunt group represents a set of identical resources that an application or a group shares. This provides more efficient access to applications, such as voice mail, an auto attendant, or even a call center, so that callers do not experience a busy signal. Instead, the PBX hunts for an open line to which to connect them.
Pilot Number
A pilot number is the address or label that the PBX uses to identify a hunt group. It is an unused extension, meaning it is not associated with a person or phone. For example, there may be a specific extension number 3900 for the telesales team, which may be the pilot number for the hunt group of telesales extension numbers. When a call comes into the 3900 sales number, the PBX recognizes it as a pilot number and searches for an available line within the sales hunt group. The PBX then delivers the call to an available sales extension number.
Coverage Path
A coverage path is a set of directions that you configure for each extension; it tells the PBX where to route unanswered calls and calls that receive busy signals. If a DID call arrives at a user's desktop phone, and the line is busy or the call is not answered within a certain number of rings, the PBX knows to send the call to the pilot number for the hunt group that attaches to the VoIP gateway. The PBX routes the call through the VoIP gateway to the Unified Messaging server, where the caller can record a voice message. The Unified Messaging server sends the voice message to the Unified Messaging user's mailbox.
Call Transfer
Users routinely transfer calls from one extension to another. An unsupervised transfer occurs when a user transfers a call to another extension without determining whether that extension's user answers the call. For example, consider when a user transfers a call to voice mail when a phone is not answered or is busy.
Types of PBXs
Key Points
The PBX system is the most common type that medium- and large-size organizations use. There are several types of PBX systems available.
Analog PBX
Analog PBX systems send voice and signaling information, such as the touch tones of dialed phone numbers, as actual analog sound. Analog PBX systems never digitize the sound. To direct the call, the PBX and the phone company's central office (CO) listen for the signaling information.
Digital PBX
Digital PBXs encode analog sound into a digital format. They typically encode the voice using a standard industry audio codec, G.711. Once digital PBXs encode the sound, they send the digitized voice on a channel using circuit switching. Circuit switching establishes an end-to-end, open connection, and leaves the channel open for the call's duration and for the call's users only. Some PBX manufacturers have proprietary signaling methods for call setup.
IP PBX
IP PBXs carry voice over data networks. The IP phone contains a Network Interface Card (NIC), so it is part of the network. The phone converts voice into digitized packets, which it then places on the data network. The network sends the voice packets via packet switching, a technique that enables a single network channel to handle multiple calls. The IP PBX also acts as a gateway between the internal packet-switched network and the external circuit-switched networks that telephone companies use. In this situation, external phone calls arrive at the IP PBX on the normal public phone lines, and the IP PBX converts the phone call to packets sent on the internal IP-based network.
Hybrid PBX
Hybrid PBXs provide both digital and IP PBX capabilities. This hybrid approach enables a customer to run a mixture of digital and IP-based phones. Most modern PBXs are in this hybrid category.
Key Points
Telephony and computer systems traditionally use different types of networks to enable communication between attached devices. A telephony system typically uses a circuit-switching network, while a computer system traditionally uses a packet-switching network. You may need to deploy a VoIP gateway to translate between a circuit-switched network and a packet-switched data network.
Circuit-Switched Networks
A circuit-switched network uses a dedicated connection between two network devices. For example, you pick up the telephone receiver and dial a phone number. By answering the call, the recipient completes the circuit. After the two nodes establish a call between them, only these two nodes may use the connection. When one of the nodes ends the call, this cancels the connection. Circuit-switched networks, such as the Public Switched Telephone Network (PSTN), transmit multiple calls across the same transmission medium. Frequently, the medium that a PSTN uses is copper. However, it also may use fiber optic cable.
Packet-Switched Networks
Packet switching is a technique that divides a data message into smaller units called packets. The network sends the packets to their destination by the best route available, and then reassembles them at the receiving end.
VoIP
VoIP is a technology that enables an IP-based network to act as the transmission medium for telephone calls. It sends voice data in IP packets rather than by circuit-switched telephone lines. Translating a call from a circuit-switched network to a packet-switched network is complicated because the underlying network connections are so different.
VoIP Gateway
A VoIP gateway is a third-party hardware device or product that converts traditional phone-system or circuit-switching protocols into data-networking or packet-switched protocols. The VoIP gateway connects a telephone network with a data network. Unified Messaging servers can connect only to packet-switched data networks. This means that organizations with a traditional PBX must deploy a VoIP gateway to communicate between the PBX and the Unified Messaging server. The following table lists the types of telephony systems, and explains when a VoIP gateway is required:
Note: For a list of VoIP gateways and IP/PBX systems that Unified Messaging supports, see the Exchange Server TechCenter.
Key Points
There are a number of voice-related, IP-based protocols. A Unified Messaging environment with Exchange Server 2010 uses the following:
• Session Initiation Protocol (SIP). SIP is a real-time signaling protocol that creates, manipulates, and tears down interactive communication sessions on an IP network. You can use SIP in conjunction with Transport Layer Security (TLS) to provide security. Exchange Server Unified Messaging uses SIP mapped over Transmission Control Protocol (TCP) and supports TLS for secured SIP environments. SIP clients, such as IP/VoIP gateways and IP/PBXs, can use TCP port 5060 or port 5061 (for Secure SIP) to connect to SIP servers.
• Real-Time Transport Protocol (RTP). RTP is for voice transport between the IP gateway and the Unified Messaging server. RTP provides high-quality, real-time, streaming voice delivery. One of the issues with sending voice messages over an IP network is that voice requires real-time transport with specific quality requirements to ensure that the voice sounds normal. If the protocol uses large packets, listeners must wait for the entire packet to arrive before they can respond. Any delay in packet delivery can produce undesirable periods of midstream silence. Packet loss can cause voice garbling.
For more information: Request for Comment (RFC) 3550 (which updates RFC 1889) describes RTP, while RFC 3261 (which updates RFC 2543) describes SIP.
• Real-Time Facsimile or T.38. T.38 is an Internet fax-transport protocol. It sets procedures for fax transmission when a portion of the path includes an IP network. The Unified Messaging system uses it to relay a fax that a user originally sends via a voice line across an IP network, in real time.
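Whether SIP signaling and RTP media are actually protected depends on settings that are easy to leave at their defaults. The following Exchange Management Shell script is an added example, not part of the course material and not Exchange's own tooling; it reports which Unified Messaging servers, dial plans and IP gateways still accept unencrypted SIP or RTP. It assumes an Exchange Server 2010 organization and the Get-UMServer, Get-UMDialPlan and Get-UMIPGateway cmdlets; the names Contoso-HQ and UM01 in the disabled remediation section are placeholders.

```powershell
# Added example, not part of the course: report which Unified Messaging
# components still accept unencrypted SIP signaling or RTP media.
# Assumes an Exchange Server 2010 organization and that it runs in the
# Exchange Management Shell; it reads whatever server, dial plan and gateway
# objects exist there.

# UMStartupMode decides which SIP listeners the UM service opens:
#   TCP  -> port 5060 only (SIP in the clear)
#   TLS  -> port 5061 only (SIP over TLS, server certificate required)
#   Dual -> both ports
foreach ($srv in Get-UMServer) {
    if ($srv.UMStartupMode -ne 'TLS') {
        Write-Warning ("UM server {0} is in {1} mode and accepts SIP on TCP port 5060." -f `
            $srv.Name, $srv.UMStartupMode)
    }
}

# VoIPSecurity on the dial plan decides what gateway and UM server negotiate:
#   Unsecured  -> SIP and RTP in the clear
#   SIPSecured -> SIP over TLS, RTP still in the clear
#   Secured    -> SIP over TLS and SRTP for the media
foreach ($plan in Get-UMDialPlan) {
    switch ($plan.VoIPSecurity) {
        'Unsecured'  { Write-Warning ("Dial plan {0}: signaling and voice are unencrypted." -f $plan.Name) }
        'SIPSecured' { Write-Warning ("Dial plan {0}: signaling encrypted, voice (RTP) is not." -f $plan.Name) }
        default      { Write-Host    ("Dial plan {0}: SIP over TLS and SRTP." -f $plan.Name) }
    }
}

# A gateway that belongs to a TLS dial plan must be addressed by FQDN so that
# its certificate subject can be validated; an IP-addressed gateway cannot be.
foreach ($gw in Get-UMIPGateway) {
    if ($gw.Address.ToString() -match '^\d{1,3}(\.\d{1,3}){3}$') {
        Write-Warning ("IP gateway {0} is addressed by IP ({1}); TLS dial plans need an FQDN." -f `
            $gw.Name, $gw.Address)
    }
}

# Remediation, left disabled: move the dial plan to Secured, put the UM server
# into TLS-only mode, and restart the UM service so the new listener mode
# takes effect. Contoso-HQ and UM01 are placeholder names.
$remediate = $false
if ($remediate) {
    Set-UMDialPlan -Identity 'Contoso-HQ' -VoIPSecurity Secured
    Set-UMServer   -Identity 'UM01' -UMStartupMode TLS
    Restart-Service MSExchangeUM
}
```

Run the script read-only first; switching a dial plan to SIPSecured or Secured requires that the VoIP gateway or IP PBX on the other side is also configured for TLS (and SRTP for Secured) and trusts the UM server's certificate, otherwise calls stop arriving.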
Lesson 2
Introducing Unified Messaging
Unified Messaging enables users to receive e-mail, voice, and fax services in their Exchange Server inbox, and allows users to access mailbox contents by phone. This simplifies the experience for users, because they must access and manage only one location for all message types. This also provides more functionality for users because they can use traditional messaging clients to access voice or fax messages, and they can use telephone technology to access e-mail messages. Unified Messaging also simplifies administrators' workloads because they must manage this data in one location only. This lesson introduces the features and requirements for Exchange Server 2010 Unified Messaging. After completing this lesson, you will be able to:
• Describe Unified Messaging.
• Describe Unified Messaging communication.
• Describe server communications for Unified Messaging.
• Describe Unified Messaging call-answering features.
• Describe Microsoft Office Outlook Voice Access features.
• Describe how Unified Messaging works with a VoIP gateway.
• Integrate Unified Messaging with Office Communications Server (OCS) 2007 R2.
• Describe international Unified Messaging requirements.
Key Points
Unified Messaging provides the convergence of voice and e-mail messaging into one store, accessible from a phone, a computer running an e-mail client, and mobile devices. Most users and information technology (IT) departments manage their voice mail separately from their e-mail. Usually, voice messages and e-mail exist as separate inboxes on separate servers, and users access them with different clients. Frequently, each communication tool requires a separate address list, which can make it difficult to keep all address lists synchronized. Unified Messaging brings these tools together, and it offers an integrated store and user experience for all Exchange Server message types.
• Call-answering rules (Personal Auto Attendant). The Unified Messaging role allows Unified Messaging-enabled users to create and customize call-answering rules to enhance their callers' call-answering experience.
Key Points
Unified Messaging combines voice and e-mail messaging in the Exchange Server store, and it integrates telephony networks into Exchange Server 2010. Phone calls enter the organization through an IP PBX or a legacy PBX. A legacy PBX needs a Unified Messaging IP gateway to speak a Unified Messaging protocol such as SIP, whereas most IP PBXs already support SIP directly. The Unified Messaging role communicates with regular phones or the PSTN through the PBX. The public telephone network that connects to the PBX communicates using Time Division Multiplexing (TDM). TDM is a technique for transmitting multiple digitized data, voice, and video signals simultaneously over one communication medium; it does this by interleaving pulses representing bits from different channels, or time slots. Unified Messaging handles all internal communications as follows:
• It connects to Active Directory Domain Services (AD DS) using Lightweight Directory Access Protocol (LDAP).
• It connects to the Mailbox server using MAPI.
• It accepts requests from the Client Access server over RPC.
• In the case of OCS 2007 integration, it accepts SIP requests from the OCS server for missed call notifications.
As usual, any Exchange Server client computer using Outlook 2007, Outlook 2010, or Outlook Web App communicates with the Client Access server role. In Exchange Server 2010, Outlook 2007 and Outlook 2010 send their Unified Messaging-related Web services requests to the Client Access server. However, there is no separate Unified Messaging virtual directory as there was in Exchange Server 2007.
Key Points
To install Unified Messaging servers, you also must have the Mailbox, Hub Transport, and Client Access server roles installed in the same Active Directory site. The Unified Messaging servers cannot provide full functionality unless they can communicate with all of these server roles.
When Unified Messaging subscribers call the Unified Messaging server to access their mailbox contents via Outlook Voice Access, the Unified Messaging server directly accesses the Mailbox server to extract the mailbox contents. All communications between the Unified Messaging server and the Mailbox server use MAPI.
Communication with the Hub Transport server role. The Unified Messaging server communicates with the Hub Transport server role to send messages to the Mailbox server. When a caller leaves a voice mail for a Unified Messaging subscriber or sends a fax to a Unified Messaging subscriber, the Unified Messaging server attaches the voice mail or fax to a message and forwards it to the Hub Transport server using Simple Mail Transfer Protocol (SMTP).
Communication with the Client Access server role. The Unified Messaging server communicates with the Client Access server role when a subscriber uses the Play on Phone feature or resets their personal identification number (PIN) through Outlook Web App. Using Play on Phone, a Unified Messaging subscriber can use Outlook 2007 or Outlook Web App to instruct the Unified Messaging server to send a voice mail to a telephone number. When the user does this, the client communicates with Unified Messaging Web Services, which you install on a Client Access server. Unified Messaging Web Services then uses SIP to communicate with the Unified Messaging server, which instructs the VoIP gateway to place the phone call.
Key Points
Call handling describes how an Exchange Server 2010 Unified Messaging server answers and handles incoming calls. The Unified Messaging server can handle a variety of incoming calls.
Voice Calls
The Unified Messaging server uses voice-call handling when an internal or external user leaves a voice message for an Exchange Server 2010 Unified Messaging user. The Unified Messaging server creates Multipurpose Internet Mail Extensions (MIME) messages from incoming calls, and then submits them to a Hub Transport server using SMTP. The Hub Transport server submits the message to the user's Mailbox server. The Unified Messaging server always uses SMTP to send voice messages, even if the mailbox resides on the same computer on which you install the Unified Messaging server role.
When you configure a Unified Messaging auto attendant, you can create custom WAV files and replace the default prompts to meet your organization's needs.
Key Points
Outlook Voice Access enables Unified Messaging users to access their Exchange Server 2010 mailbox using mobile devices or an analog, digital, or wireless telephone.
• Reply to meeting requests using voice inputs to send messages to meeting participants.
• Decline or cancel meetings.
• Interact with their global address list (GAL) and their personal contact list. These interactions can include:
  • Locating a person in the GAL or personal contact list.
  • Inputting a telephone extension number to leave a message.
  • Sending voice messages.
Outlook Voice Access is central to the Unified Messaging infrastructure because it allows users to access their mailboxes through universally accessible telephones.
Key Points
The following steps describe the communication flow for an organization's incoming phone calls when it deploys Exchange Server 2010 Unified Messaging:
1. A caller dials a user's number in the organization. This caller could be inside or outside the organization. The call is connected to the PBX. The PBX uses the call recipient's extension number to route the call to the appropriate desk phone, which then rings.
2. If the recipient does not answer the call, the PBX checks its configuration to see where to route the unanswered call. In this case, the PBX routes the unanswered calls for this phone to the number associated with the VoIP gateway.
3. The VoIP gateway converts the circuit-switched protocols to packet-switched protocols. It uses the information about the Exchange Server Unified Messaging environment, which you configure during the VoIP gateway installation, to route the call to the appropriate Unified Messaging server.
4. The Unified Messaging server receives the now VoIP-based, packet-switched call. The Unified Messaging server contacts AD DS to retrieve the recipient information. This Active Directory lookup uses the combination of dial plan plus extension number, which provides a unique identifier for each mailbox. The Unified Messaging server uses this information to contact the user's mailbox to play the individual's greeting. Then the Unified Messaging server answers the call and captures the voice message. The Unified Messaging server packages the message into a voice message for Exchange Server. It then uses SMTP to route the message to a Hub Transport server in the same site. The Hub Transport server routes the voice message to the user's Exchange Server mailbox, where it is stored. The message is accessible to the Unified Messaging subscriber through Outlook Voice Access, Outlook, Outlook Web App, or Exchange ActiveSync.
Note: These steps describe the communication flow when Exchange Server 2010 Unified Messaging answers a call. The process is similar when you use other systems, such as Outlook Voice Access or auto attendant access. For example, when using Outlook Voice Access, the user calls a number that you configure the PBX to forward automatically to the VoIP gateway. The gateway then forwards the call to the Unified Messaging server, which checks AD DS for the user mailbox location. It then uses MAPI to connect to the appropriate Mailbox server. When you use an auto attendant, the PBX forwards the call through the VoIP gateway to the Unified Messaging server, which locates the requested information in AD DS.
Key Points
Exchange Server 2010 Unified Messaging provides OCS 2007 R2 with the voice mailbox feature. Only Unified Messaging supports this feature. Additionally, because Unified Messaging uses the existing IP PBX that is configured with OCS 2007 R2, you do not need additional hardware to connect Unified Messaging to your PBX if OCS 2007 R2 is already installed. OCS 2007 R2 also provides other features that integrate with Unified Messaging, such as instant messaging, presence information, Web conferencing, and VoIP telephony:
• Instant messaging. The OCS 2007 R2 client provides instant messaging (IM) functionality that the OCS server hosts. The solution provides IM features, such as group IM, and extends the internal IM infrastructure to external IM providers.
• Presence information. OCS 2007 R2 tracks presence information for all OCS users, and it provides this information to the OCS 2007 R2 client and other applications, such as Outlook 2007.
• Web conferencing. OCS 2007 R2 can host on-premises conferences, which you can schedule or reschedule, and they can include IM, audio, video, application sharing, slide presentations, and other forms of data collaboration.
• Audio conferencing. Users can join OCS 2007-based audio conferences using any desk or mobile phone. When connecting to an audio conference using a Web browser, users can provide a telephone number that the audio-conferencing service calls.
• VoIP telephony. Enterprise Voice enables OCS 2007 R2 users to place calls from their computers by clicking an Outlook or Communicator contact. Users receive calls simultaneously on all their registered user endpoints, which may be a VoIP phone, mobile phone, or OCS 2007 R2 client. The OCS 2007 R2 Attendant is an integrated call-management client application that enables a user, such as a receptionist, to manage many conversations simultaneously.
• Response Group service. This service enables administrators to create and configure one or more small response groups for routing and queuing incoming phone calls to one or more designated agents. Typical scenarios include an internal help desk or customer-service desks.
Key Points
Unified Messaging provides language packs to satisfy international Unified Messaging requirements. In multiple-language environments, you should install the applicable Unified Messaging language packs, because some Unified Messaging users prefer their voice prompts in a different language, or because they receive e-mail messages in multiple languages that they need to access using Outlook Voice Access (OVA). If you do not install the Unified Messaging language pack for a particular language, e-mail messages in that language will be illogical and incoherent when they are relayed to the user. Several key components rely on Unified Messaging language packs to enable users and callers to interact effectively with Exchange Server 2010 Unified Messaging in multiple languages. Each language pack includes:
• A Text-to-Speech (TTS) engine to read and convert messages when Outlook Voice Access users access their inboxes.
• The prerecorded prompts used to configure Unified Messaging dial plans and auto attendants.
• Automatic Speech Recognition (ASR) support for speech-enabled Unified Messaging dial plans and auto attendants.
To install a language pack, use Setup.com /AddUMLanguagePack found in the Exchsrvr\Bin directory of the Exchange Server installation. Once you install your language packs, you can change the default language configured for each dial plan. Users automatically use the default language if their configured language setting in Outlook Web App is not available as a language pack. For example, if you install only the English and German language packs, and the English language pack is the default on the dial plan, a user with the French language configuration in Outlook Web App will hear English prompts. In Exchange Server 2007, each language pack included the TTS engine but only supported ASR for US English. In Exchange Server 2010, all available language packs contain ASR support.
Lesson 3
Configuring Unified Messaging
To enable Unified Messaging in Exchange Server 2010, you first need to understand how Exchange Server 2010 implements Unified Messaging. Then you need to configure the Unified Messaging server role and its required components. This lesson describes the basic Exchange Server 2010 Unified Messaging components. After completing this lesson, you will be able to:
• Describe the process for installing Unified Messaging.
• Implement a Unified Messaging dial plan.
• Implement a Unified Messaging IP gateway.
• Implement a Unified Messaging hunt group.
• Implement a Unified Messaging mailbox policy.
• Create a Unified Messaging auto attendant.
• Configure call-answering rules.
Key Points
Complete the following steps to install Unified Messaging:
1. Install the Unified Messaging server role. You must install a Mailbox server, a Hub Transport server, and a Client Access server before you can install the Unified Messaging server role. You can install the Unified Messaging role on the same computer that runs these prerequisite roles or on a separate computer.
Note: Before you install the Unified Messaging server role on a Windows Server 2008 computer, you must install the Desktop Experience feature. This feature provides the Windows Media Encoder and Windows Media Audio Voice Codec that the Unified Messaging server requires.
2. Create a Unified Messaging dial plan. A dial plan is the telephony extension-numbering plan. All users within a dial plan have a unique extension number, and the combination of dial plan and the user extension uniquely identifies each Unified Messaging user. After creating the Unified Messaging dial plan, you need to associate it with a Unified Messaging server.
3. Create a Unified Messaging IP gateway. A Unified Messaging IP gateway object represents a physical VoIP gateway (with an IP address) from which a Unified Messaging server can receive calls. The Unified Messaging server requires this information to connect to the VoIP gateway and the PBX.
4. Create a Unified Messaging hunt group. A hunt group groups phone numbers together for specific purposes. An IP gateway object contains hunt groups. You can associate one or more hunt groups with an IP gateway. A default hunt group is created automatically if you create an IP gateway and associate it with a Unified Messaging dial plan. You can customize that hunt group or create additional ones.
5. Configure a Unified Messaging mailbox policy. A Unified Messaging mailbox policy is created by default each time you create a Unified Messaging dial plan. You can configure that mailbox policy or create a new one. When you configure the policy, you can specify policy properties, such as the maximum greeting length, the number of unsuccessful login attempts before the Unified Messaging server resets the password, the minimum digits that a PIN requires, and international calling restrictions.
6. Enable mailboxes for Unified Messaging. You must enable mailboxes to allow the mailboxes to access Unified Messaging services. You must associate each user mailbox with a Unified Messaging mailbox policy and a unique extension number.
7. Create a Unified Messaging auto attendant object. The auto attendant feature is an optional component. To enable the auto attendant, you must create and configure an associated dial plan.
Note: These steps describe the process of installing Unified Messaging in an Exchange Server 2010 environment. To complete this installation in a production environment, you also must configure the PBX and the VoIP gateway to route calls to the Unified Messaging servers.
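The objects created in steps 2 through 6 of the procedure above can be built from the Exchange Management Shell in the same order. The following script is an added example, not course material and not Exchange's own code; it uses the Exchange Server 2010 cmdlets New-UMDialPlan, Set-UMServer, New-UMIPGateway, New-UMHuntGroup, New-UMMailboxPolicy, Set-UMMailboxPolicy and Enable-UMMailbox. The names Contoso-HQ, UM01, HQ-Gateway, gw01.contoso.com, Toni Poe and all extension numbers are constructed placeholders.

```powershell
# Added example, not part of the course: Exchange Management Shell commands for
# steps 2 to 6 of the installation procedure. Every name, number and address
# here is a constructed placeholder; replace them with your own values.

# Step 2: dial plan. Four-digit extensions, telephone-extension URIs, SIP over
# TLS plus SRTP between gateway and UM server, and 4000 as the Outlook Voice
# Access (subscriber access) number.
New-UMDialPlan -Name "Contoso-HQ" -NumberOfDigitsInExtension 4 -URIType TelExtn `
    -VoIPSecurity Secured -CountryOrRegionCode 1 -AccessTelephoneNumbers "4000"

# Associate the dial plan with the UM server. -DialPlans sets the whole list,
# so include any dial plans the server already serves.
Set-UMServer -Identity "UM01" -DialPlans "Contoso-HQ"

# Step 3: IP gateway object for the physical VoIP gateway. A Secured dial plan
# needs an FQDN address so the gateway certificate can be validated. Naming the
# dial plan here also creates the default hunt group for it.
New-UMIPGateway -Name "HQ-Gateway" -Address "gw01.contoso.com" -UMDialPlan "Contoso-HQ"

# Step 4: an explicit hunt group whose pilot identifier equals the pilot number
# of the PBX hunt group that forwards to the gateway; the UM server uses it to
# map an incoming call to this dial plan.
New-UMHuntGroup -Name "HQ-VoiceMail" -UMDialPlan "Contoso-HQ" `
    -UMIPGateway "HQ-Gateway" -PilotIdentifier "4000"

# Step 5: mailbox policy. The dial plan already received a default policy; this
# one sets the greeting and PIN properties the procedure names.
New-UMMailboxPolicy -Name "Contoso-HQ Secure Policy" -UMDialPlan "Contoso-HQ"
$policy = @{
    Identity                    = "Contoso-HQ Secure Policy"
    MaxGreetingDuration         = 2       # minutes
    MinPINLength                = 8       # digits
    AllowCommonPatterns         = $false  # rejects 1234, 1111 and similar
    MaxLogonAttempts            = 10      # lock the UM mailbox after 10 failures
    LogonFailuresBeforePINReset = 5       # reset the PIN after 5 failures
    PINLifetime                 = 90      # days before the PIN must change
    PINHistoryCount             = 5       # recent PINs that cannot be reused
}
Set-UMMailboxPolicy @policy

# Step 6: enable a mailbox with the policy and a unique extension. -PinExpired
# makes the user replace the initial PIN at first logon.
Enable-UMMailbox -Identity "Toni Poe" -UMMailboxPolicy "Contoso-HQ Secure Policy" `
    -Extensions "4123" -Pin "27491835" -PinExpired $true

# Verify the chain dial plan -> server -> gateway -> hunt group -> policy -> mailbox.
Get-UMDialPlan -Identity "Contoso-HQ" | Format-List Name, VoIPSecurity, UMServers, UMMailboxPolicies
Get-UMHuntGroup | Format-Table Name, UMDialPlan, UMIPGateway, PilotIdentifier -AutoSize
Get-UMMailbox -Identity "Toni Poe" | Format-List UMEnabled, Extensions, UMMailboxPolicy
```

The PIN settings are where the policy matters most from a security standpoint: a voice mailbox is protected only by the PIN, so the minimum length, the rejection of common patterns and the lockout and reset thresholds in the policy are the controls that limit guessing, and they apply to every mailbox linked to the policy.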
Key Points
The Unified Messaging dial plan is the basic Unified Messaging administrative unit. It is the telephony extension-numbering plan. Within Unified Messaging, the dial plan, plus the extension number, provides the unique identifier for each Unified Messaging user. The dial plan also controls the numbering scheme and the outbound dialing plan.
Key Points
The Unified Messaging IP gateway is an Active Directory container object that logically represents a physical IP gateway hardware device that translates between the circuit-switched telephone network and an IP or packet-switched network. The Unified Messaging IP gateway can represent either a VoIP gateway or an IP-PBX. The Unified Messaging IP gateway contains one or more Unified Messaging hunt-group objects and other Unified Messaging IP gateway-configuration settings, including the actual IP gateway object. The combination of the IP gateway object and a Unified Messaging hunt-group object establishes a logical link between an IP gateway hardware device and a Unified Messaging dial plan. Note: Before an IP gateway can process calls, a Unified Messaging IP gateway must be associated with at least one Unified Messaging dial plan.
Key Points
The Unified Messaging hunt group is a logical representation of an existing PBX or IP PBX hunt group. When the hunt group's pilot number receives a call, the PBX or IP PBX looks for the next available extension number to deliver the call. When the call's recipient does not answer an incoming call, or the line is busy because the recipient is on another call, the PBX or IP PBX routes the call to the Unified Messaging server. Unified Messaging hunt groups act as a connection or link between the Unified Messaging IP gateway and the Unified Messaging dial plan. Therefore, you must associate a single Unified Messaging hunt group with at least one Unified Messaging IP gateway and one Unified Messaging dial plan. Unified Messaging hunt groups locate the PBX hunt group from which the incoming call was received. A pilot number that is specified for a hunt group in the PBX also must be specified within the Unified Messaging hunt group. The pilot number enables the Unified Messaging server to associate the call with the correct dial plan so that it can route the call correctly.
Key Points
Unified Messaging mailbox policies apply and standardize Unified Messaging configuration settings for Unified Messaging-enabled users. You can create Unified Messaging mailbox policies, and then add the policy to Unified Messaging-enabled mailboxes to apply a common set of policies or security settings. Unified Messaging mailbox policies are required before you can enable users to use Unified Messaging.
Each Unified Messaging-enabled user's mailbox must link to only one Unified Messaging mailbox policy.
Key Points
A Unified Messaging auto attendant is an optional component of the Unified Messaging server. It creates a voice-menu system that enables external and internal callers to navigate through voice menus to locate and place, or transfer, calls to company users or organizational departments. When anonymous or unauthenticated users call an external business telephone number, or when internal callers call a specified extension number, voice prompts help them place a call to a user, or locate and call a user. The Unified Messaging auto attendant uses a series of WAV files that callers hear instead of a human operator. The Unified Messaging auto attendant lets callers navigate the menu system, place calls, or locate users using DTMF or voice inputs. A Unified Messaging auto attendant provides:
• Corporate or informational greetings, such as business hours or directions to a location.
• Custom corporate menus that you can customize to have more than one level.
• A directory search function that enables callers to search the organization's name directory.
• The ability for callers to connect to the telephone of, or leave a message for, organizational members.
A Unified Messaging auto attendant can reference only one Unified Messaging dial plan. However, Unified Messaging auto attendants can reference or link to other Unified Messaging auto attendants. When you create an auto attendant, you must provide the associated dial plan and extension numbers. After creating the auto attendant, you can configure alternative greetings by specifying the WAV files to use. You also can configure different settings for work and nonwork hours, and features such as call transferring. Create auto attendants in the Exchange Management Console or by running the NewUMAutoAttendant cmdlet in the Exchange Management Shell.
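As an added example (not code from the courseware or from Microsoft), the same auto attendant created and configured from the Exchange Management Shell instead of the console. The dial plan name, pilot and operator extensions, prompt folder, WAV file names and time zone are assumptions; the cmdlets and parameters are those of Exchange Server 2010.

```powershell
# Added example, not from the courseware: create a UM auto attendant, upload its greetings,
# separate business-hours from after-hours behaviour, then enable it. Names below are assumed.

$aaName    = "Adatum Main AA"
$dialPlan  = "Adatum-DialPlan"         # assumed: an existing UM dial plan (an attendant references exactly one)
$pilot     = "5000"                    # assumed: extension the PBX or IP PBX routes to the attendant
$operator  = "5001"                    # assumed: extension of the human operator used as fallback
$promptDir = "C:\UMPrompts"            # assumed: folder holding the greeting WAV files
$timeZone  = "Pacific Standard Time"   # assumed: time zone the business-hours schedule is evaluated in

# 1. Create the attendant disabled, so callers reach nothing until greetings and menus are in place.
New-UMAutoAttendant -Name $aaName -UMDialPlan $dialPlan -PilotIdentifierList $pilot `
    -SpeechEnabled $true -Status Disabled

# 2. Upload the custom greetings. Import-UMPrompt stores each WAV with the attendant, so every
#    UM server that answers calls for the dial plan plays the same file.
foreach ($file in "BusinessHoursWelcome.wav", "AfterHoursWelcome.wav") {
    $bytes = [System.IO.File]::ReadAllBytes((Join-Path $promptDir $file))
    Import-UMPrompt -UMAutoAttendant $aaName -PromptFileName $file -PromptFileData $bytes
}

# 3. Greetings, schedule (day number.hh:mm, 1 = Monday) and transfer behaviour. After hours the
#    operator transfer is off; callers can still search the directory or leave voice mail.
Set-UMAutoAttendant -Identity $aaName `
    -BusinessHoursWelcomeGreetingFilename "BusinessHoursWelcome.wav" -BusinessHoursWelcomeGreetingEnabled $true `
    -AfterHoursWelcomeGreetingFilename "AfterHoursWelcome.wav" -AfterHoursWelcomeGreetingEnabled $true `
    -BusinessHoursSchedule "1.08:00-1.18:00","2.08:00-2.18:00","3.08:00-3.18:00","4.08:00-4.18:00","5.08:00-5.18:00" `
    -TimeZone $timeZone `
    -OperatorExtension $operator -BusinessHoursTransferToOperatorEnabled $true -AfterHoursTransferToOperatorEnabled $false `
    -NameLookupEnabled $true -CallSomeoneEnabled $true -ContactScope DialPlan

# 4. Enable it, then review what callers can reach. Transfers to outside numbers stay blocked
#    until a dialing rule group is listed in AllowedInCountryOrRegionGroups or
#    AllowedInternationalGroups; leaving both empty limits transfers to dial-plan extensions.
Enable-UMAutoAttendant -Identity $aaName
Get-UMAutoAttendant -Identity $aaName |
    Format-List Name, Status, UMDialPlan, PilotIdentifierList, SpeechEnabled, OperatorExtension,
                AllowedInCountryOrRegionGroups, AllowedInternationalGroups
```

The attendant is created disabled and enabled only after its prompts and schedule exist, and the final Get-UMAutoAttendant makes the outbound-dialing groups visible, which is the setting to check before an attendant is exposed on an external business number.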
Key Points
Call-answering rules, also known as Personal Auto Attendants, allow users to create and customize rules to enhance the experience that callers have when their calls are answered. For example, the call-answering rules can include features such as special greetings by contact or time of the day. Using call-answering rules, the caller can decide to:
• Leave a voice message for the Unified Messaging-enabled user.
• Transfer to an alternate contact of the Unified Messaging-enabled user.
• Transfer to an alternate contact's voice mail.
• Transfer to other phone numbers that the Unified Messaging-enabled user configures.
• Use the Find-Me feature or locate the Unified Messaging-enabled user via a supervised transfer.
Call-answering rules consist of conditions, a greeting and menu, and actions. You can configure call-answering rules in Outlook Web App or Outlook 2010.
Condition
The following conditions are available:
• If the caller is: calling from a phone number, this specific contact, or in my contacts folder.
• If it is during this period: working hours or nonworking hours to a specific time defined.
• If the user's schedule shows a status of: free, tentative, busy, away.
• If you turn on automatic replies, such as when you turn on an automatic Out of Office message.
Actions
Actions define the tasks that occur when callers choose specific menu selections. You can select the following actions:
• Find me at the following numbers: Defines a recording text, the number key to press to transfer, and enables you to call two phone numbers for a specific time.
• Transfer the call to: Defines a recording text, the number key to press to transfer, and either a phone number or a contact, or indicates that the call should transfer directly to voice mail.
• Leave a voice message: Directly transfers the caller to voice mail.
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and 10135A-VAN-EX2 virtual machines are running:
• 10135A-VAN-DC1: Domain controller in the Adatum.com domain.
• 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain.
• 10135A-VAN-EX2: Exchange 2010 server in the Adatum.com domain.
3. If required, connect to the virtual machines. Log on to the virtual machines as Adatum\Administrator, using the password Pa$$w0rd.
Lab Scenario
You are a messaging administrator for A. Datum Corporation. Your organization has deployed Exchange Server 2010. Your users expect to have voice access to their mailboxes, so you must enable this feature and configure Unified Messaging. Additionally, many native German speakers work at A. Datum, so you need to install the German language pack so that they also can use Unified Messaging.
Lab preparation
1. On the host computer, open Hyper-V Manager.
2. Right-click 10135A-VAN-EX2, and then click Settings.
3. Click DVD Drive, click Image file, and then click Browse.
4. Browse to C:\Program Files\Microsoft Learning\10135\Drives, click EXCH201064.iso.iso, and then click Open.
5. Click OK.
Task 7: Associate the Unified Messaging server with the dial plan
1. Open the VAN-EX2 server properties in Exchange Management Console.
2. Add an associated dial plan to the server.
Review Questions
1. If your company already implemented Microsoft Office Communication Server 2007 R2 and connected OCS to the PBX, do you need an additional IP PBX for Exchange Server 2010 Unified Messaging?
2. Users want to ensure that private voice mails are protected. Does Exchange Server 2010 Unified Messaging have a feature to do this?
Messaging server. Then use the Exchange Unified Messaging Test Phone to see if the configuration is working, before you configure your IP PBX or PBX to communicate with the Exchange server.
Tools
Tool: Exchange Server Unified Messaging Test Phone
Use for: Connect to your Unified Messaging server via voice access to your mailbox.
Where to find it: Exchange Server\bin\ExchangeUMTestPhone.exe, http://go.microsoft.com/fwlink/?LinkId=179981
Appendix B
Advanced Topics in Exchange Server 2010
Contents:
Lesson 1: Deploying Highly Available Solutions for Multiple Sites B-3
Lesson 2: Implementing Federated Sharing B-9
Appendix Overview
Microsoft Exchange Server 2010 offers several advanced features that organizations with special requirements may find interesting. These features include the ability to deploy a highly available Exchange Server across multiple data centers and deploy Federated Sharing, which enables sharing of availability and contact information between organizations. This appendix provides an overview of how to deploy these two features. After completing this appendix, you will be able to:
• Implement high availability solutions for multiple sites.
• Implement Federated Sharing.
Lesson 1
Multiple site recovery is an important concern for many companies because of the natural disasters that have affected many organizations and resulted in increased regulatory-compliance requirements. Exchange Server 2010 greatly simplifies creating a multiple-site, high-availability solution, and it enables organizations to adopt the solution more easily than previous Exchange versions. This lesson provides an overview of how to apply single-site, high availability concepts to a multiple-site configuration. After completing this lesson, you will be able to:
• Describe scenarios for deploying multiple-site, high-availability solutions.
• Describe the challenges of creating a multiple-site database availability group (DAG).
• Describe the challenges of implementing high availability across multiple sites for nonmailbox roles.
• Describe the data center failover process.
• Describe the best practices for implementing a multiple-site, high-availability solution.
Single-site availability enables you to host your company's Exchange Server environment in many different scenarios. You also can use a secondary site for maintenance events or in cases where the primary site experiences a level of failure that your organization cannot sustain. Although Exchange Server 2010 simplifies multisite configuration, it still requires ample planning and configuration to implement and maintain a multisite configuration successfully.
Question: What are some common multisite high availability scenarios?
Question: Does your company have a warm disaster-recovery site or is it planning to have one?
Question: After mail services successfully fail over to the second site, what other issues might you still need to address?
Key Points
Exchange Server 2010 enables a multisite deployment of the Exchange Server infrastructure that reduces the requirements you must meet compared to previous Exchange Server versions. In earlier Exchange Server versions, multisite clustering requires complicated hardware and is difficult to configure. For example, creating a multisite Exchange Server 2007 mailbox cluster on Windows Server 2003 requires a complicated network configuration to span a subnet, and the Active Directory directory service site, between the two sites. Exchange Server 2007 Service Pack 1 introduced a failover method called Standby Continuous Replication (SCR). However, as the name suggests, it does not take advantage of clustering and only provides a standby copy of the data, which requires a manual activation process. With Exchange Server 2010 combined with Windows Server 2008 failover clustering, you can create a cross-site DAG without any need for special network hardware, a single spanned subnet, or a shared Active Directory site between the two locations. However, you need to meet a number of requirements to configure and maintain a cross-site DAG configuration:
• Less than 250 milliseconds (ms) latency between all DAG nodes. To maintain the cluster operation properly, there should be minimal latency as each node communicates with the other nodes.
• Reestablishing cluster quorum after site failure. If the majority of the nodes are not available because a failure occurs at the initial site, you should reconfigure the DAG manually to reestablish quorum, by using the Exchange Management Shell.
• Supporting nonmailbox roles in each site. To provide mail delivery and client access to the second site's DAG members, you must ensure that the appropriate Exchange server roles are available.
• At least one domain controller in each site. In any configuration, Exchange Server requires that each Active Directory site into which you deploy Exchange Server have a domain controller available. To provide redundancy, you should deploy at least two domain controllers per site.
Question: Why should you not implement an automatic data center failover, even if it is possible?
Key Points
When you deploy nonmailbox servers to support a cross-site failover, you might come across several issues, including:
• You have to change Domain Name System (DNS) entries for Microsoft Outlook Web App, Outlook Anywhere, and Autodiscover to reflect the secondary site's IP addresses. If you do not change these entries quickly, it may increase the time that it takes users to reconnect to the secondary site's Exchange server. You also can handle these changes by deploying DNS servers in multiple locations or by using third-party global-server load balancing to direct traffic only to the active site.
• Certificates should include all possible service names in both data centers. However, each separate certificate that you use in each data center should have the same principal name.
• You must redirect external services to the secondary site, so that Exchange can accept inbound connections and you can restore service. This would include changing the weight of mail exchanger (MX) resource records for inbound e-mail, or reconfiguring hosted anti-spam, antivirus, and archiving services.
• A standard configuration requires users to log off and then log on to their client, since it must switch to the remote procedure call (RPC) client-access array to which it is connected. You need to notify or train users that this is expected behavior. Alternatively, using the same server certificate in both RPC client-access arrays, and then pointing the DNS record for the primary RPC client-access array to the secondary RPC client-access array, will remove this requirement for Outlook 2007 and newer clients. However, Outlook 2003 clients require that you repair the MAPI profile manually to complete the failover.
Key Points
To prepare for failure activation, you must enable datacenter activation coordination (DAC) mode on the DAG. This allows an administrator to activate the site, even if a majority of DAG members remains unavailable in the failed site, and it prevents split-brain scenarios. The failover process includes the following steps:
1. The primary data center fails.
2. Adjust DNS records, if necessary, for Simple Mail Transfer Protocol (SMTP), Outlook Web App, Autodiscover, Outlook Anywhere, and any legacy protocols. You can make adjustments manually or use third-party, global-server load balancing to make changes automatically.
3. Reconfigure the DAG to remove the primary site's servers from the Windows Failover Cluster, but retain them in the DAG.
4. Reconfigure the DAG to use an alternative file-share witness and restore the functionality in the secondary site.
5. The remaining Active Managers coordinate mounting databases in Site B.
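As an added example (not code from the courseware or from Microsoft), the Exchange Management Shell commands behind steps 3 to 5 of that failover process, as an administrator in the surviving site would run them after the primary site is lost. The DAG name, Active Directory site names, alternate witness server and directory are assumptions; the cmdlets and parameters are those of Exchange Server 2010.

```powershell
# Added example, not from the courseware: manual datacenter switchover of a DAG after the
# primary site fails. Run deliberately by an administrator in the surviving site; nothing here
# is meant to run automatically. Names and paths are assumed.

$dag           = "DAG1"                  # assumed DAG name
$failedSite    = "Adatum-Vancouver"      # assumed Active Directory site that failed
$survivingSite = "Adatum-Seattle"        # assumed Active Directory site that stays up
$altWitness    = "VAN-HUB2.adatum.com"   # assumed alternate file-share witness in the surviving site
$altWitnessDir = "C:\DAG1-AltWitness"    # assumed share directory on that server

# Done in advance, before any failure: DAC mode is what allows the DAG to be restored with a
# minority of its members without two copies of one database ever being mounted at once.
# Declaring the alternate witness here means Restore- does not have to be told about it later.
Set-DatabaseAvailabilityGroup -Identity $dag -DatacenterActivationMode DagOnly `
    -AlternateWitnessServer $altWitness -AlternateWitnessDirectory $altWitnessDir

# Step 3: mark the failed site's members as stopped in the DAG. -ConfigurationOnly is used
# because those servers cannot be reached; they remain DAG members for the eventual switchback.
Stop-DatabaseAvailabilityGroup -Identity $dag -ActiveDirectorySite $failedSite -ConfigurationOnly

# Step 4a: stop the cluster service on every surviving member so the cluster can be re-formed
# with a quorum that no longer counts the failed site.
$survivors = (Get-DatabaseAvailabilityGroup -Identity $dag).Servers |
    ForEach-Object { Get-ExchangeServer -Identity $_.Name } |
    Where-Object { "$($_.Site)".Split('/')[-1] -eq $survivingSite }
foreach ($server in $survivors) {
    Get-Service -ComputerName $server.Name -Name ClusSvc | Stop-Service
}

# Step 4b: restore the DAG in the surviving site. This evicts the stopped members from the
# Windows Failover Cluster, re-establishes quorum with the alternate witness, and lets Active
# Manager on the survivors mount the databases (step 5).
Restore-DatabaseAvailabilityGroup -Identity $dag -ActiveDirectorySite $survivingSite `
    -AlternateWitnessServer $altWitness -AlternateWitnessDirectory $altWitnessDir

# Verification: every database should now be mounted on a survivor and no copy should be failed.
Get-MailboxDatabase -Status | Where-Object { -not $_.Mounted } |
    ForEach-Object { Write-Warning "$($_.Name) is not mounted" }
foreach ($server in $survivors) {
    Get-MailboxDatabaseCopyStatus -Server $server.Name |
        Format-Table Name, Status, CopyQueueLength, ReplayQueueLength -AutoSize
}
```

The DNS changes of step 2 are made separately, outside the DAG cmdlets. Keeping the whole sequence as commands an administrator types, rather than a scheduled script, is consistent with the question raised above about not automating data center failover: the decision that a site is truly lost, rather than merely unreachable from one vantage point, stays with a person.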
Key Points
By implementing certain best practices, you can ensure a successful highly available, multiple-site configuration. To begin, reduce failover time by using a low Time to Live (TTL) on DNS records for the Client Access server array, Client Access server URLs, and SMTP records. Using a low TTL enables DNS clients to discover the DNS entries that point to the secondary site more quickly. If a failure occurs, it is important to ensure that everything works as designed. Therefore, you should continually monitor and verify that all messaging-system components are functioning properly. To do this, you should first monitor all aspects of the Exchange Server environment to ensure that it is functioning normally, and that mailbox data is successfully replicating to the secondary site in a timely manner. Next, you can schedule periodic failover tests to provide an additional level of preparation and to validate the configuration and operation of the cross-site failover process. You also should follow a change-management process to ensure that each Mailbox server in the DAG, each Client Access server, and each Hub Transport server is configured identically and has the same updates applied. Doing this reduces the possibility of incompatibilities and unexpected behavior if a failover occurs. Finally, we recommend that you follow the Windows Server Failover Clustering best practice of having each node connected to multiple networks. These multiple networks provide communication redundancy between cluster nodes; however, to reduce network congestion and potential communications problems, you should not allow them to perform cluster heartbeat communications.
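As an added example (not code from the courseware or from Microsoft), one health check that covers both the cross-site DAG requirements listed earlier in this lesson (latency under 250 ms between members, a domain controller in every site) and the monitoring best practice above (replication keeping up, low TTLs on the records a failover must change). The DAG name, the queue-length threshold, the DNS server and zone, and the record names are assumptions; dnscmd and nltest are the Windows tools assumed to be present on the server where this runs.

```powershell
# Added example, not from the courseware: periodic check of a cross-site DAG against the
# requirements and best practices in this lesson. Thresholds and names are assumed.

function Test-CrossSiteDag {
    param(
        [string]$Dag        = "DAG1",         # assumed DAG name
        [int]   $MaxLatency = 250,            # ms, the cross-site DAG requirement from the lesson
        [int]   $MaxQueue   = 50,             # assumed: copy/replay queue length worth a warning
        [string]$DnsServer  = "VAN-DC1",      # assumed Windows DNS server (dnscmd available)
        [string]$Zone       = "adatum.com",   # assumed zone holding the records checked below
        [int]   $MaxTtl     = 300             # assumed: 5 minutes keeps a DNS-based failover quick
    )
    $problems = @()
    $members  = (Get-DatabaseAvailabilityGroup -Identity $Dag).Servers | ForEach-Object { $_.Name }

    # 1. Round-trip latency from this server to every other DAG member.
    foreach ($node in ($members | Where-Object { $_ -ne $env:COMPUTERNAME })) {
        $pings = Test-Connection -ComputerName $node -Count 5 -ErrorAction SilentlyContinue
        if (-not $pings) { $problems += "$node : unreachable"; continue }
        $avg = ($pings | Measure-Object -Property ResponseTime -Average).Average
        if ($avg -gt $MaxLatency) { $problems += "$node : average latency $avg ms exceeds $MaxLatency ms" }
    }

    # 2. Every Active Directory site with a DAG member needs a domain controller (two for redundancy).
    $sites = Get-ExchangeServer | Where-Object { $members -contains $_.Name } |
             ForEach-Object { "$($_.Site)".Split('/')[-1] } | Sort-Object -Unique
    foreach ($site in $sites) {
        $dcs = @(nltest /dclist:$env:USERDNSDOMAIN 2>$null |
                 Where-Object { $_ -match "Site:\s+$([regex]::Escape($site))\s*$" })
        if ($dcs.Count -lt 2) { $problems += "site $site : $($dcs.Count) domain controller(s) listed, at least two recommended" }
    }

    # 3. Replication health and queue lengths on every member: data must reach the secondary site in time.
    foreach ($node in $members) {
        Test-ReplicationHealth -Identity $node | Where-Object { $_.Result -ne "Passed" } |
            ForEach-Object { $problems += "$node : $($_.Check) $($_.Result) $($_.Error)" }
        Get-MailboxDatabaseCopyStatus -Server $node | Where-Object {
            "$($_.Status)" -notmatch '^(Mounted|Healthy)$' -or
            $_.CopyQueueLength -gt $MaxQueue -or $_.ReplayQueueLength -gt $MaxQueue } |
            ForEach-Object { $problems += "$($_.Name) : $($_.Status), copy queue $($_.CopyQueueLength), replay queue $($_.ReplayQueueLength)" }
    }

    # 4. TTLs on the records a failover changes: CAS array, Autodiscover, the MX host, and the zone apex (MX).
    foreach ($name in "outlook", "autodiscover", "mail", "@") {   # assumed record names
        foreach ($line in @(dnscmd $DnsServer /EnumRecords $Zone $name 2>$null)) {
            if ($line -match '\s(\d+)\s+(A|CNAME|MX)\s' -and [int]$matches[1] -gt $MaxTtl) {
                $problems += "DNS $name.$Zone : TTL $($matches[1]) s exceeds $MaxTtl s"
            }
        }
    }
    return $problems
}

$issues = Test-CrossSiteDag
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { "All cross-site DAG checks passed" }
```

Scheduling this on a Mailbox server in each site, and treating any warning as a ticket, gives the continuous verification the lesson asks for; a periodic failover test then confirms that the measured state actually holds up under a switchover.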
Lesson 2
Federated Sharing enables organizations to share availability and contact information, and send secure messages, with other organizations that also are running Exchange Server 2010. Federated Sharing enables a user to share information transparently with users in other Exchange Server organizations. Information that they can share includes free or busy data or Calendar details. After you configure Federated Sharing, your users can book meetings with a partner organization's users by using exactly the same steps as booking meetings with users inside your organization. After completing this lesson, you will be able to:
• Define Federated Sharing.
• Describe the components that are required for Federated Sharing.
• Describe how Federated Sharing works.
• Describe how Federated message delivery works.
• Describe how to configure a Federated Trust.
• Describe how to configure organizational relationships and sharing policies.
Key Points
Federated Sharing uses standard federation technologies to allow organizations to establish trusted relationships with each other. To establish a federation trust, organizations exchange certificates with public keys, or with a trusted third party, and use those certificates to authenticate and secure all communications between them. In Exchange Server 2010, you use the Microsoft Federation Gateway to establish the federation. The Microsoft Federation Gateway is an identity service that runs over the Internet and works as a trust broker for Federated Sharing. To enable Federated Sharing, the organization must register with the Microsoft Federation Gateway, and then configure a federated sharing relationship with another organization that also registers with the Federation Gateway. The Federation Gateway then acts as a hub for all connections that the organizations make to each other. For example, in a Federated Sharing scenario, the Client Access servers in each organization should be able to establish an authenticated and secure connection with each other to enable the exchange of availability information or to enable calendar sharing. The Client Access servers use the federated trust that you configure with the Federation Gateway to verify the other organization's Client Access servers and to encrypt all traffic sent between the organizations. You also can use the federated sharing relationship to send encrypted and authenticated e-mail between the organizations.
Note: The Federation Gateway only provides a broker service to establish the communication between the organizations. The Federation Gateway does not authenticate individual users or require any user accounts from either organization. Although the Federation Gateway uses Windows Live as the authentication mechanism, it shares no user accounts with Windows Live.
In a Federated Sharing scenario, each organization only needs to manage its trust relationship with the Federation Gateway, and to manage only its own user accounts. After the organization establishes the trust relationship with the Federation Gateway, you can configure other trusted organizations with which you want to share information, and the types of information that you want to share. When you enable Federated Sharing, all communications between organizations are sent through the organizations' Exchange Server 2010 servers. This communication is transparent to the messaging clients. This means that the feature works with any client that can connect to Exchange Server 2010, including Outlook Web App, Outlook 2003, and Outlook 2007.
Key Points
To set up federation, you must configure three major components in Exchange Server 2010.
Federation Trust
This establishes a trust with the Microsoft Federation Gateway. The federation trust configures the Microsoft Federation Gateway as a federation partner with the Exchange Server organization. This means that Exchange Web Services on the Client Access servers can validate all Microsoft Federation Gateway authentication requests. You establish the federation trust by submitting the organization's public key and certificate to the Microsoft Federation Gateway and downloading the Microsoft Federation Gateway public key and certificate.
Organization Identifier
The organization identifier defines which of the Exchange organization's authoritative accepted domains are available for federation. If an organization supports multiple SMTP domains, you can include one or all of the domain names in the organization identifier. Users can participate in Federated Sharing only if they have e-mail addresses in the domains that you configure with the organization identifier. The first domain that you specify with the organization identifier is the Account namespace. The Microsoft Federation Gateway creates federated users' identifiers within this account namespace when the Client Access server requests a delegation token for an Exchange Server organization user. This process is transparent to the Exchange Server organization.
Organization Relationships
An organization relationship allows you to establish a federated sharing relationship with another federated organization for the purpose of sharing availability (free/busy) information, or enabling federated delivery of e-mail. Organization relationships are one-to-one relationships established between two organizations. To configure an organization relationship, you must establish a single Federation Trust with the Microsoft Federation Gateway, and configure the Organization Identifier.
When you create an organization relationship with an external organization, it allows users in the external organization to access your users' availability information, allowing them to schedule meetings easily with your users. No replication of Global Address List (GAL) information is required. Outlook 2010 and Outlook Web App allow users to enter the SMTP address of an external recipient when scheduling meetings. For users in your organization to have similar access to availability information of users in the external organization, the administrator in the external organization must also create an organization relationship with your organization.
Sharing Relationships
You can use sharing policies to enable users to share calendar and contact information that resides in the respective folders with users in external federated organizations. After configuring the sharing relationship, a user can send a sharing invitation to an external recipient to share their calendar or contact folder. Using sharing policies, you control the domains with which your users share information, and the extent of sharing. You can also disable a sharing policy for a user or a group of users to deny any sharing for those users. Sharing policies are assigned to mailbox users. A default sharing policy applies to users by default, and allows sharing of their calendar to the extent of availability information with all external domains. After you create a Federation Trust with the MFG, and configure the Federated Organization Identifier (OrgID), users can send sharing invitations to share their availability information with users in any external organization.
Note: Although organization relationships and sharing policies allow sharing of availability information with external users, they are intended for different scenarios. Organization relationships are created to collaborate with external organizations, and include the capability to enable Federated Delivery of e-mail between the two organizations. Sharing policies govern what your users can share on an ad-hoc basis with users in external organizations, including organizations with which an organization relationship does not exist.
Key Points
One of the options when configuring a sharing relationship is to enable users from one organization to view availability information for another organization's users. The following steps describe the communication flow when you configure this option, and a user in one organization invites another organization's user to a meeting.
1. A user in the Contoso.com organization invites a user in the Adatum.com organization to a meeting. This meeting request is sent to the Exchange Web Service on the Client Access server at Contoso.
2. The Contoso Client Access server checks with a Contoso.com domain controller to verify that the user has permission to utilize the sharing relationship to request availability information and that a sharing relationship is configured with Adatum.com. If both verifications succeed, the Client Access server continues with the next step.
3. The Contoso Client Access server connects to the Microsoft Federation Gateway and requests a security token for the Contoso user. Because you configure Contoso.com in the organization identifier, the Federation Gateway issues the token.
4. The Contoso Client Access server sends a request for the availability information for the user to the Adatum Client Access server. The Contoso Client Access server includes the security token with the request.
5. The Adatum Client Access server validates the security token and then checks with a domain controller in the Adatum.com domain to verify that the organization has a sharing relationship with Contoso.com.
6. The Adatum Client Access server retrieves the user's availability information from the user's Mailbox server.
7. The Adatum Client Access server sends the availability information to the Contoso Client Access server.
8. The Contoso Client Access server provides the availability information to the Contoso user.
Key Points
The second option you can use when configuring a sharing relationship is to enable Federated Delivery. When you enable this option, users from one organization can send encrypted and authenticated e-mail to users in the other organization. The following steps describe the communication flow when you configure this option, and a user in one organization sends an e-mail to a user in the other organization:
1. A user in the Contoso.com organization sends an e-mail to a user in the Adatum.com organization. The message is sent through the Mailbox server to a Hub Transport server at Contoso.
2. The Hub Transport server at Contoso checks with a Contoso.com domain controller to verify that the user has permission to send messages across the sharing relationship, and to verify that a sharing relationship is configured with Adatum.com. If both verifications succeed, the Hub Transport server continues with the next step.
3. The Contoso Hub Transport server connects to the Microsoft Federation Gateway and requests a security token for the Contoso user. Because Contoso.com is configured in the organization identifier, the Federation Gateway issues the token.
4. The Contoso Hub Transport server encrypts the message and sends the message to the Adatum.com Hub Transport server. The Contoso Hub Transport server encrypts the message using a key that the security token includes. The security token is encrypted using the Federation Gateway public key, and is sent to the Adatum.com Hub Transport server.
5. The Adatum Hub Transport server validates the security token, and then checks with a domain controller in the Adatum.com domain to verify that the organization has a sharing relationship with Contoso.com.
6. The Adatum Hub Transport server decrypts the security token and extracts the encryption key. The Hub Transport server then decrypts the message and forwards it to the user's Mailbox server.
Note: When you configure a sharing relationship with another organization and enable Federated Delivery, all messages sent by users with the appropriate permissions to use the sharing relationship are encrypted automatically. Users do not need to have certificates installed locally, and do not need to choose the option to send encrypted e-mail in Outlook.
Key Points
Before you can configure a sharing relationship with another organization, both organizations must configure a federation trust with the Microsoft Federation Gateway.
2. Create a new TXT record on the DNS server that is accessible from the Internet. The TXT record should include the following information: domainname IN TXT AppID=ApplicationIdentifier.
Key Points
After you create the federated trust, the next steps are to configure the organizational relationships and sharing policies that will enable your organization's users to share information with other organizations.
• Enable Federated Delivery. When you enable Federated Delivery, you also must configure the SMTP address for a valid mailbox in the destination domain.
• Configure the information for the external organization. You can configure the Exchange Server to discover the external organization's configuration information automatically. When you do this, the Exchange server contacts the Microsoft Federation Gateway to locate this information. Alternatively, you can enter the external organization's information manually, including the domain names, application uniform resource identifier (URI), and Autodiscover endpoint.
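As an added example (not code from the courseware or from Microsoft), the Exchange Management Shell commands for the components and steps described in this lesson: the federation trust, the TXT proof record, the organization identifier, an organization relationship whose endpoints are discovered through the Microsoft Federation Gateway, and a sharing policy, followed by the tests that drive the free/busy exchange described earlier. Domain names, the certificate thumbprint, the DNS server and the mailbox are assumptions; Federated Delivery is not shown.

```powershell
# Added example, not from the courseware: federation setup from the Exchange Management Shell.
# Domains, the certificate thumbprint, the DNS server and the mailbox name are assumed.

$trustName  = "Microsoft Federation Gateway"
$thumbprint = "<thumbprint of the certificate chosen for federation>"   # assumed placeholder
$primary    = "adatum.com"      # assumed: first domain in the identifier, becomes the account namespace
$extra      = "adatum.co.uk"    # assumed: another authoritative accepted domain to federate
$partner    = "contoso.com"     # assumed partner domain that has its own federation trust
$extDns     = "VAN-DNS1"        # assumed Internet-facing Windows DNS server (dnscmd available)

# 1. Federation trust: our certificate (public key) goes to the gateway, its certificate comes back.
New-FederationTrust -Name $trustName -Thumbprint $thumbprint

# 2. Prove domain ownership with the AppID=... TXT record shown in the steps above, one record per
#    federated domain. The gateway will not issue tokens for a domain until it sees this record.
$appId = (Get-FederationTrust -Identity $trustName).ApplicationIdentifier
foreach ($domain in $primary, $extra) {
    dnscmd $extDns /RecordAdd $domain "@" TXT "AppID=$appId"
}

# 3. Organization identifier: only users with addresses in these domains can take part.
Set-FederatedOrganizationIdentifier -DelegationFederationTrust $trustName -AccountNamespace $primary -Enabled $true
Add-FederatedDomain -DomainName $extra

# 4. Check the trust end to end (certificate, token request, DNS proof) before involving a partner.
Test-FederationTrust -UserIdentity "administrator@$primary" | Format-Table StepId, Type, Message -AutoSize

# 5. Organization relationship, with the partner's endpoints discovered through the gateway.
#    The manual form instead supplies -DomainNames, -TargetApplicationUri and -TargetAutodiscoverEpr.
#    AvailabilityOnly exposes free/busy and nothing more; the partner must create the matching
#    relationship on its side before its users' availability is visible to ours.
Get-FederationInformation -DomainName $partner |
    New-OrganizationRelationship -Name "Contoso" -FreeBusyAccessEnabled $true -FreeBusyAccessLevel AvailabilityOnly

# 6. Sharing policy scoped to this partner, assigned to the mailboxes that need it.
#    Entries are "domain: action"; CalendarSharingFreeBusySimple, CalendarSharingFreeBusyDetail,
#    CalendarSharingFreeBusyReviewer and ContactsSharing are the available actions.
New-SharingPolicy -Name "Contoso Sharing" -Domains "${partner}: CalendarSharingFreeBusyDetail, ContactsSharing" -Enabled $true
Set-Mailbox -Identity "anna@$primary" -SharingPolicy "Contoso Sharing"

# 7. The default policy applies to everyone else and, as noted above, allows availability sharing
#    with all external domains. Review it, and disable it if ad-hoc sharing outside named partners is unwanted.
Get-SharingPolicy -Identity "Default Sharing Policy" | Format-List Name, Enabled, Domains
# Set-SharingPolicy -Identity "Default Sharing Policy" -Enabled $false

# 8. Exercise the free/busy exchange described earlier (token from the gateway, request to the partner's
#    Client Access server, validation there) on behalf of one of our users.
Test-OrganizationRelationship -Identity "Contoso" -UserIdentity "anna@$primary"
```

The two test cmdlets at steps 4 and 8 are the checks worth keeping after setup: the first fails when the certificate or the TXT proof record is wrong, the second when the partner has not yet created its side of the relationship or its Autodiscover endpoint cannot be reached.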
10. In the Connection Settings dialog box, in the Connection Point section, in the Select a well known Naming Context list, click Configuration, and then click OK.
11. In the left pane, expand Configuration[NYC-DC1.Contoso.com], and then click CN=Configuration,DC=Contoso,DC=com.
12. Expand CN=Services, and verify that the CN=Microsoft Exchange has not been created.
13. Close ADSI Edit.
4. Click Start and point to Administrative Tools. Verify that Internet Information Services (IIS) Management is not listed.
5. Click Start, click All Programs, click Accessories, click Windows PowerShell, and then click Windows PowerShell.
6. At the PS prompt, type help about_windows_powershell, and then press ENTER.
7. Verify that about_Windows_PowerShell_2.0 is listed. It is installed with Windows PowerShell v2.
8. Close Windows PowerShell.
9. Click Start, and then click Control Panel.
10. In the Control Panel, click Programs.
11. In the Programs window, click Programs and Features. Verify that Microsoft Filter Pack 1.0 is installed. Close the Programs and Features window.
Results: After this exercise, you should have evaluated the requirements for Active Directory directory service, DNS, and servers.
10. Under IIS 6 Management Compatibility, select the IIS 6 Management Console check box.
11. Click Next, and then click Install.
12. Click Close.
13. Click Start, point to Administrative Tools, and click Services.
14. In the Services list, double-click Net.Tcp Port Sharing Service.
15. In the Net.TCP Port Sharing Service Properties dialog box, in the Startup type drop-down list, click Automatic, and then click Apply.
16. Click Start, wait for the service to start, click OK, and then close the Services console.
10. On the Configure Client Access server external domain page, click Next.
11. On the Customer Experience Improvement Program page, click I don't wish to join the program at this time, and click Next. A readiness check takes place to ensure that Exchange is ready to install on the server. This check takes several minutes to complete.
12. Click Install. The installation begins, and takes approximately 15-20 minutes to complete.
13. Click Finish.
14. Click Close and Yes to exit Exchange Server 2010 Setup. You are not obtaining the critical updates for Exchange Server 2010 because the virtual machine does not have Internet connectivity.
Results: After this exercise, you should have installed Exchange Server 2010.
11. On the Mailbox Settings page, in the Alias box, type TestUser, and then click Next to accept the mailbox settings.
12. On the Archive Settings page, click Next.
13. Click New to create the new mailbox.
14. Click Finish.
15. Click Start, point to All Programs, and then click Internet Explorer.
16. In the Address bar, type https://NYC-SVR2/owa, and then press ENTER.
17. Click Continue to this website (not recommended) to proceed.
18. Log on as Contoso\TestUser with a password of Pa$$w0rd.
19. Click OK to accept the default Outlook Web App settings.
20. Click New to create a new message.
21. Click Continue to this website (not recommended).
22. In the To box, type Administrator.
23. In the Subject box, type Test Message, and then click Send.
24. Close Internet Explorer.
25. Click Start, point to All Programs, and then click Internet Explorer.
26. In the Address bar, type https://NYC-SVR2/owa and press ENTER.
27. Click Continue to the website (not recommended) to proceed.
28. Log on as Contoso\Administrator with a password of Pa$$w0rd.
29. Click OK to accept the default Outlook Web App settings.
30. Double-click the message from TestUser to read it. Click Continue to this website (not recommended).
31. Close the message from TestUser.
32. Close Internet Explorer.
10. When the scan is complete, click the View a report of this Best Practices scan link.
11. On the Critical Issues tab, click Unrecognized Exchange signature. This gives you the option to get information about how to fix the problem or hide the message.
12. Click Tell me more about this issue and how to resolve it. This opens the Microsoft Exchange Server Best Practices Analyzer Help, and provides specific information about the warning and troubleshooting it.
13. Close Exchange Server Best Practices Analyzer Help.
14. Close the Exchange Server Best Practices Analyzer Tool.
Results: After this exercise, you should have verified the successful installation of Exchange Server 2010 by viewing the Exchange Server services and folders. You should also have created a new user and sent a test message to that user. Finally, you should have used the Exchange Server Best Practices Analyzer tool to view information about any installation issues.
Results: After this exercise, you should have created a new database, set the specified limits, and moved the existing Accounting database to a new folder.
2. In the Select Public Folder Servers dialog box, select VAN-EX3, click OK, and then click Connect.
3. In the Console Tree, expand Public Folders, and then select Default Public Folders.
4. In the Content pane, right-click Executives, and then choose Properties.
5. On the General tab, note the Total Items and Size of the items in the public folder.
6. Click OK.
7. Close the Public Folder Management Console.
8. Close the Exchange Management Console.
Results: After this exercise, you should have created a new public folder database on VAN-EX3 and added replicas for each public folder.
Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines.

6. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.
7. Wait for VAN-EX1 to start, and then start VAN-CL1. Connect to the virtual machine.
6. Click Next.
7. Type AdventureWksQ as the Alias.
8. Select the Specify the mailbox database rather than using a database automatically selected check box, and then click Browse.
9. Click Mailbox Database 1, click OK, and then click Next.
10. Click Next.
11. Click New.
12. Click Finish.
13. In the Results pane, select the Adventure Works Questions mailbox, and then in the Actions pane, click Manage Full Access Permission.
14. In the Manage Full Access Permission Wizard, click Add.
15. In the Select User or Group dialog box, choose George Schaller, and then click OK.
16. Click Manage.
17. Click Finish.
Task 2: Create resource mailboxes, and configure auto-accept settings for the ProjectRoom
1. In the console tree, under Recipient Configuration, click Mailbox.
2. In the Actions pane, click New Mailbox.
3. In the New Mailbox Wizard, select Room Mailbox, and then click Next.
4. Verify New user is selected, and then click Next.
5. Fill in the following information:
   Name: ProjectRoom
   User logon name (User Principal Name): ProjectRoom
6. Click Next.
7. Type ProjectRoom as the Alias.
8. Select the Specify the mailbox database rather than using a database automatically selected check box, and then click Browse.
9. Click Mailbox Database 1, click OK, and then click Next.
10. Verify that the Create an archive mailbox for this account check box is not selected, and then click Next.
11. Click New, and then click Finish.
12. In the Results pane, click ProjectRoom, and in the Actions pane, click Properties.
13. Click the Resource General tab.
14. Select the Enable the Resource Booking Attendant check box. If you do not enable this option, the resource will not process meeting requests, even if you configure other settings.
15. Click OK.
Note: If the mailbox move fails, and the error indicates that no MRS service is available, start the Microsoft Exchange Mailbox Replication service, and try the mailbox move again.
Task 4: Create and configure a mail-enabled contact for Ian Palangio at Woodgrove Bank
1. In the console tree, under Recipient Configuration, click Mail Contact.
2. In the Actions pane, click New Mail Contact.
3. Verify that New contact is selected.
4. Click Next.
5. Fill in the following information:
   First Name: Ian
   Last name: Palangio
   Alias: IanPalangioWB
6. To set the e-mail address, click Edit.
7. In the E-mail address box, type ian.palangio@woodgrovebank.com, and then click OK.
8. Click Next.
9. Click New.
10. Click Finish.
Task 5: Create a moderated distribution list for the Adventure Works Project, and delegate an administrator
1. In the console tree, under Recipient Configuration, click Distribution Group.
2. In the Actions pane, click New Distribution Group.
3. Verify New group is selected.
4. Click Next.
5. Under Group Type, verify that Distribution is selected.
6. Fill in the following information:
   Name: Adventure Works Project
   Alias: AdventureWorksProject
7. Click Next.
8. Click New.
9. Click Finish.
10. In the Work pane, select the Adventure Works Project group.
11. In the Actions pane, click Properties.
12. Click the Members tab.
13. Click Add, and then select the following users by holding down CTRL:
   George Schaller
   Ian Palangio
   Wei Yu
   Paul West
14. Click OK.
15. Click the Mail Flow Settings tab.
16. Select Message Moderation, and then click Properties.
17. Select the Messages sent to this group have to be approved by a moderator check box.
18. In the Specify group moderators section, click Add.
19. Select George Schaller, and then click OK.
20. Click OK.
21. Click OK.
Note: If you receive an error message when you click To, click Cancel. Start or restart the Microsoft Exchange Address Book Service on VAN-EX1, and then try this step again.

5. Select the Adventure Works Project group, and then click Required.
6. Select the ProjectRoom, and then click Resources.
7. Click OK.
8. Select a time.
9. Type Project Kickoff as the subject.
10. Click Send.
11. Close Outlook.
12. Log off from VAN-CL1.
13. On VAN-EX1, click Start, click All Programs, and then click Internet Explorer.
14. Type https://VAN-EX1.Adatum.com/OWA in the address bar.
15. Log on to Microsoft Outlook Web App as Adatum\George with a password of Pa$$w0rd.
16. Click OK.
17. Double-click the message with the subject of Project Kickoff.
18. Click Accept.
19. Choose to send the response now.
20. Close Windows Internet Explorer.
Results: At the end of this exercise, you will have completed all of the assigned tasks, including creating a mailbox, creating a resource mailbox, moving a mailbox, creating a contact, and creating a moderated distribution group.
Results: At the end of this exercise, you will have created an e-mail address policy for Adventure Works users.
Click Preview, and then click OK. Click Next. Verify Immediately is selected, and then click Next. Click New. Click Finish.
Task 4: Verify the new address list is available in Microsoft Office Outlook
1. On VAN-CL1, log on as Administrator with a password of Pa$$w0rd.
2. Open Office Outlook 2007.
3. Click the Tools menu, and then click Address Book.
4. Under Address Book, click the down arrow to display the options. You can see that under All Address Lists, the Companies container is listed and includes the address lists Adventure Works and A. Datum.
5. Close all open windows, and log off VAN-CL1.
Task 5: Create a new offline address book for the Adventure Works address list to support both Office Outlook 2003 and Outlook 2007 clients
1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. On VAN-EX1, in Exchange Management Console, under Organization Configuration, click Mailbox, and then click the Offline Address Book tab. In the Actions pane, click New Offline Address Book. In the Name box, type Companies. Click Browse, select VAN-EX1, and then click OK. Clear the Include the default Global Address List check box. Select the Include the following address lists check box. Click Add, expand Companies, click Adventure Works, and then click OK. Click Add, expand Companies, click A. Datum, and then click OK. Click Next. Select Enable Web-based Distribution and Enable public folder distribution. Click Add, and in the Microsoft Exchange dialog box, click OK. Click OAB (Default Web Site), click OK, and then click Next. Click New, and then click Finish.
Results: At the end of this exercise, you will have created an address list for the A. Datum and Adventure Works users, and an offline address book for each organization.
Task 2: Modify the CreateUsersLab.ps1 script to import Adventure Works users from a .csv file
1. Click Start, point to All Programs, click Accessories, and then click Notepad.
2. Click the File menu, and then click Open.
3. Change the Files of Type to All Files.
4. Select D:\Labfiles\CreateUsersLab.ps1, and then click Open.
5. In Section 1, define $db as Mailbox Database 1.
6. In Section 1, define $upndom as adatum.com.
7. In Section 1, define $ou as Adventureworks.
8. In Section 1, define $csvFile as D:\Labfiles\Users.csv.
9. In Section 4, replace all instances of property1 with firstname.
10. In Section 4, replace all instances of property2 with lastname.
11. In Section 4, replace property3 with password.
12. Click the File menu, and then click Save.
13. Close Notepad.
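The following is an added example, not the course's CreateUsersLab.ps1, written around the same variables and CSV columns the task defines ($db, $upndom, $ou, $csvFile; firstname, lastname, password). It creates each mailbox with New-Mailbox, forces a password change at first logon because the CSV carries passwords in clear text, and applies the per-mailbox storage quota that the Results mention; the quota values and the duplicate-alias check are assumptions.

```powershell
# Added example: a CSV-driven user import shaped like the lab's CreateUsersLab.ps1
# (not the course's own script). Run it from the Exchange Management Shell.

# Section 1: environment values, exactly as the task defines them
$db      = "Mailbox Database 1"
$upndom  = "adatum.com"
$ou      = "Adventureworks"
$csvFile = "D:\Labfiles\Users.csv"

# Constructed sample of the CSV layout the script expects (column names from Section 4):
#   firstname,lastname,password
#   George,Schaller,Pa$$w0rd
$users = Import-Csv -Path $csvFile

# Quota values are assumptions for this example; the lab's own values are not on the page.
$warnQuota = 90MB
$sendQuota = 100MB

foreach ($u in $users) {
    # Section 4 of the lab script reads the columns as firstname, lastname and password
    $first = $u.firstname
    $last  = $u.lastname
    $name  = "$first $last"
    $alias = ($first + $last) -replace '[^A-Za-z0-9]', ''   # an alias cannot contain spaces

    # The password column is clear text on disk; convert it only in memory and force a
    # change at first logon so the value in the CSV stops being valid quickly.
    $securePw = ConvertTo-SecureString -String $u.password -AsPlainText -Force

    if (Get-Recipient -Identity $alias -ErrorAction SilentlyContinue) {
        Write-Warning "Skipping $name, a recipient with alias $alias already exists"
        continue
    }

    New-Mailbox -Name $name -Alias $alias -FirstName $first -LastName $last `
        -UserPrincipalName "$alias@$upndom" -OrganizationalUnit $ou `
        -Database $db -Password $securePw -ResetPasswordOnNextLogon $true | Out-Null

    # Per-mailbox storage quota, overriding the database defaults
    Set-Mailbox -Identity $alias -UseDatabaseQuotaDefaults $false `
        -IssueWarningQuota $warnQuota -ProhibitSendQuota $sendQuota

    Write-Host "Created mailbox $name ($alias@$upndom) in $db"
}
```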
Results: After this exercise, you should have created all of the additional Adventure Works users with an Exchange Management Shell script and set the storage quota.
Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines.

6. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.
7. Wait for VAN-EX1 to start, and then start VAN-EX2. Connect to the virtual machine.
Important: If you are using Windows Server 2008 R2 as the host operating system, complete the following steps before starting VAN-CL1.
1. In the Hyper-V Management console, in the Virtual Machines pane, right-click 10135A-VAN-CL1, and then click Settings.
2. Click Network Adapter, and then select the Enable spoofing of MAC addresses check box. Click OK. This step is required for the Windows Mobile Device emulator to communicate on the virtual network.

8. Wait for VAN-EX2 to start, and then start VAN-CL1. Connect to the virtual machine.
11. Click Browse, type CertRequest as the File name, and then click Save.
12. Click Next, click New, and then click Finish.
Task 5: Import and assign the IIS Exchange Service to the New Certificate
1. In the Exchange Management console, click Server Configuration.
2. Click ADatum Mail Certificate, and in the Actions pane, click Complete Pending Request.
3. On the Complete Pending Request page, click Browse.
4. Under Favorites, click Downloads. Click certnew.cer, and then click Open.
5. Click Complete, and then click Finish.
6. In the Exchange Management console, click Server Configuration.
7. In the results pane, click VAN-EX2.
8. In the bottom pane, click Adatum Mail Certificate.
9. In the Actions pane, click Assign Services to Certificate.
10. On the Select Servers page, verify that VAN-EX2 is listed, and then click Next.
11. On the Select Services page, select the Internet Information Services check box, click Next, click Assign, and then click Finish.
2. Click Start, click All Programs, click Microsoft Office, and then click Microsoft Office Outlook 2007.
3. On the Outlook 2007 Startup page, click Next.
4. On the E-Mail Accounts page, click Next.
5. On the Auto Account Setup page, click Next.
6. On the Configuring page, click Finish.

Note: If Microsoft Office Outlook cannot connect to the server, ensure that all of the Microsoft Exchange Server services on VAN-EX2 that are set to Automatic start are started. Start all services that have not started, and then try connecting again.

7. In the User Name dialog box, click OK.
8. On the Privacy Options page, clear all check boxes, and then click Next.
9. On the Sign up for Microsoft Update page, click I don't want to use Microsoft Update, and then click Finish.
10. In the Microsoft Office Outlook dialog box, click No.
11. In Office Outlook, click Tools, and then click Account Settings.
12. Click MollyDempsey@adatum.com, and then click Change.
13. Verify that the user mailbox is located on VAN-EX2, click Cancel, and then click Close.
14. Close Outlook.
5. On the Microsoft Exchange Settings page, click More Settings.
6. In the Microsoft Exchange dialog box, on the Connection tab, select Connect to Microsoft Exchange using HTTP, and then click Exchange Proxy Settings.
7. In the Microsoft Exchange Proxy Settings dialog box, complete the following information:
   Use this URL (https://): mail.adatum.com
   Connect using SSL only: enable (default)
   On fast networks, connect using HTTP first, then connect using TCP/IP: enable
   On slow networks, connect using HTTP first, then connect using TCP/IP: enable (default)
   Proxy authentication setting: NTLM Authentication (default)
8. Click OK, and then click OK again to close the Microsoft Exchange dialog box.
9. On the Microsoft Exchange Settings page, click Next.
10. On the Change E-mail Account page, click Finish.
11. On the E-mail Accounts page, click Close, and then click Close again to close the Mail Setup - Outlook dialog box.
Lab B: Configuring Client Access Servers for Outlook Web App and Exchange ActiveSync
Exercise 1: Configuring Outlook Web App
Task 1: Configure IIS to use the Internal CA certificate
1. On VAN-EX2, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. Expand VAN-EX2 (ADATUM\Administrator), expand Sites, expand Default Web Site, and then click owa.
3. In the center pane, under IIS, double-click SSL Settings. Notice that SSL is required by default.
4. Under Sites, click Default Web Site, and in the Actions pane, click Bindings.
5. In the Site Bindings dialog box, click https, and then click Edit.
6. In the SSL Certificate drop-down list, verify that Adatum Mail Certificate is selected.
7. Click OK, click Close, and then close the Internet Information Services (IIS) Manager.
Task 3: Configure an Outlook Web App Mailbox Policy for the Branch Managers
1. On VAN-EX2, in Exchange Management Console, expand Organization Configuration, and then click Client Access.
2. In the Actions pane, click New Outlook Web App Mailbox Policy.
3. On the New Outlook Web App Mailbox Policy page, type Branch Managers Policy as the policy name.
4. In the list of features, click Change Password, and then click Disable.
5. Click New, and then click Finish.
6. Right-click Branch Managers Policy, and then click Properties.
7. On the Public Computer File Access tab, clear all check boxes.
8. On the Private Computer File Access tab, clear all check boxes, and then click OK.
9. Under Recipient Configuration, click Mailbox.
10. Click the Organizational Unit column heading to sort the view by organizational unit (OU).
11. Select all the users in the Branch Managers OU, right-click, and then click Properties.
12. On the Mailbox Features tab, click Outlook Web App, and then click Properties.
13. Select the Outlook Web App mailbox policy check box, and then click Browse.
14. Click Branch Managers Policy, and then click OK four times.
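The same policy built and applied from the Exchange Management Shell, as an added example that is not part of the course material. It creates the Branch Managers Policy, turns off Change Password and every file-access option on the public and private computer tabs, binds the policy to each mailbox in the Branch Managers OU, and then reports any mailbox in that OU the policy does not cover; the OU name is assumed to match the console's Organizational Unit column.

```powershell
# Added example (not from the course): Task 3 of Lab B in the Exchange Management Shell.
$policyName = "Branch Managers Policy"
$branchOU   = "Branch Managers"   # assumed to be the OU name shown in the console

# Steps 2-5: create the policy once
if (-not (Get-OwaMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-OwaMailboxPolicy -Name $policyName | Out-Null
}

# Steps 4, 7 and 8: disable Change Password, and clear every file-access option for
# public and private computers. Each parameter corresponds to one check box on the
# Public/Private Computer File Access tabs.
Set-OwaMailboxPolicy -Identity $policyName `
    -ChangePasswordEnabled $false `
    -DirectFileAccessOnPublicComputersEnabled $false `
    -WebReadyDocumentViewingOnPublicComputersEnabled $false `
    -ForceWebReadyDocumentViewingFirstOnPublicComputers $false `
    -DirectFileAccessOnPrivateComputersEnabled $false `
    -WebReadyDocumentViewingOnPrivateComputersEnabled $false `
    -ForceWebReadyDocumentViewingFirstOnPrivateComputers $false

# Steps 9-14: assign the policy to every mailbox in the Branch Managers OU
$branchMailboxes = @(Get-Mailbox -OrganizationalUnit $branchOU -ResultSize Unlimited)
foreach ($mbx in $branchMailboxes) {
    Set-CASMailbox -Identity $mbx.Identity -OwaMailboxPolicy $policyName
}

# Verification: who is bound to the policy now, and which OU member (if any) is not,
# for example a mailbox created after the assignment ran
$assignedNames = @(Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.OwaMailboxPolicy -eq $policyName } |
    ForEach-Object { $_.Name })
"Mailboxes using $policyName : " + ($assignedNames -join ", ")

$missing = @($branchMailboxes | Where-Object { $assignedNames -notcontains $_.Name } |
    ForEach-Object { $_.Name })
if ($missing.Count -gt 0) {
    Write-Warning ("Branch Managers mailboxes not covered by the policy: " + ($missing -join ", "))
}
```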
On the Name Servers tab, type 10.10.0.10 as the Domain Name System (DNS) server address, and then click OK twice. Close the Settings window.
10. In Windows Mobile 6 Professional, click Start, click Programs, and then click ActiveSync.
11. Read the Microsoft ActiveSync information, and then click the set up your device to sync with it link.
12. On the Enter Email Address page, in the Email address box, type ScottMacDonald@adatum.com, and then click Next. The device will attempt to use Autodiscover to configure the user settings.
13. On the User Information page, type Scott in the User Name field, type Pa$$w0rd in the Password field, and Adatum in the Domain field, and then click Next.
14. On the Edit Server Settings page, in the Server Address field, type VAN-EX2.adatum.com. Clear the This server requires an encrypted (SSL) connection check box. In the ActiveSync message, click OK, and then click Next.
15. In the Choose the data you wish to synchronize box, click Calendar, and then click Settings.
16. In the Synchronize only the past list, click All, and in the upper-right corner, click OK.
17. In the Choose the data you wish to synchronize box, click E-mail, and then click Settings.
18. In the Download the past list, click All, and in the upper-right corner, click OK.
19. Confirm that the Contacts, Calendar, E-mail, and Tasks check boxes are selected, and then click Finish.
20. In the ActiveSync dialog box, click OK. After synchronization is complete, click the X in the upper-right corner to close ActiveSync. Close the Programs window.
21. On VAN-CL1, open Internet Explorer, and connect to https://mail.adatum.com/owa.
22. Log on as Adatum\Wei using the password Pa$$w0rd. Click OK.
23. Click New, and then in the To field, type Scott, and then press CTRL+K to resolve the name.
24. In the Subject line, type Test Message from Wei.
25. In the message body, type Testing mobile messaging, and then click Send.
26. On VAN-CL1, in Windows Mobile 6 Professional, wait for a minute and then notice the animated Synchronization arrows indicating that the device is synchronizing automatically, triggered by the arrival of a message in Scott's mailbox. Wait for the Windows Mobile device to complete synchronization.
27. At the bottom of the Today screen, view the notification stating that a new message has arrived. Click View.
28. Open the message. Click Reply at the bottom of the message window.
29. In the message body, type Test Reply, and then click Send.
30. Wait until the device finishes synchronizing, and then, on VAN-EX1, in Outlook Web App, click the Check Messages icon or press F5 to refresh the screen, and then confirm that the message from Scott was received. Close Internet Explorer.
10. Right-click EAS Policy 1, and then click Properties. Notice that the General tab has additional options.
11. Click the Password tab. Notice the additional password-option list that was not available when creating the mobile mailbox policy.
12. On the Sync Settings tab, review the configuration options.
13. On the Device tab, review the configuration options.
14. On the Device Applications tab, review the configuration options. To implement these settings, you must have an Enterprise Client Access License for each mailbox.
15. On the Other tab, review the options for allowing or blocking specific applications, and then click OK.
16. In the console tree, expand Recipient Configuration, and then click Mailbox.
17. In the result pane, right-click Scott MacDonald, and then click Properties.
18. Click the Mailbox Features tab, click Exchange ActiveSync, and then click Properties.
19. In the Exchange ActiveSync Properties dialog box, click Browse.
20. Select EAS Policy 1, and then click OK.
8. In the action pane, click Manage Mobile Phone.
9. On the Manage Mobile Phone page, click Perform a remote wipe to clear mobile phone data, and then click Clear.
10. In the Microsoft Exchange warning message, click Yes, and then click Finish.
11. In Windows Mobile 6 Professional, wait for the device to synchronize. You can also force synchronization by opening Exchange ActiveSync, and then clicking Sync. Confirm that the device is wiped. If the device goes blank, it is rebooting after performing the remote wipe.
12. On the Windows Mobile 6.1.4 Professional window, click File, and then click Exit.
Note: These preparation steps move VAN-EX2 to a second site defined in AD DS.
10. In the Fully qualified domain name (FQDN) box, type van-dc1.adatum.com, click OK, and then click Next.
11. On the Configure smart host authentication settings page, click Next.
12. On the Source Server page, ensure that VAN-EX1 is listed, and then click Next.
13. On the New Connector page, click New, and then click Finish.
3. In the New Receive Connector window, in the Name box, type Internet Receive Connector.
4. In the Select the intended use for this Receive connector list, click Custom, and then click Next.
5. On the Local Network Settings page, click Next.
6. On the Remote Network Settings page, click the red X to delete the entry, and then click Add.
7. In the Address or address range box, type 10.10.0.10, click OK, and then click Next.
8. On the New Connector page, click New, and then click Finish.
9. In the VAN-EX1 pane, double-click Internet Receive Connector.
10. In the Internet Receive Connector window, on the General tab, in the Protocol logging level list, click Verbose.
11. On the Permission Groups tab, select the Anonymous users check box, and then click OK.
9. On VAN-DC1, click Start, point to All Programs, point to Accessories, and then click Command Prompt.
10. At the command prompt, type telnet van-ex1 smtp, and then press ENTER.
11. Type helo, and press ENTER.
12. Type info@internet.com, and press ENTER. Response: 250 2.1.0 Sender OK
13. Type rcpt to:WeiYu@adatum.com, and press ENTER. Response: 250 2.1.5 Recipient OK
14. Type data, and press ENTER. Response: 354 Start mail input; end with <CRLF>.<CRLF>
15. Type Subject: Test from Internet, and press ENTER.
16. Press the PERIOD key, and then press ENTER.
17. Type Quit, and press ENTER.
18. On VAN-EX1, start Internet Explorer, and connect to https://VAN-EX1.adatum.com/OWA.
19. Log on as Adatum\Wei with the password Pa$$w0rd.
20. Verify that the mail with the subject Test from Internet has arrived in the Junk E-Mail folder. Close Internet Explorer.

Results: After this exercise, you should have configured Internet message transport by configuring Send and Receive connectors, enabling anti-spam functionality, and verifying Internet message delivery.
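The telnet session in steps 10 through 17 as a script, added here as an example that is not part of the course: run from VAN-DC1 (the only remote address the Internet Receive Connector accepts), it sends the same SMTP commands over port 25, records the reply to each, and reports whether the message was accepted for delivery, so the connector can be checked without reading the replies by eye. Server, sender, recipient and subject default to the lab's values; a host with no listener on port 25, such as VAN-EX2 before its receive connector exists, is reported as not connected instead of raising an error.

```powershell
# Added example (not from the course): the lab's manual SMTP test as a function.
function Test-SmtpSubmission {
    param(
        [string]$Server  = "van-ex1",
        [int]$Port       = 25,
        [string]$From    = "info@internet.com",
        [string]$To      = "WeiYu@adatum.com",
        [string]$Subject = "Test from Internet"
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
    } catch {
        # Same situation as the "Connect failed" telnet reports when nothing listens on 25
        return @{ Connected = $false; Error = $_.Exception.Message }
    }
    $stream = $client.GetStream()
    $stream.ReadTimeout = 10000
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine   = "`r`n"   # SMTP lines end in CRLF
    $writer.AutoFlush = $true

    # Reads one reply; a multi-line reply uses "250-..." until the final "250 " line
    function Read-Reply {
        do { $line = $reader.ReadLine() } while ($line -match '^\d{3}-')
        return $line
    }
    $banner = Read-Reply
    $log = @()

    # The lab's keystrokes in order. "MAIL FROM:" is the command whose reply is
    # "250 2.1.0 Sender OK"; after DATA, the header line and the terminating "." follow.
    $commands = @(
        "HELO $env:COMPUTERNAME",
        "MAIL FROM:<$From>",
        "RCPT TO:<$To>",
        "DATA",
        "Subject: $Subject",
        "",
        ".",
        "QUIT"
    )
    foreach ($cmd in $commands) {
        $writer.WriteLine($cmd)
        # Message content lines get no reply; the server answers only after the "."
        if ($cmd -eq "Subject: $Subject" -or $cmd -eq "") { continue }
        $reply = Read-Reply
        $log += "$cmd -> $reply"
    }
    $client.Close()

    # Accepted when the terminating "." was answered with 250 (message queued)
    $accepted = @($log -match '^\. -> 250').Count -gt 0
    return @{ Connected = $true; Banner = $banner; Accepted = $accepted; Log = $log }
}

# Steps 10-17 against VAN-EX1; the message should then show up in Wei's Junk E-Mail folder
$result = Test-SmtpSubmission -Server "van-ex1"
if ($result.Connected) {
    $result.Log
    "Accepted for delivery: $($result.Accepted)"
} else {
    "Connect failed: $($result.Error)"
}
```

Running the same function against a server with no receive connector listening on port 25 (the VAN-EX2 case in the later troubleshooting exercise) returns Connected = False with the socket error text rather than an SMTP log.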
10. On VAN-EX2, start Internet Explorer, and connect to https://VAN-EX2.adatum.com/OWA.
11. Log on as Adatum\Anna with the password Pa$$w0rd.
12. On the Microsoft Outlook Web App page, click OK.
13. Reply to the mail Test Mail to VAN-EX2 from Wei.
14. Switch back to VAN-EX1, and check the Inbox in Microsoft Outlook Web App to see if the mail has arrived.
10. Click Start, point to All Programs, point to Accessories, and then click Command Prompt.
11. At the command prompt, type telnet van-ex2 smtp, and press ENTER. Verify that you receive a Connect failed error.
12. On VAN-EX2, open the Exchange Management Console. Expand Microsoft Exchange On-Premises, expand Server Configuration, click Hub Transport, and then click VAN-EX2 in the Hub Transport pane.
13. On the Receive Connectors tab, notice that only the Client VAN-EX2 connector exists. This is the reason the server does not accept a port 25 connection.
14. In the Actions pane, click New Receive Connector.
15. In the New Receive Connector window, in the Name box, type Internal VAN-EX2.
16. In the Select the intended use for this Receive connector list, click Internal, and then click Next.
17. On the Remote Network settings page, click Next.
18. On the New Connector page, click New, and then click Finish.
19. Switch to VAN-EX1, and in Exchange Management Console, click Toolbox.
20. In the Toolbox pane, under Mail flow tools, click Queue Viewer.
21. Right-click site2, and then click Retry to force an immediate retry of the message delivery. Verify that the queue now has a message count of 0.
22. Switch to VAN-EX2, and check Anna's Inbox in Outlook Web App to see that the message is now delivered.

Results: After this exercise, you should have verified routing logs, and used the other troubleshooting tools in Exchange Server to troubleshoot message transport.
21. On the Basic Server Information page, review the information, and then click Next.
22. On the Initial Queue Analysis Results page, click the displayed item, review the information, and then click Next.
23. On the Remote Delivery Queue(s) Initial Analysis Results page, review the information, scroll down, and then click Next.
24. On the DNS Availability Check Results page, review the information, and then click Next.
25. On the DNS Record Analysis Results page, review the information, and then click Next.
26. On the Remote Delivery Queue(s) DNS Records Analysis Results page, notice that the wizard has identified a possible root cause, and then click Next.
27. On the Remote Delivery Queue(s) Connectivity Test Results page, review the information, and then click Next.
28. On the Remote Delivery SMTP Instance Configuration Analysis Results page, click Next.
29. On the Remote SMTP Service Diagnosis Results page, click Next.
30. On the Remote Delivery Queue(s) Message Tracking Log Analysis Results page, click Next.
31. On the Remote Delivery Queue(s) SMTP Commands Analysis Results page, click Next.
32. On the Third-Party Application Analysis Results page, click Next.
33. On the View results page, click the Root Causes tab, review the displayed information, and then close the Troubleshooting Assistant.
34. Switch to VAN-DC1, click Start, point to All Programs, point to Accessories, and then click Command Prompt.
35. At the command prompt, type nslookup, and then press ENTER.
36. Type set querytype=MX, and press ENTER.
37. Type internet.com, and press ENTER. The query will time out, which indicates that the domain name cannot be resolved. This means that the host cannot directly resolve the Domain Name System (DNS) domain and has to use a smart host to send a message to the Internet.
38. On VAN-EX1, in Exchange Management Console, expand Organization Configuration, and then click Hub Transport.
39. On the Send Connectors tab, double-click Internet Send Connector.
40. Click the Network tab, select Route mail through the following smart hosts, and then click Add.
41. In the Add smart host dialog box, in the Fully qualified domain name (FQDN) box, type van-dc1.adatum.com, click OK, and then click OK again.
42. In Exchange Management Console, click Toolbox.
43. In the Toolbox pane, under Mail flow tools, double-click Queue Viewer.
44. Right-click internet.com, and then click Retry to force a message delivery retry.

Results: After this exercise, you should have identified and resolved issues in Internet message delivery by using the Exchange Server troubleshooting tools such as Message Tracking and Mail Flow Troubleshooter.
Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines.

6. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.
7. Wait for VAN-EX1 to start, and then start VAN-SVR1. Connect to the virtual machine.
10. Beside Subscription file, click Browse. Browse to C:\, click VAN-SVR1.XML, click Open, and then click New.
11. On the Completion page, click Finish.
Task 3: Verify that EdgeSync is working and that Active Directory Lightweight Directory Services contains data
1. On VAN-EX1, click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Shell.
2. In Exchange Management Shell, at the command prompt, type Start-EdgeSynchronization, and then press ENTER.
3. At the command prompt, type Test-EdgeSynchronization, and then press ENTER.
4. Ensure that the result displayed includes SyncStatus: Normal; otherwise, wait another minute and run Test-EdgeSynchronization again.
5. At the command prompt, type Get-User -Identity Wei | ft Name, GUID, and then press ENTER.
6. Write down the first eight characters of the globally unique identifier (GUID) in your notes.
7. Switch to VAN-SVR1, click Start, point to All Programs, point to Accessories, and then click Command Prompt.
8. At the command prompt, type LDP, and then press ENTER.
9. In the LDP window, click Connection on the menu bar, and then click Connect.
10. In the Connect window, type VAN-SVR1 in the Server box, type 50389 in the Port box, and then click OK.
11. Click Connection on the menu bar, and then click Bind.
12. In the Bind window, in the Bind type pane, click Bind as currently logged on user, and then click OK.
13. Click View on the menu bar, and then click Tree.
14. In the Tree View dialog box, clear any entry in the BaseDN field, and then click OK.
15. In the LDP window, in the left pane, double-click OU=MSExchangeGateway to expand it.
16. Double-click CN=Recipients,OU=MSExchangeGateway.
17. Using the GUID you noted in the previous steps, locate the recipient; its entry starts with CN=<GUID>. After you find it, double-click the recipient GUID, and review the data that is available for this recipient. Close LDP.
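Task 3 as two functions, added here as an example that is not part of the course: Wait-EdgeSyncNormal runs on VAN-EX1 in the Exchange Management Shell and covers steps 2 through 6 (polling Test-EdgeSynchronization until SyncStatus is Normal, then returning the first eight characters of Wei's GUID); Find-EdgeRecipient runs on VAN-SVR1, where the lab uses LDP, and covers steps 7 through 17 by querying the AD LDS instance on port 50389 for the entry under CN=Recipients,OU=MSExchangeGateway whose CN starts with that prefix. The timeout and the Negotiate bind (the equivalent of "Bind as currently logged on user") are assumptions.

```powershell
# Added example (not from the course): EdgeSync verification and AD LDS lookup.

function Wait-EdgeSyncNormal {
    # Run on VAN-EX1 in the Exchange Management Shell
    param([string]$User = "Wei", [int]$TimeoutMinutes = 5)

    Start-EdgeSynchronization | Out-Null

    # Step 4: re-run Test-EdgeSynchronization once a minute until every result is Normal
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $results   = @(Test-EdgeSynchronization)
        $notNormal = @($results | Where-Object { $_.SyncStatus -ne "Normal" })
        if ($notNormal.Count -eq 0) { break }
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    if ($notNormal.Count -gt 0) {
        throw ("EdgeSync did not reach Normal within $TimeoutMinutes minutes: " + ($notNormal | Out-String))
    }

    # Steps 5-6: the first eight characters of the recipient's GUID
    $guid = (Get-User -Identity $User).Guid.ToString()
    return $guid.Substring(0, 8)
}

function Find-EdgeRecipient {
    # Run on VAN-SVR1 (the Edge Transport server hosting the AD LDS instance)
    param(
        [Parameter(Mandatory = $true)][string]$GuidPrefix,
        [string]$Server = "VAN-SVR1",
        [int]$Port      = 50389
    )
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $ns = "System.DirectoryServices.Protocols"

    # Steps 10-12: connect to the AD LDS port and bind as the logged-on user
    $id   = New-Object -TypeName "$ns.LdapDirectoryIdentifier" -ArgumentList $Server, $Port
    $conn = New-Object -TypeName "$ns.LdapConnection" -ArgumentList $id
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Bind()

    # Steps 15-17: recipients live under CN=Recipients,OU=MSExchangeGateway and are
    # named after their GUID, so a prefix match on cn finds the entry
    $req = New-Object -TypeName "$ns.SearchRequest"
    $req.DistinguishedName = "CN=Recipients,OU=MSExchangeGateway"
    $req.Filter = "(cn=$GuidPrefix*)"
    $req.Scope  = [System.DirectoryServices.Protocols.SearchScope]::OneLevel
    $resp = $conn.SendRequest($req)
    $conn.Dispose()

    if ($resp.Entries.Count -eq 0) {
        Write-Warning "No recipient with CN starting $GuidPrefix; EdgeSync may not have replicated it yet"
        return 0
    }
    foreach ($entry in $resp.Entries) {
        "DN: $($entry.DistinguishedName)"
        # Every attribute replicated for the recipient, as the LDP view shows
        foreach ($name in $entry.Attributes.AttributeNames) {
            "  $name = $($entry.Attributes[$name][0])"
        }
    }
    return $resp.Entries.Count
}

# On VAN-EX1:   $prefix = Wait-EdgeSyncNormal -User Wei
# On VAN-SVR1:  Find-EdgeRecipient -GuidPrefix $prefix
```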
11. Create and send a new e-mail to Info@Internet.com with the subject Test Mail to Internet.
12. Verify that you do not get a non-delivery report message.

Results: After this exercise, you should have installed an Edge Transport server role, and configured Edge Synchronization between a Hub Transport and an Edge Transport server.
10. On the Antispam Configuration page, click Enable antispam later, and then click Next.
11. On the Microsoft Update page, click I don't want to use Microsoft Update, and then click Next.
12. On the Customer Experience Improvement Program page, click Next.
13. On the Confirm Settings page, click Next. Wait for the installation to finish. It will take about five minutes.
14. On the Installation Results page, click Finish. Close Windows Explorer.
8. In the Policy Management pane, expand Global Settings, and then click Advanced Options.
9. On the Global Settings - Advanced Options page, in the Threshold Levels pane, increase the value of Maximum nested depth compressed files to 10 and Maximum nested attachments to 50.
10. Under Intelligent Engine Management, select Manual in the Engine management drop-down list.
11. In the Update scheduling table, click Norman Virus Control, and then click the Edit Selected Engines button.
12. In the Edit Selected Engine dialog box, in the Update frequency pane, verify that the Check for updates every check box is selected, type 00:30 in the box, and then click Apply and Close.
13. On the Global Settings - Advanced Options page, click Save.

Results: After this exercise, you should have installed Forefront Protection 2010 for Exchange and configured it. You also should have tested the antivirus functionality of Forefront Protection 2010 for Exchange.
10. On VAN-EX1, start Internet Explorer, and connect to https://VAN-EX1.adatum.com/OWA.
11. Log on as Adatum\Wei using the password Pa$$w0rd.
12. In the Mail pane, click Inbox. You should see three new messages in the Inbox. If not, wait another minute until they arrive.
13. In the Inbox pane, double-click the message from Msg10@contoso.com.
14. In the message window, click Message Details on the toolbar.
15. In the Message Details window, identify the SCL level of this message by looking for X-MS-Exchange-Organization-SCL in the Internet Mail Headers box. Then click Close to close Message Details. Close the message window.
16. In the Mail pane, click Junk E-Mail. You should see eight new messages in the Junk E-Mail folder that have been identified as junk mail because their SCL level was more than six. You can verify this by looking at the Message Details of the messages.
17. Delete all messages in the Inbox and Junk E-Mail folders.
10. In the Mail pane, click Inbox. Notice the three new messages in the Inbox.
11. To delete all messages in the Inbox, select them, and then click Delete.
8. On VAN-EX1, start Internet Explorer, and connect to https://VAN-EX1/OWA.
9. Log on as Adatum\Wei using the password Pa$$w0rd.
10. In the Mail pane, click Inbox. You should see 11 new messages in the Inbox.
11. Double-click one message, and review the Message Details. The SCL rating should be -1. When the sending SMTP server is added to the IP Allow List, content filtering is not applied to its messages.
12. To delete all messages in the Inbox, select them, and then click Delete.
5. On the Status tab, view the Seeding, Latest available log time, Last inspected log time, Last copied log time, and Last replayed log time properties, and then click OK.
Results: After this exercise, you should have created a DAG and a mailbox database copy of the Accounting database. The Accounting database copy on VAN-EX2 should remain in a suspended state.
Exercise 2: Deploying Highly Available Hub Transport and Client Access Servers
Task 1: Create and configure a client access array for CASArray.adatum.com
On VAN-EX1, in the Exchange Management Shell, at the PS prompt, type New-ClientAccessArray -FQDN casarray.adatum.com -Name CASArray.adatum.com -Site Default-First-Site-Name, and then press ENTER.
Results: At the end of this exercise, you should have created a client access array and assigned it to the databases.
On the Network Settings page, click Route mail through the following smart hosts, and then click Add.
In the Add smart host dialog box, click Fully qualified domain name (FQDN).
In the Fully qualified domain name (FQDN) box, type van-dc1.adatum.com, and then click OK.
On the Network settings page, click Next.
On the Configure smart host authentication settings page, ensure None is selected, and then click Next.
On the Source server page, click Add.
In the Select Hub Transport or Subscribed Edge Transport Server dialog box, hold the CTRL key, click VAN-EX1 and VAN-EX2, and then click OK.
On the Source server page, click Next.
Click New to create the connector, and then click Finish to close the wizard.
In the Actions pane, click Connect to Server. On the Connect to Server dialog box, click Browse. On the Select Exchange Server dialog box, click VAN-EX3, click OK, and then click Connect. Click the Queues tab, and then click Create Filter. In the first drop-down menu, select Delivery Type. In the second drop-down menu, select Equals. In the third drop-down menu, select Shadow Redundancy. Click Apply Filter. Examine the shadow-redundancy queue contents.
Click on the Messages tab, and then click Create Filter. In the first drop-down menu, select From Address. In the second drop-down menu, select Equals. In the third drop-down menu, type JasonCarlson@adatum.com. Click Apply Filter. Examine the message in the VAN-EX3\Shadow queue.
Task 5: Start SMTP service on VAN-DC1 to allow delivery of the queued message
1. On VAN-DC1, in Server Manager, expand Configuration, and then click Services.
2. In the Results pane, click Simple Mail Transport Protocol (SMTP), and then in the Actions pane, under Simple Mail Transfer Protocol (SMTP), click More Actions, and then click Start.
Task 6: Verify that the messages were removed from the shadow redundancy queue
1. On VAN-EX2, in the Queue Viewer, verify that you are connected to VAN-EX3.
2. Click the Queues tab, and verify that the Shadow Redundancy filter is still being applied.
3. Examine the contents of the shadow redundancy queue.
Note: You may need to wait a few minutes for the message to be removed from the Shadow redundancy queue.
Task 7: Verify the copy status of the Accounting database, and resume the database copy
1. On VAN-EX1, in the Exchange Management Console, locate the Console Tree, expand Organization Configuration, and then click Mailbox.
2. In the Results pane, click the Database Management tab, and then click Accounting.
3. In the bottom Work pane, view the Copy Status column for each database copy, click the Accounting entry that has a Suspended copy status, right-click on it, and then choose Properties from the context menu.
4. View the Status, Copy queue length, and Replay queue length on the General tab, and then click on the Status tab.
5. On the Status tab, view the Seeding, Latest available log time, Last inspected log time, Last copied log time, and Last replayed log time properties, and then click OK.
6. Click the Accounting entry that has a Suspended copy status, right-click on it, and then choose Resume Database Copy from the context menu.
7. On the Resume Mailbox Database Copy dialog box, click Yes.
8. Wait until the copy status of the Accounting database copy on VAN-EX2 is Healthy. You may need to refresh the display.
Task 8: Perform a switchover on the Accounting database to make the VAN-EX2 copy active
1. In the bottom Work pane, view the Copy Status column for each database copy, click the Accounting entry that has a Healthy copy status, right-click on it, and then choose Activate Database Copy from the context menu.
2. In the Activate Database Copy dialog box, verify None is selected, and then click OK.
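The same inspect, resume and switchover sequence as Tasks 7 and 8, done from the Exchange Management Shell, as an added example (not part of the course lab). Database and server names are the lab's; the polling timeout in Wait-HealthyCopy is an assumption standing in for "wait and refresh the display".

```powershell
# Added example (not from the course lab): shell equivalent of Tasks 7 and 8.
$copy = 'Accounting\VAN-EX2'

# Same properties the console shows on the General and Status tabs.
Get-MailboxDatabaseCopyStatus -Identity $copy |
    Format-List Status, CopyQueueLength, ReplayQueueLength, LastInspectedLogTime, LastCopiedLogTime, LastReplayedLogTime

Resume-MailboxDatabaseCopy -Identity $copy

# Poll until the copy reports Healthy; never switch over to a copy that is still
# Suspended, Failed or replaying a long queue, because the switchover would lose data.
function Wait-HealthyCopy {
    param([string]$Identity, [int]$TimeoutSeconds = 600)   # timeout is an assumption
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $status = (Get-MailboxDatabaseCopyStatus -Identity $Identity).Status
        if ($status -eq 'Healthy') { return $true }
        Start-Sleep -Seconds 10
    } while ((Get-Date) -lt $deadline)
    Write-Warning "$Identity is still $status after $TimeoutSeconds s; not switching over."
    return $false
}

# MountDialOverride None matches "verify None is selected" in the Activate Database Copy
# dialog: honour the database's own AutoDatabaseMountDial instead of forcing a lossy mount.
if (Wait-HealthyCopy -Identity $copy) {
    Move-ActiveMailboxDatabase -Identity Accounting -ActivateOnServer VAN-EX2 -MountDialOverride None -Confirm:$false
    Get-MailboxDatabaseCopyStatus -Identity 'Accounting\*' | Format-Table Name, Status, ActiveCopy -AutoSize
}
```

After the switchover the VAN-EX2 copy should show ActiveCopy True and the VAN-EX1 copy should be Healthy again as a passive copy; if the old active copy shows Failed, the log stream from the new active copy is not reaching it and the DAG is running without redundancy.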
Task 2: Perform a backup of the mailbox database using Windows Server Backup
1. On VAN-EX1, click Start, click All Programs, click Administrative Tools, and then click Server Manager.
2. In Server Manager, click Features, and then on the Features Summary pane, click Add Features.
3. In the Add Features Wizard, expand Windows Server Backup Features, click Windows Server Backup, and then click Next.
4. On the Confirm Installation Selections page, click Install. When the installation finishes, click Close.
5. Click Start, click All Programs, click Administrative Tools, and then click Windows Server Backup.
6. In Windows Server Backup, on the Actions pane, click Backup Once.
7. In the Backup Once Wizard, on the Backup Options page, select Different options, and then click Next.
8. On the Select Backup Configuration page, select Custom, and then click Next.
9. On the Select Items for Backup page, click Add items, check Local disk (C:) in the Select Items window, and then click OK.
10. On the Select Items for Backup page, click Advanced Settings, click on the VSS Settings tab, select VSS full Backup, click OK, and then click Next.
11. On the Specify Destination Type page, select Remote shared folder, and then click Next.
12. On the Specify Remote Folder page, in the Location field, type \\VAN-DC1\Backup, and then click Next.
13. On the Confirmation page, click Backup. The backup will take approximately 15 to 20 minutes.
14. On the Backup Progress page, click Close.
Close Internet Explorer.
8. Open Internet Explorer and connect to https://VAN-EX1.adatum.com/owa, and then press ENTER. Log on as Adatum\Parna with a password of Pa$$w0rd.
9. Click Sent Items, and delete all messages in the folder. In the left pane, right-click Deleted Items, and then click Empty Deleted Items. In the Empty Deleted Items box, click Yes. Close Internet Explorer.
Results: After this exercise, you should have created a backup of an Exchange Server database, and deleted messages.
4. In the Address bar, type https://VAN-EX1.adatum.com/owa, and then press ENTER.
5. Log on as Adatum\Parna with a password of Pa$$w0rd.
6. Verify that the deleted message is available in the Sent Items folder.
7. Close Internet Explorer.
8. At the Exchange Management Shell prompt, type Remove-MailboxDatabase -Identity RecoverDB, and then press ENTER. Type Y, and then press ENTER.
Results: After this exercise, you should have created a recovery database, and restored a complete mailbox from the recovery database to its original location.
2. Click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Console.
3. In Exchange Management Console, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Mailbox.
4. In the Mailbox pane, on the Database Management tab, right-click Accounting, and then click Properties.
5. In Accounting Properties, click on the Maintenance tab, click This database can be overwritten by a restore, and then click OK.
6. Repeat steps 4 and 5 for Mailbox Database 1.
7. In the Mailbox pane, on the Database Management tab, right-click Public Folder Database 1, and then click Properties.
8. In Public Folder Database 1 Properties, on the General tab, click This database can be overwritten by a restore, and then click OK.
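The backup (Task 2 of the previous exercise), the restore-permission setting above, and the recovery-database restore whose closing steps appear earlier on this page, done from the shell with the checks a practitioner runs between them. This is an added example, not the course's own steps. Database names and the backup share are the lab's; the recovery paths under D:\RecoverDB, the E00 log prefix and the source mailbox (Parna) are assumptions.

```powershell
# Added example (not from the course lab): backup, allow-restore flag, recovery database.

# 1. VSS full backup of C: to the lab share. A VSS *full* backup lets Exchange truncate
#    transaction logs and stamps LastFullBackup; a VSS copy backup does neither.
wbadmin start backup -backupTarget:\\VAN-DC1\Backup -include:C: -vssFull -quiet

# Confirm Exchange recorded the backup (LastFullBackup is only populated with -Status).
Get-MailboxDatabase -Status | Format-Table Name, LastFullBackup, Mounted -AutoSize

# 2. "This database can be overwritten by a restore" is the AllowFileRestore flag.
#    Leave it set only for the restore window; otherwise a stray file copy can replace a
#    live database without any further confirmation.
Get-MailboxDatabase | Set-MailboxDatabase -AllowFileRestore $true
Set-PublicFolderDatabase 'Public Folder Database 1' -AllowFileRestore $true

# 3. Recovery database: attach the restored .edb to a throwaway database object.
#    Paths assume the restored files were copied to D:\RecoverDB (assumption).
$edb  = 'D:\RecoverDB\Accounting.edb'
$logs = 'D:\RecoverDB'
New-MailboxDatabase -Recovery -Name RecoverDB -Server VAN-EX1 -EdbFilePath $edb -LogFolderPath $logs

# A restored file is usually in Dirty Shutdown; /mh shows the state, /r replays the logs
# (log prefix E00 is an assumption) so the database reaches Clean Shutdown before mounting.
eseutil /mh $edb
eseutil /r E00 /l $logs /d (Split-Path $edb)

Mount-Database RecoverDB
Get-MailboxStatistics -Database RecoverDB | Format-Table DisplayName, ItemCount -AutoSize

# Copy Parna's items from the recovery copy into a folder of the live mailbox.
# Restore-Mailbox is the Exchange 2010 RTM cmdlet; SP1 replaces it with New-MailboxRestoreRequest.
Restore-Mailbox -Identity Parna -RecoveryDatabase RecoverDB -RecoveryMailbox Parna -TargetFolder 'Recovered Items' -Confirm:$false

# 4. Clean up so the recovery database cannot be mistaken for a live one, and close the
#    restore window again.
Dismount-Database RecoverDB -Confirm:$false
Remove-MailboxDatabase -Identity RecoverDB -Confirm:$false
Get-MailboxDatabase | Set-MailboxDatabase -AllowFileRestore $false
Set-PublicFolderDatabase 'Public Folder Database 1' -AllowFileRestore $false
```

The lab leaves the allow-restore flag set at the end of the exercise; the example clears it because the flag is the only thing standing between an unattended file copy and an overwritten production database.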
2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start.
5. To connect to the virtual machine for the next module's lab, click 10135A-VAN-DC1, and then in the Actions pane, click Connect.
Important: Start the VAN-DC1 virtual machine first, and ensure that it starts fully before starting the other virtual machines.
6. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.
7. Wait for VAN-EX1 to start, and then start VAN-CL1. Connect to the virtual machine.
Task 1: Create a transport rule that adds a disclaimer to all messages sent to the Internet
1. On VAN-EX1, in the Exchange Management Console, expand Organization Configuration, click Hub Transport, and then click New Transport Rule.
2. On the Introduction page, in the Name box, type Internet E-Mail Disclaimer, and then click Next.
3. On the Conditions page, in the Step 1: Select condition(s) area, select the sent to users that are inside or outside the organization, or partners check box.
4. In the Step 2: Edit the rule description by clicking an underlined value area, click Inside the organization.
5. In the Select scope dialog box, under Scope, click Outside the organization, and then click OK.
6. On the Conditions page, click Next.
7. On the Actions page, in the Step 1: Select Action(s) area, select append disclaimer text and fallback to Action if unable to apply.
8. In the Step 2: Edit the rule description by clicking an underlined value area, click disclaimer text.
9. In the Specify disclaimer text box, type This e-mail is intended solely for the use of the individual to whom it is addressed., and then click OK.
10. On the Actions page, click Next.
11. On the Exceptions page, click Next, review the rule description, click New, and then click Finish.
Task 2: Configure and enable message classifications for Outlook 2007 clients
1. On VAN-EX1, open the Exchange Management Shell.
2. At the PS prompt, type New-MessageClassification -Name CompanyConfidential -DisplayName "Company Confidential" -SenderDescription "Do not forward to the Internet", and then press ENTER.
3. At the PS prompt, type cd "c:\Program Files\Microsoft\Exchange Server\v14\scripts", and then press ENTER.
4. At the PS prompt, type .\Export-OutlookClassification.ps1 > c:\classifications.xml, and then press ENTER.
5. On VAN-CL1, click Start, type \\van-ex1\c$, and then press ENTER.
6. Copy the \\VAN-EX1\c$\classifications.xml file to the C: drive. Provide the administrator credentials to complete the copy.
7. Click Start, type \\van-ex1\d$\Labfiles, and then press ENTER.
8. Double-click EnableClassification.reg. Click Yes, and then click OK.
9. Close Windows Explorer.
Task 3: Create a transport rule that blocks all messages with a Company Confidential classification from being sent to the Internet
1. On VAN-EX1, in the Exchange Management Console, in the Actions pane, click New Transport Rule.
2. On the Introduction page, in the Name box, type Company Confidential Rule, and then click Next.
3. On the Conditions page, in the Step 1: Select condition(s) area, select the marked with classification check box.
4. In the Step 2: Edit the rule description by clicking an underlined value area, click classification.
5. In the Select message classification dialog box, click Company Confidential, and then click OK.
6. On the Conditions page, click Next.
7. On the Actions page, in the Step 1: Select Action(s) area, select the send rejection message to sender with enhanced status code check box.
8. In the Step 2: Edit the rule description by clicking an underlined value area, click rejection message.
9. In the Specify rejection message dialog box, type Company confidential e-mails cannot be sent to the Internet, and then click OK.
10. Click enhanced status code, type 5.7.1, and then click OK.
11. On the Actions page, click Next.
12. On the Exceptions page, click Next, review the rule description, click New, and then click Finish.
Task 5: Configure a transport rule that applies the Do Not Forward AD RMS template to all messages with the words confidential or private in the subject
1. On VAN-EX1, in the Exchange Management Console, under Organization Configuration, click Hub Transport.
2. In the Actions pane, click New Transport Rule.
3. On the Introduction page, in the Name field, type Confidential E-Mail Rule.
4. Verify that Enable Rule is selected, and then click Next.
5. On the Conditions page, under Step 1, select the when the Subject field contains specific words check box.
6. Under Step 2, click the specific words link.
7. In the Specify words dialog box, type Confidential, click Add, type Private, click Add, and then click OK.
8. Click Next.
9. On the Actions page, under Step 1, select rights protect message with RMS template.
10. Under Step 2, click the RMS Template link.
11. In the Select RMS template dialog box, click Do not Forward, and then click OK.
12. Click Next twice, click New, and then click Finish.
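The classification from Task 2 and the three transport rules from Tasks 1, 3 and 5, created with New-TransportRule instead of the wizard, as an added example (not part of the course lab). Names and texts are the lab's. It goes one step beyond Task 3's wizard rule by adding the outside-the-organization scope condition, so that classified mail still flows internally, which is what the exercise results describe.

```powershell
# Added example (not from the course lab): Tasks 1, 2, 3 and 5 from the Exchange Management
# Shell on VAN-EX1 (Hub Transport role).

# Task 2: the classification users can stamp on a message.
New-MessageClassification -Name CompanyConfidential -DisplayName 'Company Confidential' `
    -SenderDescription 'Do not forward to the Internet'

# Task 1: disclaimer on mail leaving the organization. Fallback Wrap means a message whose
# body cannot be modified (signed or encrypted content) is wrapped in a new message that
# carries the disclaimer, instead of leaving without it or being rejected.
New-TransportRule -Name 'Internet E-Mail Disclaimer' `
    -SentToScope NotInOrganization `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerText 'This e-mail is intended solely for the use of the individual to whom it is addressed.' `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# Task 3: reject classified mail at the organization boundary with NDR code 5.7.1.
# The SentToScope condition is an addition over the wizard rule (see lead-in).
$cc = (Get-MessageClassification -Identity CompanyConfidential).Identity
New-TransportRule -Name 'Company Confidential Rule' `
    -HasClassification $cc `
    -SentToScope NotInOrganization `
    -RejectMessageReasonText 'Company confidential e-mails cannot be sent to the Internet' `
    -RejectMessageEnhancedStatusCode '5.7.1'

# Task 5: rights-protect on subject keywords. The template must be published by AD RMS and
# visible to the Hub Transport server; Get-RMSTemplate lists what the server can see.
Get-RMSTemplate
New-TransportRule -Name 'Confidential E-Mail Rule' `
    -SubjectContainsWords 'Confidential','Private' `
    -ApplyRightsProtectionTemplate 'Do Not Forward'

# Rules run in Priority order (0 first). List them; Set-TransportRule -Priority reorders
# if the reject rule should be evaluated before the disclaimer is appended.
Get-TransportRule | Sort-Object Priority | Format-Table Priority, Name, State -AutoSize
```

A rejected message never reaches the Internet, so rule order changes nothing for Task 3 itself, but checking the priority list is still the habit to build: a later rule that rewrites or redirects mail can otherwise act before an earlier blocking rule you expected to win.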
Double-click the e-mail message to open it, and click Approve. In Outlook, verify that the message to the All Company distribution list has arrived. In Outlook Web App, create a new message with a subject of Private. Send the message to Luca. Close Internet Explorer. In Outlook, verify that Luca received the message with the subject Private. If prompted for credentials, enter Luca as the user name and Pa$$w0rd as the password. Verify that the message has the Do Not Forward template applied. Verify that the Forward option is not available on the message.
Results: After this exercise, you should have configured a transport rule that ensures that all messages sent to users on the Internet include a disclaimer that the legal department has approved. Additionally, you should have configured a transport rule that ensures that messages with a Company Confidential classification are not sent to the Internet, and you should have configured a transport rule that applies the Do Not Forward AD RMS template to all messages with the words confidential or private in the subject. Lastly, you should have configured a moderated group using the All Company distribution group.
Click Next. On the Mailbox Settings page, type ExecutivesJournal as the Alias. Select the Specify the mailbox database rather than using a database automatically accepted check box, click Browse, click Mailbox Database 1, click OK, and then click Next.
9. On the Archive Settings page, click Next.
10. On the New Mailbox page, click New, and then click Finish.
Task 2: Create a journal rule that saves a copy of all messages sent to and from Executives department members
1. In the Exchange Management Console, in the Organization Configuration work area, click Hub Transport.
2. In the Actions pane, click New Journal Rule to start the New Journal Rule Wizard.
3. On the New Journal Rule page, in the Rule name box, type Executives Department Message Journaling.
4. Beside Send Journal reports to e-mail address, click Browse, click Executives Journal Mailbox, and then click OK.
5. Under Scope, ensure Global all messages is selected.
6. Select the Journal messages for recipient check box, and then click Browse.
7. In the Select Recipient dialog box, click Executives, and then click OK.
8. On the New Journal Rule page, click New, and then click Finish.
Click Next. On the Mailbox Settings page, type MailboxAuditor as the Alias. Select the Specify the mailbox database rather than using a database automatically accepted check box, click Browse, click Mailbox Database 1, click OK, and then click Next.
On the Archive Settings page, click Next.
On the New Mailbox page, click New, and then click Finish.
In the recipient list, click Executives Journal Mailbox, and then click Manage Full Access Permission.
On the Manage Full Access Permission page, click Add, click Mailbox Auditor, and then click OK. Click Manage, and then click Finish.
On VAN-DC1, open Active Directory Users and Computers, and then in the Microsoft Exchange Security Groups OU, double-click the Discovery Management group.
In the Discovery Management Properties dialog box, on the Members tab, click Add. Type Mailbox Auditor, and then click OK twice.
In the Microsoft Outlook Web App session where you are logged on as MailboxAuditor, click Options.
9. In the Select what to manage drop-down list, ensure that My Organization is listed.
10. In the left pane, click Reporting, and then under Multi-Mailbox Search, click New.
11. In the Keywords box, type Customer Number.
12. Expand Mailboxes to Search.
13. Under Select the mailboxes to search, click Add.
14. In the Select Mailbox window, click Luca Dellamore and click Add.
15. Click George Schaller, click Add, and then click OK.
16. Expand Search Name and Storage Location.
17. In the Search name field, type Customer Number Discovery.
18. Next to Select a mailbox in which to store the search results, click Browse.
19. In the Select Mailbox window, click Discovery Search Mailbox, and then click OK.
20. Select the Send me an e-mail when the search is done check box, and then click Save.
21. Wait until the search finishes, and then in the bottom right pane, click the Open link.
22. In the Outlook Web App window, click OK.
23. In the Navigation pane, notice the new discovery folder named Customer Number Discovery. Expand the folder. Note the two folders created that correspond to the mailboxes added to the search criteria.
24. Expand Luca Dellamore, expand Primary Mailbox, expand Sent Items, and then verify that the e-mail was discovered using the search criteria.
25. Expand George Schaller, expand Primary Mailbox, expand Inbox, and then verify that the e-mail was discovered using the search criteria. Close Internet Explorer.
Results: After this exercise, you should have created a journaling mailbox for the Executives department, and then created a journal rule that saves a copy of all messages sent to and from Executives department members. You also should have created and configured the MailboxAuditor account.
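The journaling mailbox and rule (Task 2), the MailboxAuditor account with its Full Access and Discovery Management rights, and the multi-mailbox search the auditor runs in the Exchange Control Panel, all as cmdlets. This is an added example, not the course's own steps. Object names follow the lab; the OU, UPN suffix and the password handling are assumptions, and Discovery Search Mailbox is the system mailbox Exchange setup creates by default.

```powershell
# Added example (not from the course lab): journaling, the auditor account, and discovery.
$pw = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force   # lab password; never hard-code one in production

# Journal mailbox, then the rule. Scope Global covers internal and external traffic;
# Recipient limits journaling to mail sent to or from the Executives group's members.
New-Mailbox -Name 'Executives Journal Mailbox' -Alias ExecutivesJournal `
    -UserPrincipalName ExecutivesJournal@adatum.com -Database 'Mailbox Database 1' `
    -OrganizationalUnit 'adatum.com/Users' -Password $pw
New-JournalRule -Name 'Executives Department Message Journaling' `
    -JournalEmailAddress ExecutivesJournal@adatum.com -Scope Global `
    -Recipient Executives@adatum.com -Enabled $true

# Auditor: a mailbox, Full Access to the journal mailbox, and membership of the Discovery
# Management role group, which is what exposes Multi-Mailbox Search in ECP.
New-Mailbox -Name 'Mailbox Auditor' -Alias MailboxAuditor `
    -UserPrincipalName MailboxAuditor@adatum.com -Database 'Mailbox Database 1' `
    -OrganizationalUnit 'adatum.com/Users' -Password $pw
Add-MailboxPermission -Identity 'Executives Journal Mailbox' -User MailboxAuditor -AccessRights FullAccess
Add-RoleGroupMember -Identity 'Discovery Management' -Member MailboxAuditor

# The search the auditor ran in ECP. Results land in the Discovery Search Mailbox, which
# ordinary users cannot open; LogLevel Full records exactly what was searched and found.
New-MailboxSearch -Name 'Customer Number Discovery' -SearchQuery 'Customer Number' `
    -SourceMailboxes 'Luca Dellamore','George Schaller' `
    -TargetMailbox 'Discovery Search Mailbox' -StatusMailRecipient MailboxAuditor -LogLevel Full
Start-MailboxSearch -Identity 'Customer Number Discovery'

# Checks: everyone listed here can read other people's mail through discovery, so the list
# should be short and reviewed; the search status shows when results are ready.
Get-RoleGroupMember -Identity 'Discovery Management'
Get-MailboxSearch -Identity 'Customer Number Discovery' | Format-List Status, ResultNumber, ResultSize
```

Both the journal mailbox and the discovery mailbox concentrate sensitive content in one place; Full Access grants to them deserve the same review as the role group membership.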
Task 4: Configure a managed folder mailbox policy that applies to all users
1. In the Actions pane, click New Managed Folder Mailbox Policy to start the New Managed Folder Mailbox Policy Wizard.
2. On the New Mailbox Policy page, in the Managed Folder mailbox policy name box, type Default Policy All Users.
3. In the Specify the managed folders that you want to link to this policy section, click Add.
4. In the Select Managed Folder dialog box, click Entire Mailbox, and then click OK.
5. On the New Mailbox Policy page, click New, and then click Finish.
6. Open the Exchange Management Shell.
7. At the prompt, type Get-Mailbox | Set-Mailbox -ManagedFolderMailboxPolicy "Default Policy All Users", and then press ENTER.
8. As the confirmation, type A, and then press ENTER. This command links the policy to all users in the organization.
Task 5: Configure a managed folder mailbox policy that applies to the Executives department
1. In the Exchange Management Console, in the Organization Configuration work area, click Mailbox.
2. In the Actions pane, click New Managed Folder Mailbox Policy to start the New Managed Folder Mailbox Policy Wizard.
3. On the New Mailbox Policy page, in the Managed folder mailbox policy name box, type Executives Department Policy.
4. In the Specify the managed folders that you want to link to this policy section, click Add.
5. In the Select Managed Folder dialog box, click Executives Confidential, and then click OK.
6. In the Specify the managed folders that you want to link to this policy section, click Add.
7. In the Select Managed Folder dialog box, click Entire Mailbox, and then click OK.
8. On the New Managed Folder Mailbox Policy page, click New, and then click Finish.
9. In the Exchange Management Shell, type Get-Mailbox | Where-Object {$_.DistinguishedName -ilike "*ou=Executives,dc=adatum,dc=com"} | Set-Mailbox -ManagedFolderMailboxPolicy "Executives Department Policy", and then press ENTER. This command links the policy to all users in the Executives organizational unit (OU).
Task 7: Confirm that the managed custom folder is created for the Executives department users
1. In the Exchange Management Console, click the Recipient Configuration node.
2. In the Results pane, right-click Marcel Truempy, and then click Properties.
3. On the Mailbox Settings tab, click Messaging Records Management, and then click Properties.
4. Confirm that the Managed folder mailbox policy check box is selected, and that the Executives Department Policy is assigned to the mailbox. Click OK twice.
5. On VAN-EX1, open Internet Explorer and connect to https://VAN-EX1.adatum.com/owa. Log on as Adatum\Marcel with a password of Pa$$w0rd. Click OK. Confirm that the Executives Confidential folder was created in Marcel's mailbox under the Managed Folders node. Close Internet Explorer.
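The managed folder objects behind Tasks 4, 5 and 7 created and linked from the shell, as an added example (not part of the course lab). Policy and folder names are the lab's, the 90-day deletion comes from the exercise results below, and the content-settings name, the folder comment, and the use of Get-Mailbox -OrganizationalUnit in place of the lab's DistinguishedName filter are assumptions.

```powershell
# Added example (not from the course lab): MRM managed folders, policies and verification.

# Retention on the default "Entire Mailbox" folder: delete after 90 days, but recoverable
# through Deleted Items retention rather than hard-deleted.
New-ManagedContentSettings -Name 'Delete after 90 days' -FolderName 'Entire Mailbox' `
    -MessageClass * -RetentionEnabled $true -AgeLimitForRetention 90 `
    -RetentionAction DeleteAndAllowRecovery -TriggerForRetention WhenDelivered

# Custom managed folder that is provisioned into each Executive's mailbox.
New-ManagedFolder -Name 'Executives Confidential' -FolderName 'Executives Confidential' `
    -Comment 'Confidential messages only' -MustDisplayCommentEnabled $true

# Policies: one for everybody, one for the Executives OU that adds the custom folder.
New-ManagedFolderMailboxPolicy -Name 'Default Policy All Users' -ManagedFolderLinks 'Entire Mailbox'
New-ManagedFolderMailboxPolicy -Name 'Executives Department Policy' `
    -ManagedFolderLinks 'Entire Mailbox','Executives Confidential'

Get-Mailbox -ResultSize Unlimited | Set-Mailbox -ManagedFolderMailboxPolicy 'Default Policy All Users'
Get-Mailbox -OrganizationalUnit 'adatum.com/Executives' -ResultSize Unlimited |
    Set-Mailbox -ManagedFolderMailboxPolicy 'Executives Department Policy'

# Nothing changes inside a mailbox until the Managed Folder Assistant processes it; run it
# for one mailbox now instead of waiting for its schedule.
Start-ManagedFolderAssistant -Identity Marcel

# Task 7 check, as the console shows under Mailbox Settings > Messaging Records Management.
function Test-MailboxPolicy {
    param([string]$Mailbox, [string]$ExpectedPolicy)
    $actual = (Get-Mailbox -Identity $Mailbox).ManagedFolderMailboxPolicy
    return [bool]($actual -and $actual.Name -eq $ExpectedPolicy)
}
Test-MailboxPolicy -Mailbox Marcel -ExpectedPolicy 'Executives Department Policy'
```

Order matters in the two Set-Mailbox lines: the all-users assignment runs first so the Executives assignment overrides it, exactly as Tasks 4 and 5 do; run them the other way round and every Executive ends up on the default policy.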
2. Read the confirmation statement, type A, and then press ENTER.
3. At the PS prompt, type the following, and then press ENTER: Start-ManagedFolderAssistant
4. Open Internet Explorer, and connect to https://van-ex1.adatum.com/owa.
5. Log on as Adatum\Manoj using a password of Pa$$w0rd.
6. Click a message in the Inbox, and then in the reading pane, point out the expiration time for the message.
7. Right-click the message, and review the options under the Retention Policy and Archive Policy menu items. Close Internet Explorer.
Results: After this exercise, you should have configured a managed folder policy that ensures that all messages in the default mailbox folders are deleted after 90 days. You also will have configured a custom managed folder to ensure that all members of the Executives department have a custom folder in their mailbox that will contain confidential messages. You also should have configured Retention Tags and retention policies for the Marketing group.
Task 2: Verify that the archive mailbox was created for members of the Marketing group
Open Internet Explorer, and then connect to https://VAN-EX1.adatum.com/owa.
Log on as Adatum\Manoj with a password of Pa$$w0rd. Click OK.
Verify that the archive mailbox is visible through Outlook Web App.
Results: After this exercise, you should have configured archive mailboxes for all members of the Marketing group.
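Retention tags, a retention policy and archive mailboxes for the Marketing group, which the results of this and the previous exercise describe but whose shell steps are not reproduced on this page, as an added example (not the course's own steps). The group name is the lab's; tag names, age limits, retention actions and the policy name are assumptions chosen to show one default tag, one personal tag and the archive.

```powershell
# Added example (not from the course lab): retention tags, retention policy, archives.

# Default policy tag (Type All) applies to every item without a more specific tag.
# MoveToArchive keeps the item; it only changes which mailbox holds it.
New-RetentionPolicyTag -Name 'Marketing Archive After 1 Year' -Type All `
    -AgeLimitForRetention 365 -RetentionAction MoveToArchive -RetentionEnabled $true
# Personal tag users may apply themselves (the "Retention Policy" menu seen in OWA above).
New-RetentionPolicyTag -Name 'Keep 5 Years' -Type Personal `
    -AgeLimitForRetention 1825 -RetentionAction DeleteAndAllowRecovery -RetentionEnabled $true

New-RetentionPolicy -Name 'Marketing Retention Policy' `
    -RetentionPolicyTagLinks 'Marketing Archive After 1 Year','Keep 5 Years'

# Apply the policy to each Marketing member and create an archive where one is missing.
$members = Get-DistributionGroupMember -Identity Marketing |
    Where-Object { $_.RecipientType -like '*Mailbox*' }
foreach ($m in $members) {
    Set-Mailbox -Identity $m.Identity -RetentionPolicy 'Marketing Retention Policy'
    if (-not (Get-Mailbox -Identity $m.Identity).ArchiveDatabase) {
        Enable-Mailbox -Identity $m.Identity -Archive
    }
}

# Tags take effect when the Managed Folder Assistant processes the mailbox.
Start-ManagedFolderAssistant -Identity Manoj

# Verification, equivalent to what Task 2 checks through OWA.
function Test-ArchiveEnabled {
    param([string]$Mailbox, [string]$ExpectedPolicy = 'Marketing Retention Policy')
    $mb = Get-Mailbox -Identity $Mailbox
    $policyOk = $mb.RetentionPolicy -and $mb.RetentionPolicy.Name -eq $ExpectedPolicy
    return [bool]($mb.ArchiveDatabase -and $policyOk)
}
Test-ArchiveEnabled -Mailbox Manoj
```

An archive mailbox is a second mailbox under the same account: it inherits the user's credentials but not Full Access grants made only on the primary, so anyone auditing delegated access should check both.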
Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines.
6. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.
7. Wait for VAN-EX1 to start, and then start VAN-EX2. Connect to the virtual machine.
10. On the Mailboxes tab, click Andreas Herbinger, and then click Details.
11. Click Organization, in the Department field, type IT, and then click Save.
12. Click Public Groups. Click Accounting, and then click Details. Verify that you can modify the group properties by typing a group description, and then clicking Save. Close Internet Explorer.
Note: You cannot create or delete user accounts and mailboxes in Exchange Control Panel. If you want to test whether Anna can create user accounts and mailboxes, add Anna to the local Administrators group on VAN-EX2, and log on to VAN-EX2 as Anna. Then open Exchange Management Console and verify that you can create a mailbox. In a production environment, you could install the Exchange Management tools on a Windows 7 client computer.
13. On VAN-EX1, open Internet Explorer, and connect to https://van-ex1.adatum.com/ecp.
14. Log on as Adatum\Paul using a password of Pa$$w0rd, and then click OK.
15. On the Mailboxes tab, click Franz Kohl, and then click Details.
16. Click Organization, in the Department field, type Customer Service, and then click Save.
17. Verify that the Groups tab is not visible. Close Internet Explorer.
Results: After this exercise, you should have configured and verified permissions in the Exchange Server deployment.
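What the ECP logons above verify by hand can be read directly from the role-based access control configuration. The following is an added example (not part of the course lab) that lists the role assignments reaching a user and checks whether any of those roles contains a given cmdlet; ECP only shows an action when some role the user holds includes its cmdlet. User names are the lab's; the role assignments themselves were made earlier in the lab and are not shown on this page.

```powershell
# Added example (not from the course lab): inspect effective RBAC rights for a user.

# Every regular (non-delegating) assignment that reaches the user, directly or via a role group.
function Get-EffectiveRoles {
    param([string]$User)
    Get-ManagementRoleAssignment -RoleAssignee $User -Delegating $false |
        Select-Object Role, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope
}

# True when at least one of the user's roles contains the cmdlet. No role with the cmdlet
# means ECP cannot offer the action, which is why mailbox creation is absent for Anna.
function Test-UserCanRun {
    param([string]$User, [string]$Cmdlet)
    $userRoles = Get-ManagementRoleAssignment -RoleAssignee $User -Delegating $false |
        ForEach-Object { $_.Role.Name }
    $rolesWithCmdlet = Get-ManagementRole -Cmdlet $Cmdlet | ForEach-Object { $_.Name }
    $overlap = Compare-Object $userRoles $rolesWithCmdlet -IncludeEqual -ExcludeDifferent
    return [bool]$overlap
}

Get-EffectiveRoles -User Anna | Format-Table -AutoSize
Test-UserCanRun -User Anna -Cmdlet New-Mailbox     # mailbox creation
Test-UserCanRun -User Anna -Cmdlet Set-Group       # editing a group's description
Test-UserCanRun -User Paul -Cmdlet Set-Group       # Paul's ECP hides the Groups tab
```

The write scope columns matter as much as the role: a role granted with a custom recipient write scope lets the user change only the recipients inside that scope, even though the cmdlet check above returns True.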
Task 2: Request a server certificate with multiple SANs on the Client Access server
1. On VAN-EX1, in the Exchange Management Console, click Server Configuration.
2. In the Actions pane, click New Exchange Certificate to open the New Exchange Certificate Wizard.
3. On the Introduction page, type Adatum Mail Certificate as the friendly name for the certificate, and then click Next.
4. On the Domain Scope page, click Next.
5. On the Exchange Configuration page, expand Client Access server (Outlook Web App), select the Outlook Web App is on the Intranet check box, and then type VAN-EX1.adatum.com in the domain name box. Select the Outlook Web App is on the Internet check box, and then type Mail.adatum.com in the second text box.
6. Expand Client Access server (Exchange ActiveSync), and then verify that the Exchange Active Sync is enabled check box is selected.
7. Type mail.adatum.com as the domain name.
8. Expand Client Access server (Web Services, Outlook Anywhere, and Autodiscover), and then enter mail.adatum.com as the external host name.
9. Ensure that both the Autodiscover used on the Internet check box and the Long URL option are selected. In the Autodiscover URL to use field, delete all entries except for autodiscover.adatum.com, and then click Next.
10. On the Certificate Domains page, click Next.
11. On the Organization and Location page, enter the following information:
Organization: A Datum
Organizational Unit: Messaging
Country/region: Canada
City/locality: Vancouver
State/province: BC
12. Click Browse, type CertRequest as the File name, and then click Save.
13. Click Next, click New, and then click Finish.
14. Click the Folder icon in the task bar, and then click Documents.
15. Right-click CertRequest.req, and then click Open.
16. In the Windows dialog box, click Select a program from a list of installed programs, and then click OK.
17. In the Open with dialog box, click Notepad, and then click OK.
18. In the CertRequest.req Notepad window, press CTRL+A to select all of the text, press CTRL+C to copy the text to the clipboard, and then close Notepad.
19. Click Start, click All Programs, and then click Internet Explorer.
20. Connect to https://van-dc1.adatum.com/certsrv.
21. Log on as Adatum\administrator using a password of Pa$$w0rd.
22. On the Welcome page, click Request a certificate.
23. On the Request a Certificate page, click advanced certificate request.
24. On the Advanced Certificate Request page, click Submit a certificate request by using a base64-encoded CMC or PKCS#10 file, or submit a renewal request by using a base-64-encoded CMC or PKCS#7 file.
25. On the Submit a Certificate Request or Renewal Request page, click in the Saved Request field, and then press CTRL+V to paste the certificate request information into the field.
26. In the Certificate Template drop-down list, click Web Server, and then click Submit.
27. In the Web Access Confirmation dialog box, click Yes.
28. On the Certificate Issued page, click Download certificate.
29. In the File Download dialog box, click Save.
30. In the Save As dialog box, browse to the C: drive, and then click Save.
31. In the Download complete dialog box, click Close.
32. In the Exchange Management Console, click Adatum Mail Certificate, and then click Complete Pending Request.
33. On the Complete Pending Request page, click Browse.
34. Browse to the C: drive, click certnew.cer, click Open, click Complete, and then click Finish.
35. On the Exchange Certificates tab, click Adatum Mail Certificate, and then click Assign Services to Certificate.
36. On the Select Servers page, click Next.
37. On the Select Services page, select the Internet Information Services check box, click Next, click Assign, and then click Finish.
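The same multi-SAN request, CA submission, completion and service assignment from the shell, with a check that the certificate bound to IIS actually covers every name clients use. This is an added example, not the course's own steps. Names and the file locations match the lab; the CA's common name on VAN-DC1 is a placeholder, and the choice to make the private key exportable is an assumption.

```powershell
# Added example (not from the course lab): certificate request, issuance, import, binding.
$names = 'mail.adatum.com', 'VAN-EX1.adatum.com', 'autodiscover.adatum.com'

# CN is the public name; the rest become Subject Alternative Names. Mark the key exportable
# only when the certificate must be copied to another CAS or a reverse proxy such as TMG.
$request = New-ExchangeCertificate -GenerateRequest `
    -FriendlyName 'Adatum Mail Certificate' `
    -SubjectName 'c=CA,s=BC,l=Vancouver,o=A Datum,ou=Messaging,cn=mail.adatum.com' `
    -DomainName $names -PrivateKeyExportable $true
Set-Content -Path C:\CertRequest.req -Value $request

# Submit to the enterprise CA with the Web Server template (what the certsrv pages do).
# <CA-NAME> is a placeholder for the CA's common name on VAN-DC1.
certreq -submit -config 'VAN-DC1.adatum.com\<CA-NAME>' -attrib 'CertificateTemplate:WebServer' `
    C:\CertRequest.req C:\certnew.cer

# Complete the pending request and bind the certificate to IIS (OWA, ECP, EWS, Autodiscover, ActiveSync).
$cert = Import-ExchangeCertificate -FileData ([byte[]](Get-Content -Path C:\certnew.cer -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# Check: the certificate on IIS must cover every name clients will use; a name mismatch
# produces browser warnings that train users to click through them.
function Test-IisCertificateCoversNames {
    param([string[]]$RequiredNames)
    $iis = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' }
    $covered = @($iis | ForEach-Object { $_.CertificateDomains } | ForEach-Object { $_.ToString().ToLower() })
    $missing = $RequiredNames | Where-Object { $covered -notcontains $_.ToLower() }
    if ($missing) { Write-Warning "Not covered by the IIS certificate: $($missing -join ', ')"; return $false }
    return $true
}
Test-IisCertificateCoversNames -RequiredNames $names
```

Get-ExchangeCertificate also reports the self-signed certificate Exchange setup installed; after the assignment above it should no longer carry the IIS service, otherwise clients may still be presented with it.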
17. On the Single Sign On Settings page, type Adatum.com as the single sign-on (SSO) domain name, click Next, and then click Finish.
18. On the Select Web Listener page, click Next.
19. On the Authentication Delegation page, accept the default of Basic authentication, and then click Next.
20. On the User Sets page, accept the default, and then click Next.
21. On the Completing the New Exchange Publishing Rule Wizard page, click Finish.
22. Click Apply twice to apply the changes, and then click OK when the changes have been applied.
14. Close Internet Explorer.
Results: After this exercise, you should have configured a Forefront Threat Management Gateway server to enable access to Outlook Web App on the Client Access server. You also will have verified that the access is configured correctly.
Task 2: Create a new performance counter data collector set for monitoring basic Exchange Server performance
1. In the Performance Monitor, in the Navigation pane, expand Data Collector Sets, expand User Defined, click Exchange Monitoring, click the Action menu, click New, and then click Data Collector.
2. In the Create New Data Collector Wizard, in the Name box, type Base Exchange Monitoring, select Performance counter data collector, and then click Next.
3. Click Add.
4. In the Available counters object list, expand Processor, and then click % Processor Time. Press and hold the CTRL key, click % User Time, click % Privileged Time, and then click Add.
5. In the Available counters object list, expand Memory, and then click Available Mbytes. Press and hold the CTRL key, click Page Reads/sec, click Pages Input/sec, click Pages/sec, click Pages Output/sec, click Pool Paged Bytes, click Transition Pages Repurposed/sec, and then click Add.
6. In the Available counters object list, expand MSExchange ADAccess Domain Controllers, and then click LDAP Read Time. Press and hold the CTRL key, and click LDAP Search Time, click LDAP Searches timed out per minute, click Long running LDAP operations/Min, and then click Add.
7. In the Available counters object list, expand System, click Processor Queue Length, and then click Add.
8. Click OK.
9. In the Create New Data Collector Wizard, in the Sample interval box, type 1, and then in the Units dropdown menu, select Minutes and click Finish to create the data collector set.
Task 3: Create a new performance counter data collector set for monitoring Mailbox server role performance
1. In the Reliability and Performance Monitor, in the Navigation pane, click Exchange Monitoring, click the Action menu, click New, and then click Data Collector.
2. In the Create New Data Collector Wizard, in the Name box, type Mailbox Role Monitoring, select Performance counter data collector, and then click Next.
3. Click Add.
4. In the Available counters object list, expand LogicalDisk, and then click Avg.Disk sec/Read. Press and hold the CTRL key, and click Avg.Disk sec/Transfer, click Avg.Disk sec/Write, and then click Add.
5. In the Available counters object list, expand MSExchangeIS, and then click RPC Averaged Latency. Press and hold the CTRL key, and click RPC Num Slow Packets, click RPC Operations/sec, click RPC Requests, and then click Add.
6. In the Available counters object list, expand MSExchangeIS Mailbox, click Messages Queued for Submission, and then click Add.
7. In the Available counters object list, expand MSExchangeIS Public, click Messages Queued for Submission, and then click Add.
8. Click OK.
9. In the Create New Data Collector Wizard, in the Sample interval box, type 1, and in the Units dropdown menu, select Minutes, and then click Finish to create the data collector set.
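A data collector set records the counters from Tasks 2 and 3 for later review; the following added example (not part of the course lab) samples a subset of the same counters from the shell with Get-Counter and flags values outside a threshold, which is the check an operator wants on a server that is misbehaving right now. Counter paths are the ones the lab selects; the thresholds are assumptions chosen as common starting points, not guidance for any particular server.

```powershell
# Added example (not from the course lab): sample the lab's counters and flag outliers.
$checks = @(
    @{ Path = '\Processor(_Total)\% Processor Time';                           Max = 75 },
    @{ Path = '\System\Processor Queue Length';                                Max = 4 },
    @{ Path = '\Memory\Available MBytes';                                      Min = 100 },
    @{ Path = '\Memory\Pages/sec';                                             Max = 1000 },
    @{ Path = '\MSExchange ADAccess Domain Controllers(*)\LDAP Read Time';     Max = 50 },
    @{ Path = '\MSExchange ADAccess Domain Controllers(*)\LDAP Search Time';   Max = 50 },
    @{ Path = '\LogicalDisk(*)\Avg. Disk sec/Read';                            Max = 0.02 },
    @{ Path = '\MSExchangeIS\RPC Averaged Latency';                            Max = 50 },
    @{ Path = '\MSExchangeIS Mailbox(_Total)\Messages Queued for Submission';  Max = 50 }
)

# Returns one object per counter instance whose average over the samples breaches the
# threshold; counters that do not exist on this server (missing role) are reported and skipped.
function Get-CounterViolations {
    param([hashtable[]]$Checks, [int]$Samples = 3, [int]$IntervalSeconds = 5)
    $violations = @()
    foreach ($c in $Checks) {
        $data = Get-Counter -Counter $c.Path -SampleInterval $IntervalSeconds -MaxSamples $Samples -ErrorAction SilentlyContinue
        if (-not $data) { Write-Warning "Counter not available: $($c.Path)"; continue }
        $byInstance = $data | ForEach-Object { $_.CounterSamples } | Group-Object Path
        foreach ($g in $byInstance) {
            $avg = ($g.Group | Measure-Object CookedValue -Average).Average
            $tooHigh = ($c.Max -ne $null) -and ($avg -gt $c.Max)
            $tooLow  = ($c.Min -ne $null) -and ($avg -lt $c.Min)
            if ($tooHigh -or $tooLow) {
                $violations += New-Object PSObject -Property @{
                    Counter = $g.Name; Average = [math]::Round($avg, 3); Max = $c.Max; Min = $c.Min
                }
            }
        }
    }
    return $violations
}

Get-CounterViolations -Checks $checks | Format-Table Counter, Average, Max, Min -AutoSize
```

Averaging a few samples rather than reading one value is deliberate: RPC latency and disk seconds per read spike briefly during normal operation, and a single sample will raise false alarms or hide a sustained problem depending on when it is taken.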
4. In the Navigation pane, click System, and then in the Content pane, review recent events. No notable events are present.
5. Close Event Viewer.
Task 4: List the probable causes of the problem, and rank the possible solutions, if multiple options exist
List the problems and possible solutions:
Problem: Disk errors are preventing access to the database. Possible solution: Replace disks and restore from backup.
Problem: Database path is incorrect because of storage changes. Possible solution: Change storage or database configuration.
2. In the Exchange Management Shell, type the following cmdlet, and then press ENTER:
Move-DatabasePath MailboxDB100 -LogFolderPath "C:\Program Files\Microsoft\Exchange Server\V14\Mailbox\MailboxDB100" -EdbFilePath "C:\Program Files\Microsoft\Exchange Server\V14\Mailbox\MailboxDB100\MailboxDB100.edb" -ConfigurationOnly -Force
3. Type Y, and then press ENTER.
4. In the Exchange Management Shell, type Mount-Database MailboxDB100, and then press ENTER.
5. Close Exchange Management Shell.
Results: After this exercise, you should have used a troubleshooting technique to identify and fix a Mailbox server problem.
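The check that distinguishes the two rows of the table above, done from the shell, as an added example (not part of the course lab): compare where Active Directory says the database files are with where they actually exist on disk, and only then repoint the configuration. Database name and paths are the lab's. Move-DatabasePath with -ConfigurationOnly changes the directory objects and moves no files, which is why the files must already be at the new location.

```powershell
# Added example (not from the course lab): diagnose a wrong database path before fixing it.
$db = 'MailboxDB100'
$expectedEdb  = 'C:\Program Files\Microsoft\Exchange Server\V14\Mailbox\MailboxDB100\MailboxDB100.edb'
$expectedLogs = 'C:\Program Files\Microsoft\Exchange Server\V14\Mailbox\MailboxDB100'

# Configured paths, mount state, and whether the configured files are actually present.
function Get-DatabasePathState {
    param([string]$Name)
    $d = Get-MailboxDatabase -Identity $Name -Status
    New-Object PSObject -Property @{
        Name        = $d.Name
        Mounted     = $d.Mounted
        EdbFilePath = $d.EdbFilePath.PathName
        LogFolder   = $d.LogFolderPath.PathName
        EdbExists   = Test-Path -LiteralPath $d.EdbFilePath.PathName
        LogsExist   = Test-Path -LiteralPath $d.LogFolderPath.PathName
    }
}
$state = Get-DatabasePathState -Name $db
$state | Format-List

# Lab symptom: the configured path is wrong but the files exist at the expected location,
# so repointing the configuration is the fix. Files missing at both locations is the
# "disk errors" row of the table: do not repoint, restore from backup instead.
if (-not $state.EdbExists -and (Test-Path -LiteralPath $expectedEdb)) {
    Move-DatabasePath -Identity $db -EdbFilePath $expectedEdb -LogFolderPath $expectedLogs -ConfigurationOnly -Force
    Mount-Database -Identity $db
    Get-DatabasePathState -Name $db | Format-List Name, Mounted, EdbFilePath
}
elseif (-not (Test-Path -LiteralPath $expectedEdb)) {
    Write-Warning "$db files are not at the configured or the expected path; restore from backup."
}
```

Mount-Database after a configuration-only move also confirms the log folder: if the logs were left behind at the old location the mount fails with a log-signature or missing-log error rather than silently starting with a gap.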
Task 4: List the probable causes of the problem, and rank the possible solutions if multiple options exist
List the problems and possible solutions:
Problem: Internet Information Server (IIS) is not configured correctly. Possible solution: Modify the IIS configuration.
Problem: Microsoft Outlook Web App authentication is not configured correctly. Possible solution: Modify Outlook Web App authentication configuration.
1. On the host computer, start Hyper-V Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start.
5. To connect to the virtual machine for the next module's lab, click 10135A-VAN-DC1, and then in the Actions pane, click Connect.
Important: Start the VAN-DC1 virtual machine first, and ensure that it starts fully before starting the other virtual machines.
6. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.
7. Wait for VAN-EX1 to start, and then start VAN-EX2. Connect to the virtual machine.
Task 7: Associate the Unified Messaging server with the dial plan
1. In the Exchange Management Console, expand Microsoft Exchange On-Premises, expand Server Configuration, and then click Unified Messaging.
2. In the Details pane, right-click VAN-EX2, and then click Properties.
3. On the VAN-EX2 Properties page, click the UM Settings tab.
4. On the Associated Dial Plans pane, click Add, select DP-VAN-5digit in the Select Dial Plan window, and then click OK twice.
3. On the DP-VAN-5digit Properties page, click the Settings tab, verify that German (Germany) is selected in the Default language drop-down list, and then click OK.
Results: After this exercise, you should have installed the Unified Messaging role and configured the basic server-side settings for Unified Messaging, namely, a dial plan, an IP gateway, a hunt group, and a mailbox policy. You also will have assigned the dial plan to a Unified Messaging server.
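The UM objects this exercise creates (dial plan, IP gateway, hunt group, mailbox policy) and the Task 7 server association, as cmdlets, in an added example that is not part of the course lab. The dial plan name, 5-digit extensions, server name and German default language follow the lab; the gateway name and address, the hunt group name, the pilot number and the mailbox policy name are placeholders or assumptions.

```powershell
# Added example (not from the course lab): Unified Messaging configuration and checks.
New-UMDialPlan -Name DP-VAN-5digit -NumberOfDigitsInExtension 5 -URIType TelExtn
# The default language must be one whose UM language pack is installed on VAN-EX2.
Set-UMDialPlan -Identity DP-VAN-5digit -DefaultLanguage de-DE

# Gateway address is a placeholder for the IP/PBX gateway's IP or FQDN.
New-UMIPGateway -Name 'VAN-Gateway' -Address '<GATEWAY-IP-OR-FQDN>'
New-UMHuntGroup -Name 'VAN-HuntGroup' -UMDialPlan DP-VAN-5digit -UMIPGateway 'VAN-Gateway' -PilotIdentifier '10000'
New-UMMailboxPolicy -Name 'DP-VAN-5digit Default Policy' -UMDialPlan DP-VAN-5digit

# Task 7: associate the UM server with the dial plan (what the UM Settings tab does).
Set-UMServer -Identity VAN-EX2 -DialPlans DP-VAN-5digit

# Checks: the association took, and whether signalling/media between gateway and server
# are protected (VoIPSecurity Unsecured means SIP and RTP cross the network in clear).
function Test-UMServerDialPlan {
    param([string]$Server, [string]$DialPlan)
    $plans = (Get-UMServer -Identity $Server).DialPlans | ForEach-Object { $_.Name }
    return [bool]($plans -contains $DialPlan)
}
Test-UMServerDialPlan -Server VAN-EX2 -DialPlan DP-VAN-5digit
Get-UMDialPlan -Identity DP-VAN-5digit |
    Format-List Name, DefaultLanguage, NumberOfDigitsInExtension, VoIPSecurity
```

Changing VoIPSecurity to SIPSecured or Secured (Set-UMDialPlan -VoIPSecurity) requires a certificate on the UM server and a gateway that supports TLS; it is a separate step from the lab, mentioned here only because the value is worth reading before the dial plan goes into service.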