10135A ENU TrainerHandbook

O F F I C I A L
M I C R O S O F T
L E A R N I N G
P R O D U C T
10135A
Configuring, Managing and Troubleshooting Microsoft Exchange Server 2010
ii
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein. 2010 Microsoft Corporation. All rights reserved. Microsoft, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.
Product Number: 10135A Part Number: X17-40190
Released: 01/2010
MICROSOFT LICENSE TERMS OFFICIAL MICROSOFT LEARNING PRODUCTS - TRAINER EDITION Pre-Release and Final Release Versions
These license terms are an agreement between Microsoft Corporation and you. Please read them. They apply to the Licensed Content named above, which includes the media on which you received it, if any. The terms also apply to any Microsoft updates, supplements, Internet-based services, and support services
for this Licensed Content, unless other terms accompany those items. If so, those terms apply. By using the Licensed Content, you accept these terms. If you do not accept them, do not use the Licensed Content. If you comply with these license terms, you have the rights below.
1. DEFINITIONS. a. Academic Materials means the printed or electronic documentation such as manuals, workbooks, white papers, press releases, datasheets, and FAQs which may be included in the Licensed Content. b. Authorized Learning Center(s) means a Microsoft Certified Partner for Learning Solutions location, an IT Academy location, or such other entity as Microsoft may designate from time to time. c. Authorized Training Session(s) means those training sessions authorized by Microsoft and conducted at or through Authorized Learning Centers by a Trainer providing training to Students solely on Official Microsoft Learning Products (formerly known as Microsoft Official Curriculum or MOC) and Microsoft Dynamics Learning Products (formerly know as Microsoft Business Solutions Courseware). Each Authorized Training Session will provide training on the subject matter of one (1) Course. d. Course means one of the courses using Licensed Content offered by an Authorized Learning Center during an Authorized Training Session, each of which provides training on a particular Microsoft technology subject matter. e. Device(s) means a single computer, device, workstation, terminal, or other digital electronic or analog device. f.
Licensed Content means the materials accompanying these license terms. The Licensed Content may include, but is not limited to, the following elements: (i) Trainer Content, (ii) Student Content, (iii) classroom setup guide, and (iv) Software. There are different and separate components of the Licensed Content for each Course. Software means the Virtual Machines and Virtual Hard Disks, or other software applications that may be included with the Licensed Content. Student Content means the learning materials accompanying these license terms that are for use by Students and Trainers during an Authorized Training Session. Student Content may include labs, simulations, and courseware files for a Course. Trainer(s) means a) a person who is duly certified by Microsoft as a Microsoft Certified Trainer and b) such other individual as authorized in writing by Microsoft and has been engaged by an Authorized Learning Center to teach or instruct an Authorized Training Session to Students on its behalf.
g.
h. Student(s) means a student duly enrolled for an Authorized Training Session at your location. i.
j.
k. Trainer Content means the materials accompanying these license terms that are for use by Trainers and Students, as applicable, solely during an Authorized Training Session. Trainer Content may include Virtual Machines, Virtual Hard Disks, Microsoft PowerPoint files, instructor notes, and demonstration guides and script files for a Course. l.
Virtual Hard Disks means Microsoft Software that is comprised of virtualized hard disks (such as a base virtual hard disk or differencing disks) for a Virtual Machine that can be loaded onto a single computer or other device in order to allow end-users to run multiple operating systems concurrently. For the purposes of these license terms, Virtual Hard Disks will be considered Trainer Content.
m. Virtual Machine means a virtualized computing experience, created and accessed using Microsoft Virtual PC or Microsoft Virtual Server software that consists of a virtualized hardware environment, one or more Virtual Hard Disks,
and a configuration file setting the parameters of the virtualized hardware environment (e.g., RAM). For the purposes of these license terms, Virtual Hard Disks will be considered Trainer Content.
n.
you means the Authorized Learning Center or Trainer, as applicable, that has agreed to these license terms.
2. OVERVIEW.
Licensed Content. The Licensed Content includes Software, Academic Materials (online and electronic), Trainer Content, Student Content, classroom setup guide, and associated media. License Model. The Licensed Content is licensed on a per copy per Authorized Learning Center location or per Trainer basis.
3. INSTALLATION AND USE RIGHTS. a. Authorized Learning Centers and Trainers: For each Authorized Training Session, you may:
i. either install individual copies of the relevant Licensed Content on classroom Devices only for use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided that the number of copies in use does not exceed the number of Students enrolled in and the Trainer delivering the Authorized Training Session, OR
ii. install one copy of the relevant Licensed Content on a network server only for access by classroom Devices and only for use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided that the number of Devices accessing the Licensed Content on such server does not exceed the number of Students enrolled in and the Trainer delivering the Authorized Training Session. iii. and allow the Students enrolled in and the Trainer delivering the Authorized Training Session to use the Licensed Content that you install in accordance with (ii) or (ii) above during such Authorized Training Session in accordance with these license terms. i. Separation of Components. The components of the Licensed Content are licensed as a single unit. You may not separate the components and install them on different Devices.
ii. Third Party Programs. The Licensed Content may contain third party programs. These license terms will apply to the use of those third party programs, unless other terms accompany those programs.
b. Trainers:
i. Trainers may Use the Licensed Content that you install or that is installed by an Authorized Learning Center on a classroom Device to deliver an Authorized Training Session.
ii. Trainers may also Use a copy of the Licensed Content as follows:
A. Licensed Device. The licensed Device is the Device on which you Use the Licensed Content. You may install and Use one copy of the Licensed Content on the licensed Device solely for your own personal training Use and for preparation of an Authorized Training Session. B. Portable Device. You may install another copy on a portable device solely for your own personal training Use and for preparation of an Authorized Training Session. 4. PRE-RELEASE VERSIONS. If this is a pre-release (beta) version, in addition to the other provisions in this agreement, these terms also apply: a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not contain the same information and/or work the way a final version of the Licensed Content will. We may change it for the final, commercial version. We also may not release a commercial version. You will clearly and conspicuously inform any Students who participate in each Authorized Training Session of the foregoing; and, that you or Microsoft are under no obligation to provide them with any further content, including but not limited to the final released version of the Licensed Content for the Course. b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, you give to Microsoft, without charge, the right to use, share and commercialize your feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software, Licensed Content, or service that includes the feedback. You will not give feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your feedback in them. These rights survive this agreement. c. Confidential Information. The Licensed Content, including any viewer, user interface, features and documentation that may be included with the Licensed Content, is confidential and proprietary to Microsoft and its suppliers.
i.
Use. For five years after installation of the Licensed Content or its commercial release, whichever is first, you may not disclose confidential information to third parties. You may disclose confidential information only to your employees and consultants who need to know the information. You must have written agreements with them that protect the confidential information at least as much as this agreement. Survival. Your duty to protect confidential information survives this agreement.
ii.
iii. Exclusions. You may disclose confidential information in response to a judicial or governmental order. You must first give written notice to Microsoft to allow it to seek a protective order or otherwise protect the information. Confidential information does not include information that d. becomes publicly known through no wrongful act; you received from a third party who did not breach confidentiality obligations to Microsoft or its suppliers; or you developed independently.
Term. The term of this agreement for pre-release versions is (i) the date which Microsoft informs you is the end date for using the beta version, or (ii) the commercial release of the final release version of the Licensed Content, whichever is first (beta term). Use. You will cease using all copies of the beta version upon expiration or termination of the beta term, and will destroy all copies of same in the possession or under your control and/or in the possession or under the control of any Trainers who have received copies of the pre-released version. Copies. Microsoft will inform Authorized Learning Centers if they may make copies of the beta version (in either print and/or CD version) and distribute such copies to Students and/or Trainers. If Microsoft allows such distribution, you will follow any additional terms that Microsoft provides to you for such copies and distribution.
e.
f.
5. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.

a. Authorized Learning Centers and Trainers: i. Software.
ii. Virtual Hard Disks. The Licensed Content may contain versions of Microsoft XP, Microsoft Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 2000 Advanced Server and/or other Microsoft products which are provided in Virtual Hard Disks. A. If the Virtual Hard Disks and the labs are launched through the Microsoft Learning Lab Launcher, then these terms apply: Time-Sensitive Software. If the Software is not reset, it will stop running based upon the time indicated on the install of the Virtual Machines (between 30 and 500 days after you install it). You will not receive notice before it stops running. You may not be able to access data used or information saved with the Virtual Machines when it stops running and may be forced to reset these Virtual Machines to their original state. You must remove the Software from the Devices at the end of each Authorized Training Session and reinstall and launch it prior to the beginning of the next Authorized Training Session. B. If the Virtual Hard Disks require a product key to launch, then these terms apply: Microsoft will deactivate the operating system associated with each Virtual Hard Disk. Before installing any Virtual Hard Disks on classroom Devices for use during an Authorized Training Session, you will obtain from Microsoft a product key for the operating system software for the Virtual Hard Disks and will activate such Software with Microsoft using such product key. C. These terms apply to all Virtual Machines and Virtual Hard Disks: You may only use the Virtual Machines and Virtual Hard Disks if you comply with the terms and conditions of this agreement and the following security requirements: o o You may not install Virtual Machines and Virtual Hard Disks on portable Devices or Devices that are accessible to other networks. You must remove Virtual Machines and Virtual Hard Disks from all classroom Devices at the end of each Authorized Training Session, except those held at Microsoft Certified Partners for Learning Solutions locations.
o o o o o
You must remove the differencing drive portions of the Virtual Hard Disks from all classroom Devices at the end of each Authorized Training Session at Microsoft Certified Partners for Learning Solutions locations. You will ensure that the Virtual Machines and Virtual Hard Disks are not copied or downloaded from Devices on which you installed them. You will strictly comply with all Microsoft instructions relating to installation, use, activation and deactivation, and security of Virtual Machines and Virtual Hard Disks. You may not modify the Virtual Machines and Virtual Hard Disks or any contents thereof. You may not reproduce or redistribute the Virtual Machines or Virtual Hard Disks.
ii. Classroom Setup Guide. You will assure any Licensed Content installed for use during an Authorized Training Session will be done in accordance with the classroom set-up guide for the Course.
iii. Media Elements and Templates. You may allow Trainers and Students to use images, clip art, animations, sounds, music, shapes, video clips and templates provided with the Licensed Content solely in an Authorized Training Session. If Trainers have their own copy of the Licensed Content, they may use Media Elements for their personal training use. iv. iv Evaluation Software. Any Software that is included in the Student Content designated as Evaluation Software may be used by Students solely for their personal training outside of the Authorized Training Session.
b. Trainers Only:
i. Use of PowerPoint Slide Deck Templates . The Trainer Content may include Microsoft PowerPoint slide decks. Trainers may use, copy and modify the PowerPoint slide decks only for providing an Authorized Training Session. If you elect to exercise the foregoing, you will agree or ensure Trainer agrees: (a) that modification of the slide decks will not constitute creation of obscene or scandalous works, as defined by federal law at the time the work is created; and (b) to comply with all other terms and conditions of this agreement.
ii. Use of Instructional Components in Trainer Content. For each Authorized Training Session, Trainers may customize and reproduce, in accordance with the MCT Agreement, those portions of the Licensed Content that are logically associated with instruction of the Authorized Training Session. If you elect to exercise the foregoing rights, you agree or ensure the Trainer agrees: (a) that any of these customizations or reproductions will only be used for providing an Authorized Training Session and (b) to comply with all other terms and conditions of this agreement. iii. Academic Materials. If the Licensed Content contains Academic Materials, you may copy and use the Academic Materials. You may not make any modifications to the Academic Materials and you may not print any book (either electronic or print version) in its entirety. If you reproduce any Academic Materials, you agree that:
The use of the Academic Materials will be only for your personal reference or training use You will not republish or post the Academic Materials on any network computer or broadcast in any media; You will include the Academic Materials original copyright notice, or a copyright notice to Microsofts benefit in the format provided below: Form of Notice: 2010 Reprinted for personal reference use only with permission by Microsoft Corporation. All rights reserved. Microsoft, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the US and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.
6. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed Content. It may change or cancel them at any time. You may not use these services in any way that could harm them or impair anyone elses use of them. You may not use the services to try to gain unauthorized access to any service, data, account or network by any means. 7. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only allow you to use it in certain ways. You may not
install more copies of the Licensed Content on classroom Devices than the number of Students and the Trainer in the Authorized Training Session; allow more classroom Devices to access the server than the number of Students enrolled in and the Trainer delivering the Authorized Training Session if the Licensed Content is installed on a network server; copy or reproduce the Licensed Content to any server or location for further reproduction or distribution; disclose the results of any benchmark tests of the Licensed Content to any third party without Microsofts prior written approval; work around any technical limitations in the Licensed Content; reverse engineer, decompile or disassemble the Licensed Content, except and only to the extent that applicable law expressly permits, despite this limitation; make more copies of the Licensed Content than specified in this agreement or allowed by applicable law, despite this limitation; publish the Licensed Content for others to copy; transfer the Licensed Content, in whole or in part, to a third party; access or use any Licensed Content for which you (i) are not providing a Course and/or (ii) have not been authorized by Microsoft to access and use; rent, lease or lend the Licensed Content; or use the Licensed Content for commercial hosting services or general business purposes. Rights to access the server software that may be included with the Licensed Content, including the Virtual Hard Disks does not give you any right to implement Microsoft patents or other Microsoft intellectual property in software or devices that may access the server.
8. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the Licensed Content. These laws include restrictions on destinations, end users and end use. For additional information, see www.microsoft.com/exporting. 9. NOT FOR RESALE SOFTWARE/LICENSED CONTENT. You may not sell software or Licensed Content marked as NFR or Not for Resale. 10. ACADEMIC EDITION. You must be a Qualified Educational User to use Licensed Content marked as Academic Edition or AE. If you do not know whether you are a Qualified Educational User, visit www.microsoft.com/education or contact the Microsoft affiliate serving your country. 11. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail to comply with the terms and conditions of these license terms. In the event your status as an Authorized Learning Center or Trainer a) expires, b) is voluntarily terminated by you, and/or c) is terminated by Microsoft, this agreement shall automatically terminate. Upon any termination of this agreement, you must destroy all copies of the Licensed Content and all of its component parts. 12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-based services and support services that you use, are the entire agreement for the Licensed Content and support services. 13. APPLICABLE LAW. a. United States. If you acquired the Licensed Content in the United States, Washington state law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort. b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that country apply. 14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. You may also have rights with respect to the party from whom you acquired the Licensed Content. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.
15. DISCLAIMER OF WARRANTY. The Licensed Content is licensed as-is. You bear the risk of using it. Microsoft gives no express warranties, guarantees or conditions. You may have additional consumer rights under your local laws which this agreement cannot change. To the extent permitted under your local laws, Microsoft excludes the implied warranties of merchantability, fitness for a particular purpose and noninfringement. 16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.
This limitation applies to anything related to the Licensed Content, software, services, content (including code) on third party Internet sites, or third party programs; and claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages. Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French. Remarque : Ce le contenu sous licence tant distribu au Qubec, Canada, certaines des clauses dans ce contrat sont fournies ci-dessous en franais. EXONRATION DE GARANTIE. Le contenu sous licence vis par une licence est offert tel quel . Toute utilisation de ce contenu sous licence est votre seule risque et pril. Microsoft naccorde aucune autre garantie expresse. Vous pouv ez bnficier de droits additionnels en vertu du droit local sur la protection dues consommateurs, que ce contrat ne peut modifier. La ou elles sont permises par le droit locale, les garanties implicites de qualit marchande, dadquation un usage partic ulier et dabsence de contrefaon sont exclues. LIMITATION DES DOMMAGES-INTRTS ET EXCLUSION DE RESPONSABILIT POUR LES DOMMAGES. Vous pouvez obtenir de Microsoft et de ses fournisseurs une indemnisation en cas de dommages directs uniquement hauteur de 5,00 $ US. Vous ne pouvez prtendre aucune indemnisation pour les autres dommages, y compris les dommages spciaux, indirects ou accessoires et pertes de bnfices. Cette limitation concerne: tout ce qui est reli au le contenu sous licence , aux services ou au contenu (y compris le code) figurant sur des sites Internet tiers ou dans des programmes tiers ; et les rclamations au titre de violation de contrat ou de garantie, ou au titre de responsabilit stricte, de ngligence ou dune autre faute dans la limite autorise par la loi en vigueur.
Elle sapplique galement, mme si Microsoft connaissait ou devrait connatre lventualit dun tel dommage. Si votre pays nautorise pas lexclusion ou la limitation de responsabilit pour les dommages indirects , accessoires ou de quelque nature que ce soit, il se peut que la limitation ou lexclusion ci-dessus ne sappliquera pas votre gard. EFFET JURIDIQUE. Le prsent contrat dcrit certains droits juridiques. Vous pourriez avoir dautres droits prvus par les lois de votre pays. Le prsent contrat ne modifie pas les droits que vous confrent les lois de votre pays si celles-ci ne le permettent pas.
ix
Acknowledgements
Microsoft Learning would like to acknowledge and thank the following for their contribution towards developing this title. Their effort at various stages in the development has ensured that you have a good classroom experience.
Siegfried Jagott Content Developer

Siegfried Jagott is a Principal Consultant and Team Lead for the Messaging and Collaboration team in Siemens IT Solutions located in Munich, Germany. He has planned, designed, and implemented some of the worlds largest Windows and Exchange Server infrastructures for international customers. Additionally, he hosted a monthly column for Windows IT Magazine called Exchange & Outlook UPDATE: Outlook Perspectives. He writes for international magazines and lectures about Windows and Exchange Server-related topics. He received an MBA from Open University in England, and is a Microsoft Certified Systems Engineer (MCSE) since 1997.
Stan Reimer Content Developer

Stan Reimer is president of S. R. Technical Services Inc, and he works as a consultant, trainer and author. Stan has extensive experience consulting on Active Directory and Exchange Server deployments for some of the largest companies in Canada. Stan is the lead author for two Active Directory books for Microsoft Press, and is currently working on an Exchange Server 2010 Best Practices book, also for Microsoft Press. For the last six years, Stan has been writing courseware for Microsoft Learning, specializing in Active Directory and Exchange Server courses. Stan has been an MCT for 11 years.
Joel Stidley - Content Developer

Joel Stidley is a MCITP, MCSE, MCTS, and a Microsoft Exchange MVP with over 13 years of IT experience. Currently, he is a principal systems architect at Terremark Worldwide, Inc., where he works with a variety of directory, storage, virtualization, and messaging technologies. Joel has authored several books and courses on Microsoft Technologies including Windows PowerShell, Microsoft Exchange Server and Windows Server 2008. He also manages an Exchange Server blog and forum site.
Damir Dizdarevic - Technical Reviewer

Damir Dizdarevic is a manager of the Learning Center at Logosoft d.o.o. (Sarajevo, Bosnia and Herzegovina) and an MCT. He has worked as a subject matter expert and technical reviewer on several MOC courses, and has published more than 350 articles in various IT magazines such as Windows ITPro. He is an MVP for Windows Server Infrastructure Management, and an MCSE, MCTS, and MCITP (Windows Server 2008 and Exchange Server 2007). He specializes in Windows Server and Exchange Server.
xi
Contents
Module 1: Deploying Microsoft Exchange Server 2010
Lesson 1: Overview of Exchange Server 2010 requirements Lesson 2: Installing Exchange Server 2010 Server Roles Lab A: Installing Exchange Server 2010 Lesson 3: Completing an Exchange Server 2010 Installation Lab B: Verifying an Exchange Server 2010 Installation 1-4 1-16 1-32 1-37 1-46
Module 2: Configuring Mailbox Servers

Lesson 1: Overview of Exchange Server 2010 Administrative Tools Lesson 2: Configuring Mailbox Server Roles Lesson 3: Configuring Public Folders Lab: Configuring Mailbox Servers 2-3 2-13 2-32 2-40
Module 3: Managing Recipient Objects

Lesson 1: Managing Mailboxes Lesson 2: Managing Other Recipients Lesson 3: Configuring E-mail Address Policies Lesson 4: Configuring Address Lists Lesson 5: Performing Bulk Recipient Management Tasks Lab: Managing Exchange Recipients 3-3 3-19 3-26 3-31 3-37 3-41
Module 4: Managing Client Access

Lesson 1: Configuring the Client Access Server Role Lesson 2: Configuring Client Access Services for Outlook Clients Lab A: Configuring Client Access Servers for Outlook Anywhere Access Lesson 3: Configuring Outlook Web App Lesson 4: Configuring Mobile Messaging Lab B: Configuring Client Access Servers for Outlook Web App and Exchange ActiveSync 4-3 4-18 4-37 4-43 4-53 4-61
Module 5: Managing Message Transport

Lesson 1: Overview of Message Transport Lesson 2: Configuring Message Transport Lab: Managing Message Transport 5-3 5-16 5-32
Module 6: Implementing Messaging Security

Lesson 1: Deploying Edge Transport Servers Lesson 2: Deploying an Antivirus Solution Lab A: Configuring Edge Transport Servers and Forefront Protection 2010 6-3 6-19 6-27
xii
Lesson 3: Configuring an Anti-Spam Solution Lesson 4: Configuring Secure SMTP Messaging Lab B: Implementing Anti-Spam Solutions
6-31 6-44 6-57
Module 7: Implementing High Availability

Lesson 1: Overview of High Availability Options Lesson 2: Configuring Highly Available Mailbox Databases Lesson 3: Deploying Highly Available Non-Mailbox Servers Lab: Implementing High Availability 7-3 7-8 7-21 7-26
Module 8: Implementing Backup and Recovery

Lesson 1: Planning Backup and Recovery Lesson 2: Backing Up Exchange Server 2010 Lesson 3: Restoring Exchange Server 2010 Lab: Implementing Backup and Recovery 8-3 8-14 8-25 8-37
Module 9: Configuring Messaging Policy and Compliance

Lesson 1: Introducing Messaging Policy and Compliance Lesson 2: Configuring Transport Rules Lesson 3: Configuring Journaling and Multi-Mailbox Search Lab A: Configuring Transport Rules and Journal Rules and Multi-Mailbox Search Lesson 4: Configuring Messaging Records Management Lesson 5: Configuring Personal Archives Lab B: Configuring Messaging Records Management and Personal Archives 9-3 9-7 9-27 9-37 9-43 9-56 9-62
Module 10: Securing Microsoft Exchange Server 2010

Lesson 1: Configuring Role Based Access Control Lesson 2: Configuring Security for Server Roles in Exchange Server 2010 Lesson 3: Configuring Secure Internet Access Lab: Securing Exchange Server 2010 10-3 10-20 10-24 10-38
Module 11: Maintaining Microsoft Exchange Server 2010

Lesson 1: Monitoring Exchange Server 2010 Lesson 2: Maintaining Exchange Server 2010 Lesson 3: Troubleshooting Exchange Server 2010 Lab: Maintaining Exchange Sever 2010 11-3 11-13 11-20 11-26
Module 12: Upgrading from Exchange Server 2003 or Exchange Server 2007 to Exchange Server 2010
Lesson 1: Overview of Upgrading to Exchange Server 2010 Overview 12-3
xiii
Lesson 2: Upgrading from Exchange Server 2003 to Exchange Server 2010 Lesson 3: Upgrading from Exchange Server 2007 to Exchange Server 2010
12-10 12-27
Appendix A: Implementing Unified Messaging

Lesson 1: Overview of Telephony Lesson 2: Introducing Unified Messaging Lesson 3: Configuring Unified Messaging Lab: Implementing Unified Messaging A-3 A-13 A-28 A-39
Appendix B: Advanced Topics in Exchange Server 2010

Lesson 1: Deploying Highly Available Solutions for Multiple Sites Lesson 2: Implementing Federated Sharing B-3 B-9
Lab Answer Keys Appendix
xiv
About This Course
xiii
About This Course

This section provides you with a brief description of the course, audience, suggested prerequisites, and course objectives.
Course Description
This course will provide you with the knowledge and skills to configure and manage a Microsoft Exchange Server 2010 messaging environment. This course will teach you how to configure Exchange Server 2010, as well as provide guidelines, best practices, and considerations that will help you optimize your Exchange server deployment.
Audience
This course is intended for people aspiring to be enterprise-level messaging administrators. Others who may take this course include IT generalists and help desk professionals who want to learn about Exchange Server 2010. People coming into the course are expected to have at least 3 years experience working in the IT fieldtypically in the areas of network administration, help desk, or system administration. They are not expected to have experience with previous Exchange Server versions.
Student Prerequisites
This course requires that you meet the following prerequisites: Experience managing Windows Server 2003 or Microsoft Window Server 2008 operating systems. Experience with Active Directory directory services or Active Directory Domain Services (AD DS). Fundamental knowledge of network technologies including Domain Name System (DNS) and firewall technologies. Experience managing backup and restore on Windows Servers. Experience using Windows management and monitoring tools such as Microsoft Management Console, Active Directory Users and Computers, Performance Monitor, Event Viewer, and Internet Information Services (IIS) Administrator.
xiv
About This Course
Experience using Windows networking and troubleshooting tools such as Network Monitor, Telnet, and NSLookup. Fundamental knowledge of certificates and Public Key Infractructur (PKI).
Course Objectives
After completing this course, students will be able to: Install and deploy Exchange Server 2010. Configure Mailbox servers and mailbox server components. Manage recipient objects. Configure the Client Access server role. Manage message transport. Configure the secure flow of messages between the Exchange Server organization and the Internet. Implement a high availability solution for Mailbox servers and other server roles. Plan and implement backup and restore for the server roles. Plan and configure messaging policy and compliance. Configure Exchange Server permissions and security for internal and external access. Monitor and maintain the messaging system. Transition an Exchange Server 2003 or Exchange Server 2007 organization to Exchange Server 2010. Configure the Unified Messaging Server role and Unified Messaging components. Implement high availability across multiple sites and implement Federated Sharing.
Course Outline
This section provides an outline of the course: Module 1, Deploying Microsoft Exchange Server 2010 describes how to prepare for, and perform, an installation of Exchange Server 2010. This module also provides details on the Exchange Server 2010 deployment. Module 2, Configuring Mailbox Servers describes the Exchange Management Console and Exchange Management Shell management tools. This module also describes the Mailbox server role, some of the new Exchange Server 2010 features, and the most common Mailbox server role post-installation tasks. The module concludes with a discussion about public-folder configuration and usage. Module 3, Managing Recipient Objects describes how you can manage recipient objects, address policies, and address lists in Exchange Server 2010, and the procedures for performing bulk management tasks in Exchange Management Shell. Module 4, Managing Client Access describes how to implement the Client Access server role in Exchange Server 2010. Module 5, Managing Message Transport describes how to manage message transport in Exchange Server 2010, which includes topics such as components of message transport, how Exchange Server 2010 routes messages, and how you can troubleshoot message-transport issues. Additionally, this module provides details on deploying the Exchange Server 2010 Hub Transport server.
About This Course
xv
Module 6, Implementing Messaging Security describes how to plan for and deploy an Exchange Server 2010 Edge Transport server role, and the security issues related to the deployment. Additionally, it describes how to configure secure Simple Mail Transfer Protocol (SMTP) messaging as well as Domain Security. Module 7, Implementing High Availability describes the high-availability technology built into Exchange Server 2010 and some of the outside factors that affect highly available solutions. This module provides details about how to deploy highly available mailbox databases as well as other Exchange Server 2010 server roles. Module 8, Implementing Backup and Recovery describes the Exchange Server 2010 backup and restore features, and what you should consider when creating a backup plan. Module 9, Configuring Messaging Policy and Compliance describes how to configure the Exchange Server 2010 messaging policy and compliance features. Module 10, Securing Microsoft Exchange Server 2010 describes how to secure your Exchange Server deployment by configuring administrative permissions and securing the Exchange Server configuration. Module 11, Maintaining Microsoft Exchange Server 2010 describes how to monitor and maintain your Exchange Server environment. Additionally, it also describes troubleshooting techniques for fixing problems that may arise. Module 12, Transitioning from Exchange Server 2003 or Exchange Server 2007 to Exchange Server 2010 describes the options that organizations have when they choose to implement Exchange Server 2010. Additionally, it describes how to transition an existing Exchange Server 2003 or Exchange Server 2007 organization to Exchange Server 2010. Appendix A, Implementing Unified Messaging describes how Unified Messaging works with your telephony system and Exchange Server environment, and how to configure Unified Messaging. Appendix B, Advanced Topics in Exchange Server 2010 describes how to deploy two advanced Exchange Server features: highly available Exchange Server across multiple data centers and Federated Sharing.
xvi
About This Course
Course Materials
The following materials are included with your kit: Course Handbook A succinct classroom learning guide that provides all the critical technical information in a crisp, tightly-focused format, which is just right for an effective in-class learning experience. Lessons: Guide you through the learning objectives and provide the key points that are critical to the success of the in-class learning experience. Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned in the module. Module Reviews and Takeaways: Provide improved on-the-job reference material to boost knowledge and skills retention. Lab Answer Keys: Provide step-by-step lab solution guidance at your finger tips when its needed.
Course Companion Content on the http://www.microsoft.com/learning/companionmoc/ Site: Searchable, easy-to-navigate digital content with integrated premium on-line resources designed to supplement the Course Handbook. Modules: Include companion content, such as questions and answers, detailed demo steps and additional reading links, for each lesson. Additionally, they include Lab Review questions and answers and Module Reviews and Takeaways sections, which contain the review questions and answers, best practices, common issues and troubleshooting tips with answers, and real-world issues and scenarios with answers. Resources: Include well-categorized additional resources that give you immediate access to the most up-to-date premium content on TechNet, MSDN, Microsoft Press
Student Course files on the http://www.microsoft.com/learning/companionmoc/ Site: Includes the Allfiles.exe, a self-extracting executable file that contains all the files required for the labs and demonstrations. Course evaluation At the end of the course, you will have the opportunity to complete an online evaluation to provide feedback on the course, training facility, and instructor. To provide additional comments or feedback on the course, send e-mail to support@mscourseware.com. To inquire about the Microsoft Certification Program, send e-mail to mcphelp@microsoft.com.
About This Course
xvii
Virtual Machine Environment

This section provides the information for setting up the classroom environment to support the business scenario of the course.
Virtual Machine Configuration

In this course, you will use Microsoft Virtual Server 2005 R2 with SP1 to perform the labs.
Important: At the end of each lab, you must revert the virtual machine back to the state the virtual machine was in before the lab started. To revert a virtual machine, perform the following steps: 1. In Hyper-V Manager, right click the virtual machine name and click Revert. 2. In the Revert dialog box, click Yes.
The following table shows the role of each virtual machine used in this course: Virtual machine 10135A-NYC-DC1 10135A-NYC-SVR1 10135A-NYC-SVR2 10135A-VAN-DC1 10135A-VAN-EX1 10135A-VAN-EX2 10135A-VAN-EX3 10135A-VAN-EDG 10135A-VAN-CL1 10135A-VAN-TMG 10135A-VAN-Exchange Server 2003 10135A-VAN-SVR1 Role Domain controller in the Contoso.com domain Member server in the Contoso.com domain Member server in the Contoso.com domain Domain controller in the Adatum.com domain Exchange 2010 server in the Adatum.com domain Exchange 2010 server in the Adatum.com domain Exchange 2010 server in the Adatum.com domain Exchange 2010 Edge Transport server Client computer in the Adatum.com domain Microsoft Forefront Threat Management Gateway server in the Adatum.com domain Exchange 2010 server in the Adatum.com domain Standalone server
Software Configuration
The following software is installed on each VM: Windows Server 2008 R2, Release Candidate build Windows 7, Release Candidate build Exchange Server 2010, Release Candidate build Microsoft Office 2007, Service Pack 2 Microsoft Forefront Threat Management Gateway, Beta 3
xviii
About This Course
Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way. All of the aforementioned virtual machines are deployed in each student computer.
Course Hardware Level

To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which Official Microsoft Learning Product courseware are taught. Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) processor Dual 120 GB hard disks 7200 RM SATA or better* 8 GB RAM DVD drive Network adapter Super VGA (SVGA) 17-inch monitor Microsoft Mouse or compatible pointing device Sound card with amplified speakers
*Striped In addition, the instructor computer must be connected to a projection display device that supports SVGA 1024 x 768 pixels, 16-bit colors.
Deploying Microsoft Exchange Server 2010
1-1
Module 1
Contents:
Lesson 1: Overview of Exchange Server 2010 requirements Lesson 2: Installing Exchange Server 2010 Server Roles Lab A: Installing Exchange Server 2010 Lesson 3: Completing an Exchange Server 2010 Installation Lab B: Verifying an Exchange Server 2010 Installation 1-3 1-16 1-32 1-37 1-46
1-2
Module Overview
This module describes how to prepare for, and perform, an installation of Microsoft Exchange Server 2010. The most important task in preparing for an Exchange Server 2010 installation is to ensure that the Active Directory directory services environment is ready. Exchange Server 2010 requires an Active Directory deployment because Active Directory stores all configuration and recipient information that Exchange Server uses. This module also provides details on the Exchange Server 2010 deployment. To install Exchange Server 2010 properly for your environment, you must be aware of the server roles that Exchange Server can install. Additionally, you should be aware of the infrastructure, hardware, and software requirements for introducing Exchange Server 2010 into a messaging environment. Finally, you should know how to verify, troubleshoot, and secure the installation. After completing this module, you will be able to: Describe the infrastructure requirements to install Exchange Server 2010. Install Exchange Server 2010 server roles. Complete an Exchange Server 2010 installation.
1-3
Lesson 1
Overview of Exchange Server 2010 Requirements
In this lesson, you will review the requirements for installing Exchange Server 2010. The most important requirement is the Active Directory deployment, but you also must ensure that you implement the appropriate Domain Name System (DNS) infrastructure. You also should be aware of the Exchange Server 2010 infrastructure requirements when you perform an installation, and when you need to troubleshoot deployment issues. After completing this lesson, you will be able to: Describe the Active Directory components. Describe the Active Directory partitions. Describe how Exchange Server 2010 uses Active Directory. Describe the DNS requirements for Exchange Server 2010. Prepare Active Directory for Exchange Server 2010. Describe the integration of Active Directory and Exchange Server 2010.
1-4
Discussion: Reviewing Active Directory Components
Key Points
Active Directory is the integrated, distributed directory service that is included with the Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, and Windows 2000 Server operating systems. Many applications, such as Exchange Server 2010, integrate with Active Directory. This creates a link between user accounts and applications, which enables single sign-on for applications. Additionally, the Active Directory replication capabilities enable distributed applications to replicate applicationconfiguration data.
Discussion Questions
Based on your experience, consider the following questions: Question: What is the definition of a domain? Question: What is the definition of a forest? Question: Under what circumstances would an organization deploy multiple domains in the same forest? Question: Under what circumstances might an organization deploy multiple forests? Question: What are trusts? Question: What type of information do domains in a forest share? Question: What is the functionality of a domain controller? Question: What is a global catalog server? Question: What is the definition of an Active Directory site?
1-5
Question: What is Active Directory replication? Question: How do Active Directory sites affect replication?
1-6
Reviewing Active Directory Partitions
Key Points
Active Directory information falls into four types of partitions: domain, configuration, schema, and application. These directory partitions are the replication units in Active Directory.
Domain Partition
A domain partition contains all objects in the domains directory. Domain objects replicate to every domain controller in that domain, and include user and computer accounts, and groups. A subset of the domain partition replicates to all domain controllers in the forest that are global catalog servers. If you configure a domain controller as a global catalog server, it holds a complete copy of its own domains objects and a subset of attributes for every domains objects in the forest.
Configuration Partition
The configuration partition contains configuration information for Active Directory and applications, including Active Directory site and site link information. Additionally, some distributed applications and services store information in the configuration partition. This information replicates through the entire forest so each domain controller has a replica of the configuration partition.
Schema Partition
The schema partition contains definition information for all object types and their attributes that you can create in Active Directory. This data is common to all domains in the forest, and Active Directory replicates it to all domain controllers in the forest. However, only one domain controller maintains a writable copy of the schema. By default, this domain controller, known as the Schema Master, is the first domain controller installed in an Active Directory forest.
Application Partitions
An administrator or an application during installation creates application partitions manually. Application partitions hold specific application data that the application requires. The main benefit of application
1-7
partitions is replication flexibility. You can specify the domain controllers that hold a replica of an application partition, and these domain controllers can include a subset of domain controllers throughout the forest. Exchange Server 2010 does not use application partitions to store information.
1-8
How Exchange Server 2010 Uses Active Directory
Key Points
To ensure proper placement of Active Directory components in relation to computers running Exchange Server, you must understand how Exchange Server 2010 communicates with Active Directory Domain Services (AD DS) and uses Active Directory information to function. Note: The Exchange Server 2010 Edge Transport server role does not use Active Directory to store configuration information. Instead, the Edge Transport server role uses Active Directory Lightweight Directory Services (AD LDS). For more details, see Module 6, Implementing Messaging Security.
Forests
An Exchange Server organization and an Active Directory forest have a one-to-one relationship. You cannot have an Exchange Server organization that spans multiple Active Directory forests. You also cannot have multiple Exchange Server organizations within a single Active Directory forest.
Schema Partition
The Exchange Server 2010 installation process modifies the schema partition to enable the creation of Exchange Server-specific objects. The installation process also adds Exchange Server-specific attributes to existing objects.
Configuration Partition
The configuration partition stores configuration information for the Exchange Server 2010 organization. Because Active Directory replicates the configuration partition among all domain controllers in the forest, configuration of the Exchange Server 2010 organization replicates throughout the forest.
1-9
Domain Partition
The domain partition holds information about recipient objects. This includes mailbox-enabled users, and mail-enabled users, groups, and contacts. Objects that are mailbox-enabled or mail-enabled have preconfigured attributes, such as e-mail addresses.
Global Catalog
When you install Exchange Server 2010, the e-mail attributes for mail-enabled and mailbox-enabled objects replicate to the global catalog. The following is true: The global address list is generated from the recipients list in an Active Directory forests global catalog. Exchange Hub Transport servers access the global catalog to find the location of a recipient mailbox when delivering messages. Exchange Client Access servers access the global catalog server to locate the user Mailbox server and to display the global address list to Microsoft Office Outlook, Microsoft Outlook Web App, or Exchange ActiveSync clients. Important: Because of the importance of the global catalog in an Exchange Server organization, you must deploy at least one global catalog in each Active Directory site that contains an Exchange 2010 server. You must deploy enough global catalog servers to ensure adequate performance.
Note: Windows Server 2008 provides a new type of domain controllera read-only domain controller (RODC). Exchange Server 2010 does not use RODCs or RODCs that you configure as global catalog servers (ROGC). This means that you should not deploy an Exchange 2010 server in any site that contains only RODCs or ROGCs.
1-10
Reviewing DNS Requirements for Exchange Server 2010
Key Points
Each computer running Exchange Server must use DNS to locate Active Directory and global catalog servers. As a site-aware application, Exchange Server 2010 prefers to communicate with directory servers that are located in the same site as the computer running Exchange Server.
Role of DNS
Exchange Server services use DNS to locate a valid domain controller or global catalog. By default, each time a domain controller starts the Netlogon service, it updates DNS with service (SRV) records that describe it as a domain controller and global catalog server, if applicable.
SRV Resource Records

SRV resource records are DNS records. These records identify servers that provide specific services on the network. For example, an SRV resource record can contain information to help clients locate a domain controller in a specific domain or site. All SRV resource records use a standard format, which consists of several fields. These fields contain information that AD DS uses to map a service back to the computer that provides the service. SRV resource records use the following format:
_Service_.Protocol.Name Ttl Class SRV Priority Weight Port Target
The SRV records for domain controllers and global catalog servers are registered with several different variations to allow locating domain controllers and global catalog servers in several different ways. One option is to register DNS records by site name, which enables computers running Exchange Server to find domain controllers and global catalog servers in the local Active Directory site. Exchange Server always performs DNS resource queries for the local Active Directory site first.
1-11
Host Records
Host records provide a host name to IP address mapping. Host records are required for each domain controller and other hosts that need to be accessible to Exchange Servers or client computers. Host records can use IPv4 (A records) or IPv6 (AAAA records).
MX Records
A Mail Exchanger (MX) record is a resource record that allows servers to locate other servers to deliver Internet e-mail using the Simple Mail Transfer Protocol (SMTP). An MX record identifies the SMTP server that will accept inbound messages for a specific DNS domain. Each MX record contains a host name and a preference value. When you deploy multiple SMTP servers that are accessible from the Internet, you can assign equal preference values to each MX record to enable load balancing between the SMTP servers. You also can specify a lower preference value for one of the MX records. All messages are routed through the SMTP server that has the lower preference-value MX record, unless that server is not available. Note: In addition to SRV, Host, and MX records, you also may need to configure Sender Policy Framework (SPF) records to support Sender ID spam filtering. Module 6 provides more information on SPF records. Additionally, some organizations use reverse lookups as an option for spam filtering, so you should consider adding reverse lookup records for all SMTP servers that send your organizations e-mail.
1-12
Preparing Active Directory for Exchange Server 2010
Key Points
To install Exchange Server 2010, you need to run the Exchange Server 2010 setup command for preparing the Active Directory forest for the installation. You can use the setup command with the following switches. Setup switch /PrepareAD /OrganizationName: organizationname Explanation
Prepares the global Exchange Server objects in Active Directory, creates

the Exchange Universal Security Groups in the root domain, and prepares the current domain Must be run by a member of the Enterprise Admins group
/PrepareLegacy ExchangePermissions
Necessary if the organization contains Exchange Server 2003 servers Modifies the permissions assigned to the Enterprise Exchange Servers
group to allow the Recipient Update Service to run Must be run by a member of the Enterprise Admins group
/PrepareSchema
Prepares the schema for the Exchange Server 2010 installation Must be run by a member of the Enterprise Admins and Schema
Admins groups
/PrepareDomain /PrepareDomain domainname /PrepareAllDomains
Prepares the domain for Exchange Server 2010 by creating a new

global group in the Microsoft Exchange System Objects container called Exchange Install Domain Servers Not required in the domain where /PrepareAD is run Can prepare specific domains by adding the domains fully qualified domain name (FQDN), or prepare all domains in the forest Must be run by a member of the Enterprise Admins and Domain Admins groups
1-13
Important: You must prepare the Active Directory forest in the same domain and the same site as the domain controller that hosts the Schema Master role.
Options for Preparing Active Directory

You have the following options when you prepare Active Directory for Exchange Server 2010: In an organization that is not running an earlier Exchange Server version, and which has a single domain in the Active Directory forest, you do not need to prepare Active Directory before installing the first Exchange server. In this scenario, you can just install Exchange Server 2010, and all of the Active Directory schema changes are implemented during the install. If the user account that you are using to update the schema is a member of the Schema Admins and the Enterprise Admins group, you do not need to run /PrepareLegacyExchangePermissions and /PrepareSchema before running /PrepareAD. If your account has the right permissions, the /PrepareAD process also configures the legacy permissions and makes the required schema changes.
1-14
Demonstration: Integration of Active Directory and Exchange Server 2010
Key Points
In this demonstration, you will review the integration of Active Directory and Exchange Server 2010.
Demonstration Steps
1. 2. 3. On a domain controller, open Active Directory Users and Computers. In the Active Directory domain, expand the Microsoft Exchange Security Groups organizational unit. Review the description and membership of the following Active Directory groups: 4. 5. 6. Organization Management Recipient Management View-Only Organization Management Discovery Management
Open ADSI Edit, and connect to the domain partition. Review the information in the domain partition. Connect to the configuration partition. Review the information in the configuration partition, and in the CN=Services, CN=Microsoft Exchange, CN=Exchangeorganizationname container. Connect to the schema partition. Review the information in the schema partition, and point out the attributes and class objects that begin with ms-Exch.
Question: How do you assign permissions in your Exchange organization? How will you assign permissions using the Exchange security groups?
1-15
Question: Which Active Directory partition would you expect to contain the following information? Users e-mail address Exchange connector for sending e-mail to the Internet Exchange Server configuration
1-16
Lesson 2
Installing Exchange Server 2010 Server Roles
Before you install Exchange Server 2010, you need to understand the concept of Exchange Server 2010 server roles. Each server role provides a specific set of functionality that an Exchange Server organization requires. When you install Exchange Server 2010, you can install all server roles on the same computer, except for the Edge Transport server role. Alternately, you can distribute the roles across multiple computers. After you decide which server role to deploy in each Exchange server, you must ensure that the network infrastructure and servers are ready for the Exchange Server 2010 installation. After completing this lesson, you will be able to: Describe the server roles included in Exchange Server 2010. Describe the options for deploying Exchange Server 2010. Describe the hardware recommendations for combining server roles in Exchange Server 2010. Describe the options for integrating Exchange Server 2010 and Exchange Online Services. Describe the infrastructure requirements for installing Exchange Server 2010. Describe the server requirements for installing Exchange Server 2010. Describe the considerations for deploying Exchange Server 2010 servers as virtual machines. Describe the process for installing Exchange Server 2010. Describe the options for performing an unattended installation.
1-17
Overview of Server Roles in Exchange Server 2010
Key Points
Exchange Server 2010 provides functionality that falls into five separate server roles. When you install Exchange Server 2010, you can select one or more of these roles for installation on the server. Large organizations might deploy several servers with each role, whereas a small organization might combine all server roles except the Edge Transport server role on one computer. Important: Exchange Server 2010 server roles are a logical grouping of features and components that perform a specific function in the messaging environment. You can install all server roles, except the Edge Transport server role, on the same physical computer.
Exchange Server 2010 Server Roles

The following server roles are included in Exchange Server 2010: Hub Transport server role. The Hub Transport server role is responsible for message routing. The Hub Transport server performs message categorization and routing, and handles all messages that pass through an organization. You must configure at least one Hub Transport server in each Active Directory site that contains a Mailbox server or a Unified Messaging server, and the server running the Hub Transport server role must be a member of an Active Directory domain. Mailbox server role. The Mailbox server role is responsible for managing mailbox and public folder databases. Mailboxes and public folders reside on the Mailbox servers. Mailbox servers contain mailbox and public folder databases. You can enable high availability by adding mailbox servers to a Database Availability Group (DAG). Because Mailbox servers require Active Directory access, you must install this role on a member server in an Active Directory domain. Edge Transport server role. The Edge Transport server role is the Simple Mail Transport Protocol (SMTP) gateway server between your organization and the Internet. To ensure security, you should deploy the computer that runs the Edge Transport server role in a perimeter network, and it should not be a member of your internal Active Directory forest. Because the Edge Transport server is not
1-18
part of an Active Directory domain, it cannot use Active Directory to store configuration information. Instead, it uses AD LDS on Windows Server 2008 computers to access recipient and configuration information. Client Access server role. The Client Access server role enables connections from all available client protocols to the Exchange Server mailboxes. You must assign at least one Client Access server in each Active Directory site that contains a Mailbox server. Client protocols that connect through a Client Access server include: Messaging Application Programming Interface (MAPI) clients Outlook Web App clients Post Office Protocol (POP) and Internet Message Access Protocol (IMAP) clients Outlook Anywhere, which is known as remote procedure call (RPC) over HTTP in Exchange Server 2003 Exchange ActiveSync clients
Note: In previous Exchange Server versions, MAPI clients connect directly to the Mailbox servers. In Exchange Server 2010, all clients, including MAPI clients, connect to the Client Access servers. MAPI clients still connect directly to Mailbox servers when accessing public folders. Unified Messaging server role. The Unified Messaging server role provides the foundation of services that integrate voice and fax messages into your organizations messaging infrastructure. This role requires the presence of three server roles: Hub Transport, Client Access, and Mailbox. The Unified Messaging server provides access to voice messages and faxes.
1-19
Deployment Options for Exchange Server 2010
Key Points
You can deploy the server roles in Exchange Server 2010 in several different scenarios, depending on an organizations size and requirements. If you are an administrator, it is important to understand the deployment scenarios when you plan an Exchange Server system.
Exchange Server 2010 Editions

Exchange Server 2010 is available as Standard Edition and Enterprise Edition. The Standard Edition should meet the messaging needs of small and medium corporations, but also may be suitable for specific server roles or branch offices. The Enterprise Edition is for large enterprise corporations, and enables you to create additional databases apart from including other advanced features. Feature Database Support Database Storage Limit DAG membership Standard Edition Five databases No software storage limit; storage limit is hardware dependent Supported Enterprise Edition 100 databases No software storage limit; storage limit is hardware dependent Supported
Exchange Server 2010 Client Access Licenses

Exchange Server 2010 has two client-access license (CAL) options: Exchange Server Standard CAL. Provides access to e-mail, shared calendaring, Outlook Web App, and ActiveSync. Exchange Server Enterprise CAL. Requires a standard CAL, and provides access to additional features such as unified messaging, per-user and per-distribution-list journaling, managed custom e-mail folders, and Forefront Protection for Exchange Server.
1-20
Deployment Scenarios for a Simple Organization

In a small organization, you can install all the server rolesexcept the Edge Transport server roleon a single computer. Small organizations might also consider using Exchange Online services.
Deployment Scenarios for a Standard Organization

Medium-sized organizations should consider installing the required services and Exchange server roles on multiple computers. A typical deployment scenario for a medium-sized organization may include: Two domain controllers for each domain. Two Exchange servers configured with the Mailbox server role and other server roles, except the Edge Transport server role. Note: In Exchange Server 2007, Mailbox servers that were part of a failover cluster could not run additional Exchange server roles. With Exchange Server 2010, Exchange servers that are part of a DAG also can host other Exchange server roles, except the Edge Transport server role. One Exchange server configured with the Edge Transport server role.
Deployment Scenarios for a Large or Complex Organization

A large or complex organization needs to deploy dedicated servers for each server role, and may have to deploy multiple servers for each role. A typical deployment scenario for a large organization can include: Two domain controllers and global catalog servers for each organizational domain. If the organization includes multiple Active Directory sites, and you are deploying Exchange servers in a site, you should deploy global catalog servers in the site. One or more Exchange servers configured with the Mailbox server role. You can deploy multiple Mailbox servers in each Active Directory site. One or more Exchange servers dedicated to each of the other server roles. You must deploy at least one Hub Transport server and Client Access server in each Active Directory site that includes a Mailbox server. If the organization has a smaller branch office, you can deploy multiple Exchange servers hosting all the server roles except for the Edge Transport server role, and configure the Mailbox servers to be part of a DAG. One or more Exchange servers configured with the Edge Transport server role. Multiple servers provide redundancy and scalability.
1-21
Hardware Recommendations for Combining Server Roles
Key Points
You can install all roles, except the Edge Transport server role, on a single computer. When you design the hardware configuration for servers on which you install multiple server roles, consider the following recommendations: You should plan for at least two processor cores, at a minimum, for a server with multiple server roles. The recommended number of processor cores is eight, while 24 is the maximum recommended number. You should design a server with multiple roles to use half of the available processor cores for the Mailbox role and the other half for the Client Access and Hub Transport roles. You should plan for the following memory configuration for a server with multiple server roles: 8 gigabytes (GB) and between 2 megabytes (MB) and 10 MB per mailbox. This can vary based on the user profile and the number of storage groups. We recommend 64 GB as the maximum amount of memory you need. To accommodate the Client Access and Hub Transport server roles on the same server as the Mailbox server role, you should reduce the number of mailboxes per core calculation, based on the average client profile by 20 percent. You can deploy multiple Exchange server roles on a mailbox server that is a DAG member. This means that you can provide full redundancy for the Mailbox, Hub Transport, and Client Access server roles on just two Exchange servers.
1-22
Options for Integrating Exchange Server 2010 and Exchange Online Services
Key Points
One deployment option available in Exchange Server 2010 is to integrate your messaging system with Exchange Online Services. Exchange Online Services is part of the Business Productivity Online services that Microsoft offers.
Business Productivity Online

The Business Productivity Online is a set of Microsoft-hosted messaging and collaboration solutions, including Microsoft Exchange Online, Microsoft SharePoint Online, Microsoft Office Live Meeting, and Microsoft Office Communications Online. These services are available on a subscription basis.
Exchange Online Services

When you subscribe to Exchange Online Services, you can take advantage of the following features: E-mail and calendar functions. Exchange Online delivers e-mail services, including spam filtering, antivirus protection, and mobile-device synchronization. Through Microsoft Office Outlook 2007 and Outlook Web App, you can use the advanced e-mail, calendar, contact, and task management features of Exchange Online. E-mail coexistence and migration tools. The Business Productivity Online Standard Suite includes email coexistence and migration tools. If you have Active Directory directory services and Microsoft Exchange Server, the Microsoft Online Services Directory Synchronization tool synchronizes your user accounts, contacts, and groups from your local environment to Microsoft Online Services. This tool also makes your Microsoft Exchange Global Address List (GAL) available in Exchange Online.
Exchange Online Services and Exchange Server 2010

Exchange Server 2010 provides additional functionality with Exchange Online Services. With Exchange Server 2010, you can host some of the mailboxes in an internal Exchange organization, which displays as the On-Premise Exchange organization in the Exchange Management Console. Additionally, you can host
1-23
some of your organizations mailboxes on Exchange Online. You can use the Exchange Management Console to move mailboxes to the Exchange Online Services and manage those mailboxes. For more information on Exchange Online Services, refer to the links provided on the CD.
1-24
Infrastructure Requirements for Exchange Server 2010
Key Points
Before you deploy Exchange Server 2010 in your organization, you need to ensure that your organization meets Active Directory and DNS requirements.
Active Directory Requirements

You must meet the following Active Directory requirements before you can install Exchange Server 2010: The domain controller that is the schema master must have Windows Server 2003 Service Pack 1 (SP1) or later, Windows Server 2008, or Windows Server 2008 R2 installed. By default, the schema master runs on the first Windows domain controller installed in a forest. In each of the sites where you deploy Exchange Server 2010, at least one global catalog server must be installed and run Windows Server 2003 SP1 or later, Windows Server 2008, or Windows Server 2008 R2. The Active Directory domain and forest functional levels must run Windows Server 2003, at the minimum.
DNS Requirements
Before you install Exchange Server 2010, you must ensure that your organization meets the following requirements: You must configure DNS correctly in your Active Directory forest. All servers that run Exchange Server 2010 must be able to locate Active Directory domain controllers, global catalog servers, and other Exchange servers.
1-25
Server Requirements for Exchange Server 2010
Key Points
Exchange Server 2010 requires a minimum level of hardware, and specific software, before you can install it.
Hardware Requirements
You can deploy Exchange Server 2010 only on 64-bit versions of Windows Server 2008 or Windows Server 2008 R2 running on 64-bit hardware. Resource Processor Requirement
x64 architecture-based computer with Intel processor that supports Intel 64

architecture (formerly known as Intel EM64T). AMD processor that supports the AMD64 platform. Intel Itanium IA64 processors not supported.
Memory
A minimum of 2 GB of system memory, plus 2 to 6 MB per mailbox. This recommendation is based on the number of mailbox databases and the user-usage profile. 1.2 GB disk space for Exchange Server files and 200 MB of free disk space on the system drive. Drives formatted with NTFS file systemfor all Exchange Serverrelated volumes.
Disk File system
Important: Exchange Server 2010 is available only in 64-bit versions, which means that you can install all components, including the Exchange Management tools, only on 64-bit operating systems.
1-26
Exchange Server 2010 Prerequisite Software

All Exchange Server 2010 servers must have the following software installed: Active Directory Domain Services (AD DS) management tools, which is required on all Exchange Server 2010 servers, except for Edge Transport servers Microsoft .NET Framework 3.5 (SP1) or later Windows Remote Management (WinRM) Windows PowerShell Version 2 Important: The Net.Tcp Port Sharing Service must be configured to start automatically before starting the Exchange server installation.
Server Role Installation Requirements

Each server role in Exchange Server 2010 has slightly different installation requirements. All server roles, except for the Edge Transport server role, require some Web Server components, such as Internet Information Services (IIS).
1-27
Considerations for Deploying Exchange Server 2010 as a Virtual Machine
Key Points
One option with Exchange Server 2010 is to deploy the servers as virtual machines.
Benefits of Using Virtual Machines

Deploying Exchange Server 2010 servers as virtual machines provides the same advantages as deploying other servers as virtual machines. You can deploy all Exchange Server 2010 server roles as virtual machines, except for the Unified Messaging server role. The benefits of deploying Exchange Servers as virtual machines include: Increases hardware utilization and decreases the number of physical servers. In many organizations, the servers deployed in data centers have very low hardware utilization. Deploying Exchange Servers as virtual machines provides server-management options that are not available for physical servers. Because virtual machines are just a set of files, you may have additional management options with virtual machines. For example, to increase a virtual machines hardware level, you can assign more of the host resources to the virtual machine, or move the virtual machine files to a more powerful host server. Note: Microsoft supports Exchange Server 2010 running as virtual machines for all virtualization vendors that are validated through the Windows Server Virtualization Validation Program. See http://go.microsoft.com/fwlink/?LinkId=179865 for details.
Considerations for Deploying Exchange Server 2010 Servers as Virtual Machines

While running Exchange Server 2010 as a virtual machine provides some benefits, you also should consider the following issues: Exchange servers can be designed to ensure that that the servers fully utilize the available hardware. For example, in a large organization, you can deploy several thousand mailboxes to a Mailbox server
1-28
or deploy a Client Access server with sufficient client connections so that your organization fully utilizes all hardware resources. One of the benefits of running virtual machines is that you can configure high availability within the virtual machine environment. For example, you can deploy Quick Migration in Windows Server 2008 Hyper-V or Live Migration in Windows Server 2008 R2 Hyper-V. However, Microsoft does not support running both DAGs and a virtual machine-based high availability solution. If you require high availability, you should use the Exchange Server 2010 solution. The storage used by the Exchange Server guest machine can be virtual storage of a fixed size, SCSI pass-through storage, or Internet SCSI (iSCSI) storage. Pass-through storage is storage that is configured at the host level and dedicated to one guest machine. To provide the best performance for Exchange server storage, use either pass-through disks or fixed-size virtual disks. Running Exchange servers as virtual machines can complicate performance monitoring. The performance data between the host and virtual machine is not consistent because the virtual machine uses only some part of the hosts resources. One of the most common performance bottlenecks for Mailbox servers is network input/output (I/O). When you run Mailbox servers in a virtual environment, the virtual machines have to share this I/O bandwidth with the host machine and other virtual machine servers deployed on the same host. A heavily utilized Mailbox server can consume all of the available I/O bandwidth, which makes it impractical to host additional virtual machines on the physical server. If you are planning to deploy Exchange Server 2010 as a virtual machine, ensure that you plan the virtual hardware requirements carefully. You must assign the same hardware resources to the Exchange Server virtual machine as you would assign to a physical server running the same workload.
1-29
Process for Installing Exchange Server 2010
Key Points
The Exchange Server 2010 graphical setup program guides you through the installation process. The following steps provide a high-level installation overview: 1. 2. 3. 4. Install the prerequisite software. If you install Exchange Server on Windows Server 2008 R2, the correct versions of Windows PowerShell and Windows Remote Management are installed already. To start the installation, run setup.exe from the installation source. The Setup program checks to ensure that the correct software is installed on the computer. After you finish installing all the required software, you can proceed with the installation of Exchange Server 2010. Exchange Server 2010 provides the option to install additional language packs that will enable the management tools to display in languages other than English. You can choose to install the language packs during the installation. The Installation Type page of the wizard presents you with the option to perform a Typical Exchange Server Installation or a Custom Exchange Server Installation. The typical installation option installs the Hub Transport server role, the Client Access server role, the Mailbox server role, and the Exchange Management tools. The custom installation option allows you to choose the roles you want to install. If this is the first Exchange Server 2010 server in the deployment, and you do not run setup /PrepareAD, you are prompted for the Exchange organization name. If you chose the Mailbox server role, the Exchange Setup program prompts you if you have any Office Outlook 2003 or Entourage clients in the organization. If you choose Yes, Exchange Setup creates the public folders required by these clients for the offline address book and for sharing calendar information. If you choose to install the Client Access server role, you also can configure the external domain name for the Client Access server. Clients use this external domain name to connect to the server from the Internet.
5.
6. 7.
8.
1-30
Note: Exchange Server 2010 supports Office Outlook 2003 SP1 or later clients. The only Entourage version supported by Exchange Server 2010 is Entourage 2008, Web Services Edition. This version of Entourage requires public folders.
1-31
Unattended Installation Options
Key Points
You can use the command line to perform an unattended Exchange Server 2010 installation. When you use the command line, you can use parameters to install specified roles or configure other setup options. Note: To run an unattended installation with setup parameters, you must run setup.com or setup rather than setup.exe. To see all the parameters available for use with setup.com, run the command with the /? parameter. The syntax for this command is:
Setup.com [/roles:<roles to install>] [/mode:<setup mode>] [/console] [/?][/targetdir:<destination folder>] [/prepareAD] [/domaincontroller]
For example, if you want to install Exchange Server 2010 into the default path, and specify the roles of Hub Transport, Client Access, and Mailbox, you would enter the command:
Setup.com /r:H,M,C
1-32
Lab A: Installing Exchange Server 2010
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must: 1. 2. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager. In Hyper-V Manager, click 10135A--NYC-DC1, and in the Actions pane, click Start. 3. 4. 10135A- NYC-DC1: Domain controller in the Contoso.com domain.
In the Actions pane, click Connect. Click the CTRL+ALT+DELETE button in the top-left corner of the Virtual Machine Connection window. Log on using the following credentials: User name: Administrator Password: Pa$$w0rd Domain: Contoso
5.
Repeat these steps to start, and log on to the 10135A--NYC-SVR2 virtual machine. 10135A- NYC-SVR2: Member server in the Contoso.com domain.
Lab Scenario
You are working as a messaging administrator in Contoso Ltd. Your organization is preparing to install its first Exchange Server 2010 server. Contoso Ltd. is a large multinational organization that includes offices in Seattle, Washington, in the United States, and in Tokyo, Japan. Contoso Ltd. does not have a previous version of Exchange Server deployed so you do not have to upgrade a previous messaging system. Before installing Exchange Server 2010, you must verify that the Active Directory environment is ready for the installation. You also must verify that all computers that will run Exchange Server 2010 meet the prerequisites for installing Exchange.
1-33
Exercise 1: Evaluating Requirements for an Exchange Server Installation

Scenario
The Active Directory administrators at Contoso Ltd. are testing the Exchange Server 2010 deployment by deploying a domain controller in a test environment. The server administration team has deployed a Windows Server 2008 R2 server that you can use to deploy the first Exchange Server 2010 server in the test organization. You need to verify that the Active Directory environment and the server meet all prerequisites for installing Exchange Server 2010. Use the following checklist to verify that the prerequisites are met. Prerequisite Active Directory domain controllers: Windows Server 2003 SP2 or later Active Directory domain and forest functional level: Windows Server 2003 or higher DNS requirements Exchange Server 2010 schema changes Active Directory Domain Services (AD DS) management tools Microsoft .NET Framework 3.5 or later Windows Remote Management (WinRM) Windows PowerShell Version 2 2007 Office System Converter: Microsoft Filter Pack Web Server (IIS) server role along with the following role services: ISAPI Extensions IIS 6 Metabase Compatibility IIS 6 Management Console Basic Authentication Windows Authentication Digest Authentication Dynamic Content Compression .NET Extensibility Windows Server 2008 features WCF HTTP Activation RPC over HTTP Proxy The main tasks for this exercise are as follows: 1. 2. 3. Evaluate the Active Directory requirements. Evaluate the DNS requirements. Evaluate the server requirements. Achieved? Yes or No Yes or No Yes or No Yes or No Yes or No Yes or No Yes or No Yes or No Yes or No Yes or No
Yes or No
1-34
Task 1: Evaluate the Active Directory requirements

1. 2. 3. On NYC-DC1, evaluate whether the domain controller requirements are met. Evaluate whether the domain and forest functional level requirements are met. Use Adsiedit.msc to evaluate whether the Exchange schema changes are applied.
Task 2: Evaluate the DNS requirements

On NYC-SVR2, use Ipconfig, Ping, and NSLookup to evaluate DNS name resolution functionality.
Task 3: Evaluate the server requirements

1. 2. 3. On NYC-SVR2, evaluate whether the required Windows Server 2008 features, including the required AD DS administration tools, are installed. Evaluate whether the Microsoft Internet Information Services (IIS) components are installed. Evaluate whether the prerequisite software is installed. Results: After this exercise, you should have evaluated whether your organization meets the Active Directory, DNS, and server requirements for installing Exchange Server 2010. You should have identified the additional components that need to be installed or configured to meet the requirements.
1-35
Exercise 2: Preparing for an Exchange Server 2010 Installation

Scenario
Now that you have identified which prerequisites are not met in the current AD DS and server configuration, you need to update the environment to meet them. The main tasks for this exercise are as follows: 1. 2. Install the Windows Server 2008 server roles and features. Prepare AD DS for the Exchange Server 2010 installation.
Task 1: Install the Windows Server 2008 server roles and features
1. 2. On NYC-SVR2, in Server Manager, install the prerequisite server roles and features for Exchange Server 2010. Configure the Net.Tcp Port Sharing Service to start Automatically.
Task 2: Prepare AD DS for the Exchange Server 2010 installation

1. 2. In Hyper-V Manager, connect C:\Program Files\Microsoft Learning \10135\Drives\EXCH201064.iso as the DVD drive for NYC-SVR2. From a command prompt, run the Exchange Server setup program with the /PrepareAD parameter. Configure an Exchange organization name of Contoso. Results: After this exercise, you should have prepared the Active Directory and server configuration for the Exchange Server 2010 installation.
1-36
Exercise 3: Installing Exchange Server 2010

Scenario
After you prepare the environment, continue with the Exchange Server 2010 server installation. The main task for this exercise is as follows: Install Microsoft Exchange Server 2010.
Task 1: Install Microsoft Exchange Server 2010

1. 2. 3. 4. Start the Exchange Server 2010 installation. Choose to install only the languages on the DVD. Perform a Typical Exchange Server Installation. Choose to enable access for Outlook 2003 or Entourage clients. Results: After this exercise, you should have installed Exchange Server 2010.
1-37
Lesson 3
Completing an Exchange Server 2010 Installation
After you install the necessary server roles in Exchange Server 2010, you should verify the installation and perform post-installation tasks, including securing Exchange Server 2010 and installing additional thirdparty software, if necessary. This lesson describes the post-installation tasks that you should perform. After completing this lesson, you will be able to: Verify an Exchange Server 2010 installation. Verify an Exchange Server 2010 deployment. Describe how to troubleshoot an Exchange Server 2010 installation. Describe how to finalize an Exchange Server 2010 installation.
1-38
Demonstration: Verifying an Exchange Server 2010 Installation
Key Points
If all prerequisites are met, the Exchange Server installation should complete successfully. However, you should verify that the installation was successful.
Demonstration Steps
On VAN-EX1, open the Services management console, and review the Microsoft Exchange services that were added during the installation. 2. Open Windows Explorer, and browse to C:\ExchangeSetupLogs. 3. Review the contents of the ExchangeSetup.log file. 4. Describe some of the other files in this folder: 5. Browse to C:\Program Files\Microsoft\Exchange Server\V14. Describe the contents of the folders in this location. 6. Open the Exchange Management Console. 7. Under Server Configuration, verify that the server that you installed is listed. 8. Click Toolbox and review the installed tools. 9. In the left pane, click Recipient Configuration. Create a new mailbox. 10. Open Internet Explorer, and connect to the Outlook Web App site on a Client Access server. Log on using the credentials for the new mailbox that you created. 11. Send an e-mail to the mailbox that you created. Verify that the messages delivery. 1.
Additional Tests to Verify Installation

After the Exchange Server 2010 installation finishes, you also can take the following steps to verify that the installation was successful: Check the Exchange setup log files. The installation process creates several log files that the C:\ExchangeSetupLogs directory stores. Review the setup logs for errors that occur during installation. Ensure that the Exchange Management Console opens and displays the installed Exchange server.
1-39
Create a user account with a mailbox and connect to that mailbox using an Office Outlook client or Outlook Web App. For more information: For detailed information about each of the log files created during the installation, see Exchange Server Help.
1-40
Demonstration: Verifying the Exchange Server 2010 Deployment
Key Points
The Microsoft Exchange Server Best Practices Analyzer Tool automatically examines an Exchange Server deployment and determines whether the configuration meets with Microsoft best practices. Microsoft performs periodic updates on the definitions that the Exchange Server Best Practices Analyzer uses, so they typically reflect the latest version of the Microsoft best practices recommendations. We recommend running the Exchange Server Best Practices Analyzer after you install a new Exchange server, upgrade an existing Exchange server, or make configuration changes. You can find the Exchange Server Best Practices Analyzer in the Toolbox node of the Exchange Management Console. In this demonstration, your instructor will run the Exchange Server Best Practices Analyzer and review the generated reports. Note: For more information about the Exchange Server Best Practices Analyzer, view the Exchange Server Best Practices Analyzer Help that is available with the Exchange Server Best Practices Analyzer Tool.
Demonstration Steps
1. 2. 3. 4. On VAN-EX1, open Exchange Management Console, and click Toolbox. Start the Best Practices Analyzer, and clear the options to check for updates and to join the customer improvement program. Go to the Welcome page. Start a new scan. Choose to perform a Health Check scan to scan the server that you just installed. When the scan finishes, view the following tabs and reports: Critical Issues All Issues Recent Changes
1-41
Informational Items Tree reports Other reports
1-42
Troubleshooting an Exchange Server 2010 Installation
Key Points
The Exchange Server installation should complete successfully if you meet all prerequisites. However, if the installation does not complete properly, it is important for you to follow a consistent troubleshooting process.
Troubleshooting Process
Each time you troubleshoot any application or service, you should follow a consistent process, as this ensures that you do not miss steps and that problems are resolved quickly.
Potential Problems and Resolutions

Some common installation problems and solutions are: Net.TCP Port Sharing Service not set to start automatically. You must set this service to start automatically. Insufficient disk space. Your server might not have the necessary disk space to install Exchange Server 2010. To resolve this, either increase your servers disk space or remove unnecessary files to create more free space. Missing software components. Your server might not have all of the required software components for the server roles you want to implement. To resolve this, determine the required software components, download them if necessary, and install them. Incorrect DNS configuration. Exchange Server 2010 relies on global catalog servers to perform many operations, and uses DNS to find global catalog servers. If the DNS configuration is incorrect, your server might not be able to find a global catalog server. To verify the problem, use the dcdiag tool. To resolve the problem, ensure that the Exchange server and domain controllers are all using the appropriate internal DNS servers.
1-43
Incorrect domain functional level. All domains with Exchange Server 2010 recipients or servers must be at Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003 functional level. To resolve this problem, raise the domain functional level to the appropriate functional level. Insufficient Active Directory permissions. When you install Exchange Server 2010, you need sufficient permissions to extend the Active Directory schema and modify the Active Directory configuration partition. To perform the initial schema extension, you must be a member of the Enterprise Admins and Schema Admins groups. Insufficient Exchange permissions. To install Exchange Server 2010 into an existing organization, you must be a member of the Exchange Admins group. You also must run Setup.exe with the /PrepareLegacyExchangePermissions switch. Wait for replication throughout the Exchange Server organization before you continue.
1-44
Finalizing the Exchange Server Installation
Key Points
After finishing the Exchange Server installation, you might need to perform additional steps to finalize the server deployment.
Configuring Exchange Server Security

Security is important for all the servers in your environment. However, security is even more important for computers running Exchange Server. For most organizations, messaging is a critical part of the network. People rely on messaging to perform their jobs. Use the following steps to secure computers running Exchange Server 2010: Restrict physical access. Like all servers, physical access to a computer running Exchange Server should be restricted. Any server that you can access physically also can be compromised easily. Restrict communication. You can use firewalls to restrict the communication between servers, and between servers and clients. Reduce the attack surface. To limit software flaws that hackers can use, eliminate unnecessary software and services from your Exchange servers. In particular, Edge Transport servers should have only the necessary services and software running because they are exposed to the Internet. Restrict permissions. Evaluate who has permissions to manage Active Directory in your organization. Users who are domain administrators can add themselves to any group, and so they could manage all Exchange Server recipients and computers running Exchange Server in that domain. Reduce delegated Active Directory management permissions in a more granular way if you do not want all of the domain administrators to be capable of managing Exchange Server as well.
Configure Additional Software

Before you install any additional software, ensure that it Microsoft certifies it for use with Exchange Server 2010.
1-45
Some of the additional software you might want to install or configure includes: Antivirus software. Antivirus software can be used with the Edge Transport server and internal servers. You can install ForeFront Protection for Exchange Servers on Exchange Server 2010, or deploy and configure third party antivirus solutions. Anti-spam software. Anti-spam software can significantly reduce unsolicited commercial e-mail messages that your users receive, and have to manage. Exchange Server 2010 provides anti-spam features on the Edge Transport server role and the Hub Transport server role. Most organizations that deploy anti-spam software on Exchange Server 2010 will deploy it on the Edge Transport server, but you also can enable and configure anti-spam features on Hub Transport servers. Many organizations choose to deploy third-party anti-spam solutions. Backup software. To back up Exchange Server 2010 servers, you must deploy backup software that uses Volume Shadow Copy Service (VSS) to perform the backup. Monitoring tools and agents. One example of a monitoring tool is Microsoft System Center Operations Manager. Operations Manager allows you to proactively monitor and manage your Exchange servers by installing monitoring agents on them. Important: There are additional tasks that you must perform for each server role. Later modules cover these tasks.
1-46
Lab B: Verifying an Exchange Server 2010 Installation
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must: 1. 2. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager. Ensure that the 10135A-NYC-DC1 and the 10135A-NYC-SVR2 virtual machines are running. 3. 10135A- NYC-DC1: Domain controller in the Contoso.com domain. 10135A- NYC-SVR2: Member server in the Contoso.com domain.
If required, connect to the virtual machines.
Lab Scenario
You have completed the installation of the first Exchange Server at Contoso Ltd. You now need to verify that the installation completed successfully. You also should ensure that the installation meets the best practices that Microsoft suggests.
1-47
Exercise 1: Verifying an Exchange Server 2010 Installation

The main tasks for this exercise are as follows: 4. 5. 6. 7. View the Exchange Server services. View the Exchange Server folders. Create a new user, and send a test message. Run the Exchange Server Best Practices Analyzer Tool.
Task 1: View the Exchange Server services

1. 2. Open the Services console. Review the status for each Exchange Server service.
Task 2: View the Exchange Server folders.

Using Windows Explorer, browse to C:\Program Files\Microsoft \Exchange Server\v14. This list of folders includes ClientAccess, Mailbox, and TransportRoles. The three roles were installed as part of the typical setup.
Task 3: Create a new user, and send a test message

1. 2. 3. 4. 5. Open the Exchange Management Console. Under Recipient Configuration, create a new mailbox with a new user account named TestUser and a password of Pa$$w0rd. Using Internet Explorer, open https://NYC-SVR2/owa. Log on as TestUser, and send a message to Administrator. Log on to Outlook Web App as Administrator, and verify that the message was delivered.
Task 4: Run the Exchange Server Best Practices Analyzer tool

1. 2. 3. Start the Exchange Server Best Practices Analyzer. Run a Health Check scan with a name of Post-Installation Test. Scan only NYC-SVR2. Review the information in the Exchange Server Best Practices Analyzer report. Results: After this exercise, you should have verified that the Exchange Server 2010 server installation completed successfully.
To prepare for the next module

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps: 1. 2. 3. 4. 5. On the host computer, start Hyper-V Manager. Right-click the virtual machine name in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start. To connect to the virtual machine for the next modules lab, click 10135A-VAN-DC1, and then in the Actions pane, click Connect. Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines.
1-48
6. 7.
Wait for 10135A-VAN-DC1 to start, and then start 10135A-VAN-EX1. Connect to the virtual machine. Wait for 10135A-VAN-EX1 to start, and then start 10135A-VAN-EX3. Connect to the virtual machine.
1-49
Module Review and Takeaways
Review Questions
1. 2. 3. The installation of Exchange Server 2010 fails. What information sources can you use to troubleshoot the issue? What factors should you consider while purchasing new servers for your Exchange Server 2010 deployment? How would the deployment of additional Exchange Server 2010 servers vary from the deployment of the first server?
Common Issues Related to Installing Exchange Server 2010

Identify the causes for the following common issues related to installing Exchange Server 2010 and explain the troubleshooting tips. For answers, refer to relevant lessons in the module. Issue You start the Exchange installation and get an error message stating that you do not have sufficient permissions. You start the Exchange installation and the prerequisite check fails. You run setup with /PrepareAD parameter and receive an error message. Troubleshooting tip
Verify that you are logged on to the domain. Verify the account has sufficient permissions. Verify that the server meets the software requirements. Ensure that you are running setup in the same Active
Directory site as the schema master domain controller.
1-50
Real-World Issues and Scenarios

1. An organization has a main office and multiple smaller branch offices. What criteria would you use to decide whether to install an Exchange server in a branch office? What additional factors should you consider if you decide to deploy an Exchange server in the branch office? An organization has deployed Active Directory directory services within two different forests. What issues will this organization experience when they deploy Exchange Server 2010? An organization is planning to deploy Exchange Server 2010 servers as virtual machines running on Hyper-V in Windows Server 2008 R2. What factors should the organization consider in their planning?
2. 3.
Best Practices for Deploying Exchange Server 2010

Supplement or modify the following best practices for your own work situations: Plan the hardware specifications for your Exchange Server 2010 servers to allow for growth. In most organizations, the amount of e-mail traffic and the size of the user mailboxes are growing rapidly. Consider deploying at least two Exchange Server 2010 servers. With two servers, you can provide complete redundancy for the core Exchange server roles. When deploying multiple Exchange servers with dedicated server roles for each server, deploy the server roles in the following order: a. b. c. d. Client Access server Hub Transport server Mailbox server Unified Messaging server
You can deploy the Edge Transport server at any time, but it does not integrate automatically with your organization until you deploy a Hub Transport server.
Configuring Mailbox Servers
2-1
Module 2
Contents:
Lesson 1: Overview of Exchange Server 2010 Administrative Tools Lesson 2: Configuring Mailbox Server Roles Lesson 3: Configuring Public Folders Lab: Configuring Mailbox Servers 2-3 2-13 2-32 2-40
2-2
Module Overview
The Microsoft Exchange Server management tools provide a flexible environment that enables administrators to manage all sizes of Microsoft Exchange Server 2010 messaging deployments. Successful Exchange Server messaging professionals need to understand where configuration elements reside within the Exchange Management Console and the basics of the Exchange Management Shell. This module describes these management tools. This module also describes the Mailbox server role, some of the new Exchange Server 2010 features, and the most common Mailbox server role post-installation tasks. The module concludes with a discussion about public folder configuration and usage. After completing this module, you will be able to: Describe the Exchange Server 2010 administrative tools. Configure mailbox server roles. Configure public folders.
2-3
Lesson 1
Overview of Exchange Server 2010 Administrative Tools
This lesson introduces you to the Exchange Management Console, Exchange Management Shell, and the Exchange Control Panel (ECP). These tools are the main interfaces that Exchange Server administrators use daily, so a detailed understanding of when and how to use each interface is vital. After completing this lesson, you will be able to: Describe the Exchange Management Console. Describe the Exchange Management Shell and Windows PowerShell. Identify the benefits of using remote Windows PowerShell. Use Exchange Management Shell cmdlets. Work with the Exchange Management Shell. Apply Exchange Manage Shell cmdlet examples. Describe the Exchange Control Panel.
2-4
Demonstration: What Is the Exchange Management Console?
Key Points
In this demonstration, you will review how to navigate the Exchange Management Console, and use it to manage Exchange Server. The Exchange Management Console uses the Microsoft Management Console 3.0 (MMC) paradigm of a four-pane environment. The Console Tree is a unique feature of the Exchange Management Console, and it has four main nodes: Organization Configuration, Server Configuration, Recipient Configuration, and Toolbox. These four nodes have four distinct functions.
Organization Configuration
The Organization Configuration node contains all configuration options for each Exchange server role that affects the messaging systems functionality. This node allows you to configure database management, ActiveSync policies, journal and transport rules, message-formatting options, and e-mail domain management.
Server Configuration
The Server Configuration node contains the configuration options for each Exchange server in the organization. Settings that you can manipulate include server diagnostic-logging settings, product-key management, and the per-server configuration of the Microsoft Outlook Web App.
Recipient Configuration
The Recipient Configuration node contains the configuration and creation tasks for mailboxes, distribution groups, and contacts. You also can use it to move or reconnect mailboxes.
2-5
Toolbox
The Toolbox node contains utilities and tools that you can use to monitor, troubleshoot, and manage Exchange Server. These tools include Exchange Best Practices Analyzer, Public Folder Management Console (PFMC), Messaging Tracking, and Database Recovery Management. You also can use the Exchange Management Console to manage both onsite and hosted Exchange Server 2010 environments, most notably the Microsoft Business Productivity Online Suite (BPOS). The Console Trees root node also includes two tabs in the Content pane: Organizational Health and Customer Feedback. The Organizational Health tab displays a report on the overall status of the Exchange Server organization that includes information about the number of deployed databases, servers, and Client Access Licenses. Use the Customer Feedback tab to enable the Customer Experience Improvement Program and to access Exchange Server documentation.
Demonstration Steps
1. 2. 3. 4. 5. 6. 7. Open the Exchange Management Console. Note the consoles layout: Console Tree on the left, Content pane in the middle, and Actions pane on the right. Notice that the Console Tree has four nodes: Organization Configuration, Server Configuration, Recipient Configuration, and Toolbox. Expand each Console Tree section to view the available nodes. In the Console Tree, expand Organization Configuration, click Mailbox, and then view the information available in the Content pane. In the Console Tree, expand Server Configuration, click Mailbox, and then view the information in the Content pane. In the Console Tree, expand Recipient Configuration, click Mailbox, and then view the information in the Content pane.
Question: Does the Exchange Management Console organization seem logical to you? Why? Question: Does the Exchange Management Console have the same functionality as it did in previous Exchange Server versions? What is different about this version?
2-6
What Are the Exchange Management Shell and Windows PowerShell?
Key Points
The Exchange Management Shell and the Exchange Management Console run on top of Windows PowerShell version 2.0 command-line interface. They use cmdlets, which are commands that run within Windows PowerShell. Each cmdlet completes a single administrative task, and you can combine cmdlets to perform complex administrative tasks. In Exchange Management Shell, there are approximately 700 cmdlets that perform Exchange Server management tasks, and even more non-Exchange Server cmdlets that are in the basic Windows PowerShell shell design. Exchange Management Shell is more than just a command-line interface that you can use to manage Exchange Server 2010. Exchange Management Shell is a complete management shell that offers a complex and extensible scripting engine that has sophisticated looping functions, variables, and other programmatic features so that you can create powerful administrative scripts quickly.
2-7
The Benefits of Remote Windows PowerShell
Key Points
Exchange Server 2010 builds on the success of Microsoft Exchange Server 2007 usage of Windows PowerShell 1.0 by leveraging its remote Windows PowerShell functionality within Windows PowerShell 2.0. By using the remote Windows PowerShell feature, Exchange Server 2010 includes many new features.
New Features in Exchange Server 2010

Exchange Server 2010 contains the following new features: Role Based Access Control (RBAC). RBAC enables you to assign granular permissions to administrators, and more closely align the roles that you assign users and administrators to the actual roles they hold within your organization. In Exchange Server 2007, the server-permissions model applied only to the administrators that managed the Exchange Server 2007 infrastructure. However, RBAC now controls both the administrative tasks that you can perform and the extent to which users can perform their own administrative tasks. RBAC controls who can access what, and where, through management roles, assignments, and scopes. Using remote Windows PowerShell allows you to run the cmdlets on the server while controlling how they execute. Client/server management model. All cmdlets run remotely from an Exchange server rather than from the management client. This allows the server to process the client requests, thereby reducing their impact. Since the cmdlets run on the remote server, and not the client, you only need to install Windows PowerShell 2.0 on the management machine if you do not need the graphical user interface (GUI) tools. Standard protocols that allow easier management through firewalls. Remote Windows PowerShell leverages Windows Remote Management (WinRM) for connectivity through standard HTTPS connections. Since corporate firewalls often allow HTTPS by default, using Windows PowerShell requires no additional firewall configuration.
These new features enable scenarios such as simplified cross-domain management, management from workstations that do not have installed management tools, management through firewalls, and the ability to throttle resources that management tasks consume.
2-8
Exchange Management Shell Cmdlets
Key Points
All shell cmdlets present as verb-noun pairs. A hyphen (-) without spaces separate the verb-noun pair, and the cmdlet nouns are always singular. Verbs refer to the action that the cmdlet takes. Nouns refer to the object on which the cmdlet takes action. For example, in the Get-User cmdlet, the verb is Get, and the noun is User. All cmdlets that manage a particular feature share the same noun. For detailed information about using cmdlets, refer to the CD content.
Using Cmdlets Together

Pipelining is the process of using multiple cmdlets simultaneously to gather information, which you then can pass to other cmdlets for additional processing. Pipelining allows you to chain one cmdlet to another so that the previous cmdlets results act as input to the next cmdlet. To pipeline information from one cmdlet to another, specify the pipe character between the cmdlets. The pipe character is a vertical bar (|). You can pipeline more than two cmdlets. In fact, you can use as many as necessary to achieve the results you desire.
2-9
Demonstration: Working with the Exchange Management Shell
Key Points
In this demonstration, you will review how to create a mailbox, and how to use Windows PowerShell scripting and pipelining to change the address on multiple mailboxes. The instructor also will describe basic cmdlet aliases.
Demonstration Steps
The instructor will run the following cmdlets: Get-Mailbox Get-Mailbox | Format-List Get-Mailbox | fl Get-Mailbox | Format-Table Get-Mailbox | ft Name, Database, IssueWarningQuota Get-Help New-Mailbox Get-Help New-Mailbox -detailed Get-Help New-Mailbox -examples $Temp = Text $Temp $password = Read-Host Enter password AsSecureString New-Mailbox -UserPrincipalName chris@contoso.com -Alias Chris -Database Mailbox Database 1 -Name ChrisAshton -OrganizationalUnit Users -Password $password -FirstName Chris -LastName Ashton -DisplayName Chris Ashton -ResetPasswordOnNextLogon $true
2-10
Note: Assign a password to a new user by specifying the Read-Host cmdlet with the -AsSecureString switch, because passwords cannot be stored as simple strings.
2-11
Exchange Management Shell Examples
Key Points
One of the best ways to become proficient with Windows PowerShell is to review cmdlets that administrators use the most often. The following example retrieves a list of all the users, filters only users that are located in the Sales organizational unit (OU), and then mail-enables the users:
Get-User | Where-Object {$_.distinguishedname -ilike "*ou=sales,dc=contoso,dc=com"} | Enable-Mailbox -database "Mailbox Database 1"
The following example returns all members in the RemoteUsers distribution group, and then sets the MaxReceiveSize on each of the members mailboxes:
Get-DistributionGroup "RemoteUsers" | Get-DistributionGroupMember | Set-Mailbox MaxReceiveSize 10MB
The following example retrieves a list of all mailboxes on VAN-EX1, and then moves these mailboxes to Mailbox Store 2:
Get-Mailbox -server VAN-EX1 | New-MoveRequest -Local -targetDatabase " "Mailbox Store 2"
The following example removes all messages from addresses that start with the word Tom from the message queue:
Get-Message -Filter {FromAddress -like "Tom*" } | Remove-Message
The following example returns the status of all mailbox copies from the local server:
Get-MailboxDatabaseCopyStatus
2-12
Introducing the Exchange Control Panel
Key Points
The ECP is a new feature in Exchange Server 2010. It enables end users and Exchange Server specialists to manage many aspects of the messaging environment from a secure Web page that includes inbox rules, public groups, account information, call-answering rules, and retention policies. You can assign permissions to ECP users by assigning and customizing one of the preconfigured RBAC groups. The ECP runs on the Client Access servers, and you access it either from the Options menu in Outlook Web App.
2-13
Lesson 2
Configuring Mailbox Server Roles
This module describes how to configure the Mailbox server after you install it. Since the Mailbox server stores all of the mailbox and public folder data, it is a critical component in an Exchange Server messaging system. You also will learn about databases, database storage considerations, and managing the number and size of databases. After completing this lesson, you will be able to: Describe your initial mailbox configuration tasks. Configure the Mailbox server role. Describe mailbox and public folder databases. Describe database file types. Describe the process for updating mailbox databases. Configure database options. Identify Exchange Server 2010 storage improvements. Describe your database storage options. Describe direct attached storage. Describe storage area networks. Manage mailbox size limits. Identify the criteria to consider when implementing databases.
2-14
Initial Mailbox Configuration Tasks
Key Points
Complete the following steps after deploying the Mailbox server role: Secure the server. Before deploying mailboxes on the Mailbox server role, you should secure the server, which includes configuring permissions at the organizational and server levels. This reduces the Exchange Servers attack surface. Create and configure databases. Exchange Server 2010 uses mailbox databases or public folder databases to store messages. As a result, before creating mailboxes on the server, you need to create the required databases. Configure public folders. Although recent Exchange Server versions de-emphasize the role of public folders, Microsoft continues to support public folders fully, and you must configure them if you have Outlook 2003 or earlier clients. However, if you are using Office Outlook 2007 or later clients, public folders are not required to support offline address-book distribution or calendar information. During the installation of the first Exchange Server 2010 into a new Active Directory Domain Service (AD DS) or Active Directory directory service forest, you have the option to support older Office Outlook and Entourage clients. Exchange Server creates a public folder database if you choose this option. You also can create public folders after installation if you do not configure them during setup. Configure recipients, including resource mailboxes. The Mailbox server role manages all user mailboxes, so deploying the Mailbox server role includes configuring recipients. Configure the offline address book. Outlook 2007 (and higher) clients support retrieving offline address books with HTTP, rather than only with public folders, as in previous Office Outlook versions.
2-15
Demonstration: How to Configure Mailbox Server Role Configuration Options
Key Points
In this demonstration, you will review how to configure the Mailbox server role with the Exchange Management Console.
Demonstration Steps
1. 2. 3. 4. 5. Open the Exchange Management Console. In the Console Tree, expand Server Configuration, and then click Mailbox. Note the available options in the Actions pane: Manage Diagnostic Logging Properties, Enter Product Key, and Properties. View the properties of the server and review the options on the General, System Settings, Messaging Records Management, and Customer Feedback Options tabs. View the Manage Diagnostic Logging options.
Question: What additional tasks do you need to perform on the Mailbox server role after the Exchange Server 2010 installation occurs?
2-16
What Are Mailbox and Public Folder Databases?
Key Points
To manage Mailbox servers properly, you need to know how they store mailbox and public folder contents. Exchange Server 2010 stores mailbox and public folder contents in databases, which enhances performance and reduces storage utilization. Mailbox servers can maintain mailbox databases and public folder databases, and each database consists of a single rich-text database (.edb) file. Exchange Server 2010 mailbox servers store all messages in this database regardless of which type of client sends or reads the messages. Mailbox databases store the messages for mailbox-enabled users. Users cannot have a mailbox without a mailbox database. Public folder databases store the contents of public folders. Unlike previous Exchange Server versions that required unique database names only within a storage group, Exchange Server 2010 requires unique database names across the entire Exchange Server organization. In Exchange Server 2010, each database has a single set of transaction logs, which store database changes. Database changes include all messages sent to or from the database. Transaction logs are an essential part of disaster recovery if you need to restore a mailbox or public folder database. By default, all databases and transaction logs are stored in one folder within the Exchange Server directory (C:\Program Files\Microsoft\Exchange Server\v14 \Mailbox). Each database has its own folder. Although Exchange Server 2010 does not require separating databases and transaction logs, given the appropriate redundancy, performing this separation increases recoverability. You should consider it if your organization does not employ other availability options. If the disk storing a database fails, you will need the transaction logs to recover activity since your last backup. If your transaction logs also are lost, along with the database, you can recover only to the point of your last back up. The Exchange Server 2010 database schema was changed significantly to improve its performance over previous Exchange Server versions. The new database schema now performs larger and more-sequential input/output (I/O) transactions, optimizes performance on lower end disk systems, and reduces
2-17
the database maintenance that you must perform. These improvements were accomplished by removing single-instance storage and increasing the page size from 8 kilobytes (KB) to 32 KB. In Microsoft Exchange 2000 Server and Exchange Server 2003, there was an option to create multiple databases and have them share a set of transaction logs. This was called a storage group. In Exchange Server 2007, having multiple databases in a storage group was available only for databases that did not have high availability features enabled. In Exchange Server 2010, there is no option to have multiple databases to share a single set of transaction logs.
2-18
What Are the Database File Types?
Key Points
A database consists of a collection of file types, each of which performs different functions. <Log Prefix>.chk. This checkpoint file determines which transactions require processing to move the checkpoint file from the transaction log file to the database. Each databases log prefix determines its checkpoint file name. For example, the checkpoint file name for a database with prefix E00 would be E00.chk. This checkpoint file is several kilobytes in size, and does not grow. <Log Prefix>.log. This is the databases current transaction log file. An example is E00.log. The maximum amount of data storage for this file is 1 megabyte (MB). When this file reaches its maximum storage of 1 MB, Exchange Server renames it and creates a new current transaction log. <Log Prefix>xxxxxxxx.log. Exchange Server renames and files this transaction log file. Log files use sequential hexadecimal names. For example, the first log file for the first database on a server would be E0000000001.log. Each transaction log file is always 1 MB. <Log Prefix>res00001.jrs and <Log Prefix>res00002.jrs. These are the reserved transaction logs for the database. Exchange Server 2010 uses these only as emergency storage when the disk becomes full and it can write no new transactions to disk. An example is E00res00001.jrs. When Exchange Server 2010 runs out of disk space, it writes the current transaction to disk, and then dismounts the database. The reserved transaction logs ensure minimal loss of data that is in transit to the database. The reserved transaction logs always are 1 MB each. Tmp.edb. This temporary workspace is for processing transactions. Exchange Server 2010 deletes the contents of this file when it dismounts the database or when the Microsoft Exchange Information Store service stops. This file typically is a few megabytes in size. <Log Prefix>tmp.log. This is the transaction log file for the temporary workspace. An example is E00tmp.log. This file does not exceed 1 MB. <File Name>.edb. This is the rich-text database file that stores content for mailbox and public folder databases. An example is Database.edb. Each mailbox or public folder database is contained in a single file. Database files can grow very large, depending on the content that the database stores.
2-19
Mailbox Database Update Process
Key Points
The following process takes place when a Mailbox server receives a message: 1. 2. The Mailbox server receives the message. The Mailbox server writes the message to the current transaction log and memory cache simultaneously. Note: If the current transaction log reaches 1 MB of storage, Exchange Server 2010 renames it and creates a new current transaction log. 3. 4. 5. The Mailbox server writes the transaction from memory cache to the appropriate database. The Mailbox server updates the checkpoint file to indicate that the transaction was committed successfully to the database. Clients can access and read the message in the database.
2-20
Demonstration: Configuring Database Options
Key Points
Several configuration options are set at the database level. Three key management tabs contain these options: Maintenance, Limits, and Client Settings. In this demonstration, you will review these tabs, and explain how you can use them to configure your database options.
The Maintenance Tab

Use the Maintenance tab to specify a journal recipient when you are using database journaling. However, we recommend using journaling rules for journaling in Exchange Server 2010. The maintenance schedule is the period of time in which Exchange Server performs database maintenance. In Exchange Server 2010, online defragmentation occurs continually, so you use the maintenance window primarily to remove deleted items and mailboxes. The Maintenance tab has a checkbox that you can select to keep the database from mounting at startup. You typically use this checkbox, and another that allows the database to be overwritten by a restore, during recovery or database-maintenance tasks. The checkbox for enabling circular logging sets the transaction-logging mode so that Exchange Server 2010 overwrites the transaction logs after they are committed to the database. Circular logging does not allow you to recover a database to a point in time other than when the last full backup was completed. We recommend circular logging only in test environments or in high availability configurations in which adequate redundancy negates the need for this type of recovery.
The Limits Tab

Use the Limits tab to set the maximum size for mailboxes that the database stores, and to specify the notification schedule for sending messages to users who are approaching these limits. The deletion settings specify how long the database stores deleted items and mailboxes after the user deletes them. You can use the dumpster to recover items that users have deleted and purged from their Deleted Items folder, without having to perform a restore from a backup.
2-21
The Client Settings Tab

Use the Client Settings tab to configure the default public folder, if necessary, and the default offline address book for all mailboxes in the database.
Demonstration Steps
1. 2. 3. 4. 5. Open the Exchange Management Console. In the Console Tree, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Mailbox. Select the Database Management tab, and then view the properties of a mailbox database. View the properties on the General, Maintenance, Limits, and Client Settings tabs. Run the Move Database Path Wizard to move the database files.
Question: When would you need to move the path of the transaction logs or databases? Question: When might you use circular logging?
2-22
Exchange Server 2010 Storage Improvements
Key Points
Exchange Server 2010 introduces several significant changes that reduce storage costs and improve performance, including changes to the database schema, the use of compression, and the change to 32 KB database pages. Additionally, further improvements minimize database fragmentation by writing data sequentially on disk, which also improves disk performance. Lastly, when you combine the reduced storage input/output (I/O) requirements with the new database high availability features, you may be able to leverage inexpensive direct-attached storage for larger Exchange Server deployments. Since the storage I/O requirements are lower in Exchange Server 2010, more storage options are available. Still, you should ensure that your storage method meets the business and technical requirements for the Exchange Server deployment. Tools such as Load Simulator and JetStress are available to approximate usage patterns, and you can use these tools to test various hardware configurations in your environment.
2-23
Options for Database Storage
Key Points
Exchange Server 2010 now supports several disk storage options, including Serial Advanced Technology Attachment (SATA), Solid-state disk (SSD), and Serial Attached small computer system interface (SCSI), or SAS. When selecting which storage solution to use, the goal is to ensure that the storage will provide the performance that your environment requires.
JBOD (Just a Bunch Of Disks)

JBOD is a collection of disks that have no redundancy or fault tolerance. Usually, JBOD solutions are lower cost than solutions that use redundant array of independent disks (RAID). JBOD adds fault tolerance by using multiple copies of the databases on separate disks.
RAID
RAID increases disk-access performance and fault tolerance. The most common RAID options are: RAID 0 (striping). Increases read and write performance by spreading data across multiple disks. However, it offers no fault tolerance. Performance increases as you add more disks. You add fault tolerance by using multiple copies of the databases on separate RAID sets. RAID 1 (mirroring). Increases fault tolerance by placing redundant copies of data on two disks. Read performance is faster than a single disk, but write performance is slower than RAID 0. Half of the disks are used for data redundancy. RAID 5 (striping with parity). Increases fault tolerance by spreading data and parity information across three or more disks. If one disk fails, the missing data is calculated based on the remaining disks. Read and write performance for RAID 5 is slower than RAID 0. At most, only one third of the disks are used to store parity information. RAID 0+1 (mirrored striped sets). Increases fault tolerance by mirroring two RAID 0 sets. This provides very fast read and write performance, and excellent fault tolerance.
2-24
RAID 6 (striping with double parity). Increases fault tolerance by spreading data and parity information across four or more disks. If up to two disks fail, RAID 6 calculates the missing data based on data and parity information stored on the remaining disks. Read and write performance for RAID 6 typically is slower than RAID 0, and RAID 6 does not have a read penalty. The main benefit of RAID 6 is the ability to rebuild missing data if you have two failures per RAID group, and to reduce the impact of rebuilding the RAID set when a disk fails. RAID 1+0 or RAID 10 (mirrored sets in a striped set). Provides fault tolerance and improved performance, but increases complexity. The difference between RAID 0+1 and RAID 1+0 is that RAID 1+0 creates a striped set from a series of mirrored drives. In a failed disk situation, RAID 1+0 performs better and is more fault tolerant than RAID 0+1.
2-25
Data Storage Options: Direct Attached Storage
Key Points
Direct attached storage is any disk system that connects physically to your server. This includes hard disks inside the server or those that connect by using an external enclosure. Some external enclosures include hardware-based RAID. For example, external disk enclosures can combine multiple disks in a RAID 5 set that appears to the server as a single large disk. In general, direct attached storage provides good performance, but it provides limited scalability because of the units physical size. You must manage direct attached storage on a per-server basis. Exchange Server 2010 performs well with the scalability and performance characteristics of direct attached storage. Direct attached storage provides the following benefits: Lower cost Exchange Server solution. Direct attached storage usually provides a substantially lower purchase cost than other technologies. Easy implementation. Direct attached storage typically is easy to manage, and requires very little training. Distributed failure points. Each Exchange server has separate disk systems, so the failure of a single system does not affect the entire Exchange messaging system negatively, assuming that you configure your Exchange servers for high availability.
2-26
Data Storage Options: Storage Area Networks
Key Points
A storage area network (SAN) is a network dedicated to providing servers with access to storage devices. A SAN provides advanced storage and management capabilities, such as data snapshots, and high performance. SANs use either Fibre Channel switching or Internet SCSI (iSCSI) to provide fast and reliable connectivity between storage and applications. Fibre Channel switching or iSCSI allows many servers to connect to a single SAN. Fibre Channel is a standard SAN architecture that runs on fiber optic cabling. Because Fibre Channel is specifically for SANs, it is the fastest architecture available, and most SANs use it. SANs are complex and require specialized knowledge to design, operate, and maintain. Most SANs also are more expensive than direct attached storage. SANs provide the following benefits: A large RAM cache that keeps disk access from becoming a bottleneck. The reduced I/O requirements of Exchange Server 2010 make it more likely that an iSCSI-based SAN will meet your requirements in small and medium-sized deployments. However, you should test all hardware configurations thoroughly before deployment to ensure that they meet your organizations required performance characteristics. Highly scalable storage solutions. Messaging systems are growing continually, and require larger storage over time. As your needs expand, a SAN allows you to add disks to your storage. Most SANs incorporate storage virtualization, which allows you to add disks and allocate the new disks to your Exchange server. Multiple servers attached to a single SAN. If you use a SAN, you can connect multiple computers running Exchange Server, and then divide the storage among them.
2-27
Enhanced backup, recovery, and availability. SANs use volume mirroring and snapshot backups. Because SANs allow multiple connections, you can connect high performance back-up devices to the SAN. SANs also allow you to designate different RAID levels to different storage partitions.
For cost-conscious SAN implementations, iSCSI may be a viable option. An iSCSI network encapsulates SCSI commands in TCP/IP packets over standard Ethernet cabling and switches. You should implement this technology only on dedicated storage networks that are 1 gigabit per second (Gbps) or faster.
2-28
Demonstration: How to Manage Mailbox Size Limits
Key Points
In this demonstration, you will review how to use the Exchange Management Console to configure storage quotas, and how to use the Exchange Management Shell to configure storage quotas in bulk or simultaneously. You can enforce size limits either on a specific mailbox or on a database, which applies the settings on all mailboxes in the database, by default. The three options available to set a limit on mailboxes and on the database are: Issue warning at (KB). When a mailbox reaches the size you specify, at a predetermined schedule (daily by default), mailbox-enabled users receive a message indicating that their mailboxes have become too large. Prohibit send at (KB). When a mailbox reaches the size you specify, the user no longer can send messages and receives a warning message that the mailbox is too large. The mailbox can still receive messages. Prohibit send and receive at (KB). When a mailbox reaches the size you specify, the user can no longer send or receive messages, and receives a warning message that the mailbox is too large. If the organization uses a Unified Messaging server, prohibiting e-mail reception can result in lost e-mail messages, voice-mail messages, and faxes. Most organizations elect not to use this option.
You also can use mailbox database defaults to set limits on the database. Exchange Server 2010 enables this by default, and if you use it, the mailbox inherits any settings that you assign to the database that stores the mailbox. Deleted item retention settings work similarly to size limits in that you can assign them either on the mailbox or database. By default, all mailboxes also inherit deleted time retention from the database.
2-29
Demonstration Steps
1. 2. 3. 4. 5. 6. 7. 8. Open the Exchange Management Console. In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration, and click Mailbox. Right-click a user mailbox, and click Properties. Click the Mailbox Settings tab, and double-click Storage Quotas. Unselect Use mailbox database defaults, and modify the value for Prohibit send and receive at (MB). Open Exchange Management Shell. Configure the database limits with the Get-MailboxDatabase cmdlet. Configure just the user mailboxes that are contained in the Marketing department with the GetMailbox.
2-30
Discussion: Considerations for Implementing Databases
Key Points
It is important to plan properly for any changes you want to make in the Exchange Server environment. When considering which sort of storage to use for new databases, note the following: Give each set of transaction logs its own hard disk. You likely will achieve the best performance when transaction logs do not share disks with any other data. However, if you do not require high performance, and there are enough copies of the data, you may not require this. Use RAID 5 to enhance performance and fault tolerance for databases. RAID 5 increases read and write performance for random disk access and fault tolerance. Use RAID 1 to provide fault tolerance for transaction logs. RAID 1 keeps two complete copies of transaction logs for fault tolerance, and it provides good write performance for data that is written serially. Use a SAN, which provides excellent scalability and manageability for storage in large Exchange Server organizations. A Fibre Channel SAN provides the best performance, but this high level of performance may be more than you need to support your organizations requirements. SANs also add considerable cost and complexity. Use the prohibit send at storage limit to manage storage growth. This storage limit forces users to address the size of their mailbox before sending additional messages. Halting message reception is risky, because important business data might get lost. However, a warning may not be enough encouragement for users to lower their mailbox size.
Question: What should you consider when naming databases? Question: When would you want or need to create multiple databases Question: Why would you want to reduce the number of databases?
2-31
Question: What should you consider when planning to build additional Mailbox servers?
2-32
Lesson 3
Configuring Public Folders
This lesson covers public folders, and details how you can configure them. Although public folders have been deemphasized since Exchange Server 2007, they remain a useful feature of Exchange Server 2010. It is essential to understand when to use public folders and how to configure them properly. After completing this lesson, you will be able to: Describe public folders. Configure public folder replication. Describe how clients access public folders. Configure public folders. Identify when to use SharePoint instead of public folders.
2-33
What Are Public Folders?
Key Points
A public folder is a repository for different information types, such as e-mail messages, text documents, and multimedia files. A public folder database stores public folder contents, which you can share with Exchange Server organization users. Organizations typically use public folders as: A location to store contacts for the entire organization. Centralized calendars for tracking events. Discussion groups. A location in which to receive and store messages for a workgroup, such as the Help desk. A storage location for custom applications.
Additionally, system public folders support legacy Office Outlook versions for free/busy information, custom forms, and offline address books. One alternative to public folders is Windows SharePoint Services, which is a Web-based platform that stores data centrally for the enterprise, workgroups, and individuals. You can create multiple SharePoint sites for specific tasks, including: Team collaboration Project management Help-desk management Expense reimbursement Vacation scheduling
2-34
For collaboration, Windows SharePoint Services goes beyond the capabilities that public folders offer. Some of the features that a SharePoint site offers are: Document collaboration, including checking in, checking out, and version control. This feature allows you to track changes to documents and prevent team members from editing multiple versions of a single document. Alerts sent out when content changes. Alerts enable you to monitor content and act when that content changes. For example, a project team could be alerted automatically when the project schedule changes. Extensibility by developers for building applications. In some cases, you can use public folders to manage application data, but SharePoint sites can perform many of the same tasks.
One area in which SharePoint services does not provide similar functionality to Exchange Server is in the ability to perform multimaster replication. Because Windows SharePoint Services is tied to Microsoft SQL Server, only one writable copy of the data is available at a time, whereas public folders can have multiple readable and writable copies of a public folder available around the globe. The next topic details public folder replication.
2-35
Configuring Public Folder Replication
Key Points
Public folder content replication is an e-mail-based process for copying public folder content between computers running Exchange Server. When you modify a public folder or its contents, the public folder database that contains the replica of the public folder that you change sends a descriptive e-mail message to the other public folder databases that host a replica of the public folder. To reduce network traffic, Exchange Server includes information about multiple changes in one e-mail message. If any message exceeds the specified size limit, that message is sent as a separate replication message. Exchange Server routes these replication messages the same way that it routes other e-mail messages. By default, public folder content replicates every 15 minutes, and you cannot set replication to less than every minute. Because AD DS and Active Directory store the public folder configuration objects, AD DS and Active Directory replication must be working correctly to ensure that the configuration is available to all Exchange servers. When you create a public folder, only one replica of that public folder exists within the Exchange Server organization. Using multiple replicas allows you to place public folder content in the physical server locations where users are located. This results in faster access to public folder content and reduced communication across wide area network (WAN) links between physical locations. Public folder replication also provides fault tolerance for public folders. Note: You also need to replicate the public folder tree.
2-36
How Clients Access Public Folders
Key Points
The public folder connection process for Messaging Application Programming Interface (MAPI)-based clients is: 1. 2. If the public folder is located on the user accounts default public folder database, Exchange Server directs the client to this database for the public folder contents. If the public folder contents are not stored in the user accounts default public folder database, Exchange Server redirects the client to a public folder database on a computer running Exchange Server 2010 in the local Active Directory site. If no computer running Exchange Server 2010 or Exchange Server 2007 on the local Active Directory site has a copy of the public folder contents, Exchange Server redirects the client to the Active Directory site with the lowest cost site link that does have a copy of the public folder contents. If there is no computer running Exchange Server 2010 or Exchange Server 2007 that has a copy of the public folder contents, Exchange Server redirects the client to a computer running Microsoft Exchange Server 2003 that has a copy of the public folder contents, using the cost assigned to the routing group connector(s). Exchange Server 2010 does not enable this by default. Rather, you must enable it with the Set-RoutingGroupConnector cmdlet. If no public folder replica exists on the local Active Directory site, a remote Active Directory site, or on a computer running Exchange Server 2003, the client cannot access the contents of the requested public folder. Note: For Outlook Web App clients to view public folders, a replica of the public folder must be available on an Exchange Server 2010 mailbox server.
3.
4.
5.
2-37
Demonstration: How to Configure Public Folders
Key Points
In this demonstration, you will review how to use the PFMC, Exchange Management Shell, and Office Outlook to configure public folders. You will see how to: Use the PFMC to add replicas and set permissions on a public folder. Use Exchange Management Shell to add permissions to a public folder. Open Outlook, and then view the permissions for the public folder.
Demonstration Steps
Use the PFMC to add replicas and set permissions on a public folder
1. 2. 3. 4. 5. Open the Exchange Management Console. Open the PFMC, and then connect to a Mailbox server. Create a new public folder named Sales. View the properties of the Sales public folder, and then view the options on the General, Statistics, Limits, and Replication tabs. Add a replica to the Sales public folder.
Use the Exchange Management Shell to add permissions to a public folder

The instructor will run the following cmdlets:
Get-PublicFolderClientPermission \Sales Add-PublicFolderClientPermission \Sales -AccessRights EditAllItems -User Jason
2-38
Use Outlook to view and edit public folder permissions

1. 2. 3. Logon to VAN-CL1 as Adatum\Administrator. Open Outlook. View the permissions for the Sales public folder.
2-39
When to Use SharePoint Instead of Public Folders
Key Points
Exchange Server 2010 fully supports public folders. However, there are several reasons that another complementary technology may be a better solution. You need to move custom applications that use Exchange Server event sinks or organizational forms to a supported platform, such as SharePoint, by using the InfoPath information-gathering program. If you are using public folders to share documents, consider moving these documents to SharePoint for additional features, such as versioning and file locking. Depending on its scope, a new Exchange Server deployment that includes calendar sharing, contact sharing, discussion forums, or distribution group archives, can use Exchange Server public folders or SharePoint. Additionally, when deploying new custom applications, use Exchange Web Services and/or SharePoint, depending on the applications scope. Question: For what does your company currently use public folders and SharePoint?
2-40
Lab: Configuring Mailbox Servers
Lab Setup
Important: If required, start the 10135A-VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines. For this lab, you will use the available virtual machine environment. Before you begin the lab, you must: 1. 2. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and the 10135A-VAN-EX3 virtual machines are running. 3. 10135A-VAN-DC1: Domain controller in the Adatum.com domain 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain 10135A-VAN-EX3: Exchange 2010 server in the Adatum.com domain
If required, connect to the virtual machines. Log on to the computers as Adatum\Administrator, using the password Pa$$w0rd.
Lab Scenario
You are a new messaging administrator at A. Datum Corporation, and your manager has left instructions indicating that you need to create and configure a database for the executive group, and then move the existing database for the accounting group to a new location. Additionally, you need to add an additional public folder database, and then replicate data to it.
2-41
Exercise 1: Configuring Mailbox Databases

Scenario
You must configure the executives database so that the mailbox does not send or receive messages after the mailbox size reaches 1,024 MB. Additionally, you should ensure that a warning is sent to users if their mailbox reaches 850 MB. The main tasks for this exercise are: 1. 2. 3. Create a new database for the Executive mailboxes. Configure the Executive mailbox database with appropriate limits. Move the existing Accounting database to a new location.
Task 1: Create a new database for the Executive mailboxes

1. 2. 3. 4. On VAN-EX1, open the Exchange Management Console. Create a new database named Executive on VAN-EX1. Store database files in C:\Mailbox\Executive. Store log files in C:\Mailbox\Executive.
Task 2: Configure the Executive mailbox database with appropriate limits

1. Configure the limits on the Executive database: Prohibit send and receive: 1024000 Issue warning: 850000
Task 3: Move the existing Accounting database to a new location

1. 2. 3. Move the Accounting database files. Store database files in C:\Mailbox\Accounting. Store log files in C:\Mailbox\Accounting. Results: After this exercise, you should have created a new database, set the specified limits, and moved the existing Accounting database to a new folder.
2-42
Exercise 2: Configuring Public Folders

Scenario
Before creating a new public folder database and replicating it, you must check the numbers of items and size in the Executive public folder so that you can later verify that the replication was successful. The main tasks for this exercise are as follows: 1. 2. 3. 4. Check Executives public folder statistics. Create a public folder database on VAN-EX3. Add a replica of the Executives public folder on VAN-EX3. Verify replication between VAN-EX1 and VAN-EX3.
Task 1: Check Executives public folder statistics

1. 2. On VAN-EX3, open the Exchange Management Console, and in the Toolbox node, open the Public Folder Management Console. In the Public Folder Management Console, connect to VAN-EX1, and view the number of items and size in the Executives public folder on VAN-EX1. Write down Total Items ______________________ Write down Size (KB) ________________________
Task 2: Create a public folder database on VAN-EX3

Create a new public folder database on VAN-EX3 named PF-VAN-EX3. Store database files in C:\Mailbox\PF-VAN-EX3\PF-VAN-EX3.edb. Store log files in C:\Mailbox\PF-VAN-EX3.
Task 3: Add a replica of the Executives public folder on VAN-EX3

Add PF-VAN-EX3 as a replica for the Executives public folders, and then wait for replication to complete. Note: It can take up to 15 minutes for replication to complete.
Task 4: Verify replication between VAN-EX1 and VAN-EX3

Verify the number and size of items in the Executives public folder on VAN-EX3. Results: After this exercise, you should have created a new public folder database on VAN-EX3 and added replicas for each public folder.

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps: 1. 2. 3. 4. On the host computer, start Hyper-V Manager. Right-click the virtual machine name in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start.
2-43
3.
To connect to the virtual machine for the next modules lab, click 10135A-VAN-DC1, and then in the Actions pane, click Connect. Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines.
4. 5.
Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine. Wait for VAN-EX1 to start, and then start VAN-CL1. Connect to the virtual machine.
2-44
Review Questions
1. 2. 3. Which tools can you use to manage Exchange Server 2010? What customizations can you make on mailbox databases? When can you use public folders?
Common Issues Related to Designing Mailbox Databases

Identify the causes for the following common issues related to designing and implementing Exchange Server mailbox databases and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module. Issue You are planning to deploy a new Mailbox server on a different server and storage platform. After applying limits on each of the mailbox databases, some of the users are exceeding these limits. You are migrating from Exchange Server 2003, and none of the users with Exchange Server 2010 mailboxes can access legacy public folders via Outlook Web App. Troubleshooting tip Use performance-testing tools, such as Exchange Load Generator or Jet Stress, to ensure the Mailbox server will perform adequately. Verify that the mailboxes are set to inherit limit settings from the database, rather than having to be set separately. Verify that a replica of the required public folders exists on an Exchange Server 2010 server.
2-45

1. 2. 3. Your organization needs to determine which storage solution to deploy for the new Exchange Server 2010 messaging environment. What information should you consider when selecting the hardware? Your organization would like to automate creation of user mailboxes for employees based on their status in your organizations human-resources system. What can you use to perform this automation? Your organization wants to reduce administrative costs. One suggestion is to give department heads and administrative assistants the necessary access to manage departmental and project-based groups. What can you use to accomplish this task?
Best Practices Related to Public Folder Deployment Planning

Supplement or modify the following best practices for your own work situations: Determine the public folder features that your organization needs, such as multiple master replications. Determine whether other solutions, such as SharePoint or InfoPath, meet user needs better. Define specific age and size limits, so that public folder data does not grow uncontrolled and outdated.
Tools
Tool Exchange Management Console Exchange Management Shell Use for Where to find it Start menu
Configuring the Exchange

Server organization, its servers, and its recipients
Configuring the Exchange

Server organization, its servers, and its recipients Completing bulkmanagement tasks
Start menu
Exchange Control Panel
Managing recipients
Outlook Web App
2-46
Managing Recipient Objects
3-1
Module 3
Contents:
Lesson 1: Managing Mailboxes Lesson 2: Managing Other Recipients Lesson 3: Configuring E-Mail Address Policies Lesson 4: Configuring Address Lists Lesson 5: Performing Bulk Recipient Management Tasks Lab: Managing Exchange Recipients 3-3 3-19 3-26 3-31 3-37 3-41
3-2
Module Overview
In any messaging system, you need to create recipients and configure them to send and receive e-mail. As a Microsoft Exchange Server messaging administrator, you often must create, modify, or delete recipient objects. Therefore, it is important to have a good understanding of recipient management. In Exchange Server 2010, you can easily perform bulk management of Exchange Server recipient objects by using the Exchange Management Shell. This module describes how you can manage recipient objects, address policies, and address lists in Exchange Server 2010, and the procedures for performing bulk management tasks in Exchange Management Shell. After completing this module, you will be able to: Manage mailboxes in Exchange Server 2010. Manage other recipients in Exchange Server 2010. Configure e-mail address policies. Configure address lists. Perform bulk recipient management tasks.
3-3
Lesson 1
Managing Mailboxes
Apart from creating mailboxes, you may need to modify mailbox options to meet the needs of users and ensure optimal performance of the messaging environment. Based on your organizations requirements, and its users, you also may have to move mailboxes to different servers or databases, and configure resources. This lesson provides an overview of Exchange Server recipient objects and the available configuration options. Additionally, this lesson covers the reasons and procedures for moving mailboxes, and explains how to configure resource mailboxes. After completing this lesson, you will be able to: Identify the different recipient object types in Exchange Server 2010. Manage mailbox user accounts. Describe how to configure mailbox settings. Configure mailbox permissions. Describe the reasons for moving mailboxes. Move mailboxes by using the Exchange Management Console. Describe the purpose and functionality of resource mailboxes. Describe how to design resource booking policies. Manage resource mailboxes.
3-4
Discussion: Types of Exchange Server Recipients
Key Points
In Microsoft Exchange Server 2003, you can use the Active Directory Users and Computers functionality to perform all individual recipient management tasks. However, in Microsoft Exchange Server 2007, and subsequently in Exchange Server 2010, you cannot use Active Directory Users and Computers to manage Exchange Server recipients. You must configure all Exchange Server-specific recipient settings in the Exchange Management Console or the Exchange Management Shell. Exchange Server recipients are mail-enabled when they have associated e-mail addresses, but do not have Exchange mailboxes. For example, a contact that has been mail-enabled becomes a mail contact. Exchange Server 2010 supports the following recipient types: User mailboxes. A mailbox that you can assign to an individual user in your Exchange Server organization. It typically contains messages, calendar items, contacts, tasks, documents, and other important business data. Mail users or mail-enabled Active Directory users. These are users outside the Exchange Server organization that have an external e-mail address. All messages sent to the mail user are routed to this external e-mail address. A mail user is similar to a mail contact, except that a mail user has Active Directory logon credentials and can access resources. Resource mailboxes (Room mailboxes and Equipment mailboxes). A resource mailbox that you can assign to a meeting location, or to a resource such as a projector. You can include resource mailboxes as resources in meeting requests, which provides a simple and efficient way of scheduling resource usage. Mail contact or mail-enabled contacts. These contacts contain information about people or organizations that exist outside an Exchange Server organization and that have an external e-mail address. Exchange Server routes all messages sent to the mail contact to this external e-mail address. Mail-enabled security and distribution groups. You can use a mail-enabled Active Directory security group object to grant access permissions to Active Directory resources, and you also can use it to
3-5
distribute messages. You can use a mail-enabled Active Directory distribution group object to distribute messages to a group of recipients. Dynamic distribution groups. A distribution group that uses recipient filters and conditions to derive its membership at the time messages are sent. Linked mailboxes. You can assign a linked mailbox to an individual user in a separate, trusted forest.
You can use a mail-enabled user when Exchange Server 2010 is not responsible for sending and receiving mail for an Active Directory user, but you want that user to appear in the global address list (GAL). You might do this for remote sales people that prefer to use e-mail based on their own Internet service providers (ISP). You can only mail-enable universal security groups and universal distribution groups in Exchange Server 2010, similar to Exchange Server 2007. Question: How is a mail-enabled contact different from a mail-enabled user?
3-6
Demonstration: How to Manage Mailboxes
Key Points
In this demonstration, you will see how to manage mailboxes by performing common operations such as creating, deleting, and removing mailbox user accounts.
Demonstration Steps
Use the Exchange Management shell to mail-enable an existing user: 1. 2. Open Active Directory Users and Computers, and ensure that Daniel Brunner exists in the Users container. Open Exchange Management Shell, and run the following cmdlets: 3. Enable-MailUser Daniel Brunner externalemailaddress Daniel@contoso.com Disable-MailUser Daniel Brunner
In Active Directory Users and Computers, verify that the Daniel Brunner user still exists.
Create a new mail-enabled user with the Exchange Management Console. 1. 2. 3. Open Exchange Management Console. In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration, and then select Mailbox. Run the New Mailbox Wizard, and create a new user account and mailbox for Kim Akers. Create the mailbox in the Accounting mailbox database. Note: Remove-mailbox deletes the specified user account and mailbox, and disable-mailbox removes the mailbox, but leaves the user account enabled. Question: What tools do you prefer to use for managing mailbox users?
3-7
Question: How does your organization delegate Exchange and Active Directory management tasks?
3-8
Configuring Mailbox Settings
Key Points
Exchange Server 2010 provides several options for configuring a single mailbox. Many of these options are similar to those available for managing an Active Directory domain services environment. Mailbox configuration options include: General User Information Address and Phone Organization Account Member Of
However, some configuration options are unique to Exchange Server such as: Mail Flow Settings. There are three mail-flow settings: delivery options, message-size restrictions, and message-delivery restrictions: Use the delivery options to set: Who can send an e-mail message from that mailbox. A recipient to whom all messages are forwarded. The maximum number of recipients to which the mailbox can send a single message.
Use the message-size restrictions options to specify the maximum size for the messages that the mailbox sends or receives. Use the message delivery restrictions options to control the recipients that can send messages to the mailbox.
3-9
Mailbox Features. Use these options to configure the mailboxs specific features, such as Microsoft Outlook Web App, Exchange ActiveSync, Unified Messaging, Post Office Protocol version 3 (POP3), Internet Message Access Protocol version 4 (IMAP4), and the Archive mailbox. Calendar Settings. Use this option to configure how a mailbox processes meeting requests. Mailbox Settings. There are four mailbox settings: messaging records management, federated sharing, storage quotas, and archive quota. E-Mail Addresses. Use this option to configure the e-mail addresses assigned to the mailbox.
Question: Why would you configure mailbox size limits on individual mailboxes?
3-10
Demonstration: How to Configure Mailbox Permissions
Key Points
In this demonstration, you will see how to assign Full Access and Send As permissions to a mailbox.
Demonstration Steps
Assign Wei Yu send as permissions on Kim Akerss mailbox: 1. 2. 3. 4. 5. 6. 7. Open Exchange Management Console. In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration, and then select Mailbox. In the Results pane, select the Kim Akers mailbox, and then in the Actions pane, click Manage Send As Permission. In the Manage Send As Permission Wizard, click . In the Select User or Group dialog box, choose Wei Yu, and then click OK. Click Manage. Click Finish.
Assign Wei Yu full access to Kim Akerss mailbox: 1. 2. 3. 4. Select the Kim Akers mailbox, and then in the Actions pane, click Manage Full Access Permission. In the Manage Full Access Permission Wizard, click Add. In the Select User or Group dialog box, choose Wei Yu, and then click OK. Click Manage, and then click Finish.
Question: When would more than one user need to access the same mailbox? Question: What is the difference between Send on behalf of permissions and Send As permissions?
3-11
Reasons for Moving Mailboxes
Key Points
You might need to move your organizations mailboxes. The following scenarios list the common reasons for moving mailboxes: Transition. When you transition an existing Exchange Server 2007 or Exchange Server 2003 organization to Exchange Server 2010, you need to move mailboxes from the existing Exchange servers to an Exchange Server 2010 Mailbox server. Realignment. You can move mailboxes to realign based on specific values. For example, you may want to move a mailbox from one database to another that has a larger mailbox size limit. Investigating an issue. If you need to investigate an issue with a mailbox, you can move that mailbox to a different server. For example, you can move all mailboxes that have corrupted messages to one server. Corrupted mailboxes. If you encounter corrupted mailboxes, you can move the mailboxes to a different server or database to fix the corruption. Physical location changes. You can move mailboxes to a server that is in a different Active Directory site. For example, if a user moves to a different physical location, you can move that users mailbox to a server that is in a site closer to the new location. Separation of administrative roles. A company may want to separate the administration of Microsoft Exchange from administration of Microsoft Windows accounts. To do this, you can move mailboxes from a single forest into a resource forest scenario, in which the Microsoft Exchange mailboxes reside in one forest and their associated Windows user accounts reside in a separate forest. Outsourcing e-mail administration. A company may want to outsource the administration of e-mail and retain the administration of Windows user accounts. To do this, you can move mailboxes from a single forest into a resource forest scenario, in which the Microsoft Exchange mailboxes reside in one forest and their associated Windows user accounts reside in a separate forest.
3-12
Integrating e-mail and user-account administration. A company might want to change from a separated or outsourced e-mail administration model to a model in which e-mail and user accounts are managed from the same forest. To do this, you can move mailboxes from a resource forest scenario to a single forest, in which the Microsoft Exchange mailboxes and Windows user accounts reside in the same forest. Reducing Database size. In cases where data has been removed from a database and there is a lot of white-space, rather than performing an offline defragmentation on the database, you can move the contained mailboxes online to a new database and delete the original database.
While a move request is in progress, the mailbox stays online, allowing the user to continue sending and receiving e-mail. You can view the move request status in the Exchange Management Console and Exchange Management Shell. The request can have one of the following statuses: Queued for move Move in progress Ready to complete Completing
3-13
Demonstration: How to Move Mailboxes
Key Points
In this demonstration, you will see how to move mailboxes by using the Exchange Management Console.
Demonstration Steps
Move Kim Akerss mailbox to Mailbox Database 1: 1. 2. 3. 4. 5. 6. 7. 8. 9. On VAN-EX1, if required, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console. In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration, and then select Mailbox. Select the Kim Akers mailbox, and then in the Actions pane, click New Local Move Request. In the New Local Move Request Wizard, click Browse. Select Mailbox Database 1, and then click OK. Click Next. Verify that Skip the mailbox is selected, and then click Next. Click New. Click Finish.
Question: What is the benefit of scheduling mailbox moves?
3-14
What Are Resource Mailboxes?
Key Points
Resource mailboxes are specific types of mailboxes that you can use to represent meeting rooms or shared equipment, and you can include them as resources in meeting requests. The Active Directory user that is associated with a resource mailbox is a disabled account. Room mailboxes. These are resource mailboxes that you can assign to meeting locations, such as conference rooms, auditoriums, and training rooms. Equipment mailboxes. These are resource mailboxes that you can assign to non-location-specific resources, such as portable computer projectors, microphones, or company cars.
You can include both types of resource mailboxes as resources in meeting requests, and thus provide a simple and efficient way to utilize resources for your users. You can configure resource mailboxes to automatically process incoming meeting requests based on the resource booking policies that are defined by the resource owners. For example, you can configure a conference room to automatically accept incoming meeting requests except recurring meetings, which can be subject to approval by the resource owner. You can create a resource mailbox as a room or as equipment. After creating the resource mail box, you must configure properties such as location and size. Then, you must define the resource booking policy and enable the resource booking attendant.
3-15
Designing Resource Booking Policies
Key Points
A resource booking policy specifies: Who can schedule a resource. When the resource can be scheduled. What meeting information will be visible on the resources calendar. The response message that meeting organizers will receive.
Exchange Server 2010 provides various resource mailboxes, such as meeting rooms and equipment. You can invite these resources to meetings as a way of reserving the meeting room or equipment. Exchange Server 2010 provides several options for managing users who can book meetings using resource mailboxes.
Options for Configuring Automate Processing Settings

Exchange Server 2010 provides several options that you can use for configuring resource mailbox settings and to customize it to meet most business needs. There are three values for Automate Processing: None, Booking Attendant (AutoAccept), and Calendar Attendant (AutoUpdate). By default, the Calendar Attendant is enabled on each resource mailbox. For the resource mailbox to process and accept meeting requests, you must enable the Booking Attendant. In Exchange Server 2010, both the Exchange Management Console and Exchange Management Shell can be used to configure resource mailboxes. Three common scheduling scenarios used are automatic booking, manual approval by delegates, and manual approval from the resources. To enable automatic booking, the booking attendant should be enabled and the policy should be configured.
3-16
To enable manual approval by delegates, the booking attendant should be enabled, and then All Book In Policy should be disabled. Next the All Request In Policy should be enabled, and the delegates should be specified. To enable manual approval from the mailbox, the booking attendant should be left disabled.
Considerations for Developing a Resource Booking Policy

When designing the resource booking policy, you must consider: Who can schedule a resource and whether all users should be able to book a resource for a meeting. You might accept the default settings for most resources in the organization, but consider restricting who can book heavily used or important resources. For example, if you use a resource room mailbox to manage the schedule for a large conference room, you may want to restrict who can book meetings in the conference room. When users can schedule the resource. You may want to set restrictions on the time of day when meetings can be booked with a resource, or restrict the meeting length or meeting recurrence. The automatic acceptance policy for the meeting resource. By default, all resource mailboxes are configured to accept all new appointment requests as tentative, until a user approves the request. Because the meeting is set to tentative, this also enables other users to book the meeting resource for the same time. By changing the Automate Processing attribute for the resource mailbox, you can modify the default behavior. The default value is configured as Auto Update. If you set the value to Auto Accept, the resource mailbox accepts all meetings from authorized users automatically, and prevents other users from booking the resource at the same time.
Question: How will you use resource mailboxes in your environment?
3-17
Demonstration: How to Manage Resource Mailboxes
Key Points
In this demonstration, you will use Exchange Management Console to create a resource mailbox, and then configure it to accept appointments and create a delegate for the resource.
Demonstration Steps
1. 2. 3. On VAN-EX1, if required, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console. In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration, and then select Mailbox. Create a new room mailbox with the following information: 4. 5. Name: Conference Room 1 User logon name (User Principal Name): ConferenceRoom1 Password: Pa$$w0rd Alias: ConferenceRoom1
After creating the room mailbox, modify the properties, and enable the resource booking attendant. Open Internet Explorer, and log on to Outlook Web App as Adatum\Administrator with the password of Pa$$w0rd. 6. In Outlook Web App, create a new Meeting Request. 7. In the Untitled Meeting window, type Sales Meeting as the subject, type Administrator in the To field, and type Conference Room 1 in the Location field, and then click the Scheduling Assistant tab. 8. Select a Start time and an End time. 9. Click the down arrow next to Select Rooms, and then click More. 10. In the Address Book window, double-click Conference Room 1, and then click OK. 11. Send the meeting request and verify that the resource accepted the invitation.
3-18
Question: How does your organization use resource mailboxes? Question: Which attributes are useful for your resource mailboxes?
3-19
Lesson 2
Managing Other Recipients
Exchange Server also includes other recipient types that provide additional functionality, such as sending e-mail to an entire company department or sharing e-mail addresses between users, for recipients outside your company. In this lesson, you will be introduced to the other recipient types in Exchange Server 2010 such as contacts and distribution groups. After completing this lesson, you will be able to: Describe the functionality of mail contacts and mail users. Describe the purpose of a distribution group. Explain the options for configuring distribution groups. Manage distribution groups by using the Exchange Control Panel.
3-20
What Are Mail Contacts and Mail Users?
Key Points
Mail contacts are mail-enabled Active Directory contacts. These contacts contain information about people or organizations that exist outside your Exchange Server organization. You can view mail contacts in the GAL and other address lists, and you can add them as members to distribution groups. Each contact has an external e-mail address, and all e-mail messages that are sent to a contact are automatically forwarded to that address. If multiple people within your organization contact a trusted external person, you can create a mail contact with the persons e-mail address. This allows Exchange Server users to select that person from the GAL for sending e-mail. Mail users are similar to mail contacts. Both have external e-mail addresses, they contain information about people outside your Exchange Server organization, and you can display them in the GAL and other address lists. However, unlike a mail contact, mail users have Active Directory logon credentials and can access resources to which they are granted permission. If a person external to your organization requires access to resources on your network, you should create a mail user instead of a mail contact. For example, you may want to create mail users for short-term consultants who require access to your server infrastructure, but who will use their own external e-mail addresses. In another scenario, you can create mail users for whom you do not want to maintain an Exchange Server mailbox. For example, after an acquisition, the acquired company may maintain its own messaging infrastructure, but it may also need access to your networks resources. For those users, you might want to create mail users instead of mailbox users. Question: When would you use mail-enabled contacts? Question: Why would you use a mail-enabled contact rather than a mail-enabled user?
3-21
What Are Distribution Groups?
Key Point
You can use mail-enabled groups to allow end users to send e-mail to multiple recipients. Mail-enabled groups also allow you to assign permissions simultaneously to multiple users for Exchange Server objects, such as private mailboxes and public folders. In Exchange Server 2010, mail-enabled groups belong to one of the following four categories: Universal Security groups. Can be mail-enabled and can be assigned permissions outside of Exchange Server. Distribution groups. Are mail-enabled and can only be assigned Exchange Server permissions for things such as Public folders. The two types of distribution groups are: Static Dynamic
Public groups. End users can manage these distribution groups through the Exchange Control Panel. Within Exchange Control Panel, the end user can add or remove group members, moderate the group, or even request access to other public groups. Moderated groups. These are distribution groups that allow the group manager to approve or reject either all messages sent to the group or from specific users. You can use moderated groups to restrict the conversations that occur between group members.
Question: When would your organization use distribution groups? Question: When would your organization use public and moderated groups?
3-22
Options for Configuring Distribution Groups
Key Points
Similar to the options available for configuring mailboxes, there are a number of options available for configuring mail-enabled groups. You can configure several options for Exchange Server distribution groups, including: Group membership. These are the objects that are in the distribution group. Maximum message size. Use this option to set the maximum size for messages that can be sent to the distribution group. Message delivery options. Use these options to configure which users can send messages to the group. Address list visibility. Use this option to hide the group from the address list. You can use this option when the distribution group is used mainly for receiving e-mail from the Internet, and internal users do not need it. Delivery of out-of-office messages. Enable this option to send out-of-office messages back to the message sender, if one of the distribution group recipients has enabled out-of-office notifications. Non-delivery reports. Use this option to configure non-delivery reports (NDR). You can choose to send an NDR or specify whether they are sent to the distribution lists manager or to the message originator. E-mail addresses for the group. Use this option to configure the distribution groups e-mail address. Message moderation. Use these options to assign moderators permissions to review all messages that are sent to the distribution list. You also can configure a list of users that do not require moderation. Additionally, you can configure notifications to alert the message originators if their message is approved or not. Membership approval. Use these options to control if and how users can join or leave the group:
3-23
Choose whether owner approval is required to join the group. If you choose Open, users can join this distribution group without the approval of the distribution group owners. If you choose Closed, only distribution group owners can add members to the group. Requests to join this distribution group will be rejected automatically. If you choose owner approval, users can request membership on this distribution group. The distribution group owner must approve requests to join the group before the user can join. Choose whether the group is open to leave. If you choose Open, users can leave this distribution group without the approval of the distribution group owners. If you choose Closed, only distribution group owners can remove members from this distribution group. Requests to leave this distribution group will be rejected automatically.
Question: What is the advantage of enforcing a naming convention for distribution groups?
3-24
Demonstration: How to Manage Groups by Using the Exchange Control Panel
Key Points
Public groups is a new feature that enables users that have the requisite permissions to add distribution groups, manage membership, and moderate content.
Demonstration Steps
Add Kim Akers to the Recipient Management role group: 1. 2. 3. 4. 5. On VAN-EX1, in Active Directory Users and Computers, add Kim Akers to the Recipient Management role group. Log on to Exchange Control Panel as Kim Akers, and create a new Sales Group. Log on to Exchange Control Panel as Adatum\Kim with the password of Pa$$w0rd. Select Public Groups, and create a new Public Group. In the New Group window, configure the following information: 6. Display name: Sales Alias: Sales Description: Sales Department
Add the following members: Manoj Syamala Rohinton Wadia Paul West
7. 8. 9.
Expand Membership Approval, and select Owner Approval. Click Save. Sign out of Exchange Control Panel.
3-25
Log on to ECP as Wei Yu, and ask to join the Sales group: 1. 2. 3. 4. 5. 6. Log on to Exchange Control Panel as Adatum\Wei with the password of Pa$$w0rd. In the left pane, select Groups. In the Public Groups I Belong to section, click Join. In the All Groups window, select Sales, and then click Join. Click Close. Sign out of Exchange Control Panel.
Approve Wei Yus request to be added to the Sales Group: 1. 2. 3. 4. Log on to Outlook Web App as Adatum\Kim with the password of Pa$$w0rd. Double-click the Request to Join Distribution Group message in the inbox. In the Request to Join Distribution Group message pane, click Approve. Close Outlook Web App.
Question: When would you use public groups?
3-26
Lesson 3
Configuring E-Mail Address Policies
In many messaging systems, you might host multiple Single Mail Transfer Protocol (SMTP) domains, and thus you would need to manage the e-mail addresses assigned to the Exchange recipients. To ensure that recipients have appropriate e-mail addresses, you can create and apply e-mail address policies. In this lesson, you will learn about e-mail address policies and how to configure them. After completing this lesson, you will be able to: Describe the purpose and functionality of e-mail address policies. Configure e-mail address policies.
3-27
What Are E-Mail Address Policies?
Key Points
For a recipient to send or receive e-mail messages, the recipient must have an e-mail address. E-mail address policies generate the primary and secondary e-mail addresses for your recipients so they can receive and send e-mail. You must create an accepted domain so that a domain in an e-mail address policy functions properly. An accepted domain is an SMTP namespace that you can configure Exchange servers to send messages to, or from which they can receive messages. By default, Exchange Server contains an e-mail address policy for every mail-enabled user. This default policy specifies the recipients alias as the local part of the e-mail address and uses the default accepted domain. The local part of an e-mail address is the name that appears before the @ symbol. However, you can configure how your recipients e-mail addresses display. To specify additional e-mail addresses for all recipients or just a subset, you can modify the default policy or create additional e-mail address policies.
Creating an E-mail Address Policy

Exchange Server applies an e-mail address policy to recipient group based upon an OPATH filter. OPATH is a querying language designed to query object-data sources. The filter defines the search scope in the Active Directory forest and the attributes to match. The New E-mail Address Policy Wizard provides a standard list of recipient scope filters. These include: All recipient types. Select this check box if you do not want to filter recipient type. Users with Exchange mailboxes. Select this check box if you want your e-mail address policy to apply to users who have Exchange Server 2010, Exchange Server 2007, and Exchange Server 2003 mailboxes. Users with Exchange mailboxes are those that have a user domain account and a mailbox in the Exchange organization. Users with external e-mail addresses. Select this check box if you want your e-mail address policy to apply to users who have external e-mail addresses. Users with external e-mail accounts have user domain accounts in the Active Directory directory service, but use e-mail accounts that are external to the organization. This enables them to be included in the GAL and added to distribution lists.
3-28
Resource mailboxes. Select this check box if you want your e-mail address policy to apply to Exchange resource mailboxes. Resource mailboxes let you administer company resources, such as a conference room or company vehicle, through a mailbox. Contacts with external e-mail addresses. Select this check box if you want your e-mail address policy to apply to contacts with external e-mail addresses. Mail-enabled groups resemble distribution groups, as messages sent to a mail-enabled group account will go to several recipients. Mail-enabled groups. Select this check box if you want your e-mail address policy to apply to security groups or distribution groups that have been mail-enabled.
The second part of the E-mail Address Policy filter has conditions in one of the following categories: Recipient is in a State or Province. Select this check box if you want the e-mail address policy to include only recipients from specific states or provinces. The Address and Phone tabs in the recipients properties contains this information. Recipient is in a Department. Select this check box if you want the e-mail address policy to include only recipients in specific departments. The Organization tab in the recipients properties contains this information. Recipient is in a Company. Select this check box if you want the e-mail address policy to include only recipients in specific companies. The Organization tab in the recipients properties contains this information. Custom Attribute equals Value. There are 15 custom attributes for each recipient. There is a separate condition for each custom attribute. If you want the e-mail address policy to include only recipients that have a specific value set for a specific custom attribute, select the check box that corresponds to that custom attribute.
When creating an e-mail address policy, you can use the following e-mail address types: Precanned SMTP e-mail address. Precanned SMTP e-mail addresses are commonly used e-mail address types that Exchange Server provides for you. Custom SMTP e-mail address. If you do not want to use one of the precanned SMTP e-mail addresses, you can specify a custom SMTP e-mail address. NonSMTP e-mail address. Exchange Server 2010 supports a number of nonSMTP address types.
3-29
Demonstration: How to Configure E-Mail Address Policies
Key Points
In this demonstration, you will see how to modify existing e-mail address policies, create new policies, and configure an alias.
Demonstration Steps
Create a new e-mail address policy for Fourth Coffee recipients: 1. 2. 3. Open the Exchange Management Console. In the Console Tree, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then select Hub Transport. Create a new e-mail address policy named with these attributes: 4. 5. 6. Name: Fourth Coffee Display Name: Fourth Coffee Recipient container to apply filter: Adatum.com Included recipient types: All Recipient types
Use the user Alias as the local part of the e-mail address. Select fourthcoffee.com as the accepted domain. Apply the e-mail address policy immediately.
Verify that the e-mail address policy has been applied: 1. 2. 3. 4. In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration, and then select Mailbox. In the Results pane, double-click Jane Dow. View the current E-Mail addresses that have been assigned. Change the Company attribute to Fourth Coffee.
3-30
5.
View the current e-mail addresses that have been assigned.
3-31
Lesson 4
Configuring Address Lists
Address lists are similar to a telephone book in that they provide a clearinghouse in which users can locate, send e-mail to, and find information about, other users. In larger or specialized organizations, you may need to modify the lists organization. In this lesson, you will learn about address lists and how to manage them. After completing this lesson, you will be able to: Explain the functionality of address lists. Explain the reasons for configuring address lists. Configure address lists. Describe how to configure offline address books. Describe the options for deploying offline address books.
3-32
What Are Address Lists?
Key Points
Address lists are recipient objects that are grouped together based on a Lightweight Directory Access Protocol (LDAP) query for specific Active Directory attributes. You can use address lists to sort the GAL into multiple views, which makes it easier to locate recipients. This is especially helpful for very large or highly segmented organizations. Similar to configuring e-mail address policies, you can configure address lists with recipient filters that determine which objects belong in each address list. Address lists are evaluated every time a mail-enabled account is modified to determine on which address lists it should appear.
3-33
Discussion: Reasons for Configuring Address Lists
Key Points
For most small or medium organizations, you would not need to make changes to the default address lists. However, in large organizations, you might need to modify the default configuration. Question: What are the reasons for creating multiple address lists? Geographic organization. Departmental organization. Recipient type organization.
Question: How do you use address lists in your organization? Question: How do you use a recipient filter and Active Directory attributes to create address lists? Is the necessary information already in Active Directory accounts?
3-34
Demonstration: How to Configure Address Lists
Key Points
In this demonstration, you will see how to create and configure address lists.
Demonstration Steps
Create a new E-mail Address list for Fourth Coffee recipients: 1. 2. 3. Open Exchange Management Console. In the Console Tree, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then select Mailbox. Create a new address list with the following attributes. 4. 5. 6. Name: Fourth Coffee Display Name: Fourth Coffee Container: \ Recipient container to apply filter: Adatum.com Included recipient types: All Recipient types
Use the Recipient is in a Company condition to apply this policy to only recipients that list Fourth Coffee for their company attribute. Preview the address list. Apply the e-mail address list immediately.
Verify the new address list is working: 1. 2. 3. Log on to Outlook Web App as Adatum\George with the password of Pa$$w0rd. Open the Address book, and view the members of the Fourth Coffee address list. Close Outlook Web App.
3-35
Configuring Offline Address Books
Key Points
Exchange Server 2010 provides several configuration options for deploying offline address books offline address books. Outlook uses the offline address book when you configure it to use a cached mode Outlook profile or when it is in offline mode. The default offline address book contains the entire GAL, but does not include any additional GALs that have been created. By default, the offline address book is generated only once each day. This means that any additions, deletions, or changes made to mail-enabled recipients are only committed to the offline address book once each day, unless you modify the schedule to generate the offline address book more often. In many environments, you would need to modify the offline address book generation schedule to accommodate the rate of change in a particular Exchange Server organization. As a best practice, whether you use a single offline address book or multiple offline address books, consider the following factors as you plan and implement your offline address book strategy: Size of each offline address book in your organization. Number of offline address book downloads. How many clients will you need to download the offline address book? Overall number of changes made to the directory. If a large number of changes are made, the size of the differential offline address book downloads also will be large.
3-36
Options for Deploying Offline Address Books
Key Points
Public folder distribution is the distribution method by which Outlook 2003, or clients that are working offline or through a dial-up connection, access the offline address book. With public folder distribution, the generation process for the offline address book places the files directly in one of the public folders, and then Exchange Server store replication copies the data to other public folder distribution points. Outlook 2007 and newer clients that are working in cached mode, offline or through a dial-up connection, use Web-based distribution to access the offline address book. Web-based distribution does not require the use of public folders. With Web-based distribution, after the offline address book generates, the Client Access server replicates the files. Web-based distribution uses HTTPS and BITS. If you require redundancy, you can use multiple Client Access servers as publishing points.
3-37
Lesson 5
Performing Bulk Recipient Management Tasks
Managing a large number of recipients can be time consuming. Manual changes also are also prone to error. You can use the Exchange Management Shell to create scripts that automate these management tasks. In this lesson, you will be introduced to bulk management of recipients and using Exchange Management Shell to manage multiple recipients. After completing this lesson, you will be able to: Describe the benefits of managing recipients in bulk. Manage multiple recipients.
3-38
Discussion: Benefits of Managing Recipients in Bulk
Key Points
Exchange Management Shell cmdlets are powerful tools that you can use for managing multiple recipients simultaneously. The cmdlets use features such as pipelining and filtering to sort the results of one cmdlet and apply the result to another cmdlet. Exchange Management Shell also is a very powerful scripting tool for managing multiple recipients in bulk. In small organizations, you might not need to manage multiple recipients at the same time. However, in medium or large organizations, you may often need to manage multiple users at the same time, and it is useful to know how to use Exchange Management Shell to do that. Question: Describe situations where you need to create multiple recipients. Question: Describe situations where multiple recipients need to be modified.
3-39
Demonstration: How to Manage Multiple Recipients
Key Points
Exchange Management Shell provides several features that you can use to perform bulk recipient management. For relatively simple tasks, you can pipe output between cmdlets to retrieve a list of appropriate objects, and then you can modify them. You can use scripting for complex tasks, such as creating users from a .csv file.
Demonstration Steps
1. The instructor will run the following cmdlets:
Get-User filter {Company eq "Fourth Coffee"} Disable-mailbox Jane Get-User filter {Company eq "Fourth Coffee"} | Enable-Mailbox database "Mailbox Database 1"
2.
The instructor will run the following script. The script will create mailboxes based on information provided in a .csv file.
## Section 1 ## Define Database for new mailboxes $db="Mailbox Database 1" ## Define User Principal name $upndom="Adatum.com" ## Section 2 ## Import csv file into variable $users $users = import-csv $args[0] ## Section 3 ## Function to convert password string to secure string function SecurePassword([string]$plainPassword) { $secPassword = new-object System.Security.SecureString
3-40
Foreach($char in $plainPassword.ToCharArray()) { $secPassword.AppendChar($char) } } $secPassword
## Section 4 ## Create new mailboxes and users foreach ($i in $users) { $sp = SecurePassword $i.password $upn = $i.FirstName + "@" + $upndom $display = $i.FirstName + " " + $i.LastName New-Mailbox -Password $sp -Database $db DisplayName $display -UserPrincipalName $upn -Name $i.FirstName -FirstName $i.FirstName -LastName $i.LastName OrganizationalUnit $i.OU }
3.
In Exchange Management Console, verify that the users listed in the .csv file have been created.
Question: Which tasks will you automate with PowerShell scripts?
3-41
Lab: Managing Exchange Recipients
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must: 1. 2. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and 10135A-VAN-CL1 virtual machines are running. 3. 10135A-VAN-DC1: Domain controller in the Adatum.com domain. 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain. 10135A-VAN-CL1: Windows 7 client computer in the Adatum.com domain.
If required, connect to the virtual machines. Log on to the computers as Adatum\Administrator, using the password Pa$$w0rd.
Lab Scenario
You are the messaging administrator for A. Datum Corporation. Your company is purchasing a new company called Adventure Works. Adventure Works recipients will need to maintain a separate e-mail domain and address list. You also must create new mailboxes for the new departments employees.
3-42
Exercise 1: Managing Recipients

Scenario
Your manager wants you to complete several tasks in preparation for the Adventure Works acquisition project. The main tasks for this exercise are: 1. 2. 3. 4. 5. Create and configure a mailbox for called Adventure Works Questions. Create a resource mailbox and configure auto-accept settings for the Adventure Works Project Room. Move George Schallers mailbox to VAN-EX1\Mailbox Database 1. Create and configure a mail-enabled contact for Ian Palangio at Woodgrove Bank. Create a moderated distribution list for Adventure Works Project, and delegate an administrator.
Task 1: Create and configure a mailbox called Adventure Works Questions

1. 2. 3. On VAN-EX1, open the Exchange Management Console. Create a new mailbox named Adventure Works Questions in the Mailbox Database 1 database. Configure a user logon name of AdventureWksQ, and a password of Pa$$w0rd. Assign George Schaller full access to the Adventure Works Questions mailbox.
Task 2: Create a resource mailbox, and configure auto-accept settings for the
ProjectRoom
1. 2. In Exchange Management Console, create a new room mailbox named ProjectRoom in the Mailbox Database 1 database. Configure a user logon name of ProjectRoom, and a password of Pa$$w0rd. Enable the Booking Attendant on ProjectRoom.
Task 3: Move George Schallers mailbox to VAN-EX1\Mailbox Database 1

In Exchange Management Console, create a new local move request to move George Schallers mailbox to VAN-EX1\Mailbox Database 1.
Task 4: Create and configure a mail-enabled contact for Ian Palangio at Woodgrove
Bank
In Exchange Management Console, create a new mail-enabled contact for Ian Palangio, using an alias of IanPalangioWB and an e-mail address of ian.palangio@woodgrovebank.com.
Task 5: Create a moderated distribution list for the Adventure Works Project, and
delegate an administrator
1. 2. In Exchange Management Console, create a new Distribution group called Adventure Works Project with an alias of AdventureWorksProject. Add the following recipients to the Adventure Works Project group: 3. George Schaller Ian Palangio Wei Yu Paul West
Specify George Schaller as the group moderator, and enable moderation of all messages.
Task 6: Verify that changes were completed successfully

1. Log on to VAN-CL1 as Administrator, and open Outlook.
3-43
2. 3.
Create and send a new meeting request. Invite the Adventure Works Project group, and specify ProjectRoom as the room. On VAN-EX1, open Outlook Web App, log on as Adatum\George, using the password Pa$$w0rd, and accept the meeting request message. Send the response now. Results: After this exercise, you should have completed all of the assigned tasks, which include creating a mailbox, creating a resource mailbox, moving a mailbox, creating a contact, and creating a moderated distribution group.
3-44
Exercise 2: Configuring E-Mail Address Policies

Scenario
Adventure Works maintains a distinct identity for customers, but some functions, such as accounting, are integrated with A. Datum Corporation. To ensure that users receive all e-mail properly, they must be able to receive e-mail at all domains, but use their own domain as the reply-to address. The main tasks for this exercise are: 1. 2. Create an e-mail address policy for Adventure Works users. Verify that addresses were applied to A. Datum users.
Task 1: Create an e-mail address policy for Adventure Works users

3. 4. On VAN-EX1, open the Exchange Management Console. Create a new e-mail address policy with the following configuration: a. b. c. Apply to all recipients with a company attribute of Adventure Works the Adatum.com domain. SMTP address: first name.last name@adventure-works.com. Accepted domain: Adventure-works.com.
Task 2: Verify that addresses are applied correctly

1. 2. In the Exchange Management Console, view the properties for George Schaller, and modify his company description to Adventure Works. Confirm that George Schaller has an e-mail address using the adventure-works.com domain. Results: After this exercise, you should have created an e-mail address policy for Adventure Works users.
3-45
Exercise 3: Configuring Address Lists

Scenario
New address lists and offline address books are necessary to organize the address books for users in the combined A. Datum and Adventure Works organization. However, each organization requires a separate address to make it easier to find users. You also must create a new offline address book that includes those address lists to support sales people with portable computers. The main tasks for this exercise are: 1. 2. 3. 4. 5. Create an empty container address list named Companies. Create a new address list for Adventure Works recipients. Create a new address list for A. Datum recipients. Verify the new address list is available in Outlook. Create a new offline address book for the Adventure Works address list.
Task 1: Create an empty container address list named Companies

1. 2. On VAN-EX1, open the Exchange Management Console. In the Mailbox node of the Organization Configuration work center, create a new address list named Companies with no recipients.
Task 2: Create a new address list for Adventure Works recipients

Create a new address list Adventure Works in Companies for all recipients with the Company Adventure Works.
Task 3: Create a new address list for A. Datum Corporation recipients

Create a new address list A Datum in Companies for all recipients with the Company A. Datum.
Task 4: Verify the new address list is available in Outlook

1. 2. 3. Log on to VAN-CL1 as Administrator, and open Outlook. Verify that the address book contains the address lists for A. Datum and Adventure Works. Log off VAN-CL1.
Task 5: Create a new offline address book for the Adventure Works address list to
support both Office Outlook 2003 and Outlook 2007 clients
1. 2. On VAN-EX1, open Exchange Management Console. Create a new offline address book named Companies with the Adventure Works and A. Datum address lists, and enable distributions through Web-based distribution and public folders. Use the OAB folder on VAN-EX1 for Web-based distribution. Close the Exchange Management Console. Results: After this exercise, you should have created an address list for the A. Datum and Adventure Works users, and an offline address book for each organization.
3.
3-46
Exercise 4: Performing Bulk Recipient Management Tasks

Scenario
Your manager left you a number of recipient management tasks to complete for the new Adventure Works users: Add a header line to the .csv file exported from the Human Resources (HR) system. Modify the CreateUsersLab.ps1 script, and import Adventure Works users from a .csv file. Define mailbox limits for all users in the Adventure Works company.
The main tasks for this exercise are: 1. 2. 3. 4. 5. Add a header line to the .csv file exported from the Human Resources (HR) system. Modify the CreateUsersLab.ps1 script to Adventure Works users from a .csv file. Create the AdventureWorks OU in the Adatum.com domain Run CreateUsersLab.ps1 to Adventure Works users from a .csv file. Define mailbox limits for all Adventure Works company users.
Task 1: Add a header to the .csv file exported from the HR system
1. 2. On VAN-EX1, open D:\Labfiles\Users.csv in Notepad. Add a header line that defines each column: 3. FirstName LastName Password
Save the changes to Users.csv, and close Notepad.
Task 2: Modify the CreateUsersLab.ps1 script to import Adventure Works users from a
.csv file
1. 2. Open D:\Labfiles\CreateUsersLab.ps1 in Notepad. Modify CreateUsersLab.ps1 as required to: 3. Configure the database to create users as Mailbox Database 1. Configure the user principal name to be adatum.com. Place users in the AdventureWorks OU. Configure the .csv import file to be D:\Labfiles\Users.csv. Configure the $pwd to be based on the password field in the Users.csv. Configure the first and last name. Configure the user principal name (UPN) as first name@adatum.com. Configure the alias to be the first name and last name, with no space between the names. Configure the display name to be the first name and last name, with a space between the names.
Save the changes to CreateUsersLab.ps1, and close Notepad.
Task 3: Create the AdventureWorks Organizational Unit

1. 2. Open Active Directory Users and Computers. Create an OU named AdventureWorks.
3-47
Task 4: Run CreateUsersLab.ps1 to import the Adventure Works Users

1. 2. Open the Exchange Management Shell. Run D:\Labfiles\CreateUsersLab.ps1.
Task 5: Set mailbox limits for all Adventure Works users

1. Run Get-Mailbox cmdlet to retrieve a list of all Adventure Works users: 2. OrganizationalUnit: AdventureWorks
Set mailbox limits by piping the list of mailboxes to the Set-Mailbox cmdlet: IssueWarningQuota 100MB ProhibitSendQuota 150MB
Results: After this exercise, you should have created all of the additional Adventure Works users with an Exchange Management Shell script, and then have set the storage quota.
To Prepare for the Next Module

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps: 1. 2. 3. 4. 5. On the host computer, start Hyper-V Manager. Right-click the virtual machine name in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start. To connect to the virtual machine for the next modules lab, click 10135A-VAN-DC1, and then in the Actions pane, click Connect. Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines. 6. 7. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine. Wait for VAN-EX1 to start, and then start VAN-EX2. Connect to the virtual machine. Important: If you are using Windows Server 2008 R2 as the host operating system, complete the following steps before starting VAN-CL1. 1. In the Hyper-V Management console, in the Virtual Machines pane, right-click 10135A-VAN-CL1, and click Settings. 2. Click Network Adapter, and select the Enable spoofing of MAC addresses check box. Click OK. This step is required in order for the Windows Mobile Device emulator to communicate on the virtual network. 8. Wait for VAN-EX2 to start, and then start VAN-CL1. Connect to the virtual machine.
3-48
Review Questions
1. 2. 3. How would you ensure that meeting requests to room mailboxes are validated manually before being approved? How would you give access to allow a user to send messages from another mailbox, without giving them access to the mailbox contents? What should you consider when configuring offline address book distribution?
Common Issues Related to Configuring Offline Address Books

Identify the causes for the following common issues related to configuring offline address books, and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module. Issue Troubleshooting tip
The offline address book is not up- Check to make sure that the offline address book is scheduled to be to-date with changes made during generated more than one time each day. the day. Outlook 2003 clients are not able to download the offline address book. Check to make sure the offline address book is being distributed in a public folder.

1. A company that has two large divisions and one Exchange Server organization. Employees in each division rarely communicate with each other. What can you do to reduce the number of recipients the employees of each division see when they open the Exchange address list?
3-49
2.
An organization has a large number of projects that leverage distribution groups. Managing group members takes considerable time. You need to reduce the time the help desk spends managing groups so that they can work on other issues. You employ contractors that need an e-mail address from your company. The company needs to enable the contracts to receive these messages in their current third-party mailboxes.
3.
Best Practices Related to Managing Recipient Objects

Supplement or modify the following best practices for your own work situations: Define clear naming conventions and adhere to them. Naming conventions help identify location and purpose of recipient objects, and helps both end users and administrators locate recipients easily. Test global changes prior to making them in production. Changes to global settings, like e-mail address policies, should be tested in a lab environment before you make changes in production. This avoids configuration errors.
3-50
Managing Client Access
4-1
Module 4
Contents:
Lesson 1: Configuring the Client Access Server Role Lesson 2: Configuring Client Access Services for Outlook Clients Lab A: Configuring Client Access Servers for Outlook Anywhere Access Lesson 3: Configuring Outlook Web App Lesson 4: Configuring Mobile Messaging Lab B: Configuring Client Access Servers for Outlook Web App and Exchange ActiveSync 4-3 4-18 4-37 4-43 4-53 4-61
4-2
Module Overview
Microsoft Exchange Server 2010 provides access to user mailboxes for many different clients. All messaging clients access Exchange Server mailboxes through a Client Access server. Because of the importance of this server role, you must understand how to configure it to support all different client types. This module provides details on how to implement the Client Access server role in Exchange Server 2010. After completing this module, you will be able to: Configure the Client Access server role. Configure Client Access services for Outlook Clients. Configure Microsoft Office Outlook Web App. Configure mobile messaging.
4-3
Lesson 1
Configuring the Client Access Server Role
You can implement the Client Access server role on an Exchange server that has other roles except the Edge Transport server role. Alternately, you can deploy the Client Access server role on one or more dedicated servers. In many organizations, the Client Access server is accessible from the Internet, thus securing the Client Access servers is an important part of deployment. This lesson describes the process for deploying and securing a Client Access server. After completing this lesson, you will be able to: Describe how client access works in Exchange Server 2010. Describe how client access works with multiple sites. Describe the Client Access server deployment options. Configure a Client Access server. Secure a Client Access server. Explain Client Access server deployment considerations. Configure Client Access server certificates. Describe the configuration options for Post Office Protocol 3 (POP3) and Internet Message Access Protocol 4 (IMAP4) client access. Describe how to configure the Client Access server for secure Internet access.
4-4
How Client Access Works
Key Points
In Exchange Server 2010, all messaging clients connect to a Client Access server when accessing an Exchange Server mailbox. For users to access their mailbox, you must deploy a Client Access server in the same site as the Mailbox server. Important: In Exchange Server 2007 or earlier Exchange server versions, MAPI clients such as Microsoft Office Outlook, connect directly to Mailbox servers. In Exchange Server 2010, with the introduction of the Remote Procedure Call (RPC) Client Access service, MAPI clients no longer connect directly to the Mailbox servers for mailbox access.
How Client Access Servers Work

The following steps describe what happens when a messaging client connects to the Client Access server: 1. If the client connects from the Internet using a non-MAPI connection, then the client connects to the Client Access server using the client protocol. Only the protocol ports for client connections must be available on the external firewall. If the client connects from the internal network using Office Outlook configured as a MAPI client, then the client connects to the Client Access server using MAPI RPC connections. The Client Access server connects to a Microsoft Active Directory directory service domain controller by using Kerberos to authenticate the user. Internet Information Services (IIS) or the RPC Client Access service on the Client Access server performs the authentication. The Client Access server uses a Lightweight Directory Access Protocol (LDAP) request to a global catalog server to locate the Mailbox server that manages the users mailbox. The Client Access server connects to the Mailbox server using a MAPI RPC to submit messages to the mailbox database, or to read messages.
2. 3.
4.
4-5
How Client Access Works with Multiple Sites
Key Points
Deploying Client Access servers in an environment with multiple Active Directory sites adds complexity to deployment planning, particularly when you consider the options for providing Internet access to those Client Access servers.
How Client Access Works with Multiple Internet Access Points

If you have multiple Active Directory sites, you can provide Internet access to each sites Client Access servers. To enable this option, you must configure an external URL for each Client Access server. You also must ensure that clients can resolve the URL name in the Domain Name System (DNS) and can connect to the Client Access server using the appropriate protocol. When an Internet client connects to the Client Access server from the Internet in this scenario, the Client Access server authenticates the user, and then queries a global catalog server for the user mailbox location. At this point, the Client Access server has two options: 1. 2. If the users mailbox is located in the same site as the Client Access server, then the Client Access server connects to the mailbox server to fulfill the client request. If the users mailbox is located in a different site from the Client Access server, the Client Access server contacts a domain controller to locate the Client Access server in the site where the user mailbox is located. If you configure the Client Access server with an external URL, then the Client Access server redirects the client request to the Client Access server in the site that contains the user mailbox. If you do not configure an external URL for the Client Access server in the site that contains the user mailbox, the Client Access server receiving the request proxies the client request to the Client Access server in the appropriate site.
4-6
Note: Exchange Server 2010 can redirect only Outlook Web App clients to another Client Access server in a different site. It proxies all other Client Access server client requests to a Client Access server in the same site as the user mailbox. To optimize access for non-Outlook Web App clients, you must configure the clients to connect directly to a Client Access server in the users home site.
How Client Access Works with a Single Internet Access Point

The Client Access server in the site containing the user mailbox might not be accessible from the Internet, or it might not have an external URL configured. In this scenario, when the user connects to a Client Access server in a site that does not contain the user mailbox, the Client Access server proxies the client request to the Client Access server in the site where the users mailbox is located. This proxy process uses the same protocol as the client. In the destination site, the Client Access server then uses RPC to connect to the Mailbox server managing the user mailbox. For the Client Access server to proxy the client request, you must configure the Client Access servers that are not accessible from the Internet to use Integrated Windows authentication. Exchange Server supports proxying for clients that use Outlook Web App, Microsoft Exchange ActiveSync, and Exchange Web Services. Best Practice: To optimize user mailbox access, you should enable Internet access to the Client Access servers in each site. This access is particularly important if you have slow network connections between Active Directory site locations.
4-7
Deployment Options for a Client Access Server
Key Points
When planning your Client Access server deployment, you must meet certain requirements to ensure a successful deployment. Additionally, there are options for deploying Client Access servers in scenarios where servers require higher availability, or you have multiple sites.
Requirements for Client Access Server Deployment

When you deploy Client Access servers, you must meet the following requirements: You must have at least one Client Access server in each Active Directory site where you have Mailbox servers deployed. Client Access servers should have a fast network connection to Mailbox servers, to support RPC connectivity. Client Access servers should have a fast network connection to domain controllers and global catalog servers. If users need to access their mailboxes from the Internet through the Client Access server, then the server must be accessible from the Internet using HTTP or HTTPS, IMAP4, or POP3. Best Practice: Because the server running the Client Access server role must be a member server in an Active Directory domain, you cannot deploy the Client Access server role in a perimeter network. Instead, use an application layer firewall, such as Microsoft Forefront Threat Management Gateway, to publish the Client Access server services to the Internet.
Options for Client Access Server Deployment

The Client Access server role performs a critical function in your Exchange Server organization. You have the following options when deploying the Client Access server role:
4-8
You can deploy the Client Access server role on the same computer as all other Exchange Server 2010 server rolesexcept for the Edge Transport server role. Installing all server roles on a single server does not provide additional availability, and does offer limited scalability. You can deploy the Client Access server role on a dedicated server. This deployment provides additional scalability and performance benefits. You also can deploy multiple servers running the Client Access server role. To provide high availability for Client Access servers, you can deploy Network Load Balancing, or deploy a hardware network load balancer to manage connections to the Client Access servers. In Exchange Server 2010, you also can configure Client Access arrays to provide failover and redundancy. A Client Access array is a container object used by Exchange Server 2010 Client Access servers. When you deploy database availability groups (DAGs) Exchange Server 2010 uses Client Access arrays to track which mailbox databases are located in each Active Directory site, and to manage the client connection failovers to the local mailbox databases.
Note: You can install Client Access servers on Mailbox servers that are DAG members. However, just adding the Client Access server to a DAG member does not provide high availability for the Client Access server. To provide high availability for Client Access servers, you need to implement a Client Access array, and deploy a network load balancing solution. For more information on Client Access arrays, see Module 7, Implementing High Availability.
4-9
Demonstration: How to Configure a Client Access Server
Key Points
In this demonstration, you will see how to configure the global Client Access server settings, as well as the settings for each Client Access server in the organization.
Demonstration Steps
1. 2. Open the Exchange Management Console. In the Exchange Management Console, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Client Access. You apply settings to all Client Access servers and mailboxes while in the Organization Configuration node. Review the default polices on the Outlook Web App Mailbox Policies and Exchange ActiveSync Mailbox Policies tabs. In the left pane, expand Server Configuration, and then click Client Access. Examine the properties of one of the listed Client Access servers. These properties display information only, and cannot be used to configure the server settings. In the results pane, review the settings available on each of the tabs. These settings configure the Client Access server settings for the Client Access server virtual directories.
3. 4. 5. 6.
Question: Why would you create multiple Outlook Web App Mailbox policies or Exchange ActiveSync polices, rather than just use the default policies? Question: Why would you modify the server settings on one Client Access server to be different from those on another Client Access server?
4-10
Securing a Client Access Server
Key Points
In many organizations, the Client Access server is accessible from the Internet for Outlook Anywhere, Outlook Web App, or Exchange ActiveSync clients. Therefore, it is critical that you ensure that the Client Access server that faces the Internet is as secure as possible.
Securing Communications Between Clients and Client Access Servers

To encrypt the network traffic between messaging clients and the Client Access server, you must secure the network traffic using Secure Sockets Layer (SSL). To configure the Client Access server to use SSL, complete the following steps: 1. Obtain and install a server certificate on the Client Access server. Ensure that the certificate name exactly matches the server name that users will use to access the Client Access server. Also ensure that the certificate that the Certification Authority (CA) issues is trusted by all of the client computers and mobile devices that will be accessing the server. Configure the Client Access server virtual directories in IIS to require SSL.
2.
Configuring Secure Authentication

Exchange Server 2010 provides several authentication options for clients communicating with the Client Access server. If the server has multiple authentication options enabled, it negotiates with the client to determine the most secure authentication method that both support. Standard Authentication Options The following standard authentication options are available on the Client Access server: Integrated Windows authentication. Integrated Windows authentication is the most secure standard authentication option.
4-11
Important: When using a single Internet-accessible Client Access server for all sites, you must enable Windows Integrated authentication on all of the Client Access servers that are not Internet accessible. For example, the outward-facing Outlook Web App server can use forms-based authentication, but the internal Client Access servers must be configured to allow Integrated Windows authentication. Digest authentication. Digest authentication secures the password by transmitting it as a hash value over the network. Basic authentication. Basic authentication transmits passwords in clear text over the network: therefore, you should always secure Basic authentication by using SSL encryption. Basic authentication is the authentication option that is most widely supported by clients.
Forms-Based Authentication Forms-based authentication is available only for Outlook Web App and ECP. When you use this option, it replaces the other authentication methods. This is the preferred authentication option for Outlook Web App because it provides enhanced security. When you use forms-based authentication, Exchange Server uses cookies to encrypt the user logon credentials in the client computer's Web browser. Tracking the use of this cookie allows Exchange Server to time-out inactive sessions. The time required before an inactive session times out varies depending on the computer type selected during logon. If you choose a public or shared computer, the session times out after 15 minutes of inactivity. If you choose a private computer, the session times out after 12 hours of inactivity. Note: You can configure the time-out values for public and private computers by modifying the Client Access server registry. You can do this by using the Regedit utility, or the Set-ItemProperty cmdlet. For more information about how to configure these settings, see the Set the Forms-Based Authentication Private Computer Cookie Time-Out Value topic in Exchange Server 2010 Help. Forms-based authentication is enabled by default for Outlook Web App, and for ECP.
Protecting the Client Access Server with an Application Layer Firewall

To provide an additional layer of security for network traffic and to protect the Client Access server, deploy an application-layer firewall or reverse proxy, such as Microsoft Internet Security and Acceleration (ISA) Server 2006 or Forefront Threat Management Gateway, between the Internet and the Client Access server. Application layer firewalls provide the following benefits: You can configure the firewall as the endpoint for the client SSL connection. You can offload SSL decryption to the firewall. If you use ISA Server 2006 or Forefront Threat Management Gateway as the application layer firewall, you can configure the firewall to pre-authenticate all client connections using forms-based authentication. Note: If you use certificate-based authentication for Exchange ActiveSync, you must configure a server-publishing rule that forwards the client traffic to the Exchange Server computer without decrypting the packets on the ISA Server computer.
4-12
Considerations for Implementing Client Access Server Certificates
Key Points
Because of the importance of using SSL secure network traffic between Client Access servers and messaging clients, you must ensure that you deploy the appropriate certificates on the Client Access servers. You can secure all client connections to the Client Access server using SSL. Note: By default, the Client Access server is configured with a self-signed certificate that is not trusted by clients. You should remove this certificate and install a certificate from a trusted CA.
Choosing a Certification Authority

One of the most important considerations when planning the use of certificates is identifying the source of the certificates. Exchange Server 2010 can use self-signed certificates, certificates issued by a public CA, or certificates issued by a private CA. In an Exchange Server 2010 environment, you can use the self-signed certificates for internal communication, such as for securing Simple Mail Transfer Protocol (SMTP) connections between Hub Transport servers. You also can use these certificates to secure client connections to Client Access servers. However, because none of the client computers trusts this certificate, we do not recommend this solution. Rather, you should consider obtaining a certificate from a public CA or internal CA for all Client Access servers. In most cases, you should deploy a certificate issued by a public CA if users access the Client Access server from the Internet. If users access the Client Access server from the Internet, it is important that the clients trust this certificate, and that they have access to certificate revocation lists from any location. If only computers that are members of the internal domain access the Client Access server, you could consider using an internal, or private, CA. By deploying an Enterprise CA, you can automate the process of distributing and managing certificates and certificate revocation lists.
4-13
Note: If you are planning to enable Federated Sharing, you must obtain a certificate for your Internet-accessible Client Access servers from a public, trusted CA.
Identifying the Client Protocols Required

As you plan the certificate deployment, you need to determine the client protocols that are used to connect to the Client Access server, and ensure that your certificate is configured for each certificate type.
Planning the Certificate Names

For clients to connect to the Client Access server using SSL without receiving an error message, the names on the certificate must match the names that the clients use to connect to the server. You can implement this configuration by using the following options: Obtain a separate certificate for each client protocol that requires a unique name. This may require multiple certificates for all Client Access servers. This may also require multiple Web sites in IIS. This is the most complicated option to configure. Configure all clients to use the same server name. For example, you could configure all clients to use the server name mail.contoso.com, and obtain a certificate for just that one name. Obtain a certificate with multiple subject alternative names. Most public CAs support the use of multiple names in the certificates subject alternative name extension. When you use one of these certificates, clients can connect to the Client Access server using any of the names listed in the subject alternative name. Use a certificate with a wildcard name. Most public CAs also support the use of wildcards in the certificate request. For example, you could request a certificate using the subject of *.contoso.com, and use that certificate for client connections. Note: Not all clients support wildcard certificates. Microsoft Outlook, Microsoft Internet Explorer, and Window Mobile 6 or newer clients support wildcard certificates, but you need to verify this functionality for all messaging clients that are used in your organization before deploying these certificates. Deploying wildcard certificates is also considered a security risk in many organizations because the certificate can be used for any server name in the domain. If this certificate is compromised, all hosts names for the organization are also compromised.
4-14
Demonstration: How to Configure Certificates for Client Access Servers
Key Points
In this demonstration, you will see how to configure a Windows Server 2008 Certification Authority to support certificate requests with multiple subject alternative names. You will then see how to use the New Exchange Certificate Wizard to request a certificate for a Client Access server, and how to install that certificate.
Demonstration Steps
By default, the Windows Server 2008 Certification Authority does not issue certificates with multiple subject alternative names, so you will need to modify the server configuration. To enable the CA to issue these certificates, perform the following steps: 1. 2. 3. 4. 5. 6. 7. 8. Run the certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2 command, and then restart the Certificate Services. In the Exchange Server, open the Exchange Management Console, select Server Configuration, and then click Client Access. Click Configure External Client Access Domain, and configure the external domain name for Client Access servers in the organization. In the Actions pane, click New Exchange Certificate to open the New Exchange Certificate Wizard. This wizard helps you determine what type of certificates you need for your Exchange organization. On the Introduction page, enter a user-friendly name for your certificate. On the Domain Scope page, do not select the Enable wildcarding for this certificate check box. On the Exchange Configuration page, configure the certificate request to include Outlook Web App on the Internet and Intranet, Exchange ActiveSync and Autodiscover. On the Certificate Domains page, accept the names that will be added to the certificate request.
4-15
9.
On the Organization and Location page, enter information about your Exchange organization. Click the Browse button to select a location for the certificate request file, and enter the desired file name.
10. On the Certificate Completion page, verify that all the information you have entered is correct. If it is, click the New button. 11. On the Completion page, click Finish. 12. Provide the certificate request file to your CA. After the certificate has been issued, complete the certificate installation process. 13. In the Exchange Management Console, select Server Configuration. 14. In the Actions pane, click Complete Pending Request. 15. Import the certnew.cer file. 16. In the Actions pane, click Assign Services to Certificate. 17. Assign the certificate to Internet Information Services on VAN-EX1. Question: What would you need to change in this procedure if you were also enabling secure access to IMAP4 using a server name of IMAP4? Question: How would this process change if you were requesting a certificate from an external, public CA?
4-16
Options for Configuring POP3 and IMAP4 Client Access
Key Points
By default, Exchange Server 2010 supports POP3 and IMAP4 client connections, but the services are set to start manually. If you want to enable user access for these protocols, you must start the services and configure them to start automatically.
Configuration Options
If you choose to enable POP3 or IMAP4 access, you can configure the following settings. Option Bindings Authentication Description Enables the configuration of the local server addresses that will be used for unencrypted TLS or SSL connections. Enables the configuration of supported authentication options. Support options include basic authentication, Integrated Windows authentication, and secure logon requiring TLS. The default setting is secure logon. Enables the configuration of server settings, such as time-out settings, connection limits, and the command relay or proxy target port (used for connections to an Exchange Server 2003 back-end server). Enables the configuration of the message formats used for these protocols, and for configuring how clients will retrieve calendar requests. On each user account, you can enable or disable access for the POP3 and IMAP4 protocols. By default, all users are enabled for access.
Connection settings
Retrieval settings User access
4-17
Configuring the Client Access Server for Internet Access
Key Points
To enable access to the Client Access server from the Internet, you need to complete the following steps: 1. Configure the external URLs for each of the required client options. You can configure all of the Client Access server Web server-based features with an external URL. This URL is used to access the Web site from external locations. By default, the external URL is blank. For Internet-facing Client Access servers, the external URL should be configured to use the name published in DNS for that Active Directory site. The external URL should also use the same name as the one used for the server certificate. For Client Access servers that will not have an Internet presence, the setting should remain blank. Configure external DNS name resolution. For each Client Access server that you are exposing to the Internet, you need to verify that the host name can be resolved on the Internet. Configure access to the Client Access server virtual directories. Each of the client access methods uses a different virtual directory. If you are using a standard firewall or application layer firewall that filters client requests based on the virtual directory, you need to ensure that all virtual directories are accessible through the firewall. Implement SSL certificates with multiple subject alternative names. If you are using multiple host names for the Client Access services, or if you are publishing Autodiscover to the Internet, then ensure that the SSL certificates that you deploy on each Client Access server have the required server names listed in the subject alternative name extension. Plan for Client Access server access with multiple sites. If your organization has multiple locations and Active Directory sites, and you are deploying Exchange servers in each site, your first decision is whether you will make the Client Access servers in each site accessible from the Internet. If you choose not to make the Client Access server accessible, you should not configure an external URL for it. All client requests to that server will then be proxied from an Internet-accessible Client Access server.
2. 3.
4.
5.
4-18
Lesson 2
Configuring Client Access Services for Outlook Clients
The Client Access servers in Exchange Server 2010 provide several services for Office Outlook clients. For the most part, these services are enabled by default for Outlook clients on the internal network, but you may need to modify some of the settings. Additionally, you can make some of these services available to Outlook clients connecting the Exchange servers from outside the environment. In this case, you need to enable these features, and ensure that they are configured correctly. After completing this lesson, you will be able to: Describe the services provided by a Client Access server for Outlook clients. Describe the RPC client access services feature. Describe Autodiscover functionality. Configure Autodiscover. Describe the Availability Service, and its purpose. Explain the MailTips purpose and functionality. Configure MailTips. Describe the Outlook Anywhere functionality. Configure Outlook Anywhere. Explain how to troubleshoot Outlook client connectivity.
4-19
Services Provided by a Client Access Server for Outlook Clients
Key Points
In Exchange Server 2010, the Client Access server role provides critical services for all messaging clients, including Office Outlook clients. The following table lists the services provided for Outlook clients: Service RPC Client Access services Autodiscover Description Enables MAPI clients such as Outlook to connect to user mailboxes. The client connects to the Client Access server using a MAPI connection. The Autodiscover service configures client computers that are running Outlook 2007 or later, or supported mobile devices. The Autodiscover process configures the Outlook client profile, including the mailbox server, Availability service, and offline address book download locations. The Availability service is used to make free/busy information available for Outlook 2007 and Outlook Web App clients. The Availability service retrieves free/busy information from Mailbox servers or Public folders, and presents the information to the clients. The MailTips feature provides notifications for users regarding potential issues with sending a message, before they send the message. The Client Access server makes offline address book available through a Web service. Only Microsoft Office Outlook 2007 or later clients are capable of retrieving OABs from a Web service. The ECP is a Webbased management interface that can be used to enable self service for mailbox users, and enables users to perform specific management tasks without having access to the entire Exchange management interface. Exchange Web Services enables client applications to communicate with the Exchange server. You also can access Exchange Web Services programmatically. It
Availability
MailTips Offline Address Book download ECP
Exchange Web
4-20
Service Services
Description provides access to much of the same data made available through Office Outlook. Exchange Web Services clients can integrate Outlook data into line-of-business (LOB) applications. Outlook Anywhere enables Outlook 2003 or later clients to access the user mailbox by using RPCs encapsulated in an HTTP or HTTPS packet. This enables secure access to user mailboxes from clients located on the Internet.
Outlook Anywhere
4-21
What Is RPC Client Access Services?
Key Points
One the most significant architectural changes in Exchange Server 2010 is that the Client Access server now supports all client connections, including MAPI client connections from Outlook clients. In previous Exchange Server versions, Outlook configured as a MAPI client always connects to the Mailbox server directly, rather than connecting to a front-end or Client Access server. In Exchange Server 2010, all clients connect to the Client Access server role, regardless of the client protocol used.
How RPC Client Access Services Works

Because of the change in the messaging architecture, the client communication with the mailbox server has changed in the following way: In Exchange Server 2010, when a MAPI client starts, it connects to a Client Access server. The client protocol has not changed, and it remains compatible with older Outlook versions, up to Outlook 2003 SP2. When the client connects to the Client Access server, the Client Access server uses a MAPI RPC connection to communicate with the Mailbox server. When the client such as an Outlook Web App client requests the Global Address List (GAL), the Client Access server role now provides a Name Service Provider Interface (NSPI) service, and it queries the GAL on behalf of the client. This means that all client connections for address book lookups are now sent to the Client Access server rather than a Global Catalog server.
RPC Client Access Services Benefits

RPC Client Access services provide a number of benefits: All clients now use the same mailbox access architecture. For organizations that deploy highly available Mailbox servers, client outages have been reduced in situations where a mailbox database fails over to another server. When a mailbox fails over to another server, the Client Access server is notified, and the client connections are redirected to the new server
4-22
within seconds. In a failover scenario, clients in Exchange Server 2007 would be disconnected for one to 15 minutes. In Exchange Server 2010, if one Client Access server in a Client Access server array fails, the client will immediately reconnect to another Client Access server in the array. If a mailbox server fails, the client is disconnected for 30 seconds. Mailboxes can now be moved from one Mailbox server to another, even while the user is online and connected to the mailbox. The new architecture supports more concurrent client connections to the mailbox server. In Exchange Server 2007, each mailbox server can handle 64,000 connections. That number increases to 250,000 RPC context handle limit in Exchange 2010.
4-23
What Is Autodiscover?
Key Points
The Autodiscover service in Exchange Server 2010 simplifies Office Outlook 2007 or later client configuration. Autodiscover provides configuration information that Outlook requires to create a profile for the client. Outlook clients can also use the Autodiscover service to repair Exchange Server connection settings if a profile is corrupted, or if the user mailbox is moved to a different server. The Autodiscover service uses a users e-mail address and password to provide profile settings to Outlook 2007 or later clients, and supported mobile devices.
How Autodiscover Works

Outlook 2010 connects to Exchange Server 2010 in the following manner: 1. When you install the Client Access server role, a service connection point (SCP) is configured automatically in Active Directory for the Client Access server. This SCP includes the Client Access server URL. When Outlook 2010 starts for the first time, Outlook uses the user name or the users e-mail address and password to configure the MAPI profile automatically. Exchange Server uses configuration information from the Active Directory directory service to build an Outlook configuration template. The configuration template includes information about Active Directory and the Exchange Server 2010 organization and topology. Outlook also uses the SCP to locate the Autodiscover service on an Exchange Server 2010 computer with the Client Access server role installed. The information includes the download location for the Availability Web service, and the Offline Address Book. Outlook downloads the required configuration information from the Autodiscover service. Outlook then uses the appropriate configuration settings to connect to Exchange Server 2010.
2.
3.
4. 5.
Supported Clients and Protocols

Autodiscover supports the following clients and protocols:
4-24
Client application
Office Outlook 2010 Outlook Anywhere Exchange ActiveSync Entourage 2008, Exchange Web Services Edition
Protocol
RPC over TCP/IP RPC over HTTP Exchange ActiveSync over HTTP Exchange Web Services (HTTPS)
Note: Exchange Server 2010 supports Autodiscover for Exchange ActiveSync Service clients. However, the Exchange ActiveSync Service client must be running Windows Mobile 6 to support this feature.
4-25
Configuring Autodiscover
Key Points
By default, the Autodiscover settings for internal clients are automatically configured, and Outlook 2007 or later clients are automatically configured to use the appropriate services. In some cases, you may want to modify the default settings. For external clients, you need to configure the appropriate DNS settings to ensure that external clients can locate the Client Access server that is accessible from the Internet.
Configuring the Autodiscover Settings

To enable Autodiscover, you must have at least one Client Access server that is running the Autodiscover service. When you install the Client Access server role, the Autodiscover virtual directory is created automatically in IIS. To manage Autodiscover settings, you must use the following Exchange Management Shell cmdlets.
Task
Configure the Autodiscover SCP Create a new Autodiscover virtual directory Remove an Autodiscover virtual directory Configure an Office Outlook provider Locate an Office Outlook provider or providers on the virtual directory
Exchange Management Shell cmdlet

Set-ClientAccessServer New-AutodiscoverVirtualDirectory RemoveAutodiscoverVirtualDirectory Set-OutlookProvider Get-OutlookProvider
4-26
Configuring Autodiscover for Multiple Sites

If your organization has deployed Exchange servers in multiple Active Directory sites, you should consider configuring site affinity for the Autodiscover service. To use site affinity, you specify which Active Directory sites are preferred for clients to connect to a particular Autodiscover service instance. To configure site affinity, use a cmdlet as shown in the following example:
Set-ClientAccessServer -Identity "ServerName" -AutodiscoverServiceInternalURI "https://VAN-EX1/autodiscover/autodiscover.xml" AutodiscoverSiteScope "HeadOffice"
This cmdlet configures the URI for the Autodiscover service in the HeadOffice site to use the VAN-EX1 server.
Configuring DNS to Support Autodiscover

For external clients to be able to locate the appropriate Client Access servers, you must configure DNS with the correct information. When the Outlook client attempts to locate the Client Access server, it first tries to locate the SCP information in the Active Directory directory service. If the client is outside the network, Active Directory is not available. Therefore, the client queries DNS for a server name based on the SMTP address that the user provides. Office Outlook queries DNS for the following URLs: https://autodiscover.e-maildomain/autodiscover/autodiscover.xml https://<e-maildomain/autodiscover/autodiscover.xml
To enable Autodiscover, you must configure a DNS record on the DNS server that the client uses to provide name resolution for that request. The DNS record should point to a Client Access server that is accessible from the Internet.
Using the Test E-mail AutoConfiguration Feature in Outlook 2010

You can use the Test E-mail AutoConfiguration feature in Outlook 2010 to test whether Autodiscover is working correctly. Note: You also can use the Exchange Management Shell cmdlet Test-OutlookWebServices to test the Autodiscover settings on a Client Access server.
4-27
What Is the Availability Service?
Key Points
Exchange Server 2010 makes free/busy information available to both Outlook 2007 or later, and Outlook Web App clients, by using the Availability service. The Availability service replaces the public folder used to store free/busy information in previous Exchange Server versions. Note: Only Outlook 2007 or later and Outlook Web App use the Availability service. Outlook 2003 clients continue to use the Schedule+ Free Busy Information public folder. This folder must be available on an Exchange server for these clients to function. How Availability Service Works Availability service provides free/busy information by using the following process: 1. When you start the Scheduling Assistant in Outlook 2007 or Outlook Web App, the client sends a request to the URL provided to the client during Autodiscover. The request includes all invited users, including resource mailboxes. The Client Access server Availability service queries Active Directory to determine the user mailbox location. For any mailbox in the same site as the Client Access server, the request is sent directly to the Mailbox server to retrieve the users current free/busy information. If the mailbox is in a different site than the Client Access server, the request is sent by proxy to a Client Access server in the site where the user mailbox is located. The Client Access server in the destination site extracts the availability information from the Mailbox server, and replies to the requesting Client Access server. If the mailbox for one of the invited users is on a computer running Exchange Server 2003, Availability service queries the public folder that contains the free/busy information for the user.
2.
3.
4.
4-28
5.
Availability service combines the free/busy information for all invited users, and presents it to the Outlook 2007 or Outlook Web App client.
Deploying Availability Service

Availability service is deployed by default on all Client Access servers and does not need configuration except in scenarios where you are integrating the free/busy information from multiple forests. Autodiscover delivers the service location for Availability service to Outlook 2007 clients. Availability service is located at the URL http://servername/EWS.
4-29
What Are MailTips?
Key Points
MailTips are informative messages displayed to users before they send a message. MailTips inform a user about issues or limitations with the message the user intends to send. Exchange Server 2010 analyzes the message, including the list of recipients to which it is addressed. If it detects a potential problem, it notifies the user with MailTips prior to sending the message. With the help of the information provided by MailTips, senders can adjust the message they compose to avoid undesirable situations or nondelivery reports (NDRs).
Types of MailTips
Exchange Server 2010 provides several default MailTips, including the following examples: Mailbox Full. This MailTip displays if the sender adds a recipient whose mailbox is full, and if your organization has implemented a Prohibit Receive restriction for mailboxes over a specified size. Recipient Out of Office. This MailTip displays the first 250 characters of the out-of-office reply configured by the recipient, if a recipient has configured an out-of-office rule. Restricted Recipient. This MailTip displays if the sender adds a recipient for which delivery restrictions are configured, and prohibits this sender from sending the message. External Recipients. This MailTip displays if the sender adds a recipient that is external, or adds a distribution group that contains external recipients. Large Audience. This MailTip displays if the sender adds a distribution group that has more than the large audience size configured in your organization. By default, Exchange Server displays this MailTip for messages to distribution groups that have more than 25 members.
You can also configure custom MailTips in the Exchange Management Shell. A custom MailTip can be assigned to any recipient. For example, you could configure a custom MailTip for a recipient who is on an extended leave, or for a distribution group where all members of the group will be out of the office. Alternately, you can create a custom MailTip for a distribution group that explains the purpose of the
4-30
group and thus reduces its misuse. When you configure a custom MailTip, it displays when a user composes a message for a specified recipient. Note: MailTips are available only in Exchange Server 2010 Outlook Web App, or when using Microsoft Office Outlook 2010 or later. MailTips are not available in Outlook 2007.
How MailTips Work

MailTips are implemented as a Web service in Exchange Server 2010. When a sender composes a message, the client software makes an Exchange Web service call to Exchange Server 2010 server with the Client Access server role installed, to get the list of MailTips. The Exchange Server 2010 server responds with the list of MailTips that apply to that message, and the client software displays the MailTips to the sender. The Client Access server uses the following process to compile MailTips for a specific message: 1. 2. The mail client queries the Web service on the Client Access server for MailTips that apply to the recipients in the message. The Client Access server gathers MailTip data: The Client Access server queries the Active Directory Domain Service (AD DS) and reads group metrics data. The Client Access server queries the Mailbox server to gather the Recipient Out-of-Office and Mailbox Full MailTips. If the recipient's mailbox is on another site, then the Client Access server requests MailTips information from the Client Access server in the remote site.
3.
The Client Access server returns MailTips data back to the client. Note: Several MailTips are available when the Outlook client is offline. To enable this functionality, the redesign of the structure of the offline address book now includes some of the information that MailTips requires. MailTips that require current information from Active Directory or the user mailbox, are the only MailTips that will not work while the Outlook client is offline. MailTips that will not work offline are the Invalid Internal Recipient, the Mailbox Full, and the Recipient Out-of-Office MailTips.
4-31
Demonstration: How to Configure MailTips
Key Points
In this demonstration, you will see how to review and configure default MailTips for an Exchange Server 2010 organization, and how to configure custom MailTips. You will also confirm that the MailTips functions as expected.
Demonstration Steps
1. 2. 3. 4. In Exchange Management Shell, use the Get-OrganizationConfig cmdlet to review the default configuration for MailTips. Use the Set-OrganizationConfig MailTipsLargeAudienceThreshold 10 cmdlet to modify the large distribution group threshold setting. Use the Set-DistributionGroup Marketing MailTip The marketing team will be at a conference till next week. cmdlet to configure a custom MailTip. Log on to Outlook Web App. Prepare test messages to verify that the default and custom MailTips work as expected.
Question: Will you leave MailTips enabled in your organization? How will you modify the default configuration?
4-32
What Is Outlook Anywhere?
Key Points
When you enable Outlook Anywhere, an Outlook 2003 or later client can connect to a server running Exchange Server 2010 or Exchange Server 2007 using RPCs encapsulated in an HTTP or HTTPS packet. This feature is a secure option for connecting to the Exchange server from the Internet while using a MAPI client. How Does Outlook Anywhere Work? To deploy Outlook Anywhere, you need to deploy the Outlook 2007 or Outlook 2003 client and the RPC proxy service running on Windows Server 2008. The following is a description of the communication process between all components in an RPC-over-HTTP configuration: 1. All communication between the Outlook client and the Client Access server is sent using HTTPS. The client establishes a connection to the Client Access server for each RPC request that it sends, and then establishes a second connection for responses from the Client Access server. When the client connects, the Client Access server authenticates the user by forwarding the authentication request to a domain controller. After the user is authenticated, the Client Access server uses an RPC connection to communicate with the Mailbox server hosting the user mailbox. If the client requests a Global Address List lookup, the NSPI component on the Client Access server will send a Lightweight Directory Access Protocol (LDAP) query to a global catalog server.
2. 3. 4.
4-33
Demonstration: How to Configure Outlook Anywhere
Key Points
When configuring Outlook Anywhere, you must configure the Exchange Client Access server, and then configure the Outlook clients.
Implementing Outlook Anywhere

To configure Outlook Anywhere on Exchange Server 2010, you must perform the following high-level steps: 1. Configure a computer running Windows Server 2008 as the RPC proxy server by installing the RPC over HTTP Proxy feature in Server Manager. When you select this feature, the required Web Server (IIS) role services are installed on the server. You should install the RPC over HTTP Proxy feature on the Client Access server. Install a server certificate on the RPC proxy server. By default, Outlook Anywhere requires SSL encryption. Configure the RPC virtual directory to require SSL. Enable Outlook Anywhere in the Exchange Management Console. When you enable RPC over HTTP, you must configure both an external host name and authentication method. Configure the Outlook 2007 or Outlook 2003 profile on the client to use RPC over HTTP to connect to the Client Access server.
2. 3. 4.
Demonstration Steps
1. On the Client Access server, use the following cmdlet to review the Autodiscover configuration:
Get-ClientAccessServer id VAN-EX1 | FL
2. 3.
On the Client Access server, verify that the RPC over HTTP Proxy feature is installed. On the Client Access server, in Exchange Management Console, click Enable Outlook Anywhere, using a host name that is resolvable from the Internet.
4-34
4.
On the Client Access server, in Internet Information Services (IIS) Manager, verify that the RPC virtual directory is configured to use SSL and that it is configured to accept Basic and Windows Authentication. On the client computer, configure the Outlook account properties to Connect to Microsoft Exchange using HTTP, and then click Exchange Proxy Settings. In the Microsoft Exchange Proxy Settings dialog box, complete the following information: Use the URL (https://): external host name for the Client Access server. Connect using SSL only: enable (default) On fast networks, connect using HTTP first, then connect using TCP/IP: enable On slow networks, connect using HTTP first, then connect using TCP/IP: enable (default) Proxy authentication setting: NTLM Authentication (default)
5. 6.
7. 8.
From the client, open Outlook and connect to the server. Press and hold the CTRL key, and then right-click the Office Outlook icon in the Windows 7 operating system notification area. Click Connection Status. Confirm that the Conn column lists HTTPS as the connection method. Press and hold CTRL, and then click the Outlook icon in the notification area of the Windows task bar. Click Test E-mail AutoConfiguration.
9.
10. Click Test. View the information displayed on both the Results and Log tabs.
4-35
Troubleshooting Outlook Client Connectivity
Key Points
To troubleshoot Outlook with MAPI connectivity to an Exchange server, use the following steps: 1. Identify network connectivity issues. If the Outlook client or the Exchange server experiences problems connecting to the network, Outlook shows a status of Disconnected, and no new messages can be transferred between the client and the server. Identify name resolution issues. Outlook clients must be able to resolve the name of the Exchange server to which they are connecting. By default, Outlook 2007 clients use DNS host-name resolution to resolve the name of the Exchange server to its IP address. Identify client configuration issues. A client configuration issue can occur in Outlook or Windows configurations. An improperly configured client can prevent the computer from connecting to the Exchange server, or create intermittent connectivity problems. Identify server configuration or service-availability issues. A configuration error can prevent some or all users from connecting to the Exchange server. Based on the symptom that the user is experiencing, you can verify configuration by using the Exchange Server Best Practices Analyzer Tool, or examine server properties by using the Exchange Management Console. If the client computer is using Outlook Anywhere to connect to the Client Access server, it may be a Client Access server certificate issue. Outlook Anywhere relies on valid server certificates to provide secure communication with the server. Invalid names on certificates, expired certificates, or nontrusted certificates can cause connectivity issues between these clients and a Client Access server. Tip: To ensure that a valid server certificate is trusted and can be used for connecting with Outlook Anywhere, you should connect from a Web browser to the RPC virtual directory on the Exchange server. If the user receives a prompt with a warning message about the certificate authenticity, then there is an issue with the certificate configuration. This will lead to problems with Outlook Anywhere, Autodiscover, and Exchange ActiveSync.
2.
3.
4.
5.
4-36
6.
You can use the Test E-Mail AutoConfiguration Wizard in Outlook 2007 to test whether Autodiscover is configured correctly. When you run the wizard, it will provide information whether the client could connect to the Autodiscover service on a Client Access server, and it will display the information that it received through the Autoconfiguration process.
4-37
Lab A: Configuring Client Access Servers for Outlook Anywhere Access
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must: 1. 2. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, 10135A-VAN-EX2, and the 10135A-VAN-CL1 virtual machines are running. 10135A-VAN-DC1: Domain controller in the Adatum.com domain 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain 10135A-VAN-EX2: Exchange 2010 server in the Adatum.com domain 10135A-VAN-CL1: Client computer in the Adatum.com domain
Important: If you are using Windows Server 2008 R2 as the host operating system, you must complete the following steps before starting VAN-CL1. 1. In the Hyper-V Management console, in the Virtual Machines pane, right-click 10135A-VAN-CL1, and click Settings. 2. Click Network Adapter, and select the Enable spoofing of MAC addresses check box. Click OK. This step is required in order for the Windows Mobile Device emulator to communicate on the virtual network. 3. If required, connect to the virtual machines. Log on to VAN-DC1, VAN-EX1, and VAN-EX2 as Adatum\Administrator, using the password Pa$$w0rd. Do not log on to VAN-CL1 at this point.
4-38
Lab Scenario
You are working as a messaging administrator in A. Datum Corporation. Your organization has decided to deploy Client Access servers so that the servers are accessible from the Internet for a variety of messaging clients. To ensure that the deployment is as secure as possible, you must secure the Client Access server, and configure a certificate on the server that will support the messaging client connections. You also need to configure the server to support Outlook Anywhere connections.
4-39
Exercise 1: Configuring Client Access Servers

Scenario
As a messaging administrator in A. Datum Corporation, you have deployed the Exchange Server environment, and you are now working on configuring the Client Access servers. The organization has decided to use a certificate from the internal CA to secure all client connections to the server. You need to enable this configuration, and then you need to ensure that Outlook clients can still connect to the server. The main tasks for this exercise are as follows: 1. 2. 3. 4. 5. 6. Prepare the Windows Server 2008 CA to issue certificates with multiple subject alternative names. Configure an External Client Access Domain for VAN-EX2. Prepare a Server Certificate request for VAN-EX2. Request the certificate from the CA. Import and assign the IIS Exchange service to the new certificate. Verify Outlook connectivity to the Exchange Server.
Task 1: Prepare the Windows Server 2008 CA to issue certificates with multiple subject
alternative names
1. 2. On VAN-DC1, open a command prompt and use the certutil -setreg policy \EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2 command to configure the CA policy. Restart the Certificate Services.
Task 2: Configure an External Client Access Domain for VAN-EX2

1. 2. 3. On VAN-EX2, open the Exchange Management Console and configure an External Client Access Domain named mail.Adatum.com. Apply the external domain name just to VAN-EX2. Verify that the External Client Access Domain was applied to the owa (Default Web Site) virtual directory.
Task 3: Prepare a Server Certificate request for VAN-EX2

1. On VAN-EX2, run the New Exchange Certificate Wizard using the following configuration options: Friendly name: ADatum Mail Certificate Outlook Web App is on the intranet mail.adatum.com as the server name for all services Outlook Web App is on the Internet Exchange ActiveSync is enabled Autodiscover is used on the Internet Long URL is used for AutoDiscover Organization: A Datum Organizational Unit: Messaging Country/region: Canada City/locality: Vancouver
4-40
2.
State/province: BC
Save the file using the name CertRequest.req.
Task 4: Request the certificate from the CA

1. 2. Copy the text of the certificate request file to the clipboard. Connect to http://van-dc1/certsrv, and create a new certificate request using the contents of the certificate request file. Use an advanced certificate request using a base-64-encoded CMC or PKCS#10 file. Copy and paste the contents of the CertRequest.req file into the Saved Request field. Request a Web server certificate. Download the certificate and save it. View the certificate. Verify that the certificate includes several subject alternative names, and then click OK.
3. 4.
Task 5: Assign the IIS Exchange Service to the new certificate

1. 2. In the Exchange Management console, use the Complete Pending Request Wizard to import the Adatum Mail certificate. In the Exchange Management console, use the Assign Services to Certificate Wizard to assign the Adatum Mail certificate to the Internet Information Services service.
Task 6: Verify Outlook connectivity to the Exchange Server

1. 2. 3. On VAN-CL1, log on as Molly using the password Pa$$w0rd. Open Microsoft Office Outlook 2007, and verify that a profile is automatically created for Molly. In Office Outlook, click Tools, and then click Account Settings. Verify that the Outlook profile is configured to use VAN-EX2 as the mailbox server. Results: After this exercise, you should have configured the security settings for VAN-EX2 by using the Security Configuration Wizard, and installed a server certificate from the internal CA on the server. You should have also verified Outlook client connectivity to the Exchange server.
4-41
Exercise 2: Configuring Outlook Anywhere

Scenario
A. Datum Corporation has several users who are frequently out of the office. These users all have laptop computers, and they want to use Office Outlook to connect to their Exchange Server mailboxes while in the office or out of the office. You need to configure the Client Access server to enable Outlook Anywhere, and then configure a client to connect to the server using RPC over HTTPS. Finally, you need to verify that the connection works. The main tasks for this exercise are as follows: 1. 2. 3. 4. Configure a DNS record for Mail.Adatum.com. Configure Outlook Anywhere on VAN-EX2. Configure the Outlook profile to use Outlook Anywhere. Verify Outlook Anywhere connectivity.
Task 1: Configure a DNS record for Mail.Adatum.com

On VAN-DC1, create a new host record for Mail.adatum.com using an IP address of 10.10.0.21.
Task 2: Configure Outlook Anywhere on VAN-EX2

1. 2. 3. 4. On VAN-EX2, verify that the RPC over HTTP Proxy feature is installed. In the Exchange Management Console, enable Outlook Anywhere for VAN-EX2. Configure an external host name of Mail.adatum.com, and choose NTLM authentication. Restart VAN-EX2.
Task 3: Configure the Outlook profile to use Outlook Anywhere

1. 2. 3. On VAN-CL1, ensure that you are logged on as Adatum\Molly. Modify the profile for Molly to connect to Microsoft Exchange using HTTP. Configure the Exchange Proxy server settings as follows: 4. Use this URL (https://): mail.adatum.com Connect using SSL only: enable (default) On fast networks, connect using HTTP first, then connect using TCP/IP: enable On slow networks, connect using HTTP first, then connect using TCP/IP: enable (default) Proxy authentication setting: NTLM Authentication (default)
Close Outlook.
Task 4: Verify Outlook Anywhere connectivity

1. 2. On VAN-CL1, open Outlook and verify that you are connected to the Exchange server. Press and hold CTRL, and then right-click the Office Outlook icon in the Windows 7 notification area. Confirm that the Conn column lists HTTPS as the connection method. You may need to click the up arrow in the Windows 7 notification area to view the Office Outlook icon. Use the E-mail AutoConfiguration tool to review the settings Autodiscover provided to the client. Log off VAN-CL1.
3. 4.
4-42
Results: After this exercise, you should have enabled Outlook Anywhere on VAN-EX2, and configured a client profile to use Outlook Anywhere. You also verified the Outlook Anywhere functionality.
To prepare for the next lab

Do not shut down the virtual machines and revert them back to their initial state when you finish this lab. The virtual machines are required to complete the last lab in this module.
4-43
Lesson 3
Configuring Outlook Web App
Exchange Server 2010 uses Outlook Web App to provide access to user mailboxes through a Web browser. Many organizations provide users with access to Outlook Web App from the Internet. Some organizations also use Outlook Web App internally. In both scenarios, deploying Outlook Web App is quite easy because only a Web browser is required as a client. This lesson describes how to configure Outlook Web App for Exchange Server 2010. After completing this lesson, you will be able to: Describe Outlook Web App features. Identify Outlook Web App configuration options. Describe the file and data access options in Outlook Web App. Configure Outlook Web App. Configure Outlook Web App policies. Configure user options using the ECP.
4-44
What Is Outlook Web App?
Key Points
Outlook Web App allows users to access their mailboxes through a Web browser. The feature set in Outlook Web App closely mimics features available in Outlook 2010, and may provide features that are not available in previous Outlook versions. In some cases, it may be possible to use Outlook Web App in place of Outlook 2010. Outlook Web App has been redesigned in Exchange Server 2010 to include features such as chat, text messaging, mobile phone integration, and enhanced conversation view. In Exchange Server 2010, these features are accessible from an expanded set of Web browsers, including Microsoft Internet Explorer 6.0 or later, Firefox, Safari, and Google's Chrome.
Benefits of Outlook Web App

Outlook Web App provides many important benefits for an organization. These include: All communication between the Outlook Web App client and the Client Access server is sent using HTTP. You can easily secure this information using SSL. This also means that it is easy to configure firewalls or reverse proxies to enable Internet access to Outlook Web App, as only a single port is required. Outlook Web App does not require that you deploy or configure a messaging client; all client computers, including computers that run Linux or Macintosh, have a Web browser available. This means that users can access their mailbox from any client that can access the Client Access servers URL. Outlook Web App in Exchange Server 2010 also provides access to some features that are only available through Outlook Web App or Outlook 2010. For example, features such as the archive mailbox or conversation view can be accessed through Outlook Web App without deploying Outlook 2010.
4-45
Limitations of Outlook Web App

Outlook Web App cannot provide offline access to mailboxes. If the Exchange server hosting Outlook Web App is offline, users cannot read or send messages. If offline access to files is required, you must select another remote-access method to the Exchange server. Outlook 2007 using Outlook Anywhere, POP3, and IMAP clients can cache messages to provide offline access. Question: What is Outlook Web App for Exchange Server 2010? Question: What are the benefits of Outlook Web App? Question: When would you use Outlook Web App instead of Outlook or Windows Mail?
4-46
Configuration Options for Outlook Web App
Key Points
Although Outlook Web App is available automatically on Client Access servers, you must configure Outlook Web App to support your users specific requirements.
Outlook Web App Configuration Tasks

When configuring Outlook Web App, you need to complete the following tasks: Install and configure a server certificate to enable SSL for all client connections. Configure the Outlook Web App virtual directory. When you install the Client Access server role, an Outlook Web App virtual directory is configured in the default IIS Web site on the Client Access server. In most cases, you might not need to modify the Outlook Web App virtual directory settings, other than configuring the default Web site to use a CA certificate for SSL, and to set the authentication options. Configure segmentation settings. You can enable or disable specific Outlook Web App features for Exchange Server 2010 Outlook Web App users. Access the Outlook Web App virtual directory properties in the Exchange Management Console to configure the segmentation settings. Modify the attachment handling settings. You can configure the attachment settings by configuring the WebReady Document Viewing settings on the Outlook Web App virtual directory. Configure Gzip compression settings. Gzip enables data compression, which is optimal for slow network connections. Configure Web beacon settings. A Web beacon is a file objectsuch as a transparent graphic or an imagethat is put on a Web site or in an e-mail message. Web beacons are typically used together with HTML cookies to monitor user behavior on a Web site, or to validate a recipient's e-mail address when an e-mail message containing a Web beacon is opened. Web beacons and HTML forms also can contain harmful code, and can be used to circumvent e-mail filters. By default, Web beacons and HTML forms are set to UserFilterChoice. This blocks all Web beacons and HTML forms, but lets the user unblock them on individual messages. You can use the Exchange Management Shell to
4-47
change the type of filtering that is used for Web beacon and HTML form content in Outlook Web App. If you change the setting to ForceFilter, this blocks all Web beacons and HTML forms. If you change the setting to DisableFilter, this allows all Web beacons and HTML forms.
4-48
What Is File and Data Access for Outlook Web App?
Key Points
File and data access provide Outlook Web App users different levels of access to files that are attached to messages or that are located in Microsoft Windows SharePoint Services document libraries, and shared folders on the internal network. When using the Windows SharePoint Services and Windows file shares integration option, users can access documents from a link embedded in an e-mail message.
Configuring File and Data Access

You can configure the following settings when configuring file and data access for Outlook Web App users: Enable WebReady Document Viewing or force WebReady Document Viewing. When you enable WebReady Document Viewing, and a user attempts to open a file in the message window, the file is converted to HTML, and then displayed in the Web browser. This enables users to view the files on the local computer even if the native application for the file is not installed on the computer. If only WebReady Document Viewing is enabled, users cannot save the document to the local hard disk or view the document in its native application. By default, only a limited number of file types can be viewed through WebReady Document Viewing. Direct file access. Direct file access lets users open files that are attached to e-mail messages and files that are stored in Windows SharePoint Services document libraries and in Windows file shares. Configure different settings for public or private computers. When users connect to Outlook Web App, they can choose whether they are connecting from public or private computers. You can configure different direct file access and WebReady Document Viewing settings for each option. Configure access to Windows SharePoint Services document libraries or Windows file shares. By default, if you enable direct file access, users can access files on both Windows SharePoint Services document libraries or Windows file shares. You can configure access to these features by using the Set-OwaVirtualDirectory cmdlet. For example, to disable access to file shares from public
4-49
computers, use the Set-OwaVirtualDirector -Identity owa (default web site) UNCAccessOnPublicComputersEnabled $false cmdlet. Restrict or enable access. You can configure how users interact with files by using the Allow, Block, or Force Save options for direct file access and by configuring the file extensions for WebReady Document Viewing. You can also configure which servers will be accessible through Outlook Web App.
4-50
Demonstration: How to Configure Outlook Web App
Key Points
In this demonstration, you will see how to configure several different Outlook Web App aspects. As you will see in this demonstration, you may need to use several different tools to configure Outlook Web App.
Demonstration Steps
1. 2. 3. On the Client Access server, ensure that the Outlook Web App virtual directory is configured to use SSL, and is using the correct server certificate. In the Exchange Management Console, on the owa (Default Web Site) Properties, configure the external URL with the required authentication and segmentation settings. In the Exchange Management Shell, use the set-owavirtualdirectory owa (Default Web Site) ForceSaveFileTypes .xls, cmdlet to force attachments with an .xls extension to be saved to disk before they can be opened. Use the set-owavirtualdirectory owa (Default Web Site) GzipLevel Off, cmdlet to disable Gzip compression for Outlook Web App. Use the Set-OwaVirtualDirectory -identity Owa (Default Web Site) FilterWebBeaconsAndHtmlForms ForceFilter cmdlet to block all Web beacons.
4. 5.
4-51
Demonstration: How to Configure Outlook Web App Policies
Key Points
One of the new features in Exchange Server 2010 is the option to configure multiple Outlook Web App policies for users. In previous Exchange Server versions, all users receive the same settings when they connect to Outlook Web App. With Exchange Server 2010 Outlook Web App policies, you can configure unique policies and assign them to users.
Demonstration Steps
1. 2. 3. 4. 5. In Exchange Management Console, in the Organization Configuration node, click Client Access. Click New Outlook Web App Mailbox Policy. Provide a name for the policy, and configure the policy settings. After creating the policy, you can configure additional settings by accessing the policy properties. Assign the policy to a user account by accessing the Outlook Web App properties on the Mailbox Features tab. Log on to Outlook Web App as the user, and test the policy application.
4-52
Demonstration: How to Configure User Options Using the ECP
Key Points
Another new feature in Exchange Server 2010 is the ECP. You can use the ECP to perform several different administrative functions, but users also can use the ECP to modify their mailbox settings. In this demonstration, you will see how you can configure the ECP virtual directory and view some of the available ECP configuration options.
Demonstration Steps
1. 2. 3. 4. On the Client Access server, in IIS Manager, review the settings for the ecp virtual directory. In the Exchange Management Console, review the settings for the ecp (Default Web Site) virtual directory on each Client Access server. As a user, access the ECP by opening Internet Explorer, and accessing https://servername/ecp. Log on to the ECP, and review the settings that can be modified by the user.
4-53
Lesson 4
Configuring Mobile Messaging
Exchange Server 2010 supports mobile devices as a messaging client. With Exchange Server 2010, you can synchronize mailbox content and perform most of the same tasks with mobile devices as you can with other messaging clients. Exchange Server 2010 also provides administrative options for managing mobile devices. This lesson describes how to implement and manage mobile access for Exchange Server 2010. After completing this lesson, you will be able to: Describe the purpose and functionality of Exchange ActiveSync. Configure Exchange ActiveSync. Identify security options for Exchange ActiveSync. Configure Exchange ActiveSync policies. Manage mobile devices.
4-54
What Is Exchange ActiveSync?
Key Points
Exchange ActiveSync provides mobile devices with access to Exchange Server 2010 mailboxes. The Exchange ActiveSync communication process is optimized to function over high-latency and lowbandwidth networks. By default, Exchange ActiveSync is available for all users after you install a Client Access server. Note: Exchange ActiveSync has been licensed to many different mobile device manufacturers that produce devices that run Windows Mobile or another operating system. Exchange ActiveSync features are dependent on the mobile device and the operating system version running on the mobile device. You will need to verify which features are supported on your mobile device.
How Exchange ActiveSync Works

When users connect to the Client Access server with a mobile device, the following process occurs: 1. 2. The Exchange ActiveSync client connects using HTTPS, to the Microsoft Server ActiveSync virtual directory on the Client Access server. The Client Access server authenticates the client. If the users mailbox is on a Mailbox server in the same site as the Client Access server, then the Client Access server connects to the users Mailbox server using an RPC connection. If the Mailbox server is in a different site, then the Client Access server proxies the client request to a Client Access server in the appropriate site. If the mobile client is running the Messaging and Security Feature Pack for Microsoft Windows Mobile 5.0 or later, or is a non-Windows Mobile device that is Direct Push-capable, Exchange ActiveSync can use Direct Push technology to ensure that messages are delivered to the mobile client when they connect to the Exchange server. With Direct Push technology, the mobile device maintains a constant HTTPS connection to the Client Access server, resulting in instant message retrieval and real-time access to e-mail.
3.
4-55
Demonstration: How to Configure Exchange ActiveSync
Key Points
In this demonstration, you will see how to configure the Exchange ActiveSync settings on a Client Access server and how to configure a Windows Mobile device to use ActiveSync to synchronize with the Exchange server.
Demonstration Steps
1. On the Client Access server, in IIS Manager, clear the option to require SSL for the Exchange ActiveSync virtual directory. Caution: In a production environment, you should require SSL for the Exchange ActiveSync virtual directory. You are disabling SSL only because the mobile emulator does not trust the server certificate. 2. 3. 4. 5. 6. In Exchange Management Console, configure authentication and remote file server settings on the Microsoft-Server-ActiveSync virtual directory. On the mobile device emulator, configure the network settings so that the emulator can communicate with the Client Access server. In mobile device emulator, start ActiveSync, and then configure the emulator to connect to the Client Access server using an account that is enabled for Exchange ActiveSync. Synchronize the device. Test ActiveSync by sending a message from another user to the user logged on to the mobile device. Verify that the message arrives, and respond to the message.
4-56
Options for Securing Exchange ActiveSync
Mobile clients such as Exchange ActiveSync clients, are difficult to secure. Because the devices are small and portable, they are susceptible to being lost or stolen. At the same time, they may contain highly confidential information. The storage cards that fit into mobile device expansion slots can store increasingly large amounts of data. While this data-storage capacity is important to the mobile-device user, it also heightens the concern about data falling into the wrong hands. Mobile clients also are difficult to manage using centralized policies because the devices might rarely, or never, connect to the internal network. The devices also do not require Active Directory accounts, so you cannot use Group Policy Objects (GPOs) to manage the client settings. Note: System Center Mobile Device Manager 2008 is a System Center products available from Microsoft is. If you deploy this product, Windows Mobile 6.1 devices can be listed in Active Directory, and managed through Active Directory and Mobile Device Manager policies.
Implementing Exchange ActiveSync Policies

Exchange ActiveSync policies provide one option for securing mobile devices. When you apply the policy to a user, the mobile device automatically downloads the policy the next time the device connects to the Client Access server. To ensure that mobile devices are as secure as possible, you should configure Exchange ActiveSync policies that require device passwords, and encrypt the data stored on the mobile device.
Managing Mobile Devices

You can manage mobile devices using either the Exchange Management Console or the Exchange Management Shell. With these tools, you can perform the following tasks: View a list of all mobile devices that any enterprise user is using. Send or cancel remote wipe commands to mobile devices.
4-57
View the status of pending remote-wipe requests for each mobile device. View a transaction log that indicates which administrators have issued remote-wipe commands, and the mobile devices to which those commands pertain. Delete an old or unused partnership between devices and users. Note: The option to manage a mobile device for a user mailbox in the Exchange Management Console is available only after the user has synchronized with the Exchange Server from a mobile device. You also can manage mobile devices in the Exchange Management Shell by using the Remove-ActiveSyncDevice and the Clear-ActiveSyncDevice cmdlets.
Configuring Self-Service Mobile Device Management

Users also can manage their own mobile devices by accessing the ECP. One of the options available is the Phone tab. From this tab, users can wipe a device that they have configured, and can delete partnerships for devices that they no longer use. Self-service management is enabled by default for all users who are assigned to a Microsoft Exchange ActiveSync mailbox policy.
Enabling SSL for the Mobile Device Connections

To ensure that the communication between the mobile device and the Client Access server is secure, you should ensure that the Microsoft Server ActiveSync virtual directory is configured to require SSL.
Installing CA Root Certificates on Mobile Devices

Just like desktop computers, mobile devices are configured to trust the root certificates for most public CAs. However, if you choose to use an internal CA to provide certificates for your Client Access servers, you must configure the mobile devices to trust the root CAs by installing the root certificates on the device. To install a CA certificate on a Windows Mobile phone, you might need to copy the root certificate directly to the mobile device, and then install the certificate. You can use an ActiveSync connection between the device and a desktop or portable computer to copy the certificate file to the device, or transfer the file using a storage card. If you do not enable SSL for the Exchange ActiveSync connection, you also can e-mail a root certificate to the device. After copying the certificate to the device, you can install the certificate manually by double-clicking the .cer file. If you use Windows Mobile 2003 or older devices, you can use a tool such as SmartPhoneAddcert.exe to install the certificate.
4-58
Demonstration: How to Configure Exchange ActiveSync Policies
Key Points
One of the features in Exchange Server 2010 is that you can manage mobile users and devices with Exchange ActiveSync mailbox policies. When you create a policy, you can configure the following options: Allow or block nonprovisionable devices. This option permits you to specify whether devices that do not fully support the device security settings can synchronize with the Exchange Server computer. Enable, disable, or limit attachment downloads. This option allows you to enable or disable attachment downloads, and configure a maximum attachment download size. Configure devices to require passwords. If you choose to require passwords, you also can configure the following attributes: Minimum password length. A requirement for alphanumeric passwords. Inactivity time before the password is required. The option to enable password recovery. A requirement for device encryption. Number of failed attempts allowed. This option specifies whether you want the device memory wiped after a specific number of failed logon attempts.
Options for disabling removable storage, cameras, Wi-Fi, or Bluetooth. Options for configuring synchronization settings such as message size limits. Options for enabling additional mobile device applications such as Web browsers, unsigned applications, or for defining allowed and blocked applications.
4-59
Note: Some of these features were implemented with Windows Mobile 5.0 devices. Some features, such as encryption on the local device, and Windows SharePoint Services and Windows File Shares integration, are available only with Windows Mobile 6 or later. Some settings also require an Enterprise Client Access License for each mailbox. In this demonstration, you will see how to configure Exchange ActiveSync policies.
Demonstration Steps
1. 2. 3. 4. 5. In the Exchange Management Console, access the Organization Configuration node, and then click Client Access. Create New Exchange ActiveSync Mailbox Policy, and then configure the available settings. After creating the policy, access the policy properties and configure the additional settings. Access a user mailboxs properties. On the Mailbox Features tab, click Exchange ActiveSync, and then click Properties. Assign the appropriate Exchange ActiveSync policy. Confirm that the policy is being applied to the user.
4-60
Demonstration: How to Manage Mobile Devices
Key Points
In this demonstration, you will view the options that a user has for managing their mobile devices, using ECP. You will then see how an administrator can also manage the user's mobile device.
Demonstration Steps
1. 2. 3. As a user, connect to the ECP site on a Client Access server. Log on and access the Phone tab on the user Properties page. As an Exchange administrator, access the user in the Exchange Management Console Mailbox container, and then click OK. 4. 5. In the Actions pane, click Manage Mobile Device. On the Manage Mobile Device page, view the options available to manage the mobile device, including wiping the device.
4-61
Lab B: Configuring Client Access Servers for Outlook Web App and Exchange ActiveSync
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must: 1. 2. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, 10135A-VAN-EX2, and the 10135A-VAN-CL1 virtual machines are running: 3. 10135A-VAN-DC1: Domain controller in the Adatum.com domain. 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain. 10135A-VAN-EX2: Exchange 2010 server in the Adatum.com domain. 10135A-VAN-CL1: Client computer in the Adatum.com domain.
Lab Scenario
To enable client access to the server, your organization has decided to enable both Outlook Web App and Exchange ActiveSync for its users. However, the security officer at A. Datum Corporation has defined security requirements for the Outlook Web App and Exchange ActiveSync deployment. Therefore, you need to enable the security features for both Outlook Web App and Exchange ActiveSync.
4-62
Exercise 1: Configuring Outlook Web App

Scenario
A. Datum Corporation has several users who work regularly from outside the office. These users should be able to check their e-mail from any client computer, including client computers located in public areas. To provide this functionality, you must configure the server settings for Outlook Web App, and configure Outlook Web App policies. You also need to verify that the settings have been successfully applied. The main tasks for this exercise are as follows: 1. 2. 3. 4. Configure IIS to use the Internal CA certificate. Configure Outlook Web App settings for all users. Configure an Outlook Web App Mailbox Policy for the Branch Managers. Verify the Outlook Web App configuration.
Task 1: Configure IIS to use the Internal CA certificate

1. 2. On VAN-EX2, in Internet Information Services (IIS) Manager, verify that the owa virtual directory under the Default Web Site is configured to require SSL Verify that the Default Web Site is configured to use the Adatum Mail Certificate. .
Task 2: Configure Outlook Web App settings for all users

1. On VAN-EX2, in Exchange Management Console, verify that the owa virtual directory is configured to use forms-based authentication. Modify the forms-based authentication to use the user name only and to use the Adatum.com domain automatically. Disable the Tasks and Rules display for all users. Use the set-owavirtualdirectory owa (Default Web Site) ForceSaveFileTypes .doc cmdlet to force all users to save Word documents before opening them. Use the set-owavirtualdirectory owa (Default Web Site) GzipLevel Off cmdlet to disable GZip compression. Use the Set-OwaVirtualDirectory -identity Owa (Default Web Site) FilterWebBeaconsAndHtmlForms ForceFilter cmdlet to block all Web beacons and HTML forms. Use the IISReset /noforce command to restart IIS.
2. 3. 4. 5. 6.
Task 3: Configure an Outlook Web App Mailbox Policy for the branch managers
1. 2. 3. Create a new Outlook Web App Mailbox policy, and configure the policy with the name Branch Managers Policy. Configure the policy to prevent branch managers from changing their password. Apply the policy to all users in the Branch Managers organizational unit (OU).
Task 4: Verify the Outlook Web App configuration

1. 2. 3. On VAN-EX1, connect to https://mail.Adatum.com/owa. Log on to Outlook Web App as Adatum\Sharon using the password Pa$$w0rd. Sharon is not in the Branch Managers OU. Verify that the Tasks folder is not displayed in the user mailbox, and that Sharon cannot configure a new Inbox rule in the ECP.
4-63
4. 5.
Connect to OWA again, and log on as Adatum\Johnson using the password Pa$$w0rd. Johnson is in the Branch Managers OU. Verify that the Tasks folder is listed in the user mailbox, but that Johnson is not able to change his password. Results: After this exercise, you should have configured Outlook Web App on VAN-EX2. This configuration includes assigning the internal CA certificate to the Default Web Site, and configuring Outlook Web App settings for all users, as well as for specific users. You also should have verified the Outlook Web App settings.
4-64
Exercise 2: Configuring Exchange ActiveSync

Scenario
A. Datum Corporation has several users who use Windows Mobile devices to access their mail. You need ensure that these users can access their mailboxes using Exchange ActiveSync. To ensure that the client connection is secure, you must configure an Exchange ActiveSync policy, and apply it to a user account. You will also install a root certificate on the mobile device, and configure SSL security. Lastly, you need to manage the mobile device as both an administrator and a user using ECP. The main tasks for this exercise are as follows: 1. 2. 3. 4. 5. 6. 7. Disable SSL for Exchange ActiveSync. Verify the Exchange ActiveSync virtual directory configuration. Connect to the server using Exchange ActiveSync. Create a new Exchange ActiveSync mailbox policy. Validate the Exchange ActiveSync mailbox policy. Install a root CA on the mobile device. Wipe the mobile device.
Task 1: Disable SSL for Exchange ActiveSync

On VAN-EX2, in Internet Information Services (IIS) Manager, configure the Microsoft-ServerActiveSync virtual directory so that it does not require SSL. You are configuring this setting just for the initial testing.
Task 2: Verify the Exchange ActiveSync virtual directory configuration

On VAN-EX2, in Exchange Management Console, review the configuration for the Microsoft Server ActiveSync virtual directory on VAN-EX2.
Task 3: Connect to the server using Exchange ActiveSync

1. On VAN-CL1, log on as Adatum\Administrator. Start the Windows Mobile 6.1.4 Professional emulator. 2. On the emulator properties, enable NE2000 PCMIA network adapter, and configure it to bind to the connected network card. 3. 4. In Windows Mobile 6 Professional, click Start, and then click Settings. On the Connections tab, configure the network adapter settings to connect to the Internet using the NE2000 Compatible Ethernet Driver. 5. Configure the network adapter to use the following settings: 6. IP address: 10.10.0.51 Subnet mask: 255.255.0.0 Default gateway: 10.10.0.1 DNS server: 10.10.0.10
In Windows Mobile 6 Professional, start ActiveSync, and start the process for setting up the device to sync with Exchange Server.
7.
Use the following information to configure the client:
4-65
8. 9.
E-mail address: ScottMacdonald@adatum.com User name: Scott Password: Pa$$w0rd Domain: Adatum Server address: VAN-EX2.adatum.com SSL: Disabled Synchronize all Calendar and E-mail items
Verify that the synchronization succeeds. On VAN-CL1, connect to https://mail.adatum.com/owa, and log on as adatum\Wei using the password Pa$$w0rd.
10. Send a test message to Scott. 11. On the mobile device, verify that Scott received the message, and reply to it. 12. In Outlook Web App, verify that the reply message was received.
Task 4: Create a new Exchange ActiveSync mailbox policy

1. On VAN-EX2, in Exchange Management Console, create a new Exchange ActiveSync Mailbox policy with the following configuration: 2. 3. Name: EAS Policy 1 Enable non-provisionable devices Enable attachments to be downloaded to the device Require passwords Enable password recovery
Review the other Exchange ActiveSync Mailbox policy settings. Apply the Exchange ActiveSync Mailbox policy to Scott MacDonald.
Task 5: Validate the Exchange ActiveSync mailbox policy

1. 2. On VAN-CL1, synchronize the mobile client. Verify that the new policy is applied, and provide a password of 12345.
Task 6: Install a root CA on the mobile device

1. 2. 3. 4. 5. 6. On VAN-CL1, open Internet Explorer, and connect to http://van-dc1/certsrv. Download the CA certificate chain from the CA, and save the file. Open Outlook Web App, and send a message to Scott. Attach the certificate file to the message. In Windows Mobile device, synchronize the mailbox. Open the message with the certificate and double-click the file. Accept the certificate installation. On VAN-EX2, in Internet Information Services (IIS) Manager, configure the Microsoft-ServerActiveSync virtual directory to require SSL.
4-66
7. 8.
On VAN-CL1, in the Windows Professional emulator, modify the ActiveSync settings to use SSL. Verify that the client can synchronize successfully.
Task 7: Wipe the mobile device

1. 2. 3. 4. On VAN-CL1, open Internet Explorer, and connect to https://van-ex1.adatum.com/ecp. Log on as Adatum\Scott, and verify that you can manage the mobile device. On VAN-EX2, in the Exchange Management Console, perform a remote wipe of Scott's device. On VAN-CL1, verify that the mobile device restarts the next time it synchronizes. Results: After this exercise, you should have configured the Exchange server environment to support Exchange ActiveSync. You first verified that Exchange ActiveSync worked, and then enhanced the security configuration by creating a more secure Exchange ActiveSync Mailbox policy, and by enabling SSL for all Exchange ActiveSync connections.

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps: 1. 2. 3. 4. 5. On the host computer, start Microsoft Hyper-V Manager. Right-click the virtual machine name in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start. To connect to the virtual machine for the next modules lab, click 10135A-VAN-DC1, and then in the Actions pane, click Connect. Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines. 6. 7. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine. Wait for VAN-EX1 to start, and then start VAN-EX2. Connect to the virtual machine.
4-67
Review Questions
1. You need to ensure that users from the Internet can connect to a Client Access server by using Outlook Anywhere. How will you configure the firewall between the Internet and the Client Access server? You need to ensure that the same Exchange ActiveSync policies are assigned to all users, with the exception of the Executives group. This group requires higher security settings. What should you do? You have deployed an Exchange Server 2010 server in an organization that includes several Exchange Server 2003 servers. How will Exchange Server 2010 obtain free\busy information for user mailboxes on the Exchange Server 2003 servers?
2. 3.
Common Issues Related to Client Connectivity to the Client Access Server

Identify the causes for the following common issues related to client connectivity to the Client Access server, and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module. Issue Users using Web browsers other than Internet Explorer may have trouble authenticating. Clients receive certificaterelated errors when they connect to the Client Access server. Users from the Internet are not able to connect to the Troubleshooting tip Although Exchange Server 2010 supports most Web browsers, your Web browser may not support forms-based authentication or Windows Integrated Authentication. As a last resort, you can use Basic Authentication with SSL. Ensure that the certificate configured on the Client Access server is trusted by all clients. The best way to do this is to obtain a certificate from a trusted Public CA. Use a tool such as Microsoft Exchange Server Remote Connectivity Anaylzer to identify the issue. Many components must be functioning to
4-68
Issue Client Access server.
Troubleshooting tip enable connectivity. The Remote Connectivity Anaylzer tool will check information such as DNS records, authentication, certificate issues, and Autodiscover.

1. Your organization has two locations with an Internet connection in each location. You need to ensure that when users access their e-mail using Outlook Web App from the Internet, they will always connect to the Client Access server in their home office. You are planning on enabling Outlook Web App, Outlook Anywhere, and Exchange ActiveSync access to your Client Access server. You want to ensure that all client connections are secure by using SSL, and that none of the clients receives errors when they connect to the Client Access server. You plan on requesting a certificate from a Public CA. What should you include in the certificate request? You have deployed two Client Access servers in the same Active Directory site. When one of the Client Access servers shuts down, users can no longer access their e-mail. What should you do?
2.
3.
Best Practices Related to Planning the Client Access Server Deployment

Supplement or modify the following best practices for your own work situations. When designing the Client Access server configuration, consider the following recommendations: The recommended processor configuration for Client Access servers is eight processor cores, and the maximum recommended number of processor cores is 12. You should deploy at least two processor cores for Client Access serverseven in small organizationsbecause of the addition of the RPC Client Access service on the Client Access server. As a general guideline, you should deploy three Client Access server processor cores in an Active Directory site for every four Mailbox server processor cores. The recommended memory configuration for Client Access server is 2 gigabytes (GB) per processor core, with a maximum of 8 GB. Deploying Client Access servers on a perimeter network is not a supported scenario. The Client Access server must be deployed on the internal network. The Client Access server role must be installed on a member server, and it must have access to a domain controller and global catalog server, as well as the Mailbox servers inside the organization.
Tools
Tool Use for Where to find it http://go.microsoft.com/fwlink /?LinkId=179969 Open Outlook, press and hold CTRL, right-click the Outlook connection object, and then click Test E-Mail AutoConfiguration. Administrative Tools
Microsoft Exchange Server Troubleshooting Internet Remote Connectivity Anaylzer connectivity for messaging clients. Test E-Mail AutoConfiguration
Troubleshooting Outlook
Connectivity to the Client Access server.
Internet Information Server
Configuring SSL settings for
4-69
Tool (IIS) Manager
Use for Client Access server virtual directories.
Where to find it
4-70
Managing Message Transport
5-1
Module 5
Contents:
Lesson 1: Overview of Message Transport Lesson 2: Configuring Message Transport Lab: Managing Message Transport 5-3 5-16 5-32
5-2
Module Overview
This module details how to manage message transport in Microsoft Exchange Server 2010. To implement message transport in Exchange Server 2010, it is important to understand the components of message transport, how Exchange Server 2010 routes messages, and how you can troubleshoot messagetransport issues. This module also provides details on deploying the Exchange Server 2010 Hub Transport server, and the options that you can configure. After completing this module, you will be able to: Describe message transport in Exchange Server 2010. Configure message transport.
5-3
Lesson 1
Overview of Message Transport
In this lesson, you will review message flow and the components that message transport requires, especially when you implement multiple Exchange Server 2010 Hub Transport servers. To understand message flow, you should know how message routing works within an Exchange Server organization, and how Exchange Server routes messages between Active Directory Domain Services (AD DS) sites or outside the Exchange Server organization. Exchange Server 2010 provides several tools for troubleshooting Simple Mail Transfer Protocol (SMTP) message delivery, and this lesson describes how you can use these troubleshooting tools. After completing this lesson, you will be able to: Describe message flow. Describe the components of message transport. Describe how an Exchange Server organization routes messages. Describe message routing between Active Directory sites. Describe options for modifying the default message flow. Describe the tools for troubleshooting SMTP message delivery. Troubleshoot SMTP message delivery.
5-4
Discussion: Overview of Message Flow
Key Points
Exchange Server 2010 uses the SMTP message protocol standard. Therefore, it is important to understand how SMTP works. Exchange Server 2010 also supports several message-flow scenarios. Based on your organizations messaging environment, you can implement a suitable message-flow scenario.
Discussion Questions
Based on your experience, consider the following questions: Question: What is SMTP? Question: What are the various message-flow scenarios? Question: What type of message-flow scenarios do most organizations implement?
5-5
Components of Message Transport
Key Points
The message transport pipeline in Exchange Server 2010 consists of several components that work together to route messages. Messages from outside the organization enter the transport pipeline through an SMTP Receive connector on an Edge Transport server, a Hub Transport server, or another SMTP server. Messages inside the organization enter the transport pipeline through the SMTP connector on a Hub Transport server, through agent submission, from the Pickup or Replay directory, or by direct placement by the store driver in the Submission queue.
Submission Queue
When the Microsoft Exchange Transport service starts, the categorizer creates one Submission queue on each Edge Transport server and Hub Transport server. The Submission queue stores all messages on disk until the categorizer processes them for further delivery. The categorizer cannot process a message unless a server promotes it to the Submission queue. While the categorizer processes a message, it remains in the Submission queue. After the categorizer categorizes a message successfully, it removes it from the Submission queue.
Store Driver
Messages sent by mailbox users enter the message-transport pipeline from the senders Outbox. The store driver on the Hub Transport server retrieves messages from the senders Outbox, and submits them to a Submission queue.
Microsoft Exchange Mail Submission Service

The Microsoft Exchange Mail Submission service is a notification service running on Mailbox servers. It notifies a Hub Transport server role in the local Active Directory site when a message is available for retrieval from a senders Outbox. The store driver on the notified Hub Transport server role picks up the message from the senders Outbox.
5-6
Categorizer
The categorizer retrieves one message at a time from the Submission queue, and always picks the oldest message first. On an Edge Transport server, categorization of an inbound message is a short process in which the categorizer verifies the recipient SMTP address and places the message directly into the delivery queue. From the delivery queue, it routes the message to a Hub Transport server.
Pickup Directory
Most messages enter the message transport pipeline through SMTP Receive connectors or by submission through the store driver. However, messages also can enter the message transport pipeline by being placed in the Pickup directory on a Hub Transport server or an Edge Transport server.
5-7
How Are Messages Routed in an Exchange Server Organization?
Key Points
In an Exchange Server messaging environment, you must deploy a Hub Transport server role in each Active Directory site where a Mailbox server role or a Unified Messaging server is installed. Hub Transport servers deliver all messages in an Exchange Server 2010 organization, including messages sent between two recipients with mailboxes located in the same Mailbox database, on the same site, and between Active Directory sites. The following process describes how a Hub Transport server delivers mail within a single Active Directory site: 1. 2. The message flow begins when a message is submitted to the message store on an Exchange Server 2010 Mailbox server role. When the Microsoft Exchange Mail Submission service detects that a message is available and waiting in an Outbox, it picks an available Hub Transport server and submits a new message notification to the store driver. The store driver retrieves the message from the Mailbox server role. The store driver uses MAPI to connect to the users Outbox and collect any messages that are awaiting delivery. The store driver submits the messages to the categorizer submission queue, for processing, and also moves a copy of the message from the users Outbox to the users Sent Items folder. Note: While the message is passing through the Hub Transport server role, the server can use transport agents to modify the message or the message flow. For example, transport agents can apply custom routing or journaling rules, or perform antivirus filtering. 4. For messages destined to arrive at a Mailbox server on the same Active Directory site, the store driver places the message in a local delivery queue and delivers the message through MAPI to the Mailbox server role.
3.
5-8
5.
6.
For messages destined to arrive at a Mailbox server on another Active Directory site, the Hub Transport server uses the Active Directory site-link information to determine the route to the destination site. After determining the path, the Hub Transport server connects directly to the server on the remote site. If no Hub Transport server on the destination site is available, the store driver routes the message to a Hub Transport server that is closer to the destination site. For messages destined for the Internet, the Hub Transport server delivers the message to an Edge Transport server, which delivers the message to the appropriate Internet e-mail server. If the organization does not use an Edge Transport server, a Hub Transport server delivers the message directly to the appropriate Internet e-mail server using SMTP.
5-9
How Are Messages Routed Between Active Directory Sites?
Key Points
For remote mail-flow scenarios, the initial steps, in which the message passes from the Mailbox server to the Hub Transport server, are identical to those of the local mail-flow scenario.
Understanding Remote Mail Flow

When a message is addressed to a recipient in the same Exchange Server organization, but in a different Active Directory site, the following process takes place: 1. The local Mailbox server uses Active Directory site-membership information to determine which Hub Transport servers are located in the same Active Directory site as the Mailbox server. The Mailbox server submits the message to the local Hub Transport server. If more than one Hub Transport server exists in the site, the Mailbox server will load-balance message delivery to all available Hub Transport servers.
5-10
2.
3.
4.
The Hub Transport server performs recipient resolution and queries AD DS to match the recipient email address to a recipient account. The recipient account information includes the fully qualified domain name (FQDN) of the users Mailbox server. The FQDN determines the Active Directory site of the users Mailbox server. In a default configuration, the local Hub Transport server opens an SMTP connection to the remote Hub Transport server in the destination site, and then delivers the message. After a Hub Transport server in the destination Active Directory site receives the message, it forwards the message to the appropriate Mailbox server in the destination Active Directory site. If the message has multiple recipients whose mailboxes are in different Active Directory sites, Exchange Server uses delayed fan-out to optimize message delivery. If the recipients share a portion of the path, or the entire path, then Exchange Server sends a single copy of the message with these recipients until the bifurcation point. Exchange Server then bifurcates and sends a separate copy to each recipient. For example, if the least-cost routes from Site1 to Site3 and Site4 both pass through Site2, then Exchange Server sends a single copy of a message intended for recipients in Site3 and Site4 to a Hub Transport server in Site2. Then, the Hub Transport server in Site2 sends two copies of the message: one each to a Hub Transport server in Site3 and Site4.
How Exchange Server 2010 Deals with Message-Delivery Failure

If a Hub Transport server cannot deliver a message to a Hub Transport server in the destination site, the Hub Transport server uses the least-cost routing path to deliver the message as close as possible to the destination site. The source Hub Transport server attempts to deliver the message to a Hub Transport server in the last site before the destination site, along the least-cost routing path. The Hub Transport server continues to trace the path backward until it makes a connection to a Hub Transport server. The Hub Transport server queues the messages in that Active Directory site, and the queue is in a retry state. If Hub Transport servers are not available in any site along the least-cost route, the message is queued on the local Hub Transport server. This behavior is called queue at point of failure.
5-11
Options for Modifying the Default Message Flow
Key Points
In some cases, you may want to modify the default message routing configuration. You can do this by configuring specific Active Directory sites as Hub sites, and by assigning Exchange Server-specific routing costs to Active Directory site links. Hub sites are central sites that you define to route messages. By default, Hub Transport servers in one site will try to deliver messages to a recipient in another site by establishing a direct connection to a Hub Transport server in the remote Active Directory site. However, you can modify the default message-routing topology in three ways.
Configuring Hub Sites

You can configure one or more Active Directory sites in your organization as hub sites. When a hub site exists along the least-cost routing path between two Hub Transport servers, the messages are routed to a Hub Transport server in the hub site for processing before they are relayed to the destination server. Important: The Hub Transport server routes a message through a hub site only if it exists along the least-cost routing path. The originating Hub Transport server always calculates the lowest cost route first, and then checks if any of the sites on the route are hub sites. If the lowest cost route does not include a hub site, the Hub Transport server will attempt a direct connection. Use the Set-ADSite Identity sitename HubSiteEnabled $true cmdlet to configure a site as hub site.
Configuring Exchange-Specific Routing Costs

You also can modify the default message-routing topology by configuring an Exchange-specific cost to an Active Directory IP site link. If you assign an Exchange-specific cost to the site link, the Hub Transport server determines the least-cost routing path by using this attribute rather than the Active Directoryassigned cost.
5-12
Note: Use the Set-AdSiteLink Identity ADsitelinkname ExchangeCost value cmdlet to assign Exchange specific routing costs. You also can use the Set-AdSiteLink Identity ADsitelinkname MaxMessageSize value cmdlet to assign a maximum message size limit for messages sent between Active Directory sites.
Configuring Expansion Servers for Distribution Groups

You also can modify the default routing topology by assigning expansion servers for distribution groups. By default, when a message is sent to a distribution group, the first Hub Transport server that receives the message expands the distribution list and calculates how to route the messages to each recipient in the list. If you configure an expansion server for the distribution list, all messages sent to the distribution list are sent to the specified Hub Transport server, which then expands the list and distributes the messages. For example, you can use expansion servers for location-based distribution groups to ensure that the local Hub Transport server resolves them. Best Practice: You might need to review the Active Directory site design when you deploy Exchange Server 2010, to adjust the IP site links and site-link costs so that you optimize delayed fan-out and instead queue at the point of failure.
5-13
Tools for Troubleshooting SMTP Message Delivery
Key Points
Similar to Exchange Server 2007, Exchange Server 2010 also provides several tools for troubleshooting SMTP message delivery. Tip: Exchange Server 2010 relies on the Active Directory site configuration for message routing. Therefore, to troubleshoot a message-routing issue, you might need to use Active Directory tools to validate or modify site, site link, or IP subnet information, and to verify Active Directory replication. You can use the Active Directory Sites and Services tool to view IP subnets and site links.
Using Exchange Server Best Practices Analyzer

The Exchange Server Best Practices Analyzer is a tool that you can use to check the Exchange server configuration and the health of your Exchange server topology. This tool automatically examines an Exchange server deployment and determines whether the configuration is in line with Microsoft best practices. You should run the Best Practices Analyzer after you install a new Exchange server, upgrade an existing Exchange server, or make configuration changes.
Using the Mail Flow Troubleshooter

The Mail Flow Troubleshooter tool assists Exchange Server administrators in troubleshooting common mail-flow problems.
Using the Queue Viewer

Like previous Exchange Server versions, messages waiting to be processed or delivered reside in message queues on the Exchange Server Hub Transport servers. However, unlike Exchange Server versions before 2007, all message queues reside in a local Exchange Server database on the server. The message queues provide a very useful diagnostic tool to locate and identify messages that have not been delivered.
5-14
Note: For more information on the queues that Exchange Server 2010 uses, and the process for troubleshooting message flow, see the Managing Queues page on the Microsoft Technet Web site.
Using Message Tracking and Tracking Log Explorer

You also can use message tracking to troubleshoot message flow. By default, message tracking is enabled on Hub Transport servers, and all message-tracking logs are stored in the C:\Program Files\Microsoft\Exchange Server \TransportRoles\Logs\MessageTracking folder. Note: To view the message-tracking logs, use the Message Tracking and Tracking Log Explorer tools available in the Exchange Management Console Toolbox. In Exchange Server 2010, users also can track their messages using the Exchange Control Panel (ECP). The Message Tracking tool does not provide the level of detail that the Tracking Log Explorer provides. For example, sending a message between two Exchange servers that are in the same Active Directory site does not show the Exchange server names in Message Tracking whereas Tracking Log Explorer provides you with this information.
Using the Routing Log Viewer

You can use the routing log viewer to open a routing log file that contains information about how the routing topology appears to the server. You can use this information when you troubleshoot message routing within the organization or to the Internet.
Using Protocol Logging

You also can configure protocol logging to provide detailed information for troubleshooting message flow. Protocol logging is enabled on the SMTP Send connector or SMTP Receive connector properties, and the log files are stored in C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\ProtocolLog folder.
Using Telnet
You can use Telnet to check if the SMTP port responds, or to directly send a SMTP mail to a connector to see if the connector accepts it. Telnet is a Windows Server 2008 feature, and you use it from the command line using the following syntax: telnet <servername> SMTP or Port #. For example, you can use either TELNET VAN-EX1 SMTP or TELNET VAN-EX1 25, both being basically the same.
5-15
Demonstration: How to Troubleshoot SMTP Message Delivery
Key Points
In this demonstration, you will see how to use Telnet and Queue Viewer to troubleshoot SMTP message delivery.
Demonstration Steps
1. 2. 3. 4. 5. Open the Command Prompt window. To start the Telnet tool, at the command prompt, type Telnet VAN-EX1 SMTP, and try to send a mail using Telnet. In Exchange Management Console, from the Toolbox pane in Exchange Management Console, start the Queue Viewer tool. Suspend and resume the Submission queue. Close Queue Viewer.
5-16
Lesson 2
Configuring Message Transport
To configure message transport in an Exchange Server organization, you must first configure the Hub Transport servers. It is important to understand the various message-transport concepts and components, such as accepted and remote domains and SMTP connectors. This lesson also describes the various tasks of configuring a Hub Transport server and message routing. After completing this lesson, you will be able to: Describe the process for configuring Hub Transport Servers. Configure Hub Transport Servers. Describe the options for configuring message transport. Describe accepted domains. Describe remote domains. Configure accepted and remote domains. Describe an SMTP connector. Configure SMTP Send and Receive connectors. Describe the purpose and functionality of back pressure.
5-17
Process for Configuring Hub Transport Servers
Key Points
By default, when you install a Hub Transport server in an Exchange Server 2010 organization, this enables message routing within the organization. However, you might need to configure additional options on the Hub Transport server role. To configure a Hub Transport server, use the following process: 1. 2. Configure server-specific settings. These settings include internal Domain Name System (DNS) configuration and connection limits. Configure authoritative domains and e-mail address policies. An authoritative domain is one for which the Exchange Server organization accepts messages and has mailboxes. You first must configure an authoritative domain before you can configure e-mail address policies to apply e-mail addresses to recipients and accept inbound SMTP messages for those recipients.
5-18
3.
4.
Configure a postmaster mailbox. For each accepted domain, you must configure a postmaster mailbox. The postmaster mailbox must meet the requirements of RFC 2822, and to receive NDRs and DSNs. You can create a new mailbox, or you can add the postmaster alias to an existing mailbox user. Configure Internet message flow. If you are not deploying an Edge Transport server, you will need to configure the Hub Transport server to enable inbound and outbound mail flow. To enable inbound mail flow, configure an SMTP Receive connector to accept anonymous connections on port 25 using a network interface that is accessible from the Internet. To enable outbound e-mail flow, configure an SMTP Send connector with an address space of *that can use DNS or a smart host to send messages to the Internet. If you are using the Hub Transport server to send and receive e-mail from the Internet, you should configure antivirus and anti-spam agents on the Hub Transport server. Note: We strongly recommend that you use an Edge Transport server role or some other SMTP relay server to send and receive messages from the Internet. If you are using an SMTP gateway server other than an Exchange Server 2010 Edge Transport server role, you still will need to configure the SMTP Send connector and SMTP Receive connector. The only difference is that you should configure the SMTP gateway server as the smart host on the SMTP Send connector and accept only connections from the SMTP gateway server on the SMTP Receive connector. As an alternative to managing your own Edge Transport server role, you should also consider Exchange Hosted Services.
5.
6.
Configure messaging policies. By default, messaging policies are not applied to messages passing through the Hub Transport server role. As part of the Hub Transport server role deployment, you must configure your organizations transport and journaling rules. Configure administrative permissions. As part of the Hub Transport server role deployment, you can choose to delegate permissions to configure and monitor the server.
5-19
Demonstration: How to Configure Hub Transport Servers
Key Points
In this demonstration, you will review the options for configuring Hub Transport servers.
Demonstration Steps
1. 2. 3. 4. On VAN-EX1, if required, click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Console. In Exchange Management Console, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Hub Transport. On the Global Settings tab, double-click Transport Settings and review the options on the Message Delivery tab. In Exchange Management Console, expand Server Configuration, and then click Hub Transport. Open Hub Transport server properties and review the options on the Log Settings tab and Limits tab. At the Exchange Management Shell command prompt, type Get-TransportServer -I van-ex1 |fl, and then press ENTER.
5.
5-20
Options for Configuring Message Transport
Key Points
Exchange Server 2010 supports various additional options that you can configure on the message transport. These options include transport rules, Rights Protection using transport protection rules, journaling, enhanced disclaimers, and moderated transport. Note: This module provides a high-level overview of these options. Module 8 provides more details on these options.
Transport Rules
Transport Rules inspect messages for conditions that the rule specifies, and then applies the rules to messages that meet the conditions, and none of the exceptions. Exchange Server 2010 includes several new predicates and actions, and provides additional flexibility in creating rules and additional options for actions that you can apply to messages.
Rights Protection Using Transport Protection Rules

You can use transport protection rules to protect messaging content by rights-protecting e-mail messages and attachments of supported file types, such as Microsoft Office Word or Microsoft Office Excel. Transport protection rules apply Rights Management Services (RMS) templates to messages in transport, which restrict the recipients that can access a message, and specify the actions that can be performed by recipients of the message, such as printing a message or an attachment, and forwarding a message. You can use the Active Directory Rights Management Services (AD RMS component of Exchange Server 2010 to protect messaging content.
Journaling
Journaling is the ability to record all communications, including e-mail communications, in an organization for use in the organizations e-mail retention or archival strategy.
5-21
Enhanced Disclaimers
Exchange 2010 lets you add disclaimers that can include hyperlinks, images, and HTML-formatted text. You also can insert Active Directory attributes that are substituted for the senders attributes when a message triggers a disclaimer rule.
Moderated Transport
Using the moderated transport feature in Exchange Server 2010, you can make it mandatory that a moderator approves all e-mail messages that are sent to specific recipients. You can configure any type of recipient as a moderated recipient, and Exchange 2010 Hub Transport servers ensures that all messages sent to those recipients go through an approval process.
Anti-Spam and Antivirus Protection

The built-in protection features in Exchange Server 2010 provide anti-spam and antivirus protection for messages. Although these built-in protection features are for use in the perimeter network on the Edge Transport server role, you also can configure the Edge Transport agents on the Hub Transport server. Although, Exchange Server 2010 includes some antivirus protection features, such as transport rules that you can configure to prevent a virus attack, it does not include any virus-scanning software. Therefore, you should consider a third-party virus scanning software, such as Microsoft Forefront Security for Exchange to provide additional antivirus protection.
5-22
What Are Accepted Domains?
Key Points
As part of the Hub Transport server-configuration process, you should configure the domains for which the Hub Transport server will accept e-mail, and configure users with alternate e-mail addresses.
Configuring Accepted Domains

The accepted domain property specifies one or more SMTP domain names for which the Exchange server receives mail. If an SMTP Receive connector on the Exchange Server 2010 Hub Transport server receives a message that is addressed to a domain that is not on the accepted domain list, it rejects the message and sends an NDR. To configure an accepted domain, access the Organization Configuration node, and then click Hub Transport. You can view the current accepted domains in the Accepted Domains tab, and you can create additional domains by clicking New Accepted Domain in the Actions pane. When you create a new accepted domain, you have three options for the domain type you want to create: Authoritative Domain. Select this option if the recipients using this domain name have mailboxes in the Exchange Server organization. Internal Relay Domain. Select this option if the Hub Transport or Edge Transport server should accept the e-mail, but relay it to another messaging organization in another Active Directory forest. The recipients in an internal relay domain do not have mailboxes in this Exchange organization, but do have contacts in the global address list (GAL). When messages are sent to the contacts, the Hub Transport server or Edge Transport server forwards them to another SMTP server. External Relay Domain. Select this option if the Hub Transport or Edge Transport server should accept the e-mail, but relay it to an alternate SMTP server. In this scenario, the transport server receives the messages for recipients in the external relay domain, and then routes the messages to the e-mail system for the external relay domain. This requires a Send connector from the transport server to the external relay domain.
5-23
Note: To configure accepted domains using the Exchange Management Shell, use the NewAcceptedDomain or Set-AcceptedDomain cmdlet.
5-24
What Are Remote Domains?
Key Points
Remote domains define SMTP domains that are external to your Exchange organization. You can create remote domain entries to define the settings for message transfer between the Exchange Server 2010 organization and domains outside your AD DS forest. When you create a remote domain entry, you control the types of messages that are sent to that domain. You also can apply message-format policies and acceptable character sets for messages that are sent from your organizations users to the remote domain. The settings for remote domains determine the Exchange organizations global configuration settings.
Creating Remote Domain Entries

You can create remote domain entries to define the mail-transfer settings between the Exchange Server 2010 organization and a domain that is outside your Active Directory forest. When you create a domain entry, you provide a name to help the administrator identify the entrys purpose when they view configuration settings.
Configuring Remote Domain Settings

The configuration for a remote domain determines the out-of-office message settings for e-mail that is sent to the remote domain and the message format settings for e-mail that is sent to the remote domain.
Out-of-Office Message Settings

The out-of-office message settings control the messages that are sent to recipients in the remote domain. The types of out-of-office messages that are available in your organization depend on both the Microsoft Office Outlook client version and the Exchange Server version on which the users mailbox is located. An out-of-office message is set on the Outlook client but is sent by the Exchange server. Exchange Server 2010 supports three out-of-office message classifications: external, internal, and legacy.
5-25
Message Format Options Including Acceptable Character Sets

You can configure multiple message format options to specify message delivery and formatting policies for the messages that are sent to recipients in the remote domain. The first set of options on the Message Format tab apply restrictions to the types of messages that can be sent to the remote domain, how the senders name displays to the recipient, and the column width for message text. These options include: Allow automatic replies. Allow automatic forward. Allow delivery reports. Allow nondelivery reports. Display senders name on messages. Use message text line-wrap at column. Meeting forward notification enabled.
Message Format Options

Use the Exchange rich-text format settings to determine whether e-mail messages from your organization to the remote domain are sent by using Exchange Rich Text Format (RTF).
Character Sets
The Characters Sets options let you select a MIME character set and a non-MIME character set to use when you send messages to a remote domain.
5-26
Demonstration: How to Configure Accepted and Remote Domains
Key Points
In this demonstration, you will review the default accepted domain configuration, and then see how to configure accepted and remote domains.
Demonstration Steps
1. 2. 3. 4. 5. In Exchange Management Console, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Hub Transport. Click the Accepted Domains tab, and then double-click Adatum.com. Click OK. Click New Accepted Domain and create an accepted domain for adatum.local as Internal Relay Domain. Click the Remote Domains tab, and review the default remote domain settings. Click OK. Click New Remote Domain, and create a remote domain for contoso.com.
5-27
What Is an SMTP Connector?
Key Points
For a Hub Transport server to send or receive messages using SMTP, at least two SMTP connectors must be available on the server. An SMTP connector is an Exchange Server component that supports one-way SMTP connections that route mail between Hub Transport and Edge Transport servers or between the transport servers and the Internet. You create and manage SMTP connectors from the Exchange Management Console or the Exchange Management Shell. Exchange Server 2010 provides two types of SMTP connectors: SMTP Receive connectors and SMTP Send connectors. Note: Exchange Server 2010 automatically creates the Send and Receive connectors that intraorganization mail flow requires. These are implicit connectors that are not visible in the Exchange management tools, and you cannot modify them.
What Are SMTP Receive Connectors?

An Exchange Server 2010 computer requires an SMTP Receive connector to accept any SMTP e-mail. An SMTP Receive connector enables an Exchange Hub Transport or Edge Transport server to receive mail from any other SMTP sources, including SMTP mail programs, such as Windows Mail and SMTP servers on the Internet, Edge Transport servers, or other Exchange Server SMTP servers. You create SMTP Receive connectors on each server running the Hub Transport server role. Use the following naming protocol for the SMTP Receive connectors: Client SERVERNAME Receive connector, which you configure to receive connections from SMTP clients such as Windows Mail; and Default SERVERNAME Receive connector, which you configure to receive authenticated connections from other SMTP servers. The default configuration for the two connectors is almost identical, but with one important difference: you configure the Client SERVERNAME Receive connector to listen on port 587 rather than port 25. As described in RFC 2476, port 587 has been proposed to be used only for message submission from e-mail clients that require message relay.
5-28
What Are SMTP Send Connectors?

An Exchange Server 2010 computer requires an SMTP Send connector to send any SMTP e-mail, and to send e-mail to any SMTP server on the Internet or to any SMTP servers in the same Exchange Server organization. Note: By default, no SMTP Send connectors are configured on Hub Transport servers, except for the implicit SMTP Send connectors. These are created dynamically to communicate with Hub Transport servers in other sites.
How to Manage SMTP Connectors

You can use the Exchange Management Console or the Exchange Management Shell to create, configure, or view SMTP connectors. Note: Incorrect configuration of SMTP Receive connectors can lead to opened relay on the mail server. Therefore, you must carefully test the configuration.
5-29
Demonstration: How to Configure SMTP Send and Receive Connectors
Key Points
In this demonstration, you will see how to configure SMTP Send and Receive connectors.
Demonstration Steps
1. 2. 3. 4. In Exchange Management Console, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Hub Transport. Click the Send Connectors tab and create a New Send Connector. In Exchange Management Console, expand Server Configuration, and then click Hub Transport. Click New Receive Connector and create a Receive connector that allows the anonymous group to send messages.
5-30
What Is Back Pressure?
Key Points
Back pressure is a system-resource monitoring feature of the Microsoft Exchange Transport service that exists on computers that have the Hub Transport server role or Edge Transport server role installed. Back pressure monitors important system resources, such as available hard-disk drive space and available memory. If utilization of a system resource exceeds the specified limit, the Exchange server stops accepting new connections and messages. This prevents the system resources from being completely overwhelmed, and enables the Exchange server to deliver the existing messages. When utilization of the system resource returns to a normal level, the Exchange server accepts new connections and messages. Back pressure can be used to: Monitor system resources, such as available hard disk drive space and memory. Restrict new connections and messages if a system resource exceeds a specified level. Prevent the server from being completely overwhelmed.
For each monitored system resource on a Hub Transport server or Edge Transport server, the following three levels of resource utilization are applied: Normal. The resource is not overused. The server accepts new connections and messages. Medium. The resource is slightly overused. Back pressure is applied to the server in a limited manner. Mail from senders in the authoritative domain can flow. However, the server rejects new connections and messages from other sources. High. The resource is severely overused. Full back pressure is applied. All message flow stops, and the server rejects all new connections and messages.
Options for Configuring Back Pressure

All configuration options for back pressure are available in the EdgeTransport.exe.config application configuration file that is located in the C:\Program Files\Microsoft\Exchange Server\Bin directory.
5-31
The EdgeTransport.exe.config file is an XML application configuration file that is associated with the EdgeTransport.exe file. The Microsoft Exchange Transport service uses the EdgeTransport.exe and MSExchangeTransport.exe executable files. This service runs on every Hub Transport server or Edge Transport server. Exchange Server applies the changes that are saved to the EdgeTransport.exe.config file after the Microsoft Exchange Transport service is restarted.
5-32
Lab: Managing Message Transport
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must: 1. 2. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and the 10135A-VAN-EX2 virtual machines are running: 3. 10135A-VAN-DC1: Domain controller in the Adatum.com domain 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain 10135A-VAN-EX2: Exchange 2010 server in the Adatum.com domain
If required, connect to the virtual machines. Log on to VAN-DC1, VAN-EX1 and VAN-EX2 as Adatum\Administrator, using the password Pa$$w0rd.
Lab Scenario
You are a messaging administrator in A Datum Corporation., which is a large multinational organization that has offices in London, Tokyo, and Vancouver, which is its headquarters. Your organization has deployed Exchange Server 2010 in two of its sites. However, all Internet messages should flow through the main site in Vancouver. As part of your job responsibilities, you need to set up the message transport to and from the Internet and also ensure that the message flow works within and between the various sites.
5-33
Exercise 1: Configuring Internet Message Transport

Scenario
Your organization has deployed Exchange Server 2010 in two of its sites. However, all Internet messages should flow through the main site. As part of your job responsibilities, you need to set up the message transport to and from the Internet. You also want to configure the Hub Transport server for anti-spam. The main tasks for this exercise are as follows: 1. 2. 3. 4. Configure a Send connector to the Internet. Configure a Receive connector to accept Internet messages. Enable anti-spam functionality on the Hub Transport server. Verify that Internet message delivery works.
To prepare for this lab

1. 2. 3. 4. 5. 6. 7. On VAN-EX2, click Start, right-click Network, and click Properties. Click Change adapter settings. Right-click Local Area Connection 2, and click Properties. Click Internet Protocol Version 4 (TCP/IPv4), and click Properties. Change the IP address to 10.10.11.21, and then click OK. Click Close. Click the Start button, and then click Restart. In the Comment field, type Lab restart, and then click OK. After the system is restarted, log on to VAN-EX2 as Adatum\Administrator, using the password Pa$$w0rd. Note: These preparation steps move VAN-EX2 to a second site defined in AD DS.
Task 1: Configure a Send connector to the Internet

1. 2. On VAN-EX1, open Exchange Management Console. Create a new Send Connector with the following configuration: Name: Internet Send Connector Use: Internet Address space: * Route all messages through VAN-DC1.adatum.com
Task 2: Configure a Receive connector to accept Internet messages

1. 2. On VAN-EX1, create a new Receive Connector with the following configuration: Name: Internet Receive Connector Use: Custom Local Network Settings: 10.10.0.10 Change the configuration on the Internet Receive Connector to enable anonymous users to send email and to enable verbose logging.
Task 3: Enable anti-spam functionality on the Hub Transport server

1. On VAN-EX1, open the Exchange Management Shell.
5-34
2. 3. 4.
Switch to the c:\Program Files\Microsoft\Exchange Server\v14\scripts directory and use the install-AntispamAgents.ps1 cmdlet to install the anti-spam agents on the Hub Transport server Restart the Microsoft Exchange Transport Verify that anti-spam configuration options are now available on VAN-EX1 and at the organization level.
Task 4: Verify that Internet message delivery works

1. 2. 3. On VAN-EX1, log on to Outlook Web App as Wei, and send a message to Info@Internet.com. From the Toolbox node in the Exchange Management Console, open the Queue Viewer. Check the queues on VAN-EX1 to verify that the message was delivered. On VAN-DC1, use Telnet to verify that VAN-EX1 accepts anonymous messages. Use Telnet to send a message as Info@internet.com to WeiYu@adatum.com. Results: After this exercise, you should have configured message transport to send and receive messages to and from the Internet using a smart host. You also should have configured anti-spam functionality on a Hub Transport server.
5-35
Exercise 2: Troubleshooting Message Transport

Scenario
You have successfully installed Exchange Server 2010 in two sites. You now need to make sure that mail flow is working correctly. The main tasks for this exercise are as follows: 1. 2. Check the routing log, and verify that mail delivery works correctly. Troubleshoot message transport.
Task 1: Check the routing log, and verify that mail delivery works correctly
1. 2. On VAN-EX1, use the Routing Log Viewer to verify that VAN-EX1 is located in the Default-First-SiteName site, and the VAN-EX2 is located in the Site2 site. Log on to Outlook Web App as Wei, and send an email to Anna, whose mailbox is on VAN-EX2. Verify that the mail is received and that Anna can respond to the e-mail.
Task 2: Troubleshoot message transport

1. 2. 3. 4. 5. 6. 7. On VAN-EX1, in Exchange Management Shell, run the d:\ labfiles\Lab05Prep1.ps1 script. Send another e-mail from Wei to Anna. Verify that the message is not delivered. Use Queue Viewer to investigate mail flow problems. Use Telnet to check connectivity from VAN-EX1 to VAN-EX2 Re-create the receive connector to make mail flow work correctly. Use Queue Viewer to force an immediate retry of message delivery. Verify that Anna received the message. Results: After this exercise, you should have used the Routing Log Viewer to get an overview of your routing topology. For troubleshooting, you should have used the Queue Viewer and Telnet to investigate the mail-flow problem.
5-36
Exercise 3: Troubleshooting Internet Message Delivery

Scenario
Your users complain that messages are not sent correctly to the internet. As part of your job responsibilties, you need to track messages to find out why message flow to the Internet is not working correctly. The main tasks for this exercise are as follows: 1. 2. 3. Send a message to the Internet, and track it. Implement user-based message tracking to verify mail delivery. Troubleshoot Internet message delivery.
Task 1: Send a message to the Internet, and track it

On VAN-EX2, log on to Outlook Web App as Anna and send a message to Info@Internet.com.
Task 2: Implement user-based message tracking to verify mail delivery

Connect to the Exchange Control Panel as Anna, and use the Delivery Reports page to track the message she sent. Search for messages sent to Info@Internet.com.
Task 3: Troubleshoot Internet message delivery

1. 2. 3. 4. 5. On VAN-EX1, in Exchange Management Shell, verify that the shell is focused on c:\Program Files\Microsof\Exchange Server\v14\scripts, and run d:\10135\labfiles\Lab05Prep2.ps1. On VAN-EX2, send a second message from Anna to Info@Internet.com. On VAN-EX1, in the Exchange Management Console, in the Toolbox node, access Message Tracking. Log on to Exchange Control Panel as Administrator, and track the message that Anna sent. Verify that the message state is pending. Use Mail Flow Troubleshooter to troubleshoot mail problems. When starting the Mail Flow Troubleshooter, choose the option to troubleshoot the Messages are backing up in on one or more queues on a server. Choose VAN-EX1 as the Exchange Server. Review the information on each wizard page, and identify the proposed root cause for the issue. On VAN-DC1, use nslookup to try to locate the MX records for internet.com. Configure a smart host in your Send connector. Verify that the messages are now delivered. Results: After this exercise, you should have used tools like Mail Flow Troubleshooter, Queue Viewer, Message Tracking, and nslookup to investigate why messages are not delivered to the Internet.
6. 7. 8.

When you finish the lab, revert the virtual machines back to their initial state by completing the following steps: 1. 2. 3. 4. On the host computer, start Hyper-V Manager. Right-click the virtual machine name in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start.
5-37
5.
To connect to the virtual machine for the next modules lab, click 10135A-VAN-DC1, and then in the Actions pane, click Connect. Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines.
7. 8.
Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine. Wait for VAN-EX1 to start, and then start VAN-SVR1. Connect to the virtual machine.
5-38
Common Issues Related to Managing Message Transport

Identify the causes for the following common issues related to Managing Message Transport, and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module. Issue You configure a Send Connector to the Internet, but messages cannot be transferred over it. You want to understand over what hops the message has been transferred. Your Exchange Server does not accept messages for the domain adatuminfo.com. Troubleshooting tip Use Telnet on the Hub Transport server that is trying to send the mail, and connect to the target SMTP server in the internet to see what the issue is. Many times you cannot reach it because of DNS resolution or firewall settings. Use Message Tracking or view the header of the message in Outlook Web App. Verify that this domain is part of the Accepted Domains in Organization Configuration under Hub Transport.
Implementing Messaging Security
6-1
Module 6
Contents:
Lesson 1: Deploying Edge Transport Servers Lesson 2: Deploying an Antivirus Solution Lab A: Configuring Edge Transport Servers and Forefront Protection 2010 Lesson 3: Configuring an Anti-Spam Solution Lesson 4: Configuring Secure SMTP Messaging Lab B: Implementing Anti-Spam Solutions 6-3 6-19 6-27 6-31 6-44 6-57
6-2
Module Overview
The Edge Transport server role is designed to be placed directly in a perimeter network, therefore directly in the Internet. Placing a server directly in the Internet can be the cause of numerous security concerns. This module describes how to plan for and deploy a Microsoft Exchange Server 2010 Edge Transport server role, and the security issues related to the deployment. This module describes how to configure secure Simple Mail Transfer Protocol (SMTP) messaging as well as Domain Security, a feature available in Exchange Server 2007 and later versions. The Edge Transport role provides powerful anti-spam functionalities, and some antivirus features. As the Edge Transport role does not include a virus scanner, you can integrate additional antivirus products such as Microsoft Forefront Protection for Exchange Server. After completing this module, you will be able to: Deploy Edge Transport servers. Deploy an antivirus solution. Configure an anti-spam solution. Configure secure SMTP messaging.
6-3
Lesson 1
Deploying Edge Transport Servers
In any Exchange Server deployment, it is important that you do not expose too much information to the Internet. You must ensure critical data such as e-mail messages are protected from unauthorized access from the Internet. The Edge Transport server role provides functionalities that secure this data from unauthorized Internet access. If you are planning to place a server in your perimeter network, you should plan to use an Edge Transport server. This lesson describes features and functionalities of the Edge Transport server role, and explains how you can configure data synchronization between Active Directory directory service and the Edge Transport server. After completing this lesson, you will be able to: Describe the Edge Transport server role. Identify the infrastructure requirements for the Edge Transport server role. Describe the functionality of Active Directory Lightweight Directory Services (AD LDS). Configure Edge Transport servers. Describe the purpose and functionality of Edge Synchronization. Explain how Internet message flow works in Exchange Server 2010. Describe the concept of cloned configuration. Configure Edge synchronization. Describe how to secure Edge Transport servers.
6-4
What Is the Edge Transport Server Role?
Key Points
The Edge Transport server role in Exchange Server 2010 provides a secure SMTP gateway for all incoming and outgoing e-mail in an organization. As an SMTP gateway, the Edge Transport servers primary role is to maintain message hygiene, which includes anti-spam and antivirus filtering. You also can use the Edge Transport server to apply messaging policies to messages that are sent to the Internet.
Edge Transport Server Role Functionality

The Edge Transport server role provides the following functionalities. Feature Internet message delivery Description The Edge Transport server role accepts all e-mail coming into the Exchange Server 2010 organization from the Internet, and from servers in external organizations. The Exchange Server 2010 Edge Transport server role helps prevent spam messages and viruses from reaching your organizations users by using a collection of agents that provide different layers of spam filtering and virus protection. Edge transport rules control the flow of messages that are sent to, or received from the Internet. Edge transport rules apply actions to messages that meet specified conditions. Address rewriting enables SMTP address modification for any of your organizations message senders or recipients.
Antivirus and anti-spam protection
Edge transport rules
Address rewriting
Edge Transport Servers Deployment Considerations

When planning to deploy Edge Transport servers, consider the following factors:
6-5
You cannot combine the Edge Transport server role with any other Exchange Server 2010 server role. To provide increased security, you must install the Edge Transport server role on a separate computer, which can be virtual or physical. The computer should not be a member of an Active Directory domain. Note: You should not install the Edge Transport server role on a computer that is a member of the internal Active Directory domain, but you can install it in a perimeter network forest. Even if you install the Edge Transport server role on a member server, the server still uses Active Directory Application Mode (ADAM) or AD LDS to store its configuration and recipient information.
You should deploy the Edge Transport server role in a perimeter network to ensure network isolation from both the internal network and the internal Exchange servers.
6-6
Edge Transport Server Role Infrastructure Requirements
Key Points
The Edge Transport server role is different from any other Exchange Server 2010 server role, because you can install it on servers running the Windows Server 2008 operating system that are not members of the internal Active Directory Domain Services (AD DS). This configuration makes it much easier and more secure to deploy Edge Transport servers in a perimeter network. When deploying Edge Transport servers, consider the following infrastructure requirements: You can install Edge Transport servers either on standalone servers, or on servers that are members of an extranet domain. The computer running the Edge Transport server role must have a fully qualified domain name (FQDN) configured. You must deploy Edge Transport servers in a perimeter network. This configuration provides the highest level of security. The firewall configuration required for Edge Transport servers is greatly simplified, because the server does not need to be an internal domain member. The following table describes the firewall configuration requirements. Firewall External Firewall rule Allow port 25 from all external IP addresses to the Edge Transport server. Allow port 25 to all external IP addresses from the Edge Transport server. Allow port 53 to all external IP addresses from the Edge Transport server. Explanation This rule enables SMTP hosts on the Internet to send e-mail. This rule enables the Edge Transport server to send e-mail to SMTP hosts on the Internet. This rule enables the Edge Transport server to resolve Domain Name System (DNS) names on the Internet.
External
External
6-7
Firewall Internal
Firewall rule Allow port 25 from the Edge Transport server to specified Hub Transport servers. Allow port 25 from specified Hub Transport servers to the Edge Transport server. Allow port 50636 for secure Lightweight Directory Access Protocol (LDAP) from specified Hub Transport servers to the Edge Transport server. Allow port 3389 for Remote Desktop Protocol (RDP) from the internal network to the Edge Transport server.
Explanation This rule enables the Edge Transport server to send inbound SMTP e-mail to Hub Transport servers. This rule enables the Hub Transport servers to send e-mail to the Edge Transport server. This rule enables the Hub Transport server to replicate information to the Edge Transport servers using Edge Synchronization. This port is not the default Secure LDAP port, but it is used specifically for the Edge Synchronization process. This rule is used for optional remote desktop administration of the Edge Transport server.
Internal
Internal
Internal
If the Edge Transport server directly routes e-mail to the Internet, you must configure the server with the IP addresses for Domain Name System (DNS) servers that can resolve DNS names on the Internet.
6-8
What Is AD LDS?
Key Points
The Edge Transport server does not use the Active Directory directory service to store its configuration information; instead, Edge Transport servers use AD LDS to store this data. Note: AD LDS runs only on Windows Server 2008 computers, while the ADAM service can run on Windows Server 2003 computers. AD LDS is an update of ADAM.
What Is AD LDS?
AD LDS is a special mode of the AD DS that stores information for directory-enabled applications. AD LDS is an LDAP-compatible directory service that runs on servers running the Windows Server 2008 operating system. AD LDS is designed to be a standalone directory service. It does not require the deployment of DNS, domains, or domain controllers; instead, it stores and replicates only application-related information.
How AD LDS Works with Exchange Server 2010 Edge Transport Servers
AD LDS stores configuration and recipient data for the Exchange Server 2010 Edge Transport server role. Before you can install the Edge Transport server role, you must install the AD LDS server role on a Windows Server 2008 computer. AD LDS is then configured automatically when you install the Edge Transport server role. The following types of information are stored in AD LDS: Schema Configuration Recipient information
6-9
Managing AD LDS
The AD LDS database is stored in the %programfiles%\Microsoft\Exchange Server\TransportRoles\data\Adam directory. The primary database is adamntds.dit, which is similar to the databases that Exchange Server uses for mailbox stores and mail queue databases. In general, minimal administration is required for the AD LDS instance running on an Edge Transport server. You can make most changes to the AD LDS directory information using Exchange Server 2010 management tools. Note: Before installing the Edge Transport server role, you must install AD LDS on the computer. However, you do not need to perform any configuration steps in AD LDS before installing the Edge Transport server role.
6-10
Demonstration: How to Configure Edge Transport Servers
Key Points
In this demonstration, you will review the Edge Transport server role default configuration before implementing Edge Synchronization.
Demonstration Steps
1. 2. Open the Exchange Management Console. Review the Edge Transport server roles default configuration settings including the default anti-spam settings, Send and Receive Connectors and Accepted Domains.
6-11
What Is Edge Synchronization?
Key Points
Edge synchronization is a process that replicates information from Active Directory directory service to AD LDS on Edge Transport servers. Because Edge Transport servers are not joined to the internal Active Directory domain, they cannot directly access the Exchange Server organization configuration or recipient information that is stored in Active Directory. EdgeSync enables the shared information to be replicated from Active Directory directory service to AD LDS. You can deploy Edge Transport servers without using EdgeSync, but using EdgeSync can decrease the effort needed to administer the Edge Transport servers. The Active Directory contains much of the configuration information required by the Edge Transport server. For example, if you configure accepted domains on the Hub Transport servers, these accepted domains can be replicated automatically to the Edge Transport servers. To enable any filtering or transport rules that are based on recipients, you must implement EdgeSync to replicate the recipient information to AD LDS. Best Practice: When you deploy Edge Transport servers, it is strongly recommended that you also deploy Edge Synchronization.
Information Replicated by Edge Synchronization

After you enable Edge Synchronization, the Edge Synchronization process establishes connections between a Hub Transport server and the Edge Transport server, and synchronizes configuration and recipient information between Active Directory and AD LDS. Important: The internal Hub Transport servers, and not the Edge Transport servers, always initiate EdgeSync replication. EdgeSync replication traffic is always encrypted using Secure LDAP.
6-12
During synchronization, EdgeSync replicates the following data from Active Directory directory service to AD LDS: Accepted domains Recipients (hashed) Safe senders (hashed) Send connectors Hub Transport server list (for dynamic connector generation) Note: The recipient and the safe senders are hashed using a one-way hash, which prevents an attacker from retrieving recipient information from the Edge Transport server.
6-13
How Internet Message Flow Works
Key Points
The primary function of the Edge Transport server is to secure both inbound and outbound Internet email. After you configure an Edge subscription between your organizations Hub Transport servers and the Edge Transport servers in the perimeter network, both inbound and outbound Internet e-mail is enabled.
Default Message Transfer

After you enable EdgeSync, e-mail flows through the Exchange server organization using the following steps: 1. A user submits a message through a Client Access server to the Mailbox server. The Hub Transport server retrieves the message from the Mailbox server, and categorizes it for delivery. In this scenario, the message recipient is outside the organization. The Hub Transport server determines that it must use the EdgeSync sitename to Internet Send connector to send e-mail to the Internet. It locates the Edge Transport server that is configured as the bridgehead server for the connector. The Hub Transport server forwards the message to the Edge Transport server, which sends the e-mail message to the Internet using the EdgeSync sitename to Internet Send Connector. For inbound messages, the sending SMTP connector connects to the Edge Transport server. The Edge Transport server accepts this connection using the Default internal receive connector SERVERNAME, which is configured to accept anonymous connections on port 25 from all IP addresses. The Edge Transport server applies all virus and spam-filtering rules. If the message is accepted, the Edge Transport server uses the EdgeSync Inbound to sitename connector to forward the message to a Hub Transport server configured to accept Internet messages. The Hub Transport server uses the Default SERVERNAME connector to receive the message, and then forwards the message to the appropriate Mailbox server.
2.
3. 4.
5. 6.
6-14
Note: You can modify the default message flow by creating additional SMTP connectors. For example, you may need to create a new SMTP send connector to send e-mail to a specific destination domain. You can do this by creating a new send connector, and then configuring the destination domain name as the address space for the connector. Finally, configure the connector to support the unique message-routing requirements for messages sent to the domain.
6-15
Demonstration: How to Configure Edge Synchronization
Key Points
In this demonstration, you will see how to enable Edge synchronization and test its working. You also will see how to configure address rewriting.
Demonstration Steps
1. 2. 3. 4. 5. On the Edge Transport server, in the Exchange Management Shell, run the New-EdgeSubscription FileName c:\van-edge.xml command on the Edge Transport server. Import the Edge subscription file using the Exchange Management Console on the Hub Transport server. Use Start-EdgeSynchronization and Test-EdgeSynchronization to test Edge synchronization. Review the changes made to the Edge Transport server after Edge Synchronization. Configure address rewriting using the New-addressRewriteEntry command.
6-16
What Is Cloned Configuration?
Key Points
Cloned configuration is the process of configuring multiple Edge Transport servers with identical configurations. The Exchange Server transport services running on Edge Transport servers do not support Windows Failover Clustering. A failover cluster provides high availability by making application software and data available on several servers that are linked together in a cluster configuration. But since failover clustering is not available with Exchange Server transport services, to achieve high availability for messaging transport, you should ensure that multiple Edge Transport servers are available at all times. You can use cloned configuration to ensure that all the Edge Transport servers have the same configuration. You only configure one server, and export the configuration to an XML file that is then imported to the target servers. Note: Although AD LDS supports directory replication, Exchange Server 2010 does not provide an option to use directory replication for configuring multiple Edge Transport servers. You must use cloned configuration if you want to automate this process, and you must repeat the edge-cloning steps each time you make a configuration change on one of the servers.
Configuring Cloned Configuration

To configure cloned configuration, use the ExportEdgeConfig.ps1 and ImportEdgeConfig.ps1 scripts to export configuration information from one Edge Transport server to an identically configured Edge Transport server. You can also use the tool to test configuration changes and offer rollback assistance or to assist in disaster recovery when you deploy a new Edge Transport server, or replace a failed server. To configure cloned configuration, you must perform the following three steps: 1. During the export configuration phase, export the configuration information from an existing Edge Transport server into an XML file. Use the ExportEdgeConfig.ps1 script to export the information.
6-17
2.
3.
Validate the configuration on the target server. In this step, you run the ImportEdgeConfig.ps1 script. This script checks the existing information in the intermediate XML file to see whether the exported settings are valid for the target server, and then it creates an answer file. The answer file specifies the server-specific information used during the next step when you import the configuration on the target server. The answer file contains entries for each source server setting that is not valid for the target server. You can modify these settings so that they are valid for the target server. If all settings are valid, the answer file contains no entries. During the import-configuration phase, use the ImportEdgeConfig.ps1 script to import the information from both the intermediate XML file and the answer file, into a new Edge Transport server.
The ExportEdgeConfig.ps1 and ImportEdgeConfig.ps1 files are Windows PowerShell scripts, not individual cmdlets. The scripts are located in the %programfiles%\Microsoft\Exchange\v14\Scripts folder on all servers running Exchange Server 2010.
6-18
Discussion: Securing Edge Transport Servers
Key Points
The Edge Transport servers in an organization directly face the Internet, and consequently are most susceptible to unauthorized security attacks. Therefore, it is critical that you secure the Edge Transport servers. You can use the various options available in Exchange Server 2010 to secure Edge Transport servers based on your organizational requirements. Discussion Questions Based on your experience, consider the following questions: Question: Why is it important to secure Edge transport servers? Question: What factors should you consider at the operating system level? Question: How do you secure an Edge Transport server?
6-19
Lesson 2
Deploying an Antivirus Solution
Although Exchange Server 2010 already provides some basic antivirus features, it is important to implement a separate antivirus product such as Forefront Protection 2010 for Exchange Server. This lesson describes the importance of protecting your Exchange Server organization from virus attacks, and also describes the Forefront features Security. After completing this lesson, you will be able to: Describe antivirus solution features. Describe the Forefront Protection 2010 for Exchange Server features. Explain the Forefront Protection 2010 deployment options. Explain the best practices for deploying an antivirus solution. Install and configure Forefront Protection 2010 for Exchange Server.
6-20
Antivirus Solution Features in Exchange Server 2010
Key Points
E-mail is one of the most common ways to spread viruses from one organization to another. One of the primary tasks in protecting your Exchange Server organization is to ensure that all messages containing viruses are stopped at the messaging environments perimeter. Exchange Server 2010 includes the following virus protection features: Continuing support of the Virus Scanning application programming interface (VSAPI). In Exchange Server 2010, Microsoft maintains support for the same VSAPI used in Exchange Server 2003 and Exchange Server 2007. Transport agents that filter and scan messages. Exchange Server 2010 introduces the concept of transport agentssuch as the attachment filtering agentto reduce spam and viruses. By enabling attachment filtering on the Edge Transport or Hub Transport servers, you can reduce the spread of malware attachments before they enter the organization. Additionally, third-party vendors can create transport agents that specifically scan for viruses. Because all messages must pass through a Hub Transport server, this is an efficient and effective means to scan all messages in transit. Antivirus stamping. Antivirus stamping reduces how often a message is scanned as it proceeds through an organization. It does this by stamping scanned messages with the version of the antivirus software that performed the scan and the scan results. This antivirus stamp travels with the message as it is routed through the organization, and determines whether additional virus scanning must be performed on a message. Integration with Forefront Protection 2010 for Exchange Server. Forefront Protection 2010 for Exchange Server is an antivirus solution from Microsoft that integrates with Exchange Server 2010 to provide advanced protection, optimized performance, and centralized management. This helps customers deploy and maintain a secure messaging environment. Forefront Protection 2010 for Exchange Server provides: Advanced protection against viruses, worms, phishing, and other threats by using up to five antivirus engines simultaneously at each layer of the messaging infrastructure.
6-21
Optimized performance through coordinated scanning across Edge Transport servers, Hub Transport servers, and Mailbox servers and features, such as in-memory scanning, multithreaded scanning processes, and performance bias settings. Centralized management of remote installation, engine and signature updating, and reporting and alerts through the Forefront Online Server Security Management Console.
6-22
What Is Forefront Protection 2010 for Exchange Server?
Key Points
Forefront Protection 2010 for Exchange Server is a separate antivirus software package that you can integrate with Exchange Server 2010 to provide antivirus protection for the Exchange environment. The following table lists the benefits of implementing Forefront Protection 2010 for Exchange Server. Service Antivirus scan with multiple engines Full support for VSAPI Microsoft IP Reputation Service Description You can automatically scan messages using multiple virus pattern engines, not just a single one. Forefront Protection 2010 for Exchange Server fully supports the Exchange VSAPI. Provides sender reputation information about IP addresses that are known to send spam. This is an IP-block list offered exclusively to Exchange Server. Identifies the most recent spam campaigns. The signature updates are available on a need basis, up to several times a day. Includes automated updates for this filter, available on an as-needed basis, up to several times a day. Automated content filtering updates for Microsoft Smartscreen spam heuristics, phishing Web sites, and other Intelligent Message Filter (IMF) updates.
Spam Signature updates
Premium spam protection Automated content filtering updates
6-23
Forefront Protection 2010 Deployment Options
Key Points
When you implement Forefront Protection 2010 for Exchange Server, you must consider the various deployment options.
Install Forefront Protection 2010

First, you need to determine the servers on which you plan to install Forefront Protection 2010. The number of servers you install Forefront Protection 2010 on will also depend on financial considerations as you will need to buy as many server licenses. As a baseline, you should at least deploy Forefront Protection 2010 for Exchange Server on all Edge and Hub Transport servers. For full protection, you should deploy Forefront Protection 2010 for Exchange Server on all Edge Transport, Hub Transport, and Mailbox servers.
You do not need to install Forefront Protection 2010 on the Client Access server role, because Forefront is only needed on the Mailbox, Edge or Hub Transport server roles. As previously mentioned, Forefront Protection 2010 for Exchange scans each e-mail only once, and then stamps it with a special AV Stamp so that other servers do not scan that message again. This also means that you do not need to scan the Mailbox servers, as any message that comes in or leaves the system is eventually scanned by Forefront Protection 2010 when you install it on the Edge and Hub Transport servers. However, it is up to your security team to decide on this matter.
Forefront Protection 2010 Scanning Considerations

After you decide the servers on which you want to deploy Forefront Protection 2010, you must consider how many scan engines you should use to scan a message, and the types of scan engines that you should use.
6-24
As a best practice, you should use five scanners as this provides an optimum combination with third-party virus scanners. You can also change the selection of the virus scanners later.
6-25
Best Practices for Deploying an Antivirus Solution
Key Points
Although implementing an antivirus solution in Exchange Server is straightforward, there are some factors that you should keep in mind when choosing and configuring an antivirus solution.
Implementing Multiple Antivirus Layers

To provide enhanced security against viruses, you should implement multiple layers of antivirus protection. A virus can enter your organization from the Internet through an e-mail, or from a nonprotected client within your company. Thus, it is a best practice to implement several layers of antivirus protection such as a firewall, Edge Transport server, and at the client-computer level.
Maintaining Regular Antivirus Updates

Installing the antivirus product does not automatically mean that your organization is fully protected. Regular antivirus pattern updates are critical to a well-implemented antivirus solution. You should also monitor that your antivirus patterns are up-to-date frequently. If you have a Microsoft System Center Operations Manager 2007 environment in your organization, you can also use the Forefront Server Security Management Pack to monitor Forefront Protection 2010.
6-26
Demonstration: How to Install and Configure Forefront Protection 2010 for Exchange Server
Key Points
In this demonstration, you will see how to install and configure Forefront Protection 2010 for Exchange Server, and how to manage Forefront Protection 2010.
Demonstration Steps
1. 2. 3. 4. 5. Install Forefront Protection 2010 for Exchange Server. Open the Forefront Protection 2010 administration console. Configure Antimalware - Edge Transport settings. Configure Antispam - Content Filter settings. Configure Global Settings.
6-27
Lab A: Configuring Edge Transport Servers and Forefront Protection 2010
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must: 1. 2. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and the 10135A-VAN-SVR1 virtual machines are running: 3. 4. 5. 6. 7. 8. 9. 10135A-VAN-DC1: Domain controller in the Adatum.com domain 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain 10135A-VAN-SVR1: Standalone server
If required, connect to the virtual machines. Log on to VAN-DC1 and VAN-EX1 as Adatum\Administrator, using the password Pa$$w0rd. Log on to VAN-SVR1 as Administrator, using the password Pa$$w0rd. On the host computer, in Hyper-V Manager, click VANSVR1, and in the Actions pane, click Settings. Click DVD Drive, click Image file, and then click Browse. Browse to C:\Program Files\Microsoft Learning\10135\Drives, click EXCH201064.iso, and then click Open. Click OK. On VAN-SVR1, dismiss the Autoplay dialog box.
6-28
Lab Scenario
You are a messaging administrator in A. Datum Corporation, which is a large multinational organization. Your organization has deployed Exchange Server 2010 internally, and now must extend it so that everyone within the corporation can send and receive Internet e-mail. As part of your job responsibilities, you need to set up an Edge Transport server, and then install an antivirus solution to scan all mail.
6-29
Exercise 1: Configuring Edge Transport Servers

Scenario
Your organization has internally deployed Exchange Server 2010, and now wants to use the Edge Transport server role to replace an existing smart host. You need to deploy the Edge Transport server role, and verify that Internet message flow is working. The main tasks for this exercise are as follows: 1. 2. 3. 4. Install the Edge Transport Server role. Configure Edge Synchronization. Verify that EdgeSync is working and that AD LDS contains data. Verify that Internet message delivery works.
Task 1: Install the Edge Transport Server role

On VAN-SVR1, install the Edge Transport Server role using the Exchange Management Shell.
Task 2: Configure Edge Synchronization

1. 2. 3. Create a new Edge Subscription on the Edge Transport server by using the New-EdgeSubscription FileName c:\VAN-SVR1.xml cmdlet. Copy the xml file to the C: drive on VAN-EX1. On VAN-EX1, in the Exchange Management Console, add the edge subscription to the Hub Transport server.
Task 3: Verify EdgeSync is working, and that AD LDS contains data

1. 2. 3. 4. 5. On VAN-EX1, use the Start-EdgeSynchronization cmdlet to force an immediate Edge Synchronization. Use the Test-EdgeSynchronization cmdlet to test Edge Synchronization. Run the Get-User -Identity Wei | ft Name, GUID cmdlet to obtain the globally unique identifier (GUID) for Wei Yu. On VAN-SVR1, open LDP and connect to VAN-SVR1 using port 50389. Open the CN=Recipients,OU=MSExchangeGateway container and verify that Wei Yus GUID is listed.

1. 2. Configure EdgeSync Send Connector to use 10.10. 0.10 as a smart host for e-mail delivery. Log on to Microsoft Outlook Web App as Wei, and send a test message to the Internet to verify it is working. If you do not receive a non-delivery report, the message has been sent outside the organization. Results: After this exercise, you should have installed an Edge Transport server role, and configured Edge Synchronization between a Hub Transport and an Edge Transport server.
6-30
Exercise 2: Configuring Forefront Protection 2010 for Exchange Servers

Scenario
Virus prevention is critical to your organizations security. As the messaging administrator, you are required to install virus scanning software to scan every message and automatically remove viruses. To implement this functionality, you must install antivirus software and configure it accordingly. The main tasks for this exercise are as follows: 1. 2. 3. Install Forefront Protection 2010 for Exchange Server. Configure Forefront Security for Exchange Server. Verify antivirus functionality.
Task 1: Install Forefront Protection 2010 for Exchange Server

1. On host computer, attach the c:\Program Files\Microsoft Learning \10135\Drives\ForeFrontInstall.iso file to the 10135A-VAN-SVR1 virtual machine. Close the Autoplay dialog box. On VAN-SVR1, install Forefront Protection 2010 for Exchange Server. Accept all defaults, except choose to enable anti-spam later.
2.
Task 2: Configure Forefront Protection 2010 for Exchange Server

1. 2. 3. Open the Microsoft Forefront Server Security Administration Console. Configure the following antimalware settings: Scan messages with all engines. Delete messages with viruses. On the Policy Management pane, expand Global Settings, and then click Advanced Options. Configure the following global settings: Increase the value of Maximum nested depth compressed files to 10 and Maximum nested attachments to 50. Configure the Intelligent Engine management as manual. Change the update schedule for Norman Virus Control to update at 00:30 every day. Results: After this exercise, you should have installed Forefront Protection 2010 for Exchange and configured it. You also should have tested the antivirus functionality of Forefront Protection 2010 for Exchange.

Do not shut down the virtual machines and revert them back to their initial state when you finish this lab. The virtual machines are required to complete this modules last lab.
6-31
Lesson 3
Deploying an Anti-Spam Solution
Spam messages can adversely impact the messaging environment of an organization. Therefore, implementing an anti-spam solution is a critical component of maintaining your organizations messaging environment hygiene. Exchange Server 2010 includes several features that you can use to implement antispam protection in your organization. This lesson provides an overview of the options available for anti-spam filtering, and describes how you can configure your Edge Transport servers to reduce spam in your organization. After completing this lesson, you will be able to: Describe the spam-filtering features available in Exchange Server 2010. Explain how Exchange Server 2010 applies spam filters. Describe the concept of Sender ID filtering. Describe the concept of Sender Reputation filtering. Describe the concept of content filtering. Configure anti-spam options.
6-32
Overview of Spam-Filtering Features
Key Points
The spam-filtering functionality available on the Edge Transport server has a primary advantage when you install it to route all e-mail to and from the Internet. You can implement this anti-spam functionality using a series of Edge Transport server transport agents. Note: Forefront Protection 2010 for Exchange Server does provide more frequent updates for the anti-spam patterns than Exchange Server 2010 built-in anti-spam features. Typically, the built-in anti spam pattern is updated daily, whereas in Forefront Protection 2010, you can configure the updates to update multiple times a day.
Edge Transport Server Anti-Spam Agents

The following table lists the anti-spam agents implemented during the default installation of an Edge Transport server: Agent Connection Filtering Content Filtering Sender ID Sender Default status Enabled Description Filters messages based on the IP address of the remote server that is trying to send the message. Connection filtering uses IP Block lists and IP Allow lists. Filters messages based on the message contents. This agent uses SmartScreen technology to assess the message contents. It also supports safelist aggregation. Filters messages by verifying the IP address of the sending SMTP server against the purported owner of the sending domain. Filters messages based on the sender in the MAIL FROM: SMTP
Enabled
Enabled Enabled
6-33
Agent Filtering Recipient Filtering Sender Reputation Filtering Attachment Filter
Default status
Description header in the message.
Enabled Enabled
Filters messages based on the recipients in the RCPT TO: SMTP header in the message. Filters messages based on many characteristics of the sender accumulated over a specific period. Filters messages based on attachment file name, file name extension, or file Multipurpose Internet Mail Extensions (MIME) content type.
Enabled
Note: You can view all the agents installed on the Edge Transport server by using the GetTransportAgent cmdlet on the Edge Transport server. The default Edge Transport server installation also includes other transport agents, such as the Address Rewriting Inbound Agent, the Address Rewriting Outbound Agent, and the Edge Rule Agent. You cannot use these agents for spam filtering.
Safelist Aggregation
In Exchange Server 2010, the Content Filter agent on the Edge Transport server uses the Microsoft Office Outlook Safe Senders Lists, Safe Recipients Lists, and trusted contacts to optimize spam filtering. Safelist aggregation is a set of anti-spam functionality that Outlook and Exchange Server 2010 share. This antispam functionality collects data from the anti-spam safe lists that Outlook users configure, and makes this data available to the anti-spam agents on the Edge Transport server. You must use the Update-Safelist cmdlet to configure safelist aggregation.
6-34
How Exchange Server 2010 Applies Spam Filters
Key Points
The Edge Transport server role in Exchange Server 2010 uses spam-filtering agents to examine each SMTP connection and the messages sent through it. When an SMTP server on the Internet connects to the Edge Transport server and initiates an SMTP session, the Edge Transport server examines each message using the following sequence: 1. When the SMTP session is initiated, the Edge Transport server applies connection filtering using the following criteria: Connection filtering examines the administrator-defined IP Allow list. Administrators might include the IP addresses for SMTP servers at partner organizations in the IP Allow list. If an IP address is on the administrator-defined IP Allow list, the server does not apply any other filtering and accepts the message. Connection filtering examines the local IP Block list. Administrators might include the IP addresses for the SMTP servers of known spam writers, or other servers from which the organization does not want to receive e-mail, in the IP Block list. If the connection filtering agent finds the IP address of the sending server on the local IP Block list, the server rejects the message automatically, and other filters are not applied. Connection filtering examines the real-time block list (RBL) of any IP Block List Providers that you have configured. If the agent finds the sending servers IP address on an RBL, the server rejects the message, and other filters are not applied.
2.
The Edge Transport server compares the senders e-mail address with the list of senders configured in sender filtering. If the SMTP address is a blocked recipient or domain, the server may reject the connection, and no other filters are applied. Additionally, you can configure the server to accept the message from the blocked sender, but stamp the message with the blocked sender information and continue processing. The blocked sender information is included as one of the criteria when content filtering processes the message.
6-35
3.
4.
5. 6.
The Edge Transport server examines the recipient against the Recipient Block list configured in recipient filtering. If Edge Synchronization is enabled, the Edge Transport server can use the information about recipient filtering from Active Directory. If the intended recipient matches a filtered e-mail address, the Edge Transport server rejects the message for that particular recipient. If multiple recipients are listed on the message, and some are not on the Recipient Block list, further processing is done on the message. Exchange Server 2010 applies Sender ID filtering. Depending on how the Sender ID is configured, the server might delete, reject, or accept the message. If the message is accepted, the server adds the Sender ID validation failure to the message properties. The failed Sender ID status is included as one of the criteria when content filtering processes the message. The Edge Transport server applies content filtering and performs one of the following actions: Content filtering compares the sender to the senders in the Safelist aggregation data from Office Outlook users. If the sender is on the recipients Safe Senders List, the message is sent to the users mailbox store. If the sender is not on the recipients Safe Senders List, the message is assigned a spam confidence level (SCL) rating. If the SCL rating is higher than one of the configured Edge Transport server thresholds, content filtering takes the appropriate action of deleting, rejecting, or quarantining the message. If the SCL rating is lower than one of the Edge Transport server thresholds, the message is passed to a Hub Transport server for distribution to the Exchange Mailbox server containing the users mailbox.
Tip: You can bypass spam filtering for a specific recipient by setting the AntispamBypassEnabled property to True on the users mailbox. This causes the message to bypass filtering and be delivered directly to the recipients mailbox.
6-36
What Is Sender ID Filtering?
Key Points
The Sender ID Framework is an industry standard that verifies the Internet domain from which each e-mail message originates, based on the senders server IP address. The Sender ID Framework provides protection against e-mail domain spoofing and phishing schemes. By using the Sender ID Framework, email senders can register all e-mail servers that send e-mail from their SMTP domain, and then e-mail recipients can filter e-mail from that domain that does not come from the specified servers.
Sender Policy Framework (SPF) records

To enable Sender ID filtering, each e-mail sender must create a Sender Policy Framework (SPF) record and add it to their domains DNS records. The SPF record is a single text (TXT) record in the DNS database that identifies each domains e-mail servers. SPF records can use several formats, including those in the following examples: Adatum.com. IN TXT v=spf1 mx -all. This record specifies that any server that has an MX record for the Adatum.com domain can send e-mail for the domain. Mail IN TXT v=spf1 a -all. This record indicates that any host with an A record can send mail. Adatum.com IN TXT v=spf1 ip4:10.10.0.20 all. This record indicates that a server with the IP address 10.10.0.20 can send mail for the Adatum.com domain. For more information: Microsoft provides the Sender ID Framework SPF Record Wizard to create your organizations SPF records. You can access the wizard on the Sender ID Framework SPF Record Wizard page on the Microsoft Web site.
Sender ID Configuration
After you configure the SPF records, any destination messaging servers that use the Sender ID features can identify your server using Sender ID.
6-37
After you enable Sender ID filtering, the following process shows how all e-mail messages are filtered: 1. 2. The sender transmits an e-mail message to the recipient organization. The destination mail server receives the e-mail. The destination server checks the domain that claims to have sent the message, and checks DNS for that domains SPF record. The destination server determines if the IP address of the sending e-mail server matches any of the IP addresses that are in the SPF record. The IP address of the server authorized to send e-mail for that domain is called the purported responsible address (PRA). If the IP addresses match, the destination server authenticates the mail and delivers it to the destination recipient. However, other anti-spam scanners such as content filtering are still applied. If the addresses do not match, the mail fails authentication. Depending on the e-mail server configuration, the destination server might delete the message or forward it with additional information added to its header indicating that it failed authentication.
3. 4.
6-38
What Is Sender Reputation Filtering?
Key Points
The Exchange Server 2010 Sender Reputation feature makes message filtering decisions based on information about recent e-mail messages received from specific senders. The Sender Reputation agent analyzes various statistics about the sender and the e-mail message, to create a Sender Reputation Level (SRL). This SRL is a number between 0 and 9, where a value of 0 indicates that there is less than a 1 percent chance that the sender is a spammer, and a value of 9 indicates that there is more than a 99 percent chance of it. If a sender appears to be the spam source, then the Sender Reputation agent automatically adds the IP address for the SMTP server that is sending the message to the list of blocked IP addresses.
How Sender Reputation Filtering Works

When the Edge Transport server receives the first message from a specific sender, the SMTP sender is assigned an SRL of 0. As more messages arrive from the same source, the Sender Reputation agent evaluates the messages and begins to adjust the senders rating. The Sender Reputation agent uses the following criteria to evaluate each sender: Sender open proxy test. An open proxy is a proxy server that accepts connection requests from any SMTP server, and then forwards messages as if they originated from the local host. This also is known as an open relay server. When the Sender Reputation agent calculates an SRL, it does so by formatting an SMTP request in an attempt to connect back to the Edge Transport server from the open proxy. If an SMTP request is received from the proxy, the Sender Reputation agent verifies that the proxy is an open proxy and updates that senders open proxy test statistic. HELO/EHLO analysis. The HELO and EHLO SMTP commands are intended to provide the receiving server with the domain name, such as Contoso.com, or the IP address of the sending SMTP server. Spammers frequently modify the HELO/EHLO statement to use an IP address that does not match the IP address from which the connection originated, or to use a domain name that is different from the actual originating domain name. If the same sender uses multiple domain names or IP addresses in the HELO or EHLO commands, there is an increased chance that the sender is a spammer.
6-39
Reverse DNS lookup. The Sender Reputation agent also verifies that the originating IP address from which the sender transmitted the message matches the registered domain name that the sender submits in the HELO or EHLO SMTP command. The Sender Reputation agent performs a reverse DNS query by submitting the originating IP address to DNS. If the domain names do not match, the sender is more likely to be a spammer, and the overall SRL rating for the sender is adjusted upward. SCL ratings analysis on a particular senders messages. When the Content Filter agent processes a message, it assigns an SCL rating to the message. This rating is attached to the message as an SCL, which is a numerical value between 0 and 9. The Sender Reputation agent analyzes data about each senders SCL ratings, and uses it to calculate SRL ratings. More information on SCL ratings +can be found in the next topic, What is Content Filtering?.
The Sender Reputation agent calculates the SRL for each unique sender over a specific time. When the SRL rating exceeds the configured limit, the IP address for the sending SMTP server is added to the IP Block list for a specific time.
Sender Reputation Configuration

You can configure the Sender Reputation settings on the Edge Transport server. By using the Exchange Management Console, you can configure the Sender Reputation block threshold, and configure the timeout period for how long a sender will remain on the IP Block list. By default, the IP addresses are blocked for 24 hours.
6-40
What Is Content Filtering?
Key Points
The Content Filter agent uses SmartScreen technology to analyze the content of every e-mail message, to evaluate whether it is spam. The Content Filter agent is similar to the Exchange Server 2003 Intelligent Message Filter feature. When the Edge Transport server receives a message, the Content Filter agent evaluates the messages content for recognizable patterns, and then assigns a rating based on the probability that the message is spam. This rating is attached to the message as an SCL, which is a numerical value between 0 and 9. A rating of 0 indicates that the message is highly unlikely to be spam, whereas a rating of 9 indicates that the message is very likely to be spam. This rating persists with the message when it is sent to other servers running Exchange Server. Depending on how you configure the content filter, if a messages SCL score is greater than or equal to the threshold you configure, then the Content Filter agent rejects, silently deletes, or quarantines the message.
Content Filtering Configuration

Content filtering is enabled by default on Exchange Server 2010 Edge Transport servers, and is configured to reject all messages with an SCL higher than 7. You can modify the default content filtering settings by using the Exchange Management Console or the Exchange Management Shell. You can modify the following settings in the Exchange Management Console: Configure custom words. You can specify a list of key words or phrases to prevent blocking any message containing those words. This feature is useful if your organization must receive e-mail that contains words that the Content Filter agent normally would block. You also can specify key words or phrases that will cause the Content Filter agent to block a message containing those words. Specify exceptions. You can configure exceptions to exclude any messages to recipients on the exceptions list, from content filtering.
6-41
Specify actions. You can configure the SCL thresholds and threshold actions. You can configure the Content Filter agent to delete, reject, or quarantine messages with an SCL higher than the value you specify. Note: When the Content Filter agent rejects a message, it uses the default response of 550 5.7.1 Message rejected due to content restrictions. You can customize this message using the setContentFilterConfig cmdlet in the Exchange Management Shell.
Configuring the Quarantine Mailbox

When the SCL value for a specific message exceeds the SCL quarantine threshold, the Content Filter agent sends the message to a quarantine mailbox. Before you can configure this option on the Edge Transport server, you must configure a mailbox as the quarantine mailbox by configuring the quarantinemailbox parameter of the set-contentfilterconfig cmdlet. As a messaging administrator, you should regularly check the quarantine mailbox to ensure that the content filter is not filtering legitimate e-mails. Note: Messages are sent to the quarantine mailbox only when the SCL threshold exceeds the value that you configured on the content filter. To see details on all actions that transport agents perform on an Edge Server, use the scripts located in the %programfiles%\Microsoft\Exchange Server\Scripts folder. The Get-AgentLog.ps1 script produces a raw listing of all actions that transport agents perform. The folder contains several other scripts that produce formatted reports listing information such as the top blocked sender domains, the top blocked senders, and the top blocked recipients. By default, the transport agent logs are located at %programfiles%\Microsoft\ExchangeServer\TransportRoles \Logs\AgentLog.
The SCL Junk E-Mail Folder Threshold

If the SCL value for a specific message exceeds the SCL Junk E-mail folder threshold, then the Mailbox server places the message in the Outlook users Junk E-mail folder. If the SCL value for a message is lower than the SCL delete, reject, quarantine, and Junk E-mail folder threshold values, then the Mailbox server puts the message in the users Inbox.
6-42
Demonstration: How to Configure Anti-Spam Options
Key Points
In this demonstration, you will see how to configure the various anti-spam options available in Exchange Server 2010, such as Connection filters, Sender filters, and Recipient filters. You will also see how to configure the Sender ID, Sender Reputation, and content filtering features.
Demonstration Steps
1. 2. Open Exchange Management Console, and on the Edge Transport server, click the Anti-spam tab. Configure the following Connection filters: IP Allow List IP Block List IP Block List Providers
6-43
3. 4.
Add the zen.spamhaus.org domain to the IP Block List Providers list. Configure the following filtering features: Sender filtering Recipient filtering Sender ID Sender Reputation Content filtering
5.
Configure the Edge Transport server to quarantine messages with a SCL rating greater than 7.
6-44
Lesson 4
Configuring Secure SMTP Messaging
To configure secure SMTP messaging, you can use Transport Layer Security (TLS) in Exchange server or Domain security, which is a new feature in Exchange Server 2007 and Exchange Server 2010. This lesson describes how to secure SMTP messaging by using the available options. After completing this lesson, you will be able to: Describe the common SMTP security issues. Describe the options for securing SMTP e-mail. Configure SMTP security. Explain the concept of Domain Security. Explain how Domain Security works. Describe the Domain Security configuration process. Configure Domain Security. Explain how Secure MIME works.
6-45
Discussion: SMTP Security Issues
Key Points
Although SMTP messaging is common in many organizations, there are a few security issues that you must consider. Question: What are the security issues with SMTP? Question: How do you currently secure SMTP?
6-46
SMTP E-Mail Security Options
Key Points
Exchange Server 2010 offers several options to secure SMTP messaging traffic. All these options rely on certificates to encrypt the traffic. The following methods for securing SMTP require that you implement the option both on the source and the target side. Since you most likely will not have access to the target side, the methods listed here have limitations.
IPSec
IPSec provides a set of extensions to the basic IP protocol, and is used to encrypt server-to-server communication. IPSec can be used to tunnel traffic, or peer- to-peer, to secure natively all IP communications. Because IPSec operates on the transport layer and is network-based, applications running on Exchange Server 2010 do not need to be aware of IPSec. You use IPSec normally to secure server-to-server or client-to-server communication. You do not need another encryption method when using IPSec.
VPN
Virtual private network (VPN) also operates on the transport layer, and very often uses IPSec as the underlying protocol. VPN is used for site-to-site or client-to-site connections. Both operate on the transport layer, which can be an advantage over application-layer protocols such as Secure MIME (S/MIME) which does not require the application on both ends to know about the protocol.
TLS
The TLS protocol is the default protocol that is used in an Exchange Server 2010 organization to encrypt server communication. It is a standard protocol that you can use to provide secure Web communications on the Internet or intranet. TLS enables clients to authenticate servers, or optionally, servers to authenticate clients. It also provides a secure channel by encrypting communications. TLS is the latest version of the SSL protocol.
6-47
Exchange Server 2010s Domain Security feature uses TLS with mutual authenticationalso known as mutual TLSto provide session-based authentication and encryption. Standard TLS is used to provide confidentiality by encrypting but not authenticating the communication partners. This is typical of SSL, which is the HTTP implementation of TLS.
S/MIME
S/MIME is a standard that you can use to implement public-key encryption, and e-mail message signatures. You can use encryption to protect message contents so that only the intended recipients can read it. If a message is signed, the recipient can verify whether the message has been changed on the way from the sender to the recipient. S/MIME is a client-based encryption and signing protocol that provides end-to-end security, from the sending mailbox to the receiving mailbox. Unlike other encryption protocols that are session-based on the transport layer (such as TLS) the message also remains encrypted and signed within the mailbox. Even administrators cannot decrypt it if their digital certificate does not allow them to do so. By implementing S/MIME, you can perform the following tasks: Use digital signatures as a way to prove to your communication partners that the content was not altered. Authenticate messages, especially for crucial functions, such as when your employer approves your travel requests. Encrypt messages to prevent accidental content disclosure.
By default, Exchange Server 2010 fully supports S/MIME for message encryption and signatures. Unlike in previous versions, where you must configure every mailbox database, you do not need to configure any server-side setting to support S/MIME. Because S/MIME provides end-to-end security, it is important that the e-mail application you use to read and write S/MIME messages meets the following two requirements: The application must support S/MIME encryption and signatures. You must configure the digital signature in the e-mail application. Note: When using S/MIME, you can send digitally signed messages to anyone, but you can only encrypt messages to recipients whose certificates are available in the Global Address List (GAL) or in contacts.
Alternate Options for Securing SMTP Traffic

Besides the mentioned options, you can also implement authentication and authorization on SMTP connectors for security. This does not enforce traffic encryption, but can prevent unauthorized users from sending SMTP messages to users in your organization, or relaying SMTP messages to the Internet. Authentication and authorization can be configured based on user login, or on IP addresses or IP ranges.
6-48
Demonstration: How to Configure SMTP Security
Key Points
In this demonstration, you will see how to configure an externally secured SMTP Connector and how to configure an SMTP Connector that requires TLS and authentication.
Demonstration Steps
1. 2. 3. 4. 5. Use the Exchange Management Console to create a new Receive Connector. Configure the Receive Connector to be externally secured. Use Telnet to connect to Receive Connector. Configure the Receive Connector to use TLS and authentication. Use Telnet again to connect to Receive Connector.
6-49
What Is Domain Security?
Key Points
Exchange Server 2010 can use TLS to provide security for SMTP e-mail. In most cases, you cannot use TLS when sending or receiving e-mail because SMTP servers are not configured to use TLS. However, by requiring TLS for all SMTP e-mail sent between your organization and other specified organizations, you can enable a high security level for SMTP e-mail.
What Is Domain Security?

The Domain Security feature in Exchange Server 2010 provides a relatively low-cost alternative to S/MIME or other message-encryption solutions. It uses mutual TLS, where each server verifies the identity of the other server by validating the certificate that is provided by the other server. It is an easy way for administrators to manage secured message paths between domains over the Internet. This means that all connections between the partner organizations are authenticated, and all messages are encrypted while in transit on the Internet. TLS with mutual authentication differs from TLS in its usual implementation. Typically, when you implement TLS, the client verifies a secure connection to the intended server by validating the servers certificate, which it receives during TLS negotiation. With mutual TLS, each server verifies the connection with the other server by validating a certificate that the other server provides.
6-50
How Domain Security Works
Key Points
Domain Security works in a manner similar to establishing a TLS connection to an SMTP Receive connector. However, as mutual TLS is used, both the sender and the receiver authenticate one another before they send data. The message takes the following route from one organization to the other when using Domain Security: 1. 2. The Edge Transport server receives the e-mail message from a source Hub Transport server. The Edge Transport server initiates a mutual TLS session to the target Edge Transport server by exchanging and verifying their certificates. This is only established when both the sending and receiving SMTP connector can identify the sending domain. You must set the domain information on the sending side by using the Set-TransportConfig -TLSSendDomainSecureList <domain name> cmdlet. On the receiving side, use the: Set-TransportConfig -TLSReceiveDomainSecureList <domain name> cmdlet to set the domain information.
6-51
3. 4.
The message is encrypted and transferred to the target Edge Transport server. The Edge Transport server delivers the e-mail to the target Hub Transport for local delivery. The message is marked as Domain Secure, which will display in Outlook 2007 or later, and in Outlook Web App.
6-52
Process for Configuring Domain Security
Key Points
To configure Domain Security, you need to perform the following process: 1. On the Edge Transport server, generate a certificate request for TLS certificates. You can request the certificate from an internal, private certification authority (CA) or from a commercial CA. The SMTP server in the partner organization must trust the certificate. When you request the certificate, ensure that the certificate request includes the domain name for all internal SMTP domains in your organization, as well as the FQDN of the Edge Server name as Subject Alternative Name (SAN). Import and enable the certificate on the Edge Transport server. After you request the certificate, you must import the certificate on the Edge Transport server, and then enable the certificate for use by the SMTP connectors that are used to send and receive domain-secured e-mail. Configure outbound Domain Security. To configure outbound Domain Security, use Exchange Management Shell cmdlets to specify the domains to which you will send domain-secured e-mail, and then configure the SMTP Send connector to use domain-secured e-mail. Configure inbound Domain Security. To configure inbound Domain Security, use Exchange Management Shell cmdlets to specify the domains to which you will receive domain-secured e-mail, and then configure the SMTP Receive connector to use domain-secured e-mail. Notify partner to configure Domain Security Domain Security must be configured on both sides (on the sending and receiving side) thus you also need to contact your partners administrator to configure your domain for Domain Security. Test message flow. Finally, send a message to the partner and vice-versa to verify that domain security is working correctly. You can see an extra icon in Outlook and Outlook Web App.
2.
3.
4.
5.
6.
6-53
Note: When you install the Edge Transport server role, a self-signed certificate is issued to the server. No others computers trust this certificate. When you require that the partner organization trust the certificate, you should purchase a certificate from a commercial CA. You also can make cross-forest trust, or import a CAs certificate in the Trusted Root CA store on both sides, if you do not want to purchase a certificate from a commercial CA.
6-54
Demonstration: How to Configure Domain Security
Key Points
In this demonstration, you will see how to configure Domain Security.
Demonstration Steps
1. 2. 3. 4. 5. Verify a computer certificate in the certificate store. Enable Domain Security on the Receive connector. Enable Domain Security on the Send connector. Run Set-TransportConfig -TLSSendDomainSecureList and Set-TransportConfig TLSReceiveDomainSecureList to configure Domain Security partnership. Run Start-EdgeSynchronization to synchronize the changes to the Edge Transport server.
6-55
How S/MIME Works
Key Points
S/MIME is a messaging client-based solution for securing SMTP e-mail. With S/MIME, each client computer must have a certificate, and the user is responsible for signing or encrypting each e-mail.
How S/MIME Secures E-Mail

S/MIME provides e-mail security by using the following options: Digital signatures. When a user chooses to add a digital signature to a message, the senders private key calculates and encrypts the messages hash value, and then appends the encrypted hash value to the message as a digital signature. The users certificate and public key are sent to the recipient. When the recipient receives the message, the senders public key decrypts the hash value and checks it against the message. Digital signatures provide: Authentication. If the public key can decrypt the hash value attached to the message, then the recipient knows that the person or organization who claims to have sent the message did indeed send it. Nonrepudiation. Only the private key associated with the public key could be used to encrypt the hash value, so a message that is digitally signed helps to prevent its sender from disowning the message. Data integrity. If the hash value is still valid when the recipient receives it, any alteration of a message that takes place will invalidate the digital signature.
Message encryption. When a user chooses to encrypt a message using S/MIME, the messaging client generates a one-time symmetric session key, and encrypts the entire message using the session key. The session key then is encrypted using the recipients public key, and the encrypted session key is combined with the encrypted message when the message is sent. When the message arrives at the recipient, the recipients private key decrypts the message.
6-56
Message encryption enhances confidentiality. You can decrypt a message using only the private key associated with the public key that was used to encrypt it. Therefore, only the intended recipient can view the contents.
6-57
Lab B: Implementing Anti-Spam Solutions
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must: 1. 2. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and the 10135A-VAN-SVR1 virtual machines are running. 3. 10135A-VAN-DC1: Domain controller in the Adatum.com domain 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain 10135A-VAN-SVR1: Standalone server
Lab Scenario
You are a messaging administrator in A. Datum Corporation, which is a large multinational organization. After configuring the Edge Transport server and installing an antivirus solution, you must implement an anti-spam solution.
6-58
Exercise 1: Configuring an Anti-Spam Solution on Edge Transport Servers

Scenario
In your organization, users complain that they receive too many spam messages in their inbox, and they want these spam messages automatically moved to the Junk e-mail folder. To limit the number of spam messages received by your organization, you need to increase the SCL junk threshold value for the organization and ensure that junk e-mail above a certain rating is rejected. You also want to configure a Block List Provider. The main tasks for this exercise are as follows: 1. 2. 3. 4. Configure global SCL for junk mail delivery. Configure content filtering to reject junk messages. Configure an IP Allow List. Configure a Block List Provider.
Task 1: Configure DNS for Internet message delivery

1. 2. On VAN-DC1, start DNS Manager In the Adatum.com zone, create an MX record for VAN-SVR1.adatum.com.
Task 2: Configure global SCL for junk mail delivery

1. 2. On VAN-SVR1, configure the content filtering settings to not reject any messages based on SCL values On VAN-EX1, in Exchange Management Shell, use the Set-OrganizationConfig -SCLJunkThreshold 6 cmdlet to configure the global SCL levels..
6-59
3.
On VAN-EX1, in the Exchange Management Shell, run d:\labfiles\Lab6Prep.ps1. This script will send 11 messages from VAN-SVR1 with the following SCL ratings: Mail Sender Msg1@contoso.com Msg2@contoso.com Msg3@contoso.com Msg4@contoso.com Msg5@contoso.com Msg6@contoso.com Msg7@contoso.com Msg8@contoso.com Msg9@contoso.com Msg10@contoso.com Msg11@contoso.com SCL Level 7 8 7 7 8 6 8 7 6 6 8
4. 5.
Log on to Outlook Web App as Wei and verify that three messages were sent to the user mailbox, and that eight messages were sent to the Junk E-Mail folder. View the message details for one of the messages to verify the SCL value assigned to the message.
Task 3: Configure content filtering to reject junk messages

1. 2. 3. On VAN-SVR1, configure content filtering to reject messages that have a SCL rating greater than or equal to 7. On VAN-EX1, run the D:\labfiles\Lab6Prep.ps1 script to send the test messages again. Log on to Outlook Web App on VAN-EX1 as Wei. Verify that three messages are delivered to the Inbox and no messages are delivered to the junk e-mail folder in Weis mailbox. Delete the messages in the Inbox.
Task 4: Configure an IP Allow List

1. 2. 3. On VAN-SVR1, configure the IP Allow List to accept connections from 10.10.0.10. Run the script to send the test messages again. Verify that all messages are delivered to the Inbox in Weis mailbox. The SCL rating should be -1.
Task 5: Configure a Block List Provider

Configure an IP Block List Provider named Spamhaus that uses zen.spamhaus.org as the lookup domain, Results: After this exercise, you should have configured different SCL levels, and verified the behavior of junk mail in user mailboxes. You should also have configured a Block List Provider.
6-60

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps: 1. 2. 3. 4. 5. On the host computer, start Hyper-V Manager. Right-click the virtual machine name in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start. To connect to the virtual machine for the next modules lab, click 10135A-VAN-DC1, and then in the Actions pane, click Connect. Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines. 6. 7. 8. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine. Wait for VAN-EX1 to start, and then start VAN-EX2. Connect to the virtual machine. Wait for VAN-EX2 to start, and then start VAN-EX3. Connect to the virtual machine.
6-61
Review Questions
1. 2. 3. Is Edge Synchronization a mandatory requirement? Which Exchange Server versions support the Domain Security feature? Does the Edge Transport server role in Exchange Server 2010 include virus-scanning capabilities?
Common Issues Related to Edge Synchronization and Domain Security

Identify the causes for the following common issues related to implementing messaging security. For answers, refer to relevant lessons in the module. Issue Troubleshooting tip
You configured Domain Security Ensure both domains trust each others CA. Also, Domain Security with a partner domain, but must be configured on both the local side and the partner side. messages only use TLS for message encryption, not mutual TLS or Domain Security. Edge Synchronization is not working anymore. Youre logged on to your Windows Server 2008 machine using your own account. When you run TestEdgeSynchronization, it shows that the connection is broken. Use Test-EdgeSychronization to verify that the connection is established. If that does not work, try to reestablish the Edge Synchronization. When you use your own account instead of an administrator account to log on to a Windows Server 2008 system, ensure that you always start the Exchange Management Shell in Administrator mode. You sometimes need full access to run a cmdlet.
6-62
Implementing High Availability
7-1
Module 7
Contents:
Lesson 1: Overview of High Availability Options Lesson 2: Configuring Highly Available Mailbox Databases Lesson 3: Deploying Highly Available Non-Mailbox Servers Lab: Implementing High Availability 7-3 7-8 7-21 7-26
7-2
Module Overview
Many people rely on messaging environments so that they can perform critical business tasks, and it is extremely important for your messaging solution to be available for an extended time. Thus, many organizations place strict availability requirements on e-mail and other critical applications. As the Microsoft Exchange Server product has improved over the last decade, it has become very stable and resilient, even in standalone configurations. To be a truly high availability solution, however, further designing and configuration was required. Not only are technology and configuration crucial, but also the processes and procedures that you use to maintain the messaging system. This module describes the high availability technology built into Exchange Server 2010 and some of the outside factors that affect highly available solutions. After completing this module, you will be able to: Describe high availability options. Configure highly available mailbox databases. Deploy highly available non-Mailbox servers.
7-3
Lesson 1
Overview of High Availability Options
High availability is a commonly used term that refers to a specific technology or configuration that promotes service availability. Although many technologies and configurations can lead to highly available configurations, they are not by themselves truly highly available. Much more effort is required to provide a high availability solution. In this lesson, you will review high availability, and some of the factors that go into designing and deploying a highly available solution. After completing this lesson, you will be able to: Describe high availability. Identify the components of a high availability solution. Implement a high availability solution for Mailbox servers. Implement a high availability solution for non-Mailbox servers.
7-4
What Is High Availability?
Key Points
High availability is a system design implementation that ensures a high level of operational continuity over a specific time. Although many people attribute high availability to a specific technology, such as failover clustering or load balancing, you can truly achieve high availability only with good design, testing, training, and operational processes. There are two types of downtime: planned and unplanned. Planned downtime is the result of events you schedule, such as maintenance. By contrast, unplanned downtime is the result of events not within direct control of information technology (IT) administrators. These events can be minor, such as a buggy hardware driver or a processor that fails, or catastrophic, such as flood, fire, or earthquake.
Measuring Availability
Availability often is expressed as the percentage of time that a service is available for use. For example, a requirement for 99.9 percent availability over a one-year period allows 8.75 hours of downtime. In complex environments, organizations typically specify availability for a specific service, such as Exchange messaging, which in turn may have availability goals tied to specific features such as Microsoft Outlook Web App, Simple Mail Transfer Protocol (SMTP) message delivery, and Outlook Anywhere. For more information on high availability, refer to the CD content.
7-5
Discussion: Components of a High Availability Solution
Key Points
Numerous components can comprise a messaging solution, and you should scrutinize them to ensure that failures will not affect the entire solutions availability. Once you identify these components, you can mitigate failures. Question: Which components are important for running a high availability solution? Question: What are some common single points of failure in a messaging solution?
7-6
High Availability Solution for Mailbox Servers
Key Points
Exchange Server 2010 provides a number of improvements for mailbox availability. Although mailbox high availability implementation differs in Exchange Server 2007, the basic concepts are the same. Exchange Server 2010 improves upon many of the Exchange Server 2007 mailbox availability features. For example, one database can have as many as 16 copies on 16 servers, and you can activate it on any of the servers without disconnecting clients. Additionally, to provide increased insurance against corruption, you can set these database copies to not apply transaction logs for up to 14 days. With the appropriate tools, you can use these lag copies to recover database information from a point up to 14 days previously. Details about how mailbox high availability works appears later in this module. There are no changes to public folder high availability in Exchange Server 2010. Although you should consider the location of the public folder servers, create a high availability environment by adding replicas to multiple servers. Since this requires no additional configuration, this module does not discuss public folder high availability.
7-7
High Availability Solution for Non-Mailbox Servers
Key Points
It is as important to have high availability solutions for non-Mailbox server roles as for the Mailbox server roles, because not having them affects connectivity with the Mailbox server. For each of the non-Mailbox server roles, adding redundancy starts with adding multiple servers, and ends with configuring load balancing, whether with configuration, or software or hardware load balancing. If you are familiar with the high availability solutions for non-Mailbox server roles in Exchange Server 2007, these concepts largely hold true in Exchange Server 2010. This module provides details about making each of the non-Mailbox server roles highly available.
7-8
Lesson 2
Configuring Highly Available Mailbox Databases
Historically, the Mailbox server role was the most complex and critical component in a highly available Exchange Server deployment. Although this remains true, to a degree, Exchange Server 2010 reduces the complexity of deploying a highly available Mailbox server. In doing so, it also reduces the likelihood that administrators will configure an Mailbox server cluster improperly. After completing this lesson, you will be able to: Describe database availability group (DAG). Describe Active Manager. Describe continuous replication. Describe how DAGs protect databases. Identify the differences between Exchange Server 2010 and Exchange Server 2007 mailbox availability options. Configure databases for high availability. Create and configure a DAG. Describe the transport dumpster. Describe the failover process. Monitor replication health.
7-9
What Is a Database Availability Group?
Key Points
A DAG is a collection of servers that provides the infrastructure for replicating and activating database copies. The DAG leverages continuous transaction log replication to each of the passive database copies within the DAG, which: Requires the failover clustering feature, although all installation and configuration tasks occur with the Exchange Server management tools. Although a DAG requires the failover clustering feature, Exchange Server does not use Windows failover clustering to handle database failover. Instead, it uses Active Manager to control failover. Uses an enhanced version of the continuous replication technology that was in Exchange Server 2007. The best continuous replication pieces from Exchange Server 2007 were improved. Can be created after you install the Mailbox server. You can set up a Mailbox server to host active mailboxes, and then add it to the DAG later. Allows you to move a single database between servers in the group without affecting other databases. Failover clustering occurs per mailbox database, not for an entire server, which makes Exchange Server 2010 more flexible than previous Exchange Server versions. Allows up to 16 copies of a single database on separate servers. You can add up to 16 servers to a DAG, which allows you to create up to 16 copies of a database. The database copies must be stored in the same path on all servers. For example, if you store Mailbox Database 1 in D:\Mailbox\DB\Mailbox Database 1\ on VAN-EX1, then you must also store it in D:\Mailbox\DB \Mailbox Database 1\ on all other servers that host Mailbox Database 1 copies. Defines the boundary for replication since only servers within the DAG can host database copies. You cannot replicate database information to Mailbox servers outside the DAG.
7-10
What Is Active Manager?
Key Points
Exchange Server 2010 includes a new component called Active Manager. Active Manager replaces the resource model and failover management features that previous Exchange Server versions provided during integration with the cluster service. Exchange Server no longer uses the cluster resource model for high availability. Exchange Server uses a Windows failover cluster, but there are no cluster groups for Exchange Server, and the cluster has no storage resources. In the Failover Cluster Management Console, you will see only the core cluster resources (IP Address and Network Name). The Active Manager runs on all Mailbox servers that are DAG members and runs as either the primary active manager (PAM) or a standby active manager (SAM). The PAM is the Active Manager in a DAG that decides which copies will be active and passive, and it is responsible for processing topology change notifications and reacting to server failures. Far from having a passive role, the SAM provides information about which server hosts the active copy of a mailbox database to other components of Exchange Server, such as the RPC Client Access service and the Hub Transport server. The SAM detects local database and local Information Store failures. It reacts to failures by asking the PAM to initiate a failover (if the database is replicated).
7-11
What Is Continuous Replication?
Key Points
Continuous replication was introduced for Mailbox servers in Exchange Server 2007. This feature creates a passive database copy on another Exchange Server computer in the DAG, and then uses asynchronous log shipping to maintain the copies. The continuous replication process is as follows: 1. 2. 3. The active log is written, and then closed. The Replication Service replicates the closed log to servers hosting the passive databases. Since each copy of the database is identical, the transaction logs are inspected and then replayed or applied to the database copies. The databases remain in sync.
Question: What other technologies use continuous replication?
7-12
How Are Databases Protected in a DAG?
Key Points
The active database copy uses continuous replication to keep the passive copies in sync based on their lag-time setting. A DAG leverages the Windows Server operating system failover clustering feature. However, it relies on the Active Manager server to maintain the status of all of the DAGs hosted databases. You can switch or fail over a single database between DAG servers. However, it is only active on one node at a time. At any given time, a copy is either the replication source or the replication target, but not both. A server may not host more than one copy of a given database. Not all databases need to have the same number of copies. In a 16-node DAG, one database can have 16 copies, while another database is not redundant and contains only the one active copy.
Database failovers occur when failures cause the active database to go offline. Either a single server failure or something specific to a database may cause the failure. A switchover occurs when an administrator intentionally coordinates moving the active database from one server to another.
7-13
Comparing Exchange Server 2010 to Exchange Server 2007 Mailbox Availability Options
Key Points
Exchange Server 2010 extends and improves upon the continuous replication technology that Exchange Server 2007 used. The new high availability model using the DAG is a more flexible and resilient solution than previous high availability solutions. The Exchange Server 2010 database high availability model: Has no single point of failure. Supports backups. Allows up to 16 copies of a database with a 14-day lag time. Can have multiple servers roles run on the same server as the mailbox server. Allows you to move a single database between servers.
7-14
Configuring Databases for High Availability
Key Points
Creating a DAG is only the first step to providing database availability. You must create and configure additional database copies. Not only can you create a database copy initially, but an administrator also can create one at any time. You can distribute database copies across Mailbox servers in a flexible and granular way. You can replicate one, some, or all mailbox databases on a server in several ways. Specify the following information when creating a mailbox database copy: The name of the database you are copying. The name of the Mailbox server that will host the database copy. The amount of time (in minutes) for log replay delay. This is as the replay lag time, which sets how long to wait before the logs are committed to the database copy. Setting the value for replay lag time to 0 turns off log replay delay. The amount of time (in minutes) for log truncation delay. This is truncation lag time, which sets how long to wait before truncating committed transaction logs. Setting the value for truncation lag time to 0 turns off log truncation delay. An activation preference number. This is referred to as a preferred list sequence number, and it represents the activation preference order of a database copy after a failure or outage of the active copy.
DAG Networks
A DAG network is a collection of one or more subnets that Exchange Server uses for either replication traffic or MAPI traffic. Although Exchange Server supports one network adapter and path, we recommend a minimum of two DAG networks. In a two-network configuration, you typically dedicate one network to replication traffic and the other network to MAPI traffic. You can create additional networks in a DAG and configure them as replication networks for redundancy. We recommend that you do not use Internet SCSI (iSCSI) networks for DAG replication.
7-15
Question: How do you plan to use the preferred list sequence number?
7-16
Demonstration: How to Create and Configure a DAG
Key Points
In this demonstration, you will review how to create a new database availability group, add member servers to it, and create a copy of a mailbox database.
Demonstration Steps
1. 2. Click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Shell. Use the New-DatabaseAvailabilityGroup cmdlet to create a Database Availability Group named DAG1 with a WitnessServer on VAN-DC1, and a WitnessDirectory of C:\FSWDAG1. Assign the DAG an IP Address of 10.10.0.25. Use the Add-DatabaseAvailabilityGroupServer cmdlet to add VAN-EX1 as a member. Click Start, click Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console. Use the Manage Database Availability Group Membership Wizard to add VAN-EX2 as a member of DAG1. Use the Add Mailbox Database Copy Wizard to add a copy of Mailbox Database 1 to the second Mailbox server. Note: Once you create a DAG, you then can create and configure DAG networks for replication or for MAPI traffic. Add additional networks for redundancy or improved throughput. Question: What information do you need before you can configure a DAG?
3. 4. 5. 6.
7-17
What Is the Transport Dumpster?
Key Points
If a failure occurs and some transaction logs are not replicated to the passive copy, you can use the transport dumpster to redeliver any recently delivered e-mail. The transport dumpster operates on the Hub Transport servers within Active Directory Domain Services (AD DS) or Active Directory directory service. When a database failover occurs, a request will be made to the Hub Transport servers to redeliver the lost e-mail messages. The next section details database failovers. The transport dumpster only holds e-mail that has been delivered. The local submission queue holds any pending e-mail. Once the transaction logs are replicated to each DAG server, the transport dumpster purges the message.
7-18
Understanding the Failover Process
Key Points
A failover occurs when the server hosting the active database goes offline or something causes the active database to dismount. A switchover occurs when an administrator moves the active database from one server to another. When a failure affecting the active database occurs, Active Manager uses several sets of selection criteria to determine which database copy to activate. In the process for selecting the best copy to activate, Active Manager: 1. 2. 3. 4. Enumerates the available copies. Ignores all unreachable servers. Sorts available copies by how current they are. The factors considered include the content index, copy queue length, and replay queue length. Uses the activation preference, if a tie breaker is necessary.
Database Failovers
Before using the previously mentioned criteria to locate the best copy to activate, a process called attempt copy last logs (ACLL) occurs. ACLL makes parallel remote procedure calls to each DAG Mailbox server that hosts a copy of the mailbox database. This call checks if the server is available and healthy, and to examine the LogInspectorGeneration value for the database copy. The mailbox database copy with the highest LogInspectorGeneration value is the best source for copying log files. After the ACLL process is complete, and if all missing log files were copied from the selected best source, the database mounts without any data loss. This is known as a lossless failure. If the ACLL process fails, then the configured AutoDatabaseMountDial value is consulted. If the number of lost logs is within the configured AutoDatabaseMountDial value, then Exchange Server mounts the database. If the number of lost logs falls outside the configured AutoDatabaseMountDial value, then Exchange Server does not mount the database until either missing log files are recovered, or an administrator explicitly mounts the database and accepts the larger data loss.
7-19
Use the Set-MailboxServer cmdlet to configure the AutoDatabaseMountDial setting for each DAG Mailbox server.
7-20
Demonstration: How to Monitor Replication Health
Key Points
In this demonstration, you will review how to use the Exchange Management Console and Exchange Management Shell to review the available information regarding database-replication health.
Demonstration Steps
1. 2. 3. 4. On VAN-EX1, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console. In the Console Tree, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then expand Mailbox. Review the status of each of the Mailbox Database 1 database. Close Exchange Management Console.
Question: Why is monitoring these statistics important?
7-21
Lesson 3
Deploying Highly Available Non-Mailbox Servers
Other Exchange Server roles now handle some functionality that was handled by the Mailbox server in previous Exchange Server versions. For example, Microsoft Office Outlook clients no longer directly connect to the Mailbox server, but rather connect to the Client Access server for MAPI-based communication. Additionally, the Mailbox server no longer processes mailbox. The Hub Transport server now performs this task. With the other server roles performing more tasks, they become more important to the messaging environments overall health. In this lesson, you will consider providing high availability for these non-mailbox servers. After completing this lesson, you will be able to: Describe and configure high availability for Client Access servers. Describe and configure high availability for Hub Transport servers. Describe and configure high availability for Edge Transport servers.
7-22
How High Availability Works for Client Access Servers
Key Points
A client access array is a load-balanced collection of Client Access servers that is in a single site. Since all client connections, including MAPI, rely on connections to Client Access servers, it is important to provide a redundant server array to improve availability. To create a client access array, you first must deploy multiple Client Access servers. Next, you need to use either hardware or software-based network load balancing to create a cluster. Then, add the name for the network load-balanced cluster into the Domain Name System (DNS). For example, you could add an A record for caa1.contoso.com that points to 10.10.10.25. After adding the DNS record, you can create the client access array and assign it to an Active Directory site using the New-ClientAccessArray cmdlet. Finally, you must assign the client access array to each of the mailbox databases in the site using the Set-MailboxDatabase cmdlet with the RpcClientAccess parameter. A client access array can exist only in a single Active Directory site. Therefore, you would need to create a client access array in each Active Directory site that needs to load balance client access servers.
7-23
How Shadow Redundancy Provides High Availability for Hub Transport Servers
Key Points
Exchange Server 2010 includes the shadow redundancy feature, which provides redundancy for messages for the entire time they are in transit. This is in addition to the transport dumpster. With shadow redundancy, the message deletion from the transport databases is delayed until the transport server verifies that all of the next hops for that message have completed delivery. If any of the next hops fail before reporting successful delivery, the transport server resubmits the message for delivery to that next hop. In the shadow redundancy scenario, the message flow follows these stages: 1. Hub delivers message to Edge. a. Hub opens SMTP session with Edge. b. Edge advertises shadow redundancy support. c. Hub notifies Edge to track discard status. d. Hub submits message to Edge. e. Edge acknowledges the receipt of message and records the Hubs name for sending discard information for the message. f. Hub moves the message to the shadow queue for Edge and marks Edge as the primary server. Hub becomes the shadow server. Edge delivers message to the next hop: a. Edge submits message to third-party mail server. b. Third-party mail server acknowledges the messages receipt. c. Edge updates the discard status for the message as delivery complete. Hub queries Edge for discard status (success case): a. At end of each SMTP session with Edge, Hub queries Edge for discard status on messages previously submitted. If Hub has not opened any SMTP sessions with Edge after the initial
2.
3.
7-24
message submission, it will open an SMTP session with Edge to query for discard status after a specific time. b. Edge checks local discard status and sends back the list of messages that have been delivered, and removes the discard information. c. Hub server deletes the list of messages from its shadow queue. 4. Hub queries Edge for discard status and resubmits the message (failure case): a. If Hub cannot contact Edge, Hub resumes the primary server role and resubmits the messages in the shadow queue. b. Resubmitted messages are delivered to another Edge server, and the workflow starts from step 1. Within Exchange Server 2010, the Shadow Redundancy Manager (SRM) is the core component of a Transport server that is responsible for managing shadow redundancy. The SRM is responsible for maintaining the following information for all the primary messages that a server is currently processing: The shadow server for each primary message being processed. The discard status to be sent to shadow servers. The SRM is responsible for the following, for all the shadow messages that a server has in its shadow queues: Maintaining the list and checking primary server availability for each shadow message. Processing discard notifications from primary servers. Removing the shadow messages from the database once it receives all expected discard notifications. Deciding when the shadow server should take ownership of shadow messages, thus making it the primary server.
7-25
How High Availability Works for Edge Transport Servers
Key Points
Edge Transport servers provide both inbound and outbound e-mail delivery. For outbound delivery, providing high availability is as simple as deploying multiple Edge Transport servers and creating an Edge subscription. If you have deployed Exchange servers in multiple Active Directory sites, you may need additional redundant Edge Transport servers.
Multiple DNS MX Records

The SMTP protocol was created with delivery redundancy in mind. It uses special DNS records called mail exchanger (MX) resource records to locate the authoritative SMTP server for a domain. These records point to the SMTPs fully qualified domain name, which in this case are the Edge Transport servers. You can create multiple MX records and assign them weights. The protocol uses the lower-weighted records before the higher-weighted records. MX records with the same weight are load balanced in round-robin load fashion. If one of the hosts fails to respond, Exchange Server attempts the next host on the list.
Hardware-Based Load Balancing

High availability for inbound e-mail delivery requires multiple load-balanced Edge Transport servers. You can achieve load balancing either with a hardware load balancer or by using multiple DNS records. Using a hardware load balancer balances inbound communication between Edge Transport servers and provides redundancy in case of a server failure. Like Hub Transport servers, Edge Transport servers also support shadow redundancy. However, shadow redundancy does not cover all scenarios, because most of the messaging servers that the Edge Transport role communicates with do not support shadow redundancy.
7-26
Lab: Implementing High Availability
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must: 1. 2. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, 10135A-VAN-EX2, and the 10135A-VAN-EX3 virtual machines are running: 3. 10135A-VAN-DC1: Domain controller in the Adatum.com domain. 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain. 10135A-VAN-EX2: Exchange 2010 server in the Adatum.com domain. 10135A-VAN-EX3: Exchange 2010 server in the Adatum.com domain.
If required, connect to the virtual machines. Log on to the virtual machines as Adatum\Administrator, using the password Pa$$w0rd.
Lab Scenario
You are the messaging administrator for A. Datum Corporation. You have completed the basic installation for three Exchange servers. Now you must complete the configuration so that they are highly available.
7-27
Exercise 1: Deploying a DAG

Scenario
You must complete the Mailbox server high availability configuration by creating a DAG and making the Accounting database highly available. The main tasks for this exercise are: 1. 2. 3. 4. Create a DAG named DAG1 using the Exchange Management Shell. Create a mailbox database copy of the Accounting database. Verify successful completion of database copying. Suspend the database copy on VAN-EX2.
Task 1: Create a DAG named DAG1 using the Exchange Management Shell
1. 2. On VAN-EX1, open the Exchange Management Shell. Use the New-DatabaseAvailabilityGroup cmdlet to create a DAG with the following information: 3. 4. 5. Name: DAG1 WitnessServer: \\VAN-DC1\FSWDAG1 WitnessDirectory: C:\FSWDAG1 IP Address: 10.10.0.80
Use the Add-DatabaseAvailabilityGroupServer cmdlet to add VAN-EX1 as a member of DAG1. On VAN-EX2, open the Exchange Management Console. On the Database Availability Groups tab, add VAN-EX2 as a member of DAG1.
Task 2: Create a mailbox database copy of the Accounting database

1. 2. On VAN-EX1, open the Exchange Management Console. On the Database Management tab, add a mailbox database copy of Accounting to VAN-EX2.
Task 3: Verify successful completion of database copying

On VAN-EX1, view the properties of the Accounting database, and ensure its status is Healthy.
Task 4: Suspend the Accounting database copy on VAN-EX2

On VAN-EX1, suspend the Accounting database copy on VAN-EX2. Results: After this exercise, you should have created a DAG and a mailbox database copy of the Accounting database. The Accounting database copy on VAN-EX2 should remain in a suspended state.
7-28
Exercise 2: Deploying Highly Available Hub Transport and Client Access Servers
Scenario
The network team used a hardware load balancer to load balance VAN-EX1 and VAN-EX2 for Client Access connections. They have assigned a load balanced IP address of 10.10.0.30, and have created a DNS record for the name CASArray.adatum.com. Now you must complete the Client Access configuration. The main tasks for this exercise are: 1. 2. Create and configure a client access array for CASArray.adatum.com. Assign the client access array to the databases.
Task 1: Create and configure a client access array for CASArray.adatum.com

1. 2. On VAN-EX1, open Exchange Management Shell. Use the New-ClientAccessArray cmdlet to create a new client access array named CasArray.adatum.com for the Default-First-Site-Name Active Directory site.
Task 2: Assign the client access array to the databases

1. 2. On VAN-EX1, use the Exchange Management Shell to retrieve a list of all of the databases on VANEX1 and VAN-EX2. Use the Set-MailboxDatabase cmdlet to assign each database on VAN-EX1 and VAN-EX2 the CasArray.adatum.com client access array as the RpcClientAccessServer. Results: At the end of this exercise, you should have created a client access array and assigned it to the databases.
7-29
Exercise 3: Testing the High Availability Configuration

Scenario
You have completed the high availability configuration. You now must verify that the high availability configuration is working properly. The main tasks for this exercise are: 1. 2. 3. 4. 5. 6. 7. 8. 9. Create a SMTP connector associated with VAN-EX1 and VAN-EX2. Stop the SMTP service on VAN-DC1. Send an e-mail to an internal user and an external SMTP address. Use Queue Viewer to locate the message in the queue. Start SMTP service on VAN-DC1 to allow queued message delivery. Verify that the messages were removed from the shadow redundancy queue. Verify the copy status of the Accounting database copy and resume the database copy. Perform a switchover on the Accounting database to make the VAN-EX2 copy active. Simulate a server failure.
Task 1: Create a SMTP connector associated with VAN-EX1 and

VAN-EX2
1. 2. 3. On VAN-EX2, if required, open Exchange Management Console. Create an SMTP send connector named Internet Mail, and then configure an address space of * for the connector. Add VAN-DC1.adatum.com as the Smart host for the connector, and VAN-EX1 and VAN-EX2 as the source servers.
Task 2: Stop the SMTP server on VAN-DC1

On VAN-DC1, stop the Simple Mail Transfer Protocol (SMTP) service.
Task 3: Send an e-mail to an internal user and an external SMTP address

1. 2. On VAN-EX1, log on to Outlook Web App as Adatum\Jason with a password of Pa$$w0rd. Create and send a new e-mail addressed to terry@contoso.com and janedow@adatum.com.
Task 4: Use Queue Viewer to locate the message in the queue

1. 2. 3. 4. On VAN-EX2, open Queue Viewer. Connect to VAN-EX1 and VAN-EX2 to locate which server queues the e-mail sent from Jason. Make note of the server where the message is queued. Examine the shadow redundancy queue on VAN-EX3.
Task 5: Start SMTP service on VAN-DC1 to allow delivery of the queued message
1. 2. On VAN-DC1, open Server Manager. Start the SMTP service.
Task 6: Verify that the messages were removed from the shadow redundancy queue
1. 2. On VAN-EX2, open Queue Viewer. Connect to VAN-EX3, where the message was queued in the shadow redundancy queue, and then verify that it is no longer queued.
7-30
Task 7: Verify the copy status of the Accounting database, and resume the database
copy
1. 2. 3. On VAN-EX2, open the Exchange Management Console. View the database copy health on the Suspended copy on VAN-EX2. Resume the database copy on VAN-EX2, and wait until the copy status is Healthy.
Task 8: Perform a switchover on the Accounting database to make the VAN-EX2 copy
active
1. 2. 3. On VAN-EX2, open the Exchange Management Console. Verify that the active Accounting database is on VAN-EX1. Select the Accounting database on VAN-EX2, and then activate the copy.
Task 9: Simulate a server failure

1. 2. 3. On VAN-EX1, open the Exchange Management Console, and view the status of the Accounting database. In Hyper-V Manager, revert 10135A-VAN-EX2. Verify the Accounting database is now active on VAN-EX1. Results: After this exercise, you should have verified that the mailbox databases could fail over and switch between DAG servers, and that Hub Transport shadow redundancy is working properly.

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps: 1. 2. 3. 4. 5. On the host computer, start Hyper-V Manager. Right-click the virtual machine name in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start. To connect to the virtual machine for the next modules lab, click 10135A-VAN-DC1, and then in the Actions pane, click Connect. Important: Start the VAN-DC1 virtual machine first, and ensure that it starts fully before starting the other virtual machines. 6. 7. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine. Wait for VAN-EX1 to start, and then start VAN-SVR1. Connect to the virtual machine.
7-31
Review Questions
1. 2. Besides planning for Exchanger Server failures, what other failures should you consider? In which scenarios might you use hardware load balancing with Edge Transport servers?
Common Issues Related to Creating High Availability Edge Transport Solutions

Identify the causes for the following common issues related to high availability Edge Transport servers, and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module. Issue Inbound e-mail is not being delivered evenly across all of the Edge Transport servers. After deploying highly available Edge Transport servers, outbound e-mail is being returned as possible spam. Troubleshooting tip Ensure that the DNS MX records have the same value. If the values are not the same, only the records with the lowest value will be used. Verify that your outbound mail servers are configured with a host name that is resolvable on the Internet. Many servers reject e-mail from servers that do not have a name or an IP address that can be resolved on the Internet.

1. An organization has several branch offices with a small number of employees. However, the organization needs to deploy a high availability solution in the remote offices. What configuration can it deploy to meet it business needs? An organization uses a variety of service-level agreements for database availability for different business units. It wants to minimize the number of mailbox servers it deploys. How can it do this?
2.
7-32
Best Practices Related to Designing a High Availability Solution

Supplement or modify the following best practices for your own work situations: Identify all possible failure points before designing a solution. Even the most elaborate and expensive designs can have a simple and crippling failure point. Document all of the components to the solutions so that everyone involved in the deployment understands the solutions configuration how the solution is configured. Follow change-management procedures. In some environments, it may be tempting to skip these steps. However, not following proper change-management procedures often leads to extended, unplanned downtime.
Implementing Backup and Recovery
8-1
Module 8
Contents:
Lesson 1: Planning Backup and Recovery Lesson 2: Backing Up Exchange Server 2010 Lesson 3: Restoring Exchange Server 2010 Lab: Implementing Backup and Recovery 8-3 8-14 8-25 8-37
8-2
Module Overview
Your Exchange Server databases contain the messages for all of your users. Thus, these databases contain the data that is most important for you to ensure is retained and backing up the databases that contain these messages is one of your key concerns regarding your messaging system. Sometimes users accidentally delete their e-mails, and you, as the administrator, must restore their messages. This can take a long time. Microsoft Exchange Server 2010 contains new backup and restore features that you should consider before using the traditional backup-to-tape approach that most organizations use. This module describes the backup and restore features of Exchange Server 2010, and details what you need to consider when you create a backup plan. After completing this module, you will be able to: Plan backup and recovery. Backup Exchange Server 2010. Restore Exchange Server 2010.
8-3
Lesson 1
Planning Backup and Recovery
Before deciding on which backup type you want to use and which software to buy, you first need to consider your available options. Exchange Server 2010 provides many new options for backing up your databases and restoring single items. In this lesson, you will learn the important considerations for backing up and restoring Exchange Server 2010, so that you can create a good plan for your organization. After completing this lesson, you will be able to: Describe the importance of planning for disaster recovery. Integrate high availability and disaster recovery. Identify and mitigate potential Exchange Server 2010 disasters. Recover deleted items. Describe the disaster-recovery options for Mailbox servers. Create a point-in-time database snapshot. Describe backup and restore scenarios.
8-4
Discussion: The Importance of Planning for Disaster Recovery
Key Points
This discussion details the importance of disaster-recovery planning and of having an understanding of the options that Exchange Server has available should a disaster occur. Question: Why is it important to plan for a disaster? Question: What current plan does your organization have for disaster recovery?
8-5
Integrating High Availability and Disaster Recovery
Key Points
You can integrate your high availability deployment with disaster recovery, especially if you consider the Exchange Server 2010 high availability features sufficient to satisfy your backup requirements.
Link Between High Availability and Disaster Recovery

Using Exchange Server 2010 high availability features, such as database availability groups (DAGs), allow you to maintain 16 copies of a message database. Maintaining so many database copies lessens the need for using backup for disaster recovery. You can spread database copies across multiple sites, which allows you to address data-center failures and maintain an off-site copy of a database. In Exchange Server 2010, high availability and disaster recovery go hand-in-hand. DAGs are the basis of high availability, but you also can use them to recover from a disaster in a quick and reliable way.
High Availability Provides Options Beyond Traditional Backup and Restore

Using DAGs to configure a lagged, or point-in-time, copy of a database allows you to delay committing changes to the database for 14 days. Thus, you always maintain a database at the state of the previous day or week. Therefore, should a logical corruption of your current database occur, you can revert to a lagged database copy and commit the transaction logs to a specific time that you decide. The point-in-time database feature, together with maintaining many database copies across multiple sites, means that organizations do not have to perform nightly backups. This is particularly true for medium and large-size organizations.
Large Mailbox Considerations

Mailboxes that are more than 1 gigabyte (GB) in size require a more flexible backup and restore method, because the amount of data they contain is dramatically more than those with which Exchange Server administrators typically deal. Even though the Exchange Server 2010 database structure handles large
8-6
mailboxes better than previous versions, you should be aware of the additional data requirements for backup. The time it takes to restore a backup during disaster recovery skyrockets when you have large mailboxes. When you implement large mailboxes, consider using backup-less Exchange Server and the recoverable items folder in Exchange Server 2010 to recover data. These features provide you with two viable options to move away from traditional backups.
Backup and Restore Requirements in a Highly Available Deployment

Even though it may appear that highly available deployments no longer require traditional backups, they are still important. You may want to use existing backup strategies that provide offsite data storage at secure locations. Sometimes backups also serve an archival purpose, and typically, organizations use tape to preserve point-in-time data for extended periods, as compliance requirements mandate. Additionally, remember that integrating high availability features as an alternative to backups only works for the mailbox database, not for other Exchange Server resources, such as the Hub Transport configuration. You still need to consider using traditional backup for the Hub Transport server. Question: Why should you back up Exchange Server databases?
8-7
Disaster Mitigation Options in Exchange Server 2010
Key Points
As you prepare to implement disaster-recovery solutions in Exchange Server 2010, you first must identify the potential risks to the Exchange Server environment, and then identify the options for mitigating those risks. The following table lists potential risks and the Exchange Server 2010 options for mitigating the risks:
Risks
Loss of a single message Loss of a single mailbox
Risk mitigation strategies
Configure recoverable items folder and deleted item retention settings Recover messages from backup by using the recovery database Configure mailbox-retention settings to ensure that you can recover most
deleted mailboxes before they are deleted permanently Configure hold policy, and recover it from there using a discovery mailbox Recover mailbox using the recovery database
Loss of a database or server
Create a DAG on another server Back up the Exchange Server data, and recover lost mailbox databases from
backup
Install Exchange Server 2010 with /m:RecoverServer

Loss or corruption of a mailbox database Loss of a public folder database
Create a lagged database copy in a DAG environment Back up the Exchange Server data, and recover lost mailbox databases from
backup
Implement public folder replicas on other computers running Exchange Server
Loss of an Exchange Implement redundant computers running Exchange Server for each role Server computer Back up all information on the computer running Exchange Server, and running the Hub
8-8
Risks
Transport, Client Access, or the Unified Messaging server roles
Risk mitigation strategies

recover the server from backup Install Exchange Server 2010 on a new computer in Recover Server mode
Loss of an Exchange Implement redundant databases using DAGs Server computer Implement a dial-tone recovery running the Mailbox Back up all information on the computer running Exchange Server, and server role recover the server from backup Install Exchange Server 2010 on a new server in Recover Server mode Loss of an Exchange Implement redundant Exchange servers for each role Server computer Back up all information on the computer running Exchange Server, and restore running the Edge the server from backup Transport server role Back up the Edge Transport server configuration using ExportEdgeConfig, and restore from backup Loss of a supporting Implement redundant servers for each of the required services service, such as DNS Implement a disaster-recovery plan for restoring Active Directory Domain or the Active Services (AD DS) or Active Directory directory service from backup Directory
8-9
Demonstration: Recovering Deleted Items
Key Points
In this demonstration, you will review how to configure the global hold policy for recoverable items, so that you can recover a deleted folder using the Discovery Search Mailbox.
Demonstration Steps
1. 2. 3. 4. 5. 6. 7. 8. At the Exchange Management Shell prompt, type Set-Mailbox ScottMacDonald SingleItemRecoveryEnabled:$true, and then press ENTER. At the Exchange Management Shell prompt, type New-ManagementRoleAssignment -Role Mailbox Import Export -User adatum\administrator, and then press ENTER. In the Exchange Management Console, assign the Administrator account full access permissions to the Discovery Search Mailbox. In Scott MacDonalds mailbox, create a new folder, populate that folder with messages, and then delete the folder. Login to Microsoft Outlook Web App as Administrator to define a Mailbox Search. Open the Discovery Search Mailbox, and verify that it contains the deleted message. Use the Export-Mailbox cmdlet to recover the folder to its original mailbox. Verify that the message was recovered by accessing Scott MacDonalds mailbox.
Question: What is the benefit of using this feature to recover mailboxes compared to existing brick-level backup solutions?
8-10
Disaster-Recovery Options for Mailbox Servers
Key Points
Exchange Server 2010 includes new recovery options for mailbox servers.
Disaster Recovery with DAGs

The ability to create up to 16 database copies, even on off-site servers, allows you to recover a copy quickly and easily if one is destroyed or unavailable. Failover in the DAG is configured automatically, so the clients should not encounter much disturbance.
Mailbox Servers in a DAG Can Host Other Server Roles

Unlike previous Exchange Server versions, each Mailbox server that hosts a DAG also can host other server roles, such as Hub Transport and Client Access servers. Thus, you can deploy all server roles, including the DAG, at a branch office or a remote site that does not have the budget to implement an expensive server environment. All an organization needs is one Exchange server to support both its server and disasterrecovery needs.
Point-in-Time Database Snapshot with Lagged Copy of DAG

If your organization requires a point-in time copy of mailbox data, use Exchange Server 2010 to create a lagged copy in a DAG environment. You can use lagged database copies in the rare event that a logical corruption replicates across the DAG databases, resulting in a need to return to a previous point in time. For example, you can configure the lagged database to commit log files to a maximum of two weeks. You also can place this database copy on a server at another site.
Recovery Database to Recover Mailboxes, Folders, or Items

In Exchange Server 2010, the recovery database replaces the Recovery Storage Group (RSG) found in Exchange Server 2007. The recovery database is an additional database that you mount on your server to recover single messages, folders, or entire mailboxes from an offline or online backup of your Exchange database.
8-11
Lower Cost of DAG Backup Compared to Traditional Backup

Evaluate the cost of your current backup infrastructure, including hardware, installation, and license costs, as well as the management cost associated with recovering data and maintaining the backups. Depending on your organizations requirements, a DAG environment may provide lower total cost of ownership (TCO) than a traditional backup environment.
8-12
Demonstration: How to Create a Point-in-Time Database Snapshot
Key Points
In this demonstration, you will review how to configure a database copy on a remote server, and how to configure a database copy to be a lagged database. Additionally, you also will see how to disable an active server to prevent accidental activation.
Demonstration Steps
1. At the Exchange Management Shell prompt, type New-DatabaseAvailabilityGroup Name DAG1 WitnessServer VAN-DC1 -WitnessDirectory C:\FSWDAG1 DatabaseAvailabilityGroupIPaddresses 10.10.0.100, and then press ENTER. Note: You can only place the witness directory on a Hub Transport server when you are using the Exchange Management Console. However, when using the Exchange Management Shell, you can place the witness directory on any server, including a server that is not running the Exchange server role. 2. 3. On the Exchange Management Console, add VAN-EX1 and VAN-EX2 to DAG1, and then add a copy of the Accounting database to VAN-EX2 with a replay lag time of 7 days. At the Exchange Management Shell prompt, type Set-MailboxServer VAN-EX2 DatabaseCopyAutoActivationPolicy Blocked, and then press ENTER.
8-13
Backup and Restore Scenarios
Key Points
Even though Exchange Server 2010 supports backup-less scenarios, there are cases in which your organization may want to maintain its traditional backup methods.
No Available DAGs
Organizations that do not use DAGs need to consider traditional ways to back up their databases.
Single Exchange Server Implementation

Single Exchange Server implementations are not conducive to DAG usage because it requires adding more server hardware. Traditional backups to disks or tapes are the option to follow here.
Utilize an Existing Backup Environment

Your companys backup strategy might force you to follow other applications if you have an existing backup environment available in which all other applications will back up their data. So even when you maintain multiple copies of your database, you are required to have a copy of it in your backup environment.
Backups Are Governed by Compliance Requirements

You typically use tape backups if there is an archival reason to preserve data for an extended time, as governed by compliance requirements. Especially if the storage is long-term, sometimes up to 10 years, you also need to ensure that you can access the data in the future.
8-14
Lesson 2
Backing Up Exchange Server 2010
Backing up your companys data is the most serious task in your Exchange Server installation. You cannot recover necessary data if you have not backed it up correctly. In this lesson you will learn the different ways that you can back up data with Exchange Server 2010. After completing this lesson, you will be able to: Describe the backup changes in Exchange Server 2010. Describe the backup requirements for Exchange Server 2010. Describe backup strategies. Describe how a Volume Shadow Copy Service (VSS) backup works. Select an Exchange Server backup solution. Back up Exchange Server 2010.
8-15
Changes to Backup in Exchange Server 2010
Key Points
Exchange Server 2010 changes to the backup application-programming interface (API) and the underlying database structure affects how you backup the Exchange Server database.
Removal of ESE Streaming APIs for Backup and Restore

Previously, Exchange Server used Extensible Storage Engine (ESE) streaming APIs for backup and restore. Now, Exchange Server 2010 supports only VSS-based backups. To back up and restore Exchange Server 2010, you must use an Exchange Server-aware application that supports the VSS writer, such as Microsoft System Center Data Protection Manager or a third-party Exchange Server-aware, VSS-based application.
Storage Group Removal

One significant change in Exchange Server 2010 is the removal of storage groups. In Exchange Server 2010, each database is associated with a single log stream as represented by a series of 1 megabyte (MB) log files. Each Mailbox server can host up to 100 active and passive databases.
Database Not Closely Linked to a Specific Mailbox Server

Another significant change for Exchange Server 2010 is that databases no longer link closely to a specific Mailbox server. Database mobility expands the systems use of continuous replication, by replicating a database to multiple servers. This provides better database protection and increases availability. If failures occur, the other servers with database copies can mount the database.
Use DAGs for Backup-Less Exchange Server

Because you can have multiple database copies hosted on multiple servers, you can also consider maintaining a backup-less Exchange Server organization in which you enable circular logging on your databases. This removes the transaction log files so they do not pile up. Transaction log files are removed when you do a full Exchange Server backup. Circular logging accomplishes the same task in a backup-less environment.
8-16
Backup Requirements for Exchange Server 2010
Key Points
The backup requirements for Exchange Server 2010 computers differ depending on the Exchange server roles that you install on the computers. The following table lists the information that you need to back up for each Exchange server role:
Exchange server role Backed-up data

All roles System State of server and Active Directory database on domain controllers
Purpose
System State includes the local configuration data of the machine AD DS and Active Directory store most Exchange server configuration information, which is required to rebuild the server using Recover Server mode
Mailbox server Client Access server
Databases and transaction logs Restore data if a database or storage group is lost Server certificates used for Secure Sockets Layer (SSL) Specific Internet Information Server (IIS) configuration Message-tracking logs Restore the server certificate on a new Client Access server Restore IIS configuration Restore tracking information for analysis
Hub Transport server, Edge Transport server Edge Transport server
Content-filtering database
Restore the content-filtering configuration Restore the Edge Transport server configuration by enabling edge synchronization Restore audio prompts
Unified
Custom audio prompts
8-17
Exchange server role Backed-up data

Messaging server
Purpose
The Exchange Server environment includes additional information, such as the Offline Address Book, availability data that a local folder stores, and other configuration data. This information is rebuilt automatically when you rebuild the Exchange Server environment. AD DS and Active Directory store much of the configuration information, which you can restore only if an Active Directory domain controller is available. You must ensure that your disaster-recovery planning includes backing up and restoring AD DS and Active Directory.
8-18
Backup Strategies
Key Points
You can use Windows Server Backup in Windows Server 2008 or a third-party Exchange Server-aware backup tool to implement different backup strategies. The backup strategies from which you can choose include full, full plus incremental, full plus differential, copy, and brick-level backup. Each backup strategy has advantages and disadvantages in terms of storage requirements and performance. The backup strategy you select can affect how the restore process occurs.
Full Backups
A full backup performs an online backup of both the database files and transaction logs. After successful completion of a full database backup, transaction logs that have been committed to the Exchange Server database are deleted. Note: If a backup is not functioning properly, transaction logs on a server can grow quickly and cause a partition to run out of space. When the partition holding the transaction logs is out of space, the databases will dismount and be unavailable for use. A full backup each day is the preferred strategy. Restoring a full backup is simple, and it requires only one backup set.
Full Plus Incremental Backups

An incremental backup captures only the data that changed since the last full or incremental backup. Transaction logs are the only data included in this backup, and committed transaction logs are deleted after a successful incremental backup. If you enable circular logging, this backup option is not available.
8-19
Full Plus Differential Backups

A differential backup captures only the data that has changed since the last full backup. This backup strategy only backs up the transaction logs. A differential backup never removes the transaction logs. If you enable circular logging, this backup option is not available.
Copy Backups
A copy backup is equivalent to a full backup of the databases. However, the transaction logs are not backed up, deleted, or marked in any way. This ensures that the copy does not affect scheduled incremental or differential backups.
Brick-Level Backups
Brick-level backups copy every message in all mailboxes. As a result, identical messages stored in several mailboxes all are backed up. This type of backup requires much more storage capacity and time than standard backup strategies, and it results in a backup that is significantly larger than the Exchange Server database. For a brick-level backup, you need specific third-party backup software that is capable of storing the backed-up data so you have single-item recovery. You use this when a user requests single-item recovery, even though the item is not available in the Deleted Items folder anymore.
8-20
How Does a VSS Backup Work?
Key Points
Exchange Server 2007 and Exchange Server 2003 include two different options for data backup and recovery: ESE streaming backup APIs and support for the VSS backup APIs. ESE streaming APIs are not available in Exchange Server 2010, thus you must back up Exchange Server with VSS backup APIs.
What Is VSS?
VSS provides the backup infrastructure for Windows Server 2008, as well as a mechanism for creating consistent point-in-time data copies, which are known as shadow copies. VSS produces consistent shadow copies by coordinating with business applications, file-system services, backup applications, fast-recovery solutions, and storage hardware. It includes the following components: Writer. The VSS writer that is included with Exchange Server 2010 and that coordinates Exchange Server 2010s input/output (I/O) with VSS. Requestor. Backup or restore application, such as Windows Server Backup. Provider. Low-level system or hardware interfaces, such as Storage Area Networks (SANs).
How VSS Backup Works

Backup solutions that use VSS create a shadow copy of the disk as the backup process begins. Then, Exchange Server creates the backup with the shadow copy rather than the working disk, so that backup does not interrupt normal operations. This method offers the following advantages: It produces a backup of a volume that reflects that volumes state when the backup begins, even if the data changes while the backup is in progress. All the data in the backup is internally consistent, and it reflects the volumes state at a single point in time.
8-21
It notifies applications and services that a backup is about to occur. The services and applications, such as Exchange Server, therefore can prepare for the backup by cleaning up on-disk structures and flushing caches.
Exchange Server Support for VSS Backup

To perform a VSS backup, you must enable the VSS on the Exchange server, and the third-party backup solution must support the VSS backup and restore APIs. Exchange Server 2010 support for VSS has the following limitations: VSS support is at the database level. VSS support is for normal backups and copy backups, but not for incremental or differential backups.
8-22
Considerations for Selecting an Exchange Server Backup Solution
Key Points
When selecting a backup solution for Exchange Server, you must consider your systems characteristics and those of the software and hardware. System characteristics to consider include: The amount of data you are backing up. The time window in which the backup can occur. The type of backup you are performing. Recovery time requirements. Archiving requirements.
Backup Software Selection Criteria

The following table provides some basic criteria for selecting backup software. Select the software that best meets the needs of your Exchange Server deployment and disaster-recovery requirements.
Selection criteria
Backup architecture
Explanation
Your backup software should provide support for any operating systems that you have. Additionally, the backup software should be able to back up Exchange Server to your desired media, either on the local computer or over the network. Windows Server Backup is not capable of backing up to a remote tape drive. Your backup software should support the ability to schedule backups that you require for your organization. Most backup software allows you to schedule jobs at any time you require. However, it is easier to configure in some software packages.
Scheduling
8-23
Selection criteria
Brick-level backup support Exchange Server VSS API support Tape management
Explanation
If desired, ensure that your software supports brick-level backups. Your backup software must support the Exchange Server Backup VSS API to perform online backups successfully. Different backup software has varying degrees of flexibility for tape management. This includes automated naming of blank tapes and preventing existing tapes from being overwritten accidentally. Vendor support is essential if you experience any problems during disaster recovery. Ensure that vendor support is available for your backup software. Some backup software has a disaster-recovery option that provides complete disaster recovery for a failed server, including Exchange Server. Your backup software must support the technologies that your company uses, including clustering or SANs.
Vendor support Disaster-recovery support Hardware support
Windows Server Backup

When you install the Exchange Management Console on a server running Windows Server 2008, it updates Windows Server Backup to support Exchange Server 2010. Windows Server 2008 enables you to perform VSS-based backups of Exchange Server data. For many smaller organizations, Windows Server Backup provides a sufficient solution. However, larger organizations may require a more robust backup strategy. Windows Server Backup limitations include: Backups only performed at volume level. You can only perform full backups, not incremental or differential backups. Backup support for active databases but not passive databases. Only available for Windows Server 2008 or Windows Server 2008 R2. Windows Server Backup command-line tools are not compatible with Exchange Server 2010.
Backup Hardware Selection Criteria

The two most common types of backup hardware are tape and disk. Which you use depends on your requirements. The following table lists the characteristics of using either a tape or disk for backup:
Characteristic
Speed Capacity
Tape
Slower Up to 400 GB per tape (Tape libraries allow the use of multiple tapes.) Yes
Disk server Portable disk

Faster Large Faster 1+ terabyte (typical) per disk
Off-site storage
Typically no Yes Excellent OK
Media durability Excellent
Many organizations use disk-based backup as the first tier, and then utilize tape as a second tier. This allows you to perform primary backups quickly to disk. Typically, any data that you need to archive off site is backed up to tape from the disk backup.
8-24
Demonstration: How to Back Up Exchange Server 2010
Key Points
In this demonstration, you will review how to install the Windows Server Backup program and how to use Windows Server Backup to back up Exchange Server 2010. You will also use the Event Viewer to verify that the Exchange Server databases were backed up correctly.
Demonstration Steps
1. 2. 3. In Server Manager, add the Windows Server Backup feature. In Windows Server Backup, create a backup set to back up the C: drive and run the backup. In Event Viewer, verify that the Exchange Server databases are part of the backup and that they have been backed up successfully.
Question: Do you plan to can use Windows Server Backup as your primary Exchange Server backup solution?
8-25
Lesson 3
Restoring Exchange Server 2010
Another important component in ensuring availability of e-mail services is planning for recovery. Organizations that implement high availability solutions still need to plan for scenarios in which the high availability solutions are not enough. These scenarios might include something as minor as needing to recover a single mailbox or message, to something as catastrophic as losing an entire data center. This lesson discusses how to restore Exchange Server 2010. After completing this lesson, you will be able to: Describe restore strategies. Recover data using the recovery database. Recover data by using the recovery database. Describe dial-tone recovery. Implement dial-tone recovery. Describe database mobility. Recover computers that run Exchange Server.
8-26
Restore Strategies
Key Points
You can use several strategies to restore Exchange Server data. The strategy that you select depends upon the data that you need to recover.
Hold Policy and Single Item Recovery

This is a new Exchange Server 2010 feature. When you enable the Single Item Recovery feature for a mailbox, it keeps items that are purged from the Deleted Items folder in a new dumpster folder for a specific time. This folder is not accessible to the end user, but it is accessible to administrators assigned to the Discovery Management role. Essentially, you can ensure that items are not deleted for the duration that you typically keep backups.
Deleted Mailbox Retention

By default, the mailbox database stores deleted mailboxes for 30 days. Within those 30 days, you can reconnect the mailbox to another account and access its messages. After you connect the mailbox to an account, the deleted mailbox retention period restarts if the mailbox is deleted again. You can extend the deleted mailbox retention period on mailbox databases. However, extending the deleted mailbox retention period causes the mailbox database to grow to hold the additional deleted mailboxes.
Database Restores
Restoring a database overwrites the existing database with a restored copy of the database. After you restore the database, you can replay the current transaction logs to bring the database to its current state. You typically restore a database when it becomes corrupt or a disk fails.
Recovery Database
The recovery database restores databases without affecting current mailboxes. After you restore a database to the recovery database, you can copy messages to a folder or merge them into user mailboxes.
8-27
Dial-Tone Recovery
Dial-tone recovery is the process of implementing user access to e-mail services without first restoring data to user mailboxes. Dial-tone recovery enables users to send and receive e-mail as soon as possible after a database or server loss. This module discusses dial-tone recovery in more depth later.
Recovery Server
A recovery server is a dedicated server for restoring Exchange Server databases. This can be useful to test backups to ensure they are capturing functions properly. However, improvements in recovery-database performance has reduced the requirement to use a recovery server for data recovery.
8-28
Process for Recovering Data Using the Recovery Database
Key Points
The recovery database is a recovered database that can coexist on the same server that hosts the original database. Users cannot access it directly. Only administrators can access it to recover single items, folders, mailboxes, or complete databases from the recovery database. The recovery database replaces the recovery storage group from previous Exchange Server versions. You can use the Exchange Management Shell to create a recovery database.
Recovering Data Using the Recovery Database

To recover data using the recovery database, complete the following steps: 1. 2. 3. Use the Exchange Management Shell to create a new recovery database. Restore the database that you want to recover. Mount the recovery database, and merge the data from the recovery database mailbox into the production mailbox. You can use the Exchange Management Shell restore-mailbox cmdlet to perform this task.
When to Use the Recovery Database

You can use the recovery database in the following scenarios: Dial-tone recovery. When you implement dial-tone recovery, you set up a dial-tone mailbox database on the same server or on an alternate server to provide temporary access to e-mail services. You then use the recovery database to restore the temporary data into the production database after you recover the original database from backup. Individual mailbox recovery. You can recover individual mailboxes by restoring the database that holds the mailbox to the recovery database. Then you can extract the data from the deleted mailbox, and copy it to a target folder or mailbox in the production database.
8-29
Specific item recovery. If a message no longer exists in the production database, you can recover the database that held the message to the recovery database. Then you can extract the data from the mailbox and copy it to a target folder or mailbox in the production database. However, you also should consider using hold policy for this situation, as recovering the database might be time consuming.
8-30
Demonstration: How to Recover Data by Using the Recovery Database
Key Points
In this demonstration, you will review how to create a recovery database and how to restore data to the recovery database.
Demonstration Steps
1. 2. Use Windows Server Backup to restore the Exchange Server databases to C:\DBBackup. At the Exchange Management Shell prompt, type New-MailboxDatabase -Name RecoverDB -Server VAN-EX1 -EDBFilePath c:\DBBackup \C_\Program Files\Microsoft\Exchange Server\V14\Mailbox\Accounting \Accounting.edb -Logfolderpath c:\DBBackup\C_\Program Files \Microsoft\Exchange Server\V14\Mailbox\Accounting -Recovery, and then press ENTER. This command creates the recovery database using the recovered Accounting database. Use the eseutil /p c:\dbbackup\c_\Program Files\Microsoft\Exchange Server\v14\Mailbox\Accounting\Accounting.edb command to repair the recovered database. At the Exchange Management Shell prompt, type Mount-Database RecoverDB, and then press ENTER. Use the Get-MailboxStatistics -Database RecoverDB command to display the mailboxes in the recovery database. At the Exchange Management Shell prompt, type Restore-Mailbox -Identity MichiyoSato RecoveryDatabase RecoverDB, and then press ENTER.
3. 4. 5. 6.
Question: What is the difference between using Single Item Recovery and performing a restore by using the recovery database?
8-31
What Is Dial-Tone Recovery?
Key Points
Dial-tone recovery is the process of implementing user access to e-mail services without first restoring data to user mailboxes. Dial-tone recovery enables users to send and receive e-mail as soon as possible after a database or server loss. Users can send and receive e-mail messages, but they do not have access to the historical mailbox data. You then can recover the database or server, and restore the historical mailbox data. After you bring the recovered database back online, you can merge the dial-tone database and the recovered database into a single up-to-date mailbox database.
When to Use Dial-Tone Recovery

Use the dial-tone recovery method when it is critical for users to regain messaging functionality quickly after a mailbox server or database fails, and when you cannot restore historical data from a backup quickly enough. The loss may result from hardware failure or database corruption. If the server fails, it will take significant time to rebuild the server and restore the databases. If you have a large database that fails, it may take several hours to restore the database from backup. If the original mailbox server remains functional, or if you have an alternative mailbox server available, you can restore messaging functionality within minutes using dial-tone recovery. This enables continued email use while you recover the failed server or database.
8-32
Process for Implementing Dial-Tone Recovery
Key Points
There are several dial-tone recovery scenarios. However, all scenarios follow the same general steps.
Implementing Dial-Tone Recovery

Follow these general steps to implement dial-tone recovery: 1. Create the dial-tone database. For messaging client computers to regain functionality as quickly as possible, create a new database for the client computers. There are two methods for creating the dialtone database: 2. Create the dial-tone database on the same server as the failed database. Use this method if the drive that contained the database failed or if the database is corrupt. Create the dial-tone database on a different server than the failed database. Use this method to utilize a different server as a recovery server or if the original server fails.
3.
If necessary, configure the mailboxes that were on the failed database to use the new dial-tone database. You must configure the mailboxes to use the new database if you create the dial-tone database on a different server. If necessary, configure the Microsoft Office Outlook client profiles: If the server with the failed database is operational, you do not need to reconfigure Office Outlook client computers to use the new mailbox database. When the Outlook client computer tries to connect to the mailbox, the client profile reconfigures automatically to use the mailbox database on the original or new Mailbox server. If the original server is not available, and you are using AutoDiscover for Outlook 2007 client computers, the user profile updates automatically. If you are using previous Outlook client computers, you need to reconfigure the user profiles manually to use the new server.
8-33
If users are using Outlook Web App, they will connect automatically to their mailboxes when they access Outlook Web App on a Client Access server.
Note: At this point, users can connect to their mailboxes in the dial-tone database. The dial-tone database does not contain any data, so the mailboxes will be empty. Additionally, the database does not retain user-specific settings, such as folder hierarchy, Inbox rules, meetings, and contacts. However, users should have messaging functionality. If the client computers are running Outlook 2007 or Outlook 2003, and you configure the client computers to run in cached mode, users receive a prompt to connect or work offline when they connect to the dial-tone database. If users choose to connect to the server, they will see an empty mailbox (local cached copy is replaced with the empty mailbox). If they choose to work offline, they will see all of the historical data stored in the offline folders (.ost) file. 4. Restore the failed databases from backup. After the dial-tone database is operational and you reconfigure the client computers to use the new database, if necessary, you can work on restoring the failed database. If the original server is operational, you can restore the database on the failed server using a recovery database. If the original server is not operational, you can recreate the failed database on another server, and then restore both to the new server. Merge the data in the two databases. Because you have restored messaging functionality by implementing the dial-tone database, users will be sending and receiving e-mail while you are restoring the original databases. When the recovery is complete, users should be able to access both the original and the dial-tone data. This means that you must merge the contents of the dial-tone database with those of the original database. To do this, you will use the recovery database.
5.
8-34
What Is Database Mobility?
Key Points
Database mobility disconnects databases from servers, adds support for up to 16 copies of a single database, and provides a native experience for adding database copies to a database. Additionally, DAGs use database mobility to enable database copying between servers. In Exchange Server 2007, the database portability feature enabled you to move a mailbox database between servers. A key distinction between database portability and database mobility, however, is that all copies of a database have the same globally unique identifier (GUID). Other key characteristics of database mobility are: Because Exchange Server 2010 does not use storage groups, continuous replication now operates at the database level. Transaction logs replicate to one or more other Mailbox servers, and replay into a copy of a mailbox database that those servers store. A failover or switchover can occur at the database or server level. Database names for Exchange Server 2010 must be unique within the Exchange Server organization. When you configure a mailbox database with one or more database copies, the full path for all database copies must be identical on all Mailbox servers that host a copy. You can back up any mailbox database copy (the active or any passive copy) by using an Exchange Server-aware, VSS-based backup application. Note: Only mailbox databases are mobile. Public folder databases are not portable because replication between public folder databases is controlled by each database being linked to, and accessed through, a specific server.
8-35
Process for Recovering Computers That Run Exchange Server
Key Points
When recovering a failed Exchange Server, you have several options. The option you choose determines the process that you use to restore the server.
Exchange Server Recovery Options

When you need to replace a failed server, you have the following options: Restore the server. You can restore the server from a full computer backup set, and then restore your Exchange Server information. When you restore a server, you are reproducing the server configuration, including the server security identifier. This option is feasible only if you have a full server backup, including the System State backup, and you have replacement hardware that is very similar to the failed server. Rebuild the server. This option involves performing a new installation of Windows Server and an Exchange Server 2010 installation in Recover Server mode, which gathers the previous settings from AD DS and Active Directory, and then restores your Exchange Server databases. Use a standby server. You can use a standby recovery server as part of the Mailbox server recovery strategy. This option involves keeping recovery servers available with the operating system and other software installed. Having available standby recovery servers reduces the time you need to rebuild a damaged server.
What Is Recover Server Mode?

If an Exchange server fails, and is unrecoverable and needs replacement, you can perform a server recovery operation. Exchange Server 2010 Setup includes a switch called /m:RecoverServer that you can use to perform the server recovery operation. Running Exchange Server Setup with the /m:RecoverServer switch causes Setup to read configuration information from AD DS and Active Directory for the server with the same name as that from which you are running Setup. Once you gather the servers configuration information from AD DS and Active
8-36
Directory, the original Exchange Server files and services then are installed on the server, and the Exchange server roles and settings that AD DS and Active Directory stored then are applied to the server. Important: When you run Exchange Server Setup in Recover Server mode, it must be able to connect to AD DS and Active Directory, and read the Exchange Server configuration information that links to the name of the computer that is running Exchange Server. This means that the computer account still must exist in AD DS and Active Directory. If you delete the computer account, you will not be able to restore the Exchange Server.
8-37
Lab: Implementing Backup and Recovery
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must: 1. 2. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and the 10135A-VAN-SVR1 virtual machines are running. 3. 4. 5. 6. 7. 8. 9. 10135A-VAN-DC1: Domain controller in the Adatum.com domain 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain 10135A-VAN-SVR1: Standalone server
If required, connect to the virtual machines. Log on to VAN-DC1 and VAN-EX1 as Adatum\Administrator, using the password Pa$$w0rd. Log on to VAN-SVR1 as Administrator, using the password Pa$$w0rd. In Microsoft Hyper-V Manager, click VANSVR1, and, in the Actions pane, click Settings. Click DVD Drive, click Image file, and then click Browse. Browse to C:\Program Files\Microsoft Learning\10135\Drives, click EXCH201064.iso and click Open. Click OK. On VAN-SVR1, close the AutoPlay dialog box.
Lab Scenario
You are a messaging administrator for A. Datum Corporation. Your organization has deployed Exchange Server 2010. You now want to ensure that all Exchange Server-related data is backed up and that you can restore not only the full server or database, but also a mailbox or mailbox folder.
8-38
Exercise 1: Backing Up Exchange Server 2010

Scenario
You must create a backup of your Exchange Server 2010 mailbox database to ensure that you can restore it when necessary. The main tasks for this exercise are: 1. 2. 3. Populate a mailbox. Perform a backup of the mailbox database using Windows Server Backup. Delete a message and a mailbox.
Task 1: Populate a mailbox

1. 2. 3. On VAN-EX1, log on to Parnas mailbox by using Outlook Web App. Use the logon name Adatum\Parna and the password Pa$$w0rd. Send a message to George with the subject Message before Backup. Restart the Microsoft Exchange Information Store service.
Task 2: Perform a backup of the mailbox database using Windows Server Backup
1. 2. Use Server Manager to install Windows Server Backup. Perform a custom backup of the C:\ drive using a VSS full backup. Store the backup files on \\VANDC1\Backup.
Task 3: Delete messages in mailboxes

1. 2. Log on to Georges mailbox using the logon name Adatum\George and the password Pa$$w0rd, and then delete the message from Parna. Log on to Parnas mailbox using the logon name Adatum\Parna and the password Pa$$w0rd, and then delete all messages from the Sent Items folder. Results: After this exercise, you should have created a backup of an Exchange Server database, and deleted messages.
8-39
Exercise 2: Restoring Exchange Server Data

Scenario
Some of your users complain that they are missing messages from their mailboxes. You now need to use the backup you created to recover their messages. The main tasks for this exercise are: 1. 2. 3. Restore the database using Windows Backup. Create a recovery database by using the backup files. Recover a mailbox from the recovery database.
Task 1: Restore the database using Windows Backup

On VAN-EX1, using Windows Server Backup, recover the Exchange Server databases to an alternate location: C:\DBBackup.
Task 2: Create a recovery database by using the backup files

1. On VAN-EX1, create a recovery database using the restored database in C:\DBBackup. Use the following command to create the recover database: New-MailboxDatabase -Name RecoverDB -Server VAN-EX1 -EDBFilePath c:\DBBackup\C_\Program Files\Microsoft\Exchange Server\V14 \Mailbox\Accounting\Accounting.edb -Logfolderpath c:\DBBackup \C_\Program Files\Microsoft\Exchange Server\V14\Mailbox \Accounting-Recovery 2. In Exchange Management Shell, switch to the c:\dbbackup\c_\Program Files\Microsoft\Exchange Server\v14\Mailbox\Accounting directory, enter the following command in the PS prompt, and then press ENTER: eseutil /R E02 /i /d 3. 4. Mount the recovery database using the Mount-Database RecoverDB command. List all mailboxes that are in the recovery database by using the Get-MailboxStatistics -Database RecoverDB command.
Task 3: Recover a mailbox from the recovery database

1. 2. 3. On VAN-EX1, recover a mailbox using the Restore-Mailbox -Identity ParnaKhot RecoveryDatabase RecoverDB cmdlet. Verify that you restored the message in the Sent Items folder by logging onto Parnas mailbox. Use the Remove-Mailboxdatabase -Identity RecoverDB command to remove the RecoverDB database. Results: After this exercise, you should have created a recovery database, and restored a complete mailbox from the recovery database to their original locations.
8-40
Exercise 3: Restoring Exchange Servers (optional)

Scenario
After a hard-disk malfunction, one of your Exchange servers no longer is operational. You have a full backup of the computer and the mailbox databases, so you need to restore everything to a newly installed computer. The main tasks for this exercise are: 1. 2. 3. 4. 5. Shutdown VAN-EX1 and reset the computer account. Prepare VAN-SVR1 as VAN-EX1. Install Exchange Server 2010 with the RecoverServer mode. Recover the mailbox databases from backup. Test the recovery.
Task 1: Shutdown VAN-EX1 and reset the computer account

1. 2. In Hyper-V Manager, revert VAN-EX1 to the previous snapshot. Using Active Directory Users and Computers, reset the VAN-EX1 computer account.
Task 2: Prepare VAN-SVR1 as VAN-EX1

1. 2. Rename VAN-SRV1 to VAN-EX1. Join the computer to ADATUM domain.
Task 3: Install Exchange Server 2010 with the RecoverServer mode

1. 2. On the new VAN-EX1 server, run d:\setup /m:RecoverServer. In Exchange Management Console, change Database Properties to This database can be overwritten by a restore for all databases on the VAN-EX1.
Task 4: Recover the mailbox databases from backup

Use Windows Server Backup to recover the Exchange Server databases.
Task 5: Test the recovery

1. 2. On the restored VAN-EX1, in the Exchange Management Console, mount the mailbox databases and public folder database. On VAN-DC1, open Internet Explorer and connect to https://VAN-EX1.adatum.com/owa. Log on as Adatum\Parna with a password of Pa$$w0rd, and then verify that the mailbox is accessible and that all messages have been restored. Results: After this exercise, you should have recovered a complete Exchange server by using a different Windows Server, renaming it, installing Exchange Server in /m:RecoverServer mode, and recovering the Exchange Server database from a backup. You have also tested the recovery.

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps: 1. 2. 3. On the host computer, start Hyper-V Manager. Right-click the virtual machine name in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert.
8-41
4. 5.
In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start. To connect to the virtual machine for the next modules lab, click 10135A-VAN-DC1, and then in the Actions pane, click Connect. Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines.
6. 7.
8-42
Review Questions
1. 2. What kind of backup options for Exchange Server 2010 do you find suitable for your organization? What options does Exchange Server 2010 include for restoring a single item from a mailbox?
Common Issues Related to Recovering Messages

Identify the causes for the following common issues related to recovering messages, and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module. Issue Recover single mailbox items quickly Restore fails when it is urgent Troubleshooting tip Try using Multi-Mailbox Search before you recover a database. You should try to restore a database regularly, as a practice session, and verify that your backups work as you expect.
Best Practices Related to Backup and Restore

Supplement or modify the following best practices for your own work situations: Utilize your existing backup solution for Exchange Server backups, as you are already experienced and familiar with it. Try always to perform a full backup of your Exchange Server databases if you use a VSS-aware backup solution. This reduces the time you need to recover the database to its most current state. If you plan to follow the backup-less method, create one more database copy on cheap hard drives at a different site. This guarantees that you have an additional backup of your database available.
Configuring Messaging Policy and Compliance
9-1
Module 9
Contents:
Lesson 1: Introducing Messaging Policy and Compliance Lesson 2: Configuring Transport Rules Lesson 3: Configuring Journaling and Multi-Mailbox Search Lab A: Configuring Transport Rules, Journal Rules, and Multi-Mailbox Search Lesson 4: Configuring Messaging Records Management Lesson 5: Configuring Personal Archives Lab B: Configuring Messaging Records Management and Personal Archives 9-3 9-7 9-27 9-37 9-43 9-56 9-62
9-2
Module Overview
Microsoft Exchange Server 2010 provides new tools for coping with a growing number of legal, regulatory, and internal policy and compliance requirements that relate to e-mail. Most organizations must be able to filter e-mail delivery based on several criteria, and to manage e-mail retention and deletion. This module describes how to configure the Exchange Server 2010 messaging policy and compliance features. After completing this module, you will be able to: Describe messaging policy and compliance. Configure transport rules. Configure journaling and Multi-Mailbox Search. Configure Messaging Records Management (MRM). Configure Personal Archives.
9-3
Lesson 1
Introducing Messaging Policy and Compliance
In most countries, governments have implemented legislation that restricts the storage and movement of certain information. Additionally, many organizations have implemented corporate security policies that limit how to share information within the organization. Because e-mail is a critical business tools in most organizations, it is important that you configure your organizations messaging system so that it is compliant with government legislation and corporate policies. Messaging policies in Exchange Server 2010 enable messaging administrators to manage e-mail messages that are in transit and at rest, and ensure that your organization meets compliance requirements. This lesson provides an overview of messaging policies and their use. After completing this lesson, you will be able to: Describe messaging policy and compliance. Identify compliance requirements. Implement messaging policy and compliance.
9-4
What Is Messaging Policy and Compliance?
Key Points
Messaging compliance features in Exchange Server 2010 consist of a set of rules and settings that restrict message flow and storage. You can use these features to apply rules to messages as your organizations users send and receive them. You can use the messaging policy and compliance features to regulate how users store messages, and to search all user mailboxes for messages based on a variety of criteria. You can apply these features to Exchange Server computers running the Edge Transport, Hub Transport, and Mailbox server roles.
Types of Messaging Compliance Features

Exchange Server 2010 provides several options for implementing message policies and compliance: Transport policies are rules and settings that you apply as messages pass through the Exchange Server transport components. Transport policies restrict message flow or modify message contents based on organizational requirements. Exchange Server applies MRM policies to folders in users inboxes to automate and simplify message retention. For example, you can configure a policy that retains messages in user mailbox folders for a specific time, or you can configure a policy that automatically deletes messages within a specific folder or within all the mailbox folders. Exchange Server 2010 also provides retention tags and autotagging that simplify the process for users who want to apply message retention or deletion policies. Journaling policies are rules and settings that enable you to save a copy of all messages that meet specific criteria. For example, you can journal messages sent by a particular user or messages sent to a particular distribution group. You can journal messages that recipients send or receive inside and outside the organization. Mailbox searching may be required for audit purposes to determine whether user mailboxes contain specific types of content. With Exchange Server 2010, you can use the Exchange Control Panel (ECP) to search all user mailboxes for messages based on many different criteria.
9-5
Discussion: Compliance Requirements
Key Points
E-mail is a primary means of communication in many organizations, and users typically send a great deal of business information by e-mail. This information may include confidential information, such as customer data or business intelligence. One use of Exchange Server 2010 messaging policies is to provide features that help you comply with legal requirements and corporate messaging policies regarding e-mail messages. Question: What type of business does your organization conduct? What are some legislated compliance requirements for your organization? Question: What additional compliance requirements does your organization have? Question: How are you currently meeting these compliance requirements?
9-6
Options for Enforcing Messaging Policy and Compliance
Key Points
Exchange Server 2010 provides many options for implementing messaging policies, including the following: Transport rules. You can define transport rules on both the Edge Transport and Hub Transport servers. On Edge Transport servers, you can restrict message flow based on message data, such as specific words or text patterns in the message subject, body, header, or From address; the spam confidence level (SCL); and attachment type. On Hub Transport servers, you configure rules that support an extended set of conditions, which allows you to control message flow based on distribution groups, internal or external recipients, message classifications, and message importance. Rights management integration. Exchange Server 2010 enables integration with Active Directory Rights Management Service (AD RMS) to apply policies that restrict what recipients can do with their received messages. Message journaling. Exchange Server 2010 provides several options for saving copies of messages. For example, you can configure journal rules on Hub Transport servers. You can journal messages according to the messages distribution scope, and you can define the conditions that trigger the journaling action by specifying as criteria an individual user, the sender, or the recipients distributionlist membership. You also can configure message journaling for specific mailbox databases, or implement message journaling as part of a Messaging Records Management deployment. Mailbox searching. The Multi-Mailbox Search feature enables users with the appropriate permissions to search all mailboxes for specific content. In Exchange Server 2010, the mailbox search functionality is available through the Multi-Mailbox Search interface in the ECP. Message retention and deletion. Administrators can use the MRM features to retain messages that organizations require for business or legal reasons, and to delete unnecessary messages. Personal Archives. Exchange Server 2010 allows you to create archive mailboxes for users so they can store the contents of .pst folders and old messages that they want to retain. You can search and manage archive mailboxes like any other mailboxes on the Exchange servers.
9-7
Lesson 2
Configuring Transport Rules
You can implement messaging policies and compliance by applying transport rules to messages as users send them within the organization. By implementing transport rules, you ensure that all e-mail messages sent within the organization or to external recipients meet your organizations compliance requirements. You also can apply rights management policies to messages by using transport rules. This lesson describes how to implement transport rules in Exchange Server 2010. After completing this lesson, you will be able to: Describe transport rules. Describe transport rule components. Configure transport rules. Identify message classifications. Describe AD RMS. Describe how AD RMS components work together. Describe AD RMS interaction. Configure AD RMS integration. Describe options for moderated transport. Configure moderated transport.
9-8
What Are Transport Rules?
Key Points
Exchange Server applies transport rules to messages as they pass through Edge Transport or Hub Transport servers. The Transport Rule agent applies transport rules on Hub Transport servers, and the Edge Rule agent applies them on Edge Transport servers. Transport rules restrict message flow or content modification while messages are in transit.
Transport Rules on Hub Transport Servers

Transport rules configured on one Hub Transport server automatically apply to all other Hub Transport servers in the organization. Exchange Server stores the transport rules in the Configuration container in Active Directory Domain Services (AD DS) or Active Directory directory service, and replicates them throughout the Active Directory forest so that they are accessible to all other Hub Transport servers. This means that Exchange Server applies the same transport rules to all e-mail messages that users send or receive in the organization.
Transport Rules on Edge Transport Servers

Exchange Server applies transport rules that you configure on an Edge Transport server only to e-mail messages that pass through that specific Edge Transport server. The transport rules are stored in Active Directory Lightweight Directory Services (AD LDS), and Exchange Server does not replicate them to other Edge Transport servers. Therefore, you can configure Edge Transport servers to apply distinct transport rules depending on the e-mail messaging traffic that they manage. If you have more than one Edge Transport server and you want to apply a consistent set of rules across all Edge Transport servers, you must configure each server manually, or export the transport rules from one server and import them into all other Edge Transport servers.
9-9
Transport Rule Components
Key Points
All transport rules, whether they apply to Hub Transport or Edge Transport servers, have similar configurations.
Transport Rule Components

When configuring transport rules, consider the following components: Conditions. Transport rule conditions indicate which e-mail message attributes, headers, recipients, senders, or other parts of the message Exchange Server uses to identify the e-mail messages to which it applies a transport rule action. If the data of the e-mail message that the condition is inspecting matches the conditions value, Exchange Server applies the rule as long as the condition does not match an exception. You can configure multiple transport rule conditions to narrow the rules scope to very specific criteria. You also can decide not to apply any conditions, which means that the transport rule then applies to all messages. There is no limit to how many conditions you can apply to a single transport rule. Actions. Exchange Server applies actions to e-mail messages that match the conditions and for which no exceptions are present. Each action affects e-mail messages in a different way, such as redirecting the e-mail message to another address or dropping the message. Exceptions. Exceptions determine which e-mail messages to exclude from an action. Transport rule exceptions are based on the same predicates that you use to create transport rule conditions. Transport rule exceptions override conditions and prevent Exchange Server from applying a transport rule action to an e-mail message, even if the message matches all configured transport rule conditions. You can configure multiple exceptions on a transport rule to expand the criteria for which Exchange Server should not apply a transport rule action.
9-10
Predicates. Conditions and exceptions use predicates to define which part of an e-mail message the conditions and exceptions examine to determine whether Exchange Server should apply the transport rule to that message. Some predicates examine the To: or From: fields, whereas other predicates examine the subject, body, or attachment size. To determine whether Exchange Server should apply a transport rule to a message, most predicates require that you specify a value that the predicates use to test against the message.
9-11
Demonstration: How to Configure Transport Rules
Key Points
In this demonstration, you will review how to configure transport rules. You can configure transport rules by using either the Exchange Management Console or the Exchange Management Shell. If you are using the Exchange Management Console on a Hub Transport server, access the Hub Transport container in the Organization Configuration work area. To configure transport rules using the Exchange Management Shell, run the following cmdlets: The Get-TransportRule, New-TransportRule, Remove-TransportRule, Set-TransportRule, Enable-TransportRule, and Disable-TransportRule cmdlets create, remove, and configure transport rules. The Get-TransportRuleAction cmdlet retrieves a list of all available transport rule actions. The Get-TransportRulePredicate cmdlet retrieves a list of all available rule predicates. The Import-TransportRuleCollection and Export-TransportRuleCollection cmdlets import and export a set of transport rules configured on a Hub Transport server or Edge Transport server. Note: Implementing transport rules with security features, such as digital signatures or encryption, can result in potential issues. For example, if you add a disclaimer to digitally signed messages, the signature becomes invalid. When users open the message, the original message displays as an attachment and only the signature that the transport rule adds is visible in plain text. If users encrypt messages using Secure Multipurpose Internet Mail Extensions (S/MIME) or another encryption tool, the transport rules can access the message envelope headers and process messages based on unencrypted information. Transport rules that require inspection of message content, or actions that may modify content, cannot process with encrypted messages.
Demonstration Steps
1. Open the Exchange Management Console.
9-12
2.
Under Organization Configuration, in the Hub Transport node, create a new transport rule with the following configuration: Name: Type Company Disclaimer HTML. Condition: Choose sent to users that are inside the organization. Action: Choose append disclaimer text and fallback to action if unable to apply. Disclaimer text: Type the following:
<html> <body> &nbsp &nbsp This e-mail and attachments are intended for the individual or group addressed. </body> </html>
3. 4.
Open the Exchange Management Shell. Type the following cmdlet: New-TransportRule -Name Social Insurance Number Block Rule SubjectOrBodyMatchesPatterns \d\d\d-\d\d\d-\d\d\d -RejectMessageEnhancedStatusCode 5.7.1 -RejectMessageReasonText This message has been rejected because of content restrictions
5.
To test the transport rules: Send a message from one internal user to another. Verify that the HTML disclaimer is attached. Send a message from one internal user to another with the string 111-111-111 in the message body. Verify that the sender receives a non-delivery report (NDR).
Note: In a regular expression, the \d pattern string matches any single numeric digit. You can use a variety of pattern strings to search the message contents for a consistent pattern. For example, you can use \s to represent a space, or \w to represent any letter or decimal digit. For detailed information about configuring regular expressions in a transport rule, see the topic Regular Expressions in Transport Rules in Exchange Online Help. Question: What transport policies will you need to implement in your organization?
9-13
What Are Message Classifications?
Key Points
Message classifications are Exchange Server 2007 or later and Outlook 2007 (or later) features that enable users or transport rules to mark a message with a label. When a message is classified, the message contains metadata that describes some information about the recipient or sender of the message, or some other information about the message. Outlook 2007 and Outlook Web App then act on this metadata and display the classifications description to the messages senders and receivers. In Exchange Server 2010, you also can configure a transport rule that acts on the metadata by applying an action based on the classification.
Managing Message Classifications

As an Exchange Server administrator, you can manage message classifications in the following ways: Review the message classifications configured on the server. Use the Get-MessageClassification cmdlet to view the message classifications. Modify the default message classifications. Exchange Server administrators can customize the sender description for each message classification and locale. Use the Set-MessageClassification cmdlet to configure the message classification on the Exchange server. Create new message classifications. Use the New-MessageClassification cmdlet to create new message classifications. Enable message classifications for Outlook 2007 clients. By default, Outlook 2007 does not support message classifications. To enable message classifications, you must: Export the message classifications to an .xml file. To do this, run the ExportOutlookClassification.ps1 script in the Scripts folder on an Exchange server. The output of this script is an xml file describing all of the classifications available on the server.
9-14
Deploy the .xml file that contains definitions of the message classifications to each client computer that uses these classifications. You must recreate and redeploy this file whenever you update the message classification list on an Exchange server. Create a new registry key that enables message classification and references the Classifications.xml file on the client computer.
Note: For detailed information about deploying message classifications for Outlook 2007, see the topic Deploy Message Classification for Outlook 2007 in Exchange Server Help file.
Using Message Classifications

There are two options for using message classifications: Users can add a message classification to an e-mail when they create it. When using Outlook Web App or Outlook 2007 with the appropriate configuration, users can classify any message. Administrators can add a message classification as the result of a transport rule. For example, when the Attachment Filter agent removes an attachment from a message, the Attachment Removed message classification attaches to the message. You also can create a transport rule that adds a message classification to a message based on any conditions in the e-mail message.
9-15
What Is AD RMS?
Key Points
AD RMS is an information-protection technology that works with AD RMS-enabled applications to help safeguard digital information from unauthorized use.
Restrict Access to an Organizations Intellectual Property

Use AD RMS to restrict access to digital information so that users can view, change, or print documentation only. This protects data by preventing users from forwarding, copying, or otherwise transporting sensitive data outside the company network.
Limit the Actions Users Can Perform on Content

Enforce restrictions that limit the specific actions that a user can perform on a document or e-mail message. You can use Microsoft Office Word, Office Excel, and PowerPoint as AD RMS-enabled applications. These applications allow you to set rights for viewing, changing, saving, and printing documents, and to set the length of time a particular right is active. AD RMS used with Outlook helps you protect e-mail content. You can prevent users from forwarding sensitive e-mail messages to other e-mail users, printing e-mail messages, using messages offsite, and giving the messages to unauthorized users.
Limit the Risk of Content Exposure Outside the Organization

You can set rights so that users do not have permission to print or forward e-mail content. This means that users cannot forward the messages to recipients outside the organization. These options help reduce the likelihood that an employee will disclose company information either maliciously or accidentally.
AD RMS Components
Several components interact with AD RMS. It is important to understand each of these components: Author. The user or service that generates the rights-protected document.
9-16
AD RMS-enabled applications. Specific applications are enabled for, and can interact with, AD RMS. Authors can use these applications to create and protect content, and recipients can use them to read protected content and apply the appropriate rights to them. Recipient. The user or service that accesses the rights-protected document. AD RMS server. The server with an installed AD RMS server role. This server is responsible for providing the licenses that control access to content. When you install the first AD RMS server, Exchange Server creates an AD RMS root cluster. You can add other AD RMS servers to the cluster. Database server. AD RMS requires a database service. The Windows Internal Database feature deployed on the same server as the AD RMS server provides this service, as does the Microsoft SQL Server installed on another computer. The database stores configuration and other AD RMS-related information. AD DS and Active Directory. These services authenticate authors and recipients so that Exchange Server applies the appropriate rights to the content.
9-17
How AD RMS Works
Key Points
The AD RMS components work together to enable secure creation, distribution, and consumption of protected data.
How AD RMS Works

The following steps describe how AD RMS components interact to generate and protect rights-protected content: 1. The first time a user tries to rights-protect content using AD RMS, the client application requests a rights account certificate (RAC) and client licensor certificate (CLC) from the AD RMS server. This request only occurs once for each user. It enables the user to publish online or offline, and to consume rights-protected content. The author then creates content using an AD RMS-enabled application. The author can create the file, and then specify user rights. Additionally, the AD RMS server generates the policy license containing the user policies. The author sends the rights-protected content to the recipient. The recipient receives the file and opens it using an AD RMS-enabled application or browser. If the recipients computer does not contain an account certificate, the client application requests a certificate, and the AD RMS cluster issues one. If this is the first time the recipient has tried to access rights-protected content on the computer, the AD RMS server also issues a RAC. The application sends a request for a use license to the AD RMS cluster that issued the publishing license. However, if the file was published offline, the application also sends a request to the server that issued the CLC. The request includes both the RAC and the publishing license for the file. The AD RMS cluster confirms or denies the recipients authorization. If the AD RMS cluster denies the users authorization, the cluster checks for a named user and then creates a use license for the user. The cluster decrypts the content key using the clusters private key and re-encrypts the content key
2.
3. 4.
9-18
with the recipients public key. It then adds the encrypted session key to the use license. This ensures that only the intended recipient can access the file. 5. The AD RMS cluster sends the generated use license to the recipients computer. The application examines both the license and the recipients account certificate. Exchange Server then grants the user access per the content authors specifications.
9-19
How AD RMS Integration Works
Key Points
Exchange Server 2010 integrates with AD RMS to provide several options for ensuring content protection as users send messages through e-mail. To use any of these features in an onsite Exchange Server deployment, Exchange Server 2010 requires an on-premise Windows Server2008 AD RMS deployment.
Enable Users to Protect Content

After deploying AD RMS in an organization, Outlook users can control who reads, copies, or forwards messages regardless of where the messages are stored. When users create e-mails, they can set limits on what the message recipients can do with the messages. This functionality does not require any Exchange Server components other than those used for message delivery. Exchange Server 2010 provides additional functionality, and expands the scenarios by which users and administrators can apply protection to e-mailboth inside and outside the organization.
Implement AD RMS Prelicensing

One of the issues with using the Rights Management Service (RMS) to protect e-mail is that the recipient needs to be able to connect to the AD RMS server to read protected e-mail. This is an issue when users access their e-mail while offline using Outlook Anywhere, read mail using an Exchange ActiveSync device, or access e-mail through Outlook Web App. AD RMS prelicensing enables offline access to protected mail, and makes it faster to open protected mail from Outlook and other mobile clients. In this scenario, protected messages already contain the recipients end-user license, which Exchange Server requires to decrypt and view the message upon delivery. In Exchange Server 2010, the RMS Prelicensing built-in agent is on all Hub Transport servers, and is enabled by default for the Exchange Server organization. You can disable the prelicensing agent with the Set-IRMConfiguration -PrelicensingEnabled $false cmdlet.
9-20
Implement Outlook Protection Rules

Outlook Protection Rules allow you to rights-protect messages by applying a RMS template before the message is sent. Outlook Protection Rules automatically trigger the client to apply an RMS template (based on sender/receiver) to mail before it sends it. This feature also enables administrators to allow users to manually add or remove protection policies from a message. Note: Outlook Protection Rules are only available for Office Outlook 2010 or later clients.
Implement Transport Protection Rules

This feature allows you to use transport rules to apply rights protection to messages. Transport Protection Rules help organizations implement messaging policies by encrypting sensitive email content and using rights-management to control access to the content. AD RMS uses XML-based policy templates to allow compatible information rights management (IRM)enabled applications to apply consistent protection policies. In Windows Server 2008, the AD RMS server is accessible through a Web service that you can use to enumerate and acquire templates. Exchange Server 2010 includes just the Do Not Forward template. When you apply the Do Not Forward template to a message, only the specified recipients can decrypt the message. The recipients cannot forward the message to anyone else, copy content from the message, or print the message. You can create additional RMS templates in the on-premise AD RMS deployment to meet rightsprotection requirements in your organization.
Enable Journal Report Decryption

When you enable Journal Report Decryption, you grant permission for the Journaling agent to attach a decrypted copy of a rights-protected message to the journal report. If the rights-protected message contains supported attachments that have been protected by the AD RMS cluster in your organization, the attachments are also decrypted. The Journal Report Decryption agent performs decryption.
Enable Transport Decryption

When you enable Transport Decryption, Hub Transport servers can decrypt rights-protected messages to enforce messaging policies. The first Hub Transport server to handle a message in an Active Directory forest performs transport decryption. After decryption, unencrypted content becomes available to other transport agents on that server. For example, the Transport Rule agent on a Hub Transport server can inspect message content and apply transport rules. Any actions specified in the rule, such as applying a disclaimer or modifying the message, can be applied to the unencrypted message. After other transport agents have inspected the message and possibly made modifications to it, the message is encrypted again with the same user rights that it had before being decrypted by the Decryption agent. The message is not decrypted again by other Hub Transport servers in the organization.
Enable IRM in Outlook Web App

After you enable IRM in Outlook Web App, users can use Outlook Web App to: Send IRM-protected messages. Outlook Web App users can use the permissions feature when composing a new message and select an applicable policy template to apply to the message. This allows users to send IRM-protected messages from within Outlook Web App. The Client Access server applies IRM protection to messages and message attachments. Read IRM-protected messages. Messages protected by senders using your organizations AD RMS cluster display in the Outlook Web App preview pane, without requiring additional add-ons or that
9-21
the users computer is enrolled in the AD RMS deployment. When you open or view a message in the preview pane, the message is decrypted using the use license added to message by the pre-licensing agent. Once decrypted, the message displays in the preview pane. If a pre-license is not available, Outlook Web App requests one from the AD RMS server before displaying the message. Important: Before configuring Journal Report Decryption, Transport Decryption, or IRM for Outlook Web App, you must provide Exchange servers with the right to decrypt IRM-protected content .Do this by adding the Federated Delivery Mailbox to the super users group configured on the AD RMS cluster. You must also use the Set-IRMConfiguration cmdlet to enable the required features.
9-22
Demonstration: How to Configure AD RMS Integration
Key Points
In this demonstration, you will review how to configure and test AD RMS and Exchange Server 2010 integration. The first part of the demonstration will show you how to protect e-mail messages by using AD RMS. This feature does not require any special Exchange Server functionality. The second part of the demonstration will show you how to configure a transport rule that applies AD RMS protection to a message based on message properties.
Demonstration Steps
Open Outlook 2007 and create a new message for an internal recipient. In the Message ribbon, click the Permission icon. In the Windows Security dialog box, log on as the mailbox user. In the Permission dialog box, select the Restrict permission to this document check box. When the message appears, verify that the message now contains the Do Not Forward header. Send the message. 6. Log on as the message recipient, open Outlook 2007, open the restricted message, and then log on using the user credentials. Verify that you do not have permission to forward the message. 7. On VAN-DC1, modify the permissions on the C:\inetpub\wwwroot \_wmcs\certification\servercertification.asmx file to grant Read and Execute access to the Exchange Servers group and the anonymous Internet Information Services (IIS) user account. 8. Restart the IIS. 9. On an Exchange server, at the PS prompt, type the following cmdlet, and press ENTER. This cmdlet enables AD RMS encryption on the Hub Transport server: set-irmconfiguration InternalLicensingEnabled:$true. 10. Use the test-irmconfiguration cmdlet to test the IRM configuration. 11. In the Exchange Management console, create a new transport rule named AD RMS Test Rule, which applies the Do Not Forward AD RMS template for all messages sent between two specified users. 1. 2. 3. 4. 5.
9-23
12. Send a message from one of the specified users to the other. Verify that the Do Not Forward template is applied to the message. Question: Does your organization have AD RMS deployed? Are you planning to deploy AD RMS? Question: How will Exchange Server 2010 make it easier to deploy AD RMS?
9-24
Options for Configuring Moderated Transport
Key Points
The Exchange Server 2010 moderated transport feature enables you to require moderator approval for all e-mail messages sent to specific recipients, and you can specify any type of recipient as a moderator. The Hub Transport servers ensure that all messages sent to those recipients go through an approval process. You can also use transport rules to enforce moderation. For example, you could configure a transport rule that sends a message for moderation based on any of the available criteria.
How Moderated Transport Works

When you configure a recipient as a moderated recipient, all messages sent to the recipient go through the following process: 1. 2. 3. 4. 5. 6. The sender creates a new message and sends it to the moderated recipient. The categorizer intercepts the message, marks it for moderation, and then reroutes it to the arbitration mailbox. The store driver stores the message in the arbitration mailbox and sends an approval request to the moderator. The moderator uses the buttons in the approval request to either accept or reject the message. The store driver marks the moderators decision on the original message stored in the arbitration mailbox. The Information Assistant reads the approval status on the message stored in the arbitration mailbox, and then processes the message based upon the moderators decision: If the moderator approves the message, the Information Assistant resubmits the message to the submission queue, and the message is delivered to the recipient. If the moderator rejects the message, the Information Assistant deletes the message from the arbitration mailbox, and then notifies the sender that the moderator rejected the message.
9-25
Note: Previous Exchange Server versions do not support moderated recipients. If a message sent to a moderated distribution group is expanded on a Hub Transport server that is running Exchange Server 2007, it will be delivered to all members of that distribution group, and bypass the moderation process. If you have Exchange Server 2007 Hub Transport servers in your Exchange Server 2010 organization, and you want to use moderated distribution groups, you must designate an Exchange Server 2010 Hub Transport server as the expansion server for the moderated distribution groups. Doing this ensures that all messages sent to the distribution group are moderated. For more information about moderation, refer to the CD content.
9-26
Demonstration: How to Configure Moderated Transport
Key Points
In this demonstration, you will review how to configure a distribution list for moderation and how to configure a transport rule that enforces moderation for all messages sent to a distribution list. Note: In this demonstration, you will configure a distribution list by using the Exchange Management Console. If you need to enable a mailbox or contact for moderation, you will need to use the setmailbox cmdlet with the moderationenabled:$true and moderationedby parameters.
Demonstration Steps
1. 2. 3. 4. In the Exchange Management Console, under Recipient Configuration, click Distribution Group. In the middle pane, right-click a distribution list, and then click Properties. On the Mail Flow Settings tab, double-click Message Moderation. In the Message Moderation dialog box, select the Messages sent to this group have to be approved by a moderator check box. Add the group moderators and add any users who do not require moderation to send to the group. Create a new transport rule that forwards any message sent to a distribution list for moderation. Choose a moderator for the rule, and then configure any exceptions that are required. Send a message to the distribution group configured for moderation. Send a message to the distribution group configured for moderation in the transport rule. Open the mailbox of a moderator configured for both the distribution group and transport rule. Approve both messages.
5. 6. 7. 8.
Question: Will you deploy moderated transport in your organization? If so, where would you use it?
9-27
Lesson 3
Configuring Journaling and Multi-Mailbox Search
Message journaling and Multi-Mailbox Search, second only to transport rules, are important components for enforcing messaging compliance. Message journaling allows you to archive all messages automatically that meet criteria that you specify. You can archive journaled messages to any SMTP address, including an Exchange mailbox, Microsoft SharePoint document library, or a third-party archiving solution. In addition to message journaling, Exchange Server 2010 also includes the Multi-Mailbox Search feature, which enables an authorized user to search all of the organizations mailboxes based on specific criteria. This lesson describes how to configure and manage message journaling and Multi-Mailbox Search in Exchange Server 2010. After completing this lesson, you will be able to: Describe message journaling options. Configure message journaling. Manage the message journal mailbox. Describe Multi-Mailbox Search. Configure Multi-Mailbox Search.
9-28
Message Journaling Options
Key Points
Journaling enables you to save copies of all e-mail messages in a collection mailbox when they are sent to, or from, specified mailboxes, contacts, or distribution-group members. You also can configure journaling based on messages sent to, or received from, mailboxes in a mailbox database, or configure journaling as part of a messaging-records management rule. Messages that meet the journaling criteria are sent to the collection mailbox as a journal report. This report includes detailed information such as the recipients address, the senders address, and the messages subject.
How Journal Rules Work

When you create a journal rule, the Journaling agent, which runs only on Hub Transport servers, monitors all messages sent through the server. When a message matches the journal rule criteria, the server forwards a copy of the message to a journal mailbox. You can configure the journal mailbox using any Exchange Server recipient. The recipient address can refer to another mailbox in the Exchange Server organization, a document library on a Microsoft Windows SharePoint Services site, or an address used by other third-party message-archival solutions. Journal rules are based on message recipients and message senders. When you configure a journal rule, you can choose any Exchange Server recipient including mailbox users, contacts, or distribution groups. The Journaling agent sends to the journal mailbox a copy of all messages that the recipient sends or receives. You also can configure the following three journal rule scopes to limit which messages the Journaling agent sends to the journal mailbox.
Scope
Internal
Description
Rules with this scope process messages sent and received by recipients inside the
9-29
Scope
Description
organization.
External Rules with this scope process messages sent to recipients or from senders outside the organization. Global Rules with this scope process all messages that pass through a computer that has a Hub Transport server. These include messages that journal rules processed previously in the Internal and External scopes.
Journal rules configured on a Hub Transport server apply to the entire Exchange Server organization.
How Mailbox Database Journaling Works

You can also configure a journal mailbox for a mailbox database. When you assign a journal recipient for a mailbox database, all messages sent to or received from recipients with mailboxes in the database also are sent to the journal recipient.
How Messaging Records Management Journaling Works

When you configure MRM, you can configure managed content settings that apply policies that are located in user mailboxes. These managed content settings can specify retention or deletion time limits and specify actions to take when you reach the time limit. When you configure managed content settings, you can also configure a journal recipient so that all messages that match the criteria specified in the managed content settings also are sent to the journal mailbox. Note: Mailbox database journaling is a standard journaling option and is the only option available for organizations with an Exchange Standard Client Access Licenses (CAL). Journaling rules and MRM journaling are premium journaling options. To use premium journaling, you must have the Exchange Enterprise CALs.
Journal Reports
When a message meets the journal criteria, a journal report is sent to the SMTP address that the rule lists. The journal report is a new e-mail message that includes the original message, unaltered, as an attachment. The information that the journal report contains is organized so that every value in each header field has its own line. The Journaling agent captures as much detail as possible about the original message. This information is important in determining the messages intent, its recipients, and its senders. For example, how the message identifies recipients (directly addressed in the To field or the Cc field, or included in a distribution list) may determine how the recipient is involved in the discussion occurring in the message. For more information about the journal report, refer to the CD content.
9-30
Demonstration: How to Configure Message Journaling
Key Points
In this demonstration, you will review how to configure a message journaling rule using the Exchange Management Console. You can configure journaling rules by using either the Exchange Management Console or the Exchange Management Shell. To configure transport rules with the Exchange Management Shell, use the following commands: Enable-JournalRule Disable-JournalRule Get-JournalRule Set-JournalRule New-JournalRule Remove-JournalRule
Demonstration Steps
1. 2. 3. 4. 5. In Exchange Management Console, under Organization Configuration, click Hub Transport. Create a new journal rule. Specify a name for the rule, and a journal mailbox. A copy of all messages that the rule affects will be sent to the journal mailbox. Specify the journal rule scope and recipients. The scope defines whether only internal or only external messages, or both, will be journaled. All messages that the recipient sends or receives are journaled. Send a test message to a journal recipient. Log on to the journal recipient mailbox, and then reply to the message. Log on to the journal mailbox and confirm that the journal mailbox contains a journal report for both the sent message and the reply message.
9-31
Question: What are the advantages and disadvantages of using the Exchange Server 2010 message journaling feature?
9-32
Considerations for Managing the Message Journal Mailbox
Key Points
In a large organization or if you configure journaling for a large number of users, the journal mailbox can grow very rapidly. Additionally, the journal mailbox may contain highly confidential information that should not be accessible to most users. This means that you will need to develop policies for managing the journal mailbox.
Using a SharePoint Document Library for Journaling

You can configure SharePoint document libraries with SMTP addresses that will accept e-mail messages. In Exchange Server, you can configure a custom recipient using the SharePoint document library e-mail address, and then configure journaling to use the custom recipient as the journal recipient.
Considerations for Managing the Journal Mailbox Size

When configuring a journaling mailbox to accept journal reports, you must determine the maximum size of the journaling mailbox. As with any other mailbox, the maximum size depends on the data that the mailbox will store, the hardware resources that are available, and the disaster-recovery capabilities for the server that contains the journaling mailbox. Additionally, you also must consider what will occur if a journaling mailbox exceeds the configured mailbox quota. Avoid using the Prohibit send and receive at (KB) option to set the journaling mailboxs storage limit. When the mailbox exceeds the specified quota, it stops accepting journaling reports. When this happens, NDRs are not sent to users or administrators, but rather are queued on Hub Transport servers. To reduce the possibility that your journaling mailbox will reject journal reports because it has reached the configured storage quota, either avoid configuring this option or configure your journaling mailboxs storage quota to the maximum size allowable for your hardware resources and disaster-recovery capabilities. If you are backing up the mailbox on a daily basis, consider specifying a MRM rule to remove backed-up messages regularly.
9-33
Considerations for Managing Journal Mailbox Security

Security is an important consideration when managing the journal mailbox. Journaling mailboxes may contain sensitive information. You must secure journaling mailboxes because they collect messages that your organizations recipients send and receive, and those messages may be part of legal proceedings or subject to regulatory requirements. Create policies that govern who can access your organizations journaling mailboxes and limit access to only those individuals who have a direct need for access. Ensure that legal representatives approve your plan to ensure that your journaling solution complies with all the laws and regulations that apply to your organization.
9-34
What Is Multi-Mailbox Search?
Key Points
Many organizations need to be able to search mailboxes for specific content while performing compliance audits. By using the Exchange Server 2010 Multi-Mailbox Search feature, organizations can now easily search all user mailboxes.
How Multi-Mailbox Search Works

In Exchange Server 2010, the mailbox search functionality is now available through the Multi-Mailbox Search feature in the ECP. The Multi-Mailbox Search feature allows you to search multiple mailboxes for mailbox items (including e-mail, attachments, Calendar items, Tasks, and Contacts) across both primary and archive mailboxes. Advanced filtering capabilities include: sender, receiver, expiry policy, message size, sent/receive date, cc/bcc, and regular expressions. Multi-Mailbox Search uses the content indexes that Exchange Search creates. Having a single contentindexing engine ensures no additional resources are utilized for crawling and indexing mailbox databases when information technology (IT) departments receive discovery requests. Discovery Management Role A user who is a member of the Discovery Management role group can perform a Multi-Mailbox Search. The Discovery Management role group is a universal security group that you configure in AD DS or Active Directory during the Exchange Server 2010 installation. The Discovery Management role group is assigned to the Mailbox Search management role, which has permission to search all mailboxes in the organization. Note: Exchange Server 2010 uses Role Based Access Control (RBAC) to define what actions users can perform in the Exchange Server organization. RBAC uses management roles and management role groups to manage these permissions. For more information on management roles and management role groups, see Module 10.
9-35
Viewing Search Results

Multi-Mailbox Search copies the search results to the Discovery Search Mailbox. It creates a new folder in the target mailbox that bears the same name as the search, with a subfolder for each source mailbox that was searched. Additionally, it copies messages that the search returns to the corresponding folder in the target mailbox.
9-36
Demonstration: How to Configure Multi-Mailbox Search
Key Points
In this demonstration, you will review how to configure Multi-Mailbox Search. To use Multi-Mailbox Search feature, you must add the users who will perform the search to the Mailbox Search management role. The easiest way to do this is to add the user to the Discovery Management universal security group in AD DS or Active Directory. The user then can use the ECP to search for messages based on multiple criteria.
Demonstration Steps
1. 2. 3. 4. 5. 6. 7. In Active Directory Users and Computers, add the user or group that will perform Discover searches to the Discovery Management group. Send a message with a key word or phrase in it. You will be searching on this key word or phrase. Connect to the Exchange Control Panel on a Client Access server using the account that will perform the search. On the Reporting tab, under Multi-Mailbox Search, configure the search parameters. Select the Send me an e-mail when the search is done check box, and then start the search. Open the e-mail indicating the search is finished, and then click the Discovery Search Mailbox link. Review the messages located by the search.
9-37
Lab A: Configuring Transport Rules, Journal Rules, and Multi-Mailbox Search
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must: 1. 2. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and the 10135A-VAN-CL1 virtual machines are running: 3. 4. 10135A-VAN-DC1: Domain controller in the Adatum.com domain. 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain. 10135A-VAN-CL1: Client computer in the Adatum.com domain.
If required, connect to the virtual machines. Log on to VAN-DC1, and VAN-EX1 as Adatum\Administrator using the password Pa$$w0rd. Log on to VAN-CL1 as Adatum\Luca using the password Pa$$w0rd.
Lab Scenario
You are a messaging administrator in A. Datum Corporation. Your organization has deployed Exchange Server 2010. The legal and audit departments at A. Datum provided you with several requirements for implementing messaging policy and compliance. These requirements include applying rights protection to some messages sent inside and outside the organization, restricting message flow based on message classifications, and restricting which messages are sent to critical distribution lists. You also must ensure that you establish a separate and secure mailbox in which to retain all messages that the legal department sends and receives.
9-38
Exercise 1: Configuring Transport Rules

Scenario
A. Datum Corporation is completing its Exchange Server 2010 deployment and is preparing to implement messaging policies to manage e-mail messages in transit and in user mailboxes. The project sponsors have developed the following requirements for transport rules: All messages sent to users on the Internet must have a disclaimer that the legal department approves. Messages with an Internet Confidential classification must not be sent to the Internet. The transport rule should apply the Do Not Forward AD RMS template to all messages with the words confidential or private in the subject. A member of the Marketing group must approve all messages sent to the All Company distribution list before the message is delivered.
The main tasks for this exercise are: 1. 2. 3. 4. 5. 6. 7. Create a transport rule that adds a disclaimer to all messages sent to the Internet. Enable message classifications for Outlook 2007 clients. Create a transport rule that blocks all messages with an Internet Confidential classification from being sent to the Internet. Enable AD RMS integration for the organization. Configure a transport rule that applies the Do Not Forward AD RMS template to all messages with the words confidential or private in the subject. Configure a moderated group. Test the transport rule configuration.
To start the lab, complete the following steps

On VAN-EX1, click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Console. 2. Expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Hub Transport. 3. In the Actions pane, click New Send Connector. 4. On the Introduction page, type Internet Connector as the connector name. In the Select the intended use for this Send connector drop-down list, click Internet, and then click Next. 5. On the Address space page, click Add. 6. In the Address field, type *, click OK, and then click Next. 7. On the Network settings page, click Route mail through the following smart hosts, and click Add. 8. In the IP address field, type 10.10.0.10, click OK, and then click Next. 9. On the Configure smart host authentication settings page, click Next. 10. On the Source Server page, click Next, click New, and then click Finish. 1.
Task 1: Create a transport rule that adds a disclaimer to all messages sent to the Internet
On VAN-EX1, create a new transport rule with the following settings: Name: Internet E-Mail Disclaimer Conditions: Sent to users outside the corporation Actions: Add a disclaimer
9-39
Disclaimer text: This e-mail is intended solely for the use of the individual to whom it is addressed
Task 2: Configure and enable message classifications for Outlook 2007 clients
1. On VAN-EX1, use the new-messageclassification -Name CompanyConfidential displaynameCompany Confidential -senderdescription Do not forward to the Internet cmdlet to configure a new message classification. Use the Export-Classification.ps1 script in the c:\Program Files \Microsoft\Exchange Server\v14\scripts folder to export the message classifications to the C:\Classifications.xml file. Copy the Classifications.xml file to drive C on VAN-CL1. On VAN-CL1, import the EnableClassifications.reg file from \\van-ex1\d$\Labfiles.
2.
3. 4.
Task 3: Create a transport rule that blocks all messages with a Company Confidential
classification from being sent to the Internet
Create a new transport rule with the following settings: Name: Company Confidential Rule Condition: Marked with classification Company Confidential Actions: Send rejection message to sender with enhanced status code Rejection message text: Company confidential e-mail messages cannot be sent to the Internet Enhanced status code: 5.7.1
Task 4: Enable AD RMS integration for the organization

1. 2. 3. On VAN-DC1, grant the Exchange Servers group and the IIS_IUSRS read and execute permission to the C:\inetpub\wwwroot\_wmcs\certification\ servercertification.asmx file. Restart IIS on VAN-DC1. On VAN-EX1, use the set-irmconfiguration InternalLicensingEnabled:$true cmdlet to enable AD RMS encryption.
Task 5: Configure a transport rule that applies the Do Not Forward AD RMS template to
all messages with the words confidential or private in the subject
Create a new transport rule with the following settings: Name: Confidential E-Mail Rule Condition: Where the subject contains the words Confidential or Private Actions: protect the message with the Do not Forward template
Task 6: Configure a moderated group

1. 2. On VAN-EX1, configure the All Company distribution group to require moderation. Configure Andreas Herbinger as the groups moderator.
Task 7: Test the transport rule configuration

1. 2. On VAN-CL1, verify that you are logged on as Adatum\Luca, and then open Office Outlook 2007. Send two messages to Carol@contoso.com. The first message should contain no settings, and the second message should have the Internet Confidential message classification assigned.
9-40
3.
4. 5. 6. 7. 8. 9.
On VAN-DC1, open Windows Explorer. Browse to the C:\inetpub\mailroot \queue folder. Open the EML file with Notepad. Scroll to the middle of the message, and verify that the disclaimer has been added to the message. On VAN-CL1, confirm that Luca received a message from the postmaster account stating that the second message could not be delivered. In Outlook, create a new message, and send it to the All Company distribution group. Connect to the Outlook Web App site on VAN-EX1. Log on as Andreas. Approve the message. In Outlook, verify that the message to the All Company distribution list has arrived. In Outlook Web App, logged on as Andreas, create a new message with a subject of Private. Send the message to Luca. In Outlook, verify that Luca received the message and that it has the Do Not Forward template applied. Verify that the Forward option is not available on the message. Results: After this exercise, you should have configured a transport rule that ensures that all messages sent to users on the Internet includes a disclaimer of which the legal department approves. Additionally, you should have configured a transport rule that ensures that messages with an Company Confidential classification are not sent to the Internet, and you should have configured a transport rule that applies the Do Not Forward AD RMS template to all messages with the words confidential or private in the subject. Lastly, you should have configured a moderated group using the All Company distribution group.
9-41
Exercise 2: Configuring Journal Rules and Multi-Mailbox Search

Scenario
In addition to requirements restricting message flow, the project sponsors at A. Datum Corporation also have the following requirements for saving messages and enabling auditors to search all mailboxes: A copy of all messages sent to and from the Executives group will be saved. The journal mailbox should be accessible only with a special auditor account. Implement an auditor account that has permission to search all user mailboxes and access the journaled Executive messages.
The main tasks for this exercise are: 1. 2. 3. 4. Create a mailbox for the Executives department journaling messages. Create a journal rule that saves a copy of all messages sent to and from Executives department members. Create and configure the MailboxAuditor account. Test the journal rule and Multi-Mailbox Search configuration.
Task 1: Create a mailbox for the Executives department journaling messages

Create a new recipient with the following attributes: First name: Executives Journal Mailbox User Logon name (User Principal Name): ExecutivesJournal Password: Pa$$w0rd Create the mailbox in Mailbox Database 1
Task 2: Create a journal rule that saves a copy of all messages sent to and from
Executives department members
Create a new journal rule with the following attributes: Rule name: Executives Department Message Journaling Journal mailbox: Executives Journal Mailbox Scope: Global Recipient: Executives distribution group
Task 3: Create and configure the MailboxAuditor account

1. Create a new recipient with the following attributes: 2. 3. First name: Mailbox Auditor User Logon name (User Principal Name): MailboxAuditor Password: Pa$$w0rd Create the mailbox in Mailbox Database 1
Grant the Mailbox Auditor account full access to the Executives Journal Mailbox and Discovery Management Mailbox mailboxes. Add the Mailbox Auditor account to the Discovery Management Active Directory group.
9-42
Task 4: Test the journal rule and Multi-Mailbox Search configuration

1. 2. 3. 4. On VAN-CL1, if required, open Outlook. Create a new message, and then send it to Marcel Truempy. Marcel is a member of the Executives group. Connect to Outlook Web App as Marcel, and confirm that the message was delivered. Reply to the message. Connect to Outlook Web App as MailboxAuditor. Right-click Mailbox Auditor, and then click Open Other Users Inbox. Open the Executives Journal Mailbox and verify that the two journaled messages are in the Inbox. In Outlook, send a message with the following properties: 6. 7. 8. To: George; Carol@contoso.com Subject: Customer Order Message body: Here is the order for Carol at Contoso. Her customer number is 1111-1111.
5.
Connect to the Exchange Control Panel as the MailboxAuditor. Create a new search named Customer Number Discovery. Configure the search to look for the phrase customer number in George Schaller and Luca Dellamores mailboxes. Wait until the search finishes, and then in the bottom right pane, click the Open link. In Outlook Web App, verify that the discovery folder named Customer Number Discovery contains two subfolders and contains the discovered messages. Results: After this exercise, you should have created a mailbox for the Executives department journaling messages, and then created a journal rule that saves a copy of all messages sent to and from Executives department members. You also should have created and configured the MailboxAuditor account.

Do not shut down the virtual machines and revert them to their initial state when you finish this lab. The virtual machines are required to complete this modules last lab.
9-43
Lesson 4
Configuring Messaging Records Management
An important requirement for many organizations is managing the e-mail stored in users mailboxes. In some cases, organizations may need to retain some messages while deleting others after a specified time. Exchange Server 2010 uses MRM to implement this functionality through retention policies and managed folders. This lesson describes how to implement MRM in Exchange Server 2010. After completing this lesson, you will be able to: Describe Retention Tags and retention policies. Configure Retention Tags and retention policies. Describe managed folders. Deploy managed folders. Implement managed custom folders and content settings. Identify options for implementing MRM.
9-44
What Are Retention Tags and Retention Policies?
Key Points
In Exchange Server 2010, you use Retention Tags to tag messages or folders for retention or deletion. Each Retention Tag is associated with one or more managed content settings, which define the time for which items are retained, and what will happen when the retention period expires. You can associate multiple Retention Tags with a retention policy, which then is assigned to a user mailbox.
Retention Tags
Use Retention Tags to apply retention settings to mailbox folders and individual items. The following types of Retention Tags are available: Retention Policy Tags: Retention Policy Tags are applied to default mailbox folders such as Inbox, Deleted Items, and Junk Mail. A Retention Policy Tag has one or more Managed Content Settings associated with it for retaining messages of different types. It may have an additional Managed Content Settings associated with journaling settings. Default Policy Tag: A Default Policy Tag can be associated with a retention policy and applies to all items in the mailbox that do not have a Retention Tag explicitly applied to them, or that do not inherit a tag from the folder they reside in. A Default Policy Tag can have more than one Managed Content Settings associated with it for different item types such as e-mail messages, voice mail, and Contacts. Additionally, it can also have a Content Settings with journaling settings. You cannot have more than one Default Policy Tag associated with a retention policy. Personal Tags: Personal Tags are Retention Tags available to users as part of their retention policy. A user can opt-in to use additional Personal Tags using the ECP, and can apply them to folders or items in the mailbox. Personal Tags can have only one managed content setting for expiry of all message types.
9-45
Managed Content Settings

Managed content settings define settings for message retention and journaling. They are associated with Retention Tags. The content settings specify how long a message remains in a mailbox folder, and the action that Exchange Server should take when the message reaches the specified retention age. You can also configure journal settings to ensure that all message copies with the associated Retention Tag are sent to another recipient.
Retention Policies
Retention policies group one or more Retention Tags and apply the tags to mailboxes. A Retention policy consists of one or more Retention Policy Tags, a maximum of one Default Policy Tag, and any number of Personal Tags. You can link or unlink tags from a retention policy at any time. You can apply Retention policies to mailboxes using the Exchange Management Shell or the ECP. A mailbox cannot have more than one retention policy.
Retention Policy Tags and Mailbox Folders

Retention Policy Tags apply to default folders as specified in the retention policy. Users cannot change the Retention Policy Tags associated with default folders. However, users can apply a different tag to an item in a default folder, thereby causing the item to have a different retention setting than the folder in which it resides. Similarly, an item in a user-created folder can also have a different tag than the folder within which it resides.
9-46
What Is AutoTagging?
Key Points
AutoTagging is an Exchange Server 2010 feature that optimizes the use of Retention Tags by automatically applying Retention Tags to items based on past user behavior.
Based on User Behavior

AutoTagging uses a machine-learning algorithm that tracks users tagging behavior. Given a sampling that is large enough for it to learn, AutoTagging can predict the users tagging behavior from the sampling. The user must have manually tagged a minimum of 500 e-mail messages for AutoTagging to start learning. The AutoTagging algorithm inspects message characteristics, content, and the userassigned Retention Tags, and creates a model to predict the users tagging behavior. Once learning is complete, AutoTagging automatically assigns the appropriate Retention Tags to new items as they arrive.
User Management of AutoTagging

Users can enable AutoTagging from the ECP. The mailbox should have at least 500 messages tagged before AutoTagging is enabled. You also can use cmdlets to enable or disable AutoTagging for one or more mailboxes, and to determine the AutoTagging status of users. Users can disable AutoTagging at any time. They also can override the Retention Tag automatically applied to a message by applying a different tag that may be more appropriate, or they can move a message to a folder to which a tag is applied. User-applied tags always take precedence, and AutoTagging never alters them.
Administrative Control
Regardless of whether a user or administrator enables AutoTagging on a mailbox, Exchange Server 2010 lets the administrator control AutoTagging functionality, as necessary. Administrators can enable or disable AutoTagging for a mailbox. To do this, use the Set-MailboxComplianceConfiguration -Identity user -RetentionAutoTaggingEnabled cmdlet to assign a value of $true or $false.
9-47
Demonstration: How to Configure Retention Tags and Policies
Key Points
In this demonstration, you will review how to configure the three types of Retention Tags, and how to configure content settings for the Retention Tags. Then you will see how to combine the Retention Tags into a retention policy and how to assign the retention policy to a user.
Demonstration Steps
Use the following cmdlets to configure Retention Tags and policies: New-RetentionPolicyTag DefaultTag -Type:All -MessageClass AllMailboxContent RetentionEnabled $true -AgeLimitForRetention 365 -RetentionAction PermanentlyDelete isprimary:$true This cmdlet creates a new default Retention Policy Tag that applies to all folders named DefaultTag. The retention policy content settings will apply to all messages that do not have another Retention Tag assigned to them, and will permanently delete all messages after 365 days. New-RetentionPolicyTag InboxTag -Type:Inbox -MessageClass:* -AgeLimitForRetention:30 -RetentionEnable:$True -RetentionAction:MovetoDeletedItems This cmdlet sets a Retention Tag for the Inbox folder and configures a content setting to move all messages to the Deleted Items folder after 30 days. New-RetentionPolicyTag Business Critical -Type:Personal -MessageClass:* -AgeLimitForRetention:1100 -RetentionEnable:$True -RetentionAction:MoveToArchive This cmdlet creates a Personal Tag named Business Critical that sets a retention period of about three years and moves the messages to the user archive mailbox when the retention period expires. New-RetentionPolicy AllTagsPolicy -RetentionPolicyTagLinks:DefaultTag,InboxTag,Business Critical
9-48
This cmdlet creates a new retention policy named AllTagsPolicy, and adds all of the Retention Tags to the policy. Set-Mailbox Luca -RetentionPolicy AllTagsPolicy
Question: Do you think you will implement retention policies? Question: Which MRM option are you more likely to implement: managed custom or default folders, or retention policies?
9-49
What Are Managed Folders?
Key Points
In addition to retention policies, you can implement MRM by configuring managed folders. When you configure managed folders, you can configure managed content settings that specify how long to retain messages in specified e-mail folders. You can apply managed content settings to the default e-mail folders or to managed custom folders that you create in user mailboxes. You then can create managed folder mailbox policies that apply the content settings for a folder or group of folders to specified users. Note: Exchange Server 2007 introduced managed folders, and Exchange Server 2010 supports managed folders that are configured in Exchange Server 2007.
Managed Folder Options

Use the following options when configuring managed folders: Configure content settings for the default folders that are created in all user mailboxes. When configuring content settings for the default folders, set restrictions on how long the folder retains messages. You can also use the Exchange Management Console to apply content settings to the entire Mailbox folder. The content settings applied to this folder will apply to all folders in the user mailbox, including folders they have created. Configure custom managed folders and then apply content settings to the custom folders. When creating a custom managed folder, you can add that folder the user mailbox. You then can configure content settings to apply to that folder. This is a useful option when users require the same folder, and you need to manage the messages in the folder identically for all users.
Managed Content Setting Options

When you configure managed content settings, use the following options for configuring how users manage messages:
9-50
Configure retention periods, which enable you to define how long content will remain in users mailboxes. You can configure these policies by content age and message type, such as voice mail or appointments. Configure what action occurs when the retention period expires. For example, you can configure messages to be deleted permanently, moved to the Deleted Items folder, or moved to anther folder. Configure journal settings to ensure copies of all messages in the specified folder are sent to another recipient.
Managed Folder Mailbox Policies

Managed folder mailbox policies enable you to group managed folders and assign the managed folder settings to user accounts. For example, you might have created a managed content setting for the Inbox and the Sent Items folders, and a custom managed folder for a sales project. To apply these settings to users, you need to create a managed folder mailbox policy and assign the Inbox, Sent Items, and the custom managed folders to the policy. You then assign the policy to all of the users in the Sales department.
User Interaction with Messaging Records Management

When you create custom managed folders, users have to move e-mail messages from their Inbox to the appropriate folders. MRM policies are applied automatically to messages that users have moved. User also can sort messages into appropriate folders by using Outlook rules. If you apply content settings to default folders in a user mailbox, no user interaction is necessary for the settings to apply to the folders.
9-51
Process for Deploying Managed Folders
Key Points
To implement MRM, you must complete the following steps: 1. 2. Specify the folders to which you want to apply MRM. You can apply managed content settings to default folders in user mailboxes, or you can create managed custom folders in user mailboxes. Specify the managed content settings for selected folders. When you configure content settings, you can configure options that define the message types you want to manage, how long to retain the messages, and what action to take when messages expire. You also can configure journaling settings that will save a copy of all messages in the folder. Create a managed folder mailbox policy. You can use mailbox policies to group multiple managed folders. Apply the managed folder mailbox policy to users mailboxes. By default, no managed folder mailbox policies are created or applied to user mailboxes. Schedule the managed folder assistant to apply the changes to users mailboxes. The managed folder assistant creates managed folders in users mailboxes and applies managed content settings to them. By default, the managed folder assistant runs from 1 A.M. to 5 A.M. everyday.
3. 4. 5.
9-52
Demonstration: How to Implement Managed Custom Folders and Content Settings
Key Points
In this demonstration, you will review how to configure a managed custom folder, and then apply a content setting to the custom folder. You also will see how to configure a managed folder mailbox policy and apply it to a user account.
Demonstration Steps
1. 2. In the Exchange Management Console, in the Organization Configuration work area, click Mailbox. Create a new managed custom folder using the following configuration: 3. Name: Contoso Project Comment: All items related to Contoso Project should be posted here and will be retained for 2 years
Right-click the Contoso Project folder, and then create a new managed content setting with the following configuration: Name: Contoso Project Content Settings Message type: All Mailbox Content Length of retention period: 731 Retention period starts: When item is moved to the folder Action to take at the end of the retention period: Permanently delete Journaling: Disabled
4.
In the Actions pane, click New Managed Folder Mailbox Policy, and then create a new managed folder mailbox policy named Accounting Department Policy that includes the Contoso Project folder.
9-53
5. 6. 7. 8.
Assign the Accounting Department Policy to all users in the Accounting OU. On the Mailbox server properties, schedule the Managed Folder Assistant to run during the current time. Restart the Microsoft Exchange Mailbox Assistants service. Use Outlook Web App to check the mailbox of an Accounting department member. Verify that the Contoso Project folder was created in the users mailbox.
9-54
Considerations for Implementing Messaging Records Management
Key Points
MRM policies deal primarily with other message retention issues. By implementing MRM policies, you can ensure that certain messages are deleted in user mailboxes and that certain messages are retained for an extended period. Note: MRM requires an Exchange Enterprise CAL for each mailbox on which it is enabled. Ensure that you have business and legal approval before configuring MRM policies. This is particularly important if you are configuring policies that will delete messages from user mailboxes. You can use retention policies and managed folder mailbox polices to group a collection of folders with associated Retention Tags or content settings. If different user groups in your organization have different requirements for MRM, you can create a unique policy for each user group that includes just the folders that should apply to those users. If your organization requires messages to be retained or managed based on projects, consider using managed custom folders to apply messaging records management policies. With managed custom folders, you can create the required folders in the mailboxes for all users associated with the projects, and then ensure appropriate management of the folders messages. If you want to automate the MRM process for all users, consider using retention policies and AutoTagging. With retention policies, you can set default tags that will be assigned to all folders, while providing users with the option of overriding the tags. With AutoTagging, you can further automate the process for managing Retention Tags to the extent that users no longer have to manage the tags. If you need to ensure that copies of some messages are retained for extended periods, consider using journaling as part of a content setting to ensure message retention. When you configure a content setting, you can add a journal location so that all messages that the content setting covers also are
9-55
moved automatically to the journal location. With this as an option, you can consider deleting messages from user mailboxes. Use MRM policies to limit mailbox sizes. You can use MRM policies to remove old messages from folders such as the Deleted Items folder, or the Sent Items folder.
9-56
Lesson 5
Configuring Personal Archives
A compliance issue that many organizations must solve is that much of the information users receive by email is not stored within the e-mail system. Because of mailbox size limits, many users move messages from their mailboxes to personal storage table (PST) files, where the messages are not backed up regularly, and where the messages are not available for discovery or indexing. Exchange Server 2010 introduces Personal Archives as an option for ensuring that all messages are stored in a mailbox on an Exchange server. This lesson describes how to configure and manage Personal Archives in Exchange Server 2010. After completing this lesson, you will be able to: Describe options for implementing mailbox archiving. Describe how Personal Archives work in Exchange Server 2010. Configure Personal Archives. Identify options for implementing Personal Archives.
9-57
Discussion: Options for Implementing Mailbox Archiving
Key Points
Some organizations have implemented mailbox archiving by using third-party products. These products provide different types of functionality and implement the functionality in different ways. In this discussion, you will review the mailbox archiving solutions that organizations have implemented. Question: Do you have any archiving or journaling requirements in your organization? Question: How are you currently meeting these requirements?
9-58
How Personal Archives Work in Exchange Server 2010
Key Points
Exchange Server 2010 provides Personal Archives as a feature that enables users to move their PST files back into the Exchange Server database. To implement a Personal Archive, create a second mailbox that the user can use to store messages that are no longer current, but which they may need to retain. The user can access this archive mailbox in Outlook 2010 or Microsoft Outlook Web App just like any other folder in the user mailbox.
How Personal Archives Works

To implement Personal Archives, the Exchange Server administrator creates a new archive mailbox for the users. You must create this mailbox in the same mailbox database as the users primary mailbox. You can create the archive mailbox when you create the primary mailbox, or add the archive mailbox later. The archive mailbox appears as a folder in the users regular mailbox when the user accesses their mailbox by using Outlook 2010 or Outlook Web App. Users can the move their PST folders, or any other messages, into the archive mailbox simply by dragging and dropping e-mail into an archive folder. One of the differences between the primary mailbox and the archive mailbox is that the archive mailbox is not cached on the client computer when you configure Outlook in cache mode. This decreases the mailbox cache size on the client, but also means that the user can access the mail in the mailbox only when connected to the Exchange server. You can manage the archive mailbox through MRM policies. For example, you can configure retention policies that will move messages from the primary mailbox to the secondary mailbox based on the Retention Tags assigned to the primary mailbox folders. You can also configure retention policies for folders located in the archive mailbox.
9-59
Demonstration: How to Configure Personal Archives
Key Points
In this demonstration, you will review how to configure a Personal Archives mailbox for a user account. You will also see how to access the mailbox by using Outlook Web App.
Demonstration Steps
1. 2. 3. 4. 5. On VAN-EX1, in the Exchange Management Console, click Recipient Management, and then click Mailbox. Right-click a mailbox, and then click Enable Archive. On the mailbox properties, review the archive quota settings. Use the get-mailbox cmdlet to view the mailbox settings. Review the ArchiveName and ArchiveQuota settings. Verify that you cannot view the archive mailbox in Outlook 2007, but can see it through Outlook Web App.
Question: Will you implement Personal Archives in Exchange Server 2010? Question: What are the benefits and disadvantages of the Personal Archives feature?
9-60
Considerations for Implementing Personal Archives
Key Points
Personal Archives provides an excellent opportunity for organizations to ensure that all messages in the email system are stored in a location where the messages can be managed and accessed. However, deploying Personal Archives will also require careful planning to ensure that the implementation is a success. In many organizations, some users may have several gigabytes of data stored in PST files. If all of these messages are moved into archive mailboxes, the amount of storage required for the mailbox databases will increase dramatically. Some considerations for managing the implementation for Personal Archives include: Consider an incremental implementation for Personal Archives. If your storage infrastructure cannot handle implementing Personal Archives for all users, start by identifying the users that will benefit most from Personal Archives. This may include users with the most critical information currently stored in PST files, or it may include all executives in the organization. With the decrease in disk input/output (IO) per mailbox and the option of using database availability groups (DAGs) for high availability, Exchange Server 2010 enables some important new options for implementing storage. Because of the decrease in disk IO, it is now feasible to store mailbox databases on lower performance and less expensive disk arrays using SATA drives. Additionally, rather than depending on redundant disk arrays and backup to provide high availability, you can use DAGs to provide the required level of availability. You can also use MRM policies to manage the archive mailboxes. By configuring retention tags for the primary mailbox, you can ensure that messages are moved into the archive mailbox on a regular basis. You can also use retention tags to manage the messages in the archive mailbox. After you implement Personal Archives, you should consider removing the option for users to use PST files. You can start moving users away from using PST files by creating a Group Policy object that prevents new items from being added to existing PST files. Making PST files read-only gives users access to the PST files they may already have while encouraging them to keep the messages that they
9-61
want to keep in their mailboxes. Eventually, you may want to create a GPO to remove access to PST files altogether.
9-62
Lab B: Configuring Messaging Records Management and Personal Archives
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must: 1. 2. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and the 10135A-VAN-CL1 virtual machines are running. 3. 10135A-VAN-DC1: Domain controller in the Adatum.com domain. 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain. 10135A-VAN-CL1: Client computer in the Adatum.com domain.
Lab Scenario
You are the messaging administrator for A. Datum Corporation. Your organization has deployed Exchange Server 2010. The legal and audit departments at A. Datum provided you with several requirements for implementing messaging policy and compliance. These requirements include configuring rules that will ensure that some messages are retained for an extended period, while other messages are deleted when they expire. Finally, you must enable Personal Archives for all of the users in the Executives department.
9-63
Exercise 1: Configuring Messaging Records Management

Scenario
A. Datum Corporation also wants to ensure proper management of messages in the user mailboxes. The project sponsors have provided the following requirements: For all users, all messages in the default mailbox folders must be deleted after 90 days. All members of the Finance department require a custom folder in their mailbox that contains confidential messages related to finance. The messages in these custom folders must be retained for 180 days, after which the messages must be marked in Outlook as expired.
A. Datum Corporation would like to automate message management in user mailboxes. To test this implementation, the executives have approved a pilot project to use retention policies for the ITAdmins group. The main tasks for this exercise are: 1. 2. 3. 4. 5. 6. 7. 8. 9. Create a managed custom mailbox folder named Executives Confidential. Configure content settings for the Executives Confidential folder. Configure content settings for all mailbox folders. Configure a managed folder mailbox policy that applies to all users. Configure a managed folder mailbox policy that applies to the Executives department. Start the managed folder assistant process. Test the managed custom folder implementation. Configure Retention Tags and a retention policy. Apply the retention policy to the Marketing group.
Task 1: Create a managed custom mailbox folder named Executives Confidential

Create a new managed custom folder with the following attributes: Name: Finance Confidential. Comment: All confidential items related to Finance should be posted here. Messages in this folder are valid for 180 days. Do not allow users to minimize the comment in Outlook.
Task 2: Configure content settings for the Executives Confidential folder

Create a new managed content settings object with the following attributes: Name: Executives Confidential Content Settings. Message type: All Mailbox Content. Messages are retained for 180 days after they have been moved to the managed folder. After the retention period ends, the messages should be marked in Outlook as past retention limit.
Task 3: Configure content settings for all mailbox folders

Configure a new mailbox content setting object that applies to all folders in the default mailbox with the following attributes: Name: Mailbox Content Settings. Message type: All Mailbox Content.
9-64
Messages will be retained for 90 days. Retention period starts when messages are delivered. Delete messages, and allow recovery.
Task 4: Configure a managed folder mailbox policy that applies to all users
1. Create a new managed folder mailbox policy with this attribute: 2. 3. Name: Default Policy All Users
Associate the Entire Mailbox with the policy. Use the following command to assign the policy to all users: Get-Mailbox | Set-Mailbox ManagedFolderMailboxPolicy Default Policy All Users.
Task 5: Configure a managed folder mailbox policy that applies to the Executives
department
1. Create a new managed folder mailbox policy with the following attribute: 2. 3. Name: Executives Department Policy
Associate the Entire Mailbox and the Executives Confidential mailbox to this policy. Use the following command to assign the new policy to the users in the Finance OU: Get-Mailbox | where-object {$_.distinguishedname -ilike *ou=executives,dc=adatum,dc=com} | SetMailbox ManagedFolderMailboxPolicy Executives Department Policy
Task 6: Start the managed folder assistant process

1. 2. Create a custom schedule for the managed folder assistant process to run from Monday 6:00 A.M. to Friday 6:00 P.M. Stop and then start the Microsoft Exchange Mailbox Assistants service.
Task 7: Confirm that the managed custom folder is created for the Executives
department users
1. 2. 3. In the Exchange Management Console, confirm that the managed folder mailbox policy is assigned to Marcel Truempy. On VAN-EX1, open Internet Explorer, and then connect to https://VAN-EX1.adatum.com/owa. Log on as Adatum\Marcel with the password of Pa$$w0rd. Confirm that the Finance Confidential folder was created in Marcels mailbox.
Task 8: Configure Retention Tags and retention policies

Use the following cmdlets to configure the Retention Tags and retention policy. New-RetentionPolicyTag DefaultTag -Type:All -MessageClass AllMailboxContent RetentionEnabled $true -AgeLimitForRetention 365 -RetentionAction PermanentlyDelete isprimary:$true New-RetentionPolicyTag InboxTag -Type:Inbox -MessageClass:* -AgeLimitForRetention:30 -RetentionEnable:$True -RetentionAction:MovetoDeletedItems New-RetentionPolicyTag Retain for Records -Type:Personal -MessageClass:* -AgeLimitForRetention:1100 -RetentionEnable:$True -RetentionAction:MoveToArchive
9-65
New-RetentionPolicy AllTagsPolicy -RetentionPolicyTagLinks:DefaultTag,InboxTag,Retain for Records
Task 9: Apply the retention policy to the Marketing group

1. Use the following cmdlet to apply the retention policy to all users in the Marketing OU: Get-Mailbox | where-object {$_.distinguishedname -ilike *ou=Marketing,dc=adatum,dc=com} |SetMailbox -RetentionPolicy AllTagsPolicy. Run the Start-ManagedFolderAssistant cmdlet. Log on to Outlook Web App, and log on as Manoj. Verify that the retention policy tags are applied. Results: After this exercise, you should have configured a managed folder policy that ensures that all messages in the default mailbox folders are deleted after 90 days. You also will have configured a custom managed folder to ensure that all members of the Executives department have a custom folder in their mailbox that will contain confidential messages. You also should have configured Retention Tags and retention policies for the Marketing group.
2. 3.
9-66
Exercise 2: Configuring Personal Archives

Scenario
A. Datum Corporation is also concerned about the number of e-mails that some users are storing in PST files. In particular, some members of the Executives group have several gigabytes (GB) of data stored in PST files. To provide these users with larger mailboxes, the project team has agreed to provide the members of the Executives group with archive mailboxes. You need to configure the mailboxes for these users. The main tasks for this exercise are: 1. 2. Create an archive mailbox for all members of the Marketing group. Verify that the archive mailbox was created for members of the Marketing group.
Task 1: Create an archive mailbox for all members of the Marketing group
On VAN-EX1, in the Exchange Management Console, under Recipient Management, click Mailbox. Sort the mailbox list by organizational unit, select all of the users in the Marketing OU, and then create an archive mailbox for them.
Task 2: Verify that the archive mailbox was created for members of the Marketing group
Log on to Outlook Web App as Manoj, and then verify that the archive mailbox was created. Results: After this exercise, you should have configured archive mailboxes for all members of the Marketing group.

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps: 1. 2. 3. 4. 5. On the host computer, start Hyper-V Manager. Right-click the virtual machine name in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start. To connect to the virtual machine for the next modules lab, click 10135A-VAN-DC1, and then in the Actions pane, click Connect. Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines. 6. 7. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine. Wait for VAN-EX1 to start, and then start VAN-EX2. Connect to the virtual machine.
9-67
Review Questions
1. You need to ensure that a copy of all messages sent to a particular distribution group is saved. You only want copies of messages sent to the distribution group, not copies of all messages sent to individual members of the group. What should you configure? You need to ensure that a user can search all Exchange Server organization mailboxes for specific content. What should you do? What user training will you need to provide? You need to ensure that all messages related to a particular project are retained for three years. Users in your organization use both Outlook 2007 and Outlook 2010. What should you do?
2. 3.
Common Issues Related to Implementing Messaging Policies

Identify the causes for the following common issues related and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module. Issue Transport rules that use regular expressions are not applied consistently Troubleshooting tip If you are using a transport rule to check for information such as customer identification numbers or some other regular pattern of characters, ensure that your rule also checks for variations on the regular pattern. For example, if the customer identification number usually has dashes, you might also want to add the pattern without dashes to the rule. If you have a transport rule in place that modifies the message content, any digital signature attached to the message will be invalid and users will get an error message when they open the message. To avoid this, consider instructing users to add a disclaimer to all messages as part of their signature, and remove the transport rule.
Message recipients report that they are receiving error messages when they receive digitally signed messages from other users in the organization.
After you implement a transport Ensure that when you implement a transport rule that might affect rule, users report that some of message delivery, you configure an action in the transport rule that
9-68
Issue the messages they send to Internet recipients are not delivered and they do not receive notification of why the messages were not delivered.
Troubleshooting tip informs the user if the message cannot be delivered. Normally, you would do this with a bounce message.

1. The Exchange Server administrators at Contoso, Ltd., have implemented a custom message classification on the Exchange servers, but they notice that the custom classification is not available on the Outlook 2007 clients in the organization. What do they need to do? A. Datum Corporation has deployed an AD RMS server, and users are using it to protect e-mail. However, users report that when they protect e-mail messages, users outside the organization cannot read the messages. What should A. Datum messaging administrators do? Woodgrove Bank has implemented message journaling for all messages sent to and from the legal and compliance teams. These messages need to be available to auditors for seven years. The mailboxes used for journaling are growing rapidly. What should the messaging administrators at Woodgrove Bank do?
2.
3.
Best Practices Related to a Particular Technology Area in this Module

Supplement or modify the following best practices for your own work situations: Implementing messaging policies in Exchange Server 2010 can be complicated and the optimal configuration will be different in every organization. However, it is critical that you start thinking about this issue now in order to implement the policies and configurations that will meet your organizations legal requirements. Implement messaging policies only after extensive testing in a lab environment. If you configure messaging policies incorrectly, you could potentially delete messages that should be retained, or disrupt message delivery. Additionally, some messaging policies may have unintended consequences. Because of this, be sure to test all messaging policies thoroughly, and implement the policies in the production environment incrementally. Planning messaging policies always involves discussions with legal and compliance personnel who may not understand how you can use Exchange Server to enforce messaging policies. Be prepared to explain what Exchange Server can and cannot do in terms that people who are not messaging experts can understand.
Securing Microsoft Exchange Server 2010
10-1
Module 10
Contents:
Lesson 1: Configuring Role Based Access Control Lesson 2: Configuring Security for Server Roles in Exchange Server 2010 Lesson 3: Configuring Secure Internet Access Lab: Securing Exchange Server 2010 10-3 10-20 10-24 10-38
10-2
Configuring, Managing and Troubleshooting MicrosoftExchange Server 2010
Module Overview
In many organizations, Microsoft Exchange Server 2010 provides a critical business function for both internal and external users. Additionally, many organizations expose at least a few of their Exchange servers to the Internet. For these reasons, it is important that you do what you can to secure the Exchange Server deployment. There are two components to securing your Exchange Server deployment: configuring administrative permissions appropriately and securing the Exchange Server configuration. This module describes how to configure permissions and secure Exchange Server 2010. After completing this module, you will be able to: Configure role based access control (RBAC) permissions. Configure security for Exchange Server 2010 server roles. Configure secure Internet access.
10-3
Lesson 1
Configuring Role Based Access Control
Exchange Server 2010 uses the RBAC permissions model to restrict which administrative tasks users can perform on the Mailbox, Hub Transport, Unified Messaging, and Client Access server roles. With RBAC, you can control the resources that administrators can configure and the features that users can access. This lesson describes how to implement RBAC permissions in Exchange Server 2010, and how to configure permissions on Edge Transport servers. After completing this lesson, you will be able to: Describe RBAC and management role groups. Identify Exchange Server 2010 built-in management role groups. Manage RBAC permissions. Configure custom management role groups. Describe management role assignment policies. Work with management role assignment policies. Manage permissions on Edge Transport servers.
10-4
What Is Role Based Access Control?
Key Points
RBAC is the new permissions model in Exchange Server 2010. With RBAC, you do not have to modify and manage access control lists (ACLs) on Exchange Server or Active Directory Domain Services (AD DS) and Active Directory directory services objects. In Exchange Server 2010, RBAC controls the administrative tasks that users can perform and the extent to which they can administer their own mailbox and distribution groups. When you configure RBAC permissions, you can define precisely which Exchange Management Shell cmdlets a user can run and which objects and attributes the user can modify. All Exchange Server administration tools, including Exchange Management Console, Exchange Management Shell, and Exchange Control Panel (ECP), use RBAC to determine user permissions. Therefore, permissions are consistent regardless of which tool you use.
RBAC Options
RBAC assigns permissions to users in two primary ways, depending on whether the user is an administrator or end user: Management role groups. RBAC uses management role groups to assign permissions to administrators. These administrators may require permissions to manage the Exchange Server organization or some part of it. Some administrators may require limited permissions to manage specific Exchange Server features, such as compliance or specific recipients. To use management role groups, add users to the appropriate built-in management role group, or to a custom management role group. RBAC assigns each role group one or more management roles that define the precise permissions that RBAC grants to the group. Management role assignment policies. Management role assignment policies are used to assign enduser management roles. Role assignment policies consist of roles that control what users can do with
10-5
their mailboxes or distribution groups. These roles do not allow management of features with which users are not associated directly.
Note: You also can use direct role assignment to assign permissions. Direct role assignment is an advanced method for assigning management roles directly to a user or Universal Security Group, without the need to use a role group or role assignment policy. Direct role assignments are useful when you need to provide a granular set of permissions to a specific user only. However, we recommend that you avoid using direct role assignment, as it is significantly more complicated to configure and manage.
Question: What requirements does your organization have for assigning Exchange Server permissions? Does your organization use a centralized or decentralized administration model? What special permissions will you need to configure?
10-6
What Are Management Role Groups?
Key Points
Use management role groups to assign administrator permissions to groups of users. To understand how management role groups work, you need to understand their components.
Management Role Group Components

Management role groups use several underlying components to define how RBAC assigns permissions as assigned: Role holder. A role holder is a user or security group that you can add to a management role group. When a user becomes a management role-group member, RBAC grants it all of the permissions that the management roles provide. You can either add user accounts to the group in AD DS or Active Directory, or use the Add-RoleGroupMember cmdlet. Management role group. The management role group is a universal security group that contains users or groups that are role-group members. Management role groups are assigned to management roles. The combination of all the roles assigned to a role group defines everything that users added to a role group can manage in the Exchange Server organization. Management role. A management role is a container for a group of management role entries. These entries define the tasks that users can perform if RBAC assigns them the role using management role assignments. Management role entries. A management role entry is a cmdlet, including its parameters, which you add to a management role. By adding cmdlets to a role as management role entries, you are granting rights to manage or view the objects associated to that cmdlet. Management role assignment. A management role assignment assigns a management role to a role group. Once you create a management role, you must assign it to a role group so that the role holders use it. Assigning a management role to a role group grants the role holders the ability to use the cmdlets that the management role defines.
10-7
Management role scope. A management role scope is the scope of influence or impact that the role holder has once RBAC assigns a management role. When assigning a management role, use management scopes to target which objects that role controls. Scopes can include servers, organizational units, recipient objects, and more.
For more information about management role groups, refer to the CD content.
10-8
Built-In Management Role Groups
Key Points
Exchange Server 2010 includes several built-in role groups that you can use to provide varying levels of administrative permissions to user groups. You can add users to, or remove them from, any built-in role group. You also can add or remove role assignments to or from most role groups. Role group Organization Management View-Only Organization Management Recipient Management UM Management Description Role holders have access to the entire Exchange Server 2010 organization and can perform almost any task against any Exchange Server object. Role holders can view the properties of any object in the organization. Role holders have access to create or modify Exchange 2010 recipients within the Exchange Server organization. Role holders can manage the Unified Messaging features within the organization, such as Unified Messaging server configuration, properties on mailboxes, prompts, and auto-attendant configuration. Role holders can perform searches of mailboxes in the Exchange organization for data that meets specific criteria. Role holders can configure compliance features, such as retention policy tags, message classifications, transport rules, and more. Role holders have access to Exchange server configuration. They do not have access to administer recipient configuration. Role holders can perform limited recipient management.
Discovery Management Records Management Server Management Help Desk
10-9
Role group Public Folder Management Delegated Setup
Description Role holders can manage public folders and databases on Exchange servers. Role holders can deploy previously provisioned Exchange servers.
Note: All of these role groups are located in the Microsoft Exchange Security Groups OU in AD DS or Active Directory. This OU contains several other universal security groups that grant permissions to the Exchange server computer accounts.
10-10
Demonstration: Managing Permissions Using the Built-In Role Groups
Key Points
In this demonstration, you will review how to manage RBAC permissions in Exchange Server 2010 by using the built-in role groups. You will see how to add users to the built-in role groups and how RBAC assigns the resulting permissions to the user accounts.
Demonstration Steps
1. 2. 3. 4. 5. 6. 7. In Active Directory Users and Computers, add a user or security group to the Recipient Management group. Log on to an Exchange server using the delegated user account. Open the Exchange Management Console and the Exchange Management Shell. Verify that the user has read access to the Exchange Server organization configuration. Verify that the user cannot modify the settings on the Mailbox databases. Verify that the user can modify the settings for mailboxes and distribution groups. Verify that the user account has permission to move mailboxes to another server. In the Exchange Management Shell, use the get-exchangeserver | FL cmdlet to verify that the user has Read permission to the Exchange server information. Use the Set-User cmdlet to verify that user has permission to modify the Active Directory account.
10-11
Process for Configuring Custom Role Groups
Key Points
In addition to the built-in role groups, you also can create custom role groups to delegate specific permissions within the Exchange Server organization. Use this option when your ability to limit permissions is beyond the scope of the built-in role groups.
Configuring a Custom Management Role Group

RBAC enables complete flexibility in how you assign permissions in an Exchange Server 2010 environment. For example, RBAC enables you to assign permissions to a group of administrators in a branch office who only need to manage recipient tasks for branch-office users and mailboxes on branch office Mailbox servers. To implement this scenario, you would: 1. Create a new role group, and add the branch office administrators to the role group. You can use the New-RoleGroup cmdlet to create the group. When you create the group, you must specify the management roles. Additionally, you also can specify the management scope for the role. Assign management roles to the branch office administrators. To delegate permissions to a custom role group, you can use one or more of the default built-in management roles, or you can create a custom management role that is based on one of the built-in management roles. Exchange Server 2010 includes approximately 70 built-in management roles that provide granular levels of permissions.
2.
10-12
Note: You also can configure a new management role rather than use one of the existing management roles. To do this, use the New-ManagementRole cmdlet to create a custom management role based on one of the existing management roles. You can then add and remove management role entries as needed. By default, the new management role inherits all of the permissions assigned to the parent role. You can remove permissions from the role, as necessary, by using the Remove-managementroleentry cmdlet. However, it can be complicated to create a new management role and remove unnecessary management role entries, so we recommend that you use one of the existing roles whenever possible.
3. 4. Identify the management scope for the management role. For example, in the branch office scenario, you could create a role assignment with an OU scope that is specific to the branch office OU. Create the management role group using the information that you collect. Use the New-RoleGroup cmdlet to create the link between the role group, the management roles, and the management scope.For example, consider the following command: New-RoleGroup Name BranchOfficeAdmins roles Mail Recipients, Distribution Groups, Move Mailboxes, Mail Recipient Creation User BranchOfficeAdmins RecipientOrganizationalUnitScope Contoso.com/BranchOffice. It does the following: Creates a new role group named BranchOfficeAdmins. Assigns the Mail Recipients, Distribution Groups, Move Mailboxes, and Mail Recipient Creation management roles to the BranchOfficeAdmins role group. Configures a management role scope limited to the BranchOffice OU in the Contoso.com domain.
10-13
Demonstration: Configuring Custom Role Groups
Key Points
In this demonstration, you will review how to create a custom role group and how to assign management roles to the group. You also will verify that the correct permissions are assigned to the user accounts.
Demonstration Steps
1. 2. On VAN-EX1, open the Exchange Management Shell. Create a new management scope that will limit the tasks that can be performed by using the following command: New-ManagementScope Name MarketingMailboxes recipientroot adatum.com/Marketing -RecipientRestrictionFilter {RecipientType -eq UserMailbox} 3. Create a new management role group that uses the custom management scope by using the following command: New-RoleGroup Name MarketingAdmins roles Mail Recipients, Mail Recipient Creation -CustomRecipientWriteScope MarketingMailboxes 4. Add a user to the management role group by using the following command: Add-rolegroupmember id MarketingAdmins member Andreas 5. 6. In Active Directory Users and Computers, verify that the group has been created in the Microsoft Exchange Security Groups OU and that the user has been added to the group. Open the Exchange Management Console as the delegated user account. Verify that the user can modify mailboxes and create new mailboxes only in the Marketing OU.
Question: Will you implement custom management roles in your organization? If so, how will you configure the management roles?
10-14
What Are Management Role Assignment Policies?
Key Points
Management role-assignment policies associate end-user management roles with users. You do not configure administrative permissions with management role-assignment policies. Rather, you use management role assignment policies to configure what changes users can make to their mailbox settings and to distribution groups that they own.
Role Assignment Components

Role assignment policies consist of the following components that define what users can do with their mailboxes: Mailbox. Mailboxes are assigned a single role assignment policy. When a mailbox is assigned a role assignment policy, the policy is applied to the mailbox. This grants the mailbox all of the permissions that the management roles provide. Management role assignment policy. The management role-assignment policy is an object in Exchange Server 2010. Users are associated with a role assignment policy when you create their mailboxes or change the role assignment policy on their mailboxes. The combination of all the roles included in a role assignment policy defines everything that associated users can manage on their mailboxes or distribution groups. Management role assignment. Management role assignments link management roles and role assignment policies. Assigning a management role to a role assignment policy grants users the ability to use the cmdlets in the management role. When you create a role assignment, you cannot specify a scope. The scope that the assignment applies is based on the management role, and is either Self or MyGAL. Management role. A management role is a container for a group of management role entries. Roles define the specific tasks that users can do with their mailboxes or distribution groups.
10-15
Management role entry. A management role entry is a cmdlet, script, or special permission that enables users to perform a specific task. Each role entry consists of a single cmdlet and the parameters that the management role can access.
10-16
Working With Management Role Assignment Policies
Key Points
Exchange Server 2010 includes a default role assignment policy that provides end users with the most commonly used permissions. For most organizations, you do not need to modify the configuration. However, you can change the management role assignment policy if your organization has specific requirements regarding how users can interact with their mailboxes or groups.
Note: To view the default management role assignment policy configuration, use the GetManagementRoleAssignment RoleAssignee Default Role Assignment Policy cmdlet. This cmdlet lists all the management roles that are assigned to the default role assignment policy. To view the details of each management role, use the get-managementrole rolename | FL cmdlet. For example, executing the get-managementrole Mybaseoptions | FL cmdlet displays all management role entries associated with the Mybaseoptions management role.
Working with Assignment Policies

You can modify the default role-assignment configuration in several ways: Change the default permissions on the default role assignment policy by adding or removing management roles. For example, if you want to enable users to perform additional tasks on their mailboxes, you can identify the management role that grants them the necessary permissions, and add the role to the Default Role Assignment Policy. Define a new role assignment, and then configure that role assignment to be the default for all mailboxes. Use the Set-RoleAssignmentPolicy cmdlet to replace the built-in default role assignment policy with your own. When you do this, RBAC assigns the role assignment policy that you specify to new mailboxes, by default.
10-17
Note: When you change the default role assignment policy, RBAC does not assign the new default role assignment policy automatically. You will need to use the Set-Mailbox cmdlet to update previously created mailboxes to the new default role assignment policy.
Configure additional role assignment policies and assign the policies to a mailbox manually by using the RoleAssignmentPolicy parameter on the New-Mailbox, Set-Mailbox, or Enable-Mailbox cmdlets. When you assign an explicit role assignment policy, the new policy takes effect immediately and replaces the previously assigned explicit role assignment policy. If you have many different user groups with special needs, you can create role assignment policies for each group.
Question: How will you configure role assignment policies in your organization?
10-18
Managing Permissions on Edge Transport Servers
Key Points
You deploy the Edge Transport server role in an organizations perimeter network, either as a stand-alone server or as a member of a perimeter Active Directory domain. No Exchange Server-specific groups are created when you install an Edge Transport server role. The Administrators local group is granted full control of the Edge Transport server, which includes an instance of Active Directory Lightweight Directory Service (AD LDS). You can administer Edge Transport servers remotely by using Remote Desktop. The Administrators local group is granted remote logon permissions automatically when you enable Remote Desktop.
Permissions Required to Administer the Edge Transport Server

The following table lists common administrative tasks that users perform on the Edge Transport server and the group memberships necessary to complete each task successfully. Task Backup and restore Enable and disable agents Configure connectors Configure anti-spam policies Configure IP Block and Allow lists View queues and messages Manage queues and messages Required group membership Backup Operators Administrators Administrators Administrators Administrators Users Administrators
10-19
Task Create an Edge Subscription file
Required group membership Administrators
10-20
Lesson 2
Configuring Security for Server Roles in Exchange Server 2010
The second component to configuring Exchange Server 2010 security is to secure the Exchange Server deployment as much as is possible. To do this, you should understand the security risks for which you need to prepare, and then you need to configure your Exchange Server security settings appropriately. After completing this lesson, you will be able to: Identify the Exchange Server security risks. Implement best practices security measures.
10-21
Discussion: What Are the Exchange Server Security Risks?
Key Points
To prepare for Exchange Server security, you first must understand the security risks that threaten the Exchange server environment. Question: What security risks do you need to protect against when deploying Exchange Server? Question: What risks are the most serious?
10-22
Exchange Server Security Guidelines
Key Points
The design of Exchange Server 2010 makes it secure when you deploy it. Many of its features, such as server roles, Kerberos authentication, and self-signed certificates ensure that the servers present a minimal attack surface and facilitate encryption for most network traffic sent to and from Exchange servers. To maintain Exchange Server security, implement regular processes to monitor and validate the Exchange Server configuration.
Apply Security and Software Updates

One of the most critical components for maintaining Exchange Server security is to install all security updates as soon as possible after their release. Be sure to apply both the operating-system updates and the Exchange Server updates. Before update installation, test the deployment of all software updates on your Exchange servers. To do this, you need a test environment that emulates your production environment.
Run the Exchange Best Practices Analyzer Tool Regularly

The Exchange Best Practices Analyzer automatically examines your Exchange Server deployment and determines whether the configuration is set according to Microsoft best practices. Use the Exchange Best Practices Analyzer as part of a proactive health check, which can expose availability or scalability issues that pertain to your Exchange Server installations. You also can use it as a reactive troubleshooting tool for problem diagnosis and identification. For most environments, we recommend running the Exchange Best Practices Analyzer at least once per quarter. However, it is a best practice to run this tool once a month on all servers installed with Exchange Server.
10-23
Microsoft Baseline Security Analyzer

Microsoft Baseline Security Analyzer (MBSA) is a security scanning and analysis tool that you can use to check Exchange Server for a wide range of faulty configurations or security issues. You can configure MBSA to scan a single machine or multiple machines within a range of IP addresses to which you have administrator access.
Avoid Running Additional Software on Exchange Servers

One way to reduce an Exchange servers attack surface is to avoid running unnecessary software on the server. Ideally, you should dedicate the Exchange server to Exchange server roles, and the only additional software that you should install are utilities, such as anti-virus software and server-management tools.
Install and Maintain Anti-Virus Software

Virtually all organizations deploy anti-virus software to guard against malicious e-mail. You also should deploy file-level, anti-virus software on the Exchange servers to ensure that the servers are secure from virus attacks.
Enforce Strong Passwords in Your Organization

If you enable remote access to your Exchange Server organization, attackers from outside the organization can use brute force password attacks to attempt to compromise user accounts. Therefore, it is very important that you define and enforce password policies for all user accounts. This includes mandating the use of strong passwords. A password is strong if it meets several requirements for complexity that make it difficult for attackers to figure out. These password requirements include rules for password length and character categories. By establishing strong password policies for your organization, you can help prevent an attacker from impersonating users, and thereby prevent the loss, exposure, or corruption of sensitive information.
10-24
Lesson 3
Configuring Secure Internet Access
Exchange Server 2010 provides access to user mailboxes from a wide variety of clients. In many cases, these clients may be located outside the corporate network and may be accessing the user mailboxes through an Internet connection. Because the Exchange servers cannot provide this functionality without being accessible from the Internet, it is important that the connections from the Internet be as secure as possible. This lesson describes how to configure secure access to the Exchange servers from the Internet. After completing this lesson, you will be able to: Describe secure Internet access components. Deploy Exchange Server 2010 for Internet access. Secure Client Access server traffic from the Internet. Secure SMTP connections to the Internet. Describe reverse proxy. Configure secure access.
10-25
Secure Internet Access Components
Key Points
Exchange Server 2010 enables users to access their mailboxes from many different types of messaging clients and from almost anywhere. To provide secure access for the messaging clients, you need to understand what types of access each client type requires.
Client Access to Exchange Servers

The following table lists the access requirement for clients when connecting to the Exchange servers from the Internet. Client Outlook Anywhere Access requirements Access to the remote procedure call (RPC), Exchange Web Services (EWS), and online address book virtual directories on a Client Access server Access to the Autodiscover virtual directory on a Client Access server if Autodiscover is enabled Protocol requirements: HTTPS Access to Outlook Web App and ECP virtual directories on a Client Access server Protocol requirements: HTTPS Access to the Microsoft-Server-ActiveSync virtual directory on a Client Access server Access to the Autodiscover virtual directory on a Client Access server if Autodiscover is enabled Protocol requirements: HTTPS
Microsoft Outlook Web App
Exchange ActiveSync
Internet Message Access to the IMAP4 service on a Client Access server Access Protocol version Access to a SMTP Receive connector on either a Hub Transport server, a Edge
10-26
Client 4rev1 (IMAP4)
Access requirements Transport server, or another SMTP server Protocol requirements: IMAP4, SMTP (Port 25 or 587) Access to the POP3 service on a Client Access server Access to a SMTP Receive connector on either a Hub Transport server, a Edge Transport server, or another SMTP server Protocol requirements: POP3, SMTP (Port 25 or 587)
Post Office Protocol 3 (POP3)
Note: In addition to the Client Access components, you also need to configure the environment to support secure sending and receiving of SMTP e-mail. In most cases, this includes deploying an Edge Transport server in the perimeter network.
Options for Configuring Internet Access

There are several options available to provide the necessary access to the Client Access and transport servers. The most common options include: Virtual Private Network (VPN). Some organizations require that all clients use a VPN to connect to the internal network. The VPN gateway may be a Windows Server 2008 Routing and Remote Access server, or a third-party solution. By enabling VPN access, users can access all resources on the internal network, including the Exchange servers. Firewall configuration. Virtually all organizations have firewalls that protect their internal networks from unwanted Internet access. You can configure these firewalls to enable users to connect to the required virtual directories and services on the Client Access server, and to provide access to an SMTP server for IMAP4 and POP3 clients. Implementing a firewall solution means that messaging clients need to be configured to use a server name that resolves to an external IP address on the firewall. If users connect to the Exchange servers from both inside and outside the organization, this can complicate the messaging client configuration. For example, users may connect to the Exchange servers from the internal network using the actual server name, but may need to use a more generic name, such as mail.contoso.com, when connecting to the server from the Internet. You may need to instruct users to use the two server names, or you may need to configure the internal DNS zone to provide name resolution to the more generic name. Reverse proxy configuration. As an alternative to the standard firewall, you can use a reverse proxy, or application layer firewall, to enable access to the internal Exchange servers. When you configure a reverse proxy, it terminates all client connections and scans all network packets for malicious code. The reverse proxy then initiates a new connection to the Client Access server and forwards the traffic to the internal network. When you use a reverse proxy, you must configure messaging clients to use a server name that resolves to an external IP address on the firewall.
10-27
Deploying Exchange Server 2010 for Internet Access
Key Points
When deploying Exchange Server 2010 so that it is accessible from the Internet, you must deploy all server roles on the internal network, except for the Edge Transport server role. You should deploy the Edge Transport server role in the perimeter network, and it should run on a server that is not an internal domain member. The recommended deployment for Exchange Server 2010 Internet access includes two firewalls in a backto-back firewall scenario, which enables you to implement a perimeter network between the two. An external firewall faces the Internet and protects the perimeter network. You then deploy an internal firewall between the perimeter and internal networks.
Configuring External Firewalls for Internet Access

The Internet facing or external firewall in this deployment protects the perimeter network. You configure the firewall to accept packets based on source and destination IP addresses and ports. To support the Exchange Server deployment, you need to configure the external firewall with the firewall rules that the following table lists: Destination port 25 Address Source address: All Destination address: Edge Transport server May also need to configure the external IP address of the internal firewall as a destination address, if POP3 and IMAP4 clients are using port 25 to relay messages through a Hub Transport server Source address: All Destination address: External IP address of the internal firewall Source address: All
80, 443
110, 993
10-28
Destination port
Address Destination address: External IP address of the internal firewall Only required for POP3 access
143, 995
Source address: All Destination address: External IP address of the internal firewall Only required for IMAP4 access Source address: All Destination address: External IP address of the internal firewall Only required if POP3 and IMAP4 clients are using the SMTP client submission port to send SMTP e-mail
587
Configuring Internal Firewalls for Internet Access

The internal firewall may be another standard firewall or reverse proxy. To support the Exchange Server deployment, configure the internal firewall with the following firewall rules:
Destination port Address

25 Source address: Edge Transport server Destination address: Hub Transport server May also need to configure the internal IP address of external hosts as a source address, if POP3 and IMAP4 clients are using port 25 to relay messages through a Hub Transport server Source address: Internal IP address of the external firewall Destination address: Client Access server Source address: External IP addresses Destination address: Client Access server Only required for POP3 access Source address: External IP addresses Destination address: Client Access server Only required for IMAP4 access Source address: External IP addresses Destination address: Hub Transport server Only required if POP3 and IMAP4 clients are using the SMTP client submission port to send SMTP e-mail Source address: Hub Transport servers on the internal network Destination address: Edge Transport server Required for the Hub Transport server to replicate information to the Edge Transport servers using EdgeSync Source address: Administrator computers on the internal network Destination address: Edge Transport server Required if you want to use Remote Desktop to administer the Edge Transport server remotely
80, 443
110, 993
143, 995
587
50636
3389
10-29
Note: Edge Transport servers also listen on port 50389 for unencrypted LDAP connections. This port is used only for administering the AD LDS instance on the Edge Transport server using standard LDAP tools. However, this port does not have to be open on the internal firewall.
10-30
Securing Client Access Traffic from the Internet
Key Points
To ensure that the client connections are as secure as possible, implement the following recommendations: Create and configure a server certificate. By default, all Client Access servers are configured with selfsigned certificates during Exchange Server 2010 installation. Because clients do no trust this certificate, you should replace the certificate with one from a public Certification Authority (CA) or from an internal CA. If you use an internal enterprise CA, the certificates will be trusted by computers that are the internal domains members, but not by other client computers. Require Secure Sockets Layer (SSL) for all virtual directories. With Exchange Server 2010, you can configure all of the Client Access server virtual directories to require SSL. Enable only required client access methods. You should enable access to only the client access options that your organization requires. For example, if your organization only requires Exchange ActiveSync and Outlook Web App connectivity from the Internet, then only allow access to those virtual directories through the firewall. Require secure authentication. Forms-based authentication is the most secure authentication mechanism for Outlook Web App. Other client access options, such as Outlook Anywhere or Exchange ActiveSync, cannot use forms-based authentication, and may need to use authentication by Microsoft Windows NTLAN) Manager, also known as NTLM, or use basic authentication. If you configure the virtual directories to require SSL, the network traffic that authenticates the user is encrypted. Require TLS/SSL for IMAP4 and POP3 access. To help secure communications between your POP3 and IMAP4 clients and the Client Access server, configure the Client Access server to use a certificate for these protocols, and then force all clients to use Transport Layer Security (TLS) or SSL to encrypt all authentication and message access traffic. Implement an application layer firewall or reverse proxy. To provide additional security, place an application layer firewall or reverse proxy between the Internet and the Client Access server. This
10-31
firewall can decrypt all network traffic between the client and the Client Access server, and inspects the traffic for malicious code.
10-32
Securing SMTP Connections from the Internet
Key Points
If you enable POP3 and IMAP4 connections from the Internet to your Client Access servers, you must provide a means by which those clients can send e-mail using SMTP. As part of ensuring security for your client-access deployment, you also need to ensure secure SMTP connectivity.
Providing SMTP Connectivity for POP3 and IMAP4 Clients

You can use POP3 and IMAP4 only to retrieve, not send, messages from user mailboxes. To enable clients to send e-mail, you must configure the clients to use an SMTP server that relays the messages to both internal and external recipients. To enable the POP3 and IMAP4 clients to send e-mail, you must configure a Hub Transport server SMTP Receive connector to accept SMTP connections from the Internet. Configure the SMTP Receive connector to require authentication, so that only users with valid accounts in the Exchange Server organization can relay messages through the server.
Note: If you accept anonymous SMTP connections from the Internet on the Hub Transport server, using the Default SMTP Receive connector, you need to create an additional SMTP Receive connector for the POP3 and IMAP4 clients, and configure the new connector to required authenticated connections. Note: You cannot use an Edge Transport server to accept authenticated SMTP connections, and then use it to relay SMTP messages from POP3 and IMAP4 clients. You can configure a SMTP Receive connector on an Edge Transport server that uses port 587, and you can configure the Receive connector to accept authenticated connections. However, you cannot configure the connector to authenticate the client connections using the users internal Active Directory account.
10-33
Securing SMTP Connections

To secure the SMTP connections to the Hub Transport server, complete the following steps: 1. Enable TLS for SMTP client connections. You can configure the SMTP Receive connector on the Hub Transport server to require TLS security or to enable basic authentication, only after you initiate a TLS session. If you have a trusted certificate assigned to the SMTP service, you should enable these options, and then configure all clients to use TLS. Use the Client Receive connector (port 587), and configure the Hub Transport servers with two Receive connectors. The Default Receive connector is configured to use port 25, while the Client Receive connector is configured to use port 587. By default, both connectors are configured to require TLS security and to allow users to connect to the connector. However, by using the Client Receive connector, you can avoid using the default SMTP port for client connections. As described in RFC 2476, port 587 was proposed only for message submission use from e-mail clients that require message relay. Ensure that anonymous relay is disabled. Both Receive connectors block anonymous relays, and you should not modify this option on any Receive connector that is accessible from the Internet. If you enable anonymous relay, anyone can use your server to relay spam.
2.
3.
Note: In some cases, you may need to enable anonymous relay to allow internal applications to send SMTP e-mail through the Exchange server. If you require this functionality, then configure restrictions on the Receive connector so that only the IP addresses that you specify can relay through the server.
4. Enable IMAP4 and POP3 selectively. If only some users in your organization require POP3 and IMAP4 access, then disable this option on all other mailboxes.
10-34
What Is a Reverse Proxy?
Key Points
You may want to use a reverse proxy server to manage incoming requests to a Client Access server. A reverse proxy server provides the following advantages over a direct connection to a Client Access server: Security. The reverse proxy server provides an extra protective layer between the network and external computers. This is because the reverse proxy server is the endpoint for all client connections. The reverse proxy server then creates a new connection to the internal server. Application layer filtering. Most reverse proxy servers also can operate as application layer firewalls. Application layer filtering enables the proxy to open up the entire TCP/IP packet and inspect the application data for unacceptable commands and data. For example, an HTTP filter intercepts communication on port 80 and inspects it to verify that the commands are authorized before passing the communication to the destination server. Firewalls that are capable of application-layer filtering can stop dangerous code at the networks edge before it does any damage. SSL bridging. If you must encrypt communication between the reverse proxy server and the Client Access server, do this by ending the SSL session between the Web browser and reverse proxy server. You then establish a new SSL session between the reverse proxy server and the Client Access server. This protects the Client Access server from direct access from the Internet, enables the reverse proxy server to filter the data packets before they reach the Client Access server, and encrypts the data along the whole path between the Web browser and the Client Access server. Load balancing. A reverse proxy server can distribute the traffic that is destined for a single URL to a group of servers. You automatically implement Web load-balancing features when you publish Outlook Web App and Outlook Anywhere. Outlook Web App automatically selects a rule by using cookie-based load balancing. With cookie-based load balancing, the reverse proxy server forwards all requests that relate to the same session (the same unique cookie provided by the server in each response) to the same server. Outlook Anywhere uses source-IP-based load balancing. With sourceIP-based load balancing, the reverse proxy server forwards all requests from the same client (source) IP address to the same server. Other Exchange services and features, such as Exchange ActiveSync,
10-35
must use cookie-based load balancing. This also includes the Exchange services, such as the offline address book and the Availability Service. SSL offloading. Instead of configuring the Client Access server to provide SSL encryption, you can offload that function to the reverse proxy server. Not only does it encrypt data that is sent between the Web browser and the Client Access server, but it also enables the reverse proxy server to inspect the data packets and apply filters before they reach the Client Access server. If you offload SSL encryption to a proxy server, data that is sent between the reverse proxy server and the Client Access server will not be encrypted unless you use SSL bridging.
10-36
Demonstration: Configuring Threat Management Gateway for Outlook Web App
Key Points
In this demonstration, you will review how to create an Outlook Web App publishing rule in Forefront TMG.
Note: Forefront TMG is an upgrade of Microsoft Internet Security and Acceleration (ISA) Server 2006.
Demonstration Steps
1. 2. On VAN-TMG, open the Forefront TMG Management console. In the Firewall Policy node, create an Exchange Server publishing rule by using the New Exchange Publishing Rule Wizard. Configure the rule with the following settings: 3. Name: OWA Access Rule Exchange version: Exchange Server 2010 Service: Outlook Web App Server Connection Security: Use SSL to connect the published Web server or server farm Internal site name: VAN-EX1.Adatum.com Public Name Details page: mail.Adatum.com
Create a new Web Listener with the following settings: Name: HTTP Listener Client Connection Security: Do not require SSL secure connections from clients Web Listener IP Addresses: External
10-37
4. 5.
Authentication Settings: HTML Form Authentication Single Sign-On (SSO) Settings: Enabled SSO domain name: ADatum.com
On the Authentication Delegation page, click Basic authentication. Accept the default User Sets configuration, finish the wizard, and then apply the changes.
Question: Has your company deployed a reverse proxy? If so, what kind? How does your reverse proxy compare to the TMG?
10-38
Lab: Securing Exchange Server 2010
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must: 1. 2. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and the 10135A-VAN-EX2 virtual machines are running. 3. 10135A-VAN-DC1: Domain controller in the Adatum.com domain 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain 10135A-VAN-EX2: Exchange 2010 server in the Adatum.com domain
If required, connect to the virtual machines. Log on to VAN-DC1 and VAN-EX1 as Adatum\Administrator, using the password Pa$$w0rd. Do not log on to VAN-EX2 at this point.
Lab Scenario
A. Datum Corporation has deployed Exchange Server 2010. The company security officer has provided you with a set of requirements to ensure that the Exchange Server deployment is as secure as possible. The specific concerns included in the requirements include: Exchange Server administrators should have minimal permissions, which means that, whenever possible, you should delegate Exchange Server management permissions. Ensure that client connections to the Client Access servers are as secure as possible by deploying a TMG server.
10-39
Exercise 1: Configuring Exchange Server Permissions

Scenario
A. Datum Corporation has completed the Exchange Server 2010 deployment, and now is working on integrating Exchange Server and recipient management with their current management practices. To meet the management requirements, you need to ensure that: Members of the ITAdmins group can administer individual Exchange servers, but they should not be able to modify any of the Exchange Server organization settings. Members of the HRAdmins group must be able to manage mail recipients throughout the entire organization. They should not be able to manage distribution groups and should not be able to create new mailboxes. Members of the SupportDesk group should be able to manage mailboxes and distribution groups for users in the organization. They should also be able to create new mailboxes.
The main tasks for this exercise are as follows: 1. 2. 3. Configure permissions for the ITAdmins group. Configure permissions for the Support Desk and HRAdmins groups. Verify the permissions.
Task 1: Configure permissions for the ITAdmins group

On VAN-EX1, in Active Directory Users and Computers, add the ITAdmins group to the Server Management group.
Task 2: Configure permissions for HRAdmins and Support Desk groups

1. On VAN-EX1, open the Exchange Management Shell. Use the following command to create the HRAdmins role group: New-RoleGroup Name HRAdmins roles Mail Recipients 2. Use the following command to create the SupportDesk role group: New-RoleGroup Name SupportDesk roles Mail Recipients, Mail Recipient Creation, Distribution Groups 3. On VAN-EX1, open the Exchange Management Console. Access the Role Based Access Control (RBAC) User Editor from the Exchange Management Console Toolbox node. Log on as Adatum\administrator using a password of Pa$$w0rd Add Anna Lidman to the SupportDesk group. Add Paul West to the HRAdmins group.
4. 5.
Task 3: Verify the permissions

1. On VAN-EX2, log on as Shane. Shane is a member of the ITAdmins group. Open Exchange Management Console and verify that the account has the following permissions: 2. Can modify the Issue warning at (KB) setting for the Accounting mailbox database. Cannot modify Hub Transport settings at the organization level. For example, try to modify the accepted domain settings. Cannot modify recipient settings. For example, try modifying any properties on one of the mailboxes.
Log off VAN-EX2.
10-40
3.
On VAN-EX1, open Internet Explorer and connect to https://van-ex1.adatum.com/ecp. Log on as Adatum\Anna, and verify that the account has the following permissions: Can modify mailbox settings for users by using the Exchange Control Panel. For example, try modifying the department attribute for Andreas Herbinger. Can modify distribution groups using the Exchange Control Panel. For example, add a group description for the Accounting group.
Note: You cannot create or delete user accounts and mailboxes in Exchange Control Panel. If you want to test whether Anna can create user accounts and mailboxes, add Anna to the local Administrators account on VAN-EX2, and log on to VAN-EX2 as Anna. Then open Exchange Management Console and verify that you can create a mailbox. In a production environment, you could install the Exchange Management tools on a Windows 7 client computer.
4. Close Internet Explorer, and open it again and connect to https://van-ex1.adatum.com/ecp. Log on as Adatum\Paul, and verify that the account has the following permissions: Can modify mailbox settings for users by using the Exchange Control Panel. Cannot modify distribution groups using the Exchange Control Panel.
To prepare for the next exercise

1. 2. 3. On the host computer, in Hyper-V Manager, right-click 10135A-VAN-EX2, click Revert, and then click Revert. Start the VAN-TMG and VAN-CL1 virtual machines. Log on to VAN-TMG as Adatum\Administrator using the password Pa$$w0rd. Do not log on to VAN-CL1 at this point.
Results: After this exercise, you should have configured and verified permissions in the Exchange Server deployment.
10-41
Exercise 2: Configuring a Reverse Proxy for Exchange Server Access

Scenario
A. Datum Corporation has decided to enable users to access their mailboxes remotely by using Outlook Web App. To provide maximum security for the external clients, A. Datum wants to deploy a Forefront TMG server as a reverse proxy. You must encrypt all connections to the TMG server, and all connections from the TMG server to the Client Access server. The main tasks for this exercise are: 1. 2. 3. 4. 5. 6. 7. Prepare the Windows Server 2008 CA to issue certificates with multiple SANs. Request a server certificate with multiple SANs on the Client Access server. Export the certificate from the Client Access server. Import the certificate on the TMG server. Configure an Outlook Web Access publishing rule. Configure the Client Access server. Test the Outlook Web App publishing rule.
Task 1: Prepare the Windows Server 2008 CA to issue certificates with multiple SANs
1. 2. On VAN-DC1, use the certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2 command to configure the CA to issue certificates with multiple SANs. Stop and restart the Certificate Services service.
Task 2: Request a server certificate with multiple SANs on the Client Access server
1. On VAN-EX1, run the New Exchange Certificate Wizard using the following configuration options: 2. 3. 4. Friendly name: Adatum Mail Certificate Outlook Web App: Outlook Web App is on the intranet and uses a host name of VANEX1.adatum.com Outlook Web App: Outlook Web App is on the Internet and uses a host name of mail.adatum.com Exchange ActiveSync: Enabled and uses a host name of mail.adatum.com Autodiscover: Used on the Internet Long URL: Used for AutoDiscover with a host name of Autodiscover.adatum.com Organization: A Datum Organizational Unit: Messaging Country/region: Canada City/locality: Vancouver State/province: BC
Save the file using the name CertRequest.req. Copy the text of the certificate request file to the clipboard. Connect to http://van-dc1.adatum.com/certsrv, and create an advanced certificate request using a certificate request file. Paste the contents of the certificate request file into the Saved Request field. Request a Web server certificate. Download the certificate and save it to the C: drive.
5.
10-42
6. 7.
In the Exchange Management Console, use the Complete Pending Request Wizard to import the Adatum Mail certificate. In the Exchange Management Console, use the Assign Services to Certificate Wizard to assign the Adatum Mail certificate to IIS.
Task 3: Export the certificate from the Client Access server

On VAN-EX1, in Exchange Management Console, export the certificate to C:\CertExport.pfx.
Task 4: Import the certificate on the TMG server

On VAN-TMG, use the Certificates MMC to import \\VAN-EX1 \c$\CertExport.pfx into the Computer Personal store.
Task 5: Configure an Outlook Web Access publishing rule

1. 2. On VAN-TMG, open the Forefront TMG Management console. In the Firewall Policy node, use the New Exchange Publishing Rule Wizard to create an Exchange Server publishing rule. Configure the rule with the following settings. 3. Name: OWA Rule Exchange version: Exchange Server 2010 Service: Outlook Web Access Server Connection Security: Use SSL to connect the published Web server or server farm Internal site name: VAN-EX1.Adatum.com Public Name Details page: mail.Adatum.com
Create a new Web Listener with the following settings: Name: HTTPS Listener Client Connection Security: Require SSL secured connections with clients Web Listener IP Addresses: External Listener SSL Certificates: mail.adatum.com Authentication Settings: HTML Form Authentication Single Sign On Settings: Enabled SSO domain name: Adatum.com
4.
Configure Authentication Delegation to use Basic authentication.
Task 6: Configure the Client Access server

1. On VAN-EX1, in the Exchange Management Console, configure the owa (Default Web Site) and ecp (Default Web Site) to use the following configuration External URL: https://mail.adatum.com/owa or https://mail.adatum.com/ecp Basic authentication
Note: During this task, click OK to dismiss any messages that indicate that VAN-EX2 is not accessible.
10-43
2.
Use the IISReset command to restart the IIS service.
Task 7: Test the Outlook Web App publishing rule

1. 2. 3. On the host computer, in Hyper-V Manager, modify the 10135A-VAN-CL1 settings to connect the network adapter to Private Network 2. On VAN-CL1, log on as Adatum\Administrator and modify the network adapter settings to use an IP address of 131.107.0.50, and a default gateway of 131.107.0.1. Open the c:\windows\system32\drivers\etc\hosts file and add the following line to the file: 131.107.1.1 mail.adatum.com 4. 5. 6. Open Internet Explorer, and connect to https://mail.adatum.com/owa. Log on as adatum\administrator using a password of Pa$$w0rd. Verify that you access the user mailbox. In the Outlook Web App window, click Options. Verify that you can connect to the Exchange Control Panel.
Results: After this exercise, you should have configured a Forefront Threat Management Gateway server to enable access to Outlook Web App on the Client Access server. You will also have verified that the access is configured correctly.

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps: 1. 2. 3. 4. 5. On the host computer, start Hyper-V Manager. Right-click the virtual machine name in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start. To connect to the virtual machine for the next modules lab, click 10135A-VAN-DC1, and then in the Actions pane, click Connect.
Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines.
6. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.
10-44
Review Questions
1. 2. 3. You need to enable members of the Human Resources department to configure user mailboxes for the entire organization. What should you do? Users in your organization are using POP3 clients from the Internet. These users report that they can receive, but not send, e-mail. What should you do? Your organization has deployed Forefront TMG. You need to ensure that remote users can access the Client Access server inside the organization by using cellular mobile clients. What should you do?
Common Issues Related to Configuring Exchange Server Publishing Rules on a Reverse Proxy
Identify the causes for the following common issues related to configuring Exchange Server publishing rules on a reverse proxy, and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module. Issue Clients cannot connect to the published sites, and they receive internal server errors. Clients cannot connect to the published sites, and they receive certificate errors. Clients cannot connect to the published sites, and Troubleshooting tip Normally, these errors occur when the reverse proxy cannot connect to the internal site. Verify that the reverse proxy can connect to the virtual directories on the Client Access server. When configuring a reverse proxy to use SSL bridging, you need to ensure that the configuration is correct for certificates on both the reverse proxy and the Client Access server. Check information such as whether the certificates are trusted and whether the names the certificates use match the names that the clients use when connecting to the site. Normally, this type is error displays when there is a problem connecting to the reverse proxy from the Internet. Verify that DNS name resolution is
10-45
Issue they receive site-not-found errors.
Troubleshooting tip working correctly and that the external firewall is not blocking access to the reverse proxy.

1. Your organization has configured an SMTP Receive connector on an Edge Transport server to enable IMAP4 users to relay messages. However, you discover that your Edge Transport server is being used to relay spam to other organizations. What should you do? You have added the ServerAdmins group in your organization to the Exchange Server 2010 Server Management group in AD DS or Active Directory. All the members of the ServerAdmins group report that they receive errors when they start the Exchange Management Console. What should you do? Your organization is planning to deploy Forefront TMG to enable access to a Client Access server from the Internet. The organization is concerned about the cost of acquiring multiple certificates to enable access, but also wants to ensure that users do not receive certificate related errors. What should you do?
2.
3.
Best Practices Related to Configuring Exchange Server Permissions

Supplement or modify the following best practices for your own work situations: When you configure permissions in the Exchange Server organization, ensure that users have the minimal permissions required for them to perform their tasks. Add only highly trusted users to the Organization Management role group, as it has full control of the entire organization. Whenever possible, use the built-in role groups to assign permission in the Exchange Server organization. Creating custom role groups with customized permissions is more complicated and may lead to users having too many, or too few, permissions. Ensure that you document all permissions that you assign in the Exchange Server organization. If users are unable to perform required tasks, or if they are performing tasks to which they should not have access, you should be able to identify the reason by referring to your documentation.
10-46
Maintaining Microsoft Exchange Server 2010
11-1
Module 11
Contents:
Lesson 1: Monitoring Exchange Server 2010 Lesson 2: Maintaining Exchange Server 2010 Lesson 3: Troubleshooting Exchange Server 2010 Lab: Maintaining Exchange Sever 2010 11-3 11-13 11-20 11-26
11-2
Configuring,Managing and Troubleshooting MicrosoftExchange Server 2010
Module Overview
Once you deploy Microsoft Exchange Server 2010, you must ensure that it continues to run optimally by maintaining a stable environment. To maintain a stable environment, you must monitor Exchange Server performance, and make adjustments as required. This module describes how to monitor and maintain your Exchange Server environment. This module also describes troubleshooting techniques. From time to time, problems arise that need to be fixed. Although troubleshooting problems can be complex, using a troubleshooting methodology can help you pinpoint the problem and then determine the proper method to use to fix the problem. After completing this module, you will be able to: Monitor Exchange Server 2010. Maintain Exchange Server 2010. Troubleshoot Exchange Server 2010.
11-3
Lesson 1
Monitoring Exchange Server 2010
Monitoring practices typically are an afterthought, and people often configure them after deploying the solution. However, having a well-tuned and consistently used monitoring solution can greatly improve your ability to identify, troubleshoot, and repair issues before end users notice them. Reducing end-user problems and preventing more-serious problems are worth the additional thought and effort that it requires to design a comprehensive monitoring solution for your Exchange Server organization. In this lesson, you will review the basic monitoring tools as well as the metrics that you should monitor. After completing this lesson, you will be able to: Describe the importance of performance monitoring. Identify key monitoring metrics for monitoring Exchange Server 2010. Collect performance data for the Exchange server. Collect performance data for the Mailbox server. Collect performance data for the Hub Transport and Edge Transport servers. Collect performance data for the Client Access server. Use the collected performance data.
11-4
Why Is Performance Monitoring Important?
Key Points
Monitoring the Exchange Server environment is important for the following reasons: Identifying performance issues. When problems arise, you can pinpoint and repair them without relying on users to report the problems. Identifying growth trends to improve plans for upgrades. As the system grows and usage patterns change, hardware modifications may be required to accommodate these changes. Identifying trends also allows you to forecast future changes that might be necessary. Measuring performance against service level agreements. Demonstrating whether Exchange Server meets performance-based service level agreements and measuring the end-user experience shows the value that Exchange Server administrators are providing. Identifying security issues and denial-of-service attacks. When performance and other metrics stray from the established baselines, you can correlate these incidents to identify and mitigate the source.
Since Exchange Server 2010 is complex, you need to monitor several aspects. Primarily, you should gather and monitor metrics from the processor, memory, disk, and the Exchange services. You may monitor additional information, depending on the Exchange Server roles that you install.
11-5
Tools for Monitoring Exchange Server
Key Points
Most enterprise environments already use monitoring and alerting systems across their IT infrastructures. In cases where a monitoring solution does not exist, Microsoft System Center Operations Manager 2007 or System Center Essentials (with the Exchange Server 2010 management pack) provide an easily deployable Exchange Server monitoring solution. Enterprise-class monitoring solutions also allow you to customize the data you want to collect, which can be helpful when tracking down specific problems, or when default monitoring sets do not collect the appropriate data. Since each deployment is unique, adjustments are required to fit particular usage and hardware scenarios. In instances where a problem exists on a single or limited number of servers, you can use the Performance and Reliability Monitor to collect additional performance data that standard monitors might not capture.
11-6
Collecting Performance Data for the Exchange Server
Key Points
When monitoring Exchange servers, you should know which performance aspects are most important. You can use the common counters and threshold values detailed in this lesson to identify potential issues proactively, and help identify the root cause of issues when troubleshooting. Since these values are general guidelines, it is important to trend and perhaps adjust these values to meet the needs of the specific environment. You can determine values that work in a specific environment by documenting normal operating values to create a baseline. After creating the baseline, set thresholds so that when performance metrics are not met, you know that the server is not operating optimally. For more information about the performance counters, refer to the CD content.
Processor
The processor is one of the fundamental components that you need to monitor to ensure server health on all Exchange Server roles. Standard counters include the total percentage of processor time, the percentage of user-mode processor time, and the percentage of privilege-mode processor time. An additional counter related to processor performance is the processor queue length. If a processor queues length is greater than the specified threshold value, this may indicate that there is more work available than the processor can handle. If this number is greater than 10, per processor core, this is a strong indicator that the processor is at capacity, particularly when coupled with high CPU utilization. Although you typically do not use processor queue length for capacity planning, you can use it to identify whether systems within the environment are capable of running the loads, or whether you should purchase faster processors for future servers.
11-7
Memory
Another key performance indicator is the memory counter. Tracking the available memory and how much memory has to be written to the page file can tell you when you need to increase server memory, or reduce server load.
MSExchange ADAccess Domain Controllers

Exchange Server relies heavily on Active Directory Domain Services (AD DS) and Active Directory directory service for information. Therefore, it is essential to measure the response time and connection health.
11-8
Collecting Performance Data for the Mailbox Server
Key Points
When you collect performance data about Mailbox servers, you may focus on disk-response time and the speed with which the server responds to requests. The average response time for reading data should be under 20 milliseconds (ms) and the average write response time should be less than 100 ms on average. If the disk queue length begins to grow, this is another indicator that the disk system is not meeting demand. All of these may require you to purchase additional or faster disks, or to modify the disk configuration. There are many performance counters for Mailbox servers for which you can trend, depending on your messaging environment. However, the following counters are crucial and are a good place to begin when collecting performance data for the Mailbox server. For more information about the performance counters, refer to the CD content.
Logical Disk
Logical Disk counters determine whether disk performance is meeting demands. As disk latency increases, database reads and writes take more time.
MSExchangeIS Mailbox and MSExchangeIS Public

When messages are being queued for submission to the local Hub Transport server, it may indicate a problem with connectivity to the transport server.
MSExchangeIS
The Client Access and transport servers use Microsoft Remote Procedure Call (RPC) to communicate with Mailbox servers, thus it is important to monitor the response time for RPC requests, to be sure that the mailbox server is responding quickly enough to support the load.
11-9
Question: If any of these performance counters measured outside its normal range, what is the most likely cause?
11-10
Collecting Performance Data for the Hub Transport and Edge Transport Servers
Key Points
The transport servers store message queue information to disk. The average response time for reading data should be less than 20 ms, and the average write-response time should be less than 100 ms on average. Another indicator that the disk system is not keeping up with demand is if the disk queue length starts to grow. All of these may require you to purchase additional or faster disks, or modify the disk configuration. For more information about the performance counters, refer to the CD content.
Logical Disk
MSExchange Database ==> Instances

Transport servers store message queue information in databases. Therefore, monitoring database performance will help you identify issues with reading or storing queue information in the databases.
MSExchange Transport Queues

Additionally, you also should monitor the transport server queues to ensure delivery of e-mail messages. Question: If any of these performance counters measured outside its normal range, what is the most likely cause?
11-11
Collecting Performance Data for the Client Access Server
Key Points
The Client Access server role performs many of the key client connectivity functions for Exchange Server clients. Disk performance is important for determining overall server health. Additionally, you should monitor the response time for services used by Client Access servers to ensure proper performance. For more information about the performance counters, refer to the CD content.
Logical Disk
ASP.NET Services and Applications

Microsoft Outlook Web App and the Exchange Web Services rely heavily on the Microsoft .NET Framework and ASP.NET files, which are read, processed, and rendered for the end users. Monitoring the response time and the number of times the application has had to restart can help you verify the overall health of the services.
MSExchange Web Services

Additionally, Outlook Web App, the Outlook Anywhere (RPC/HTTP) Proxy, Microsoft Exchange ActiveSync, Offline Address Book downloads, and the Availability Service response times are valuable metrics to monitor. Question: If any of these performance counters measured outside its normal range, what is the most likely cause?
11-12
Using the Collected Performance Data
Key Points
To determine which thresholds denote an existing problem, set a monitoring baseline by reviewing monitoring data over a full business cycle. Business cycles vary for each company, and your cycle should include both busy and slow periods. For some businesses, busy periods might correlate with the end-ofmonth accounting close process or periods with notably high sales figures. Gathering a broad data set will provide sufficient data to determine the appropriate operating thresholds. To use the collected performance data: 1. Create a monitoring baseline by averaging performance metrics from a properly operating system: 2. 3. Monitor performance for a full business cycle. Note any peaks or troughs in the data.
Set warning and error level thresholds. Review growth trends regularly to: Adjust thresholds. Adjust server configurations.
It is important that you review your thresholds periodically, so you can adjust the serversor the thresholds themselvesto ensure proper monitoring.
11-13
Lesson 2
Maintaining Exchange Server 2010
Maintaining the Exchange Server messaging solution is an ongoing process that requires discipline, not only for the administrator but also for the organization. Using change management techniques to control change has many benefits as described in this lesson. Change management often includes controlling which software updates are applied, how the updates are applied, and when the updates are applied. It also includes managing your hardware upgrades. In this lesson, you will review the importance of change management, and techniques you can use to perform upgrades to your Exchange Server computers. After completing this lesson, you will be able to: Describe change management. Describe the change management process. Describe software updates. Deploy software updates. Determine when to upgrade your hardware. Implement hardware upgrades.
11-14
Discussion: What Is Change Management?
Key Points
The change management process controls environmental change through a frameworksuch as the Microsoft Operations Frameworkthat includes change management components. Change management is important, as it can lead to better application availability, better educated IT staff, and a more predictable infrastructure. Planning which changes to deploy, and how and when to deploy them, falls into the purview of a change management framework. Question: How does your organization address change management? Question: Are there some situations where change management is more important? Question: What are the benefits of having a formal change management process? Question: Are there situations in which you cannot follow the normal change process?
11-15
Considerations for Managing Change
Key Points
The change management process varies widely from organization to organization. The basic components for managing change are as follows: 1. Adopt a process model like the Microsoft Operations Framework. A number of well-defined frameworks are available. Adopting an established framework may make educating employees easier, because they already may be familiar with the framework. Define a process and use it consistently. Once you have a process, ensure that everyone involved understands why it was adopted, and how to follow the process. Support the change management process. If you do not support the process properly, it will not be as effective as possible. It is essential that everyone work to support the process.
2. 3.
11-16
Discussion: What Are Software Updates?
Key Points
Software requires continuous improvement, whether to fix software bugs, mitigate security risks, add features, or improve performance. Every month Microsoft releases relevant security updates for affected products. These updates are usually important updates that reduce security vulnerabilities. Additionally, Microsoft product groups periodically release hotfixes (interim updates), update rollups, and service packs. Question: What is the difference between a hotfix and an update? Question: Why should your organization deploy software updates?
11-17
Process for Deploying Software Updates
Key Points
You should adopt an update deployment strategy that suits your organizations requirements. Some businesses choose to deploy updates only at set intervals, while others deploy all updates as they become available. Once you adopt a strategy, the process for deploying it is: 1. 2. Determine which updates are required. This step relies heavily on you deployment strategy for software updates. Test and document the update in a compatible environment. Testing updates before you place them in production is an essential step to ensure that the changes do not cause other problems. The testing process should include installing the update, as well as verifying that all related software still functions as expected. Testing updates often is done in a lab environment that is configured similar to the production environment. Many companies have adopted a virtualized platform such as Hyper-V to create a flexible and inexpensive test environment. Test and document the back-out plan. Update deployments can fail for many reasons: updates can fail to install, can cause server failure, or can alter software behavior in an unexpected way. Back up the server. Before applying an update, ensure that you can recover the server data and configuration in the event of an unsuccessful update. Performing a full backup of all data unique to the server is an essential step in deploying an update. Schedule and install the software update. You can install updates in a variety of ways: you can use tools such as Windows Server Update Services or System Center Configuration Manager to complete the installation, or in smaller and more restrictive environments, you can manually install the updates. Verify and monitor the software update installation. After installation, test the updated application to ensure the updates completed successfully. At times, this includes verifying that the proper file versions are present, and that the software is behaving as if the update was applied.
3. 4.
5.
6.
11-18
Determining the Need for Hardware Upgrades
Key Points
Exchange Server 2010 uses hardware more efficiently than previous Exchange Server versions, which means there may be less need than in the past to upgrade hardware. In particular, Exchange Server 2010 reduces disk activity. Disk capacity is one of the most commonly required hardware upgrades. Proactively monitoring hardware performanceprocessor, memory, disk, or networkis the best way to determine whether bottlenecks exist in the environment. Another valid trigger for researching hardware issues is gathering and examining user feedback. You should not rely solely on user feedback as the first indication of issues, but it can help you pinpoint particular user issues with the hardware.
11-19
Process for Implementing Hardware Upgrades
Key Points
Hardware upgrades are more difficult to test than software upgrades. Many organizations do not use exactly the same hardware in a test environment as they do in a production environment. However, to the extent possible, test your hardware upgrades on non-production hardware. The upgrade process works as follows: 1. 2. 3. Determine which upgrades are required. After reviewing the monitoring data to determine the bottleneck, you will know which hardware changes or upgrades you need to deploy. Test and document the upgrade in a test environment. Testing and documenting updates in a test lab reduces the likelihood of running into problems during hardware deployment. Test and document the back-out plan. Sometimes the upgrade does not go as planned, so documenting the steps required to return the server to the pre-upgraded state is essential. Although this may seem like extra work, when problems arise during a change and you must complete or back out the change within a limited amount of time, it is best to have the steps already worked out. Back up the server. Before applying the upgrade, ensure that you can recover the server data and the configuration should your upgrade be unsuccessful. Performing a full backup of all data unique to the server is an essential step in deploying an update. Schedule and install the hardware upgrade. Working within the change management process, schedule the upgrade and then assign a qualified person to complete the documented steps. Verify and monitor the hardware upgrade. After completing the upgrade, monitor the hardware for basic functionality and to ensure that it performs as you would expect.
4.
5. 6.
11-20
Lesson 3
Troubleshooting Exchange Server 2010
Even in a well-maintained Exchange Server organization, problems can arise that you must identify and repair. Although general troubleshooting guidelines exist, often experience and an analytical attitude provide the best tools for successfully discovering the problems source and fixing it. After completing this lesson, you will be able to: Develop a troubleshooting methodology. Identify troubleshooting tools that you can use. Troubleshoot Mailbox servers. Troubleshoot Client Access servers. Troubleshoot Message Transport servers.
11-21
Developing a Troubleshooting Methodology
Key Points
The goal of troubleshooting is to identify and diagnose problems, and then determine and execute the necessary repair. There are many troubleshooting methods, and they vary by type of problem that you are trying to resolve. Implementing a repeatable troubleshooting process is important so that you can quickly resolve problems. A common troubleshooting method is as follows: 1. 2. 3. 4. Clearly define the problem. Obtain an accurate description of the problem by verifying the reported problem, including when you noticed it and how you can reproduce it. Gather information related to the problem. Turn up logging, review event logs, and try to reproduce the problem. List the potential cause of the problem. With the problem statement and gathered data, you can enumerate all potential problem causes. Rank the possible causes by probability, and define their solutions. Create a list of either solutions or additional troubleshooting that is required to address each potential cause. Search your knowledge base, product support documentation, and the Internet for information about possible resolutions. Rank solutions by ease of resolution and impact to complete. Try the most probable and easily implemented resolutions first. Work through the list of solutions, one at a time, until you resolve the issue, or gather additional information that changes the definition of the problem. Reduce logging to normal. Document resolution and root cause for future reference. Although you may remember details of the solution later, documenting the root cause and the resolution will reduce resolution times in the future.
5. 6.
7. 8.
11-22
Troubleshooting Tools
Key Points
Over the years, a number of useful Exchange Server troubleshooting tools have been introduced. Each tool has a specific use, but they all use detailed product knowledge and information about your environment to suggest potential problem solutions. Exchange Best Practices Analyzer (ExBPA). This invaluable tool enables you to identify potential issues based on deviations from best practices, and for gathering a great deal of information about the Exchange Server organization that you can use for reference and for troubleshooting problems. Performance Troubleshooter. This tool helps you locate and identify performance-related issues that could affect Exchange servers. You diagnose problems by selecting the symptoms observed. Based on the symptoms, the tool walks you through the correct troubleshooting path. Performance Troubleshooter identifies possible bottlenecks and suggests corrective actions. The Exchange Mail Flow Troubleshooter. This tool helps provide easy access to various data sources that are required to troubleshoot problems with mail flow, such as non-delivery reports, queue backups, and slow deliveries. The tool then automatically diagnoses the retrieved data, presents an analysis of the possible root causes, and suggests corrective actions.
Other tools such as the Performance and Reliability Monitor check the health of the Exchange Server processes. You can use the Queue Viewer to view the message status in transport queues. Tools such as Network Monitor and Telnet can help you troubleshoot network issues and message tracking, and the routing log viewer can help you troubleshoot message delivery issues. For information about other troubleshooting tools, refer to the CD content.
11-23
Discussion: Troubleshooting Mailbox Servers
Key Points
You can apply standard troubleshooting techniques to the unique problems that can occur with Mailbox servers. Use tools such as the Database Troubleshooter and the Event Viewer to identify the problem and work toward a resolution. Question: A database has gone offline. What process can you use to troubleshoot the problem?
11-24
Discussion: Troubleshooting Client Access Servers
Key Points
You can apply standard troubleshooting techniques to the unique problems that can occur with Client Access servers. Use tools such as the Exchange Best Practices Analyzer and the Event Viewer to identify the problem and work toward a resolution. Question: Outlook users can no longer connect to the system. What process can you use to troubleshoot the problem?
11-25
Discussion: Troubleshooting Message Transport Servers
Key Points
You can apply standard troubleshooting techniques to the unique problems that can occur with transport servers. Use tools such as the Queue Viewer, message tracking system, and Mail Flow Troubleshooter to identify the problem, and then work toward a resolution. Question: Users are reporting non-deliverable and slow-to-deliver outbound e-mail. What process can you use to troubleshoot the problem?
11-26
Lab: Maintaining Exchange Server 2010
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must: 1. 2. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager. Ensure that the 10135A-VAN-DC1 and the 10135A-VAN-EX1 virtual machines are running: 3. 10135A-VAN-DC1: Domain controller in the Adatum.com domain. 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain.
Lab Scenario
You are the messaging administrator at A. Datum Corporation. You need to configure basic monitoring by using the Performance and Reliability Monitor. You also must troubleshoot issues with a mailbox database and a Client Access server.
11-27
Exercise 1: Monitoring Exchange Server 2010

Scenario
You are the messaging administrator at A. Datum Corporation. You need to configure basic monitoring using the Performance and Reliability Monitor. Before implementing Microsoft Systems Center Operations Manager to monitor your Exchange Server 2010 computers, you must create a data collector set to monitor key performance components that are running on your Mailbox server. The main tasks for this exercise are as follows: 1. 2. 3. 4. Create a new data collector set named Exchange Monitoring. Create a new performance-counter data collector set for monitoring basic Exchange Server performance. Create a new performance-counter data collector set for monitoring Mailbox server role performance. Verify that the data collector set works properly.
Task 1: Create a new data collector set named Exchange Monitoring

On VAN-EX1, open the Performance Console, and create a data collector set named Exchange Monitoring.
Task 2: Create a new performance counter data collector set for monitoring basic
Exchange Server performance
1. 2. Create a performance data collector set named Base Exchange Monitoring. Add the following performance counters to monitor basic Exchange Server performance on VAN-EX1: Object Processor Counter % Processor Time % User Time % Privileged Time Available Megabytes (MB) Page Reads/sec Pages Input/sec Pages/sec Pages Output/sec Pool Paged Bytes Transition Pages Repurposed/sec LDAP Read Time LDAP Search Time LDAP Searches timed out per minute Long running LDAP operations/Min Processor Queue Length
Memory
MSExchange ADAccss Domain Controllers
System
Task 3: Create a new performance counter data collector set for monitoring Mailbox
server role performance
1. 2. Create a performance data collector set named Mailbox Role Monitoring. Add the following performance counters to monitor basic Exchange Server performance on VAN-EX1:
11-28
Object LogicalDisk
Counter Avg.Disk sec/Read Avg.Disk sec/Transfer Avg.Disk sec/Write RPC Averaged Latency RPC Num Slow Packets RPC Operations/sec RPC Requests Messages Queued for Submission Messages Queued for Submission
MSExchangeIS
MSExchangeIS Mailbox MSExchangeIS Public
Task 4: Verify that the data collector set works properly

1. 2. Start the Exchange Monitoring data collector set and let it run for five minutes. Stop the Exchange Monitoring data collector set, and then review the latest report.
Results: After this exercise, you should have created a data collector set for monitoring VANEX1 that uses the performance counters that this module recommends.
11-29
Exercise 2: Troubleshooting Database Availability

Scenario
You are the messaging administrator for A. Datum Corporation. After recovering from a hardware failure, your monitoring software reports that one of the mailbox databases is not mounted. You must troubleshoot and repair the database problem. The main tasks for this exercise are as follows: 1. 2. 3. 4. 5. 6. Identify the scope of the problem. Review the event logs. Run the Best Practices Analyzer. List the probable causes of the problem, and rank the possible solutions if multiple options exist. Review the database configuration. Reconfigure and mount the database.
Preparation
Before you begin this exercise, complete the following steps: 1. 2. 3. On VAN-EX1, open a Exchange Management Shell. At the prompt, type d:\ Labfiles\Lab11Prep2.ps1, and then press ENTER. When prompted, type N, and press ENTER. Close the Exchange Management Shell.
Task 1: Identify the scope of the problem

1. 2. 3. On VAN-EX1, open Exchange Management Console. Identify which, if any, mailbox databases are not mounted. List the database(s) that are dismounted.
Task 2: Review the event logs

1. 2. On VAN-EX1, attempt to mount MailboxDB100. Review the warning message, and then click No. Open the Event Viewer. In the Application Log and System Log, review the events generated, and make note of any errors.
Task 3: Run the Best Practices Analyzer

1. 2. On VAN-EX1, run Exchange Best Practices Analyzer. Perform a Health Check scan of just VAN-EX1. Review the ExBPA report, and note issues identified by the scan that may have an impact on the scenario.
Task 4: List the probable causes of the problem, and rank the possible solutions if
multiple options exist
List the problems and possible solutions: Problem Possible solution
11-30
Problem
Possible solution
Task 5: Review the database configuration

1. 2. On VAN-EX1, open Exchange Management Console and review the database configuration. Open Windows Explorer, and locate the database files.
Task 6: Reconfigure and mount the database

1. 2. On VAN-EX1, open Exchange Management Shell and reconfigure the database using the MoveDatabasePath cmdlet with the ConfigurationOnly parameter. Mount the database.
Results: After this exercise, you should have used a troubleshooting technique to identify and fix a Mailbox server problem.
11-31
Exercise 3: Troubleshooting Client Access Servers

Scenario
You are the messaging administrator for A. Datum Corporation. Users report that they cannot log on to Outlook Web App. You need to determine and then repair the problem. The main tasks for this exercise are as follows: 1. 2. 3. 4. 5. 6. Verify the problem by attempting to reproduce the problem. Review the event logs. Use the Test cmdlets to verify server health. List the probable causes of the problem, and rank possible solutions if multiple options exist. Check the Outlook Web App configuration. Verify that you resolved the problem.
Preparation
Before you begin this exercise, complete the following steps: 1. 2. On VAN-EX1, open Exchange Management Shell. At the prompt, type d:\ Labfiles\Lab11Prep3.ps1, and then press ENTER. Close the Exchange Management Shell.
Task 1: Verify the problem by attempting to reproduce the problem

1. 2. Attempt to log on to https://van-ex1.adatum.com/owa as Administrator using the password Pa$$w0rd. Make note of the error displayed:

1. 2. On VAN-EX1, open Event Viewer, and then review any errors listed in the Application and System logs. Make note of any errors.
Task 3: Use the Test cmdlets to verify server health

1. 2. On VAN-EX1, open the Exchange Management Shell, and run the Test-ServiceHealth cmdlet. Run the Test-OwaConnectivity URL https://VAN-EX1.adatum.com/OWA TrustAnySSLCertificate cmdlet to test Outlook Web App connectivity. Log on as Adatum\administrator. Review the results of the cmdlets, and then make note of any errors.
3.
List the problems and possible solutions: Problem Possible solution
11-32
Problem
Possible solution
Task 5: Check the Outlook Web App configuration

1. Open Exchange Management Console, and then review the Outlook Web App configuration on VANEX1.
Note: During this task, click OK to dismiss any messages that indicate that VAN-EX2 is not accessible.
2. Take the necessary actions to fix the problem. Run IISReset after fixing the problem.
Task 6: Verify that you resolved the problem

Attempt to log on to https://van-ex1.adtum.com/owa as Adatum\Administrator with a password of Pa$$w0rd.
Results: After this exercise, you should have used a troubleshooting technique to identify and fix a Client Access server problem.

Important: Start the VAN-DC1 virtual machine first, and ensure that it starts fully before starting the other virtual machines.
6. 7. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine. Wait for VAN-EX1 to start, and then start VAN-EX2. Connect to the virtual machine.
11-33
Review Questions
1. 2. Users are reporting issues with sending e-mail to a remote domain. You need to determine the problem and then resolve it. What should you do? Recent organizational growth has resulted in two issues. It has caused several memory thresholds to exceed recommended issues, as well as the average read-latency threshold for the logical disk that stores the page file. What issue should you address first? After reviewing the trend information retrieved from the monitoring system, you noticed that the processor usage for one of the four Mailbox servers is higher than average. What should you do?
3.
Common Issues Related to Troubleshooting Exchange Server Problems

Identify the causes for the following common issues related to troubleshooting Exchange server problems, and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module. Issue Outbound e-mail messages are queuing on the Hub Transport server. Troubleshooting tip Always start with the most common problem causes, such as network connectivity and DNS name resolution.
Multiple sources are simultaneously Gather as much information as possible about each of the reporting different problems. reported problems. Although there might be multiple issues, it is likely that you will find a connection between the multiple reported problems. Users are reporting slowness or other subjective problems. As always, take each report seriously and try to gather as much objective information about the problem as possible. Only then will you reach a suitable and objective solution.
11-34

1. A company has recently experienced growth because of a popular new product. The company has had numerous Mail server outages and downtime due to undocumented changes. What should the company invest in to ensure that it can support continued growth? A database has gone offline, and the organization needs to troubleshoot the problem. A number of impatient users have mailboxes stored in the offline database. What is the best way to address the situation? An Exchange Server service pack was recently released, and the company has decided to deploy it. What should you do before scheduling the deployment?
2.
3.
Best Practices Related to Troubleshooting Exchange Server Problems

Supplement or modify the following best practices for your own work situations: Follow the same steps each time you troubleshoot a problem. This way you get into a habit of making good decisions and finding the answers quickly. Be diligent about separating facts about the issue from feelings or other subjective information. A single persons subjective observation could cause you to troubleshoot the wrong problem and delay resolution of the actual issue. Ask a lot of questions about the problem before starting to troubleshoot. If you have not properly defined the problem, you cannot properly target your troubleshooting steps.
Upgrading from Exchange Server 2003 or Exchange Server 2007 to Exchange Server 2010
12-1
Module 12
Contents:
Lesson 1: Overview of Upgrading to Exchange Server 2010 Overview Lesson 2: Upgrading from Exchange Server 2003 to Exchange Server 2010 Lesson 3: Upgrading from Exchange Server 2007 to Exchange Server 2010 12-3 12-10 12-27
12-2
Configuring,Managing and Troubleshooting Microsoft Exchange Server 2010
Module Overview
Many organizations already use Microsoft Exchange Server 2003 or Microsoft Exchange Server 2007 to provide messaging services. When these organizations choose to implement Microsoft Exchange Server 2010, they can upgrade the existing Exchange Server organization to Exchange Server 2010. Alternately, they can deploy a parallel Exchange Server organization, and then move mailboxes and other data from one organization to the other. Most organizations might choose to perform an upgrade because it is significantly easier and results in minimal disruption for the messaging users. This module provides an overview of the options that organizations have when they choose to implement Exchange Server 2010. This module also provides details on how to upgrade an existing Exchange Server 2003 or Exchange Server 2007 organization to Exchange Server 2010. After completing this module, you will be able to: Describe the general Microsoft Exchange Server 2010 upgrade scenarios and strategies. Upgrade from Microsoft Exchange Server 2003 to Exchange Server 2010. Upgrade from Microsoft Exchange Server 2007 to Exchange Server 2010.
12-3
Lesson 1
Overview of Upgrading to Exchange Server 2010
When you decide to implement an Exchange Server 2010 messaging system in your organization, you may need to maintain both your previous messaging system and Exchange Server 2010 until you ensure the new implementation works correctly. While you upgrade the system, users will need to send e-mail and schedule meetings. The Exchange Server 2010 implementation should disrupt normal business processes minimally, if at all. This lesson describes the options that are available for upgrading existing messaging systems to Exchange Server 2010, and it provides recommendations for when to use each approach. After completing this lesson, you will be able to: Describe the upgrade options for Exchange server. Describe the upgrade scenarios that are supported in Exchange Server 2010. Explain the various upgrade strategies.
12-4
Upgrade Options for Exchange Server
Key Points
Exchange Server 2010 supports several different options for upgrading from other messaging systems.
Exchange Server Upgrade Terminology

The following terminology describes the various upgrade scenarios: Upgrade. In this scenario, you upgrade an existing Exchange Server organization to Exchange Server 2010. This is the easiest and least disruptive scenario for integrating Exchange Server-based messaging systems, because the different Exchange Server versions share configuration and recipient information automatically. However, you can implement this option only if your organization is running Exchange Server 2003 or Exchange Server 2007 currently. Migration. In this scenario, you upgrade from a non-Exchange Server messaging system to Exchange Server 2010 or from an existing Exchange Server organization to a new Exchange Server organization, without retaining any of the existing organizations Exchange configuration data. If you use a migration scenario, it becomes significantly more complicated to configure interoperability, as opposed to configuring coexistence in an upgrade. By default, the two messaging systems share no information. Therefore, you must configure all connections between the systems. Note: Exchange Server 2010 does not provide any migration tools or connectors to other messaging systems such as Novell GroupWise or Lotus Domino. You can configure Simple Mail Transfer Protocol (SMTP) connectivity between Exchange Server 2010 and messaging systems by using SMTP Send and Receive connectors. However, Exchange Server 2010 does not provide any tools for enabling coexistence or for migrating mailboxes to Exchange Server 2010.
12-5
Important: When you perform a migration from one Exchange Server organization to another, you also need to deploy a second Active Directory Domain Services (AD DS) forest, and then migrate all user accounts to the second forest. Each Exchange Server organization requires a unique Active Directory forest. In-Place Upgrade. In this scenario, you upgrade a single computer that is running a previous Exchange Server version to a newer Exchange Server version. Exchange Server 2010 does not support in-place upgrades.
12-6
Supported Upgrade Scenarios
Key Points
Upgrading an Exchange Server organization to Exchange Server 2010 is usually the easiest option. Therefore, most organizations choose this path for upgrading their existing Exchange Server deployments. However, this option has several prerequisites.
AD DS Requirements for Upgrading to Exchange Server 2010

To upgrade from a previous Exchange Server version to Exchange Server 2010, you must meet the following AD DS requirements: The schema master must be running the Windows Server2003 operating system Service Pack 2 or newer. At least one global catalog server in each site must be running the Windows Server2003 operating system Service Pack 2 or newer. The Active Directory forest must be at Windows Server2003 forest-functional level or higher. Each Active Directory site must have at least one domain controller and one global catalog server with a writeable AD DS copy. Exchange Server 2010 cannot use the Windows Server 2008 operating system read-only domain controllers (RODCs) or read-only global catalog servers (ROGCs).
Supported Upgrade Deployments

When upgrading an existing Exchange Server organization to Exchange Server 2010, Microsoft supports the following upgrade deployments: Exchange Server version Microsoft Exchange Server 2000 Exchange Server 2003 Service Pack 2 or newer Exchange organization upgrade Not supported Supported
12-7
Exchange Server version Exchange Server 2007 Service Pack 2 or newer Mixed Exchange Server 2007and Exchange Server 2003 organization
Exchange organization upgrade Supported Supported
Note: When upgrading from Exchange Server 2007, you must upgrade all of your organizations Exchange Server 2007 servers to Service Pack 2. Note: Before you install Exchange Server 2010 servers into an existing Exchange Server 2003 organization, you must configure the organization to run in native mode.
12-8
Upgrade Strategies
Key Points
When planning an Exchange Server 2010 upgrade, you can choose between several options for the upgrade process. Choosing the best option for your organization depends on your current environment, your organizations requirements for data migration, and your project timeline.
Choosing a Single-Phase or Multiphase Upgrade

Your first choice when planning the upgrade is to decide whether to use a single-phase or multiphase upgrade: Single-phase upgrade. In a single-phase upgrade, you replace your existing messaging system with Exchange Server 2010, and move all required data and services to the new system. In a single-phase migration, you do not need to plan for an extended period of coexistence between the two systems.
While this upgrade is the fastest option, it also introduces a significant risk if the upgrade fails. This scenario is feasible only for small organizations that must replace just a few servers and there are only a small number of users to migrate. Multiphase upgrade with coexistence. In a multiphase upgrade, you upgrade one server or site at a time to Exchange Server 2010. Because you spread this incremental upgrade over a longer period, you decrease your organizations risk. However, in this scenario, you also must plan for coexistence or interoperability. This is the best approach for medium to large organizations because of their complex messaging requirements.
Coexistence Components
In most coexistence scenarios, you must ensure that users with mailboxes on both messaging systems have access to the following: E-mail message flow. When you run two messaging systems, users must be able to send e-mail to other organizational users, and to and from users on the Internet. Message flow should be
12-9
transparent to users. Users do not need to know, nor should it matter, which messaging system contains the recipients mailbox. Global Address List (GAL).To simplify the process of sending messages between messaging systems, you must ensure that you synchronize the GAL between the messaging systems. Calendar information. To facilitate scheduling of meetings between the two messaging systems, you must ensure that Free/Busy information replicates between the two messaging systems. Public folder contents. If the organization stores important information in public folders, you may need to replicate the public-folder contents between the messaging systems. Note: If you implement an upgrade to Exchange Server 2010, the design of the upgrade process ensures the maintenance of these coexistence components throughout the coexistence.
12-10
Lesson 2
Upgrading from Exchange Server 2003 to Exchange Server 2010
Many organizations still use Exchange Server 2003 for their messaging system, and they might not have any plans of upgrading to Exchange Server 2007. Microsoft supports an upgrade from Exchange Server 2003 to Exchange Server 2010 for these organizations. This lesson describes how to upgrade an Exchange Server 2003 organization to Exchange Server 2010. After completing this lesson, you will be able to: Describe how to prepare an Exchange Server 2003 organization for Exchange Server 2010. Explain the process for installing Exchange Server 2010 in an Exchange Server 2003 organization. Describe how client access works during coexistence. Describe how to implement client access. Describe the considerations for Microsoft Office Outlook client coexistence. Describe the considerations for message transport coexistence. Describe the considerations for administration coexistence. Describe the process for removing Exchange Server 2003 from an organization.
12-11
Preparing the Exchange Server 2003 Organization for Exchange Server 2010
Key Points
Before you start the upgrade process, you must prepare the Active Directory directory service and AD DS for the Exchange Server 2010 deployment. To do this, you must run Exchange Server 2010 setup using the /PrepareLegacyExchangePermissions parameter and the /PrepareAD parameter.
Changes Made by the PrepareLegacyExchangePermissions Setup Parameter

You must run the setup /PrepareLegacyExchangePermissions command so that the Exchange Server 2003 Recipient Update Service functions correctly after you update the Active Directory schema for Exchange Server 2010. In Exchange Server 2003, the Recipient Update Service updates some mailbox attributes, such as the proxy address, on mail-enabled user objects. It could do this because the computer account for the server on which the Recipient Update Service runs is in the Exchange Enterprise Servers group. When you extend the Active Directory schema in preparation for Exchange Server 2010, the schema is modified so that the server running Recipient Update Services no longer has the required permissions to update the recipient properties. Running setup with the /PrepareLegacyExchangePermissions parameter modifies the permissions to ensure that the server can continue to modify recipient properties.
12-12
Note: For more information on the /PrepareLegacyExchangePermissions setup parameter, see the Preparing Legacy Exchange Permissions page on the Microsoft TechNet Web site. Note: You can run Exchange Server 2010 setup with the /PrepareLegacyExchangePermissions parameter on a computer running Windows Server 2008 or newer, or on a computer running the Windows Vista operating system with SP2 or newer. You must install the prerequisite software on the computer where you run setup. The prerequisite tools are Microsoft .NET Framework 3.5 SP1 or newer, AD DS management tools, and Microsoft Windows PowerShell version 2. The Remote Server Administration Tools for Windows Vista includes the AD DS management tools. If you run the command from a computer running Windows Server 2008 R2, all the prerequisite components are installed already, except for Microsoft .NET Framework 3.5 and the Active Directory management tools.
Changes Made by the PrepareAD Command

After running setup with the PrepareLegacyExchangePermissions parameter, you should run setup with the /PrepareAD command. This command makes the following changes to enable coexistence between Exchange Server versions: Creates the Active Directory universal security group, ExchangeLegacyInterop. This group receives permissions that allow the Exchange Server 2003 servers to send e-mail to the Exchange Server 2010 servers. Creates the Exchange Server 2010 Administrative Group, which is called Exchange Administrative Group (FYDIBOHF23SPDLT). Creates the Exchange Server 2010 Routing Group, which is called Exchange Routing Group (DWBGZMFD01QNBJR).
The PrepareAD command also extends the schema to include the Exchange Server 2010 schema objects and attributes.
12-13
Process for Installing Exchange Server 2010 in an Exchange Server 2003 Organization
Key Points
When deploying Exchange Server 2010 in a supported Exchange Server organization, you must follow a specific process.
Installing Exchange Server 2010

If an organization has only a single Active Directory site, use the following process for deploying Exchange Server 2010: 1. 2. Install the Exchange Server 2010 Client Access server. After you install the Client Access server, you should use this as the primary connection point for all client connections. Install Exchange Server 2010 Hub Transport server. When you install the Hub Transport server in an Exchange Server 2003 environment, it prompts you for the name of an Exchange Server 2003 computer that will be the routing-group bridgehead server between the Exchange Server 2003 routing group and the Exchange Server 2010 routing group. Install the Exchange Server 2010 Mailbox servers. After the rest of the infrastructure is in place, you can deploy the Exchange Server 2010 Mailbox servers, and start moving mailboxes and public folders to the new servers. Note: If you deploy Exchange Server 2010 in a small or medium organization, and plan to deploy only one or two Exchange Server 2010 servers, you can perform a typical installation and install the Client Access server role, Hub Transport server role, and the Mailbox server role simultaneously. 4. 5. Install Exchange Server 2010 Unified Messaging servers. For organizations with multiple sites, there are typically two types of Active Directory sites: Internetaccessible sites and non-Internet accessible sites. A single Exchange Server organization may have one
3.
12-14
or more Internet-accessible sites. When upgrading Active Directory sites, you should upgrade Internet-accessible sites before non-Internet accessible sites.
12-15
How Client Access Works During Coexistence
Key Points
The Client Access server role provides the functionality that a front-end server provided in Exchange Server 2003, and it includes additional functionalities. All client connectivity, including Microsoft Office Outlook MAPI connectivity, now goes through the Client Access server role. You must deploy the Client Access server role in every Active Directory site that includes an Exchange Server 2010 Mailbox server.
Client Access During Coexistence

To implement coexistence, you must configure all clients to connect to the Exchange Server 2010 Client Access server. If you have been using an external URL, such as https://mail.contoso.com, to connect to an Exchange Server 2003 front-end server, you should modify the Domain Name System (DNS) or firewall configuration to forward connections to the Exchange Server 2010 Client Access servers URL: When a Microsoft Outlook Web App client connects to the Client Access server and the user mailbox is located on an Exchange Server 2003 back-end server, the client redirects to the Exchange Server 2003 URL configured on the Client Access server. When an Outlook Web App client connects to the Client Access server and the user mailbox is located on an Exchange Server 2010 Mailbox server, the Client Access server communicates with the Mailbox server to provide access to the user mailbox. When an Exchange ActiveSync client connects to the Client Access server and the user mailbox is located on an Exchange Server 2003 back-end server, the Client Access server connects to the Exchange Server 2003 server using HTTP and provides access to the user mailbox. When an Exchange ActiveSync client connects to the Client Access server and the user mailbox is located on an Exchange Server 2010 Mailbox server, the Client Access server connects to the Mailbox server using remote procedure call (RPC) and provides access to the user mailbox. When an Outlook Anywhere client connects to the Client Access server, and the user mailbox is located on an Exchange Server 2003 back-end server, the RPC proxy service on the Client Access server connects to the back end server using RPC.
12-16
When an Outlook Anywhere client connects to the Client Access server, and the user mailbox is located on an Exchange Server 2010 Mailbox server, the RPC proxy service on the Client Access server connects to the Mailbox server using RPC.
Considerations for Client Access During Coexistence

When implementing client access during coexistence, consider the following: Whether a user sees the Outlook Web App client of Exchange Server 2003 or Exchange Server 2010 depends on the location of the users mailbox. For example, if the users mailbox is located on an Exchange Server 2003 back-end server and the Client Access server is running Exchange Server 2010, the user will see the Exchange Server 2003 version of Outlook Web Access. The version of Exchange ActiveSync that clients use also depends on the server version that hosts the users mailbox. The users mailbox must be located on a server that is running Exchange Server 2003 Service Pack 2 or Exchange 2010 to have Direct Push enabled for Exchange ActiveSync. You cannot use an Exchange Server 2003 front-end server to access mailboxes on Exchange Server 2010 Mailbox server. The Outlook Web App URL used to access Outlook Web App depends on whether the users mailbox is located on an Exchange Server 2003 back-end server or on an Exchange Server 2010 Mailbox server. If the users connect to the /owa virtual directory on the Client Access server, and their mailbox is located on an Exchange Server 2003 server, Exchange Server 2010 redirects their Web browser to the /exchange virtual directory on the Exchange Server 2003 front-end server. If users connect to the /exchange virtual directory on the Client Access server, and their mailbox is located on an Exchange Server 2010 mailbox server, Exchange Server 2010 redirects the client request to the /owa virtual directory. Important: If you have multiple Exchange Server 2003 servers, you must have an Exchange Server 2003 front-end server deployed. For each Exchange Server 2010 Client Access server, you can only configure one Outlook Web Access 2003 URL for redirection. You can accomplish this with a single Exchange Server 2003 front-end server or a load balanced array of Exchange Sever 2003 front-end servers.
12-17
Implementing Client Access Coexistence
Key Points
During coexistence, you need to ensure that users have access to their mailboxes on both the Exchange Server 2003 back-end servers and Exchange Server 2010 Mailbox servers. The following steps describe how to enable this: 1. Obtain the required server certificates. To support external client coexistence with the Exchange Server 2010 Client Access server and legacy Exchange server, you may need to acquire a new certificate. You should request a certificate that supports at least the following subject alternative names: 2. The primary URL used to access the Exchange 2010 Client Access server. The AutoDiscover server name. An alternate name for the URL that connects to the Exchange Server 2003 front-end server.
Install and configure the Exchange 2010 Client Access server. You should configure the following settings: Configure the external name space during or after setup by using the Exchange Management Console or Exchange Management Shell (EMS). Configure the Client Access server virtual directories to meet your company requirements. Configure the Exchange 2003 URL for Outlook Web App redirection. To do this, use the SetOWAVirtualDirectory -Exchange2003URL cmdlet. For example, you could use a cmdlet such as set-owavirtualdirectory LON-EX3\owa* Exchange2003Url https://legacy.contoso.com/exchange.
12-18
Note: The Exchange Server 2003 URL must refer to an Exchange Server 2003 front end server or a load balanced array of front end servers if you have multiple Exchange Server 2003 servers that host mailboxes. 3. Configure DNS. To configure DNS, you should: Create the legacy host record, such as legacy.contoso.com, in your external DNS infrastructure, and configure it to reference the Exchange Server 2003 front-end server. This record is required to ensure that the client computers on the Internet can locate the Exchange Server 2003 frontend server when they are redirected to the legacy URL. Create the host record for Autodiscover, which is Autodiscover.contoso.com, and configure it to reference the Exchange Server 2010 Client Access server. Create or modify the host record for the primary URL, which is mail.contoso.com, and configure it to reference the Exchange Server 2010 Client Access server.
4.
5.
If you are using RPC over HTTPS on the Exchange Server 2003 servers, configure the Exchange Server 2003 front-end server to not participate in an Exchange managed RPC-HTTP topology. This is because the Exchange 2010 Client Access server operates as the RPC over HTTPS proxy server rather than the Exchange Server 2003 front-end server. To disable this setting in Exchange System Manager, select the Not part of an Exchange managed RPC-HTTP topology option on the RPC-HTTP tab of the front-end servers properties. Test all client scenarios, and ensure they function correctly.
12-19
Considerations for Outlook Client Coexistence
Key Points
Exchange Server 2003 and Outlook 2003 or earlier clients require system public folders to provide access to free\busy information and to enable offline clients to download the offline address book. Exchange Server 2010 and Outlook 2007 or newer clients do not use public folders to provide this functionality. As you upgrade your Exchange Server organization, you need to ensure that all messaging clients continue to have access to the services they require.
Maintaining Free\Busy Information

Exchange Server 2003 collects free\busy information from all mailboxes, and stores in the SCHEDULE+ FREE BUSY system public folder. In Exchange Server 2010, the Availability service collects availability information from Exchange Server 2010 Mailbox servers and from the Exchange Server 2003 system public folders. Outlook 2003 or earlier clients require the system public folders to access the free\busy information. Outlook 2007 or newer clients can use the availability service on a Client Access server to access this information. If your organization includes Outlook 2003 clients, you need to retain the SCHEDULE+ FREE BUSY system public folder for these clients. When you install the first Exchange Server 2010 Mailbox server in an organization that includes Exchange Server 2003 servers, you configure a public-folder database on the server. You then can replicate the SCHEDULE+ FREE BUSY system public folder to the Exchange Server 2010 server.
Maintaining Access to Offline Address List

Another difference between Exchange Server 2003 and Exchange Server 2010 is the method that they use to distribute offline address book to Outlook 2007 clients. In Exchange Server 2003, a system folder stores the offline address book, and clients must connect to the folder to download it. Outlook 2007 clients
12-20
connecting to an Exchange Server 2007 Client Access server use a Web service to download the offline address book. In an Exchange Server 2003 organization, one of the Exchange servers performs daily updates of the offline address book. When you deploy an Exchange Server 2010 Mailbox server in your organization, you can use the Exchange Server 2010 management tools to move this role to a server running Exchange Server 2010. You will also need to configure the offline address book so that it is distributed through the Exchange Web service. If your organization includes Outlook 2003 clients, you need to ensure that you create a replica, on the Exchange Server 2010 mailbox server, of the system folders for the offline address book.
Maintaining Public Folder Availability

Another issue that may arise in a coexistence scenario is public-folder access. You must consider how users access public folders and provide access between Active Directory sites when designing the access solution for public folders. In Exchange Server 2010, public folders are accessible only to users with an Outlook client using MAPI or Outlook Web App. Also, public folder contents for users with Exchange Server 2010 mailboxes are only accessible through Outlook Web App if a replica of the public folder is located on an Exchange 2010 Mailbox server. Previous Exchange Server versions provided access to public folders to MAPI, Outlook Web Access, Internet Message Access Protocol version 4rev1 (IMAP4), and Network News Transfer Protocol (NNTP) clients. If you have users that access public folders using these clients, maintain a replica of the public folders on an Exchange 2003 server. Another consideration when designing a coexistence strategy for public folders is providing access to public-folder replicas between Active Directory sites. When you install a server running Exchange Server 2003, the default configuration includes a public-folder store. When you install an Exchange Server 2010 Mailbox server, it does not configure a public-folder database by default. If users require access to public folders in an Active Directory site that does not contain any Exchange Server 2003 servers, then configure at least one of the sites Mailbox servers with a public-folder database. After adding the public-folder database to the Exchange 2010 server, you can replicate any public folder between servers running Exchange Server 2003 and the Exchange Server 2010 Mailbox server. Exchange Server 2010 by default enables public-folder referrals between Active Directory sites for MAPI clients. It also enables public-folder referrals across the routing-group connector that is created by default when you install the organizations first Hub Transport server. You can enable or disable public-folder referrals across the connectors as you create additional routing-group connectors.
12-21
Considerations for Message Transport Coexistence
Key Points
To support coexistence between different Exchange versions, all servers running Exchange Server 2010 are added automatically to a single routing group when you install Exchange Server 2010. The Exchange System Manager in Exchange Server 2003 or Exchange 2000 Server recognizes the Exchange Server 2010 routing group as Exchange Routing Group (DWBGZMFD01QNBJR) within Exchange Administrative Group (FYDIBOHF23SPDLT). The Exchange Server 2010 routing group includes all Exchange Server 2010 servers, regardless of the Active Directory site in which they reside. Important: You never should modify the default configuration for the Exchange Server 2010 routing group. Exchange Server 2010 does not support moving servers from this routing group to another, renaming the Exchange Server 2010 routing group, or manually adding Exchange 2003/2000 Servers to the Exchange Server 2010 routing group.
Installing Exchange Server 2010 Hub Transport Servers

When you install the first Exchange Server 2010 Hub Transport server in an existing Exchange organization, you must specify an Exchange Server 2003 bridgehead server that will operate as the first routing-group connectors bridgehead server. The routing-group connector links the routing group where the Exchange Server 2003 resides with the Exchange Server 2010 routing group. The Hub Transport server that you are installing, and the Exchange Server 2003 bridgehead that you select, are configured as the source and target servers on two reciprocal routing-group connectors. This routing-group connector creates a single connection point between Exchange Server 2003 and Exchange Server 2010.
Message Flow During Coexistence

When you have mailboxes located on both Exchange Server 2010 and Exchange Server 2003 servers, all messages that you send between the Exchange Server versions travel across the routing-group connector
12-22
that is created when you install the first Hub Transport Server. For example, if a user with a mailbox on an Exchange Server 2003 server sends a message to a user with a mailbox on an Exchange Server 2010 server, the message is sent using the following process: 1. 2. 3. The Exchange 2003 server that hosts the mailbox sends the message to the Exchange Server 2003 bridgehead server that you configure on the routing-group connector. The Exchange 2003 bridgehead server sends the message to the Exchange Server 2010 Hub Transport server that is the bridgehead server on the routing-group connector. The Exchange Server 2010 Hub Transport server sends the message to the Exchange 2010 Mailbox server hosting the user mailbox.
Optimizing Message Routing Between the Messaging Systems

When you install the first Hub Transport server in the existing Exchange organization, this enables message routing between the two messaging systems. However, all messages flow through the single routing-group connector that you configure during installation. When configuring the message routing topology, you should consider: Adding additional Hub Transport and Exchange Server 2003 servers as bridgehead servers to the default routing-group connector. If your organization has multiple locations and multiple routing groups, you should create additional routing-group connectors to optimize message routing.
To optimize message routing, consider creating a new routing-group connector in each routing group as you deploy a Hub Transport server in the corresponding Active Directory sites. This enables you to send messages between the messaging systems, without routing them to another company location. You must use Exchange Management Shell to manage routing-group connectors. If you implement multiple routing-group connectors between the two Exchange Server versions, you also must suppress link-state updates on Exchange Server 2003. Servers running Exchange Server 2003 maintain a link-state routing table that determines a messages routing inside the organization. If a particular routing group is inaccessible by using the lowest cost route, the routing group master updates the link-state table to show the links state as down.
Exchange Server 2010 Hub Transport servers do not use link-state routing, and Exchange Server 2010 cannot propagate link-state updates. You should suppress link-state updates for each server running Exchange Server 2003 or Microsoft Exchange 2000 Server. This enables the servers that are running Exchange Server 2003 to queue at the failure point rather than recalculating the route. Note: For more information on configuring link-state updates, see the How to Suppress Link State Updates page on the Microsoft TechNet Web site.
12-23
Considerations for Administration Coexistence
Key Points
As you perform the upgrade to Exchange Server 2010, you also must plan for continued administration of the organization.
Comparing Administrator Delegation

Exchange Server 2003 provides predefined security roles for delegating Exchange administrative permissions. These roles are a collection of standardized permissions that you can apply at either the organizational or administrative group level. In Exchange Server 2003, there is no clear separation between administration of users and groups by the Windows Active Directory administrators and Exchange recipient administrators. Exchange Server 2010 uses Role-Based Access Control (RBAC) to assign permissions. You can use RBAC to restrict the EMS cmdlets that users can run and the attributes that they can modify. RBAC provides you with significantly more flexibility in assigning permissions than what was available in Exchange Server 2003.
Replicating Exchange Administrative Designs

Due to the design differences of administrative permissions in Exchange Server 2010 compared to previous Exchange versions, you cannot directly replicate the Exchange Server 2003 administrative design in Exchange Server 2007. One of the main differences that you need to plan for is that Exchange Server 2010 does not use administrative groups for delegating permissions. The following table describes some options for creating an Exchange Server 2010 administrative design that emulates an Exchange Server 2003 design: Exchange Server 2003 administrative option Exchange Server 2010 equivalent Assign Exchange Full Administrator Add users or groups to the Exchange Organization Administrator
12-24
Exchange Server 2003 administrative option Exchange Server 2010 equivalent role at the organization level. role group.
Assign Exchange Administrator role at Exchange Server 2010 does not have a role group equivalent to the organization level. the Exchange Administrator role. You can create a role group and assign the required permissions through RBAC. Assign Exchange View Administrator role at the organization level. Assign Exchange Full Administrator role at the administrative group level. Assign Exchange View Administrator role at the administrative group level. Add users or groups to the Exchange View-Only Administrator role. Create a new role group that is assigned all management roles, but with a limited scope. Create a new role group with View-Only permissions and a limited scope.
Assign recipient administrators with Add users and groups to the Exchange Recipient Administrator Exchange View Administrator role and role group. Active Directory permissions.
Using Administrative Tools in a Coexistence Scenario

In addition to planning permissions delegation in Exchange Server 2010, you also must consider the administrative tools for the different Exchange Server versions. You must use Exchange Server 2010 administration tools to manage all Exchange Server 2010 settings. After installing an Exchange Server 2010 server, you should configure any global settings using Exchange Server 2010 tools. To manage Exchange Server 2003 settings, you need to use the Exchange System Manager. You also can manage recipients with mailboxes on Exchange Server 2003 servers by using Active Directory Users and Computers.
12-25
Process for Removing Exchange Server 2003 from the Organization
Key Points
After you deploy the Exchange Server 2010 servers in the Exchange Server 2003 organization, you can start moving the mailboxes and other resources from the existing servers to the Exchange 2010 servers. Then you can start removing the Exchange 2003 servers.
Moving Resources to Exchange Server 2010 Servers

After you deploy the Exchange Server 2010 servers, you can move the following resources to the new servers: Mailboxes. You can move mailboxes from Exchange Server 2003 SP2 to Exchange Server 2010. Perform the move using the Exchange Management Console or EMS move request cmdlets. You cannot use the Exchange System Manager on the Exchange Server 2003 server to move the mailbox. When you perform the move, the mailbox will be offline and end users will not be able to access their mailboxes. Exchange Server 2003 does not have resource mailboxes. Public folders. If you require system folders or other public folders after the upgrade, create replicas of the public folders on the Exchange 2010 server hosting the public-folder database. Wait for replication to complete, and then remove the replicas on the Exchange Server 2003 servers. Message transport connectors. When you deploy Exchange Server 2010 servers in the Exchange Server 2003 organization, all Internet messages continue to flow through the Exchange Server 2003 SMTP connectors. To move this functionality to the Exchange Server 2010 servers, create new SMTP Send and Receive connectors on the Exchange Server 2010 Hub Transport servers. Then modify the cost for the Exchange Server 2003 SMTP connectors so that the Exchange Server 2010 Send connectors have a lower cost. Also, configure the external MX records, or the SMTP gateway server to forward all messages to the Exchange Server 2010 Hub Transport server. Test the message flow using the new connectors, and then remove the SMTP connectors on the Exchange Server 2003 servers. Offline Address Book generation server. You can use the Exchange Management Console to configure the Exchange 2010 Mailbox server as the offline address book generation server. You also should enable Web distribution of the offline address book.
12-26
Removing Exchange Server 2003 Servers

As you move mailboxes and message delivery to the Exchange Server 2010 servers, you can start removing the previous Exchange Server versions. We recommend the following process for removing Exchange Server 2003 servers: 1. 2. Remove back-end servers first. Remove the Exchange Server 2003 bridgehead servers. After you remove the last mailbox server in a routing group, you also can remove the routing groups bridgehead servers. To send e-mail to the Exchange Server 2010 Mailbox servers, you must configure at least one Exchange Server 2003 server as the routing-group connectors bridgehead server between Exchange 2003 and the Exchange 2010 routing group. Do not remove this server until the last user and required system mailboxes are moved to the Exchange Server 2010 servers. 3. Remove the Exchange Server 2003 front-end servers.
12-27
Lesson 3
Upgrading from Exchange Server 2007 to Exchange Server 2010
The second scenario for upgrading to Exchange Server 2010 is for organizations that are running Exchange Server 2007 currently. This scenarios upgrade process is similar to upgrading from Exchange Server 2003, but there are some important differences. This lesson describes how to complete the upgrade from Exchange Server 2007 to Exchange Server 2010. After completing this lesson, you will be able to: Explain the process for installing Exchange Server 2010 in an Exchange Server 2007 organization. Describe how client access works during coexistence. Describe how to implement client access. Describe the considerations for message transport coexistence. Describe the considerations for administration coexistence. Describe the process for removing Exchange Server 2007 from an organization.
12-28
Process for Installing Exchange Server 2010 in an Exchange Server 2007 Organization
Key Points
Complete the following steps to deploy Exchange Server 2010 servers in an Exchange Server 2007 organization: 1. Update all of the Exchange Server 2007 servers to Service Pack 2. Exchange Server 2010 setup checks the server versions of all Exchange servers and the requirement checks fail if a server is not upgraded. Exchange Server 2007 SP2 includes several schema updates that are required for interoperability with Exchange Server 2010. If an organization only has a single Active Directory site, use the following process for deploying Exchange Server 2010. 2. Install the Exchange Server 2010 Client Access server. After you complete this installation, you should use this as the primary connection point for all client connections. This means that you should modify the AutoDiscover settings, both internally and externally, to point to the Exchange Server 2010 Client Access server. Note: Later sections of this lesson include more information on how to configure the client-access settings, including the Autodiscover settings. 3. Install the Exchange Server 2010 Hub Transport server. Both Exchange Server 2007 and Exchange Server 2010 Mailbox servers must use a Hub Transport server that is the same version as the Mailbox server for routing messages in the same site. Install Exchange Server 2010 Unified Messaging servers. If you have deployed Unified Messaging in Exchange Server 2007, add the Exchange Server 2010 UM Server to one of your organizations dial plans.
4.
12-29
5.
6.
Install the Exchange Server 2010 Mailbox servers. After the rest of the infrastructure is in place, you can deploy the Exchange Server 2010 Mailbox servers, and start moving mailboxes and public folders to the new servers. Install the Exchange Server 2010 Edge Transport servers. Exchange Server 2010 Edge Transport servers can synchronize only with Exchange Server 2010 Hub Transport servers.
For organizations with multiple sites, there typically are two types of Active Directory sites: Internetaccessible sites, and non-Internet accessible sites. A single Exchange Server organization may have one or more Internet-accessible sites. When upgrading Active Directory sites, you must begin your upgrade by upgrading Internet-accessible sites first, followed by non-Internet accessible sites. You should follow the same process for deploying Exchange 2010 servers in both Internet accessible and non-Internet accessible sites. Before deploying any Exchange Server 2010 Mailbox server in a site, you must deploy Exchange Server 2010 Client Access and Hub Transport servers.
12-30
How Client Access Works During Coexistence
Key Points
The Client Access server role in Exchange Server 2010 has changed significantly from the Client Access server in Exchange Server 2007. The most important change is that all client connectivity, including Outlook MAPI connectivity, now goes through the Client Access server role.
Client Access During Coexistence

After you deploy the Exchange Server 2010 Client Access and Mailbox servers, the process for when nonMAPI clients access the user mailboxes depends on the type of client you are using, and on the location of the user mailbox. To implement coexistence, you must configure all clients to connect to the Exchange Server 2010 Client Access server. If you have been using an external URL, such as https://mail.contoso.com, to connect to an Exchange Server 2007 Client Access server, you should modify the DNS or firewall configuration to forward connections to the Exchange Server 2010 Client Access servers URL. When an Outlook Web App client connects to the Client Access server, and the user mailbox is located on an Exchange 2007 Mailbox server, the Autodiscover service on the Exchange Server 2010 Client Access server redirects the client to the external URL that you configure on the Exchange Server 2007 Client Access server. When an Exchange ActiveSync client connects to the Client Access server, and the user mailbox is located on an Exchange 2007 Mailbox server, the process will depend on whether the mobile devices supports Autodiscover: If the device does not support Autodiscover, the Exchange Server 2010 Client Access server proxies the client request to the Exchange Server 2007 Client Access server using HTTPS, and then the Exchange Server 2007 Client Access server connects to the Exchange Server 2007 Mailbox server and provides access to the user mailbox.
12-31
If the Mobile client does support Autodiscover, the Autodiscover service on the Exchange Server 2010 Client Access server redirects the client to use the external URL configured on the Exchange Server 2007 Client Access server.
When an Exchange ActiveSync client connects to the Client Access server, and the user mailbox is located on an Exchange 2010 Mailbox server, the Client Access server connects to the Mailbox server using RPC and provides access to the user mailbox. When an Outlook Anywhere client connects to the Client Access server, and the user mailbox is located on an Exchange Server 2007 Mailbox server, the RPC proxy service on the Client Access server connects to the back-end server using RPC. When an Outlook Anywhere client connects to the Client Access server, and the user mailbox is located on an Exchange 2010 Mailbox server, the RPC proxy service on the Client Access server connects to the back-end server using RPC. If the user mailbox is on an Exchange Server 2007 Mailbox server in a different Active Directory site, the Exchange Server 2010 Client Access server always proxies the client requests. For Outlook Web App and Exchange ActiveSync clients, the Client Access server proxies the requests using HTTP to an Exchange Server 2007 Client Access server. For Outlook Anywhere clients, the Client Access server proxies the request using RPC to an Exchange Server 2007 Mailbox server. When a MAPI client connects to the user mailbox, and the user mailbox is on an Exchange Server 2007 server, the MAPI client connects directly to the Mailbox server. If the user mailbox is on an Exchange Server 2010 server, the MAPI client connects to an Exchange 2010 Client Access server. Note: When you move a user mailbox from an Exchange Server 2007 Mailbox server to an Exchange Server 2010 Mailbox server, the client profile is configured automatically to use the Exchange Server 2010 Client Access server for MAPI connectivity. You do not need to modify the client profile manually.
Considerations for Client Access During Coexistence

When implementing client access during coexistence, consider the following: Whether a user sees the Outlook Web App client of Exchange Server 2007 or Exchange Server 2010 depends on the location of the users mailbox. For example, if the users mailbox is located on an Exchange Server 2007 Mailbox server and the Client Access server is running Exchange 2010, the user sees the Exchange Server 2007 version of Outlook Web Access. You cannot use an Exchange Server 2007 Client Access server to access mailboxes on Exchange Server 2010 Mailbox server.
12-32
Implementing Client Access Coexistence
Key Points
During coexistence, you need to ensure that users with mailboxes on both Exchange Server 2007 Mailbox servers and Exchange Server 2010 Mailbox servers can access their mailboxes. The following steps describe how to enable this: 1. Obtain the required server certificates. To support external client coexistence with the Exchange Server 2010 Client Access server and legacy Exchange servers, you may need to acquire a new certificate. You should request a certificate that supports at least the following Subject Alternative Names: The primary URL to use to access the Exchange 2010 Client Access server. The AutoDiscover server name. An alternate name for the URL to use to connect to the Exchange 2007 Client Access server.
Note: The Exchange Server 2010 Client Access server requires this certificate, but you also might install the same certificate on the Exchange 2007 Client Access server. The Exchange Server 2007 Client Access server requires a certificate with subject alternative names that include the alternate name, legacy.contoso.com, and the Autodiscover server name. 2. 3. Install and configure the Exchange Server 2010 Client Access server. You should configure external name space during or after setup by using the Exchange Management Console or EMS. Modify the external URLs on the Exchange Server 2007 Client Access server to use the alternate name. If you are using legacy.contoso.com as the alternate name, configure this as the external URL for the Outlook Web App, Offline Address Book, Unified Messaging, Web Services and Exchange ActiveSync virtual directories. Configure DNS. To configure DNS, you should:
4.
12-33
5.
Create the legacy host record, which is legacy.contoso.com, in your external DNS infrastructure, and configure it to reference the Exchange Server 2007 Client Access server. Create or modify the host record for Autodiscover, which is Autodiscover.contoso.com, and configure it to reference the Exchange 2010 Client Access server. Create or modify the host record for the primary URL, which is mail.contoso.com, and configure it to reference the Exchange Server 2010 Client Access server.
6.
If you use Outlook Anywhere on the Exchange Server 2007 servers, disable Outlook Anywhere on the Exchange Server 2007 Client Access server. When you implement Outlook Anywhere on the Exchange Server 2010 Client Access server, it proxies the Outlook Anywhere client requests directly to the Exchange Server 2007 Mailbox server. Test all client scenarios, and ensure they function correctly.
12-34
Considerations for Message Transport Coexistence
Key Points
A second coexistence component between the two Exchange Server versions is message transport. Message transport coexistence is configured automatically, as long as the correct versions of Hub Transport servers are available.
Message Routing During Coexistence

As you deploy Exchange Server 2010 Hub Transport and Mailbox servers in an Exchange 2007 organization, message transport works as follows: Each version of Exchange Mailbox server must use an equivalent version of the Hub Transport server when routing messages within the same site. If you have both Exchange Server 2007 and Exchange Server 2010 servers deployed in a site, messages will flow from the Exchange 2010 Mailbox server, to the Exchange Server 2010 Hub Transport server, to the Exchange Server 2007 Hub Transport server, and then to the Exchange Server 2007 Mailbox server. Messages sent from an Exchange Server 2007 mailbox would follow the reverse route. Message routing between Active Directory sites can use Hub Transport servers on either Exchange Server version. If you installed an Exchange Server 2010 Hub Transport server in one site, it can send messages to Exchange Server 2007 Hub Transport servers in another site. Message routing to and from the Internet can use either Exchange Server 2007 or Exchange Server 2010 Hub Transport servers. If your current deployment uses Exchange Server 2007 Edge Transport servers for inbound e-mail, you can continue to have the Edge Transport servers forward all messages to the Exchange Server 2007 Hub Transport server. As you deploy Exchange Server 2010 Hub Transport servers, you can add them to the edge subscription or configure the Exchange Server 2007 Edge Transport servers to forward messages to the Exchange Server 2010 Hub Transport servers. For outbound messages, you can add Exchange Server 2010 Hub Transport servers to the SMTP Send connector that is responsible for sending messages to the Internet. This enables outbound messages to be sent through either Exchange Server 2007 or Exchange Server 2010 Hub Transport servers.
12-35
Note: In Exchange Server 2010, you can view message-tracking information using the Exchange Management Console or the Exchange Control Panel. If an administrator or user views the messagetracking information in Exchange Control Panel, the message can be tracked only on Exchange Server 2010 Hub Transport servers. Administrators can track messages on both Exchange Server 2010 and Exchange Server 2007 Hub Transport servers by using the Message Tracking tool in Exchange 2007 and the Tracking Log Explorer tool in Exchange Server 2010.
Edge Transport Server Coexistence

If you deploy the Exchange Server 2007 Edge Transport server role, you can retain or replace the server with an Exchange Server 2010 Edge Transport server. You can implement edge synchronization between Exchange Server 2010 Hub Transport servers and Exchange Server 2007 Edge Transport servers, but you cannot configure edge synchronization between Exchange Server 2007 Hub Transport servers and Exchange Server 2010 Edge Transport servers. This means that if you are using edge synchronization, you should not deploy an Exchange Server 2010 Edge Transport server before deploying at least one Exchange Server 2010 Hub Transport server in the adjacent Active Directory site.
12-36
Considerations for Administration Coexistence
Key Points
When implementing Exchange Server 2010 in an Exchange Server 2007 organization, you also need to plan for administrative coexistence. In this scenario, you need to consider how you will use the Exchange Server management tools and how you will delegate permissions.
Management Console Coexistence

The Exchange Management Console is available in both Exchange Server 2007 and Exchange Server 2010. You can perform the following tasks and actions using the different Exchange Management Consoles: You can perform actions that create new objects, such as new mailboxes or a new offline address book, on a version of the Exchange Management Console that is the same as the target object. For example, you must create a new mailbox on an Exchange Server 2007 Mailbox server by using the Management Console in Exchange Server 2007. You cannot manage Exchange Server 2007 Mailbox databases from the Exchange Server 2010 Management Console, although you can view these databases. You cannot enable or disable Exchange Server 2007 Unified Messaging mailboxes from the Exchange Server 2010 Management Console. You cannot use the Exchange Server 2010 Management Console to manage mobile devices for users that have mailboxes on an Exchange Server 2007 Mailbox server. You can perform actions that require management on Exchange Server 2007 objects from the Exchange Management Console in Exchange Server 2010. You cannot perform these actions from the Management Console in Exchange 2007 on Exchange Server 2010 objects. You can use any Exchange Management Console version to perform actions that require viewing of any version of Exchange Server objects, with the following exceptions: You can view only Exchange Server 2007 and Exchange Server 2010 transport rule objects from the corresponding version of the Exchange Management Console.
12-37
You can view only Exchange Server 2007 and Exchange Server 2010 servers from their corresponding version of the Exchange Management Console. The Queue Viewer tool in Exchange Server 2010 Management Console cannot connect to an Exchange Server 2007 server to view queues or messages.
Delegating Administration During Coexistence

The model for delegating administrative permissions has changed significantly in Exchange Server 2010. Exchange 2007 setup creates several Active Directory groups with designated permissions in Active Directory and in the Exchange organization. To delegate permissions, you just add users to the appropriate Active Directory groups. RBAC replaces this model in Exchange Server 2010, where you will use role groups to configure permissions. When you install Exchange Server 2010 servers in an Exchange Server 2007 organization, this adds the Exchange Server 2010 role groups to Active Directory, and the Exchange Server 2007 groups are retained. When assigning permissions on Exchange Server 2007 servers, use the Exchange Server 2007 groups. When assigning permissions on the Exchange Server 2010 servers, use the Exchange Server 2010 role groups.
12-38
Process for Removing Exchange Server 2007 from the Organization
Key Points
After deploying the Exchange Server 2010 servers, you can start moving resources to the Exchange Server 2010 servers and removing the Exchange Server 2007 servers.
Moving Resources to Exchange Server 2010 Servers

Before removing the Exchange Server 2007 servers, you should move all required functionality and data to the Exchange Server 2010 servers: Transport connectors. You can add Exchange Server 2010 Hub Transport servers as source servers on Send connectors created in Exchange Server 2007. To upgrade message-transport functionality, add the Exchange Server 2010 Hub Transport servers to the Send connectors, and then remove the Exchange Server 2007 servers. Mailboxes. You can move mailboxes from Exchange Server 2007 SP2 to Exchange Server 2010. This move occurs online, and end users can access their mailboxes during the move. You must perform the move from the Exchange Server 2010 server using the move request cmdlets in the EMS, or by using the New Local Move Request option in the Exchange Management Console. You cannot use the Move-Mailbox functionality on the Exchange Server 2007 server to move mailboxes to Exchange 2010 servers. Public folders. If you require system folders or other public folders after the upgrade, create replicas of the public folders on an Exchange Server 2010 server hosting the public-folder database. Wait for replication to complete, and then remove the replicas on the Exchange Server 2007 servers.
Removing Exchange 2007 Servers

As you move mailboxes and message delivery to the Exchange Server 2010 servers, you can start removing the previous Exchange Server versions. We recommend the following process for removing Exchange Server 2007 servers: 1. Remove Mailbox servers first.
12-39
2. 3. 4.
Remove the Exchange Server 2007 Unified Messaging server role. Remove the Exchange Server 2007 Hub Transport servers. Remove the Exchange Server 2007 Client Access Servers.
After you remove the last mailbox and public folder from the Exchange Server 2007 Mailbox server, you may remove all other Exchange Server 2007 servers in the Active Directory site.
12-40
Review Questions
1. Your organization is deploying Exchange Server 2010 in an Exchange 2003 organization. You have made the changes to Active Directory. What is the first Exchange 2010 server role that you should deploy? How will this deployment change the user experience? Why do you need to configure a new external URL on Exchange Server 2007 Client Access servers when you deploy Exchange Server 2010 Client Access servers? Your organization includes two locations and Active Directory sites. You have deployed Exchange Server 2007 servers in both sites. You now are deploying Exchange Server 2010 servers in one of the sites and removing the Exchange Server 2007 servers. When can you remove the last Exchange 2007 Hub Transport server in the site?
2. 3.
Common Issues Related to Upgrading to Exchange 2010

Identify the causes for the following common issues related to upgrading to Exchange Server 2010. For answers, refer to relevant lessons in the module. Issue When you try to remove an Exchange Server 2003 server, you receive an error message that you cannot remove the server because it is a bridgehead server for a routing-group connector. You have upgraded all external message routing to Exchange Server 2010. You are upgrading your Exchange Server 2007 organization to Exchange Server 2010, and you have configured Troubleshooting tip The Exchange Server 2003 server may be the designated routing-group bridgehead server for the routing-group connector between the Exchange Server 2003 routing group and the Exchange Server 2010 routing group. If this is the last Exchange Server 2003 server, you can remove it from the routing-group connector. If you have other Exchange Server 2003 servers deployed, you will need to designate one of them as the routing-group connectors bridgehead server. Check the DNS configuration to ensure that users from the Internet can resolve the host name for the alternate or legacy URL that you have configured. Also, check the reverse proxy or
12-41
Issue
Troubleshooting tip
Client Access servers for Internet firewall configuration to ensure that all client requests to the access. Users with mailboxes on legacy URL are directed to the Exchange Server 2007 Client Exchange Server 2010 Mailbox servers Access server. can access their mailbox using Outlook Web App from the Internet, but users with mailboxes on the Exchange Server 2007 Mailbox servers cannot. You have deployed Exchange Server You have to use the same version of the Exchange 2010 servers in your Exchange Server Management Console as the server that you are managing. 2007 organization. You need to modify the settings on both Exchange Server 2007 and Exchange Server 2010 servers, but you cannot see both servers in the Exchange Management Console.

1. A. Datum has three office locations and three Active Directory sites. They have deployed Exchange Server 2003 servers in all offices, but have enabled Internet access to the servers only in the main office. What high-level process should A. Datum use to upgrade to Exchange Server 2010? Your organization has deployed Forefront Threat Management Gateway (TMG) to secure access to the Client Access server deployment. You have completed all of the steps required to enable access to both the Exchange 2010 Client Access server and the Exchange 2007 Client Access server. What changes do you need to make on the TMG server? Your organization is deploying Exchange Server 2010 in an Exchange Server 2003 organization. Your organization does not provide Internet access to messaging clients, and all users are located in a single office. You deploy an Exchange Server 2010 server using a standard installation. What else do you need to do before you start moving mailboxes to the Exchange Server 2010 server? Users need to be able to access their mailboxes by using Outlook Web App and Outlook 2003.
2.
3.
Best Practices Related to Upgrading to Exchange Server 2010

Supplement or modify the following best practices for your own work situations: If your Exchange Server 2003 organization has multiple routing groups, consider creating additional routing-group connectors between each of the routing groups and an Exchange 2010 Hub Transport server in each office location. By doing this, you can ensure that all messages are sent from the Exchange Server 2003 servers to the Exchange Server 2010 servers without crossing the wide area network (WAN) links between the routing groups. Plan to increase the number of Client Access servers as you upgrade to Exchange Server 2010. For Exchange Server 2003 and Exchange Server 2007 deployments, we recommended a one-to-four ratio of Client Access server or front-end server processor cores to Mailbox server or back-end server cores. In Exchange Server 2010, we recommend a three-to-four ratio. Use certificates with subject alternative names rather than using wildcard certificates when you obtain certificates for the Client Access servers. Wildcard certificates are less secure, because they can be used to secure connections to any server name. If an attacker obtains a copy of the certificate, they can use it to secure connections to any server name while using your domain name.
Tools
Tool Use for Where to find it
12-42
Tool Remote Connectivity Analyzer
Use for
Where to find it
Testing client access
http://go.microsoft.com/fwlink connections during the /?LinkId=179969 upgrade to Exchange Server 2010
12-43
Course Evaluation
Your evaluation of this course will help Microsoft understand the quality of your learning experience. Please work with your training provider to access the course evaluation form. Microsoft will keep your answers to this survey private and confidential and will use your responses to improve your future learning experience. Your open and honest feedback is valuable and appreciated.
12-44
Implementing Unified Messaging
A-1
Appendix A
Contents:
Lesson 1: Overview of Telephony Lesson 2: Introducing Unified Messaging Lesson 3: Configuring Unified Messaging Lab: Implementing Unified Messaging A-3 A-13 A-28 A-39
A-2
Appendix Overview
Unified Messaging combines voice and e-mail messaging into one location, accessible from a telephone and a computer. Microsoft Exchange Server 2010 Unified Messaging integrates Exchange Server with telephony networks and makes the Unified Messaging features available in the user mailbox. This module describes how Unified Messaging works with your telephony system and Exchange Server environment, and how to configure Unified Messaging. After completing this module, you will be able to: Describe telephony systems. Describe Unified Messaging features and integration with Exchange Server 2010. Configure Unified Messaging.
A-3
Lesson 1
Overview of Telephony
Unified Messaging enables you to integrate telephony systems with Exchange Server 2010. You must have an understanding of core telephony concepts to understand how Unified Messaging works and how to implement it. In this lesson, you will learn the basics about a telephony system and what protocols Unified Messaging provides. After completing this lesson, you will be able to: Describe types of telephone systems. Describe telephony-system components. Describe types of Private Branch Exchange (PBX) phone systems. Describe Voice over IP (VoIP) gateway. Describe Unified Messaging protocols.
A-4
Types of Telephone Systems
Key Points
There are three general types of business telephone systems: Centrex, Key Telephone System, and PBX. You can integrate each of these phone systems with Unified Messaging.
Centrex Phone System

Phone companies lease a Centrex phone system (also know as Central Office Telephone Exchange) to businesses. The Centrex phone system uses the phone companys central office (CO) exchange to route internal calls to an extension. A new Centrex version, called IP Centrex, is available. With IP Centrex, the organization does not rent phone lines from the telephone companys CO. Instead, the CO sends the phone calls through a VoIP gateway, which routes them through the Internet. At the organizations office, another VoIP gateway translates the call to a traditional circuit-switched call.
Key Telephone System

A Key Telephone System is similar to the Centrex system in that the organization leases several phone lines from the telephone companys CO. However, with the Key Telephone System, each phone line connects to multiple telephones in the organization. When someone calls the company, all phones ring that are associated with that line. Businesses with Key Telephone Systems often arrange for someone to answer incoming calls, and then announce the call to the correct recipient.
PBX Business Phone Systems

PBX systems are different from Centrex or Key Telephone Systems in that they typically have only a single connection to the CO, and all call switching happens on the organizations premises. The connection to the CO usually occurs through a T1 or E1 line, both of which provide multiple channels to enable multiple calls over the same line. Trunk lines is another name for these lines.
A-5
The PBX routes internal phone calls, and those between external and internal users. In a PBX system, each user has a telephone extension. When an internal user places a call to another internal user, they use just the extension number, and the PBX routes the call to the appropriate extension. Users make external telephone calls through a PBX by dialing 9 or 0, and then the external number. You can configure the external access number configure-on the PBX, which automatically selects an outgoing trunk line to complete the call. The PBX accepts incoming calls and automatically forwards them to the appropriate organizational extension. In larger organizations, PBXs make it possible for users to reach other users in different locations just by dialing an extension number. This may involve networking multiple PBXs.
A-6
Components of a Telephony System
Key Points
Telephony administrators use specialized terminology to describe many of the features and concepts that relate related to PBXs. When deploying Unified Messaging servers, you need to understand these terms and how they relate to Unified Messaging.
Direct Inward Dialing

A Direct Inward Dialing (DID) phone number is a unique number that an organization assigns to a person. It lets that individual receive calls directly from an external phone without having to transfer the call. The DID is a combination of company-specific phone number and the users extension. If the organization has implemented a PBX, the PBX uses a mapping of DID numbers to internal extensions to route calls to the correct phone.
Dial Plan
A dial plan consists of the rules that a PBX uses to determine what action to take when it receives a set of dialed numbers. For example, a 9 often triggers call setup to an outside line, so that users can call external phone numbers. When 9 is not the first number, the PBX needs to know how many numbers to collect before taking action. If internal extension numbers are three digits long, it waits for just three numbers before taking action.
Hunt Group
A hunt group is a collection of extensions. In most cases, a hunt group represents a set of identical resources that an application or a group shares. This provides more-efficient access to applications, like voice mail, an auto attendant, or even a call center, so that callers do not experience a busy signal. Instead, the PBX hunts for an open line to which to connect them.
A-7
Pilot Number
A pilot number is the address or label that the PBX uses to identify a hunt group. It is an unused extension, meaning it is not associated with a person or phone. For example, there may be a specific extension number 3900 for the telesales team, which may be the pilot number for the hunt group of telesales extension numbers. When a call comes into the 3900 sales number, the PBX recognizes it as a pilot number and searches for an available line within the sales hunt group. The PBX then delivers the call to an available sales extension number.
Coverage Path
A PBX uses a set of directions that you configure for each extension, and it tells the PBX where to route unanswered calls and calls that receive busy signals. The set of directions is a coverage path. If a DID call arrives at the Unified Messaging server via a users desktop phone, and the line is busy or not answered within a certain number of rings, the PBX knows to send the call to the pilot number for the hunt group that attaches to the VoIP gateway. The PBX routes the call through the VoIP gateway to the Unified Messaging server, where the caller can record a voice message. The Unified Messaging server sends the voice message to the Unified Messaging users mailbox.
Call Transfer
Users transfer calls routinely from one extension to another. An unsupervised transfer occurs when a user transfers a call to the next extension without determining whether the extensions user answers the call. For example, consider when a user transfers a call to voice mail when a phone is not answered or is busy.
A-8
Types of PBXs
Key Points
The PBX system is the most common type that medium- and large-size organizations use. There are several types of PBX systems available.
Analog PBX
Analog PBX systems send voice and signaling information, like the touch tones of dialed phone numbers, as actual analog sound. Analog PBX systems never digitize the sound. To direct the call, the PBX and the phone companys CO listens for the signaling information.
Digital PBX
Digital PBXs encode analog sound into a digital format. They typically encode the voice using a standard industry audio codec, G.711. Once digital PBXs encode the sound, they send the digitized voice on a channel using circuit switching. The process of circuit switching establishes an end-to-end, open connection, and leaves the channel open for the calls duration and for the calls users only. Some PBX manufacturers have proprietary signaling methods for call setup.
IP PBX
IP PBXs carry voice-over data networks. The IP phone contains a Network Interface Card (NIC), so it is part of the network. The phone converts voice into digitized packets, which it then places on the data network. The network sends the voice packets via packet switching, a technique that enables a single network channel to handle multiple calls. The IP PBX also acts as a gateway between the internal packet-switched network and the external circuitswitched networks that telephone companies use. In this situation, external phone calls arrive at the IP PBX on the normal public phone lines, and the IP PBX converts the phone call to packets sent on the internal IP-based network.
A-9
Hybrid PBX
Hybrid PBXs provide both digital and IP PBX capabilities. This hybrid approach enables a customer to run a mixture of digital and IP-based phones. Most modern PBXs are in this hybrid category.
A-10
What Is a VoIP Gateway?
Key Points
Telephony and computer systems traditionally use different types of networks to enable communication between attached devices. A telephony system typically uses a circuit-switching network, while the computer system traditionally uses a packet-switching network. You may need to deploy a VoIP gateway to translate data between a circuit-switched network and the data-switched network.
Circuit-Switched Networks
A circuit-switched network uses a dedicated connection between two network devices. For example, you pick up the telephone receiver and dial a phone number. By answering the call, the recipient completes the circuit. After the two nodes establish a call between them, only these two nodes may use the connection. When one of the nodes ends the call, this cancels the connection. Circuit-switched networks, such as the Public Switched Telephone Network (PSTN), transmit multiple calls across the same transmission medium. Frequently, the medium that a PSTN uses is copper. However, it also may use fiber optic cable.
Packet-Switched Networks
Packet switching is a technique that divides a data message into smaller units called packets. The network sends the packets to their destination by the best route available, and then reassembles them at the receiving end.
VoIP
VoIP is a technology that enables an IP-based network to act as the transmission medium for telephone calls. It sends voice data in IP packets rather than by circuit-switched telephone lines. Translating a call from a circuit-switched network to a packet-switched network is complicated because the underlying network connections are so different.
A-11
VoIP Gateway
A VoIP gateway is a third-party hardware device or product that converts traditional phone-system or circuit-switching protocols into data-networking or packet-switched protocols. The VoIP gateway connects a telephone network with a data network. Unified Messaging servers can connect only to packet-switched data networks. This means that organizations with a traditional PBX must deploy a VoIP gateway to communicate between the PBX and the Unified Messaging server. The following table lists the types of telephony systems, and explains when a VoIP gateway is required:
Types of telephony system

Traditional Centrex IP Centrex Key Telephone System Traditional PBX IP or hybrid PBX
VoIP gateway requirement

VOIP gateway required VOIP gateway may not be required VOIP gateway required, and some systems are not supported VOIP gateway required VOIP gateway may not be required
Note: For a list of VoIP gateways and IP/PBX systems that Unified Messaging supports, see the Exchange Server TechCenter.
A-12
Unified Messaging Protocols
Key Points
There are a number of voice-related, IP-based protocols. A Unified Messaging environment with Exchange Server 2010 uses the following: Session Initiation Protocol (SIP). SIP is a real-time signaling protocol that creates, manipulates, and tears down interactive communication sessions on an IP network. You can use SIP in conjunction with Transport Layer Security (TLS) to provide security. Exchange Server Unified Messaging uses SIP mapped over Transmission Control Protocol (TCP) and supports TLS for secured SIP environments. SIP clients, such as IP/VoIP gateways and IP/PBXs, can use TCP port 5060 or port 5061 (for Secure SIP) to connect to SIP servers. Real-Time Transport Protocol (RTP). RTP is for voice transport between the IP gateway and the Unified Messaging server. RTP provides high-quality, real-time, streaming voice delivery. One of the issues with sending voice messages over an IP network is that voice requires real-time transport with specific quality requirements to ensure that the voice sounds normal. If the protocol uses large packets, listeners must wait for the entire packet to arrive before they can respond. Any delay in packet delivery can produce undesirable periods of midstream silence. Packet loss can cause voice garbling. For more information: Request for Comment (RFC) 3550 (which updates RFC 1889) describes RTP), while RFC 3261 (which updates RFC 2543) describes SIP. Real-Time Facsimile or T.38. Real-Time Facsimile or T.38 is an Internet fax-transport protocol. T.38 sets procedures for fax transmission when a portion of the path includes an IP network. The Unified Messaging system uses it to relay a fax that a user originally sends, via voice line across an IP network, in real time.
A-13
Lesson 2
Introducing Unified Messaging
Unified Messaging enables users to receive e-mail, voice, and fax services in their Exchange Server inbox, and allows users to access mailbox contents by phone. This simplifies the experience for users, because they must access and manage only one location for all message types. This also provides more functionality for users because they can use traditional messaging clients to access voice or fax messages, and they can use telephone technology to access e-mail messages. Unified Messaging also simplifies administrators workloads because they must manage this data in one location only. This lesson introduces the features and requirements for Exchange Server 2010 Unified Messaging. After completing this lesson, you will be able to: Describe Unified Messaging. Describe Unified Messaging communication. Describe server communications for Unified Messaging. Describe Unified Messaging call-answering features. Describe Microsoft Office Outlook Voice Access features. Describe how Unified Messaging works with a VoIP gateway. Integrate Unified Messaging with Office Communications Server (OCS) 2007 R2. Describe international Unified Messaging requirements.
A-14
What Is Unified Messaging?
Key Points
Unified Messaging provides the convergence of voice and e-mail messaging into one store, accessible from a phone, a computer running an e-mail client, and mobile devices. Most users and information technology (IT) departments manage their voice mail separately from their email. Usually, voice messages and e-mail exist as separate inboxes on separate servers, and users access them with different clients. Frequently, each communication tool requires a separate address list, which can make it difficult to keep all address lists synchronized. Unified Messaging brings these tools together, and it offers an integrated store and user experience for all Exchange Server message types.
Unified Messaging Features

Unified Messaging provides the following core features: Call answering. Call answering enables the system to answer the telephone and record a message when the user is unavailable. Outlook Voice Access. Exchange Server Unified Messaging provides users with full access to their Exchange Server mailbox from any phone. Outlook Voice Access enables users to use the phone to retrieve their e-mail, voice mail, calendar, and personal contacts. Play on Phone. This feature lets a Unified Messaging-enabled user listen to a voice message using a telephone instead of playing it over their computer speakers or headphones. Voice-mail preview. The Unified Messaging role uses Automatic Speech Recognition (ASR) on newly created voice messages. When users receive voice mails, they receive messages that contain the voice recordings and clear text that Unified Messaging creates from recordings. Protected voice mail. Unified Messaging provides this functionality so that users can send private mail, which Microsoft Rights Management Services (RMS) protects. However, Unified Messaging restricts users to only forwarding, copying, or extracting the voice file from mail.
A-15
Call-answering rules (Personal Auto Attendant). The Unified Messaging role allows Unified Messaging-enabled users to create and customize call-answering rules to enhance their callers callanswering experience.
A-16
Overview of Unified Messaging Communications
Key Points
Unified Messaging combines voice and e-mail messaging in the Exchange Server store, and it integrates telephony networks into Exchange Server 2010. Phone calls enter the organization through an IP PBX or a legacy PBX. Legacy PBX needs a Unified Messaging IP Gateway to talk to a Unified Messaging protocol, such as SIP, whereas most of the IP PBX already support this feature. The Unified Messaging role communicates with the regular phones or PSTN using the PBX. The public telephone network that connects to the PBX communicates using Time Division Multiplex (TDM). TDM is a technique of transmitting multiple digitized data, voice, and video signals simultaneously over one communication media. It does this by interleaving pulses representing bits from different channels or time slots. Unified Messaging handles all internal communications, as follows: It connects to Active Directory Domain Services (AD DS) and Active Directory directory services using Lightweight Directory Access Protocol (LDAP). It connects to the Mailbox server using MAPI. It accepts requests from that Client Access server as RPC. In the case of OCS 2007 integration, it accepts SIP request from the OCS server for missed call notifications.
As usual, any Exchange Server client computer using Outlook 2007, Outlook 2010, or Outlook Web App communicates to the Client Access server role. In Exchange Server 2010, Outlook 2007, and Outlook 2010 access the Client Access server for Unified Messaging release Web-services requests. However, there is no separate Unified Messaging virtual directory as there was in Exchange Server 2007.
A-17
Server Communications for Unified Messaging
Key Points
To install Unified Messaging servers, you also must have the Mailbox, Hub Transport, and Client Access server roles installed in the same Active Directory site. The Unified Messaging servers cannot provide full functionality unless they can communicate with all of these server roles.
Unified Messaging Server Communication with Domain Controllers

The Unified Messaging server performs AD DS directory lookups for recipient information. You must add each Unified Messaging-enabled user to a dial plan and then assign each user an extension number in AD DS. This provides the user mailbox with a unique identifier. The Unified Messaging server performs AD DS directory lookups in several different scenarios, including: Locating the Mailbox server that hosts the user mailbox so that the Unified Messaging server can send voice messages or faxes to the mailbox, or extracting the users personal greeting from the Mailbox server. Locating users prerecorded spoken names from AD DS. Locating subscriber extensions and other attributes, such as department names or e-mail addresses, when users call the auto attendant.
Unified Messaging Server Communication with Other Server Roles

The Unified Messaging server must communicate with all other Exchange Server 2010 server roles, except the Edge Transport server role: Communication with the Mailbox server role. The Unified Messaging server communicates with the Mailbox server role to access user-mailbox contents. This happens in two scenarios. The Mailbox server stores the personal greetings that users create to play for their callers. The Unified Messaging server retrieves these greetings from the Mailbox server and plays them when applicable.
A-18
When Unified Messaging subscribers call the Unified Messaging server to access their mailbox contents via Outlook Voice Access, the Unified Messaging server directly accesses the Mailbox server to extract the mailbox contents. All communications between the Unified Messaging server and the Mailbox server use MAPI. Communication with the Hub Transport server role. The Unified Messaging server communicates with the Hub Transport server role to send messages to the Mailbox server. When a caller leaves a voice mail for a Unified Messaging subscriber or sends a fax to a Unified Messaging subscriber, the Unified Messaging server attaches the voice mail or fax to a message and forwards it to the Hub Transport server using Simple Mail Transfer Protocol (SMTP). Communication with the Client Access server role. The Unified Messaging server communicates with the Client Access server role when a subscriber uses the Play on Phone feature or when they reset their personal identification number (PIN) through Outlook Web App. Using Play on Phone, a Unified Messaging subscriber can use Outlook 2007 or Outlook Web App to instruct the Unified Messaging server to send a voice mail to a telephone number. When the user does this, the client communicates with Unified Messaging Web Services, which you install on a Client Access server. Unified Messaging Web Services then uses SIP to communicate with the Unified Messaging server, which instructs the VoIP gateway to place the phone call.
A-19
Call-Answering Features of Unified Messaging
Key Points
Call handling describes how an Exchange Server 2010 Unified Messaging server answers and handles incoming calls. The Unified Messaging server can handle a variety of incoming calls.
Voice Calls
The Unified Messaging server uses voice-call handling when an internal or external user leaves a voice message for Exchange Server 2010 Unified Messaging system user. The Unified Messaging server creates Multipurpose Internet Mail Extensions (MIME) messages from incoming calls, and then submits them to a Hub Transport server using SMTP. The Hub Transport server submits the message to the users Mailbox server. The Unified Messaging server always uses SMTP to send voice messages, even if the mailbox resides on the same computer on which you install the Unified Messaging server role.
Outlook Voice Access

To access their Exchange Server 2010 mailbox using Outlook Voice Access, users must dial a subscriber access number that is on a Unified Messaging dial plan. A dial plan consists of the rules that a PBX uses to determine what action to take when it receives a set of dialed numbers. A welcome message and a series of telephone user-interface voice prompts enable the user to listen to messages in the mailbox or manipulate mailbox contents. These voice prompts help the user navigate and interact with the Unified Messaging system using touch-tone or speech inputs.
Unified Messaging Auto Attendants

When anonymous or unauthenticated users call into an organization, voice prompts assist them in placing calls to Unified Messaging-enabled users. Additionally, when you want to make an internal call, Unified Messaging automatically places the call when you say the persons name that you are calling. Unified Messaging auto attendant is a series of voice prompts comprised of WAV files that callers hear instead of a human operator. The Unified Messaging auto attendant lets callers navigate the menu system, place calls, or locate users using DTMF or voice inputs.
A-20
When you configure a Unified Messaging auto attendant, you can create custom WAV files and replace the default prompts to meet your organizations needs.
A-21
Outlook Voice Access Features
Key Points
Outlook Voice Access enables Unified Messaging users to access their Exchange Server 2010 mailbox using mobile devices or an analog, digital, or wireless telephone.
What Users Can Do with Outlook Voice Access

When accessing their Exchange Server 2010 mailbox, users can: Listen to new and saved e-mail and voice-mail messages. Forward, reply, save, and delete e-mail and voice messages. Interact with their calendars, including: Listening to daily calendar appointments and meeting details. Accepting or declining meeting requests. Sending an Ill be late message to meeting participants.
Reply to meeting requests using voice inputs to send messages to meeting participants. Decline or cancel meetings. Interact with their global address list (GAL) and their personal contact list. These interactions can include: Locating a person in the GAL or personal contact list. Inputting a telephone extension number to leave a message. Sending voice messages.
Change their personal identification number (PIN), spoken name, or greetings.
Outlook Voice Access is central to the Unified Messaging infrastructure because it allows users to access their mailboxes through universally accessible telephones.
A-22
How Unified Messaging Works with a VoIP Gateway
Key Points
The following steps describe the communication flow for an organizations incoming phone calls when it deploys Exchange Server 2010 Unified Messaging: 1. A caller dials a users number in the organization. This caller could be inside or outside the organization. Unified Messaging connects the call to the PBX. The PBX uses the call recipients extension number to route the call to the appropriate desk phone, which then rings. If the recipient does not answer the call, the PBX checks its configuration to see where to route the unanswered call. In this case, the PBX routes the unanswered calls for this phone to the number associated with the VoIP gateway. The VoIP gateway converts the circuit-switched protocols to packet-switched protocols. It uses the information about the Exchange Server Unified Messaging environment, which you configure during the VoIP gateway installation, to route the call to the appropriate Unified Messaging server. The Unified Messaging server receives the now VoIP-based, packet-switched call. The Unified Messaging server contacts AD DS to retrieve the recipient information. This Active Directory lookup occurs using the combination of dial plan plus extension number, which provides a unique identifier for each mailbox. The Unified Messaging server uses this information to contact the users mailbox to play the individuals greeting. Then the Unified Messaging server answers the call and captures the voice message. The Unified Messaging server packages the message into a voice message for Exchange Server. It then uses SMTP to route the message to a Hub Transport server in the same site. The Hub Transport server routes the voice message to the users Exchange Server mailbox, where it is stored. The message is accessible to the Unified Messaging subscriber through Outlook Voice Access, Outlook, Outlook Web App, or Exchange ActiveSync.
2.
3.
4.
A-23
Note: These steps describe the communication flow when Exchange Server 2010 Unified Messaging answers a call. The process is similar when you use other systems, such as Outlook Voice Access or auto attendant access. For example, when using Outlook Voice Access, the user calls a number that you configure the PBX to forward automatically to the VoIP gateway. The gateway then forwards the call to the Unified Messaging server, which checks AD DS for the user mailbox location. It then uses MAPI to connect to the appropriate Mailbox server. When you use an auto attendant, the PBX forwards the phone number through the VoIP gateway to the Unified Messaging server, which locates the requested information in AD DS and Active Directory.
A-24
Integrating Unified Messaging with OCS 2007 R2
Key Points
Exchange Server 2010 Unified Messaging provides OCS 2007 R2 with the voice mailbox feature. Only Unified Messaging supports this feature. Additionally, since Unified Messaging utilizes existing IP PBX that is configured with OCS 2007 R2, you do not need additional hardware to connect Unified Messaging to your PBX if OCS 2007 R2 is installed already. OCS 2007 R2 also provides other features that integrate into Unified Messaging, such as instant messaging, presence information, Web conferencing, and VoIP telephony: Instant messaging. The OCS 2007 R2 client provides instant messaging (IM) functionality that the OCS hosts. The solution provides IM features, such as group IM, and extends the internal IM infrastructure to external IM providers. Presence information. OCS 2007 R2 tracks presence information for all OCS users, and it provides this information to the OCS 2007 R2 client and other applications, such as Outlook 2007. Web conferencing. OCS 2007 R2 can host on-premise conferences, which you can schedule or reschedule, and they can include IM, audio, video, application sharing, slide presentations, and other forms of data collaboration. Audio conferencing. Users can join OCS 2007-based audio conferences using any desk or mobile phone. When connecting to an audio conference using a Web browser, users can provide a telephone number that the audio-conferencing services calls. VoIP telephony. Enterprise Voice enables OCS 2007 R2 users to place calls from their computers by clicking an Outlook or Communicator contact. Users receive calls simultaneously on all their registered user endpoints, which may be a VoIP phone, mobile phone, or OCS 2007 R2 client. The OCS 2007 R2 Attendant is an integrated call-management client application that enables a user, such as a receptionist, to manage many conversations simultaneously.
A-25
Response Group service. This service enables administrators to create and configure one or more small response groups for routing and queuing incoming phone calls to one or more designated agents. Typical scenarios include an internal help desk or customer-service desks.
A-26
International Requirements for Unified Messaging
Key Points
Unified Messaging provides language packs to satisfy international Unified Messaging requirements. In multiple language environments, you should install the applicable Unified Messaging language packs, because some Unified Messaging users prefer their voice prompts in a different language or because they receive e-mail messages in multiple languages that they need to access using OVA. If you do not install the Unified Messaging language pack for a particular language, e-mail messages in that language will be illogical and incoherent when they relayed to the user. Several key components rely on Unified Messaging language packs to enable users and callers to interact effectively with Exchange Server 2010 Unified Messaging in multiple languages. Each language pack includes: A Text-to-Speech (TTS) engine to read and convert messages when Outlook Voice Access users access their inboxes. The prerecorded prompts used to configure Unified Messaging dial plans and auto attendants. ASR support for speech-enabled Unified Messaging dial plans and auto attendants.
To install a language pack, use Setup.com /AddUMLanguagePack found in the Exchsrvr\Bin directory of the Exchange Server installation. Once you install your language packs, you can change the default language configured for each dial plan. Users automatically use the default language if their configured language setting in Outlook Web App is not available as a language pack. For example, if you install only the English and German language packs, and the English language pack is the default on the dial plan, a user with the French language configuration in Outlook Web App will hear English prompts. In Exchange Server 2007, each language pack included the TTS engine but only supported ASR for US English. In Exchange Server 2010, all available language packs contain ASR support.
A-27
Lesson 3
Configuring Unified Messaging
To enable Unified Messaging in Exchange Server 2010, you first need to understand how Exchange Server 2010 implements Unified Messaging. Then you need to configure the Unified Messaging server role and its required components. This lesson describes the basic Exchange Server 2010 Unified Messaging components. After completing this lesson, you will be able to: Describe the process for installing Unified Messaging. Implement a Unified Messaging dial plan. Implement a Unified Messaging IP gateway. Implement a Unified Messaging hunt group. Implement a Unified Messaging mailbox policy. Create a Unified Messaging auto attendant. Configure call-answering rules.
A-28
Process for Installing Unified Messaging
Key Points
Complete the following steps to install Unified Messaging: 1. Install the Unified Messaging server role. You must install a Mailbox server, a Hub Transport server, and a Client Access server before you can install the Unified Messaging server role. You can install the Unified Messaging role on the same computer that runs these prerequisite roles or on a separate computer. Note: Before you install the Unified Messaging server role on a Windows Server 2008 computer, you must install the Desktop Experience feature. This feature provides the Windows Media Encoder and Windows Media Audio Voice Codec that the Unified Messaging server requires. 2. Create a Unified Messaging dial plan. A dial plan is the telephony extension-numbering plan. All users within a dial plan have a unique extension number, and the combination of dial plan and the user extension uniquely identifies each Unified Messaging user. After creating the Unified Messaging dial plan, you need to associate it with a Unified Messaging server. Create a Unified Messaging IP gateway. A Unified Messaging IP gateway object represents a physical VoIP gateway (with an IP address) from which a Unified Messaging server can receive calls. The Unified Messaging server requires this information to connect to the VoIP gateway and the PBX. Create a Unified Messaging hunt group. A hunt group groups phone numbers together for specific purposes. An IP gateway object contains hunt groups. You can associate one or more hunt groups with an IP gateway. A default hunt group is created automatically if you create an IP gateway and associate it with a Unified Messaging dial plan. You can customize that hunt group or create additional ones. Configure a Unified Messaging mailbox policy. A Unified Messaging mailbox policy is created by default each time you create a Unified Messaging dial plan. You can configure that mailbox policy or create a new one. When you configure the policy, you can specify policy properties, such as the
3.
4.
5.
A-29
6.
7.
maximum greeting length, the number of unsuccessful login attempts before the Unified Messaging server resets the password, the minimum digits that a PIN requires, and international calling restrictions. Enable mailboxes for Unified Messaging. You must enable mailboxes to allow the mailboxes to access Unified Messaging services. You must associate each user mailbox with a Unified Messaging mailbox policy and a unique extension number. Create a Unified Messaging auto attendant object. The auto attendant feature is an optional component. To enable the auto attendant, you must create and configure an associated dial plan. Note: These steps describe the process of installing Unified Messaging in an Exchange Server 2010 environment. To complete this installation in a production environment, you also must configure the PBX and the VoIP gateway to route calls to the Unified Messaging servers.
A-30
What Is a Unified Messaging Dial Plan?
Key Points
The Unified Messaging dial plan is the basic Unified Messaging administrative unit. It is the telephony extension-numbering plan. Within Unified Messaging, the dial plan, plus the extension number, provides the unique identifier for each Unified Messaging user. The dial plan also controls the numbering scheme and the outbound dialing plan.
How Unified Messaging Uses Dial Plans

The Unified Messaging dial plan is an Active Directory container object that is a logical representation of a telephony dial plan that you configure on a PBX. The dial plan establishes a link from an Exchange Server 2010 recipients telephone extension number in AD DS to a Unified Messaging-enabled mailbox. Unified Messaging uses dial-plan information, such as the number of digits an extension has. When you configure Unified Messaging, you enter the extension length. You also can configure many other dial-plan settings, including: Access numbers for subscriber of this dial plan. Default greetings that uses when dial-plan subscribers call into the Unified Messaging server. Dial codes for dialing external phone numbers and international numbers. Features such as whether subscribers can transfer callers to other users and whom callers can contact. Time limits for calls, messages, and idle timeouts. Default language for voice prompts. The audio codec format for voice messages, such as MP3. Note: You need at least one Unified Messaging dial plan, and that dial plan requires a Unified Messaging server and an associated Unified Messaging IP gateway.
A-31
What Is a Unified Messaging IP Gateway?
Key Points
The Unified Messaging IP gateway is an Active Directory container object that logically represents a physical IP gateway hardware device that translates between the circuit-switched telephone network and an IP or packet-switched network. The Unified Messaging IP gateway can represent either a VoIP gateway or an IP-PBX. The Unified Messaging IP gateway contains one or more Unified Messaging hunt-group objects and other Unified Messaging IP gateway-configuration settings, including the actual IP gateway object. The combination of the IP gateway object and a Unified Messaging hunt-group object establishes a logical link between an IP gateway hardware device and a Unified Messaging dial plan. Note: Before an IP gateway can process calls, a Unified Messaging IP gateway must be associated with at least one Unified Messaging dial plan.
Implementing Unified Messaging IP Gateways

You can create a Unified Messaging IP gateway using the Exchange Management Shell or Exchange Management Console. When you create a new Unified Messaging IP gateway object, you enable Unified Messaging servers to connect to the VoIP gateway or IP PBX. By default, IP gateways remain in an enabled state after you create them. However, you can enable or disable the Unified Messaging IP gateway. If you disable a Unified Messaging IP gateway, it can be in one of two disabled modes. The first disabled mode forces all associated Unified Messaging servers to drop existing calls. The second disabled mode forces the Unified Messaging server associated with the Unified Messaging IP gateway to stop handling any new calls that the IP gateway presents. You can enable or disable an IP gateway from the Exchange Management Console or the Exchange Management Shell.
A-32
What Is a Unified Messaging Hunt Group?
Key Points
The Unified Messaging hunt group is a logical representation of an existing PBX or IP PBX hunt group. When the hunt groups pilot number receives a call, the PBX or IP PBX looks for the next available extension number to deliver the call. When the calls recipient does not answer an incoming call, or the line is busy because the recipient is on another call, the PBX or IP PBX routes the call to the Unified Messaging server. Unified Messaging hunt groups act as a connection or link between the Unified Messaging IP gateway and the Unified Messaging dial plan. Therefore, you must associate a single Unified Messaging hunt group with at least one Unified Messaging IP gateway and one Unified Messaging dial plan. Unified Messaging hunt groups locate the PBX hunt group from which the incoming call was received. A pilot number that is specified for a hunt group in the PBX also must be specified within the Unified Messaging hunt group. The pilot number enables the Unified Messaging server to associate the call with the correct dial plan so that it can route the call correctly.
Implementing Unified Messaging Hunt Groups

When you create a new hunt-group object, you enable Unified Messaging servers in the specified dial plan to communicate with the IP gateway object. When creating a new hunt-group object, you need to specify the dial plan, and the pilot identifier or pilot number, that you want it to use with the new hunt group. Question: Is it possible to create a Unified Messaging hunt group without an available Unified Messaging IP gateway?
A-33
What Is a Unified Messaging Mailbox Policy?
Key Points
Unified Messaging mailbox policies apply and standardize Unified Messaging configuration settings for Unified Messaging-enabled users. You can create Unified Messaging mailbox policies, and then add the policy to Unified Messaging-enabled mailboxes to apply a common set of policies or security settings. Unified Messaging mailbox policies are required before you can enable users to use Unified Messaging.
Implementing Unified Messaging Mailbox Policies

Create Unified Messaging mailbox policies in the Active Directory Configuration container, using either the Exchange Management Shell or Exchange Management Console. When you create a dial plan, a single, default Unified Messaging mailbox policy is created for it. However, you can create additional Unified Messaging mailbox policies based on your organizations needs. When you create a Unified Messaging mailbox policy, you can configure the following settings: Dial plan (required) Maximum greeting length Number of unsuccessful login attempts before it resets the password Minimum number of digits that a PIN requires Number of days until users must create a new PIN Number of previous passwords that it does not allow Restrictions on in-country/region or international calling Protected voice-mail settings
Each Unified Messaging-enabled users mailbox must link to only one Unified Messaging mailbox policy.
A-34
What Is a Unified Messaging Auto Attendant?
Key Points
A Unified Messaging auto attendant is an optional component of the Unified Messaging server. It creates a voice-menu system that enables external and internal callers to navigate through voice menus to locate and place, or transfer, calls to company users or organizational departments. When anonymous or unauthenticated users call an external business telephone number, or when internal callers call a specified extension number, voice prompts help them place a call to a user, or locate and call a user. The Unified Messaging auto attendant uses a series of WAV files that callers hear instead of a human operator. The Unified Messaging auto attendant lets callers navigate the menu system, place calls, or locate users using DTMF or voice inputs. A Unified Messaging auto attendant provides: Corporate or informational greetings, such as business hours or directions to a location. Custom corporate menus that you can customize to have more than one level. A directory search function that enables callers to search the organizations name directory. The ability for callers to connect to the telephone of, or leave a message for, organizational members.
Creating Auto Attendants

Each Unified Messaging auto attendant that you create is represented as an Active Directory object. There is no limit to how many Unified Messaging auto attendants you can create, and each auto attendant can support an unlimited number of extensions. However, you should design menu systems for auto attendants carefully to ensure that the user has a positive experience. If you design them incorrectly, it can be very frustrating to users if the time it takes to connect correctly is lengthy or it is difficult to navigate through the system.
A-35
A Unified Messaging auto attendant can reference only one Unified Messaging dial plan. However, Unified Messaging auto attendants can reference or link to other Unified Messaging auto attendants. When you create an auto attendant, you must provide the associated dial plan and extension numbers. After creating the auto attendant, you can configure alternative greetings by specifying the WAV files to use. You also can configure different settings for work and nonwork hours, and features such as call transferring. Create auto attendants in the Exchange Management Console or by running the NewUMAutoAttendant cmdlet in the Exchange Management Shell.
A-36
Rules for Call Answering
Key Points
Call-answering rules, also known as Personal Auto Attendants, allow users to create and customize rules to enhance the experience that callers have when their calls are answered. For example, the call-answering rules can include features such as special greetings by contact or time of the day. Using call answering rules, the caller can decide to: Leave a voice message for the Unified Messaging-enabled user. Transfer to an alternate contact of the Unified Messaging-enabled user. Transfer to an alternate contacts voice mail. Transfer to other phone numbers that the Unified Messaging-enabled user configures. Use the Find-Me feature or locate the Unified Messaging-enabled user via a supervised transfer.
Call-answering rules consist of conditions, a greeting and menu, and actions. You can configure callanswering rules in Outlook Web App or Outlook 2010.
Condition
The following conditions are available: If the caller is: calling from a phone number, this specific contact, or in my contacts folder. If it is during this period: working hours or nonworking hours to a specific time defined. If the users schedule shows a status of: free, tentative, busy, away. If you turn on automatic replies, such as when you turn on an automatic Out of Office message.
A-37
Greeting and Menu

Greeting and Menu is the area where the caller can take specific actions that users predefine. For example, after hearing a greeting that you previously recorded, you can provide a prompt so that the caller can dial you at home.
Actions
Actions define the tasks that occur when callers choose specific menu selections. You can select the following actions: Find me at the following numbers: Defines a recording text, the number key to press to transfer, and enables you to call two phone numbers for a specific time. Transfer the call to: Defines a recording text, the number key to press to transfer, and either a phone number or a contact, or indicates that the call should transfer directly to voice mail. Leave a voice message. Directly transfers the caller to voice mail.
A-38
Lab: Implementing Unified Messaging
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must: 1. 2. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and 10135A-VAN-EX2 virtual machines are running: 3. 10135A-VAN-DC1: Domain controller in the Adatum.com domain. 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain. 10135A-VAN-EX2: Exchange 2010 server in the Adatum.com domain.
Lab Scenario
You are a messaging administrator for A. Datum Corporation. Your organization has deployed Exchange Server 2010. Your users expect to have voice access to their mailboxes, so you must enable this feature and configure Unified Messaging. Additionally, many native German speakers work at A. Datum, so you need to install the German language pack so that they also can use Unified Messaging.
A-39
Exercise 1: Installing and Configuring Unified Messaging Features

The main tasks for this exercise are: 1. 2. 3. 4. 5. 6. 7. 8. Install the Desktop Experience feature. Install the Unified Messaging role. Install the German language pack. Create a dial plan. Create a Unified Messaging IP gateway and hunt group. Change the default Unified Messaging mailbox policy. Associate the Unified Messaging server with the dial plan. Verify that the default dial-plan language is German.
Lab preparation
1. 2. 3. 4. 5. On the host computer, open Hyper-V Manager. Right-click 10135A-VAN-EX2, and then click Settings. Click DVD Drive, click Image file, and then click Browse. Browse to C:\Program Files\Microsoft Learning\10135\Drives, click EXCH201064.iso.iso, and then click Open. Click OK.
Task 1: Install the Desktop Experience feature

1. 2. 3. 4. On VAN-EX2, close the AutoPlay dialog box. In Server Manager, add the Desktop Experience feature and other required features. When prompted, restart the computer. After the computer restarts, log on as Adatum\Administrator.
Task 2: Install the Unified Messaging role

1. 2. Use Programs and Features in Control Panel to open Microsoft Exchange Server 2010 Setup. Install the Unified Message server role.
Task 3: Install the German language pack

1. 2. In the Hyper-V management console, attach the UMLanguagePack_DE.iso file to 10135A-VANEX2. Install the German language pack.
Task 4: Create a dial plan

1. 2. On VAN-EX2, create a new dial plan using the Exchange Management Console. Configure the dial plan with following settings: Name: DP-VAN-5digit VoIP security: Unsecured Country/Region code: 1604
Task 5: Create a Unified Messaging IP gateway and hunt group

1. 2. Create a Unified Messaging IP gateway named IPTestPhone using Exchange Management Console, and then configure an IP address of 10.10.0.10, and use DP-VAN-5digit as the dial plan. Create a Unified Messaging hunt group named HG-VAN-5digits for the IP gateway, and then configure a Pilot identifier of 90000.
A-40
Task 6: Change the default Unified Messaging mailbox policy

1. Configure message text for the Unified Messaging mailbox policy that reads Welcome to the Unified Messaging Server VAN-EX2 to be sent to users when their mailboxes are enabled for Unified Messaging. Configure the PIN policies for the mailbox policy so that they never expire.
2.
Task 7: Associate the Unified Messaging server with the dial plan
1. 2. Open the VAN-EX2 server properties in Exchange Management Console. Add an associated dial plan to the server.
Task 8: Verify that the default dial-plan language is German

1. 2. In the Organization Configuration, Unified Messaging node, double-click the DP-VAN-5digit dial plan to open it. In the Settings tab, verify that the default language was changed to German. Results: After this exercise, you should have installed the Unified Messaging role and configured the basic server-side settings for Unified Messaging, namely a dial plan, an IP gateway, a hunt group, and a mailbox policy. You also will have assigned the dial plan to a Unified Messaging server.
To revert the virtual machines

A-41
Review Questions
1. If your company already implemented Microsoft Office Communication Server 2007 R2 and connected OCS to the PBX, do you need an additional IP PBX for Exchange Server 2010 Unified Messaging? Users want to ensure that private voice mails are protected. Does Exchange Server 2010 Unified Messaging have a feature to do this?
2.
Common Issues Related to Unified Messaging

Identify the causes for the following common issues related to implementing Unified Messaging, and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module. Issue You are unable to enable Unified Messaging in mailbox properties on the Mailbox Features tab. It is unavailable. Troubleshooting tip This is a common mistake. Do not enable Unified Messaging in the mailbox properties. Instead, select Enable Unified Messaging on the Actions pane in Recipient Configuration.
Best Practices Related to Implementing Unified Messaging

Supplement or modify the following best practices for your own work situations: Once you install the Unified Messaging server role, check the event log to make sure the service is operational and no error messages appear. After installing the Unified Messaging server role, configure a dial-plan, and Unified Messaging IP gateway, hunt group, and Unified Messaging mailbox policy, and then associate it to the Unified
A-42
Messaging server. Then use the Exchange Unified Messaging Test Phone to see if the configuration is working, before you configure your IP PBX or PBX to communicate with the Exchange server.
Tools
Tool Exchange Server Unified Messaging Test Phone Use for Connect to your Unified Messaging server via voice access to your mailbox. Where to find it Exchange Server\bin\ ExchangeUMTestPhone.exe http://go.microsoft.com/fwlink /?LinkId=179981
Advanced Topics in Exchange Server 2010
B-1
Appendix B
Contents:
Lesson 1: Deploying Highly Available Solutions for Multiple Sites Lesson 2: Implementing Federated Sharing B-3 B-9
B-2
Appendix Overview
Microsoft Exchange Server 2010 offers several advanced features that organizations with special requirements may find interesting. These features include the ability to deploy a highly available Exchange Server across multiple data centers and deploy Federated Sharing, which enables sharing of availability and contact information between organizations. This appendix provides an overview of how to deploy these two features. After completing this appendix, you will be able to: Implement high availability solutions for multiple sites. Implement Federated Sharing.
B-3
Lesson 1
Deploying Highly Available Solutions for Multiple Sites
Multiple site recovery is an important concern for many companies because of the natural disasters that have affected many organizations and resulted in increased regulatory-compliance requirements. Exchange Server 2010 greatly simplifies creating a multiple-site, high-availability solution, and it enables organizations to adopt the solution more easily than previous Exchange versions. This lesson provides an overview of how to apply single-site, high availability concepts to a multiple-site configuration. After completing this lesson, you will be able to: Describe scenarios for deploying multiple-site, high-availability solutions. Describe the challenges of creating a multiple-site database availability group (DAG). Describe the challenges of implementing high availability across multiple sites for nonmailbox roles. Describe the data center failover process. Describe the best practices for implementing a multiple-site, high-availability solution.
B-4
Discussion: High Availability for Multiple Sites
Single-site availability enables you to host your companys Exchange Server environment in many different scenarios. You also can use a secondary site for maintenance events or in cases where the primary site experiences a level of failure that your organization cannot sustain. Although Exchange Server 2010 simplifies multisite configuration, it still requires ample planning and configuration to implement and maintain a multisite configuration successfully. Question: What are some common multisite high availability scenarios? Question: Does your company have a warm disaster-recovery site or is it planning to have one? Question: After mail services successfully fail over to the second site, what other issues might you still need to address?
B-5
Using Cross-Site DAGs
Key Points
Exchange Server 2010 enables a multisite deployment of the Exchange Server infrastructure that reduces the requirements you must meet compared to previous Exchange Server versions. In earlier Exchange Server versions, multisite clustering requires complicated hardware and is difficult to configure. For example, creating a multisite an Exchange Server 2007 mailbox cluster on Windows Server 2003 requires a complicated network configuration to span a subnet, and the Active Directory directory service site, between the two sites. Exchange Server 2007 Service Pack 1 introduced a failover method called Standby Continuous Replication (SCR). However, as the name suggests, it does not take advantage of clustering and only provides a standby copy of the data, which requires a manual activation process. With Exchange Server 2010 combined with Windows Server 2008 failover clustering, you can create a cross-site DAG without any need for special network hardware, a single subnet spanned, or a shared Active Directory site between the two locations. However, you need to meet a number of requirements to configure and maintain a cross-site DAG configuration: Less than 250 milliseconds (ms) latency between all DAG nodes. To maintain the cluster operation properly, there should be minimal latency as each node communicates with the other nodes. Reestablishing of cluster quorum after site failure. If the majority of the nodes are not available because a failure occurs at the initial site, you should reconfigure the DAG manually to reestablish quorum, by using the Exchange Management Shell. Supporting nonmailbox roles in each site. To provide mail delivery and client access to the second sites DAG members, you must ensure that the appropriate Exchange server roles are available. At least one domain controller in each site. In any configuration, Exchange Server requires that each Active Directory site into which you deploy Exchange Server have a domain controller available. To provide redundancy, you should deploy at least two domain controllers per site.
Question: Why should you not implement an automatic data center failover, even if it is possible?
B-6
Challenges of Implementing Cross-Site, Nonmailbox Servers
Key Points
When you deploy nonmailbox servers to support a cross-site failover, you might come across several issues, including: You have to change Domain Name System (DNS) entries for Microsoft Outlook Web App, Outlook Anywhere, and Autodiscover to reflect the secondary sites IP addresses. If you do not change these entries quickly, it may increase the time that it takes users to reconnect to the secondary sites Exchange server. You also can handle these changes by deploying DNS servers in multiple locations or by using third-party global-server load balancing to provide traffic only to the active site. Certificates should include all possible service names in both data centers. However, each separate certificate that you use in each data center should have the same principal name. You must redirect external services to the secondary site, so that Exchange can accept inbound connections and you can restore service. This would include changing the weight of mail exchanger (MX) resource records for inbound e-mail, or reconfiguring hosted anti-spam, antivirus, and archiving services. A standard configuration requires users to log off and then log on to their client, since it must switch to the remote procedure call (RPC) client-access array to which it is connected. You need to notify or train users that this is expected behavior. Alternatively, using the same server certificate in both RPC client-access arrays, and then pointing the DNS record for the primary RPC client-access array to the secondary RPC client-access array, will remove this requirement for Outlook 2007 and newer clients. However, Outlook 2003 clients require that you repair the MAPI profile manually to complete the failover.
B-7
Failover Process for Data Centers
Key Points
To prepare for failure activation, you must enable datacenter activation coordination (DAC) mode on the DAG. This allows an administrator to activate the site, even if a majority of DAG members remains unavailable in the failed site, and it prevents split-brain scenarios. The failover process includes the following steps: 1. 2. The primary data center fails. Adjust DNS records, if necessary, for Simple Mail Transfer Protocol (SMTP), Outlook Web App, Autodiscover, Outlook Anywhere, and any legacy protocols. You can make adjustments manually or use third-party, global-server load balancing to make changes automatically. Reconfigure the DAG to remove the primary sites servers from the Windows Failover Cluster, but retain them in the DAG. Reconfigure the DAG to use an alternative file-share witness and restore the functionality in the Secondary site. The remaining Active Managers coordinate mounting databases in Site B.
3. 4. 5.
B-8
Best Practices for Multisite Failover
Key Points
By implementing certain best practices, you can ensure a successful highly available, multiple-site configuration. To begin, reduce failover time by using low Time to Live (TTL) on DNS records for the Client Access server array, Client Access server URLs, and SMTP records. Using a low TTL enables the DNS clients to discover DNS entries more quickly that point to the secondary site. If a failure occurs, it is important to ensure that everything works as designed. Therefore, you should continually monitor and verify that all messaging-system components are functioning properly. To do this, you should first monitor all aspects of the Exchange Server environment to ensure that it is functioning normally, and that mailbox data is successfully replicating to the secondary site in a timely manner. Next, you can schedule periodic failover tests to provide an additional level of preparation and to validate the configuration and operation of the cross-site failover process. You also should follow a change-management process to ensure that each Mailbox server in the DAG, each Client Access server, and each Hub Transport server are configured identically and have the same updates applied. Doing this reduces the possibility of incompatibilities and unexpected behavior if a failover occurs. Finally, we recommend that you follow the Windows Server Failover Clustering best practice of having each node connected to multiple networks. These multiple networks provide communication redundancy between cluster nodes, however, to reduce network congestion and potential communications problems, you should not allow them to perform cluster heartbeat communications.
B-9
Lesson 2
Implementing Federated Sharing
Federated Sharing enables organizations to share availability and contact information, and send secure messages, to other organizations that also are running Exchange Server 2010. Federated Sharing enables a user to share information transparently with users in other Exchange Server organizations. Information that they can share includes free or busy data or Calendar details. After you configure Federated Sharing, your users can book meetings with a partner organizations users by utilizing exactly the same steps as booking meetings with users inside your organization. After completing this lesson, you will be able to: Define Federated Sharing. Describe the components that are required for Federated Sharing. Describe how Federated Sharing works. Describe how Federated message delivery works. Describe how to configure a Federated Trust. Describe how to configure organizational relationships and sharing policies.
B-10
What Is Federated Sharing?
Key Points
Federated Sharing uses standard federation technologies to allow organizations to establish trusted relationships with each other. To establish federation trust, organizations exchange certificates with public keys, or with a trusted third party, and use those certificates to authenticate and secure all communications between them. In Exchange Server 2010, you use the Microsoft Federation Gateway to establish the federation. The Microsoft Federation Gateway is an identity service that runs over the Internet and works as a trust broker for Federated Sharing. To enable Federated Sharing, the organization must register with the Microsoft Federation Gateway, and then configure a federated sharing relationship with another organization that also registers with the Federation Gateway. The Federation Gateway then acts as a hub for all connections that the organizations make to each other. For example, in a Federated Sharing scenario, the Client Access servers in each organization should be able to establish an authenticated and secure connection with each other to enable the exchange of availability information or to enable calendar sharing. The Client Access servers use the federated trust that you configure with the Federation Gateway to verify the other organizations Client Access servers and to encrypt all traffic sent between the organizations. You also can use the federated sharing relationship to send encrypted and authenticated e-mail between the organizations. Note: The Federation Gateway only provides a broker service to establish the communication between the organizations. The Federation Gateway does not authenticate individual users or require any user accounts from either organization. Although the Federation Gateway uses Windows Live as the authentication mechanism, it shares no user accounts with Windows Live.
B-11
In a Federation Sharing scenario, each organization only needs to manage its trust relationship with the Federation Gateway, and to manage only its user accounts. After the organization establishes the trust relationship with the Federation Gateway, you can configure other trusted organizations with which you want to share information, and the types of information that you want to share. When you enable Federation Sharing, all communications between organizations is sent through the organizations Exchange Server 2010 servers. This communication is transparent to the messaging clients. This means that the feature works with any client that can connect to Exchange Server 2010, including Outlook Web App, Outlook 2003, and Outlook 2007.
B-12
Components of Federated Sharing
Key Points
To set up federation, you must configure three major components in Exchange Server 2010.
Federation Trust
This establishes a trust with Microsoft Federation Gateway. The federation trust configures the Microsoft Federation Gateway as a federation partner with the Exchange Server organization. This means that Exchange Web Services on the Client Access servers can validate all Microsoft Federation Gateway authentication requests.. You establish the federation trust by submitting the organizations public key and certificate to Microsoft Federation Gateway and downloading Window Microsoft Federation Gateway public key and certificate.
Organization Identifier
The organization identifier defines which of the Exchange organizations authoritative accepted domains is available for federation. If an organization supports multiple SMTP domains, you can include one or all of the domain names in the organization identifier. Users can participate in Federated Sharing only if they have e-mail addresses in the domains that you configure with the organization identifier. The first domain that you specify with the organization identifier is the Account namespace. Microsoft Federation Gateway creates federated users identifiers within this account namespace when the Client Access server requests a delegation token for an Exchange Server organization user. This process is transparent to the Exchange Server organization.
Organization Relationships
An organization relationship allows you to establish a federated sharing relationship with another federated organization for the purpose of sharing availability (free/busy) information, or enabling federated delivery of e-mail. Organization relationships are one-to-one relationships established between two organizations. To configure an organization relationship, you must establish a single Federation Trust with the Microsoft Federation Gateway, and configure the Organization Identifier.
B-13
When you create an organization relationship with an external organization, it allows users in the external organization to access your users availability information, allowing them to schedule meetings easily with your users. No replication of Global Address List (GAL) information is required. Outlook 2010 and Outlook Web App allow users to enter the SMTP address of an external recipient when scheduling meetings. For users in your organization to have similar access to availability information of users in the external organization, the administrator in the external organization must also create an organization relationship with your organization.
Sharing Relationships
You can use sharing policies to enable users to share calendar and contact information that resides in the respective folders with users in external federated organizations. After configuring the sharing relationship, a user can send a sharing invitation to an external recipient to share his/her calendar or contact folder. Using sharing policies, you control the domains with which your users share information with, and the extent of sharing. You can also disable a sharing policy for a user or a group of users to deny any sharing for those users. Sharing policies are assigned to mailbox users. A default sharing policy applies to users by default, and allows sharing of their calendar to the extent of availability information with all external domains. After you create a Federation Trust with the MFG, and configure the Federated Organization Identifier (OrgID), users can send sharing invitations to share their availability information with users in any external organization. Note: Although organization relationships and sharing policies allow sharing of availability information with external users, they are intended for different scenarios. Organization relationships are created to collaborate with external organizations, and include the capability to enable Federated Delivery of e-mail between the two organizations. Sharing policies govern what your users can share on an ad-hoc basis with users in external organizations, including organizations with which an organization relationship does not exist.
B-14
How Federated Sharing Works for Availability Information Access
Key Points
One of the options when configuring a sharing relationship is to enable users from one organization to view availability information for another organizations users. The following steps describe the communication flow when you configure this option, and a user in one organization invites another organizations user to a meeting. 1. 2. A user in the Contoso.com organization invites a user in the Adatum.com organization to a meeting. This meeting request is sent to the Exchange Web Service on the Client Access server at Contoso. The Contoso Client Access server checks with a Contoso.com domain controller to verify that the user has permission to utilize the sharing relationship to request availability information and that a sharing relationship is configured with Adatum.com. If both verifications succeed, the Client Access server continues with the next step. The Contoso Client Access server connects to the Microsoft Federation Gateway and requests a security token for the Contoso user. Because you configure Contoso.com in the organization identifier, the Federation Gateway issues the token. The Contoso Client Access server sends a request for the availability information for the user to the Adatum Client Access server. The Contoso Client Access server includes the security token with the request. The Adatum Client Access server validates the security token and then checks with a domain controller in the Adatum.com domain to verify that the organization has a sharing relationship with Contoso.com. The Adatum Client Access server retrieves the users availability information from the users Mailbox server. The Adatum Client Access server sends the availability information to the Contoso Client Access server. The Contoso Client Access server provides the availability information to the Contoso user.
3.
4.
5.
6. 7. 8.
B-15
How Federated Message Delivery Works
Key Points
The second option you can use when configuring a sharing relationship is to enable Federated Delivery. When you enable this option, users from one organization can send encrypted and authenticated e-mail to users in the other organization. The following steps describe the communication flow when you configure this option, and a user in one organization sends an e-mail to a user in the other organization: 1. 2. A user in the Contoso.com organization sends an e-mail to a user in the Adatum.com organization. The message is sent through the Mailbox server to a Hub Transport server at Contoso. The Hub Transport server at Contoso checks with a Contoso.com domain controller to verify that the user has permission to send messages across the sharing relationship, and to verify that a sharing relationship is configured with Adatum.com. If both verifications succeed, the Client Access server continues with the next step. The Contoso Hub Transport server connects to the Microsoft Federation Gateway and requests a security token for the Contoso user. Because Contoso.com is configured in the organization identifier, the Federation Gateway will issue the token. The Contoso Hub Transport server encrypts the message and sends the message to the Adatum.com Hub Transport server. The Contoso Hub Transport server encrypts the message using a key that the security token includes. The security token is encrypted using the Federation Gateway public key, and is sent to the Adatum.com Hub Transport server. The Adatum Hub Transport server validates the security token, and then checks with a domain controller in the Adatum.com domain to verify that the organization has a sharing relationship with Contoso.com. The Adatum Hub Transport server decrypts the security token and extracts the encryption key. The Hub Transport server then decrypts the message and forwards it to the users mailbox server.
3.
4.
5.
6.
B-16
Note: When you configure a sharing relationship with another organization and enable Federated Delivery, all messages sent by users with the appropriate permissions to use the sharing relationship are encrypted automatically. Users do not need to have certificates installed locally, and do not need to choose the option to send encrypted e-mail in Outlook.
B-17
Configuring a Federation Trust
Key Points
Before you can configure a sharing relationship with another organization, both organizations must configure a federation trust with the Microsoft Federation Gateway.
Prerequisites for Configuring a Federation Trust

Before configuring the federation trust, you must ensure that your organization meets the following prerequisites: Obtain a trusted certificate. Setting up a federation trust with the Federation Gateway requires a certificate from a public certificate authority (CA) that the Federation Gateway server trusts. The certificate requires a private/public key pair that is both a client and server certificate, and requires a Subject Key Identifier. This certificate must be deployed on all Exchange Server 2010 Client Access servers. The associated name of the certificate is not relevant to federation, so you can reuse an existing certificate on the Client Access server if the certificate is trusted. The private/ public key pair associated with the certificate signs and decrypts delegation tokens that the Federation Gateway issues. Configure the authoritative domains. You must configure all SMTP domain names that you want to use for Federated Sharing as authoritative accepted domains in Exchange. Configure external DNS records. To enable Federated Sharing, you need to ensure that servers from other organizations can resolve your servers names on the Internet. Additionally, you need to configure DNS with a text (TXT) resource record that provides proof-of-ownership for your domain name. The Federation Gateway uses the proof-of-ownership record to ensure that your servers are authoritative for the domain name that you provide. To create this proof-of-ownership record, you need to: 1. Obtain the application identifier that is created when you create a federation trust. You can obtain this identifier by running the Get-FederationTrust Identity FederationTrustName | fl ApplicationIdentifier cmdlet.
B-18
2.
Create a new TXT record on the DNS server that is accessible from the Internet. The TXT record should include the following information: domainname IN TXT AppID=ApplicationIdentifier.
Establishing the Federation Trust with Microsoft Federation Gateway

You can set up and mange the federation trust by using the Exchange Management Console or the Exchange Management Shell. On the machine where you run these tasks, you should deploy the certificates that federation should use. The machine also needs to have Internet connectivity to reach Microsoft Federation Gateway. If you are using the Exchange Management Console, click the Organization Configuration node, and then click New Federation Trust to start the New Federation Trust wizard. When you run the wizard, you must configure a certificate that will validate the trust. When you use the Exchange Management Console to create the federation trust, it receives the name Microsoft Federation Gateway automatically. If you are using the Exchange Management Shell, run the New-FederationTrust Name TrustName Thumbprint <org-cert-thumbprint> cmdlet. Note: When you use the Exchange Management Console to configure the federation trust, you can browse to locate a valid certificate. If you are using the Exchange Management Shell, you can use the Get-ExchangeCertificate cmdlet to obtain the certificate thumbprint.
B-19
Configuring Organizational Relationships and Sharing Policies
Key Points
After you create the federated trust, the next steps are to configure the organizational relationships and sharing policies that will enable your organizations users to share information with other organizations.
Configuring Organizational Relationships

Organizational relationships define with which other domains you want to share information, and what types of information you will share. To configure organizational relationships in the Exchange Management Console, click the Organization Management node, and then click New Organizational Relationship. When configuring the organizational relationship, you can configure the following: Name. Use a descriptive name. Enable or disable the organizational relationship. Enable the sharing of free/busy information. If you enable this option, you can configure the following levels of free/busy access: No Calendar sharing. Calendar sharing with free/busy information only. Calendar sharing with free/busy information, plus subject and location. Specify a security distribution group. If you specify this option, the free/busy information only for users in the group is accessible through the organizational relationship.
Enable Federated Delivery. When you enable Federated Delivery, you also must configure the SMTP address for a valid mailbox in the destination domain. Configure the information for the external organization. You can configure the Exchange Server to discover the external organizations configuration information automatically. When you do this, the Exchange server contacts the Microsoft Federation Gateway to locate this information. Alternatively,
B-20
you can enter the external organizations information manually, including the domain names, application uniform resource identifier (URI), and Autodiscover endpoint.
Configuring Sharing Policies

Sharing policies define which users in your organization can share information with other organizations, and what types of information those users can share. The Default Sharing Policy is created by default when you install Exchange Server 2010. This policy enables sharing with all domains, but enables only calendar sharing with free/busy information. The policy is assigned to no mailboxes. You can modify all settings for the Default Sharing Policy. If you want to enable users to participate in Federated Sharing, you can add the mailboxes to the Default Sharing Policy or create a new sharing policy. When you create a new sharing policy, you can configure: The domain name for the external domain. The sharing actions that are permitted under the policy. Options include: Calendar sharing with free/busy information only. Calendar sharing with free/busy, subject and location. Calendar sharing with free/busy, subject, location, and body. Contacts sharing. Calendar sharing with free/busy information only and contacts sharing. Calendar sharing with free/busy, subject and location, and contacts sharing. Calendar sharing with free/busy, subject, location and body, and contacts sharing.
The mailboxes to which the sharing policy will be assigned.
L1-1
Module 1: Deploying Microsoft Exchange Server 2010

Exercise 1: Evaluating Requirements for an Exchange Server Installation
Task 1: Evaluate the Active Directory directory service requirements
1. 2. 3. 4. 5. 6. 7. 8. 9. On NYC-DC1, click Start, right-click Computer, and then click Properties. On the System page, in the Windows edition section, verify that the domain controller operating system is compatible with Exchange Server 2010 requirements. Close the System page. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers. Right-click Contoso.com, and then click Properties. In the Contoso.com Properties dialog box, verify that the domain and forest functional levels are compatible with the Exchange Server 2010 requirements. Click OK, and then close Active Directory Users and Computers. Click Start, and in the Search box, type adsiedit.msc, and then press ENTER. Right-click ADSI Edit, and then click Connect to.
10. In the Connection Settings dialog box, in the Connection Point section, in the Select a well known Naming Context list, click Configuration, and then click OK. 11. In the left pane, expand Configuration[NYC-DC1.Contoso.com], and then click CN=Configuration,DC=Contoso,DC=com. 12. Expand CN=Services, and verify that the CN=Microsoft Exchange has not been created. 13. Close ADSI Edit.
Task 2: Evaluate the DNS requirements

1. 2. 3. 4. 5. 6. 7. On NYC-SVR2, click Start, and, in the Search box, type cmd, and then press ENTER. At the command prompt, type IPConfig /all, and then press ENTER. Verify that the Domain Name System (DNS) server IP address for the Local Area Connection 2 is 10.10.10.10. At the command prompt, type Ping NYC-DC1.contoso.com. Verify that you have network connectivity with the domain controller. At the command prompt, type Nslookup, and then press ENTER. At the command prompt, type set type=all, and then press ENTER. At the command prompt, type _ldap._tcp.dc._msdcs.Contoso.com, and then press ENTER. Verify that an SRV record is returned. Close the command prompt.
Task 3: Evaluate the server requirements

1. 2. 3. On NYC-SVR2, click Start and point to Administrative Tools, and click Server Manager. In the left pane, click Features. Verify that no Windows Server 2008 features are installed, including the Active Directory Domain Services (AD DS) management tools. In the left pane, click Roles. Verify that no Windows Server 2008 roles are installed.
L1-2
4. 5. 6. 7. 8. 9.
Click Start and point to Administrative Tools. Verify that Internet Information Services (IIS) Management is not listed. Click Start, click All Programs, click Accessories, click Windows PowerShell, and then click Windows PowerShell. At the PS prompt, type help about_windows_powershell, and then press ENTER. Verify that about_Windows_PowerShell_2.0 is listed. It is installed with Windows PowerShell v2. Close Windows PowerShell. Click Start, and then click Control Panel.
10. In the Control Panel, click Programs. 11. In the Programs window, click Programs and Features. Verify that Microsoft Filter Pack 1.0 is installed. Close the Programs and Features window. Results: After this exercise, you should have evaluated the requirements for Active Directory directory service, DNS, and servers.
Exercise 2: Preparing for an Exchange Server 2010 Installation

Task 1: Install the Windows Server 2008 server roles and features
1. 2. On NYC-SVR2, in Server Manager, click Features, and then click Add Features. In the Select Features page, expand Remote Server Administration Tools, expand Role Administration Tools, expand AD DS and AD LDS Tools, expand AD DS Tools, and then select the AD DS Snap-Ins and Command-Line Tools check box. Expand .NET Framework 3.5.1 Features, and then select the .NET Framework 3.5.1 check box. Expand WCF Activation, select the HTTP Activation check box, and then click Add Required Role Services. Select the RPC over HTTP Proxy check box, and then click Add Required Role Services. Click Next. On the Web Server (IIS) page, click Next. On the Select Role Services page, under Security, select the Digest Authentication check box. Under Performance, select the Dynamic Content Compression check box.
3. 4. 5. 6. 7. 8. 9.
10. Under IIS 6 Management Compatibility, select the IIS 6 Management Console check box. 11. Click Next, and then click Install. 12. Click Close. 13. Click Start, point to Administrative Tools, and click Services. 14. In the Services list, double-click Net.Tcp Port Sharing Service. 15. In the Net.TCP Port Sharing Service Properties dialog box, in the Startup type drop down list, click Automatic, then click Apply. 16. Click Start, wait for the service to start, click OK, and then close the Services console.
L1-3
Task 2: Prepare AD DS for Exchange Server 2010 installation

This task requires that the Exchange Server 2010 iso be attached to the NYC-SVR2 virtual machine as a DVD drive. Complete the following steps to attach it: 1. 2. 3. 4. 5. 6. 7. In the 10135A-NYC-SVR2 on localhost Virtual Machine Connection window, on the File menu, click Settings. Click DVD Drive, and then click Image File. Click Browse, and browse to C:\Program Files\Microsoft Learning \10135\Drives. Click EXCH201064.iso, and click Open. Click OK. On NYC-SVR2, click Close to close the AutoPlay dialog box. On NYC-SVR2, open a Command Prompt. Type D:\setup.com /PrepareAD /OrganizationName:Contoso, and then press ENTER. Close the command prompt window when the task is complete. Results: After this exercise, you should have installed the Windows Server 2008 server roles and features, and prepared AD DS for an Exchange Server 2010 installation.
Exercise 3: Installing Exchange Server 2010

Task 1: Install Microsoft Exchange Server 2010
1. Click Start, click Run, type D:\setup.exe, and then click OK. Steps 1 and 2 are unavailable because they are already complete. If the components were not installed, Exchange Server provides links to download the necessary software. 2. 3. 4. 5. 6. 7. 8. 9. Click Step 3: Choose Exchange language option. Click Install only languages from the DVD. Click Step 4: Install Microsoft Exchange. The installation begins copying files. Click Next to begin Exchange Server 2010 Setup. On the License Agreement page, click I accept the terms in the license agreement, and then click Next. On the Error Reporting page, click No to disable error reporting, and then click Next. You are disabling error reporting because your virtual machine does not have access to the Internet. On the Installation Type page, click Typical Exchange Server Installation, and then click Next. On the Client Settings page, click Yes to configure Exchange Server for Outlook 2003 or Entourage clients, and then click Next.
10. On the Configure Client Access server external domain page, click Next. 11. On the Customer Experience Improvement Program page, click I dont wish to join the program at this time, and click Next. A readiness check takes place to ensure that Exchange is ready to install on the server. This check takes several minutes to complete. 12. Click Install. The installation begins, and takes approximately 15-20 minutes to complete. 13. Click Finish.
L1-4
14. Click Close and Yes to exit Exchange Server 2010 Setup. You are not obtaining the critical updates for Exchange Server 2010 because the virtual machine does not have Internet connectivity. Results: After this exercise, you should have installed Exchange Server 2010.
Lab B: Verifying an Exchange Server 2010 Installation

Exercise 1: Verifying an Exchange Server 2010 Installation
Task 1: View the Exchange Server services
1. 2. 3. 4. On NYC-SVR2, click Start, point to Administrative Tools, and then click Services. Scroll down the list of services, and click the Microsoft Exchange Active Directory Topology service. Review the service description. Review the status of the remaining Exchange Server services. Ensure that all services that are set for automatic startup are running. Close Services.
Task 2: View the Exchange Server folders

1. 2. Click Start, and then click Computer. Browse to C:\Program Files\Microsoft\Exchange Server\V14. This list of folders includes ClientAccess, Mailbox, and TransportRoles. These three roles were installed as part of the typical setup. Open TransportRoles. The Hub Transport server role uses these folders. Close Windows Explorer.
3. 4.
Task 3: Create a new user, and send a test message

1. 2. 3. 4. 5. 6. 7. 8. 9. If necessary, click Start, point to All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console. In the left pane, click Microsoft Exchange On-Premises. Wait for the initialization to finish, and then click OK to acknowledge that the server is unlicensed. Click Recipient Configuration. Notice that a mailbox for the Administrator and a Discovery Search Mailbox are the only mailboxes created by default. Right-click Recipient Configuration, and then click New Mailbox. Wait for the New Mailbox wizard to start. Click Next to accept the User Mailbox option. Click Next to accept the New user option. In the First name box, type TestUser. In the User logon name box, type TestUser. In the Password and Confirm password boxes, type Pa$$w0rd.
10. Click Next.
L1-5
11. On the Mailbox Settings page, in the Alias box, type TestUser, and then click Next to accept the mailbox settings. 12. On the Archive Settings page, click Next. 13. Click New to create the new mailbox. 14. Click Finish. 15. Click Start, point to All Programs, and then click Internet Explorer. 16. In the Address bar, type https://NYC-SVR2/owa, and then press ENTER. 17. Click Continue to this website (not recommended) to proceed. 18. Log on as Contoso\TestUser with a password of Pa$$w0rd. 19. Click OK to accept the default Outlook Web App settings. 20. Click New to create a new message. 21. Click Continue to this website (not recommended). 22. In the To box, type Administrator. 23. In the Subject box, type Test Message, and then click Send. 24. Close Internet Explorer. 25. Click Start, point to All Programs, and then click Internet Explorer. 26. In the Address bar, type https://NYC-SVR2/owa and press ENTER. 27. Click Continue to the website (not recommended) to proceed. 28. Log on as Contoso\Administrator with a password of Pa$$w0rd. 29. Click OK to accept the default Outlook Web App settings. 30. Double-click the message from TestUser to read it. Click Continue to this website (not recommended). 31. Close the message from TestUser. 32. Close Internet Explorer.
Task 4: Run the Exchange Server Best Practices Analyzer tool

1. 2. 3. 4. 5. 6. 7. 8. 9. In Exchange Management Console, in the left pane, click Toolbox. In the center pane, double-click Best Practices Analyzer. Click Do not check for updates on startup. You do this because your virtual machine does not have Internet access. Click I dont want to join the program at this time. Click Go to the Welcome screen. Click Select options for a new scan. Click Connect to the Active Directory server. In the Enter an identifying label from this scan box, type Post-Installation Test. Review the options, and then click Start scanning.
10. When the scan is complete, click the View a report of this Best Practices scan link.
L1-6
11. On the Critical Issues tab, click Unrecognized Exchange signature. This gives you the option to get information about how to fix the problem or hide the message. 12. Click Tell me more about this issue and how to resolve it. This opens the Microsoft Exchange Server Best Practices Analyzer Help, and provides specific information about the warning and troubleshooting it. 13. Close Exchange Server Best Practices Analyzer Help. 14. Close the Exchange Server Best Practices Analyzer Tool. Results: After this exercise, you should have verified the successful installation of Exchange Server 2010 by viewing the Exchange Server services and folders. You should also have created a new user and sent a test message to that user. Finally, you should have used the Exchange Server Best Practices Analyzer tool to view information about any installation issues.

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps: 1. 2. 3. 4. 5. On the host computer, start Hyper-V Manager. Right-click the virtual machine name in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start. To connect to the virtual machine for the next modules lab, click 10135A-VAN-DC1, and then in the Actions pane, click Connect. Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines. 6. 7. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine. Wait for VAN-EX1 to start, and then start VAN-EX3. Connect to the virtual machine.
L2-1
Module 2: Configuring Mailbox Servers

Exercise 1: Configuring Mailbox Databases
Task 1: Create a new database for the Executive mailboxes
On VAN-EX1, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console. 2. In the Console Tree, expand Microsoft Exchange, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Mailbox. 3. In the Content pane, select the Database Management tab. 4. In the Actions pane, click New Mailbox Database. 5. In the New Mailbox Database Wizard, type Executive in the Mailbox database name field, and then click Browse. 6. In the Select Mailbox Server dialog box, select VAN-EX1, and then click OK. 7. Click Next. 8. In the Database file path field, type C:\Mailbox\Executive\Executive.edb. 9. In the Log folder path field type C:\Mailbox\Executive. 10. Click Next. 11. Click New. 12. Click Finish. 1.
Task 2: Configure the Executive mailbox database with appropriate limits

1. 2. 3. 4. 5. 6. In the Content pane, select the Database Management tab, right-click on the Executive database, and then click Properties. Click the Limits tab. Type 850000 for Issue warning at (KB). Uncheck Prohibit send at (KB). Type 1024000 for Prohibit send and receive at (KB). Click OK.
Task 3: Move the existing Accounting database to a new location

1. 2. 3. 4. 5. 6. 7. 8. In the Content pane, select the Database Management tab, and then select the Accounting database. In the Actions pane, click Move Database Path. In the Move Database Path Wizard, in the Database file path field, type C:\Mailbox\Accounting\Accounting.edb. In the Log folder path field type C:\Mailbox\Accounting\. Click Move. Click Yes. Click Finish. Close the Exchange Management Console.
Results: After this exercise, you should have created a new database, set the specified limits, and moved the existing Accounting database to a new folder.
L2-2
Exercise 2: Configuring Public Folders

Task 1: Check Executives public folder statistics
On VAN-EX3, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console. 2. In the Console Tree, expand Microsoft Exchange, expand Microsoft Exchange On-Premises, and then click Toolbox. 3. In the Content pane, double-click Public Folder Management Console. 4. If you are not connected, then in the Actions pane, click Connect to a Server, and then in the Connect to Server dialog box, click Browse. 5. In the Select Public Folder dialog box, select VAN-EX1, click OK, and then click Connect. 6. In the Console Tree, expand Public Folders, and then select Default Public Folders. 7. In the Content pane, right-click Executives, and then choose Properties. 8. On the General tab, note the Total Items and Size of the items in the public folder. 9. Click OK. 10. Leave the Public Folder Management Console running. 1.
Task 2: Create a public folder database on VAN-EX3

On VAN-EX3, in the Exchange Management Console, expand Organization Configuration, and then click Mailbox. 2. In the Content pane, select the Database Management tab. 3. In the Actions pane, click New Public Folder Database. 4. On the New Public Folder Database page, type PF-VAN-EX3 in the Public Folder database name field, and then click Browse. 5. In the Select Mailbox Server dialog box, select VAN-EX3, and then click OK. 6. Click Next. 7. In to Database file path field, type C:\Mailbox\PF-VAN-EX3 \PF-VAN-EX3.edb. 8. In the Log folder path field, type C:\Mailbox\PF-VAN-EX3\, and then click OK. 9. Click Next. 10. Click New. 11. Click Finish. 1.
Task 3: Add a replica of the Executives public folder on VAN-EX3

1. 2. 3. 4. 5. In the Console Tree for the Public Folder Management Console, expand Public Folders, and then select Default Public Folders. In the Content pane, right-click Executives, and then choose Properties. Click the Replication tab. Under Replicate content to these public folder databases, click Add. Select PF-VAN-EX3, and then click OK.
Note: It can take up to 15 minutes for replication to complete.
Task 4: Verify replication between VAN-EX1 and VAN-EX3

1. Click Public Folders, in the Actions pane, click Connect to a Server, and then in the Connect to Server dialog box, click Browse.
L2-3
2. 3. 4. 5. 6. 7. 8.
In the Select Public Folder Servers dialog box, select VAN-EX3, click OK, and then click Connect. In the Console Tree, expand Public Folders, and then select Default Public Folders. In the Content pane, right-click Executives, and then choose Properties. On the General tab, note the Total Items and Size of the items in the public folder. Click OK. Close the Public Folder Management Console. Close the Exchange Management Console.
Results: After this exercise, you should have created a new public folder database on VAN-EX3 and added replicas for each public folder.

Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines. 6. 7. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine. Wait for VAN-EX1 to start, and then start VAN-CL1. Connect to the virtual machine.
L2-4
L3-1
Module 3: Managing Exchange Recipients

Exercise 1: Managing Recipients
Task 1: Create and configure a mailbox called Adventure Works Questions
1. 2. 3. 4. 5. 6. On VAN-EX1, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console. In the console tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration, and then click Mailbox. In the Actions pane, click New Mailbox. Choose User Mailbox, and then click Next. Choose New user, and then click Next. Fill in the following information: 7. 8. 9. Name: Adventure Works Questions User logon name (User Principal Name): AdventureWksQ Password: Pa$$w0rd Confirm password: Pa$$w0rd
Click Next. Type AdventureWksQ as the Alias. Select the Specify the mailbox database rather than using a database automatically selected check box, and click Browse. Click Mailbox Database 1, click OK, and then click Next.
10. Click Next. 11. Click New. 12. Click Finish. 13. In the Results pane, select the Adventure Works Questions mailbox, and then in the Actions pane, click Manage Full Access Permission. 14. In the Manage Full Access Permission Wizard, click Add. 15. In the Select User or Group dialog box, choose George Schaller, and then click OK. 16. Click Manage. 17. Click Finish.
Task 2: Create resource mailboxes, and configure auto-accept settings for the
ProjectRoom
1. 2. 3. 4. 5. In the console tree, under Recipient Configuration, click Mailbox. In the Actions pane, click New Mailbox. In the New Mailbox Wizard, select Room Mailbox, and then click Next. Verify New user is selected, and then click Next. Fill in the following information: Name: ProjectRoom User logon name (User Principal Name): ProjectRoom
L3-2
6. 7. 8. 9. 10. 11. 12. 13. 14.
Password: Pa$$w0rd Confirm Password: Pa$$w0rd
Click Next. Type ProjectRoom as the Alias. Select the Specify the mailbox database rather than using a database automatically selected check box, and then click Browse. Click Mailbox Database 1, click OK, and then click Next. Verify that the Create an archive mailbox for this account check box is not selected, and then click Next. Click New, and then click Finish. In the Results pane, click ProjectRoom, and in the Actions pane, click Properties. Click the Resource General tab. Select the Enable the Resource Booking Attendant check box. If you do not enable this option, the resource will not process meeting requests, even if you configure other settings. Click OK.
Task 3: Move George Schallers mailbox to the VAN-EX1\Mailbox Database 1

1. 2. 3. 4. 5. 6. 7. 8. 9. In the console tree, under Recipient Configuration, click Mailbox. Click the George Schaller mailbox, and then in the Actions pane, click New Local Move Request. In the New Local Move Request Wizard, click Browse. Click Mailbox Database 1, and then click OK. Click Next. Verify that Skip the mailbox is selected, and then click Next. Click New. Click Finish. In the console tree, click Move Request to verify the move request is complete.
Note: If the mailbox move fails, and the error indicates that no MRS service is available, start the Microsoft Exchange Mailbox Replication service, and try the mailbox move again.
Task 4: Create and configure a mail-enabled contact for Ian Palangio at Woodgrove
Bank
1. 2. 3. 4. 5. In the console tree, under Recipient Configuration, click Mail Contact. In the Actions pane, click New Mail Contact. Verify that New contact is selected. Click Next. Fill in the following information: 6. 7. 8. 9. 10. First Name: Ian Last name: Palangio Alias: IanPalangioWB
To set the e-mail address, click Edit. In the E-mail address box, type ian.palangio@woodgrovebank.com, and then click OK. Click Next. Click New. Click Finish.
L3-3
Task 5: Create a moderated distribution list for the Adventure Works Project, and
delegate an administrator
1. 2. 3. 4. 5. 6. In the console tree, under Recipient Configuration, click Distribution Group. In the Actions pane, click New Distribution Group. Verify New group is selected. Click Next. Under Group Type, verify that Distribution is selected. Fill in the following information: 7. 8. 9. 10. 11. 12. 13. Name: Adventure Works Project Alias: AdventureWorksProject
Click Next. Click New. Click Finish. In the Work pane, select the Adventure Works Project group. In the Actions pane, click Properties. Click the Members tab. Click Add, and then select the following users by holding down CTRL: George Schaller Ian Palangio Wei Yu Paul West
14. 15. 16. 17. 18. 19. 20. 21.
Click OK. Click the Mail Flow Settings tab. Select Message Moderation, and then click Properties. Select the Messages sent to this group have to be approved by a moderator check box. In the Specify group moderators section, click Add. Select George Schaller, and then click OK. Click OK. Click OK.
Task 6: Verify that changes were completed successfully

1. 2. 3. 4. On VAN-CL1, verify that you are logged in as Administrator. Open Microsoft Office Outlook 2007. In the toolbar, click the down arrow next to New, and then click Meeting Request. Click the To button.
Note: If you receive an error message when you click To, click Cancel. Start or restart the Microsoft Exchange Address Book Service on VAN-EX1, and then try this step again. 5. 6. 7. 8. 9. 10. 11. Select the Adventure Works Project group, and then click Required. Select the ProjectRoom, and then click Resources. Click OK. Select a time. Type Project Kickoff as the subject. Click Send. Close Outlook.
L3-4
12. 13. 14. 15. 16. 17. 18.
Log off from VAN-CL1. On VAN-EX1, click Start, click All Programs, and then click Internet Explorer. Type https://VAN-EX1.Adatum.com/OWA in the address bar. Log on to Microsoft Outlook Web App as Adatum\George with a password of Pa$$w0rd. Click OK. Double-click the message with the subject of Project Kickoff. Click Accept. Choose to send the response now. Close Windows Internet Explorer.
Results: At the end of this exercise, you will have completed all of the assigned tasks, including creating a mailbox, creating a resource mailbox, moving a mailbox, creating a contact, and creating a moderated distribution group.
Exercise 2: Configuring E-Mail Address Policies

Task 1: Create an e-mail address policy for Adventure Works users
1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. 18. On VAN-EX1, in the Exchange Management Console, expand Organization Configuration, and then select Hub Transport. In the Actions pane, click New E-mail Address Policy. In the New E-Mail Address Policy Wizard, type Adventure Works as the policy name. Click Browse. Click Adatum.com in the Select Organizational Unit dialog box, and then click OK. Verify that All Recipient types is selected, and then click Next. In the Step 1 box, select the Recipient is in a Company check box. In the Step 2 box, click specified. In the Specify Company dialog box, type Adventure Works, and then click Add. Click OK. In the New E-Mail Address Policy dialog box, click Next. Click Add. In the SMTP E-mail Address dialog box, click First name.last name (john.smith). Click Select the accepted domain for the e-mail address, click Browse, click Adventureworks.com, and then click OK. Click OK. Click Next. Verify Immediately is selected, and then click Next. Click New. Click Finish.
Task 2: Verify that addresses are applied correctly

1. 2. 3. 4. 5. 6. In the console tree, under Recipient Configuration, click Mailbox. In the Results pane, double-click George Schaller. In the Properties dialog box for George Schaller, click the E-Mail Addresses tab, and view the current e-mail addresses that are assigned. Click the Organization tab. Type Adventure Works for the Company, and then click Apply. Click the E-Mail Addresses tab, and view the current e-mail addresses that are assigned. Microsoft Exchange should have assigned the new adventure-works.com e-mail address when the company change was made. Click OK.
7.
L3-5
Results: At the end of this exercise, you will have created an e-mail address policy for Adventure Works users.
Exercise 3: Configuring Address Lists

Task 1: Create an empty-container address list named Companies
1. 2. 3. 4. 5. 6. 7. 8. 9. On VAN-EX1, in Exchange Management Console, under Organization Configuration, click Mailbox. In the Results pane, click the Address lists tab. In the Actions pane, click New Address List. In the Name box, type Companies. Click Next. Select None under Include these recipient types. Click Next. Click New. Click Finish.
Task 2: Create a new address list for Adventure Works recipients

1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. In the console tree, under Organization Configuration, click Mailbox. In the Results pane, click the Address Lists tab. In the Actions pane, click New Address List. In the Name box, type Adventure Works. Click Browse. In the Select Address List dialog box, select Companies, and then click OK. Click Next. Verify that All Recipient types is selected, and then click Next. In the Step 1 box, select the Recipient is in a Company option. In the Step 2 box, click specified. In the Specify Company dialog box, type Adventure Works, and then click Add. Click OK. Click Preview, and then click OK. Click Next. Verify Immediately is selected, and then click Next. Click New. Click Finish.
Task 3: Create a new address list for A. Datum Corporation recipients

1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. In the console tree, under Organization Configuration, click Mailbox. In the Results pane, click the Address lists tab. In the Actions pane, click New Address List. In the Name box, type A. Datum. In the Display name box, type A. Datum. Click Browse. In the Select Address dialog box, click Companies, and then click OK. Click Next. Verify that All Recipient types is selected, and then click Next. In the Step 1 box, check Recipient is in a Company. In the Step 2 box, click specified. In the Specify Company dialog box, type A. Datum, and then click Add. Click OK.
L3-6
14. 15. 16. 17. 18.
Click Preview, and then click OK. Click Next. Verify Immediately is selected, and then click Next. Click New. Click Finish.
Task 4: Verify the new address list is available in Microsoft Office Outlook
1. 2. 3. 4. On VAN-CL1, log on as Administrator with a password of Pa$$w0rd. Open Office Outlook 2007. Click the Tools menu, and then click Address Book. Under Address Book, click the down arrow to display the options. You can see that under All Address Lists, the Companies container is listed and includes the address lists Adventure Works and A. Datum. Close all open windows, and log off VAN-CL1.
5.
Task 5: Create a new offline address book for the Adventure Works address list to
support both Office Outlook 2003 and Outlook 2007 clients
1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. On VAN-EX1, in Exchange Management Console, under Organization Configuration, click Mailbox, and then click the Offline Address Book tab. In the Actions pane, click New Offline Address Book. In the Name box, type Companies. Click Browse, select VAN-EX1, and then click OK. Clear the Include the default Global Address List check box. Select the Include the following address lists check box. Click Add, expand Companies, click Adventure Works, and then click OK. Click Add, expand Companies, click A. Datum, and then click OK. Click Next. Select Enable Web-based Distribution and Enable public folder distribution. Click Add, and in the Microsoft Exchange dialog box, click OK. Click OAB (Default Web Site), click OK, and then click Next. Click New, and then click Finish.
Results: At the end of this exercise, you will have created an address list for the A. Datum and Adventure Works users, and an offline address book for each organization.
Exercise 4: Performing Bulk Recipient Management Tasks

Task 1: Add a header to the .csv file exported from the Human Resources (HR) system
1. 2. 3. 4. 5. On VAN-EX1, click Start, point to All Programs, click Accessories, and then click Notepad. Click the File menu, click Open. Change the Files of Type to All Files. Browse to D:\Labfiles\Users.csv, and then click Open. At the top of the file, replace Add Header Here with FirstName,LastName,Password. The ImportCSV cmdlet uses this header to name each column of imported information. You then can reference these names to view and manipulate information. Click the File menu, and then click Save. Close Notepad.
6. 7.
L3-7
Task 2: Modify the CreateUsersLab.ps1 script to import Adventure Works users from a
.csv file
1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. Click Start, point to All Programs, click Accessories, and then click Notepad. Click the File menu, click Open. Change the Files of Type to All Files. Select D:\Labfiles\CreateUsersLab.ps1, and then click Open. In Section 1, define $db as Mailbox Database 1. In Section 1, define $upndom as adatum.com. In Section 1, define $ou as Adventureworks. In Section 1, define $csvFile as D:\Labfiles\Users.csv. In Section 4, replace all instances of property1 with firstname. In Section 4, replace all instances of property2 with lastname. In Section 4, replace property3 with password. Click the File menu, and then click Save. Close Notepad.
Task 3: Create the AdventureWorks Organizational Unit

1. 2. 3. 4. On VAN-EX1, click Start, click All Programs, click Administrative Tools, and then click Active Directory Users and Computers. In the Console tree right-click Adatum.com, expand New and click Organizational Unit. In the New Object Organizational Unit dialog in the Name box type AdventureWorks. Click OK.
Task 4: Run CreateUsersLab.ps1 to import the Adventure Works Users

1. 2. On VAN-EX1, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Shell. Type D:\Labfiles\CreateUsersLab.ps1 and press ENTER.
Task 5: Set mailbox limits for all Adventure Works users

1. 2. In Exchange Management Shell run, Get-Mailbox OrganizationalUnit Adventureworks. Run: Get-Mailbox OrganizationalUnit Adventureworks | Set-Mailbox IssueWarningQuota 100MB ProhibitSendQuota 150MB.
Results: After this exercise, you should have created all of the additional Adventure Works users with an Exchange Management Shell script and set the storage quota.

L3-8
Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines. 6. 7. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine. Wait for VAN-EX1 to start, and then start VAN-EX2. Connect to the virtual machine.
Important: If you are using Windows Server 2008 R2 as the host operating system, complete the following steps before starting VAN-CL1. 1. In the Hyper-V Management console, in the Virtual Machines pane, right-click 10135A-VAN-CL1, and click Settings. 2. Click Network Adapter, and select the Enable spoofing of MAC addresses check box. Click OK. This step is required in order for the Windows Mobile Device emulator to communicate on the virtual network. 8. Wait for VAN-EX2 to start, and then start VAN-CL1. Connect to the virtual machine.
L4-1
Module 4: Managing Client Access

Exercise 1: Configuring Client Access Servers
1. 2. 3. On VAN-DC1, click Start, in the search box type cmd.exe, and then press ENTER. At the command prompt, type certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2, and then press ENTER. At the command prompt, type net stop certsvc & net start certsvc, and then press ENTER.
Task 2: Configure an external client access domain for VAN-EX2

1. 2. 3. 4. 5. 6. 7. 8. On VAN-EX2, open the Exchange Management Console. Expand Microsoft Exchange On-Premises. In the left pane, expand Server Configuration, and then click Client Access. In the Actions pane, click Configure External Client Access Domain. On the Configure External Client Access Domain page, type mail.Adatum.com as the domain name, and then click Add. In the Select Client Access Server dialog box, click VAN-EX2, and then click OK. Click Configure. In the Microsoft Exchange dialog box, click Yes, and then click Finish. In the results pane, click VAN-EX2, and then in the work pane, double-click owa (Default Web Site). On the General tab, verify that the External URL field has been changed to https://mail.adatum.com/owa, and then click OK.
Task 3: Prepare a Server Certificate request for VAN-EX2

In the left pane, click Server Configuration. In the results pane, click VAN-EX2. In the Actions pane, click New Exchange Certificate to open the New Exchange Certificate Wizard. On the Introduction page, type Adatum Mail Certificate as the friendly name for the certificate, and then click Next. 4. On the Domain Scope page, click Next. 5. On the Exchange Configuration page, expand Client Access server (Outlook Web App), and then select both the Outlook Web App is on the Intranet and Outlook Web App is on the Internet check boxes. Verify that Mail.adatum.com is displayed in the second text box. 6. Expand Client Access server (Exchange ActiveSync), and then verify that Exchange Active Sync is enabled check box is selected. 7. Expand Client Access server (Web Services, Outlook Anywhere, and Autodiscover). Enter mail.adatum.com as the external host name. 8. Ensure that both the Autodiscover used on the Internet check box and the Long URL option are selected, and then click Next. In the Autodiscover URL to use field, delete all entries except for autodiscover.adatum.com, and then click Next. 9. On the Certificate Domains page, click Next. 10. On the Organization and Location page, enter the following information: Organization: A Datum Organizational Unit: Messaging Country/region: Canada 1. 2. 3.
L4-2
City/locality: Vancouver State/province: BC
11. Click Browse, type CertRequest as the File name, and then click Save. 12. Click Next, click New, and then click Finish.
Task 4: Request the certificate from the CA

1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. Click the Folder icon in the task bar, and click Documents. Right-click CertRequest.req, and then click Open. In the Windows dialog box, click Select a program from a list of installed programs, and then click OK. In the Open with dialog box, click Notepad, and then click OK. In the CertRequest.req Notepad window, click Ctrl+A to select all the text, and then click Ctrl+C to copy and save the text to the clipboard. Close Notepad. Click Start, click All Programs, and then click Internet Explorer. Connect to https://van-dc1.adatum.com/certsrv. Log on as Administrator using a password of Pa$$w0rd. On the Welcome page, click Request a certificate. On the Request a Certificate page, click advanced certificate request. On the Advanced Certificate Request page, click Submit a certificate request by using a base64-encoded CMC or PKCS#10 file, or submit a renewal request by using a base-64-encoded CMC or PKCS#7 file. On the Submit a Certificate Request or Renewal Request page, click in the Saved Request field, and then press CTRL+V to paste the certificate request information into the field. In the Certificate Template drop-down list box, click Web Server, and then click Submit. Click Yes. On the Certificate Issued page, click Download certificate. In the File Download dialog box, click Save. In the Save As dialog box, click Save. In the Download complete dialog box, click Open. In the Certificate dialog box, on the Details tab, click Subject Alternative Name. Verify that the certificate includes several Subject Alternative Names (SANs), and then click OK.
12. 13. 14. 15. 16. 17. 18.
Task 5: Import and assign the IIS Exchange Service to the New Certificate
1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. In the Exchange Management console, click Server Configuration. Click ADatum Mail Certificate, and in the Actions pane, click Complete Pending Request. On the Complete Pending Request page, click Browse. Under Favorites, click Downloads. Click certnew.cer and click Open. Click Complete, and then click Finish. In the Exchange Management console, click Server Configuration. In the results pane, click VAN-EX2. In the bottom pane, click Adatum Mail Certificate. In the Actions pane, click Assign Services to Certificate. On the Select Servers page, verify that VAN-EX2 is listed, and then click Next. On the Select Services page, select the Internet Information Services check box, click Next, click Assign, and then click Finish.
Task 6: Verify Outlook connectivity to the Exchange Server

1. On VAN-CL1, log on as Molly using the password Pa$$w0rd.
L4-3
2. 3. 4. 5. 6.
Click Start, click All Programs, click Microsoft Office, and then click Microsoft Office Outlook 2007. On the Outlook 2007 Startup page, click Next. On the E-Mail Accounts page, click Next. On the Auto Account Setup page, click Next. On the Configuring page, click Finish. Note: If Microsoft Office Outlook cannot connect to the server, ensure that all of the Microsoft Exchange Server services on VAN-EX2 that are set to Automatic start are started. Start all services that have not started, and try connecting again.
7. 8. 9. 10. 11. 12. 13. 14.
In the User Name dialog box, click OK. On the Privacy Options page, clear all check boxes, and then click Next. On the Sign up for Microsoft Update page, click I dont want to use Microsoft Update, and then click Finish. In the Microsoft Office Outlook dialog box, click No. In Office Outlook, click Tools, and then click Account Settings. Click MollyDempsey@adatum.com, and then click Change. Verify that the user mailbox is located on VAN-EX2, click Cancel, and then click Close. Close Outlook.
Exercise 2: Configuring Outlook Anywhere

Task 1: Configure a DNS record for Mail.Adatum.com
1. 2. 3. 4. 5. On VAN-DC1, click Start, point to Administrative Tools, and then click DNS. In DNS Manager, in the left pane, expand Forward Lookup Zones, and then expand Adatum.com. Right-click Adatum.com, and then click New Host(A or AAAA). In the New Host dialog box, in the Name box, type mail. In the IP Address box, type 10.10.0.21, and then click Add Host. Click OK to close the prompt, and then click Done. Close DNS Manager.
Task 2: Configure Outlook Anywhere on VAN-EX2

1. 2. 3. 4. 5. 6. 7. 8. On VAN-EX2, click Start, point to Administrative Tools, and then click Server Manager. Click Features. In the Features list, verify that the RPC over HTTP Proxy feature is listed. On VAN-EX2, if required, open the Exchange Management Console. In the Exchange Management Console, expand Server Configuration, and then click Client Access. Click VAN-EX2, and in the Actions pane, click Enable Outlook Anywhere. On the Enable Outlook Anywhere page, in the External host name field, type Mail.adatum.com. Under Client authentication method, click NTLM authentication, and then click Enable. On the Completion page, click Finish. Close all open windows, and then restart VAN-EX2.
Task 3: Configure the Outlook profile to use Outlook Anywhere

1. 2. 3. 4. On VAN-CL1, ensure that you are logged on as Adatum\Molly. Click Start, and then click Control Panel. In the Search field, type Mail. Right-click Mail, and then click Open. In the Mail Setup - Outlook dialog box, click E-mail Accounts. In the E-mail Accounts dialog box, click MollyDempsey@adatum.com, and then click Change.
L4-4
5. 6. 7.
On the Microsoft Exchange Settings page, click More Settings. In the Microsoft Exchange dialog box, on the Connection tab, select Connect to Microsoft Exchange using HTTP, and then click Exchange Proxy Settings. In the Microsoft Exchange Proxy Settings dialog box, complete the following information: Use this URL (https://): mail.adatum.com Connect using SSL only: enable (default) On fast networks, connect using HTTP first, then connect using TCP/IP: enable On slow networks, connect using HTTP first, then connect using TCP/IP: enable (default) Proxy authentication setting: NTLM Authentication (default)
8. 9. 10. 11.
Click OK, and then click OK again to close the Microsoft Exchange dialog box. On the Microsoft Exchange Settings page, click Next. On the Change E-mail Account page, click Finish. On the E-mail Accounts page, click Close, and then click Close again to close the Mail Setup Outlook dialog box.
Task 4: Verify the Outlook Anywhere connectivity

1. 2. 3. 4. Wait until VAN-EX2 finishes restarting, and then log on as Administrator using the password Pa$$w0rd. On VAN-CL1, open Office Outlook 2007. If an Outlook dialog box appears, click No. Verify that the Outlook connection indicator states Connected to Microsoft Exchange. Note: If Outlook cannot connect to the server, ensure that all of the Exchange Server services on VANEX2 that are set to Automatic start are started. Start all services that have not started, and try connecting again. 5. Press and hold CTRL, and then right-click the Office Outlook icon in the Windows 7 operating system notification area. You may need to click the up arrow in the Windows 7 notification area to view the Office Outlook icon. Click Connection Status. Confirm that the Conn column lists HTTPS as the connection method. Click Close. Press and hold CTRL, and then click the Outlook icon in the Windows task bar notification area. Click Test E-mail AutoConfiguration. In the Password field, type Pa$$w0rd. Clear the Use Guessmart and Secure Guessmart Authentication check boxes. Click Test. View the information displayed on the Results tab. Click the Log tab to view how the client completed Autodiscover. Close the Test E-mail AutoConfiguration dialog box. Close Microsoft Outlook, and then log off VAN-CL1.
6. 7. 8. 9. 10. 11. 12. 13. 14.

Do not shut down the virtual machines or revert them to their initial state when you finish this lab. The virtual machines are required to complete the last lab in this module.
L4-5
Lab B: Configuring Client Access Servers for Outlook Web App and Exchange ActiveSync
Exercise 1: Configuring Outlook Web App
Task 1: Configure IIS to use the Internal CA certificate
1. 2. 3. 4. 5. 6. 7. On VAN-EX2, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager. Expand VAN-EX2 (ADATUM\Administrator), expand Sites, expand Default Web Site, and then click owa. In the center pane, and under IIS, double-click SSL Settings. Notice that SSL is required by default. Under Sites, click Default Web Site, and in the Actions pane, click Bindings. In the Site Bindings dialog box, click https, and then click Edit. In the SSL Certificate drop-down list, verify that Adatum Mail Certificate is selected Click OK, click Close, and then close the Internet Information Services (IIS) Manager.
Task 2: Configure Outlook Web App settings for all users

Click Start, point to All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console. 2. In the console tree, expand Microsoft Exchange On-Premises, expand Server Configuration, and then click Client Access. 3. In the work pane, select VAN-EX2, and in the result pane, right-click owa (Default Web Site), and then click Properties. 4. Click the Authentication tab, and verify that Use forms-based authentication is selected. 5. Under Logon Format, click User name only, and then click Browse. 6. Click Adatum.com, and then click OK. 7. Click the Segmentation tab, click Tasks, and then click Disable. Click Rules, and then click Disable. Click OK twice. 8. Open the Exchange Management Shell. At the PS prompt, type set-owavirtualdirectory owa (Default Web Site) ForceSaveFileTypes .doc, and then press ENTER. 9. Type set-owavirtualdirectory owa (Default Web Site) GzipLevel Off, and then press ENTER. 10. Type Set-OwaVirtualDirectory -identity Owa (Default Web Site) FilterWebBeaconsAndHtmlForms ForceFilter, and then press ENTER. 11. Type IISReset /noforce, and then press ENTER. If you get a message that the service did not start, open the Services Microsoft Management Console (MMC), and start the World Wide Web Publishing Service. 12. Close the Exchange Management Shell. 1.
Task 3: Configure an Outlook Web App Mailbox Policy for the Branch Managers
1. 2. 3. 4. 5. 6. On VAN-EX2, in Exchange Management Console, expand Organization Configuration, and then click Client Access. In the Actions pane, click New Outlook Web App Mailbox Policy. In the New Outlook Web App Mailbox Policy page, type Branch Managers Policy as the policy name. In the list of features, click Change Password, and then click Disable. Click New, and then click Finish. Right-click Branch Managers Policy, and then click Properties.
L4-6
7. 8. 9. 10. 11. 12. 13. 14.
On the Public Computer File Access tab, clear all check boxes. On the Private Computer File Access tab, clear all check boxes, and then click OK. Under Recipient Configuration, click Mailbox. Click the Organizational Unit column heading to sort the view by organizational units (OU). Select all the users in the Branch Managers OU, right-click, and then click Properties. On the Mailbox Features tab, click Outlook Web App, and then click Properties. Select the Outlook Web App mailbox policy check box, and then click Browse. Click Branch Managers Policy, and then click OK four times.
Task 4: Verify the Outlook Web App configuration

On VAN-EX1, open Internet Explorer. In the address field, type https://mail.Adatum.com/owa, and then press ENTER. Log on to Outlook Web App as Adatum\Sharon using the password Pa$$w0rd. Sharon is not in the Branch Managers OU. Click OK. 4. Verify that the Tasks folder is not displayed in the user mailbox. 5. On the Outlook Web App page, click Options. 6. On the Organize E-Mail tab, verify that you cannot create a new Inbox rule. Close Microsoft Internet Explorer. 7. Open Internet Explorer. 8. In the address field, type https://mail.Adatum.com/owa, and then press ENTER. 9. Log on to Outlook Web App as Adatum\Johnson using the password Pa$$w0rd. Johnson is in the Branch Managers OU. Click OK. 10. Verify that the Tasks folder is listed in the user mailbox. 11. On the Outlook Web App page, click Options. 12. In the left pane, click Settings. Notice that you do not have an option to change passwords. Close Internet Explorer. 1. 2. 3.
Exercise 2: Configuring Exchange ActiveSync

Task 1: Disable SSL for Exchange ActiveSync
1. 2. 3. 4. On VAN-EX2, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager. In Internet Information Services (IIS) Manager, expand VAN-EX2 (ADATUM\administrator), expand Sites, expand Default Web Site, and then click Microsoft-Server-ActiveSync. In the center pane, double-click SSL settings. Clear the Require SSL check box, and then click Apply. Close the Internet Information Services (IIS) Manager.
Task 2: Verify the Exchange ActiveSync virtual directory configuration

1. 2. 3. 4. 5. 6. On VAN-EX2, in the Exchange Management Console, expand Server Configuration, and then click Client Access. In the result pane, click VAN-EX2, and in the work pane, click the Exchange ActiveSync tab. Right-click Microsoft-Server-ActiveSync, and then click Properties. Review the information on the General tab. Click the Authentication tab. Notice that Basic authentication is enabled. This is acceptable, because you typically would use SSL to secure the credentials in transit. Click OK.
L4-7
Task 3: Connect to the server using Exchange ActiveSync

1. 2. On VAN-CL1, log on as Adatum\Administrator. Click Start, point to All Programs, click Windows Mobile 6 SDK, click Standalone Emulator Images, and under US English, click WM 6.1.4 Professional. 3. 4. 5. 6. 7. 8. While the emulator is booting, in the WM 6.1.4 Professional window, click File, and then click Configure. On the Network tab, select the Enable NE2000 PCMIA network adapter and bind to check box, and then click OK. In Windows Mobile 6 Professional, click Start, and then click Settings. Click the Connections tab, and then double-click Network Cards. On the Configure Network Adapters page, under My network card connects to, click The Internet, and then click NE2000 Compatible Ethernet Driver. Click Use specific IP address, and then enter the following settings: 9. IP address: 10.10.0.51 Subnet mask: 255.255.0.0 Default gateway: 10.10.0.1
On the Name Servers tab, type 10.10.0.10 as the Domain Name System (DNS) server address, and then click OK twice. Close the Settings window.
10. In Windows Mobile 6 Professional, click Start, click Programs, and then click ActiveSync. 11. Read the Microsoft ActiveSync information, and then click the set up your device to sync with it link. 12. On the Enter Email Address page, in the Email address box, type ScottMacDonald@adatum.com, and then click Next. The device will attempt to use Autodiscover to configure the user settings. 13. On the User Information page, type Scott in the User Name field, type Pa$$w0rd in the Password field, and Adatum in the Domain field, and then click Next. 14. On the Edit Server Settings page, in the Server Address field, type VAN-EX2.adatum.com. Clear the This server requires an encrypted (SSL) connection check box. In the ActiveSync message, click OK, and then click Next. 15. In the Choose the data you wish to synchronize box, click Calendar, and then click Settings. 16. In the Synchronize only the past list, click All, and in the upper-right corner, click OK. 17. In the Choose the data you wish to synchronize box, click E-mail, and then click Settings. 18. In the Download the past list, click All, and in the upper-right corner, click OK. 19. Confirm that the Contacts, Calendar, E-mail, and Tasks check boxes are selected, and then click Finish. 20. In the ActiveSync dialog box, click OK. After synchronization is complete, click the X in the upperright corner to close ActiveSync. Close the Programs window. 21. On VAN-CL1, open Internet Explorer, and connect to https://mail.adatum.com/owa. 22. Log on as Adatum\Wei using the password Pa$$w0rd. Click OK. 23. Click New, and then in the To field, type Scott, and then press CTRL+K to resolve the name.
L4-8
24. In the Subject line, type Test Message from Wei. 25. In the message body, type Testing mobile messaging, and then click Send. 26. On VAN-CL1, in Windows Mobile 6 Professional, wait for a minute and then notice the animated Synchronization arrows indicating that the device is synchronizing automatically, triggered by the arrival of a message in Scotts mailbox. Wait for the Windows Mobile device to complete synchronization. 27. At the bottom of the Today screen, view the notification stating that a new message has arrived. Click View. 28. Open the message. Click Reply at the bottom of the message window. 29. In the message body, type Test Reply, and then click Send. 30. Wait until the device finishes synchronizing, and then, on VAN-EX1, in Outlook Web App, click the Check Messages icon or press F5 to refresh the screen, and then confirm that the message from Scott was received. Close Internet Explorer.
Task 4: Create a new Exchange ActiveSync mailbox policy

1. 2. 3. 4. 5. 6. 7. 8. 9. On VAN-EX2, if required, open the Exchange Management Console. In the console tree, expand Organization Configuration, and then click Client Access. In the Actions pane, click New Exchange ActiveSync Mailbox Policy. In the Mailbox policy name box, type EAS Policy 1. Select the Allow non-provisionable devices check box. Confirm that the Allow attachments to be downloaded to device option is selected. Select the Require password check box. Select the Enable password recovery check box. This will enable users to recover their Windows Mobile password through the Exchange Control Panel (ECP). Click New to create the mobile mailbox policy. Read the completion summary, and then click Finish. Notice the Exchange Management Shell command that was used to create the new mobile mailbox policy.
10. Right-click EAS Policy 1, and then click Properties. Notice that the General tab has additional options. 11. Click the Password tab. Notice the additional password-option list that was not available when creating the mobile mailbox policy. 12. On the Sync Settings tab, review the configuration options. 13. On the Device tab, review the configuration options. 14. On the Device Applications tab, review the configuration options. To implement these settings, you must have an Enterprise Client Access License for each mailbox. 15. On the Other tab, review the options for allowing or blocking specific applications, and then click OK. 16. In the console tree, expand Recipient Configuration, and then click Mailbox. 17. In the result pane, right-click Scott MacDonald, and then click Properties. 18. Click the Mailbox Features tab, click Exchange ActiveSync, and then click Properties. 19. In the Exchange ActiveSync Properties dialog box, click Browse. 20. Select EAS Policy 1, and then click OK.
L4-9
21. Click OK twice to save and apply the changes.
Task 5: Validate the Exchange ActiveSync mailbox policy

1. 2. 3. On VAN-CL1, wait for ActiveSync to synchronize, or click Menu, and then click Send/Receive. In the Update Required dialog box, click OK. In the Password and Confirm Password fields, type 12345, and then click OK.
Task 6: Install a root CA on the mobile device

1. 2. 3. 4. 5. 6. 7. 8. 9. On VAN-CL1, click Start, click All Programs, and then click Internet Explorer. Connect to http://van-dc1/certsrv. On the Welcome page, click Download a CA certificate, certificate change, or CRL. On the Download a CA certificate, certificate change, or CRL page, click Download CA certificate chain. In the File download dialog box, click Save. In the Save As dialog box, click Save. Close Internet Explorer, and open it again. Connect to https://mail.adatum.com/owa. Log on as adatum\administrator. Create a new message, with Scott as the recipient. Type a subject of Root Certificate. Attach the certnew.p7b file from the Downloads folder. In Windows Mobile 6 Professional, wait for a minute, and then notice the animated Synchronization arrows. These indicate that the device is synchronizing automatically, and that the arrival of a message in Scotts mailbox triggered the synchronization. Wait for the Windows Mobile device to complete synchronization. At the bottom of the Today screen, view the notification stating that a new message has arrived. Click View. In the message window, double-click certnew.p7b. In the Certificate Installer dialog box, click OK. On VAN-EX2, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager. In Internet Information Services (IIS) Manager, expand VAN-EX2 (ADATUM\administrator), expand Sites, expand Default Web Site, and then click Microsoft-Server-ActiveSync. In the center pane, double-click SSL settings. Select the Require SSL check box, and then click Apply. Close the Internet Information Services (IIS) Manager. On VAN-CL1, in the Windows Professional emulator, click Menu, click Tools, and then click Options. Click Outlook E-mail, and then select the The server requires an encrypted (SSL) connection check box. Click Next two times, and then click Finish. Click Menu, click Send\Receive, and verify that synchronization is successful. If prompted for the password, type Pa$$w0rd.
10. 11. 12. 13. 14. 15. 16. 17. 18. 19. 20.
Task 7: Wipe the mobile device

1. 2. 3. 4. 5. 6. 7. On VAN-CL1, open Internet Explorer, and connect to https://van-ex1.adatum.com/ecp. Click Continue to the website (not recommended). Log on as Adatum\Scott using the password Pa$$w0rd. Click Phone. Notice the PocketPC listed in the Device list. On VAN-EX1, in the Exchange Management Console, under Recipient Configuration, click Mailbox. In the result pane, click Scott Macdonald. In the action pane, click Refresh.
L4-10
In the action pane, click Manage Mobile Phone. On the Manage Mobile Phone page, click Perform a remote wipe to clear mobile phone data, and then click Clear. 10. In the Microsoft Exchange warning message, click Yes, and then click Finish. 11. In Windows Mobile 6 Professional, and wait for the device to synchronize. You can also force synchronization by opening Exchange ActiveSync, and then clicking Sync. Confirm that the device is wiped. If the device goes blank, it is rebooting after performing the remote wipe. 12. On the Windows Mobile 6.1.4 Professional window, click File, and then click Exit.
8. 9.

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps: 1. 2. 3. 4. 5. On the host computer, start Microsoft Hyper-V Manager. Right-click the virtual machine name in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start. To connect to the virtual machine for the next modules lab, click 10135A-VAN-DC1, and then in the Actions pane, click Connect. Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines. 6. 7. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine. Wait for VAN-EX1 to start, and then start VAN-EX2. Connect to the virtual machine.
L5-1
Module 5: Managing Message Transport

Exercise 1: Configuring Internet Message Transport
To prepare for this lab
1. 2. 3. 4. 5. 6. 7. On VAN-EX2, click Start, right-click Network, and click Properties. Click Change adapter settings. Right-click Local Area Connection 2, and click Properties. Click Internet Protocol Version 4 (TCP/IPv4) and click Properties. Change the IP address to 10.10.11.21, and then click OK. Click Close. Click the Start button, and then click Restart. In the Comment field, type Lab restart, and then click OK. After the system is restarted, log on to VAN-EX2 as Adatum\Administrator, using the password Pa$$w0rd.
Note: These preparation steps move VAN-EX2 to a second site defined in AD DS.
Task 1: Configure a Send connector to the Internet

1. 2. 3. 4. 5. 6. 7. 8. 9. On VAN-EX1, click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Console. In Exchange Management Console, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Hub Transport. In the Hub Transport pane, click the Send Connectors tab. In the Actions pane, click New Send Connector. In the New Send Connector window, in the Name box, type Internet Send Connector. In the Select the intended use for this Send connector list, click Internet, and then click Next. On the Address space page, click Add. In the Address field, type *, click OK, and then click Next. On the Network settings page, click Route mail through the following smart hosts, click Add, and then click Fully qualified domain name (FQDN).
10. In the Fully qualified domain name (FQDN) box, type van-dc1.adatum.com, click OK, and then click Next. 11. On the Configure smart host authentication settings page, click Next. 12. On the Source Server page, ensure that VAN-EX1 is listed, and then click Next. 13. On the New Connector page, click New, and then click Finish.
Task 2: Configure a Receive connector to accept Internet messages

1. 2. In Exchange Management Console, expand Server Configuration, click Hub Transport, and then in the Hub Transport pane, click VAN-EX1. In the Actions pane, click New Receive Connector.
L5-2
3. 4. 5. 6. 7. 8. 9.
In the New Receive Connector window, in the Name box, type Internet Receive Connector. In the Select the intended use for this Receive connector list, click Custom, and then click Next. On the Local Network Settings page, click Next. On the Remote Network Settings page, click the red X to delete the entry, and then click Add. In the Address or address range box, type 10.10.0.10, click OK, and then click Next. On the New Connector page, click New, and then click Finish. In the VAN-EX1 pane, double-click Internet Receive Connector.
10. In the Internet Receive Connector window, on the General tab, in the Protocol logging level list, click Verbose. 11. On the Permission Groups tab, select the Anonymous users check box, and then click OK.
Task 3: Enable anti-spam functionality on the Hub Transport server

1. 2. 3. 4. 5. 6. 7. 8. 9. In Exchange Management Console, expand Server Configuration, click Hub Transport, and then click VAN-EX1 in the Hub Transport pane. In the VAN-EX1 pane, verify that only the Receive Connectors tab is available. Click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Shell. At the PS prompt, type cd c:\Program Files\Microsoft\Exchange Server \v14\scripts and press ENTER. At the PS prompt, type .\install-AntispamAgents.ps1, and then press ENTER. Type Restart-Service MSExchangeTransport, and then press ENTER. Wait for the Transport Service to finish restarting. In Exchange Management Console, expand Server Configuration, click Hub Transport, click Refresh in Hub Transport Actions pane, and then click VAN-EX1 in the Hub Transport pane. In the content pane, click the Anti-Spam tab. Expand Organization Configuration, click Hub Transport, and then click the Anti-spam tab.

1. 2. 3. 4. 5. 6. 7. 8. On VAN-EX1, start Microsoft Internet Explorer, and connect to https://VAN-EX1.Adatum.com/OWA. Log on as Adatum\Wei with the password Pa$$w0rd. On the Microsoft Outlook Web App page, click OK. Create and send a new e-mail to Info@Internet.com with the subject Test Mail to Internet. Close Internet Explorer. Switch to Exchange Management Console. On the left pane, expand Microsoft Exchange On-Premises, and then click Toolbox. In the Toolbox pane, double-click Queue Viewer. On the Queues tab, verify that the VAN-DC1.adatum.com queue has a Message Count of 0. Note: If the VAN-DC1.adatum.com message queue is not empty, verify that the Simple Mail Transfer Protocol (SMTP) service is running on VAN-DC1.
L5-3
9.
On VAN-DC1, click Start, point to All Programs, point to Accessories, and then click Command Prompt.
10. At the command prompt, type telnet van-ex1 smtp, and then press ENTER. 11. Type helo, and press ENTER. 12. Type info@internet.com, and press ENTER. Response: 250 2.1.0 Sender OK 13. Type rcpt to:WeiYu@adatum.com, and press ENTER. Response: 250 2.1.5 Recipient OK 14. Type data, and press ENTER. Response: 354 Start mail input; end with <CRLF>.<CRLF> 15. Type Subject: Test from Internet, and press ENTER. 16. Press the PERIOD key, and then press ENTER. 17. Type Quit, and press ENTER. 18. On VAN-EX1, start Internet Explorer, and connect to https://VAN-EX1.adatum.com/OWA. 19. Log on as Adatum\Wei with the password Pa$$w0rd. 20. Verify that the mail with the subject Test from Internet mail has arrived in the Junk E-Mail folder. Close Internet Explorer. Results: After this exercise, you should have configured Internet message transport by configuring Send and Receive connectors, enabling anti-spam functionality, and verifying Internet message delivery.
Exercise 2: Troubleshooting Message Transport

Task 1: Check the routing log, and verify that mail delivery works correctly
1. 2. 3. 4. 5. 6. 7. 8. 9. On VAN-EX1, in Exchange Management Console, click Toolbox. In the Toolbox pane, under Mail flow tools, double-click Routing Log Viewer. In the Routing Log Viewer window, select the File menu, and then click Open log file. In the Open Routing Table Log File dialog box, click Browse server files. In the Open dialog box, select the latest RoutingConfig#... file, and then click Open. On the Active Directory Sites & Routing Groups tab, expand the Active Directory sites until you see the Exchange Servers in their respective sites. Start Internet Explorer, and connect to https://VAN-EX1.adatum.com/OWA. Log on as Adatum\Wei with the password Pa$$w0rd. Create and send a new e-mail to Anna, with the subject Test Mail to VAN-EX2.
10. On VAN-EX2, start Internet Explorer, and connect to https://VAN-EX2.adatum.com/OWA. 11. Log on as Adatum\Anna with the password Pa$$w0rd. 12. On the Microsoft Outlook Web App page, click OK. 13. Reply to the mail Test Mail to VAN-EX2 from Wei.
L5-4
14. Switch back to VAN-EX1, and check the Inbox in Microsoft Outlook Web App to see if the mail has arrived.
Task 2: Troubleshoot message transport

1. 2. 3. 4. 5. 6. 7. 8. 9. On VAN-EX1, in Exchange Management Shell, type d: \labfiles\Lab05Prep1.ps1, and then press ENTER. On VAN-EX1, in Internet Explorer, create and send a new e-mail to Anna with the subject Another Test Mail to VAN-EX2. Close Internet Explorer. Switch to VAN-EX2, and in Outlook Web App, check the Inbox to see if the mail has arrived. Switch to VAN-EX1, and in Exchange Management Console, click Toolbox. In the Toolbox pane, under Mail flow tools, double-click Queue Viewer. On the Queues tab, double-click site2 to open the queue. Verify that the message that Wei sent to Anna is listed in the queue. Then click the Queues tab. On the Queues tab, click Site2, and scroll to the right to view the Last Error column. Read the Last Error message of that Queue.
10. Click Start, point to All Programs, point to Accessories, and then click Command Prompt. 11. At the command prompt, type telnet van-ex2 smtp, and press ENTER. Verify that you receive a Connect failed error. 12. On VAN-EX2, open the Exchange Management Console. Expand Microsoft Exchange On-Premises, expand Server Configuration, click Hub Transport, and then click VAN-EX2 in the Hub Transport pane. 13. On the Receive Connectors tab, notice that only the Client VAN-EX2 connector exists. This is the reason the server does not accept a port 25 connection. 14. In the Actions pane, click New Receive Connector. 15. In the New Receive Connector window, in the Name box, type Internal VAN-EX2. 16. In the Select the intended use for this Receive connector list, click Internal, and then click Next. 17. On the Remote Network settings page, click Next. 18. On the New Connector page, click New, and then click Finish. 19. Switch to VAN-EX1, and in Exchange Management Console, click Toolbox. 20. In the Toolbox pane, under Mail flow tools, click Queue Viewer. 21. Right-click site2, and then click Retry to force an immediate retry of the message delivery. Verify that the queue now has a message count of 0. 22. Switch to VAN-EX2, and check Annas Inbox in Outlook Web App to see that the message is now delivered. Results: After this exercise, you should have verified routing logs, and used the other troubleshooting tools in Exchange Server to troubleshoot message transport.
L5-5
Exercise 3: Troubleshooting Internet Message Delivery

Task 1: Send a message to the Internet, and track it
On VAN-EX2, open Outlook Web App, and from Annas mailbox, create and send a new e-mail to Info@Internet.com with the subject Test Mail to Internet from VAN-EX2.
Task 2: Implement user-based message tracking to verify mail delivery

1. 2. 3. 4. 5. On VAN-EX2, in Outlook Web App, click Options to open the Exchange Control Panel. On the left pane, click Organize E-Mail, and then click the Delivery Reports tab. Click Search. In the Search Results pane, select the message you sent to Info@Internet.com, and click Details. Verify that is the message was sent to a server outside the organization. Close Internet Explorer.
Task 3: Troubleshoot Internet message delivery

1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. 18. 19. 20. On VAN-EX1, in Exchange Management Shell, type d:\ labfiles\Lab05Prep2.ps1, and then press ENTER. On VAN-EX2, start Internet Explorer, and connect to https://VAN-EX2.adatum.com/owa. Log on as Adatum\Anna with the password Pa$$w0rd. Create and send a new e-mail to Info@Internet.com with the subject Another Mail to Internet from VAN-EX2. On VAN-EX1, in Exchange Management Console, click Toolbox. In the Toolbox pane, under Mail flow tools, double-click Message Tracking. An Internet Explorer window opens with Outlook Web App running. Log on as adatum\administrator with the password Pa$$w0rd. If the Choose the language you want to use page appears, click OK. In the Select what to manage drop down list, click My Organization. Click Reporting. On the Delivery Reports tab, in the Mailbox to search field, click Browse, select Anna Lidman in the Select Mailboxes to Search window, and then click OK. Click Search. In the Search Results window, select the message with the subject Another Mail to Internet from VAN-EX2, and then click Details. In the middle pane of the Delivery Report window, notice that the Status of the message is Pending. Review the Delivery Report pane as it lists every route the message has taken in the Exchange Organization. At the end of the list, you will see the reason why the message is pending. Click Close in the Delivery Report pane. In Exchange Management Console, click Toolbox. In the Toolbox pane, under Mail flow tools, double-click Mail Flow Troubleshooter. On the Updates and Customer Feedback page, click Do not check for updates on startup and I dont want to join the program at this time. Click Go to Welcome Screen. On the Exchange Mail Flow Troubleshooter page, in the Enter an identifying label for this analysis text box, type Internet Message Delivery Failure. Under What symptoms are you seeing?, click Messages are backing up in one or more queues on a server. Click Next. On the Enter Server and User Information page, enter the following information, and then click Next: Exchange Server Name: VAN-EX1 Global Catalog Server Name: VAN-DC1
L5-6
21. On the Basic Server Information page, review the information, and then click Next. 22. On the Initial Queue Analysis Results page, click the displayed item, review the information, and then click Next. 23. On the Remote Delivery Queue(s) Initial Analysis Results page, review the information, scroll down, and then click Next. 24. On the DNS Availability Check Results, review the information, and then click Next. 25. On the DNS Record Analysis Results, review the information, and then click Next. 26. On the Remote Delivery Queue(s) DNS Records Analysis Results, notice that the wizard has identified a possible root cause, and then click Next. 27. On the Remote Delivery Queue(s) Connectivity Test Results page, review the information, and then click Next. 28. On the Remote Delivery SMTP Instance Configuration Analysis Results page, click Next. 29. On the Remote SMTP Service Diagnosis Results page, click Next. 30. On the Remote Delivery Queue(s) Message Tracking Log Analysis Results page, click Next. 31. On the Remote Delivery Queue(s) SMTP Commands Analysis Results page, click Next. 32. On the Third-Party Application Analysis Results, click Next. 33. On the View results page, click the Root Causes tab, review the displayed information, and then close the Troubleshooting Assistant. 34. Switch to VAN-DC1, click Start, point to All Programs, point to Accessories, and then click Command Prompt. 35. At the command prompt, type nslookup, and then press ENTER. 36. Type set querytype=MX, and press ENTER. 37. Type internet.com, and press ENTER. The query will timeout, which indicates that the domain name cannot be resolved. This means that the host cannot directly resolve a Domain Name System (DNS) domain and has to use a smart host to send a message to the internet. 38. On VAN-EX1, in Exchange Management Console, expand Organization Configuration, and then click Hub Transport. 39. On the Send Connectors tab, double-click Internet Send Connector. 40. Click the Network tab, select Route mail through the following smart hosts, and then click Add. 41. In the Add smart host dialog box, in the Fully qualified domain name (FQDN) box, type vandc1.adatum.com, click OK, and then click OK again. 42. In Exchange Management Console, click Toolbox. 43. In the Toolbox pane, under Mail flow tools, double-click Queue Viewer. 44. Right-click internet.com, and then click Retry to force message delivery retry. Results: After this exercise, you should have identified and resolved issues in Internet message delivery by using the Exchange Server troubleshooting tools such as Message Tracking and Mail Flow Troubleshooter.

L5-7
Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines. 6. 7. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine. Wait for VAN-EX1 to start, and then start VAN-SVR1. Connect to the virtual machine.
L5-8
L6-1
Module 6: Implementing Messaging Security

Exercise 1: Configuring Edge Transport Servers
Task 1: Install the Edge Transport Server role
1. 2. 3. 4. 5. 6. 7. On VAN-SVR1, click Start, point to All Programs, point to Accessories, and then click Command Prompt. At the command prompt, type d:\Setup /mode:install /role:EdgeTransport, and then press ENTER. Wait for the installation to finish. The installation will take approximately eight to 10 minutes. At the command prompt, type Exit, and press ENTER. Restart VAN-SVR1 and logon as Administrator, using the password Pa$$w0rd. Click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Console. In the Microsoft Exchange window, click OK. In Exchange Management Console, in the left pane, click Edge Transport.
Task 2: Configure Edge Synchronization

1. 2. On VAN-SVR1, click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Shell. In Exchange Management Shell, at the command prompt, type New-EdgeSubscription -FileName c:\VAN-SVR1.xml, and then press ENTER. In the Confirm text box, enter Y, and then press ENTER. Click Start, and in the search box, type \\van-ex1\c$, and then press ENTER. Copy c:\VAN-SVR1.xml to the VAN-EX1\c$. Remember, that in real-world scenarios, it would be a security violation if you are able to copy the EdgeSubscription file directly from the Edge Transport server to the Hub Transport server. Normally, you would use a universal serial bus (USB) device or other means to copy the file. On VAN-EX1, click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Console. In Exchange Management Console, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Hub Transport. In the Hub Transport pane, click the Edge Subscriptions tab. In the Actions pane, click New Edge Subscription. In the New Edge Subscription window, beside Active Directory Site, click Browse. Select DefaultFirst-Site-Name as Active Directory Domain Services site, and then click OK.
3. 4.
5. 6. 7. 8. 9.
10. Beside Subscription file, click Browse. Browse to the C:\ click VAN-SVR1.XML click Open, and then click New. 11. On the Completion page, click Finish.
L6-2
Task 3: Verify that EdgeSync is working and that Active Directory Lightweight Directory
Services contains data
1. 2. 3. 4. 5. 6. 7. 8. 9. On VAN-EX1, click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Shell. In Exchange Management Shell, at the command prompt, type Start-EdgeSynchronization, and then press ENTER. At the command prompt, type Test-EdgeSynchronization, and then press ENTER. Ensure that the result displayed includes SyncStatus: Normal, otherwise you need to wait for another minute and run Test-EdgeSynchronization again. At the command prompt, type Get-User -Identity Wei | ft Name, GUID, and then press ENTER. Write down the first eight characters of the globally unique identifier (GUID) in your notes. Switch to VAN-SVR1, click Start, point to All Programs, point to Accessories, and then click Command Prompt. At the command prompt, type LDP, and then press ENTER. In the LDP window, click Connection on the menu bar, and then click Connect.
10. In the Connect window, type VAN-SVR1 in the Server box, type 50389 in the Port box, and then click OK. 11. Click Connection on the menu bar, and then click Bind. 12. In the Bind window, in the Bind type pane, click Bind as currently logged on user, and then click OK. 13. Click View on the menu bar, and then click Tree. 14. In the Tree View dialog box, clear any entry in the BaseDN field, and then click OK. 15. In the LDP window, in the left pane, double-click OU=MSExchangeGateway to expand it. 16. Double-click CN=Recipients,OU=MSExchangeGateway. 17. By using the GUID you entered in previous steps, you can locate the recipient. It starts with CN=<GUID>. After you find it, double-click the recipient GUID, and review the data that is available for this recipient. Close LDP.

1. 2. 3. 4. 5. 6. 7. 8. 9. On VAN-EX1, in Exchange Management Console, expand Organization Configuration, and then click Hub Transport. Click the Send Connectors tab. Double-click EdgeSync - Default-First-Site-Name to Internet. Click the Network tab, click Route mail through the following smart hosts, and then click Add. In the IP address field, type 10.10.0.10, and then click OK twice. In Exchange Management Shell, type Start-EdgeSynchronization, and then press ENTER. At the command prompt, type Exit, and then press ENTER. Start Windows Internet Explorer, and connect to https://VAN-EX1.adatum.com/owa. Log on as Adatum\Wei using the password Pa$$w0rd.
10. On the Microsoft Outlook Web App page, click OK.
L6-3
11. Create and send a new e-mail to Info@Internet.com with the subject Test Mail to Internet. 12. Verify that you do not get a non-delivery report message. Results: After this exercise, you should have installed an Edge Transport server role, and configured Edge Synchronization between a Hub Transport and an Edge Transport server.
Exercise 2: Configuring Forefront Protection 2010 for Exchange Servers

Task 1: Install Microsoft Forefront Protection 2010 for Exchange Server
1. 2. 3. 4. 5. 6. 7. 8. 9. On the host computer, in the Hyper-V Manager Microsoft Management Console (MMC), right-click the 10135A-VAN-SVR1 virtual machine, and then click Settings. In the Settings for 10135A-VAN-SVR1 dialog box, in the Hardware section, expand IDE Controller 1, and then click DVD Drive. In the details pane, click Image file, and type C:\Program Files\Microsoft Learning\10135\Drives\ForeFrontInstall.iso in the field, and click OK. On VAN-SVR1, close the Autoplay dialog box. Click Start, in the Search field, type D:\, and then press ENTER. In Windows Explorer, double-click forefrontexchangesetup.exe. In the Setup Wizard Window, on the License Agreement page, click I agree to the terms of the license agreement and privacy statement, and then click Next. On the Service Restart page, click Next. On the Installation Folders page, click Next. On the Proxy Information page, click Next.
10. On the Antispam Configuration page, click Enable antispam later, and then click Next. 11. On the Microsoft Update page, click I dont want to use Microsoft Update, and then click Next. 12. On the Customer Experience Improvement Program page, click Next. 13. On the Confirm Settings page, click Next. Wait for the installation to finish. It will take about five minutes. 14. On the Installation Results page, click Finish. Close Windows Explorer.
Task 2: Configure Forefront Protection 2010 for Exchange Server

1. 2. 3. 4. 5. 6. 7. On VAN-SVR1, click Start, point to All Programs, point to Microsoft Forefront Server Protection, and then click Forefront Protection for Exchange Server Console. In the Evaluation License Notice window, click OK. In the Forefront Protection 2010 for Exchange Server Administrator Console window, in the left pane, click Policy Management. In the Policy Management pane, under Antimalware, click Edge Transport. On the Antimalware - Edge Transport page, in the Engines and Performance pane, select the Scan with all engines option. In the Scan Actions pane, click Delete in the Virus list. On the Antimalware - Edge Transport page, click Save.
L6-4
8. 9.
In the Policy Management pane, expand Global Settings, and then click Advanced Options. On the Global Settings - Advanced Options page, in the Threshold Levels pane, increase the value of Maximum nested depth compressed files to 10 and Maximum nested attachments to 50.
10. Under Intelligent Engine Management, select Manual in the Engine management drop-down list. 11. In the Update scheduling table, click Norman Virus Control, and then click Edit Selected Engines button. 12. In the Edit Selected Engine dialog box, in the Update frequency pane, verify that the Check for updates every check box is selected, type 00:30 in the box, and then click Apply and Close. 13. On the Global Settings - Advanced Options page, click Save. Results: After this exercise, you should have installed Forefront Protection 2010 for Exchange and configured it. You also should have tested the antivirus functionality of Forefront Protection 2010 for Exchange.

L6-5
Lab B: Implementing Anti-Spam Solutions

Exercise 1: Configuring an Anti-Spam Solution on Edge Transport Servers
Task 1: Configure Domain Name System (DNS) for Internet message delivery
1. 2. 3. 4. 5. On VAN-DC1, click Start, point to Administrative Tools, and click DNS. Expand Forward Lookup Zones, and then click Adatum.com. Right-click Adatum.com, and then click New Mail Exchanger (MX). In the New Resource Record dialog box, in the Fully qualified domain name (FQDN) of mail server box, type VAN-SVR1.Adatum.com. Click OK, and close DNS Manager.
Task 2: Configure global SCL for junk mail delivery

1. 2. 3. 4. 5. 6. 7. 8. 9. On VAN-SVR1, click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Console. In Exchange Management Console, click Edge Transport. In the Edge Transport pane, select VAN-SVR1, and then click the Anti-spam tab. In the Anti-spam pane, double-click Content Filtering. In the Content Filtering Properties window, click the Action tab. In the Action tab, clear the Reject messages that have an SCL rating greater than or equal to check box, and then click OK. On VAN-EX1, click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Shell. In Exchange Management Shell, type Set-OrganizationConfig -SCLJunkThreshold 6, and then press ENTER. At the PS prompt, type D:\labfiles\Lab6Prep.ps1, and then press ENTER. This will send 11 messages with the following spam confidence level (SCL) ratings: Mail sender Msg1@contoso.com Msg2@contoso.com Msg3@contoso.com Msg4@contoso.com Msg5@contoso.com Msg6@contoso.com Msg7@contoso.com Msg8@contoso.com Msg9@contoso.com Msg10@contoso.com Msg11@contoso.com SCL level 7 8 7 7 8 6 8 7 6 6 8
L6-6
10. On VAN-EX1, start Internet Explorer, and connect to https://VAN-EX1.adatum.com/OWA. 11. Log on as Adatum\Wei using the password Pa$$w0rd. 12. In the Mail pane, click Inbox. You should see three new messages in the Inbox. If not, wait for another minute until they arrive. 13. In the Inbox pane, double-click the message from Msg10@contoso.com. 14. In the message window, click Message Details on the toolbar. 15. In the Message details window, identify the SCL level of this message by looking for X-MSExchange-Organization-SCL in the Internet Mail Headers box. Then click Close to close Message Details. Close the message window. 16. In the Mail pane, click Junk E-Mail. You should see eight new messages in the Junk E-Mail folder that have been identified as junk mail as their SCL level was more than six. You can verify this by looking at the Message Details of the messages. 17. Delete all messages in the Inbox and Junk E-Mail folders.
Task 3: Configure content filtering to reject junk messages

1. 2. 3. 4. 5. 6. 7. On VAN-SVR1, click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Console. In Exchange Management Console, click Edge Transport. In the Edge Transport pane, select VAN-SVR1, and then click the Anti-spam tab. In the Anti-spam pane, double-click Content Filtering. In the Content Filtering Properties window, click the Action tab. In the Action tab, select the Reject messages that have an SCL rating greater than or equal to check box, configure it to 7, and then click OK. On VAN-EX1, in Exchange Management Shell, type: D:\labfiles\Lab6Prep.ps1 and then press ENTER. This will send the 11 messages again, but notice that the Content Filter agent rejects all messages as spam if they have a SCL level of 7 or more. Thus, only three messages will reach Weis Inbox, and the other messages should not be delivered to the users Junk E-Mail folder. On VAN-EX1, start Internet Explorer, and connect to https://VAN-EX1.adatum.com/OWA. Log on as Adatum\Wei using the password Pa$$w0rd.
8. 9.
10. In the Mail pane, click Inbox. Notice the three new messages in the Inbox. 11. To delete all messages in the Inbox, select them, and then click Delete.
Task 4: Configure an IP Allow List

1. 2. 3. 4. 5. 6. 7. On VAN-SVR1, in Exchange Management Console, click the Anti-spam tab. In the Anti-spam pane, double-click IP Allow List. In the IP Allow List Properties window, click the Allowed Addresses tab. On the Allowed Addresses tab, click Add. In Add Allowed IP Address window, type 10.10.0.10 in the Address or address range box, and then click OK. On the Allowed Address tab, click OK. On VAN-EX1, in Exchange Management Shell, type: D:\ labfiles\Lab6Prep.ps1, and then press ENTER.
L6-7
8. 9.
On VAN-EX1, start Internet Explorer, and connect to https://VAN-EX1/OWA. Log on as Adatum\Wei using the password Pa$$w0rd.
10. In the Mail pane, click Inbox. You should see 11 new messages in the Inbox. 11. Double-click one message, and review the Message Detail. The SCL rating should be -1. When the sending SMTP server is added to the IP Allow List, content filtering is not applied to the messages. 12. To delete all messages in the Inbox, select them, and then click Delete.
Task 5: Configure a Block List Provider

1. 2. 3. 4. 5. On VAN-SVR1, in Exchange Management Console, click the Anti-spam tab. In the Anti-spam pane, double-click IP Block List Providers. In the IP Block List Properties window, click the Providers tab. On the Providers tab, click Add. In the Add IP Block List Provider window, type Spamhaus in the Provider name box, type zen.spamhaus.org in the Lookup domain box, and then click OK twice. Results: After this exercise, you should have configured different SCL levels, and verified the behavior of junk mail in user mailboxes. You should also have configured a Block List Provider.

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps: 1. 2. 3. 4. 5. On the host computer, start Hyper-V Manager. Right-click the virtual machine name in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start. To connect to the virtual machine for the next modules lab, click 10135A-VAN-DC1, and then in the Actions pane, click Connect. Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines. 6. 7. 8. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine. Wait for VAN-EX1 to start, and then start VAN-EX2. Connect to the virtual machine. Wait for VAN-EX2 to start, and then start VAN-EX3. Connect to the virtual machine.
L6-8
L7-1
Module 7: Implementing High Availability

Exercise 1: Deploying a DAG
Task 1: Create a DAG named DAG1 using the Exchange Management Shell
On VAN-EX1, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Shell. 2. At the PS prompt, type New-DatabaseAvailabilityGroup Name DAG1 WitnessServer VAN-DC1 -WitnessDirectory C:\FSWDAG1 -DatabaseAvailabilityGroupIPAddress 10.10.0.80, and then press ENTER. 3. At the PS prompt, type Add-DatabaseAvailabilityGroupServer DAG1 MailboxServer VAN-EX1, and then press ENTER. 4. On VAN-EX2, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console. 5. In the Console Tree, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Mailbox. 6. In the Results pane, click the Database Availability Groups tab. 7. In the Work pane, on the Database Availability Groups tab, right-click DAG1, and then click Manage Database Availability Group Membership from the context menu. 8. In the Manage Database Availability Group Membership Wizard, click Add. 9. In the Select Mailbox Server dialog box, click VAN-EX2, and then click OK. 10. In the Manage Database Availability Group Membership Wizard, click Manage to complete the changes, wait for the installation to finish, and then click Finish to close the wizard. 1.
Task 2: Create a mailbox database copy of the Accounting database

1. 2. 3. 4. 5. 6. 7. 8. On VAN-EX1, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console. In the Console Tree, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Mailbox. In the Results pane, click the Database Management tab. In the Results pane, click Accounting, and then in the Actions pane, click Add Mailbox Database Copy. In the Add Mailbox Database Copy Wizard, click Browse to select the server to which to add the copy. In the Select Mailbox Server dialog box, click VAN-EX2, and then click OK. In the Add Mailbox Database Copy Wizard, click Add to create the copy of the Accounting mailbox database. Review the results, and then click Finish.
Task 3: Verify successful completion of database copying

1. 2. 3. 4. In the Results pane, click the Database Management tab, and then click Accounting. In the bottom Work pane, view the Copy Status column for each database copy. Click the Accounting entry that has a Healthy copy status, right-click it, and then choose Properties from the context menu. View the Status, Copy queue length, and Replay queue length on the General tab, and then click on the Status tab.
L7-2
5.
On the Status tab, view the Seeding, Latest available log time, Last inspected log time, Last copied log time, and Last replayed log time properties, and then click OK.
Task 4: Suspend the Accounting database copy on VAN-EX2

1. 2. 3. 4. 5. In the Results pane, on the Database Management tab, click Accounting. In the bottom Work pane, view the Copy Status column for each database copy. Click the Accounting entry that has a Healthy copy status, right-click on it, and then choose Suspend Database Copy from the context menu. In the Suspend Mailbox Database Copy dialog box, type Software Updates being applied, and then click Yes. In the bottom Work pane, view the Copy Status column for each database copy. The copy status will turn to Suspended.
Results: After this exercise, you should have created a DAG and a mailbox database copy of the Accounting database. The Accounting database copy on VAN-EX2 should remain in a suspended state.
Exercise 2: Deploying Highly Available Hub Transport and Client Access Servers
Task 1: Create and configure a client access array for CASArray.adatum.com
On VAN-EX1, in the Exchange Management Shell, at the PS prompt, type New-ClientAccessArray FQDN casarray.adatum.com Name CASArray.adatum.com Site Default-First-Site-Name, and then press ENTER.
Task 2: Assign the client access array to the databases

1. 2. At the PS prompt, type Get-MailboxDatabase, and then press ENTER. At the Exchange Management Shell prompt, type Get-MailboxDatabase |Set-MailboxDatabase RpcClientAccessServer casarray.adatum.com, and then press ENTER.
Results: At the end of this exercise, you should have created a client access array and assigned it to the databases.
Exercise 3: Testing the High Availability Configuration

Task 1: Create a SMTP connector associated with VAN-EX1 and
VAN-EX2
1. 2. 3. 4. 5. 6. 7. On VAN-EX2, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console. In the Console Tree, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click on Hub Transport. Click the Send Connectors tab, and then in the Actions pane, click New Send Connector. In the Name box, type Internet Mail. In the Select the intended use for this Send connector drop-down menu, select Internet, and then click Next. On the Address space page, click Add. In the SMTP Address space dialog box, in the Address box, type *, click OK, and then click Next on the Address space page.
L7-3
8. 9. 10. 11. 12. 13. 14. 15. 16.
On the Network Settings page, click Route mail through the following smart hosts, and then click Add. In the Add smart host dialog box, click Fully qualified domain name (FQDN). In the Fully qualified domain name (FQDN) box, type van-dc1.adatum.com, and then click OK. On the Network settings page, click Next. On the Configure smart host authenticates settings page, ensure None is selected, and then click Next. On the Source server page, click Add. On the Select Hub Transport or Subscribed Edge Transport Server dialog box, hold the CTRL key, click VAN-EX1 and VAN-EX2, and then click OK. On the Source server page, click Next. Click New to create the connector, and then click Finish to close the wizard.
Task 2: Stop the SMTP server on VAN-DC1

1. 2. 3. On VAN-DC1, click Server Manager from the quick launch bar. In the Console Tree, expand Configuration, and then click Services. In the Results pane, click Simple Mail Transfer Protocol (SMTP), and then in the Actions pane, under Simple Mail Transfer Protocol (SMTP) click More Actions, and then click Stop.
Task 3: Send an e-mail to an internal user and an external SMTP address

1. 2. 3. 4. 5. 6. 7. On VAN-EX1, open Windows Internet Explorer, and connect to https://VANEX1.adatum.com/owa. Log on as Adatum\Jason with a password of Pa$$w0rd. Jasons mailbox is on VAN-EX3. Click OK. Click New to create a new e-mail message. In the To box, type terry@contoso.com; janedow@adatum.com;. In the Subject box, type Shadow Redundancy. In the message body, type Test email, and then click Send. Close Internet Explorer.
Task 4: Use Queue Viewer to locate the message in the queue

1. 2. 3. On VAN-EX2, in the Exchange Management Console, click Toolbox. In the Results pane, double-click Queue Viewer. On the Queues tab, locate the entry with van-dc1.adatum.com as the next hop domain. If the message is not visible, then complete the following steps: a. b. c. d. 4. 5. 6. 7. 8. 9. 10. 11. 12. Click Connect to Server in the Actions pane. On the Connect to Server dialog box, click Browse. On the Select Exchange Server dialog box, click VAN-EX1, click OK, and then click Connect. On the Queues tab, locate the entry with the van-dc1.adatum.com as the next hop domain.
In the Actions pane, click Connect to Server. On the Connect to Server dialog box, click Browse. On the Select Exchange Server dialog box, click VAN-EX3, click OK, and then click Connect. Click the Queues tab, and then click Create Filter. In the first drop-down menu, select Delivery Type. In the second drop-down menu, select Equals. In the third drop-down menu, select Shadow Redundancy. Click Apply Filter. Examine the shadow-redundancy queue contents.
L7-4
13. 14. 15. 16. 17. 18.
Click on the Messages tab, and then click Create Filter. In the first drop-down menu, select From Address. In the second drop-down menu, select Equals. In the third drop-down menu, type JasonCarlson@adatum.com. Click Apply Filter. Examine the message in the VAN-EX3\Shadow queue.
Task 5: Start SMTP service on VAN-DC1 to allow delivery of the queued message
1. 2. On VAN-DC1, in Server Manager, expand Configuration, and then click on Services. In the Results pane, click Simple Mail Transport Protocol (SMTP), and then in the Actions pane, under Simple Mail Transfer Protocol (SMTP), click More Actions, and then click Start.
Task 6: Verify that the messages were removed from the shadow redundancy queue
1. 2. 3. On VAN-EX2, in the Queue Viewer, verify that you are connected to VAN-EX3. Click the Queues tab, and verify that the Shadow Redundancy filter is still being applied. Examine the contents of the shadow redundancy queue.
Note: You may need to wait a few minutes for the message to be removed from the Shadow redundancy queue.
Task 7: Verify the copy status of the Accounting database, and resume the database
copy
1. 2. 3. On VAN-EX1, in the Exchange Management Console, locate the Console Tree, expand Organization Configuration, and then click Mailbox. In the Results pane, click the Database Management tab, and then click Accounting. In the bottom Work pane, view the Copy Status column for each database copy, click the Accounting entry that has a Suspended copy status, right-click on it, and then choose Properties from the context menu. View the Status, Copy queue length, and Replay queue length on the General tab, and then click on the Status tab. On the Status tab, view the Seeding, Latest available log time, Last inspected log time, Last copied log time, and Last replayed log time properties, and then click OK. Click the Accounting entry that has a Suspended copy status, right-click on it, and then choose Resume Database Copy from the context menu. On the Resume Mailbox Database Copy dialog box, click Yes. Wait until the copy status of the Accounting database copy on VAN-EX2 is Healthy. You may need to refresh the display.
4. 5. 6. 7. 8.
Task 8: Perform a switchover on the Accounting database to make the VAN-EX2 copy
active
1. In the bottom Work pane, view the Copy Status column for each database copy, click the Accounting entry that has a Healthy copy status, right-click on it, and then choose Activate Database Copy from the context menu. In the Activate Database Copy dialog box, verify None is selected, and then click OK.
2.
L7-5
Task 9: Simulate a server failure

1. 2. 3. On VAN-EX1, in the Results pane, click the Database Management tab. Wait until the Accounting database copy status for VAN-EX1 is Healthy. In Hyper-V Manager, select 10135A-VAN-EX2, and then click Revert in the Actions pane. In the Revert Virtual Machine dialog box, click Revert. View the status of the Accounting database in the Results pane. The database copy on VAN-EX1 will change to a Mounted status, and the database copy on VAN-EX2 will have a ServiceDown status. Results: After this exercise, you should have verified that the mailbox databases could fail over and switch between DAG servers, and that Hub Transport shadow redundancy is working properly.

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps: 1. 2. 3. 4. 5. On the host computer, start Hyper-V Manager. Right-click the virtual machine name in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start. To connect to the virtual machine for the next modules lab, click 10135A-VAN-DC1, and then in the Actions pane, click Connect. Important: Start the VAN-DC1 virtual machine first, and ensure that it starts fully before starting the other virtual machines. 6. 7. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine. Wait for VAN-EX1 to start, and then start VAN-SVR1. Connect to the virtual machine.
L7-6
L8-1
Module 8: Implementing Backup and Recovery

Exercise 1: Backing Up Exchange Server 2010
Task 1: Populate a mailbox
1. 2. 3. 4. 5. 6. 7. 8. 9. On VAN-EX1, click Start, point to All Programs, and then click Internet Explorer. In the Address bar, type https://VAN-EX1.adatum.com/owa, and then press ENTER. Log on as Adatum\Parna with a password of Pa$$w0rd. Click OK to accept the default Microsoft Outlook Web App settings. Click New to create a new message. In the To box, type George. In the Subject box, type Message before Backup, and then click Send. Close Windows Internet Explorer. On VAN-EX1, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Shell. 10. At the PS prompt, type Restart-Service MSExchangeIS, and then press ENTER.
Task 2: Perform a backup of the mailbox database using Windows Server Backup
1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. On VAN-EX1, click Start, click All Programs, click Administrative Tools, and then click Server Manager. In Server Manager, click Features, and then on the Features Summary pane, click Add Features. In the Add Features Wizard, expand Windows Server Backup Features, click Windows Server Backup, and then click Next. On the Confirm Installation Selections page, click Install. When the installation finishes, click Close. Click Start, click All Programs, click Administrative Tools, and then click Windows Server Backup. In Windows Server Backup, on the Actions pane, click Backup Once. In the Backup Once Wizard, on the Backup Options page, select Different options, and then click Next. On the Select Backup Configuration page, select Custom, and then click Next. On the Select Items for Backup page, click Add items, check Local disk (C:) in the Select Items window, and then click OK. On the Select Items for Backup page, click Advanced Settings, click on the VSS Settings tab, select VSS full Backup, click OK, and then click Next. On the Specify Destination Type page, select Remote shared folder, and then click Next. On the Specify Remote Folder page, in the Location field, type \\VAN-DC1\Backup, and then click Next. On the Confirmation page, click Backup. The backup will take approximately 15 to 20 minutes On the Backup Progress page, click Close.
Task 3: Delete messages in mailboxes

1. 2. 3. 4. 5. 6. 7. Click Start, point to All Programs, and then click Internet Explorer. In the Address bar, type https://VAN-EX1.adatum.com/owa, and then press ENTER. Log on as Adatum\George with a password of Pa$$w0rd. Click OK to accept the default Outlook Web App settings. Right-click the message with the subject Message before Backup, and then click Delete. In the left pane, right-click Deleted Items, and then click Empty Deleted Items. In Empty Deleted Items box, click Yes.
L8-2
8. 9. 10. 11. 12. 13. 14.
Close Internet Explorer. Open Internet Explorer and connect to https://VAN-EX1.adatum.com/owa, and then press ENTER. Log on as Adatum\Parna with a password of Pa$$w0rd. Click Sent Items, and delete all messages in the folder. In the left pane, right-click Deleted Items, and then click Empty Deleted Items. In the Empty Deleted Items box, click Yes. Close Internet Explorer.
Results: After this exercise, you should have created a backup of an Exchange Server database, and deleted messages.
Exercise 2: Restoring Exchange Server Data

Task 1: Restore the database using Windows Backup
1. 2. 3. 4. 5. 6. 7. On VAN-EX1, click Start, click All Programs, click Administrative Tools, and then click Windows Server Backup. In Windows Server Backup, on the Actions pane, click Recover. In the Recovery Wizard, on the Getting Started page, select This Server (VAN-EX1), and then click Next. On the Select Backup Date page, click Next. On the Select Recovery Type page, select Applications, and then click Next. On the Select Application page, select Exchange, and then click Next. On the Specify Recovery Options page, click Recover to another location, click Browse, expand Computer, click Local Disk (C:), click Make New Folder, enter DBBackup, click OK, and then click Next. On the Confirmation page, click Recover. On the Recovery Progress page, click Close. Close Windows Server Backup.
8. 9.
Task 2: Create a recovery database by using the backup files

1. On VAN-EX1, at the Exchange Management Shell prompt, type New-MailboxDatabase -Name RecoverDB -Server VAN-EX1 -EDBFilePath c:\DBBackup\C_\Program Files\Microsoft\Exchange Server\V14\Mailbox\Accounting\Accounting.edb -Logfolderpath c:\DBBackup\C_\Program Files\Microsoft\Exchange Server\V14\Mailbox\AccountingRecovery, and then press ENTER. At the Exchange Management Shell prompt, type cd c:\dbbackup\c_\Program Files\Microsoft\Exchange Server\v14\Mailbox\Accounting, and then press ENTER. At the Exchange Management Shell prompt, type eseutil /R E02 /i /d and then press ENTER. At the Exchange Management Shell prompt, type Mount-Database RecoverDB, and then press ENTER. At the Exchange Management Shell prompt, type Get-MailboxStatistics -Database RecoverDB, and then press ENTER.
2.
3. 4. 5.
Task 3: Recover a mailbox from the recovery database

1. 2. 3. At the Exchange Management Shell prompt, type Restore-Mailbox -Identity ParnaKhot RecoveryDatabase RecoverDB, and then press ENTER. At the Confirm prompt, type Y, and then press ENTER. Click Start, point to All Programs, and then click Internet Explorer.
L8-3
4. 5. 6. 7. 8.
In the Address bar, type https://VAN-EX1.adatum.com/owa, and then press ENTER. Log on as Adatum\Parna with a password of Pa$$w0rd. Verify that the deleted message is available in the Sent Items folder. Close Internet Explorer. At the Exchange Management Shell prompt, type Remove-Mailboxdatabase -Identity RecoverDB, and then press ENTER. Type Y, and then press ENTER. Results: After this exercise, you should have created a recovery database, and restored a complete mailbox from the recovery database to their original locations.
Exercise 3: Restoring Exchange Servers (optional)

Task 1: Shutdown VAN-EX1, and reset the computer account
1. 2. 3. 4. 5. 6. On the host computer, open Hyper-V Manager, right-click 10135A-VAN-EX1, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. On VAN-DC1, click Start, point to Administrative Tools, and then click Active Directory Users and Computers. Under Adatum.com, click Computers. In the right pane, right-click VAN-EX1, click Reset Account, and then in the Active Directory Domain Services dialog box, click Yes, and then click OK. Close Active Directory Users and Computers.
Task 2: Prepare VAN-SVR1 as VAN-EX1

1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. On VAN-SVR1, click Start, right-click Computer, and then click Properties. In the System window, in the Computer name, domain, and workgroup settings pane, click Change settings. On the Computer Name tab, click Change. In the Computer Name/Domain Changes dialog box, in the Computer name field, type VAN-EX1, and then click OK. In the System Properties dialog box, click OK, click Close, and then click Restart Now to restart the computer. After the computer restarts, log on as Administrator using a password of Pa$$w0rd. Click Start, right-click Computer, and then click Properties. In the System window, in the Computer name, domain, and workgroup settings pane, click Change settings. On the Computer Name tab, click Change. Under Member of, click Domain, type Adatum.com, and then click OK. In the Computer Name Changes dialog box, in the User name field, type Administrator. In the Password field, type Pa$$w0rd, and then click OK. In the Computer Name/Domain Changes dialog box, click OK, and then click OK again. In the System Properties dialog box, click OK, click Close, and then click Restart Now to restart the computer. After the computer restarts, log on as adatum\Administrator using a password of Pa$$w0rd.
Task 3: Install Exchange Server 2010 with the RecoverServer mode

1. On VAN-SRV1, click Start, click Run, and then in the Open box, type d:\setup /m:RecoverServer, and then press ENTER. The installation takes approximately 15 minutes.
L8-4
2. 3. 4. 5. 6. 7. 8.
Click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Console. In Exchange Management Console, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Mailbox. In the Mailbox pane, on the Database Management tab, right-click Accounting, and then click Properties. In Accounting Properties, click on the Maintenance tab, click This database can be overwritten by a restore, and then click OK. Repeat steps 4 and 5 for Mailbox Database 1. In the Mailbox pane, on the Database Management tab, right-click Public Folder Database 1, and then click Properties. In Public Folder Database 1 Properties, on the General tab, click This database can be overwritten by a restore, and then click OK.
Task 4: Recover the mailbox databases from backup

On VAN-SVR1, click Start, click All Programs, click Administrative Tools, and then click Windows Server Backup. 2. In Windows Server Backup, on the Actions pane, click Recover. 3. In the Recovery Wizard, on the Getting Started page, select A backup stored on another location, and then click Next. 4. On the Specify Location Type page, click Remote Shared Folder, and then click Next. 5. On the Specify Remote Folder page, type \\van-dc1\backup, and then click Next. 6. On the Select Backup Date page, click Next. 7. On the Select Recovery Type page, select Applications, and then click Next. 8. On the Select Application page, select Exchange, and then click Next. 9. On the Specify Recovery Options page, click Recover to original location, and then click Next. 10. On the Confirmation page, click Recover. 11. On the Recovery Progress page, click Close. 1.
Task 5: Test the recovery

1. 2. 3. 4. 5. 6. 7. 8. On VAN-EX1, in Exchange Management Console, under Organization Configuration, click Mailbox. In the Mailbox pane, on the Database Management tab, right-click Accounting, and then click Mount Database. Mount Mailbox Database 1 and Public Folder Database 1. On VAN-DC1, click Start, point to All Programs, and then click Internet Explorer. In the Address bar, type https://VAN-EX1.adatum.com/owa, and then press ENTER. Click Continue to this website (not recommended). Log on as Adatum\Parna with a password of Pa$$w0rd, and then click OK. Verify that the mailbox is accessible. Results: After this exercise, you should have recovered a complete Exchange server by using a different Windows Server, renaming it, installing Exchange Server in /m:RecoverServer mode, and recovering the Exchange Server database from a backup. You have also tested the recovery.

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps: 1. On the host computer, start Microsoft Hyper-V Manager.
L8-5
2. 3. 4. 5.
Right-click the virtual machine name in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start. To connect to the virtual machine for the next modules lab, click 10135A-VAN-DC1, and then in the Actions pane, click Connect. Important: Start the VAN-DC1 virtual machine first, and ensure that it starts fully before starting the other virtual machines.
6. 7.
L8-6
L9-1
Module 9: Configuring Messaging Policy and Compliance

Exercise 1: Configuring Transport Rules
To start the lab, complete the following steps
On VAN-EX1, click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Console. 2. Expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Hub Transport. 3. In the Actions pane, click New Send Connector. 4. On the Introduction page, type Internet Connector as the connector name. In the Select the intended use for this Send connector drop-down list, click Internet, and then click Next. 5. On the Address space page, click Add. 6. In the Address field, type *, click OK, and then click Next. 7. On the Network settings page, click Route mail through the following smart hosts, and click Add. 8. In the IP address field, type 10.10.0.10, click OK, and then click Next. 9. On the Configure smart host authentication settings page, click Next. 10. On the Source Server page, click Next, click New, and then click Finish. 1.
Task 1: Create a transport rule that adds a disclaimer to all messages sent to the Internet
On VAN-EX1, in the Exchange Management Console, expand Organization Configuration, click Hub Transport, and then click New Transport Rule. 2. On the Introduction page, in the Name box, type Internet E-Mail Disclaimer, and then click Next. 3. On the Conditions page, in the Step 1: Select condition(s) area, select the sent to users that are inside or outside the organization, or partners check box. 4. In the Step 2: Edit the rule description by clicking an underlined value area, click Inside the organization. 5. In the Select scope dialog box, under Scope, click Outside the organization, and then click OK. 6. On the Conditions page, click Next. 7. On the Actions page, in the Step 1: Select Action(s) area, select append disclaimer text and fallback to Action if unable to apply. 8. In the Step 2: Edit the rule description by clicking an underlined value area, click disclaimer text. 9. In the Specify disclaimer text box, type This e-mail is intended solely for the use of the individual to whom it is addressed., and then click OK. 10. On the Actions page, click Next. 11. On the Exceptions page, click Next, review the rule description, click New, and then click Finish. 1.
Task 2: Configure and enable message classifications for Outlook 2007 clients
1. 2. On VAN-EX1, open the Exchange Management Shell. At the PS prompt, type new-messageclassification -Name CompanyConfidential displaynameCompany Confidential -senderdescription Do not forward to the Internet, and then press ENTER. At the PS prompt, type cd c:\Program Files\Microsoft\Exchange Server \v14\scripts, and then press ENTER.
3.
L9-2
4. 5. 6. 7. 8. 9.
At the PS prompt, type .\Export-OutlookClassification.ps1 > c:\classifications.xml, and then press ENTER. On VAN-CL1, click Start, type \\van-ex1\c$, and then press ENTER. Copy the \\VAN-EX1\c$\classifications.xml file to the C: drive. Provide the administrator credentials to complete the copy. Click Start, type \\van-ex1\d$\Labfiles, and then press ENTER. Double-click EnableClassification.reg. Click Yes, and then click OK. Close Windows Explorer.
Task 3: Create a transport rule that blocks all messages with a Company Confidential
classification from being sent to the Internet
On VAN-EX1, in the Exchange Management Console, in the Actions pane, click New Transport Rule. On the Introduction page, in the Name box, type Company Confidential Rule, and then click Next. On the Conditions page, in the Step 1: Select condition(s) area, select the marked with classification check box. 4. In the Step 2: Edit the rule description by clicking an underlined value area, click classification. 5. In the Select message classification dialog box, click Company Confidential, and then click OK. 6. On the Conditions page, click Next. 7. On the Actions page, in the Step 1: Select Action(s) area, select the send rejection message to sender with enhanced status code check box. 8. In the Step 2: Edit the rule description by clicking an underlined value area, click rejection message. 9. In the Specify rejection message dialog box, type Company confidential e-mails cannot be sent to the Internet, and then click OK. 10. Click enhanced status code, type 5.7.1, and then click OK. 11. On the Actions page, click Next. 12. On the Exceptions page, click Next, review the rule description, click New, and then click Finish. 1. 2. 3.
Task 4: Enable AD RMS integration for the organization

1. 2. 3. 4. 5. 6. 7. 8. On VAN-DC1, open Windows Explorer, browse to C:\inetpub\wwwroot\_wmcs\certification, right-click servercertification.asmx, and then click Properties. In the Server Certification.asmx Properties dialog box, on the Security tab, click Edit. In the Permissions for Server Certification.asmx dialog box, click Add. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types, select the Computers check box, and then click OK. In the Enter the object names to select field, type Exchange Servers , and then click OK. Click Add. In the Enter the object names to select field, type IIS_IUSRS, and then click OK three times. On VAN-DC1, open a command prompt, type IISReset, and then press ENTER. Wait for the service to restart, and then close the command prompt. On VAN-EX1, in the Exchange Management Shell, at the PS prompt, type set-irmconfiguration InternalLicensingEnabled $true, and then press ENTER. This cmdlet enables AD RMS encryption for messages sent inside the organization.
L9-3
Task 5: Configure a transport rule that applies the Do Not Forward AD RMS template to
all messages with the words confidential or private in the subject
1. 2. 3. 4. 5. 6. 7. 8. 9. On VAN-EX1, in the Exchange Management Console, under Organization Configuration, click Hub Transport. In the Actions pane, click New Transport Rule. On the Introduction page, in the Name field, type Confidential E-Mail Rule. Verify that Enable Rule is selected, and then click Next. On the Conditions page, under Step 1, select the when the Subject field contains specific words check box. Under Step 2, click the specific words link. In the Specify words dialog box, type Confidential, click Add, type Private, click Add, and then click OK. Click Next. On the Actions page, under Step 1, select rights protect message with RMS template.
10. Under Step 2, click the RMS Template link. 11. In the Select RMS template dialog box, click Do not Forward, and then click OK. 12. Click Next twice, click New, and then click Finish.
Task 6: Configure a moderated group

1. 2. 3. 4. 5. 6. On VAN-EX1, in the Exchange Management Console, under Recipient Configuration, click Distribution Group. In the middle pane, right-click All Company, and then click Properties. On the Mail Flow Settings tab, double-click Message Moderation. In the Message Moderation dialog box, select the Messages sent to this group have to be approved by a moderator check box. Under Specify group moderators, click Add. In the Select Recipient Entire Forest dialog box, click Andreas Herbinger, and then click OK three times.
Task 7: Test the transport rule configuration

On VAN-CL1, open Microsoft Office Outlook 2007. Create a new message, and then send it to Carol@contoso.com. Create another message to Carol, click the drop-down arrow next to the Permission icon, click Company Confidential, and then send the message. 4. On VAN-DC1, open Windows Explorer. Browse to C:\inetpub\mailroot \queue folder. Double-click the EML file in the folder. 5. In the Windows dialog box, click Select a program from a list of installed programs, and then click OK. Click Notepad, and then click OK. 6. Scroll to the middle of the message, and verify that the disclaimer has been added to the message. 7. Confirm that the second message did not arrive. 8. On VAN-CL1, confirm that Luca received a message from the postmaster account stating that the second message could not be delivered. 9. In Outlook, create a new message, and then send it to the All Company distribution group. 10. Open Windows Internet Explorer, and connect to https://van-ex1.adatum.com/owa. Log on as Adatum\Andreas using a password of Pa$$w0rd. Click OK. 1. 2. 3.
L9-4
11. 12. 13. 14. 15.
Double-click the e-mail message to open it, and click Approve. In Outlook, verify that the message to the All Company distribution list has arrived. In Outlook Web App, create a new message with a subject of Private. Send the message to Luca. Close Internet Explorer. In Outlook, verify that Luca received the message with the subject Private. If prompted for credentials, enter Luca as the user name and Pa$$w0rd as the password. Verify that the message has the Do Not Forward template applied. Verify that the Forward option is not available on the message.
Results: After this exercise, you should have configured a transport rule that ensures that all messages sent to users on the Internet includes a disclaimer of which the legal department approves. Additionally, you should have configured a transport rule that ensures that messages with a Company Confidential classification are not sent to the Internet, and you should have configured a transport rule that applies the Do Not Forward AD RMS template to all messages with the words confidential or private in the subject. Lastly, you should have configured a moderated group using the All Company distribution group.
Exercise 2: Configuring Journal Rules and Multi-Mailbox Search

Task 1: Create a mailbox for the Executives department journaling messages
1. 2. 3. 4. 5. On VAN-EX1, in the Exchange Management Console, click Recipient Configuration. In the Actions pane, click New Mailbox to start the New Mailbox Wizard. On the Introduction page, ensure that User Mailbox is selected, and then click Next. On the User Type page, click Next. On the User Information page, type the following information: 6. 7. 8. First name: Executives Journal Mailbox User Logon name (User Principal Name): ExecutivesJournal Password: Pa$$w0rd Confirm password: Pa$$w0rd
Click Next. On the Mailbox Settings page, type ExecutivesJournal as the Alias. Select the Specify the mailbox database rather than using a database automatically accepted check box, click Browse, click Mailbox Database 1, click OK, and then click Next. 9. On the Archive Settings page, click Next. 10. On the New Mailbox page, click New, and then click Finish.
Task 2: Create a journal rule that saves a copy of all messages sent to and from
Executives department members
1. 2. 3. 4. 5. 6. In the Exchange Management Console, in the Organization Configuration work area, click Hub Transport. In the Actions pane, click New Journal Rule to start the New Journal Rule Wizard. On the New Journal Rule page, in the Rule name box, type Executives Department Message Journaling. Beside Send Journal reports to e-mail address, click Browse, click Executives Journal Mailbox, and then click OK. Under Scope, ensure Global all messages is selected. Select the Journal messages for recipient check box, and then click Browse.
L9-5
7. 8.
In the Select Recipient dialog box, click Executives, and then click OK. On the New Journal Rule page, click New, and then click Finish.
Task 3: Create and configure the MailboxAuditor account

1. 2. 3. 4. 5. On VAN-EX1, in the Exchange Management Console, click Recipient Configuration. In the Actions pane, click New Mailbox to start the New Mailbox Wizard. On the Introduction page, ensure that User Mailbox is selected, and then click Next. On the User Type page, click Next. On the User Information page, type the following information: 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. First name: Mailbox Auditor User Logon name (User Principal Name): MailboxAuditor Password: Pa$$w0rd Confirm password: Pa$$w0rd
Click Next. On the Mailbox Settings page, type MailboxAuditor as the Alias. Select the Specify the mailbox database rather than using a database automatically accepted check box, click Browse, click Mailbox Database 1, click OK, and then click Next. On the Archive Settings page, click Next. On the New Mailbox page, click New, and then click Finish. In the recipient list, click Executives Journal Mailbox, and then click Manage Full Access Permission. On the Manage Full Access Permission page, click Add, click Mailbox Auditor, and then click OK. Click Manage, and then click Finish. On VAN-DC1, open Active Directory Users and Computers, and then in the Microsoft Exchange Security Groups OU, double-click the Discovery Management group. In the Discovery Management Properties dialog box, on the Members tab, click Add. Type Mailbox Auditor, and then click OK twice.
Task 4: Test the journal rule and Multi-Mailbox Search configuration

1. 2. 3. On VAN-CL1, if required, open Outlook. Create a new message, and then send it to Marcel Truempy. Marcel is a member of the Executives group. Open Internet Explorer, and then connect to https://VAN-EX1.adatum.com/owa. Log on as Adatum\Marcel with the password Pa$$w0rd. Confirm that the message from Luca arrived. Reply to the message, and then close Internet Explorer. Open a new instance of Internet Explorer, and then connect to https://VAN-EX1.adatum.com/owa. Log on as Adatum\MailboxAuditor with the password Pa$$w0rd. In the left pane, right-click Mailbox Auditor, and click Open Other Users Inbox. Type Executives Journal Mailbox and click OK twice. Under Executives Journal Mailbox, click Inbox. Verify that the two journaled messages are in the mailbox. In Outlook, create and send a new message with the following configuration: 8. To: George; Carol@contoso.com Subject: Customer Order Message body: Here is the order for Carol at Contoso. Her customer number is 1111-1111.
4. 5. 6. 7.
In the Microsoft Outlook Web App session where you are logged on as MailboxAuditor, click Options.
L9-6
9. 10. 11. 12. 13. 14. 15. 16. 17. 18. 19. 20. 21. 22. 23. 24. 25.
In the Select what to manage drop-down list, ensure that My Organization is listed. In the left pane, click Reporting, and then under Multi-Mailbox Search, click New. In the Keywords box, type Customer Number. Expand Mailboxes to Search. Under Select the mailboxes to search, click Add. In the Select Mailbox window, click Luca Dellamore and click Add. Click George Schaller, click Add, and then click OK. Expand Search Name and Storage Location. In the Search name field, type Customer Number Discovery. Next to Select a mailbox in which to store the search results, click Browse. In the Select Mailbox window, click Discovery Search Mailbox, and then click OK. Select the Send me an e-mail when the search is done check box, and then click Save. Wait until the search finishes, and then in the bottom right pane, click the Open link. In the Outlook Web App window, click OK. In the Navigation pane, notice the new discovery folder named Customer Number Discovery. Expand the folder. Note the two folders created that correspond to the mailboxes added to the search criteria. Expand Luca Dellamore, expand Primary Mailbox, expand Sent Items, and then verify that the email was discovered using the search criteria. Expand George Schaller, expand Primary Mailbox, expand Inbox, and then verify that the e-mail was discovered using the search criteria. Close Internet Explorer.
Results: After this exercise, you should have created a mailbox for the Executives department journaling messages, and then created a journal rule that saves a copy of all messages sent to and from Executives department members. You also should have created and configured the MailboxAuditor account.

L9-7
Lab B: Configuring Messaging Records Management and Personal Archives

Exercise 1: Configuring Messaging Record Management
Task 1: Create a managed custom mailbox folder named Executives Confidential
1. 2. 3. 4. On VAN-EX1, in the Exchange Management Console, and then in the Organization Configuration work area, click Mailbox. In the Actions pane, click New Managed Custom Folder to start the New Managed Custom Folder Wizard. On the New Managed Custom Folder page, in the Name box, type Executives Confidential. In the Display the following comment when the folder is viewed in Outlook box, type All confidential items related to Executives group should be posted here. Messages in this folder are valid for 180 days. Select the Do not allow users to minimize this comment in Outlook check box, and then click New. On the Completion page, review the completion report, and then click Finish.
5. 6.
Task 2: Configure content settings for the Executives Confidential folder

1. 2. 3. 4. 5. 6. 7. 8. Right-click the Executives Confidential managed custom folder, and then click New Managed Content Settings. On the Introduction page, in the Name of the managed content settings to be displayed in the Exchange Management Console box, type Executives Confidential Content Settings. In the Message type list, ensure that All Mailbox Content is selected. Select the Length of retention period (days) check box, and then type 180 in the text box. In the Retention period starts list, click When item is moved to the folder. In the Actions to take at the end of the retention period list, click Mark as Past Retention Limit, and then click Next. On the Journaling page, click Next. On the New Managed Content Settings page, review the summary, click New, and then click Finish.
Task 3: Configure content settings for all mailbox folders

1. 2. 3. 4. 5. 6. 7. 8. 9. On the Managed Default Folders tab, right-click Entire Mailbox, and then click New Managed Content Settings. On the Introduction page, in the Name of the managed content settings to be displayed in the Exchange Management Console box, type Mailbox Content Settings. In the Message type list, ensure All Mailbox Content is selected. Select the Length of retention period (days) check box, and then type 90 in the text box. In the Retention period starts list, accept the default of When delivered, end date for calendar and recurring tasks. In the Actions to take at the end of the retention period list, click Delete and Allow Recovery. On the Introduction page, click Next. On the Journaling page, click Next. On the New Managed Content Setting page, review the summary, click New, and then click Finish.
L9-8
Task 4: Configure a managed folder mailbox policy that applies to all users
1. 2. 3. 4. 5. 6. 7. 8. In the Actions pane, click New Managed Folder Mailbox Policy to start the New Managed Folder Mailbox Policy Wizard. On the New Mailbox Policy page, in the Managed Folder mailbox policy name box, type Default Policy All Users. In the Specify the managed folders that you want to link to this policy section, click Add. In the Select Managed Folder dialog box, click Entire Mailbox, and then click OK. On the New Mailbox Policy page, click New, and then click Finish. Open the Exchange Management Shell. At the prompt, type Get-Mailbox | Set-Mailbox ManagedFolderMailboxPolicy Default Policy All Users, and then press ENTER. As the confirmation, type A, and then press ENTER. This command links the policy to all users in the organization.
Task 5: Configure a managed folder mailbox policy that applies to the Executives
department
1. 2. 3. 4. 5. 6. 7. 8. 9. In the Exchange Management Console, in the Organization Configuration work area, click Mailbox. In the Actions pane, click New Managed Folder Mailbox Policy to start the New Managed Folder Mailbox Policy Wizard. On the New Mailbox Policy page, in the Managed folder mailbox policy name box, type Executives Department Policy. In the Specify the managed folders that you want to link to this policy section, click Add. In the Select Managed Folder dialog box, click Executives Confidential, and then click OK. In the Specify the managed folders that you want to link to this policy section, click Add. In the Select Managed Folder dialog box, click Entire Mailbox, and then click OK. On the New Managed Folder Mailbox Policy page, click New, and then click Finish. In the Exchange Management Shell, type Get-Mailbox | where-object {$_.distinguishedname ilike *ou=Executives,dc=adatum,dc=com} | Set-Mailbox ManagedFolderMailboxPolicy Executives Department Policy, and then press ENTER. This command links the policy to all users in the Executives organizational unit (OU).
Task 6: Start the managed folder assistant process

1. 2. 3. 4. 5. 6. In the Exchange Management Console, expand the Server Configuration node, and then click Mailbox. In the Results pane, right-click VAN-EX1, and then click Properties. On the Messaging Records Management tab, in the Schedule the Managed Folder Assistant list, select Use Custom Schedule, and then click Customize. In the Schedule dialog box, select the times from Monday 6:00 A.M. to Friday 6:00 P.M., and then click OK twice. In the Exchange Management Shell, type stop-service msexchangemailboxassistants, and then press ENTER to stop the Microsoft Exchange Mailbox Assistants service. At the prompt, type start-service msexchangemailboxassistants, and then press ENTER to start the Microsoft Exchange Mailbox Assistants service.
Task 7: Confirm that the managed custom folder is created for the Executives
department users
1. 2. In the Exchange Management Console, click the Recipient Configuration node. In the Results pane, right-click Marcel Truempy, and then click Properties.
L9-9
3.
4. 5.
On the Mailbox Settings tab, click Messaging Records Management, and then click Properties. Confirm that the Managed folder mailbox policy check box is selected, and that the Executives Department Policy is assigned to the mailbox. Click OK twice. On VAN-EX1, open Internet Explorer and connect to https://VAN-EX1.adatum.com/owa. Log on as Adatum\Marcel with a password of Pa$$w0rd. Click OK. Confirm that the Executives Confidential folder was created in Marcels mailbox under the Managed Folders node. Close Internet Explorer.
Task 8: Configure Retention Tags and retention policies

1. 2. On VAN-EX1, if required, open the Exchange Management Shell. At the PS prompt, type the following cmdlet, and then press ENTER:
New-RetentionPolicyTag DefaultTag -Type:All -MessageClass AllMailboxContent RetentionEnabled $true -AgeLimitForRetention 365 RetentionAction PermanentlyDelete isprimary:$true
3.
At the PS prompt, type the following, and then press ENTER:

New-RetentionPolicyTag InboxTag -Type:Inbox -MessageClass:* -AgeLimitForRetention:30 RetentionEnable:$True -RetentionAction:MovetoDeletedItems
4.

New-RetentionPolicyTag "Retain for Records" -Type:Personal -MessageClass:* AgeLimitForRetention:1100 -RetentionEnable:$True -RetentionAction:MoveToArchive
5.

New-RetentionPolicy AllTagsPolicy -RetentionPolicyTagLinks:DefaultTag,InboxTag,"Retain for Records"
Task 9: Apply the retention policy to the Marketing group

1. At the PS prompt, type the following, and then press ENTER:
Get-Mailbox | where-object {$_.distinguishedname -ilike '*ou=Marketing,dc=adatum,dc=com'} |Set-Mailbox -RetentionPolicy AllTagsPolicy
2. 3.
Read the confirmation statement, type A, and then press ENTER. At the PS prompt, type the following, and then press ENTER: Start-ManagedFolderAssistant
4. 5. 6. 7.
Open Internet Explorer, and connect to https://van-ex1.adatum.com/owa. Log on as Adatum\Manoj using a password of Pa$$w0rd. Click a message in the Inbox, and then in the reading pane, point out the expiration time for the message. Right-click the message, and review the options under the Retention Policy and Archive Policy menu items. Close Internet Explorer.
Results: After this exercise, you should have configured a managed folder policy that ensures that all messages in the default mailbox folders are deleted after 90 days. You also will have configured a custom managed folder to ensure that all members of the Executives department have a custom folder
L9-10
in their mailbox that will contain confidential messages. You also should have configured Retention Tags and retention policies for the Marketing group.
Exercise 2: Configuring Personal Archives

Task 1: Create an archive mailbox for all members of the Marketing group
1. 2. 3. On VAN-EX1, in the Exchange Management Console, click Recipient Management, and then click Mailbox. In the Results pane, click the Organization Unit heading to sort the mailbox list by OU. Select all of the mailboxes in the Marketing OU, right-click, click Enable Archive, and then click Yes.
Task 2: Verify that the archive mailbox was created for members of the Marketing group
Open Internet Explorer, and then connect to https://VAN-EX1.adatu.com/owa. Log on as Adatum\Manoj with a password of Pa$$w0rd. Click OK. Verify that the archive mailbox is visible through Outlook Web App. Results: After this exercise, you should have configured archive mailboxes for all members of the Marketing group.

Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines. 6. 7. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine. Wait for VAN-EX1 to start, and then start VAN-EX2. Connect to the virtual machine.
Lab 10: Securing Exchange Server 2010
L10-1
Module 10: Securing Microsoft Exchange Server 2010

Exercise 1: Configuring Exchange Server Permissions
Task 1: Configure permissions for the ITAdmins group
1. 2. 3. 4. On VAN-EX1, open Active Directory Users and Computers. Click Microsoft Exchange Security Groups, and then double-click Server Management. On the Members tab, click Add. In the Enter the object names to select field, type ITAdmins, and then click OK twice.
Task 2: Configure permissions for HRAdmins and Support Desk groups

1. On VAN-EX1, open the Exchange Management Shell. In the Exchange Management Shell, at the PS prompt, type the following command, and then press ENTER: New-RoleGroup Name HRAdmins roles Mail Recipients 2. At the PS prompt, type the following command, and then press ENTER: New-RoleGroup Name SupportDesk roles Mail Recipients, Mail Recipient Creation, Distribution Groups 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. On VAN-EX1, open the Exchange Management Console. Expand Microsoft Exchange On-Premises, and click Toolbox. Double-click Role Based Access Control (RBAC) User Editor. Log on as Adatum\administrator using a password of Pa$$w0rd, and then click OK. Click SupportDesk, and then click Details. Under Members, click Add. Add Anna Lidman to the group, and then click OK. Click Save. Click HRAdmins, and then click Details. Under Members, click Add. Add Paul West to the group, click OK, and then click Save. Close Windows Internet Explorer
Task 3: Verify the permissions

1. 2. 3. On VAN-EX2, log on as Shane using a password of Pa$$w0rd. Open the Exchange Management Console, and then click Yes. In the Exchange Management Console, expand Microsoft Exchange On-Premises, expand Organization Configuration, click Mailbox, and in the Results pane, double-click the Accounting mailbox database. On the Limits tab, clear the Issue warning at (KB) check box, and then click OK. Under Organization Configuration, click Hub Transport. Verify that many of the tabs normally shown in this view are not available. On the Accepted Domains tab, double-click Adatum.com. Verify that you cannot modify the settings, and then click Cancel. Expand Recipient Configuration, click Mailbox, double-click one of the mailboxes, verify that you cannot modify the mailbox properties, and then click Cancel. Log off on VAN-EX2. On VAN-EX1, open Internet Explorer, and connect to https://van-ex1.adatum.com/ecp. Log on as Adatum\Anna using a password of Pa$$w0rd, and then click OK.
4. 5.
6. 7. 8. 9.
L10-2
10. On the Mailboxes tab, click Andreas Herbinger, and then click Details. 11. Click Organization, in the Department field, type IT, and then click Save. 12. Click Public Groups. Click Accounting, and then click Details. Verify that you can modify the group properties by typing a group description, and then clicking Save. Close Internet Explorer. Note: You cannot create or delete user accounts and mailboxes in Exchange Control Panel. If you want to test whether Anna can create user accounts and mailboxes, add Anna to the local Administrators account on VAN-EX2, and log on to VAN-EX2 as Anna. Then open Exchange Management Console and verify that you can create a mailbox. In a production environment, you could install the Exchange Management tools on a Windows 7 client computer. 13. 14. 15. 16. 17. On VAN-EX1, open Internet Explorer, and connect to https://van-ex1.adatum.com/ecp. Log on as Adatum\Paul using a password of Pa$$w0rd, and then click OK. On the Mailboxes tab, click Franz Kohl, and then click Details. Click Organization, in the Department field, type Customer Service, and then click Save. Verify that the Groups tab is not visible. Close Internet Explorer.
To prepare for the next exercise

1. 2. 3. On the host computer, in Hyper-V Manager, right-click 10135A-VAN-EX2, click Revert, and then click Revert. Start the VAN-TMG and VAN-CL1 virtual machines. Log on to VAN-TMG as Adatum\Administrator, using the password Pa$$w0rd. Do not log on to VAN-CL1 at this point.
Results: After this exercise, you should have configured and verified permissions in the Exchange Server deployment.
Exercise 2: Configuring a Reverse Proxy for Exchange Server Access

1. 2. 3. On VAN-DC1, click Start, in the search box, type cmd.exe, and then press ENTER. At the command prompt, type certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2, and then press ENTER. At the command prompt, type net stop certsvc & net start certsvc, and then press ENTER.
Task 2: Request a server certificate with multiple SANs on the Client Access server
1. 2. 3. 4. 5. On VAN-EX1, in the Exchange Management Console, click Server Configuration. In the Actions pane, click New Exchange Certificate to open the New Exchange Certificate Wizard. On the Introduction page, type Adatum Mail Certificate as the friendly name for the certificate, and then click Next. On the Domain Scope page, click Next. On the Exchange Configuration page, expand Client Access server (Outlook Web App), select the Outlook Web App is on the Intranet check box, and then type VAN-EX1.adatum.com in the domain name box. Select the Outlook Web App is on the Internet check box, and then type Mail.adatum.com in the second text box.
6.
L10-3
Expand Client Access server (Exchange ActiveSync), and then verify that the Exchange Active Sync is enabled check box is selected. Type mail.adatum.com as the domain name. 8. Expand Client Access server, (Web Services, Outlook Anywhere, and Autodiscover), and then enter mail.adatum.com as the external host name. 9. Ensure that both the Autodiscover used on the Internet check box and the Long URL option are selected. In the Autodiscover URL to use field, delete all entries except for autodiscover.adatum.com, and then click Next. 10. On the Certificate Domains page, click Next. 11. On the Organization and Location page, enter the following information: 12. 13. 14. 15. 16. 17. 18. 19. 20. 21. 22. 23. 24. Organization: A Datum Organizational Unit: Messaging Country/region: Canada City/locality: Vancouver State/province: BC
7.
25. 26. 27. 28. 29. 30. 31.
Click Browse, type CertRequest as the File name, and then click Save. Click Next, click New, and then click Finish. Click the Folder icon in the task bar, and then click Documents. Right-click CertRequest.req, and then click Open. In the Windows dialog box, click Select a program from a list of installed programs, and then click OK. In the Open with dialog box, click Notepad, and then click OK. In the CertRequest.req Notepad window, select CTRL+A to select all of the text, select CTRL+C to save the text to the clipboard, and then close Notepad. Click Start, click All Programs, and then click Internet Explorer. Connect to https://van-dc1.adatum.com/certsrv. Log on as Adatum\administrator using a password of Pa$$word. On the Welcome page, click Request a certificate. On the Request a Certificate page, click advanced certificate request. On the Advanced Certificate Request page, click Submit a certificate request by using a base64-encoded CMC or PKCS#10 file, or submit a renewal request by using a base-64-encoded CMC or PKCS#7 file. On the Submit a Certificate Request or Renewal Request page, click in the Saved Request field, and then press CTRL+V to paste the certificate request information into the field. In the Certificate Template drop-down list, click Web Server, and then click Submit. In the Web Access Confirmation dialog box, click Yes. On the Certificate Issued page, click Download certificate. In the File Download dialog box, click Save. In the Save As dialog box, browse to the C: drive, and then click Save. In the Download complete dialog box, click Close. Pending Request.
32. In the Exchange Management Console, click Adatum Mail Certificate, and then click Complete 33. On the Complete Pending Request page, click Browse. 34. Browse to the C: drive, click certnew.cer, click Open, click Complete, and then click Finish. 35. On the Exchange Certificates tab, click Adatum Mail Certificate, and then click Assign Services to Certificate. 36. On the Select Servers page, click Next.
L10-4
37. On the Select Services page, select the Internet Information Services check box, click Next, click Assign, and then click Finish.
Task 3: Export the certificate from the Client Access server

1. 2. 3. 4. On VAN-EX1, right-click Adatum Mail Certificate, and then click Export Exchange Certificate. On the Introduction page, click Browse, and then browse to drive C. Type CertExport.pfx as the file name, and then click Save. In the Password field, type Pa$$w0rd, click Export, and then click Finish.
Task 4: Import the certificate on the TMG server

1. 2. 3. 4. 5. 6. 7. 8. 9. 10. On VAN-TMG, click Start. In the Search box, type MMC, and then press ENTER. On the File menu, click Add/Remove Snap-in. On the Add or Remove Snap-ins page, click Certificates, and then click Add. Click Computer account, click Next, click Finish, and then click OK. Expand Certificates, right-click Personal, point to All Tasks, and then click Import. On the Certificate Import Wizard page, click Next. On the File to Import page, type \\VAN-EX1\C$\CertExport.pfx, and then click Next. On the Password page, type Pa$$w0rd in the Password field, and then click Next. On the Certificate Store page, click Next, and then click Finish. Click OK, and then close Console1 without saving changes.
Task 5: Configure an Outlook Web Access publishing rule

1. 2. 3. 4. 5. 6. 7. 8. 9. On VAN-TMG, click Start, point to All Programs, click Microsoft Forefront TMG, and then click Forefront TMG Management. Expand Forefront TMG (VAN-TMG), and then click Firewall Policy. On the Firewall Policy Tasks pane, on the Tasks tab, click Publish Exchange Web Client Access. On the Welcome to the New Exchange Publishing Rule Wizard page, type OWA Rule, and then click Next. On the Select Services page, in the Exchange version list, click Exchange Server 2010, select the Outlook Web Access check box, and then click Next. On the Publishing Type page, click Next. On the Server Connection Security page, ensure that Use SSL to connect the published Web server or server farm is configured, and then click Next. On the Internal Publishing Details page, in the Internal site name text box, type VANEX1.Adatum.com, and then click Next. On the Public Name Details page, ensure that This domain name (type below) is configured in the Accept requests for drop-down list. In the Public name box, type mail.Adatum.com, and then click Next. On the Select Web Listener page, click New. On the Welcome to the New Web Listener Wizard page, type HTTPS Listener, and then click Next. On the Client Connection Security page, ensure that Require SSL secured connections with clients is selected, and then click Next. On the Web Listener IP Addresses page, select the External check box, and then click Next. On the Listener SSL Certificates page, click Select Certificate. In the Select Certificate dialog box, click mail.adatum.com, click Select, and then click Next. On the Authentication Settings page, accept the default of HTML Form Authentication, and then click Next.
10. 11. 12. 13. 14. 15. 16.
L10-5
17. On the Single Sign On Settings page, type Adatum.com as the single sign-on (SSO) domain name, click Next, and then click Finish. 18. On the Select Web Listener page, click Next. 19. On the Authentication Delegation page, accept the default of Basic authentication, and then click Next. 20. On the User Sets page, accept the default, and then click Next. 21. On the Completing the New Exchange Publishing Rule Wizard page, click Finish. 22. Click Apply twice to apply the changes, and then click OK when the changes have been applied.
Task 6: Configure the Client Access server

1. On VAN-EX1, in the Exchange Management Console, expand Server Configuration, and click Client Access. Note: During this task, click OK to dismiss any messages that indicate that VAN-EX2 is not accessible. 2. 3. 4. 5. 6. 7. 8. On the Outlook Web App tab, double-click owa (Default Web Site). In the External URL box, type https://mail.adatum.com/owa. On the Authentication tab, click Use one or more standard authentication methods, select the Basic Authentication (password is sent in clear text) check box, and click OK twice. On the Exchange Control Panel tab, double-click ecp (Default Web Site). In the External URL box, type https://mail.adatum.com/ecp. On the Authentication tab, click Use one or more standard authentication methods, select the Basic Authentication (password is sent in clear text) check box, and click OK twice. Open the Exchange Management Shell. At the PS prompt, type IISReset, and then press ENTER. Note: If you receive a message stating that the service did not start, start the World Wide Web service in the Services console.
Task 7: Test the Outlook Web App publishing rule

1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. On the host computer, in Hyper-V Manager, right-click 10135A-VAN-CL1, and then click Settings. Click Network Adapter, and in the Network drop-down list, click Private Network 2, and then click OK. On VAN-CL1, log on as Adatum\Administrator using a password of Pa$$w0rd. Open the Control Panel, and then click View network status and tasks. Click Change adapter settings. Right-click Local Area Connection 3, and then click Properties. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties. Change the IP address to 131.107.0.50, change the Default Gateway to 131.107.0.1, click OK, and then click Close. Close the Control Panel. Click Start, and in the search field, type notepad c:\windows\system32 \drivers\etc\hosts, and then press ENTER. At the bottom of the hosts file, type 131.107.1.1 mail.adatum.com, and then save and close the file. Open Internet Explorer, and then connect to https://mail.adatum.com/owa. Log on as adatum\administrator using a password of Pa$$w0rd, click OK, and then verify that you access the user mailbox. In the Microsoft Outlook Web App window, click Options. Verify that you can connect to the Exchange Control Panel.
L10-6
14. Close Internet Explorer. Results: After this exercise, you should have configured a Forefront Threat Management Gateway server to enable access to Outlook Web App on the Client Access server. You also will have verified that the access is configured correctly.

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps: 1. 2. 3. 4. 5. On the host computer, start Hyper-V Manager. Right-click the virtual machine name in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start. To connect to the virtual machine for the next modules lab, click 10135A-VAN-DC1, and then in the Actions pane, click Connect. Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines. 6. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.
L11-1
Module 11: Maintaining Microsoft Exchange Server 2010

Exercise 1: Monitoring Exchange Server 2010
Task 1: Create a new data collector set named Exchange Monitoring
1. 2. 3. 4. 5. On VAN-EX1, click Start, click Administrative Tools, and then click Performance Monitor. In the Navigation pane, expand Data Collector Sets, and then click User Defined. Click on the Action menu, click New, and then click Data Collector Set. In the Create new Data Collector Set Wizard, in the Name box, type Exchange Monitoring, select Create manually (Advanced), and then click Next. Select the Performance Counter check box, and then click Finish.
Task 2: Create a new performance counter data collector set for monitoring basic
Exchange Server performance
1. In the Performance Monitor, in the Navigation pane, expand Data Collector Sets, expand User Defined, click Exchange Monitoring, click the Action menu, click New, and then click Data Collector. In the Create New Data Collector Wizard, in the Name box, type Base Exchange Monitoring, select Performance counter data collector, and then click Next. Click Add. In the Available counters object list, expand Processor, and then click % Processor Time. Press and hold the CTRL key, click % User Time, click % Privileged Time, and then click Add. In the Available counters object list, expand Memory, and then click Available Mbytes. Press and hold the CTRL key, click Page Reads/sec, click Pages Input/sec, click Pages/sec, click Pages Output/sec, click Pool Paged Bytes, click Transition Pages Repurposed/sec, and then click Add. In the Available counters object list, expand MSExchange ADAccess Domain Controllers, and then click LDAP Read Time. Press and hold the CTRL key, and click LDAP Search Time, click LDAP Searches timed out per minute, click Long running LDAP operations/Min, and then click Add. In the Available counters object list, expand System, click Processor Queue Length, and then click Add. Click OK. In the Create New Data Collector Wizard, in the Sample interval box, type 1, and then in the Units dropdown menu, select Minutes and click Finish to create the data collector set.
2. 3. 4. 5.
6.
7. 8. 9.
Task 3: Create a new performance counter data collector set for monitoring Mailbox
server role performance
1. 2. 3. 4. In the Reliability and Performance Monitor, in the Navigation pane, click Exchange Monitoring, click the Action menu, click New, and then click Data Collector. In the Create New Data Collector Wizard, in the Name box, type Mailbox Role Monitoring, select Performance counter data collector, and then click Next. Click Add. In the Available counters object list, expand LogicalDisk, and then click Avg.Disk sec/Read. Press and hold the CTRL key, and click Avg.Disk sec/Transfer, click Avg.Disk sec/Write, and then click Add.
L11-2
5.
6. 7. 8. 9.
In the Available counters object list, expand MSExchangeIS, and then click RPC Averaged Latency. Press and hold the CTRL key, and click RPC Num Slow Packets, click RPC Operations/sec, click RPC Requests, and then click Add. In the Available counters object list, expand MSExchangeIS Mailbox, click Messages Queued for Submission, and then click Add. In the Available counters object list, expand MSExchangeIS Public, click Messages Queued for Submission, and then click Add. Click OK. In the Create New Data Collector Wizard, in the Sample interval box, type 1, and in the Units dropdown menu, select Minutes, and then click Finish to create the data collector set.
Task 4: Verify that the data collector set works properly

1. 2. 3. 4. In the Reliability and Performance Monitor, in the Navigation pane, click Exchange Monitoring, click the Action menu, and then click Start. After at least five minutes, click the Action menu, and then click Stop. In the Navigation pane, expand Reports, expand User Defined, expand Exchange Monitoring, click VAN-EX1_DateTime, and then review the report. Close the Performance Monitor. Results: After this exercise, you should have created a data collector set for monitoring VAN-EX1 that uses the performance counters that this module recommends.
Exercise 2: Troubleshooting Database Availability

Preparation
Before you begin this exercise, complete the following steps: 1. 2. 3. On VAN-EX1, open an Exchange Management Shell. At the prompt, type d:\ Labfiles\Lab11Prep2.ps1, and then press ENTER. When prompted, type N, and then press ENTER. Close the Exchange Management Shell.
Task 1: Identify the scope of the problem

1. 2. 3. On VAN-EX1, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console. In the Console Tree, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Mailbox. In the Work pane, click the Database Management tab, and then view the list of databases, noting that MailboxDB100 is dismounted.

1. 2. 3. In the Work pane, right-click MailboxDB100, and click Mount database. Review the warning message, and then click No. On VAN-EX1, click Start, click All Programs, click Administrative Tools, and then click Event Viewer. In Event Viewer, in the Navigation pane, expand Windows Logs, click on Application, and then in the Content pane, review recent events. Click recent events that have a source from one of the MSExchange services, and then review the details of the error in the lower half of the Content pane.
L11-3
4. 5.
In the Navigation pane, click on System, and then in the Content pane, review recent events. No notable events are present. Close Event Viewer.
Task 3: Run the Best Practices Analyzer

1. 2. 3. 4. On VAN-EX1, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console. In the Console Tree, expand Microsoft Exchange On-Premises, and then expand Toolbox. In the Work pane, double-click Best Practices Analyzer. In the Microsoft Exchange Best Practice Analyzer, if prompted, select Do not check for updates on startup, select I dont want to join the program at this time, and then click Go to the Welcome screen. On the Welcome to the Exchange Best Practices Analyzer page, click Select options for a new scan. On the Connect to Active Directory page, click Connect to the Active Directory server. On the Start a new Best Practices scan page, in the Enter an indentifying label for this scan box, type VAN-EX1 Scan, and then click Unselect all. In the Specify the scope for this scan box, select VAN-EX1, verify that Health Check is selected, and then click Start scanning to start the best practices scan process. On the Scanning completed page, click View a report of this Best Practices scan. Verify that there are no errors listed that may have caused this issue.
5. 6. 7. 8. 9.
Task 4: List the probable causes of the problem, and rank the possible solutions, if
List the problems and possible solutions: Problem Disk errors are preventing access to the database. Database path is incorrect because of storage changes. Possible solution Replace disks and restore from backup. Change storage or database configuration.
Task 5: Review the database configuration

1. 2. 3. 4. 5. On VAN-EX1, in Exchange Management Console, under Organization Configuration, click Mailbox. In the Work pane, click the Database Management tab, click on MailboxDB100. Expand the Database File Path column, and then identify the database file location. Click Start, click All Programs, click Accessories, and then click Windows Explorer. In the Navigation pane, expand Computer, expand Local Disk (C:), expand Program Files, expand Microsoft, expand Exchange Server, expand V14, expand Mailbox. Verify that the MailboxDB100NewPath folder does not exist. In the Navigation pane, click MailboxDB100 and locate the database files. This is the actual location of the database files. The configuration is pointing to the wrong path. Close Windows Explorer.
6. 7.
Task 6: Reconfigure and mount the database

1. On VAN-EX1, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Shell.
L11-4
2.
In the Exchange Management Shell, type the follow cmdlet, and then press ENTER. Move-DatabasePath MailboxDB100 LogFolderPath C:\Program Files\Microsoft\Exchange Server\V14\Mailbox\MailboxDB100 EdbFilePath C:\Program Files\Microsoft\Exchange Server\V14\Mailbox\MailboxDB100\MailboxDB100.edb ConfigurationOnly force
3. 4. 5.
Type Y, and then press ENTER. In the Exchange Management Shell, type Mount-Database MailboxDB100, and then press ENTER. Close Exchange Management Shell. Results: After this exercise, you should have used a troubleshooting technique to identify and fix a Mailbox server problem.
Exercise 3: Troubleshooting Client Access Servers

Preparation
Before you begin this exercise, complete the following steps: 1. 2. On VAN-EX1, open Exchange Management Shell. At the prompt, type d:\ Labfiles\Lab11Prep3.ps1, and then press ENTER. Close the Exchange Management Shell.
Task 1: Verify the problem by attempting to reproduce the problem

1. 2. On VAN-EX1, open Windows Internet Explorer, and connect to https://VAN-EX1.adatum.com/owa. Note the error displayed in the browser: HTTP Error 401.2 Unauthorized.

1. 2. 3. 4. On VAN-EX1, click Start, click All Programs, click Administrative Tools, and then click Event Viewer. In Event Viewer, in the Navigation pane, expand Windows Logs, click Application, and then in the Content pane, review recent events. There is nothing substantial to point to the problem. In the Navigation pane, click System, and then in the Content pane, review recent events. Close Event Viewer.
Task 3: Use the Test cmdlets to verify server health

1. 2. 3. 4. 5. 6. On VAN-EX1, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Shell. In the Exchange Management Shell, type Test-ServiceHealth, and then press ENTER. Verify that the output does not return any errors. In the Exchange Management Shell, type Test-OwaConnectivity URL https://VAN-EX1.adatum.com/OWA -TrustAnySSLCertificate, and then press ENTER. In the Windows PowerShell Credential Request dialog box, in the User name box, type Adatum\Administrator, and in the Password box, type Pa$$w0rd, and then click OK. Note the authentication errors. Close Exchange Management Shell.
L11-5
List the problems and possible solutions: Problem Internet Information Server (IIS) Configuration is not configured correctly. Possible solution Modify the IIS configuration.
Microsoft Outlook Web App authentication Modify Outlook Web App is not configured correctly. authentication configuration.
Task 5: Check the Outlook Web App configuration

1. 2. On VAN-EX1, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console. In the Console Tree, expand Microsoft Exchange On-Premises, expand Server Configuration, and then click Client Access. Note: During this task, click OK to dismiss any messages that indicate that VAN-EX2 is not accessible. 3. In the upper portion of the Work pane, click VAN-EX1, and then in the lower portion of the Work pane, select the Outlook Web App tab. Right-click owa (Default Web Site), and then click Properties. In the owa (Default Web Site) Properties dialog box, click the Authentication tab, select Use forms-based authentication, and then click OK. Review the Microsoft Exchange Warning, and then click OK. Click Start, click Program, click Accessories, and then click Command Prompt. At the command prompt, type iisreset, and then press ENTER. Note: If you receive an error indicating that the service did not start, start the World Wide Web Service in Services management console. 8. Close the command prompt.
4. 5. 6. 7.
Task 6: Verify that you resolved the problem

1. 2. 3. Open Internet Explorer, and connect to https://VAN-EX1.adatum.com/owa. Log on to Outlook Web App as Adatum\Administrator using the password Pa$$w0rd. Confirm that Administrator can now access Outlook Web App, and then close Internet Explorer. Results: After this exercise, you should have used a troubleshooting technique to identify and fix a Client Access server problem.

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
L11-6
1. 2. 3. 4. 5.
On the host computer, start Hyper-V Manager. Right-click the virtual machine name in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start. To connect to the virtual machine for the next modules lab, click 10135A-VAN-DC1, and then in the Actions pane, click Connect. Important: Start the VAN-DC1 virtual machine first, and ensure that it starts fully before starting the other virtual machines.
6. 7.
Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine. Wait for VAN-EX1 to start, and then start VAN-EX2. Connect to the virtual machine.
LA-1
Appendix A: Implementing Unified Messaging

Exercise 1: Installing and Configuring Unified Messaging Features
Lab preparation
1. 2. 3. 4. 5. On the host computer, open Hyper-V Manager. Right-click 10135A-VAN-EX2, and then click Settings. Click DVD Drive, click Image file, and then click Browse. Browse to C:\Program Files\Microsoft Learning\10135\Drives, click EXCH201064.iso, and then click Open. Click OK.
Task 1: Install the Desktop Experience feature

1. 2. 3. 4. 5. On VAN-EX2, close the AutoPlay dialog box. Open Server Manager, click Features, and then click Add Features. On the Select Features page, select the Desktop Experience check box, click Add required features, click Next, and then click Install. Click Close, and then when prompted, click Yes to restart the computer. After the computer restarts, log on as Adatum\Administrator. Wait for the installation to finish, and then click Close.
Task 2: Install the Unified Messaging role

1. 2. 3. 4. 5. 6. 7. On VAN-EX2, click Start, and then click Control Panel. In Control Panel, click Programs, and then click Programs and Features. In Control Panel, on the Programs and Features page, select Microsoft Exchange Server 2010, and then click Change. In Exchange Server 2010 Setup, click Next. On the Server Role Selection page, click Unified Messaging Role, and then click Next. On the Readiness Checks page, click Install. On the Completion page, click Finish.
Task 3: Install the German language pack

1. 2. 3. 4. 5. 6. 7. On the host computer, in Hyper-V Manager, right-click 10135A-VAN-EX2, and then click Settings. Click DVD Drive, click Image file, and then click Browse. Browse to C:\Program Files\Microsoft Learning\10135\Drives, click UMLanguagePack_DE.iso, and then click Open. Click OK. On VAN-EX2, close the AutoPlay dialog box. Open Windows Explorer, browse to D:\, and then double-click UMLanguagePack.de-DE.exe. In Exchange Server 2010 Setup, on the License Agreement page, click I accept the terms in the license agreement, and then click Next. On the Unified Messaging Language Pack page, click Install. Wait for the installation to finish, and then click Finish. Close all open Windows.
LA-2
Task 4: Create a dial plan

1. 2. 3. 4. 5. 6. 7. On VAN-EX2, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console. In the Console Tree, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Unified Messaging. In the Actions pane, click New UM Dial Plan. In the New UM Dial Plan Wizard, on the New UM Dial Plan page, in the Name field, type DP-VAN5digit. Select Telephone Extension from the URI type drop-down list, and then select Unsecured from the VoIP security drop-down list. In the Country/Region code field, type 1604, and then click New. On the Completion page, click Finish.
Task 5: Create an Unified Messaging IP gateway and hunt group

1. 2. 3. 4. 5. 6. 7. 8. In the Exchange Management Console, in the Actions pane, click New UM IP Gateway. In the New UM IP Gateway Wizard, on the New UM IP Gateway page, type IP Test Phone in the Name field. In the IP address field, type 10.10.0.10 so that VAN-DC1 runs the UM Test Phone tool, and then click Browse, select DP-VAN-5digit in the Select Dial Plan window, click OK, and then click New. On the Completion page, click Finish. In the Exchange Management Console, on the UM IP Gateways tab, in the IP Test Phone Actions pane, click New UM Hunt Group. In the New UM Hunt Group Wizard, type HG-VAN-5digits in the Name field, click Browse, select DP-VAN-5digit in the Select Dial Plan window, and then click OK. In the Pilot identifier field, enter 90000, and then click New. On the Completion page, click Finish.
Task 6: Change the default Unified Messaging mailbox policy

1. 2. 3. In the Exchange Management Console, click the UM Mailbox Policies tab. In the Details pane, double-click DP-VAN-5digit Default Policy. On the DP-VAN-5digit Default Policy Properties page, click the Message Text tab, and then type Welcome to the Unified Messaging Server VAN-EX2 in the Text to send when UM mailbox is enabled field. On the DP-VAN-5digit Default Policy Properties page, click the PIN Policies tab, uncheck PIN lifetime (days), and then click OK.
4.
Task 7: Associate the Unified Messaging server with the dial plan
1. 2. 3. 4. In the Exchange Management Console, expand Microsoft Exchange On-Premises, expand Server Configuration, and then click Unified Messaging. In the Details pane, right-click VAN-EX2, and then click Properties. On the VAN-EX2 Properties page, click the UM Settings tab. On the Associated Dial Plans pane, click Add, select DP-VAN-5digit in the Select Dial Plan window, and then click OK twice.
Task 8: Verify that the default dial-plan language is German

1. 2. In the Exchange Management Console, under Organization Configuration, click Unified Messaging. On the UM Dial Plans tab, double-click DP-VAN-5digit.
LA-3
3.
On the DP-VAN-5digit Properties page, click the Settings tab, verify that German (Germany) is selected in the Default language drop-down list, and then click OK. Results: After this exercise, you should have installed the Unified Messaging role and configured the basic server-side settings for Unified Messaging, namely, a dial plan, an IP gateway, a hunt group, and a mailbox policy. You also will have assigned the dial plan to a Unified Messaging server.
To revert the virtual machines

LA-4

10135A ENU TrainerHandbook

Încărcat de

Informații document

Descriere originală:

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

10135A ENU TrainerHandbook

Încărcat de

Drepturi de autor:

Formate disponibile

O F F I C I A L

Configuring, Managing and Troubleshooting Microsoft Exchange Server 2010

Product Number: 10135A Part Number: X17-40190

5. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.

Configuring, Managing and Troubleshooting Microsoft Exchange Server 2010

Configuring, Managing and Troubleshooting Microsoft Exchange Server 2010

Siegfried Jagott Content Developer

Stan Reimer Content Developer

Joel Stidley - Content Developer

Damir Dizdarevic - Technical Reviewer

Configuring, Managing and Troubleshooting Microsoft Exchange Server 2010

Module 2: Configuring Mailbox Servers

Module 3: Managing Recipient Objects

Module 4: Managing Client Access

Module 5: Managing Message Transport

Module 6: Implementing Messaging Security

Configuring, Managing and Troubleshooting Microsoft Exchange Server 2010

6-31 6-44 6-57

Module 7: Implementing High Availability

Module 8: Implementing Backup and Recovery

Module 9: Configuring Messaging Policy and Compliance

Module 10: Securing Microsoft Exchange Server 2010

Module 11: Maintaining Microsoft Exchange Server 2010

Configuring, Managing and Troubleshooting Microsoft Exchange Server 2010

Appendix A: Implementing Unified Messaging

Appendix B: Advanced Topics in Exchange Server 2010

Lab Answer Keys Appendix

Configuring, Managing and Troubleshooting Microsoft Exchange Server 2010

About This Course

About This Course

About This Course

About This Course

About This Course

About This Course

Virtual Machine Environment

Virtual Machine Configuration

About This Course

Course Hardware Level

Deploying Microsoft Exchange Server 2010

Configuring, Managing and Troubleshooting Microsoft Exchange Server 2010

Deploying Microsoft Exchange Server 2010

Overview of Exchange Server 2010 Requirements

Configuring, Managing and Troubleshooting Microsoft Exchange Server 2010

Discussion: Reviewing Active Directory Components

Deploying Microsoft Exchange Server 2010

Configuring, Managing and Troubleshooting Microsoft Exchange Server 2010

Reviewing Active Directory Partitions

Deploying Microsoft Exchange Server 2010

Configuring, Managing and Troubleshooting Microsoft Exchange Server 2010

How Exchange Server 2010 Uses Active Directory

Deploying Microsoft Exchange Server 2010

Configuring, Managing and Troubleshooting Microsoft Exchange Server 2010

Reviewing DNS Requirements for Exchange Server 2010

SRV Resource Records

Deploying Microsoft Exchange Server 2010

Configuring, Managing and Troubleshooting Microsoft Exchange Server 2010

Preparing Active Directory for Exchange Server 2010

Prepares the global Exchange Server objects in Active Directory, creates

/PrepareDomain /PrepareDomain domainname /PrepareAllDomains

Prepares the domain for Exchange Server 2010 by creating a new

Deploying Microsoft Exchange Server 2010

Options for Preparing Active Directory