
Exchange Server 2003

Chapter 1

Exchange Server 2003 is a complete messaging, collaboration and contact management solution.

Objectives

• Security.
• Reliability and performance improvements.
• Administration and management.
• Windows Server 2003 and Active Directory.
• Compatibility issues.

Exchange Server 2003

• Enhanced security.
• Improved manageability.
• More reliable.
• Better productivity.
• Lower TCO (Total Cost of Ownership).

Exchange 2003 Security

• Connection filtering (blocks junk mail etc.).
• Distribution list restriction.
• OWA forms-based authentication.
• Kerberos authentication.
• Privacy protection.
• Anti-Virus API 2.5.
• Enhanced public folder security.

Reliability and Performance

• 8-node cluster support (Exchange 2000 supported only 2 nodes).
• Mailbox Recovery Center.
• Automatic error reporting.
• Virtual memory reporting.
• Dr. Watson 2.0 (an application troubleshooting tool).
• Outlook synchronization performance.
• Enhanced DNS-based Internet mail delivery.

Administration and Management

• Exchange System Manager.
• Volume Shadow Copy Service support.
• Dynamic distribution lists.
• Public folder management.
• Move Mailbox utility.
• Deployment tools.

Windows Server 2003 and Active Directory

• ADMT 2.0.
• Replication improvements.
• Cross-forest trust.
• Active Directory manageability.
• Internet protocol support.

Compatibility Issues

• Exchange 2000 SP3 or later can operate in a Windows 2003 Active Directory environment.
• Exchange 2003 runs on either Windows 2000 Server with SP3 or the Windows Server 2003 operating system.
• Although Exchange 5.5 and 2000 cannot be installed on Windows 2003 servers, file and print servers, domain controllers and global catalog servers can all be upgraded to Windows 2003 with no impact on Exchange.

Chapter  2
Installing Exchange 2003

• Improvements to the setup process.
• Deployment tools.
• Requirements for Exchange 2003.
• Running ForestPrep and DomainPrep.
• Running Exchange 2003 setup.

Improvements to Exchange setup

• Setup no longer needs full organization permissions.
• Domain users are denied the right to log on locally to the Exchange server itself.
• The new "ChooseDC" switch for setup.
• The default permissions are assigned only at the organization level.
• A warning message appears if Exchange groups are moved, deleted or renamed.
• Mailbox access permissions.
• Message size limits and public folder item size limits are set by default (10 MB).

Exchange Server Deployment Tools

• Required tools and documentation.
• Guides for install, upgrade and migration.
• Exchange 2003 tools and updates at www.microsoft.com
• Accessible from the Exchange 2003 CD.

The process goes like this:

DCDiag → NetDiag → ForestPrep → DomainPrep → Exchange Setup

Requirements for Exchange 2003

• Domain controllers and global catalog servers running Windows 2000 Server with SP3 or Windows Server 2003; that is, the servers run Windows 2000 SP3 or Windows Server 2003 Active Directory.
• DNS and WINS configured properly in your Windows site.
• Disk partitions must be formatted with the NTFS file system.

Following services must be running:

• .NET Framework
• ASP.NET
• Internet Information Services (IIS) 6.0
• World Wide Web Publishing Service
• Simple Mail Transfer Protocol (SMTP) service
• Network News Transfer Protocol (NNTP) service

Hardware Requirement:

• Intel Pentium or compatible 133 MHz or faster processor.
• 256 MB of RAM recommended minimum; 128 MB minimum supported.
• 500 MB of available hard disk space for the installation of Exchange.
• 200 MB of available disk space on the hard drive.
• CD-ROM drive.
• SVGA or higher resolution monitor.

Scenario:

Create a service account svc_exchange in the Windows 2000 AD and make this account a member of Schema Admins, Domain Admins and Enterprise Admins.

Exchange 2003 Setup Switches:

Setup.exe /ChooseDC <fully qualified domain name>: chooses the domain controller that setup reads from and writes to in Active Directory during the installation process.

/DisasterRecovery: recovers an Exchange installation after the databases have been restored from backup. With this switch setup skips the process of registering the server in Active Directory (it only reads the configuration that is already there), reinstalls the Exchange binaries, and maps the restored databases back into the installation.

/?: shows all the command line options with a brief explanation of each switch.

/Password <password of the currently logged-on user>: lets setup log on automatically when it reboots during the setup process.

/ShowUI: used with the unattended mode of installation.

/NoEventLog: prevents setup from writing any entries to the Application, Security and other event logs during installation.

/NoErrorLog: disables error logging to the event viewer.

/All: enables all of the Exchange components during an install, reinstall or upgrade. Use this when you have to force the installation of a particular component that setup makes available for Exchange 2003.

/DomainPrep, /ForestPrep: two major steps that are necessary before Exchange can be installed. Active Directory stores its data in three partitions:

schema, configuration and domain

So before running Exchange setup you have to run ForestPrep and DomainPrep to prepare these partitions. ForestPrep must be run in the forest root domain and must be able to contact the server holding the Schema Master operations master role; this is generally the first domain controller, but in a large organization it may not be. That is why these two programs have to be run.

Preparation required before Exchange 2003 setup

You have to run ForestPrep only once for the entire forest, but you have to run DomainPrep in each domain that contains mail-enabled objects.

Exchange installation:
You can use the ADSI Edit tool to rename the Exchange server name; this is a delicate process and only experienced administrators should be responsible for it.
Then the installation of the Exchange server starts.

Chapter 3: Upgrading from Exchange 2000 to Exchange 2003

• Upgrading and migration essentials.
• Front-end servers vs. back-end servers.
• Mixed mode and native mode.
• Post-installation issues.
• Removing an Exchange 2003 server.

Upgrading and Migration essentials

This section covers upgrading from Exchange 5.5 to 2003, which is considered much easier and simpler. Some things need to be done before the upgrade.

There is no support for cc:Mail and Microsoft Mail.


First you have to remove the following services from Exchange 2000:
1. Instant Messaging
2. Microsoft Chat
3. Key Management Service
4. Lotus cc:Mail connector
5. Microsoft Mail connector

These components must be removed because Exchange 2003 does not support them. We also need to follow and adhere to the following requirements for the operating system and the Exchange 2000 server.

Things to adhere to:

• Install Exchange 2000 SP3 or later.
• Install Windows 2000 Server SP3 or later.
• Same language.
• Upgrade front-end servers first.

Front-end servers primarily deal with incoming client connections and protocol handling, whereas back-end servers are dedicated to the mailbox databases and public folder storage. As a matter of fact, a dedicated front-end server in Exchange cannot host public folder or mailbox databases, which is an important pre-deployment consideration. The main benefits of front-end and back-end servers are:
Front-end servers:
1. Unified namespace: users outside and inside the organization access the Exchange servers without having to remember the names of the servers. E.g., WWW.Nuggetlab.com gives web access across the whole enterprise.
2. Firewalls: firewalls also allow you to place your front-end servers behind them, which protects the servers from DoS attacks and any other vulnerability coming from the Internet.
3. Lower SSL overhead: SSL is used for encrypting and decrypting all client activity, and handling it on the front-end server lowers the overhead on the back end.

Exchange 2000 overview, running on Windows 2000 Advanced Server

Before upgrading Exchange 2000 we have to make sure that Exchange System Manager and any other Exchange 2000 management tools are not running. We then have to go to the following path.

We have to delete the contents of the BadMail folder before we start the upgrade. This folder holds the undeliverable SMTP messages that cannot be returned to the sender; it can also contain messages from outside users who are trying to spam your Exchange organization. We delete its contents because Exchange 2003 setup has to re-stamp the ACLs on all of the Exchange server folders, and if this folder holds a large number of messages the setup will take much longer than usual.
Third, a pre-installation test that you carry out and investigate thoroughly: check all third-party software, programs and add-ons for Exchange 2000 for compatibility issues and vendor upgrades, and make sure all patches and upgrades are available before the upgrade. Also, if any third-party services are running, you have to stop them manually before starting the installation.

To start the migration:

Exchange migration factoids:
If you are moving from one organization to another:

• You must have administrative permissions in both the source and target domains.
• You may need to set up a two-way trust between those domains.
• You can use the Migration Wizard only.
What are Mixed Mode and Native Mode?

These are major considerations to keep in mind when you are deploying the Exchange server.

• Native mode offers the full feature set.
• Mixed mode is the default and ensures feature interoperability.
• The Windows AD also has these modes, called functional levels.
• Exchange implements the mode at the organization level.

Mixed Mode and Native Mode pros and cons

Mixed mode:
PROS
• Interoperability between 2003 and 5.5.
• You can install additional 5.5 servers.
• Replicated objects show up in System Manager.
CONS
• Sites map to administrative groups.
• All members of a routing group must be in the same administrative group.
• Some system management functionality is limited, so most choose native mode.

Native mode:
PROS
• No Exchange 5.5 at all.
• Greater flexibility to manage routing groups and administrative groups.
• Mailbox moves are easier.
• Faster data transfer when routing through bridgehead servers.

To run ForestPrep

For DomainPrep
Install and upgrade Exchange
Steps for post-installation:

Go back to the Exchange Server Deployment Tools wizard.

Click on Perform post-installation steps.

Change to native mode:

System Manager
Since we have upgraded Exchange 2000 to 2003 it is already in native mode; otherwise there is an option for changing from mixed to native mode.

After the upgrade all of the mailboxes are automatically transferred into Mailbox Store (server name), which is the database of the Exchange server. If we are upgrading other servers we have a tool to do that: Deployment Tools → Migration Wizard.
We have a wide variety of options.

If we choose Migrate from Microsoft Exchange, we are migrating from another Exchange server, one that is not part of this organization/system.
This step guides you to make sure that after the Exchange installation all of the services are running and all necessary tools are installed on the system.

Microsoft Exchange Information Store: a very important service; if it stops, no mailbox stores and no public folders are available on the server.
Microsoft Exchange Management: this is basically for WMI; if this service stops, WMI is not available.
MTA Stacks: this is for X.400 services.
Routing Engine: also one of the core services for Exchange; it provides routing and topology information to all 2003 servers for optimal routing of messages.
Site Replication Service: used only in a 5.5 environment; SRS is disabled in a 2003-only organization.
Exchange System Attendant: this service handles five things: monitoring, monitoring your connectors, monitoring your services, maintenance such as defragmenting your Exchange store database, and forwarding AD lookups to global catalog servers (AD functions).

All these services have dependencies.

This shows the core services on which the specific service depends.

Removing an Exchange Server 2003 server

Best practice: the wizard

Move all mailboxes first (or remove them).
Transfer the roles of bridgehead server or routing group master.
Make sure there are no connection agreements or installed connectors.
TIP: delete the mailbox for Administrator.

Chapter 4: Configuring Exchange 2003 for Proactive Management

• Delegation of authority.
• Administering from a client workstation.
• The "Magic MMC tour".
• Administrative and routing groups in a nutshell.

Delegating Authority (organization level or administrative group level):

• The user account that ran the install is given full admin rights.
• Need to track/audit each Exchange admin.
• Delegate authority to users and groups.

Permissions which can be applied at the organization level or administrative group level

Exchange Full Administrator: can do everything in the Exchange organization, including modifying permissions.
Exchange Administrator: can also do everything except modify permissions.
Exchange View Only Administrator: a view-only (read-only) role.

Make all the above global security groups in AD.

Delegation of control to the groups:
By default only the Exchange Full Administrator has full control over the Exchange organization. After clicking Add you are offered the three roles:

Select the group and add it as Exchange Full Admin; in this way you can delegate control to any user or group.

Administering from a Client Workstation

• Shouldn't administer via the server console.
• May limit "log on locally" rights.
• Install the Exchange System Management Tools.
• The workstation must be in the same forest/domain.

XP Pro SP1, SP2, SP3; Windows 2000 Server with SP3; Windows Server 2003

How to install the System Management Tools on an XP machine:

First you need the Windows Server 2003 Admin Pack installed on that machine for viewing AD Users and Computers.

Install it from i386\adminpak.msi

Insert the Exchange Server disk.

Click on Exchange System Management Tools only.


Magical MMC
Start → Run → mmc
This console is used for both Exchange and Windows administration.

Save this console on your desktop. This MMC will be the combination of your Windows as well as your Exchange administration.
Administrative Groups in a Nutshell:
• Sites were limited and inflexible.
• Administrative groups define the administrative topology.
• Separated from the physical (site) structure.
• Administrative groups contain servers, policies, routing groups and public folder trees.
• A collection of objects for simpler control.

To build up administrative or routing groups:

We can create an administrative group for each of the locations.
Similarly make the other admin groups: Denton, Tyler and Austin, and we can rename the First Administrative Group to Dallas (the headquarters).

We can delegate control of each of these groups.

Routing Groups in a Nutshell

Directly, tightly coupled to the physical layout, like an AD site.

Routing groups connect multiple locations over slow links.

Chapter 5: Exchange Server Security Part I

• Connecting Exchange over a firewall system.
• TCP port filtering.
• Internet Connection Firewall (ICF).
• Using MAPI (Messaging API) through the firewall (RPC over HTTP).
• Virus protection measures.

Connecting Exchange over a Firewall

Firewalls are designed to stop malicious intruders and other attackers from getting into the internal network. A firewall is one or more systems working together, generally a combination of hardware and software. By definition, a firewall is a security mechanism that prevents unauthorized access between trusted and untrusted networks; for an Exchange organization it is the line of defense between the internal systems and the Internet. The firewall is the primary tool that enacts the overall security policy of the network.

Prevents external users from accessing your internal network.
A combination of hardware and software.
First line of defense towards the Internet.
Packet filtering: the firewall inspects every packet that enters or leaves the network at the edge of your organization, and permits or denies packets based on a wide variety of criteria such as source, IP address or even port number (TCP/UDP).
Scanning: combined with other software, the firewall also scans for worms, viruses and malicious code.
Proxy server (NAT): the firewall also acts as a proxy server that hides the internal network addressing and exposes only a single address on the Internet, filtering content such as web pages and accepting only what the business needs require.

The firewall has to protect the back-end Exchange servers that hold the public folder stores, the mailbox stores and the mailbox databases. We also have to protect the front-end servers (Exchange front end, web server, AD, etc.). It is recommended to keep the front-end server in a DMZ, also called a perimeter network. Exchange itself is not a firewall product, but it can be described as an application proxy: Exchange understands the mail protocols and their data types and can determine whether incoming data is acceptable or corrupt. If Exchange 2003 is configured properly you will not need a separate proxy server, but you still need the firewall.

TCP Port Filtering:

SMTP : 25 the mail protocol used to transfer and route mail between systems.
HTTP : 80 web access (OWA).
Kerberos : 88 handles the authentication (ticketing) system.
MTA X.400 over TCP/IP : 102 Message Transfer Agent.
POP3 : 110 used to store/retrieve messages over the Internet.
NNTP : 119 news protocol.
RPC (Exchange) : 135
IMAP4 : 143 newer protocol for client access to Exchange.
LDAP : 389 used for queries against AD and global catalog servers.
HTTP with SSL : 443
NNTP with SSL : 563
LDAP with SSL : 636 (the SSL variants run the same protocols under the secure layer)
IMAP4 with SSL : 993
POP3 with SSL : 995

Lookups in AD
Global Catalog : 3268 and 3269

TCP allows two separate hosts to establish a connection and exchange data, and many of the services used on the Internet listen on different TCP ports, so it is important to decide which ports we leave open and which we close off.
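As an added example (not part of the original notes): a small Python check that reads a constructed perimeter rule list and reports Exchange ports from the table above that are open in clear text beside their SSL port, or that belong only on the internal side. The rule syntax, the addresses and the internal-only policy are the editor's assumptions.

```python
# Added example (not from the original notes): review an Internet-edge inbound
# allow-list against the Exchange 2003 port table. The rule syntax and the choice
# of ports that belong on the internal side only are the editor's assumptions.

# Port table from the chapter; the second field is the SSL port carrying the same
# protocol, or None when there is no SSL variant to prefer over the clear-text one.
EXCHANGE_PORTS = {
    25: ("SMTP", None),
    80: ("HTTP (OWA)", 443),
    88: ("Kerberos", None),
    102: ("MTA X.400 over TCP/IP", None),
    110: ("POP3", 995),
    119: ("NNTP", 563),
    135: ("Exchange RPC", None),
    143: ("IMAP4", 993),
    389: ("LDAP", 636),
    443: ("HTTP with SSL", None),
    563: ("NNTP with SSL", None),
    636: ("LDAP with SSL", None),
    993: ("IMAP4 with SSL", None),
    995: ("POP3 with SSL", None),
    3268: ("Global Catalog", 3269),
    3269: ("Global Catalog with SSL", None),
}

# Assumption: Kerberos, directory lookups and Exchange RPC serve internal hosts only
# and should never be opened from the Internet towards the Exchange servers.
INTERNAL_ONLY = {88, 135, 389, 636, 3268, 3269}


def parse_allowed_ports(rule_text):
    """Collect destination ports from constructed rules '<allow|deny> tcp <src> <dst> <dport>'."""
    allowed = set()
    for line in rule_text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] == "allow" and fields[1] == "tcp":
            allowed.add(int(fields[4]))
    return allowed


def review_edge_rules(allowed_ports):
    """Return (port, category, message) for every open port that deserves a second look."""
    findings = []
    for port in sorted(allowed_ports):
        if port not in EXCHANGE_PORTS:
            findings.append((port, "unknown", f"tcp/{port} is not an Exchange port; justify it or close it"))
            continue
        name, ssl_port = EXCHANGE_PORTS[port]
        if port in INTERNAL_ONLY:
            findings.append((port, "internal-only", f"{name} (tcp/{port}) should not be reachable from the Internet"))
        elif ssl_port is not None and ssl_port in allowed_ports:
            findings.append((port, "cleartext", f"{name} is open beside tcp/{ssl_port}; close tcp/{port} and keep the SSL port"))
        elif ssl_port is not None:
            findings.append((port, "cleartext", f"{name} is open in clear text; move clients to tcp/{ssl_port}"))
    return findings


# Constructed sample rule set for a front-end server in the perimeter network.
SAMPLE_RULES = """\
allow tcp any 203.0.113.10 80
allow tcp any 203.0.113.10 443
allow tcp any 203.0.113.10 110
allow tcp any 203.0.113.10 995
allow tcp any 203.0.113.10 135
allow tcp any 203.0.113.10 3268
deny tcp any 203.0.113.10 143
"""
```

Running `review_edge_rules(parse_allowed_ports(SAMPLE_RULES))` on the sample flags 80 and 110 as clear-text duplicates of 443 and 995, and 135 and 3268 as internal-only.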

Internet Connection Firewall (ICF):

You can add any other services to this.

Configuring Exchange 2003 for RPC over HTTP

1. Set up the front-end server as the RPC proxy server.
2. Enable basic authentication in IIS for the RPC virtual directory.
3. Hack the registry to open the ports.
4. Open the same ports in the firewall to the back-end servers.
5. Create a profile on the Outlook clients.

Let us configure the front-end server (nugget1) to use RPC over HTTP.
Start → Control Panel → Add/Remove Programs → Add/Remove Windows Components → Networking Services → RPC over HTTP Proxy

To configure the RPC virtual directory:

Start → Administrative Tools → IIS
Web Sites → Default Web Site → RPC → right-click → Properties → Directory Security → Authentication and access control → disable Anonymous Access → Basic Authentication → Yes → OK

Hacking the Registry

Start → Run → regedit → HKEY_LOCAL_MACHINE → SOFTWARE → Microsoft → Rpc → RpcProxy → ValidPorts → Modify

For more detail you can download the Ex2k3RPC_HTTP_Deploy.exe document.
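As an added example (not from the notes, and not Microsoft's code): a Python checker for the ValidPorts value edited in the registry step above. It assumes the documented ';'-separated 'host:port' / 'host:low-high' list format and the back-end ports 6001, 6002 and 6004; the back-end host names are constructed. Confirm the port numbers against the Ex2k3RPC_HTTP_Deploy document before relying on them.

```python
# Added example (not from the notes or from Microsoft): check the RpcProxy ValidPorts
# value edited above. Assumes the documented ';'-separated 'host:port' / 'host:low-high'
# format and that each back end needs 6001 (store), 6002 (DS referral) and 6004 (DS
# proxy). Host names are constructed; confirm the ports against the deployment document.
REQUIRED_PORTS = {6001, 6002, 6004}


def parse_valid_ports(value):
    """Expand 'nugget2:6001-6002;nugget2:6004' into {'nugget2': {6001, 6002, 6004}}."""
    ports_by_host = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        host, _, port_spec = entry.rpartition(":")
        if not host:
            raise ValueError(f"entry without a host name: {entry!r}")
        low, _, high = port_spec.partition("-")
        low_port = int(low)
        high_port = int(high) if high else low_port
        if not 0 < low_port <= high_port <= 65535:
            raise ValueError(f"bad port range in {entry!r}")
        ports_by_host.setdefault(host.lower(), set()).update(range(low_port, high_port + 1))
    return ports_by_host


def build_valid_ports(backends):
    """Build a value listing each back end (NetBIOS name and FQDN) for the three ports."""
    entries = []
    for netbios, fqdn in backends:
        for host in (netbios, fqdn):
            entries.append(f"{host}:6001-6002")
            entries.append(f"{host}:6004")
    return ";".join(entries)


def check_valid_ports(value, backends):
    """List missing hosts, missing ports and extra ports; the value is an allow-list of
    what the RPC proxy will forward to, so it should contain nothing beyond the three."""
    problems = []
    seen = parse_valid_ports(value)
    for netbios, fqdn in backends:
        for host in (netbios, fqdn):
            ports = seen.get(host.lower())
            if ports is None:
                problems.append(f"{host}: no ValidPorts entry")
                continue
            missing = REQUIRED_PORTS - ports
            if missing:
                problems.append(f"{host}: missing ports {sorted(missing)}")
            extra = ports - REQUIRED_PORTS
            if extra:
                problems.append(f"{host}: opens unexpected ports {sorted(extra)}")
    return problems


# Constructed example: front end nugget1 proxies for back end nugget2.
BACKENDS = [("nugget2", "nugget2.nuggetlab.com")]
GOOD_VALUE = build_valid_ports(BACKENDS)
# A hand-typed value with one port left out and one range typed too wide.
SLOPPY_VALUE = "nugget2:6001-6002;nugget2.nuggetlab.com:6001-6004"
```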

Virus Protection Measures:

Virus:
- A chunk of executable code that latches on to files or applications. It replicates and spreads from host to host over the network.
- Requires a host computer and can also deliver a payload. Usually it consumes bandwidth, memory and disk storage.

Worm:
- Replicates like a virus but does not need a host program. Usually does its damage when the operating system or a program copies data.

Trojan horse:
- A program that masquerades as something harmless (a system tool or a game) but is potentially dangerous. Generally comes through e-mail or floppy disk and does not replicate like a worm or virus.

Anti-Virus Protections:

1. Install up-to-date software.
2. Educate users.
3. Verify compatibility and vendor support.
4. Performance impact?
5. Does it safeguard against all threats?
6. Inbound and outbound scanning.
7. Automatic updates?
8. Where to scan: client, information store, transport, firewall.

Chapter 6: Exchange Server 2003 Security Part 2

• Exchange mailbox security.
• Digital signatures and encryption.
• Disabling unnecessary services.
• Protocol logging.

Securing mailboxes in Exchange 2003

• Message filtering matches established rules against e-mail headers and body text.
• OWA and Outlook 2003 have a Junk E-mail tool.
• For Exchange 2003 filtering, configure the properties of the Global Message Delivery object to generate global filters.
• The SMTP virtual server is set up to use the filters.

Client-side Junk E-mail feature tool:

Real-time Block Lists (RBL)

Published lists of known sources of junk e-mail and spam, e.g. www.mail-abuse.org
Not 100% foolproof!
Exchange 2003 connection filtering can subscribe to an RBL.

Configuring Connection Filtering: we configure DNS lookups against the block lists.
To manually block a spammer or any junk e-mail provider for the entire domain:
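As an added example (not part of the original notes): a Python model of the connection-filtering decision described above, applying the manual block list first and then RBL lookups formed the way a subscriber queries a list (the peer's octets reversed under the list's DNS zone). The zone names, addresses and resolver are constructed so it runs offline; the 127.0.0.x "listed" answer convention and the fail-open handling of an unreachable list are assumptions.

```python
# Added example (not part of the original notes): the connection-filtering decision
# for an inbound SMTP peer, manual block list first and then RBL lookups formed the
# way a subscriber queries a list. The zone, addresses and resolver are constructed;
# the 127.0.0.x "listed" answer and failing open when a list is unreachable are assumptions.
import ipaddress

# Assumption: internal and non-routable sources are never sent to the block lists.
NO_RBL_LOOKUP = [ipaddress.IPv4Network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def rbl_query_name(ip, zone):
    """The name an RBL subscriber looks up: the peer's octets reversed under the list zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def rbl_listed(ip, zone, resolve):
    """True if zone lists ip, False if not listed, None if the list could not be queried."""
    try:
        answers = resolve(rbl_query_name(ip, zone))
    except LookupError:        # NXDOMAIN: the address is not on the list
        return False
    except OSError:            # list server unreachable or timed out
        return None
    return any(a.startswith("127.") for a in answers)


def filter_connection(ip, manual_block, zones, resolve):
    """Return (verdict, reason) for a connecting peer, checking manual blocks before RBLs."""
    addr = ipaddress.IPv4Address(ip)
    for network in manual_block:
        if addr in ipaddress.IPv4Network(network):
            return "reject", f"manually blocked by {network}"
    if any(addr in net for net in NO_RBL_LOOKUP):
        return "accept", "internal or non-routable source, RBL skipped"
    unreachable = []
    for zone in zones:
        listed = rbl_listed(ip, zone, resolve)
        if listed:
            return "reject", f"listed in {zone}"
        if listed is None:
            unreachable.append(zone)
    if unreachable:  # worth logging: mail was accepted without the full check
        return "accept", "not listed; could not query " + ", ".join(unreachable)
    return "accept", "not listed"


# Constructed stand-in for DNS: query name -> A records. Anything else is NXDOMAIN,
# and one list zone is simulated as down.
FAKE_ANSWERS = {"5.113.0.203.rbl.example.net": ["127.0.0.2"]}


def fake_resolve(name):
    if name.endswith(".down.example.net"):
        raise OSError("timed out")
    if name not in FAKE_ANSWERS:
        raise LookupError(name)
    return FAKE_ANSWERS[name]
```

With a real resolver, pass a function that returns the A records for the query name and raises `LookupError` on NXDOMAIN and `OSError` on timeout; the decision logic stays the same.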
