Thursday, August 11, 2011

Configuring Exchange Server Roles


Lesson 2: 
Installing roles is not the end point of deploying Exchange 2007. Once roles are deployed, it is necessary to configure them. Configuring a role to best meet the needs of your organization is a critical part of the postinstallation process. Although when you install a role it is configured to suit the needs of most organizations, you will find that you can make a number of tweaks that best suit your organization. Although later chapters in this book look in more detail at specific configuration settings, this lesson provides an overview of the general postinstallation tasks an Exchange administrator would carry out on servers assigned these roles.

After this lesson, you will be able to:

  • Configure Exchange Server roles.
    • Configure the Hub Transport server role.
    • Configure the Edge Transport server role.
    • Configure the Client Access server role.
      • Configure Outlook Anywhere.
      • Configure the server to enable client and mobile device connectivity.
      • Configure OWA for changing passwords.
      • Configure OWA for file sharing.
      • Configure OWA for SharePoint.
    • Configure the Mailbox server role.
      • Create, modify, and delete databases and storage groups.
      • Manage mailbox size limits.
    • Add and remove roles.
    • Remove the Exchange Server.

Estimated lesson time: 40 minutes



Configuring the Edge Transport Server Role

Once the Edge Transport server role is installed, you need to configure it to work with EdgeSync. EdgeSync links Active Directory with ADAM. Prior to establishing replication from Active Directory to ADAM, it is necessary to create an Edge subscription file. Each Edge Transport server requires a unique Edge subscription file. Three Edge Transport servers means three separate Edge subscription files.
To create an Edge subscription file, perform the following steps:
  1. Verify that the Edge Transport server can resolve the FQDN of the Hub Transport server to an IP address using the nslookup command-line utility. Verify that the Hub Transport server can resolve the FQDN of the Edge Transport server to an IP address using the nslookup command-line utility.
  2. Create the Edge subscription file on the Edge Transport server by issuing the following command from the Exchange Management Shell: New-EdgeSubscription -FileName "C:\EdgeSubExport.xml"

    NOTE Loss of manual configuration settings

    When you configure an Edge Transport server to be managed by EdgeSync, you will lose configuration settings that may have already been made to the Edge Transport server manually, such as accepted domains, message classifications, remote domains, and send connectors. Once the subscription is configured, the Exchange Management Shell commands that allow you to make these configuration settings will be blocked on the Edge Transport server. All these settings will be configured through the organization-wide Hub Transport settings.

  3. Copy the exported file to a Hub Transport server. This file needs to be imported within 1,440 minutes (24 hours) of creating the file; otherwise, you will need to re-create it.
  4. On the Hub Transport server, open the Exchange Management Console and click on Hub Transport under Organization Configuration.
  5. Click the Edge Subscriptions tab and then click New Edge Subscription in the Actions pane.
  6. This will launch the New Edge Subscription Wizard, shown in Figure 2-19. Ensure that you have selected the site for which the Edge Transport server will become a member and then click Browse to locate the subscription file.
    Figure 2-19 Enabling anti-spam updates
  7. Click New to create the new subscription.
Once an Edge Transport server is subscribed, all Hub Transport servers located in the site to which the Edge Transport server is subscribed can contribute to the EdgeSync process. This does not apply to any new Hub Transport servers added to the site after the subscription has occurred. If you add more Hub Transport servers to the site, it will be necessary to remove and re-create the Edge subscription. In the event that the licensing status of the Edge Transport server changes, for example, if you created the subscription prior to activating the Edge Transport server, it will be necessary to perform the subscription process again.

MORE INFO Subscribing the Edge Transport server

For more information on subscribing the Edge Transport server to your Exchange organization, consult the following link: http://technet.microsoft.com/en-us/library/bb125236.aspx.


For successful synchronization between Active Directory and ADAM to occur, the firewall between the secure network and the perimeter network needs to have TCP/IP port 50636 open. Once the subscription has been set up, the Hub Transport server will periodically sync with the Edge Transport server, transmitting information about accepted domains, remote domains, and internal Simple Mail Transfer Protocol (SMTP) servers. To force synchronization, issue the Start-EdgeSynchronization command in the Exchange Management Shell.
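The procedure above scripted end to end, as an added example that is not from the book. The Edge and Hub host names, the Active Directory site name and the export path are placeholders to replace; the script must be run partly on the Edge Transport server and partly on the Hub Transport server, as the comments indicate, and uses only PowerShell 1.0 constructs because that is what the Exchange 2007 Management Shell runs on.

```powershell
# Added example (not part of the book): scripting the EdgeSync subscription steps above.
# Placeholders to replace: EDGE01.perimeter.local, HUB01.tailspintoys.internal,
# the AD site name and the export path.
$edgeFqdn = "EDGE01.perimeter.local"
$hubFqdn  = "HUB01.tailspintoys.internal"
$subFile  = "C:\EdgeSubExport.xml"

# Step 1: each server must resolve the other's FQDN (run this part on both sides).
# GetHostAddresses throws when the name does not resolve, which stops the script here.
function Test-NameResolution {
    param([string]$Fqdn)
    $ips = [System.Net.Dns]::GetHostAddresses($Fqdn) | ForEach-Object { $_.IPAddressToString }
    Write-Host ("{0} -> {1}" -f $Fqdn, [string]::Join(", ", [string[]]$ips))
}
Test-NameResolution $edgeFqdn
Test-NameResolution $hubFqdn

# Step 2 (on the Edge server): export the subscription file. It carries the credentials the
# Hub uses to bind to ADAM, so delete it from the Edge server once it has been copied.
New-EdgeSubscription -FileName $subFile

# Step 3 (on the Hub server, after copying the file): refuse a file older than 1,440 minutes.
$ageMinutes = ((Get-Date) - (Get-Item $subFile).LastWriteTime).TotalMinutes
if ($ageMinutes -gt 1440) {
    throw "Subscription file is $([int]$ageMinutes) minutes old; re-export it on the Edge server"
}

# Firewall check before importing: the Hub must reach the Edge server's secure LDAP port.
$tcp = New-Object System.Net.Sockets.TcpClient
$async = $tcp.BeginConnect($edgeFqdn, 50636, $null, $null)
if (-not $async.AsyncWaitHandle.WaitOne(3000, $false)) {
    throw "TCP 50636 to $edgeFqdn is blocked; open it on the perimeter firewall"
}
$tcp.Close()

# Steps 4-7 (on the Hub server): import the file for the site the Edge server will serve.
New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path $subFile -Encoding Byte -ReadCount 0)) `
                     -Site "Default-First-Site-Name"

# Force the first replication and confirm the Edge server reports an in-sync status.
Start-EdgeSynchronization
Test-EdgeSynchronization | Format-List
```

Re-run the last two lines whenever a Hub Transport server is added to the site or the Edge server's licensing status changes; if Test-EdgeSynchronization no longer reports the Edge server as synchronized, remove and re-create the subscription as described above.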

Configuring the Hub Transport Server Role

Hub Transport servers are configured both at the server and at the organizational level. Server-level configuration includes external and internal DNS configuration, domain controller, and global catalog server configuration and message limit configurations. The domains for which your Exchange Server 2007 computers will accept e-mail are configured on an organizational level rather than a per server level. The New Accepted Domain Wizard allows you to configure Exchange Server 2007 to be authoritative for a domain. This configures your Exchange organization to accept e-mail sent to particular e-mail addresses, such as @tailspintoys.com or @wingtiptoys.com. If mail arrives at the server and is not addressed to a domain on the accepted domain list, it will bounce. The accepted domain list stops nefarious third parties from using your mail servers as relays to send spam and viruses.
You can configure an accepted domain through the wizard or from the Exchange Management Shell by issuing the command New-AcceptedDomain -Name 'tailspintoys.com' -DomainName 'tailspintoys.com' -DomainType 'Authoritative', where you substitute for tailspintoys.com the domain name for which you wish your Exchange organization to accept mail.
You can also use the New Accepted Domain Wizard to configure an internal relay domain and an external relay domain. The internal relay domain option is used if you want e-mail relayed to another Active Directory forest within your organization. An external relay domain is used to relay traffic to an e-mail server outside the Exchange organization.
Any e-mail received by the Hub Transport server that is not addressed to an accepted domain will be dropped. As companies often change their names, it is important to ensure that messages addressed to previously registered domain names will still be received properly. For example, Tailspintoys.com was known several years ago as Wingtiptoys.com. Several customers might still send e-mail to wingtiptoys.com addresses. If Wingtiptoys.com is not on the list of accepted domains, this e-mail will be dropped by the server.
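The accepted domain list for the Tailspin Toys scenario, as an added example that is not from the book: the current name as an authoritative domain, the former Wingtip Toys name so that mail to old addresses is not dropped, and an internal relay domain for a second forest. The domain names are placeholders.

```powershell
# Added example (not part of the book): build the accepted domain list for the scenario above.
# Placeholders: tailspintoys.com (current name), wingtiptoys.com (former name) and
# legacy.tailspintoys.internal (a second Active Directory forest inside the company).

# Authoritative: recipients for these domains have mailboxes in this Exchange organization.
New-AcceptedDomain -Name "Tailspin Toys" -DomainName "tailspintoys.com" -DomainType Authoritative

# The former company name. Without this entry the Hub Transport server rejects mail sent
# to wingtiptoys.com addresses that customers still have in their address books.
New-AcceptedDomain -Name "Wingtip Toys (former name)" -DomainName "wingtiptoys.com" -DomainType Authoritative

# Internal relay: recipients not found locally are relayed to the other forest.
New-AcceptedDomain -Name "Legacy forest" -DomainName "legacy.tailspintoys.internal" -DomainType InternalRelay

# Review the result. Every entry widens what the organization accepts, so the list should
# contain only domains you actually own or relay for; anything else is still refused.
Get-AcceptedDomain | Format-Table Name, DomainName, DomainType, Default -AutoSize
```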

Configuring Remote Domains

Remote domains allow the configuration of formatting and messaging policies to specific remote domains. For example, if you know that a partner company requires specifically configured e-mail, you can set up a remote domain policy for all e-mail sent to that particular domain. Remote domain policies can be applied to a specific domain only or to all subdomains of that specific domain. Configuring mail for specific destinations is covered in more detail in Chapter 7, “Connectors and Connectivity.”

Create a Postmaster Mailbox

The postmaster address is the address listed on nondelivery reports and other delivery status notifications. The postmaster at a particular mail domain is the person whom you contact if you want to follow up on an offensive or problematic e-mail. The standard postmaster alias allows anyone to send an e-mail for whatever reason to the person in charge of the e-mail servers at a particular organization.
Each Transport server will have a separate postmaster address. To view the currently assigned postmaster address, issue the following command in Exchange Management Shell:
Get-TransportServer | Format-List Name,ExternalPostMasterAddress
In the event that you want to redirect the postmaster address to another address, you can use the following Exchange Management Shell command:
Set-TransportServer -Identity 'ServerName' -ExternalPostmasterAddress 'newpostmaster@tailspintoys.com'
Alternatively, you could then assign the postmaster address as a secondary address on the user account that will be responsible for dealing with postmaster inquiries. In the event that person leaves your organization, you can move the postmaster address, as necessary. Ensuring that the postmaster address is watched is an important part of the responsibility of being a mail administrator. For example, if someone from within your organization has been sending spam, the postmaster e-mail address is the first place that some notification about it will exist. It is better to monitor this address than to find out that your mail domain has been placed on a blocking list because you were not aware that a rogue user was sending out unsolicited commercial e-mail.
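The two steps just described, applied across all transport servers and to the mailbox of the person who watches postmaster mail, as an added example that is not from the book. The postmaster address and the mailbox alias mailadmin are placeholders, and the script assumes it runs in the Exchange Management Shell.

```powershell
# Added example (not part of the book): give every transport server the same external
# postmaster address and attach that address to a monitored mailbox as a secondary address.
# Placeholders: postmaster@tailspintoys.com and the mailbox alias "mailadmin".
$postmaster = "postmaster@tailspintoys.com"

# Report and fix any Hub or Edge server whose external postmaster address differs.
Get-TransportServer | Where-Object { $_.ExternalPostmasterAddress -ne $postmaster } |
    ForEach-Object {
        Write-Host ("{0}: currently '{1}', setting {2}" -f $_.Name, $_.ExternalPostmasterAddress, $postmaster)
        Set-TransportServer -Identity $_.Name -ExternalPostmasterAddress $postmaster
    }

# Attach the address to the mailbox that will be read. Set-Mailbox replaces the whole
# EmailAddresses collection, so add the new proxy to a copy of the existing list.
$mbx = Get-Mailbox -Identity "mailadmin"
$existing = $mbx.EmailAddresses | ForEach-Object { $_.ToString() }
if (-not ($existing -contains "smtp:$postmaster")) {
    $addresses = $mbx.EmailAddresses
    $addresses += "smtp:$postmaster"        # lowercase smtp: marks a secondary (not reply) address
    Set-Mailbox -Identity "mailadmin" -EmailAddresses $addresses
}

# Verify that the address now resolves to a recipient; otherwise delivery reports
# addressed to the postmaster will themselves fail.
Get-Recipient -Identity $postmaster | Format-List Name, RecipientType, PrimarySmtpAddress
```

When the person responsible leaves, repeat the Set-Mailbox step against the new owner and remove the proxy from the old mailbox, so that the address never goes unread.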

Enabling Anti-spam Features on Transport Servers

Although Edge Transport servers have anti-spam features enabled by default, Hub Transport servers do not. To enable the Exchange Server 2007 anti-spam features on a computer with the Hub Transport server role installed, issue the following Exchange Management Shell command:
Set-TransportServer -Identity 'ServerName' -AntispamAgentsEnabled $true
You will then need to restart the Exchange Server Transport service and any open Exchange Management Consoles before the anti-spam features are enabled. You can verify that anti-spam features have been enabled, as the Enable Anti-Spam Updates item will now be available in the Actions pane when the Hub Transport server is selected under Server Configuration in the Exchange Management Console. The Anti-spam tab will also become available in the Actions pane when the Hub Transport option is selected under Organization Configuration in Exchange Management Console.
Clicking on Enable Anti-spam Updates in the Action pane allows you to configure how the anti-spam definitions and application will be updated, as shown in Figure 2-20. You can allow automatic updating of spam signatures as well as IP reputation updates. Configuring anti-spam settings is covered in more detail in Chapter 6.
Figure 2-20 Enabling anti-spam updates
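The enable-and-restart sequence above, with the verification and one addition a practitioner would want, as an added example that is not from the book. It assumes it is run in the Exchange Management Shell on the Hub Transport server itself; the internal SMTP server address 192.0.2.10 is a placeholder.

```powershell
# Added example (not part of the book): enable the anti-spam agents on this Hub Transport
# server, restart transport so the agents load, and verify. Assumes the script runs locally.
$hub = $env:COMPUTERNAME

if (-not (Get-TransportServer -Identity $hub).AntispamAgentsEnabled) {
    Set-TransportServer -Identity $hub -AntispamAgentsEnabled $true
    # Agents are registered when the transport service starts, so a restart is required.
    Restart-Service MSExchangeTransport
}

# Tell the agents which SMTP hops are yours (an Edge server or a third-party gateway,
# placeholder address). Without this, Sender ID and connection filtering evaluate your own
# gateway's IP address instead of the external sender's and every message looks internal.
Set-TransportConfig -InternalSMTPServers 192.0.2.10

# Verify: the filtering agents should now be listed and enabled on this server.
Get-TransportAgent | Where-Object { $_.Identity -match "Filter|Sender|Recipient" } |
    Format-Table Identity, Enabled, Priority -AutoSize
```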

Configuring the Client Access Server Role

The Client Access role is the gateway between clients and their mailbox data. It is possible to use NLB to load balance the Client Access role in the event that client traffic is putting too much strain on resources. In most instances, you can install the client access server role, and your users will automatically be able to access e-mail. If you are using SSL, you should remember that clients will not trust the default SSL certificate generated during the installation of the Client Access server role. You have to either obtain an SSL certificate from a commercial and trusted source or find a way for your organization to manage and generate its own SSL certificate.

Configuring Outlook Anywhere

Outlook Anywhere allows clients using Microsoft Outlook 2007 and Outlook 2003 to access Exchange Server 2007 using the RPC over HTTP protocol. The primary benefit of using Outlook Anywhere is that it simplifies the configuration of remote access to Exchange. Access can be granted without having to use VPN connections, and rules allowing the quick setup of RPC over HTTP access to Exchange are built into Internet Security and Acceleration (ISA) Server, Microsoft’s firewall and proxy product.
Outlook Anywhere can be enabled by clicking on Enable Outlook Anywhere on the Actions pane when the Client Access role is selected under the Server Configuration node. When configuring Outlook Anywhere, you need to specify the external host name, the authentication type, and whether you want to allow SSL offloading. The authentication options are Basic and NTLM with the option to use SSL offloading. SSL offloading allows you to use an SSL accelerator device to assist with the processing load involved in encrypting network connections to the Client Access server, as shown in Figure 2-21. You should not enable SSL offloading unless your server has an SSL accelerator device, as this can cause connection problems.
Figure 2-21 Outlook Anywhere properties
You can also enable Outlook Anywhere from the Exchange Management Shell by issuing the following command:
Enable-OutlookAnywhere -Server 'GLASGOW' -ExternalHostname 'externalhostname.tailspintoys.com' -ExternalAuthenticationMethod 'Basic' -SSLOffloading $false
MORE INFO Enabling Outlook Anywhere
To find out more about Outlook Anywhere, access the following link: http://technet.microsoft.com/en-us/library/bb123741.aspx.
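Enabling Outlook Anywhere only after confirming that a trusted certificate covers the external host name (the certificate point made under Configuring the Client Access Server Role), as an added example that is not from the book. It assumes it runs in the Exchange Management Shell on the Client Access server, and the server name GLASGOW and host name mail.tailspintoys.com are placeholders.

```powershell
# Added example (not part of the book): check the IIS certificate before enabling
# Outlook Anywhere. Placeholders: server GLASGOW, external host name mail.tailspintoys.com.
# Get-ExchangeCertificate inspects the local server, so run this on the Client Access server.
$cas = "GLASGOW"
$externalName = "mail.tailspintoys.com"

# Find a certificate bound to IIS whose subject or alternative names include the external host.
$cert = Get-ExchangeCertificate | Where-Object {
    ($_.Services -match "IIS") -and
    (($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $externalName)
}
if (-not $cert) {
    throw "No IIS-bound certificate on $cas names $externalName; obtain and enable one first"
}
if ($cert.IsSelfSigned) {
    # Remote Outlook clients do not trust the setup-generated certificate and will not connect.
    Write-Warning "Certificate for $externalName is self-signed; external clients will reject it"
}

# Basic authentication sends the password on every request, so it is only acceptable inside
# the SSL tunnel; leave SSL offloading off unless an accelerator terminates SSL in front of IIS.
Enable-OutlookAnywhere -Server $cas -ExternalHostname $externalName `
    -ExternalAuthenticationMethod Basic -SSLOffloading $false

# Verify the resulting settings.
Get-OutlookAnywhere -Server $cas | Format-List *Hostname*, *AuthenticationMethod*, SSLOffloading
```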


Configuring Client and Mobile Device Connectivity

Exchange ActiveSync is automatically enabled when the Client Access server role is installed on a computer running Exchange Server 2007. ActiveSync allows for the synchronization of data between mobile devices and Exchange Server 2007. Supported devices include Pocket PC 2002, Pocket PC 2003, and Windows Mobile 5.0. Windows Mobile 5.0 devices that have the Messaging Security and Feature Pack installed also support Direct Push, a technology that keeps a mobile device continuously synchronized with Exchange Server 2007.
The primary configuration that you have to make is on the clients themselves. Lesson 2 of Chapter 7 provides more information on configuring mobile device policies.
MORE INFO Managing ActiveSync
For more information on managing ActiveSync, consult the following link: http://technet.microsoft.com/en-us/library/bb124396.aspx.


Configuring OWA

OWA can be used for more than just reading and responding to e-mail. Depending on how the Client Access role is configured, OWA clients can use their browser to access standard file shares or SharePoint sites. Access to Windows file shares and Windows SharePoint services can be enabled on the basis of whether a remote user is accessing OWA using a public or shared computer or is using a private computer. This way, you can disable access to Windows file shares or SharePoint when a user is connecting to OWA from an Internet café but allow access to Windows file shares and SharePoint when connecting to OWA from a company mobile computer using a café’s WiFi connection. This demarcation relies on the user selecting the correct option when logging on to OWA, as shown in Figure 2-22.
Figure 2-22 When logging on to OWA, the users specify whether they are using a public or a private computer
This access is granted by setting options within the OWA Web site’s Properties dialog box. The Public Computer File Access tab allows you to configure the access granted to users accessing OWA from computers designated as public or shared. The Private Computer File Access tab allows you to configure the access granted to users accessing OWA from computers designated as private.
Once you have determined what type of access you want to grant users who are connecting remotely to OWA from public, shared, and private computers, you can configure the specific servers on your local network that they can access. You perform this task on the Remote File Servers tab of the OWA Web site properties, as shown in Figure 2-23.
The Remote File Servers tab has four items that can be configured:
  • Block list A list of servers that OWA clients cannot access. Items on this list override items on the allow list.
  • Allow list A list of servers that OWA clients can access.
  • Unknown servers How servers not on either the block list or the allow list are to be treated. The default option is Block. This setting can also be configured to Allow.
Figure 2-23 Remote File Servers tab
  • Domain suffixes that should be treated as internal OWA clients can access only servers that are recognized as internal. If a server that an OWA client attempts to access has a DNS suffix that is not on the list, it will be considered external and will not be accessible to the client.
By their nature, OWA clients are usually using computers that are not managed by your organization. You cannot always be 100 percent certain that the person logging in using the publicly available computer in an airport in Volgograd, Russia, is actually your company’s sales rep who is currently traveling in the area. It is not unheard of for nefarious third parties to place keylogging devices on public computers at airports or Internet cafés in an attempt to capture user names and passwords from the unwary. Although considering these threats might lead you to block off remote access to OWA entirely, some options that you can use to limit the damage are available. One configurable option allows you to block the ability to make password changes using OWA. In the event that a password is compromised, at least the person who has stolen the password will be unable to entirely hijack the compromised account by changing the password to something unknown to the user. To configure the option to block password changes for OWA users, edit the properties of the OWA Web site in Exchange Management Console, click the Segmentation tab, and then disable the Change Password feature, as shown in Figure 2-24.
Figure 2-24 Blocking password change
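The public/private file-access split, the Remote File Servers lists and the password-change block described above, applied from the Exchange Management Shell to the default OWA virtual directory, as an added example that is not from the book. The server name GLASGOW, the file server names and the tailspintoys.internal suffix are placeholders.

```powershell
# Added example (not part of the book): configure OWA file access and segmentation with
# Set-OwaVirtualDirectory. Placeholders: server GLASGOW, the server names and DNS suffix.
$owa = "GLASGOW\owa (Default Web Site)"

Set-OwaVirtualDirectory -Identity $owa `
    -UNCAccessOnPublicComputersEnabled  $false -WSSAccessOnPublicComputersEnabled  $false `
    -UNCAccessOnPrivateComputersEnabled $true  -WSSAccessOnPrivateComputersEnabled $true `
    -RemoteDocumentsActionForUnknownServers Block `
    -RemoteDocumentsAllowedServers "files01.tailspintoys.internal", "sharepoint.tailspintoys.internal" `
    -RemoteDocumentsBlockedServers "hr-files.tailspintoys.internal" `
    -RemoteDocumentsInternalDomainSuffixList "tailspintoys.internal" `
    -ChangePasswordEnabled $false

# Public/shared computers get no file share or SharePoint access; private computers do, but
# only to servers on the allow list that carry the internal suffix. A server on both lists is
# blocked, because the block list overrides the allow list. Disabling Change Password means a
# stolen password cannot be used to lock the real user out through OWA.

# Verify the settings that were applied.
Get-OwaVirtualDirectory -Identity $owa |
    Format-List *ComputersEnabled, RemoteDocuments*, ChangePasswordEnabled
```

Keep in mind that the public/private distinction is self-declared by whoever sits at the browser (Figure 2-22); these settings limit what a session can reach, but they do not verify who started it.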
MORE INFO Managing OWA
For more information on managing OWA, navigate to the following link: http://technet.microsoft.com/en-us/library/aa996373.aspx.


POP3 and IMAP4

POP3 and IMAP4 are disabled by default on a computer configured with the Client Access role. As almost all e-mail clients use one of these protocols to retrieve e-mail, it is necessary to activate them prior to putting the Client Access role into a production environment. You can activate these services using two methods: using the Services console or using the NET START command from a command prompt. You should use the Services console, as this will also allow you to change the service startup type from manual to automatic. If you do not do this, you may reboot the server after applying updates and forget that neither the POP3 nor the IMAP4 service starts automatically. To enable each service, right-click on it within the Services console and select Properties. Change the start-up type to automatic and then click Start, as shown in Figure 2-25.
Figure 2-25 Setting the start-up type of the IMAP4 service
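The Services console steps above done from PowerShell, plus a check that the two services still require a secure logon once they are running, as an added example that is not from the book. It assumes it runs locally on the Client Access server in the Exchange Management Shell and uses WMI for the startup mode because PowerShell 1.0 service objects do not expose it.

```powershell
# Added example (not part of the book): set POP3 and IMAP4 to start automatically, start
# them, and confirm their authentication settings. Assumes it runs on the Client Access server.
foreach ($svc in "MSExchangePOP3", "MSExchangeIMAP4") {
    Set-Service -Name $svc -StartupType Automatic    # otherwise the service stays down after a reboot
    Start-Service -Name $svc
}

# Confirm state and startup mode (Win32_Service exposes StartMode on PowerShell 1.0).
Get-WmiObject Win32_Service -Filter "Name='MSExchangePOP3' OR Name='MSExchangeIMAP4'" |
    Format-Table Name, State, StartMode -AutoSize

# Both protocols carry user names and passwords; Exchange 2007 defaults to SecureLogin,
# which refuses a logon unless the session is protected by SSL/TLS. Flag any server where
# this has been relaxed to plaintext before it goes into production.
foreach ($settings in @((Get-PopSettings), (Get-ImapSettings))) {
    if ($settings.LoginType -ne "SecureLogin") {
        Write-Warning ("{0}: LoginType is {1}; plaintext logons are allowed" -f $settings.Name, $settings.LoginType)
    }
}
```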

Quick Check

  1. How does OWA determine whether a remote client is using a public or shared computer or a private computer?
  2. Which SharePoint sites does a client connecting to OWA have access to by default?

Quick Check Answers

  1. The remote client is queried when connected to OWA.
  2. None. Sites must be added explicitly or by domain suffix.


Configuring the Mailbox Server Role

The immediate postinstallation tasks that you need to perform on a computer hosting the Mailbox server role are creating, modifying, and deleting databases and storage groups. Prior to performing those acts, you need to understand the differences between the two editions of Exchange Server 2007:
  • The standard edition of Exchange Server 2007 supports five storage groups and five mailbox databases per server. The standard edition supports a maximum of five mailbox databases in a single storage group, one of which is reserved for recovery.
  • The enterprise edition of Exchange Server 2007 supports up to 50 storage groups and a maximum of 50 databases per server, with a maximum of five mailbox databases per storage group.
Microsoft recommends that you allocate only one mailbox database per storage group, although it is possible to locate five mailbox databases in a single storage group. All databases within the same storage group share the same backup schedule. Having only a single database within a storage group provides greater flexibility in setting backup schedules on a per mailbox database basis. Storage groups are managed by separate server processes, and separating mailbox databases into their own separate storage group reduces transaction log complexity. Chapter 12, “Configuring Disaster Recovery,” provides more information on backups and storage groups.
Storage groups can be created using the GUI by clicking New Storage Group in the Actions pane. You can also manage storage groups from Exchange Management Shell. The following Exchange Management Shell command will create a storage group named Second Storage Group in the location C:\Program Files\Microsoft\Exchange Server\Mailbox\Second Storage Group:
New-StorageGroup -Server 'GLASGOW' -Name 'Second Storage Group' `
    -LogFolderPath 'C:\Program Files\Microsoft\Exchange Server\Mailbox\Second Storage Group' `
    -SystemFolderPath 'C:\Program Files\Microsoft\Exchange Server\Mailbox\Second Storage Group'
To create a new mailbox database, select the storage group that will host the database and then click New Mailbox Database. You can achieve the same thing using the Exchange Management Shell by issuing the following command:
New-MailboxDatabase -StorageGroup 'CN=Second Storage Group,CN=InformationStore,CN=GLASGOW,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Tailspintoys,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=tailspintoys,DC=internal' `
    -Name 'Second Mailbox Database' `
    -EdbFilePath 'C:\Program Files\Microsoft\Exchange Server\Mailbox\Second Storage Group\Second Mailbox Database.edb'
This command creates a mailbox database called Second Mailbox Database in the Second Storage Group of a server named Glasgow. You will create this database and storage group in the practices at the end of this lesson.
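The same storage group and database created with the shorter Server\StorageGroup identity form, then mounted and checked against the one-database-per-storage-group recommendation, as an added example that is not from the book. The server name GLASGOW and the D: and L: paths are placeholders.

```powershell
# Added example (not part of the book): create, mount and verify the storage group and
# database from the text. Placeholders: server GLASGOW, D: for the database, L: for logs.
$server = "GLASGOW"
$sgName = "Second Storage Group"
$dbName = "Second Mailbox Database"

# Logs and database on separate volumes: a full log volume then cannot take the database with it.
New-StorageGroup -Server $server -Name $sgName `
    -LogFolderPath "L:\Exchange\$sgName" -SystemFolderPath "L:\Exchange\$sgName"

# "Server\StorageGroup" is accepted in place of the full distinguished name shown above.
New-MailboxDatabase -StorageGroup "$server\$sgName" -Name $dbName `
    -EdbFilePath "D:\Exchange\$sgName\$dbName.edb"

# A new database is created dismounted; mount it before placing mailboxes in it.
Mount-Database -Identity "$server\$sgName\$dbName"

# Verify, and warn where a storage group holds more than the recommended single database,
# since every database in a group shares the same log stream and backup schedule.
Get-MailboxDatabase -Server $server -Status |
    Format-Table Name, StorageGroupName, Mounted, EdbFilePath -AutoSize
Get-StorageGroup -Server $server | ForEach-Object {
    $count = @(Get-MailboxDatabase -StorageGroup $_.Identity).Count
    if ($count -gt 1) { Write-Warning ("{0} holds {1} databases; Microsoft recommends one" -f $_.Name, $count) }
}
```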
You can view the location of a mailbox database by viewing the Mailbox Database properties, as shown in Figure 2-26. From this dialog box, it is possible to view the last time the mailbox database was backed up and the location of the mailbox database copy if local continuous replication is enabled, and to configure the mailbox maintenance schedule.
Figure 2-26 Mailbox database properties
During the period specified in the maintenance schedule, the following tasks are completed:
  • Dumpster cleanup involves the removal of deleted messages that have passed the deleted item retention date.
  • Public folder expiration involves messages posted to public folders expiring after a certain amount of time and being removed by the maintenance process.
  • Deleted mailboxes are cleaned up.
  • An online defragmentation of the mailbox is performed.

Managing Mailbox Size Limits

Although on a per gigabyte basis hard disk drive storage costs are always dropping, at some point you will most likely want to limit the amount of information that users can store in a mailbox. Although some users will be diligent about removing unnecessary material, the mailboxes of other users will continue to grow unless they reach some preconfigured limit. Some users never delete an attachment, even if it is completely outdated and has not been relevant for several years. If you do not impose mailbox limits, it is possible that a small number of mailboxes might account for the majority of the disk space on your mailbox servers.
BEST PRACTICES The 80/20 rule
One common rule of thumb in many fields, including systems administration, is that 80 percent of resources will be consumed by 20 percent of the users. This applies to mailbox usage. You will find that without mailbox size limits, 20 percent (or less) of your users will end up taking 80 percent (or more) of the available disk space.


Besides the issue of a small number of users using a disproportionate amount of disk space, another practical reason for limiting the size of mailboxes involves backups. Data can be backed up and restored at only a finite rate. The larger the mailboxes, the longer the backup process is and the greater the amount of backup media that will be required. Larger mailboxes have a similar impact on restore operations. It takes longer to restore data from backups containing larger mailboxes than it does to restore data from backups containing smaller mailboxes.
You can manage mailbox size limits by editing the properties of the mailbox database and clicking the Limits tab. From this tab, it is possible to configure the following properties:
  • Issue Warning At (KB) The threshold in kilobytes when a warning is automatically issued to the user about the amount of data stored in a mailbox.
  • Prohibit Send At (KB) The threshold in kilobytes when the user is no longer able to send e-mail.
  • Prohibit Send And Receive At (KB) The threshold in kilobytes when the user is no longer able to send and receive e-mail.
  • Warning Message Interval The schedule by which warning messages will be sent to users who have mailboxes larger than the specified thresholds.
  • Keep Deleted Items For (Days) How long deleted items are kept before being removed from the mailbox database.
  • Keep Deleted Mailboxes For (Days) How long a deleted mailbox is kept in the database before being permanently deleted.
  • Do Not Permanently Delete Items Until The Database Has Been Backed Up This option overrides the previous settings, keeping deleted items past their expiration date until the database has been backed up.
Mailbox limits are configured in a practice at the end of this lesson.
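The Limits tab settings applied from the Exchange Management Shell, followed by a report of the mailboxes already above the warning threshold (the small group the 80/20 sidebar describes), as an added example that is not from the book. The database identity and the quota values are placeholders.

```powershell
# Added example (not part of the book): set the Limits tab values on a database and list the
# mailboxes that already exceed the warning threshold. Placeholders: database identity, quotas.
$db = "GLASGOW\Second Storage Group\Second Mailbox Database"

Set-MailboxDatabase -Identity $db `
    -IssueWarningQuota 900MB `
    -ProhibitSendQuota 1GB `
    -ProhibitSendReceiveQuota 1.2GB `
    -DeletedItemRetention 14.00:00:00 `
    -MailboxRetention 30.00:00:00 `
    -RetainDeletedItemsUntilBackup $true

# Mailboxes already over the warning threshold, largest first. StorageLimitStatus shows
# which limit each mailbox has hit, so users who will lose send capability can be told first.
$warnQuota = (Get-MailboxDatabase -Identity $db).IssueWarningQuota.Value
Get-MailboxStatistics -Database $db |
    Where-Object { $_.TotalItemSize.Value -gt $warnQuota } |
    Sort-Object { $_.TotalItemSize.Value } -Descending |
    Format-Table DisplayName,
                 @{ Name = "SizeMB"; Expression = { $_.TotalItemSize.Value.ToMB() } },
                 ItemCount, StorageLimitStatus -AutoSize
```

Set-Mailbox accepts the same three quota parameters together with -UseDatabaseQuotaDefaults $false for the few accounts that genuinely need an exception, which keeps the database-wide limits intact for everyone else.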

Removing Exchange Server 2007

Three separate Exchange Server 2007 removal scenarios exist, each of which must be treated differently: removing one or more roles from an Exchange Server while keeping the server operational, removing Exchange Server 2007 in its entirety from a computer, and removing the Exchange Server 2007 organization from an Active Directory forest. Also covered in this section are the steps that must be taken to remove a final Exchange Server 2003 or Exchange 2000 server from a mixed Exchange environment.

Removing Roles

To remove roles that have been previously installed on a computer running Exchange Server 2007, your user account must have been added to the Exchange organization administrator role. To remove the roles, open Add Or Remove Programs, click Microsoft Exchange Server 2007, and then click Change. This will bring up the Exchange Server 2007 Setup Wizard in Exchange Maintenance Mode, as shown in Figure 2-27. On the next page of the wizard, you select the roles that you wish to uninstall from the server. Readiness checks are performed, warning you of potential problems, and then the role removal is completed.
When removing the Mailbox server role, ensure that existing mailboxes have been either moved, disabled, or deleted. You should also ensure that all public folders and public folder replicas have been migrated to another Mailbox server. Similarly, if removing a Client Access server, ensure that clients that are directly connecting to OWA are redirected to an appropriate alternative.
Roles can be removed from an Exchange Server using setup from the command line. The command setup /mode:uninstall /roles:<roles to remove> will remove the specified roles from the computer running Exchange Server. If, in the future, you decide to reinstall the Mailbox server role on a computer that has had that role removed, it will be necessary to manually remove the existing database and log files from the server.
Figure 2-27 Removing roles using the GUI

Removing Exchange from a Server

In some cases you may want to remove not only an Exchange role but the entire program itself. It is important to perform a proper uninstall rather than just wiping the server and reinstalling the operating system, as a proper uninstallation updates the rest of the Exchange organization about the status of the decommissioned server. Removing Exchange Server 2007 entirely includes removing all server roles, installation files, the Exchange Server object, and all the associated child objects from the Active Directory forest. For this reason, you can perform a complete removal of Exchange Server 2007 only by using an account that has been delegated the Exchange organization administrator role.
Prior to attempting to remove Exchange Server 2007 entirely, ensure that any mailboxes hosted on the computer have been deleted, disabled, or moved. Also verify that public folders and public folder replicas have been migrated to another server. Removal of Exchange Server 2007 is accomplished using the Add/Remove Programs item in Control Panel. It can also be achieved using the command setup /mode:uninstall. As with the removal and reinstallation of the Mailbox server role mentioned earlier, if you reinstall Exchange with the Mailbox server role on a computer that has hosted this role in the past, it is necessary to remove the existing database and log files from the server.

Removing an Exchange 2007 Organization

In the event that you want to completely remove an Exchange Server 2007 organization, you must first remove Exchange from all servers in the organization. Once Exchange is removed from all servers, the following data and settings will remain:
  • Microsoft Exchange System Objects container in Active Directory
  • Exchange Configuration container in Active Directory
  • Active Directory schema modification
  • User data, including database files, log files, public folder, and public folder replica data
Although it is relatively simple to remove the Active Directory containers and objects as well as the leftover user data, rolling back the schema modifications made by Active Directory setup is technically possible but very difficult to implement in a production environment. Unless you are well prepared, returning a large environment to the precise state it was in prior to the deployment of Exchange Server 2007 is next to impossible. This is another reason why you need to get deployment right from the start.
MORE INFO Schema rollback
To learn how Microsoft manages its Active Directory schema, including some techniques used for rolling back schema changes, consult the following link: http://www.microsoft.com/technet/itshowcase/content/adschemamgmt.mspx.


Removing the Last Exchange 2000 or Exchange Server 2003 Server in a Coexistence Environment

Many organizations that implement Exchange Server 2007 are likely to have an existing Exchange Server infrastructure. As you roll out Exchange Server 2007 across your organization, you are likely to want to decommission the previous versions of Exchange. Before decommissioning legacy Exchange server computers, you need to ensure that people in your organization are not using services that only those editions of Exchange provide and that all relevant user data has been migrated to Exchange Server 2007.
Just as Exchange Server 2007 includes new features not available in previous editions, previous editions of Exchange Server have features that do not exist in Exchange Server 2007. If your organization still uses these services, you will need to migrate users to alternatives prior to removing the legacy Exchange servers that support them. The features that you have to be careful about are the following:
  • Exchange Server 2003. Novell GroupWise connector and NNTP Protocol
  • Exchange 2000 Server. Mobile Information Server, Instant Messaging Service, Exchange Chat Service, Exchange 2000 Conferencing Server, Key Management Service, cc: Mail connector, and MS Mail connector

You do not want to remove a prior version of Exchange server only to discover that it provides a critical service to some department in your organization of which you were unaware. Other steps that you need to take prior to decommissioning a legacy Exchange Server include the following:
  • Move all mailboxes to a computer running Exchange Server 2007.
  • Move all public folder replicas to a computer running Exchange Server 2007.
  • Move all offline address book generation processes to a computer running Exchange Server 2007.
  • Configure send connectors on a computer hosting the Exchange Server 2007 Hub or Edge Transport roles (depending on your Exchange architecture) to replace all existing outbound SMTP connectors.
  • Alter DNS MX records to ensure that they resolve to computers running Exchange Server 2007 with the Hub or Edge Transport roles installed. Ensure that no DNS MX records point to the computer hosting the legacy edition of Exchange.
  • Ensure that inbound protocol services, including ActiveSync, OWA, POP3, and IMAP4, point to a computer running Exchange 2007 with the Client Access role installed.
  • Remove routing group connectors connecting legacy Exchange routing groups to the Exchange 2007 routing group.
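The checklist above is easier to trust when each condition is tested rather than assumed. The following pre-decommissioning check is an added example, not from the book: it runs in the Exchange Management Shell on an Exchange Server 2007 computer, and the legacy server name and SMTP domain are assumed placeholders.

```powershell
# Added example, not from the book: pre-decommissioning checks for a legacy
# Exchange 2000/2003 server, run from the Exchange Management Shell on an
# Exchange Server 2007 computer. Server and domain names are assumed placeholders.
$legacy = "LEGACY01"              # legacy server you intend to retire
$domain = "tailspintoys.internal" # SMTP domain whose MX records you expect to own
$blockers = @()

# 1. Mailboxes still homed on the legacy server. Get-Mailbox reads Active
#    Directory, so it also reports mailboxes on Exchange 2003 servers.
$mbx = @(Get-Mailbox -Server $legacy -ResultSize Unlimited)
if ($mbx.Count -gt 0) { $blockers += "$($mbx.Count) mailbox(es) still on $legacy" }

# 2. Public folders whose replica list still names a database on the legacy
#    server. Replicas holds database identities of the form SERVER\SG\Database.
$pf = @(Get-PublicFolder -Recurse -ResultSize Unlimited |
        Where-Object { ($_.Replicas | ForEach-Object { "$_" }) -match "^$legacy\\" })
if ($pf.Count -gt 0) { $blockers += "$($pf.Count) public folder(s) still replicated to $legacy" }

# 3. Offline address book generation still assigned to the legacy server.
$oab = @(Get-OfflineAddressBook | Where-Object { "$($_.Server)" -like "*$legacy*" })
if ($oab.Count -gt 0) {
    $blockers += "OAB generation still on ${legacy}: $($oab | ForEach-Object { $_.Name })"
}

# 4. Routing group connectors that still reference the legacy server.
$rgc = @(Get-RoutingGroupConnector | Where-Object {
    "$($_.SourceTransportServers) $($_.TargetTransportServers)" -like "*$legacy*" })
if ($rgc.Count -gt 0) { $blockers += "$($rgc.Count) routing group connector(s) reference $legacy" }

# 5. MX records that still resolve to the legacy host. nslookup is the tool the
#    lesson already uses for name resolution checks.
$mx = @(nslookup -type=MX $domain 2>$null | Where-Object { $_ -match "mail exchanger" })
if ($mx.Count -eq 0) { $blockers += "No MX records returned for ${domain}; check DNS first" }
if (@($mx -match $legacy).Count -gt 0) { $blockers += "An MX record for $domain still points at $legacy" }

if ($blockers.Count -eq 0) {
    Write-Host "No blockers found; $legacy can be decommissioned."
} else {
    Write-Host "Do not remove $legacy yet:"
    $blockers | ForEach-Object { Write-Host "  - $_" }
}
```

Inbound protocol services (ActiveSync, OWA, POP3, IMAP4) and outbound SMTP connectors are not covered by the script and still need to be checked by hand against your DNS and firewall configuration.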

MORE INFO Removing and modifying Exchange Server 2007
For more information on how to remove Microsoft Exchange Server 2007 server roles from a computer on which they are already installed, consult the following link: http://technet.microsoft.com/en-us/library/aa998193.aspx.


Exam Tip
When sitting the exam, take a moment to reread the question before you look at the answers. Many people taking multiple-choice exams glance at the answers before they have fully comprehended the question. When they reread the question, they have an incorrect answer in their mind, bending their interpretation of the question text. A helpful technique is to write the answer down on the scratch pad before glancing at the answers on the screen. That way, you will not be tempted to try to fit a wrong answer to the question setup.


Practice: Exchange Server Role Configuration

In these practices, you will perform several exercises that will familiarize you with the configuration of Exchange Server 2007 roles. Each of the practices in this section relates to the most common role configuration tasks that you will have to perform as an Exchange Server 2007 administrator. Before attempting these practices, ensure that you have performed all the practices in Lesson 1 of this chapter.

Practice 1: Configuring the Hub Transport Role

In this practice, we will examine Hub Transport role configuration on both the server and the organizational level. We will be examining organizational policies in more detail in later chapters, and the coverage of organizational configuration is intended only to familiarize you with the configuration options that are available at both the server and the organizational level. To complete this practice, perform the following steps:
  1. Log on to the Exchange Server 2007 computer using the Kim_Akers user account.
  2. Open Exchange Management Console. Dismiss the unlicensed server warning and expand the Server Configuration node.
  3. Click Hub Transport, then right-click the GLASGOW entry and select Properties. This will bring up the GLASGOW Properties dialog box, as shown in Figure 2-28.
  4. Verify that the domain controller and global catalog servers being used by Exchange are set to GLASGOW.tailspintoys.internal. Click the External DNS Lookups tab.
  5. On the External DNS Lookups tab, select the Use These DNS Servers option. In the field, enter the IP address 207.68.160.190 and then click Add.
    Figure 2-28 Hub Transport server general properties
  6. Click the Limits tab. Change the settings so that the value for transient failure retry attempts is set to 10, that the maximum time since submission for message expiration is three days, and that senders will be notified if their message is delayed more than one hour, as shown in Figure 2-29. Click OK to close the Glasgow Properties dialog box.
  7. Under Microsoft Exchange, expand the Organization Configuration node and then click the Hub Transport node.
  8. Click the Accepted Domains tab and then click New Accepted Domains under Actions. This will start the New Accepted Domain Wizard.
  9. On the New Accepted Domain page, enter Tailspintoys.com in the Name box and tailspintoys.com in Accepted Domain. Verify that the Authoritative Domain option is selected, as shown in Figure 2-30. Click New.
  10. Click Finish to close the wizard. The Exchange Server 2007 organization that you deployed in the first lesson of this chapter is now authoritative for both the tailspintoys.com and the tailspintoys.internal domains.
Figure 2-29 Hub Transport server limits
Figure 2-30 New accepted domain
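The same configuration can be applied and, more importantly, read back from the Exchange Management Shell. This is an added example, not from the book; it uses the server name, DNS server address, limit values and domain name given in the practice.

```powershell
# Added example, not from the book: Exchange Management Shell equivalent of
# Practice 1, using the values from the practice steps.
$server = "GLASGOW"

# Step 5: External DNS Lookups tab, "Use these DNS servers". Disabling the
# adapter lookup is what makes the explicit server list take effect.
Set-TransportServer -Identity $server `
    -ExternalDNSAdapterEnabled $false `
    -ExternalDNSServers 207.68.160.190

# Step 6: Limits tab. Timeouts are TimeSpans written as d.hh:mm:ss.
Set-TransportServer -Identity $server `
    -TransientFailureRetryCount 10 `
    -MessageExpirationTimeout 3.00:00:00 `
    -DelayNotificationTimeout 01:00:00

# Steps 8-10: add tailspintoys.com as an authoritative accepted domain, so the
# organization accepts and delivers mail for it rather than relaying or bouncing.
New-AcceptedDomain -Name "Tailspintoys.com" `
    -DomainName "tailspintoys.com" -DomainType Authoritative

# Read the settings back instead of trusting what the dialog box showed.
Get-TransportServer -Identity $server | Format-List ExternalDNSAdapterEnabled, `
    ExternalDNSServers, TransientFailureRetryCount, `
    MessageExpirationTimeout, DelayNotificationTimeout
Get-AcceptedDomain | Format-Table Name, DomainName, DomainType, Default -AutoSize
```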

Practice 2: Configuring Client Access Server Role

In this practice, you will configure OWA so that remote users can change their password. You will also configure OWA so that remote users can access File Shares and SharePoint sites. To complete this practice, perform the following steps:
  1. Log on to the Exchange Server 2007 computer using the Kim_Akers user account.
  2. Open the DNS console from the Administrative Tools menu.
  3. Create a new primary forward lookup zone called Tailspintoys.com. Create a new host record called outlkany in the tailspintoys.com zone. Assign the new host the IP address of the Exchange Server 2007 computer.
  4. Open Exchange Management Console. Dismiss the unlicensed server warning and expand the Server Configuration node.
  5. Click the Client Access node. In the Actions pane, click Enable Outlook Anywhere.
  6. On the Enable Outlook Anywhere page, set the external host name to outlkany.tailspintoys.com and verify that basic authentication is set, as shown in Figure 2-31, and then click Enable.
    Figure 2-31 Enable Outlook Anywhere
  7. When the Completion page is shown, click Finish.
  8. Under the Outlook Web Access tab, right-click owa (Default Web Site) and then click Properties.
  9. Click the Segmentation tab, as shown in Figure 2-32. Verify that the Change Password item is set to be enabled.
    Figure 2-32 Allowing OWA users to change passwords
  10. Click the Public Computer File Access tab and remove the checks next to the Windows File Shares and Windows SharePoint Services items, as shown in Figure 2-33. Click Apply.
  11. Click the Remote File Servers tab and then click Allow.
  12. In the Allow list, enter the hosts sharepoint.tailspintoys.internal and fileserver.tailspintoys.internal and click OK twice to close the dialog box.
  13. From the Administrative Tools Program menu, open the Services console.
  14. Right-click the Microsoft Exchange IMAP4 service and then click Properties.
  15. On the General tab, change Startup Type to Automatic and then click Start. Click OK to close the Properties dialog box.
  16. Repeat this process for the Microsoft Exchange POP3 service.
Figure 2-33 Restricting access to shared files on public computers
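The Client Access configuration in this practice maps onto three cmdlets. The block below is an added example, not from the book: it assumes the Exchange Server 2007 SP1 parameter names, the default OWA virtual directory identity, and additionally blocks unknown remote document servers, which the practice leaves at its default.

```powershell
# Added example, not from the book: Exchange Management Shell equivalent of
# Practice 2. Host names come from the practice; cmdlet parameter names are
# those of Exchange Server 2007 SP1.
$cas = "GLASGOW"
$owa = "$cas\owa (Default Web Site)"

# Steps 5-7: Outlook Anywhere with Basic authentication and no SSL offloading,
# as in Figure 2-31. With Basic, the credentials are protected only by the
# HTTPS session, so the external name needs a valid certificate.
Enable-OutlookAnywhere -Server $cas `
    -ExternalHostname "outlkany.tailspintoys.com" `
    -ExternalAuthenticationMethod Basic -SSLOffloading $false

# Steps 8-12: allow password changes, deny file share and SharePoint access
# from public (shared) computers, allow only the two listed hosts, and (added
# here, not in the practice) block any server that is on neither list.
Set-OwaVirtualDirectory -Identity $owa `
    -ChangePasswordEnabled $true `
    -UNCAccessOnPublicComputersEnabled $false `
    -WSSAccessOnPublicComputersEnabled $false `
    -RemoteDocumentsAllowedServers "sharepoint.tailspintoys.internal", "fileserver.tailspintoys.internal" `
    -RemoteDocumentsActionForUnknownServers Block

# Steps 13-16: set the IMAP4 and POP3 services to Automatic and start them.
foreach ($svc in "MSExchangeIMAP4", "MSExchangePOP3") {
    Set-Service -Name $svc -StartupType Automatic
    Start-Service -Name $svc
}

# Verify what is actually in effect.
Get-OutlookAnywhere -Server $cas | Format-List ExternalHostname, ExternalAuthenticationMethod
Get-OwaVirtualDirectory -Identity $owa | Format-List ChangePasswordEnabled, `
    UNCAccessOnPublicComputersEnabled, WSSAccessOnPublicComputersEnabled, `
    RemoteDocumentsAllowedServers, RemoteDocumentsActionForUnknownServers
Get-Service MSExchangeIMAP4, MSExchangePOP3 | Format-Table Name, Status -AutoSize
```

Enabling POP3 and IMAP4 exposes two more authenticated listeners; if they are not needed by a client population, leave them disabled rather than starting them as a matter of course.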

Practice 3: Configuring the Mailbox Server Role

In this practice, you will create a storage group. Once you have created the storage group, you will create a new mailbox database within the group. You will then also configure the retention settings of the new mailbox database. To complete this practice, perform the following steps:
  1. Log on to the Exchange Server 2007 computer using the Kim_Akers user account.
  2. Open the Exchange Management Console. Dismiss the unlicensed server warning and expand the Server Configuration node.
  3. Click the Mailbox item.
  4. In the Actions pane, click New Storage Group. This will bring up the New Storage Group dialog box.
  5. Enter the name Second Storage Group in the Storage group name text box and accept the default values for the Log Files And System Files path, as shown in Figure 2-34. Click New.
  6. Click Finish to close the New Storage Group Wizard.
  7. Verify the creation of the new storage group by examining the Database Management pane when the Mailbox node is selected under Server Configuration. Click Second Storage Group.
    Figure 2-34 New Storage Group dialog box
  8. With the Second Storage Group highlighted, in the Actions pane, click New Mailbox Database. This will bring up the New Mailbox Database page.
  9. Enter Second Mailbox Database in the Mailbox database name text box, as shown in Figure 2-35, and then click New.
    Figure 2-35 New Mailbox Database dialog box
  10. The Exchange mailbox database will be created and then mounted. Click Finish.
  11. Right-click Second Mailbox Database under Second Storage Group and then click Properties.
  12. Click the Limits tab, as shown in Figure 2-36.
    Figure 2-36 Configuring mailbox database limits
  13. Change the Keep Deleted Items value to 21 days and the Keep Deleted Mailboxes value to 50 days.
  14. Check the Do Not Permanently Delete Items Until The Database Has Been Backed Up option and then click OK.
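The storage group, database and retention settings from this practice can be created from the Exchange Management Shell, which also makes it easy to confirm the database actually mounted. This is an added example, not from the book; it goes one step beyond the practice by also setting the per-database mailbox size limits this lesson lists as a Mailbox role task, and those quota values are assumptions.

```powershell
# Added example, not from the book: Exchange Management Shell equivalent of
# Practice 3, plus mailbox size limits (quota values are assumed, not from the
# book). Quota syntax is that of Exchange Server 2007 SP1.
$server = "GLASGOW"
$sg = "$server\Second Storage Group"
$db = "$sg\Second Mailbox Database"

# Steps 4-7: new storage group with the default log and system file paths.
New-StorageGroup -Server $server -Name "Second Storage Group"

# Steps 8-10: database in that storage group. The console mounts it for you;
# the shell does not, so mount it explicitly.
New-MailboxDatabase -StorageGroup $sg -Name "Second Mailbox Database"
Mount-Database -Identity $db

# Steps 12-14: retention. TimeSpans are d.hh:mm:ss: 21 days for deleted items,
# 50 days for deleted mailboxes, and no purge until a backup has captured them.
Set-MailboxDatabase -Identity $db `
    -DeletedItemRetention 21.00:00:00 `
    -MailboxRetention 50.00:00:00 `
    -RetainDeletedItemsUntilBackup $true

# Size limits (assumed values): warn at 1.8 GB, block sending at 2 GB, block
# sending and receiving at 2.3 GB. Mailboxes inherit these unless overridden.
Set-MailboxDatabase -Identity $db `
    -IssueWarningQuota 1843200KB `
    -ProhibitSendQuota 2097152KB `
    -ProhibitSendReceiveQuota 2411520KB

# -Status adds the live Mounted property to the stored configuration.
Get-MailboxDatabase -Identity $db -Status | Format-List Name, Mounted, `
    DeletedItemRetention, MailboxRetention, RetainDeletedItemsUntilBackup, `
    IssueWarningQuota, ProhibitSendQuota, ProhibitSendReceiveQuota
```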

Lesson Summary

  • By default, Exchange Server 2007’s anti-spam features are enabled on Edge Transport servers but not enabled on Hub Transport servers. You can enable this feature on Hub Transport servers by executing an Exchange Management Shell command.
  • Edge Transport servers need to have EdgeSync configured to replicate data from Active Directory to ADAM.
  • Outlook Anywhere replaces RPC over HTTP, allowing remote clients to access Exchange Server 2007 without connecting through a VPN.
  • By default, mobile devices can access servers configured with the Client Access server role.
  • OWA can be configured to differentiate access to File Shares and SharePoint servers based on whether a client is connecting using a public or shared computer or a private computer. You can allow or block password changes by accessing SharePoint properties.
  • The standard edition of Exchange Server 2007 can host five mailbox databases and five storage groups. The enterprise edition of Exchange Server 2007 can host up to 50 mailbox databases and 50 storage groups.

Lesson Review

You can use the following questions to test your knowledge of the information in Lesson 2. The questions are also available on the companion CD if you prefer to review them in electronic form.
NOTE Answers
Answers to these questions and explanations of why each answer choice is correct or incorrect are located in the “Answers” section at the end of the book.


  1. You have recently deployed Exchange Server 2007 for Coho Vineyard, a large local wine manufacturer. The deployment involves a single computer running Exchange Server 2007 with the Hub Transport, Mailbox, and Client Access roles deployed. You receive a complaint from the manager of the winery that several long-term clients have called to complain that their e-mails have bounced back. One clue to the problem is that the messages were sent to addresses using the cohowinery.com domain, an address used by the winery for many years. Messages addressed to people in the cohovineyard.com domain always arrive successfully at their destination. Which of the following configuration changes could you make to Exchange Server 2007 to ensure that e-mails from these long-term clients do not bounce?
    1. Configure cohowinery.com as an authoritative domain in accepted domains
    2. Configure cohovineyard.com as an authoritative domain in accepted domains
    3. Configure cohowinery.com as an internal relay domain in accepted domains
    4. Configure cohowinery.com as a remote domain
    5. Configure cohovineyard.com as a remote domain
  2. Which of the following Exchange Server 2007 roles would you configure to ensure that users received a warning when their mailbox was becoming too large?
    1. Client Access
    2. Mailbox
    3. Hub Transport
    4. Edge Transport
  3. You want to allow OWA clients in your organization the ability to access the SharePoint site hosted on server sharepoint.tailspintoys.internal. You do not want them to access the SharePoint site hosted on server secureshare.tailspintoys.internal. Which of the following steps do you need to take to allow this to occur?
    1. Add the site sharepoint.tailspintoys.internal to the block list on the Remote File Servers tab of the OWA Web site properties
    2. Add the site sharepoint.tailspintoys.internal to the allow list on the Remote File Servers tab of the OWA Web site properties
    3. Add the site secureshare.tailspintoys.internal to the block list on the Remote File Servers tab of the OWA Web site properties
    4. Add the domain suffix tailspintoys.internal to the list of domain suffixes that should be treated as internal
    5. Add the site secure.tailspintoys.internal to the allow list on the Remote File Servers tab of the OWA Web site properties
  4. You are planning the deployment of Exchange Server 2007 enterprise edition. This server will host the Mailbox server role. The server will host 16 mailbox databases. What is the minimum number of storage groups that will be necessary to host these mailbox databases?
    1. One
    2. Two
    3. Three
    4. Four
    5. Five
  5. Your Exchange Server 2007 organization has a single site and a single server. The server’s name is Canberra. This server hosts the Hub Transport, Mailbox, and Client Access server roles. You want to enable Exchange’s anti-spam features on this server but cannot locate the Enable Anti-spam item in the Actions pane when the Hub Transport server is selected. Which of the following must you do prior to enabling the anti-spam features of Exchange Server 2007?
    1. Install the Edge Transport role
    2. Run the command Set-TransportServer -Identity 'Canberra' -AntispamAgentsEnabled $true from the Exchange Management Shell
    3. Install Forefront Security for Exchange Server
    4. Reinstall the Hub Transport role
  6. Several months ago, you removed the Mailbox server role from a computer running Exchange Server 2007. The computer retained the Client Access server role. Conditions at the location where the server is deployed have changed, and you need to reinstall the Mailbox server role. Which of the following steps must you take before reinstalling this role?
    1. Remove the Client Access server role
    2. Remove the Mailbox server role
    3. Remove the computer hosting Exchange from the domain and then rejoin the computer to the domain
    4. Manually remove the existing Mailbox database files and log files
    5. Reinstall the Client Access server role
