Lesson 1:
In this lesson, you will learn how to perform the installation of Exchange Server 2007 and ancillary components such as clustering, antivirus, and anti-spam. As part of the predeployment process, you will have determined which Exchange Server roles are appropriate for your organization and prepared the appropriate software environment for the installation of these roles. The lesson will then discuss the methods of installing Exchange Server 2007 and how to configure SSL and Network Load Balancing (NLB). The lesson will examine steps that should be taken prior to implementing clustering and adding antivirus and anti-spam protection to Exchange Server 2007.
When you are ready to enter the product key, open the Exchange Management Console, click Server Configuration, select the server that you wish to enter the product key for, and then click Enter Product Key in the Actions box. You then enter the product key in the dialog box shown in Figure 2-6. When you click Enter, the product ID will be generated, and Exchange Server 2007 will be licensed.
During the setup of Forefront Security for Exchange Server, five separate antivirus scanning engines can be installed. You can either go with the random selection of engines performed by the Setup Wizard or choose four engines in addition to the Microsoft Antimalware engine, as shown in Figure 2-7. The engines that you can install as a part of Forefront Security include the following:
By default, client computers and devices trust only certain issuing authorities. You can view such a list of trusted authorities by clicking Certificates in the Content tab of Internet Properties or Internet Options (depending on which version of Windows you are using) in Control Panel. Although in a managed environment it is possible to configure clients to trust the self-generated certificate created with the installation of the Client Access role, it may be cheaper to obtain an SSL certificate from an issuing authority that is already a trusted publisher than to configure a new trusted publisher for all clients that will access Exchange Server 2007 using SSL. Trusted SSL certificates do cost money, but it also costs your organization money to have you spending many hours configuring clients to accept a new certificate-issuing authority as trustworthy. The money saved on not buying a certificate is lost on paying you to configure devices to trust another certification authority (CA).
To obtain an SSL certificate for a server, you have to provide identity details about the server, specifically the server’s DNS name information. If you later decide to change the server’s name, you will need to obtain a new SSL certificate that reflects this name change. You can generate a certificate request file by running the Web Server Certificate Wizard. It is also possible to generate a certificate request from Exchange Management Shell by issuing the following command:
New-ExchangeCertificate -GenerateRequest -FriendlyName "SSL Access to Exchange 2007" -DomainName glasgow.tailspintoys.internal -Path c:\sslrequest.txt
The certificate request file is then forwarded to a trusted issuing authority that will issue the SSL certificate, generally for a certain fee. The process of requesting and installing an SSL certificate is covered in more detail by a practice exercise at the end of this lesson.
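The request, import, and enable sequence that the command above starts, written out as an added example for Exchange Management Shell (this is not the training kit's own code). It assumes the Exchange Server 2007 cmdlets New-ExchangeCertificate, Import-ExchangeCertificate and Enable-ExchangeCertificate; glasgow.tailspintoys.internal comes from the text, while mail.tailspintoys.com, the organization details in the subject, and the C:\sslcert.cer reply path are hypothetical.

```powershell
# Added example: request a CA-issued certificate for the Client Access server, then
# install it, check it names the host clients use, and bind it to IIS in place of the
# self-signed certificate created when the Client Access role was installed.

function New-ClientAccessCertificateRequest {
    param(
        # The first name becomes the subject CN; list every name clients will connect
        # with, because (as the text notes) a later rename means a new certificate.
        [Parameter(Mandatory = $true)] [string[]] $DomainNames,
        [string] $FriendlyName = 'SSL Access to Exchange 2007',
        [string] $RequestPath = 'C:\sslrequest.txt'
    )
    # Organization details are hypothetical; use your own.
    $subject = "CN=$($DomainNames[0]), O=Tailspin Toys, C=US"
    New-ExchangeCertificate -GenerateRequest -SubjectName $subject -DomainName $DomainNames `
        -FriendlyName $FriendlyName -PrivateKeyExportable $true -Path $RequestPath
    return $RequestPath
}

function Install-ClientAccessCertificate {
    param(
        # The issuing authority's reply (hypothetical path).
        [Parameter(Mandatory = $true)] [string] $CertificatePath,
        # Name clients actually use; the certificate must carry it or browsers will warn.
        [Parameter(Mandatory = $true)] [string] $ExpectedName
    )
    # Import returns the certificate object; its thumbprint identifies it from here on.
    $cert = Import-ExchangeCertificate -Path $CertificatePath

    if ($cert.Subject -notlike "*CN=$ExpectedName*") {
        throw "Certificate subject '$($cert.Subject)' does not name $ExpectedName; not enabling it."
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Certificate expires on $($cert.NotAfter); schedule a renewal now."
    }

    # Binding to IIS makes OWA, Exchange ActiveSync and Outlook Anywhere present this
    # certificate instead of the self-signed one.
    Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS
    return $cert.Thumbprint
}

# Constructed workflow: generate the request, submit it to the issuing authority, and
# once the reply is saved, install the returned certificate.
$request = New-ClientAccessCertificateRequest -DomainNames 'glasgow.tailspintoys.internal', 'mail.tailspintoys.com'
Write-Host "Submit $request to the issuing authority, then run:"
Write-Host "  Install-ClientAccessCertificate -CertificatePath C:\sslcert.cer -ExpectedName glasgow.tailspintoys.internal"
```

After enabling, Get-ExchangeCertificate -Thumbprint with the returned thumbprint shows the services bound to the certificate and its expiry date.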
You will then install an SSL certificate on Exchange. To complete this practice, you will need access to the Windows Server 2003 installation media. Once you have verified that you have access to the installation media, perform the following steps:
An evaluation version of Forefront Security for Exchange Server is included with the Exchange Server 2007 installation media. Although you would normally perform message screening on an Edge Transport server on a perimeter network, we will install this package on the computer assigned the Hub Transport server role.
To complete this practice, perform the following steps:
After this lesson, you will be able to:
- Select the appropriate roles for an Exchange Server deployment given a set of organizational requirements.
- Perform a GUI-based, unattended, and command-line install of Exchange Server 2007.
- Install extra components, such as those that support clustering, load balancing, cryptography, antivirus, and spam-blocking functionality.
Choosing the Appropriate Role or Roles for the Server
The roles that you install on a computer running Exchange Server 2007 are determined by a set of needs. For example, if your organization is going to use only traditional e-mail and does not intend Exchange to meet voice-messaging or fax storage roles, you need not install the Unified Messaging server role. Part of the 70-236 exam involves being able to decide which roles to install on an Exchange Server 2007 computer given a specific set of organizational requirements. The first part of this lesson will provide you with the information that will help you make such a recommendation. In the second part of the lesson, we will examine the configuration of clustering, load balancing, and the steps that you should take to protect against spam and viruses. When determining which roles to deploy on a computer, remember that each Active Directory site in which clients will access Exchange resources requires at least one Mailbox server, a Hub Transport server, and a Client Access server.
Edge Transport Role
Edge Transport servers route messages between the Internet and your Exchange organization. Edge Transport servers are placed on an organization’s perimeter network and are not members of the Active Directory environment. A perimeter network is a location between an outer firewall and an inner firewall. Other vendors sometimes refer to perimeter networks as screened subnets or demilitarized zones. Rather than traffic passing through a firewall directly to a protected internal network, perimeter networks are configured so that traffic can pass only from unprotected networks, such as the Internet, to the perimeter network or from the protected network to the perimeter network. Hosts located on the perimeter network are used to relay that traffic.
Edge Transport servers are often used as a blockade point for incoming and outgoing mail, ensuring that the mail is checked for viruses or unsolicited commercial e-mail, known colloquially as spam, prior to leaving the perimeter network. If problematic messages can be discarded on the perimeter of your organization’s network, they will not clog up your internal mail infrastructure. If only 50 percent of the mail that is addressed to your organization is spam, dealing with it at the edge of your organization’s network will halve the load on the rest of your mail infrastructure.
The main consideration with Edge Transport servers is that this role can be installed only if other roles are not present. Edge Transport servers should be placed only on perimeter networks. If your organization has no perimeter network, you should install the Hub Transport server role instead.
Hub Transport Role
The purpose of the Hub Transport role is to route traffic between Active Directory sites. If your organization has multiple Active Directory sites, any message you send to someone in a remote site will be routed to that site through your organization’s Hub Transport servers. Exchange servers assigned the Hub Transport role are deployed on the protected network and are members of the Active Directory environment. At least one server assigned the Hub Transport role is required at each site for mail to be routed correctly. Servers with the Hub Transport role function in a manner similar to that of the bridgehead servers in earlier versions of Exchange.
In the event that you do not deploy an Edge Transport server, a server configured with the Hub Transport role can be used to receive and send mail traffic to the Internet. Many small and medium-sized organizations are likely to use the Hub Transport role to handle this traffic, especially if they have only a small number of computers running Exchange Server 2007. Like a server assigned the Edge Transport role, a server assigned the Hub Transport role can be configured to examine the traffic that it processes for viruses and spam. The Hub Transport role can coexist with the Client Access, Unified Messaging, and Mailbox server roles.
Client Access Role
The Client Access role provides a gateway between clients and their mailboxes. A client computer running Outlook or Exchange ActiveSync or connected using a Web browser to Outlook Web Access (OWA) connects to the Client Access server, which in turn connects to the appropriate Mailbox server. The Client Access server role is designed to optimize the performance of the Mailbox server by offloading the processing requirements. For example, rather than having the server hosting mailboxes be responsible for performing the necessary calculations to encrypt SSL traffic, this task is handled by the Client Access server. Of course, in many situations, the Client Access role will be hosted on the same computer as the Mailbox server role. The ability to separate these tasks onto a different computer allows administrators to optimize their Exchange organization.
If a single external URL of OWA or Exchange ActiveSync is required, Client Access servers must be configured for proxying. The Client Access server should be connected to the Mailbox servers it provides access to with a bandwidth of at least 100 Mbps. In enterprise environments, a gigabit connection is preferable. This means that you should have a Client Access server located in each site where there is a Mailbox server.
Mailbox Server Role
The Mailbox server role hosts mailboxes and public folders. Mailbox servers are where all the message data is stored, so they need to be provisioned with more disk space than any other role in your Exchange organization. There needs to be a computer hosting the Mailbox server role in each location where mail will be accessed. Besides storing message data, Mailbox servers also provide the scheduling services for Microsoft Office Outlook users.
Clustered Mailbox Roles
Clustered Mailbox servers provide high availability through the use of Windows Server 2003 and Windows Server 2008 clustering technology. You would choose this role over the standard Mailbox server role if you needed to ensure that mailboxes were always available. Of course, you want mailboxes to be available all the time anyway, but to ensure that they are, your organization will have to spend the money to host them on a cluster. Because of their reliance on clustering technology, you can install the Clustered Mailbox server roles only on computers running Windows Server 2003 enterprise edition or Windows Server 2008 enterprise edition. The standard editions of Windows Server software do not support the necessary form of clustering. Clustered Mailbox servers cannot share hardware with other server roles. If you select one of the Clustered Mailbox options during the installation process, as shown in Figure 2-1, you will not be able to install any other server roles.
There are two separate types of Clustered Mailbox role:
- Active Clustered Mailbox role This role provides highly available, redundant e-mail storage. Install this role on the active node of the cluster.
- Passive Clustered Mailbox role This role provides highly available, redundant e-mail storage. Install this role on the passive node of the cluster.
Unified Messaging Server Role
Unified Messaging allows users to access their Exchange Server 2007 mailbox over an appropriately configured smart phone or telephone. You should deploy one Unified Messaging server in each site where you want to provide access to its services. When deployed, Unified Messaging provides the following features:
- Answering machine
- Fax reception
- Subscriber access
- Access voice mail over telephone
- Listen to, forward, and reply to e-mail messages over the telephone
- Listen to calendar information over the telephone
- Dial contacts stored within Exchange over the telephone
- Respond to meeting requests over the telephone
NOTE Unified Messaging For more information on the capabilities of the Unified Messaging server role, consult the following link: http://technet.microsoft.com/en-us/library/bb123911.aspx.
Quick Check
- What are the requirements that need to be met to install the Edge Transport role on a computer running Windows Server 2003 R2 64-bit edition?
- Which server role can be used to manage the routing of e-mail into and out of an organization in the event that the Edge Transport server role is not deployed?
Quick Check Answers
- The computer cannot be a member of the domain. Active Directory Application Mode (ADAM) must be installed. Server should be deployed on the perimeter network.
- In the event that a server with the Edge Transport role is not deployed, a server with the Hub Transport role can manage the routing of e-mail into and out of the organization.
Preparing an Exchange Server 2007 Cluster
You can use clustering with Exchange Server 2007 only if you are also using Windows Server 2003 (or Windows Server 2008) enterprise edition. This is because Exchange Server 2007 relies on the Windows Cluster service, which is unavailable in the standard edition of Windows Server 2003. When you start Exchange Server 2007 setup on a node of an existing cluster, a version of Exchange that is compatible with clusters is installed. You cannot install Exchange Server 2007 on a server that is not a member of a cluster, join the server to a cluster, and then configure Exchange Server 2007 to work in a clustered configuration. If you want to shift from a standard Mailbox server role to a Clustered Mailbox server role, it will be necessary to remove Exchange entirely and reinstall the software before assigning the role. Chapter 13, “Recovering Server Roles and Configuring High Availability,” covers Exchange Server 2007 clustering in more detail.
Load Balancing
When two or more servers are configured to load balance, they accept requests on the basis of their current workload. For example, if two servers are configured to load balance and the first server is under greater workload than the second server, client requests will be directed to the second server until such time as the workload is balanced more evenly between the computers in the load-balancing set. Load balancing is used primarily with the Client Access, Edge Transport, and Hub Transport server roles.
An advantage of load balancing is that it is not necessary to configure it prior to the installation of Exchange Server 2007. Another advantage is that you are able to add and remove nodes without a significant amount of effort. For example, if you have load-balanced Edge Transport servers that are straining under the weight of transmitting and receiving e-mail, it is relatively simple to add another Edge Transport server to the NLB cluster and have it automatically share the load with the existing servers. In the event that a server fails in an NLB cluster, the NLB service automatically reconfigures the way it distributes traffic until the failed server can be brought back online.
Lesson 2 of Chapter 13 covers the configuration of network load balancing in Exchange Server 2007 in more detail. Round-robin DNS also provides a good way of load balancing Hub Transport roles within a particular site. The drawback of using round-robin DNS as a load balancing solution is that, unlike NLB, round-robin DNS cannot automatically detect the failure of one of the load-balanced hosts.
Installing Exchange Server 2007 Using the GUI
Exchange Server setup using the GUI can be completed using two options, as shown in Figure 2-2. Selecting the Typical Exchange Server Installation option installs the Hub Transport, Client Access, and Mailbox server roles. The Exchange Management tools will also be installed, as it is not possible to install any role without the management tools also being installed. It is possible to install the Edge Transport, Unified Messaging, or Clustered Mailbox server roles only if you select a custom install.
Once you have selected the roles to be installed, either through the typical or the custom setup screen, the Exchange Server 2007 installation routine performs a series of readiness checks, shown in Figure 2-3, to determine that the environment is ready for installation. If the readiness checks are passed, the wizard proceeds to installation. If the readiness checks fail, you will be informed as to the reason for the failure, and the installation process will terminate. During the installation, the Exchange Server 2007 installation files will be copied to the server. This means that if you need to add or remove a role at a later date (assuming that you have installed a role that can coexist with other roles), you will not need to remember where you put the installation media.
When the installation process finishes, the Exchange Server 2007 Finalize Deployment checklist is displayed. The Finalize Deployment checklist reminds you to perform the following tasks:
- Enter the Exchange Server product key
- Run the Exchange Best Practices Analyzer
- Configure offline address book distribution for Outlook 2007 clients
- Configure offline address book distribution for Outlook 2003 and earlier clients
- Configure SSL for your Client Access server
- Configure Exchange ActiveSync
- Configure domains for which you will accept e-mail
- Subscribe the Edge Transport server
- Create a postmaster mailbox
- Configure Unified Messaging
Command-Line and Unattended Installations of Exchange Server 2007
You are unlikely to use the unattended installation features of Exchange Server 2007 if you need to configure only one or two Exchange servers. If you need to deploy 50 identically configured servers running Exchange Server 2007, the option to perform an unattended installation becomes far more attractive. The unattended installation feature allows you to perform large deployments of Exchange Server 2007 without having to constantly configure the same set of options through the GUI.
An unattended installation allows you to set all the Exchange server’s configuration parameters at the start of the installation rather than having to provide them during the installation. Generally, this is done by configuring the options following a single setup command. Although you can use an answer file for part of the installation process, the answer file is used primarily for the installation of Clustered Mailbox roles.
Prior to examining all the options that can be used with the command line, we should examine the answer file, which is used in conjunction with the setup command. The first thing to realize is that not everything goes into the answer file. In fact, only a small set of the possible parameters that you can use with a command-line installation can be included in the answer file. The answer file can have the following parameters: CMSName, CMSIPAddress, CMSSharedStorage, CMSDataPath, NewCMS, RemoveCMS, RecoverCMS, UpgradeCMS, EnableLegacyOutlook, LegacyRoutingServer, ServerAdmin, ForeignForestFQDN, OrganizationName, DoNotStartTransport, UpdatesDir, EnableErrorReporting, NoSelfSignedCertificates, AdamLdapPort, and AdamSslPort.
A quick look at these parameters shows you that the majority of them have the CMS prefix. CMS is the acronym for Clustered Mailbox server. The answer file is used to ensure that nodes in a cluster have the same configuration. You use a single answer file for each node of the cluster. You generally do not use an answer file for a noncluster Exchange Server 2007 deployment.
The setup command has the following options:
Setup.com [/mode:<setup mode>] [/roles:<server roles to install>] [/OrganizationName:<name for the new Exchange organization>] [/TargetDir:<target directory>] [/SourceDir:<source directory>] [/UpdatesDir:<directory from which to install updates>] [/DomainController:<FQDN of domain controller>] [/AnswerFile:<filename>] [/DoNotStartTransport] [/EnableLegacyOutlook] [/LegacyRoutingServer:<legacy routing server name>] [/EnableErrorReporting] [/NoSelfSignedCertificates] [/AdamLdapPort:<port>] [/AdamSslPort:<port>] [/AddUmLanguagePack:<UM language pack name>] [/RemoveUmLanguagePack:<UM language pack name>] [/NewProvisionedServer] [/RemoveProvisionedServer] [/ForeignForestFQDN:<FQDN of foreign forest>] [/ServerAdmin:<user or group>] [/NewCms] [/RemoveCms] [/RecoverCms] [/CMSName:<name>] [/CMSIPAddress:<IP address>] [/CMSSharedStorage] [/CMSDataPath:<CMS data path>] [/?]
Many of the options are self-explanatory, and you can use abbreviations rather than entering the full option. The most important ones include the following:
- /mode or /m You can set this to Install, Upgrade, Uninstall, or RecoverServer.
- /role, /roles, or /r Specifies which roles to install. You can install the following:
  - ClientAccess, CA, or C Client Access role
  - EdgeTransport, ET, or E Edge Transport role
  - HubTransport, HT, or H Hub Transport role
  - Mailbox, MB, or M Mailbox role
  - UnifiedMessaging, UM, or U Unified Messaging role
  - ManagementTools, MT, or T Management tools (automatically installed if any other role is selected)
- /OrganizationName or /on Necessary only when setting up a new Exchange organization. If you have run Setup /PrepAD, then the /OrganizationName switch is unnecessary.
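The role-coexistence rules from the first part of this lesson and the /roles abbreviations above, turned into a pre-flight check that builds the Setup.com line. This is an added example, not code from the training kit or from Exchange setup; it encodes only the rules the text states (Edge Transport is exclusive and must not be domain-joined, the other server roles need a forest member, management tools are implied) and leaves Clustered Mailbox installs out of scope.

```powershell
# Added example: validate a requested role set against the rules this lesson describes and
# build the matching Setup.com command line. Clustered Mailbox (/NewCms) is not modelled.

function New-ExchangeSetupCommandLine {
    [CmdletBinding()]
    param(
        # Role names or abbreviations accepted by /roles, e.g. 'HT','CA','MB'.
        [Parameter(Mandatory = $true)] [string[]] $Roles,
        # Only for a brand-new organization; unnecessary once Setup /PrepAD has run.
        [string] $OrganizationName,
        # Override for testing; by default the local computer's domain membership is queried.
        [Nullable[bool]] $PartOfDomain = $null
    )

    # Every spelling and abbreviation listed for /roles maps to one canonical token.
    # Hashtable keys are case-insensitive, so 'ht' and 'HT' both resolve.
    $roleAlias = @{
        ClientAccess = 'CA'; CA = 'CA'; C = 'CA'
        EdgeTransport = 'ET'; ET = 'ET'; E = 'ET'
        HubTransport = 'HT'; HT = 'HT'; H = 'HT'
        Mailbox = 'MB'; MB = 'MB'; M = 'MB'
        UnifiedMessaging = 'UM'; UM = 'UM'; U = 'UM'
        ManagementTools = 'MT'; MT = 'MT'; T = 'MT'
    }
    $selected = foreach ($r in $Roles) {
        if (-not $roleAlias.ContainsKey($r)) {
            throw "Unknown role '$r'. Valid values: $($roleAlias.Keys -join ', ')"
        }
        $roleAlias[$r]
    }
    $selected = @($selected | Sort-Object -Unique)

    # The management tools come with any server role, so name them only when they are
    # the only component being installed.
    $serverRoles = @($selected | Where-Object { $_ -ne 'MT' })
    if ($serverRoles.Count -eq 0) { $serverRoles = @('MT') }

    # Rule 1 (from the text): Edge Transport can be installed only if no other role is present.
    if ($serverRoles -contains 'ET' -and $serverRoles.Count -gt 1) {
        throw 'Edge Transport cannot coexist with other roles; use Hub Transport on a multi-role server.'
    }

    # Rule 2 (from the text): Edge Transport is a stand-alone perimeter host, while Hub
    # Transport, Client Access, Mailbox and Unified Messaging require a forest member.
    if ($null -eq $PartOfDomain) {
        $PartOfDomain = [bool](Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain
    }
    if ($serverRoles -contains 'ET' -and $PartOfDomain) {
        throw 'Edge Transport must be installed on a computer that is not a domain member.'
    }
    $needsDomain = @($serverRoles | Where-Object { @('ET', 'MT') -notcontains $_ }).Count -gt 0
    if ($needsDomain -and -not $PartOfDomain) {
        throw 'Hub Transport, Client Access, Mailbox and Unified Messaging require a domain member.'
    }

    $parts = @('/mode:Install', "/roles:$($serverRoles -join ',')")
    if ($OrganizationName) { $parts += "/OrganizationName:$OrganizationName" }
    return "Setup.com $($parts -join ' ')"
}

# Constructed usage: a typical member-server install, then the combination the text rules out.
New-ExchangeSetupCommandLine -Roles 'HT', 'CA', 'MB' -PartOfDomain $true
try { New-ExchangeSetupCommandLine -Roles 'ET', 'HT' -PartOfDomain $false } catch { Write-Warning $_ }
```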
Installing an Edge Transport Server
Edge Transport servers should be stand-alone computers that are not members of the Active Directory forest. It follows that the user account used for the installation of the Exchange Server 2007 software does not need to be delegated any of the Exchange administrator roles. When installing the Edge Transport server role using the GUI, ensure that the Windows .NET Framework version 2.0, Windows PowerShell, ADAM with Service Pack 1, and Microsoft Management Console version 3.0 or higher are installed. You also need to ensure that the fully qualified domain name (FQDN) for the server that will host the Edge Transport role is set. You can set this information from the Computer Name tab of System Properties. Prior to installing the Edge Transport role, you should also ensure that the IP addresses assigned to the computer are registered in DNS and that MX records have been set appropriately.
You need to choose a custom Exchange Server installation on the Exchange Server 2007 Setup page to be able to select the Edge Transport server role on the Server Role Selection page. Once the role is installed, Exchange Management Console will launch and a list of postinstallation tasks will be displayed. These tasks will be covered in more detail in Lesson 2 of this chapter.
Once the Edge Transport server role has been installed, it is possible to clone the configuration of the server so that you can install more Edge Transport servers to share the load. You run an Exchange Management Shell script to export the configuration from the original Edge Transport server to an XML file and then import that XML configuration file on the target server.
Quick Check
- What do the majority of the possible parameters in the answer file relate to?
- What command would you use from the command line to install the Edge Transport role on a stand-alone server?
Quick Check Answers
- Clustered Mailbox servers.
- Setup /mode:install
Postinstallation Tasks
The quickest way to verify the configuration of a newly installed Exchange Server 2007 deployment is to open an Exchange Management Shell and issue the command get-ExchangeServer | Format-List. This command produces output in the format shown in Figure 2-4. By examining this output, you can determine which server roles have successfully installed as well as other important configuration information, including whether a valid license key has been input.
Examining Logs for Problems
If you suspect that a deployment has not gone according to plan, you should examine the logs to tease out details of things that may have gone awry. You can search for information in two primary locations:
- Check the installation logs. The installation logs are located at C:\Program Files\Microsoft\Exchange Server\Logging\SetupLogs.
- Check the event logs. Events related to Exchange Server 2007 are written to the Application event log. Exchange events include warning, information, and critical errors.
Applying Updates and Service Packs
In general, you should apply all available updates and service packs to Windows Server 2003 (or Windows Server 2008 in the event you are using it as the host operating system) prior to the installation of Exchange Server 2007. Once the installation process has been successfully completed, you should check whether new service packs or updates exist for Exchange Server 2007. Service packs provide updates and sometimes add new functionality. The best time to deploy updates and service packs is directly after installation. This way, you do not have to worry about taking management’s mailboxes offline while you do maintenance, as you will not have deployed management mailboxes to the server yet.
Assigning Users Roles
Chapter 1 examined what each of the Exchange Server 2007 administrative roles is used for. Once Exchange is installed, it is possible to use the Exchange Management Console to apply these roles to particular users. To do this, open the Exchange Management Console, right-click the Organization Configuration node, and then click Add Exchange Administrator. This will start the Add Exchange Administrator Wizard. As shown in Figure 2-5, you browse to select a user or group and select the role and scope of the role. It is necessary to specify servers for a role only if the Exchange Server administrator role is assigned. If you are assigning the Exchange Server administrator role, you must ensure that the user or group you have assigned this role to is a member of the Local Administrators group on the server you have designated. If the user or group does not have membership of the Local Administrators group, they will be unable to perform some or all of their tasks.
You can also assign roles to users and groups using Exchange Management Shell. The configuration setting shown in the previous figure can be achieved by entering the following command:
Add-ExchangeAdministrator -Identity 'tailspintoys.internal/Users/Sam Abolrous' -Role 'ServerAdmin' -Scope 'GLASGOW'
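The following added example (not the training kit's code) performs the same delegation from the shell, reads it back, and checks the Local Administrators prerequisite the text warns about. It assumes the tailspintoys.internal forest and GLASGOW server from the lesson and that the account's sAMAccountName is Sam_Abolrous, following the First_Last convention the practices use.

```powershell
# Added example for this lesson, not code from the training kit. Assumptions: the
# tailspintoys.internal forest and GLASGOW server from the lesson, and that the account's
# sAMAccountName is Sam_Abolrous (the practices use the First_Last convention).
$Identity       = 'tailspintoys.internal/Users/Sam Abolrous'
$SamAccountName = 'Sam_Abolrous'
$Server         = 'GLASGOW'

# Server-scoped ServerAdmin is the narrower grant; OrgAdmin would cover every server.
Add-ExchangeAdministrator -Identity $Identity -Role ServerAdmin -Scope $Server

# Read the delegation back rather than trusting that the cmdlet did what was intended.
Get-ExchangeAdministrator |
    Where-Object { $_.Role -eq 'ServerAdmin' -and "$($_.Scope)" -match $Server } |
    Format-Table Identity, Role, Scope -AutoSize

function Test-LocalAdministratorsMember([string]$Computer, [string]$Account) {
    # Enumerate direct members of the server's local Administrators group through the
    # WinNT ADSI provider. Only direct members are listed, so an account that is an
    # administrator through a nested domain group appears under that group's name.
    $group = [ADSI]("WinNT://$Computer/Administrators,group")
    $names = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    return ($names -contains $Account)
}

# The lesson's caveat: a Server Administrator without local Administrators membership
# cannot perform some or all tasks. Report it now instead of discovering it later.
if (-not (Test-LocalAdministratorsMember -Computer $Server -Account $SamAccountName)) {
    Write-Warning ("$SamAccountName is not a direct member of Administrators on $Server; " +
        'add the account (or a group it belongs to) before expecting the ServerAdmin role to work.')
}
```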
Enter the Product Key
In previous versions of Exchange, you entered a product key during the installation process. If you did not have the product key, you could not complete the installation. With Exchange Server 2007, the license key is entered during a 120-day period after the installation process has been completed. Until the product key is entered, Exchange Server 2007 runs in trial mode. This is functionally equivalent to the normal operational mode of Exchange Server 2007 except that the trial period lasts only 120 days.
As an administrator, this gives you a grace period to ensure that the server you install and activate is deployed in the location that best benefits your organization. It also gives you a chance to be certain that you have configured a server correctly. If you are rushed into product activation, you may activate a server only to find that you have to reinstall from scratch because of some configuration problem that you did not initially notice. You do not need to rush to enter the product key, but also make sure that you do not do it at the last moment.
When you are ready to enter the product key, open the Exchange Management Console, click Server Configuration, select the server that you wish to enter the product key for, and then click Enter Product Key in the Actions box. You then enter the product key in the dialog box shown in Figure 2-6. When you click Enter, the product ID will be generated, and Exchange Server 2007 will be licensed.
Installing Antivirus and Anti-spam
E-mail communication is the lifeblood of many businesses. E-mail is also the conduit through which harmful material can enter and exit the organization in the form of viruses. Spam, also known as unsolicited commercial e-mail, is less harmful than viruses in terms of damaging computers and infrastructure. However, dealing with spam does take valuable time away from other tasks. An evaluation of Forefront Security for Exchange Server 2007 is included with the Exchange Server 2007 installation media. In this section, we will briefly look at setting up Forefront. Chapter 6, “Spam, Viruses, and Compliance,” provides more detail on the application and how it can be used to protect your network environment.
During the setup of Forefront Security for Exchange Server, five separate antivirus scanning engines can be installed. You can either go with the random selection of engines performed by the Setup Wizard or choose four engines in addition to the Microsoft Antimalware engine, as shown in Figure 2-7. The engines that you can install as a part of Forefront Security include the following:
- AhnLab Antivirus Scan Engine
- CA InoculateIT
- CA Vet
- Authentium Command Antivirus
- Kaspersky Antivirus Technology
- Norman Virus Control
- Sophos Virus Detection
- VirusBuster Antivirus
Securing Communication
SSL provides a way of encrypting traffic between a client and a server and also provides a method of verifying the server’s identity. You most likely have used SSL before when performing activities like shopping online. When the Client Access server role is installed, a self-signed SSL certificate is generated and installed for the default Web site in Internet Information Services. You can view this certificate by clicking View Certificate on the Directory Security tab of the default Web site properties in Internet Information Services. The downside to this automatically generated certificate is that it is issued by an authority that will not be trusted by any clients, including, as Figure 2-8 demonstrates, the computer that issued the certificate.
By default, client computers and devices trust only certain issuing authorities. You can view such a list of trusted authorities by clicking Certificates in the Content tab of Internet Properties or Internet Options (depending on which version of Windows you are using) in Control Panel. Although in a managed environment it is possible to configure clients to trust the self-generated certificate created with the installation of the Client Access role, it may be cheaper to obtain an SSL certificate from an issuing authority that is already a trusted publisher than to configure a new trusted publisher for all clients that will access Exchange Server 2007 using SSL. Trusted SSL certificates do cost money, but it also costs your organization money to have you spending many hours configuring clients to accept a new certificate-issuing authority as trustworthy. The money saved on not buying a certificate is lost on paying you to configure devices to trust another certification authority (CA).
To obtain an SSL certificate for a server, you have to provide identity details about the server, specifically the server’s DNS name information. If you later decide to change the server’s name, you will need to obtain a new SSL certificate that reflects this name change. You can generate a certificate request file by running the Web Server Certificate Wizard. It is also possible to generate a certificate request from Exchange Management Shell by issuing the following command: New-ExchangeCertificate -GenerateRequest -FriendlyName "SSL Access to Exchange 2007" -DomainName glasgow.tailspintoys.internal -Path c:\sslrequest.txt. The certificate request file is then forwarded to a trusted issuing authority that will issue the SSL certificate, generally for a certain fee. The process of requesting and installing an SSL certificate is covered in more detail by a practice exercise at the end of this lesson.
Practice: Exchange Server 2007 Installation and Setup
In these practices, you will perform several exercises that will familiarize you with installing Exchange Server 2007 and performing some postconfiguration steps. Practices 2 and 3 achieve the same goal by different routes, and you should perform only one of these practices before moving on to Practice 4.
Practice 1: Installing Exchange Server Using Graphical Tools
In this practice, you will create user accounts that will be used in the installation and configuration of Exchange Server 2007 in later practices. To complete this practice, perform the following steps:
- Log on to the computer that you prepared for the installation of Exchange Server 2007 in the practices at the end of Lesson 2 in Chapter 1.
- Open Active Directory Users and Computers and create the following user accounts and add them to the security groups in the table:
- Set the password of all these accounts to P@ssw0rd and configure the password to never expire.
- Log off.
Practice 2: Installing Exchange Server Using Graphical Tools
In this practice, you will install Exchange Server 2007 using graphical tools. Even if you end up using primarily command-line and scripted installation to deploy Exchange, you will likely be using the graphical tools the first time you deploy Exchange. If you perform Practice 2, it is not necessary to perform Practice 3. To complete this practice, perform the following steps:
- Log on with the Kim_Akers account.
- Insert the Exchange Server 2007 installation media. If the Exchange Server 2007 splash screen does not appear, open a command prompt, change to the drive that contains the Exchange Server 2007 installation media, and type setup.
- Verify that the first three steps under the Install category are grayed out, as shown in Figure 2-9. These steps are grayed out because you installed these components in an earlier lesson. Click Step 4: Install Microsoft Exchange.
- On the Introduction page, click Next.
- On the License Agreement page, review the license terms. Once you have reviewed the terms, select I Accept The Terms In The License Agreement and then click Next.
- On the Error Reporting page, click Next.
- On the Installation Type page, click Custom Exchange Server Installation and then click Next.
- On the Server Role Selection page, shown in Figure 2-10, select the Mailbox Role, Client Access Role, Hub Transport Role, and Unified Messaging Role options. Click Next.
- On the Client Settings page, review the information about Outlook 2003 and Entourage. Verify that No is selected and then click Next.
- The Exchange Server 2007 setup process will now perform readiness checks. As you have already installed the required components, this should produce no errors. Once the readiness checks are complete, click Install.
- The installation process will take between 20 and 50 minutes to complete, depending on the speed of the computer that you are installing it on. Exchange files will be copied to the server, and then the selected roles will be installed.
- When all the roles have been installed, you will get a message informing you that Exchange has successfully installed with no errors, as shown in Figure 2-11. Ensure that the Finalize Installation Using The Exchange Management Console option is selected and then click Finish.
- Once the installation finishes, the Exchange Management Console will open. You will be presented with a report informing you of which servers are currently unlicensed and how long they may remain so before their functionality is diminished. Click OK to dismiss this report.
- You will then be presented with the Finalize Deployment checklist shown in Figure 2-12.
Quick Check
- According to the information on the Client Settings page of the Exchange Server 2007 Setup Wizard, what will happen if you inform the installation wizard that there are client computers running Outlook 2003 or Entourage in your organization?
Quick Check Answer
- A public folder database will be created during setup. For more information on why a public folder database is necessary for computers running Outlook 2003 or Entourage, see Chapter 4, “Configuring Public Folders.”
Practice 3: Installing Exchange Server Using the Command Line
When you have to deploy Exchange multiple times, you will find it more efficient to use the command line rather than the graphical tools. In this practice, you will perform a command-line installation of Exchange Server 2007, adding exactly the same roles as were added in Practice 2. In essence, this practice achieves the same results as Practice 2 but does so using an alternate method. If you have performed Practice 2, it is not necessary to complete this practice. To complete this practice, perform the following steps:
- Log on with the Kim_Akers account.
- Insert the Exchange Server 2007 installation media. If the Exchange Server 2007 splash screen does not appear, open a command prompt and change to the drive that contains the Exchange Server 2007 installation media.
- Enter the command:
setup /mode:install /roles:HubTransport,ClientAccess,Mailbox,UnifiedMessaging
Practice 4: Assigning Users Administrative Roles
In this practice, you will assign administrative roles to two of the user accounts that you created in the first practice. To complete this practice, perform the following steps:
- Log on to the computer on which you have installed Exchange Server 2007 with the Kim_Akers user account.
- Open the Exchange Management Console.
- Select the Organization Configuration node, right-click, and then click Add Exchange Administrator.
- On the Add Exchange Administrator dialog box shown in Figure 2-13, click Browse and navigate to the Sam Abolrous account. Select the Exchange View-Only Administrator role and then click Add.
- Click Finish to close the Completion dialog box.
- Right-click the Organization Configuration node and then click Add Exchange Administrator.
- Click Browse and navigate to the Terry Adams user account.
- Select the Exchange Server Administrator role option and then click Add.
- In the Select Exchange Server dialog box, shown in Figure 2-14, select GLASGOW and then click OK.
- Click Add in the Add Exchange Administrator dialog box.
- Review the warning and then click Finish.
Quick Check
- What does the warning instruct you to do?
Quick Check Answer
- The warning instructs you to add the Terry Adams user account to the Local Administrators group on the computer hosting Exchange Server 2007.
Practice 5: Installing an SSL Certificate on Exchange Server 2007
In this practice, you will install an Enterprise Root Certificate Authority and configure it to generate SSL certificates. Although Exchange will automatically generate an SSL certificate and install it when you install the Client Access server role, clients attempting to access the server using SSL will not trust the issuing CA. By installing a CA and performing a request for an SSL certificate, this practice will simulate the steps you would take in requesting and installing an SSL certificate trusted by a third-party CA.
You will then install an SSL certificate on Exchange. To complete this practice, you will need access to the Windows Server 2003 installation media. Once you have verified that you have access to the installation media, perform the following steps:
- Log on to the computer that hosts Exchange Server 2007 using the Kim_Akers account.
- From Control Panel, open Add Or Remove Programs and then click Add/Remove Windows Components.
- Select Certificate Services. Click Yes to dismiss the warning that informs you that the computer name and domain membership cannot be changed. Click Next.
- On the CA Type page of the Windows Components Wizard, select Enterprise Root CA, as shown in Figure 2-15, and then click Next.
- On the CA Identifying Information page, enter the common name for the CA as Glasgow and then click Next.
- On the Certificate Database Settings page, review the default locations and then click Next.
- In the warning dialog box that informs you that Internet Information Services needs to be temporarily stopped, click Yes. Certificate Services will now be installed. You will be prompted for the Windows Server 2003 installation media during the installation process.
- You will be asked to enable Active Server Pages as a part of the Certificate Services installation process. Click Yes.
- On the Completing The Windows Components Wizard page, click Finish.
- Open Internet Information Services and expand the Server And Web Sites node.
- Right-click Default Web Site and select Properties.
- Click the Directory Security tab and then click the Server Certificate button. This will start the Web Server Certificate Wizard. Click Next.
- On the Modify The Current Certificate Assignment page, select Remove The Current Certificate and then click Next twice. Click Finish.
- Click the Server Certificate button again to restart the wizard and then click Next.
- Select Create A New Certificate and click Next. Select Send The Request Immediately To An Online Certification Authority and then click Next.
- Set the name for the certificate to OWA and then click Next.
- Set the organization to Tailspin Toys and the organizational unit to Exchange and then click Next.
- Leave the default common name and then click Next.
- Set the state/province to Washington and the city/locality to Redmond and then click Next twice.
- Leave the default SSL port and click Next.
- Select GLASGOW.tailspintoys.internal\glasgow as the CA to process the request and click Next twice. Click Finish.
- Click OK to close Default Website Properties.
- In Internet Explorer, open the site https://glasgow/certsrv.
- On the Security Warning About Trusted Sites List page, click Yes.
- Click Download A CA Certificate, Certificate Chain, Or CRL.
- Click Download CA Certificate and save it to the desktop.
- Open the certificate and then install it using the Certificate Import Wizard.
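The request-and-install flow described in the Securing Communication section and walked through in Practice 5 can also be done from the Exchange Management Shell. This is an added example, not code from the training kit; it assumes the GLASGOW server, the tailspintoys.internal namespace and the enterprise CA named glasgow from Practice 5, and the file paths are constructed for the example.

```powershell
# Added example for this lesson, not code from the training kit. Assumptions: the GLASGOW
# server, the tailspintoys.internal namespace and the enterprise CA named 'glasgow' that
# Practice 5 installs; file paths are constructed for the example.
$Fqdn        = 'glasgow.tailspintoys.internal'
$CaConfig    = 'GLASGOW.tailspintoys.internal\glasgow'   # <CA host>\<CA common name>
$RequestFile = 'C:\sslrequest.txt'
$CertFile    = 'C:\sslcert.cer'

# 1. Build the request. The subject is the server's FQDN; the short name is added as an
#    extra DNS name so that https://glasgow/ (as used in Practice 5) also matches.
New-ExchangeCertificate -GenerateRequest -FriendlyName 'SSL Access to Exchange 2007' `
    -SubjectName "CN=$Fqdn,OU=Exchange,O=Tailspin Toys,L=Redmond,S=Washington,C=US" `
    -DomainName $Fqdn,'glasgow' -PrivateKeyExportable $true -Path $RequestFile

# 2. Submit the request to the enterprise CA from Practice 5, asking for the Web Server
#    template (the SSL/server-authentication template, not code signing, IPSec or EFS).
#    With a commercial CA you would instead send them the request file.
certreq -submit -attrib 'CertificateTemplate:WebServer' -config $CaConfig $RequestFile $CertFile

# 3. Import the issued certificate; Exchange pairs it with the private key from step 1.
$issued = Import-ExchangeCertificate -Path $CertFile

# 4. Bind it to IIS so Outlook Web Access and the other Client Access services stop using
#    the untrusted self-signed certificate. SMTP, POP, IMAP and UM bindings are untouched.
Enable-ExchangeCertificate -Thumbprint $issued.Thumbprint -Services IIS

function Test-IisCertificateTrusted {
    # Returns $true only when every certificate bound to IIS is CA-issued (not self-signed),
    # unexpired, and lists the FQDN clients will connect to.
    $iis = @(Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' })
    if ($iis.Count -eq 0) { return $false }
    foreach ($c in $iis) {
        if ($c.IsSelfSigned) { return $false }
        if ($c.NotAfter -lt (Get-Date)) { return $false }
        $domains = @($c.CertificateDomains | ForEach-Object { "$_" })
        if (-not ($domains -contains $Fqdn)) { return $false }
    }
    return $true
}

if (Test-IisCertificateTrusted) {
    Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
        Format-List Thumbprint, Subject, Issuer, CertificateDomains, NotAfter, IsSelfSigned
} else {
    Write-Warning 'IIS is still served by a self-signed, expired or mismatched certificate.'
}
```

Clients must still trust the issuing CA, which is what the certsrv download at the end of Practice 5 accomplishes for a lab CA; a commercial CA's root is already in the clients' trusted list.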
Practice 6: Installing the Evaluation Version of Forefront
An evaluation version of Forefront Security for Exchange Server is included with the Exchange Server 2007 installation media. Although you would normally perform message screening on an Edge Transport server on a perimeter network, we will install this package on the computer assigned the Hub Transport server role.
To complete this practice, perform the following steps:
- Log on to the computer hosting Exchange Server 2007 using the Kim_Akers account.
- Navigate to the Forefront directory on the Exchange Server 2007 installation media and double-click Setup.exe. This will start the Microsoft Forefront Security for Exchange Server Installation Wizard, as shown in Figure 2-16. Click Next to continue.
- Review the license agreement and then click Yes.
- On the Customer Information page, click Next.
- On the Installation Location page, ensure that Local Installation is selected and then click Next.
- On the Installation Type page, ensure that Full Installation is selected, as shown in Figure 2-17, and then click Next.
- On the Quarantine Security Settings page, ensure that Secure Mode is selected and then click Next.
- Review the five randomly selected antivirus scan engines and then click Next.
- Review the information on the Engine Updates Required page and then click Next.
- On the Choose Destination Location page, review the installation location and then click Next.
- In the Select Program Folder, review the location the program icons will be installed to and then click Next.
- On the Start Copying Files page, review the installation settings and then click Next. The installation process will now commence.
- During the installation process, you will be asked if you would like setup to restart the Exchange Transport service. Click Next to have the service restarted.
- After the service has been restarted, click Next and then click Finish. The readme file for Forefront Security for Exchange will open automatically. Review its contents and then close the file.
- Restart the computer.
- When the computer has restarted, log back on using the Kim_Akers user account. From the Programs menu, open Forefront Server Security Administrator. Click OK in the Connect To Server dialog box to open the local instance of this program. Click OK to dismiss the License Notice dialog box.
- Click Scanner Updates under Settings.
- Click Update Now in the right-hand-side pane of Forefront Server Security Administrator when Scanner Updates is selected, as shown in Figure 2-18.
Lesson Summary
- Mailbox servers host message data. Client Access servers allow access to Mailbox servers. Hub Transport servers route message data. Edge Transport servers route messages to and from the Internet, though this can also be done by Hub Transport servers. Unified Messaging servers store voice and fax data.
- The active Clustered Mailbox, passive Clustered Mailbox, and Edge Transport server roles cannot be installed with other roles.
- Computers assigned the Edge Transport server role are located on perimeter networks. They should not be members of an Active Directory environment.
- The standard way to set up Exchange Server 2007 is using a wizard that allows you to perform either a typical install, which installs the Client Access, Mailbox, and Hub Transport roles, or a custom install, where the combination of roles is selected by the administrator. The Unified Messaging, Edge Transport, and Clustered Mailbox roles can be installed graphically only by using a custom install.
- Command-line installation allows for a greater number of configuration options than the graphic installation. The majority of setup options must be passed directly from the command line. Answer files are used primarily to set up clusters.
- Communications with Client Access servers are encrypted using SSL. Installing the Client Access server role creates a default SSL certificate, though this will not be trusted by clients.
- Clustered roles require that the host server already be a node in a cluster. Clusters can be implemented on the enterprise editions of Windows Server 2003 and Windows Server 2008. You can implement active or passive mailbox clusters.
- Load balancing can be used to ensure that computers that host the Client Access, Hub Transport, and Edge Transport roles are not overwhelmed. This is done by adding servers hosting identical roles as nodes in an NLB cluster.
- An evaluation version of Forefront Security for Exchange Server is included with the Exchange Server 2007 installation media.
Lesson Review
You can use the following questions to test your knowledge of the information in Lesson 1, “Installing Exchange Server.” The questions are also available on the companion CD if you prefer to review them in electronic form.
- You are preparing a new deployment of Exchange Server 2007 in a single-domain environment spread over five separate Active Directory sites. Users at all sites will need speedy access to mail. Branch office sites are connected by a virtual private network (VPN) tunnel to the head office site, where you have already deployed an Edge Transport server and a server with the Hub Transport, Client Access, and Mailbox server roles. A single computer running Exchange Server 2007 will be deployed at each site. Which of the following roles should be deployed on these computers? (Choose all that apply.)
- Edge Transport
- Hub Transport
- Client Access
- Mailbox server
- Unified Messaging server
- In which of the following network locations should you deploy an Edge Transport server?
- Direct connection to the Internet
- Perimeter network
- Internal network
- Encrypted network
- Which of the following digital certificate templates should you use when requesting and installing a digital certificate on a computer that will provide the OWA service to remote clients?
- Code signing
- SSL
- IPSec
- EFS
- Your organization has a single computer with Exchange Server 2007 installed. This Exchange Server 2007 computer hosts the Hub Transport, Client Access, and Mailbox server roles. Users in your organization, who use primarily OWA, report slow connections to the server. You examine the performance of the server and find that although only 25 percent of the disk space on the server is consumed by mailbox databases, the processor usage statistics are consistently above 80 percent. To alleviate this problem, you will install a second computer running Exchange Server 2007. If you were to deploy only a single role on that computer, removing it from the existing server, which of the roles would you deploy to improve performance?
- Hub Transport
- Client Access
- Edge Transport
- Mailbox server
- Which of the following Exchange Server 2007 setup commands will install the Client Access, Hub Transport, and Mailbox server roles on a computer in an existing Exchange 2007 organization?
- setup /mode:install /roles:ClientAccess,Mailbox,EdgeTransport
- setup /mode:install /r:C,E,M,H
- setup /mode:upgrade /r:C,E,M,H
- setup /mode:install /r:C,M,H,U
- setup /mode:install /r::Mailbox,UnifiedMessaging,ClientAccess
- Each Exchange Server computer at your single site organization is assigned only one Exchange Server role. Your organization has five computers running Exchange Server 2007. You want to deal with messages containing spam or viruses before they reach user mailboxes. Which of the following computers running Exchange Server 2007 should you deploy Forefront Security for Exchange Server on? (Choose all that apply.)
- The computer assigned the Edge Transport server role
- The computer assigned the Hub Transport server role
- The computer assigned the Client Access server role
- The computer assigned the Mailbox server role
- The computer assigned the Unified Messaging server role