
20341b-core-solutions-of-microsoft-exchange-server-2013-v3

Copyright
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.
© 2014 Microsoft Corporation. All rights reserved.
Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.
Product Number: 20341B
Part Number: X18-52906
Released: 07/2014
Welcome!
Thank you for taking our training! We've worked together with our Microsoft Certified Partners for Learning Solutions and our Microsoft IT Academies to bring you a world-class learning experience, whether you're a professional looking to advance your skills or a student preparing for a career in IT.
Microsoft Certified Trainers and Instructors
Your instructor is a technical and instructional expert who meets ongoing certification requirements. And, if instructors are delivering training at one of our Certified Partners for Learning Solutions, they are also evaluated throughout the year by students and by Microsoft.
Certification Exam Benefits
After training, consider taking a Microsoft Certification exam. Microsoft Certifications validate your skills on Microsoft technologies and can help differentiate you when finding a job or boosting your career. In fact, independent research by IDC concluded that 75% of managers believe certifications are important to team performance.[1] Ask your instructor about Microsoft Certification exam promotions and discounts that may be available to you.
Customer Satisfaction Guarantee
Our Certified Partners for Learning Solutions offer a satisfaction guarantee and we hold them accountable for it. At the end of class, please complete an evaluation of today's experience. We value your feedback!
We wish you a great learning experience and ongoing success in your career!
Sincerely, Microsoft Learning www.microsoft.com/learning
[1] IDC, Value of Certification: Team Certification and Organizational Performance, November 2006
Acknowledgments
Microsoft Learning wants to acknowledge and thank the following for their contribution toward developing this title. Their effort at various stages in the development has ensured that you have a good classroom experience.
Stan Reimer, Content Developer
Stan Reimer is president of S. R. Technical Services Inc., and he works as a consultant, trainer, and author. Stan has extensive experience consulting on Active Directory and Exchange Server deployments for some of the largest companies in Canada. Stan is the lead author for two Active Directory books for Microsoft Press. For the last ten years, Stan has been writing courseware for Microsoft Learning, specializing in Active Directory and Exchange Server courses. Stan has been a Microsoft Certified Trainer (MCT) for 14 years.
Damir Dizdarevic, Course Designer/Content Developer
Damir Dizdarevic is an MCT, Microsoft Certified Solutions Expert (MCSE), Microsoft Certified Technology Specialist (MCTS), and a Microsoft Certified Information Technology Professional (MCITP). He is a manager and trainer of the Learning Center at Logosoft d.o.o., in Sarajevo, Bosnia and Herzegovina. Damir has more than 17 years of experience on Microsoft platforms and he specializes in Microsoft Windows Server, Exchange Server, security, and virtualization. He has worked as a subject matter expert and author on many Microsoft Official Courses (MOC) courses, mostly on Exchange and Windows Server topics, and has published more than 400 articles in various IT magazines, such as Windows ITPro. He's also a frequent and highly rated speaker at most Microsoft conferences in South and Eastern Europe. Additionally, he is a Microsoft Most Valuable Professional and a president of the MS Community user group in Bosnia. His blog about MS technologies can be found at: http://dizdarevic.ba/ddamirblog.
Siegfried Jagott, Content Developer
Siegfried Jagott is a Principal Consultant and Team Lead for the Messaging and Collaboration team at Atos Germany. He is an award-winning author of Microsoft Exchange Server 2010 Best Practices (Microsoft Press), and has authored and technically reviewed several Microsoft Official Curriculum (MOC) courses on various topics such as MOC 10165: Updating Your Skills from Microsoft Exchange Server 2003 or Exchange Server 2007 to Exchange Server 2010 SP1. He has coauthored various books on Windows, Microsoft System Center Virtual Machine Manager, and Exchange, and is a frequent presenter on these topics at international conferences such as IT & Dev Connections Spring 2012 in Las Vegas. Siegfried has planned, designed, and implemented some of the world's largest Windows and Exchange Server infrastructures for international customers. He received an MBA from Open University in England, and has been an MCSE since 1997.
Vladimir Meloski, Content Developer
Vladimir is a Microsoft Certified Trainer, an MVP on Exchange Server, and a consultant, providing unified communications and infrastructure solutions based on Microsoft Exchange Server, Lync Server, and System Center. Vladimir has 16 years of professional IT experience, and has been involved in Microsoft conferences in Europe and the United States as a speaker, moderator, proctor for hands-on labs, and technical expert. He has also been involved as a subject matter expert and technical reviewer for several Microsoft Official Curriculum courses.
Robert Genes, Content Developer
Robert Genes is a messaging architect and a Microsoft Certified Master for Exchange Server 2010. As the manager of genes messaging solutions he has worked in different Exchange Server projects in south Germany. Robert is specialized in Exchange Server and has more than 10 years of experience.
Chris Crandall, Tech Reviewer
Chris Crandall is the Principal Architect for the Messaging Practice at CB5 Solutions, where he leads, oversees, and manages all engagements related to messaging infrastructure for enterprise customers in both the Public and Private Sector. Chris is a Microsoft Certified Master (MCM), Microsoft Certified Trainer (MCT), Microsoft Certified IT Professional (MCITP), and Microsoft Certified Technology Specialist (MCTS). He is currently writing an Exchange 2013 book as a contributing Subject Matter Expert (SME). Chris served as an SME and mentor in his role as Senior Premier Field Engineer at Microsoft, where he served more than 30 enterprise organizations, earning numerous awards for customer satisfaction and performance.
Martin Coetzer, Subject Matter Expert
Martin Coetzer is a Portfolio Architect with the Microsoft Learning eXperiences team. He is responsible for managing the Office 365, Exchange, Lync, SharePoint, Office and Dynamics certification portfolios. Prior to this Martin was a consultant responsible for architecting and deploying Microsoft technologies at medium to large customers around the world.
Contents
Title
Copyright
Welcome!
Acknowledgments
About This Course
    About This Course
    Course Materials
    Virtual Machine Environment
Module 1: Deploying and Managing Microsoft Exchange Server 2013
    Module Overview
    Lesson 1: Exchange Server 2013 Prerequisites and Requirements
    Lesson 2: Exchange Server 2013 Deployment
    Lesson 3: Managing Exchange Server 2013
    Lab: Deploying and Managing Exchange Server 2013
    Module Review and Takeaways
Module 2: Planning and Configuring Mailbox Servers
    Module Overview
    Lesson 1: Overview of the Mailbox Server Role
    Lesson 2: Planning the Mailbox Server Deployment
    Lesson 3: Configuring the Mailbox Servers
    Lab: Configuring Mailbox Servers
    Module Review and Takeaways
Module 3: Managing Recipient Objects
    Module Overview
    Lesson 1: Managing Exchange Server 2013 Mailboxes
    Lesson 2: Managing Other Exchange Recipients
    Lesson 3: Planning and Implementing Public Folder Mailboxes
    Lesson 4: Managing Address Lists and Policies
    Lab: Managing Recipient Objects
    Module Review and Takeaways
Module 4: Planning and Deploying Client Access Servers
    Module Overview
    Lesson 1: Planning Client Access Server Deployment
    Lesson 2: Configuring the Client Access Server Role
    Lesson 3: Managing Client Access Services
    Lab: Deploying and Configuring a Client Access Server Role
    Module Review and Takeaways
Module 5: Planning and Configuring Messaging Client Connectivity
    Module Overview
    Lesson 1: Client Connectivity to the Client Access Server
    Lesson 2: Configuring Outlook Web App
    Lesson 3: Planning and Configuring Mobile Messaging
    Lesson 4: Configuring Secure Internet Access for Client Access Server
    Lab: Planning and Configuring Messaging Client Connectivity
    Module Review and Takeaways
Module 6: Planning and Implementing High Availability
    Module Overview
    Lesson 1: High Availability on Exchange Server 2013
    Lesson 2: Configuring Highly Available Mailbox Databases
    Lesson 3: Configuring Highly Available Client Access Servers
    Lab: Implementing High Availability
    Module Review and Takeaways
Module 7: Planning and Implementing Disaster Recovery
    Module Overview
    Lesson 1: Planning for Disaster Mitigation
    Lesson 2: Planning and Implementing Exchange Server 2013 Backup
    Lesson 3: Planning and Implementing Exchange Server 2013 Recovery
    Lab: Implementing Disaster Recovery for Exchange Server 2013
    Module Review and Takeaways
Module 8: Planning and Configuring Message Transport
    Module Overview
    Lesson 1: Overview of Message Transport and Routing
    Lesson 2: Planning and Configuring Message Transport
    Lesson 3: Managing Transport Rules
    Lab: Planning and Configuring Message Transport
    Module Review and Takeaways
Module 9: Planning and Configuring Message Hygiene
    Module Overview
    Lesson 1: Planning Messaging Security
    Lesson 2: Implementing an Antivirus Solution for Exchange Server 2013
    Lesson 3: Implementing an Anti-Spam Solution for Exchange Server 2013
    Lab: Planning and Configuring Message Security
    Module Review and Takeaways
Module 10: Planning and Configuring Administrative Security and Auditing
    Module Overview
    Lesson 1: Configuring Role-Based Access Control
    Lesson 2: Configuring Audit Logging
    Lab: Configuring Administrative Security and Auditing
    Module Review and Takeaways
Module 11: Monitoring and Troubleshooting Microsoft Exchange Server 2013
    Module Overview
    Lesson 1: Monitoring Exchange Server 2013
    Lesson 2: Maintaining Exchange Server 2013
    Lesson 3: Troubleshooting Exchange Server 2013
    Lab: Monitoring and Troubleshooting Exchange Server 2013
    Module Review and Takeaways
Course Evaluation
Lab Answer Key: Module 1: Deploying and Managing Microsoft Exchange Server 2013
    Lab: Deploying and Managing Exchange Server 2013
Lab Answer Key: Module 2: Planning and Configuring Mailbox Servers
    Lab: Configuring Mailbox Servers
Lab Answer Key: Module 3: Managing Recipient Objects
    Lab: Managing Recipient Objects
Lab Answer Key: Module 4: Planning and Deploying Client Access Servers
    Lab: Deploying and Configuring a Client Access Server Role
Lab Answer Key: Module 5: Planning and Configuring Messaging Client Connectivity
    Lab: Planning and Configuring Messaging Client Connectivity
Lab Answer Key: Module 6: Planning and Implementing High Availability
    Lab: Implementing High Availability
Lab Answer Key: Module 7: Planning and Implementing Disaster Recovery
    Lab: Implementing Disaster Recovery for Exchange Server 2013
Lab Answer Key: Module 8: Planning and Configuring Message Transport
    Lab: Planning and Configuring Message Transport
Lab Answer Key: Module 9: Planning and Configuring Message Hygiene
    Lab: Planning and Configuring Message Security
Lab Answer Key: Module 10: Planning and Configuring Administrative Security and Auditing
    Lab: Configuring Administrative Security and Auditing
Lab Answer Key: Module 11: Monitoring and Troubleshooting Microsoft Exchange Server 2013
    Lab: Monitoring and Troubleshooting Exchange Server 2013
About This Course
This section provides a brief description of the course, audience, suggested prerequisites, and course objectives.
Course Description
This course will provide you with the knowledge and skills to plan, deploy, manage, secure, and support Microsoft Exchange Server 2013. This course will teach you how to configure Exchange Server 2013 and supply you with the information you will need to monitor, maintain, and troubleshoot Exchange Server 2013. This course will also provide guidelines, best practices, and considerations that will help you optimize performance and minimize errors and security threats in Exchange Server 2013.
Audience
This course is intended for people aspiring to be enterprise-level messaging administrators. Others who may take this course include IT generalists and help desk professionals who want to learn about Exchange Server 2013. People coming into the course are expected to have at least 3 years of experience working in the IT field, typically in the areas of network administration, help desk, or system administration. They are not expected to have experience with previous Exchange Server versions.
The secondary audience for this course will be candidates that are IT professionals who are looking to take the exam 70-341: Core Solutions of Microsoft Exchange Server 2013 as a standalone, or as part of the requirement for the Microsoft Certified Solutions Expert (MCSE) certification.
Student Prerequisites
This course requires that you meet the following prerequisites:
Understanding of TCP/IP and networking concepts.
Understanding of Windows Server 2008 or 2012 and AD DS, including planning, designing and
Understanding of security concepts such as authentication and authorization.
Working in a team or a virtual team.
Working knowledge of Public Key Infrastructure (PKI) technologies, Active Directory Certificate Services
Working knowledge of Domain Name System (DNS).
Course Objectives
After completing this course, students will be able to:
Perform an Exchange Server 2013 deployment and manage Exchange Server 2013
Plan for a Mailbox server role deployment and configure the Mailbox servers and mailbox databases
Manage Exchange Server 2013 recipients
Plan Client Access server deployment and configure the Client Access server roles
Plan and configure mobile messaging and secure Internet access for Client Access server
Configure highly available mailbox databases and Client Access servers
Plan and implement Exchange Server 2013 disaster recovery
Plan and configure message transport and manage transport rules
Plan message hygiene and implement an antivirus and anti-spam solution for Exchange Server 2013
Manage Role Based Access Control (RBAC) permissions and split permissions
Monitor, maintain, and troubleshoot Exchange Server 2013
Course Outline
The course outline is as follows:
Module 1, Deploying and Managing Microsoft Exchange Server 2013
Module 2, Planning and Configuring Mailbox Servers
Module 3, Managing Recipient Objects
Module 4, Planning and Deploying Client Access Servers
Module 5, Planning and Configuring Messaging Client Connectivity
Module 6, Planning and Implementing High Availability
Module 7, Planning and Implementing Disaster Recovery
Module 8, Planning and Configuring Message Transport
Module 9, Planning and Configuring Message Hygiene
Module 10, Planning and Configuring Administrative Security and Auditing
Module 11, Monitoring and Troubleshooting Exchange Server 2013
Course Materials
The following materials are included with your kit:
Course Handbook: a succinct classroom learning guide that provides the critical technical information in a crisp, tightly-focused format, which is essential for an effective in-class learning experience.
Lessons: guide you through the learning objectives and provide the key points that are critical to t
Labs: provide a real-world, hands-on platform for you to apply the knowledge and skills learned i
Module Reviews and Takeaways: provide on-the-job reference material to boost knowledge and
Lab Answer Keys: provide step-by-step lab solution guidance.
Additional Reading: Course Companion Content on the http://www.microsoft.com/learning/en/us/companion-moc.aspx Site: searchable, easy-to-browse digital content with integrated premium online resources that supplement the Course Handbook.
Modules: include companion content, such as questions and answers, detailed demo steps and addi
s, best practices, common issues and troubleshooting tips with answers, and real-world issues and s
Resources: include well-categorized additional resources that give you immediate access to the mo
Additional Reading: Student Course files on the http://www.microsoft.com/learning/en/us/companion-moc.aspx Site: includes the Allfiles.exe, a self-extracting executable file that contains all required files for the labs and demonstrations.
Course evaluation: at the end of the course, you will have the opportunity to complete an online ev
To provide additional comments or feedback on the course, send an email to support@mscoursewa
Virtual Machine Environment
This section provides the information for setting up the classroom environment to support the business scenario of the course.
Virtual Machine Configuration
In this course, you will use Microsoft Hyper-V to perform the labs.
Important: At the end of each lab, you must revert the virtual machines to a snapshot. You can find the instructions for this procedure at the end of each lab.

The following table shows the role of each virtual machine that is used in this course:

Virtual machine        Role
20341B-LON-DC1         Domain controller running Windows Server 2012 in the Adatum.com domain
20341B-LON-DC1-B       Domain controller running Windows Server 2012 in the Adatum.com domain (
20341B-LON-EX1-B       Windows Server 2013 member server for Exchange Server 2013 installation la
20341B-LON-CAS1        Windows Server 2012 server, with Exchange Server 2013 Client Access Serve
20341B-LON-CAS2        Windows Server 2012 server, with Exchange Server 2013 Client Access Serve
20341B-LON-MBX1        Windows Server 2012 server, with Exchange Server 2013 Mailbox Server role
20341B-LON-MBX2        Windows Server 2012 server, with Exchange Server 2013 Mailbox Server role
20341B-LON-SVR1        Windows Server 2012 server, member of Adatum.com domain
20341B-LON-TMG         Threat Management Gateway server in Adatum.com domain
20341B-LON-CL1         Client computer running Windows 8 and Office 2013 in the Adatum.com doma

Software Configuration
The following software is installed on each student LUC-CL1 VM:
Windows Server 2012
Windows 8
Microsoft Office 2013
Exchange Server 2013, Cumulative Update 1
Windows Server 2008 R2 and Microsoft Forefront Threat Management Gateway
Course Files
The files associated with the labs in this course are located in the <install_folder>\Labfiles\LabXX folder on the student computers.
Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way.
Course Hardware Level
To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which Official Microsoft Learning Product courseware is taught.
Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) processor
Dual 120 gigabyte (GB) hard disks 7200 RPM Serial ATA (SATA) or better. The hard disks should
16 GB RAM
DVD drive
Network adapter
Dual Super VGA (SVGA) 17-inch monitors
Microsoft Mouse or compatible pointing device
Sound card with amplified speakers
In addition, the instructor computer must be connected to a projection display device that supports SVGA 1024 x 768 pixels, 16-bit colors.
About This Course
This section provides a brief description of the course, audience, suggested prerequisit
es, and course objectives.
Course Description
This course will provide you with the knowledge and skills to plan, deploy, manage, s
ecure, and support Microsoft Exchange Server 2013. This course will teach you how
to configure Exchange Server 2013and supply you with the information you will nee
d to monitor, maintain, and troubleshoot Exchange Server 2013. This course will also
provide guidelines, best practices, and considerations that will help youoptimize perfo
rmance and minimize errors and security threats in Exchange Server 2013.
Audience
This course is intended for people aspiring to be enterprise-
level messaging administrators. Others who may take this course include IT generalist
s and help desk professionals who want to learn aboutExchange Server 2013. People c
oming into the course are expected to have at least 3 years of experience working in th
e IT field
typically in the areas of network administration, help desk, or systemadministration. T
hey are not expected to have experience with previous Exchange Server versions.
The secondary audience for this course will be candidates that are IT professionals wh
o are looking to take the exam 70-
341: Core Solutions of Microsoft Exchange Server 2013 as a standalone, or as part oft
he requirement for the Microsoft Certified Solutions Expert (MCSE) certification.
Student Prerequisites
This course requires that you meet the following prerequisites:
Understanding of TCP/IP and networking concepts.
Understanding of Windows Server 2008 or 2012 and AD DS, including planning, designing and
Understanding of security concepts such as authentication and authorization.
Working in a team or a virtual team.
Working knowledge of Public Key Infrastructure (PKI) technologies Active Directory Certificat
Working knowledge of Domain Name System (DNS).
Course Objectives
After completing this course, students will be able to:
Perform an Exchange Server 2013 deployment and manage Exchange Server 2013
Plan for a Mailbox server role deployment and configure the Mailbox servers and mailbox databa
Manage Exchange Server 2013 recipients
Plan Client Access server deployment and configure the Client Access server roles
Plan and configure mobile messaging and secure Internet access for Client Access server
Configure highly available mailbox databases and Client Access servers
Plan and implement Exchange Server 2013 disaster recovery
Plan and configure message transport and manage transport rules
Plan message hygiene and implement an antivirus and anti-spam solution for Exchange Server 20
Manage Role Based Access Control (RBAC) permissions and split permissions
Monitor, maintain, and troubleshoot Exchange Server 2013
Course Outline
The course outline is as follows:
Module 1, Deploying and Managing Microsoft Exchange Server 2013
Module 2, Planning and Configuring Mailbox Servers
Module 3, Managing Recipient Objects
Module 4, Planning and Deploying Client Access Servers
Module 5, Planning and Configuring Messaging Client Connectivity
Module 6, Planning and Implementing High Availability
Module 7, Planning and Implementing Disaster Recovery
Module 8, Planning and Configuring Message Transport
Module 9, Planning and Configuring Message Hygiene
Module 10, Planning and Configuring Administrative Security and Auditing
Module 11, Monitoring and Troubleshooting Exchange Server 2013
Course Materials
The following materials are included with your kit:
Course Handbook: a succinct classroom learning guide that provides the critical tech
nical information in a crisp, tightly-
focused format, which is essential for an effective in-class learning experience.
Lessons: guide you through the learning objectives and provide the key points that are critical to t
Labs: provide a real-world, hands-on platform for you to apply the knowledge and skills learned i
Module Reviews and Takeaways: provide on-the-job reference material to boost knowledge and
Lab Answer Keys: provide step-by-step lab solution guidance.
Additional Reading: Course Companion Content on the
http://www.microsoft.com/learning/en/us/companion-
moc.aspx Site: searchable, easy-to-
browse digital content with integrated premium online resources that supplement the
Course Handbook.

Modules: include companion content, such as questions and answers, detailed demo steps and addi
s, best practices, common issues and troubleshooting tips with answers, and real-world issues and s
Resources: include well-categorized additional resources that give you immediate access to the mo
Additional Reading: Student Course files on the
http://www.microsoft.com/learning/en/us/companion-
moc.aspx Site: includes the Allfiles.exe, a self-
extracting executable file that contains all required files for the labs and demonstration
s.

Course evaluation: at the end of the course, you will have the opportunity to complete an online ev
To provide additional comments or feedback on the course, send an email to support@mscoursewa
Virtual Machine Environment
This section provides the information for setting up the classroom environment to sup
port the business scenario of the course.
Virtual Machine Configuration
In this course, you will use Microsoft Hyper-V to perform the labs.
Important: At the end of each lab, you must revert the virtual machines to a snapshot
. You can find the instructions for this procedure at the end of each lab.

The following table shows the role of each virtual machine that is used in this course:

Virtual machine Role

20341B-LON-DC1 Domain controller running Windows Server 2012 in the Adatum.com domain

20341B-LON-DC1-B Domain controller running Windows Server 2012 in the Adatum.com domain (

20341B-LON-EX1-B Windows Server 2013 member server for Exchange Server 2013 installation la

20341B-LON-CAS1 Windows Server 2012 server, with Exchange Server 2013 Client Access Serve

20341B-LON-CAS2 Windows Server 2012 server, with Exchange Server 2013 Client Access Serve
Virtual machine Role

20341B-LON-MBX1 Windows Server 2012 server, with Exchange Server 2013 Mailbox Server role

20341B-LON-MBX2 Windows Server 2012 server, with Exchange Server 2013 Mailbox Server role

20341B-LON-SVR1 Windows Server 2012 server, member of Adatum.com domain

20341B-LON-TMG Threat Management Gateway server in Adatum.com domain

20341B-LON-CL1 Client computer running Windows 8 and Office 2013 in the Adatum.com doma

Software Configuration
The following software is installed on each student LUC-CL1 VM:
Windows Server 2012
Windows 8
Microsoft Office 2013
Exchange Server 2013, Cumulative Update 1
Windows Server 2008 R2 and Microsoft Forefront Threat Management Gateway
Course Files
The files associated with the labs in this course are located in the <install_folder>\Lab
files\LabXX folder on the student computers.
Classroom Setup
Each classroom computer will have the same virtual machine configured in the same
way.
Course Hardware Level
To ensure a satisfactory student experience, Microsoft Learning requires a minimum e
quipment configuration for trainer and student computers in all Microsoft Certified Pa
rtner for Learning Solutions
(CPLS)classrooms in which Official Microsoft Learning Product courseware is taught
.
Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) processor
Dual 120 gigabyte (GB) hard disks 7200 RM Serial ATA (SATA) or better. The hard disks should
16 GB RAM
DVD drive
Network adapter
Dual Super VGA (SVGA) 17-inch monitors
Microsoft Mouse or compatible pointing device
Sound card with amplified speakers
In addition, the instructor computer must be connected to a projection display device t
hat supports SVGA 1024 x 768 pixels, 16-bit colors.
About This Course
This section provides a brief description of the course, audience, suggested prerequisit
es, and course objectives.
Course Description
This course will provide you with the knowledge and skills to plan, deploy, manage, s
ecure, and support Microsoft Exchange Server 2013. This course will teach you how
to configure Exchange Server 2013and supply you with the information you will nee
d to monitor, maintain, and troubleshoot Exchange Server 2013. This course will also
provide guidelines, best practices, and considerations that will help youoptimize perfo
rmance and minimize errors and security threats in Exchange Server 2013.
Audience
This course is intended for people aspiring to be enterprise-
level messaging administrators. Others who may take this course include IT generalist
s and help desk professionals who want to learn aboutExchange Server 2013. People c
oming into the course are expected to have at least 3 years of experience working in th
e IT field
typically in the areas of network administration, help desk, or systemadministration. T
hey are not expected to have experience with previous Exchange Server versions.
The secondary audience for this course will be candidates that are IT professionals wh
o are looking to take the exam 70-
341: Core Solutions of Microsoft Exchange Server 2013 as a standalone, or as part oft
he requirement for the Microsoft Certified Solutions Expert (MCSE) certification.
Student Prerequisites
This course requires that you meet the following prerequisites:
Understanding of TCP/IP and networking concepts.
Understanding of Windows Server 2008 or 2012 and AD DS, including planning, designing and
Understanding of security concepts such as authentication and authorization.
Working in a team or a virtual team.
Working knowledge of Public Key Infrastructure (PKI) technologies Active Directory Certificat
Working knowledge of Domain Name System (DNS).
Course Objectives
After completing this course, students will be able to:
Perform an Exchange Server 2013 deployment and manage Exchange Server 2013
Plan for a Mailbox server role deployment and configure the Mailbox servers and mailbox databa
Manage Exchange Server 2013 recipients
Plan Client Access server deployment and configure the Client Access server roles
Plan and configure mobile messaging and secure Internet access for Client Access server
Configure highly available mailbox databases and Client Access servers
Plan and implement Exchange Server 2013 disaster recovery
Plan and configure message transport and manage transport rules
Plan message hygiene and implement an antivirus and anti-spam solution for Exchange Server 20
Manage Role Based Access Control (RBAC) permissions and split permissions
Monitor, maintain, and troubleshoot Exchange Server 2013
Course Outline
The course outline is as follows:
Module 1, Deploying and Managing Microsoft Exchange Server 2013
Module 2, Planning and Configuring Mailbox Servers
Module 3, Managing Recipient Objects
Module 4, Planning and Deploying Client Access Servers
Module 5, Planning and Configuring Messaging Client Connectivity
Module 6, Planning and Implementing High Availability
Module 7, Planning and Implementing Disaster Recovery
Module 8, Planning and Configuring Message Transport
Module 9, Planning and Configuring Message Hygiene
Module 10, Planning and Configuring Administrative Security and Auditing
Module 11, Monitoring and Troubleshooting Exchange Server 2013
Course Materials
The following materials are included with your kit:
Course Handbook: a succinct classroom learning guide that provides the critical technical information in a crisp, tightly-focused format, which is essential for an effective in-class learning experience.
Lessons: guide you through the learning objectives and provide the key points that are critical to t
Labs: provide a real-world, hands-on platform for you to apply the knowledge and skills learned i
Module Reviews and Takeaways: provide on-the-job reference material to boost knowledge and
Lab Answer Keys: provide step-by-step lab solution guidance.
Additional Reading: Course Companion Content on the http://www.microsoft.com/learning/en/us/companion-moc.aspx Site: searchable, easy-to-browse digital content with integrated premium online resources that supplement the Course Handbook.

Modules: include companion content, such as questions and answers, detailed demo steps and addi
s, best practices, common issues and troubleshooting tips with answers, and real-world issues and s
Resources: include well-categorized additional resources that give you immediate access to the mo
Additional Reading: Student Course files on the http://www.microsoft.com/learning/en/us/companion-moc.aspx Site: includes the Allfiles.exe, a self-extracting executable file that contains all required files for the labs and demonstrations.

Course evaluation: at the end of the course, you will have the opportunity to complete an online ev
To provide additional comments or feedback on the course, send an email to support@mscoursewa
Virtual Machine Environment
This section provides the information for setting up the classroom environment to support the business scenario of the course.
Virtual Machine Configuration
In this course, you will use Microsoft Hyper-V to perform the labs.
Important: At the end of each lab, you must revert the virtual machines to a snapshot. You can find the instructions for this procedure at the end of each lab.

The following table shows the role of each virtual machine that is used in this course:

Virtual machine      Role
20341B-LON-DC1       Domain controller running Windows Server 2012 in the Adatum.com domain
20341B-LON-DC1-B     Domain controller running Windows Server 2012 in the Adatum.com domain (
20341B-LON-EX1-B     Windows Server 2013 member server for Exchange Server 2013 installation la
20341B-LON-CAS1      Windows Server 2012 server, with Exchange Server 2013 Client Access Serve
20341B-LON-CAS2      Windows Server 2012 server, with Exchange Server 2013 Client Access Serve
20341B-LON-MBX1      Windows Server 2012 server, with Exchange Server 2013 Mailbox Server role
20341B-LON-MBX2      Windows Server 2012 server, with Exchange Server 2013 Mailbox Server role
20341B-LON-SVR1      Windows Server 2012 server, member of Adatum.com domain
20341B-LON-TMG       Threat Management Gateway server in Adatum.com domain
20341B-LON-CL1       Client computer running Windows 8 and Office 2013 in the Adatum.com doma

Software Configuration
The following software is installed on each student LUC-CL1 VM:
Windows Server 2012
Windows 8
Microsoft Office 2013
Exchange Server 2013, Cumulative Update 1
Windows Server 2008 R2 and Microsoft Forefront Threat Management Gateway
Course Files
The files associated with the labs in this course are located in the <install_folder>\Labfiles\LabXX folder on the student computers.
Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way.
Course Hardware Level
To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which Official Microsoft Learning Product courseware is taught.
Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) processor
Dual 120 gigabyte (GB) hard disks 7200 RPM Serial ATA (SATA) or better. The hard disks should
16 GB RAM
DVD drive
Network adapter
Dual Super VGA (SVGA) 17-inch monitors
Microsoft Mouse or compatible pointing device
Sound card with amplified speakers
In addition, the instructor computer must be connected to a projection display device that supports SVGA 1024 x 768 pixels, 16-bit colors.
Module 1: Deploying and Managing Microsoft Exchange Server 2013
Contents:
Module Overview
Lesson 1: Exchange Server 2013 Prerequisites and Requirements
Lesson 2: Exchange Server 2013 Deployment
Lesson 3: Managing Exchange Server 2013
Lab: Deploying and Managing Exchange Server 2013
Module Review and Takeaways

Module Overview
Exchange Server 2013 is the new version of Microsoft's email and collaboration suite. It is a successor to Microsoft Exchange Server 2010. Exchange Server 2013 offers many enhancements in architecture, functionality, and features for both administrators and end users. To successfully implement Exchange Server 2013, you should know its prerequisites, as well as how to deploy it in your existing infrastructure. This module examines how to deploy and manage Exchange Server 2013.
Objectives
After completing this module, you will be able to:
Describe Exchange Server 2013 prerequisites and requirements.
Perform an Exchange Server 2013 deployment.
Manage Exchange Server 2013.
Lesson 1: Exchange Server 2013 Prerequisites and Requirements
Before you start the Exchange Server 2013 deployment process, you must make sure that your current Active Directory Domain Services (AD DS) and network infrastructure components satisfy the requirements for an Exchange Server deployment. In addition, you should plan hardware resources for the Exchange Server installation. Because Exchange Server 2013 integrates intensively with AD DS, you must extend the AD DS schema before starting the installation process. In this lesson, we will review the requirements for installing Exchange Server 2013.
Lesson Objectives
After completing this lesson, you will be able to:
Describe Active Directory components and Exchange Server integration.
Describe Domain Name System (DNS) server requirements for Exchange Server 2013.
Describe software requirements for Exchange Server 2013.
Describe hardware requirements for Exchange Server 2013.
Describe infrastructure requirements for Exchange Server 2013.
Prepare AD DS for an Exchange Server 2013 deployment.
Active Directory Components and Exchange Server Integration
Active Directory information is divided into four partitions: domain, configuration, schema, and application. These directory partitions are the replication units in AD DS.
Domain Partition
A domain partition contains all objects in the domain's directory. Domain objects replicate to every domain controller in the domain, and include user and computer accounts and groups.
A subset of the domain partition replicates to all domain controllers in the forest that are global catalog servers. If you configure a domain controller as a global catalog server, it contains a complete copy of its own domain's objects and a subset of attributes for every domain's objects in the forest.
Configuration Partition
The configuration partition contains configuration information for AD DS and applications, including Active Directory site and site link information. In addition, some distributed applications and services store information in the configuration partition. This information replicates through the entire forest, so that each domain controller retains a replica of the configuration partition.
When application developers choose to store application information in the configuration partition, the developers do not need to create their own mechanism to replicate the information. The configuration partition stores each type of configuration information in separate containers. A container is an Active Directory object, similar to an organizational unit (OU), that is used to organize other objects.
Schema Partition
The schema partition contains definition information for all object types and their attributes that you can create in AD DS. This data is common to all domains in the forest, and AD DS replicates it to all domain controllers in the forest. However, only one domain controller maintains a writable copy of the schema. By default, this domain controller, known as the Schema Master, is the first domain controller installed in an Active Directory forest.
Application Partitions
An administrator can create application partitions manually, and an application can automatically create partitions during its installation process. Application partitions hold specific application data that the application requires. The main benefit of application partitions is replication flexibility. You can specify the domain controllers that hold a replica of an application partition, and these domain controllers can include a subset of domain controllers throughout the forest. Exchange Server 2013 does not use application partitions to store information.
Exchange Server 2013 and AD DS Partitions Integration
To ensure proper placement of Active Directory components in relation to computers that are running Exchange Server, you must understand how Exchange Server 2013 communicates with AD DS and uses Active Directory information to function. AD DS stores most Exchange Server 2013 configuration information.
Forests
An Exchange Server organization and an Active Directory forest have a one-to-one relationship. You cannot have an Exchange Server organization that spans multiple Active Directory forests. You also cannot have multiple Exchange Server organizations within a single Active Directory forest.
Note: In Exchange Server 2013, you can also add an Office 365 domain to the Exchange Administration Center (EAC) console. This enables you to manage multiple organizations from a single management console.
Schema Partition
The Exchange Server 2013 installation process modifies the schema partition to enable the creation of Exchange Server-specific objects. The installation process also adds Exchange Server-specific attributes to existing objects. For example, the installation process updates user objects with additional attributes to describe storage quotas and mailbox features.
Configuration Partition
The configuration partition stores configuration information for the Exchange Server 2013 organization. Because AD DS replicates the configuration partition among all domain controllers in the forest, the configuration of the Exchange Server 2013 organization replicates throughout the forest. The configuration partition includes Exchange Server configuration objects, such as global settings, email address policies, transport rules, and address lists.
Domain Partition
The domain partition holds information about recipient objects. This includes mailbox-enabled users, and mail-enabled users, groups, and contacts. Objects that are mailbox-enabled or mail-enabled have preconfigured attributes, such as email addresses.
Global Catalog
When you install Exchange Server 2013, the email attributes for mail-enabled and mailbox-enabled
(GAL) is generated from the recipients list in an Active Directory forests global catalog.
Exchange Server 2013 transport service access the global catalog to find the location of a recipient
Client Access servers access the global catalog server to locate the user Mailbox server and to displ
Note: Because of the importance of the global catalog in an Exchange Server organization, you mu
Exchange Server 2013 does not use Read-Only Domain Controllers (RODCs) or RODCs that youco
DNS Server Requirements for Exchange Server 2013
Each computer that is running Exchange Server must use DNS to locate AD DS and the global catalog servers. As a site-aware application, Exchange Server 2013 prefers to communicate with domain controllers that are located in the same site as the computer that is running Exchange Server.
Exchange Server services use DNS to locate a valid domain controller or global catalog. By default, each time a domain controller starts the Netlogon service, it updates Domain Name System (DNS) with service (SRV) records that describe the server as a domain controller and global catalog server, if applicable.
To ensure that the domain controller updates DNS records properly, it is essential that all domain controllers use an internal DNS server that supports dynamic updates. After DNS records are registered, computers that are running Exchange Server can use DNS to find domain controllers and global catalog servers.
SRV Resource Records
SRV resource records are DNS records that identify servers that provide specific services on the network. For example, an SRV resource record can contain information to help clients locate a domain controller in a specific domain or site.
All SRV resource records use a standard format, which consists of several fields that contain information that AD DS uses to map a service back to the computer that provides the service. The SRV records for domain controllers and global catalog servers are registered with different variations to allow locating domain controllers and global catalog servers in several different ways.
One option is to register DNS records by site name, which enables computers that are running Exchange Server to find domain controllers and global catalog servers in the local Active Directory site. Exchange Server always performs DNS resource queries for the local Active Directory site first.
SRV resource records use the following format:
_Service_.Protocol.Name Ttl Class SRV Priority Weight Port Target
When a computer that is running Exchange Server is a member server, Exchange Server configures it dynamically with its site each time it authenticates to AD DS. As part of the authentication process, the registry stores the site name. When the Exchange Server queries DNS for domain controller or global catalog server records, the Exchange Server always attempts to connect to domain controllers that have the same site attribute as the Exchange Server.
Host Records
Host records provide host name to IP address mapping. Host records are required for each domain controller and other hosts that need to be accessible to Exchange Servers or client computers. Host records can use Internet Protocol version 4 (IPv4), which are A records; or Internet Protocol version 6 (IPv6) records, which are AAAA records.
MX Records
A Mail Exchanger (MX) record is a resource record that allows servers to locate other servers to deliver Internet email by using the Simple Mail Transfer Protocol (SMTP). An MX record identifies the SMTP server that will accept inbound messages for a specific DNS domain. Each MX record contains a host name and a preference value. When you deploy multiple SMTP servers that are accessible from the Internet, you can assign equal preference values to each MX record to enable load balancing between the SMTP servers.
You also can specify a lower preference value for one of the MX records. All messages are routed through the SMTP server that has the lower preference value MX record, unless that server is not available.
Note: In addition to SRV, Host, and MX records, you also might need to configure Sender Policy Framework (SPF) records to support Sender ID spam filtering. In addition, some organizations use reverse lookups as an option for spam filtering, so you should consider adding reverse lookup records for all SMTP servers that send your organization's email.
Software Requirements for Exchange Server 2013
Exchange Server 2013 requires that some software be preinstalled before you start the deployment process. First, you should plan for the operating system platforms that will be used for Exchange Server 2013. The following operating systems are supported for installation of Exchange Server 2013 roles:
Windows Server 2012 Standard or Datacenter
Windows Server 2008 R2 Standard with Service Pack 1 (SP1)
Windows Server 2008 R2 Enterprise with SP1
Windows Server 2008 R2 Datacenter RTM or newer
Note: Server Core installation option is not a supported operating system option for Exchange Serv
(DAGs) in Exchange Server for high availability. You cannot upgrade Windows Server after you ha
Depending on which Exchange Server role is installed, different Windows components can be installed on a server. However, you do not need to install these roles and features prior to Exchange Server installation because the installation process can install the necessary roles and features automatically.
Note: If you choose to install Windows Server roles and features during Exchange Server setup, you might be required to restart the server before Exchange Server starts installation. This is expected behavior.
However, there are additional components that you should install manually. These components, freely available to download from Microsoft, include:
Microsoft .NET Framework 4.5 (only for Windows Server 2008 and 2008 R2).
Windows Management Framework 3.0 (already included with Windows Server 2012).
Remote Server Administration Tools (RSAT) for AD DS (can be installed with Server Manager).
Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit.
Microsoft Office 2010 Filter Pack SP1 64-bit or Microsoft Office 2013 Filter Pack.
Exchange Server Updates for Knowledge Base articles KB974405, KB2619234, and KB2533623
You also should ensure that the Task Scheduler service is enabled and running on the server where you plan to install Exchange Server 2013.
Hardware Requirements for Exchange Server 2013
Determining the hardware requirements for Exchange Server 2013 is more complex than simply reading the specifications provided by Microsoft. Many other factors can influence the Exchange Server hardware design, aside from the general specifications that provide information about the minimum supported hardware configuration.
First, the server role that is installed has a significant influence on hardware specifications. For example, the Mailbox server likely requires more powerful hardware than the Client Access server does.
Second, many organizations install all Exchange Server roles on a single computer, which means that you must merge the hardware requirements for each of the roles.
The processor for an Exchange Server computer must be a 64-bit architecture-based Intel processor that supports Intel 64 architecture (formerly known as Intel EM64T), or an AMD processor that supports the AMD64 platform. Intel Itanium IA64 processors are not supported.
Memory
We recommend that you consider using the maximum server memory configuration when deciding on the amount of RAM memory that you need for Exchange Server 2013. Different server architectures have different memory limits. Check the following technical specifications for the server to determine the most cost-efficient maximum memory configuration:
Memory speed. Some server architectures require slower memory modules to scale to the maximum
(DDR3 1333), or 128 GB using PC2 6400 (DDR2 800). Check with the manufacturer to ensure tha
Memory module size. Consider choosing the largest memory module size that the server supports. G
2013.
Total number of memory slots. Consider how many memory modules a specific server will support
be installed in pairs.
When you plan the amount of memory to be installed in Exchange servers, you should follow these guidelines:
Mailbox: 8 GB minimum
Client Access: 4 GB minimum
Mailbox and Client Access combined: 8 GB minimum
Some servers experience a performance improvement when more memory slots are filled, while others experience a reduction in performance. Check with your hardware vendor to understand this effect on your server architecture.
Disk Drive Space
You have to consider several requirements when choosing and configuring disk drives for an Exchange Server 2013 installation. You must have:
At least 30 GB on the drive on which you install Exchange.
An additional 500 MB of available disk space for each Unified Messaging (UM) language pack th
200 MB of available disk space on the system drive.
A hard disk that stores the message queue database with at least 500 MB of free space.
All partitions that Exchange Server 2013 will use must be formatted with the NTFS file system.
The space required for the Mailbox server role cannot be determined without knowing the number of mailboxes, mailbox sizes, and high-availability requirements, among other parameters. We recommend that you use the Mailbox server role calculator to determine optimal hardware requirements for the Mailbox server role.
Hardware Configuration for Servers with Multiple Server Roles
When you design the hardware configuration for servers on which you install multiple server roles, consider the following recommendations:
Plan for a minimum of two processor cores. The recommended number of processor cores is eight,
Design a server with multiple server roles to use half of the available processor cores for the Mailbo
Plan for the following memory configuration for a server with multiple server roles: 8 GB, and betw
Reduce by 20 percent the number of mailboxes per core calculation, based on the average client pro
Deploy multiple Exchange Server roles on a Mailbox server that is a DAG member, if desired. This
Infrastructure Requirements for Exchange Server 2013
Before you deploy Exchange Server 2013 in your organization, you need to ensure that your organization meets the AD DS and DNS requirements.
AD DS Requirements
You must meet the following AD DS requirements before you can install Exchange Server 2013:
The domain controller that is the schema master must have Windows Server 2012, Windows Server
(SP2). By default, the schema master runs on the first Windows domain controller installed in a for
In each of the sites where you deploy Exchange Server 2013, at least one global catalog server mus
In each site where you plan to install Exchange Server 2013, you must have at least one writable do
The Active Directory domain and forest functional levels must run Windows Server 2003, at the mi
DNS Requirements
Before you install Exchange Server 2013, you must configure DNS correctly in your Active Directory forest. All servers that run Exchange Server 2013 must be able to locate Active Directory domain controllers, global catalog servers, and other Exchange Servers.
Preparing AD DS for Exchange Server 2013 Deployment
Before implementing Exchange Server 2013 in your environment, you must prepare AD DS. AD DS, by default, does not have the necessary classes, objects, and attributes defined for Exchange Server. By preparing AD DS, you extend the AD DS schema, and also modify the configuration and domain partitions of AD DS. In addition, Exchange Server requires several groups and special permissions in AD DS; these are also configured during AD DS preparation.
You can prepare your AD DS by running the Exchange Server 2013 Setup Wizard with a user account that has the permissions required to prepare Active Directory and the domain. To prepare the AD DS schema and configuration partition, you must use an account that is a member of the Schema Admins and Enterprise Admins groups. By using this type of account, the wizard automatically prepares Active Directory and the domain.
Alternatively, you can also prepare AD DS for Exchange Server by running the Exchange Server 2013 setup utility from the command line. If you want to prepare the AD DS schema, and upgrade it to a version supported by Exchange Server 2013, you should run either of the following setup commands: setup /PrepareSchema or setup /ps. To execute this command, you must also be a member of the Enterprise Admins or Schema Admins groups.
This command performs the following tasks:
Connects the Exchange Server to the schema master domain controller.
Imports LDAP Data Interchange Format (LDIF) files to update the schema with Exchange Server 2
Sets the schema version (ms-Exch-Schema-Version-Pt) to 15132.
Note: You can also prepare the schema as a part of the PrepareAD procedure, which is described
To prepare AD DS objects and the AD DS configuration partition for Exchange Server 2013, you should run setup with the /PrepareAD switch, by executing the following command:
Setup.exe /PrepareAD /IAcceptExchangeServerLicenseTerms /OrganizationName:<Name of Organization>
This command performs the following tasks:
Creates the Microsoft Exchange container if it does not exist; the container is created under CN=Se
Verifies that the schema has been updated, and that the organization is up to date, by checking the o
The objectVersion value for Exchange Server 2013 is 15448.
Creates all necessary objects and containers needed for Exchange Server 2013, under CN=<Organi
Creates the default Accepted Domains entry if it does not exist, based on the forest root namespace,
Assigns specific permissions throughout the configuration partition.
Imports the Rights.ldf file. This adds the extended rights required for Exchange to install into Activ
Creates the Microsoft Exchange Security Groups OU in the root domain of the forest, and assigns s
Creates the management role groups within the Microsoft Exchange Security Groups OU.
Adds the new universal security groups (USGs) that are within the Microsoft Exchange Security Gr
Creates the Unified Messaging Voice Originator contact in the Microsoft Exchange System Objects
Prepares the local domain for Exchange Server 2013.
To perform this command, you must be a member of the Enterprise Admins security group, and you must run this command on a computer that is in the same domain as the schema master domain controller. If you have more than one domain, you should wait for a period of time after running this command, so that the changes performed to AD DS are replicated to all other domains and domain controllers.
At the end of this process, you should execute the setup /PrepareDomain command in each domain where Exchange recipients will be located. You do not need to run this command in the domain where you ran setup /PrepareAD.
Alternatively, you can also run setup /PrepareDomain:<FQDN of domain you want to prepare> to prepare a specific domain, or you can run setup /PrepareAllDomains or setup /pad to prepare all domains in your organization.
This command performs the following tasks:
Creates the Microsoft Exchange System Objects container in the root domain partition in AD DS, a
Sets the objectVersion property in the Microsoft Exchange System Objects container under DC=<ro
Creates a domain global group called Exchange Install Domain Servers in the current domain.
Assigns permissions at the domain level for the Exchange Servers USG and the Organization Mana
After all of these commands are successfully completed, your AD DS is ready for Exchange Server
Exch-Schema-Version-Pt is set to 15132.
In the Configuration naming context, verify that the objectVersion property in the CN=<your organ
In the Default naming context, verify that the objectVersion property in the Microsoft Exchange Sy
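The three verification checks listed above, as an added PowerShell example that is not the course's own code: it reads the schema, configuration and domain values with the ActiveDirectory module (RSAT) from a domain-joined computer with read access to those naming contexts. The organization name Adatum is an assumption; the expected values 15132 and 15448 are the ones stated in the text, and later cumulative updates raise them, so the check uses "at least" rather than equality.

```powershell
# Added example (not from the course). Requires the ActiveDirectory module from RSAT.
Import-Module ActiveDirectory

function Get-AdIntegerProperty {
    # Reads one integer property from an AD object; returns $null when the object is missing,
    # which for these containers means that preparation step has not run yet.
    param([Parameter(Mandatory)][string]$Dn, [Parameter(Mandatory)][string]$Property)
    try {
        $obj = Get-ADObject -Identity $Dn -Properties $Property -ErrorAction Stop
        return [int]$obj.$Property
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        return $null
    }
}

function Test-ExchangeAdPreparation {
    param(
        # Organization name given to /PrepareAD (assumed value; use your own).
        [Parameter(Mandatory)][string]$OrganizationName,
        # Values from the course text for this release; later CUs raise them.
        [int]$MinimumSchemaVersion = 15132,
        [int]$MinimumConfigVersion = 15448
    )
    $rootDse  = Get-ADRootDSE
    $schemaNc = $rootDse.schemaNamingContext
    $configNc = $rootDse.configurationNamingContext
    $domainNc = $rootDse.defaultNamingContext

    # 1. Schema naming context: rangeUpper of ms-Exch-Schema-Version-Pt (set by /PrepareSchema).
    $schemaVersion = Get-AdIntegerProperty -Dn "CN=ms-Exch-Schema-Version-Pt,$schemaNc" -Property rangeUpper

    # 2. Configuration naming context: objectVersion of the organization container (set by /PrepareAD).
    $orgDn = "CN=$OrganizationName,CN=Microsoft Exchange,CN=Services,$configNc"
    $configVersion = Get-AdIntegerProperty -Dn $orgDn -Property objectVersion

    # 3. Default naming context: objectVersion of Microsoft Exchange System Objects (set by /PrepareDomain).
    #    The container only exists after /PrepareDomain; compare its value with the one for your build.
    $domainVersion = Get-AdIntegerProperty -Dn "CN=Microsoft Exchange System Objects,$domainNc" -Property objectVersion

    [pscustomobject]@{
        SchemaVersion  = $schemaVersion
        SchemaPrepared = ($null -ne $schemaVersion -and $schemaVersion -ge $MinimumSchemaVersion)
        ConfigVersion  = $configVersion
        ADPrepared     = ($null -ne $configVersion -and $configVersion -ge $MinimumConfigVersion)
        DomainVersion  = $domainVersion
        DomainPrepared = ($null -ne $domainVersion)
    }
}

Test-ExchangeAdPreparation -OrganizationName 'Adatum'
```

A $null value in any column points at the setup command that has not completed or replicated yet, which is the usual reason a second-domain installation fails shortly after /PrepareAD.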
Lesson 2: Exchange Server 2013 Deployment
Deploying Exchange Server 2013 requires that you complete all of the prerequisite planning steps, install the software, and then complete the post-installation tasks. When preparing for your installation, you must determine the type of deployment that you are going to perform, and how you will design server role placement. This lesson examines the server role architecture in Exchange Server 2013, in addition to various deployment scenarios.
Lesson Objectives
After completing this lesson, you will be able to:
Describe server role architecture in Exchange Server 2013.
Describe deployment options for Exchange Server 2013.
Describe hybrid-deployment considerations with Microsoft Office 365.
Describe upgrade and migration options.
Deploy Exchange Server 2013 as a virtual machine.
Describe how to install Exchange Server 2013 using the setup wizard.
Describe how to Install Exchange Server 2013 in Unattended Mode.
Install Exchange Server 2013 in Unattended Mode.
Describe and perform the Post Installation Tasks.
Troubleshoot Exchange Server installation.
Exchange Server Role Architecture in Exchange Server 2013
In Exchange Server 2013, Microsoft made major changes in the server role architecture. In Exchange Server 2007 and Exchange Server 2010, there were five server roles hosting various functionalities, including:
Mailbox Server role
Client Access role
Hub Transport role
Edge Transport role
Unified Messaging role
In Exchange Server 2013, the number of server roles is greatly reduced, to only these two roles:
Mailbox Server role
Client Access server role
All other roles, except the Edge Transport role (which does not exist in Exchange Server 2013), are integrated within these two roles.
Server Roles in Exchange Server 2013
Unlike Microsoft Exchange Server 2010, in which the Mailbox Server role hosted only mailbox and public folder databases and provided email storage, in Exchange Server 2013, the Mailbox Server role also includes Client Access protocols, Hub Transport service, mailbox databases, and Unified Messaging components. This means that the functionality of three roles in Exchange Server 2010 (Mailbox, Hub Transport, and Unified Messaging) is now integrated in only one role in Exchange Server 2013.
The Client Access Server role has changed in Exchange Server 2013. The Client Access server is now basically a proxy server that handles all client connections, by admitting all client requests and routing them to the correct active Mailbox database. It provides authentication, redirection, and proxy services, and offers support for the following client access protocols: HTTP, POP and IMAP, and SMTP.
Also unchanged is the fact that the Client Access server does not store any user data on itself; nor does it do any message queuing. The Client Access server role also provides some security functionality, by enforcing SSL in communication with clients. In some scenarios where the Exchange Server is deployed in multiple sites within one organization, the Client Access server also can redirect the request to a more suitable Client Access server or proxy the connection to the right Mailbox server.
Note: The Edge Transport role is now included in Exchange Server 2013 SP1. However, you can still use the Exchange Server 2010 Edge Transport server with Exchange Server 2013 servers.
Client Access Server
The Client Access Server in Exchange Server 2013 provides the following features:
Stateless server. In Exchange Server 2007 and 2010, most of the protocols on the Client Access ser
balancing cluster. That meant that all requests from a single Outlook Web App client had to be hand
balanced array of Client Access servers. In Exchange Server 2013, this is no longer the case, and the
eceives each individual client request. By implementing this, you can use Layer 4 load balancing in
Connection pooling. As in previous releases of Exchange, the Client Access Server manages client
account that is a member of the Exchange Servers group. This allows the Client Access servers to e
wer connections to proxy the requests to the Mailbox servers than in previous versions of Exchange
Mailbox Server
In Exchange Server 2013, the Mailbox Server role provides much more functionality than in previous Exchange Server versions. This includes integration of the Hub Transport service (previously known as the Hub Transport server role) and Unified Messaging service (previously known as the Unified Messaging server role). This is the key role for storing mailbox and public folders data, as well as for Unified Messaging functionality and message queuing.
The Mailbox Server role also interacts with the Client Access server, as well as with AD DS domain controllers and global catalogs. The Mailbox Server role never communicates with clients directly, as it did in previous versions of Exchange Server. All client-based communication is performed through the Client Access server role.
Client and Server Communication in Exchange Server 2013
Because of the modifications that were made to the Exchange Server 2013 architecture, changes were also made to the way in which clients communicate with the Exchange Server, and how Exchange Server 2013 roles communicate with each other and with AD DS components.
From the client perspective, the most important connectivity change is that remote procedure call (RPC) is no longer supported as a direct client access protocol. In previous Exchange versions, Outlook clients from an internal network connected to Exchange Server by using RPC (or MAPI). In Exchange Server 2013, all client connections are established by using RPC over HTTPS. This means that all clients connect by using the Outlook Anywhere service. This eliminates the need to have the RPC service running on the Client Access server. In addition, you will have one fewer FQDN to manage, because all clients will be using a new connection point made up of the user's mailbox GUID + @ + UPN suffix. As a result of these changes, only Outlook 2007 and newer clients support connection to Exchange Server 2013.
Deployment Options for Exchange Server 2013
When you plan an Exchange Server 2013 installation, you must decide how you will organize server roles, and you must choose the appropriate Exchange Server 2013 version.
Exchange Server 2013 is available in both the Standard Edition and Enterprise Edition. The Standard Edition should meet the messaging needs of most small and medium corporations, but it also may be suitable for specific server roles or branch offices. The Enterprise Edition, designed for large enterprise corporations, enables you to create additional databases, and includes other advanced features. The main difference between the Standard and Enterprise versions is that the Enterprise version supports up to 50 mailbox databases, while with the Standard version you can create up to five databases. The version used is determined by the product key that you enter when activating your Exchange installation. You should also make sure that you select the appropriate version of client access license (CAL) from the following options:
Exchange Server Standard CAL. This license provides access to email, shared calendaring, Outloo
Exchange Server Enterprise CAL. This license requires a standard CAL, and provides access to ad
list journaling, managed custom email folders, and Microsoft Forefront Endpoint Protection for E
In general, there are three deployment scenarios that you can choose from, including:
Single server deployment. In this scenario, you deploy both Exchange Server roles on a single serve
int of failure for your whole messaging system, and not having any high-availability options. If you
server Exchange deployment, it is recommended that you deploy Exchange Server inside a virtual m
V in Windows Server 2012 host. This will provide you with high availability and redundancy fo
Multiple server deployment. In the multiple-server deployment scenario, you usually install the Client Access Server role and the Mailbox serve
ent. In scenarios where you also want to provide high availability, you should add more machines to
(NLB) on the same set of machines. To achieve full redundancy for Exchange Server, you need at le
Hybrid deployment. A hybrid deployment provides the ability to extend on-premises Exchange Server functionality to the cloud. In this scenario, you connect your AD DS and
oving completely to an Exchange Online organization.
Exchange Server 2013 Hybrid Deployment with Office 365
Office 365 is a suite of four Microsoft services that are now available in an online version: Exchange Online, Lync Online, SharePoint Online, and Office Professional Plus. It is a subscription-based service that features various pricing options.
Exchange Online provides Exchange Server with email, calendar, and contacts in addition to antivirus and anti-spam protection. You can connect your existing Exchange Server 2013 organization to Exchange Online to provide rich coexistence for users. In Exchange Server 2013, it is possible to create a hybrid deployment between on-premises Exchange Server and Exchange Online from Microsoft Office 365. A hybrid deployment offers organizations the ability to extend the user experience and administrative control that they have with their existing on-premises Microsoft Exchange organization to the Office 365 cloud. A hybrid deployment provides you with a view of a single Exchange organization between an on-premises organization and a cloud-based organization. In addition, a hybrid deployment can serve as an intermediate step to moving completely to a cloud-based Exchange organization.
A hybrid deployment of Exchange Server and Office 365 provides the following features:
Mail routing with a shared domain namespace. For example, both on-premises and cloud-based or
A unified global address list, also called a shared address book. With this address list, users can vi
Free/busy and calendar sharing between on-premises and cloud-based organizations.
Centralized control of mail flow. The on-premises organization can control mail flow for the on-p
A single Outlook Web App URL for both the on-premises and cloud-based organizations.
The ability to move existing on-premises mailboxes to the cloud-based organization.
Centralized mailbox management using the on-premises Exchange Management Console.
Message tracking, MailTips, and multi-mailbox search between on-premises and cloud-based orga
Cloud-based message archiving for on-premises Exchange mailboxes. Exchange Online Archivin
If you want to implement Exchange Server 2013 in a hybrid deployment scenario, you must configure two very important components to connect your on-premises AD DS and Exchange infrastructure and Office 365. These include:
Microsoft Federation Gateway. The Microsoft Federation Gateway is a free service that provides a
premises Exchange organization trusts Microsoft Federation Gateway. You can configure this trust
eway for your Office 365 tenant is automatically configured when you activate your Office 365 serv
Active Directory synchronization. If you want to provide services from Exchange Online to your lo
enabled objects to the Office 365 organization, to support the unified GAL. Organizations that conf
Upgrade and Migration Options
To upgrade your existing Exchange organization to Exchange Server 2013, you cannot directly upgrade your current Exchange Server by installing Exchange Server 2013 over a previous version. This procedure, which is known as an in-place upgrade, is not supported for Exchange Server 2013. Instead, you can only upgrade your existing Exchange organization by installing Exchange Server 2013 on a new server, and then migrating all resources from your previous Exchange Server to Exchange Server 2013. Once the migration is complete, you can decommission your old Exchange Server.
Coexistence of Exchange Server 2013 and earlier versions of Exchange Server is described in the following table:
Exchange version                              Exc
Exchange Server 2003 and earlier versions     Not s
Exchange 2007                                 Supp
Exchange 2010                                 Supp
Deploying Exchange Server 2013 as Virtual Machines
Exchange Server 2013 allows you to deploy all server roles as virtual machines. Using virtualization for deploying servers greatly improves resource usage, and also simplifies deployment and management. In addition to evaluating the potential benefits of an upgrade, you also should consider the issues for deploying virtual machines in your current Exchange Server environment.
Benefits of Using Virtual Machines
Deploying Exchange 2013 servers as virtual machines provides the same advantages and disadvantages as deploying other servers as virtual machines. Many organizations are virtualizing physical servers as a way to reduce costs and to ensure that all server hardware is properly utilized.
Following are the benefits of deploying Exchange Servers as virtual machines:
Increases hardware utilization and decreases the number of physical servers. In many organizations
he number of deployed physical servers. This can result in significant cost savings.
Provides server-management options that are not available for physical servers. Because virtual machines are essent
sources to the virtual machine, or move the virtual machine files to a more powerful host server.
Although running Exchange Servers as virtual machines can provide significant benefits, you also need to verify that your organization has the resources and management capability to provide a critical service like messaging in a virtual environment. Implementing virtualization does introduce an additional level of complexity because it requires you to manage both the virtual Exchange Servers and the host servers. In addition, hosting multiple virtual machines on a single host can increase the risk of a single physical server failure, resulting in the failure of multiple virtual machines.
Considerations for Deploying Exchange Server 2013 Servers as Virtual Machines
Although running Exchange Server 2013 as a virtual machine provides certain benefits, you should also consider the following issues:
You can design Exchange Servers to ensure that the servers fully utilize the available hardware. For
ully utilizes all hardware resources.
One benefit of running virtual machines is that you can configure high availability within the virtua
availability solution. DAGs provide failover features that are not available in virtual machine-based
based failover clustering and migration technology, as long as the virtual machines are configured i
activated on the target node. All planned migration must either result in shutdown and full reboot, or
The storage used by the Exchange Server guest machine can be a virtual storage of a fixed size, a sm
through storage is storage that is configured at the host level and dedicated to one guest machine. T
V 3.0 to present storage from Fibre Channel SAN to a virtual machine.
You must allocate sufficient storage space for each Exchange Server guest machine on the host machine. In addition, for each Exchange Server guest machine, you must allocate sufficient storage for
orage that hosts the guest virtual machine's operating system. The operating system for an Exchange
t for the operating system and paging file disk requirements. For example, if the guest machine is al
You can deploy only management software such as antivirus software, backup software, and virtu
based applications, such as Exchange Server, Microsoft SQL Server, or AD DS, on the root ma
Running Exchange Servers as virtual machines can complicate performance monitoring. The perfor
One of the most common performance bottlenecks for Mailbox servers is network input/output (I/O). When you run Mailbox servers in a virtual environment, the virtual machines must share I/Ob
e virtual machine is almost equivalent to the I/O available to a physical server. A heavily utilized M
If you are planning to deploy Exchange Server 2013 as a virtual machine, make sure that you plan t
hardware resources to the Exchange Server virtual machine that you would assign to a physical serv
Note: Do not use virtual machine snapshots with Exchange Server deployed inside a virtual machin
Discussion: Implementing Exchange Infrastructure in a Virtual Environment
Discuss virtualization of Exchange and other services with the students. Lead the discussion with the following questions:
Do you use virtualization in your environment?
If yes, which virtualization platform do you use?
Are you aware of the new features available in Hyper-V 3.0 in Windows Server 2012, such as the
If you are using Exchange Server, is it virtualized or not? Explain your answer.
If you plan to implement Exchange Server 2013, will you virtualize it? Explain your answer.
How to Install Exchange Server 2013 Using the Setup Wizard
Exchange Server 2013 can be installed by using the graphical interface-based setup wizard or by using command line utilities. If you decide to use the graphical interface, you have to run the setup program from the installation media. However, before doing so, ensure that you installed all of the prerequisites required by Exchange Server 2013.
You will perform the following steps when you install Exchange Server 2013 with the setup wizard:
1. On the Check for Updates page, you can choose to update the setup process with the latest files fr
2. On the License Agreement page, you should read your license agreement with Microsoft.
3. On the Recommended Settings page, you can choose if you will configure your server to report e
4. On the Server Role Selection page, you should select the server roles that you want to install. You
ssary Windows roles and features that are needed for the Exchange installation that you want to pe
5. On the Installation Space and Location page, you can change the path where you want to install
6. On the Exchange Organization page, you can choose the name for your Exchange organization, i
populated. On this same page, you also can choose to apply the Active Directory split-permission
7. On the Malware Protection Settings page, you can choose to disable built-in malware protection
8. On the Readiness Checks page, the setup procedure will inform you if there are any obstacles to t
id not prepare your AD DS environment before starting the Exchange Server installation, the setup
Installing Exchange Server 2013 can take between 20 and 50 minutes, depending on the components that are installed and your server performance. After installation finishes, you can begin to configure your deployment.
How to Install Exchange Server 2013 in Unattended Mode
Exchange Server 2013 installation can also be performed without using the GUI setup wizard. By using the command line to run the setup.exe program, you can install Exchange Server 2013 in unattended mode. This installation method allows you to provide all of the answers for the setup wizard in advance, and it supports installing multiple Exchange Servers with the same settings.
To initiate an unattended installation, you should run the setup.exe program from the command line, and provide the appropriate switches to specify your Exchange installation options.
Following is the syntax for an unattended installation with all available switches for setup.exe:
Setup.exe [/Mode:<setup mode>] [/IAcceptExchangeServerLicenseTerms]
[/Roles:<server roles to install>] [/InstallWindowsComponents]
[/OrganizationName:<name for the new Exchange organization>]
[/TargetDir:<target directory>] [/SourceDir:<source directory>]
[/UpdatesDir:<directory from which to install updates>]
[/DomainController:<FQDN of domain controller>]
[/AnswerFile:<filename>] [/DoNotStartTransport] [/LegacyRoutingServer]
[/EnableErrorReporting] [/NoSelfSignedCertificates]
[/AddUmLanguagePack:<UM language pack name>]
[/RemoveUmLanguagePack:<UM language pack name>]
[/NewProvisionedServer:<server>]
[/RemoveProvisionedServer:<server>] [/ExternalCASServerDomain:<domain>]
[/MdbName:<mailbox database name>] [/DbFilePath:<Edb file path>]
[/LogFolderPath:<log folder path>] [/Upgrade]
You do not have to provide a value for each of these switches. You only need to include the switches that pertain to your installation scenario and the level of detail that you want to provide.
The following is a list of the most commonly used switches:
/Mode. Controls what the setup progr
/roles. Specifies which roles you want to install. If you specify multiple roles, you must separate t
/OrganizationName. Specifies the name you want to give to the new Exchange Server organizatio
/TargetDir. Specifies the folder in which Exchange Server 2013 will be installed. Default: %%pro
/DomainController. Specifies which domain controller the setup program will read and wr
The following are examples of commands that can be used for unattended installations:
Setup.exe /mode:Install /role:ClientAccess,Mailbox /OrganizationName:MyOrg
/IAcceptExchangeServerLicenseTerms
This command installs the Client Access server role, the Mailbox server role, and the management tools to the default installation location, and provides the organization name of MyOrg.
Setup.exe /r:CA,MB /IAcceptExchangeServerLicenseTerms
This command installs the Client Access server role, the Mailbox server role, and the management tools to the default installation location.
Setup.exe /role:ClientAccess,Mailbox /UpdatesDir:"C:\ExchangeServer\New Patches" /IAcceptExchangeServerLicenseTerms
This command updates ExchangeServer.msi with updates from the specified directory, and then installs the Client Access server role, Mailbox server role, and the management tools. If a language pack bundle is included in this directory, the language pack is also installed.
Setup.exe /mode:Install /role:ClientAccess /AnswerFile:c:\ExchangeConfig.txt /IAcceptExchangeServerLicenseTerms
This command installs the Client Access server role by using the settings in the ExchangeConfig.txt file.
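The commands above are typed by hand; when the same unattended installation has to be repeated on several servers, it is worth wrapping Setup.exe in a script that assembles the switches, runs setup, and surfaces the result. The following PowerShell function is an added example and not part of the course or of the Exchange product. Its assumptions are labelled: the media is mounted as D:, the organization name and updates folder are placeholders, and failed setup tasks are assumed to be marked "[ERROR]" in C:\ExchangeSetupLogs\ExchangeSetup.log.

```powershell
# Added example (not from the course): a wrapper that runs Setup.exe in unattended
# mode with the switches documented above and reports the result. Assumptions
# (not from the course): the media is mounted as D:, 'MyOrg' and the updates folder
# are placeholders, and failed tasks appear as "[ERROR]" lines in ExchangeSetup.log.

function Install-ExchangeUnattended {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]   $SetupPath  = 'D:\Setup.exe',
        [string[]] $Roles      = @('ClientAccess', 'Mailbox'),
        [string]   $OrgName    = 'MyOrg',            # placeholder; omit for an existing org
        [string]   $UpdatesDir = ''                  # e.g. 'C:\ExchangeServer\New Patches'
    )

    # Switch list in the documented syntax: roles comma-separated, paths quoted.
    $arguments = @(
        '/Mode:Install',
        "/Roles:$($Roles -join ',')",
        '/InstallWindowsComponents',
        '/IAcceptExchangeServerLicenseTerms'
    )
    if ($OrgName)    { $arguments += "/OrganizationName:$OrgName" }
    if ($UpdatesDir) { $arguments += "/UpdatesDir:`"$UpdatesDir`"" }

    if (-not (Test-Path $SetupPath)) {
        throw "Setup.exe not found at $SetupPath; mount the installation media first."
    }
    # -WhatIf prints the exact command line instead of running it.
    if (-not $PSCmdlet.ShouldProcess("$SetupPath $($arguments -join ' ')", 'Run Exchange setup')) {
        return
    }

    # -Wait and -PassThru so the exit code is setup's own, not the launching shell's.
    $process = Start-Process -FilePath $SetupPath -ArgumentList $arguments -Wait -PassThru -NoNewWindow

    $logPath = 'C:\ExchangeSetupLogs\ExchangeSetup.log'
    if ($process.ExitCode -ne 0) {
        Write-Warning "Setup exited with code $($process.ExitCode); last errors from $logPath :"
        if (Test-Path $logPath) {
            # Assumption: setup marks failed tasks with "[ERROR]" in the log.
            Get-Content $logPath | Select-String -Pattern '\[ERROR\]' | Select-Object -Last 20
        }
    }
    else {
        Write-Host "Setup completed; full log at $logPath"
    }
    return $process.ExitCode
}

# Preview the exact command first, then run it for real without -WhatIf.
Install-ExchangeUnattended -Roles ClientAccess, Mailbox -OrgName 'MyOrg' -WhatIf
```

Running the function with -WhatIf first shows the assembled command line so it can be checked against the syntax above before any change is made to the server or to AD DS.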
Demonstration: Installing Exchange Server 2013
Demonstration Steps
1. On LON-DC1, attach D:\Program Files\Microsoft Learning\20341\Drives\ExchangeServer2013CU1.iso as a DVD drive.
2. Open Windows PowerShell.
3. Navigate to D: drive. Type .\Setup.exe /PrepareAD /IAcceptExchangeServerLicenseTerms /Or
4. Switch to LON-EX1.
5. Map D:\Program Files\Microsoft Learning\20341\Drives\ExchangeServer2013CU1.iso as a D
6. Open Windows Explorer and navigate to D:\.
o Run setup.exe
o Don't check for updates
o Select to install both Mailbox and Client Access roles
o Don't disable malware scanning
o Start the prerequisite check.
o Restart the computer and rerun setup.exe.
Post-Installation Tasks
After finishing the Exchange Server installation, you may need to perform additional steps to finalize the server deployment.
Configuring Exchange Server Security
Security is important for all of the servers in your deployment. However, security is even more important for computers that are running Exchange Server. For most organizations, messaging is a critical part of the network. People rely on messaging to perform their jobs, and sensitive and private information is often sent through and stored in the messaging system. Computers that are running Exchange Server all communicate with the Internet in some way, which is not the case with many other servers. Even Mailbox servers with no direct Internet communication are exposed to messages that originally came from the Internet.
Use the following steps to secure computers that are running Exchange Server 2013:
Restrict physical access. Like all servers, physical access to a computer that is running Exchange Se
Restrict communication. You can use firewalls to restrict the communication between servers, and b
server (if deployed) or other SMTP gateway must be available to anonymous Internet connections,
Reduce the attack surface. To limit software flaws that hackers can use, eliminate unnecessary softw
xposed to the Internet.
Restrict permissions. Evaluate who has permissions to manage Active Directory in your organizatio
Reduce delegated AD DS management permissions in a more granular way if you do not want all o
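Two of the steps above, restricting communication and restricting permissions, can be expressed as a repeatable check on the server itself. The script below is an added example, not part of the course or of Exchange; it assumes the Active Directory module and the Exchange Management Shell are loaded, and the address 10.0.0.25 is a placeholder for the Edge Transport server or other SMTP gateway that is allowed to reach this server. The role group names and the Windows Firewall cmdlets it uses (New-NetFirewallRule, Set-NetFirewallRule, Get-NetFirewallRule) exist on Windows Server 2012.

```powershell
# Added example (not from the course): two of the hardening steps above as
# configuration and as a check. Assumptions: the Active Directory module and
# the Exchange Management Shell are loaded, and 10.0.0.25 is a placeholder for
# the SMTP gateway that is allowed to reach this server anonymously.

Import-Module ActiveDirectory

$ruleName = 'Exchange SMTP from gateway only'

# Restrict communication: allow inbound TCP 25 only from the SMTP gateway.
# Run with -WhatIf first to see the rule that would be created.
function Limit-SmtpInbound {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]] $GatewayAddress = @('10.0.0.25'))   # placeholder

    $existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Verbose 'Rule already exists; updating the remote address list.'
        Set-NetFirewallRule -DisplayName $ruleName -RemoteAddress $GatewayAddress
        return
    }
    if ($PSCmdlet.ShouldProcess('TCP/25 inbound', "allow only from $($GatewayAddress -join ', ')")) {
        New-NetFirewallRule -DisplayName $ruleName `
            -Direction Inbound -Protocol TCP -LocalPort 25 `
            -RemoteAddress $GatewayAddress -Action Allow | Out-Null
    }
}

# Restrict permissions: report who holds the AD groups and Exchange role groups
# that can change the organization, so membership can be reviewed and trimmed.
function Get-PrivilegedMember {
    $report = @()
    foreach ($group in 'Enterprise Admins', 'Schema Admins', 'Domain Admins') {
        Get-ADGroupMember -Identity $group -Recursive | ForEach-Object {
            $report += [pscustomobject]@{ Role = $group; Member = $_.SamAccountName }
        }
    }
    foreach ($roleGroup in 'Organization Management', 'Server Management') {
        Get-RoleGroupMember -Identity $roleGroup | ForEach-Object {
            $report += [pscustomobject]@{ Role = $roleGroup; Member = $_.Name }
        }
    }
    $report | Sort-Object Role, Member
}

Limit-SmtpInbound -WhatIf
Get-PrivilegedMember | Format-Table -AutoSize
```

An Allow rule narrows access only if the profile's default inbound action is Block and no broader rule (including the rules Exchange setup creates for its own transport services) already allows port 25; review those with Get-NetFirewallRule and Get-NetFirewallPortFilter before relying on it. The membership report is the starting point for the "restrict permissions" step: every account it lists can change Exchange or AD DS configuration and should be one that the organization knowingly granted.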
Configure Additional Software
Before you install any additional software, ensure that Microsoft certifies it for use with Exchange Server 2013. Failure to verify certification for Exchange Server 2013 could result in data or availability loss. Products specifically designed for use with Exchange Server 2013 take advantage of new features.
Some of the additional software you might want to install or configure includes:
Antivirus software. You can choose to use Forefront Online Protection or a third-party antivirus s
Anti-spam software. Anti-spam software can significantly reduce unsolicited commercial email m
party anti-spam solutions. You can also use the anti-spam solution built into Exchange Server 201
Backup software. To back up Exchange Server 2013 servers, you must deploy backup software th
Monitoring tools and agents. One example of a monitoring tool is Microsoft System Center Opera
(Operations Manager). Operations Manager allows you to proactively monitor and manage your E
Troubleshooting Exchange Server Installation
Although the Exchange Server setup process rarely fails if you fulfill all prerequisites, there are some situations when you need to troubleshoot the Exchange installation. During the setup process, Exchange Server installation performs very detailed logging. Exchange setup logs are located in the C:\ExchangeSetupLogs folder. The ExchangeSetup.log file contains information about the status of prerequisite and system-readiness checks that Exchange Server performs before the installation begins. This log also contains information about every task that occurs during the Exchange Server setup, and is the most complete log available for troubleshooting installation errors. Other .msilog or .ps1 files may exist in this folder, depending on which roles are installed on this server.
Some common installation problems and solutions are:
Insufficient disk space. Your server might not have the necessary disk space to install Exchange Se
Missing software components. Your server might not have all of the required software components
Incorrect DNS configuration. Exchange Server 2013 relies on global catalog servers to perform ma
iag tool. To resolve the problem, ensure that the Exchange server and domain controllers are all usi
Incorrect domain functional level. All domains with Exchange Server 2013 recipients or servers mu
l.
Insufficient Active Directory permissions. When you install Exchange Server 2013, you need suffic
se Admins and Schema Admins groups.
Insufficient Exchange permissions. To install Exchange Server 2013 into an existing organization, y
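Most of the problems in the list above can be caught before Setup.exe is started. The following script is an added example, not part of the course or of Exchange; it assumes the Active Directory module is available, that the account running it is the one that will run setup, and uses placeholder values for the installation drive and the free-space threshold. The minimum domain functional level it tests for (Windows Server 2003) is an assumption, since the course's own statement of the requirement is cut off above.

```powershell
# Added example (not from the course): pre-installation checks for the common
# problems listed above. Assumptions: the Active Directory module is available,
# the drive letter and free-space threshold are placeholders, the account running
# the script is the one that will run Setup.exe, and Windows Server 2003 is the
# assumed minimum domain functional level.

Import-Module ActiveDirectory

function Test-ExchangePrereq {
    param(
        [string] $InstallDrive = 'C:',
        [int]    $MinFreeGB    = 30      # placeholder threshold
    )
    $results = @()

    # Insufficient disk space
    $disk   = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$InstallDrive'"
    $freeGB = [math]::Round($disk.FreeSpace / 1GB, 1)
    $results += [pscustomobject]@{ Check = "Free space on $InstallDrive"
                                   Pass  = ($freeGB -ge $MinFreeGB)
                                   Detail = "$freeGB GB free" }

    # Incorrect DNS configuration: the server must be able to resolve a global catalog
    $forest = Get-ADForest
    $gc     = $forest.GlobalCatalogs | Select-Object -First 1
    $dnsOk  = $false
    $detail = 'no global catalog registered in the forest'
    if ($gc) {
        try   { Resolve-DnsName -Name $gc -ErrorAction Stop | Out-Null; $dnsOk = $true; $detail = "resolved $gc" }
        catch { $detail = "cannot resolve $gc" }
    }
    $results += [pscustomobject]@{ Check = 'Global catalog resolvable'; Pass = $dnsOk; Detail = $detail }

    # Incorrect domain functional level (assumed minimum: Windows Server 2003)
    $domain  = Get-ADDomain
    $mode    = $domain.DomainMode.ToString()
    $levelOk = $mode -notmatch '2000|2003Interim'
    $results += [pscustomobject]@{ Check = 'Domain functional level'; Pass = $levelOk; Detail = $mode }

    # Insufficient Active Directory permissions: a first install needs Enterprise
    # Admins and Schema Admins; the token of the current user shows its groups.
    $identity   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $groupNames = $identity.Groups | ForEach-Object {
        try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $null }
    }
    foreach ($required in 'Enterprise Admins', 'Schema Admins') {
        $pattern  = '\\' + [regex]::Escape($required) + '$'
        $isMember = [bool]($groupNames -match $pattern)
        $results += [pscustomobject]@{ Check  = "Member of $required"
                                       Pass   = $isMember
                                       Detail = $(if ($isMember) { 'yes' } else { 'no' }) }
    }
    return $results
}

Test-ExchangePrereq | Format-Table -AutoSize
```

A failed row points at the matching item in the list above; the Exchange permissions check for an existing organization is not included because it depends on the role groups of that organization rather than on the local server.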
Lesson 3: Managing Exchange Server 2013
After Exchange Server 2013 is installed, you need to manage your Exchange deployment. Exchange administrators can manage Exchange Server by using a new web-based graphical interface called the EAC, or by using the Exchange Management Shell. Exchange users can manage a set of available options by using the Outlook Web App interface. This lesson examines each of these Exchange Server 2013 management techniques.
Lesson Objectives
After completing this lesson, you will be able to:
Manage Exchange Server 2013.
Describe EAC.
Manage User Mailbox properties with Outlook Web App.
Describe Windows PowerShell.
Describe Windows PowerShell Syntax.
Describe how to access help in Windows PowerShell.
Describe Exchange Management Shell.
Perform Management Shell Administration Examples.
Use Exchange Administration Tools to Manage Exchange.
Managing Exchange Server 2013
Exchange Server 2013 supports several methods for managing your server and client settings. Unlike Exchange Server 2010 and older versions, in which management was primarily performed by using the MMC-based Exchange Management Console, Exchange Server 2013 does not provide an MMC-based console for configuration management.
Instead, Exchange Server 2013 uses a new web-based console called the EAC.
Full management of Exchange Server 2013 can also be performed by using the Exchange Management Shell, a Windows PowerShell-based console that provides all available options for managing your Exchange Server. Because several management options are not available in the EAC, some advanced tasks must be performed using the Exchange Management Shell.
Users also can manage some of their mailbox settings through Outlook Web App. This is also a web-based interface that enables users to configure available options for their mailboxes and connected devices. Users are allowed to configure only a subset of available options.
It is important that you follow appropriate management techniques when performing specific administrative tasks. For example, if you want to create mailboxes for several users at the same time, it will be much more efficient to do that through the Exchange Management Shell than by using the EAC.
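The bulk mailbox case mentioned above is the typical one for the Exchange Management Shell. The script below is an added example, not from the course; it assumes the Exchange Management Shell is loaded, and the CSV path, database name, OU paths and UPN suffix are placeholders. The sample CSV is constructed inline so the script runs end to end, and each mailbox gets its own random initial password that must be changed at first sign-in, so no shared or plain-text password is kept in the input file.

```powershell
# Added example (not from the course): creating several mailboxes from a CSV file
# in the Exchange Management Shell. Assumptions: the CSV path, database name,
# OU paths and UPN suffix are placeholders; the Exchange Management Shell is loaded.

$csvPath   = 'C:\Temp\NewUsers.csv'    # placeholder
$database  = 'Mailbox Database 1'      # placeholder
$upnSuffix = 'adatum.com'              # placeholder

# Constructed sample input, written here so the script runs end to end.
@'
FirstName,LastName,Alias,OU
Jane,Doe,jdoe,"OU=Sales,DC=adatum,DC=com"
Sam,Lee,slee,"OU=IT,DC=adatum,DC=com"
'@ | Set-Content -Path $csvPath

# A random initial password per user; the suffix guarantees complexity classes.
function New-InitialPassword {
    $bytes = New-Object byte[] 12
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ([Convert]::ToBase64String($bytes) + '!1aA')
}

$created = foreach ($row in Import-Csv -Path $csvPath) {
    $plain  = New-InitialPassword
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    $mailbox = New-Mailbox -Name "$($row.FirstName) $($row.LastName)" `
        -FirstName $row.FirstName -LastName $row.LastName `
        -Alias $row.Alias -UserPrincipalName "$($row.Alias)@$upnSuffix" `
        -OrganizationalUnit $row.OU -Database $database `
        -Password $secure -ResetPasswordOnNextLogon $true
    # Report the initial password once; hand it to the user out of band.
    [pscustomobject]@{ Alias = $mailbox.Alias; UPN = $mailbox.UserPrincipalName; InitialPassword = $plain }
}
$created | Format-Table -AutoSize
```

The same loop in the EAC would be one wizard per user; in the shell it is one Import-Csv pipeline, and the -ResetPasswordOnNextLogon switch ensures the generated password is only ever used once.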
What Is EAC?
The EAC is the new, web-based console that is used for managing your Exchange Server 2013 deployment. It is a graphical console that allows you to manage both an on-premises Exchange Server and an Exchange Online or hybrid Exchange deployment. This console is a replacement for the Exchange Management Console (which exists in Exchange Server 2007 and 2010) and for the Exchange Control Panel (ECP).
The EAC has several advantages over the MMC-based console that was used in previous versions of Exchange. Because the EAC is a web-based console, it is much faster and more responsive than the Exchange Management Console. The EAC allows you to administer both Exchange on-premises and Exchange Online deployments from the same place. The EAC can be accessed from a web-browser interface from both an internal network and the Internet. However, if you want to disable Exchange management from outside your network, you can partition access from the Internet/intranet within the ECP IIS virtual directory to allow or disallow management features. This enables you to permit or deny access to users trying to access the EAC from the Internet outside of your organizational environment, while still allowing access to an end user's Outlook Web App Options.
You can access the EAC by using the same URL syntax as used in older versions. It is located in the ECP virtual directory. When you sign in to the EAC, you are provided with the ability to manage the following components of your Exchange infrastructure:
Recipients. In this node, you manage mailboxes, groups, resource mailboxes, contacts, shared mailb
Permissions. This node contains options for managing administrator roles, user roles, and Outlook W
Compliance Management. The Compliance Management Center is used for managing In-Place eDi
Organization. This node includes tasks related to the Exchange Organization, including Federated s
Protection. Exchange Server 2013 includes built-in antimalware functionality, and the Protection C
Mail Flow. In this node, you manage rules, delivery reports, accepted domains, and email address p
Mobile. In this node of the EAC console, you can manage mobile devices that you allow to connect to
Public Folders. Unlike previous Exchange Server versions, in which public folder administration w
Unified Messaging. The Unified Messaging center is where you manage UM dial plans and UM IP
Servers. The Servers Center is where you will manage your Mailbox and Client Access servers, dat
Hybrid. The Hybrid Center is where you will access Hybrid setup and configuration.
Because the EAC is now a web-based management console, you will need to access it through your web browser using the ECP virtual directory URL. To find the ECP virtual directory URL that provides access to the EAC, run the following command:
Get-ECPVirtualDirectory | Format-List InternalURL,ExternalURL
Use the InternalURL or ExternalURL value in your web browser to launch the EAC.
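The partitioning of Internet and intranet access described above is a per-virtual-directory setting. The commands below are an added example, not from the course; they assume the Exchange Management Shell is loaded and use LON-CAS1 as a placeholder for the Client Access server that is published to the Internet. The AdminEnabled parameter of Set-ECPVirtualDirectory is the Exchange Server 2013 setting that keeps the end-user Options pages working while refusing the EAC administration pages on that virtual directory.

```powershell
# Added example (not from the course): locating the EAC URLs and disabling
# administrative access on the Internet-facing Client Access server.
# Assumption: LON-CAS1 is a placeholder for the server published to the Internet.

$internetFacingServer = 'LON-CAS1'   # placeholder

# Where the EAC lives on every Client Access server, and whether admin access is on.
Get-ECPVirtualDirectory | Format-Table Server, InternalUrl, ExternalUrl, AdminEnabled -AutoSize

# AdminEnabled $false keeps end-user Outlook Web App Options working on that
# virtual directory but rejects the EAC admin pages, so a valid administrator
# password alone is not enough to reach the console from the Internet.
Get-ECPVirtualDirectory -Server $internetFacingServer |
    Set-ECPVirtualDirectory -AdminEnabled $false -WhatIf   # remove -WhatIf to apply

# Verify: internal servers remain AdminEnabled, the Internet-facing one does not.
Get-ECPVirtualDirectory | Where-Object { -not $_.AdminEnabled } |
    Select-Object Server, Identity, AdminEnabled
```

Administrators then open the EAC through an internal Client Access server's InternalURL, while the ExternalURL of the published server serves only the Outlook Web App Options.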
Managing User Mailbox Properties with Outlook Web App
In Exchange Server 2013, users can manage their accounts and mailboxes by using the Outlook Web App interface. When users sign in to Outlook Web App they can see email and related items, and they can also choose to manage their mailbox settings.
This allows all mailbox users to configure most of their mailbox settings, including:
Outlook Web App settings such as email signatures and out-of-office messages.
Manage inbox rules for automatic message management.
Perform message tracking of messages sent or received from their mailbox.
Manage site mailboxes where they are members.
View and manage mobile devices that have connected to their mailboxes.
Manage text-messaging notifications.
View group memberships and request to join public groups.
Recover deleted messages.
Manage block and allow lists.
Change their password.
Manage applications for Outlook Web App.
This enables users to perform some of the tasks that were previously dedicated only to administrators, thus giving users greater control over the appearance and performance of their mail system.
What Is Windows PowerShell?
Windows PowerShell is a command-line management interface that can be used to configure Windows Server 2012 and products such as System Center 2012, Exchange Server 2013, and Microsoft SharePoint Server 2013. This management interface, which provides an alternative to the GUI management tool, enables administrators to:
Create automation scripts.
Perform batch modifications.
Access settings that might be unavailable or more difficult to configure in the GUI.
The GUI can be inefficient for tasks that you have to perform repeatedly, such as creating new user accounts. By building administrative functionality in the form of Windows PowerShell commands, you can select the right method for a given task.
As you become more comfortable with Windows PowerShell, you may use it in place of other low-level administrative tools that you may have used in the past. For example, Windows PowerShell has access to the same features that can be accessed by VBScript, but in many cases, Windows PowerShell provides easier ways to perform the same tasks.
Windows PowerShell also may change the way you use Windows Management Instrumentation (WMI). Windows PowerShell can wrap task-specific commands around the underlying WMI functionality. When you use Windows PowerShell with WMI, your work is simplified because Windows PowerShell provides easy-to-use, task-based commands.
Although Windows PowerShell is an excellent command-line tool for performing specific tasks, it also offers additional functionality. Windows PowerShell can manage Windows Server roles and features, and it can be used to provision, manage, and report on various objects, directories, and components.
Windows PowerShell Syntax
Windows PowerShell uses commands, known as cmdlets, to perform specific tasks. T
he naming convention for a cmdlet includes a verb or action, followed by a hyphen, a
nd then a noun or subject.

For example, to retrieve a list of users, you would use the cmdlet Get-
User. This standardized naming convention is designed to enable users to more easily
remember how to perform administrative tasks.For example, to change the settings of
a mailbox, you would use the cmdlet Set-Mailbox.
Optionally, one or more parameters can be used with a cmdlet to modify its behavior
or specify settings. When you type a cmdlet on a command line, the parameters are en
tered after the cmdlet name. Eachparameter that is used must begin with a hyphen, an
d if multiple parameters are entered, they must be separated by a space.
Not all cmdlets use the same parameters. Some cmdlets have parameters that are uniq
ue to their functionality. For example, the Move-Item cmdlet includes the -
Destination parameter to specify the locationwhere the object will be moved; whereas
the Get-ChildItem cmdlet has the
Recurse parameter. There are several kinds of parameters, including the following:
Named. Named parameters are the most commonly used parameters, and they can require a value
-Destination parameter and the exact destination where the item will be moved.
Switch. Switch parameters modify the behavior of the cmdlet, but they do not require any addition
-Recurse parameter without specifying a value of $True.
Positional. Positional parameters are parameters that can be omitted and can still accept values ba
EventLog EventLog System to retrieve information from the System event log. However, becau
EventLog System to obtain the same results. When the EventLog parameter is not present, the cm
Parameters that are common to many cmdlets include options to test the actions of the cmdlet or to generate verbose information about the execution of the cmdlet. Common parameters include:
-Verbose. This parameter displays detailed information about the performed command. You should
-WhatIf. This parameter displays the outcome of running the command without actually running it.
-Confirm. This parameter displays a confirmation prompt before executing the command. This is he
Additional Reading: For additional information on cmdlet verbs, see the following location: http://go.microsoft.com/fwlink/?LinkId=290957.
Accessing Help in Windows PowerShell
Whether you are an experienced professional or are new to Windows PowerShell, the cmdlet Help documentation provides a rich source of information. To access the Help documentation, use the Get-Help cmdlet (or its alias, help) followed by the cmdlet name, or enter the cmdlet name followed by the help parameter. Get-Help includes the following parameters to adjust the Help content that is displayed:

-Detailed. Displays more detailed help than the default option displays.
-Examples. Displays only the examples for using the cmdlet.
-Full. Displays advanced help and usage examples.
-Online. Opens a web browser to the cmdlet documentation on the Microsoft website.
Windows PowerShell 3.0 includes the ability to download the latest help documentation from Microsoft. To view help documentation locally, you must use the Update-Help cmdlet. Also new in Windows PowerShell 3.0 is the Show-Command cmdlet. This cmdlet helps users who are new to PowerShell to interact with the input and output options for a cmdlet by using a graphical interface.
The Get-Command cmdlet returns a list of all locally available cmdlets, functions, and aliases. You can use it to discover new cmdlets by using wildcard searches. For example, to return a list of all cmdlets that include VM in the cmdlet name, you could run Get-Command *VM*.
What Is Exchange Management Shell?
The Exchange Management Shell and the Exchange Management Console run on top of the Windows PowerShell version 3.0 command-line interface.

These tools also use cmdlets, which are commands that run within Windows PowerShell. Each cmdlet completes a single administrative task, and you can combine cmdlets to perform complex administrative tasks.
In Exchange Management Shell, there are more than 700 cmdlets that perform Exchange Server management tasks, and even more non-Exchange Server cmdlets exist in the basic Windows PowerShell shell design.
Exchange Management Shell is more than just a command-line interface that you can use to manage Exchange Server 2013. Exchange Management Shell is a complete management shell that offers a complex and extensible scripting engine that has sophisticated looping functions, variables, and other programmatic features, so that you can quickly create comprehensive administrative scripts.
When you run cmdlets in the Exchange Management Shell, role-based access control (RBAC) is used to determine whether you have the required permissions to run the cmdlets. RBAC enables you to assign granular permissions to administrators, as well as the scope of objects that can be modified, and to more closely align the roles that you assign to users and administrators with the actual roles they hold within your organization. Because all Exchange Server 2013 administration tools run Exchange Management Shell cmdlets to make changes to the Exchange environment, RBAC permissions are consistently applied across all administration tools.
Exchange Management Shell Administration Examples
In Exchange Management Shell, you can also use the get-help command to access Help for any cmdlet. For example, if you want to learn about the available options for the Set-Mailbox cmdlet, you will type get-help Set-Mailbox. If you want to access extended help, you can type get-help Set-Mailbox -detailed. And if you want to view a list of examples of usage for the Set-Mailbox cmdlet, you can type get-help Set-Mailbox -examples.

When you type a cmdlet, it is very useful to use the TAB key. Exchange Management Shell supports command completion by using the TAB key. All you must do is type the first few letters of a cmdlet, and then press the TAB key to complete the command. If several cmdlets begin with the same letters, you can continue pressing the TAB key to browse through all cmdlets.
Each command that makes a change in Exchange Management Shell can be ended with the -WhatIf parameter, which instructs the cmdlet to simulate the actions that it would take on the object. By using the -WhatIf parameter, you can view the changes that would occur without actually making those changes.
You can also use the -Confirm parameter if you are about to run a command that affects multiple objects. The -Confirm parameter forces the cmdlet to pause processing and requires the administrator to acknowledge what the cmdlet will do before processing continues.
If you expect that the output of your cmdlet will be too long, you can direct the output to a text file. For example, you can type Get-Mailbox | Format-List > file.txt.
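The parameter kinds (named, switch, positional) and the -WhatIf and -Confirm behavior described above are what an advanced function gets from SupportsShouldProcess. The following is an added example, not code from the course: a function that applies quota values to constructed mailbox objects (Set-DemoMailboxQuota and the sample objects are hypothetical; no Exchange server is needed to run it).

```powershell
# Added example: an advanced function that behaves like an Exchange Set-* cmdlet
# with respect to -WhatIf and -Confirm. Mailbox objects are constructed in-script.
function Set-DemoMailboxQuota {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Positional parameter: may be given by name, by position, or from the pipeline
        [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
        [object[]]$Mailbox,

        # Named parameters: each requires a value after the parameter name
        [Parameter(Mandatory = $true)]
        [int]$WarningQuotaMB,

        [Parameter(Mandatory = $true)]
        [int]$ProhibitSendQuotaMB,

        # Switch parameter: its presence alone changes behavior, no value is given
        [switch]$SkipDatabaseDefaults
    )
    process {
        foreach ($mbx in $Mailbox) {
            $action = "Set warning quota $WarningQuotaMB MB, prohibit send quota $ProhibitSendQuotaMB MB"
            # ShouldProcess prints "What if: ..." and returns $false under -WhatIf,
            # prompts the operator under -Confirm, and returns $true otherwise.
            if ($PSCmdlet.ShouldProcess($mbx.Alias, $action)) {
                $mbx.IssueWarningQuota = $WarningQuotaMB
                $mbx.ProhibitSendQuota = $ProhibitSendQuotaMB
                if ($SkipDatabaseDefaults) { $mbx.UseDatabaseQuotaDefaults = $false }
                $mbx
            }
        }
    }
}

# Constructed sample objects standing in for Get-Mailbox output
$sample = @(
    [pscustomobject]@{ Alias = 'Bart';  IssueWarningQuota = $null; ProhibitSendQuota = $null; UseDatabaseQuotaDefaults = $true }
    [pscustomobject]@{ Alias = 'Aidan'; IssueWarningQuota = $null; ProhibitSendQuota = $null; UseDatabaseQuotaDefaults = $true }
)

# 1. Simulate only: each object produces a "What if:" line and nothing is changed
$sample | Set-DemoMailboxQuota -WarningQuotaMB 200 -ProhibitSendQuotaMB 250 -WhatIf

# 2. Prompt before each object (interactive; answer Y, N, or A to continue)
$sample | Set-DemoMailboxQuota -WarningQuotaMB 200 -ProhibitSendQuotaMB 250 -Confirm

# 3. Apply without prompting: mailboxes passed positionally, switch parameter present
Set-DemoMailboxQuota $sample -WarningQuotaMB 200 -ProhibitSendQuotaMB 250 -SkipDatabaseDefaults -Confirm:$false |
    Format-Table Alias, IssueWarningQuota, ProhibitSendQuota, UseDatabaseQuotaDefaults
```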
Examples of Exchange Management Shell commands include:
Enable-Mailbox -Identity adatum\Bart -Database MailboxDatabase. This command enables a m
(Bart) with the domain and alias combination adatum\Bart by creating a mailbox in the mailbox data
New-MailboxExportRequest -Mailbox Bart -FilePath \\LON-EX1\PSTFileShare\Bart_Mailbox.pst. This command retrieves the contents of the mailbox with t
Get-MailboxStatistics -Database MailboxDatabase. This command retrieves the mailbox statistic
New-MailboxDatabase -Name MailboxDatabase -Server LON-Ex1. This command creates a ma
Get-ExchangeServer -Status | Format-List. This command retrieves a detailed list of all existing servers, and forces a call to update the se
New-DynamicDistributionGroup -Name DDG -Alias DDGAlias -OrganizationalUnit OU -Inc
based dynamic distribution group named DDG that is located in the OU and has the alias DDGAlias
New-MoveRequest -Identity 'user1' -TargetDatabase Executives. This command creates a move
Demonstration: Using Exchange Administration Tools to Manage Exchange
Demonstration Steps
1. On LON-EX1, review the options in the Exchange Admin Center.
2. Create the mailbox for the user Aidan.
3. Sign in to Outlook Web App as Aidan.
4. Review the options in Outlook Web App for a non-administrative user.
5. From the Exchange Management Shell, execute the following cmdlets:
Get-Command *mailbox*
Get-Mailbox Aidan | Format-List alias,*quota
Enable-MailContact -Identity "John Woods" -Alias woods -ExternalEmailAddress woods@adatum
Get-MailboxStatistics -Server LON-EX1
Get-Recipient -RecipientType UserMailbox
New-MailboxDatabase -Name AdatumExec -Server LON-EX1
Lab: Deploying and Managing Exchange Server 2013
Scenario
You are working as a messaging administrator in the A. Datum corporation. Your organization is preparing to install its first Exchange Server 2013 server. As an initial task, you will deploy Exchange Server 2013 in a test environment. Before installing Exchange Server 2013 in the test environment, you must first verify that the AD DS is ready for the installation. You also must verify that all computers that will run Exchange Server 2013 meet the prerequisites for installing Exchange. Once the environment is prepared, you will deploy Exchange Server 2013.
Objectives
Evaluation of requirements and prerequisites for Exchange Server 2013 deployment
Exchange Server 2013 deployment
Exchange Server 2013 management
Lab Setup
Estimated time: 60 minutes
Virtual machines: 20341B-
20341B-
User name: Adatum\Ad
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Mana
2. In Hyper-V Manager, click 20341B-LON-DC1-B, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
a. User name: Adatum\Administrator
b. Password: Pa$$w0rd
5. Repeat steps 2 to 4 for 20341B-LON-EX1-B.
Exercise 1: Evaluating Requirements and Prerequisites for an Exchange Server 2013 Installation
Scenario
The Active Directory administrators at A. Datum have prepared a test AD DS environment for the Exchange Server 2013 deployment. The server administration team has deployed a Windows Server 2012 server that you can use to deploy the first Exchange Server 2013 server in the test organization. You must verify that the Active Directory environment and the server meet all prerequisites for installing Exchange Server 2013.
The main tasks for this exercise are as follows:
1. Evaluate the Active Directory Requirements
2. Evaluate the DNS requirements
Task 1: Evaluate the Active Directory Requirements
1. On LON-DC1, evaluate whether the domain controller requirements are met:
a. Use Active Directory Users and Computers to evaluate whether the domain and forest functio
b. Use Adsiedit.msc to evaluate whether the Exchange schema changes are applied.
Task 2: Evaluate the DNS requirements
1. On LON-EX1, verify that the DNS settings are configured appropriately.
2. Ping the domain controller LON-DC1.adatum.com to verify network connectivity.
3. Start the Nslookup utility from Windows PowerShell.
4. Type set type=all.
5. Perform an nslookup search for the _ldap._tcp.dc._msdcs.adatum.com SRV record.
6. Verify that an SRV record for lon-dc1.adatum.com is returned.
7. Close Window PowerShell.
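The checks in Task 1 and Task 2 can be scripted instead of clicked through. The following is an added example, not part of the course lab: it uses the ActiveDirectory and DnsClient modules (assumed available on LON-DC1 / Windows Server 2012), reads the same functional levels and schema object that AD Users and Computers and Adsiedit show, and resolves the same SRV record that the nslookup steps query. Test-ExchangePrerequisites is a hypothetical function name; the domain and DC names are the lab's.

```powershell
# Added example: automate the Exercise 1 prerequisite checks (not the lab's own solution).
# Requires the ActiveDirectory and DnsClient modules; run on LON-DC1 or a host with RSAT.
function Test-ExchangePrerequisites {
    param(
        [string]$DomainName = 'adatum.com',
        [string]$DomainController = 'lon-dc1.adatum.com'
    )
    $results = [ordered]@{}

    # Task 1a: domain and forest functional levels (same values AD Users and Computers displays)
    $forest = Get-ADForest
    $domain = Get-ADDomain -Identity $DomainName
    $results['ForestMode'] = $forest.ForestMode
    $results['DomainMode'] = $domain.DomainMode

    # Task 1b: Exchange schema changes. Setup /PrepareAD adds the ms-Exch-Schema-Version-Pt
    # attribute to the schema partition (visible in Adsiedit under CN=Schema); its rangeUpper
    # value is the Exchange schema version. If the object is absent, the schema is not prepared.
    $schemaNC  = (Get-ADRootDSE).schemaNamingContext
    $schemaObj = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(name=ms-Exch-Schema-Version-Pt)' -Properties rangeUpper
    $results['ExchangeSchemaVersion'] = if ($schemaObj) { $schemaObj.rangeUpper } else { 'not prepared' }

    # Task 2 steps 1-2: configured DNS servers and reachability of the domain controller
    $results['DnsServers'] = (Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        Select-Object -ExpandProperty ServerAddresses) -join ','
    $results['DcPingable'] = Test-Connection -ComputerName $DomainController -Count 1 -Quiet

    # Task 2 steps 3-6: the SRV record clients use to locate a DC, i.e. the record that
    # "set type=all" plus a lookup of _ldap._tcp.dc._msdcs.<domain> returns in nslookup
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue
    $srvTargets = @($srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget)
    $results['SrvTargets'] = $srvTargets -join ','
    $results['DcInSrv']    = $srvTargets -contains $DomainController

    [pscustomobject]$results
}

Test-ExchangePrerequisites | Format-List
```

A DcInSrv value of False with an empty SrvTargets means the DNS client is not pointed at a DNS server that hosts the _msdcs zone, which is the condition the nslookup step is meant to catch.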
Results: After completing this exercise, the students will have evaluated the AD DS requirements.
Exercise 2: Deploying Exchange Server 2013
Scenario
After evaluating the Exchange Server 2013 requirements, you are ready to begin the deployment process. You must first prepare AD DS, and then perform a single server Exchange installation. For evaluation purposes, all roles will be installed on a single server. At the end, you will verify whether the core Exchange services and components are installed correctly.
The main tasks for this exercise are as follows:
1. Preparing AD DS for Exchange Server 2013 deployment
2. Performing Exchange Server 2013 installation on a single server
3. Verify Exchange Server installation
Task 1: Preparing AD DS for Exchange Server 2013 deployment
1. On LON-DC1, attach C:\Program Files\Microsoft Learning\20341B\Drives\ExchangeServer2013CU1.iso to the virtual machine.
2. On LON-DC1, open a Windows PowerShell window. Switch to D:\.
3. Execute the proper command to prepare AD DS for your Exchange Server installation.
.\Setup.exe /PrepareAD /IAcceptExchangeServerLicenseTerms /OrganizationName:Adatum
4. Wait until the process completes.
5. Close Windows PowerShell.
Task 2: Performing Exchange Server 2013 installation on a single server
1. On LON-EX1, attach C:\Program Files\Microsoft Learning\20341\Drives\ExchangeServer2013CU1.iso to the virtual machine.
2. Install the Windows features for Exchange server by typing:
Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Fe
Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model,
Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redire
Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor
WMI, Windows-Identity-Foundation, and press Enter. (If you do not want to type this command
3. After the roles are installed, restart the server.
4. Sign in to LON-EX1 as Adatum\Administrator with the password Pa$$w0rd, and start Exchang
a. Do not check for updates.
b. Select the options to install both the Client Access and Mailbox server roles.
c. Do not disable malware protection.
d. Ensure that the prerequisites are met.
e. Install the Exchange server. Wait until the installation completes. It can take 30 to 40 minutes
f. On the Setup Completed page, click Finish.
g. Restart LON-EX1 and sign in as Adatum\Administrator with the password Pa$$w0rd.
Task 3: Verify Exchange Server installation
1. On LON-EX1, from Server Manager, open the Services console.
2. Review the status for each Exchange Server service. Ensure that all services that are set for automa
3. Using File Explorer, browse to C:\Program Files\Microsoft\Exchange Server\v15. This list of fo
4. Using Internet Explorer, open https://lon-ex1.adatum.com/owa.
5. Sign in to Outlook Web App as Adatum\Administrator with the password Pa$$w0rd. Send a ne
6. Close Outlook Web App.
Results: After completing this exercise, the students will have deployed Exchange Server 2013.
Exercise 3: Managing Exchange Server 2013
Scenario
You have Exchange Server 2013 deployed in the test environment, and you want to explore the Exchange Server 2013 management tools. You are interested in exploring the functionality that exists in the new EAC, and also in Outlook Web App and Exchange Management Shell.
The main tasks for this exercise are as follows:
1. Explore Exchange Server 2013 Administration Center
2. Manage Exchange Server with Exchange Management Shell
3. Explore Outlook Web App
4. To prepare for the next module
Task 1: Explore Exchange Server 2013 Administration Center
1. On LON-EX1, open Internet Explorer.
2. Sign in to https://lon-ex1.adatum.com/ecp as Adatum\Administrator with the password Pa$
3. Create a new mailbox for the existing user Aidan Delaney.
4. Create a new open distribution group called Adatum News.
5. Sign out of the EAC.
Task 2: Manage Exchange Server with Exchange Management Shell
1. On LON-EX1, use Exchange Management Shell to perform the following tasks:
a. List all of the users from the Adatum.com domain.
b. Enable the mailbox for the user Robert.
c. List all mailboxes in Adatum.com.
d. Set the warning quota to 200 MB, and configure the prohibit send quota to 250 MB for all ma
e. Enable mailboxes for all users in the IT organizational unit.
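Task 2 as a set of Exchange Management Shell commands, added here as an example and not the lab's own answer key. Each change is run with -WhatIf first, as the module recommends, and then for real; adatum.com, Robert, the IT organizational unit and the quota values come from the task, while the use of -UseDatabaseQuotaDefaults $false is an assumption about how the quotas should take effect.

```powershell
# Added example: Exchange Management Shell commands for Exercise 3, Task 2.
# Run inside the Exchange Management Shell on LON-EX1.

# a. List all of the users from the Adatum.com domain
Get-User -OrganizationalUnit 'adatum.com' -ResultSize Unlimited |
    Format-Table Name, RecipientTypeDetails, OrganizationalUnit

# b. Enable the mailbox for the user Robert: simulate, then apply
Enable-Mailbox -Identity 'Robert' -WhatIf
Enable-Mailbox -Identity 'Robert'

# c. List all mailboxes in Adatum.com
Get-Mailbox -OrganizationalUnit 'adatum.com' -ResultSize Unlimited |
    Format-Table Alias, Database, IssueWarningQuota, ProhibitSendQuota

# d. Warning quota 200 MB and prohibit send quota 250 MB for all mailboxes.
#    Per-mailbox quotas only apply when the mailbox stops using the database defaults
#    (assumption: that is the intended outcome for this task).
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes | Set-Mailbox -IssueWarningQuota 200MB -ProhibitSendQuota 250MB `
    -UseDatabaseQuotaDefaults $false -WhatIf
$mailboxes | Set-Mailbox -IssueWarningQuota 200MB -ProhibitSendQuota 250MB `
    -UseDatabaseQuotaDefaults $false -Confirm:$false

# Review the result before moving on
Get-Mailbox -ResultSize Unlimited |
    Format-Table Alias, IssueWarningQuota, ProhibitSendQuota, UseDatabaseQuotaDefaults

# e. Enable mailboxes for all users in the IT organizational unit.
#    RecipientTypeDetails User selects only users that do not already have a mailbox,
#    so re-running the command does not fail on already-enabled accounts.
Get-User -OrganizationalUnit 'adatum.com/IT' -RecipientTypeDetails User -ResultSize Unlimited |
    Enable-Mailbox -WhatIf
Get-User -OrganizationalUnit 'adatum.com/IT' -RecipientTypeDetails User -ResultSize Unlimited |
    Enable-Mailbox
```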
Task 3: Explore Outlook Web App
1. On LON-EX1, open Internet Explorer and sign in to Outlook Web App at https://lon-ex1.adat
2. Send a test email to the administrator.
3. Join the Adatum News group.
4. Create a signature for Aidan Delaney.
5. Change the theme for the Outlook Web App interface.
Task 4: To prepare for the next module
When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20341B-LON-DC1-B, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 to 3 for 20341B-LON-EX1-B.
5. In Hyper-V Manager, click 20341B-LON-DC1, and in the Actions pane, click Start.
6. In the Actions pane, click Connect. Wait until the virtual machine starts.
7. Sign in using the following credentials:
a. User name: Adatum\Administrator
b. Password: Pa$$w0rd
8. Repeat steps 5 to 7 for 20341B-LON-MBX1. When you have successfully signed in to LON-MBX
Results: After completing this exercise, the students will have explored Exchange management tools.
Question: What should you install on Windows Server 2012 before starting the Exchange Server 2013 installation?
Question: How can you perform an Exchange Server installation?
Question: How can you verify whether the Exchange installation is successful?
Module Review and Takeaways
Best Practice
Always plan for Exchange server resources before starting an installation process.
Consider deploying Client Access Server role and Mailbox server role on separate servers.
Monitor Exchange services and logs with monitoring software such as SCOM 2012.
Learn how to use Exchange Management Shell.
Install Windows Server roles and features required for Exchange Server prior to installation of Ex
Common Issues and Troubleshooting Tips
Common Issue  Troubleshooting Tip
Setup.exe /PrepareAD fails
Review Question(s)
Question: Which server role in Exchange Server 2013 handles the message transport?
Question: How do Outlook clients from an internal network connect to Exchange Server 2013?
Question: On what is the EAC built?
Tools
EAC
Exchange Management Shell
Module 2: Planning and Configuring Mailbox Servers
Contents:
Module Overview

Lesson 1: Overview of the Mailbox Server Role

Lesson 2: Planning the Mailbox Server Deployment

Lesson 3: Configuring the Mailbox Servers

Lab: Configuring Mailbox Servers

Module Review and Takeaways

Module Overview
The key component of the Microsoft Exchange Server 2013 infrastructure is the Mailbox server, which hosts mailbox databases and address books, handles message transport and routing, and provides unified messaging services. When you plan an Exchange Server 2013 deployment, it is very important to consider all aspects of your deployment that can affect the Mailbox server role design. In this module, we will talk about planning and configuring the Mailbox server role.
Objectives
After completing this module, you will be able to:
Describe the Mailbox server role.
Plan for a Mailbox server role deployment.
Configure the Mailbox servers.
Lesson 1: Overview of the Mailbox Server Role
The Mailbox server role provides a storage solution for most of the data with which Exchange Server works. It hosts user mailboxes, public folders, address lists, and other types of data. In Exchange 2013, most functionality, such as message transport and unified messaging, is located on the Mailbox server role; therefore, it is very important to properly plan and deploy this role.
Lesson Objectives
After completing this lesson, you will be able to:
Describe the Mailbox server role in Exchange Server 2013.
Describe how the Mailbox server role interacts with client servers and the Client Access server ro
Describe the mailbox store in Exchange Server 2013.
Describe database log considerations.
Describe how the mailbox database is updated.
Describe storage options for the mailbox databases.
Describe how to import and export data from the mailbox database.
The Mailbox Server Role in Exchange Server 2013
In Exchange Server 2013, the Mailbox server does much more than it did in Microsoft Exchange Server 2010. In Exchange Server 2010, the Mailbox server hosts databases and provides email storage.

In Exchange Server 2013, the Mailbox server also hosts Client Access protocols, Transport service components, mailbox databases, and Unified Messaging components.
Although clients never communicate directly with the Mailbox server, this server interacts actively with the Active Directory Domain Services (AD DS) components and the Client Access server. It uses the Lightweight Directory Access Protocol (LDAP) to locate and access information about recipients, servers, and organization configuration information that is stored in AD DS.
The Mailbox server also participates in high-availability configurations through Database Availability Groups (DAGs). This concept provides high availability at a database level by implementing multiple copies of the same database over different Mailbox servers. A DAG is a group of up to 16 Mailbox servers that hosts a set of databases and provides automatic database-level recovery from failures that affect individual servers or databases.
Most of the functionality for internal message transport and routing, previously hosted on the Hub Transport server, is now located on the Mailbox server role. The Hub Transport service, running on the Mailbox server role, handles all internal Simple Mail Transfer Protocol (SMTP) mail flow, and performs message categorization and content inspection. In addition to this service, there are two more transport services that run on the Mailbox server role: Mailbox Transport Submission and Mailbox Transport Delivery. These two services communicate with the Hub Transport service to send messages to other servers, and also with the mailbox database to retrieve or submit data to the database.
The Unified Messaging server role, which previously existed as a separate server role, is now also integrated with the Mailbox server role.
Note: The Mailbox server role in Exchange Server 2013 also hosts public folder mailboxes. Unlike in Exchange Server 2010, public folders do not use separate databases or a separate replication mechanism. For more details about public folders in Exchange Server 2013, see Module 3.
The Mailbox server role in Exchange Server 2013 includes the following new features:
In an evolution of the Exchange Server 2010 DAG, the transaction log code has been refactored fo
Servers can be in different locations to support enhanced site resiliency.
Exchange Server 2013 now hosts some Client Access components, including the transport compo
The Exchange store has been rewritten in managed code to improve performance in additional I/O
Each Exchange Server 2013 database now runs under its own process.
How the Mailbox Server Role Interacts with Clients and the Client Access Server
In addition to its communication with AD DS, the Mailbox server role communicates intensively with the Client Access server. This communication always takes the same paths, even when the Client Access server role is installed on the same server as the Mailbox server role.
Because the clients never communicate directly with the Mailbox server, the Client Access server accepts client requests and sends them to the Mailbox server. The Front End Transport service, which runs on the Client Access server, accepts and sends messages from the Internet, and then forwards them to the Hub Transport service running on the Mailbox server.
The Client Access server also returns the data (content of the client mailbox) from the Mailbox server to the clients. In addition, the Client Access server uses NETBIOS file sharing to access the offline address book (OAB) data from the Mailbox server role. This data is then served to the clients through the OAB virtual directory on the Client Access server. The Client Access server also sends messages, free/busy data, and client profile settings between the client server and the Mailbox server.
In previous Exchange Server versions, such as Microsoft Exchange Server 2007 and Exchange Server 2010, internal clients had direct Messaging Application Program Interface (MAPI) communication with the Mailbox server role in some scenarios. For example, when the client was accessing public folders in Exchange Server 2010, it was communicating directly with the Mailbox server role. In Exchange Server 2007, the internal clients were directly communicating with the Mailbox server role, by using MAPI, for all scenarios.
In Exchange Server 2013, clients no longer communicate directly with the Mailbox server role; therefore, both internal and external client communication is proxied through the Client Access server. The Client Access server uses LDAP or the Name Service Provider Interface (NSPI) to contact the Active Directory server and retrieve the user's Active Directory information.
The Mailbox Store in Exchange Server 2013
In Exchange Server 2013, the primary component of the mailbox store is the mailbox database. Unlike in previous Exchange server versions, in which public folder databases were also present, Exchange Server 2013 works only with the mailbox databases.

Mailbox databases contain the data, data definitions, indexes, checksums, flags, and other information that constitute mailboxes in Exchange Server 2013. Mailbox databases hold data that is private to an individual user, and contain mailbox folders generated when a mailbox is created for that user. The mailbox database can be hosted on a single server, or it can be distributed across multiple Mailbox servers if DAGs are deployed.
The mailbox database is stored in a database file, also known as an Exchange database (.edb) file. However, this is not the only file that is related to the mailbox database. Exchange Server 2013 uses a set of data files to host and maintain the mailbox database. These files are:
Mailbox database (.edb file). This is the main repository for mailbox data. This file is directly acces
Transaction log (.log file). Each operation that should be performed on a database, such as sending
(in an .edb file). Until the transaction is committed to the mailbox database, the only existence of this data
of transaction logs.
Checkpoint file (.chk). Checkpoint files store data that indicate when a transaction is successfully committed to the
E will start with the transaction that is present in the log file, but is not yet written to checkpoint file
bytes in size and does not grow.
Temporary file (Tmp.edb). This is a temporary location used for processing transactions. Tmp.edb c
Reserve log files (E##res0001.jrs - E##res000A.log per database, where ## is the log prefix). These files are used to
te new transactions to disk. When Exchange Server 2013 runs out of disk space, it writes the curren
the database. The reserved transaction logs are always 1 MB each.
Although it is important to understand the purpose of each mailbox database file, you will interact directly with these files only rarely. Exchange Server automatically manages these files, so they do not require administrator intervention, except in cases of database backup and restore.
Database Log File Considerations
Each change that is performed on an Exchange Server mailbox database must be logged in a transaction log file prior to modification of the database. After each transaction is logged to the transaction log file, it can be written to the .edb file.

To enhance performance, changes performed on the database are usually available to users right after they are recorded to the transaction log file.
Exchange Server also caches transactions in RAM. This is done for both redundancy and performance reasons. If the database stops, or if the server crashes or experiences any other system outage, Exchange Server scans the log files and reconstructs and applies any changes not yet written to the database file. This process is referred to as replaying log files.
The transaction log is not just one file, but instead is a series of log files. Each transaction log file is exactly 1,024 KB in size. After a transaction log file becomes full, ESE closes it, renames it, and opens a new transaction log file.
The naming syntax for the transaction log file is Enn0000000x.log, where nn refers to a two-digit number known as the base name or log prefix, and x is the sequential number of the log file. It is important to know that log files are numbered in a hexadecimal system, not in a decimal system. For example, the log file that comes after E0000000009.log is not E0000000010.log, but E000000000A.log.
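Because log generations are hexadecimal, a script that sorts or checks log files by name must parse the number rather than compare strings. The following is an added example, not from the course: it decodes the Enn########.log naming scheme, computes the next file name, and reports gaps in a directory listing, which is what a recovery or backup-verification check needs to notice before a replay fails. The function names and the listing are constructed for this example.

```powershell
# Added example: parse Exchange transaction log names (E<nn><8 hex digits>.log) and
# detect missing generations. The file names below are constructed, not real output.
function Get-LogSequence {
    param([Parameter(Mandatory = $true)][string[]]$FileName)
    foreach ($name in $FileName) {
        # Prefix is "E" plus the two-digit base name; the generation is 8 hex digits
        if ($name -match '^(?<prefix>E[0-9A-F]{2})(?<seq>[0-9A-F]{8})\.log$') {
            [pscustomobject]@{
                FileName = $name
                Prefix   = $Matches.prefix
                # Base-16 conversion: '0000000A' becomes 10, so the order is numeric, not lexical
                Sequence = [Convert]::ToInt64($Matches.seq, 16)
            }
        }
    }
}

function Get-NextLogName {
    param([Parameter(Mandatory = $true)][string]$FileName)
    $entry = Get-LogSequence -FileName $FileName
    if (-not $entry) { throw "Not a transaction log file name: $FileName" }
    # X8 formats the incremented generation back as 8 upper-case hex digits
    '{0}{1:X8}.log' -f $entry.Prefix, ($entry.Sequence + 1)
}

function Find-LogGaps {
    param([Parameter(Mandatory = $true)][string[]]$FileName)
    $entries = Get-LogSequence -FileName $FileName | Sort-Object Prefix, Sequence
    # One database per log prefix, so gaps are checked per prefix
    foreach ($group in ($entries | Group-Object Prefix)) {
        $seqs = @($group.Group | Select-Object -ExpandProperty Sequence)
        for ($i = 1; $i -lt $seqs.Count; $i++) {
            $expected = $seqs[$i - 1] + 1
            if ($seqs[$i] -ne $expected) {
                [pscustomobject]@{
                    Prefix      = $group.Name
                    FirstMissing = '{0}{1:X8}.log' -f $group.Name, $expected
                    LastMissing  = '{0}{1:X8}.log' -f $group.Name, ($seqs[$i] - 1)
                }
            }
        }
    }
}

# Constructed listing for log prefix E00; generation 0000000B is absent from it.
# Non-log files (checkpoint, reserve logs) are ignored by the pattern.
$listing = 'E0000000008.log', 'E0000000009.log', 'E000000000A.log',
           'E000000000C.log', 'E000000000D.log', 'E00.chk', 'E00res00001.jrs'

Get-NextLogName -FileName 'E0000000009.log'
Find-LogGaps -FileName $listing

# Against a real log folder (path is a placeholder):
# Find-LogGaps -FileName (Get-ChildItem 'D:\Logs\MailboxDatabase' -Filter 'E*.log').Name
```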
Transaction log files are not deleted automatically. Usually, when a database is backed up, the backup software deletes the transaction log files. Because a mailbox database cannot be backed up in the way other files can, it is very important to have Exchange-aware backup software that will properly handle transaction log files when performing backup and restore operations. If the transaction log files are not deleted regularly, they can fill up the disk space, which can cause Exchange services to stop working. We do not recommend manually deleting transaction log files, because that approach can interfere with your regular backup procedure.
You can configure Exchange Server to perform circular logging. When the circular logging option is enabled, transaction log files will be overwritten after the transactions from the log file are committed to the mailbox database. However, this approach is not recommended in a production environment, because it affects the ability to back up and restore the mailbox database. For example, if you have circular logging enabled, you can recover data only up to the time when you performed the last full backup of your database. If you do not use circular logging, then you are able to use incremental backups, and you also have the ability to restore the database from the incremental backup. By default, circular logging is disabled.
To properly maintain transaction logs as well as the mailbox database, we recommend that you follow these guidelines:
Regularly perform Exchange Server backups with Exchange-aware backup software.
Move transaction logs to a dedicated drive that supports heavy write load.
Place transaction log files on a redundant disk array, using redundant array of independent disks (RAID) technology. We recommend that you use a RAID 1 volume. However, if you protect your m
Ensure that the volume that hosts the transaction log files has enough free disk space to store all file
Do not use compression on drives that store transaction log files.
Do not use circular logging, except in a test environment.
How Are Mailbox Databases Updated?
Although database modification is an automated process, it is not directly visible to the administrator or the end user. It is important that you understand how the database is being modified during normal operations.
The following process takes place when a Mailbox server receives a message:
1. The Mailbox server receives the message. This occurs when the Hub Transport service on the Mai
x Transport service.
2. Before the message is written to the databases, the Mailbox server writes the message to the curren
3. The Mailbox server writes the transaction from the memory cache to the appropriate database.
4. The Mailbox server updates the checkpoint file to indicate that the transaction was committed succ
5. Client servers can access and read the message in the database.
Storage Options for the Exchange Server 2013 Mailbox Server Role
Exchange Server 2013 supports various hardware technologies for disk storage, including Serial Advanced Technology Attachment (SATA), Solid-state drive (SSD), and Serial Attached small computer system interface (SCSI), known as SAS (Serial Attached SCSI), or iSCSI drives. When selecting which storage solution to use, the goal is to ensure that the storage will provide the performance that your environment requires. In Exchange Server 2013, disk I/O is further reduced compared to previous versions of Exchange Server.
This enables you to use less expensive, slower disks and storage systems without any significant decrease in performance. When choosing a storage technology for Exchange Server, the most common choices are DAS, SAN, or RAID.
DAS
Direct attached storage (DAS) is any disk system that is physically connected to your server. This includes hard disks inside the server or those that are connected by using an external enclosure. Some external enclosures include hardware-based RAID. For example, external disk enclosures can combine multiple disks in a RAID 5 set that appears to the server as a single large disk.
In general, DAS provides good performance, but it provides limited scalability because of the unit's physical size. You must manage direct attached storage on a server-by-server basis. Exchange Server 2013 performs well with the scalability and performance characteristics of DAS.
DAS provides the following benefits:
Lower-cost Exchange Server solution. Direct attached storage usually provides a substantially lowe
Easy implementation. Direct attached storage typically is easy to manage, and requires very little tra
Distributed failure points. Each Exchange server has separate disk systems, so the failure of a singl
SAN
A storage area network (SAN) is a network dedicated to providing servers with access to storage devices. A SAN provides advanced storage and management capabilities, such as data snapshots and high performance. SANs use either Fibre Channel switching or Internet SCSI (iSCSI) to provide fast and reliable connectivity between storage and applications. Fibre Channel switching or iSCSI allows many servers to connect to a single SAN.
Fibre Channel is a standard SAN architecture that runs on fiber optic cabling. Most SANs use it because Fibre Channel was designed specifically for storage traffic, and it is generally the fastest SAN architecture available.
SANs are complex and require specialized knowledge to design, operate, and maintain. Most SANs also are more expensive than DAS options.
SANs provide the following benefits:
A large RAM cache that keeps disk access from becoming a bottleneck. The reduced I/O requireme
sized deployments. However, you should test all hardware configurations thoroughly before deploy
Highly scalable storage solutions. Messaging systems are growing continually and require larger sto
o your Exchange server.
Multiple servers attached to a single SAN. If you use a SAN, you can connect multiple computers t
Enhanced backup, recovery, and availability. SANs use volume-mirroring and snapshot backups. B
For cost-conscious SAN implementations, iSCSI may be a viable option. An iSCSI network encapsulates SCSI commands in TCP/IP packets over standard Ethernet cabling and switches. You should implement this technology only on a dedicated storage network that runs at 1 gigabit per second (Gbps) or faster. A dedicated network also keeps the unencrypted storage traffic away from client-facing network segments.
RAID
To provide redundancy within the storage attached to a single server, whether DAS or SAN, you use RAID technology. RAID can be used to provide better disk performance, fault tolerance, or both. The most common RAID options are:
RAID 0 (striping). Increases read and write performance by spreading data across multiple disks. H
RAID 1 (mirroring). Increases fault tolerance by placing redundant copies of data on two disks. Rea
RAID 5
(striping with parity). Increases fault tolerance by spreading data and parity information across thre
disks are used to store parity information.
RAID 0+1 (mirrored striped sets). Increases fault tolerance by mirroring two RAID 0 sets. This pro
RAID 6
(striping with double parity). Increases fault tolerance by spreading data and parity information acro
pically is slower than RAID 0, and RAID 6 does not have a read penalty. The main benefit of RAID
RAID 1+0 or RAID 10 (mirrored sets in a striped set). Provides fault tolerance and improved perfo
disk situation, RAID 1+0 performs better and is more fault tolerant than RAID 0+1.
Just a bunch of disks
(JBOD). JBOD is a collection of disks that have no redundancy or fault tolerance. JBOD solutions a
s with DAGs.
Importing and Exporting Data from a Mailbox Database
In some scenarios, you might want to export data from a user's mailbox database or import data into it. For example, for compliance or legal reasons, you may be required to export the mailbox content of a specific user to a personal storage (.pst) file. For other purposes, you might want to take a snapshot of a specific mailbox.
In yet another scenario, you might want to import data from a .pst file created by a legacy application into a user's mailbox on the Exchange server. For example, if a user was using the Windows Mail application, all of the user's data was stored in a .pst file. It is common to import data from the user's .pst file into the user's new mailbox on the Exchange server, or into the user's archive mailbox.
In Exchange Server 2013, you use the New-MailboxImportRequest and New-MailboxExportRequest cmdlets to import data into or export data from a user's mailbox. Mailbox import and export requests must be executed from the Exchange Management Shell. After you run one of these cmdlets, the request is processed asynchronously by the Microsoft Exchange Mailbox Replication service. This service takes advantage of the queuing and throttling frameworks to limit the impact of import and export operations on Exchange performance.
Note: To use the New-MailboxImportRequest or New-MailboxExportRequest cmdlets, the Mailbox Import Export management role must be assigned to you. By default, this role is assigned to no one, not even to members of the Organization Management role group, because it grants the ability to read and write the full contents of any mailbox in the organization. Assign it deliberately, preferably to a dedicated role group rather than to individual users, and remove the assignment when the task is complete.
Exchange Server 2013 includes a personal folders file (.pst) provider, so it can natively read and write .pst files. The .pst files can reside on the Mailbox server itself or on a file server, but a request always references them by a UNC path to a shared folder. You must grant read/write permissions on that shared folder to the Exchange Trusted Subsystem group, because the Mailbox Replication service accesses the file under the Exchange server's computer account rather than under the account of the administrator who created the request.
Exchange Server 2013 supports only Unicode .pst files, such as those created by Outlook 2007, Outlook 2010, and newer versions. Data from a .pst file can be imported into a user's primary mailbox or into the user's online archive, if one is enabled for the mailbox. In addition, Exchange Server 2013 can import or export multiple .pst files at the same time, which can speed up the process. However, an import or export can still take several hours to complete, depending on the file size and the network bandwidth.
Note: The maximum supported size for a .pst file is 50 gigabytes (GB). If a mailbox that you want to export is larger than 50 GB, create multiple .pst files. You can use filters to export selected folders or a date range instead of the entire mailbox, and you can include or exclude specific folders by using the IncludeFolders or ExcludeFolders parameters.
When you import data from a .pst file, the target mailbox must exist before you start the import. You can import data into a different user account than the one from which it was exported.
Demonstration: Importing Data to a Users Mailbox
Demonstration Steps
1. Log on to Outlook Web App (OWA) as Adatum\Aidan.
2. Ensure that the In-Place Archive mailbox is empty. Sign out of Outlook Web App.
3. Open the Exchange Management Shell on LON-MBX1.
4. Type New-ManagementRoleAssignment -Role "Mailbox Import Export" -User Administrator
5. Restart Exchange Management Shell.
6. Type the following: New-MailboxImportRequest -Mailbox Aidan -IsArchive -FilePath \\LO
7. After the import completes, On LON-CAS1, sign in to Outlook Web App as Adatum\Aidan, an
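The export and import workflow described above and in the demonstration, as a worked example added here (it is not part of the course material). It delegates the Mailbox Import Export role through a dedicated role group rather than to a single user, checks the share permissions before queuing work, exports only a filtered subset of a mailbox, imports a legacy .pst into an In-Place Archive, and revokes the delegation afterwards. The role group name, the share \\LON-FS1\PstExchange, the .pst file names, and the date range are assumptions; LON-MBX1 and the Adatum\Aidan mailbox come from the course lab.

```powershell
# Added example (not from the course). Run in the Exchange Management Shell on a
# Mailbox server (for example LON-MBX1) as an Organization Management member.
# Hypothetical values: the role group name, the share \\LON-FS1\PstExchange
# (assumed to grant Modify to "Exchange Trusted Subsystem"), and the file names.

# 1. Delegate through a role group so the permission is auditable and revocable
#    as a unit. Members of this group can read and write *any* mailbox content.
$groupName = "PST Import Export Operators"          # hypothetical
if (-not (Get-RoleGroup -Identity $groupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $groupName -Roles "Mailbox Import Export" `
        -Members "Adatum\Administrator" `
        -Description "Temporary delegation for PST import/export tasks" | Out-Null
}
# A new role assignment is visible only in a *new* shell session, which is why
# the demonstration restarts the Exchange Management Shell after step 4.

# 2. The Mailbox Replication service opens the .pst as the Exchange server's
#    computer account, so the share's NTFS ACL must grant Modify (or Full
#    Control) to Exchange Trusted Subsystem. Fail early if it does not.
$share = "\\LON-FS1\PstExchange"                      # hypothetical UNC path
$ets = (Get-Acl -Path $share).Access | Where-Object {
    $_.IdentityReference -like "*Exchange Trusted Subsystem" -and
    $_.FileSystemRights.ToString() -match "Modify|FullControl"
}
if (-not $ets) { throw "Grant Modify to 'Exchange Trusted Subsystem' on $share (share permissions must allow Change as well)" }

# 3. Export only what the request requires: two folders and one calendar year.
$stamp      = Get-Date -Format "yyyyMMdd"
$reqName    = "Aidan-Inbox-$stamp"
$exportFile = Join-Path $share "$reqName.pst"
New-MailboxExportRequest -Mailbox "Aidan" -Name $reqName -FilePath $exportFile `
    -IncludeFolders "#Inbox#/*", "#SentItems#" `
    -ContentFilter "(Received -ge '01/01/2013') -and (Received -lt '01/01/2014')" `
    -BadItemLimit 10 | Out-Null

# 4. Requests run asynchronously; poll until the queue releases this one and
#    then inspect the outcome (an access-denied share shows up here as a failure).
do {
    Start-Sleep -Seconds 30
    $req = Get-MailboxExportRequest -Name $reqName -Mailbox "Aidan"
} while ($req.Status -in "Queued", "InProgress")
Get-MailboxExportRequestStatistics -Identity $req.Identity -IncludeReport |
    Select-Object Status, PercentComplete, BadItemsEncountered, FailureType

# 5. Import a legacy .pst into the user's In-Place Archive (the demonstration's
#    scenario). The mailbox and its archive must exist before the import starts.
if (-not (Get-Mailbox -Identity "Aidan").ArchiveDatabase) {
    Enable-Mailbox -Identity "Aidan" -Archive | Out-Null
}
$legacyPst = Join-Path $share "AidanLegacy.pst"     # hypothetical file name
New-MailboxImportRequest -Mailbox "Aidan" -IsArchive -FilePath $legacyPst `
    -Name "AidanLegacy-$stamp" | Out-Null

# 6. Completed requests persist in Active Directory until removed, including
#    the file paths they reference; clean them up rather than letting them pile up.
Get-MailboxExportRequest -Status Completed | Remove-MailboxExportRequest -Confirm:$false
Get-MailboxImportRequest -Status Completed | Remove-MailboxImportRequest -Confirm:$false

# 7. Revoke the delegation once the work is done.
Remove-RoleGroup -Identity $groupName -Confirm:$false
```

The -ContentFilter dates are parsed using the shell's culture, so adjust the format if the server is not configured for en-US. Step 6 and step 7 are what distinguish a controlled, one-off export from a standing capability to read every mailbox in the organization.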
Lesson 2: Planning the Mailbox Server Deployment
Planning for the Mailbox server role deployment is a key part of the Exchange Server infrastructure planning. Before you deploy an Exchange Server 2013 Mailbox server, you should plan for hardware and storage to accommodate the needs of your environment. You also should plan and design the mailbox database layout and high-availability options. Some special considerations apply if you decide to virtualize your Mailbox servers. In this lesson, we will discuss Mailbox server deployment.
Lesson Objectives
After completing this lesson, you will be able to:
Plan hardware and storage for the mailbox servers.
Design mailbox databases.
Plan high availability for the mailbox servers.
Describe considerations for virtualizing mailbox servers.
Describe considerations for planning mailbox databases.
Describe the Exchange Mailbox Server Role Requirements Calculator.
Use the Exchange Mailbox Server Role Requirements Calculator.
Verify Mailbox server role performance.
Planning Hardware for the Mailbox Server Role
Unlike the Client Access server, which does not have a large hardware footprint, the Mailbox server can have fairly high hardware requirements in scenarios in which it hosts large numbers of mailboxes. On the other hand, you might not need very powerful hardware if you are implementing Exchange Server in a small or medium-sized company. In either case, it is very important to properly plan the hardware requirements for the Exchange Mailbox server role.
CPU Requirements
Exchange Server 2013 requires a 64-bit processor and a 64-bit operating system. Exchange Server 2013 supports two processor architectures: AMD64 and Intel Extended Memory 64 Technology (Intel 64). It does not support Itanium processors.
Exchange Server 2013 can take advantage of multicore processors, which can process multiple tasks at the same time. A typical server processor has four or more cores.
The number of processor cores required for a Mailbox server varies, depending on the number of mailboxes and how intensely the mailboxes are used. For average usage, a single processor core can support approximately 1,000 active mailboxes, where average usage is defined as a user who sends 10 messages a day and receives 40 messages a day. If the processor supports hyper-threading, we recommend that you disable it on Exchange Server 2013 Mailbox servers: hyper-threading inflates the logical processor count used in capacity planning while offering little real performance improvement.
Memory Requirements
The memory requirements for Exchange Server 2013 vary, depending on the number of mailboxes and how intensely the mailboxes are used. The minimum recommended RAM for a Mailbox server is 8 GB. A server that combines the Mailbox and Client Access roles should also have a minimum of 8 GB of RAM.
When calculating the memory required for your Mailbox server, take the minimum memory required, and then add memory for each user based on their messaging volume. For each 50 messages per day sent or received, allocate 3 megabytes (MB) per user. For example, if the average user in your organization sends and receives 100 messages per day, allocate 6 MB per user in addition to the minimum RAM for your Mailbox server configuration.
Planning Storage for the Mailbox Server Role
For many users, access to email is critical to performing their jobs, because email is used both for communication internally with colleagues and externally with partners and customers. The amount of data that is kept in mailboxes continues to grow, and all of this data must be searchable.
New generations of hard disks are getting larger, but spin rates and seek times are not improving. Sequential read rates are increasing as a result of greater data density, but random access read rates are staying the same. Exchange Server 2013 takes advantage of the increasing disk size, so that you can offer larger mailboxes to users without increasing cost or decreasing performance.
With the I/O improvements in Exchange Server 2013, you can use larger and less expensive disks in many scenarios. Disk I/O relates to the number of mailboxes that are stored on a disk, rather than to the volume of mailbox data stored on the disk. Large mailboxes reduce the disk I/O requirements for a Mailbox server because, for a disk of a given size, they reduce the number of mailboxes stored on that disk. Fewer mailboxes on a disk results in lower disk I/O.
As a result of lower disk I/O, you can consider using large 7,200 RPM disks rather than smaller, faster 15,000 RPM disks. A typical 7,200 RPM disk stores between 1 and 3 terabytes (TB), whereas a typical 15,000 RPM disk stores less than 1 TB. The 7,200 RPM disks are significantly less expensive per GB.
In Exchange Server 2013, you can store personal archives and primary mailboxes in separate databases. This is beneficial if you want to have different backup strategies for personal archives and primary mailboxes. However, it can result in unbalanced disk I/O: the disks that store databases with primary mailboxes will experience relatively high I/O, while the disks that store databases with personal archives will have relatively low disk I/O. Keeping the primary mailboxes smaller also allows you to place a higher number of mailboxes on the same set of disks, which in turn increases disk I/O. Keeping a personal archive in the same database as the primary mailbox results in more uniform disk I/O, because every mailbox is then a large mailbox.
Because of the storage improvements that were introduced in Exchange Server 2010 and carried forward in Exchange Server 2013, you can consider using less expensive and slower types of disk storage, which you might not have been able to consider for previous versions of Exchange Server. However, you still need to test the storage configuration that you select to ensure it meets your needs. Consider the following:
Replicated database copies increase the amount of storage space required. If your organization uses
Slower disks cost much less per GB than faster disks. The reduced disk I/O requirements of Exchan
RPM disks of equal size with the SATA or SAS interface. SAS disks cost slightly more than SATA
Direct attached storage (DAS) is less expensive than a storage area network
(SAN). As a result, DAS is preferable if you use DAGs to create multiple replicated copies of data.
you have a SAN with available space, then youmight prefer to use the SAN for the higher reliability
You can consider JBOD if you have three or more replicas of a database in a DAG. JBOD provides
Some organizations have a significant investment in SANs for all server storage. If you use a SAN,
used, we recommend having two database copies.
An Internet small computer system interface
(iSCSI) SAN typically has lower performance than a Fibre Channel SAN, but it also is much less ex
Use RAID to increase the redundancy of the disk system if there are less than three database copies
performing RAID option, because it has the speed of a striped set and the redundancy of mirroring.
torage configuration of Mailbox servers. This spreadsheet contains many calculationsto help you ac
oft website.
Additional Reading: More information about Storage Configuration Options for Exchange Server 2013 can be found at: http://go.microsoft.com/fwlink/?LinkId=290958.
Database Design for Mailbox Databases
To design Mailbox services, you must identify the information required for both mailboxes and public folders. Typically, the information you gather helps you to determine the size of the databases that need to be accommodated, and the processing load that those databases will place on the Mailbox servers.
To design mailbox databases, you must consider the following factors related to mailboxes:
Number of users. A larger number of users typically increases disk utilization.
Frequency of usage. Higher frequency usage typically increases disk utilization.
Size of mailboxes. Larger mailboxes combined with a higher number of users increases overall da
Service level agreements (SLAs). To meet the recovery requirements, you may need to keep datab
In previous versions of Exchange Server, such as Exchange Server 2007, we recommended that log files and databases be kept on separate disks. This meant that if the database disk failed and the database was lost, you still had the log files available after a restore, and you could replay them to recover messages received since the last backup. In Exchange Server 2013, the same recommendation still applies in small environments that do not use DAGs. However, if there are multiple replicated copies of a database, you do not need to keep the transaction logs and databases separate, because a different replica is used for recovery instead of recovering from a backup.
In Exchange Server 2013, one best practice is to locate multiple databases on a single logical unit number (LUN), because the disk I/O is random. You can separate transaction logs onto different physical disks to increase performance, but this is typically not necessary. In most cases, because Exchange Server 2013 has lower I/O requirements, you can keep transaction log files and database files on the same volume without affecting performance.
You can still separate log files from database files for recoverability when you rely on backups. By storing database files and log files on separate volumes or disks, you can replay transaction logs after a database restore when the database was lost due to a failed volume or disk.
Disk-Space Considerations
When you calculate the disk-space requirements for a database on a Mailbox server, you need to consider more than just the mailbox databases. In most cases, you will want to enable indexing on databases to speed up searches. The content index is placed in the same location as the database and consumes additional space: this course estimates approximately 5% of the mailbox database size, while Microsoft's Exchange Server 2013 sizing guidance budgets roughly 20%, so plan for the larger figure and measure in your own environment.
Single-item recovery retains deleted messages in a database for a specified period of time. When you enable single-item recovery, the database size increases.
You also should include personal archives when planning mailbox databases. A personal archive is typically used for longer-term retention of mailbox content. If you enable personal archives, the database size may increase.
You can use a recovery database in a variety of recovery scenarios to extract mailbox data. To use a recovery database, you must have sufficient disk space available to restore the database and its transaction logs.
Planning Mailbox Servers for High Availability
Using a DAG is required to implement high availability of mailbox databases. A DAG allows you to replicate mailbox databases to multiple servers. If the server that is servicing the clients fails, a replica on another server in the DAG begins to service the client requests.
Considerations for implementing DAGs include:
Mailbox database names must be unique in the Exchange Server 2013 organization. This may requi
The storage path must be identical for all copies of a database. This means that all members of a DA
DAG implementation uses the Windows Server operating system failover clustering feature. This is
08 Datacenter operating system editions to support failover clustering. However, DAGs are support
DAGs can be managed from within Exchange Server 2013 management tools. This simplifies the p
In Exchange Server 2013, DAGs can also be used to make public folders available. Because public
A server that is a member of a DAG can have additional server roles installed. For example, a serve
Virtualizing Mailbox Server Considerations
All Exchange Server 2013 server roles can be virtualized. A virtualized implementation of Exchange Server 2013 is supported when running on one of the following virtualization platforms:
Windows Server 2008 R2 with Hyper-V technology
Microsoft Hyper-V Server 2008 R2
Windows Server 2012 with Hyper-V technology
Microsoft Hyper-V Server 2012
Any third-party hypervisor that has been validated under the Windows Server Virtualization Validation Program (SVVP)
When implementing Exchange Server 2013 on a virtual machine, you should consider the following:
When Exchange Server 2013 is running on a virtual machine, it has the same hardware performanc
uires 16 GB of memory, then a virtualized version of that server also requires 16 GB of memory.
You should not install any additional software on the physical root partition of the server that hosts
Do not use dynamic memory. Exchange Server 2013 uses caching in memory to improve performa
Do not allocate virtual processors to virtual machines at a ratio higher than two virtual processors p
Some considerations for storage are as follows:
Dynamically expanding virtual disks are not supported. This is because of performance concerns as
Differencing or delta mechanisms such as snapshots are not supported. This is because the snapshot
An Exchange Server virtual machine must use a virtual hard disk that has a size at least 15 GB plus
st machine is allocated 8 GB of memory, the minimum disk space needed for the guest operating sy
Test virtual disk performance to be sure that it meets your needs. Virtual disk performance is typica
Pass-through storage and iSCSI storage are both supported. However, iSCSI storage has reduced pe
V on Windows Server 2008 R2, but they must be enabled in the parent partition and the virtual mac
You can use the virtual machine high availability that is provided by your virtualization environment with Exchange Server 2013. This is supported even for servers that are part of a DAG. Some considerations for virtual machine high availability are:
The virtual machines must not save and then restore state when migrated between hosts. All migra
V live migration technology inWindows Server 2008 R2 and Windows Server 2012. Alternatively
Online migration methods must be supported by the hypervisor vendor.
If a virtual machine or host fails, the virtual machine must be restarted on an alternate host with a
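The virtualization rules above (no dynamic memory, no snapshots, fixed-size or pass-through disks, an operating system disk of at least 15 GB plus the virtual machine's memory, and no more than two virtual processors per physical core) are easy to violate silently after a deployment, so the following is a worked audit added here (not part of the course material). It runs on the Hyper-V host with the Hyper-V PowerShell module (Windows Server 2012 or later) and reports every deviation it finds. The virtual machine names are assumptions taken from the course lab; the check also assumes hyper-threading is disabled on the host, as the course recommends, so that the logical processor count equals the physical core count.

```powershell
# Added example (not from the course): audit Hyper-V virtual machines against the
# Exchange Server 2013 virtualization rules. Run elevated on the Hyper-V host.
# VM names are hypothetical. Assumes hyper-threading is off on the host.

function Test-ExchangeVmConfig {
    param([string[]]$VMName)

    $vmHost   = Get-VMHost
    $findings = New-Object System.Collections.Generic.List[string]

    # Rule: no more than two virtual processors per physical core, host-wide.
    # With hyper-threading disabled, LogicalProcessorCount equals physical cores.
    $totalVcpu = 0
    foreach ($vm in Get-VM) { $totalVcpu += (Get-VMProcessor -VM $vm).Count }
    $ratio = [math]::Round($totalVcpu / $vmHost.LogicalProcessorCount, 2)
    if ($ratio -gt 2) {
        $findings.Add("HOST: $totalVcpu vCPUs on $($vmHost.LogicalProcessorCount) cores (ratio ${ratio}:1, limit 2:1)")
    }

    foreach ($vm in Get-VM -Name $VMName) {
        $mem = Get-VMMemory -VM $vm

        # Rule: no dynamic memory. Exchange sizes its database cache from the
        # memory it sees at startup and does not give it back under pressure.
        if ($mem.DynamicMemoryEnabled) {
            $findings.Add("$($vm.Name): dynamic memory is enabled; use a static allocation")
        }

        # Rule: no snapshots. A snapshot turns the VM's disks into differencing
        # disks, which are unsupported for Exchange databases and logs.
        if (@(Get-VMSnapshot -VM $vm).Count -gt 0) {
            $findings.Add("$($vm.Name): has snapshots; delete them and do not take new ones")
        }

        foreach ($disk in Get-VMHardDiskDrive -VM $vm) {
            # A pass-through disk has no VHD path; it is supported, so skip it.
            if (-not $disk.Path) { continue }
            $vhd = Get-VHD -Path $disk.Path

            # Rule: fixed-size virtual disks only (no dynamically expanding VHDs).
            if ($vhd.VhdType -ne "Fixed") {
                $findings.Add("$($vm.Name): $($disk.Path) is $($vhd.VhdType); convert it to a fixed-size disk")
            }

            # Rule: the OS disk (IDE 0:0 on a generation 1 VM) must be at least
            # 15 GB plus the VM's memory, to hold the page file and a memory dump.
            $isOsDisk = $disk.ControllerType -eq "IDE" -and
                        $disk.ControllerNumber -eq 0 -and $disk.ControllerLocation -eq 0
            $minOsDisk = 15GB + $mem.Startup
            if ($isOsDisk -and $vhd.Size -lt $minOsDisk) {
                $findings.Add("$($vm.Name): OS disk is $([math]::Round($vhd.Size / 1GB)) GB; minimum is $([math]::Round($minOsDisk / 1GB)) GB (15 GB + memory)")
            }
        }
    }
    return $findings
}

# Usage with hypothetical VM names from the course lab.
$results = Test-ExchangeVmConfig -VMName "LON-MBX1", "LON-MBX2"
if ($results.Count -eq 0) { "All Exchange virtualization checks passed" } else { $results }
```

Run the audit again after any host maintenance: a single "checkpoint before patching" that is never deleted is enough to put a DAG member on unsupported differencing disks.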
Considerations for Planning Mailbox Databases
When planning a mailbox database deployment, the first critical decision is whether the organization will deploy DAGs or implement standalone servers without any high-availability solution. This decision has a significant impact on how the database and storage solution will be implemented.
Considerations for Planning Mailbox Database Deployments Without DAGs
When organizations choose not to implement DAGs, the planning process for mailbox database deployment is similar to the planning process for non-highly-available deployments in previous Exchange Server versions. With this deployment, organizations need to be aware that in case of any type of failure, their messaging solution will face downtime, and that they will have to restore their data and services using carefully planned backup procedures and strategies.
If your company chooses not to implement DAGs, then the following recommendations apply:
Backup policies. Because you only have one copy of the database, backup and restore becomes you
Mailbox database size. The maximum database size should be determined by the capacity of the ba
Database and transaction log locations. With a single copy of the databases, it is important that the d
Storage solution. With a single copy of the database, providing redundancy at the storage level is ve
e fault tolerance for transaction logs and databases, and RAID 10 for transaction logs if there is high
Considerations for Planning Mailbox Database Deployments with DAGs
When organizations choose to implement DAGs, the planning process for the mailbox database deployment changes. When databases are stored on multiple servers, users may not even be aware of a server or database failure, because the databases can be automatically mounted on another server. These companies might choose not to perform backups and instead use Exchange Native Data Protection to protect their data. If your company chooses to deploy DAGs, then the following recommendations apply:
Backup policy. With DAGs, high availability is provided by having multiple database copies, so ba
es completely.
Mailbox database size. Because of the decreased importance of backup and recovery, the primary c
ments Calculator recommends up to 2 terabytes (TB) for databases when DAGs are used.
Database and transaction log locations. With multiple database copies, separating the databases and
organization, you should enable circular logging to prevent transaction logs from filling up the disk
Storage solution. With multiple database copies that provide redundancy, it is less important to con
ll more likely use JBOD.
Common Considerations for Planning Mailbox Database Deployments
When designing mailbox database deployments, there are factors that apply regardless of whether or not you deploy DAGs. These factors include:
Considerations for number of databases deployed. Consider deploying multiple databases, rather th
Having multiple databases gives more flexibility to Exchange Server administrators, as they can co
Considerations for naming databases. Beginning with Exchange Server 2010, databases are no long
the organization, including databases on the legacy servers. Therefore, as a best practice, you shoul
o Server name
o Active Directory site name (for the site resilience case)
o Physical data center name (for the site resilience case)
o Exchange organization name
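The database placement and naming guidance above (logs separated from the database on a standalone server, identical paths and optional circular logging when the database is protected by a DAG, and organization-wide unique names that encode the organization, site and server) is brought together in the following worked example, added here and not part of the course material. The organization tag ADT, the site name London, the servers LON-MBX1 and LON-MBX2, the DAG membership of those servers, and the E:\ and F:\ volumes are assumptions.

```powershell
# Added example (not from the course). Run in the Exchange Management Shell.
# Hypothetical: organization tag "ADT", site "London", servers LON-MBX1 and
# LON-MBX2 (members of an existing DAG), database volume E:\, log volume F:\.

function New-ExchangeDbName {
    # Database names must be unique across the whole organization, including
    # legacy servers. Standalone databases encode the server; DAG databases are
    # not tied to one server, so they encode organization, site and a sequence.
    param([string]$Org, [string]$Site, [string]$Server, [int]$Index)
    if ($Server) { return "{0}-{1}-{2}-DB{3:D2}" -f $Org, $Site, $Server, $Index }
    return "{0}-{1}-DB{2:D2}" -f $Org, $Site, $Index
}

function Assert-UniqueDbName {
    param([string]$Name)
    if (Get-MailboxDatabase -Identity $Name -ErrorAction SilentlyContinue) {
        throw "Database name '$Name' already exists in the organization"
    }
}

# Case 1: standalone server (no DAG). Logs go to a different volume so they can
# be replayed after a database restore, and circular logging stays off so the
# logs survive until the backup truncates them.
$name = New-ExchangeDbName -Org "ADT" -Site "London" -Server "LON-MBX1" -Index 1
Assert-UniqueDbName -Name $name
New-MailboxDatabase -Name $name -Server "LON-MBX1" `
    -EdbFilePath "E:\ExchangeDatabases\$name\$name.edb" `
    -LogFolderPath "F:\ExchangeLogs\$name" | Out-Null
Set-MailboxDatabase -Identity $name -CircularLoggingEnabled $false
Mount-Database -Identity $name

# Case 2: DAG-protected database. The path must be identical on every server
# that holds a copy, so the same folder layout is used for database and logs.
# Circular logging is enabled only after the second copy exists, so that it runs
# as continuous replication circular logging and a lost copy is reseeded from a
# replica rather than recovered from backup.
$name = New-ExchangeDbName -Org "ADT" -Site "London" -Index 2
Assert-UniqueDbName -Name $name
New-MailboxDatabase -Name $name -Server "LON-MBX1" `
    -EdbFilePath "E:\ExchangeDatabases\$name\$name.edb" `
    -LogFolderPath "E:\ExchangeDatabases\$name" | Out-Null
Mount-Database -Identity $name
Add-MailboxDatabaseCopy -Identity $name -MailboxServer "LON-MBX2" -ActivationPreference 2
Set-MailboxDatabase -Identity $name -CircularLoggingEnabled $true

# Verify the layout: where each database and its logs live, whether circular
# logging is on, and that every database is mounted.
Get-MailboxDatabase -Status |
    Select-Object Name, Server, EdbFilePath, LogFolderPath, CircularLoggingEnabled, Mounted |
    Format-Table -AutoSize
```

The two cases differ in exactly the points the text calls out: log isolation and backup-truncated logs for a single copy, shared volume and circular logging once replicas provide the redundancy.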
What Is the Exchange Mailbox Server Role Requirements Calculator?
To enable administrators and systems designers to perform Exchange Server Mailbox role planning as accurately as possible, Microsoft provides a tool that helps you estimate the requirements for your Mailbox server based on your current environmental properties. This tool is the Exchange Mailbox Server Role Requirements Calculator. It is a macro-enabled Excel spreadsheet that collects user inputs and, based on those inputs, calculates various requirements for the Exchange Server Mailbox server role implementation.
Note: The Exchange Mailbox Server Role Requirements Calculator is a free download, and is available here: http://go.microsoft.com/fwlink/?LinkId=290959. At the time this course was written, only the version for Exchange Server 2010 was available; its approach also applies to Exchange Server 2013, but use the Exchange Server 2013 version of the calculator once it is available.
To open and use the tool, you must have Microsoft Excel 2007, Microsoft Excel 2010, or Microsoft Excel 2013 installed. Because the calculator is a macro-enabled workbook (.xlsm), obtain it only from the Microsoft download site and enable its macros only for a copy whose origin you trust; a macro-enabled workbook from an unverified source can run arbitrary code on the workstation that opens it. The calculator is divided into the following sections (worksheets):
Input
Role Requirements
Activation Scenarios
Distribution
LUN Requirements
Backup Requirements
Log Replication Requirements
Storage Design
We recommend that you fill in your data only in the first (Input) worksheet. Based on that input, the tool calculates the requirements for the Mailbox server role and presents them on the other sheets. On the Input sheet, you provide data in the following categories:
User profile: the message profile, the mailbox size, and the number of users.
High-availability architecture: the number of database copies you plan to deploy, whether the soluti
Server's CPU platform.
Storage architecture: the disk capacity/type and storage solution.
Backup architecture: choose whether to use the hardware or software Volume Shadow Copy Servic
Network architecture: the utilization, throughput, and latency aspects.
Note: The tool comes with some pre-populated data in the Input sheet. This data is a sample configuration, and any data points entered in
Demonstration: Using the Exchange Mailbox Server Role Requirements Calculator
This demonstration uses a modified version of the Exchange Server 2010 Exchange Mailbox Server Role Requirements Calculator.
Note: Ensure that you download and use the Exchange Server 2013 version when calculating hardware requirements for Exchange Server 2013 servers.
Demonstration Steps
1. On LON-CL1, open File Explorer, navigate to C:\Files, and then double-click E2013Calc.xlsm
2. In the E2013Calc, on the Input sheet, enter the following values for each section:
Exchange Environment Configuration
o Server Multi-Role Configuration (MBX+CAS): Yes
o Server Role Virtualization: Yes
o High Availability Deployment: Yes
o Number of Mailbox Servers Hosting Active Mailboxes / DAG: 4
o Number of Database Availability Groups: 2
Mailbox Database Copy Configuration
o Total Number of HA Database Copy Instances (Includes Active Copy) within DAG: 3
o Total number of Lagged Database Copy Instances within DAG: 1
Exchange Data Configuration
o Mailbox Moves/Week Percentage: 1%
o LUN Free Space Percentage: 15%
Tier-1 User Mailbox Configuration
o Total Number of Tier-1 User Mailboxes/Environment: 500
o Projected Mailbox Number Growth Percentage: 5%
o Total Send/Receive Capability/ Mailbox/Day: 50 messages
o Average Message Size (KB): 50
o Mailbox Size Limit (MB): 1024
o Personal Archive Mailbox Size Limit (MB): 2048
o Deleted Item Recovery Window (Days): 20
o Single Item Recovery: Enabled
o Calendar Version Storage: Enabled
Backup Configuration
o Backup Methodology: Software VSS Backup/Restore
o Backup Frequency: Weekly Full / Daily incremental
o Database and Log Isolation Configured: Yes
o Backup/Truncation Failure Tolerance: 3
o Network Failure Tolerance (Days): 0
Primary Datacenter Disk Configuration
o Database: 1000 GB, 7.2K RPM SAS 3.5
o Log: 500 GB, 7.2K RPM SAS 3.5
o Restore LUN: 1500 GB, 7.2K RPM SAS 3.5
3. In the E2013Calc, click the Role Requirements tab.
4. Review the calculated requirements provided on this sheet.
5. Click the Distribution Sheet.
6. Click the Fail Server button for each server. Observe where the databases will be distributed.
7. Click Export DAG Scripts button.
8. In the Storage Calculator Export Scripts window, click OK twice.
9. Click the LUN Requirements sheet. Review the calculated requirements provided on this shee
10. Click the Backup Requirements sheet. Review the calculated requirements provided on this sh
11. Click the Replication Requirements sheet. Review the calculated requirements provided on th
12. Click the Storage Design sheet. Review the calculated requirements provided in this sheet.
Verifying Mailbox Server Role Performance
To design a test plan for Mailbox server performance, you need to accurately understand how the server will be used. This includes factors such as the number of mailboxes, the number of messages users will send, and the type of clients that will be accessing the mailboxes. If you do not accurately understand the load that will be placed on the server, you cannot ensure that server performance will meet your needs.
When you create your test environment, you should ensure that it replicates the conditions in your production environment as closely as possible. This means that you should be using identical hardware, software, and drivers on the test system and the production system.
It is impossible to completely replicate the users of a production environment when testing server performance. However, Microsoft provides two tools that you can use to generate simulated loads on the server:
Exchange Load Generator (LoadGen). You can use this tool to create a simulated load of MAPI,
(IMAP), POP3, and Simple Mail Transfer Protocol (SMTP) clients on your Exchange servers. You
Jetstress. You can use this tool to verify disk performance by simulating the Exchange Server data
Lesson 3: Configuring the Mailbox Servers
One of the most important tasks that you will perform after your initial Exchange Server 2013 deployment is configuring the Mailbox servers. You should secure the Mailbox server as much as possible, plan and configure the appropriate storage, and then create and configure the mailbox databases. In this lesson, we will discuss configuration of the Mailbox servers.
Lesson Objectives
After completing this lesson, you will be able to:
Describe initial configuration tasks for the Mailbox servers.
Configure iSCSI storage.
Create and manage the mailbox databases.
Initial Mailbox Server Configuration Tasks
There are several tasks that you should complete after you install Exchange Server 2013, and before putting it into production.
Complete the following steps after deploying the Mailbox server role:
Secure the server. Before deploying mailboxes on the Mailbox server role, you should secure the se
in role groups or create custom role groups to delegate permissions. This reduces the Exchange Ser
Create and configure databases. Exchange Server 2013 uses mailbox databases to store messages a
Configure high availability. Exchange Server 2013 uses DAGs to provide high availability for mail
Configure public folders. If you are migrating from a previous Exchange Server version, you should
Configure recipients, including resource mailboxes. The Mailbox server role manages all user mail
Configure the offline address book. Outlook 2007 (and newer) clients support retrieving offline add
Implement an antivirus solution. We recommend highly that you implement and configure an antiv
Configuring iSCSI Storage in Windows Server 2012
iSCSI is a protocol that supports access to remote, SCSI-
based storage devices over a TCP/IP network. iSCSI carries standard SCSI commands
over IP networks to facilitate data transfers over intranets and tomanage storage over
long distances. You can use iSCSI to transmit data over LANs, WANs, or even over t
he larger Internet.
iSCSI relies on standard Ethernet networking architecture, and use of specialized hardware such as a host bus adapter (HBA) or network switches is optional. iSCSI uses TCP/IP (typically, TCP port 3260). This means that iSCSI enables two hosts to negotiate (session establishment, flow control, and packet size, for example) and then exchange SCSI commands by using an existing Ethernet network. By doing this, iSCSI takes a popular, high-performance, local storage bus subsystem architecture and emulates it over LANs and WANs, creating a SAN.
Unlike some SAN protocols, iSCSI requires no specialized cabling; it can be run over existing switching and IP infrastructure. However, the performance of an iSCSI SAN deployment can be severely decreased if it is not operated on a dedicated network or subnet, which we recommend as a best practice.
Note: Although you can use a standard Ethernet network adapter to connect the server to the iSCSI storage device, you can also use dedicated HBAs.
An iSCSI SAN deployment includes the following components:
IP network. You can use standard network interface adapters and standard Ethernet protocol networ
(Gbps), and should provide multiple paths to the iSCSI target. We recommend that you use a dedica
iSCSI targets. iSCSI targets present or advertise storage, similar to controllers for hard disk drives o
level iSCSI targets as part of their storage devices hardware. Other devices or appliances, such as W
which is effectively a driver for the iSCSI protocol as a role service.
iSCSI initiators. The iSCSI target displays storage to the iSCSI initiator (also known as the client),
iSCSI Qualified Name (IQN). IQNs are unique identifiers that are used to address initiators and targets on an iSCSI networ
owever, if name resolution on the iSCSI network is a possible issue, iSCSI endpoints (both target an
The iSCSI initiator service has been a standard part of the operating system since Windows Server 2008. Before Windows Server 2012, however, the iSCSI Software Target had to be downloaded and installed as an optional component. Now, it is integrated into Windows Server 2012 as a role service. The new features in Windows Server 2012 include:
Authentication. You can enable Challenge-Handshake Authentication Protocol (CHAP) to authenticate initiator connections or enable reverse CHAP to allow the initiator to auth
Query initiator computer for ID. This is only supported with Windows 8 and Windows Server 201
iSCSI Target Server
The iSCSI target server role service provides a software-based and hardware-independent iSCSI disk subsystem. You can use the iSCSI target server to create iSCSI targets and iSCSI virtual disks. You can then use Server Manager to manage these iSCSI targets and virtual disks.
The iSCSI target server included in Windows Server 2012 provides the following functionality:
Network/diskless boot. By using boot-capable network adapters or a software loader, you can use iSCSI targets to deploy diskless servers
es, such as a Hyper-V server farm or High Performance Computing (HPC) clusters.
Server application storage. Some applications, such as Hyper-V and Exchange Server, require block storage. The iSCSI target server can provide these applicatio
Heterogeneous storage. An iSCSI target server supports iSCSI initiators that are not based on Wind
Lab environments. The iSCSI target server role enables your Windows Server 2012 computers to b
Enabling the iSCSI target server to provide block storage takes advantage of your existing Ethernet network. No additional hardware is needed. If high availability is an important criterion, consider setting up a high-availability cluster. With a high-availability cluster, you will need shared storage for the cluster: either hardware Fibre Channel storage or a serial attached SCSI (SAS) storage array. An iSCSI target server is directly integrated into the failover cluster feature as a cluster role.
iSCSI Initiator
The iSCSI Initiator is included in Windows Server 2012 and Windows 8 as a service and is installed by default. To connect your computer to an iSCSI target, you only have to start the service and configure it.
Demonstration: Configuring iSCSI Storage for the Mailbox Server Role
Demonstration Steps
1. On LON-DC1, start Server Manager, start the Add Roles and Features Wizard, install the follow
o File And Storage Services (Installed)\File and iSCSI Services (Installed)\iSCSI Target Se
2. On LON-DC1, in Server Manager, in the navigation pane, click File and Storage Services, and th
3. Create a New iSCSI Virtual Disk with these settings:
o Storage location: C:
o Disk name: iSCSIDisk1
o Size: 2 GB
o iSCSI target: New
o Target name: lon-mbx1
o Access servers: LON-MBX1
4. On the View results page, wait until the creation is completed, and then click Close.
5. Create a New iSCSI Virtual Disk with these settings:
o Storage location: C:
o Disk name: iSCSIDisk2
o Size: 500 MB
o iSCSI target: lon-mbx1
6. Run iSCSI Initiator on LON-MBX1.
7. Connect to the portal at address 172.16.0.10.
8. Add the connection to the list of favorite targets.
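The same target and initiator setup as Windows Server 2012 PowerShell, added here as an example that is not part of the course manual. It also applies the two controls the lesson mentions for a shared storage subnet, restricting the target to the named initiator and requiring CHAP; the virtual disk folder, the CHAP user name and the CHAP secret are assumed placeholder values.

```powershell
# Added example (not from the course manual). Names follow the demonstration
# (target lon-mbx1, portal 172.16.0.10, initiator LON-MBX1); the VHD folder,
# the CHAP user name and the CHAP secret are placeholders.

# ----- On LON-DC1 (iSCSI target server) -----
Install-WindowsFeature -Name FS-iSCSITarget-Server -IncludeManagementTools

# Only the listed initiator can see this target. DNSName:, IQN: and IPAddress:
# forms are accepted; an unrestricted target is visible to every host on the subnet.
New-IscsiServerTarget -TargetName "lon-mbx1" `
    -InitiatorIds @("DNSName:LON-MBX1.Adatum.com")

# Two virtual disks as in the demonstration (2 GB and 500 MB), mapped to the target.
New-IscsiVirtualDisk -Path "C:\iSCSIVirtualDisks\iSCSIDisk1.vhd" -SizeBytes 2GB
New-IscsiVirtualDisk -Path "C:\iSCSIVirtualDisks\iSCSIDisk2.vhd" -SizeBytes 500MB
Add-IscsiVirtualDiskTargetMapping -TargetName "lon-mbx1" -Path "C:\iSCSIVirtualDisks\iSCSIDisk1.vhd"
Add-IscsiVirtualDiskTargetMapping -TargetName "lon-mbx1" -Path "C:\iSCSIVirtualDisks\iSCSIDisk2.vhd"

# Require CHAP so that reaching TCP 3260 is not enough to log in to the target.
# The Microsoft target requires a 12 to 16 character secret; this one is a placeholder.
$chapSecret = ConvertTo-SecureString "ChapSecret12345" -AsPlainText -Force
$chapCred   = New-Object System.Management.Automation.PSCredential ("lon-mbx1", $chapSecret)
Set-IscsiServerTarget -TargetName "lon-mbx1" -EnableChap $true -Chap $chapCred

# ----- On LON-MBX1 (iSCSI initiator) -----
# The initiator service is present but must be running; make it start with the server.
Set-Service -Name MSiSCSI -StartupType Automatic
Start-Service -Name MSiSCSI

# Register the portal and discover the targets it advertises to this initiator.
New-IscsiTargetPortal -TargetPortalAddress 172.16.0.10
$target = Get-IscsiTarget | Where-Object { $_.NodeAddress -like "*lon-mbx1*" }

# Log in with one-way CHAP; -IsPersistent is the "favorite target" of the GUI and
# reconnects the session after a reboot.
Connect-IscsiTarget -NodeAddress $target.NodeAddress `
    -TargetPortalAddress 172.16.0.10 `
    -AuthenticationType ONEWAYCHAP -ChapUsername "lon-mbx1" -ChapSecret "ChapSecret12345" `
    -IsPersistent $true

# Verify: the session is connected and the two new disks are visible (offline until
# Disk Management or Initialize-Disk brings them online).
Get-IscsiSession | Select-Object TargetNodeAddress, IsConnected, IsPersistent
Get-Disk | Where-Object { $_.BusType -eq "iSCSI" } | Select-Object Number, Size, OperationalStatus
```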
Creating and Managing Mailbox Databases
One of the first things that you should do after you deploy your Exchange Server 2013 infrastructure is create mailbox databases, or configure settings on the existing mailbox database. Exchange Server 2013 comes with one mailbox database that is created by default. It is located on a system drive, and it provides initial storage for the administrator mailbox and system mailboxes.

In most cases, you will not use the default mailbox database unless you have a small and low-demand environment. Otherwise, you will have to create a new mailbox database on the supported storage.
We recommend that you do not remove the default mailbox database, because it contains system mailboxes. However, you can rename it so that it follows your naming convention.
You can create a mailbox database from either the Exchange Administration Center (EAC) or the Exchange Management Shell. However, advanced management of existing databases can be done only from the Exchange Management Shell.
When you create a mailbox database from the EAC, you need to specify the mailbox database name, the server that will host the database, and paths for the database file and logs. By default, each database location is within the Exchange Server installation directory, but we recommend that you change this because you should host the databases on a dedicated volume.
If you want to create a mailbox database by using the Exchange Management Shell, you should use the New-MailboxDatabase cmdlet. When creating a mailbox database, this cmdlet provides you with more options and parameters than the Exchange Administration Center.
When you open properties of the mailbox database in the EAC, you can configure options on the following tabs:
General: Use this tab to configure only the database name. All other settings and properties are rea
only, but you can see when the last backup of the database was performed, on which server the datab
Maintenance: Use this tab to configure the journal recipient for the database and the maintenance s
at it does not mount on startup.
Limits: On this tab, you configure mailbox size and retention limits. You can configure limits wher
ms and mailboxes.
Client Settings: This tab has only one configurable option, and that is the offline address book (OA
To view the full list of properties for the mailbox database, run the following cmdlet:
Get-MailboxDatabase -Identity MailboxName | FL
For advanced management and configuration of the mailbox database, use the Set-MailboxDatabase cmdlet.
If you want to move the mailbox database files to another location, you must use the Exchange Management Shell. You cannot use the Set-MailboxDatabase cmdlet to move the mailbox database; you must use the Move-DatabasePath cmdlet. The following is an example of the Move-DatabasePath cmdlet:
Move-DatabasePath -Identity MailboxDatabaseName -EdbFilePath E:\DB1\DB1.edb -LogFolderPath G:\Logs\DB1
This example shows the database with the name MailboxDatabaseName moving to the path E:\DB1\DB1.edb, and the log files moving to G:\Logs\DB1.
Demonstration: Creating and Managing Mailbox Databases
Demonstration Steps
1. Open Disk Management on LON-MBX1.
2. Bring online and initialize the three new disks.
3. Make a simple volume on each disk, and format it with NTFS.
4. Name the volume on Disk 1 as DB2.
5. Name the volume on Disk 2 as Logs.
6. In the EAC window, create a new mailbox database with the following properties:
o Database name: DB2
o Database file path: E:\DB2\DB2.edb
o Log folder path: F:\Logs\DB2
7. Set the properties for the new database by executing the following cmdlet: Set-MailboxDatabase
-ProhibitSendQuota 2.2GB.
8. Dismount and remount the DB2 database.
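The database tasks of this topic and demonstration carried out in the Exchange Management Shell, as an added example that is not part of the course manual. Server, database and path names follow the demonstration; the quota and retention values are the ones the lab scenario specifies.

```powershell
# Added example (not from the course manual). Creates DB2 on LON-MBX1, applies
# quotas and retention, relocates its files, and verifies the result.

# Create DB2 with the database file and the logs on separate volumes, then mount it.
# New-MailboxDatabase exposes more parameters than the EAC wizard (for example -OfflineAddressBook).
New-MailboxDatabase -Name "DB2" -Server "LON-MBX1" `
    -EdbFilePath "E:\DB2\DB2.edb" -LogFolderPath "F:\Logs\DB2"
Mount-Database -Identity "DB2"

# Storage quotas and deleted-item retention as in the lab scenario: warn at 0.9 GB,
# block sending at 1 GB, block sending and receiving at 2.2 GB, keep deleted items 30 days.
Set-MailboxDatabase -Identity "DB2" `
    -IssueWarningQuota 0.9GB `
    -ProhibitSendQuota 1GB `
    -ProhibitSendReceiveQuota 2.2GB `
    -DeletedItemRetention 30.00:00:00 `
    -RetainDeletedItemsUntilBackup $true

# The lab enables circular logging on the new database. The module's best practices advise
# against it in production because it discards the logs a point-in-time restore would need.
# The change is applied only after the database is dismounted and remounted (demo step 8).
Set-MailboxDatabase -Identity "DB2" -CircularLoggingEnabled $true
Dismount-Database -Identity "DB2" -Confirm:$false
Mount-Database -Identity "DB2"

# Set-MailboxDatabase cannot relocate files. If the log volume changes later (the lab places
# DB2 logs on G:), Move-DatabasePath dismounts the database, copies the .edb and logs,
# updates the paths in Active Directory and remounts it, so plan it as an outage.
Move-DatabasePath -Identity "DB2" -EdbFilePath "E:\DB2\DB2.edb" -LogFolderPath "G:\Logs\DB2"

# Verify. -Status adds the runtime properties (Mounted, LastFullBackup) that the EAC shows
# read-only on the general tab.
Get-MailboxDatabase -Identity "DB2" -Status |
    Format-List Name, Server, EdbFilePath, LogFolderPath, Mounted, LastFullBackup,
                IssueWarningQuota, ProhibitSendQuota, ProhibitSendReceiveQuota,
                DeletedItemRetention, RetainDeletedItemsUntilBackup, CircularLoggingEnabled
```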
Lab: Configuring Mailbox Servers
Scenario
After performing a test deployment, A. Datum is now planning the deployment of Exchange Server 2013 in a production environment. First, they want to summarize all requirements and all available resources, and then plan for the Mailbox server deployment. After the deployment, you need to configure the storage attached to the servers, and then configure the mailbox databases. After the configuration tasks, you need to export data from the user's mailbox to the .pst file.
Objectives
Plan configuration for the mailbox servers.
Configure storage for the mailbox servers.
Create and configure the mailbox databases.
Lab Setup
Estimated time: 75 minutes
Virtual machines: 20341B-LON-DC1, 20341B-LON-CAS1, 20341B-LON-MBX1, 20341B-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Mana
2. In Hyper-V Manager, click 20341B-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
5. Repeat steps 2 to 4 for 20341B-LON-MBX1, 20341B-LON-CAS1, and 20341B-LON-CL1.
Exercise 1: Planning Configuration for Mailbox Servers
Scenario
Use the Mailbox server role calculator to design the Exchange infrastructure for A. Datum. You must fulfill the following requirements:
A. Datum has to provide mailboxes for 5,000 users. The number of mailboxes grows by a factor o
All users must be provided with 1-GB mailboxes. In addition, each user must have an online archi
The average message size is 75 KB, and the total number of sent/received messages per mailbox p
All deleted messages should have a retention period of 30 days, with single-item recovery enabled
A. Datum plans to deploy four Mailbox servers.
Mailbox databases should be highly available.
Each database should have three total instances: 1 active instance, 1 passive instance, and 1 lagged
Approximately 2% of mailboxes are moved per week.
Databases and logs should be separated.
A. Datum plans to implement a third-party backup solution. Backups will be performed on a week
Currently, A. Datum has only one datacenter, and at this time the company is not planning for a site-resilient solution. Servers for Exchange currently have 1,000-GB disks for databases, 500-GB disks for transaction logs, and 1,500-GB disks for the Restore LUN. A. Datum also plans to leverage virtualization as much as possible.
Note: This lab uses a modified version of the Exchange Server 2010 Exchange Mailbox Server Role Requirements Calculator. Ensure that you download and use the Exchange Server 2013 version when calculating hardware requirements for Exchange Server 2013 servers.
The main tasks for this exercise are as follows:
1. Analyze requirements for the A. Datum Exchange Server deployment
2. Use the Exchange Mailbox Server Role Requirements Calculator
3. Analyze output from the Exchange Mailbox Server Role Requirements Calculator
4. Discuss the solution with the instructor and the class
Task 1: Analyze requirements for the A. Datum Exchange Server deployment
Read the Lab and Exercise scenario. Summarize the requirements from the exercise scenario.
Task 2: Use the Exchange Mailbox Server Role Requirements Calculator
1. On LON-CL1, open File Explorer, navigate to C:\Files and open the E2013Calc.xlsm file. On
2. Based on requirements from lab and exercise scenario, fill in the appropriate fields on the Input
Task 3: Analyze output from the Exchange Mailbox Server Role Requirements Calculator
1. In the E2013Calc, click the Role Requirements tab.
2. Review calculated requirements provided in this sheet.
3. Click the Distribution Sheet.
4. Click the Fail Server button for each server. Observe where databases will be distributed.
5. Click Export DAG Scripts.
6. In the Storage Calculator Export Scripts window, click OK twice.
7. Click the LUN Requirements sheet. Review the calculated requirements provided in this sheet
8. Click the Backup Requirements sheet. Review the calculated requirements provided in this sh
9. Click the Replication Requirements sheet. Review the calculated requirements provided in thi
10. Click the Storage Design sheet. Review the calculated requirements provided in this sheet.
11. Open File Explorer, and navigate to C:\Files.
12. Right-click the CreateMBDatabases.ps1 file, and select Edit. Review the content of the script
13. Right-click the CreateMBDatabaseCopies.ps1 file, and select Edit. Review the content of the
14. Right-click the Diskpart.ps1 file, and select Edit. Review the content of the script that is gener
15. Close the Windows PowerShell ISE window.
Task 4: Discuss the solution with the instructor and the class
1. Discuss the solution provided by the Exchange Mailbox Server Role Requirements Calculator w
2. Change the values on the Input tab of the Exchange Mailbox Server Role Requirements Calcul
Results: After completing this exercise, the students will have created a plan for their mailbox server configuration.
Exercise 2: Configure Storage on the Mailbox Servers
Scenario
Currently, the Mailbox server has no locally attached storage for the mailbox database. You have available iSCSI storage that should be used for the mailbox databases and logs. These drives will be sufficient for the initial deployment at A. Datum, but the organization expects to add several additional iSCSI drives during the deployment.
You need to configure Windows Server 2012 to connect to the iSCSI drives, and configure storage for the mailbox databases and logs.
The main tasks for this exercise are as follows:
1. Create and Configure iSCSI target and drives
2. Connect Exchange Server to the storage
3. Configure storage
Task 1: Create and Configure iSCSI target and drives
1. On LON-DC1, open Server Manager, start the Add Roles and Features Wizard, and install the fo
o File And Storage Services (Installed)\File and iSCSI Services (Installed)\iSCSI Target Se
2. On LON-DC1, in Server Manager, in the navigation pane, click File and Storage Services, and th
3. Create a New iSCSI Virtual Disk with these settings:
o Storage location: C:
o Disk name: iSCSIDisk1
o Size: 2 GB
o iSCSI target: New
o Target name: lon-mbx1
o Access servers: LON-MBX1
4. On the View results page, wait until the creation is completed, and then click Close.
5. Create a New iSCSI Virtual Disk with these settings:
o Storage location: C:
o Disk name: iSCSIDisk2
o Size: 2 GB
o iSCSI target: lon-mbx1
6. Create a New iSCSI Virtual Disk with these settings:
o Storage location: C:
o Disk name: iSCSIDisk3
o Size: 500 MB
o iSCSI target: lon-mbx1
Task 2: Connect Exchange Server to the storage
1. On LON-MBX1, open Server Manager, and then from the Tools menu start the iSCSI Initiato
2. Connect to the portal at address 172.16.0.10.
3. Add the connection to the list of favorite targets.
Task 3: Configure storage
1. On LON-MBX1, from Server Manager, open Disk Management.
2. Bring online and initialize the three new disks.
3. Make a simple volume on each disk, and format it with NTFS.
4. Name the volume on Disk 1 as DB1.
5. Name the volume on Disk 2 as DB2.
6. Name the volume on Disk 3 as Logs.
Results: After completing this exercise, the students will have configured iSCSI storage for their mailbox databases and logs.
Exercise 3: Creating and Configuring Mailbox Databases
Scenario
When installing the Mailbox server role, a default mailbox database is created on the server. You need to modify the location and configuration of the default mailbox database to meet the corporate standards. The database should have a warning limit set to 0.9 GB, prohibit send at 1.0 GB, and prohibit send and receive at 2.2 GB.
In addition to the default mailbox database, you also need to create a new mailbox database to meet the deployment requirements. The new mailbox database should be placed on the iSCSI drive, and it should have circular logging enabled. You also need to set different limits and retention time periods from the default database. After setting the limits and retentions, you need to export the mailbox of Aidan Delaney to a .pst file.
The main tasks for this exercise are as follows:
1. Configure Mailbox Settings for the Existing Mailbox Database
2. Create and configure additional mailbox databases
3. Export mailbox data to the .pst file
4. To prepare for the next module
Task 1: Configure Mailbox Settings for the Existing Mailbox Database
1. On LON-MBX1, open Internet Explorer and type https://lon-cas1.adatum.com/ecp, and press E
2. Sign in as Adatum\Administrator with the password Pa$$w0rd.
3. Set the properties for Mailbox Database 1 as follows:
o Issue a warning at (GB): 0.9
o Prohibit send at (GB): 1
o Prohibit send and receive at (GB): 1.3
o Keep deleted items for (days): 30
4. Open the Exchange Management Shell.
5. Note the database names by executing the Get-MailboxDatabase cmdlet.
6. Move the database by executing the cmdlet: Move-DatabasePath -Identity "Mailbox Database 1" -EdbFilePath E:\DB1\DB1.edb -LogFolderPath G:\Logs\DB1.
7. Verify that both the database file and logs are moved to the new location.
Task 2: Create and configure additional mailbox databases
1. In the EAC window, create a new mailbox database with the following properties:
o Database name: DB2
o Database file path: F:\DB2\DB2.edb
o Log folder path: G:\Logs\DB2
2. Set the properties for the new database by executing the following cmdlet: Set-MailboxDatabase
-ProhibitSendQuota 2.2GB.
3. Dismount and remount the DB2 database.
Task 3: Export mailbox data to the .pst file
1. On LON-MBX1, in the Exchange Management Shell window, execute the following cmdlet: N
2. Restart the Exchange Management Shell.
3. Export Aidan's mailbox by executing the following cmdlet: New-MailboxExportRequest -Ma
4. Make sure the status is complete by using the Get-MailboxExportRequest cmdlet.
5. Verify that the aidan.pst file exists in the shared folder.
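The export task end to end in the Exchange Management Shell, as an added example that is not part of the course manual. The role assignment is the standard prerequisite for the export cmdlets; the share \\LON-DC1\Exports is an assumed location, since the lab does not name its shared folder.

```powershell
# Added example (not from the course manual). Assumes the lab's Adatum\Administrator
# account and a share \\LON-DC1\Exports (placeholder) that the export can be written to.

# 1. New-MailboxExportRequest is not available until the "Mailbox Import Export" role is
#    assigned; nobody holds it by default, which limits who can copy mailbox content out.
#    Role assignments are loaded when the shell starts, hence the lab's restart step.
New-ManagementRoleAssignment -Role "Mailbox Import Export" -User "Adatum\Administrator"

# 2. The destination must be a UNC path. The file is written by the Mailbox Replication
#    service on the Mailbox server, not by the administrator's session, so the share must grant
#    write access to the Exchange Trusted Subsystem group rather than to the administrator.
$share = "\\LON-DC1\Exports"
New-MailboxExportRequest -Mailbox "Aidan Delaney" -FilePath "$share\aidan.pst"

# 3. Poll until the request leaves the Queued/InProgress states, then read the statistics.
do {
    Start-Sleep -Seconds 10
    $req = Get-MailboxExportRequest -Mailbox "Aidan Delaney"
} while ($req.Status -in @("Queued", "InProgress"))
$req | Get-MailboxExportRequestStatistics |
    Format-List Status, PercentComplete, FilePath, Message

# 4. Confirm the file exists, then clear the completed request; finished requests are kept
#    until removed and are listed by Get-MailboxExportRequest indefinitely.
Test-Path "$share\aidan.pst"
Get-MailboxExportRequest -Status Completed | Remove-MailboxExportRequest -Confirm:$false
```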
Task 4: To prepare for the next module
When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20341B-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 to 3 for 20341B-LON-CAS1, 20341B-LON-MBX1, and 20341B-LON-CL1.
5. In Hyper-V Manager, click 20341B-LON-DC1, and in the Actions pane, click Start.
6. In the Actions pane, click Connect. Wait until the virtual machine starts.
7. Sign in using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
8. Repeat steps 5 to 7 for 20341B-LON-MBX1. When you have successfully signed in to LON-MBX
Results: After completing this exercise, the students will have their mailbox databases created and configured.
Question: What is the purpose of the Exchange Mailbox Server Role Requirements Calculator?
Question: Can you move existing mailbox databases to a different path by using the EAC?
Question: What must you do before you can export the user's mailbox to the .pst file?
Module Review and Takeaways
Best Practice
Use the Exchange Server Mailbox Server Role Calculator when planning for Mailbox server depl
Always provide high availability for Mailbox servers.
Do not use circular logging on mailboxes in production.
Consider using Exchange native data protection.
Review Question(s)
Question: Why would you choose to use SATA drives instead of a SAN or small computer system interface (SCSI) drives for your Mailbox servers?
Question: Your organization needs to determine which storage solution to deploy for the new Exchange Server 2013 messaging environment. What information should you consider when selecting the hardware?
Tools
Exchange Mailbox Server Role Calculator
Exchange Administration Center
Exchange Management Shell
Module 3: Managing Recipient Objects
Contents:
Module Overview

Lesson 1: Managing Exchange Server 2013 Mailboxes

Lesson 2: Managing Other Exchange Recipients

Lesson 3: Planning and Implementing Public Folder Mailboxes

Lesson 4: Managing Address Lists and Policies

Lab: Managing Recipient Objects

Module Review and Takeaways

Module Overview
In any messaging system, you need to create recipients and configure them to send and receive email. As a Microsoft Exchange Server messaging administrator, you often must create, modify, or delete recipient objects. Therefore, it is essential that you have a good understanding of recipient management.
This module describes how you can manage recipient objects, address policies, and address lists in Microsoft Exchange Server 2013.
Objectives
After completing this module, students will be able to:
Manage Exchange Server 2013 mailboxes.
Manage other Exchange Server 2013 recipients.
Implement public folders.
Configure address lists and policies.
Lesson 1: Managing Exchange Server 2013 Mailboxes
Two of the most common tasks that Exchange Server administrators perform are creating and configuring email recipients. As organizations hire new employees, or employees change positions within the organization, the Exchange administrators need to make sure that the users have the messaging functionality that they require. Most users in an organization will use Exchange Server mailboxes, although Exchange Server 2013 also provides various other mailbox options that can be configured.
This lesson provides an overview of the different types of Exchange Server 2013 mailboxes, and describes how to manage each type of mailbox.
Lesson Objectives
After completing this lesson, the students will be able to:
List the different recipient objects in Exchange Server 2013.
Describe user mailboxes.
Create and configure user mailboxes.
Move mailboxes.
Describe resource mailboxes.
Create and configure resource mailboxes.
Describe site mailboxes.
Describe shared mailboxes.
Configure shared mailboxes.
Describe linked mailboxes.
Types of Exchange Server Recipients
Exchange Server recipients are any objects within the Active Directory Domain Services (AD DS) forest that have been configured with an email address.

When AD DS objects are configured with an email address, they appear in the Global Address List (GAL). Exchange Server 2013 supports the following recipient types:
User mailboxes. A mailbox that you assign to an individual user in your Exchange Server organizat
Mail contacts. Contacts that contain information about people or organizations that exist outside an
Mail users. Users who have an AD DS user account but have an external email address. All messag
(SID). This allows the user account to access resources in the AD DS environment.
Resource mailboxes (room mailboxes and equipment mailboxes). A resource mailbox is configured for objects such as m
Shared mailboxes. A mailbox that is used by multiple users rather than one primary user. Organizat
Mail-enabled security and distribution groups. You can use a mail-enabled AD DS security group o
enabled AD DS distribution group object to distribute messages to a group of recipients.
Dynamic distribution groups. A distribution group that uses a Lightweight Directory Access Protoc
Linked mailboxes. Regular mailboxes that are associated with individual users in a separate, trusted
Remote mailboxes. Mailboxes that are located in the Exchange Online environment. In a hybrid Exc
Site mailboxes. Mailboxes that include both an Exchange Server mailbox and a Microsoft ShareP
Managing Mailboxes

Creating Mailboxes
Most mailboxes in an Exchange Server organization are regular mailboxes associated with a user ac
ate the mailbox with an existing AD DS user account, or you can create a new AD DS account whe
Mailbox cmdlet. To configure an existing user account with a mailbox, use the Enable-Mailbox cm
You can choose a specific mailbox database for the mailbox, or accept the default, which means tha
You can assign an address book view to the mailbox.
If you create or enable the user mailbox using the Exchange Management Shell, you can assign other attributes to the mailbox.
Configuring Mailboxes
After creating the mailbox, you can configure all other settings on the mailbox using the EAC or the Exchange Management Shell. The following table lists some of the mailbox configuration options available:
Tab | Configuration settings
general | User names and custom attributes.
mailbox usage | Displays the last logon information. Configure mailbox size limits and retention settings.
contact information | Configure information such as address and phone number.
organization | Configure the title, department, company, and manager settings.
email address | Configure the email addresses assigned to the mailbox. Can include Simple Mail Transfer Protocol (SMTP), Exchange Unified Messaging addresses, or a
mailbox features | Configure the policies that apply to the mailbox. Configure the phone and voice features, including enabling and disabling features, and configurin
 | Configure mail flow settings including delivery options, message size, and delivery restrictions.
member of | View the groups to which the user account belongs.
MailTip | Configure MailTip for the mailbox to be displayed when users add this recipient as a message rec
mailbox delegation | Configure Send As, Send on Behalf of, and Full Access permissions to the user mailbox.

To change an existing mailbox, use the Set-Mailbox cmdlet.


Note: You can modify some attributes for multiple mailboxes at one time in the EAC. To do this, select multiple mailboxes in the List view. The details pane will display the Bulk Edit options that are available for the mailboxes. Note that not all settings can be modified using this process.
Demonstration: Creating and Configuring Mailboxes
In this demonstration, you will see how to create and configure user mailboxes using the EAC and the Exchange Management Shell.
Demonstration Steps
1. On LON-CAS1, in Internet Explorer connect to https://lon-cas1.adatum.com/ecp. Sign in as A
2. In the Exchange Management Console, run the New Mailbox Wizard, and create a new user ac
(OU), and create the mailbox in the Research mailbox database.
3. Review the settings available on Alice Ciccu's mailbox.
4. Delete Alice Ciccu's mailbox.
5. Disable Anil Elson's mailbox.
6. On LON-DC1, in Active Directory Users and Computers, verify that Alice's account has been d
Note: Deleting the mailbox deletes the specified user account and mailbox. Disabling the mailb
7. On LON-CAS1, open the Exchange Management Shell.
8. Use the Enable-Mailbox cmdlet to assign a mailbox in the Research mailbox database to Anil
9. Use the Get-User and Enable-Mailbox cmdlets to create mailboxes for all users in the Develop
Demonstration: Moving Mailboxes
One common task Exchange administrators perform is moving mailboxes. You may need to move mailboxes to another mailbox database on the same Exchange server, to a mailbox database on another Exchange server, or to a mailbox database on an Exchange Server in another Exchange organization. In Exchange Server 2013, you can move mailboxes one at a time or create migration batches to move multiple mailboxes at one time.
In this demonstration, you will see how to move individual mailboxes, and how to configure and monitor migration batches.
Demonstration Steps
1. Move April Reagan's mailbox from Mailbox Database 1 to the Research mailbox database usin
2. Move multiple mailboxes by creating a migration batch.
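Both demonstrations (creating and configuring mailboxes, and moving them) as Exchange Management Shell commands, added here as an example that is not part of the course manual. Names follow the demonstrations; the Research OU for the new user, the Development OU for the bulk enable, the UPN, and the CSV path C:\Files\batch.csv are assumptions.

```powershell
# Added example (not from the course manual). The OU names, UPN and CSV path are assumed.

# Create the AD DS account and its mailbox in one step, as the EAC new-mailbox wizard does.
# The initial password is prompted for rather than embedded in the script.
$initialPassword = Read-Host -AsSecureString "Initial password for Alice Ciccu"
New-Mailbox -Name "Alice Ciccu" -Alias "alice" -UserPrincipalName "alice@adatum.com" `
    -OrganizationalUnit "Research" -Database "Research" `
    -Password $initialPassword -ResetPasswordOnNextLogon $true

# Review what was created.
Get-Mailbox -Identity "Alice Ciccu" | Format-List Name, Database, UserPrincipalName, RecipientTypeDetails

# Remove-Mailbox deletes the AD DS account together with the mailbox (demo step 4);
# Disable-Mailbox only detaches the mailbox and keeps the account (demo step 5).
Remove-Mailbox -Identity "Alice Ciccu" -Confirm:$false
Disable-Mailbox -Identity "Anil Elson" -Confirm:$false

# Mailbox-enable an existing account, then every account in an OU that has no mailbox yet.
# -RecipientTypeDetails User excludes accounts that are already UserMailbox recipients.
Enable-Mailbox -Identity "Anil Elson" -Database "Research"
Get-User -OrganizationalUnit "Development" -RecipientTypeDetails User |
    Enable-Mailbox -Database "Research"

# Move a single mailbox between databases on the same or another server and track it.
New-MoveRequest -Identity "April Reagan" -TargetDatabase "Research"
Get-MoveRequest -Identity "April Reagan" | Get-MoveRequestStatistics |
    Format-List Status, PercentComplete, TotalMailboxSize, SourceDatabase, TargetDatabase

# Move several mailboxes as a local migration batch. The CSV needs one column, EmailAddress,
# with one primary SMTP address per row; -AutoStart begins the batch without a separate
# Start-MigrationBatch call.
$csvBytes = [System.IO.File]::ReadAllBytes("C:\Files\batch.csv")
New-MigrationBatch -Name "ResearchMove" -Local -CSVData $csvBytes `
    -TargetDatabases "Research" -AutoStart

# Monitor the batch as a whole and per user, as the demonstration does in the EAC.
Get-MigrationBatch -Identity "ResearchMove" | Format-List Status, TotalCount, SyncedCount, FailedCount
Get-MigrationUser -BatchId "ResearchMove" | Format-Table Identity, Status, BatchId
```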
What Are Resource Mailboxes?
Resource mailboxes are specific types of mailboxes that you can use to represent meeting rooms or shared equipment, and you can include them as resources in meeting requests. The AD DS user account that is associated with a resource mailbox is disabled.
You can create two different types of resource mailboxes in Exchange Server 2013:

Room mailboxes. Resource mailboxes that you can assign to meeting locations, such as conferenc
Equipment mailboxes. Resource mailboxes that you can assign to resources that are not location-s
You can include both types of resource mailboxes as resources in meeting requests, which provides a simple and efficient way for users to book these resources. After creating the resource mailbox, you must configure properties such as location and size. These attributes are useful for enabling users to search for meeting rooms that meet their requirements.
Configuring Resource Booking Settings
When you configure a resource mailbox, you can also configure settings that determine how the resource mailbox will respond to meeting requests. You can configure resource mailboxes to automatically process incoming meeting requests for all users, or you can restrict who can book the meeting room. You can configure delegates who have to approve all meeting requests, and you can also configure the resource mailbox to accept only certain types of meetings. For example, you can configure a conference room to automatically accept incoming meeting requests but not accept recurring meeting requests.
When you create a resource mailbox using the EAC, you can configure the following settings that define how the mailbox will accept meeting requests.

Tab | Settings
delegates | You can configure the resource mailbox to automatically process meeting requests for all users, or you can
booking options | You can configure:
 | Whether the mailbox will accept repeating or recurring meetings.
 | Whether the mailbox can only be booked for meetings during regular working hours (8 a.m. to 5 p.m.
 | How many days in advance users can book meetings.
 | Whether to automatically decline meetings that extend beyond the maximum booking time.
 | How long meetings can be booked for the mailbox.
 | Additional text that will be sent to the user when they book a meeting with the mailbox.

In addition to the settings available in the EAC, you also can configure many additional settings for how the resource mailbox will respond to meeting requests. These settings are configured by using the Set-CalendarProcessing cmdlet. Some of the options available are:
Configuration option
Allow conflicting meetings.
Allow certain users to request meetings that do not follow the policies regarding maximum lead time or maximum meeting lim
Prevent the meeting room from automatically accepting meeting requests.

Considerations for Planning Resource Mailboxes
When you design how meeting requests will be accepted, consider the following:
Who can schedule a resource. You might accept the default settings for most resources in the organ
ay want to restrict who can book meetings in the conference room.
When users can schedule the resource. You may want to set restrictions on the time of day when m
The automatic acceptance policy for the meeting resource. By default, all resource mailboxes are co
g resource for the same time.
Demonstration: Creating and Managing Resource Mailboxes
In this demonstration, you will use the Exchange Management Console to:
Create and configure a resource mailbox.
Configure a delegate for a resource mailbox.
Demonstration Steps
1. On LON-CAS1, in the EAC, create a new room mailbox with the following information:
o Name: Conference Room 1
o Email address: ConferenceRoom1
o Organizational unit: Sales
o Location: London
o Capacity: 20
o Mailbox database: Mailbox Database 1
2. After creating the room mailbox, modify the properties to:
o Change the lead time for booking meetings to one year.
o Send the text "You have successfully booked Conference Room 1" to users who book the me
3. On LON-CL1, signed in as Aidan, open Outlook 2013 and create a new Meeting Request. Invite th
Note: If necessary, complete the Welcome to Microsoft Outlook 2013 wizard.
4. Send the meeting request and verify that the resource accepted the invitation.
5. On LON-CAS1, in the EAC, access the Conference Room 1 properties.
6. Add Amr Zaki as a delegate for the resource mailbox.
7. Verify that the delegate has to accept the meeting request for the room mailbox.
What Are Site Mailboxes?
One issue that users face when they work collaboratively is that information can be stored in several different locations. Users who are working on the same project might need to exchange emails related to the project, and they might also need to access shared documents stored on file shares or on a SharePoint Server 2013 site.

Site mailboxes in Exchange Server 2013 provide a more integrated experience for users who need to collaborate. Site mailboxes enable users to access both documents stored on SharePoint 2013 and email stored in an Exchange Server 2013 mailbox using the same client interface.
Understanding How Site Mailboxes Work
A site mailbox provides integration between a SharePoint site and an Exchange mailbox. For example, a group of users may be working on a project that requires email communication as well as a document review process. With site mailboxes, users can send and read email messages in the site mailbox. Users can also post documents and review documents on the SharePoint site.
The benefit of site mailboxes is that users can access both types of content from a single interface. Site mailboxes are available in Outlook 2013 and can be used to view both the email messages in the mailbox and the documents stored in SharePoint. The same content can also be accessed directly from the SharePoint site. With site mailboxes, Exchange stores the email, providing users with the same email conversations that they use every day for their own mailboxes. SharePoint stores the documents and provides advanced document management tools such as version control.

Configuring Site Mailboxes
Site mailboxes are managed through SharePoint. To implement site mailboxes, you must configure Secure Sockets Layer (SSL) and configure OAuth authorization between the SharePoint 2013 server and the Exchange Server 2013 server.
Once the integration is configured, administrators or users with delegated permissions can create site mailboxes on the SharePoint server by using the Site Mailbox application. Outlook users can then add the site mailbox to their Outlook 2013 profile.
Managing Site Mailboxes with Policies
You can manage site mailboxes using both Exchange Server 2013 policies and SharePoint 2013 policies.
In Exchange, you can configure site mailbox quotas by using the SiteMailboxProvisioningPolicy cmdlets in the Exchange Management Shell. You can configure the maximum size for the site mailbox, and the maximum message size that can be sent to the mailbox.
In SharePoint, you can configure policies for those who can create site mailboxes, and you can configure SharePoint Lifecycle policies to manage the lifecycle of a site mailbox. For example, you can create a lifecycle policy in SharePoint that automatically closes all site mailboxes after six months. When the lifecycle application in SharePoint closes a site mailbox, the site mailbox is retained in SharePoint for a defined period of time. The mailbox can then be reactivated by the mailbox user or by a SharePoint administrator.
After the retention period, the Exchange site mailbox in the mailbox database will have the prefix MDEL: added to the mailbox name to indicate that it has been marked for deletion. The mailboxes are not automatically removed from Exchange; you must manually remove these site mailboxes.
Managing Compliance
Site mailboxes can be part of the In-Place eDiscovery scope in SharePoint 2013 when you perform keyword searches against user mailboxes or site mailboxes. In addition, you can put a site mailbox on legal hold.
Note: For detailed information on how to configure site mailboxes, see the Configure site mailboxes in SharePoint Server 2013 page at http://go.microsoft.com/fwlink/?LinkId=290960.
What Is a Shared Mailbox?
Many organizations need to have multiple users access the same mailbox. For example, an organization may provide an email address such as info@adatum.com on a public web site. The organization may want to have several users monitor the mailbox associated with this email address to ensure prompt replies to potential customers. In previous versions of Exchange Server, you could create a mailbox for this purpose, and then give multiple users access to this mailbox.

Exchange Server 2013 simplifies the process of creating this type of mailbox by providing shared mailboxes. A shared mailbox is a special type of user mailbox in which the user account associated with the mailbox is a disabled account, and other users are granted access to the mailbox. To gain access to the mailbox, users with the required permissions sign into their own mailboxes, and then open the shared mailbox by adding the shared mailbox to their Outlook profile or by accessing the mailbox through Outlook Web App.
Note: When a user's Outlook profile is configured in cached mode, all mailboxes to which the user has Full Access permissions will be downloaded and cached on the local machine. This behavior can be modified so that only the primary mailboxes and non-mail folders such as the Calendar, Contacts, and Tasks folders for the other mailboxes are cached. You can edit the registry or use Group Policy Objects to configure this setting. For more information, see http://go.microsoft.com/fwlink/?LinkId=290961.
In Exchange Server 2013, creating a shared mailbox is a single-step process using the EAC or the Exchange Management Shell. You can create a shared mailbox and grant users Full Access and Send As mailbox permissions when you create the mailbox.
When you grant a user Full Access permission to the shared mailbox, the delegated user can log on to the mailbox, and view and manage all messages in the mailbox. Granting Full Access permissions does not grant the delegated user the right to send mail as the selected mailbox. To allow a user to send mail from a delegated mailbox, you must also assign Send As permissions. When a user with Send As permissions sends a message from the delegated mailbox, any message sent from the mailbox will appear as if it were sent by the mailbox owner.
Note: You also can enable delegated users to access regular mailboxes rather than creating shared mailboxes. When you configure delegate access to a regular mailbox, you also can grant a Send on Behalf Of permission. This permission allows a delegated user to send messages from the mailbox, but the From: address in any message sent by the delegate shows that the message was sent by the delegate on behalf of the mailbox owner.
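The three permission types just described (Full Access, Send As, Send on Behalf Of), granted to the demonstration's Sales Information shared mailbox from the Exchange Management Shell and then audited, as an added example that is not part of the course text. User and database names follow the lab; the Send on Behalf delegate (Bonnie Kearney) is an assumption.

```powershell
# Added example, not from the course material. Names follow the Adatum lab;
# Bonnie Kearney as the Send on Behalf delegate is a constructed choice.
New-Mailbox -Shared -Name "Sales Information" -Alias salesInfo `
    -Database "Mailbox Database 1"

# Full Access: the delegate can open the mailbox and read or manage every item,
# but still cannot send as it. -AutoMapping $false stops Outlook from adding the
# mailbox to the delegate's cached-mode profile automatically (see the note above).
foreach ($user in "Aidan Delany", "Amr Zaki") {
    Add-MailboxPermission -Identity "Sales Information" -User $user `
        -AccessRights FullAccess -InheritanceType All -AutoMapping $false
}

# Send As: messages leave with the shared mailbox as the From: address, so this is
# the permission to be most careful with. It is an AD extended right, granted
# with Add-ADPermission rather than Add-MailboxPermission.
Add-ADPermission -Identity "Sales Information" -User "Aidan Delany" `
    -ExtendedRights "Send As"

# Send on Behalf Of: the From: line shows "Bonnie Kearney on behalf of Sales Information".
Set-Mailbox -Identity "Sales Information" -GrantSendOnBehalfTo @{Add = "Bonnie Kearney"}

# Audit: who can read the mailbox (Full Access) and who can impersonate it (Send As),
# ignoring inherited entries and the built-in SYSTEM/SELF principals.
Get-MailboxPermission -Identity "Sales Information" |
    Where-Object { $_.AccessRights -contains "FullAccess" -and -not $_.IsInherited -and
                   $_.User -notlike "NT AUTHORITY\*" } |
    Select-Object User, AccessRights

Get-ADPermission -Identity "Sales Information" |
    Where-Object { $_.ExtendedRights -like "*Send-As*" -and -not $_.IsInherited -and
                   $_.User -notlike "NT AUTHORITY\*" } |
    Select-Object User, ExtendedRights

Get-Mailbox -Identity "Sales Information" | Select-Object -ExpandProperty GrantSendOnBehalfTo
```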
Demonstration: Creating a Shared Mailbox
In this demonstration, you will see how to configure a shared mailbox, and access the mailbox using Outlook 2013 and Outlook Web App.
Demonstration Steps
1. On LON-CAS1, in the EAC, create a new shared mailbox with the following information:
o Display name: Sales Information
o Email address: salesInfo
o Assign Full Access permission to Aidan Delany and Amr Zaki.
o Mailbox database: Mailbox Database 1
2. On LON-CAS1, log on to Outlook Web App as Administrator, and send a message to the Sales In
3. On LON-CL1, logged in as Aidan, switch to Outlook 2013, and verify that the Sales Information f
4. Reply to the message sent to the Sales Information mailbox.
5. Access Outlook Web App as Amr, and open the Sales Information mailbox.
What Are Linked Mailboxes?
Linked mailboxes provide mailboxes for users whose primary accounts are located in a separate, trusted forest. Users with a linked mailbox sign in to their local AD DS domain using the local credentials, and those credentials are then used to access a mailbox in an Exchange organization in a different forest.

Linked mailboxes can be useful in the following two scenarios:
Organizations deploy Exchange in a resource forest. When organizations deploy Exchange in a reso
(called account forests).
Organizations use linked mailboxes in a merger or acquisition scenario. In this scenario, both organ
ns. The users from one of the organizations can be configured with linked mailboxes in the other or
When configuring a linked mailbox, the user account that is used to access the linked mailbox does not exist in the forest where Exchange is deployed. When you create the linked mailbox, a disabled user account is created in the domain where Exchange is deployed and associated with the linked mailbox. The user account from the account forest is granted full control of the mailbox.
To implement linked mailboxes, perform the following steps:
Configure a one-way trust in which the domain where Exchange is deployed trusts the domain wh
way trust is required.
Make sure that the user account exists in the account forest before you create a linked mailbox. Yo
In addition to configuring the one-way trust, you also should consider creating a two-way trust be
way trust is not required, but the account that creates the linked mailbox must have permissions to
way trust, you will need to provide account forest administrator credentials when you create the lin
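Creating a linked mailbox from the Exchange Management Shell once the trust is in place, then checking what was created, as an added example that is not part of the course text. The account forest (treyresearch.net), its domain controller, the user and the database name are constructed for the example.

```powershell
# Added example, not from the course material. Forest, DC, user and database
# names are constructed placeholders.

# Supplying account-forest credentials is only needed when no two-way trust exists
# and the admin running this has no rights in the account forest.
$accountForestCred = Get-Credential -Message "Account-forest administrator"

New-Mailbox -Name "Ayla Kol" -Alias akol -UserPrincipalName akol@adatum.com `
    -Database "Mailbox Database 1" `
    -LinkedMasterAccount "TREYRESEARCH\akol" `
    -LinkedDomainController "lon-dc1.treyresearch.net" `
    -LinkedCredential $accountForestCred

# What Exchange created in the resource forest: a disabled shadow account, and a
# mailbox whose access is bound to the principal from the account forest.
Get-User -Identity akol | Format-List Name, UserAccountControl
Get-Mailbox -Identity akol | Format-List RecipientTypeDetails, LinkedMasterAccount

# Periodic review: every linked mailbox and the external principal that controls it.
# A mailbox whose master account has since been deleted in the account forest is an
# orphan that should be removed or converted rather than left in place.
Get-Mailbox -RecipientTypeDetails LinkedMailbox -ResultSize Unlimited |
    Select-Object Name, LinkedMasterAccount, Database
```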
Lesson 2: Managing Other Exchange Recipients
Exchange Server 2013 provides several other types of recipients besides the various types of mailboxes. These recipients include distribution groups, which are used to send mail to groups of recipients and assign permissions in an Exchange Server organization, and mail contacts and mail users. This lesson provides an overview of these recipient types and describes how to manage them.
Lesson Objectives
After completing this lesson, you will be able to:
Describe distribution groups.
Create and configure distribution groups.
Configure self-service management of distribution groups.
Manage mail contacts and mail users.
Configure site mailboxes.
What Are Distribution Groups?
Distribution groups in Exchange Server are mail-enabled groups. When you mail-enable a group, Exchange Server 2013 assigns an email address to the group, and the group by default is added to the GAL. You can use mail-enabled groups to allow users to send email to multiple recipients. Mail-enabled security groups also allow you to assign permissions simultaneously to multiple users for Exchange Server objects, such as shared mailboxes and public folders.

In Exchange Server 2013, you can create two types of mail-enabled groups:
Universal security groups. Universal security groups in AD DS are used to assign permissions to
Universal distribution groups. Universal distribution groups in AD DS can only be used to group
Dynamic Distribution Groups
Exchange Server 2013 also supports dynamic distribution groups. Dynamic distribution groups are mail-enabled group objects that do not have a pre-configured list of members. Instead, the membership list for dynamic distribution groups is calculated each time a message is sent to the group.
When you configure a dynamic distribution list, you can define the group membership based on various filters and conditions. For example, you might create a dynamic distribution list that includes all users in a specific building, or that includes all users located in a specific organizational unit. When an email message is sent to a dynamic distribution group, the Exchange Server queries a global catalog server for all recipients in the organization that match the criteria defined for that group. The Exchange Server then populates the group based on the query, and delivers the mail to the users.
Demonstration: Creating and Configuring Distribution Groups
In this demonstration, you will see how to configure various types of distribution groups.
Note: You cannot mail-enable an existing universal distribution or security group in the EAC. To mail-enable an existing group, use the Enable-DistributionGroup cmdlet.
Demonstration Steps
1. On LON-CAS1, connect to the EAC, and sign in as Adatum\administrator.
2. Create a new distribution group with the following settings:
o Display name: Sales Managers
o Alias: SalesManagers
o Organizational unit: Sales
o Members: Bonnie Kearney, Dennis Bye
o Owner approval is required: Closed
o Choose whether the group is open to leave: Closed
3. Create a new security distribution group with the following settings:
o Display name: IT Managers
o Alias: ITManagers
o Organizational unit: IT
o Members: April Reagan, Magnus Hedlund
o Owner approval is required: Selected
4. Configure the group to require message moderation, assign Amr Zaki as the moderator, and config
5. Create a dynamic distribution group with the following settings:
o Display name: Developers
o Alias: Developers
o Organizational unit: Development
o Owner: Administrator
o Members: include everyone in the Development group
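The three groups from the demonstration steps, including the moderated security group and the dynamic group whose membership is a recipient filter (see Dynamic Distribution Groups above), created from the Exchange Management Shell, as an added example that is not part of the course text. Group and user names follow the lab; the organizational unit paths and the Department filter are assumptions.

```powershell
# Added example, not from the course material. OU paths and the Department
# attribute value are constructed; names follow the Adatum lab.

# Closed distribution group: owner approval to join, and members cannot leave freely.
New-DistributionGroup -Name "Sales Managers" -Alias SalesManagers `
    -OrganizationalUnit "adatum.com/Sales" -Type Distribution `
    -Members "Bonnie Kearney", "Dennis Bye" `
    -MemberJoinRestriction Closed -MemberDepartRestriction Closed

# Mail-enabled security group (usable in permission assignments) with moderation:
# every message is held until Amr Zaki approves it, and senders are notified.
New-DistributionGroup -Name "IT Managers" -Alias ITManagers `
    -OrganizationalUnit "adatum.com/IT" -Type Security `
    -Members "April Reagan", "Magnus Hedlund" `
    -MemberJoinRestriction ApprovalRequired
Set-DistributionGroup -Identity "IT Managers" -ModerationEnabled $true `
    -ModeratedBy "Amr Zaki" -SendModerationNotifications Always

# Dynamic distribution group: the membership is not stored; the filter below is run
# against a global catalog each time mail is sent to the group.
New-DynamicDistributionGroup -Name "Developers" -Alias Developers `
    -OrganizationalUnit "adatum.com/Development" `
    -RecipientContainer "adatum.com/Development" `
    -RecipientFilter "((RecipientTypeDetails -eq 'UserMailbox') -and (Department -eq 'Development'))" `
    -ManagedBy Administrator

# Preview who the filter matches right now. Because membership is computed at send
# time, this is the only way to confirm a filter change has not silently widened
# (or emptied) the group before anyone mails it.
$ddg = Get-DynamicDistributionGroup -Identity "Developers"
Get-Recipient -RecipientPreviewFilter $ddg.RecipientFilter `
    -OrganizationalUnit $ddg.RecipientContainer |
    Select-Object Name, PrimarySmtpAddress, Department
```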
Implementing Self-Service Distribution Group Management
In some organizations, managing distribution groups can be complex and time consuming.

Distribution group membership lists might need to be updated frequently, and it might not be clear which users should be added to the different distribution groups. Business-unit administrators or project leaders are often the best people to determine who should be added to specific distribution groups. In some cases, organizations may want to grant users the ability to add themselves to certain distribution groups.
Exchange Server 2013 provides the following options for enabling self-service distribution group management:
Assign non-Exchange administrators as distribution group owners. With this option, Exchange administrators w
he group properties in Outlook or through the Outlook Web App.
Note: In Exchange Server 2013, you can only add individual mailboxes as owners of a distribution
Enable open distribution-group memberships. You can configure distribution groups to enable user
o For security distribution groups, you can configure the group to require owner approval to join gro
o For distribution groups that are not security groups, you can configure the group membership as o
he group, and they will be joined to the group when the owner approves the request.
Enable users to create and manage their own distribution groups. You also can enable users to creat
ent policy and enable the MyDistributionGroups role. This option gives users permission to create m
Configuring Group Naming Policies
If you enable users to create their own groups, you may still want to maintain some control of the names assigned to the distribution groups. You can configure a group naming policy to manage names assigned to distribution groups created by users. In the group naming policy, you can configure a prefix and suffix that will be added to the name for a distribution group when it is created. You also can block specific words from being used. With a group naming policy configured, users provide the display name for the group, and then the prefix or suffix that you have defined in the group naming policy is applied to the group.
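The three self-service options and the group naming policy described above, configured from the Exchange Management Shell, as an added example that is not part of the course text. Group and user names follow the lab; the naming-policy pattern and the blocked-words list are assumptions.

```powershell
# Added example, not from the course material. The naming pattern and the
# blocked words are constructed; group and user names follow the Adatum lab.

# Option 1: make a non-Exchange administrator the owner. Owners manage membership
# from Outlook or Outlook Web App without holding any Exchange management role.
Set-DistributionGroup -Identity "Sales Managers" -ManagedBy "Bonnie Kearney"

# Option 2: open membership. Users add and remove themselves; use ApprovalRequired
# instead of Open if the owner should confirm each join request.
New-DistributionGroup -Name TechDiscussion -Alias TechDiscussion -Type Distribution `
    -MemberJoinRestriction Open -MemberDepartRestriction Open

# Option 3: let users create their own groups by adding the MyDistributionGroups role
# to the default role assignment policy. This applies to every mailbox that uses the
# policy; to limit the right to some users, assign the role to a custom policy instead.
New-ManagementRoleAssignment -Role MyDistributionGroups -Policy "Default Role Assignment Policy"

# Naming policy: the user-supplied name is wrapped in a fixed prefix/suffix (here built
# from the creator's Department attribute), and names containing a blocked word are rejected.
Set-OrganizationConfig `
    -DistributionGroupNamingPolicy "DL_<GroupName>_<Department>" `
    -DistributionGroupNameBlockedWordsList "Admin", "Executive", "Payroll"

# Check which role assignment policies currently grant MyDistributionGroups,
# i.e. which populations of users are able to create groups.
Get-ManagementRoleAssignment -Role MyDistributionGroups -RoleAssigneeType RoleAssignmentPolicy |
    Select-Object Name, RoleAssignee
```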
Demonstration: Configuring Self-Service Distribution Group Management
In this demonstration, you will see how to configure two different options for self-service group management. You will examine how to create a group that has an open membership list, and validate that users can join this group without owner approval. You will also see how to create a group naming policy, and enable users to create and manage their own groups.
Note: In this demonstration, you are granting all users the right to create distribution groups by editing the Default Role Assignment Policy. To limit which users can create distribution groups, create a custom role assignment policy that grants permission to create distribution groups, and then assign that role assignment policy to selected users.
Demonstration Steps
1. On LON-CAS1, log on to EAC and create a new distribution group named TechDiscussion wit
2. In LON-CL1, connect to Outlook Web App and log on as Amr.
3. Access the Outlook Web App Options page, and verify that Amr can join the TechDiscussion d
4. On LON-CAS1, in the EAC, create a new distribution group naming policy that assigns a suffi
5. Enable the MyDistributionGroups option for the Default Role Assignment Policy.
6. In LON-CL1, connect to Outlook Web App, and log on as Aidan.
7. Access the Outlook Web App Options page, and create a new distribution group named EXAdm
8. Verify that the group naming policy is applied.
Managing Mail Contacts and Mail Users
Mail contacts are mail-enabled AD DS contacts.

These contacts contain information about people or organizations that exist outside your Exchange Server organization. You can view mail contacts in the GAL and other address lists, and you can add them as members to distribution groups. Each contact has an external email address, and all email messages that are sent to a contact are automatically forwarded to that address.
If multiple people within your organization contact a trusted external person, you can create a mail contact with that person's email address. This allows Exchange Server users to select that person from the GAL for sending email.
Mail Users
Mail users are similar to mail contacts. Both have external email addresses; both contain information about people outside your Exchange Server organization, and both can be displayed in the GAL and other address lists. However, unlike mail contacts, mail users have AD DS logon credentials and a security identifier (SID) that enable them to access network resources to which they are granted permission.
If a person external to your organization requires access to resources on your network, you should create a mail user instead of a mail contact for that individual. For example, you might want to create mail users for short-term consultants who require access to your server infrastructure, but who will use their own external email addresses.
In another scenario, you can create mail users for whom you do not want to maintain an Exchange Server mailbox. For example, after an acquisition, the acquired company may maintain its own messaging infrastructure, but it may also need access to your network's resources. For those users, you might want to create mail users instead of mailbox users.
Lesson 3: Planning and Implementing Public Folder Mailboxes
One significant change in Exchange Server 2013 is the way that public folders are implemented. In previous versions of Exchange Server, public folders were stored in a dedicated public folder database. Public folder databases could not be replicated in a database availability group (DAG), so they used public folder replication to provide high availability and redundancy. In Exchange Server 2013, public folders are now stored in regular mailbox databases rather than being stored in dedicated databases.
This lesson provides an overview of how public folders are implemented in Exchange Server 2013 and describes how to create and manage public folders.
Lesson Objectives
After completing this lesson, you will be able to:
Describe public folders implementation in Exchange Server 2013.
Manage public folders.
Configure public folder mailboxes and public folders.
Describe considerations for implementing public folders.
Using Public Folders in Exchange Server 2013
Public folders were available in all previous versions of Exchange Server. Many organizations use public folders as a means of sharing information between groups of users. With public folders, multiple users can access a shared folder in Outlook.
In Exchange Server 2013, the underlying architecture for public folders has changed entirely without significantly changing the user experience with public folders. In Exchange Server 2013:
Public folders are stored in a special type of mailbox called a public folder mailbox. In previous ver
lic folder mailbox stores the public folder hierarchy as well as the public folder contents.
Public folder mailboxes can be stored in mailbox databases that are part of a DAG. In previous vers
n provide high availability for the public folder deployment using the same mechanism as the one u
Public folders are spread across multiple public folder mailboxes. In previous versions of Exchange
eate public folders and store the public folders in different mailboxes, which can be located on Mai
Note: An important difference between public folder replication in previous versions of Exchange S
change Server, you can have multiple copies of the public folder contents, and public folder replica
master process. In Exchange Server 2013, you can only store the public folder contents in one mailb
nts still only access the mailbox in the active copy of the database.
Public folders are accessed by clients only for Outlook 2007 or later. In Exchange Server 2013, Out
To implement public folders in Exchange Server 2013, you first must create a primary public folder hierarchy mailbox. The primary public folder mailbox contains the only writeable copy of the public folder hierarchy. After creating the primary public folder mailbox, you can create additional public folder mailboxes as secondary public folder mailboxes. The secondary public folder mailboxes will contain read-only versions of the public folder hierarchy.
After creating the primary public folder mailbox, you can begin creating public folders. By default, all public folders are created in the primary public folder mailbox. If you create a secondary public folder mailbox, you can create public folders in the secondary public folder mailbox only if you create the public folder using the New-PublicFolder cmdlet with the Mailbox parameter.
Managing Public Folders
After you create the public folder mailboxes and public folders, you might need to perform several additional management tasks on the public folders.

Configure Public Folder Permissions
In Exchange Server 2013, administrative permissions to manage public folders are enabled through Role Based Access Control (RBAC). To grant users permission to manage public folders, you must add them to the Public Folder Management role group.
Many organizations also configure public folder client permissions or access rights for users. These permissions are used to restrict the actions users can perform in the public folder. Client permissions have not changed compared to previous versions of Exchange Server. You can assign permissions to users by using roles such as Owner, Publishing Editor, or Author. These roles include multiple types of access. For example, the Publishing Editor role has the Create items, Read items, Create subfolders, Folder visible, Edit own, Edit all, Delete own, and Delete all permissions. You also can assign custom permissions by using a variety of the access rights.
You can configure client permissions in the EAC by selecting the public folder and then clicking Manage under Folder permissions. You can also configure client permissions by accessing the public folder properties in Outlook, or by using the Add-PublicFolderClientPermission and Remove-PublicFolderClientPermission cmdlets.
When you create a public folder, it automatically inherits the same client permissions as the parent public folder. When you change the permissions on a parent folder, you have the option to enforce the permission change for all subfolders. The default permissions assigned to new root folders are Author for authenticated users and None for anonymous users.
Mail-enable Public Folders
Mail-enabling a public folder assigns an SMTP address to it and lists it in the GAL. Users can then post messages to the public folder by sending email messages to it. When a public folder is mail-enabled, you can configure additional settings on the public folder such as email addresses and mail quotas. You can mail-enable a public folder in the EAC by selecting the public folder and then clicking Enable under Mail settings. You can also use the Enable-MailPublicFolder cmdlet.
Manage Quota Limits and Retention Settings
You can manage the default quota limits and retention settings for all public folders in the organization by using the Set-OrganizationConfig cmdlet. You also can configure these settings on individual public folders by using the Set-PublicFolder cmdlet.
Monitor Public Folders
Exchange Server 2013 provides several cmdlets that can be used to monitor and manage public folders:
Get-PublicFolderItemStatistics. Displays information about items within a specified public folder. The
Get-PublicFolderStatistics. Displays statistical information about all public folders, such as folder
Get-PublicFolderMailboxDiagnostics. Displays event-level information about a public folder mai
Update-PublicFolderMailbox. Used to update the hierarchy for public folders.
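The public folder mailboxes and folder tree from the demonstration that follows, with the management tasks described above (client permissions, mail-enabling, quotas, monitoring) applied from the Exchange Management Shell, as an added example that is not part of the course text. Mailbox and folder names follow the lab; the second database name, the IT Managers group and the quota values are assumptions.

```powershell
# Added example, not from the course material. "Mailbox Database 2", the
# IT Managers group and all quota values are constructed.

# Primary hierarchy mailbox (the only writeable copy of the hierarchy) and one secondary.
New-Mailbox -PublicFolder -Name PFMBX1 -Database "Mailbox Database 1"
New-Mailbox -PublicFolder -Name PFMBX2 -Database "Mailbox Database 2"

# Folders land in the primary mailbox unless -Mailbox names a secondary one.
New-PublicFolder -Name Departments
New-PublicFolder -Name IT -Path "\Departments"
New-PublicFolder -Name Research -Path "\Departments" -Mailbox PFMBX2

# Client permissions on the whole tree: Administrator becomes Owner, a security group
# gets Publishing Editor, and the inherited Default (authenticated users) entry is
# lowered from Author to Reviewer so ordinary users can read but not post.
Get-PublicFolder -Identity "\Departments" -Recurse | ForEach-Object {
    Add-PublicFolderClientPermission -Identity $_.Identity -User Administrator -AccessRights Owner
    Add-PublicFolderClientPermission -Identity $_.Identity -User "IT Managers" -AccessRights PublishingEditor
    Remove-PublicFolderClientPermission -Identity $_.Identity -User Default -Confirm:$false
    Add-PublicFolderClientPermission -Identity $_.Identity -User Default -AccessRights Reviewer
}

# Mail-enable the IT folder so it appears in the GAL and accepts SMTP posts, and
# refuse anonymous (external) senders so the folder cannot be filled from the Internet.
Enable-MailPublicFolder -Identity "\Departments\IT"
Set-MailPublicFolder -Identity "\Departments\IT" -RequireSenderAuthenticationEnabled $true

# Organization-wide quota defaults, then a tighter override on one folder.
Set-OrganizationConfig -DefaultPublicFolderIssueWarningQuota 1.5GB `
    -DefaultPublicFolderProhibitPostQuota 2GB -DefaultPublicFolderMaxItemSize 25MB
Set-PublicFolder -Identity "\Departments\IT" -IssueWarningQuota 200MB `
    -ProhibitPostQuota 250MB -MaxItemSize 10MB

# Push the hierarchy to the secondary mailbox now instead of waiting for the next sync.
Update-PublicFolderMailbox -Identity PFMBX2

# Monitoring: the largest folders, and every explicit Owner grant in the hierarchy
# (the list to review when checking who can change permissions on shared content).
Get-PublicFolderStatistics | Sort-Object TotalItemSize -Descending |
    Select-Object Name, ItemCount, TotalItemSize -First 10
Get-PublicFolder -Recurse | Get-PublicFolderClientPermission |
    Where-Object { $_.AccessRights -like "*Owner*" } |
    Select-Object Identity, User
```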
Demonstration: Creating and Configuring Public Folders
In this demonstration, you will see how to create and configure public folders in Exchange Server 2013. You will also see how to configure public folder permissions in the EAC.
Demonstration Steps
1. On LON-CAS1, in the EAC, create two new public folder mailboxes, PFMBX1 and PFMBX2
2. Create a public folder named Departments.
3. Create a child public folder to the Departments public folder named IT.
4. Open the Exchange Management Shell and use the Get-PublicFolder cmdlet to view the prope
5. Use the New-PublicFolder cmdlet to create the Research public folder as a subfolder under th
6. Configure the Administrator account as the Owner of the Departments folder and all subfolder
Migrating Public Folders to Exchange Server 2013
Because of the entirely new architecture for Exchange Server 2013 public folders, it is more complicated to migrate public folders from previous versions of Exchange Server than it was in older versions. To complete the migration, you must copy the contents of public folders from Exchange Server 2007 Service Pack 3 (SP3) Update Rollup 10 (RU10) or Exchange Server 2010 SP3 to the Exchange Server 2013 public folder mailboxes, and then switch all access to public folders to the new environment. Exchange Server 2013 provides several new *PublicFolderMigrationRequest cmdlets, in addition to several PowerShell scripts, to help you complete the migration. These cmdlets use the Microsoft Exchange Mailbox Replication Service to perform the migration.

The high-level steps to complete the public folder migration from Exchange Server 2010 are listed below. You can use the same steps to migrate public folders from Exchange Server 2007.
1. Prepare the environment for the migration. To prepare the environment, perform the following step
a. On the Exchange Server 2010 SP3 server, take a snapshot of the current public folder deploymen
PublicFolder, Get-PublicFolderStatistics, and Get-PublicFolderClientPermission cmdlets to
b. On the Exchange Server 2010 SP3 server, verify that there is no previous record of a successful o
c. On the Exchange Server 2013 server, verify that there are no existing public folder migration req
d. Ensure that there are no existing public folders on the Exchange Server 2013 servers.
2. Prepare the public folder mapping file. This step includes:
a. On the Exchange Server 2010 or Exchange Server 2007 server, generate the comma-separated va
PublicFolderStatistics.ps1 script to create the mapping file that maps the folder name to the fol
b. Create the Folder-to-Mailbox mapping file. This file will be used to create the correct number of public folder mailbo
to-mailbox mapping file.
3. Create the public folder mailboxes on the Exchange 2013 server. Verify that the public folder mail
4. Start the migration request. On an Exchange Server 2013 Mailbox server, run the New-PublicFol
5. Lock down the public folders on the previous versions of Exchange Server for final migration. Du
the Set-OrganizationConfig -PublicFoldersLockedForMigration:$true command on an Excha
6. Finalize the public folder migration. In the final step, run the Set-PublicFolderMigrationRequest cmdlet and set the PreventCompletion flag to false. Then resume the pu
ou complete the migration, all clients will need to access the public folders on the Exchange Server
ed.
Note: This topic provides a high-level description for the process of migrating public folders from
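The six migration steps above as the Exchange Management Shell commands they correspond to, as an added example that is not part of the course text. The legacy server name (lon-ex2010), the working folder, the 10 GB mailbox size and the pilot user are assumptions; the two scripts are the ones shipped in the Exchange 2013 Scripts folder.

```powershell
# Added example, not from the course material. Server, path, size and pilot-user
# values are constructed. Lines marked (2010) run on the legacy server, the rest on 2013.

# --- Step 1 (2010): snapshot the legacy deployment and check for an earlier attempt ---
Get-PublicFolder -Recurse | Export-CliXml C:\PFMigration\Legacy_PFStructure.xml
Get-PublicFolderStatistics | Export-CliXml C:\PFMigration\Legacy_PFStatistics.xml
Get-PublicFolder -Recurse | Get-PublicFolderClientPermission |
    Export-CliXml C:\PFMigration\Legacy_PFPerms.xml
# Both flags must be False; a leftover True means a previous migration was started.
Get-OrganizationConfig | Format-List PublicFoldersLockedForMigration, PublicFolderMigrationComplete

# --- Step 1 (2013): no existing request, no public folder mailboxes, no folders ---
Get-PublicFolderMigrationRequest | Remove-PublicFolderMigrationRequest -Confirm:$false
Get-Mailbox -PublicFolder          # must return nothing
Get-PublicFolder                   # must return nothing

# --- Step 2 (2010): folder-size CSV, then the folder-to-mailbox map ---
Set-Location $exscripts
.\Export-PublicFolderStatistics.ps1 C:\PFMigration\PFSizeMap.csv lon-ex2010.adatum.com
# First argument is the largest size (bytes) any new public folder mailbox may hold;
# the script spreads the hierarchy over as many target mailboxes as that requires.
.\PublicFolderToMailboxMapGenerator.ps1 10000000000 C:\PFMigration\PFSizeMap.csv C:\PFMigration\PFMailboxMap.csv

# --- Step 3 (2013): create every mailbox named in the map. The first one becomes the
#     primary hierarchy mailbox and is held for migration; none serves the hierarchy yet. ---
$map = Import-Csv C:\PFMigration\PFMailboxMap.csv
$first = $true
foreach ($name in ($map.TargetMailbox | Select-Object -Unique)) {
    if ($first) {
        New-Mailbox -PublicFolder -Name $name -HoldForMigration:$true -IsExcludedFromServingHierarchy $true
        $first = $false
    } else {
        New-Mailbox -PublicFolder -Name $name -IsExcludedFromServingHierarchy $true
    }
}

# --- Step 4 (2013): start copying, then watch until the request auto-suspends ---
New-PublicFolderMigrationRequest -SourceDatabase (Get-PublicFolderDatabase -Server lon-ex2010) `
    -CSVData (Get-Content C:\PFMigration\PFMailboxMap.csv -Encoding Byte)
Get-PublicFolderMigrationRequest | Get-PublicFolderMigrationRequestStatistics -IncludeReport |
    Format-List Status, PercentComplete, Message

# --- Step 5 (2010): lock the legacy folders; users lose access from this point ---
Set-OrganizationConfig -PublicFoldersLockedForMigration:$true

# --- Step 6 (2013): allow completion, resume, validate with one pilot user, then open up ---
Set-PublicFolderMigrationRequest -Identity \PublicFolderMigration -PreventCompletion:$false
Resume-PublicFolderMigrationRequest -Identity \PublicFolderMigration
Set-Mailbox -Identity "Aidan Delany" -DefaultPublicFolderMailbox ($map.TargetMailbox | Select-Object -First 1)
# Once the pilot user confirms content and permissions, serve the hierarchy to everyone
# and, on the legacy side, mark the migration complete.
Get-Mailbox -PublicFolder | Set-Mailbox -PublicFolder -IsExcludedFromServingHierarchy $false
Set-OrganizationConfig -PublicFolderMigrationComplete:$true    # (2010)
```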
Considerations for Implementing Public Folders
Because of the entirely new architecture for public folders in Exchange Server 2013, your planning process for implementing public folders will differ considerably from the process you used with previous versions of Exchange Server. Some of the factors that you should consider when planning the public folder deployment include:

In previous versions of Exchange Server, organizations with Exchange Servers in multiple location
public folder mailbox. If your organization has multiple locations, you will need to plan the locatio
Planning the distribution of public folder contents may be complicated in organizations with a very
reate multiple public folder mailboxes and distribute the public folder contents across the mailboxe
n as the users who access the public folder contents or decrease the mailbox size.
Generally, public folder access has not changed for users. Users will still use their Outlook clients t
ant change for public folder users is that they will not be able to access public folders using Outlook
ut that change is transparent to the users.
We recommend that you locate the primary hierarchy mailbox in a mailbox database with multiple
Lesson 4: Managing Address Lists and Policies
In many messaging systems, you might host multiple SMTP domains, and therefore you would need to manage the email addresses assigned to the Exchange Server recipients. To make sure that recipients have the appropriate email addresses, you can create and apply email address policies.
In large organizations, the GAL may contain thousands of recipients. Finding a specific recipient in that list can be complicated. To simplify the process of finding recipients, you can configure address lists.
In this lesson, you will learn how to configure email address policies and address lists.
Lesson Objectives
After completing this lesson, you will be able to:
Describe address lists.
Configure address lists.
Configure offline address books.
Describe address book policies.
Configure address book policies.
Describe email address policies.
Configure email address policies.
What Are Address Lists?
Address lists are used to group recipient objects based on an LDAP query for specific AD DS attributes. You can use address lists to sort the GAL into multiple views, which makes it easier to locate recipients. This is especially helpful for very large or highly segmented organizations.

You can configure address lists with recipient filters that determine which objects belong in each address list. Address lists are evaluated every time a mail-enabled account is modified to determine on which address lists it should appear.
Example 1
Consider a company that has two large divisions and one Exchange organization. One division, named Fourth Coffee, imports and sells coffee beans. The other division, Contoso, Ltd., underwrites insurance policies. Because of the different nature of each business, the employees rarely communicate with each other.
To make it easier for employees to find recipients who exist only in their division, you can create two new custom address lists, one for Fourth Coffee and one for Contoso, Ltd. When employees search for recipients in their division, these custom address lists allow them to select only the address list that is specific to their division. However, if an employee is unsure about the division in which the recipient exists, the employee can search within the GAL that contains all recipients in both divisions.
Example 2
You can use subcategories of address lists, which are known as hierarchical address lists. For example, you can create an address list that contains all recipients in Vancouver and another address list that contains all Redmond recipients. You also can create another list called Research and Development within the Vancouver address-list container, which contains all employees who work in Vancouver's Research and Development department. This allows employees to more easily find the information they need.
Demonstration: Configuring Address Lists
In this demonstration, you will see how to create and configure address lists.
Demonstration Steps
1. On LON-CAS1, in the EAC, create a new address list called AllDepartments that includes only
2. Create another child address list under AllDepartments named Research that contains only use
3. On LON-CL1, in Outlook 2013, force a download of the offline address book.
4. Verify that the Research address list is listed and that it contains the correct users.
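The address lists from this demonstration created in the Exchange Management Shell instead of the EAC, followed by a check of which lists a recipient was actually placed on. This is an added example, not part of the course; it assumes that Research users carry Department = Research and that Allie (used later in the module) is one of them.

```powershell
# Added example, not part of the course: build the AllDepartments/Research address
# lists from the demonstration and verify membership before clients download the OAB.
# Assumptions: Research users have Department = "Research"; Allie is a Research user.

# Parent list: all mailbox users
New-AddressList -Name 'AllDepartments' -IncludedRecipients MailboxUsers

# Child list inside the AllDepartments container, limited to the Research department
New-AddressList -Name 'Research' -Container '\AllDepartments' `
    -RecipientFilter { (RecipientType -eq 'UserMailbox') -and (Department -eq 'Research') }

# Membership is recalculated when a recipient is modified; update now so existing
# recipients are stamped with the new lists without waiting for a change to each one
Update-AddressList -Identity '\AllDepartments'
Update-AddressList -Identity '\AllDepartments\Research'

# Check which address lists a single recipient appears on
Get-Recipient -Identity 'Allie' | Select-Object Name, Department, AddressListMembership

# Research users the filter did NOT pick up (for example a mismatched Department value
# or a recipient type other than UserMailbox)
Get-Recipient -ResultSize Unlimited -Filter { Department -eq 'Research' } |
    Where-Object { $_.AddressListMembership.Name -notcontains 'Research' } |
    Select-Object Name, RecipientType, Department

# Cached-mode Outlook (demo step 3) reads address lists from the offline address book,
# so add the new list to the default OAB and regenerate it ahead of the 5 a.m. schedule
$oab   = Get-OfflineAddressBook | Where-Object { $_.IsDefault }
$lists = @($oab.AddressLists | ForEach-Object { $_.DistinguishedName }) + '\AllDepartments\Research'
Set-OfflineAddressBook -Identity $oab.Identity -AddressLists $lists
Update-OfflineAddressBook -Identity $oab.Identity
```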
Configuring Offline Address Books
The offline address book is used by Outlook clients when you configure the clients to use a cached mode Outlook profile, or when the client is in offline mode. The offline address book is cached on the local client so that users can search the GAL when sending messages.
The default offline address book contains the entire GAL, which includes all recipients in the Exchange organization. You can create additional GALs and add them to a custom offline address book.
By default, the offline address book is generated on a Mailbox server only once each day at 5 a.m. This means that any additions, deletions, or changes made to mail-enabled recipients are only committed to the offline address book once daily, unless you modify the schedule to generate the offline address book more frequently.
The process of generating and distributing the offline address book consists of the following components:
Offline address book generation process. To create and update the offline address book, the Offline
(OABGen) service runs on the Mailbox server that hosts the Organization mailbox. The OABGen
tAccess\OAB folder.
Note: You can identify the Mailbox server that hosts the Organization mailbox by running the Get-
like "*oab*"} command. The only way to move the offline address book generation to another Exc
OAB virtual directory. The OAB virtual directory is the distribution point Microsoft Office Outlook
s server, and under the Exchange Back End website on Mailbox servers. By default, the OAB virtua
Autodiscover service. Autodiscover service was introduced in Exchange Server 2007 as a feature th
RL for Outlook clients.
OAB distribution. When clients need to download the offline address book, the client sends a reque
ributed directly from the Mailbox server to the client.
Offline Address Book Size Considerations
The size of the offline address book may be a concern in large organizations that have large directories, or in organizations that have deployed Office Outlook in cached mode. Offline address book sizes can vary from a few megabytes to a few hundred megabytes. The following factors can affect the size of the offline address book:
Usage of certificates in a company. The higher the number of public key infrastructure (PKI) certifi
(KB) to three KB. They are the single largest contributor to the offline address book size.
Number of AD DS mail recipients.
Number of AD DS distribution groups.
Information that a company adds to AD DS for each mailbox-enabled or mail-enabled object. For example, some organizations populate the address properties for each user; othe
Note: Previous versions of Exchange Server supported a variety of versions of the Offline Address
What Are Address Book Policies?
Address book policies can limit the information that users see in their GAL. Some organizations require that certain users be prohibited from seeing all of the other users in the GAL. For example, a large investment company may have several divisions that are competitors in selected markets, and allowing communication between investors in each division may violate trading laws. Other organizations that have extremely large GALs may want to limit the size of the offline address book for users. Limiting what users can see in the GAL is called GAL segmentation.

In Exchange Server 2013, you can use address book policies to configure GAL segmentation. When configuring an address book policy, you assign a GAL, an offline address book, a room list, and one or more address lists to the policy. You then can assign the address book policy to mailbox users, which means that the users can only see the objects in the GAL that are part of their policy.
Note: Address book policies provide a virtual segmentation of the GAL, and not a legal separation. This means that users may sometimes be aware of other recipients in the organization that are not part of their address book policy. For example, a distribution group that is included in the address book policy may include recipients from other address book policies. If one of those recipients has an out-of-office message configured, the out-of-office message will be sent to anyone who sends to the distribution group.
Address book policies are only applied when the user's mailbox is located on an Exchange Server 2010 Service Pack 3 (SP3) or Exchange Server 2013 server. If you update the address book policy, the clients must reconnect their mailboxes before the new policy is applied. If a client accesses the global address list through other means, such as a direct LDAP query to a global catalog server, the address book policy does not apply.
Demonstration: Configuring Address Book Policies
Address book policies contain the following lists:
One GAL
One offline address book
One room-address list
One or more address lists
In this demonstration, you will see the following steps that are required to configure an address book policy for users in the Research department at A. Datum:
Create a global address list for the Research department.
Create a new offline address book for the Research department.
Create the address book policy.
Note: In this demonstration, you will use the default All Rooms address list rather than create a cu
Demonstration Steps
1. On LON-CAS1, if required, open the Exchange Management Shell.
2. Use the following commands to create the address book policy and assign the policy to all users
New-GlobalAddressList -Name ResearchGAL -RecipientFilter {(Department -eq "Research")}
Update-GlobalAddressList -Identity ResearchGAL
New-OfflineAddressBook -Name "ResearchOAB" -AddressLists "ResearchGAL"
New-AddressBookPolicy -Name ResearchABP -AddressLists \AllDepartments\Research -OfflineAddressBook ResearchOAB -GlobalAddressList ResearchGAL -RoomList "\All Rooms"
Get-Mailbox -OrganizationalUnit Research | Set-Mailbox -AddressBookPolicy ResearchABP
3. On LON-CL1, sign out, and then sign in as Allie using the password Pa$$w0rd.
4. Open Outlook 2013 and configure Allie's profile.
5. Verify that Allie can only see other members of the Research department in the GAL.
What Are Email Address Policies?
For a recipient to send or receive email messages, the recipient must have an email address. Email address policies generate the primary and secondary email addresses for recipients in an Exchange organization so that they can receive and send email.

You must create an accepted domain so that a domain in an email address policy functions properly. An accepted domain is an SMTP namespace that you configure in the Exchange organization so that the Exchange servers will accept messages sent to that SMTP namespace.
By default, the Exchange Server contains an email address policy that assigns one or more email addresses to every mail-enabled user. This default policy specifies the recipient's alias as the local part of the email address and uses the default accepted domain. The local part of an email address is the name that appears before the @ symbol. However, you can configure how your recipients' email addresses display. To specify additional email addresses for all recipients or just a subset of recipients, you can modify the default policy or create additional email address policies.
Creating an Email Address Policy
Exchange Server applies an email address policy to multiple recipients based upon an OPATH filter. OPATH is a querying language designed to query object-data sources. The filter defines the search scope in the AD DS forest and the attributes that are used to filter the GAL.
The new Email Address Policy Wizard provides a standard list of recipient scope filters. These include:
All recipient types. Select this check box if you do not want to filter recipient type.
Users with Exchange mailboxes. Select this check box if you want your email address policy to ap
Mail users with external email addresses. Select this check box if you want your email address p
on.
Resource mailboxes. Select this check box if you want your email address policy to apply to Excha
Mail contacts with external email addresses. Select this check box if you want your email addres
Mail-enabled groups. Select this check box if you want your email address policy to apply to secu
You can also configure a rule that can filter the recipients to which the email address policy will apply. Using this option, you can filter the recipients based on the following categories:
Recipient container. Use this to filter the recipient list based on the organization unit where the rec
State or province. Select this check box if you want the email address policy to include only recipi
Company. Select this check box if you want the email address policy to include only recipients in s
Department. Select this check box if you want the email address policy to include only recipients i
Custom attributes. There are 15 custom attributes for each recipient. There is a separate condition
When creating an email address policy, you can use the following email address types:
Default SMTP email address. Default SMTP email addresses are commonly used email address typ
Custom SMTP email address. If you do not want to use one of the default SMTP email addresses, y
mail address.

Variable   Value
%g         Given name (first name)
%i         Middle initial
%s         Surname (last name)
%d         Display name
%m         Exchange alias
%xs        Uses the x number of letters of the surname. For example, if x=2, the first two letters of the surna
%xg        Uses the x number of letters of the given name. For example, if x=2, the first two letters of the gi

Non-SMTP email address. Exchange Server 2013 supports a number of non-SMTP address types in
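An added preview of what the template variables above produce, not code from the course: it expands a template for a set of constructed recipients (Adam Barr and Arlene Huff from the demonstration, plus an invented Adam Brown) and flags recipients that would receive the same address before the policy is applied. The New-EmailAddressPolicy call at the end assumes the Sales.adatum.com accepted domain from the demonstration exists.

```powershell
# Added example, not part of the course: preview the addresses an email address policy
# template generates (%g, %s, %i, %d, %m, %xg, %xs) and detect duplicate addresses.
# Sample recipients are constructed; they are not objects from the lab environment.

function Expand-EmailAddressTemplate {
    param(
        [Parameter(Mandatory)][string]$Template,    # e.g. 'SMTP:%g.%s@adatum.com'
        [Parameter(Mandatory)][psobject]$Recipient  # FirstName, LastName, Initials, DisplayName, Alias
    )
    $result = $Template
    # %xg / %xs first: the first x letters of the given name or surname
    foreach ($m in [regex]::Matches($Template, '%(\d+)([gs])')) {
        $count  = [int]$m.Groups[1].Value
        $source = if ($m.Groups[2].Value -eq 'g') { [string]$Recipient.FirstName } else { [string]$Recipient.LastName }
        $value  = $source.Substring(0, [Math]::Min($count, $source.Length))
        $result = $result.Replace($m.Value, $value)
    }
    # Single-letter variables: literal string replacement, no regex
    $result = $result.Replace('%g', [string]$Recipient.FirstName)
    $result = $result.Replace('%s', [string]$Recipient.LastName)
    $result = $result.Replace('%i', [string]$Recipient.Initials)
    $result = $result.Replace('%d', [string]$Recipient.DisplayName)
    $result = $result.Replace('%m', [string]$Recipient.Alias)
    # Exchange additionally removes characters that are not valid in an SMTP address;
    # that clean-up is not reproduced here.
    return $result
}

function Test-EmailAddressTemplate {
    # Expands the template for every recipient and groups identical results
    param(
        [Parameter(Mandatory)][string]$Template,
        [Parameter(Mandatory)][psobject[]]$Recipients
    )
    $Recipients |
        ForEach-Object {
            [pscustomobject]@{
                Recipient = $_.DisplayName
                Address   = (Expand-EmailAddressTemplate -Template $Template -Recipient $_)
            }
        } |
        Group-Object -Property Address |
        ForEach-Object {
            [pscustomobject]@{
                Address    = $_.Name
                Recipients = ($_.Group.Recipient -join ', ')
                Collision  = ($_.Count -gt 1)
            }
        }
}

# Constructed sample recipients: two names from the demonstration plus a deliberate clash
$sample = @(
    [pscustomobject]@{ FirstName = 'Adam';   LastName = 'Barr';  Initials = 'J'; DisplayName = 'Adam Barr';   Alias = 'Adam'   }
    [pscustomobject]@{ FirstName = 'Arlene'; LastName = 'Huff';  Initials = 'M'; DisplayName = 'Arlene Huff'; Alias = 'Arlene' }
    [pscustomobject]@{ FirstName = 'Adam';   LastName = 'Brown'; Initials = 'T'; DisplayName = 'Adam Brown';  Alias = 'AdamB'  }
)

# Default policy as modified in demo step 1: firstname.lastname, no collisions
Test-EmailAddressTemplate -Template 'SMTP:%g.%s@adatum.com' -Recipients $sample | Format-Table -AutoSize

# Sales policy from demo step 3: first name + first initial of the last name.
# Adam Barr and Adam Brown both expand to AdamB@Sales.adatum.com and are flagged.
Test-EmailAddressTemplate -Template 'SMTP:%g%1s@Sales.adatum.com' -Recipients $sample | Format-Table -AutoSize

# The equivalent policy in the Exchange Management Shell (runs only where the cmdlet exists;
# the Sales.adatum.com accepted domain from demo step 2 must already be present)
if (Get-Command New-EmailAddressPolicy -ErrorAction SilentlyContinue) {
    New-EmailAddressPolicy -Name 'Sales' -IncludedRecipients MailboxUsers -ConditionalDepartment 'Sales' `
        -EnabledEmailAddressTemplates 'SMTP:%g%1s@Sales.adatum.com'
    Update-EmailAddressPolicy -Identity 'Sales'
}
```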
Demonstration: Configuring Email Address Policies
In this demonstration, you will see how to modify the default email address policy and
how to create a new email address policy.
Demonstration Steps
1. On LON-CAS1, in the EAC, modify the default email address policy to add the firstname.lastn
2. Create a new accepted domain for Sales.adatum.com.
3. Create an email address policy that applies the email address first name first initial of last name
4. Examine the email addresses assigned to Adam Barr and Arlene Huff and verify that the email
Lab: Managing Recipient Objects
Scenario
You are the messaging administrator for A. Datum Corporation. A. Datum has purchased a new company named Trey Research. The Trey Research mailboxes will be hosted on your Exchange Server 2013 environment, but they must maintain a unique identity within the organization. All Trey Research users should use the TreyResearch.net SMTP domain to send and receive email. Trey Research users should be able to view only other users in the Trey Research business group.
You need to implement the messaging environment for the Trey Research users.
Lab Setup
Estimated time: 60 minutes
Virtual machines   20341B-LON-DC1
                   20341B-LON-CAS1
                   20341B-LON-MBX1
                   20341B-LON-CL1
User name          Adatum\Administrator
Password           Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Mana
2. In Hyper-V Manager, click 20341B-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
5. Repeat steps 2 to 4 for 20341B-LON-MBX1 and 20341B-LON-CAS1.
6. Repeat steps 2 and 3 for 20341B-LON-CL1. Do not log on until directed to do so.
Note: In some cases, messages sent in this lab may not be delivered immediately. You may notice
er labs:
1. On LON-MBX1, open the Exchange Management Shell.
2. Type Test-ServiceHealth, and press Enter. Verify that all required services are running. If the serv
3. Type Restart-Service MSExchangeSubmission, and press Enter.
4. Type Restart-Service MSExchangeDelivery, and press Enter. Check to see if the message has be
5. If not, type Restart-Service MSExchangeTransport, and press Enter. Check to see if the messag
6. If the messages are still not being delivered, restart the Microsoft Exchange Active Directory To
Exercise 1: Configure Trey Research Recipients
Scenario
You have received a script and a .csv file that you will use to create the recipients for the Trey Research users. However, you also need to configure other recipient objects for the Trey Research users, such as distribution groups and resource mailboxes. The project team has requested that you create the following recipient objects:
Create AD DS user accounts and mailboxes using a script provided by the project team.
Create room mailboxes and configure the mailboxes so only Trey Research users can book meeting
Configure a shared mailbox for the Sales department at Trey Research.
Configure distribution groups that include different departments at Trey Research.
Configure a dynamic distribution list that includes Trey Research and A. Datum users who are work
The main tasks for this exercise are as follows:
1. Create the Trey Research AD DS objects
2. Create the Trey Research mailboxes
3. Create the Trey Research distribution groups
Task 1: Create the Trey Research AD DS objects
1. On LON-CAS1, from Server Manager open the Active Directory Module for Windows Powe
2. Run the TreyResearchSetup.ps1 script from the e:\Labfiles\Mod03 folder.
3. Verify that the Trey Research OUs, users, and groups are created.
Task 2: Create the Trey Research mailboxes
1. On LON-CAS1, open the Exchange Management Shell and run the following commands:
To                                                                     Run
Create a mailbox database for Trey Research users                      New-Mailbo
Restart the Microsoft Exchange Information Store service on LON-MBX1  Invoke-Com {Restart-Ser
Mount the database                                                     Mount-Data
Create mailboxes for all Trey Research users                           Get-User O
Mail-enable all Trey Research groups                                   Get-Group
2. On LON-CAS1, open Internet Explorer and connect to https://LON-CAS1.adatum.com/ecp.
3. Sign in as Adatum\administrator using the password Pa$$w0rd.
4. Create a room mailbox with the following settings:
o Room name: TR_Room1
o Email address: TR_Room1
o Organizational unit: click Browse, click TreyResearch, and then click OK
o Location: Harrow
o Capacity: 20
o Mailbox database: TreyResearchDB
o Delegates: Charlotte Weiss
5. Enable all TreyResearch users to book meetings without moderation by running the Set-Calendar
6. Create a shared mailbox with the following settings:
o Display name: TreyResearch Sales
o Email address: TreyResearchSales
o Full access permission: TR_Sales
o Mailbox database: TreyResearchDB
Task 3: Create the Trey Research distribution groups
1. On LON-CAS1, in the EAC, create a new distribution group with the following settings:
o Display name: Trey_SalesMgrs
o Alias: TreySalesMgrs
o Organizational unit: TreyResearch\Sales
o Members: Florence Flipo, Sidney Higa
o Owner approval is required: Closed
o Choose whether the group is open to leave: Closed
2. Create another distribution group with the following settings:
o Display name: TreyResearchNews
o Alias: TreyResearchNews
o Organizational unit: TreyResearch
o Members: none
o Owner approval is required: Open
o Choose whether the group is open to leave: Open
3. On LON-CAS1, in the Exchange Management Shell, change to the E:\Labfiles\Mod03 folder and then run th
o $users = Import-Csv .\TreyResearchIntegrationTeam.csv
o foreach ($i in $users) { Set-Mailbox -Identity $i.alias -CustomAttribute1 "TreyResearch Integration Project Team" }
4. On LON-CAS1, in the EAC, create a new dynamic distribution group with the following settings.
o Display name: TreyIntegration
o Alias: TreyIntegration
o Organizational unit: TreyResearch
o Owner: Administrator
o Recipient container: Adatum.com
o Custom attribute 1: TreyResearch Integration Project Team
Results: In this exercise, you created AD DS user and group accounts for Trey Research, created a room mailbox with custom permissions, and configured a shared mailbox. You also configured distribution groups for the Trey Research users.
Exercise 2: Configure Address Lists and Policies for Trey Research
Scenario
Your second step in integrating Trey Research users into the A. Datum Exchange server environment is to create the address lists and policies required to ensure that the Trey Research users have the required functionality and separation of user information. To do this, you need to:
Configure TreyResearch.net as an accepted domain.
Create an email address policy for Trey Research users.
Create an address list for Trey Research users.
Create an address book policy for Trey Research users.
Validate the Trey Research deployment.
The main tasks for this exercise are as follows:
1. Configure TreyResearch.net as an accepted domain
2. Configure an email address policy for Trey Research users
3. Configure an address list for TreyResearch users
4. Configure an address book policy for Trey Research users
5. Validate the deployment
Task 1: Configure TreyResearch.net as an accepted domain
On LON-CAS1, in the EAC, create a new accepted domain called TreyResearch using the doma
Task 2: Configure an email address policy for Trey Research users
On LON-CAS1, in the EAC, create a new email address policy named TreyResearch Email that assigns a p
Task 3: Configure an address list for TreyResearch users
On LON-CAS1, in the EAC, create a new address list named TreyResearch that includes all reci
Task 4: Configure an address book policy for Trey Research users
On LON-C
To                                                                                                     Run
Create a global address list that includes only Trey Research users.                                   New-Globa
Update the Trey Research GAL.                                                                          Update-Glo
Create a new offline address book for the Trey Research GAL.                                           New-Offlin
Create a new room address list for all resource mailboxes in the TreyResearch OU.                      New-Addre Resources
Update the TreyResearchRooms address list.                                                             Update-Ad
Configure the TreyResearchOAB to be distributed through the LON-CAS1 and LON-MBX1 virtual directories. Set-OfflineA (Exchange
Update the TreyResearchOAB offline address book.                                                       Update-Off
Create a new address book policy that groups the Trey Research components.                             New-Addre TreyResear
Assign the TreyResearchABP to all mailboxes in the TreyResearch OU.                                    Get-Mailbo
Task 5: Validate the deployment
1. On LON-CAS1, in the EAC, verify that the TreyResearchABP has been assigned to Aaron Nic
2. On LON-CL1, sign in as Adatum\Aaron using the password Pa$$w0rd.
3. Open Outlook 2013 and configure Aaron's profile.
4. Create a new email message.
5. Review the recipients visible in the global address list. Verify that only Trey Research recipient
6. Send a message to the Trey_SalesMgrs distribution group.
7. Create and send a new meeting request and invite Cindy White and the TR_Room1 as a resourc
8. Connect to OWA and verify that you cannot join the Trey_SalesMgrs distribution group but tha
9. In Outlook, send a message to the TreyIntegration group.
10. Log on to OWA as TreyResearch\Aidan using the password Pa$$w0rd. Verify that Aidan recei
Results: In this exercise, you created an email address policy and address list for Trey Research. You also created an address book policy for Trey Research and validated the deployment.
Exercise 3: Configure Public Folders for Trey Research
Scenario
A. Datum has not implemented public folders, but Trey Research users have used public folders in the past and would like to continue using them. You need to create a public folder infrastructure for Trey Research users, and ensure that only Trey Research users have access to the public folders.
The main tasks for this exercise are as follows:
1. Create the public folder mailbox
2. Create the public folders
3. Configure public folder permissions
4. Validate the public folder deployment
5. To prepare for the next module
Task 1: Create the public folder mailbox
1. On LON-CAS1, in the EAC, create a new public folder mailbox named PFMBX1. Create the r
Task 2: Create the public folders
1. On LON-CAS1, in the EAC, create a new public folder named TreyResearch.
2. In the TreyResearch public folder, create a sub-folder named Research.
Task 3: Configure public folder permissions
1. On LON-CAS1, in the EAC, assign the TR_IT group as the owner of the TreyResearch public f
2. Assign the AllTreyResearch author permission to the public folders.
Task 4: Validate the public folder deployment
1. On LON-CL1, in Outlook 2013, verify that Aaron can access the public folders.
Task 5: To prepare for the next module
When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20341B-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 to 3 for 20341B-LON-CAS1, 20341B-LON-MBX1, and 20341B-LON-CL1.
5. In Hyper-V Manager, click 20341B-LON-DC1, and in the Actions pane, click Start.
6. In the Actions pane, click Connect. Wait until the virtual machine starts.
7. Sign in using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
8. Repeat steps 5 to 7 for 20341B-LON-MBX1. When you have successfully signed in to LON-MBX
Results: In this exercise, you will have created public folder mailboxes for Trey Research and verified that users can access the mailboxes.
Question: How would you ensure that meeting requests to room mailboxes are validated manually before being approved?
Question: How would you give access to allow a user to send messages from another mailbox without giving the user access to the mailbox contents?
Module Review and Takeaways
Best Practice
If you have a large number of users in your organization, spend some time learning how to manage recipients using the Exchange Management Shell and scripts. This will save you a significant amount of time once you are comfortable with using the commands.
Review Question(s)
Question: A company has two large divisions and one Exchange Server organization. Employees in the two divisions rarely communicate with each other. What can you do to reduce the number of recipients the employees of each division see when they open the Exchange address list?
Question: An organization has a large number of projects that leverage distribution groups. Managing group members takes considerable time. You need to reduce the time that the help desk staff spends managing groups so that they can work on other issues. What should you do?
Question: You employ contractors who need an email address from your company. The contractors should not be able to log onto your network, but you want the contractors to appear in the GAL. The company needs to enable the contractors to receive these messages in their current third-party mailboxes. What should you do?
Real-world Issues and Scenarios
Supplement or modify the following best practices for your own work situations:
Define clear naming conventions and adhere to them. Naming conventions help identify the locatio
Test global changes prior to making them in a production environment. Changes to global settings,
Module 4: Planning and Deploying Client Access Servers
Contents:
Module Overview
Lesson 1: Planning Client Access Server Deployment
Lesson 2: Configuring the Client Access Server Role
Lesson 3: Managing Client Access Services
Lab: Deploying and Configuring a Client Access Server Role
Module Review and Takeaways

Module Overview
Microsoft Exchange Server 2013 provides access to user mailboxes for many different clients. All messaging clients access Exchange Server mailboxes through a Client Access server. Because of the importance of this server role, you must understand how to plan, deploy, and configure it to support various client types. This module provides details on how to plan and implement the Client Access server role in Exchange Server 2013.
Objectives
After completing this module, you will be able to:
Plan Client Access server deployment.
Configure the Client Access server roles.
Manage Client Access services.
Lesson 1: Planning Client Access Server Deployment
The first step in deploying client access to Exchange Server mailboxes is planning the Client Access server deployment and configuration. You must consider several factors when designing deployment, including the hardware configuration and how you will provide access to the services enabled on the Client Access server. This lesson describes how to plan Client Access server deployment.
Lesson Objectives
After completing this lesson, you will be able to:
Describe the Client Access server role in Exchange Server 2013.
Describe the hardware and software requirements for Client Access server.
Plan Client Access server deployment.
Describe how Client Access server works.
Describe how Outlook clients connect to their mailboxes.
Describe how Client Access server works with multiple sites.
Plan client connectivity for Client Access server.
What Is the Client Access Server Role?

The Client Access server role in Exchange Server 2013 is one of two key roles for the entire messaging infrastructure. In fact, it is a mandatory component for each Exchange Server deployment.
The primary purpose of the Client Access server role is to accept and handle client connections and server Simple Mail Transfer Protocol (SMTP)-based connections, and proxy these connections to the Mailbox server.
The Client Access server also authenticates client connections, and provides content from the Mailbox server role to the clients. In Exchange Server 2013, clients cannot initiate a connection to the Mailbox server directly, in any scenario. All connections are routed through the Client Access server, which provides proxy services, and in Unified Messaging (UM) scenarios redirection, to the Mailbox server role. The Client Access server accepts SMTP connections from other SMTP servers on the Internet, and also establishes SMTP connections to the other SMTP servers on the Internet.
Unlike a Mailbox server, the Client Access server does not store any user data; nor does it perform any kind of message queuing. The Client Access server sends and accepts messages to and from the Internet by using its Front End Transport service, but it does not have the ability to accept and store messages for later delivery. The Front End Transport service should not be confused with, or mistakenly identified as a replacement for, the Hub or Edge Transport server roles from previous Exchange Server versions. It is simply a proxy for both client and server connections; actual email processing, and sending and receiving, happens on the Mailbox server role.
The Client Access server also provides services for messaging security. For clients, it provides Secure Sockets Layer (SSL)-based communication and authentication. The Client Access server also provides anti-malware and anti-spam functionality as SMTP traffic passes through it. The Client Access server's Front End Transport service cannot inspect message content, but it has complete access to the SMTP protocol conversation, so it can filter messages based on connections, domains, senders, and recipients. In addition, unlike Exchange Server 2010, which did not have an integrated anti-malware solution, Exchange Server 2013 allows you to configure anti-malware options for virus scanning. You should note that the Client Access server in Exchange Server 2013 does not have a transport agent for connection filtering that is enabled by default. You can create a transport agent if you need one.
Hardware and Software Requirements for the Client Access Server
When you plan a Client Access server deployment, you should consider general Exchange Server hardware and software requirements. If you choose to deploy a Client Access server together with the Mailbox server role, you should follow the hardware requirements for the Mailbox server, as it is a more resource-intensive role. If you choose to deploy the Client Access server on a separate server, the same software requirements that are discussed in this course will apply; however, you should design the Client Access server and Mailbox server hardware separately.
The Client Access server does not store any user data, so you do not have to provide separate storage for it. However, because this role is critical in an Exchange Server infrastructure, you should make sure that the Client Access server's hard drive is redundant (for example, in a mirror configuration). We also recommend that you deploy more than one Client Access server, if possible. If you deploy the Client Access server on a virtual machine, ensure that the machine is highly available.
Consider the following guidelines when designing the Client Access server configuration:
There is no specific recommended processor configuration for Client Access servers. However, we
The recommended memory configuration depends on the number of client connections and the tran
(RAM) for Client Access servers is 2 gigabytes (GB) of RAM per processor core, with a minimum o
The Client Access server is not a hard disk-intensive application, so you do not have to implement fast and expensive hard drives for it. You sh
The Client Access server requires a fast network connection to Mailbox servers and global-catalog servers. If you have a large number of internal Microsoft Office Outlook clients, the netw
gigabits-per-second (Gbps) network cards.
As a general guideline, you should deploy one Client Access server for every four Mailbox servers.
Planning Client Access Server Deployment
When you plan your Client Access server deployment, you must meet certain requirements to ensure a successful installation. In addition, there are options for deploying Client Access servers in scenarios where servers require high availability, or when multiple sites are deployed.
Requirements for Client Access Server Deployment
When you deploy Client Access servers, you must meet the following requirements:
You must have one Client Access server in each Active Directory site where you have Mailbox serv
If your Active Directory Domain Services (AD DS) forest includes multiple domains, each site m
Client Access servers should have a fast network connection to domain controllers and global-catal
If users must access their mailboxes from the Internet through the Client Access server, then the ser
Note: Because the server running the Client Access server role must be a member server in an Acti
t.
Options for Client Access Server Deployment
The Client Access server role performs a critical function in your Exchange Server organization. The following options are available when you deploy the Client Access server role:
You can deploy the Client Access server role on the same computer where the Mailbox server role
You can deploy the Client Access server role on a dedicated server. This deployment provides addi
You can deploy multiple servers running the Client Access server role. To provide high availability
Note: You can install Client Access servers on Mailbox servers that are database availability group (DAG) members. However, just adding the Client Access server to a DAG member does not provid
hardware load balancer for the Client Access server in this scenario.
How Does a Client Access Server Work?
In Exchange Server 2013, all messaging clients connect to a Client Access server when accessing an Exchange Server mailbox. The main purpose of the Client Access server is to accept, authenticate, and proxy or redirect client connections, while also handling SMTP message traffic with other SMTP servers. However, the Client Access server works differently in Exchange Server 2013 compared to the same role in Microsoft Exchange Server 2007 and Exchange Server 2010.
One of the most significant changes is the way that Client Access servers communicate with clients and the Mailbox server. In previous versions of Exchange Server, internal clients used Messaging Application Programming Interface (MAPI) remote procedure call (RPC) to connect to the Client Access server or Mailbox server, while external clients used the RPC over HTTPS, HTTPS, POP3, or IMAP4 protocol.
In Exchange Server 2013, MAPI over RPC is the primary protocol that Outlook uses, and it is now always packed inside HTTPS (also known as RPC over HTTPS or Outlook Anywhere), regardless of how the client connects. The connection from the client to the mailbox still goes through the Client Access server, which proxies the RPC over HTTPS connection from the client to the Mailbox server.
Exchange Server 2013 Service Pack 1 introduced a new connection protocol for Outlook 2013 SP1 clients called MAPI over HTTP. MAPI over HTTP moves connectivity to a true HTTP request/response pattern and no longer requires two long-lived TCP connections to be open for each session between Outlook and Exchange. This change reduces the number of concurrent TCP connections established between the client and server. MAPI over HTTP generates a maximum of 2 concurrent connections: one long-lived connection and an additional on-demand short-lived connection.
MAPI over HTTP improves the reliability and stability of the Outlook and Exchange connections by moving the transport layer to the industry-standard HTTP model. This allows a higher level of visibility of transport errors and enhanced recoverability. Additional functionality includes support for an explicit pause-and-resume function. This enables supported clients to change networks or resume from hibernation while maintaining the same server context. Implementing MAPI over HTTP does not mean that it is the only protocol that can be used for Outlook to access Exchange. Outlook clients that are not MAPI over HTTP capable can still use Outlook Anywhere (RPC over HTTPS) to access Exchange through a MAPI-enabled Client Access server.
The following diagram shows how a Client Access server works.
FIGURE 04.1: HOW DOES A CLIENT ACCESS SERVER WORK?
Note: To better understand how these connections work, you should understand the following key components that participate in this process:
MAPI. This is the set of protocol commands that Outlook clients use to interact with the mailbox se
RPC. This is the transport through which MAPI commands are issued to the Mailbox server.
HTTPS. This is the transport protocol, and it securely wraps MAPI/RPC commands that are distribu
On the Client Access server in Exchange Server 2010, the RPC/HTTP proxy is the Internet Information Services (IIS) component that terminates HTTP traffic. Once the HTTP traffic is terminated, the RPC traffic on the rest of the network path is allowed. However, when the Client Access server in Exchange Server 2013 terminates the HTTPS traffic, it decrypts it and inspects the MAPI/RPC commands. Then the traffic is re-encrypted with HTTPS and sent to the Mailbox server. Next, the traffic hits the RPC proxy endpoint in IIS on the Mailbox server. This endpoint component strips off the HTTPS, and then the MAPI commands are executed on the Mailbox server with an RPC. When the client's RPC over HTTPS connection reaches the Client Access server, the server uses the parameters contained within the RPC request to find the correct endpoint on the Mailbox server and send the request there.
In a manner similar to the connections from Outlook clients, POP3 and IMAP connections are proxied to the appropriate services on the Mailbox server role. SMTP connections from other SMTP servers are inspected, and the Client Access server proxies them to the Transport component on the Mailbox server. The Client Access server UM Call Router component redirects clients to the UM component on the Mailbox server role only for Unified Messaging communication.
Connecting Outlook Clients to Mailboxes

In Exchange Server 2007, internal clients used the Mailbox server FQDN to connect to the mailbox by using MAPI RPC. This was the last Exchange Server version in which clients directly connected to the Mailbox server. In Exchange Server 2010, internal clients moved to the Client Access server, and they used the Client Access server FQDN (or Client Access array name) to connect to their mailboxes.
On a Mailbox server, the RpcClientAccessServer property of each mailbox database was populated with the value of the Client Access array. Note that the Client Access array did not necessarily require two or more servers; you could create it with just one. This property value was distributed to the clients through the Autodiscover process, which automatically configured the client profile in Outlook to connect to the proper Client Access array and locate its mailbox.
Exchange Server 2013 no longer uses FQDNs of Client Access servers or arrays to locate user mailboxes. Instead, the Client Access server uses the GUID that is assigned to the user mailbox. When the client connects to the Client Access server and requests the mailbox content, the Client Access server performs a query on AD DS to determine the details of the client mailbox based on the mailbox's GUID. These details include data about the Mailbox server that hosts the user mailbox.
The Client Access server then uses RPC over HTTPS or MAPI over HTTPS to connect to the Mailbox server and retrieve the user's data. Because of this approach, when configuring an Outlook profile for the user, the server name will no longer be the Client Access server (or Client Access server array). Instead, the connection point is a string that is a unique identifier of the mailbox. It contains the mailbox GUID and a domain name part that is the primary domain name for the user.
A unique mailbox identifier is user specific. This information uniquely identifies the user and the mailbox. This is effectively the target for the RPC requests that the user makes in Outlook. In addition, this information is used to enable the Client Access server to find the appropriate Mailbox server for the user at any time. From the Outlook perspective, the unique mailbox identifier is actually the Mailbox server, because that is the endpoint for the connection.
With this approach, a Client Access server is no longer as tightly connected to a specific Mailbox server as it was in prior Exchange Server versions that used the RpcClientAccessServer property. This change provides greater flexibility in deployment and management.
By switching to RPC over HTTPS (or MAPI over HTTPS) connections only for the clients, the Client Access server becomes more lightweight. It no longer must have the RPC Client Access service installed. Benefits of this design can also be applied to site-resilience scenarios, in that administrators no longer must handle different namespaces when performing failover. Because the mailbox GUID and user principal name (UPN) are unique throughout the forest, a client connection can be established without referring to a specific Client Access server.
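As an added example (not from the course manual), the following Exchange Management Shell function shows the connection point described above, the mailbox GUID followed by the user's primary SMTP domain, for a given mailbox, and contrasts it with the Exchange Server 2010 RpcClientAccessServer property on the database. The mailbox identity anna@adatum.com is an assumption.

```powershell
# Added example, not from the course manual. Derives the Outlook connection point that
# Exchange Server 2013 hands to a client: <mailbox GUID>@<primary SMTP domain>, rather
# than a Client Access server FQDN. Run in the Exchange Management Shell; the mailbox
# identity used at the end is an assumption.
function Get-OutlookConnectionPoint {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Identity
    )

    $mailbox = Get-Mailbox -Identity $Identity -ErrorAction Stop

    # The domain part comes from the primary SMTP address (ToString() keeps this working
    # whether the property arrives as a typed SmtpAddress or as a string over remoting).
    $domain = ($mailbox.PrimarySmtpAddress.ToString() -split '@')[1]

    [pscustomobject]@{
        Identity        = $mailbox.Identity.ToString()
        ConnectionPoint = '{0}@{1}' -f $mailbox.ExchangeGuid, $domain
        Database        = $mailbox.Database.ToString()
        # Where the GUID resolves right now; this moves on a DAG failover while the
        # connection point above stays the same, which is why clients need no new profile.
        MailboxServer   = $mailbox.ServerName
    }
}

# For contrast, the Exchange Server 2010 mechanism: the database pointed clients at a
# Client Access array. Exchange Server 2013 Outlook clients no longer use this value.
function Get-LegacyRpcClientAccessServer {
    Get-MailboxDatabase | Select-Object Name, RpcClientAccessServer
}

Get-OutlookConnectionPoint -Identity 'anna@adatum.com' | Format-List
Get-LegacyRpcClientAccessServer | Format-Table -AutoSize
```

The ConnectionPoint value is what Outlook displays as the server name in the profile; comparing it with MailboxServer before and after a database switchover shows why clients no longer need to be repointed.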
How Does a Client Access Server Work with Multiple Sites?

Deploying Client Access servers in an environment with multiple AD DS sites adds complexity to deployment planning, particularly when you consider the options for providing Internet access to those Client Access servers.
In a single-site scenario, the Client Access server communicates directly with Mailbox servers. However, in a multiple-site scenario, things can work differently. In previous Exchange Server versions, such as the 2007 or 2010 versions, in a multiple-site scenario, Exchange Server directed clients to a Client Access server located in the same site as the Mailbox server, or a Client Access server in a remote site proxied a request to a Client Access server in the same site as the Mailbox server.
Exchange Server 2013 simplifies this process. When the client connects to the Client Access server in one site, and its Mailbox server is in another site, the Client Access server will proxy the client connection to the appropriate Mailbox server, without the need to first contact a Client Access server in the same site where the user's Mailbox server is located.
This works the same way in scenarios where you have a single Internet access point, or each site has its own Internet access point. The difference is that in scenarios where you have an Internet access point for each site that hosts Exchange servers, you will have to maintain multiple public names, one for each Client Access server that is published to the Internet. In addition, you must configure an external URL for each Client Access server. You must also make sure that clients can resolve the URL name in the Domain Name System (DNS) and can connect to the Client Access server using the appropriate protocol.
Note: In the case of a mixed Exchange Server environment, this connection path might not always work the same way. For example, if you have multiple AD DS sites, where Exchange Server 2013 is deployed in the Internet-facing site while a previous version of Exchange Server (such as 2007 or 2010) is deployed in another site, then the Exchange Server 2013 Client Access server will proxy the client connection to the Client Access server in the site where the user's Mailbox server resides.
In addition, using a proxy will not work for POP3 or IMAP4 messaging clients. These clients must connect to a Client Access server in the same Active Directory site as the user's Mailbox server.
Planning Client Connectivity for Client Access Server

Exchange Server 2013 supports different types of clients, although client support has changed from the prior version. The most significant change is that Microsoft Office Outlook 2003 is no longer supported as Exchange client software. In addition, email clients on the Mac operating systems that require Distributed Authoring and Versioning (DAV), such as Entourage 2008 for Mac RTM and Entourage 2004, are not supported.
In Exchange Server 2013, the following clients are supported natively:
Outlook 2013
Outlook 2010 SP1 with the April 2012 Cumulative Update
Outlook 2007 SP3 with the July 2012 Cumulative Update
Entourage 2008 for Mac, Web Services Edition
Outlook for Mac 2011
You also can connect to the Exchange Server 2013 Client Access server from email applications that are using the POP3 and IMAP4 protocols. These protocols are disabled by default, so you must enable and configure them before connecting clients. However, you cannot achieve full Exchange Server functionality with these protocols, so we recommend that you use the natively supported clients listed above.
Clients also can connect to the Exchange Server by using the Microsoft Exchange ActiveSync protocol. Clients that are using ActiveSync are predominantly mobile platforms, such as Windows Phone 7 and newer clients. ActiveSync clients also use HTTPS to connect to the Client Access server, so no additional configuration is needed on the Client Access server side, except for configuring ActiveSync policies, if needed.
Note: The Mail application in Windows 8 also uses the ActiveSync protocol to connect to the Exchange Server.
Lesson 2: Configuring the Client Access Server Role
After you deploy a Client Access server in your Exchange infrastructure, you must configure options to optimize its settings to meet your needs. You should configure namespaces and certificates, as well as security and authentication options. Because the Client Access server is communicating with servers and clients on the Internet, you should pay special attention when configuring this aspect. In this lesson, you will see how to configure the Client Access server role.
Lesson Objectives
After completing this lesson, you will be able to:
Configure Client Access server options.
Configure Namespaces on the Client Access server.
Configure Certificates on the Client Access server.
Secure the Client Access server.
Configure Authentication on the Client Access server.
Configure the Client Access server for Internet access.
Configure POP3 and IMAP4 Client Access.
Configuring Client Access Server Options
After you initially deploy a Client Access server role, there are several options that you should configure before you place the Client Access server in production. You can configure the Client Access server from the Exchange Management Shell, or by using the Exchange Administration Center (EAC). In the EAC, you can configure options in the following categories on the Client Access server:
Virtual Directory settings. These settings are used to configure each of the virtual directories that the Cli
Certificates. We recommend highly that organizations deploy a public or internally published certif
signed certificates. The Certificates pane in the EAC allows you to manage certificates and create ne
Mobile device settings. The Client Access server also manages options for mobile devices. You can
Mail flow. Administrators can use this node in the EAC to manage the transport component that res
Antimalware protection. Because the Client Access server includes malware filtering, the EAC allo
Outlook Anywhere options. You can configure options for external and internal host name and auth
Configuring Namespaces on a Client Access Server

Before deploying Exchange Server 2013, you must consider how you will implement your external namespaces. A namespace is a logical structure represented by a DNS domain name, such as adatum.com. The decisions you make about your DNS namespace affect the following:
DNS configurations
Digital certificates
Client configurations
Selecting a Namespace Model
Align your namespaces with your site configuration. In particular, consider implementing a separate namespace for each site that contains an Internet-facing Client Access server. You can configure Exchange Server 2013 according to one of the following organizational models:
Centralized data center. In this scenario, all Exchange servers are located within one physical site w
model does not support site resilience through using multiple data centers.
Single namespace with proxy sites. Only one site contains an Internet-facing Client Access server. Consequently, this model uses only one namespace. With this model, y
facing Client Access server, many users will access their mailboxes using a proxy.
Single namespace and multiple sites. Each site may have an Internet-facing Client Access server, or
facing Client Access servers. In this model, the sites use one namespace. As a reminder, because the
Regional namespaces. This model consists of multiple physical sites and multiple namespaces. For
duces proxying, but there are more DNS records and certificates to manage. In addition, you must c
Multiple forests. This model consists of multiple forests that have multiple namespaces. An organiz
Configuring Certificates on the Client Access Server

Because of the importance of using SSL to secure network traffic between Client Access servers and messaging clients, you must ensure that you deploy the appropriate certificates on the Client Access servers. You secure all client connections to the Client Access server using SSL.
Note: By default, the Client Access server is configured with a self-signed certificate that is not trusted by clients. You should remove this certificate and install a certificate from a trusted Certificate Authority (CA).
Identifying the source of the certificates is one of the most important considerations when planning the use of certificates. Exchange Server 2013 can use self-signed certificates, certificates issued by a public CA, or certificates issued by a private CA. Each type of certificate has advantages and disadvantages, which are described below.
Using a public CA provides the following benefits:
Client computers internally and on the Internet already trust the root CA, so certificates can be cha
The public CA provides full certificate and certificate-revocation management services.
The primary disadvantage of using a public CA is that certificates issued by public CAs are more expensive than self-signed certificates or certificates issued by internal CAs.
Companies that choose to use an internal CA to deploy certificates to the Exchange Server will experience the following benefits:
Revocation is managed internally, so certificates can be centrally revoked if a private key is comp
By managing your own CA, you have more flexibility in how you manage certificate distribution.
Internally issued certificates also have some disadvantages, including:
Implementing an internal CA can be complicated, and the complexity can introduce security proble
Although certificates issued by internal CAs are free, the cost of implementing and managing a CA
Client computers that are not members of an internal Active Directory domain do not automatically
Self-signed certificates can be deployed without any Public Key Infrastructure (PKI). When you install Exchange 2013, a self-signed certificate is automatically created for each Exchange Server computer. However, there is no centralized revocation list. If the private key of the certificate is compromised, each relying party must be notified manually to change to a new certificate and stop relying on the existing one.
In an Exchange Server 2013 environment, you can use the self-signed certificates for internal communication. You also can use these certificates to secure client connections to Client Access servers in test or evaluation scenarios. However, because none of the client computers trusts this certificate, we do not recommend this solution for a production environment. Instead, you should consider obtaining a certificate from a public CA or internal CA for all Client Access servers.
In most cases, you should deploy a certificate issued by a public CA if users access the Client Access server from the Internet. If only computers that are members of the internal domain access the Client Access server, you could consider using an internal, or private, CA. By deploying an enterprise CA, you can automate the process of distributing and managing certificates and certificate-revocation lists.
Note: If you plan to enable Federated Sharing, you must obtain a certificate for your Internet-accessible Client Access servers from a public trusted CA.
Certificates on Mailbox Server Role
In Exchange Server 2013, the Mailbox server role also comes with self-signed certificates preinstalled. By default, HTTP, Microsoft Exchange ActiveSync, POP3, and IMAP4 communication between and among the Mailbox servers and Client Access server, domain controllers, and global catalog servers is encrypted by using SSL. However, because clients do not connect directly to the Mailbox server, and it is not accessible from the Internet, it is not necessary to replace these certificates with a public certificate. You can choose to replace a certificate on the Mailbox server role with internally issued certificates, but it is not mandatory.
Planning the Certificate Names
To make sure that clients can connect to the Client Access server using SSL without receiving an error message, the names on the certificate must match the names that the clients use to connect to the server. For example, if your users connect to the Outlook Web App site using a URL such as https://mail.adatum.com/owa, and they connect to the IMAP4 server using a name such as IMAP.adatum.com, you must make sure that the certificates you use support both server names. In addition, if you enable Autodiscover access from the Internet, your certificate also must support a name such as Autodiscover.adatum.com. Autodiscover is used to configure Outlook and mobile device profile settings automatically.
You can implement this configuration by using the following options:
Obtain a separate certificate for each client protocol that requires a unique name. This may require m
Configure all clients to use the same server name. For example, you could configure all clients to u
Obtain a certificate with multiple subject alternative names. Most public CAs support the use of mu
bject alternative name.
Use a certificate with a wildcard name. Most public CAs also support the use of wildcards in the ce
Not all clients support wildcard certificates. Deploying wildcard certificates is considered a security risk in many organizations because the certificate can be used for any server name in the domain. If this certificate is compromised, all host names for the organization also are compromised.
Demonstration: Creating a Certificate Request on a Client Access Server
Demonstration Steps
1. Open Exchange Admin Center (EAC) on LON-CAS1, and sign in as Adatum\Administrator.
2. Click certificates in the feature pane.
3. Start the wizard to create a new Exchange certificate.
4. Provide mail.adatum.com for the friendly name.
5. Provide mail.adatum.com as the value for web services.
6. Fill in the following fields as follows:
a. Organization name: A.Datum
b. Department name: IT
c. Country/Region name: United States
d. City/Locality: Seattle
e. State/Province: WA
7. Save the request to \\lon-cas1\C$\windows\temp\certreq.req.
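The same request from the Exchange Management Shell, as an added example that is not part of the course demonstration. It follows the demonstration's values (LON-CAS1, mail.adatum.com, the A. Datum subject fields, the certreq.req path) and extends them with the Autodiscover and IMAP4 names discussed under Planning the Certificate Names, then completes the request and binds the issued certificate. The issued-certificate file name certnew.cer is an assumption.

```powershell
# Added example, not part of the course demonstration. Exchange Management Shell version of
# the certificate request, with every client-facing name in the request, followed by the
# import and service binding once the CA has issued the certificate. The .cer file name is
# an assumption; the other values follow the demonstration.

# 1. Generate the request. Each name clients will use (Outlook Web App, Autodiscover, IMAP4)
#    goes in DomainName so the issued certificate carries it as a subject alternative name.
$request = New-ExchangeCertificate -Server 'LON-CAS1' -GenerateRequest `
    -FriendlyName 'mail.adatum.com' `
    -SubjectName 'C=US,S=WA,L=Seattle,O=A.Datum,OU=IT,CN=mail.adatum.com' `
    -DomainName 'mail.adatum.com','autodiscover.adatum.com','imap.adatum.com' `
    -PrivateKeyExportable $true

# 2. Save the PEM-encoded request for submission to the CA.
Set-Content -Path '\\lon-cas1\C$\windows\temp\certreq.req' -Value $request

# 3. Complete the pending request on the same server once the CA returns the certificate.
$issued = Import-ExchangeCertificate -Server 'LON-CAS1' `
    -FileData ([System.IO.File]::ReadAllBytes('\\lon-cas1\C$\windows\temp\certnew.cer'))

# 4. Bind the certificate to the services that present it. IIS covers Outlook Web App, EAC,
#    EWS, ActiveSync, Autodiscover, Outlook Anywhere and MAPI over HTTP.
Enable-ExchangeCertificate -Server 'LON-CAS1' -Thumbprint $issued.Thumbprint -Services IIS,POP,IMAP,SMTP

# 5. Verify: the issued certificate should list every name and be bound to the services;
#    the default self-signed certificate should no longer hold the IIS binding.
Get-ExchangeCertificate -Server 'LON-CAS1' |
    Select-Object Thumbprint, IsSelfSigned, Services, NotAfter,
        @{ Name = 'Names'; Expression = { $_.CertificateDomains -join ', ' } } |
    Format-Table -AutoSize
```

The request must be completed on the server that generated it, because that is where the private key was created; the final listing is the check that the self-signed certificate installed by Setup is no longer the one clients see.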
Securing a Client Access Server

In many organizations, the Client Access server is accessible from the Internet for Outlook Anywhere, Outlook Web App, or Exchange ActiveSync clients. Therefore, it is critical that you make sure that the Client Access server that faces the Internet is as secure as possible.
Securing Communications Between Clients and Client Access Servers
To encrypt the network traffic between messaging clients and the Client Access server, you must secure the network traffic using SSL. To configure the Client Access server to use SSL, complete the following steps:
1. Obtain and install a server certificate on the Client Access server. Ensure that the certificate name
2. Secure the following virtual directories:
o Autodiscover
o Exchange Control Panel (ECP)
o Exchange Web Services (EWS)
o Microsoft-Server-ActiveSync
o Offline Address Book (OAB)
o Outlook Web App (OWA)
o Windows PowerShell
By default, all of these virtual folders are configured to require SSL after the Exchange Server Client Access server role is installed. We recommend that you do not change this.
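An added check, not from the course manual, that confirms the seven virtual directories listed above still require SSL. It uses the WebAdministration module on the Client Access server; the site name Default Web Site and the way the sslFlags value is read are assumptions about the IIS configuration rather than Exchange cmdlets.

```powershell
# Added example, not from the course manual. Audits the Require SSL setting on the Client
# Access virtual directories named above. Assumes the WebAdministration module on the
# server and the default site name used by the Client Access role.
Import-Module WebAdministration

function Test-CasVirtualDirectorySsl {
    param(
        [string]$SiteName = 'Default Web Site',
        [string[]]$VirtualDirectories = @(
            'Autodiscover', 'ecp', 'EWS', 'Microsoft-Server-ActiveSync',
            'OAB', 'owa', 'PowerShell'
        )
    )

    foreach ($vdir in $VirtualDirectories) {
        $raw = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" -Location $vdir `
            -Filter 'system.webServer/security/access' -Name 'sslFlags'

        # Depending on the IIS version the value arrives as a string ("Ssl, SslNegotiateCert"),
        # a wrapped attribute with a .Value, or the numeric flag (8 = Ssl); normalise all three.
        $value = if ($raw -is [string]) { $raw } elseif ($null -ne $raw.Value) { "$($raw.Value)" } else { "$raw" }
        $requiresSsl = if ($value -match '^\d+$') {
            ([int]$value -band 8) -ne 0
        } else {
            @($value -split ',' | ForEach-Object { $_.Trim() }) -contains 'Ssl'
        }

        [pscustomobject]@{
            VirtualDirectory = $vdir
            SslFlags         = $value
            RequiresSsl      = $requiresSsl
        }
    }
}

$results = Test-CasVirtualDirectorySsl
$results | Format-Table -AutoSize

# A directory that no longer requires SSL would accept credentials over plain HTTP.
$results | Where-Object { -not $_.RequiresSsl } | ForEach-Object {
    Write-Warning ("{0} does not require SSL; restore the setting before publishing the server" -f $_.VirtualDirectory)
}
```

Run it after any IIS change on the server; a directory reported without the Ssl flag is the condition the preceding paragraph warns against.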
Configuring Secure Authentication
Exchange Server 2013 provides several authentication options for clients communicating with the Client Access server. If the server has multiple authentication options enabled, Exchange Server 2013 negotiates with the client to determine the most secure authentication method that both support.
Standard Authentication Options
The following standard authentication options are available on the Client Access server:
Integrated Windows authentication. This is the most secure standard authentication option. When y
packages installed on the client computer to obtain the logged-on user's user name and password. Unencrypted authentication information is not transferred across
Digest authentication. Digest authentication secures the password by transmitting it as a hash value
Basic authentication. Basic authentication transmits passwords in clear text over the network. There
on is not supported, so user credentials are never automatically passed over Basic authentication.
Forms-Based Authentication
Forms-based authentication is available only for Outlook Web App and EAC. When you use this option, it replaces the other authentication methods. This is the preferred authentication option for Outlook Web App because it provides enhanced security. When you use forms-based authentication, Exchange Server uses cookies to encrypt the user logon credentials in the client computer's web browser. Tracking the use of this cookie allows Exchange Server to time out inactive sessions. Automatic inactive session time-out is valuable because it protects user accounts from unauthorized access if users leave their session logged on while they are away from their computers.
The time that elapses before an inactive session times out varies depending on the computer type selected during logon. If you choose a public or shared computer, the session times out after 15 minutes of inactivity. If you choose a private computer, the session times out after 12 hours of inactivity.
Instead of a pop-up screen, forms-based authentication creates a logon web page for Outlook Web App. You can modify the logon page by configuring the logon prompt (user name, domain\user name, or user principal name), language, graphics, and text. User credentials entered into the Outlook Web App logon page are transmitted in clear text, similar to the way that these credentials are transmitted in basic authentication. However, forms-based authentication requires the use of SSL, which encrypts the user credentials as they are transmitted over the network.
Forms-based authentication is enabled by default for both Outlook Web App and EAC.
Protecting the Client Access Server with an Application-Layer Firewall
To provide an additional layer of security for network traffic, and to protect the Client Access server, deploy an application-layer firewall or reverse proxy between the Internet and the Client Access server. Application-layer firewalls provide the following benefits:
You can configure the firewall as the endpoint for the client SSL connection. The firewall can decry
You can offload SSL decryption to the firewall. If you do not require that all connections on your in
encrypt it before sending the traffic to the Client Access server. This means that the Client Access se
If you use Forefront Threat Management Gateway 2010 as the application-layer firewall, you can c
based authentication. This means that only authenticated connections will be allowed into the intern
Note: Threat Management Gateway 2010 is not fully supported for publishing Exchange Server 20
Configuring the Client Access Server for Internet Access

To enable access to the Client Access server from the Internet, you need to complete the following steps:
1. Configure the external URLs for each of the required client options. You can configure all of the C
By default, the external URL is blank. For Internet-facing Client Access servers, the external URL should be configured to use the name published in
etting should remain blank.
2. Configure external DNS name resolution. For each Client Access server that you are exposing to t
et DNS zone for your organization. If you are using different host names for each Client Access se
3. Configure access to the Client Access server virtual directories. Each of the client access methods
layer firewall that filters client requests based on the virtual directory, you need to ensure that all vi
4. Implement SSL certificates with multiple subject alternative names. If you are using multiple host
erver names listed in the subject alternative name extension.
5. Plan for Client Access server access with multiple sites. If your organization has multiple locations
If you choose not to make the Exchange Servers in specific sites accessible from the Internet, you
accessible Client Access server. If you do decide to make a site's Client Access server accessible f
o Configure a unique external URL for the Client Access servers that are accessible from the In
o Ensure that the host records for each site are added to the appropriate DNS zone.
o Configure the firewalls and SSL certificates for each site.
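The Exchange Management Shell equivalent of steps 1 and 3, together with the authentication settings from the preceding Configuring Secure Authentication topic and the MAPI over HTTP virtual directory introduced in SP1, as an added example that is not from the course manual. Server and name values (LON-CAS1, mail.adatum.com) follow the A. Datum scenario and are assumptions.

```powershell
# Added example, not from the course manual. Publishes a Client Access server from the
# Exchange Management Shell: external URLs, Outlook Anywhere host names and authentication,
# the MAPI over HTTP directory, and forms-based authentication for Outlook Web App and EAC.
# Server and namespace values are assumptions for the A. Datum scenario.
$server   = 'LON-CAS1'
$external = 'https://mail.adatum.com'

# 1. External URLs. Only Internet-facing servers get a value; on a server that is not
#    published, ExternalUrl stays empty so Autodiscover does not hand out an unreachable name.
Set-OwaVirtualDirectory         -Identity "$server\owa (Default Web Site)" -ExternalUrl "$external/owa"
Set-EcpVirtualDirectory         -Identity "$server\ecp (Default Web Site)" -ExternalUrl "$external/ecp"
Set-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)" -ExternalUrl "$external/EWS/Exchange.asmx"
Set-ActiveSyncVirtualDirectory  -Identity "$server\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalUrl "$external/Microsoft-Server-ActiveSync"
Set-OabVirtualDirectory         -Identity "$server\OAB (Default Web Site)" -ExternalUrl "$external/OAB"

# 2. MAPI over HTTP (Exchange Server 2013 SP1). Configure the directory on every Client Access
#    server first; the organization-wide switch is what makes Outlook 2013 SP1 clients use it.
Set-MapiVirtualDirectory -Identity "$server\mapi (Default Web Site)" `
    -InternalUrl "$external/mapi" -ExternalUrl "$external/mapi" `
    -IISAuthenticationMethods Ntlm,Negotiate
Set-OrganizationConfig -MapiHttpEnabled $true

# 3. Outlook Anywhere (RPC over HTTPS). Basic is acceptable for external clients only because
#    the credentials travel inside the SSL tunnel; internal clients use NTLM. SSL offloading
#    stays off unless a reverse proxy decrypts and re-encrypts in front of the server.
Set-OutlookAnywhere -Identity "$server\Rpc (Default Web Site)" `
    -ExternalHostname 'mail.adatum.com' -InternalHostname 'mail.adatum.com' `
    -ExternalClientsRequireSsl $true -InternalClientsRequireSsl $true `
    -ExternalClientAuthenticationMethod Basic -InternalClientAuthenticationMethod Ntlm `
    -SSLOffloading $false

# 4. Forms-based authentication for Outlook Web App and EAC. It is built on Basic inside SSL,
#    so Basic stays on while the Windows and Digest methods are turned off; the logon prompt
#    asks for the user principal name.
Set-OwaVirtualDirectory -Identity "$server\owa (Default Web Site)" `
    -FormsAuthentication $true -BasicAuthentication $true `
    -WindowsAuthentication $false -DigestAuthentication $false `
    -LogonFormat PrincipalName
Set-EcpVirtualDirectory -Identity "$server\ecp (Default Web Site)" `
    -FormsAuthentication $true -BasicAuthentication $true `
    -WindowsAuthentication $false -DigestAuthentication $false

# 5. Review before changing DNS and the firewall: every ExternalUrl should use the published name.
Get-OwaVirtualDirectory -Server $server | Format-List Name, InternalUrl, ExternalUrl, FormsAuthentication
Get-WebServicesVirtualDirectory -Server $server | Format-List Name, ExternalUrl
Get-OutlookAnywhere -Server $server | Format-List ExternalHostname, ExternalClientAuthenticationMethod, SSLOffloading
```

Step 2 (external DNS) and step 4 (the SAN certificate) are done outside the shell, but each name used here must resolve publicly and appear on the certificate before clients are pointed at it.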
Configuring POP3 and IMAP4 Client Access
By default, Exchange Server 2013 supports POP3 and IMAP4 client connections, but these services are set to start manually. If you want to enable user access for these protocols, you must start the services and configure them to start automatically.
You can use the Services console to do this, or you can use the Exchange Management Shell.
To use the Exchange Management Shell, on the computer running the Client Access server role, you should run the following cmdlets:
Set-service msExchangePOP3 -startuptype automatic
Start-service msExchangePOP3
On the computer running the Mailbox server role, you should run the following cmdlets:
Set-service msExchangePOP3BE -startuptype automatic
Start-service msExchangePOP3BE
Configuration Options
If you choose to enable POP3 or IMAP4 access, you can configure the following settings:
Bindings. Enables the configuration of the local server addresses that will be used for unencrypted o
Authentication. Enables the configuration of supported authentication options. Support options incl
Connection. Enables the configuration of server settings, such as time-out settings, connection limit
Retrieval. Enables the configuration of the message formats used for these protocols, and enables y
User access. On each user account, you can enable or disable access for the POP3 and IMAP4 proto
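An added example, not from the course manual, that carries the service commands above through the full POP3 and IMAP4 configuration: both protocols on both roles, then the bindings, authentication, connection, retrieval and user access settings just listed, with the secure choice for each. Server names (LON-CAS1, LON-MBX1), the certificate name and the mailbox are assumptions.

```powershell
# Added example, not from the course manual. Brings POP3 and IMAP4 up on both roles and
# applies the secure choices for the settings listed above. Server names, the certificate
# name and the mailbox are assumptions for the A. Datum scenario.

# 1. Protocol settings on the Client Access server. SecureLogin refuses logons that are not
#    protected by SSL or STARTTLS, so passwords never cross the network in clear text;
#    the certificate name must match the name clients use (it must already be installed).
$protocolSettings = @{
    Server                     = 'LON-CAS1'
    LoginType                  = 'SecureLogin'
    X509CertificateName        = 'mail.adatum.com'
    MaxConnections             = 2000
    MaxConnectionsPerUser      = 16
    # Retrieval: hand clients the best available body format rather than forcing text-only.
    MessageRetrievalMimeFormat = 'BestBodyFormat'
}
Set-PopSettings  @protocolSettings -SSLBindings '0.0.0.0:995' -UnencryptedOrTLSBindings '0.0.0.0:110'
Set-ImapSettings @protocolSettings -SSLBindings '0.0.0.0:993' -UnencryptedOrTLSBindings '0.0.0.0:143'

# 2. Services. The frontend services run on the Client Access server, the backend services on
#    the Mailbox server; a multi-role server needs all four. The new settings load on (re)start.
$servicesByServer = @{
    'LON-CAS1' = 'MSExchangePOP3', 'MSExchangeIMAP4'
    'LON-MBX1' = 'MSExchangePOP3BE', 'MSExchangeIMAP4BE'
}
foreach ($server in $servicesByServer.Keys) {
    Invoke-Command -ComputerName $server -ArgumentList (,$servicesByServer[$server]) -ScriptBlock {
        param([string[]]$names)
        foreach ($name in $names) {
            Set-Service -Name $name -StartupType Automatic
            Restart-Service -Name $name   # starts a stopped service, reloads a running one
        }
        Get-Service -Name $names | Select-Object Name, Status
    }
}

# 3. User access is per mailbox. Keep both protocols off by default and enable only what
#    a given user needs; here the user gets IMAP4 but not POP3.
Set-CASMailbox -Identity 'anna@adatum.com' -PopEnabled $false -ImapEnabled $true

# 4. Verify the effective listener configuration and the per-user result.
Get-ImapSettings -Server 'LON-CAS1' |
    Format-List LoginType, SSLBindings, UnencryptedOrTLSBindings, X509CertificateName
Get-CASMailbox -Identity 'anna@adatum.com' | Format-List PopEnabled, ImapEnabled
```

Because the Client Access server proxies POP3 and IMAP4 to the back-end services, a client that can reach port 993 but cannot log on usually means the backend service on the Mailbox server was left at its manual start type.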
Lesson 3: Managing Client Access Services
The Client Access servers in Exchange Server 2013 provide several services for Office Outlook clients. These services are usually enabled by default for Outlook clients on the internal network, but you may need to modify some of the settings. In addition, you can make some of these services available to Outlook clients that connect to the Exchange Servers from outside the deployment. In this case, you must enable these features and make sure that they are configured correctly.
Lesson Objectives
After completing this lesson, you will be able to:
Describe the services provided by the Client Access server.
Describe Autodiscover.
Configure and manage Autodiscover.
Describe the Availability service.
Describe MailTips.
Configure MailTips.
Services Provided by the Client Access Server

In Exchange 2013, the Client Access server role provides critical services for all messaging clients, including Office Outlook clients. The following is a list of services that the Client Access server role provides:
Autodiscover. This service configures client computers that are running Outlook 2007 or newer ver
The Autodiscover process configures the Outlook client profile, including the Mailbox server, Avai
Availability. This service is used to make free/busy information available for Outlook 2007 (and ne
MailTips. This feature provides notifications for users regarding potential issues with sending a mes
Offline Address Book download. The Client Access server makes OAB available through a Web ser
EAC. The EAC is a web-based management interface that can be used to manage Exchange Server
Exchange Web Services. Exchange Web Services enables client applications to communicate with t
es clients can integrate Outlook data into line-of-business applications.
Outlook Anywhere. Outlook Anywhere enables Outlook 2007 or newer-version clients to access the
What Is Autodiscover?

The Autodiscover service in Exchange Server 2013 simplifies client configuration in Office Outlook 2007, 2010, and 2013. Autodiscover provides configuration information that Outlook requires to create a configuration profile for the client.
Outlook clients can also use the Autodiscover service to repair Exchange Server connection settings, or if the user mailbox is moved to a different server. The Autodiscover service provides profile settings to Outlook 2007, 2010, and 2013 clients and supported mobile devices based on the user's email address and password.
Note: Providing only an email address and the password for automatic configuration
with Autodiscover, will work only when the users email address is equal to users UP
N. If that is not the case, theuser will have to provide correct user name and domain n
ame.
As part of creating the profile, Autodiscover provides information for the client to loc
ate various web services, such as the Availability service, UM settings, and offline ad
dress books (OABs).
How Autodiscover Works
An Outlook client connects to Exchange Server 2013 in the following manner:
1. When you install the Client Access server role, a Service Connection Point (SCP) is configured automatically in AD DS for the Client Access server. The SCP helps Outlook locate the Autodiscover uniform resource identifier (URI) and the Autodiscover site scope parameter. The site scope parameter specifies one or more o
tes with Outlook clients. SCP is used only by clients that are domain joined and connected to intern
2. When Outlook 2007 or a newer version starts for the first time on a domain-joined computer, Outlook retrieves the user name or the user's email address and password, and th
3. If Outlook is running on a domain-joined computer, Outlook then uses the information from SCP to locate the Autodiscover service o
our domain, then the client looks for the Autodiscover host in DNS. After that Outlook is redirected
4. The request that the client makes to the Client Access server is actually the HTTP POSTS comman
5. The Client Access server provides the Autodiscover information to the client. The information inc
6. Outlook downloads and applies the required configuration information from the Autodiscover serv
7. Outlook then uses the appropriate configuration settings to connect to Exchange Server 2013.
The place where Autodiscover information is generated may differ depending on which Exchange Server version hosts the client mailbox. When the client connects to the Client Access server 2013 with an Autodiscover request, either because SCP directs it there or because it is sent there by using DNS, the Client Access server will do one of the following:
If the client mailbox is on Exchange Server 2007, Client Access Server 2013 will send the request
If the client mailbox is on Exchange Server 2010, Client Access Server 2013 proxies the request t
Supported Clients and Protocols
Autodiscover supports the following clients and protocols:
Client
Office Outlook
Outlook Anywhere
Exchange ActiveSync
Entourage 2008, Exchange Web Services Edition
Note: Exchange Server 2013 supports Autodiscover for Exchange ActiveSync Service clients. However, the Exchange ActiveSync Service client must be running Windows Phone 7 or newer versions to support this feature.
Configuring and Managing Autodiscover
By default, the Autodiscover settings for internal clients are configured automatically, and Outlook 2007 or newer clients are automatically configured to use the appropriate services. In some cases, you may want to modify the default settings. For external clients, you must configure the appropriate DNS settings to ensure that external clients can locate the Client Access server that is accessible from the Internet.
Configuring the Autodiscover Settings
To enable Autodiscover, you must have at least one Client Access server that is running the Autodiscover service. When you install the Client Access server role, the Autodiscover virtual directory is created automatically in IIS.
To manage Autodiscover settings, you must use the following Exchange Management Shell cmdlets:
Set-ClientAccessServer. Configures the Autodiscover SCP.
New-AutodiscoverVirtualDirectory. Creates a new Autodiscover virtual directory.
Remove-AutodiscoverVirtualDirectory. Removes an Autodiscover virtual directory.
Set-OutlookProvider. Configures an Office Outlook provider.
Get-OutlookProvider. Locates an Office Outlook provider or providers in the virtual directory.
Generally, you should not modify Autodiscover settings in the default Exchange configuration. However, there are some scenarios where you might need to do this. For example, if you have a hardware load balancer with a virtual IP pointing to an address such as mail.adatum.com, you can change the internal URI to use mail.adatum.com rather than the Client Access server names.
Configuring Autodiscover for Multiple Sites
If your organization has deployed Exchange servers in multiple Active Directory sites, you should consider configuring site affinity for the Autodiscover service. To use site affinity, you specify which Active Directory sites are preferred for clients to connect to a particular Autodiscover service instance. Usually, Autodiscover site affinity is used in scenarios where connectivity is poor between all of your sites and you would like Outlook clients to use the Autodiscover service on a Client Access server to which the clients have good connectivity. In another scenario, if you have acceptable connectivity between your sites, you still may prefer that your Outlook clients use the Autodiscover service on a Client Access server in a site that is local to the clients.
To configure site affinity, use the cmdlet as shown in the following example:
Set-ClientAccessServer -Identity "ServerName" `
-AutodiscoverServiceInternalURI "https://VAN-EX1/autodiscover/autodiscover.xml" `
-AutodiscoverSiteScope "HeadOffice"
This cmdlet configures the URI for the Autodiscover service in the HeadOffice site to use the VAN-EX1 server.
Configuring DNS to Support Autodiscover
To enable external clients to locate the appropriate Client Access servers, you must configure DNS with the correct information. When the Outlook client attempts to locate the Client Access server, it first tries to locate the SCP information in AD DS. If the client is outside the network, Active Directory is not available. Therefore, the client queries DNS for a server name based on the SMTP address that the user provides. Office Outlook queries DNS for the following URLs:
https://<e-mail domain>/autodiscover/autodiscover.xml
https://autodiscover.<e-mail domain>/autodiscover/autodiscover.xml
To enable Autodiscover, you must configure a DNS record on the external DNS server that the client uses, to provide name resolution for that request. The DNS record should point to a Client Access server that is accessible from the Internet, or to a reverse proxy server, such as Forefront TMG, that is used to publish the Client Access server.
Using the Test E-mail AutoConfiguration Feature in Outlook 2007 and Newer Versions
You can use the Test E-mail AutoConfiguration feature in Outlook to test whether Autodiscover is working correctly. To perform this test, hold the Ctrl key and click the Outlook icon in the notification area, and then click Test E-mail AutoConfiguration.
You also can use the Exchange Management Shell cmdlet Test-OutlookWebServices to test the Autodiscover settings on a Client Access server. For a very useful tool for testing Autodiscover functionality from outside, go to https://www.testexchangeconnectivity.com/. This is an official Microsoft testing tool that you can use to test Autodiscover for ActiveSync and Outlook connectivity. It can be used for an on-premises Exchange Server, and can also be used to test service availability in Microsoft Office 365.
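The following Exchange Management Shell script is added here as a worked example; it is not part of the course material. It brings the checks in this topic together: it lists the Autodiscover SCP settings that every Client Access server publishes in AD DS, resolves the two DNS names that external clients try, and runs Test-OutlookWebServices for one mailbox. The SMTP domain (adatum.com) and the test mailbox (Don) are assumptions taken from the lab environment; Resolve-DnsName assumes the server runs Windows Server 2012 or newer.

```powershell
# Added example, not from the course: end-to-end Autodiscover check.
# Assumptions: SMTP domain adatum.com and mailbox Don (taken from the lab);
# Resolve-DnsName needs the DnsClient module (Windows Server 2012 or newer).
# Run from the Exchange Management Shell on a Client Access server.

$EmailDomain = "adatum.com"
$TestMailbox = "Don@adatum.com"

# 1. SCP settings. Domain-joined clients read these from AD DS, so a stale or
#    non-HTTPS URI here affects every internal Outlook client at once.
Write-Host "== Autodiscover SCP settings per Client Access server =="
$casServers = Get-ClientAccessServer
$casServers |
    Select-Object Name, AutoDiscoverServiceInternalUri, AutoDiscoverSiteScope |
    Format-Table -AutoSize

foreach ($cas in $casServers) {
    $uri = $cas.AutoDiscoverServiceInternalUri
    if ($uri -and $uri.Scheme -ne "https") {
        # Clients submit credentials to this endpoint, so it must be TLS-protected.
        Write-Warning "$($cas.Name): SCP URI is not HTTPS: $uri"
    }
}

# 2. DNS names that external (non-domain-joined) clients try, in order:
#    https://<domain>/autodiscover/autodiscover.xml, then
#    https://autodiscover.<domain>/autodiscover/autodiscover.xml.
Write-Host "`n== DNS resolution of external Autodiscover names =="
foreach ($name in @($EmailDomain, "autodiscover.$EmailDomain")) {
    try {
        $records   = Resolve-DnsName -Name $name -Type A -ErrorAction Stop
        $addresses = ($records | Where-Object { $_.IPAddress }).IPAddress -join ", "
        "{0,-35} -> {1}" -f $name, $addresses
    }
    catch {
        Write-Warning "$name does not resolve; external clients will fall through this step"
    }
}

# 3. Functional test: Test-OutlookWebServices queries Autodiscover for the
#    mailbox and then checks the endpoints it returns (EWS/Availability, OAB).
Write-Host "`n== Test-OutlookWebServices for $TestMailbox =="
$cred = Get-Credential -Message "Credentials for $TestMailbox"
Test-OutlookWebServices -Identity $TestMailbox -MailboxCredential $cred |
    Format-Table Source, Scenario, Result, Latency -AutoSize
```

The SCP check is the one to run first when internal clients start prompting for credentials: a URI that still names a decommissioned server, or one that does not use HTTPS, shows up here before any client-side tracing is needed. The DNS section only proves that the names resolve; whether the address they point to is the Client Access server or a reverse proxy that publishes it is confirmed by the third step and by the external testing site mentioned above.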
What Is the Availability Service?

Exchange Server 2013 uses the Availability service to make free/busy information available to Outlook 2007 or newer clients, and to Outlook Web App clients. The Availability service replaces the public folder used to store free/busy information in previous Exchange Server versions.
In Outlook, the Scheduling Assistant component allows you to see attendees' free time slots in their calendars without the attendees actually sharing their calendars with you. The Scheduling Assistant uses the Availability service to:
Retrieve live free/busy information for Exchange Server 2007, Exchange Server 2010, or Exchang
Retrieve live free/busy information from other Exchange Server 2007, Exchange Server 2010, or
View the working hours of attendees.
Show meeting-time suggestions.
Note: Only Outlook 2007 or newer versions and the Outlook Web App use the Availability servic
How the Availability Service Works
The Availability service provides free/busy information through the following process:
1. When you start the Scheduling Assistant in Outlook 2007 or newer clients, or in the Outlook Web
2. The Client Access server's Availability service queries Active Directory to determine the user mai
3. If the mailbox is in a different site than the one where Client Access server is located, the request i
4. The Availability service combines the free/busy information for all invited users, and presents it
You also can configure the Client Access server to query the Availability service in a different Exchange Server 2013 organization. This allows you to share scheduling information between Exchange Server organizations.
Deploying the Availability Service
The Availability service is deployed by default on all Client Access servers and does not require configuration, except in scenarios where you are integrating the free/busy information from multiple forests. Autodiscover delivers the service location for the Availability service to Outlook 2007 or newer clients. The Availability service is located at the following website: http://servername/EWS.
What Are MailTips?

MailTips are informative messages displayed to users before they send a message. MailTips inform a user about issues or limitations with the message the user intends to send. Exchange Server 2013 analyzes the message, including the list of recipients to which it is addressed. If it detects a potential problem, it notifies the user through MailTips prior to sending the message. With the help of the information provided by MailTips, senders can adjust the message they compose to avoid undesirable situations or non-delivery reports (NDRs).
Types of MailTips
Exchange Server 2013 provides several default MailTips, including:
Mailbox Full. This MailTip displays if the sender adds a recipient whose mailbox is full, and if the
Automatic Replies. This MailTip displays the first 250 characters of the automatic reply configured
Restricted Recipient. This MailTip displays if the sender adds a recipient for which delivery restrict
External Recipients. This MailTip displays if the sender adds a recipient that is external, or adds a d
Large Audience. This MailTip displays if the sender adds a distribution group that has more than th
You also can configure custom MailTips in the Exchange Management Shell. You can assign a custom MailTip to any recipient. For example, you could configure a custom MailTip for a recipient who is on an extended leave, or for a distribution group in which all members of the group will be out of the office. Alternately, you can create a custom MailTip for a distribution group that explains the purpose of the group and thus reduces its misuse. When you configure a custom MailTip, it displays when a user composes a message to the specified recipient.
Note: MailTips are available only in Exchange Server 2010 and 2013 Outlook Web App, or when using Microsoft Office Outlook 2010 or newer versions. MailTips are not available in Outlook 2007.
How MailTips Work
MailTips are implemented as a web service in Exchange Server 2013. When a sender composes a message, the client software makes an Exchange Web Services call to the Exchange Server 2013 server with the Client Access server role installed, to get the MailTips list. The Exchange Server 2013 server responds with the list of MailTips that apply to that message, and the client software displays the MailTips to the sender.
The following sender actions trigger MailTips to be evaluated or updated:
Adding a recipient.
Adding an attachment.
Replying to the sender, or replying to all.
Opening a message from the Drafts folder, if that message is already addressed to recipients.
When the Client Access server is queried, it compiles the list of applicable MailTips and returns all of them at one time. This way, all MailTips are displayed to the user at the same time. The Client Access server uses the following process to compile MailTips for a specific message:
1. The mail client queries the web service on the Client Access server for MailTips that apply to the r
2. The Client Access server gathers MailTip data:
o The Client Access server queries AD DS, and reads group metrics data.
o The Client Access server queries the Mailbox server to gather the Recipient Out-of-Office and Mailbox Full MailTips. If the recipient's mailbox is on another site, then the Clien
3. The Client Access server returns MailTips data back to the client.
Note: Several MailTips are available when the Outlook client is offline. To enable this functionali
(OAB) was redesigned in Exchange Server 2013 to include some of the information required by M
while the Outlook client is offline. MailTips that will not work offline are the Invalid Internal Recipient, the Mailbox Full, and the Recipient Out-of-Office MailTips.
Limitations on MailTips
MailTips are subject to the following restrictions:
When a message is addressed to a distribution group, the MailTips for individual recipients that are
umber of external recipients in the distribution group.
If the message is addressed to more than 200 recipients, MailTips for individual mailboxes are not e
Custom MailTips are limited to 250 characters.
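The following Exchange Management Shell script is added here as a worked example and is not part of the course material. It sets the organization-wide MailTips options that control the default tips described above, wraps the custom MailTip cmdlets in a function that enforces the 250-character limit before the cmdlet is called and builds the "Locale:Text" strings that the MailTipTranslations parameter expects, and then reads back what was stored. The recipient names April Reagan and Aidan Delaney are taken from the lab; the French text and the group name IT Department are constructed for this example.

```powershell
# Added example, not from the course. Recipient names come from the lab;
# the French text and the group name "IT Department" are constructed.

# Organization-wide settings. MailTipsLargeAudienceThreshold is the group size
# at which the Large Audience MailTip appears (25 is the product default).
Set-OrganizationConfig -MailTipsAllTipsEnabled $true `
                       -MailTipsExternalRecipientsTipsEnabled $true `
                       -MailTipsGroupMetricsEnabled $true `
                       -MailTipsLargeAudienceThreshold 25

function Set-CustomMailTip {
    <#
      Sets a custom MailTip (plus optional translations) on a mailbox or a
      distribution group, rejecting text over the 250-character limit up front
      instead of letting the cmdlet fail half-way through a batch.
    #>
    param(
        [Parameter(Mandatory = $true)][string]$Identity,
        [Parameter(Mandatory = $true)][string]$MailTip,
        [hashtable]$Translations = @{}          # e.g. @{ FR = "texte"; DE = "Text" }
    )

    foreach ($text in @($MailTip) + @($Translations.Values)) {
        if ($text.Length -gt 250) {
            throw "MailTip text for '$Identity' is $($text.Length) characters; the limit is 250."
        }
    }

    $params = @{ Identity = $Identity; MailTip = $MailTip }
    if ($Translations.Count -gt 0) {
        # MailTipTranslations takes strings in the form "Locale:Text".
        $params.MailTipTranslations = @($Translations.GetEnumerator() |
            ForEach-Object { "$($_.Key):$($_.Value)" })
    }

    $recipient = Get-Recipient -Identity $Identity
    if ($recipient.RecipientType -like "*DistributionGroup" -or
        $recipient.RecipientType -like "*SecurityGroup") {
        Set-DistributionGroup @params
    }
    elseif ($recipient.RecipientType -eq "UserMailbox") {
        Set-Mailbox @params
    }
    else {
        throw "Unsupported recipient type $($recipient.RecipientType) for '$Identity'."
    }
}

# A user on extended leave (as in the demonstration), a bilingual tip, and a
# group whose purpose should be explained before anyone sends to it.
Set-CustomMailTip -Identity "April Reagan" -MailTip "This person is on extended leave."
Set-CustomMailTip -Identity "Aidan Delaney" -MailTip "This is the English MailTip." `
                  -Translations @{ FR = "Ceci est l'info-courrier en français." }
Set-CustomMailTip -Identity "IT Department" `
                  -MailTip "Use this group for IT service requests only; it reaches the whole department."

# Verify what was stored. MailTip text is kept as HTML on the recipient object.
Get-Mailbox -Identity "Aidan Delaney" | Format-List MailTip, MailTipTranslations
```

The translation shown for a given user is chosen by the language the client is running in, which is what Exercise 3 of the lab verifies by switching Outlook Web App to French. The length check matters most when MailTips are set in bulk from a CSV: the cmdlet rejects an over-long value, but only for that one recipient, so checking first keeps the batch consistent.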
Demonstration: Configuring MailTips
Demonstration Steps
1. In the EAC on LON-CAS1, click recipients in the feature pane.
2. Select to manage Mailboxes.
3. Open properties for April Reagan.
4. Configure MailTip for this user with the text: This person is on extended leave.
5. Log on to Outlook Web App as ADatum\Don.
6. Create a new message to April, and ensure that MailTip appears.
Lab: Deploying and Configuring a Client Access Server Role
Scenario
You are working as a messaging administrator in A. Datum Corporation. Your organization has decided to deploy Client Access servers so that the servers are accessible from the Internet for a variety of messaging clients. To make sure that the deployment is as secure as possible, you must secure the Client Access server, and you also must configure a certificate on the server that will support the messaging client connections. In addition, you have to verify options on the Client Access server, and configure MailTips for a few users.
Objectives
Configure certificates on the Client Access server.
Configure Client Access server options.
Configure MailTips.
Lab Setup
Estimated time: 60 minutes
Virtual machines: 20341B-LON-DC1, 20341B-LON-MBX1, 20341B-LON-CAS1
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin
the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Mana
2. In Hyper-V Manager, click 20341B-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
a. User name: Adatum\Administrator
b. Password: Pa$$w0rd
5. Repeat steps 2 to 4 for 20341B-LON-MBX1 and 20341B-LON-CAS1.
Exercise 1: Configuring Certificates for the Client Access Server
Scenario
As a messaging administrator in A. Datum Corporation, you have deployed the Exchange Server environment, and you are now working on configuring the Client Access servers. The organization has decided to use a certificate from the internal CA to secure all client connections to the server. You need to enable this configuration, and then you must make sure that Outlook clients can still connect to the server.
The main tasks for this exercise are as follows:
1. Make a certificate request on Exchange Server
2. Issue a certificate from an internal CA
3. Assign a certificate to Exchange services
Task 1: Make a certificate request on Exchange Server
1. On LON-CAS1, open Internet Explorer, type https://lon-cas1.adatum.com/ecp, and press Enter.
2. Sign in as Adatum\administrator with the password Pa$$w0rd.
3. Click the servers node, click Certificates, and start the wizard for creating a certificate request.
4. Provide mail.adatum.com as the friendly name for the certificate.
5. Do not use a wildcard certificate.
6. Provide the name mail.adatum.com for all values that are not defined.
7. Ensure that the certificate request contains the following domain names: mail.adatum.com, lon-ca
8. Fill in additional data as follows:
a. Organization name: A.Datum
b. Department name: IT
c. Country/Region name: United States
d. City/Locality: Seattle
e. State/Province: WA
9. Save the certificate request to \\lon-cas1\C$\windows\temp\certreq.req.
Task 2: Issue a certificate from an internal CA
1. On LON-DC1, restart the certificate service.
2. On LON-CAS1, open File Explorer and navigate to C:\windows\temp.
3. Open the certificate request file with Notepad, and copy all content to the clipboard.
4. Connect to http://lon-dc1.adatum.com/certsrv as Administrator with the password Pa$$w0r
5. Choose to perform an advanced certificate request.
6. Paste the certificate request content (from step 2) in to the appropriate field, and select Web Ser
7. Save the certificate.
8. Open File Explorer, and create a new folder called cert on the C:\ drive. Share the folder, and g
9. Copy the certificate file to the cert folder.
Task 3: Assign a certificate to Exchange services
1. On LON-CAS1, open the EAC.
2. Import the mail.adatum.com Exchange certificate that you issued in Task 2. Import the certific
3. Assign the certificate to IIS service.
Results: After completing this exercise, the students will have a certificate installed on the Exchange Server Client Access server.
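The Exchange Management Shell equivalent of the three tasks above, added here as a worked example (it is not part of the lab and the EAC steps remain the way the exercise is graded). The host names, the request path and the subject fields are taken from the exercise; the file name of the issued certificate, certnew.cer, is an assumption, because the lab saves that file through the browser, and the full list of domain names in step 7 is cut off on the page, so only the two names that appear on it are used.

```powershell
# Added example, not from the lab: certificate request, import and binding
# from the Exchange Management Shell on LON-CAS1. Host names and the request
# path come from the exercise; the issued file name certnew.cer is assumed.

$Server      = "LON-CAS1"
$RequestPath = "\\lon-cas1\C$\windows\temp\certreq.req"
$CertPath    = "\\lon-cas1\cert\certnew.cer"        # assumed: saved here after Task 2

# Task 1: generate the request. Every name a client will type or be redirected
# to must appear in -DomainName; a name that is missing here produces
# certificate warnings in Outlook and browsers later.
$request = New-ExchangeCertificate -Server $Server -GenerateRequest `
    -FriendlyName "mail.adatum.com" `
    -SubjectName "C=US,S=WA,L=Seattle,O=A.Datum,OU=IT,CN=mail.adatum.com" `
    -DomainName "mail.adatum.com", "lon-cas1.adatum.com" `
    -PrivateKeyExportable $true

# -GenerateRequest returns the PEM text; write it out for the CA web enrollment page.
[System.IO.File]::WriteAllBytes($RequestPath, [System.Text.Encoding]::Unicode.GetBytes($request))

# Task 2 happens on the CA (http://lon-dc1.adatum.com/certsrv): submit the
# request as an advanced request using the Web Server template and save the
# issued certificate to $CertPath. Then continue here.

# Task 3: import the issued certificate and bind it to IIS, which serves
# Outlook Web App, the EAC, Outlook Anywhere, EWS and ActiveSync.
$cert = Import-ExchangeCertificate -Server $Server `
    -FileData ([System.IO.File]::ReadAllBytes($CertPath))
Enable-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint -Services IIS -Force

# Verify the binding: expected names present, chain trusted (Status Valid),
# and an expiry date worth putting on the renewal calendar.
Get-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint |
    Format-List Subject, CertificateDomains, Services, Status, NotAfter, Issuer
```

The verification at the end answers the exercise's last requirement directly: if Status is anything other than Valid, clients will not trust the chain even though the certificate is bound, and the most common cause in a lab like this one is that the client has not yet received the internal CA's root certificate through Group Policy.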
Exercise 2: Configuring Client Access Services Options
Scenario
To prepare the Client Access server, you need to perform several configuration tasks, such as configuring the external access domain and the POP3 service. The external email domain name should be mail.adatum.com. You need to make sure that POP3 users can connect securely, and that connection limits are applied, as well as proper message formatting. You also need to verify the authentication options for virtual directories on the Client Access server.
The main tasks for this exercise are as follows:
1. Configure Client Access server options
2. Verify authentication options on Client Access server
Task 1: Configure Client Access server options
1. In the EAC, set the external domain name to mail.adatum.com for LON-CAS1.
2. Open LON-CAS1 settings, and set the following for POP3 users:
a. Maximum connections: 100
b. Maximum connections from a single IP address: 20
c. Maximum connections from a single user: 2
Task 2: Verify authentication options on Client Access server
1. On LON-CAS1 in EAC, navigate to servers, and then click virtual directories.
2. Verify authentication options for the following virtual directories:
a. Autodiscover
b. ecp
c. PowerShell
d. Microsoft-Server-ActiveSync
e. OAB
3. Do not make any changes.
Results: After completing this exercise, the students will have configured the Client Access server.
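The same exercise from the Exchange Management Shell, added here as a worked example and not part of the lab. Setting the external domain name in the EAC writes an external URL onto each HTTP virtual directory, so the script sets those URLs explicitly; the POP3 limits are the ones from Task 1, with the secure logon requirement and a message format that the scenario asks for but the EAC steps do not spell out; Task 2 is reproduced as a read-only review. The server name and mail.adatum.com come from the lab; the choice of BestBodyFormat is an assumption.

```powershell
# Added example, not from the lab: Exercise 2 from the Exchange Management
# Shell on LON-CAS1. Values come from the lab scenario; BestBodyFormat is assumed.

$Server   = "LON-CAS1"
$External = "https://mail.adatum.com"

# Task 1a: external URLs. This is what the EAC "external domain name" step
# writes onto the HTTP-based client services of the server.
Get-OwaVirtualDirectory         -Server $Server | Set-OwaVirtualDirectory         -ExternalUrl "$External/owa"
Get-EcpVirtualDirectory         -Server $Server | Set-EcpVirtualDirectory         -ExternalUrl "$External/ecp"
Get-WebServicesVirtualDirectory -Server $Server | Set-WebServicesVirtualDirectory -ExternalUrl "$External/EWS/Exchange.asmx"
Get-ActiveSyncVirtualDirectory  -Server $Server | Set-ActiveSyncVirtualDirectory  -ExternalUrl "$External/Microsoft-Server-ActiveSync"
Get-OabVirtualDirectory         -Server $Server | Set-OabVirtualDirectory         -ExternalUrl "$External/OAB"

# Task 1b: POP3. SecureLogin rejects plain-text logons on the unencrypted port,
# so passwords only cross the wire inside TLS; the three limits are the lab's.
Set-PopSettings -Server $Server `
    -LoginType SecureLogin `
    -MaxConnections 100 `
    -MaxConnectionFromSingleIP 20 `
    -MaxConnectionsPerUser 2 `
    -MessageRetrievalMimeFormat BestBodyFormat
# POP3 settings are read at service start.
Restart-Service MSExchangePOP3

# Task 2: read-only review of authentication on the virtual directories the
# lab names. Anything that allows Basic authentication relies entirely on the
# TLS certificate bound to IIS, so read this list together with Exercise 1.
$vdirs = @(
    Get-AutodiscoverVirtualDirectory -Server $Server
    Get-EcpVirtualDirectory          -Server $Server
    Get-PowerShellVirtualDirectory   -Server $Server
    Get-ActiveSyncVirtualDirectory   -Server $Server
    Get-OabVirtualDirectory          -Server $Server
)
$vdirs | Format-List Name, InternalAuthenticationMethods, ExternalAuthenticationMethods, *Authentication
```

Nothing in the last block changes configuration, which matches the "Do not make any changes" instruction; it simply shows, per directory, which methods are accepted internally and externally so that the result can be compared with what the reverse proxy or firewall in front of the server is expected to pass through.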
Exercise 3: Configuring Custom MailTips
Scenario
To reduce the number of users who require support, A. Datum is evaluating implementation of MailTips. You have been asked to configure some test deployments that implement MailTips, and you must verify that MailTips can be enabled in multiple languages.
The main tasks for this exercise are as follows:
1. Configure MailTips
2. Test MailTips
3. To prepare for the next module
Task 1: Configure MailTips
1. On LON-CAS1, open EAC, and navigate to Mailboxes.
2. Select April Reagan mailbox object.
3. Set the MailTip text for April to be Test e-mail tip for April.
4. Open Exchange Management Shell, and set an email tip for Aidan by executing the following
Set-Mailbox -Identity Aidan -MailTip "this is english mail tip" -MailTipTranslations "FR: Ces
la lague francaise"
Task 2: Test MailTips
1. Open Internet Explorer, and type https://lon-cas1.adatum.com/owa
2. Sign in as Adatum\Don with the password Pa$$w0rd.
3. Accept defaults for time and language.
4. Open new mail window, and type April Reagan in the To text box.
5. Verify that the email tip appears.
6. Open new mail window and type Aidan Delaney in the To text box.
7. Verify that email tip appears in English.
8. Sign out from Outlook Web App, and sign in as Adatum\Amr.
9. Select Français (France) as the OWA language.
10. Open a new mail window, and type Aidan Delaney in the To text box.
11. Verify that the e-mail tip appears in French.
Task 3: To prepare for the next module
When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20341B-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 to 3 for 20341B-LON-CAS1 and 20341B-LON-MBX1.
5. In Hyper-V Manager, click 20341B-LON-DC1, and in the Actions pane, click Start.
6. In the Actions pane, click Connect. Wait until the virtual machine starts.
7. Sign in using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
8. Repeat steps 5 to 7 for 20341B-LON-MBX1. When you have successfully signed in to LON-MBX
Question: Why do we recommend that a certificate be issued from an internal CA to Client Acces
Question: Which service on the Client Access server supports certificate-based authentication?
Module Review and Takeaways
Best Practice
If possible, make the Client Access server highly available or redundant.
Provide a public certificate for Client Access server that is exposed to the Internet to avoid trust is
Do not place Client Access server in the perimeter network. Use an application-layer firewall and
Make sure that the Client Access server has a fast and reliable connection to the Mailbox server an
Review Question(s)
Question: What is the main difference between the Client Access server role in Exchange Server 2010 and Exchange Server 2013?
Module 5: Planning and Configuring Messaging Client Connectivity
Contents:
Module Overview
Lesson 1: Client Connectivity to the Client Access Server
Lesson 2: Configuring Outlook Web App
Lesson 3: Planning and Configuring Mobile Messaging
Lesson 4: Configuring Secure Internet Access for Client Access Server
Lab: Planning and Configuring Messaging Client Connectivity
Module Review and Takeaways
Module Overview
Planning and configuring client connections is one of the most important tasks that you must perform when you implement Microsoft Exchange Server. Microsoft Exchange Server 2013 supports various types of clients and connections from desktop and laptop computers, and from mobile devices; it also supports web-based access for many Internet browsers. In this module, we focus on planning and configuring the services that provide access to Microsoft Exchange clients. Specifically, this module describes Microsoft Outlook Web App and mobile messaging, and how to configure secure Internet access for the Client Access server.
Objectives
After completing this module, you will be able to:
Describe the client services Exchange Server 2013 provides.
Configure Outlook Web App.
Plan and configure mobile messaging.
Configure secure Internet access for Client Access server.
Lesson 1: Client Connectivity to the Client Access Server
The primary function of the Client Access server role in Exchange Server 2013 is to accept, authenticate, and proxy client connections from both an internal network and the Internet. The Client Access server is able to accept, authenticate, and proxy client connections by providing several services to clients, such as Outlook Web App, Outlook Anywhere, MAPI over HTTPS, and Exchange ActiveSync. Familiarity with these technologies is essential when you plan and configure client connectivity.
Lesson Objectives
After completing this lesson, you will be able to:
Describe Outlook Web App.
Describe Outlook Anywhere.
Describe MAPI over HTTPS.
Describe Exchange ActiveSync.
Describe Outlook Web App Light.
Describe how you can connect non-Outlook clients to Client Access server.
What Is Outlook Web App?

Outlook Web App is an Exchange Server 2013 service that enables users to access their mailboxes through a web browser. The feature set in Outlook Web App closely mimics the features available in Microsoft Outlook 2013, and provides features that are not available in previous Outlook versions.
In some cases, for example, when you do not have a locally installed email client, it may be possible to use Outlook Web App in place of Outlook 2010 or Outlook 2013.
Features of Outlook Web App
Outlook Web App provides most of the features that are available when using the full
Outlook 2013 client. Some of these features enable users to:
Read and respond to messages.
Book meetings, and view the Calendar.
Create and edit Contacts and Tasks.
Read attachments that have been rendered into HTML content on the server.
Configure personal settings such as signatures, out-of-office messages, and junk email settings.
Change passwords.
Configure mobile device settings.
Create and edit server-side rules.
Access public folders.
Use Secure/Multipurpose Internet Mail Extensions (S/MIME) to sign and encrypt email, and to re
Recover deleted items.
Create and edit personal distribution lists.
Outlook Web App is redesigned in Exchange Server 2013 to include features such as chat, text messaging, enhanced calendar and people parts, mobile phone integration, and an enhanced conversation view. Outlook Web App now also includes external applications such as Bing Maps, Suggested Appointments, and Action Items. These applications integrate with Outlook 2013 and Outlook Web App, and they extend the information and functionality of messages and calendar items. In addition, Outlook Web App now provides offline access capability.
The most important new features in Outlook Web App, compared to Outlook Web App in Microsoft Exchange Server 2010, include:
The integration of Web Apps in the Outlook Web App interface.
Enhancements to the People feature. It is now possible to link multiple entries for the same person a
Improvements to the Calendar that enable users to see multiple calendars in one or a merged
Enhancements to the interface used on tablets and smartphones.
In Exchange Server 2013, these features are accessible from an expanded set of web browsers, including Microsoft Internet Explorer 9.0 or newer, Firefox, Safari, and Google Chrome.
Benefits of Outlook Web App
Outlook Web App provides many important benefits for an organization, including:
All communication between the Outlook Web App client and the Client Access server is sent using
(SSL) protocol. This means that you can easily configure firewalls or reverse proxies to enable Inter
Outlook Web App does not require you to deploy or configure a messaging client. All client compu
RL.
Outlook Web App in Exchange Server 2013 also provides access to some features that are available
g Outlook 2010 or later.
What Is Outlook Anywhere?

Outlook Anywhere is a feature that has existed in Exchange Server since Exchange Server 2003 Service Pack 2. In the older Exchange Server versions, this feature was referred to as remote procedure call (RPC) over HTTP(S).
By using Outlook Anywhere, an Office Outlook 2007 or newer client can use RPCs encapsulated in an HTTPS packet to connect to a server that is running the Exchange Server 2013 Client Access server role. The Windows RPC-over-HTTP proxy component, which Outlook Anywhere clients use to connect, wraps RPCs with an HTTP layer. This enables traffic to pass through network firewalls without requiring RPC ports to be opened.
Configuring Outlook Anywhere in Exchange Server 2013
Outlook Anywhere functionality is enabled by default in Exchange Server 2013. This is a change from previous versions of Exchange, in which usually only external clients used Outlook Anywhere. In Exchange Server 2013, internal clients also connect by using this method.
There is no need to enable or deploy Outlook Anywhere, but it must be properly configured. You should install an appropriate SSL certificate on your Client Access server role, and configure the external Domain Name System (DNS) name to be used when connecting from the Internet.
Outlook Anywhere has several benefits, including:
Users can access Exchange servers from the Internet, the same way they access it from an internal
The same URL and namespace can be used for Outlook Anywhere, Outlook Web App, and Activ
The same certificate is used for Outlook Anywhere, Outlook Web App, and ActiveSync.
The user is always authenticated within Outlook client and cannot access data if unauthenticated.
There is no need to use a virtual private network (VPN) to access Exchange servers across the Inte
If Outlook Web App and Exchange ActiveSync are deployed with SSL, there is no need to open a

Although the configuration of Outlook Anywhere is a fairly simple process, you should validate its functionality before placing it into production. You can test end-to-end client connectivity for Outlook Anywhere and TCP-based connections by using the Test-OutlookConnectivity PowerShell cmdlet. You also can use the Microsoft Exchange Connectivity Analyzer web-based application.
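The configuration and validation just described, in script form. This is an added example and not part of the course material; the host names mail.adatum.com and LON-CAS1 are assumptions taken from the lab in the previous module, and the authentication choices (Basic over TLS externally, NTLM internally) are one common arrangement, not the only valid one.

```powershell
# Added example, not from the course: configure Outlook Anywhere on one Client
# Access server and validate it. Host names (mail.adatum.com, LON-CAS1) are
# taken from the lab; the cmdlets and parameters are the product's own.

$Server   = "LON-CAS1"
$HostName = "mail.adatum.com"   # the name clients connect to; must be on the IIS certificate

# Require TLS in both directions. External clients use Basic authentication,
# which is only acceptable because RequireSsl forces it inside TLS and because
# most reverse proxies can pre-authenticate it; internal clients use NTLM.
Get-OutlookAnywhere -Server $Server | Set-OutlookAnywhere `
    -ExternalHostname $HostName `
    -InternalHostname $HostName `
    -ExternalClientsRequireSsl $true `
    -InternalClientsRequireSsl $true `
    -ExternalClientAuthenticationMethod Basic `
    -InternalClientAuthenticationMethod Ntlm `
    -IISAuthenticationMethods Basic, Ntlm

# Sanity check: a certificate bound to IIS on this server must carry $HostName,
# or Outlook will warn about the name or prompt for credentials repeatedly.
$iisCerts = Get-ExchangeCertificate -Server $Server | Where-Object { "$($_.Services)" -match "IIS" }
$iisNames = @($iisCerts | ForEach-Object { $_.CertificateDomains } | ForEach-Object { "$_" })
if ($iisNames -notcontains $HostName) {
    Write-Warning "No IIS-bound certificate on $Server contains $HostName"
}

# Server-side self test. Follow it with the Exchange Connectivity Analyzer from
# outside the network, which exercises the published name end to end.
Test-OutlookConnectivity -ProbeIdentity "OutlookRpcSelfTestProbe" | Format-List
```

The self-test probe runs on the server and confirms that the RPC-over-HTTP proxy answers; it does not prove that the name resolves or that the certificate is trusted from the Internet, which is why the text pairs it with the web-based analyzer.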
What is MAPI over HTTPS?

MAPI over HTTPS is a new transport used to connect Outlook and Exchange. MAPI over HTTPS was introduced with Exchange Server 2013 Service Pack 1 and Outlook 2013 Service Pack 1. It is the long-term replacement for RPC over HTTP connectivity (Outlook Anywhere). MAPI over HTTPS removes the complexity of Outlook Anywhere's dependency on the legacy RPC technology.
MAPI over HTTPS moves connectivity to a true HTTP request/response pattern and no longer requires two long-lived TCP connections to be open for each session between Outlook and Exchange. The two RPC_DATA_IN and RPC_DATA_OUT connections are no longer required for each RPC over HTTPS session. This change reduces the number of concurrent TCP connections established between the client and server. MAPI over HTTPS generates a maximum of two concurrent connections: one long-lived connection and an additional on-demand, short-lived connection.
Outlook Anywhere also added to the complexity by essentially double-wrapping all of the communications with Exchange. MAPI over HTTPS removes the RPC encapsulation within HTTP packets sent across the network, thereby making MAPI over HTTPS a better understood and more predictable HTTP payload.
An additional network-level change is that MAPI over HTTPS decouples the client/server session from the underlying network connection. With Outlook Anywhere connectivity, if a network connection was lost between client and server, the session was invalidated and had to be reestablished all over again, which is a time-consuming and expensive operation. In MAPI over HTTPS, when a network connection is lost, the session itself is not reset for 15 minutes, and the client can simply reconnect and continue where it left off before the network-level interruption took place. This is extremely helpful for users who might be connecting from low-quality networks.
Additionally, in the past an unexpected server-side network outage would result in all client sessions being invalidated and a surge of reconnections being made to a Mailbox server. Depending on the number of Outlook clients reconnecting, the re-establishing of so many RPC over HTTPS connections might strain the resources of the Mailbox server, and possibly extend the outage in scope (to Outlook clients connected to multiple servers) and time, all caused by a single server-side network outage.
Configuring MAPI over HTTPS
MAPI over HTTPS is not enabled by default for an Exchange organization and therefore needs to be enabled, provided the servers and clients meet the following prerequisites:
Clients have to run Outlook 2013 Service Pack 1.
Client Access servers and Mailbox servers must be updated to Exchange Server 2013 Service Pac
.NET Framework 4.5.1 must be deployed on all the Exchange servers not running Windows Serve
Once your organization meets the prerequisites, you can enable MAPI over HTTPS by performing the following steps:
1. Setting the MAPI over HTTPS virtual directory configuration for Authentication methods, Inte
2. Ensuring the certificates are set up correctly according the Virtual Directory URL configuration
3. Ensuring the server rules are set up correctly on load balancers, reverse proxies, and firewalls to
4. Enabling the MAPI over HTTPS for your organizations by running the following command: Se
Enabling MAPI over HTTPS is a fairly straightforward process, but you should still validate that it is working in production. You can test end-to-end client connectivity for MAPI over HTTPS by using the Test-OutlookConnectivity PowerShell cmdlet and specifying the ProbeIdentity parameter as OutlookMapiHttpSelfTestProbe.
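As an added example (not from the course text), the four steps above carried out in the Exchange Management Shell, followed by the self-test probe; the server name LON-CAS1, the host name mail.adatum.com and the mailbox AidanD@adatum.com are assumed values.

```powershell
# Added example, not course code. Assumed names: LON-CAS1, mail.adatum.com, AidanD@adatum.com.

# Step 1: MAPI virtual directory URLs and IIS authentication methods.
# Publishing only NTLM/Negotiate keeps Basic authentication off the /mapi path.
Set-MapiVirtualDirectory -Identity "LON-CAS1\mapi (Default Web Site)" `
    -InternalUrl "https://mail.adatum.com/mapi" `
    -ExternalUrl "https://mail.adatum.com/mapi" `
    -IISAuthenticationMethods Ntlm, Negotiate

# Step 2: confirm the certificate bound to IIS covers the host name just published
# and has not expired; clients will refuse the connection otherwise.
Get-ExchangeCertificate -Server LON-CAS1 |
    Where-Object { $_.Services -match "IIS" } |
    Format-List Thumbprint, CertificateDomains, NotAfter

# Step 3 (load balancer, reverse proxy and firewall rules for /mapi) is done outside
# Exchange and is not scripted here.

# Step 4: enable MAPI over HTTPS for the organization.
Set-OrganizationConfig -MapiHttpEnabled $true
Get-OrganizationConfig | Format-List MapiHttpEnabled

# Validation: run the self-test probe against a real mailbox from the server itself.
# A Result other than Succeeded means the published URL, certificate or rules are wrong.
Test-OutlookConnectivity -ProbeIdentity OutlookMapiHttpSelfTestProbe `
    -MailboxId AidanD@adatum.com `
    -RunFromServerId LON-CAS1 |
    Format-List Result, Error, Latency
```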
What Is Exchange ActiveSync?
Exchange ActiveSync is an XML-based protocol that enables mobile devices to communicate over HTTP (or HTTPS) with an Exchange Server. The protocol is designed for the synchronization of email, contacts, calendar, tasks, and notes from an Exchange server to a mobile device with a supported mobile platform (also known as a mobile operating system). The ActiveSync protocol also provides mobile-device management and policy controls. The Exchange ActiveSync communication process is optimized to function over both high-latency and low-bandwidth networks, such as General Packet Radio Service (GPRS) or EDGE, but it can also benefit from high-speed networks such as 3G or LTE.
By default, Exchange ActiveSync is available for all users after you install a Client Access server. ActiveSync has evolved through many versions over the last 12 years. ActiveSync is implemented in Exchange Server 2013 and in the Microsoft mobile operating systems Windows Phone 7 and Windows Phone 8.
The connection established by using the ActiveSync protocol is very similar to Outlook Anywhere. One difference between Exchange ActiveSync and Outlook Anywhere, apart from the client connection type, is the device that is used to view the email. With Outlook Anywhere, the end device is a mobile computer, which can be a member of the internal Active Directory Domain Services (AD DS) domain and can be managed as an AD DS member. With Exchange ActiveSync, the end device is a mobile client, which cannot be a member of the local domain.
Note: Windows 8 is not only a mobile platform, but also a desktop operating system with a built-in email application that uses ActiveSync to connect to the Exchange Server.
Microsoft has licensed the ActiveSync protocol to most mobile platform vendors, such as Google, Apple, and Symbian. Because of this licensing arrangement, most of today's mobile platforms support ActiveSync; however, not all platforms support every ActiveSync feature. Each mobile platform vendor can choose the functionalities that it will implement in its mobile platform.
What Is Outlook Web App Light?

Outlook Web App Light is a smaller version of Outlook Web App. You can use it for mobile platforms that either do not support Exchange ActiveSync, or on which ActiveSync is not enabled on the Exchange Server side. This is a lightweight web-based email client intended for use from HTML-compatible mobile browsers on mobile devices such as smart phones and tablets. It uses a very simple HTML4-based UI which works in most Internet browsers in existence.
Outlook Web App Light is fully based on the Outlook Web App architecture. Because it works within Outlook Web App, it uses all of the segmentation flags that exist in Outlook Web App, and some subset of Outlook Web App settings.
Outlook Web App Light enables users to:
Access email, calendar, contacts, tasks, and the global address list (GAL).
Access email subfolders.
Compose, reply to, and forward email messages.
Create calendar, contact, and task items.
Handle meeting requests.
Set the time zone and automatic-reply messages for when users are out of the office and not availa
Outlook Web App Light uses the same public session time-out values that Outlook Web App uses. It is important to note that there is no logoff functionality in Mobile Outlook Web App, because the system does not rely on the fact that the browser will forget the stored password after the default time-out value.
You can access the Outlook Web App Light version by accessing the Outlook Web App URL with a mobile browser or a browser that does not support the full version of Outlook Web App.
Connecting Non-Outlook Clients to the Client Access Server

In some scenarios, non-Outlook clients need to be connected to the Exchange Server. This occurs in organizations that employ an email client other than Microsoft Office on client machines.
Exchange Server supports client connections from non-Outlook clients. The functionality achieved is not always comparable.
Companies that do not have Outlook deployed on client machines can alternatively use Outlook Web App instead of the locally installed client software. This provides a consistent user experience that is very similar to the Outlook user experience, but is not quite as robust. Alternatively, you can connect existing email applications to Exchange using the POP3 or IMAP4 protocols. These protocols are set to be started manually by default in Exchange installations, but you can start them by setting the corresponding services to the automatic state. Be aware that Exchange Server 2013 requires that a POP3 connection be established over a secure channel, so this must be set in the email client software.
If client machines have Windows 8 deployed, you can use the integrated Mail application to connect to the Exchange Server by using the ActiveSync protocol. This also provides a good user experience, although the Mail application is very simple and provides few options.
Lesson 2: Configuring Outlook Web App
Besides using the Outlook client software, the most common way to access a mailbox on an Exchange Server is through Outlook Web App. Outlook Web App is a web-based application that provides a full-featured client experience for accessing mailbox content. You can access it from both internal and external networks and have the same user experience. However, you can configure many options for Outlook Web App to make it more secure and to provide a positive user experience.
Lesson Objectives
After completing this lesson, you will be able to:
Describe configuration options for Outlook Web App.
Describe Outlook Web App policy.
Configure Outlook Web App options and policies.
Describe and use integrated applications in Outlook Web App.
Describe Office Web Apps Server integration.
Describe Outlook Web App offline access.
Enable and use Outlook Web App offline access.
Configuring Options for Outlook Web App

Although Outlook Web App is available automatically on Client Access servers, you must configure Outlook Web App to support your users' specific requirements.
Configuration Tasks for Outlook Web App
When using the Exchange Administration Center (EAC) to configure Outlook Web App, you can perform the following tasks:
Install and configure an SSL server certificate to enable SSL for all client connections.
Define internal and external URLs for accessing Outlook Web App from an internal network and fr
Set authentication options. You can choose among basic, integrated, digest, and form-based authent
Configure the Outlook Web App virtual directory. When you install the Client Access server role, a
(IIS) websiteon the Client Access server. In most cases, you will not have to modify the Outlook W
Configure features available in Outlook Web App. You can enable or disable specific Outlook Web
ionally, you can configure the same settings in Outlook Web App at the policy level, and then selec
Configure File Access settings. You can configure file access behavior based on the type of comput
OWAVirtualDirectory cmdlet with the parameters AllowedFileTypes, AllowedMimeTypes, Blocke
A full set of options for Outlook Web App is available in Exchange Management Shell. The Set-OwaVirtualDirectory cmdlet must be used to define the properties of the OWA virtual directory on
o AllowedFileTypes. The AllowedFileTypes parameter specifies the extensions of file types that the
o BlockedFileTypes. The BlockedFileTypes parameter specifies a list of extensions of attachments t
o ChangePasswordEnabled. The ChangePasswordEnabled parameter controls whether users are allo
o LogonFormat. The LogonFormat parameter specifies the type of logon format for Outlook Web A
o IRMEnabled. The IRMEnabled parameter specifies whether the Information Rights Management (
o RedirectToOptimalOWAServer. This parameter, when set to $true, causes Outlook Web App to us
You can also manage several Outlook Web App options in the EAC, by navigating to Outlook Web
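An added example, not from the course text, that applies several of the Set-OwaVirtualDirectory parameters listed above in one pass and reads the result back; the server name LON-CAS1 is assumed, and the AllowOfflineOn value belongs to the offline-access topic covered later in this lesson.

```powershell
# Added example, not course code. Assumed server name: LON-CAS1.
# Settings are splatted so each one can carry its own comment.
$owaSettings = @{
    Identity                                 = "LON-CAS1\owa (Default Web Site)"
    LogonFormat                              = "PrincipalName"        # users sign in as user@adatum.com
    ChangePasswordEnabled                    = $true                  # lets users rotate an expiring password
    IRMEnabled                               = $true                  # IRM-protected mail renders in the browser
    RedirectToOptimalOWAServer               = $true
    AllowOfflineOn                           = "PrivateComputersOnly" # no offline cache on public/shared computers
    DirectFileAccessOnPublicComputersEnabled = $false                 # no attachment download on public computers
}
Set-OwaVirtualDirectory @owaSettings

# BlockedFileTypes is multi-valued; @{Add=...} appends instead of replacing the built-in list,
# so the existing blocked extensions are kept.
Set-OwaVirtualDirectory -Identity $owaSettings.Identity `
    -BlockedFileTypes @{Add = ".ps1", ".bat", ".cmd", ".js", ".vbs"}

# Read the effective values back. A value that does not match what was set above
# means the change was not applied (for example, a typo in the identity).
Get-OwaVirtualDirectory -Identity $owaSettings.Identity |
    Format-List LogonFormat, ChangePasswordEnabled, IRMEnabled, RedirectToOptimalOWAServer,
                AllowOfflineOn, DirectFileAccessOnPublicComputersEnabled, BlockedFileTypes
```

Where a user has an Outlook Web App mailbox policy assigned, the policy's values for the same settings take precedence over the virtual directory values, so check both when a user reports unexpected behaviour.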
What Is Outlook Web App Policy?

Outlook Web App policy enables administrators to set Outlook Web App behavior for a specific user or users. An OWA policy is an object that enables you to configure a set of options for Outlook Web App and assign these options to a specific user's mailbox. After you assign an Outlook Web App policy, all settings from the policy will be applied for that specific user when he or she uses the Outlook Web App interface.
The Outlook Web App policy can be configured within the Exchange Administration Center by navigating to Permissions and then clicking on the Outlook Web App Policies tab. By clicking the New button, an OWA policy is created but not immediately assigned to a mailbox. When creating a new Outlook Web App policy, you can specify the following settings:
Policy name. Enter a descriptive name for the policy.
Communication-management options. Specify whether users will be able to use instant messag
Information-management options. Enable or disable Public Folders, Journaling, Notes, Search F
Security options. Configure junk email filtering, and specify whether users are prevented from ch
User-experience options. Set options for Outlook Web App themes, premium client, and email si
Time-management options. Specify whether users can update the Calendar, Tasks, Reminders, a
Direct file access and web-ready document-viewing options. Select options for public and priv
Offline Access. Indicate whether the offline Outlook Web App (discussed later in this lesson) can
After you set up an Outlook Web App policy, you must assign it to a user mailbox. This can be accomplished by opening the user mailbox properties, navigating to Mailbox Features > Email Connectivity, and then selecting the Outlook Web App Mailbox Policy to assign to the user. If you want to assign an Outlook Web App policy to multiple users simultaneously, use the Exchange Management Shell cmdlet Set-CASMailbox. For example, if you want to set a policy called External Users Policy for the user AidanD, you should type:
Set-CASMailbox -Identity AidanD@adatum.com -OwaMailboxPolicy "External Users Policy"
Demonstration: Configuring Outlook Web App Options and Policy
Demonstration Steps
1. Sign in to Exchange Administration Center (EAC) on LON-CAS1, as Adatum\Administrator.
2. Edit settings for Outlook Web App (Default Web Site).
3. Set the external URL for Outlook Web App virtual directory to be https://mail.adatum.com.
4. Disable Journaling and Themes functionalities in Outlook Web App.
5. Disable Direct file access in Public or shared computer.
6. Create a new Outlook Web App policy.
7. Name the policy External Users Policy.
8. Disable options for Instant messaging, Text messaging options, Recover deleted items, and dire
9. Apply the policy to the user Adam Barr.
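The policy part of this demonstration (steps 6 to 9) scripted in the Exchange Management Shell, as an added example that is not part of the course material; the organizational unit used for the bulk assignment is an assumed name.

```powershell
# Added example, not course code. The OU "adatum.com/External Users" is assumed.

# Steps 6-8: create the policy, then switch off instant messaging, text messaging,
# recover deleted items and direct file access (both public and private computers).
New-OwaMailboxPolicy -Name "External Users Policy"
Set-OwaMailboxPolicy -Identity "External Users Policy" `
    -InstantMessagingEnabled $false `
    -TextMessagingEnabled $false `
    -RecoverDeletedItemsEnabled $false `
    -DirectFileAccessOnPublicComputersEnabled $false `
    -DirectFileAccessOnPrivateComputersEnabled $false

# Step 9: assign the policy to a single user ...
Set-CASMailbox -Identity "Adam Barr" -OwaMailboxPolicy "External Users Policy"

# ... or to every mailbox in an OU in one pipeline.
Get-Mailbox -OrganizationalUnit "adatum.com/External Users" -ResultSize Unlimited |
    Set-CASMailbox -OwaMailboxPolicy "External Users Policy"

# Verify the assignment. Any mailbox not in this list still uses the Default policy,
# which enforces none of the restrictions above.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.OwaMailboxPolicy -eq "External Users Policy" } |
    Select-Object Name, OwaMailboxPolicy, OWAEnabled
```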
Integrated Applications in Outlook Web App

To enhance the users' experience with Outlook Web App, Microsoft has implemented some additional applications in the OWA interface. The purpose of these applications is to recognize a user's needs based on the message content.
By default, the following applications are installed in the OWA interface:
Bing Maps. This application searches for addresses in your email messages. If it finds text that look
(This is limited to selected countries).
Suggested Appointments. This application looks for phrases in your messages that suggest or propo
Unsubscribe. This application is activated on messages from subscription message feeds, and enabl
Action Items. This application looks for possible task suggestions in your emails. If a task suggestio
Administrators can use the Exchange Administration Center to manage the applications available to users in the organization. In the Exchange Administration Center, you should click the organization and then click on the Apps tab. You can disable default applications and add new ones, and you can choose to add applications from either the Office Store, a URL, or a file.
Demonstration: Using Apps in Outlook Web App
Demonstration Steps
1. On LON-CL1, open Internet Explorer and sign in to Outlook Web App as Administrator.
2. Send a new email to Aidan Delaney with the following text:
o Are you available to meet with me tomorrow at 10:00 AM? Meeting location is Microsof
3. Sign out, and then sign in to LON-CL1 as Aidan.
4. Open Outlook 2013.
5. Click on the message from the Administrator.
6. Verify that the Bing Maps and Suggested Meetings tabs are present in the email body.
What Is Office Web Apps Server Integration?

In previous versions of Exchange Server, such as Exchange 2010, attachments on email messages opened either by using a locally installed application or by using web-ready document viewing technology (for Microsoft Office formats). Web-ready document viewing enables users to open and see the content of Office documents even if they do not have a locally installed set of Office applications.
In Exchange Server 2013, Outlook Web App provides enhanced attachment management. This includes rich attachment preview functionality and the ability for users to modify attachments online. For example, if you received a Word document as an email attachment in Exchange Server 2010, you were able to see it in the Exchange Server 2010 version of Outlook Web App, but you could not modify its content unless you had Word installed locally.
By implementing Office Web Apps Server integration with Exchange Server 2013, users who do not have Office installed locally can now open and modify email attachments by using Office Web Apps such as Word, Excel, and PowerPoint.
Office Web Apps Server integration is available to all Exchange Online customers. For Exchange deployed on-premises, you need to deploy Office Web Apps Server to enable this, and then integrate your locally installed version of Exchange with the Office Web Apps Server. Your locally deployed Office Web Apps Server must be accessible from the Internet so that both internal and external OWA users can use it when handling attachments.
To use Office Web Apps Server to render attachments in Outlook Web App, you must specify the Office Web Apps Server URL. You must use the Set-OrganizationConfig cmdlet to configure the URL.
For example, let us assume that your Office Web Apps Server is available at the following location: https://Server1.adatum.com/hosting/discovery.
You should type the following cmdlet in the Exchange Management Shell to configure integration with a locally installed Exchange Server:
Set-OrganizationConfig -WACDiscoveryEndPoint https://Server1.adatum.com/hosting/discovery
You also can control whether the users on public or private computers can use the Office Web Apps Server integration when they sign in to Outlook Web App. For example, if you want to enable Office Web Apps Server integration on private computers, you can use the following cmdlet:
Set-OwaVirtualDirectory "LON-CAS01\owa (Default Web Site)" -WacViewingOnPrivateComputersEnabled $true
Using Outlook Web App in Offline Mode

In Exchange Server 2013, Outlook Web App can work in an offline mode. This means that users can sign in to Outlook Web App and access mailbox content even when they are not connected to an Exchange Server. Everything that the user does in the mailbox is synchronized with the Exchange Server as soon as the connection to Exchange is re-established. This also provides an improved experience for users who work on a slow or intermittently connected network because it enables the user to work faster.
In previous versions of Exchange Server, users could not use Outlook Web App offline. The only way to use email in offline mode was to configure an Outlook client to work offline. Users did this by caching the user's mailbox in an .ost file on a local computer. This has changed with Exchange Server 2013 because of its ability to use Outlook Web App in an offline mode.
Offline Outlook Web App is enabled on a computer-by-computer basis. This means that the user should enable it on each computer where he or she wants to use this feature. We recommend that offline Outlook Web App be enabled only on private computers, for security reasons, in part because the user mailbox is stored on the local computer in the browser cache. Internet Explorer will store cached mailbox data in %systemdrive%\Users\%username%\AppData\Local\Microsoft\Internet Explorer\Indexed DB. You also can manage this cache from the Internet Explorer option called Caches and databases. When you open Internet Explorer Options, you should click Settings on the General tab, and then click on Caches and databases. From here you can delete the cache (and basically disable Outlook Web App Offline) or change notification settings for cache size.
Administrators can control which users are able to use offline Outlook Web App by implementing Outlook Web App policies.
The functionality that Offline Outlook Web App provides is most similar to the capabilities provided by phone clients that run Exchange ActiveSync. Part of the mailbox content is cached locally on the computer, just as it is cached on smartphones.
Users can perform the following actions while working offline in Outlook Web App:
Access email stored in the Inbox, Drafts, or other folders (up to 15) viewed within the last three da
Access Calendar (the previous month up to a year in advance).
Access Contacts.
Send messages and Calendar invitations.
Delete messages.
Receive active reminders (for the last two months).
Accept or decline meeting requests.
Set flags and categorize messages.
Offline Outlook Web App has certain limitations. For example, you cannot access your online archive, team folders, or tasks. You also cannot perform full-text search in your mailbox. To use Outlook Web App offline, you should use Internet Explorer 10 or newer, Google Chrome 17 or newer, or Safari 5 or newer.
You can use Exchange Management Shell to specify the computers that will be allowed to use OWA Offline Access. You should use the Set-OWAVirtualDirectory cmdlet with the AllowOfflineOn parameter. The AllowOfflineOn parameter specifies which computers can use Outlook Web App in Offline mode. The possible values are PrivateComputersOnly, NoComputers, or AllComputers. The value is set to AllComputers by default. If you set the value to PrivateComputersOnly, only users who log into Outlook Web App using the Private option will be able to use Outlook Web App in Offline mode.
Demonstration: Enabling and Using Outlook Web App in Offline Mode
Demonstration Steps
1. On LON-CL1, sign in to OWA as Adatum\Aidan.
2. In Outlook Web App options, turn on offline access.
3. In Hyper-V Manager, temporarily disconnect LON-CL1 from the network.
4. Open Internet Explorer of LON-CL1, and open the https://lon-cas1.adatum.com/owa.
5. Verify that you can access mailbox content.
6. Send a test email to Administrator while working offline.
7. Reconnect LON-CL1 to the network.
8. On LON-CAS1, log on to OWA as Administrator.
9. Verify that you received an email that Aidan sent from the Outlook Web App offline mode.
Lesson 3: Planning and Configuring Mobile Messaging
Using smartphones and tablets for messaging has become very popular. Many smartphone users use their devices intensively for email, calendar, tasks, and other purposes. By using the ActiveSync protocol, Exchange Server 2013 provides a reliable platform for connecting various types of mobile devices. This protocol not only provides functionality for mobile devices, but also enables administrators to secure and manage these devices.
Lesson Objectives
After completing this lesson, you will be able to:
Describe how Exchange ActiveSync works.
Describe the supported features in Exchange ActiveSync.
Describe direct push.
Describe remote wipe.
Describe mobile device quarantine.
Manage mobile devices with Exchange ActiveSync policies.
Describe options for mobile device management in the Exchange Server Administration Center.
Manage mobile devices using Outlook Web App.
Describe alternatives for mobile device management.
Discussion: Using Mobile Devices in Business Environments

This discussion focuses on the current use of mobile devices in business environments, and associated management and security techniques.
Discuss the following questions:
Do you use mobile devices (smartphones and tablets) in your business environment?
Which mobile platform do you primarily use in your company? On what did you base your decisi
What services, such as, email, calendar, tasks, and notes, do you use on mobile devices?
Are you connecting mobile devices to your company infrastructure, or do you use cloud-based ser
Do you have any security policies enforced for mobile devices that connect to your environment?
Do you have any management technology implemented for mobile devices?
Do you use ActiveSync?
How Exchange ActiveSync Works
Most mobile platforms now support the ActiveSync protocol for messaging, calendar, contacts, and tasks. By using the ActiveSync protocol, a mobile device can securely connect to an Exchange Server and synchronize its data. The connection from the mobile device to the Exchange Server is established securely by using HTTPS. Most devices that support ActiveSync can also use Autodiscover, so they are able to automatically configure most of the settings on the mobile device by using the following process:
1. The user begins the configuration of the ActiveSync account on a mobile device by entering an email address and password.
2. Based on the user's email address, the mobile device connects to the DNS server, and looks for the
3. The mobile device uses an HTTPS connection to connect to the Autodiscover service virtual direc
4. The Autodiscover service sends the XML response through the firewall over SSL. This XML resp
Note: Because mobile devices use HTTPS to connect to the Exchange Server, each device must tr
e device. You can manually import various ways depending on the mobile platform you used.
How ActiveSync-Based Clients Connect to the Exchange Server
When users connect to the Client Access server with a mobile device, the following process occurs:
1. The Exchange ActiveSync client uses HTTPS to connect to the Microsoft-Server-ActiveSync virtu
2. If the user's mailbox is on a Mailbox server in the same site as the Client Access server, then the C
Mailbox server in the appropriate site.
3. If Exchange ActiveSync is supported by the operating system on the mobile device, it can use D
t HTTPS connection to the Client Access server, resulting in instant message retrieval and real-tim
Once the client has established the ActiveSync connection to the Exchange Server, it downloads contacts, calendar items, emails, and other configured items. On most platforms, you can choose how many days of calendar and email messages you will sync to the device. This data is synchronized with the Exchange Server in one of two ways: either automatically if Direct Push is enabled, or manually by the user.
Note: The data that a user syncs from the Exchange Server to his or her mobile device stays on the device even when the connection to Exchange is not available. For this reason, it is very important that devices are secured.
Supported Features in Exchange ActiveSync
The ActiveSync protocol provides many features and functionalities. Some of the most important features of Exchange ActiveSync in Exchange Server 2013 include:
Support for HTML-formatted messages.
Support for follow-up flags on messages.
Conversation grouping of email messages.
Ability to synchronize or not synchronize an entire conversation.
Synchronization of Short Message Service (SMS) messages with a user's Exchange mailbox.
Support for viewing message reply status.
Support for fast message retrieval.
Meeting attendee information.
Enhanced Exchange Search.
PIN reset.
Enhanced device security through password policies.
Autodiscover for over-the-air provisioning.
Support for setting automatic replies when users are away, on vacation, or out of the office.
Support for task synchronization.
Direct Push.
Support for availability information for contacts.
Global address list (GAL) photos. Images stored in an Active Directory server of the user who has
Message Diffs. A means of sending only the new portion of an email and avoiding redundant info
Information Rights Management (IRM) over Exchange Active Sync. A method to apply digital rig
Exchange ActiveSync is licensed to many different mobile operating system manufacturers. You can use ActiveSync to connect Windows Phone 7 (or later), iOS 4 (or newer), and Android version 2 (and newer) mobile devices to an Exchange Server. However, not all devices support the same set of ActiveSync features. Exchange ActiveSync features are dependent on the operating system version running on the mobile device. You need to verify which features are supported on your mobile device.
Note: Because most tablet devices also run a mobile operating system, they also use the ActiveSync protocol to connect to the Exchange Server.
What Is Direct Push?

Direct Push is a feature built into Microsoft Exchange Server 2013 that keeps a mobile device current over a cellular or Wi-Fi network connection. It provides notification to the mobile device when new content is ready to be synchronized to the mobile device. The client then initiates synchronization to download the new items.
You establish Direct Push by using the following steps:
1. The mobile device issues a long-standing HTTPS request to the server. This request is known as a PING. The PING leaves an HTTPS conne
2. If new items arrive or items are changed, the server sends a response to the device that includes the
3. If the response is not empty, the mobile device issues a synchronization request, synchronizes with
4. When the user makes a change on the mobile device, the device uses the existing HTTPS connecti
To enable Direct Push to work through your firewall, you must open TCP port 443. This port is required for ActiveSync communication, and it must be opened between the Internet and the Client Access server.
In addition to opening ports on your firewall, you should increase the time-out value on your firewall to 15 to 30 minutes for optimal Direct Push performance. The maximum length of the HTTPS request is determined by the following settings:
The maximum time-out value that is set on the firewalls that control the traffic from the Internet to
The firewall time-out values that are set by the mobile service provider.
A short time-out value causes the device to initiate a new HTTPS request more frequently. This ca
What Is Remote Wipe?

When an ActiveSync connection is established between a mobile device and an Exchange Server, the mobile device stores part of the data from the user's mailbox. The mobile device also stores the user's domain credentials, which are the user name and password needed to authenticate to the Client Access server. If a device is lost or stolen, that data can be compromised.
Because the risk of losing a mobile device is especially high, you must secure data on mobile devices. You can secure mobile devices by enforcing an ActiveSync policy that specifies password requirements for the device. However, this does not prevent data from being compromised when devices are lost or stolen.
For cases when a device is lost or stolen, Exchange Server provides an option called Remote Wipe. When this command is issued, it deletes all data on the phone and storage cards, and resets all settings to factory defaults. Restoring settings to factory defaults prevents any unauthorized user from accessing your account data or data cached on the device. If you are performing a remote device wipe on a mobile phone in your possession, and you want to keep the data on the storage card, remove the storage card before you initiate the remote device wipe.
Note: Many newer smartphones do not have removable storage, so keep in mind that Remote Wipe will destroy all data on the device.
The Remote Wipe command can be issued by the user of a specific mobile device, by using the Outlook Web App interface, or by an administrator using the Exchange Administration Center or the Exchange Management Shell. However, the Remote Wipe command will only be accepted by the device if it still has a connection with the Exchange server, either by mobile data (3G, LTE, or a similar mobile data service) or by Wi-Fi. If the connection is lost (for example, the subscriber identity module, or SIM, card is removed or the ActiveSync account is removed manually on the device), Remote Wipe will not work. For this reason, you must ensure that you issue a Remote Wipe command as soon as possible.
Note: After a remote device wipe, data recovery is very difficult. However, no data-removal process leaves a device as free from residual data as when it is new. It may still be possible to retrieve data from a device using sophisticated tools.
What Is Mobile Device Quarantine?

Microsoft Exchange Server 2013, with the latest version of the ActiveSync protocol, offers some new features in the area of mobile device management for both users and administrators. As an administrator, you can create allow lists, block lists, and quarantine lists that specify which mobile devices are allowed to access your Exchange mailboxes. This allows you to identify the devices that users can connect to the Exchange Server. For example, you can specify that only devices that are running a Windows Phone 7 or newer operating system can connect to the Exchange Server.
This capability is achieved by defining the device access state for each mobile device that connects to the Exchange Server. A device access state is the status of a particular device. You can control device access states in several ways, and a mobile device will behave differently in each access state. The access state of a device can be one of the following:
Allowed. In the Allowed access state, a mobile device can synchronize through Exchange ActiveSy
tiveSync-configured mailbox policies. This is the default state for all devices, because Exchange Se
Blocked. If the device access rule specifies a device that should be blocked, that device cannot conn
mail message from the Exchange Server that indicates that the mobile device was blocked from acc
If this is the case, the user cannot receive an email message that indicates that the mobile device was blocked from accessing his or her mailbox. However, the mobile device information displayed in Outlook Web App shows that it is blocked due to the device's failure to apply the Exchange ActiveSync mailbox policies.
Quarantined. When a mobile device is in a quarantined state, it is allowed to connect to the Exchang
he user's mailbox. The user will receive a single email message that tells him or her that the mobile
e devices arequarantined. A device will remain in quarantined state until the administrator decides w
You can create and manage ActiveSync device access rules by using the Exchange Administration Center or the Exchange Management Shell.
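The same quarantine workflow in the Exchange Management Shell, as an added example that is not part of the course text. The administrator notification address, the user Aidan (named in the lab) and the placeholder DeviceId are assumptions; the cmdlets and their parameters are the Exchange Server 2013 ones.

```powershell
# Added example (not from the course): manage Exchange ActiveSync device access from the
# Exchange Management Shell. Assumed values: the administrator notification address,
# the user Aidan whose device is approved, and the placeholder DeviceId of a lost device.

# 1. Organization default. Every device that no access rule matches is quarantined, the
#    administrators get a message for each new quarantined device, and the single
#    notification the user receives carries the extra text below.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients 'exchangeadmins@adatum.com' `
    -UserMailInsert 'Your device is waiting for approval by the A. Datum Exchange team.'

# 2. Review what is waiting. DeviceAccessState is the state described in the text, and
#    DeviceAccessStateReason says whether the global default or a rule produced it.
$quarantined = Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq 'Quarantined' }
$quarantined |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceOS, DeviceId, DeviceAccessStateReason |
    Format-Table -AutoSize

# 3. Approve one request. The DeviceType value is read from the device itself rather
#    than typed by hand, because devices report these strings in their own format.
$request = $quarantined |
    Where-Object { $_.UserDisplayName -like '*Aidan*' } |
    Select-Object -First 1
if ($request) {
    # Personal exemption: allow exactly this DeviceId for exactly this mailbox. Personal
    # exemptions take precedence over access rules, which take precedence over the default.
    Set-CASMailbox -Identity 'Aidan' -ActiveSyncAllowedDeviceIDs @{Add = $request.DeviceId}

    # Family rule: allow every device that reports the same DeviceType (the text's example
    # is the Windows Phone 7 or newer platform). Rules match the characteristic exactly,
    # so check the reported value before you create the rule.
    New-ActiveSyncDeviceAccessRule -Characteristic DeviceType `
        -QueryString $request.DeviceType -AccessLevel Allow
}

# 4. A lost or unwanted device is blocked for its mailbox by DeviceId. Use the value
#    shown by Get-MobileDevice for that user; the one below is a placeholder.
Set-CASMailbox -Identity 'Aidan' -ActiveSyncBlockedDeviceIDs @{Add = 'DEVICEID-OF-THE-LOST-DEVICE'}

# 5. Check the resulting rule set and how many devices are in each access state.
Get-ActiveSyncDeviceAccessRule | Format-Table Name, Characteristic, QueryString, AccessLevel -AutoSize
Get-MobileDevice -ResultSize Unlimited | Group-Object DeviceAccessState | Select-Object Name, Count
```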
Securing Mobile Devices with Mobile Device Mailbox Policies

Mobile clients such as Exchange ActiveSync clients are difficult to secure. Because the devices are small and portable, they are susceptible to being lost or stolen. At the same time, they may contain highly confidential information. The storage cards that fit into mobile device expansion slots can store increasingly large amounts of data. While this data-storage capacity is important to the mobile-device user, it also heightens the concern about data falling into the wrong hands.
Mobile clients also are difficult to manage using centralized policies because the devices might rarely, or never, connect to the internal network. The devices also do not require Active Directory accounts, so you cannot use Group Policy Objects (GPOs) to manage the client settings.
Implementing Mobile Device Mailbox Policy
Mobile Device Mailbox Policy provides one option for securing mobile devices. When you apply the policy to a user, the mobile device automatically downloads the policy the next time the device connects to the Client Access server. Exchange ActiveSync lets you enforce password requirements on a mobile device and configure several other security options. All of these settings are mandatory, which means that if they are applied, users cannot change them from the client side.
Mobile Device Mailbox policies are applied on a user-by-user basis, which means you can create different policies for different users. However, the policies can be applied only to the level that the mobile device supports. Policy settings that the mobile platform does not support on the client side are ignored. Each user is assigned a default policy that does not enforce any security settings. You can create a new policy and declare it as the default policy so it will be automatically applied to all user accounts. To ensure that mobile devices are as secure as possible, you should configure Mobile Device Mailbox policies that require device passwords, and encrypt the data stored on the mobile device.
When implementing Mobile Device Mailbox Policy, you can configure the following options:
This is the default policy. Enables you to set policy as the default one and apply it to all users.
o Allow mobile devices that do not fully support these policies to synchronize. Enables devices tha
Require a password. Enables you to specify password requirements.
Allow simple passwords. Enables users to use passwords such as 1111 or 1234.
Require an alphanumeric password. Requires a password that includes both numbers and letters.
Require encryption on device. Requires the storage on a device to be encrypted.
Password must include this many character sets. Specifies how many different character sets a pass
Minimum password length. Specifies the minimum characters in the password.
Number of sign-in failures before device is locally wiped. Specifies the number of wrong attempts to enter device pa
same as that of a remote device wipe. The device is returned to its factory default condition. When a
Require sign-in after device has been inactive. Specifies the time, in minutes, of device inactivity af
Enforce password lifetime (days). Specifies the maximum time a password can be used on device.
Password recycle count. Specifies how many different passwords a user must use before repeating o
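The options above mapped onto the cmdlet that creates the policy, as an added example that is not part of the course text. The policy name and password values are the ones the lab in this module uses; the 90-day lifetime, the history of 8 and the user Adam Barr's explicit assignment are assumptions chosen to show the remaining options.

```powershell
# Added example (not from the course): create a Mobile Device Mailbox Policy from the
# Exchange Management Shell. Each hashtable key is the New-MobileDeviceMailboxPolicy
# parameter for one option in the list above.
$policy = @{
    Name                         = 'Adatum Mobiles'
    PasswordEnabled              = $true         # Require a password
    AllowSimplePassword          = $false        # No 1111 / 1234 style PINs
    AlphanumericPasswordRequired = $true         # Letters and numbers
    MinPasswordComplexCharacters = 2             # Password must include this many character sets
    MinPasswordLength            = 5             # Minimum password length
    MaxPasswordFailedAttempts    = 4             # Sign-in failures before the device is locally wiped
    MaxInactivityTimeLock        = '00:05:00'    # Require sign-in after 5 minutes of inactivity
    PasswordExpiration           = '90.00:00:00' # Enforce password lifetime: 90 days (assumed value)
    PasswordHistory              = 8             # Password recycle count (assumed value)
    RequireDeviceEncryption      = $true         # Require encryption on device
    AllowNonProvisionableDevices = $false        # Devices that cannot apply every setting are refused
    IsDefault                    = $true         # Becomes the default policy for all mailboxes
}
New-MobileDeviceMailboxPolicy @policy

# A policy can also be assigned explicitly to individual users, which is how a
# non-default policy reaches the subset of users it is meant for.
Set-CASMailbox -Identity 'Adam Barr' -ActiveSyncMailboxPolicy 'Adatum Mobiles'

# Verify the settings as Exchange stored them.
Get-MobileDeviceMailboxPolicy -Identity 'Adatum Mobiles' |
    Format-List IsDefault, PasswordEnabled, AlphanumericPasswordRequired, MinPasswordComplexCharacters,
                MinPasswordLength, MaxPasswordFailedAttempts, MaxInactivityTimeLock, PasswordExpiration,
                PasswordHistory, RequireDeviceEncryption, AllowNonProvisionableDevices

# The policy is only as strong as the device that applies it: settings the platform does
# not support are ignored. Per device, check whether the current policy was applied in
# full and whether a remote wipe would work at all.
Get-MobileDeviceStatistics -Mailbox 'Adam Barr' |
    Select-Object DeviceType, DeviceOS, DevicePolicyApplied, DevicePolicyApplicationStatus,
                  IsRemoteWipeSupported, LastPolicyUpdateTime
```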
Demonstration: Reviewing Options for Mobile Device Management in the Exchange Server Administration Center
Demonstration Steps
1. In the EAC, open the mobile pane.
2. Configure options to quarantine all devices until the administrator decides if they will be allowe
3. Configure that administrator receives the message when the device is in quarantine.
4. Configure new device access rule with the option: Quarantine Let me decide to block or al
Alternatives for Mobile Device Management

Exchange Server 2013 provides options for enforcing security settings on mobile devices through mobile device mailbox policies. However, because it provides no options for managing and provisioning mobile devices, you usually need a separate management solution to perform the following tasks:
Preconfigure mobile devices with company-defined options.
Deploy configuration profiles to mobile devices over the air.
Deploy applications to mobile devices over the air.
Control hardware and software behavior on mobile devices.
Deploy updates to mobile devices from a single administration point.
Enforce security options for mobile devices.
Currently, there is no single administration software or platform that can perform management of every type of mobile platform. Each mobile platform vendor provides its own management solution, or third-party companies provide on-premises or web-based solutions for mobile device management that are usually based on client software being deployed on mobile devices.
For Microsoft mobile platforms, the only mobile platform that supports full management capabilities is Windows Mobile 6.5 with Mobile Device Management Server 2008. However, this platform will no longer be developed. The newest release of the Windows Phone platform, version 8, supports greater management capabilities than Windows Phone 7.
You also can use cloud-based services such as Windows Intune for managing mobile devices. Windows Intune connects with the Exchange server installed on-premises and provides you the ability to create mobile device policies. Some capabilities for mobile device management are also integrated in System Center Configuration Manager.
Lesson 4: Configuring Secure Internet Access for Client Access Server
Exchange Server 2013 provides access to user mailboxes from a wide variety of clients. In many cases, these clients may be located outside the corporate network and may be accessing the user mailboxes through an Internet connection. Because the Exchange servers cannot provide this functionality without being accessible from the Internet, it is important that the connections from the Internet be as secure as possible. This lesson describes how to configure secure access to the Exchange servers from the Internet.
Lesson Objectives
After completing this lesson, you will be able to:
Describe Exchange Server security guidelines.
Secure Internet access components.
Deploy Exchange Server 2013 for Internet access.
Secure Client Access traffic from the Internet.
Secure simple mail transfer protocol (SMTP) connections from the Internet.
Describe the benefits of using a reverse proxy.
Exchange Server Security Guidelines

The Exchange Server 2013 design makes it secure when you deploy it. Many of its features, such as server roles, Kerberos version 5 authentication, and self-signed certificates, ensure that the servers present a minimal attack surface and facilitate encryption for most network traffic sent to and from Exchange servers.
To maintain Exchange Server security, organizations should implement regular processes to monitor and validate the Exchange Server configuration.
Apply Security and Software Updates
One of the most critical components for maintaining Exchange Server security is to install all security updates as soon as possible after their release; this includes both the operating system updates and the Exchange Server updates.
Before you update the installation, test the deployment of all software updates on your Exchange servers. To do this, you need a test environment that emulates your production environment.
Avoid Running Additional Software on Exchange Servers
One way to reduce an Exchange server's attack surface is to avoid running unnecessary software on the server. Ideally, you should dedicate the Exchange server to Exchange server roles. The only additional software that you should install are utilities, such as antivirus software and server-management tools.
Install and Maintain Antivirus Software
Virtually all organizations deploy antivirus software to guard against malicious email. You also should deploy file-level antivirus software on the Exchange servers to ensure that the servers are secure from virus attacks. Exchange Server 2013 comes with antimalware functionality built in. You can use the antimalware functionality as a messaging security solution.
Enforce Strong Passwords in Your Organization
If you enable remote access to your Exchange Server organization, attackers from outside the organization can use brute-force password attacks to attempt to compromise user accounts. Therefore, it is very important that you define and enforce password policies for all user accounts. This includes mandating the use of strong passwords. A password is strong if it meets several requirements for complexity that make it difficult for attackers to guess. These password requirements include rules for password length and character categories.
By establishing strong password policies for your organization, you can help prevent an attacker from impersonating users, and thereby prevent the loss, exposure, or corruption of sensitive information.
Secure Internet Access Components

Exchange Server 2013 enables users to access their mailboxes from many different types of messaging clients and from almost anywhere. To provide secure access for the messaging clients, you need to understand the types of access each client type requires.
Client Access to Exchange Servers
The following list describes the services that clients can use to access Exchange servers from the Internet:
Outlook Anywhere. Outlook 2007 and newer clients required access to the remote procedure call (R
(EWS), and online address book virtual directories on a Client Access server.Outlook 2010 or newe
Access to Autodiscover. Autodiscover provides automatic configuration for Outlook and ActiveSyn
Microsoft Outlook Web App. Outlook Web App provides access to Outlook Web App and Exchang
Microsoft Exchange ActiveSync. ActiveSync provides access to the Microsoft-Server-ActiveSync virtual directory on a Client Access server and access to the Autodiscover virtual direct
Internet Message Access Protocol version 4rev1 (IMAP4). IMAP4 provides access to the IMAP4 se
Post Office Protocol 3 (POP3). POP3 provides access to the POP3 service on a Client Access serve
(Port 25 or 587).
Options for Configuring Internet Access
Several options are available to provide access to the Client Access and transport servers. The most common options include:
Virtual Private Network (VPN). Some organizations require that all clients use a VPN to connect to
party solution. By enabling VPN access, users can access all resources on the internal network, incl
on also simplifies the network perimeter configuration because you only enable a single option fora
(NAP). However, the VPN solution also limits theoptions that users have for accessing their email.
Firewall configuration. Virtually all organizations have firewalls that protect their internal networks
an SMTP server for IMAP4 and POP3 clients. Implementing a firewall solution means that messag
on, this can complicate themessaging client configuration.
For example, users may connect to the Exchange servers from the internal network using the actual server name, but may need to use a more generic name, such as mail.contoso.com, when connecting to the server from the Internet. You may need to instruct users to use the two server names, or you may need to configure the internal Domain Name System (DNS) zone to provide name resolution to the more generic name.
Configuring firewalls to provide access to the Exchange servers is easy, but it does raise potential security issues. Standard firewalls can filter network traffic based on source and destination IP addresses and ports, but they cannot analyze the contents of the network packets. A standard firewall may use reverse Network Address Translation (NAT), but still forward the packets directly to the Client Access server. This means that the traffic that the firewall forwards to the internal Exchange servers may contain malicious code that it did not detect.
Reverse proxy configuration. As an alternative to the standard firewall, you can use a reverse proxy
layer firewall, to enable access to the internal Exchange servers. When you configure areverse prox
he internal network. When you use a reverse proxy, you must configure messaging clients to use a s
Deploying Exchange Server 2013 for Internet Access

When you deploy Exchange Server 2013 so that it is accessible from the Internet, you must deploy all server roles on the internal network. The recommended deployment for Exchange Server 2013 Internet access includes two firewalls in a back-to-back firewall scenario, which enables you to implement a perimeter network between the two. An external firewall faces the Internet and protects the perimeter network. You then deploy an internal firewall between the perimeter and internal networks.
Note: Exchange Server 2013 SP1 now provides the Edge Transport Server role, although it is still possible to use the Edge Transport Server role from Exchange Server 2010. If you decide to use an Edge Transport server from Exchange Server 2010 or 2013 SP1, you can use the settings from the table below. If you choose to use a third-party SMTP gateway instead of Edge Transport Server, some modifications might be needed.
Configuring External Firewalls for Internet Access
An organization's Internet-facing or external firewall protects the perimeter network. The firewall can be configured to accept packets based on source and destination IP addresses and ports. To support the Exchange Server deployment, the external firewall must be configured with the following firewall rules:

Destination port   Address
25                 Source address: All. Destination address: Edge Transport server. May also need to configure the extern
443                Source address: All. Destination address: External IP address of the internal firewall
110, 995           Source address: All. Destination address: External IP address of the internal firewall. Only required for
143, 993           Source address: All. Destination address: External IP address of the internal firewall. Only required for
587                Source address: All. Destination address: External IP address of the internal firewall. Only required if P

Configuring Internal Firewalls for Internet Access


The internal firewall may be another standard firewall or a reverse proxy. To support the Exchange Server deployment, configure the internal firewall with the following firewall rules:

Destination port   Address
25                 Source address: Edge Transport server. Destination address: Mailbox server. May also need to configu
443                Source address: Internal IP address of the external firewall. Destination address: Client Access server
110, 995           Source address: External IP addresses. Destination address: Client Access server. Only required for PO
143, 993           Source address: External IP addresses. Destination address: Client Access server. Only required for IM
587                Source address: External IP addresses. Destination address: Client Access Server. Only required if POP
50636              Source address: Mailbox servers on the internal network. Destination address: Edge Transport server. R
3389               Source address: Administrator computers on the internal network. Destination address: Edge Transpor

Edge Transport servers also listen on port 50389 for unencrypted Lightweight Directory Access Protocol (LDAP) connections. This port is used only for administering the Active Directory Lightweight Directory Services (AD LDS) instance on the Edge Transport server using standard LDAP tools. However, this port does not have to be open on the internal firewall.
Securing Client Access Traffic from the Internet

You should implement the following recommendations to ensure that your organization's client connections are as secure as possible:
Create and configure a server certificate. By default, all Client Access servers are configured with s
(CA) or from an internal CA. If you use an internal enterprise CA, the certificates will be trusted by
Require SSL for all virtual directories. With Exchange Server 2013, you can configure all of the Cl
Enable only required Client Access methods. You should enable access to only the Client Access o
se virtual directories through the firewall. If your organization does not require POP3 or IMAP4 acc
Require secure authentication. Forms-based authentication is the most secure authentication mechan
based authentication, and may need to use either basic authentication or authentication by Microsof
multifactor authentication. For example, you can require that all client computers use atrusted certif
Enforce remote-client security. One of the difficulties in ensuring client access security is that you may not have con
e authentication for client connections, you can restrict which clients can access the Exchange mailb
nting certificate-based Internet protocol security (IPSec) authentication for client connections.
Require TLS/SSL for IMAP4 and POP3 access. To help secure communications between your POP
(TLS) or SSL to encrypt all authentication and message-access traffic.
Implement an application-layer firewall or reverse proxy. To provide additional security, place an application layer firewall or
s code.
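Two of the recommendations above, "Require TLS/SSL for IMAP4 and POP3 access" and "Enable only required Client Access methods", carried out in the Exchange Management Shell, as an added example that is not part of the course text. The server name LON-CAS1 is the lab's Client Access server; the certificate subject mail.adatum.com and the distribution group POP-IMAP Users are assumptions.

```powershell
# Added example (not from the course): accept only TLS/SSL logins for POP3 and IMAP4, then
# leave the protocols enabled only for mailboxes that need them. Assumed values: server
# LON-CAS1, certificate subject mail.adatum.com, and the group 'POP-IMAP Users' whose
# members are the only users allowed to use POP3/IMAP4.

# 1. Client Access server: with SecureLogin an unencrypted session cannot even send a
#    password, and the named certificate is what clients see when they start TLS.
Set-PopSettings  -Server LON-CAS1 -LoginType SecureLogin -X509CertificateName 'mail.adatum.com'
Set-ImapSettings -Server LON-CAS1 -LoginType SecureLogin -X509CertificateName 'mail.adatum.com'
# The POP3 and IMAP4 services read these settings when they start.
Restart-Service -Name MSExchangePOP3, MSExchangeIMAP4

# 2. Per mailbox: POP3 and IMAP4 are switched on for group members and off for everyone
#    else, so a newly created mailbox (enabled by default) is caught the next time this runs.
$allowed = Get-DistributionGroupMember -Identity 'POP-IMAP Users' -ResultSize Unlimited |
    ForEach-Object { $_.PrimarySmtpAddress.ToString() }

Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
    $needsAccess = $allowed -contains $_.PrimarySmtpAddress.ToString()
    if (($_.PopEnabled -ne $needsAccess) -or ($_.ImapEnabled -ne $needsAccess)) {
        Set-CASMailbox -Identity $_.Identity -PopEnabled $needsAccess -ImapEnabled $needsAccess
    }
}

# 3. Audit: which mailboxes still have a protocol enabled, and whether the server would
#    still accept a plain-text login on the unencrypted port.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Select-Object DisplayName, PopEnabled, ImapEnabled
Get-PopSettings  -Server LON-CAS1 | Select-Object LoginType, X509CertificateName, UnencryptedOrTLSBindings, SSLBindings
Get-ImapSettings -Server LON-CAS1 | Select-Object LoginType, X509CertificateName, UnencryptedOrTLSBindings, SSLBindings
```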
Note: Using Microsoft Forefront Threat Management Gateway 2010 (TMG) for Exchange Server 2013 web services publishing is not supported by default, since TMG does not have a publishing wizard for Exchange Server 2013. However, you can use the publishing wizard for Exchange Server 2010 to publish Exchange Server 2013. After you configure publishing rules, you must manually modify the address for the logoff page.
Securing SMTP Connections from the Internet

If you enable POP3 and IMAP4 connections from the Internet to your Client Access servers, you must provide a means by which those clients can send email using SMTP. As part of ensuring security for your Client Access deployment, you also need to ensure secure SMTP connectivity.
Providing SMTP Connectivity for POP3 and IMAP4 Clients
Clients can use POP3 and IMAP4 to retrieve messages from user mailboxes; however, they cannot use these connections to send messages. To enable these clients to send email, you must configure the clients to use an SMTP server that relays the messages to both internal and external recipients.
To enable the POP3 and IMAP4 clients to send email, you must configure an SMTP Receive connector to require authentication, and to accept SMTP connections from the Internet. By requiring authentication, only users with valid accounts in the Exchange Server organization can relay messages through the server.
If you are using an Edge Transport Server or a third-party SMTP gateway, you should be aware that you cannot use an Edge Transport server to accept authenticated SMTP connections, and then use it to relay SMTP messages from POP3 and IMAP4 clients. You can configure an SMTP Receive connector on an Edge Transport server that uses port 587, and you can configure the Receive connector to accept authenticated connections. However, you cannot configure the connector to authenticate the client connections using the user's internal Active Directory account.
Securing SMTP Connections
By default, Exchange Server 2013 provides the following receive connectors:
Client Frontend works on port 587, and it accepts secure connections, with TLS applied.
Client Proxy works on port 465, and it accepts connections from Client Access servers. This con
Default Frontend works on port 25, and it accepts connections from SMTP senders over port 25
Default servername works on port 2525, and it accepts connections from Mailbox servers runnin
Outbound Proxy Frontend works on port 717, and it accepts messages from a Send Connector o
These connectors are discussed in more detail in later modules. To secure the SMTP connections, complete the following steps:
1. Enable TLS for SMTP client connections. You can configure the SMTP Receive connector to requ
configure all clients to use TLS.
2. Use the Client Frontend connector (port 587), and configure two SMTP Receive connectors. The Default FrontEnd receive connector
connect to the connector. However, by using the Client Receive connector, you can avoid using the
3. Ensure that anonymous relay is disabled. All receive connectors must block anonymous relays, and
Note: In some cases, you may need to enable anonymous relay to allow internal applications to se
h the server.
4. Enable IMAP4 and POP3 selectively. If only some users in your organization require POP3 and IMAP4 access, then disable this option on all other mailboxes.
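Steps 1 to 3 above in the Exchange Management Shell, together with a check that finds any Receive connector that relays anonymously, as an added example that is not part of the course text. The server name LON-CAS1 is the lab's Client Access server; the internal application address 10.0.0.50 and the connector name App Relay are assumptions.

```powershell
# Added example (not from the course): require TLS on the client submission connector and
# audit every Receive connector for anonymous relay. Assumed values: server LON-CAS1 and
# the internal application address 10.0.0.50.

# Steps 1 and 2. POP3/IMAP4 clients submit to the Client Frontend connector (port 587).
# RequireTLS means the session must be encrypted before a credential is accepted.
Set-ReceiveConnector -Identity 'LON-CAS1\Client Frontend LON-CAS1' -RequireTLS $true

# Step 3. A connector is an open relay when NT AUTHORITY\ANONYMOUS LOGON holds the
# ms-Exch-SMTP-Accept-Any-Recipient right on it. 'Anonymous users' in PermissionGroups
# alone (the Default Frontend connector has it) only lets Internet senders deliver to
# local recipients, so the audit looks at the extended right, not at the group.
function Get-AnonymousRelayConnector {
    foreach ($connector in Get-ReceiveConnector) {
        $grants = $connector | Get-ADPermission |
            Where-Object {
                -not $_.Deny -and
                "$($_.User)" -like '*ANONYMOUS LOGON*' -and
                "$($_.ExtendedRights)" -match 'ms-Exch-SMTP-Accept-Any-Recipient'
            }
        if ($grants) {
            [pscustomobject]@{
                Connector      = $connector.Identity.ToString()
                Bindings       = ($connector.Bindings -join ', ')
                RemoteIPRanges = ($connector.RemoteIPRanges -join ', ')
            }
        }
    }
}
# A connector listed here whose RemoteIPRanges value covers the whole address space
# (0.0.0.0-255.255.255.255) is an open relay wherever the firewall lets port 25 through.
Get-AnonymousRelayConnector | Format-Table -AutoSize

# The exception in the note: an internal application that must relay gets its own
# connector bound to that single source address, so the right never lands on an
# Internet-facing connector. The more specific RemoteIPRanges value wins over the
# Default Frontend connector listening on the same port.
New-ReceiveConnector -Name 'App Relay' -Server LON-CAS1 -TransportRole FrontendTransport `
    -Usage Custom -Bindings '0.0.0.0:25' -RemoteIPRanges '10.0.0.50' `
    -PermissionGroups AnonymousUsers
Get-ReceiveConnector -Identity 'LON-CAS1\App Relay' |
    Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
        -ExtendedRights 'ms-Exch-SMTP-Accept-Any-Recipient'

# Run the audit again: the only connector it should now report is 'App Relay', with
# RemoteIPRanges limited to 10.0.0.50.
Get-AnonymousRelayConnector | Format-Table -AutoSize
```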
Benefits of Using a Reverse Proxy

You may want to use a reverse proxy server to manage incoming requests to a Client Access server. A reverse proxy server provides the following advantages over a direct connection to a Client Access server:
Security. The reverse proxy server provides an extra protective layer between the network and exter
Application-layer filtering. Most reverse proxy servers also can operate as application-layer firewal
layer filtering enables the proxy to open up the entire TCP/IP packet and inspect the application data
cation to the destination server. Firewalls that are capable of application-layer filtering can stop dan
SSL bridging. If you must encrypt communication between the reverse proxy server and the Client
ss server. This protects the Client Access server from direct access from the Internet, enables the re
Load balancing. A reverse proxy server can distribute the traffic that is destined for a single URL to
balancing features when you publish Outlook Web App and Outlook Anywhere. Outlook Web App
(the same unique cookie provided by the server in each response) to the same server. Outlook Anyw
(source) IP address to the same server. Other Exchange services and features, such as Exchange Ac
SSL offloading. Instead of configuring the Client Access server to provide SSL encryption, you can
ect the data packets and apply filters before they reach the Client Access server. If you offload SSL
Lab: Planning and Configuring Messaging Client Connectivity
Scenario
A. Datum is planning its client connectivity solution for Exchange Server 2013. The company has several different types of clients, and it needs to find an appropriate solution for each, while staying compliant with the organization's security policy.
As A. Datum's Exchange administrator, you need to propose and implement a solution for client connectivity. You also must ensure that connections from the Internet are as secure as possible.
Objectives
Plan client connectivity.
Configure Outlook Web App and Outlook Anywhere.
Configure Exchange ActiveSync.
Publish Exchange Server 2013 through Threat Management Gateway 2010.
Lab Setup
Estimated time: 75 minutes

Virtual machines   20341B-LON-
                   20341B-LON-
                   20341B-LON-
                   20341B-LON-
                   20341B-LON-
User name          Adatum\Admi
Password           Pa$$w0rd

For this lab, you will use the available virtual-machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Mana
2. In Hyper-V Manager, click 20341B-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
a. User name: Adatum\Administrator
b. Password: Pa$$w0rd
5. Repeat steps 2 to 4 for 20341B-LON-MBX1, 20341B-LON-CAS1, 20341B-LON-TMG, and 2034
Exercise 1: Planning Client Connectivity
Scenario
To enable access to email, your organization must provide appropriate connectivity options for users connecting from both its internal network and an external network (Internet). Internal clients are running on the Windows 8 operating system. Some clients have Outlook 2010 installed, while others have either Outlook 2003 or no Outlook client. A. Datum does not plan to buy any new client licenses at this point in time.
Several users are using mobile computers in the office and while they are out of the office. These computers are domain members, and all have Windows 8 and Outlook 2010 installed.
A majority of the clients have mobile devices, mostly smartphones and tablets. They are using mostly Windows Phone 7.5 and Windows Phone 8 devices, but a number of clients are using Android 4 and iOS 5-based devices. A few have older Symbian devices.
The security officer at A. Datum Corporation has defined the following security requirements for email access that must be implemented in this solution:
Internal clients must use an encrypted connection to the email server.
External clients must be able to check their email from any computer, including computers located
To enable mobile devices to connect to your network, you must be able to control their security opt
Each user must have a password protected device to access your network.
All devices that connect from an external network should have an A. Datum Root CA certificate ins
Administrators must be able to manage mobile devices. It is desirable, but not mandatory, that they
Each user must have the ability to delete content of his mobile device if it is lost.
Your proposed solution for client connectivity must address all of these requirements.
The main tasks for this exercise are as follows:
1. Read and analyze scenario requirements
2. Propose a solution for client connectivity
3. Discuss your solution with the class
Task 1: Read and analyze scenario requirements
1. Read the exercise scenario, and analyze the requirements from both a functionality and security
Task 2: Propose a solution for client connectivity
Propose a solution for client connectivity for both internal and external clients. Use the following questions as a guideline when making a solution:
1. Which client platforms should you support for internal clients?
2. Which client platforms should you support for external clients?
3. What concerns do you have regarding internal clients?
4. What concerns do you have regarding external clients?
5. How will you address the requirement for client connection encryption?
6. What solution will you propose for internal clients?
7. What solution will you propose for external clients?
8. How will you address the requirements for attachment downloading on public computers?
9. How do you plan to force security requirements to mobile devices?
10. How do you plan to deploy the A. Datum Root CA certificate to client devices (both computers
11. Is there a way to control hardware features of mobile devices?
12. Can you implement certificate-based authentication for mobile devices?
13. How will you implement the requirement for deleting content from a lost mobile device?
Task 3: Discuss your solution with the class
Present your proposed solution. Discuss alternative solutions with the other students and the instructor.
Results: After completing this exercise, the students will have created a plan for client connectivity.
Exercise 2: Configuring Outlook Web App and Outlook Anywhere
Scenario
A. Datum Corporation has several users who work regularly from outside the office. These users should be able to check their email from any client computer, including client computers located in public areas. You must ensure that users cannot download attachments while they are on public computers, and that they cannot recover deleted messages by using the Outlook Web App interface.
You also should disable the instant messaging and text messaging options in the Outlook Web App interface. To achieve this, you must configure Outlook Web App policies, apply them to users that are accessing email from the Internet, and verify that the settings have been successfully applied. These users will be identified with a Custom Attribute 1 set to external.
You also should enable Outlook Anywhere for users with mobile computers, and Offline Outlook Web App for users that do not have Outlook installed but are using mobile computers.
The main tasks for this exercise are as follows:
1. Configuring Outlook Web App policies
2. Configuring Outlook Anywhere
3. Enabling and using Offline Outlook Web App
Task 1: Configuring Outlook Web App policies
1. On LON-CAS1, on the Start screen click Internet Explorer.
2. Browse to https://lon-cas1.adatum.com/ecp.
3. Sign in to the EAC as Adatum\Administrator with the password Pa$$w0rd.
4. In the EAC, in the permissions node, choose to create new Outlook Web App policy. Name t
5. In a new Outlook Web App policy, configure options to prevent users from using Direct file acc
6. Apply the new policy to the user Adam Barr.
7. Apply the new policy to the user Aidan by using Exchange Management Shell.
8. Use the Exchange admin center to set the attribute Custom Attribute 1 to a value of externa
9. Assign External Users Policy to these users by typing the following command in Exchange M
Get-Mailbox -Filter {CustomAttribute1 -eq "external"} | Set-CASMailbox -OwaMailboxPolicy "External Users Policy"
10. Verify that the policy is applied to Brad Sutton, Chad Niswonger, and Danielle Durrer.
Task 2: Configuring Outlook Anywhere
1. On LON-CAS1, in Exchange admin center, configure the external name for Outlook Anywh
Task 3: Enabling and using Offline Outlook Web App
1. On LON-CL1, click to the desktop, open Internet Explorer and type https://lon-cas1.adatum.c
2. In the Options menu in OWA, select to turn on offline access.
3. Add the OWA URL to Favorites in Internet Explorer.
4. Sign out of Outlook Web App and close Internet Explorer.
5. Using Hyper-V Manager console, disconnect the network adapter for LON-CL1 from the netwo
6. Try to open OWA from Internet Explorer, and verify that you can access the content of your ma
7. Send a test email to the administrator.
8. Reconnect LON-CL1 to the network.
9. Verify that the administrator has received the email that you sent while using OWA offline.
Results: After completing this exercise, students will have Outlook Web App and Outlook Anywhere configured.
Exercise 3: Configuring Exchange ActiveSync
Scenario
A. Datum Corporation has many users who use smartphone devices to access their mail. The clients are using mostly Windows Phone 7.5 and Windows Phone 8 devices, but a number of clients are using Android and iOS-based devices, and a few have older Symbian devices. You need to ensure that these users can access their mailboxes by using Exchange ActiveSync. You also must ensure that their connections are secure, and that consistent settings are applied to each device. The following requirements must be fulfilled on each mobile device:
An alphanumerical password must be used on the device.
The password must include at least two different character sets.
The minimum password length must be five characters.
Users can type the wrong password a maximum of four times before the device is wiped.
Each device should be locked after five minutes of inactivity.
In addition to these requirements, A. Datum's security policy specifies that each new mobile device that connects to the organization's Exchange Server must be quarantined first, and then manually allowed or blocked after the Exchange administrator has reviewed the request. You also should find a way to install a root certificate on the mobile device and configure SSL security.
The main tasks for this exercise are as follows:
1. Plan a mobile device deployment
2. Configure mailbox policies for mobile devices
3. Configure device access rules
Task 1: Plan a mobile device deployment
Based on the exercise scenario, propose a plan for mobile device management from an Exchange Server aspect. You can use the following questions as a guideline:
o Because many different device platforms will be accessing your Exchange Server, what are you
o How will you achieve the requirement that settings be consistent on each mobile device?
o How will you implement the password requirements on your mobile device?
o How will you implement the requirements for quarantine?
Task 2: Configure mailbox policies for mobile devices
1. Open the EAC on LON-CAS1.
2. Navigate to mobile in the feature pane.
3. Create a new mobile device mailbox policy and name it Adatum Mobiles.
4. Set the new policy as the default policy.
5. Specify the following options in the policy:
o Require an alphanumeric password
o Number of character sets included in a password: 2
o Minimum password length: 5
o Number of sign-in failures before device is wiped: 4
o Require sign-in after device has been inactive for: 5
6. Save the policy.
Task 3: Configure device access rules
1. On LON-CAS1, in EAC, navigate to mobile->mobile device access in the menu.
2. Select Quarantine Let me decide to block or allow later.
3. Select the option to email the administrator when a device is in quarantine.
4. Create a new device access rule.
5. Configure the rule so that all devices are quarantined when they first connect.
6. Cancel the creation of device access rule.
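The same configuration expressed as Exchange Management Shell commands, added here as an example and not part of the course lab; the administrator address and the user-facing quarantine text are constructed placeholders, and the cmdlets and parameters are those of Exchange Server 2013.

```powershell
# Added example (not course lab code). Run in the Exchange Management Shell on LON-CAS1.

# Task 2: mobile device mailbox policy enforcing the A. Datum device requirements.
New-MobileDeviceMailboxPolicy -Name "Adatum Mobiles" `
    -PasswordEnabled $true `
    -AlphanumericPasswordRequired $true `
    -MinPasswordComplexCharacters 2 `
    -MinPasswordLength 5 `
    -MaxPasswordFailedAttempts 4 `
    -MaxInactivityTimeLock 00:05:00 `
    -IsDefault $true

# Task 3: quarantine every device on first connection and notify the administrator
# (placeholder address and message text).
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "administrator@adatum.com" `
    -UserMailInsert "Your device is awaiting approval by the A. Datum messaging team."

# Verification: the policy must be the default and the organization-wide default must be Quarantine.
Get-MobileDeviceMailboxPolicy -Identity "Adatum Mobiles" |
    Format-List IsDefault, PasswordEnabled, AlphanumericPasswordRequired, MinPasswordComplexCharacters,
                MinPasswordLength, MaxPasswordFailedAttempts, MaxInactivityTimeLock
Get-ActiveSyncOrganizationSettings | Format-List DefaultAccessLevel, AdminMailRecipients

# Later review of quarantined devices: list them before deciding to allow or block each one.
Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq "Quarantined" } |
    Format-Table DeviceId, DeviceType, DeviceModel, UserDisplayName, FirstSyncTime

# Allow a single reviewed device for one mailbox (placeholders in angle brackets):
# Set-CASMailbox -Identity "<user>" -ActiveSyncAllowedDeviceIDs @{Add="<DeviceId>"}
```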
Results: After completing this exercise, the students will have configured mobile device options and policies.
Exercise 4: Publishing Exchange Server 2013 through TMG 2010
Scenario
After you configured all the client connectivity options, you need to securely publish your Client Access server to the Internet. You can choose the Threat Management Gateway (TMG) 2010 as a solution to perform that task.
The main tasks for this exercise are as follows:
1. Publish Exchange web-based services through TMG 2010
2. Publishing rule testing
3. To prepare for the next module
Task 1: Publish Exchange web-based services through TMG 2010
1. On LON-CAS1, use Windows PowerShell to export webmail.adatum.com certificate with priva
2. On LON-TMG machine, import the certificate from \\LON-CAS1\C$\CAS1.pfx save it to Com
3. On the LON-TMG machine, in the Forefront TMG console, start the wizard to publish Excha
4. Choose to publish OWA on Exchange Server 2010.
5. Use the public name webmail.adatum.com.
6. Create new HTTPS listener, and configure it to use webmail.adatum.com certificate.
7. Configure authentication for users to be HTML form.
8. Configure authentication delegation to be Basic.
9. On LON-CAS1, configure OWA virtual directory to use the external name https://webmail.ad
10. On LON-CAS1, configure ECP virtual directory to use external name https://webmail.adatum
11. Restart IIS on LON-CAS1.
12. Switch to LON-TMG and open Properties of OWA rule.
13. On Application Settings tab in Published server logoff URL type /owa/logoff.owa.
(Note: you are doing this because TMG 2010 does not have publishing rule for Exchange 2013
14. Test the rule. You should have green check marks for these two URLs.
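The Exchange-side steps of Task 1 (steps 1, 9, 10 and 11) as Exchange Management Shell commands, added here as an example rather than taken from the lab; the virtual directory identities follow the LON-CAS1 naming but are assumptions, and the export path matches the share used in step 2.

```powershell
# Added example (not course lab code). Run in the Exchange Management Shell on LON-CAS1.

# Step 1: export the webmail.adatum.com certificate together with its private key.
# A PFX that holds a private key is a secret: protect it with a strong password,
# and remove it from the administrative share as soon as TMG has imported it.
$cert = Get-ExchangeCertificate |
    Where-Object { $_.Subject -like "*webmail.adatum.com*" -and $_.HasPrivateKey } |
    Select-Object -First 1
$pfxPassword = Read-Host -AsSecureString -Prompt "PFX export password"
$export = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded -Password $pfxPassword
Set-Content -Path C:\CAS1.pfx -Value $export.FileData -Encoding Byte

# Steps 9 and 10: external URLs that TMG will forward to (assumed identities).
Set-OwaVirtualDirectory -Identity "LON-CAS1\owa (Default Web Site)" -ExternalUrl "https://webmail.adatum.com/owa"
Set-EcpVirtualDirectory -Identity "LON-CAS1\ecp (Default Web Site)" -ExternalUrl "https://webmail.adatum.com/ecp"

# Step 11: restart IIS so the new URLs take effect.
iisreset /noforce

# Verification: external URLs and the authentication methods TMG's rule relies on
# (forms-based authentication on TMG, Basic delegation to the Client Access server).
Get-OwaVirtualDirectory -Server LON-CAS1 |
    Format-List Identity, InternalUrl, ExternalUrl, FormsAuthentication, BasicAuthentication
Get-EcpVirtualDirectory -Server LON-CAS1 | Format-List Identity, ExternalUrl

# Cleanup once LON-TMG has imported the certificate:
# Remove-Item -Path C:\CAS1.pfx
```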
Task 2: Publishing rule testing
1. On the host machine, open settings for 20341B-LON-CL1 machine, and connect it to Private N
2. Log on as Adatum\Administrator to LON-CL1 machine.
3. Change the IP address of the LON-CL1 machine to 131.107.0.2. Set the default gateway to 131
4. Open hosts file on LON-CL1 from location c:\windows\system32\drivers\etc\hosts. Choose t
5. At the bottom of the hosts file, type 131.107.0.1 webmail.adatum.com. Save the file.
6. From Internet Explorer navigate to https://webmail.adatum.com/owa. Log on as Adatum\Ad
7. Verify that you can access mailbox content. Click Settings, and then click Options. Verify that
Task 3: To prepare for the next module
When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20341B-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 to 3 for 20341B-LON-CAS1, 20341B-LON-MBX1, 20341B-LON-TMG, and 203
5. In Hyper-V Manager, click 20341B-LON-DC1, and in the Actions pane, click Start.
6. In the Actions pane, click Connect. Wait until the virtual machine starts.
7. Sign in using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
8. You must now move the subnet object currently associated with the Swindon site to the London si
a. On LON-DC1, click Server Manager.
b. In Server Manager, click Tools and then click Active Directory Sites and Services.
c. In Active Directory Sites and Services, click Subnets.
d. Right-click 172.16.0.128/25 and then click Properties.
e. In the 172.16.0.128/25 Properties dialog box, in the Site list, click London and then click O
f. Close Active Directory Sites and Services.
g. Close Server Manager.
9. Repeat steps 5 to 7 for 20341B-LON-MBX1. When you have successfully signed in to LON-MBX
Results: After completing this exercise, students will have Exchange Server 2013 published through TMG 2010.
Question: What is the main purpose of Outlook Web App policies?
Question: What is the prerequisite for using Offline Outlook Web App?
Module Review and Takeaways
Best Practice
Always configure Outlook Web App policy for public and private computers.
Use OWA Offline only on trusted computers.
Analyze security considerations for each mobile platform before you decide which platforms you
Always configure policies for mobile devices so that password is required on a device.
Common Issues and Troubleshooting Tips
Common Issue
Users get a warning when accessing Outlook Web App page from the Internet
Users cannot connect with mobile devices to Exchange Server
Review Question(s)
Question: What should you use for secure access to Client Access server from Internet?
Tools
Exchange Administration Center
Exchange Management Shell
Forefront Threat Management Gateway
Module 6: Planning and Implementing High Availability
Contents:
Module Overview
Lesson 1: High Availability on Exchange Server 2013
Lesson 2: Configuring Highly Available Mailbox Databases
Lesson 3: Configuring Highly Available Client Access Servers
Lab: Implementing High Availability
Module Review and Takeaways
Module Overview
Messaging systems are considered a critical business tool in most organizations. Outages of even a few hours reflect poorly upon the IT departments, and can result in sales losses or business reputation damage. High availability helps ensure that messaging systems built on Microsoft Exchange Server 2013 can survive the failure of a single server, or even multiple servers. You can implement high availability for all the server roles in Exchange Server 2013.
This module describes the high-availability technology built into Exchange Server 2013, and some of the outside factors that affect highly available solutions.
Objectives
After completing this module, you will be able to:
Describe high availability in Exchange Server 2013.
Configure highly available mailbox databases.
Configure highly available Client Access servers.
Lesson 1: High Availability on Exchange Server 2013
High availability is a commonly used term that refers to a specific technology or configuration that promotes service availability. Although many technologies and configurations can lead to highly available configurations, they are not by themselves truly highly available. Careful design and planning must be performed to ensure a high-availability solution.
In this lesson, you will review high availability and some of the factors that go into designing and deploying a highly available solution.
Lesson Objectives
After completing this lesson, you will be able to:
Describe the components of high availability.
Describe a database availability group (DAG).
Explain how database availability groups (DAGs) work.
Describe high availability with Client Access servers.
Explain transport high availability.
Explain high availability with Edge Transport server.
Describe site resilience.
Discuss virtualization high-availability technologies versus Exchange Server high-availability tech
Components of High Availability
When an application such as Exchange Server 2013 requires high availability, you need to consider more than just the application components. All of the infrastructure and services that the application relies on also must be highly available.
You must consider the following additional components when planning for high availability.
Data Center Infrastructure
The room that stores the server must have sufficient power and cooling capacity, and that capacity also must be highly available. You can make power highly available by ensuring that an alternate power source, such as a battery or a generator, is available when the electrical utility experiences outages. You can make cooling capacity highly available by using multiple cooling units with sufficient capacity to keep the data center cool when one unit fails. In cases of a catastrophic failure, you can use an alternate data center location.
Server Hardware
To make server hardware highly available, there must be redundant components in the server. Redundant components can include power supplies, network adapters, processors, and memory. Error-correction code (ECC) memory helps to resolve minor errors in memory.
Storage
To make storage highly available on a single server, you can use a version of Redundant Array of Independent Disks (RAID). RAID uses parity information to ensure that a server can survive the loss of at least one hard drive, without losing any data. If multiple servers are available, you can replicate data between servers. This allows the data to survive the loss of an entire server, rather than just a hard drive.
Network Infrastructure
To make a local area network (LAN) highly available, you must introduce redundant components. Within a LAN, this typically means redundant switches. Even moderately priced switches include redundant configurations. To make the network connectivity for any individual computer fault tolerant, you must configure redundant network interface cards on the computer. This is a standard feature in most mid-level and higher servers. High availability for a wide area network (WAN) is typically the responsibility of the WAN service provider. However, if you are using private links for your WAN, you can create redundant paths through the WAN.
Internet Connectivity
For highly available Internet access, you must have redundant Internet connectivity. Ideally, you should use two different Internet service providers (ISPs) and two different physical connectivity methods. For example, one ISP could be land based, and the other wireless. If you use these methods, it is unlikely that a problem affecting one ISP would affect the other. Many firewalls and routers are capable of using one connection for Internet connectivity and failing over to another if the primary service fails. For incoming email, you must use multiple mail exchange (MX) resource records, with one record pointing to the IP address allocated by each ISP.
Network Services
Active Directory Domain Services (AD DS) and Domain Name System (DNS) service are the two services that must be highly available to support highly available Exchange Server 2013 organizations. To make AD DS servers highly available, you should have multiple domain controllers and global catalog servers. Depending on the size of a location, multiple domain controllers and global catalog servers may reside in a single location. To make internal DNS servers highly available, you must have multiple DNS servers with DNS information synchronized between them. By default, the DNS zones for AD DS are Active Directory integrated, and are replicated among all DNS servers in the forest.
What Is a Database Availability Group?
A database availability group (DAG) is a collection of servers that provides the infrastructure for replicating and activating database copies. The DAG uses continuous replication to each of the passive database copies within the DAG. DAGs:
Require the Windows Server 2008 R2 or Windows Server 2012 failover clustering feature, altho
(EAC) or Exchange Management Shell. Even though a DAG requires the failover clustering feature
ailure-detection scenarios, such as a server failure.
Use an improved version of the continuous replication technology that was introduced in Microsoft
Note: DAGs also can use third-party replication instead of continuous replication.
Allow you to add and remove Mailbox servers at any time. You do not need to decide on the DAG
Because DAGs use a subset of the Windows failover clustering feature such as cluster heartbeat, Ex
Allow you to move a single database between servers in the DAG without affecting other databases
Allow up to 16 copies of a single database on separate servers. You can add up to 16 servers to a D
B\Mailbox Database 1\ on LON-MBX01, then you must also store it in D:\Mailbox\DB\Mailbox D
Define the boundary for replication, because only servers within the DAG can host database copies
Prohibit you from adding an Exchange Server 2010 to an Exchange Server 2013 DAG.
Note: In Exchange Server 2013, the basic concept of a DAG is the same as in Microsoft Exchang
Understanding How Database Availability Groups Work
The active database copy uses continuous replication to keep the passive copies synchronized based on their replay lag-time setting. A DAG leverages the Windows Server operating system failover-clustering feature.
However, it relies on the Active Manager component to maintain the status of all DAG-hosted databases. The following are database characteristics:
A single database can failover or switchover between Mailbox servers that are members of a DAG
At any given time, a copy is either the replication source or the replication target, but not both.
A server may not host more than one copy of a given database.
Not all databases must have the same number of copies. In a 16-node DAG, one database can hav
Database failovers occur when failures cause the active database to go offline. Either a single server failure or something specific to a database can cause the failure. A switchover occurs when an administrator intentionally coordinates moving the active database from one server to another.
Understanding How High Availability Works with Client Access Servers
You configure high availability for Client Access servers by adding at least two Client Access servers to your Active Directory site. Exchange Server 2013 Client Access servers are now stateless. This means that a client request no longer needs to use the same Client Access server, and can use any server.
This allows you to use the following options in order to distribute the load between the Client Access servers:
DNS round robin. To use a DNS round robin, you must configure an A record for your client comm
menting a Geo-
DNS, so that the client servers always get the Client Access server IP address that is located closest
ormally usedwhen you cannot use Network Load Balancing (NLB) by having a multi-role server th
Network Load Balancing. Windows Server 2012 provides a feature called Network Load Balancing
(VIP) in addition to the regular IP address to every member of the NLB cluster. The NLB feature th
en the servers that are still operating correctly. This option provides a server-basedfailover because
based load balancerbut still want to put high availability in place.
Hardware-based load balancing. Similar to a NLB, a hardware-based load balancer uses a VIP to w
based load balancer that also can be extended beyond the Windows based NLB limit, which is 16 c
availability, but also is the most expensive onebecause it requires you to purchase a hardware load b
To load balance Client Access servers, you must perform the following steps:
1. Deploy multiple Client Access servers in a site.
2. Use either hardware-based or software-based Network Load Balancing (NLB) to create a cluster.
3. Add the name for the network load-balanced cluster into DNS. For example, add a host (A) resour
Note: In Exchange Server 2010, you were required to configure a client access array in Exchange
Understanding How Transport High Availability Works
Transport high availability in Exchange Server 2013 is more than just a means of ensuring message redundancy. Exchange Server 2013 attempts to guarantee message redundancy by combining two features, Shadow redundancy and Safety Net (known as Transport dumpster in Exchange Server 2010). Shadow redundancy creates a redundant copy of the message on another server before the message is accepted or acknowledged. Safety Net stores messages that were successfully processed by the Transport service on Mailbox servers.
Shadow Redundancy
Shadow redundancy is a feature that Exchange Server 2010 introduced that ensures a copy of a message is available if a mailbox server crashes before messages have been committed to the databases. Exchange Server 2013 improves this feature by automatically creating a redundant copy of any message it receives, before it acknowledges successful receipt to the sending SMTP server.
In Exchange Server 2013, it no longer matters if a sending server supports shadow redundancy because now a shadow copy is automatically created every time. By default, a shadow copy of a message is removed after two days.
The main goal of shadow redundancy is to always have two copies of a message within a transport high-availability boundary while the message is in transit. This boundary is one of the following:
A DAG, for Mailbox servers that are members of a DAG. This includes a DAG that spans multipl
An Active Directory site, for mailbox servers that do not belong to a DAG.
Where and when the redundant copy of the message is created depends on where the message originated and where it is going. There are three major determining factors:
Messages received from outside a transport high-availability boundary.
Messages sent outside a transport high-availability boundary.
Messages received from the mailbox transport submission service from a mailbox server within th
Note: Shadow redundancy never tracks shadow messages across a transport high-availability bou
How Shadow Redundancy Works
The following is an example of how shadow redundancy works in a DAG:
1. An SMTP server connects to the Transport service on a mailbox server where the active database o
2. The transport service opens a new Simple Mail Transfer Protocol (SMTP) session to a transport service on another mailbox server in the same DAG to create a redu
essage, and the mailbox server that holds it is the shadow server for the primary server. The messag
3. After the message is successfully transmitted to the shadow server, the server acknowledges receip
Note: If the Mailbox server is not member of a DAG, any mailbox server in the same Active Direc
When Shadow Messages are Removed
When the server successfully transmits the message to the database, the server updates the discard status of the message when the delivery completes. The discard status is essentially a message that contains a list of the messages that are being monitored. A successfully delivered message does not need to be kept in a shadow queue. Once the shadow server knows the primary server has successfully transmitted the message to the next hop, the shadow server moves the shadow message from the shadow queue into the Safety Net.
How Message Recovery Works
When a mailbox server experiences an outage due to a hardware failure, each mailbox server that has shadow messages queued for that mailbox server will assume ownership of those messages. When the server comes back online again, it will try to resubmit the messages. All messages are then redelivered to their destinations. This results in duplicate delivery of the messages. However, Exchange Server automatically detects duplicate messages and will not add them to the database again. Only the messages that are not already in the database will be added.
Safety Net
Safety net is a special message queue available in the Transport service on every Mailbox server. This queue stores by default up to two days of messages that were successfully delivered to a mailbox database. Safety net protects against mailbox server failures when transaction logs have been lost. If a failure occurs and some transaction logs are not replicated to the passive copy, you can use safety net to redeliver messages.
Safety net is improved in Exchange Server 2013 in the following ways:
Safety net is now redundant and uses Shadow Redundancy to provide a Shadow Safety Net queue o
submit requests become shadow resubmit requests, and messages are redelivered from the shadow s
Safety net no longer requires DAGs. It essentially uses the same server that is used for shadow redu
How Safety Net Works
Safety net works as follows when shadow redundancy is finished:
1. The transport service on the primary server processes the primary message. The Mailbox Transpor
2. The shadow server frequently polls the primary server for the discard status of the primary messag
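An added example (not from the course) that reads the organization-wide shadow redundancy and Safety Net settings described above and inspects the shadow queues on a Mailbox server; the three-day hold time is a hypothetical tuning value, and LON-MBX1 is taken from the lab naming.

```powershell
# Added example (not course code). Run in the Exchange Management Shell.

# The two-day defaults mentioned in the text: how long a shadow copy is kept before it is
# discarded, and how long Safety Net retains successfully delivered messages.
Get-TransportConfig | Format-List ShadowRedundancyEnabled, ShadowMessageAutoDiscardInterval,
    SafetyNetHoldTime, ShadowHeartbeatFrequency, ShadowResubmitTimeSpan,
    MaxRetriesForLocalSiteShadow, MaxRetriesForRemoteSiteShadow

# Hypothetical tuning: lengthen Safety Net retention to three days. Keep this value at least
# as long as any replay lag configured on lagged database copies, otherwise Safety Net cannot
# redeliver the messages that a lagged copy has not yet replayed.
Set-TransportConfig -SafetyNetHoldTime 3.00:00:00

# Shadow queues on a Mailbox server: messages this server holds as shadow server for a
# primary server elsewhere in the DAG or Active Directory site. A growing MessageCount with
# a non-Active status is the first sign that the primary server is no longer reachable.
Get-Queue -Server LON-MBX1 |
    Where-Object { $_.DeliveryType -eq "ShadowRedundancy" } |
    Format-Table Identity, Status, MessageCount, NextHopDomain, LastError -AutoSize

# Transport dumpster has become Safety Net: confirm the resubmit-related settings per server.
Get-TransportService -Identity LON-MBX1 | Format-List Name, MaxConcurrentMailboxDeliveries, MaxConcurrentMailboxSubmissions
```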
Understanding How High Availability Works with Edge Transport Servers
The Edge Transport server role is now available in Exchange Server 2013 SP1. You can still use an Exchange Server 2007 or 2010 Edge Transport server, which are fully supported. The functionality for high availability remains the same with Exchange Server 2013 and 2013 SP1 as in Exchange Server 2007 or 2010.
To make the Edge Transport server role highly available, you can install a second Edge Transport server and configure EdgeSync. For external message delivery, no additional configuration is required. For message reception, you must configure an additional mail exchange (MX) record for the second Edge Transport server. If both MX records have the same priority, then incoming messages are load balanced between the two Edge Transport servers.
To provide network redundancy for message delivery to the Internet, you can use two Internet service providers (ISPs). Many firewalls are capable of failing over to a second Internet connection when the primary connection fails. To receive messages on the second Internet connection, you must create additional MX records.
If your Exchange Server organization has multiple points of contact with the Internet and multiple locations with Edge Transport servers, this does not provide redundancy for outgoing messages. Messages are delivered only on the lowest-cost path. If the Edge Transport servers on the least-cost path are unavailable, the messages are queued on a Mailbox server for delivery to the Edge Transport server. Routing paths are not recalculated based on availability.
What Is Site Resilience?
Site resilience is the ability of the messaging system to survive a site failure, and to continue functioning through the use of an alternate data center. In some cases, the alternate data center is a site that is dedicated only to disaster recovery. In other cases, the alternate data center might be another company site that is in use, but has sufficient capacity to handle services for the failed location.
A DAG is capable of existing across multiple subnets. This means that a DAG can exist across multiple Active Directory sites. This is a major improvement over versions prior to Exchange Server 2010, which required you to extend a subnet across a WAN link.
Site resilience exists only for Mailbox servers. Any other required server roles must already exist in the site or they will not fail over. For example, Client Access servers should already exist in the alternate data center. Other services, such as DNS, domain controllers, and global catalog servers, also must be available in the alternate data center.
Discussion: Virtualization High-Availability Technologies versus Exchange High-Availability Technologies for Mailbox Servers
Discuss virtualization high-availability technologies versus Exchange Server high-availability technologies for Mailbox servers. Lead the discussion with the following questions:
Do you currently use virtualization for maintaining high availability of Exchange Server 2010 Ma
What are the advantages and disadvantages of using virtualization versus DAGs?
Which of these approaches would you recommend: virtualizing mailbox servers on multiple hosts
Lesson 2: Configuring Highly Available Mailbox Databases
Historically, the Mailbox server role has been the most complex and critical component in a highly available Exchange Server deployment. Although this remains true to some extent, in Exchange Server 2013 the complexity of deploying a highly available mailbox server is reduced. The DAG configuration also reduces the likelihood that administrators will configure a mailbox server cluster improperly.
Lesson Objectives
After completing this lesson, you will be able to:
Plan software and hardware components for DAGs.
Describe Active Manager.
Describe continuous replication.
Describe how database availability groups protect databases.
Create and configure a DAG.
Configure databases for high availability.
Describe lagged mailbox database copies.
Describe the failover process.
Describe how you can perform DAG monitoring and management.
Monitor replication health.
What Is a Quorum?
The quorum maintains the logic so that a cluster knows which node is active, and which nodes are passive. In addition, the quorum decides which passive node will be activated if the active node fails. The failover-cluster quorum configuration, as used by the Exchange Server 2013 DAG, determines the number of failed nodes, or failed storage and network components, that the cluster can sustain while it continues to function.
A quorum prevents two sets of nodes from operating simultaneously as the failover cluster. Simultaneous operation could occur when network problems prevent one set of nodes from communicating with another set of nodes. Without a quorum mechanism, each set of nodes could continue to operate as a failover cluster, causing a partition within the cluster.
To prevent problems caused by a split in the cluster, failover clusters use a voting algorithm to determine whether the cluster has enough votes to maintain a quorum. Because a given cluster has a specific set of nodes and a specific quorum configuration, the cluster determines how many votes are required. If the number of votes drops below the majority, the cluster cannot start. Nodes will continue to listen for the presence of other nodes, in case another node appears again on the network. However, the nodes will not function as a cluster until a consensus is reached.
For example, if there are five votes in the cluster, the cluster continues to function as long as there are at least three available votes. The source of the votes in Exchange Server 2013 can be a node or a witness file share. When a majority of the votes is not available, or when only half of the votes are available, the cluster will not start. In addition, when the majority drops below half of the available votes, Exchange Server 2013 will dismount the databases.
Note: Exchange Server 2013 also supports placing the witness server in another site.
Windows Server 2012 Quorum Configurations
Windows Server 2012 provides four quorum configurations: node majority, node and file share majority, node and disk majority, and no majority: disk only. However, Exchange Server 2013 only supports node and file share majority. In the node and file share majority configuration, each cluster node plus a designated file share (also referred to as a witness server in Exchange Server 2013) can vote. The cluster only functions with a majority of the votes, meaning that more than half of the votes are available. If an active cluster loses communication with more than half of its votes, it will stop functioning.
Configuring Non-Voting Cluster Nodes
In Windows Server 2012, you can configure nodes that do not have a vote in the cluster to maintain a quorum. You configure this in Failover Cluster Manager by using the Configure Cluster Quorum Wizard. Exchange Server 2013 supports this configuration; however, you should carefully consider whether you should use it.
For example, consider a site-resiliency scenario in which you want to tolerate additional local failures without losing the quorum. In this scenario, there are five DAG members, three in the primary site, and two in the failover site. If needed, you can remove the votes of the two members in the failover site. This is possible because, if the secondary site fails, you can still sustain one additional failure in your local site before the cluster shuts down because the quorum is lost.
Planning Software and Hardware Components for Database Availability Groups
When you implement a DAG, you must ensure that you meet several very specific requirements.
You need to consider the requirements related to general configuration, operating system version, network configuration, and DAG configuration.
General Configuration
The general requirements for implementing a DAG are:
DNS must be implemented with a host record for each Exchange server. Dynamic updates for DN
Each Mailbox server must be a member of the same domain. It is not possible to have Mailbox se
The Mailbox servers that are members of a DAG cannot also be domain controllers. This configur
The computer name for the Mailbox server must be unique, and must be 15 characters or fewer.
Operating System Version
All members of a DAG must run the same operating system version. All DAG members must be running either Windows Server 2008 R2 or Windows Server 2012. You cannot combine the two operating system versions within the same DAG. The join to the DAG will fail if you try to join two different versions of the operating system.
A DAG is based on the use of failover clustering in Windows Server. Only the Enterprise or Datacenter versions of Microsoft Windows Server 2008 R2 or the Standard and Datacenter versions of Windows Server 2012 include failover clustering. Therefore, you can use only these operating system versions for DAG members.
Network Configuration
The network configuration requirements include the following:
One network adapter is supported; however, we recommend two network adapters. This allows yo
(MAPI) network and a separate replication network.
Latency between DAG members must be less than 500 milliseconds. This is important when you
You can use Internet Protocol version 6 (IPv6) only if Internet Protocol version 4 (IPv4) also is co
Automatic Private Internet Protocol Addressing (APIPA) is not supported for DAG members.
DAG Configuration
In addition to the physical network and IP addressing requirements for the DAG member servers, the DAG itself has the following requirements:
The DAG must have at least one IP address on the MAPI network. This address can be static or dy
If the DAG is expanded across multiple subnets, then the DAG must have an IP address on each s
The name of the DAG and the name of each DAG member must be 15 characters or less, and mus
Witness Server
Failover clustering in Windows Server 2012 uses the concept of a quorum for decisio
n making in the cluster. In clusters with a shared disk, connectivity to the shared disk
can be used to define which nodespotentially should be active in the cluster. In a DAG
, there is no central disk.
A DAG requires the use of a witness server for a node and a file-
share majority quorum. The witness server functions as an additional DAG member fo
r determining the quorum; however, it is only used whenthere is an even number of m
embers in the DAG. The witness server is a file share located on a server that is not a
DAG member.
The quorum for a DAG determines which members participate in replications, and wh
ich can mount databases. For example, if one computer in a DAG loses network com
munication, that computer is notpart of the quorum and cannot mount databases.
We recommend that you configure the witness server on a Client Access server in the Exchange Server organization. The additional load on the server is minimal, and it is already under the control of the Exchange Server management group. The witness server does not need to run the same version of Windows Server as the members of the DAG.
If the DAG witness server is not an Exchange server, then you need to add the Exchange Trusted Subsystem group as a member of the local Administrators group on the witness server.
What Is Active Manager?
To manage mailbox database replication and activation, Exchange Server 2013 includes a component called Active Manager, which runs as a function of the Microsoft Exchange Replication service (MSExchangeRepl.exe). Active Manager replaces the resource model and failover management features integrated into Windows failover clustering that Microsoft Exchange Server 2003 and Exchange Server 2007 used. To simplify the architecture, Active Manager runs on all Mailbox servers, even if the server is not part of a DAG.
Active Manager runs on all of the DAG members either as the Primary Active Manager (PAM) or a Standby Active Manager. The Primary Active Manager is the Active Manager in a DAG that controls which copies will be active and which will be passive. It is responsible for processing topology change notifications, and for reacting to server failures. The DAG member that acts as the Primary Active Manager is always the member that currently owns the default cluster group. To identify the Primary Active Manager, we recommend that you use the Get-DatabaseAvailabilityGroup <DAG Name> -Status | Format-List Name, PrimaryActiveManager cmdlet, rather than using the Windows Failover Clustering tools. If the server that owns the default cluster group fails, the PAM function automatically moves to the server that takes ownership of the default cluster group.
The Standby Active Manager function has an active, not passive, role. It provides information about which server hosts the active copy of a mailbox database. The Standby Active Manager detects local database and Microsoft Exchange Information Store failures, and reacts to them by requesting that the Primary Active Manager initiate a failover when a copy is available. A Standby Active Manager does not determine a failover target; nor does it update a database's location state for the Primary Active Manager. Each Standby Active Manager accesses the state of the active database copy so that it can redirect Client Access server requests. The Primary Active Manager also performs the functions of the Standby Active Manager role on the local system.
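The following Exchange Management Shell script is an added example, not part of the course material. It reads the quorum-related state described above (member count, witness server, witness share in use, and the Primary Active Manager) from Get-DatabaseAvailabilityGroup -Status and warns when the witness is expected to be in use but is not, or when a member is not operational. The DAG name DAG1 is an assumption taken from the lab later in this module.

```powershell
# Added example: report quorum-related DAG state. Assumes a DAG named DAG1 (lab name).
# Run from the Exchange Management Shell on any server in the organization.
$dag = Get-DatabaseAvailabilityGroup -Identity DAG1 -Status

$memberCount = $dag.Servers.Count
# With an even number of members the witness share breaks ties; with an odd number it is idle.
$witnessExpected = ($memberCount % 2 -eq 0)

# Compare member names as strings so the check works regardless of the object type returned.
$operational = @($dag.OperationalServers | ForEach-Object { "$_" })

[pscustomobject]@{
    DAG                  = $dag.Name
    Members              = $memberCount
    OperationalServers   = ($operational -join ', ')
    PrimaryActiveManager = "$($dag.PrimaryActiveManager)"
    WitnessServer        = "$($dag.WitnessServer)"
    WitnessDirectory     = $dag.WitnessDirectory
    WitnessShareInUse    = $dag.WitnessShareInUse      # InUse, NotInUse or Invalid
    WitnessExpectedInUse = $witnessExpected
} | Format-List

# Flag the conditions an operator should act on.
if ($witnessExpected -and $dag.WitnessShareInUse -ne 'InUse') {
    Write-Warning "Even member count but witness share is '$($dag.WitnessShareInUse)': check the share on $($dag.WitnessServer)."
}
if ($operational.Count -lt $memberCount) {
    $down = $dag.Servers | Where-Object { $operational -notcontains "$_" }
    Write-Warning "DAG members not operational: $($down -join ', ')"
}
```

Because the PAM owns the default cluster group, the PrimaryActiveManager value reported here is the one to trust; the Failover Cluster Manager view of group ownership can lag behind it during a move.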
What Is Continuous Replication?

Continuous replication was introduced for Mailbox servers in Exchange Server 2007, and Exchange Server 2010 continued to use continuous replication. Since the release of Exchange Server 2010 Service Pack 1 (SP1), two continuous replication modes are available: file mode and block mode.
Continuous Replication File Mode
Continuous replication creates a passive database copy on another Exchange Server computer in the DAG, and then uses asynchronous log shipping to maintain the copies. The continuous replication file mode process includes the following steps:
1. The Mailbox server role with the active database writes the active log, and then closes it.
2. The Replication Service replicates the closed log to the servers that host the passive databases.
3. Because each copy of the database is identical, the transaction logs are inspected and then repla
In Exchange Server 2013 seeding, you are no longer required to use the active copy as the source for the seed. In addition, in Exchange Server 2013, you can perform seeding from passive databases. If a healthy copy of the database is available on any server, the Exchange Server can replay the transaction logs against a common, valid data set.
You can seed the data in the following ways:
Automatically.
Manually, from the active or passive copies using the Update-MailboxDatabaseCopy cmdlet.
Manually, by copying the database files.
Continuous replication occurs over TCP sockets. Continuous replication occurs as follows:
1. The target, or passive node, notifies the active instance which transaction logs it expects.
2. The source responds with the required transaction log files.
3. After Exchange Server 2013 copies the log files, it places them in the target inspector directory for
4. Log inspection verifies that the data is physically sound, and inspects the header. If the log passes
5. After Exchange Server 2013 saves the transaction log to the target log directory, the information st
Continuous Replication Block Mode
Continuous replication block mode was introduced in Exchange Server 2010 SP1. Block mode reduces the exposure to data loss on failover by replicating the Extensible Storage Engine (ESE) log buffer, which writes to the passive database copies in parallel to writing them locally. Block mode automatically becomes active when continuous replication file mode is up to date with the database copies. The continuous replication block mode process is as follows:
1. Once in block mode, any block of data written to the ESE log buffer on the Exchange Server that h
2. When the ESE log buffer is full, the final block is sent to the passive databases, and a transactional
3. When the Exchange Servers hosting the passive databases receive the final block that fills up their
4. When the Exchange server with the active database fails, but the replication log buffer is not yet fu
Replication transport is identical when file mode is enabled or disabled. The benefit of block mode is that it can reduce the differences between the active copy and the passive copy, while also reducing both the possibility of data loss during a failover and the time it takes to perform a switchover.
Configuring a Database Availability Group
To configure a DAG, you must understand the different settings that are available. Some of these settings, such as the DAG IP address, are required for every configuration. You can consider other settings, such as network compression settings, when you want to fine-tune your DAG configuration. To plan your DAGs correctly, you must understand the purpose of each configuration setting available, so that you can decide if you require it for your own Exchange organization.
In the Exchange Management Console, the following settings are available:
Witness Server. The server that you want to use as witness server. As a best practice, we recommen
Witness Directory. The directory that will be used to store file share witness data.
Alternative Witness Server. The server that you can use in another data center that you will enable w
Alternative Witness Directory. The directory that you will use to store file share witness data on the
Database availability group IP addresses. One or more IP addresses assigned to the DAG. You can
(DHCP) server to get an IP address automatically. In addition to the DAG name, this is the only requ
DAG Networks
A DAG network is a collection of one or more subnets that Exchange Server uses for either replication traffic or MAPI traffic. Although Exchange Server supports one network adapter and path, we recommend a minimum of two DAG networks. In a two-network configuration, you typically dedicate one network to replication traffic and the other network to MAPI traffic.
You can configure replication in the EAC.
Note: If you disable replication on a DAG network to preserve it for MAPI traffic, this does not automatically prevent the replication traffic from using the network. If no other network is available, replication traffic will automatically use the other DAG network.
When you implement a DAG across multiple sites, you need to configure the DAG networks. A DAG supports multiple subnets on the MAPI network, and on the replication network. Therefore, subnets do not need to span a WAN link.
When you configure the multisite DAG, you must collapse the networks that are automatically enumerated when you add servers to the DAG into one MAPI network and one or more replication networks. However, if you configure multiple networks, there can be no routing between the MAPI network and the replication network, or between replication networks.
DAG Network Compression
DAGs provide built-in compression for network traffic. This is based on an algorithm called XPRESS, which is the Microsoft implementation of the LZ77 algorithm. The following options are used to configure DAG network compression:
Disabled. Network traffic is not compressed.
Enabled. Compression is used for replication and seeding.
InterSubnetOnly. This is the default setting in which compression is only used when replicating ac
SeedOnly. Compression is used only for seeding.
You can configure DAG network compression using the following cmdlet:
Set-DatabaseAvailabilityGroup <DAG name> -NetworkCompression <Option>
DAG Network Encryption
You can configure DAG network communication encryption in the following ways:
Disabled. Network traffic is not encrypted.
Enabled. Network traffic for replication and seeding is always encrypted.
InterSubnetOnly. This is the default setting in which network traffic is encrypted when replicating
SeedOnly. Network traffic is only encrypted for seeding.
You can configure DAG network encryption using the following cmdlet:
Set-DatabaseAvailabilityGroup <DAG name> -NetworkEncryption <Option>
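The script below is an added example (not from the course) that ties the DAG network, compression and encryption settings above together: it reports the current values for every DAG, warns where ordinary log shipping would travel unencrypted, enables compression and encryption for all replication traffic, and then dedicates one DAG network to replication. DAG1 and the two network names are assumptions; MapiDagNetwork and ReplicationDagNetwork01 are the names Exchange 2013 typically assigns when it enumerates the networks automatically, so check yours with Get-DatabaseAvailabilityGroupNetwork first.

```powershell
# Added example: review and harden DAG replication transport settings.
# Assumes a DAG named DAG1 and two enumerated networks named MapiDagNetwork and
# ReplicationDagNetwork01 (assumed names; verify with Get-DatabaseAvailabilityGroupNetwork).

# 1. Report the current compression and encryption settings for every DAG.
Get-DatabaseAvailabilityGroup |
    Select-Object Name, NetworkCompression, NetworkEncryption, ManualDagNetworkConfiguration |
    Format-Table -AutoSize

# 2. Flag DAGs whose log shipping is sent in clear text.
#    InterSubnetOnly (the default) encrypts only replication that crosses a subnet;
#    Disabled and SeedOnly leave ordinary log shipping unencrypted on every network.
$weak = Get-DatabaseAvailabilityGroup | Where-Object { $_.NetworkEncryption -in 'Disabled', 'SeedOnly' }
foreach ($d in $weak) {
    Write-Warning "$($d.Name): NetworkEncryption is $($d.NetworkEncryption); log shipping is not encrypted"
}

# 3. Encrypt and compress all replication and seeding traffic on DAG1.
Set-DatabaseAvailabilityGroup -Identity DAG1 -NetworkEncryption Enabled -NetworkCompression Enabled

# 4. Take control of the enumerated networks and dedicate one of them to replication.
#    Exchange 2013 requires manual network configuration before the networks can be edited.
Set-DatabaseAvailabilityGroup -Identity DAG1 -ManualDagNetworkConfiguration $true
Set-DatabaseAvailabilityGroupNetwork -Identity 'DAG1\MapiDagNetwork' -ReplicationEnabled $false
Set-DatabaseAvailabilityGroupNetwork -Identity 'DAG1\ReplicationDagNetwork01' -ReplicationEnabled $true

# 5. Confirm the result: one MAPI network with replication disabled, one replication network.
Get-DatabaseAvailabilityGroupNetwork -Identity DAG1 |
    Select-Object Name, ReplicationEnabled, IgnoreNetwork,
        @{ n = 'Subnets'; e = { ($_.Subnets | ForEach-Object { $_.SubnetId }) -join ', ' } } |
    Format-Table -AutoSize
```

Remember the note above: disabling replication on the MAPI network only expresses a preference. If the replication network goes down, log shipping falls back to the MAPI network, which is one more reason to keep NetworkEncryption at Enabled rather than InterSubnetOnly when both networks share a subnet.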
Third-Party Replication Mode
By default, a DAG is designed to use the built-in continuous replication feature to replicate mailbox databases among servers in the DAG. If your organization uses a third-party data-replication solution that supports the third-party replication API in Exchange Server 2013, you also can configure the DAG to use your third-party solution instead of the built-in replication feature. You use the New-DatabaseAvailabilityGroup cmdlet to configure the DAG to use a third-party replication solution. Third-party replication mode can only be disabled by removing and re-creating the DAG.
Configuring Databases for High Availability
Creating a DAG is only the first step to providing database availability. You must create and configure additional database copies. Not only can you create a database copy initially, but an administrator also can create one at any time. You can distribute database copies across Mailbox servers in a flexible and granular way. You can replicate one, some, or all mailbox databases on a server in several ways.
You must specify the following information when creating a mailbox database copy:
The name of the database you are copying.
The name of the Mailbox server that will host the database copy.
An activation preference number. This is referred to as a preferred list sequence number, and it repr
The amount of time (in minutes) for the log replay delay. This is the replay lag time, which specifies how long to wait b
The amount of time (in minutes) for log truncation delay. This is the truncation lag time, which specifies how long to w
What Are Lagged Mailbox Database Copies?

A lagged mailbox database copy is a database copy that uses a delayed replay lag time to commit the log files to the database. This allows you to go back to a point in time (a maximum of 14 days). By delaying the replay of logs into a database, you have the capability to recover it to a point in the past.
Lagged database copies can protect you from the following extremely rare types of logical corruption:
Database Logical Corruption
This is when the database page checksum matches, but the data on the pages is logically wrong. It can occur when the ESE attempts to write a database page and the operating system storage stack returns success even though the data either never makes it to disk or gets written to the wrong place. This behavior is called a lost flush. To prevent lost flushes, ESE includes a lost-flush detection mechanism in the database with the single page restore feature.
Store Logical Corruption
This indicates that data is added, deleted, or modified in a way that is not accepted by the user, so the user views it as a corruption. Typically, this is caused by a third-party application that issues a series of valid MAPI operations against the store. An example is a corrupt archiving solution that changes all user message items. Single-item recovery or retention hold provides some protection against this case because all changed items are kept and therefore can be restored. However, particularly when large amounts of data are changed, it might be easier to recover the database to a point in time before the corruption occurred.
Rogue Admin Protection
This is when the organization seeks protection against malicious or rogue administrators. This mainly protects against administrators who intentionally add, change, or remove data from the system in a way that users find undesirable. To protect against this, the lag database copies can be placed on a server that is under separate administrative control. Lagged database copies have been enhanced in Exchange Server 2013 in the following way:
Automatic log play down. Lagged copies can now implement their log files to a certain extent using
s that page patching is required for a lagged copy, the logs will automatically replay into the lagged
ly available copy for a specific period of time. You can enable automatic log play down for your lag
Simpler activation with Safety Net. Lagged copies leverage Safety Net so therefore recovery or activ
Understanding How Transport High Availability Works topic earlier in this module.
You can configure a lagged database in the EAC or in the Exchange Management Shell.
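As an added example (not the course's own steps), the following Exchange Management Shell script applies the database copy settings listed under "Configuring Databases for High Availability" and the lagged copy behaviour described above: it creates a lagged copy with an activation preference, replay lag and truncation lag, seeds it from an existing passive copy rather than the active one, keeps it out of automatic activation, and turns on automatic log play down. DAG1, LON-MBX2 and "Mailbox Database 1" are the lab names from this module; LON-MBX3 is an assumed third Mailbox server.

```powershell
# Added example: create a lagged copy of "Mailbox Database 1" on LON-MBX3 (assumed server name)
# and seed it from the passive copy on LON-MBX2 instead of from the active copy.
$db      = 'Mailbox Database 1'
$lagHost = 'LON-MBX3'

# Replay lag holds logs for 7 days before they are applied, giving a 7-day recovery window
# (14 days is the maximum). Truncation lag keeps replayed logs on disk for a further day.
# Activation preference 3 places this copy last when Active Manager sorts by
# ActivationPreference (the Lossless mount dial case); -SeedingPostponed lets us pick the seed source.
Add-MailboxDatabaseCopy -Identity $db -MailboxServer $lagHost `
    -ActivationPreference 3 `
    -ReplayLagTime 7.00:00:00 `
    -TruncationLagTime 1.00:00:00 `
    -SeedingPostponed

# Seed from the passive copy so the server hosting the active copy carries no seeding load.
Update-MailboxDatabaseCopy -Identity "$db\$lagHost" -SourceServer LON-MBX2 -Confirm:$false

# A lagged copy is a recovery copy, not a failover target: block automatic activation only,
# replication continues.
Suspend-MailboxDatabaseCopy -Identity "$db\$lagHost" -ActivationOnly -Confirm:$false

# Automatic log play down: the lag is replayed when fewer than three healthy copies remain.
Set-DatabaseAvailabilityGroup -Identity DAG1 -ReplayLagManagerEnabled $true

# Verify. On a lagged copy a growing ReplayQueueLength is expected; CopyQueueLength should stay low.
Get-MailboxDatabaseCopyStatus -Identity "$db\$lagHost" |
    Format-List Name, Status, ContentIndexState, CopyQueueLength, ReplayQueueLength, ActivationSuspended
```

For the rogue administrator case described above, the server named in $lagHost should sit under separate administrative control; the script configures the copy, not the delegation, which is an RBAC and Windows administration decision.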
Demonstration: How to Create and Configure a Database Availability Group
In this demonstration, you perform the following:
Pre-stage the cluster network object for a database availability group (DAG).
Create a new DAG.
Add members to a DAG.
Add a mailbox database copy for Mailbox Database 1.
Demonstration Steps
1. On the LON-DC1 machine, in Active Directory Users and Computers, create a computer object named DAG
(ADATUM\LON-MBX1$) computer account.
2. Switch to LON-CAS1, open Internet Explorer, and access the EAC. Create a Database Availab
3. Add LON-MBX1 and LON-MBX2 to DAG1.
4. Add a database copy on LON-MBX2 for Mailbox Database 1.
Understanding the Failover Process

A failover occurs when service to the existing active database copy is compromised in some way.
This can occur when the server that hosts the active database goes offline, when something causes the active database to dismount, or when the server loses network connectivity. A switchover occurs when an administrator manually moves the active database from one server to another. The main difference between the failover process and the switchover process is that the failover process occurs automatically when the service fails, while the switchover is a manual process.
During a switchover, you can choose which database will be mounted, or let Active Manager choose the best copy to mount. During a failover, the Active Manager makes this decision.
When a failure affecting the active database occurs, Active Manager uses several sets of selection criteria to determine which database copy to activate. In Exchange Server 2013, this process is called best copy and server selection (BCSS). While selecting the best copy to activate, Active Manager:
Creates a list of database copies that are potential candidates for activation.
Ignores and removes from the list any database copies that are unreachable or are administratively b
Sorts the resulting list by using the copy queue length as the primary key. If the servers are configu
Attempts to locate a mailbox database copy on the list that has a status of Healthy, DisconnectedAn
e various combinations of settings such as content indexing status, copy queue length, and replay qu
Database Failovers. When a highly available mailbox database failure occurs, the PAM attempts to
(RPCs) to the server that hosted the active copy of the mailbox database that is being activated. The
used to copy any missing log files to the copy selected by Active Manager for activation.
After the ACLL process completes, the configured AutoDatabaseMountDial value is consulted. Th
o BestAvailability. This value allows the database to be automatically mounted if the copy queue len
ttempts to replicate the remaining logs to the passive copies and mount the database. This is the de
o GoodAvailability. This value allows the database to be automatically mounted immediately after a
y and mount the database.
o Lossless. This value does not allow a database to mount automatically until all logs generated on t
If the number of lost logs is within the configured AutoDatabaseMountDial value, Active Manager issues a mount request to the store. If the number of lost logs falls outside the configured AutoDatabaseMountDial value, Exchange Server 2013 evaluates the next mailbox database copy in the sorted list and repeats the evaluation. If no databases meet the configured AutoDatabaseMountDial setting, an administrator must manually mount the database and accept that the loss of data is larger than the AutoDatabaseMountDial setting. You use the Set-MailboxServer cmdlet to configure the AutoDatabaseMountDial setting for each DAG node.
It may seem counterintuitive to list the BestAvailability as allowing for 12 missing transaction logs, and GoodAvailability as only allowing six. In this case, however, availability refers to the database being mounted and available, not to the possibility of lost data. In most cases, data loss is less acceptable than service loss. You must decide whether to keep the database available by allowing it to mount despite potential data loss, or to leave it unavailable and wait for manual recovery of missing log files.
The Active Manager behaves differently when you configure a lossless setting. In this case, it sorts the resulting list in ascending order by using the ActivationPreference value as the primary key. If you use any value other than lossless for the AutoDatabaseMountDial, the Active Manager sorts using the copy queue length.
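The following is an added example, not from the course, showing the shell side of the failover and switchover process just described: it lists the values Active Manager sorts on during best copy and server selection, sets the AutoDatabaseMountDial on each DAG member, and performs a controlled switchover with Move-ActiveMailboxDatabase. The names (DAG1, LON-MBX1, LON-MBX2, "Mailbox Database 1") are the lab names used in this module.

```powershell
# Added example: inspect BCSS inputs, set the mount dial, and perform a switchover.
# Assumes the lab names from this module.
$db = 'Mailbox Database 1'

# 1. The values that drive Active Manager's sort: copy queue length is the primary key,
#    except under Lossless, where ActivationPreference is used instead. Status and
#    content index state decide whether a copy is a candidate at all.
Get-MailboxDatabaseCopyStatus -Identity "$db\*" |
    Sort-Object CopyQueueLength |
    Format-Table Name, Status, ActivationPreference, CopyQueueLength, ReplayQueueLength, ContentIndexState -AutoSize

# 2. Per-server tolerance for lost logs on an automatic mount:
#    BestAvailability (the default) mounts with up to 12 missing logs, GoodAvailability with up
#    to 6, Lossless only when nothing is missing. Lossless trades availability for no data loss.
foreach ($server in 'LON-MBX1', 'LON-MBX2') {
    Set-MailboxServer -Identity $server -AutoDatabaseMountDial Lossless
}
'LON-MBX1', 'LON-MBX2' | ForEach-Object { Get-MailboxServer -Identity $_ } |
    Format-Table Name, AutoDatabaseMountDial, DatabaseCopyAutoActivationPolicy -AutoSize

# 3. A switchover: the administrator chooses the target. -MountDialOverride None keeps the
#    target server's AutoDatabaseMountDial; a Lossless copy never mounts with missing logs.
Move-ActiveMailboxDatabase -Identity $db -ActivateOnServer LON-MBX2 -MountDialOverride None -Confirm:$false

# 4. Confirm the move: exactly one copy should report ActiveCopy = True and be Mounted,
#    and the former active copy should now be a Healthy passive copy.
Get-MailboxDatabaseCopyStatus -Identity "$db\*" |
    Format-Table Name, Status, ActiveCopy, CopyQueueLength -AutoSize
```

If the switchover is refused because the target copy's queues or content index are not healthy, that is the same gate a failover would apply; fixing the copy is the right response rather than overriding the checks.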
Planning, Monitoring, and Managing a Database Availability Group

In larger organizations, DAG management is likely to be restricted to a relatively small group of administrators. This group understands all of the design parameters that need to be considered when you create and manage DAGs and database copies. You can delegate these permissions using role-based access control (RBAC). RBAC is the permission model for Exchange Server 2013, and is explained in more detail in Module 10.
To create and manage DAGs, you must be part of either the Organization Management role group or the Database Availability Groups management role. To create and manage database copies, you must be part of either the Organization Management role group or the Database Copies management role.
Monitoring
One unique challenge when you manage DAGs is that in a well-designed system, you may not notice the failover of a database from one DAG member to another. One way that you can monitor DAG members is by using Microsoft System Center Operations Manager 2012 (SCOM). SCOM 2012 proactively monitors servers, and can notify administrators when errors and events occur.
Exchange Server 2013 provides the following options for monitoring DAG status:
CheckDatabaseRedundancy.ps1. This script checks the redundancy of replicated databases, and it g
Get-MailboxDatabaseCopyStatus. Use this cmdlet to view status information about a specific mailb
Test-ReplicationHealth. Use this cmdlet to perform a variety of tests, and to report back status for v
CollectOverMetrics.ps1. This script collects statistics and information about switchovers and failov
block mode, and more details from the replication and replay pipeline. It also features enhanced rep
CollectReplicationMetrics.ps1. This script collects statistics about replication in real time while the
Event logs. In addition to events in Windows logs, there are also Exchange Server specific event log
Exchange Server 2013 provides the following cmdlets for server maintenance:
Get-ServerComponentState. This cmdlet shows all the components of an Exchange server and t
Set-ServerComponentState. This cmdlet performs server switchovers, and takes mailbox servers
Note: For examples on how to use the monitoring tools included in Exchange Server 2013, see M
Demonstration: How to Monitor Replication Health
Demonstrate how to use the Exchange Management Console and Exchange Management Shell to review the available information regarding database replication health.
In the demonstration, show how to view the health status of the database copies in the EAC or Exchange Management Shell.
Demonstration Steps
1. On LON-CAS1, in the EAC, show the details pane of Mailbox Database 1.
2. Open the Exchange Management Shell and run the following cmdlets:
o Test-ReplicationHealth
o Get-MailboxDatabaseCopyStatus -Server LON-MBX1
3. Run the following script:
o CheckDatabaseRedundancy.ps1 -MailboxDatabaseName "Mailbox Database 1",
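The following health sweep is an added example, not part of the course or the demonstration. It runs the monitoring cmdlets listed above (Test-ReplicationHealth, Get-MailboxDatabaseCopyStatus and Get-ServerComponentState) against every member of the DAG and collects the findings in one list, which is the form a scheduled check or a SCOM script task would use. DAG1 is the lab name; the queue-length thresholds are assumptions chosen for illustration.

```powershell
# Added example: replication health sweep across all DAG members. Assumes a DAG named DAG1.
# Thresholds below are illustrative; tune them to your environment.
$dag      = Get-DatabaseAvailabilityGroup -Identity DAG1
$problems = @()

foreach ($server in $dag.Servers) {
    $name = "$server"

    # Test-ReplicationHealth returns one row per check; anything other than Passed needs a look.
    Test-ReplicationHealth -Identity $name |
        Where-Object { $_.Result -ne 'Passed' } |
        ForEach-Object { $problems += "$name : check $($_.Check) = $($_.Result) $($_.Error)" }

    # Copy status: unhealthy copies, queues that show replication falling behind, bad indexes.
    # Note: a lagged copy shows a large ReplayQueueLength by design; exclude those if you run them.
    Get-MailboxDatabaseCopyStatus -Server $name | ForEach-Object {
        if ($_.Status -notin 'Mounted', 'Healthy') {
            $problems += "$($_.Name): status $($_.Status)"
        }
        if ($_.CopyQueueLength -gt 10 -or $_.ReplayQueueLength -gt 50) {
            $problems += "$($_.Name): copy queue $($_.CopyQueueLength), replay queue $($_.ReplayQueueLength)"
        }
        if ($_.ContentIndexState -ne 'Healthy') {
            $problems += "$($_.Name): content index $($_.ContentIndexState)"
        }
    }

    # Components set Inactive (for example during maintenance) explain failures seen elsewhere.
    Get-ServerComponentState -Identity $name |
        Where-Object { $_.State -ne 'Active' } |
        ForEach-Object { $problems += "$name : component $($_.Component) is $($_.State)" }
}

if ($problems.Count -eq 0) { 'Replication health: no findings' } else { $problems }
```

Run this from a Mailbox server rather than the witness, and keep the account limited to the Database Copies or a view-only role; none of the cmdlets used here change anything.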
Lesson 3: Configuring Highly Available Client Access Servers
When you consider high availability with Exchange Server 2013, in addition to focusing on mailbox servers, database copies or DAGs, you also must make sure that the Client Access servers are highly available so that you can attain your required service levels.
Lesson Objectives
After completing this lesson, you will be able to:
Plan software and hardware components for highly available Client Access servers.
Describe Network Load Balancing (NLB).
Consider options for implementing high availability for Client Access servers.
Configure options for highly available Client Access servers.
Planning Software and Hardware Components for Highly Available Client Access Servers

All clients use Client Access servers to access mailboxes. If a Client Access server is not available in an Active Directory site, users can access a Client Access server in another site.
If the users on the Internet connect to Client Access servers in a single main Active Directory site, and those requests are proxied to other Active Directory sites, the failure of Client Access servers in the main site prevents access to those proxied sites. Consequently, high availability becomes critical for the main site that proxies the requests.
To enable high availability for Client Access servers, you first must deploy multiple Client Access servers. Next, you need to configure either hardware-based NLB or software-based NLB (such as the Windows Server 2012 Network Load Balancing feature). You also can create multiple A records in DNS for your Client Access servers, and you can configure round-robin DNS. Round-robin DNS enables you to distribute network connections across the different Client Access servers, but it does not provide load balancing or automatic failover.
Load balancing spreads client requests between the Client Access servers. If one Client Access server becomes unavailable, then requests are handled by the remaining Client Access servers.
All Client Access servers should be configured with the same digital Secure Sockets Layer (SSL) certificate. This is because all Client Access servers use the name specified in the Client Access server array.
Internet Users
For Internet users, you need to consider redundant Internet connections as part of your design. You can have two separate Internet Service Providers (ISPs), and allow access through both ISPs to the Client Access servers in your organization. If one ISP experiences a failure, users can access their mailbox content by using the alternate ISP at a different domain name.
Alternatively, if you configure each Active Directory site to be available directly from the Internet, the failure of a single Internet connection affects connectivity only to one Active Directory site. This mitigates the damage caused by failure, but it does not provide complete redundancy.
What Is Network Load Balancing?

Network Load Balancing (NLB) enhances the availability and scalability of server applications such as those used on the Web server, File Transfer Protocol (FTP), firewall, proxy, virtual private network (VPN), and other servers.
A single computer running Windows Server can provide a limited level of server reliability and scalable performance. With NLB, you can group up to 32 host computers in a NLB cluster to provide load balancing and redundancy. Because any server in an NLB cluster can respond to a client request, both the application files and the data on all servers must be identical.
You should be aware that hosts in a NLB cluster do not share data. Usually, this means that you either use a separate, back-end server to store data or provide a way to synchronize the data on the Web servers. However, this requirement limits the applications that are suitable for load balancing. Sometimes, these applications are called stateless.
Key Benefits of Network Load Balancing
NLB hosts in a cluster communicate among the other hosts to provide the following key benefits:
Scalability. NLB allows you to scale network services to meet client demand. You can add new ser
balancing cluster do not need to be based on identical hardware.
High availability. NLB supports high availability by redirecting incoming network traffic to workin
omatically retries the failed connections, and the clients experience a delay of only a few minutes b
(TCP/IP) as its network protocol and isassociated with a specific TCP or User Datagram Protocol (U
Performance. NLB supports server performance scaling by distributing incoming network traffic am
mple, a web browser might obtain each of the multiple images on a single Web page from different
Considerations for Implementing Highly Available Client Access Servers

The following considerations should be taken into account when you implement highly available Client Access servers:
Management of digital certificates is performed by the Client Access Server. All digital certificates
Know what protocols should be handled by your Client Access servers. It is important to enable the
o Exchange ActiveSync
o POP3
o IMAP4
o EWS
o Outlook Anywhere
Use a hardware or software network load balancer for a service-aware, high-availability configurati
You can configure the load balancers to use layer 4 or layer 7 load balancing. When using layer 7 lo
ort layer. Exchange Server 2013 does not require session affinity. Layer 4 load balancing without se
Always try to deploy Client Access servers with similar hardware, memory, and performance, so th
Demonstration: Configuring Options for Highly Available Client Access Servers
In this demonstration, you will see how to configure a DNS round-robin for the two Client Access servers LON-CAS1 and LON-CAS2.
Demonstration Steps
1. On the LON-DC1, open DNS Manager.
2. Create a new host named webmail.adatum.com and add the IP address 172.16.0.21.
3. Create a new host named webmail.adatum.com and add the IP address 172.16.0.22.
Lab: Implementing High Availability
Scenario
You are the messaging administrator for A. Datum Corporation. You have completed the basic installation for four Exchange Server 2013 servers. Now you must complete the configuration so that they are highly available. This basically requires you to configure your mailbox databases as well as your Client Access servers to be highly available, and to test if an automatic failover works.
Objectives
The students will be able to implement high availability in the Exchange Server 2013 environment.
Lab Setup
Estimated time: 90 minutes

Virtual machines: 20341B-LON-, 20341B-LON-, 20341B-LON-, 20341B-LON-, 20341B-LON-
User name: Adatum\Admi
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin
the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Mana
2. In Hyper-V Manager, click 20341B-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
5. You must now move the subnet object currently associated with the Swindon site to the London si
a. On LON-DC1, click Server Manager.
b. In Server Manager, click Tools and then click Active Directory Sites and Services.
c. In Active Directory Sites and Services, click Subnets.
d. Right-click 172.16.0.128/25 and then click Properties.
e. In the 172.16.0.128/25 Properties dialog box, in the Site list, click London and then click O
f. Close Active Directory Sites and Services.
g. Close Server Manager.
6. Repeat steps 2 to 4 for 20341B-LON-MBX1, 20341B-LON-MBX2, 20341B-LON-CAS1, and 20
Exercise 1: Creating and Configuring a Database Availability Group
Scenario
To complete the Mailbox server high-availability configuration, create a database availability group (DAG), and make the Mailbox Database 1 database highly available.
The main tasks for this exercise are as follows:
1. Pre-stage the cluster network object for a DAG
2. Create a DAG and add mailbox servers to the DAG
3. Create a mailbox database copy
4. Verify successful completion of copying a database
5. Suspend and resume a database copy
Task 1: Pre-stage the cluster network object for a DAG
1. On LON-DC1, in Server Manager, open Active Directory Users and Computers.
2. In Active Directory Users and Computers, enable Advanced Features.
3. In the left pane, expand Adatum.com, and create a computer object named DAG1 in Computers
4. Change DAG1's security settings as follows:
o Exchange Trusted Subsystem group: Allow Full control
o LON-MBX1 (ADATUM\LON-MBX1$): Allow Full control
5. Disable the DAG1 computer account.
Task 2: Create a DAG and add mailbox servers to the DAG
1. Switch to LON-CAS1. Open Internet Explorer, and type https://lon-cas1.adatum.com/ecp, and s
2. In the EAC, create a new Database Availability Group using the following settings:
o Database availability group name: DAG1
o Witness server: LON-CAS1
o Witness directory: C:\FSWDAG1
o Database availability group IP addresses: 172.16.0.33
3. Manage DAG membership for DAG1, and add the following servers:
o LON-MBX1
o LON-MBX2
Task 3: Create a mailbox database copy
1. In the EAC, click databases.
2. For Mailbox Database 1, add a mailbox database copy to LON-MBX2.
Task 4: Verify successful completion of copying a database
1. In tabs, click Refresh, and wait until the details pane shows Mailbox Database 1\LON-MBX2 as Passive Healthy. This might take several minutes and up to several hours depending on
2. View details for Mailbox Database 1\LON-MBX2 and verify the following:
o Status: Healthy
o Content index state: Healthy.
Task 5: Suspend and resume a database copy
1. In the EAC, suspend Mailbox Database 1\LON-MBX2.
2. Resume Mailbox Database 1\LON-MBX2. If the Resume button is not available, wait and the
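As an added example that is not part of the lab, here is Exercise 1 (and the earlier demonstration) carried out from PowerShell instead of the EAC, with the lab's own names and addresses: pre-staging and securing the cluster name object, creating DAG1 with its witness, adding the members, adding the copy on LON-MBX2, waiting for it to become Healthy, and suspending and resuming it. Task 1 runs on LON-DC1 with the ActiveDirectory module; the remaining tasks run in the Exchange Management Shell. The Computers container path is the assumed location for the lab's Adatum.com domain.

```powershell
# Added example: Exercise 1 from the shell. Lab names: DAG1, LON-CAS1 (witness), 172.16.0.33,
# LON-MBX1, LON-MBX2, "Mailbox Database 1". Task 1 is run on LON-DC1.

# Task 1: pre-stage the cluster name object disabled, then grant Full Control to the
# Exchange Trusted Subsystem group and the first DAG member's computer account.
Import-Module ActiveDirectory
$cno  = New-ADComputer -Name 'DAG1' -Enabled $false -Path 'CN=Computers,DC=Adatum,DC=com' -PassThru
$path = "AD:\$($cno.DistinguishedName)"
$acl  = Get-Acl -Path $path
foreach ($principal in 'Exchange Trusted Subsystem', 'LON-MBX1$') {
    $sid  = (Get-ADObject -Filter { sAMAccountName -eq $principal } -Properties objectSid).objectSid
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,   # Full Control
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $path -AclObject $acl

# Task 2: create the DAG and add the Mailbox servers (Exchange Management Shell from here on).
New-DatabaseAvailabilityGroup -Name DAG1 -WitnessServer LON-CAS1 -WitnessDirectory 'C:\FSWDAG1' `
    -DatabaseAvailabilityGroupIpAddresses 172.16.0.33
Add-DatabaseAvailabilityGroupServer -Identity DAG1 -MailboxServer LON-MBX1
Add-DatabaseAvailabilityGroupServer -Identity DAG1 -MailboxServer LON-MBX2

# Task 3: add the copy on LON-MBX2; seeding from the active copy starts immediately.
Add-MailboxDatabaseCopy -Identity 'Mailbox Database 1' -MailboxServer LON-MBX2 -ActivationPreference 2

# Task 4: wait until the copy and its content index are both Healthy.
$copy = 'Mailbox Database 1\LON-MBX2'
do {
    Start-Sleep -Seconds 30
    $s = Get-MailboxDatabaseCopyStatus -Identity $copy
    "$($s.Name): $($s.Status), index $($s.ContentIndexState), copy queue $($s.CopyQueueLength)"
} until ($s.Status -eq 'Healthy' -and $s.ContentIndexState -eq 'Healthy')

# Task 5: suspend and resume the copy, reading the status after each step.
Suspend-MailboxDatabaseCopy -Identity $copy -SuspendComment 'Lab test' -Confirm:$false
(Get-MailboxDatabaseCopyStatus -Identity $copy).Status
Resume-MailboxDatabaseCopy -Identity $copy
(Get-MailboxDatabaseCopyStatus -Identity $copy).Status
```

Disabling the computer object before Exchange uses it (as Task 1 does) is what lets the DAG's own cluster creation take the object over; the ACL entries are what allow that takeover, so grant them only to the two principals the lab names.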
Results: After completing this exercise, students will have pre-staged a cluster network object in Active Directory, created a DAG, added two Mailbox servers to the DAG, and made a database highly available. Students also will have suspended a database copy and resumed it.
Exercise 2: Deploying Highly Available Client Access Servers
Scenario
You decide to implement software Network Load Balancing (NLB) to load balance LON-CAS1 and LON-CAS2 for Client Access server connections. You will use the IP address 172.16.0.6 as the virtual IP address that handles the mail.adatum.com namespace for your client server connections. Now you must complete the configuration to achieve this.
The main tasks for this exercise are as follows:
1. Install the Network Load Balancing feature on Client Access servers
2. Create a load-balanced Client Access server cluster
3. Create a DNS record for the virtual IP address
Task 1: Install the Network Load Balancing feature on Client Access servers
1. Switch to LON-CAS1.
2. In Server Manager, in Add Roles and Features Wizard, add the following feature:
o Network Load Balancing
3. Switch to the LON-CAS2 virtual machine, in Server Manager, in Add Roles and Features Wizar
o Network Load Balancing
Task 2: Create a load-balanced Client Access server cluster
1.Switch to LON-CAS1, and in Server Manager, open Network Load Balancing Manager.
2.In the Network Load Balancing Manager, create a new Cluster with the following settings:
o HOST: LON-CAS1
o Cluster IP Address: 172.16.0.6, Subnet mask: 255.255.0.0
o Full Internet name: Webmail.adatum.com
3.Add the following host to cluster Webmail.adatum.com:
o LON-CAS2
Task 3: Create a DNS record for the virtual IP address
1.Switch to LON-DC1, and in Server Manager, open DNS.
2.In the DNS Manager, under Adatum.com, create a new host with the following settings:
o Name: Webmail
o IP address: 172.16.0.6
Results: After completing this exercise, the students will have installed and configured NLB, and created a DNS record for their load-balanced virtual IP address.
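Exercise 2 scripted with the NetworkLoadBalancingClusters and DnsServer modules, as an added example that is not part of the course. The cluster name, virtual IP, subnet mask and server names are the lab's; the adapter name 'Ethernet', the unicast operation mode and the use of PowerShell remoting to reach the other servers are assumptions. The function at the end is a check that the cluster converged and that DNS and OWA answer on the virtual IP.

```powershell
# Added example (not from the course): Exercise 2 from PowerShell.

# Task 1: install the NLB feature on both Client Access servers.
Invoke-Command -ComputerName 'LON-CAS1', 'LON-CAS2' -ScriptBlock {
    Install-WindowsFeature -Name NLB -IncludeManagementTools
}

# Task 2: create the cluster on LON-CAS1, then join LON-CAS2.
# Adapter name and operation mode are assumptions.
Import-Module NetworkLoadBalancingClusters
New-NlbCluster -HostName 'LON-CAS1' -InterfaceName 'Ethernet' `
    -ClusterName 'Webmail.adatum.com' -ClusterPrimaryIP 172.16.0.6 `
    -SubnetMask 255.255.0.0 -OperationMode Unicast
Add-NlbClusterNode -HostName 'LON-CAS1' -InterfaceName 'Ethernet' `
    -NewNodeName 'LON-CAS2' -NewNodeInterface 'Ethernet'

# Task 3: the A record for the virtual IP, created on LON-DC1.
Invoke-Command -ComputerName 'LON-DC1' -ScriptBlock {
    Add-DnsServerResourceRecordA -ZoneName 'adatum.com' -Name 'webmail' -IPv4Address '172.16.0.6'
}

# Check: every node converged, DNS resolves the name to the VIP, and OWA
# answers through the VIP rather than a single server.
function Test-CasLoadBalancer {
    param([string]$Fqdn = 'webmail.adatum.com', [string]$Vip = '172.16.0.6')
    $nodes    = Get-NlbClusterNode -HostName 'LON-CAS1'
    $resolved = (Resolve-DnsName -Name $Fqdn -Type A).IPAddress
    $owa = try {
        (Invoke-WebRequest -Uri "https://$Fqdn/owa" -UseBasicParsing).StatusCode
    } catch {
        $_.Exception.Message
    }
    [pscustomobject]@{
        ConvergedNodes = @($nodes | Where-Object { $_.State -eq 'Converged' }).Count
        TotalNodes     = @($nodes).Count
        DnsAnswer      = $resolved
        DnsMatchesVip  = ($resolved -contains $Vip)
        OwaStatus      = $owa
    }
}
Test-CasLoadBalancer
```

ConvergedNodes should equal TotalNodes (2) before the exercise is considered complete; a mismatch usually means the second node has not finished converging or its adapter name differed from the one passed to Add-NlbClusterNode.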
Exercise 3: Testing the High-Availability Configuration
Scenario
To verify that your high-availability configuration works as expected, you will check Client Access server and DAG failover.
The main tasks for this exercise are as follows:
1. Simulate failure on LON-CAS1 and verify Microsoft Outlook Web Access functionality
2. Enable LON-CAS1 and simulate a LON-CAS2 failure
3. Verify high availability of the database copies
4. To prepare for the next module
Task 1: Simulate failure on LON-CAS1 and verify Microsoft Outlook Web Access functionality
1. Switch to LON-CAS1, and in Network Load Balancing Manager, stop LON-CAS1(Ethernet)
2. Switch to LON-DC1, open Internet Explorer and type https://webmail.adatum.com/owa, and
3. You should now see your Inbox. This indicates that LON-CAS2 is currently serving as the Clie
Task 2: Enable LON-CAS1 and simulate a LON-CAS2 failure
1. Switch to the LON-CAS1 virtual machine, then in Network Load Balancing Manager, start LO
2. Switch to the Host machine, in Hyper-V Manager, turn off 20341B-LON-CAS2.
3. Switch to the LON-DC1 virtual machine. In Internet Explorer, click Refresh (F5), and sign in a
4. In Outlook Web App, verify that you can access folders such as Sent Items. This verifies that L
Task 3: Verify high availability of the database copies
1. Switch to LON-CAS1, and in the EAC, verify that Mailbox Database 1\LON-MBX1 is Active
2. Switch to the Host machine, in Hyper-V Manager, turn off 20341B-LON-MBX1.
3. Switch to the LON-CAS1 virtual machine. In Internet Explorer, click Refresh (F5) and verify i
MBX1 shows as Passive ServiceDown, and Mailbox Database1\LON-MBX1 shows as Acti
4. Switch to the LON-DC1 virtual machine, and in Internet Explorer and Outlook Web App, verif
Task 4: To prepare for the next module
When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20341B-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 to 3 for 20341B-LON-CAS1, 20341B-LON-CAS2, 20341B-LON-MBX1, and 20
Note: Although some of the servers are not running, you must still revert them.
5. In Hyper-V Manager, click 20341B-LON-DC1, and in the Actions pane, click Start.
6. In the Actions pane, click Connect. Wait until the virtual machine starts.
7. Sign in using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
8. Repeat steps 5 to 7 for 20341B-LON-MBX1. When you have successfully signed in to LON-MBX
Results: After completing this exercise, the students will have tested their high-availability configuration.
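A shell-based version of the Exercise 3 checks, as an added example that is not part of the course. Instead of powering off LON-MBX1, it uses a planned switchover to move the active copy, which exercises the same transition without a lossy failover; the node drain timeout and the database and server names used are assumptions drawn from the lab.

```powershell
# Added example (not from the course): Exercise 3 checks from the
# Exchange Management Shell on a server with the NLB module available.

# Task 1 without the GUI: drain LON-CAS1 out of the NLB cluster, prove OWA
# still answers through the VIP, then bring the node back.
Stop-NlbClusterNode -HostName 'LON-CAS1' -Drain -Timeout 2
$owaCode = (Invoke-WebRequest -Uri 'https://webmail.adatum.com/owa' -UseBasicParsing).StatusCode
Start-NlbClusterNode -HostName 'LON-CAS1'

# Task 3 as a planned switchover rather than a power-off (assumption): the
# copy on LON-MBX2 becomes Mounted and the LON-MBX1 copy becomes Healthy.
Move-ActiveMailboxDatabase -Identity 'Mailbox Database 1' -ActivateOnServer 'LON-MBX2' -Confirm:$false

# Report which server is active and whether replication is healthy.
function Get-DagFailoverReport {
    param([string]$Database = 'Mailbox Database 1')
    $copies = Get-MailboxDatabaseCopyStatus -Identity "$Database\*"
    $active = $copies | Where-Object { $_.Status -eq 'Mounted' }
    $failed = Test-ReplicationHealth | Where-Object { $_.Result -ne 'Passed' }
    [pscustomobject]@{
        Database      = $Database
        ActiveOn      = $active.MailboxServer
        Copies        = ($copies | ForEach-Object { "$($_.MailboxServer)=$($_.Status)" }) -join ', '
        CopyQueue     = ($copies | Measure-Object CopyQueueLength -Sum).Sum
        ReplayQueue   = ($copies | Measure-Object ReplayQueueLength -Sum).Sum
        OwaViaVip     = $owaCode
        ReplicationOk = (@($failed).Count -eq 0)
    }
}
Get-DagFailoverReport
```

After a real server loss (the lab's power-off of LON-MBX1) the same report shows the lost server's copy as ServiceDown and Test-ReplicationHealth reports failed checks for that server, which is the expected picture until the server returns and its copy resynchronizes.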
Question: When do you need to pre-stage the cluster network object for a database availability group?
Question: In the lab, one mailbox server failed. How did the other mailbox server achieve a quorum?
Module Review and Takeaways
Best Practice
When selecting a witness server for a DAG, you should prefer a Client Access server over a file server.
Common Issues and Troubleshooting Tips
Common Issue
You cannot add an Exchange server to a DAG.
When you add a server to a DAG, replication of the database fails.
Review Question(s)
Question: Your DAG has two mailbox servers (nodes) and one witness server. When will you lose quorum and be unable to mount the databases automatically?
Module 7: Planning and Implementing Disaster Recovery
Contents:
Module Overview
Lesson 1: Planning for Disaster Mitigation
Lesson 2: Planning and Implementing Exchange Server 2013 Backup
Lesson 3: Planning and Implementing Exchange Server 2013 Recovery
Lab: Implementing Disaster Recovery for Exchange Server 2013
Module Review and Takeaways
Module Overview
Backing up Exchange server data on a regular basis is an essential part of your general Exchange server administration. Data backup enables you to restore the data at a later date, either in the event of data loss or corruption, or for test purposes.
Backing up Exchange server is a relatively simple task, but the backup regime is determined by factors such as backup hardware, backup-window durations, and restore constraints. Service Level Agreements (SLAs) play a major part in determining backup regimes. If, for example, your SLA for Exchange server specifies that Exchange services must not be down for more than two hours during a disaster, your backup regime must be designed and performed with this goal in mind.
Exchange Server 2013 contains backup and restore features such as Exchange Native Data Protection that you should consider before using the traditional backup-to-tape approach that organizations currently use. This module describes backup and restore features of Exchange Server 2013, and the details that you need to consider when you create a backup plan.
Objectives
After completing this module, you will be able to:
Plan disaster mitigation.
Plan and implement Exchange Server 2013 backup.
Plan and implement Exchange Server 2013 recovery.
Lesson 1: Planning for Disaster Mitigation
Disaster mitigation helps you to avoid the need for disaster recovery. It also allows you to recover data much faster than you would with a full system restore. Exchange Server 2013 has improved the disaster mitigation methods that are available to administrators, with new features such as database availability groups (DAGs).
This lesson provides an overview of the options available in Exchange Server 2013 that enable you to mitigate the effects of a disaster without restoring backups. The lesson also describes those scenarios where backups are still required.
Lesson Objectives
After completing this lesson, you will be able to:
Identify data-loss scenarios.
List data-loss mitigation features.
Plan a disaster mitigation strategy.
Describe the relationship between disaster recovery and high availability.
Describe Exchange Server Native Data Protection.
Describe when Exchange Server Native Data Protection is appropriate.
Describe the timelines for disaster recovery.
Identify scenarios that require backup and restore.
Identifying Data-Loss Scenarios
When you identify risks, you first must consider all of the potential data-loss scenarios that can affect users' work. In an Exchange environment, possible data-loss scenarios include lost item, lost mailbox, lost database, and lost server.
Lost Item
A lost item from a mailbox often occurs because a user deleted the item either accidentally or on purpose, and the user later realizes that the item was required. One lost mailbox item typically consists of a small amount of data. However, that small amount of data can be very important. Lost items often include an email message or a calendar item, and may include attachments important to the user.
Lost Mailbox
A lost mailbox typically occurs when the Exchange administrator deletes a user's mailbox. While this could happen accidentally, it more commonly occurs when a user leaves the organization. In a common scenario, after a user leaves the organization, the user's manager needs access to the mailbox to view projects on which the user was working. However, because the administrator already deleted the mailbox, its contents are no longer available for viewing by the manager.
Lost Database
A lost database results in a loss of all mailboxes in that database. In addition, while the database is missing, the users whose mailboxes are in this database can no longer send or receive messages.
A lost database typically occurs because of a system malfunction, which can include disk failure or database corruption. Lost database recovery is critical, because many users may be affected by the outage.
Lost Server
A lost server results in a loss of all databases located on that server. A lost server typically occurs because of a system or infrastructure failure. Lost server recovery is critical, because many users may be affected. In the event that a data center is lost, multiple servers could also be lost.
Data-Loss Mitigation Features
Exchange Server 2013 includes a number of features that you can use to mitigate data loss.
This is important because when data loss is mitigated, you do not need to perform recovery from a backup. Typically, it is much faster to use these data-loss mitigation methods before you attempt to perform recovery from a backup.
Deleted Items Recovery
In earlier versions of Exchange, items that a user deleted were still recoverable until the items were purged from the dumpster. A hard delete (performed by pressing SHIFT+DELETE) permanently removes the messages from the mailbox. In Exchange Server 2013, the dumpster is replaced by the Recoverable Items store. If you do not modify the default retention times, messages are purged from the mailbox database after 14 days, and calendar items after 120 days.
Single-Item Recovery
Microsoft Exchange Server 2010 introduced single-item recovery, a new feature that you could use to recover items without having to restore the mailbox database using a backup. This feature is disabled by default and needs to be enabled for each mailbox. Without single-item recovery enabled, items that are purged from the Recoverable Items store can only be recovered through a backup of the mailbox database.
When single-item recovery is enabled, all items in the Recoverable Items store are preserved and cannot be deleted by the user. Without single-item recovery in place, items are purged after 14 days, and calendar items after 120 days. These default activities do not apply when the Recoverable Items warning quota is reached. In that instance the items are purged in a first-in, first-out order.
In-Place Hold
Another option you can use to recover items from a user's mailbox is to enable In-Place Hold for the user. With this feature, all items that are deleted from the user's mailbox are preserved in the Recoverable Items store, and can be recovered through an eDiscovery search on the user's mailbox. Administrators can search and recover held items. Users cannot search or recover the held items.
Additional Data-Loss Mitigation Features
Other data-loss mitigation features include:
Deleted mailbox retention. Use deleted mailbox retention to recover deleted mailboxes and their co
DAG. Use a DAG in most scenarios, to recover from a lost server or database. When a server or da
th site resilience, a DAG mitigates the loss of an entire data center.
Shadow redundancy. In Exchange Server 2013, the transport server now makes a copy of each mes
transit, the copy of the message is redelivered.
Planning a Disaster Mitigation Strategy
When you implement Exchange Server 2013, the default configuration is sufficient for many organizations. However, if you plan a disaster mitigation strategy, consider the following:
Increase deleted item retention so that the items are recoverable for a longer time period, but in mos
Increase deleted-item retention for critical users. By increasing the retention time for critical users,
Enable single-item recovery to ensure that all items are recoverable. Single-item recovery prevents
Increase deleted mailbox retention to make mailboxes recoverable for a longer time period, but for
Use DAGs to provide a server-level redundancy and avoid data loss. You must have the Enterprise
Use a lagged copy to prevent database corruption. Database corruption can occur when a transactio
ng transaction from being replayed on the lagged passive copy.
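The mitigation features described under Data-Loss Mitigation Features and the planning points above, applied with Exchange Management Shell cmdlets, as an added example that is not part of the course. The retention values, the critical-user account names, the hold name and the server that holds the lagged copy (a third Mailbox server, LON-MBX3, which does not exist in the lab) are assumptions; the cmdlets and parameters are Exchange Server 2013's own.

```powershell
# Added example (not from the course): configure deleted-item retention,
# single-item recovery, In-Place Hold and a lagged copy, then audit the gaps.

# Longer deleted-item retention and deleted-mailbox retention on every
# database (values in days; both are assumptions, not recommendations).
Get-MailboxDatabase |
    Set-MailboxDatabase -DeletedItemRetention 30.00:00:00 -MailboxRetention 60.00:00:00

# Critical users (assumed account names) get a longer per-mailbox retention
# and single-item recovery, so their purges are prevented rather than delayed.
$criticalUsers = 'Administrator', 'CriticalUser1'
foreach ($u in $criticalUsers) {
    Set-Mailbox -Identity $u -RetainDeletedItemsFor 90.00:00:00 -SingleItemRecoveryEnabled $true
}

# In-Place Hold on one mailbox: deleted items stay in Recoverable Items and
# are retrievable through eDiscovery; the user cannot purge them.
New-MailboxSearch -Name 'Hold-CriticalUser1' -SourceMailboxes 'CriticalUser1' -InPlaceHoldEnabled $true

# Lagged copy: log replay is held back 7 days, so a logical corruption that
# the DAG replicated to the other copies has not yet been applied here.
# LON-MBX3 is an assumed additional Mailbox server.
Add-MailboxDatabaseCopy -Identity 'Mailbox Database 1' -MailboxServer 'LON-MBX3' `
    -ReplayLagTime 7.00:00:00 -TruncationLagTime 1.00:00:00 -ActivationPreference 3

# Audit: mailboxes with neither single-item recovery nor any hold, i.e. the
# ones still relying only on the database retention window.
function Get-MitigationGaps {
    Get-Mailbox -ResultSize Unlimited |
        Where-Object {
            -not $_.SingleItemRecoveryEnabled -and
            -not $_.LitigationHoldEnabled -and
            -not $_.InPlaceHolds
        } |
        Select-Object Name, RetainDeletedItemsFor, SingleItemRecoveryEnabled, LitigationHoldEnabled
}
Get-MitigationGaps | Format-Table -AutoSize
```

Raising retention increases the size of the Recoverable Items folder, so the RecoverableItemsQuota and RecoverableItemsWarningQuota on the database need to be reviewed at the same time; once the warning quota is reached, items are purged first-in, first-out regardless of the retention period, as the lesson notes.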
Discussion: What Is the Relationship Between Disaster Recovery and High Availability?
Use the discussion questions to help examine the relationship between disaster recovery and high availability.
Question: What high-availability features can you use as a first line against a disaster?
Question: Would your organization accept using only high availability features and not use backups?
Exchange Server Native Data Protection
Exchange Server 2013 enables a much tighter integration of high availability with disaster recovery, especially if the Exchange Server 2013 high-availability features are sufficient for your backup requirements.
Starting with Exchange Server 2010, a new feature called Exchange Native Data Protection is included that allows you to reduce or completely remove your traditional backup solutions for mailboxes and Exchange servers. You should carefully consider whether this feature meets your disaster recovery requirements. Exchange Native Data Protection includes the following features:
High availability to minimize downtime and data loss. If Exchange Server 2013 DAGs are the prim
n spread database copies across multiple data centers or Active Directory sites. This allows you to a
Single-item recovery and In-Place hold policies for recovering deleted messages. In Exchange Serv
place hold preserves electronically stored information such as email messages so that users cannot d
Point-in-time database recovery with lagged database copies of a mailbox database. When you configure a m
ys. This means that if you have an issue with your current active database, you can switch to the lag
Archive mailboxes, retention and archive policies, and In-Place eDiscovery for managing large mailboxes. By configuring archive mailboxes, you can provid
ing retention and archive policies. All of the messages are available to the user, and can also be acce
As you consider implementing these features, you should evaluate the cost of your current backup infrastructure, including hardware, installation, and license costs, and the management costs associated with recovering data and maintaining the backups. Depending on the requirements of your organization, it is likely you can attain a lower Exchange Total Cost of Ownership through maintaining at least three mailbox database copies instead of one with backups.
Even though it might appear that highly available deployments no longer require traditional backups, you may still require them in your organization. Integrating high-availability features as an alternative to backups only works for the mailbox databases. You still may consider using traditional backups for other Exchange Server 2013 configurations.
Discussion: When Is Exchange Server Native Data Protection Appropriate?
Discuss Exchange Server Native Data Protection with the students.
Does your organization work with Exchange Server 2010 or 2013 and that uses only Exchange Se
Why?
Does your organization use traditional backups? Why?
Does your organization use a combination of Exchange Server Native Data Protection and tradition
Which features of Exchange Server Native Data Protection do you use in your organization?
In which situation is it appropriate to use only Exchange Server Native Data Protection?
What Are the Timelines for Disaster Recovery?
The timelines for disaster recovery are determined by the Service Level Agreement (SLA). Each SLA should include a Recovery-Time Objective (RTO) and a Recovery-Point Objective (RPO) that you use to determine how to perform backups and disaster recovery.
The RTO for a service defines how quickly you should recover the service. For example, after a Mailbox server fails, the RTO for the Mailbox server might indicate that you need to recover the mailboxes stored on that server within two hours.
In some cases, there may be an RTO for partial functionality. For example, after a Mailbox server fails, the RTO for sending and receiving messages might be one hour, but the RTO for historical data in mailboxes might be 12 hours.
The RPO for a service defines the point in time when you must recover the service. The RPO may indicate that data from a specific timeframe can be lost, or that recovery must equal a certain point in time. For example, the RPO for a Mailbox server may indicate that up to 12 hours of data may be lost, or that a Mailbox server must be recovered to the backup at 2 a.m. the previous day.
Based on your RTO and RPO for Mailbox servers, you may choose to:
Keep databases small, to shorten recovery times.
Keep transaction logs on separate drives from the database, to ensure that you can replay them aft
Perform a backup every few hours, to ensure minimal data loss.
Scenarios Requiring Backup and Restore
After implementing data loss mitigation and high availability for Mailbox servers, you still may encounter scenarios that require backup and restore for data recovery. Data recovery scenarios requiring backup and restore include:
Recovering a hard-deleted message when single-item recovery is not enabled. If single-item recove
Recovering a message after the item retention period has passed. Even when you enable single-item
Recovering a public folder item after the item-retention period has passed. Exchange Server 2013 o
Recovering a database when not using a DAG. You must recover failed databases from backup whe
ypically to restore from backup than to repair a database.
Recover from a server failure when the Mailbox server is not a member of a DAG. When a Mailbox
In addition to data-recovery requirements, a common reason for backups is compliance. Some organizations are required by regulations or laws to maintain an archive of email for a period of time. You can use a backup for this purpose, but you should also consider non-Microsoft archiving software.
Lesson 2: Planning and Implementing Exchange Server 2013 Backup
When planning Exchange Server 2013 backup, consider which data you need to restore. You only need to back up the data that must be restored. Limiting the backup data size decreases the time it takes to perform the backup, and provides more flexibility in your backup schedule.
The software you use to perform backups also can influence your backup process. There are many non-Microsoft solutions for backing up Exchange Server 2013. You also can use Windows Server Backup in the Windows operating system and the Microsoft System Center Data Protection Manager (Data Protection Manager).
This lesson provides an overview of the requirements that are needed to implement an Exchange Server 2013 backup solution.
Lesson Objectives
After completing this lesson, you will be able to:
Identify the backup requirements for Exchange Server 2013.
Choose Exchange Server backup software.
Choose Exchange Server backup media.
Describe how Volume Shadow Copy Service (VSS) backup works.
Backup Requirements for Exchange 2013
The backup requirements for Exchange Server 2013 computers depend on the Exchange server role that is installed on the computer. The following table lists the information that you need to perform backup for each Exchange server role.
Exchange server role | Backed-up data | Purpose
All roles | System State of server and Active Directory Domain Services (AD DS) domain controllers (this is an optional step and | System State includes the lo
Mailbox server | Databases and transaction logs; message-tracking logs; Unified Messaging custom audio prompts | Restore data if a database is
Client Access server | Server certificates used for Secure Sockets Layer (SSL); specific Internet Information Server (IIS) configuration | Restore the server certificate
Choosing Exchange Server Backup Software
You can back up by using the built-in Windows Server Backup software, Data Protection Manager, or non-Microsoft software. Choose the software based on the features that you require. At a minimum, use backup software that works properly with Exchange Server 2013.
The backup software that you choose must support Volume Shadow Copy Service (VSS) backups for Exchange Server 2013. A VSS backup takes a snapshot of the database rather than streaming the data from Exchange server. On the Exchange server, the Exchange Server VSS writer is responsible for triggering the snapshot and for making the Exchange server databases consistent before the snapshot is taken.
Windows Server Backup
You can use Windows Server Backup, which is included with Windows Server 2008 R2 and later, to back up Exchange Server 2013 databases and other data. When you install Exchange Server 2013, the version of Windows Server Backup is updated to support Exchange Server 2013 backups. However, Windows Server Backup has the following critical limitations:
It must run locally on the server that has the Exchange server data.
It must back up to a local disk or network share, and not to tape.
It restores only full databases.
It cannot back up passive DAG copies.
DPM
DPM is a backup solution for servers running Windows Server. DPM can back up basic file and print servers, and application servers. DPM performs disk-based backups first, and then you can use it to archive to tape.
DPM improves on Windows Server Backup in the following ways:
Unlike Windows Server Backup, Data Protection Manager requires only an agent to be installed on
You can restore databases or mailboxes. Recovering a mailbox is easier than restoring a database to
You can back up passive database copies. This means that you can back up databases from a server
Non-Microsoft Backup Software
Most non-Microsoft backup software is similar to DPM. However, some non-Microsoft backup software has the following additional features:
Individual-item restore. Some non-Microsoft backup software can restore individual mail messages directly from backup to a user's m
Brick-level backup. Brick-level backups are backups of mailbox contents. To perform a brick-level
(MAPI) connection to each mailbox that it is backing up. This can be useful for backing up specific
Choosing Exchange Server Backup Media
Tape backup remains a popular method of performing backups. Tapes are easy to transport and very durable. Tape capacity and speed have steadily increased as manufacturers introduce new products. If you need to expand backup capacity beyond a single tape, you can use a tape changer that automatically rotates several tapes in a single unit. In high-capacity environments, you can use a tape library. A tape library is a cabinet with one or more tape backup units, and a robot arm that moves tapes in and out of the tape backup units.
To increase backup performance, many organizations use disk-based backups instead of tapes. Disk storage is often less expensive than tape storage when you use large-capacity disks rather than the faster performing Small Computer System Interface (SCSI) disks.
However, disk-based backups are not as well suited as tape-based backups for off-site storage. Disks tend to be sensitive to physical movement, and may become unreliable if you transport them regularly. Therefore, many organizations use disks as a first backup tier, and then transfer backups to tape for off-site storage.
If your Exchange server databases are located on a storage area network (SAN), then you can use SAN-based snapshots to lessen backup traffic on the main network, and keep backup traffic on the SAN. The backup is taken from the SAN snapshot rather than through the Exchange server. To implement SAN-based snapshots for Exchange server backup, your backup application must support your specific SAN hardware.
How Does a VSS Backup Work?
Starting with Exchange 2010, extensible storage engine (ESE) streaming application programming interfaces (APIs) are no longer available. Exchange now only supports use of VSS-based backups.
VSS
Volume Shadow Copy Service provides the backup infrastructure for the Microsoft Windows Server 2008 or newer operating systems, as well as a mechanism for creating consistent point-in-time copies of data known as shadow copies.
The VSS can be used for a number of purposes, such as:
Creating consistent backups of open files and applications.
Creating shadow copies for shared folders.
Quickly recovering and restoring files and data.
Creating transportable shadow copies using a hardware provider for backup, testing, and data min
The following components are included in VSS:
Component | Description
Volume Shadow Copy Service | A service that coordinates various components to create consistent
Requestor | An application that requests that a volume shadow copy can be tak
Writer | Stores persistent information on one or more volumes that particip
Provider | Creates and maintains the shadow copies.
Source volume | Volume that contains the data to be shadow copied.
Storage volume | Volume that holds the shadow copy storage files for the system co
New to Exchange Server 2013
Microsoft Exchange Server 2007 and Exchange Server 2010 include two VSS writers, one inside the Microsoft Exchange Information Store service and one inside the Microsoft Exchange Replication service. With Exchange Server 2013, the writer inside the Microsoft Exchange Information service is moved to the Microsoft Exchange Replication service and is referred to as the Microsoft Exchange Writer. This writer is used by Exchange-aware VSS-based applications to back up active and passive database copies and to restore them.
For backup or restore of Exchange databases, both services (Microsoft Exchange Information Store and Microsoft Exchange Replication) are required and need to be running.
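A readiness check for the two requirements just stated, as an added example that is not part of the course: both services running and the Microsoft Exchange Writer registered with VSS and in a Stable state. The service short names and the writer name are Exchange's own; the regular expression that parses the text output of vssadmin is an assumption about that tool's output layout.

```powershell
# Added example (not from the course): confirm the Information Store and
# Replication services are running and the Microsoft Exchange Writer is
# stable before a VSS backup is attempted.
function Test-ExchangeVssReadiness {
    $services = 'MSExchangeIS', 'MSExchangeRepl' | ForEach-Object {
        $s = Get-Service -Name $_ -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service = $_
            Status  = if ($s) { $s.Status } else { 'NotInstalled' }
        }
    }

    # vssadmin prints one block per writer, for example:
    #   Writer name: 'Microsoft Exchange Writer'
    #      Writer Id: {...}
    #      Writer Instance Id: {...}
    #      State: [1] Stable
    #      Last error: No error
    # The pattern below assumes that layout.
    $text = & vssadmin.exe list writers | Out-String
    $m = [regex]::Match(
        $text,
        "Writer name: 'Microsoft Exchange Writer'[\s\S]*?State: \[\d+\] (\w+)[\s\S]*?Last error: ([^\r\n]+)")

    $servicesRunning = @($services | Where-Object { $_.Status -ne 'Running' }).Count -eq 0
    [pscustomobject]@{
        Services      = $services
        WriterPresent = $m.Success
        WriterState   = if ($m.Success) { $m.Groups[1].Value } else { $null }
        WriterError   = if ($m.Success) { $m.Groups[2].Value.Trim() } else { $null }
        Ready         = $servicesRunning -and $m.Success -and ($m.Groups[1].Value -eq 'Stable')
    }
}
Test-ExchangeVssReadiness
```

A writer that is missing from the list, or that reports a state other than Stable, is the usual reason an Exchange-aware backup fails before any data is copied; restarting the Microsoft Exchange Replication service re-registers the writer.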
How VSS Backup Works
Backup solutions that use VSS create a shadow copy of the disk as the backup process begins. Then, Exchange server creates the backup with the shadow copy rather than the working disk, so that backup does not interrupt normal operations.
It produces a backup of a volume that reflects that volume's state when the backup begins, even if the data changes while the backup is in progress. All of the data in the backup is internally consistent, and it reflects the volume's state at a single point in time.
It notifies applications and services that a backup is about to occur. The services and applications, such as Exchange server, can therefore prepare for the backup by cleaning up on-disk structures and flushing caches.
Supported Exchange Server 2013 Technologies
Only Exchange-aware, VSS-based backups are supported in Exchange Server 2013. Windows Server Backup is extended with a plug-in through the installation of Exchange 2013 that makes it possible to make VSS-based backups of Exchange data. The following Exchange-aware applications can be used to back up and restore Exchange databases:
Windows Server Backup (with VSS plug-in)
Data Protection Manager
Third-party VSS-based application
Limitations of VSS
Be aware of the following limitations when you use VSS for Exchange data backup and restore:
With the Windows Server Backup, you can only back up volumes containing active mailbox databa
party VSS-based application.
A separate VSS writer in the Microsoft Exchange Replication service is used to back up the passive
party Exchange-aware VSS-based application; it is not possible to perform a VSS restore directly to
o Restore the passive mailbox database to an alternate location.
o Suspend replication to the passive copy.
o Copy the database and log files from the alternate location to the location of the passive database
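The three-step passive-copy restore listed above, scripted, as an added example that is not part of the course. The alternate restore location, the copy identity and the Logs subfolder name under the restore location are assumptions; the live database and log paths are read from the database's own configuration. Step 1 (the restore to the alternate location) is done by the VSS-based backup application, so the script only verifies its output.

```powershell
# Added example (not from the course): replace a passive copy's files with a
# database restored to an alternate location, per the limitation above.
function Restore-PassiveCopyFromAlternate {
    param(
        [string]$Database  = 'Mailbox Database 1',
        [string]$Server    = 'LON-MBX2',
        [string]$Alternate = 'D:\Restore\MDB1'   # assumed: where the backup app restored to
    )
    $copy = "$Database\$Server"
    $db   = Get-MailboxDatabase -Identity $Database
    $edb  = $db.EdbFilePath.PathName
    $logs = $db.LogFolderPath.PathName

    # Check step 1's result: the restored database must exist and be in
    # Clean Shutdown, otherwise its logs still need replaying (eseutil /R).
    $restoredEdb = Join-Path $Alternate (Split-Path $edb -Leaf)
    if (-not (Test-Path $restoredEdb)) { throw "No restored database at $restoredEdb" }
    $state = (& eseutil.exe /mh $restoredEdb | Select-String 'State:') -join ''
    if ($state -notmatch 'Clean Shutdown') {
        throw "Restored database is not in Clean Shutdown ($state); replay its logs with eseutil /R before continuing"
    }

    # Step 2: suspend replication so the files are not touched while replaced.
    Suspend-MailboxDatabaseCopy -Identity $copy `
        -SuspendComment 'Restoring passive copy from alternate location' -Confirm:$false

    # Step 3: copy the restored database and logs over the passive copy's
    # files. Runs on the passive server so the paths are local there.
    Invoke-Command -ComputerName $Server -ArgumentList $Alternate, $edb, $logs -ScriptBlock {
        param($src, $edbPath, $logPath)
        Remove-Item -Path (Join-Path $logPath '*') -Recurse -Force
        Copy-Item -Path (Join-Path $src (Split-Path $edbPath -Leaf)) -Destination $edbPath -Force
        Copy-Item -Path (Join-Path $src 'Logs\*') -Destination $logPath -Force   # 'Logs' is assumed
    }

    Resume-MailboxDatabaseCopy -Identity $copy
    Get-MailboxDatabaseCopyStatus -Identity $copy |
        Select-Object Name, Status, CopyQueueLength, ReplayQueueLength, ContentIndexState
}
Restore-PassiveCopyFromAlternate
```

If the copy does not return to Healthy after the resume, because the restored files are older than the log generations the active copy still holds, the remaining option is a reseed from the active copy with Update-MailboxDatabaseCopy.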
Demonstration: How to Back Up Exchange Server 2013
Demonstration Steps
1. In Server Manager, add the Windows Server Backup feature.
2. Create a shared folder named Backup on LON-CAS1.
3. In Windows Server Backup, create a backup set to back up the entire server to \\LON-CAS1\Ba
4. Verify the backup in the Event Viewer.
Question: Do you plan to use Windows Server Backup as your primary Exchange Server backu
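The demonstration's Windows Server Backup job scripted with the WindowsServerBackup module, followed by a check that the backup registered with Exchange, as an added example that is not part of the course. \\LON-CAS1\Backup is the demonstration's share; the volume letters, the credential prompt and the one-hour window for event lookup are assumptions.

```powershell
# Added example (not from the course): the demonstration's backup from
# PowerShell, then verification without opening Event Viewer.
Import-Module WindowsServerBackup

$policy = New-WBPolicy
# A VSS full backup lets Exchange truncate transaction logs once the backup
# completes; a VSS copy backup would leave the logs in place.
Set-WBVssBackupOptions -Policy $policy -VssFullBackup
# Volumes holding the databases and logs (C: and D: are assumed).
foreach ($letter in 'C:', 'D:') {
    Add-WBVolume -Policy $policy -Volume (Get-WBVolume -VolumePath $letter)
}
$cred   = Get-Credential -Message 'Account with write access to \\LON-CAS1\Backup'
$target = New-WBBackupTarget -NetworkPath '\\LON-CAS1\Backup' -Credential $cred
Add-WBBackupTarget -Policy $policy -Target $target
Start-WBBackup -Policy $policy

# Step 4 of the demonstration from the shell: the last WSB job, what
# Exchange recorded as the last full backup per database, and the
# Replication service's recent events (the Microsoft Exchange Writer lives
# in that service, so its VSS events use the MSExchangeRepl source).
function Get-ExchangeBackupStatus {
    $job = Get-WBJob -Previous 1
    $dbs = Get-MailboxDatabase -Status |
        Select-Object Name, LastFullBackup, LastIncrementalBackup, BackupInProgress
    $events = Get-WinEvent -FilterHashtable @{
            LogName      = 'Application'
            ProviderName = 'MSExchangeRepl'
            StartTime    = (Get-Date).AddHours(-1)
        } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
    [pscustomobject]@{
        JobState   = $job.JobState
        JobError   = $job.ErrorDescription
        Databases  = $dbs
        ReplEvents = $events
    }
}
Get-ExchangeBackupStatus
```

LastFullBackup advancing to the job's completion time is the confirmation that matters: it means the Microsoft Exchange Writer reported the backup complete and log truncation has been requested.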
Lesson 3: Planning and Implementing Exchange Server 2013 Recovery
To restore lost servers and data in the most efficient manner, you need to understand the options available for recovering Exchange server functionality and data. The recovery process varies depending on the specific server roles. To ensure that everyone in your organization understands the recovery process, you should create and maintain a disaster recovery plan.
This lesson provides an overview of the options that are available to recover mailbox items, databases, and Exchange servers.
Lesson Objectives
After completing this lesson, you will be able to:
Describe the options to recover Exchange server.
Describe the options to recover mailbox data.
Recover mailbox data.
Recover Client Access servers.
Recover the public folder hierarchy.
Recover data using the recovery database.
Repair a corrupted Exchange server database.
Recover a database with the dial-tone functionality.
Options for Recovering Exchange Server Functionality
You have two options when recovering Exchange server functionality. You can either replace the lost server roles or recover the lost server. Both options allow you to recover full functionality.
Replace the Lost Server Roles
It is typically faster to replace a lost server role than to restore a lost server. Replacing a lost server role means that you install a new additional server with the lost role on it. If you are using a DAG, you can add a new server to the DAG and create a new database copy on the server. Other server roles may have customizations that you need to configure.
Recover the Lost Server
When a server fails, you can recover the lost server to restore the functionality provided by that server. Recovering the server requires you to build a new server, and to join that server to the domain using the same computer account name. You can restore the computer's system state to recover the computer name and recover some configuration information, such as the IP address and certificates, but this is not the recommended recovery process.
After joining the domain, install Exchange Server 2013 using the Recovery mode. The Recovery mode reads the Exchange server configuration information from AD DS and automatically installs the appropriate server roles that are linked to the computer account. After installation, the Exchange server configuration information stored in AD DS is used for that computer.
Note: Never delete the computer account for a failed Exchange server. If you do, you cannot recover the Exchange server functionality for that server.
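The Recovery mode installation described above, with the pre-check that the note requires, as an added example that is not part of the course. The server name, the installation media path and the use of the ActiveDirectory module for the pre-check are assumptions; the Setup switches are Exchange Server 2013's own.

```powershell
# Added example (not from the course): recover a lost Exchange server with
# Setup /m:RecoverServer after rebuilding the OS under the same name.
$Server = 'LON-MBX1'   # assumed: the server being recovered
$Media  = 'E:\'        # assumed: Exchange Server 2013 installation media

# Pre-check, run from any domain-joined machine with the Exchange tools:
# the computer account and the Exchange server object must both still exist,
# because Recovery mode reads the role set from AD DS.
Import-Module ActiveDirectory
$adComputer = Get-ADComputer -Identity $Server -ErrorAction Stop
$exServer   = Get-ExchangeServer -Identity $Server -ErrorAction Stop
'{0}: roles recorded in AD DS = {1}; computer account enabled = {2}' -f `
    $Server, $exServer.ServerRole, $adComputer.Enabled

# On the rebuilt server (same name, joined to adatum.com, Exchange prerequisites
# installed): Recovery mode reinstalls the roles AD DS lists for this name.
& (Join-Path $Media 'Setup.exe') /m:RecoverServer /IAcceptExchangeServerLicenseTerms

# Post-check on the recovered server: services healthy and databases mounted.
function Test-RecoveredServer {
    param([string]$Name = $Server)
    $unhealthy = Test-ServiceHealth | Where-Object { -not $_.RequiredServicesRunning }
    $dbs = Get-MailboxDatabase -Server $Name -Status | Select-Object Name, Mounted
    [pscustomobject]@{
        Server         = $Name
        RolesHealthy   = (@($unhealthy).Count -eq 0)
        UnhealthyRoles = $unhealthy | Select-Object -ExpandProperty Role
        Databases      = $dbs
    }
}
Test-RecoveredServer
```

Server-level settings that live only on the old machine (custom IIS settings, the certificate's private key, third-party agents) are not restored by Recovery mode and must be reapplied afterwards; the settings that come back automatically are the ones stored in AD DS.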
When to Recover a Lost Server
Even though it is faster and easier to replace a lost server role than to recover a lost ser
ver, you should recover the server in the following cases:
To avoid reconfiguring firewalls. Internet-accessible servers such as Microsoft Outlook Web App
creating the original configuration means that you do not need to reconfigure firewalls to direct traf
nt Access array.
To recover poorly documented customizations. If a lost servers customizations are poorly documen
To avoid reconfiguring applications configured to use a specific server. Some applications are conf
Hub Transport server with an appropriate Simple Mail Transfer Protocol (SMTP) receive connector
Options for Recovering Mailbox Data and Databases
If a database is intact, you can use single-item recovery to restore individual messages. If a database is lost due to corruption or server failure, you need to recover the data that was stored in the lost database. There are many options that you can use when you perform a recovery. Each option is appropriate in different circumstances. The available options are described in the following table:
Option: Database restore
Recover a database lost due to corruption or disk failure by restoring the database. After restoration, repla
Option: Recovery database
A recovery database is a database that is mounted on a Mailbox server, but is not directly accessible to us
Option: Database portability
You do not need to restore databases on the same servers that backed them up. You can restore and moun
e located on a different server. After restoring a database to an alternate server, you must use the Set-Mai
Option: Dial-tone recovery
When a mailbox database fails, users with mailboxes in that database can no longer send and receive mes
tone database is functional, restore historical data to a recovery database, and then merge the data into the
Option: DAG recovery
Performing a DAG recovery means that you do not need to perform a database restore. When you have m
Planning the Recovery of Mailbox Data and Databases
When you plan Mailbox server recovery, consider the following:
Any server in a DAG can host a copy of a mailbox database from any other server in the DAG. Wh
her recovery methods, and it improves the recovery experience for users and administrators.
Place transaction logs and databases on physically separate disks if you do not use a DAG, and if yo
Recover basic functionality as soon as possible if you do not use a DAG, and a Mailbox server or d
Ensure that you have enough free disk space to hold a restored database. Allocate enough free disk
(LUN) on each Mailbox server, or allocate one server to use for database recoveries.
Plan to use mailbox databases of a smaller size. This is important when it comes to a reseed process
Planning the Recovery of Client Access Servers
The Client Access server handles all client connections by admitting all client requests and routing them to the correct active Mailbox database. It also provides authentication, redirection, and proxy services, but it does not contain significant amounts of user or configuration data. You can recover the basic functions of Client Access servers without backing up existing servers. Backups are required only if you are restoring additional configuration options that you may have set after installation.
Adding a Server Role
One way that you can replace a failed Client Access server is to add the server role to an existing Exchange server in the same site. This way, you can recover functionality quickly. In most cases, this is a temporary solution that you can use until you can rebuild the failed server, or deploy a new server as a replacement.
Deploying a New Server
You also can deploy a new server with the same server role to replace a failed Client Access server. A new Client Access server role replaces the functionality of a failed Client Access server after all needed configurations are complete (such as adding to hardware load-balancing configuration and importing the Exchange certificate).
You can recover the lost server by using the RecoverServer switch in Exchange Server 2013. Most of the settings for a computer running Exchange Server 2013 are stored in Active Directory. The RecoverServer switch rebuilds an Exchange server with the same name by using settings and other information stored in Active Directory.
When you replace a Client Access server with a new one, you must perform additional configurations rather than rebuild the failed server. Any configuration changes that you made to the websites that were used on a Client Access server (such as authentication options) are lost when you replace a Client Access server. To return the Client Access server role to its previous configuration state, you must have documented your previous changes so that you can perform them again on the new server. When you rebuild a server, these changes are restored from backup.
Considerations for Deploying a New Server
Deploying a new server may require you to reconfigure some applications. For example, if you configure a Voice over IP (VoIP) gateway to communicate with the DNS name or IP address of the failed server, then you must reconfigure the VoIP gateway.
If you choose not to rebuild a failed Exchange server, you must remove it manually from AD DS using the LDP.exe tool. This tool is a Lightweight Directory Access Protocol (LDAP) client that allows users to perform operations against the Active Directory.
Repairing Exchange Server Database Corruption
Exchange Server 2013 uses the New-MailboxRepairRequest cmdlet to detect and repair a corrupted mailbox or mailbox database while leaving the mailbox database online. This cmdlet was first introduced with Exchange Server 2010 Service Pack 1 (SP1).
Note: Once you use these cmdlets to begin the repair process, you can stop the process only by dismounting the database.
Use the New-MailboxRepairRequest cmdlet to detect and fix mailbox and mailbox database corruptions. You can run this cmdlet against a mailbox or against a database. During the repair process, only the current mailbox being repaired is inaccessible; all other mailboxes in the database remain operational.
The New-MailboxRepairRequest cmdlet detects and fixes the following types of mailbox corruptions:

Corruption type: Description

SearchFolder: Detects and fixes search folder corruptions.

AggregateCounts: Detects and fixes aggregate counts on folders that are not reflecting the correct

FolderView: Detects and fixes views on folders that are not returning the correct contents.

ProvisionedFolders: Detects and fixes provisioned folders that are pointing incorrectly into parent fo

For example, the following cmdlet detects and repairs all corrupt items for user Christine's mailbox:
New-MailboxRepairRequest -Mailbox Christine -CorruptionType ProvisionedFolder,SearchFolder,AggregateCounts,FolderView
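As an added example (not the course's own code), the following Exchange Management Shell function runs the same corruption types against a mailbox in detect-only mode first and starts a repair only when that pass reports corruption, so an unnecessary repair never takes the mailbox offline. The Identity, JobState, CorruptionsDetected and ErrorCode properties read from Get-MailboxRepairRequest are assumptions of this example; confirm them against the cmdlet's output in your environment.

```powershell
# Added example (not from the course): detect first, repair only if needed.
# Property names read from Get-MailboxRepairRequest (Identity, JobState,
# CorruptionsDetected, ErrorCode) are assumed; verify them before relying on them.
function Wait-MailboxRepairRequest {
    param([Parameter(Mandatory=$true)]$Identity, [int]$TimeoutMinutes = 30)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        if ((Get-Date) -gt $deadline) {
            throw "Repair request $Identity did not finish within $TimeoutMinutes minutes"
        }
        Start-Sleep -Seconds 10
        $r = Get-MailboxRepairRequest -Identity $Identity
    } while ($r.JobState -ne 'Succeeded' -and $r.JobState -ne 'Failed')
    return $r
}

function Invoke-MailboxIntegrityCheck {
    param(
        [Parameter(Mandatory=$true)][string]$Mailbox,
        # Same four corruption types the course runs for Christine's mailbox.
        [string[]]$CorruptionType = @('ProvisionedFolder','SearchFolder','AggregateCounts','FolderView'),
        [int]$TimeoutMinutes = 30
    )
    # Pass 1: detection only. Nothing in the mailbox is modified.
    $detect = New-MailboxRepairRequest -Mailbox $Mailbox -CorruptionType $CorruptionType -DetectOnly
    $result = Wait-MailboxRepairRequest -Identity $detect.Identity -TimeoutMinutes $TimeoutMinutes
    if ($result.JobState -eq 'Failed') {
        throw "Detection pass failed for $Mailbox (error code $($result.ErrorCode))"
    }
    if ([int]$result.CorruptionsDetected -eq 0) {
        Write-Host "No corruption detected in $Mailbox"
        return $result
    }
    # Pass 2: repair. Only this mailbox is unavailable while the request runs, and
    # a running repair can only be stopped by dismounting the whole database.
    Write-Host "$($result.CorruptionsDetected) corruption(s) detected in $Mailbox; starting repair"
    $repair = New-MailboxRepairRequest -Mailbox $Mailbox -CorruptionType $CorruptionType
    return Wait-MailboxRepairRequest -Identity $repair.Identity -TimeoutMinutes $TimeoutMinutes
}

# Sample call for the mailbox named in the course text.
Invoke-MailboxIntegrityCheck -Mailbox 'Christine'
```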
Process for Recovering Data Using the Recovery Database
The recovery database is a recovered database that can coexist on the same server that hosts the original database. Users cannot access it directly. Only administrators can access it to recover single items, folders, mailboxes, or complete databases from the recovery database.
The recovery database was first introduced in Exchange Server 2010, and it replaced the recovery storage group from previous Exchange versions. You can use the Exchange Management Shell to create a recovery database.
Recovering Data by Using the Recovery Database
To recover data by using the recovery database, complete the following steps:
1. Restore the database that you want to recover into the folder structure of the recovery database.
2. Create a new recovery database with the Exchange Management Shell, and configure it to use t
3. Put the restored database in a clean shutdown state with Eseutil /R.
4. Mount the recovery database, and merge the data from the recovery database mailbox into the p
MailboxRestoreRequest cmdlet to perform this task.
When to Use the Recovery Database
You can use the recovery database in the following scenarios:
Dial-tone recovery. When you implement dial-tone recovery, you set up a dial-tone mailbox database on the same server or on an alternate server to provide temporary access to e
Individual mailbox recovery. You can recover individual mailboxes by restoring the database that h
Specific item recovery. If a message no longer exists in the production database, you can recover th
should consider by using a hold policy for this situation, as recovering the database might be timec
Demonstration: How to Recover Data by Using the Recovery Database
Demonstration Steps
1. Use Windows Server Backup to restore Exchange to C:\Restore.
Note: The backup activity from the previous demonstration must be completed before you can
2. In the Exchange Management Shell, execute the following command to determine the appropria
Get-MailboxDatabase -Identity "Mailbox Database 1" | fl name,guid,edbfilepath,logfolderpath
3. In the Exchange Management Shell, type the following command to create the Recovery databa
New-MailboxDatabase -Recovery -Name RecoveryDB `
    -EdbFilePath "C:\Restore\3c32c739-a0ce-43bc-a299-2f56f2bcb20c\C_\Program Files\Microsoft\Exchange Server\V15\Mailbox\Mailbox Database 1808842331\Mailbox Database 1808842331.edb" `
    -LogFolderPath "C:\Restore\GUID\C_\Program Files\Microsoft\Exchange Server\V15\Mailbox\Mailbox Database 1808842331" `
    -Server LON-MBX1
4. Restart the Microsoft Exchange Information Store service.
5. In the Exchange Management Shell, navigate to the folder of the mailbox database.
cd "C:\Restore\3c32c739-a0ce-43bc-a299-2f56f2bcb20c\C_\Program Files\Microsoft\Exchange Server\V15\Mailbox\Mailbox Database 1808842331"
6. Type the following command to bring the restored mailbox database into a clean shutdown stat
Eseutil /r E00 /i /d
7. In the Exchange Management Shell, type the following command to mount the restored mailbo
Mount-Database RecoveryDB
8. In the Exchange Management Shell, type the following command to list all mailboxes available
Get-MailboxStatistics -Database RecoveryDB
9. At the Exchange Management Shell prompt, type the following command, and press Enter.
New-MailboxRestoreRequest -SourceDatabase RecoveryDB -SourceStoreMailbox Tony Smi
-TargetMailbox tony@adatum.com -SkipMerging StorageProviderForSource
10. At the Exchange Management Shell prompt, type the following command, and press Enter. Thi
Get-MailboxRestoreRequest
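The recovery database procedure above (both the general steps and this demonstration) as one added Exchange Management Shell script, which is not part of the course: it checks the restored database header with eseutil /mh and only runs soft recovery when the state is Dirty Shutdown, creates and mounts the recovery database, resolves the source mailbox to its GUID so a duplicate display name cannot select the wrong mailbox, and polls the restore request until it finishes. The restore folder is a placeholder; the user names, address and server name are constructed for the example.

```powershell
# Added example (not from the course). Run in the Exchange Management Shell on the
# Mailbox server. <restore-guid> is a placeholder for the folder Windows Server
# Backup created; names and addresses below are constructed sample values.
param(
    [string]$DbFolder   = 'C:\Restore\<restore-guid>\C_\Program Files\Microsoft\Exchange Server\V15\Mailbox\Mailbox Database 1808842331',
    [string]$EdbName    = 'Mailbox Database 1808842331.edb',
    [string]$LogPrefix  = 'E00',
    [string]$RecoveryDb = 'RecoveryDB',
    [string]$Server     = 'LON-MBX1',
    [string]$SourceUser = 'Mark Bebbington',
    [string]$TargetUser = 'mark@adatum.com'
)

function Get-EdbState {
    # eseutil /mh dumps the database header; its "State:" line reads
    # "Clean Shutdown" or "Dirty Shutdown".
    param([string]$EdbPath)
    $line = & eseutil /mh "$EdbPath" | Where-Object { $_ -match '^\s*State:' } | Select-Object -First 1
    if (-not $line) { return 'Unknown' }
    return ($line -replace '^\s*State:\s*', '').Trim()
}

function Set-CleanShutdown {
    # Replays the restored log files into the database (soft recovery) only when
    # the header still says Dirty Shutdown. /l = log folder, /d = database folder,
    # /i = ignore databases referenced by the logs that are not present.
    param([string]$Folder, [string]$Edb, [string]$Prefix)
    $edbPath = Join-Path $Folder $Edb
    if ((Get-EdbState $edbPath) -eq 'Clean Shutdown') { return $true }
    & eseutil /r $Prefix /l "$Folder" /d "$Folder" /i | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "eseutil /r failed with exit code $LASTEXITCODE" }
    return ((Get-EdbState $edbPath) -eq 'Clean Shutdown')
}

$edbPath = Join-Path $DbFolder $EdbName
if (-not (Test-Path $edbPath)) { throw "Restored database not found: $edbPath" }
if (-not (Set-CleanShutdown -Folder $DbFolder -Edb $EdbName -Prefix $LogPrefix)) {
    throw 'Database is still in Dirty Shutdown; verify that all log files were restored.'
}

# Create the recovery database in place over the restored files, then restart the
# Information Store as the demonstration does so that the new database is picked up.
if (-not (Get-MailboxDatabase -Identity $RecoveryDb -ErrorAction SilentlyContinue)) {
    New-MailboxDatabase -Recovery -Name $RecoveryDb -Server $Server `
        -EdbFilePath $edbPath -LogFolderPath $DbFolder | Out-Null
    Restart-Service MSExchangeIS
}
Mount-Database -Identity $RecoveryDb

# Resolve the source mailbox by display name, insist on exactly one match, and
# restore by GUID rather than by name.
$found = @(Get-MailboxStatistics -Database $RecoveryDb | Where-Object { $_.DisplayName -eq $SourceUser })
if ($found.Count -ne 1) {
    throw "Expected one mailbox named '$SourceUser' in $RecoveryDb, found $($found.Count)"
}
$request = New-MailboxRestoreRequest -SourceDatabase $RecoveryDb -SourceStoreMailbox $found[0].MailboxGuid `
    -TargetMailbox $TargetUser -SkipMerging StorageProviderForSource

# Poll until the request leaves the Queued / InProgress states.
do {
    Start-Sleep -Seconds 15
    $status = (Get-MailboxRestoreRequest -Identity $request.Identity).Status
    Write-Host "Restore request $($request.Identity): $status"
} while ($status -eq 'Queued' -or $status -eq 'InProgress')

# Drop the recovery database once the data is back; the files on disk are kept.
if ($status -eq 'Completed') {
    Dismount-Database -Identity $RecoveryDb -Confirm:$false
    Remove-MailboxDatabase -Identity $RecoveryDb -Confirm:$false
}
```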
What Is Dial-Tone Recovery?
Dial-tone recovery is a process in which the email service is recovered first for the users by creating a new mailbox database, called the dial-tone database. Recovering the mailbox data occurs in a later step. With dial-tone recovery, users can send and receive email very quickly after a server or database loss. Users can send and receive email messages, but they do not have access to their mailbox data. After recovering the mailbox database, you can merge the content of the recovered mailbox database into the dial-tone database.
Using Dial-Tone Recovery
Use the dial-tone recovery method when it is critical for users to regain messaging functionality quickly after a mailbox server or database fails, and when you must restore historical data from a backup as quickly as possible. The loss may result from a hardware failure or database corruption. If the server fails, it will take a considerable period of time to rebuild the server and restore the databases. If a large database fails, it may take several hours to restore the database from a backup.
If the original mailbox server remains functional, or if you have an alternative mailbox server available, you can restore messaging functionality within minutes by using dial-tone recovery. This enables continued email use while you recover the failed server or database.
Process for Implementing Dial-Tone Recovery
There are several dial-tone recovery scenarios, but all follow the same general steps.
Implementing Dial-Tone Recovery
Follow these general steps to implement dial-tone recovery:
1. Create the dial-tone database. For messaging client computers to regain functionality as quickly as possible, create
tone database:
o Create the dial-tone database on the same server as the failed database. Use this method if the
o Create the dial-tone database on a different server than the failed database. Use this method to
2. Configure the mailboxes that were on the failed database to use the new dial-tone database.
3. Restore the database and log files that you want to recover into the Recovery Database.
4. Swap the dial-tone database with the database that you recovered in the previous step.
5. Export and import the content from the dial-tone database into the recovered original database.
Note: You do not need to reconfigure the Outlook profiles with Autodiscover in place, because co
Lab: Implementing Disaster Recovery for Exchange Server 2013
Scenario
You are a messaging administrator for A. Datum Corporation. Your organization has deployed Exchange Server 2013. You now want to ensure that all Exchange server-related data is backed up and that you can restore not only the full server or database, but also a mailbox or mailbox folder.
Objectives
After this lab, you will be able to:
Back up Exchange Server 2013.
Restore Exchange server data.
Lab Setup
Estimated Time: 75 minutes
Virtual machines: 20341B
20341B
20341B
User name: Adatum\
Password: Pa$$w0r
For this lab, you will use the available virtual-machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Mana
2. In Hyper-V Manager, click 20341B-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
5. Repeat steps 2 to 4 for 20341B-LON-MBX1, and 20341B-LON-CAS1.
Exercise 1: Backing Up Exchange 2013
Scenario
You create a backup of your Exchange Server 2013 mailbox database to ensure that you can restore it when necessary.
The main tasks for this exercise are as follows:
1. Populate a mailbox with Outlook Web App
2. Install Windows Server Backup
3. Perform a backup of a mailbox database using Windows Server Backup
4. Delete message in mailbox
Task 1: Populate a mailbox with Outlook Web App
1. On LON-CAS1, open Internet Explorer. Type https://lon-cas1.Adatum.com/owa.
2. Sign in as Adatum\michael with the password Pa$$w0rd.
3. Send a new mail message to Mark Bebbington with the subject Message before backup, and th
4. Sign in again as Adatum\mark with the password Pa$$w0rd, and check that the message has
5. Sign out from Outlook Web App, and close Internet Explorer.
6. From the Start screen, open the Exchange Management Shell, and use the following command
Get-Mailbox mark@ADatum.com | fl name,database,guid
Task 2: Install Windows Server Backup
1. On LON-MBX1, use the Server Manager to install the Windows Server Backup feature.
Task 3: Perform a backup of a mailbox database using Windows Server Backup
1. On LON-CAS1, open File Explorer and create a folder named Backup on drive C:\. Share this
2. On LON-MBX1, start Windows Server Backup and perform a full server backup.
3. As the location of the backup, select the shared folder \\LON-CAS1\Backup, and select Do no
4. Use the account Administrator with the password Pa$$w0rd as credentials.
5. Close Windows Server Backup when the backup is finished successfully. It may take 10 to 15 m
Task 4: Delete message in mailbox
1. On LON-CAS1, open Internet Explorer. Type https://lon-cas1.ADatum.com/owa.
2. Sign in as Adatum\Mark with the password Pa$$w0rd.
3. Delete the message received from Michael.
4. Empty the Deleted Items folder, and then from the Deleted Items folder, purge the message fro
5. Sign out from Outlook Web App.
Results: After completing this exercise, you have successfully backed up the mailbox databases.
Exercise 2: Restoring Exchange Server 2013 Data
Scenario
Some of your users complain that they are missing messages from their mailboxes. You now need to use the backup you created to recover their messages.
The main tasks for this exercise are as follows:
1. Restore the database using Windows Server Backup
2. Create a recovery database with the Exchange Management Shell
3. Recover the mailbox from the recovery database
Task 1: Restore the database using Windows Server Backup
1. On LON-MBX1, open File Explorer and create a folder named C:\Restore.
2. Open Windows Server Backup, and restore the backup located at \\LON-CAS1\Backup to the
Task 2: Create a recovery database with the Exchange Management Shell
1. On server LON-MBX1, create a recovery database with the Exchange Management Shell by us
2. Restart the Microsoft Exchange Information Store service.
3. In the Exchange Management Shell, change to the folder that contains the recovered database.
4. Use the eseutil command to set the mailbox database to a clean shutdown state.
5. Mount the restored database.
6. Get all mailboxes located on that recovered mailbox database. Verify that Mark Bebbington is l
Task 3: Recover the mailbox from the recovery database
1. On server LON-MBX1, recover Mark Bebbington's mailbox by using the MailboxRestoreRequ
2. On LON-CAS1, open Outlook Web App and verify the recovered mailbox and the items in it.
Results: After completing this exercise, you will have successfully restored the missing items back into the users' mailboxes.
Exercise 3: Exchange Server 2013 Disaster Recovery (Optional)
Scenario
After a hard-disk malfunction, the Exchange Server 2013 Client Access server LON-CAS2 is no longer operational. You have to restore the server with the /RecoverServer mode in the setup.
The main tasks for this exercise are as follows:
1. Installing Exchange Server 2013 in Recover Server mode
2. To prepare for the next module
Task 1: Installing Exchange Server 2013 in Recover Server mode
1. On LON-DC1, reset the computer account of LON-CAS2 by using Active Directory Users an
2. Start 20341B-LON-SVR1 and sign in as Administrator using the password Pa$$w0rd.
3. Change the IP address for the computer to 172.16.0.21, and the DNS address to 172.16.0.10.
4. Rename LON-SVR1 to LON-CAS2 and join the server to the Adatum domain.
5. In Hyper-V Manager, open the 20341B-LON-SVR1 settings, and attach the Exchange iso from
6. On LON-CAS2, install Exchange Server 2013 with the RecoverServer switch.
Task 2: To prepare for the next module
When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20341B-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 to 3 for 20341B-LON-CAS1, 20341B-LON-SVR1, and 20341B-LON-MBX1.
5. In Hyper-V Manager, click 20341B-LON-DC1, and in the Actions pane, click Start.
6. In the Actions pane, click Connect. Wait until the virtual machine starts.
7. Sign in using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
8. Repeat steps 5 to 7 for 20341B-LON-MBX1. When you have successfully signed in to LON-MBX
Results: After completing this exercise, you will have successfully recovered LON-CAS2.
Question: Which feature do you need before you can run a local backup on an Exchange Server 2013 with the Mailbox role installed?
Question: Which tool do you need to create a Recovery Database in Exchange Server 2013?
Module Review and Takeaways
Best Practice
Supplement or modify the following best practices for your own work situations:
Whenever possible, use a DAG to protect mailbox databases. DAG recovery is faster and easier th
When you lose a database, use a dial-tone database to quickly recover basic messaging functional
Use a recovery database to retrieve specific items from a backup.
Allocate disk space for a recovery database when you are designing server storage.
Use single-item recovery to prevent users from purging messages before the messages reach the it
Review Question(s)
Question: What are possible data-loss scenarios?
Question: What steps are required in the process of recovering data using the Recovery Database?
Question: Which cmdlet do you use to repair database corruption?
Question: Which options do you have to recover mailbox data?
Tools
Exchange Administration Center
Exchange Management Shell
Windows Server Backup
Module 8: Planning and Configuring Message Transport
Contents:
Module Overview
Lesson 1: Overview of Message Transport and Routing
Lesson 2: Planning and Configuring Message Transport
Lesson 3: Managing Transport Rules
Lab: Planning and Configuring Message Transport
Module Review and Takeaways
Module Overview
You must consider many factors when you implement message transport in Microsoft Exchange Server 2013. First, you must understand the components of message transport and how Exchange Server 2013 routes messages. You must understand how to troubleshoot message transport issues. Finally, it is important that you know how to configure and apply transport rules.
This module describes planning and configuring message transport in an Exchange Server 2013 organization.
Objectives
After completing this module, you will be able to:
Describe message transport in Exchange Server 2013.
Plan and configure message transport.
Manage transport rules.
Lesson 1: Overview of Message Transport and Routing
In this lesson, you will review message flow and the components that message transport requires. To understand message flow, you should know how message routing works within an Exchange Server organization, and how Exchange Server routes messages between Active Directory Domain Services (AD DS) sites or outside the Exchange Server organization. Exchange Server 2013 provides several tools for troubleshooting Simple Mail Transfer Protocol (SMTP) message delivery, and this lesson describes how you can use these troubleshooting tools.
Lesson Objectives
After completing this lesson, you will be able to:
Describe message transport services.
Describe message transport components.
Describe message routing changes in Exchange Server 2013.
Describe routing destinations and delivery groups.
Describe routing in the Front End Transport service.
Describe routing in the Mailbox Transport service.
Describe how to modify default message flow.
Describe and use the tools for troubleshooting SMTP message delivery.
Describe transport agents.
Message Transport Services
In an Exchange Server 2013 organization, message transport is performed through the transport pipeline. The transport pipeline represents the set of connections, connectors, services, components, and queues that work together in order to provide appropriate message routing.
In Exchange Server 2007 and Exchange Server 2010, message routing was performed by the Hub Transport or Edge Transport server roles. In Exchange Server 2013, the functionality of these roles is distributed across the Client Access server, Mailbox server, and Edge server roles. Several services work on the Client Access server, Mailbox server, and Edge server to manage message routing for both internal and external messaging traffic.
The following services participate in message transport:
Front End Transport service. This service, which runs on the Client Access server, behaves as a sta
ernet, receives messages, and initiates SMTP connections for message sending. However, this servi
nally, this serviceonly communicates with the Hub Transport service that resides on the Mailbox Se
Transport service. This service is almost identical to the Hub Transport server role in Exchange Ser
zation and content inspection. The most important difference between this service and the Hub Tran
es messages between theFront End Transport service and the Mailbox Transport service. The Mailb
Mailbox Transport service. Like the Hub Transport service, the Mailbox Transport service also run
o Mailbox Transport Delivery. This service receives SMTP messages from the Hub Transport servic
o Mailbox Transport Submission. This service works in the opposite direction of the Mailbox Transport
o the Hub Transport service by using the SMTP protocol. Unlike the Hub Transport service, the M
Messages coming from the Internet enter the Exchange transport pipeline through a Receive connector on the Front End Transport service on a Client Access server. After that, messages are routed to the Hub Transport service on a Mailbox server.
Messages inside the organization come directly to the Hub Transport service on a Mailbox server, through the Receive connector, the Mailbox Transport service, or the agent submission.
Note: If you have an Edge Transport server deployed in your perimeter network, Internet mail flow occurs directly between the Hub Transport service on the Mailbox server and the Edge Transport server, without passing through Front End Transport on the Client Access server.
Message Transport Components
Within the transport services that are running on the Client Access server and Mailbox server, there are several components that play very important roles in message routing. The diagram on the slide image shows these components and the possible routing directions for messages in Exchange Server 2013, and the relationships between the components in the transport pipeline.
SMTP Receive
SMTP Receive works on the Front End Transport service, and also on the Hub and Mailbox Transport service. In each instance, it accepts SMTP traffic from various sources. The message content inspection is performed when a message is received by the Hub Transport service. In addition, transport rules are applied, and anti-spam and antimalware inspection is performed. The SMTP session includes a series of events that work together in a specific order to validate the contents of the message before it is accepted. After a message passes completely through SMTP Receive and is not rejected by receive events, or by an anti-spam and antimalware agent, it is placed in the Submission queue.
SMTP Send
SMTP Send also works in several places on both the Front End Transport service and the Hub Transport service. Message routing uses SMTP Send from the Hub Transport service and depends on the location of the message recipients relative to the Mailbox server where categorization occurred. The message can be routed to the following locations:
The Mailbox Transport service on the same Mailbox server.
The Mailbox Transport service on a different Mailbox server that is part of the same database ava
The Hub Transport service on a Mailbox server in a different DAG, AD DS site, or AD DS forest
The Front End Transport service on a Client Access server for delivery to the Internet.
Categorizer
All routing decisions are made during a process called message categorization. The categorizer is a component of the Hub Transport service that categorizes messages. The categorizer processes all messages, and decides what to do with each message based on its destination. It also retrieves messages from the Submission Queue, processes them, and delivers messages to the Delivery Queue.
Each of these processes is described as follows:
Identifies and verifies recipients. All messages must have a valid SMTP address to be identified.
Bifurcates messages that have multiple recipients. The expansion of distribution lists enables identi
(DSNs), and it determines whether Out-of-Office messages or automatically generated replies are s
Determines routing paths. When determining the routing path, the categorizer identifies the destinat
(NDR) is generated.
Converts content format. Recipients can require messages in different formats. The categorizer con
se Internet Mail Extensions (MIME) or Secure/Multipurpose Internet Mail Extensions (S/MIME) fo
Applies organizational message policies. You can use organizational policies to control messaging
Pickup and Replay Directories
Most messages enter the message transport pipeline through the SMTP Receive component, or by submission through the store driver. However, messages also can enter the message transport pipeline by being placed in the Pickup directory or Replay directory on a Mailbox server.
After a message is placed in the Pickup directory, the store driver adds the message to the submission queue. The store driver then deletes the message from the Pickup directory. Messages from the Pickup directory must be text files that comply with the basic SMTP message format and have configured read and write permissions.
The Pickup directory allows the Hub Transport service to process and deliver a properly formatted text file. This can be useful for validating mail flow in an organization, replaying specific messages, or returning recovered email to the message transport pipeline. In addition, some legacy applications may place messages directly into the Pickup directory for delivery, rather than communicate directly with Exchange Server SMTP Receive connectors.
This example shows a plain text message that uses acceptable formatting for the Pickup directory:
To: mary@contoso.com
From: bob@adatum.com
Subject: Message subject

This is the body of the message.
The Replay directory is used to resubmit exported Exchange messages and to receive messages from foreign gateway servers. These messages are already formatted for the Replay directory. There is little or no need for administrators or applications to compose and submit new message files by using the Replay directory. You can use the Pickup directory to create and submit new message files.
This example shows a plain text message that uses acceptable formatting for the Replay directory:
X-Receiver: <mary@contoso.com> NOTIFY=NEVER ORcpt=mary@contoso.com
X-Sender: <bob@adatum.com> BODY=7bit ENVID=12345AB auth=<someAuth>
Subject: Optional message subject

This is the body of the message.
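As an added example (not the course's own code), the following Exchange Management Shell function builds a message file in the Pickup directory format shown above and hands it to the transport service. It rejects header values containing line breaks, so a caller-supplied subject cannot inject extra headers, and it writes the file as .tmp and renames it to .eml so the transport service never picks up a half-written file. The example assumes Get-TransportService exposes PickupDirectoryPath and that the Pickup directory processes files with the .eml extension; the addresses are constructed sample values.

```powershell
# Added example (not from the course): submit a message through the Pickup directory.
# Assumes Get-TransportService.PickupDirectoryPath and .eml processing (Exchange 2013).
function Submit-PickupMessage {
    param(
        [Parameter(Mandatory=$true)][string]$From,
        [Parameter(Mandatory=$true)][string[]]$To,
        [Parameter(Mandatory=$true)][string]$Subject,
        [Parameter(Mandatory=$true)][string]$Body,
        [string]$Server = $env:COMPUTERNAME
    )
    # A CR or LF inside a header value would start a new header line in the file,
    # letting untrusted input add recipients or other headers. Refuse such values.
    foreach ($value in (@($From, $Subject) + $To)) {
        if ($value -match "[`r`n]") { throw "Header value contains a line break: '$value'" }
    }

    $pickup = (Get-TransportService -Identity $Server).PickupDirectoryPath
    if (-not $pickup) { throw "Pickup directory is not configured on $Server" }

    # Basic SMTP message format: header lines, one blank line, then the body, CRLF ends.
    $lines   = @("To: $($To -join ', ')", "From: $From", "Subject: $Subject", '', $Body)
    $content = ($lines -join "`r`n") + "`r`n"

    # Write under a .tmp name first; the transport service only reads .eml files, so
    # the rename makes the complete file visible in a single step.
    $name = [guid]::NewGuid().ToString('N')
    $tmp  = Join-Path $pickup "$name.tmp"
    [System.IO.File]::WriteAllText($tmp, $content, [System.Text.Encoding]::ASCII)
    Rename-Item -Path $tmp -NewName "$name.eml"
    return (Join-Path $pickup "$name.eml")
}

# Sample call using the constructed addresses from the message above.
Submit-PickupMessage -From 'bob@adatum.com' -To 'mary@contoso.com' `
    -Subject 'Message subject' -Body 'This is the body of the message.'
```

The file is written as ASCII to stay within the plain-text format the directory expects; non-ASCII body text would need MIME encoding, which this example does not add.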
Store Driver
The store driver is a software component that is present within the Mailbox Transport service in both the Mailbox Transport Submission and the Mailbox Transport Delivery components. The Store Driver Submit retrieves messages from the sender's outbox, and then submits them to the Hub selector component. It also uses RPC to deliver received messages to the user's mailbox.
After the store driver adds the messages successfully to the submission queue, it moves the message from the sender's Outbox to the sender's Sent Items folder.
Messages in the Outbox are stored in the Messaging Application Programming Interface (MAPI) format. The store driver must convert them to Summary Transport Neutral Encapsulation Format (STNEF) before placing them in the submission queue. The store driver performs this conversion to ensure successful delivery of the messages, regardless of the format that created the messages. A Transport Neutral Encapsulation Format (TNEF) encoded message contains a plain text version of the message, and a binary attachment that contains various other parts of the original message.
Some Microsoft Outlook features require that TNEF encoding be understood correctly by an Internet email recipient who also uses Outlook. For example, when you send a message with voting buttons to a recipient over the Internet, if TNEF is not enabled for that recipient, the voting buttons will not be received. If the store driver cannot convert the content, it generates a non-delivery report (NDR).
Submission Queue
When the Microsoft Exchange Transport service starts, the categorizer creates one submission queue within each Hub Transport service. The submission queue stores all messages on a disk until the categorizer processes them for delivery. The categorizer cannot process a message until the transport server promotes it to the submission queue. During the time that the categorizer processes a message, a copy of the message remains in the submission queue. After successful processing, the message is removed from both the categorizer and the submission queue.
Messages can enter the submission queue in the following ways:
Messages received by an SMTP Receive connector. This is used for inbound messages from the In
(POP3) or Internet Message Access Protocolversion 4 (IMAP4).
Messages placed in the Pickup or Replay directories. This method is used for troubleshooting and
Messages submitted by a transport agent, such as a non-Microsoft connector, to a foreign messagi
Messages submitted by the store driver. This method is used to retrieve messages from the sender
Messages resubmitted after failed delivery. The categorizer resubmits messages that are not delive
Delivery Queue
Delivery queues contain messages that the Exchange Server has not delivered. Messages that are in the Delivery Queue are sent to the SMTP Send component and, depending on their intended delivery route, they can be forwarded to another Mailbox server or to the SMTP Receive component on the same Mailbox server.
Below is a diagram of message transport components and services in the Exchange Server 2013 infrastructure.
Message-Routing Changes in Exchange Server 2013
Exchange Server 2013 provides enhanced message routing compared to previous Exchange Server versions. In Exchange Server 2013, message routing is integrated with the Client Access server and the Mailbox Server role, and also is functionally different.
Some of the most important enhancements and changes in message routing include:
Routing in Exchange Server 2013 now uses DAGs as a routing boundary. Because each Mailbox Se
more efficient to use the DAG as a routing boundary than as an AD DS site topology. However, if D
routing boundary. The same concept is applied to routing interoperability in previous versions of Ex
The transport service on the Mailbox server role consists of two main services, the Hub Transport s
nsport components that directly interact with the mailbox database. RPC is used by the Store Driver
cate locally with the active copies of the mailbox databases. This means that RPC is never used for c
y using SMTP protocol.
Exchange Server 2013 uses more precise queuing for remote destinations than previous Exchange v
s individual send connectors.
In Exchange Server 2013, linked connectors are deprecated. In previous Exchange versions, a linke
Routing Destinations and Delivery Groups
Each message that is sent has a source and a destination. The final destination for each message in an Exchange Server 2013 organization is called a routing destination. There are several types of routing destinations, including:

Mailbox Database. When a message is sent to a user with a mailbox on the Mailbox server in an Ex
Connector. A connector is used as a routing destination when it is configured as a send connector fo
Distribution group expansion server. If a distribution group has a dedicated expansion server, then t
Delivery Groups
Delivery groups represent the collection of transport servers that are responsible for delivering messages to a specific routing destination. Each routing destination has its own delivery group. Transport servers in a delivery group can be Exchange Server 2013 Mailbox servers or Exchange Server 2010 Hub Transport servers.
In scenarios where the routing destination is a mailbox database, the transport servers in the delivery group are always the same version of Exchange Server as the mailbox database. Where the routing destination is a connector or a distribution group expansion server, the transport servers can be Exchange Server 2013 Mailbox servers or Exchange Server 2010 Hub Transport servers.
The message routing path depends on the relationship between the source transport server and the delivery group. When the source transport server is in the destination delivery group, the routing destination is the next hop for the message. Otherwise, the message is relayed along the least-cost routing path toward the destination delivery group. Depending on the delivery group type, the message can be relayed through other transport servers along that path, or relayed directly to a transport server in the destination delivery group. From there, the message is delivered to the connector or to the mailbox database.
When a distribution group expansion server is the routing destination, the distribution group is already expanded by the time messages reach the routing stage of categorization on the distribution group expansion server. Therefore, the routing destination from the distribution group expansion server is always a mailbox database or a connector.
There are several types of delivery groups in Exchange Server 2013, including:
Routable DAG. This represents the set of Exchange Server 2013 servers that are members of the sam
o the Mailbox Transport service on the Mailbox server that currently holds the active copy of the de
Mailbox delivery group. This represents the set of Exchange servers that are running the same versi
2010 Hub Transport servers located in the AD DS site. The mailbox databases located on Exchange
(those that do not belong to a DAG) are serviced by the Hub Transport service on Exchange Server
er 2013, then the Hub Transport service transfers the message to the Mailbox Transport service by S
Hub Transport uses RPC to write the message to the mailbox database.
Connector source servers. The connector source servers represent a mixed set of Exchange Server 2
different AD DS site. The connector is the routing destination. When a connector is scoped to a spe
AD DS site. When the AD DS site is not the final destination for a message, but the message must p
e specific site, and other sites cannot access it directly.
Server list. The server list represents the collection of one or more Exchange Server 2010 Hub Tran
iced by this delivery group.
Delivery group membership for a server is not exclusive. For example, an Exchange Server 2013 Mailbox server that belongs to a DAG also can be the source server of a scoped Send connector. That Mailbox server belongs to the routable DAG delivery group for the mailbox databases in the DAG, and it is also a connector source server in the delivery group for the scoped Send connector.
Mail Flow in Exchange Server 2013
To better understand how mail flow works in Exchange Server 2013, follow the steps below. They show internal mail flow when a user on Mailbox Server 1 sends a message to a user on Mailbox Server 2 within the same Exchange organization.

1. When the user sends the message from the Outlook client, the Mailbox Transport Submission service uses the Store Driver to connect to the m
2. After the message recipient is received to its mailbox database, the Mailbox Transport Submission
server. It is important to note that in this case the email is not passed to the Transport service on th
n is routable to DAG, message will be directly passed from Mailbox Transport service on senders
3. The Transport service on the recipient's Mailbox server receives the email sent over SMTP from th
spam/antimalware inspection is performed (if enabled). If the message passes all inspections, it is p
4. The Categorizer picks up the email from the Submission queue, processes it, and puts it into a delive
5. The email is then sent by using SMTP from the Transport service to the Mailbox Transport Delive
6. The email is received over SMTP by the Mailbox Transport Delivery service from the Transport se
7. The Mailbox Transport Delivery service uses the Store Driver to connect to the mailbox database u
[Diagram: mail flow in Exchange Server 2013. Image not available.]
Routing in the Front End Transport Service
The Front End Transport service runs on each Client Access server. It acts as a stateless proxy for all incoming and (optionally) outgoing external SMTP traffic for the Exchange 2013 organization. The Front End Transport service does not inspect message content, does not communicate with the Mailbox Transport service on Mailbox servers, and does not queue any messages locally.

The Hub Transport service on the Mailbox server uses a Send connector to communicate with the Front End Transport service. If the FrontendProxyEnabled parameter is set to $true on that Send connector (when you create it, or later with Set-SendConnector), all outgoing messages are proxied through the Front End Transport service on a Client Access server. In this case, when a message is sent to the Internet, the Client Access server is the component that actually opens the connection to the destination SMTP server, which lets you keep the Mailbox servers off the Internet-facing network path.
When a message arrives from the Internet, the Front End Transport service accepts the SMTP connection, and then tries to find an available Hub Transport service on a Mailbox server to receive the message. Because the Front End Transport service cannot queue messages itself, if it does not find an available Hub Transport service, external senders will perceive the email service as unavailable.
The Front End Transport service builds its routing tables based on information from AD DS, and it uses delivery groups to determine how to route messages. However, the Front End Transport service is never considered a member of a delivery group, even when the Mailbox server and the Client Access server are installed on the same physical server. As a result, the Front End Transport service communicates only with the Hub Transport service. In addition, its routing tables do not contain Send connector routes; instead, they contain a special list of Mailbox servers in the local AD DS site.
The Front End Transport routing service always resolves message recipients to the appropriate mailbox databases. The list of Mailbox servers that the Front End Transport service uses is based on the mailbox databases of the message recipients. However, it is possible that none of the recipients have mailboxes. For example, when the recipient is a distribution group or a mail user, a random Mailbox server in the local AD DS site is selected for delivery.
The Front End Transport service searches for the appropriate delivery group for each mailbox database, and then tries to find the associated routing information. The following is a list of delivery groups that the Front End Transport service can use:
Routable DAG.
Mailbox delivery group.
AD DS site.
When the front-end server accepts the message, it looks up the number and type of recipients and then performs one of the following:
If the message has a single recipient with a mailbox, the Front End Transport service selects a Mail
of the AD DS site.
If the message has multiple mailbox recipients, the Front End Transport service uses the first 20 recipients to select a Mailbox server in the closest delivery group.
Routing in the Mailbox Transport Service
The Mailbox Transport service, which runs on every Mailbox server in an Exchange Server 2013 organization, consists of two services: the Mailbox Transport Submission service and the Mailbox Transport Delivery service. The Mailbox Transport service is stateless, and does not queue any messages locally.

Similar to the Hub Transport service, the Mailbox Transport service builds its routing table based on information from AD DS. The Mailbox Transport service also uses delivery groups for message routing.
The Mailbox Transport service always belongs to the same delivery group as its Mailbox server, and that group is called the local delivery group. Even so, it does not automatically send messages to the Hub Transport service in its local delivery group. The Mailbox Transport service communicates only with the Hub Transport service on Mailbox servers and with the mailbox databases on the local Mailbox server. It never communicates with mailbox databases on other Mailbox servers.
When a message is sent from the user's mailbox, the Transport Submission component in the Mailbox Transport service resolves the message recipient to the appropriate mailbox database, and then looks for the routing information for each mailbox database.
The delivery groups used by the Mailbox Transport Submission service are:
Routable DAG.
Mailbox delivery group.
AD DS site.
Depending on the number and the type of message recipients, the Mailbox Transport Submission service performs one of the following actions:
If the message has a single recipient with a mailbox, the Mailbox Transport service selects a Mailbo
DS site.
If the message has multiple mailbox recipients, the Mailbox Transport service uses the first 20 recip
If there are no mailbox recipients in the message, the Mailbox Transport service selects a Mailbox s
The Mailbox Transport service communicates with the Hub Transport service. When a message is sent from the Hub Transport service to the Mailbox Transport Delivery service, it can be accepted or rejected for delivery to the local mailbox database. The message is accepted for delivery if the recipient's mailbox resides in an active copy of a local mailbox database. If it does not, the Mailbox Transport Delivery service returns a non-delivery response to the Hub Transport service.
A non-delivery response typically occurs when the active copy of a mailbox database has moved to another Mailbox server, but the Hub Transport service does not yet have the updated information. The non-delivery response is an SMTP rejection of the delivery attempt, not an NDR message: it tells the Hub Transport service whether to retry delivery, generate an NDR, or reroute the message.
Modifying the Default Message Flow
When a message is delivered to a remote delivery group, a routing path must be determined for that message. The routing path is calculated as the least-cost routing path, by adding the costs of the IP site links that must be traversed to reach the destination. If the destination is a connector, the cost assigned to the address space is added to the cost to reach the selected connector. If multiple routing paths are possible, the routing path with the lowest aggregate cost is used.

In Exchange Server 2010, the message recipient was bound to one specific AD DS site, so only one least-cost route from source to destination existed. However, in Exchange Server 2013, a delivery group can span multiple AD DS sites, which means that multiple least-cost routing paths can exist to those AD DS sites. As a result, Exchange Server 2013 designates a single AD DS site in the destination delivery group as the primary site.
In some cases, you may want to modify the default message-routing configuration. You can do this by configuring specific AD DS sites as hub sites, and by assigning Exchange Server-specific routing costs to AD DS site links. Hub sites are central sites that you define to route messages.
By default, the Hub Transport service in one site will try to deliver messages to a recipient in another site by establishing a direct connection to a Hub Transport service in the remote AD DS site. However, you can modify the default message-routing topology in three ways: by configuring hub sites, by configuring Exchange-specific routing costs, and by configuring expansion servers for distribution groups.
Configuring Hub Sites
You can configure one or more AD DS sites in your organization as hub sites. When a hub site exists along the least-cost routing path between two Mailbox servers, messages are routed to a Mailbox server in the hub site for processing before they are relayed to the destination server.
The Hub Transport service routes a message through a hub site only if it exists along the least-cost routing path. The originating Mailbox server always calculates the lowest-cost route first, and then checks if any of the sites on the route are hub sites. If the lowest-cost route does not include a hub site, the Hub Transport service will attempt a direct connection.
Use the following cmdlet to configure a site as a hub site:
Set-AdSite -Identity <sitename> -HubSiteEnabled $true
Use the following cmdlet to check whether you have configured a hub site:
Get-AdSite | Format-List Name,HubSiteEnabled
Configuring Exchange-Specific Routing Costs
You also can modify the default message-routing topology by assigning an Exchange-specific cost to an Active Directory IP site link. If you assign an Exchange-specific cost to the site link, the Hub Transport service determines the least-cost routing path by using this attribute rather than the Active Directory-assigned cost, unless the Mailbox server is a member of a DAG.
Use the following cmdlet to assign an Exchange-specific routing cost to an Active Directory IP site link:
Set-AdSiteLink -Identity <sitelinkname> -ExchangeCost <value>
You also can set a maximum message size for messages sent across an AD DS site link by using the following cmdlet:
Set-AdSiteLink -Identity <sitelinkname> -MaxMessageSize <value>
To check whether you configured the Exchange cost properly, run the following cmdlet (Get-AdSite shows hub sites, not site-link costs):
Get-AdSiteLink | Format-List Name,ADCost,ExchangeCost,MaxMessageSize
Configuring Expansion Servers for Distribution Groups
You also can modify the default routing topology by assigning expansion servers for distribution groups. By default, when a message is sent to a distribution group, the first Hub Transport service that receives the message expands the distribution list and calculates how to route the messages to each recipient in the list. If you configure an expansion server for the distribution list, all messages sent to the distribution list are sent to the specified Hub Transport server, which then expands the list and distributes the messages. For example, you can use expansion servers for location-based distribution groups to ensure that the local Hub Transport service resolves them.
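The three routing changes above, carried out in the Exchange Management Shell, as an added example that is not part of the course text. The site, site-link, distribution group and server names are assumed; substitute your own.

```powershell
# Added example: hub site, Exchange-specific site-link cost, and a dedicated expansion server.
# All names below are assumed.
$hubSite   = 'LON-Site'
$siteLink  = 'LON-NYC-Link'
$group     = 'LON-AllStaff'
$expansion = 'LON-MBX1'

# Look at the effective costs first: a hub site is only honoured if it lies on the
# least-cost path, so know the path before you mark a site as a hub.
Get-AdSiteLink | Format-Table Name, ADCost, ExchangeCost, Cost, MaxMessageSize -AutoSize

# 1. Hub site.
Set-AdSite -Identity $hubSite -HubSiteEnabled $true

# 2. Exchange-specific cost (overrides the AD DS cost for routing only) and a per-link size cap.
#    ExchangeCost of $null means the AD DS cost is still in use.
Set-AdSiteLink -Identity $siteLink -ExchangeCost 20 -MaxMessageSize 20MB

# 3. Dedicated expansion server for a location-based distribution group.
Set-DistributionGroup -Identity $group -ExpansionServer $expansion

# Verify each setting with its own Get-* cmdlet; Get-AdSite alone does not show site-link costs.
Get-AdSite | Format-Table Name, HubSiteEnabled -AutoSize
Get-AdSiteLink -Identity $siteLink | Format-List Name, ADCost, ExchangeCost, Cost, MaxMessageSize
Get-DistributionGroup -Identity $group | Format-List Name, ExpansionServer

# Rollback, kept commented: back to AD DS costs, no hub site, no fixed expansion server.
# Set-AdSiteLink -Identity $siteLink -ExchangeCost $null -MaxMessageSize Unlimited
# Set-AdSite -Identity $hubSite -HubSiteEnabled $false
# Set-DistributionGroup -Identity $group -ExpansionServer $null
```

Changes to site-link costs are stored in AD DS, so allow for replication before expecting every Mailbox server to compute the new least-cost path.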
Note: You might need to review the AD DS site design when you deploy Exchange Server 2013, and adjust the IP site links and site-link costs, so that Exchange's delayed fan-out and queue-at-point-of-failure behavior works as intended.
Tools for Troubleshooting SMTP Message Delivery
Exchange Server 2013 provides several tools for troubleshooting SMTP message delivery.

Note: Exchange Server 2013 relies on the AD DS site configuration for message routing. Therefore, to troubleshoot a message-routing issue, you might need to use AD DS tools to validate or modify the site, site link, or IP subnet information, and to verify AD DS replication. You can use the Active Directory Sites and Services tool to view IP subnets and site links.
Using the Queue Viewer
Messages waiting to be processed or delivered in Exchange Server 2013 reside in message queues on the Exchange Server Mailbox servers. All of the message queues provide a useful diagnostic tool to locate and identify messages that have not been delivered. To manage queues, you can use either the Exchange Queue Viewer or the Exchange Management Shell. Exchange Server 2013 features simplified queues. The Hub Transport service maintains the following queues:
Submission queue. The submission queue contains messages that the Categorizer is processing.
Remote delivery queue. There is one queue for each outbound SMTP domain to which the Hub Tr
Poison message queue. The poison message queue contains messages that could cause the server
Mailbox delivery queue. There is one queue for each Mailbox server to which the Hub Transport s
Unreachable queue. The unreachable queue contains messages that the Hub Transport service can
You can view the queues on a Mailbox server by accessing the Exchange Queue Viewer in the Toolbox.
To manage message queues from the Exchange Management Shell, use the following cmdlets:
Get-Queue
Get-Message
In addition, from the Exchange Management Shell, you can perform the following tas
ks on queues and messages in queues:
Suspend-Queue and Resume-Queue
Retry-Queue
Suspend-Message and Resume-Message
Remove-Message
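The queue cmdlets above, combined into a triage routine for one Mailbox server, as an added example (not from the course text). The server name, the Unreachable queue identity, the partner domain and the suspect address are assumed.

```powershell
# Added example: queue triage on one Mailbox server. Server, queue and address names are assumed.
$server = 'LON-MBX1'

# Anything that is not Ready or Active deserves a look. LastError carries the SMTP reply
# from the next hop, which usually names the cause (DNS, TLS, relay denied, 4xx from the peer).
Get-Queue -Server $server -Filter "Status -ne 'Ready' -and Status -ne 'Active'" |
    Format-Table Identity, DeliveryType, Status, MessageCount, NextHopDomain, LastError -AutoSize

# Messages in one queue (the Unreachable queue here), with the recipients they could not reach.
Get-Message -Queue "$server\Unreachable" -IncludeRecipientInfo |
    Format-Table FromAddress, Subject, Status, LastError,
        @{ n = 'Recipients'; e = { $_.Recipients -join ';' } } -AutoSize

# Security check: one sender flooding the submission or remote delivery queues is the usual
# symptom of a compromised mailbox or an abused relay. Rank senders by queued message count.
Get-Message -Server $server -ResultSize Unlimited |
    Group-Object FromAddress | Sort-Object Count -Descending |
    Select-Object -First 5 Count, Name

# Contain first, investigate second: freeze that sender's queued mail instead of deleting it.
$suspect = 'alerts@adatum.com'    # assumed address surfaced by the ranking above
Suspend-Message -Server $server -Filter "FromAddress -eq '$suspect'" -Confirm:$false

# A remote delivery queue still in Retry after the smart-host or DNS problem is fixed:
# force an immediate retry instead of waiting for the next scheduled attempt.
Retry-Queue -Server $server -Filter "NextHopDomain -eq 'contoso.com' -and Status -eq 'Retry'"

# Once the account is secured, either release or drop the frozen messages (no NDR here).
# Resume-Message -Server $server -Filter "FromAddress -eq '$suspect'"
# Remove-Message -Server $server -Filter "FromAddress -eq '$suspect'" -WithNDR $false -Confirm:$false
```

Filters are passed as strings so that the variable is expanded before the filter reaches the server; a script-block filter would send the literal variable name over the remote PowerShell session.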
Message Tracking
You can also use message tracking to troubleshoot message flow. By default, message tracking is enabled on Mailbox servers. The message-tracking logs are retained for 30 days, with a maximum size for all log files of 250 megabytes (MB). You can use the Set-TransportServer cmdlet (Set-TransportService in Exchange Server 2013) in the Exchange Management Shell to modify the default settings. To explore the tracking logs, use the Get-MessageTrackingLog cmdlet.
In Exchange Server 2013, you use delivery reports in the Exchange Administration Center (EAC) to perform message tracking. Delivery reports do not provide the level of detail that the tracking logs provide. For example, when you send a message between two Exchange servers that are in the same AD DS site, the Exchange server names do not appear in delivery reports, whereas the tracking logs do provide this information.
Using Protocol Logging
Protocol logging can be configured to provide detailed information for troubleshooting message flow. Protocol logging is enabled per connector, in the properties of the SMTP Send connector or SMTP Receive connector. In Exchange Server 2013, the log files are stored per transport service under the Exchange installation folder: TransportRoles\Logs\Hub\ProtocolLog for the Transport service on Mailbox servers, and TransportRoles\Logs\FrontEnd\ProtocolLog for the Front End Transport service on Client Access servers.
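Message tracking and protocol logging put to work together, as an added example that is not part of the course text. It extends retention, traces one sender, turns on verbose logging where mail enters and leaves, and then parses the Front End SmtpReceive protocol log for repeated failed SMTP AUTH attempts. Server names, the Send connector name, the sender address and the threshold are assumed; the parsing function assumes it runs on the Client Access server that owns the log folder.

```powershell
# Added example: tracking-log retention, a sender trace, verbose protocol logging, and
# a parser for failed SMTP AUTH attempts. Names and addresses are assumed.
$server = 'LON-MBX1'
$cas    = 'LON-CAS1'

# Extend retention before an investigation needs it (Set-TransportServer is the older name).
Set-TransportService -Identity $server -MessageTrackingLogMaxAge 60.00:00:00 -MessageTrackingLogMaxDirectorySize 2GB

# Trace one sender for the last day. EventId (RECEIVE/SEND/DELIVER/FAIL) and Source show which
# component handled the message and where it stopped; ServerHostname names the server involved.
Get-MessageTrackingLog -Server $server -Start (Get-Date).AddDays(-1) -Sender 'administrator@adatum.com' -ResultSize Unlimited |
    Sort-Object Timestamp |
    Format-Table Timestamp, EventId, Source, ServerHostname, ClientIp, MessageSubject,
        @{ n = 'Recipients'; e = { $_.Recipients -join ';' } } -AutoSize

# Verbose protocol logging where traffic enters (Front End connector) and leaves (Send connector).
Set-ReceiveConnector -Identity "$cas\Default Frontend $cas" -ProtocolLoggingLevel Verbose
Set-SendConnector -Identity 'Internet' -ProtocolLoggingLevel Verbose

# The 2013 log folders are per service; ask the server instead of assuming the path.
Get-FrontendTransportService -Identity $cas | Format-List ReceiveProtocolLogPath, SendProtocolLogPath
Get-TransportService -Identity $server | Format-List ReceiveProtocolLogPath, SendProtocolLogPath

# Protocol logs are CSV with '#'-prefixed header lines. A 535 reply is a failed AUTH; many of them
# from one remote endpoint is the signature of password spraying against the Front End connector.
function Get-SmtpAuthFailures {
    param([Parameter(Mandatory)][string]$LogFile, [int]$Threshold = 10)
    $fields = 'date-time', 'connector-id', 'session-id', 'sequence-number',
              'local-endpoint', 'remote-endpoint', 'event', 'data', 'context'
    Get-Content -Path $LogFile | Where-Object { $_ -notlike '#*' } |
        ConvertFrom-Csv -Header $fields |
        Where-Object { $_.data -like '535 *' } |
        Group-Object { ($_.'remote-endpoint' -split ':')[0] } |
        Where-Object { $_.Count -ge $Threshold } |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'RemoteIP'; e = { $_.Name } }, Count
}

# Newest SmtpReceive log of the Front End Transport service (run on the CAS itself).
$logDir = (Get-FrontendTransportService -Identity $cas).ReceiveProtocolLogPath.PathName
$latest = Get-ChildItem -Path $logDir -Filter '*.log' | Sort-Object LastWriteTime -Descending | Select-Object -First 1
Get-SmtpAuthFailures -LogFile $latest.FullName -Threshold 10
```

Verbose protocol logging records every command and reply, including the base64 of AUTH LOGIN exchanges, so treat the log folder as sensitive and turn the level back to None once the investigation is over.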
Using Telnet
Telnet can check whether the SMTP port responds, and it can send an SMTP message to a connector to verify whether the connector accepts it. Telnet is a command-line feature in Windows Server (the Telnet Client feature is not installed by default) that uses the following syntax: telnet <servername> smtp, or telnet <servername> <port>. For example, TELNET LON-EX1 SMTP and TELNET LON-EX1 25 are equivalent, because the service name smtp resolves to port 25. Telnet sends everything in clear text, so use it only to test the dialogue and never authenticate over it with a real account.
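The same SMTP dialogue driven from PowerShell instead of typed into Telnet, as an added example that is not part of the course text. It walks through EHLO, MAIL FROM and RCPT TO and then QUITs without ever sending DATA, so nothing is delivered; the reply to RCPT TO tells you whether the connector accepts the recipient, and whether an anonymous session can relay to an outside domain. Host names and addresses are assumed.

```powershell
# Added example: probe a Receive connector without sending a message. Names are assumed.
function Test-SmtpRecipient {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 25,
        [string]$HeloName = 'probe.adatum.com',   # assumed
        [string]$From = 'probe@adatum.com',       # assumed
        [Parameter(Mandatory)][string]$To
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()
    $stream.ReadTimeout = 15000
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"       # SMTP lines end in CRLF
    $writer.AutoFlush = $true

    # One SMTP reply; multi-line replies carry '-' after the code on every line but the last.
    $readReply = {
        $lines = @()
        do { $line = $reader.ReadLine(); $lines += $line }
        while ($line -and $line.Length -ge 4 -and $line[3] -eq '-')
        $lines
    }
    $send = { param($cmd) $writer.WriteLine($cmd); "C: $cmd"; (& $readReply) | ForEach-Object { "S: $_" } }

    $transcript  = @()
    $transcript += (& $readReply) | ForEach-Object { "S: $_" }   # 220 banner
    $transcript += & $send "EHLO $HeloName"
    $transcript += & $send "MAIL FROM:<$From>"
    $rcpt        = & $send "RCPT TO:<$To>"
    $transcript += $rcpt
    $transcript += & $send 'QUIT'                                # no DATA, nothing is queued
    $client.Close()

    $code = ($rcpt | Where-Object { $_ -like 'S: *' } | Select-Object -Last 1) -replace '^S: (\d{3}).*', '$1'
    [pscustomobject]@{
        Server     = $Server
        Recipient  = $To
        RcptCode   = $code
        Accepted   = ($code -eq '250')
        Transcript = $transcript
    }
}

# Internal recipient: expect 250. External recipient from an anonymous session: expect
# 550 5.7.1 Unable to relay; a 250 here means the connector is relaying for anyone.
$internal = Test-SmtpRecipient -Server 'LON-CAS1' -To 'amr@adatum.com'
$external = Test-SmtpRecipient -Server 'LON-CAS1' -To 'amr@contoso.com'
$internal.Transcript
$external.Transcript
if ($external.Accepted) { Write-Warning "LON-CAS1 relays anonymous mail to contoso.com" }
```

Because the session never issues STARTTLS or AUTH, no credentials cross the wire, which is the property that makes this safe to run against an Internet-facing connector.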
Remote Connectivity Analyzer Website
The following website enables you to test connectivity to various Exchange services from the Internet, and the functionality of these services: https://www.testexchangeconnectivity.com/.
You also can test inbound and outbound email traffic that uses the SMTP protocol. You can use this website to test both an on-premises Exchange server and Exchange Online in Microsoft Office 365. To use this tool, you must enter the credentials of a working account from the Exchange domain that you want to test.
Note: To avoid the risk of having your working credentials exploited and possibly compromising the security of your Exchange server environment, we strongly recommend that you create a test account for the purpose of using this tool, and delete this account immediately after you have completed the connectivity testing.
Demonstration: How to Troubleshoot SMTP Message Delivery
Demonstration Steps
1. Open the Command Prompt window.
2. To start the Telnet tool, at the command prompt, type Telnet LON-MBX1 SMTP, and try to se
3. On LON-MBX1, from the Start screen, start the Queue Viewer tool.
4. Suspend and resume the Submission queue.
5. Close Queue Viewer.
6. Open Exchange Outlook Web App, and sign in as Administrator.
7. Send one message to Amr@adatum.com and one to Amr@contoso.com.
8. Open the EAC on LON-CAS1, and in mail flow delivery reports, search for messages that Ad
9. View the message-delivery tracking report.
What Are Transport Agents?
Transport agents process email messages that pass through the transport pipeline on Transport service components. Custom transport agents provide additional functionality to Exchange Server 2013, such as anti-spam or antivirus programs, or any transport function that your organization may require. You can install custom transport agents on Exchange Server 2013 as additional software components.

Exchange Server 2013 includes the following transport agents that enable it to provide features such as transport rules and journaling:
Transport Rule agent. The Transport Rule agent processes transport rules on the Hub Transport servers in the Exchange organization. This allows the Exchange Server to consistently apply a single se
Journaling agent. The Journaling agent is a compliance-focused transport agent that processes messages on Hub Transport servers. It fires on the OnSubmit
g the message-journaling process.
Active Directory Rights Management Services Prelicensing agent. You can use the Active Directory Rights Management Services (AD RMS) Prelicensing agent to certify the Outlook recipient's authenticity, so that the recipient can
Note: Transport agents have full access to all messages that they process; and Exchange places no r
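Because every agent sees every message it is registered for, an inventory of what is installed and who signed it is a routine control. The following is an added example, not course material: it lists the agents registered with each of the four Exchange 2013 transport services, flags assemblies that live outside the Exchange installation folder, and checks their Authenticode signatures. It assumes it runs on the Exchange server itself, where the ExchangeInstallPath environment variable is set.

```powershell
# Added example: transport agent inventory with a third-party and signature check.
# Assumes it runs on an Exchange 2013 server ($env:ExchangeInstallPath is set there).
$install = $env:ExchangeInstallPath

$inventory = foreach ($svc in 'FrontEnd', 'Hub', 'MailboxSubmission', 'MailboxDelivery') {
    Get-TransportAgent -TransportService $svc | ForEach-Object {
        $path = [string]$_.AssemblyPath
        $sig  = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Service    = $svc
            Agent      = $_.Identity
            Enabled    = $_.Enabled
            Priority   = $_.Priority
            # Anything outside the Exchange install tree was added by someone other than setup.
            ThirdParty = -not $path.StartsWith($install, [System.StringComparison]::OrdinalIgnoreCase)
            SigStatus  = $sig.Status
            Signer     = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' })
            Assembly   = $path
        }
    }
}
$inventory | Sort-Object Service, Priority |
    Format-Table Service, Agent, Enabled, Priority, ThirdParty, SigStatus, Signer -AutoSize

# Which pipeline events each agent hooks: an agent on OnEndOfData or OnSubmittedMessage
# handles the full message body, not just the envelope.
Get-TransportPipeline | Format-List Event, TransportAgents

# Third-party agents without a valid signature should be disabled until they are verified.
$inventory | Where-Object { $_.ThirdParty -and $_.SigStatus -ne 'Valid' } |
    ForEach-Object { Write-Warning "Unsigned third-party agent: $($_.Agent) ($($_.Assembly))" }
# Disable-TransportAgent -Identity '<agent name>' -TransportService Hub
```

Run it on each server, because agents are registered per server and per transport service; an agent present on one Mailbox server and absent on its DAG peers is itself a finding.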
Lesson 2: Planning and Configuring Message Transport
Message transport planning is an important part of any Exchange infrastructure deployment. You should understand how you can manage mail flow, and how to configure the email domains that your Exchange server hosts. In addition, you should know how to configure and manage SMTP Send and Receive connectors, which are the most important components for establishing message flow.
Lesson Objectives
After completing this lesson, you will be able to:
Plan Exchange messaging transport.
Describe mail flow settings.
Plan accepted and remote domains.
Create and configure accepted and remote domains.
Describe SMTP connectors.
Create and configure SMTP connectors.
Describe foreign connectors.
Planning Exchange Messaging Transport
Before you actually configure the transport component in your Exchange Server 2013 infrastructure, it is important that you carefully plan your SMTP traffic in general, and identify routes, paths, and transition points for message transport.

In an Exchange Server 2013 infrastructure, you can configure and manage SMTP transport on the following:
Client Access server, which hosts Front End Transport Service.
Mailbox server, which hosts the Hub Transport Service and Mailbox Transport Service.
Edge Transport server 2007, 2010, or 2013, if implemented.
Non-Microsoft SMTP Gateway, if implemented.
You should take into account the following considerations when you plan for messaging transport:
On which email domains will you accept SMTP traffic? You should identify all email domain name
Which component initially accepts SMTP connections? The SMTP connections can be configured o
On which point do you implement SMTP traffic inspection for viruses and malware? You can impl
Are there any hosts in your network that require SMTP relaying? You might have applications or se
messages.
Do you have reliable connections for SMTP traffic inside your organization? For example, in some
Are you going to implement secure SMTP traffic with another organization? In some scenarios, you
Do you need to directly communicate with an organization that does not use SMTP for messaging?
After answering these questions and providing the necessary details, you will have enough information to properly configure your messaging transport structure inside the organization, and also to and from the Internet.
Demonstration: Reviewing Mail-Flow Settings
Demonstration Steps
1. On LON-CAS1, switch to the EAC.
2. Navigate to mail flow.
3. Browse through all of the tabs in the mail flow section.
Planning Accepted Domains and Remote Domains
As part of the message transport configuration process, you should configure the domains for which the Exchange server will accept email, and optionally configure users with alternate email addresses.

Accepted Domains
When you create a new accepted domain, you have three options for the domain type:
Authoritative Domain. Select this option if the recipients using this domain name have mailboxes in
Internal Relay Domain. Select this option if your Exchange server should accept the email, but rela
global address list (GAL). When messages are sent to the contacts, the Transport service forwards t
External Relay Domain. Select this option if your Exchange server should accept the email, but rela
e external relay domain. This requires a Send connector from the transport server to the external rel
By default, only the forest root domain is established as an accepted domain. You should consider adding additional accepted domains in the following situations:
Additional namespaces. If you have additional domains within your forest, in particular, additional
you may consider adding authoritative domains for them. If you add an authoritative domain for an
Mergers and acquisitions. When your organization acquires another organization, you may decide t
External relay. You must configure an accepted domain to support external SMTP relay. Unlike an
outside your organization. An Internet Service Provider (ISP) might configure an external relay for
Remote Domains
Remote domains define SMTP domains that are external to your Exchange Server organization. You can create remote domain entries to define the settings for message transfer between the Exchange Server 2013 organization and domains outside your AD DS forest. When you create a remote domain entry, you control the types of messages that are sent to that domain. You also can apply message-format policies and acceptable character sets for messages that are sent from your organization's users to the remote domain.
Remote domain settings are global configuration settings for the Exchange Server organization; they apply on every transport server.
You can create remote domain entries to define the mail transfer settings between the Exchange Server 2013 organization and a domain that is outside your AD DS forest. When you create a domain entry, you provide a name to help the administrator identify the entry's purpose when he or she views the configuration settings.
The name is limited to 64 characters. You also provide the domain name to which this entry and the associated settings will apply. You can use a wildcard character in the domain name to include all subdomains. The wildcard character must appear at the start of the domain name entry. The SMTP domain name is limited to 256 characters.
The default settings may be suitable for most situations, but when you work with a partner organization, you may choose to create a remote domain for their SMTP namespace, and configure specific settings accordingly. You also can choose to define your Office 365 domain as a remote domain.
Demonstration: Creating and Configuring Accepted and Remote Domains
Demonstration Steps
1. In the EAC, navigate to mail flow.
2. On the accepted domain tab, create a new accepted domain named adatum.local of internal re
3. Open Exchange Management Shell.
4. Review the list of remote domains.
5. Create new remote domain called contoso.com.
6. Review all settings for remote domain contoso.com.
7. Set properties AutoForwardEnabled and DeliveryReportEnabled of remote domain Contoso
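The demonstration steps above carried out in the Exchange Management Shell, as an added example that is not part of the course text, followed by a check that the practitioner usually wants on the same screen: which remote domains allow client-side auto-forwarding. The domain names come from the demonstration; the property values chosen are assumed.

```powershell
# Added example: accepted domain, remote domain, and an auto-forward audit. Values are assumed.

# Step 2: internal relay domain (Exchange accepts the mail, then relays it to another system).
New-AcceptedDomain -Name 'adatum.local' -DomainName 'adatum.local' -DomainType InternalRelay
Get-AcceptedDomain | Format-Table Name, DomainName, DomainType, Default -AutoSize

# Step 4: existing remote domains. 'Default' (DomainName *) covers every domain without its own entry.
Get-RemoteDomain | Format-Table Name, DomainName, AutoForwardEnabled, DeliveryReportEnabled, NDREnabled, TNEFEnabled -AutoSize

# Steps 5 to 7: a partner-specific entry. TNEFEnabled $false forces plain MIME for this domain, so
# Outlook-only content such as voting buttons is dropped rather than sent as winmail.dat.
New-RemoteDomain -Name 'Contoso' -DomainName 'contoso.com'
Set-RemoteDomain -Identity 'Contoso' -AutoForwardEnabled $false -DeliveryReportEnabled $true -TNEFEnabled $false
Get-RemoteDomain -Identity 'Contoso' | Format-List Name, DomainName, AutoForwardEnabled, DeliveryReportEnabled, TNEFEnabled

# Audit: with AutoForwardEnabled $true on a remote domain, a compromised mailbox can exfiltrate
# everything it receives by a client-side forwarding rule to an address in that domain.
Get-RemoteDomain | Where-Object { $_.AutoForwardEnabled } |
    ForEach-Object { Write-Warning "Auto-forward allowed to $($_.DomainName) (remote domain '$($_.Name)')" }
# Set-RemoteDomain -Identity 'Default' -AutoForwardEnabled $false
```

A remote domain entry for contoso.com takes precedence over the Default entry only for that domain; the wildcard form *.contoso.com would also cover its subdomains.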
What Is an SMTP Connector?
An SMTP connector is an Exchange server component that supports one-way SMTP connections that route mail between the Hub Transport service and the Front End Transport service, or between the transport servers and the Internet. You create and manage SMTP connectors from the EAC or the Exchange Management Shell.
Exchange Server 2013 provides two types of SMTP connectors: SMTP Receive connectors and SMTP Send connectors. For an Exchange server to both send and receive messages by using SMTP, at least one connector of each type must be available on the server.
What Are SMTP Receive Connectors?
Exchange Server 2013 requires an SMTP Receive connector to accept any SMTP email. An SMTP Receive connector enables an Exchange Transport service to receive mail from any other SMTP source, including SMTP mail programs such as Windows Mail, SMTP servers on the Internet, Edge Transport servers, and other Exchange Server SMTP servers.
You create SMTP Receive connectors on each server running the Client Access or Mailbox server role. You can configure multiple SMTP Receive connectors with different parameters on a single Exchange server. In large organizations, there can be multiple SMTP Receive connectors on a single server or on multiple servers. In small to medium-sized organizations, as few as two connectors (a Send and a Receive connector) could serve the entire organization. The default maximum message size for a new Receive connector is 35 MB.
You must configure each SMTP Receive connector with a port on which the connector will receive connections, the local IP addresses that will be used for incoming connections, and the remote IP ranges that can send mail to this SMTP Receive connector. The combination of these three properties must be unique across every SMTP Receive connector on the server; when two connectors overlap, the one with the more specific remote IP range handles the connection. When you install Exchange Server 2013, Receive connectors are created by default for the Mailbox Transport service and the Front End Transport service.
Default Receive Connectors on the Mailbox Transport Service
When you install the Mailbox server role, two Receive connectors are automatically created. No additional Receive connectors are needed for a typical Exchange operation, and in most cases the default connectors will not require a configuration change. These connectors include:
Default <server name>. Accepts authenticated connections from Mailbox servers running the Tran
Client Proxy <server name>. This connector accepts connections from front-end servers. It has the
Default Receive Connectors on a Front End Transport Service
During installation, the following Receive connectors are created on the Client Access server:
Default FrontEnd <server name>. The connector accepts connections from SMTP senders over po
non-authenticated (anonymous) connections and has a Front End Transport role.
Outbound Proxy Frontend <server name>. The connector accepts messages from a Send Connecto
Client Frontend <server name>. This connector accepts authenticated connections from clients suc
Note: In a typical installation, no additional Receive connectors are required.
What Are SMTP Send Connectors?
An Exchange Server 2013 computer requires an SMTP Send connector to send any SMTP email, and to send email to any SMTP server on the Internet or to any SMTP servers in the same Exchange Server organization.
By default, no SMTP Send connectors are configured on Mailbox or Client Access servers, except for the implicit SMTP Send connectors. These are created dynamically to communicate with Transport services in other sites.
Keep in mind the relationship between the Front End Transport service on the Client Access server and the Transport service on Mailbox servers in Exchange Server 2013, because Send connectors function differently in Exchange Server 2013 than in previous Exchange Server versions. You can now set a Send connector in the Transport service on a Mailbox server to route outbound mail through a Front End transport server in the local AD DS site, by means of the FrontEndProxyEnabled parameter of the Set-SendConnector cmdlet. This allows you to manage how email is routed from the Transport service.
The default maximum message size is specified by the MaxMessageSize parameter. The default maximum message size for a new Send connector is 10 MB. The documentation for the Set-SendConnector cmdlet provides more information on how to set parameters on a Send connector.
In addition, the TlsCertificateName parameter has been added. It identifies the local certificate to be used for outbound connections and minimizes the risk of fraudulent certificates.
How to Manage SMTP Connectors
You can use the EAC or the Exchange Management Shell to create, configure, and view SMTP connectors. In the EAC, SMTP Receive connectors can be configured for each Mailbox server, while Send connectors are configured in the Organization Configuration node. To manage connectors using the Exchange Management Shell, use the Set-ReceiveConnector and Set-SendConnector cmdlets. If you incorrectly configure the SMTP Receive connectors, this can lead to an open relay on the mail server. Therefore, you must carefully test the configuration.
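The open-relay risk described above is a property of the Receive connector configuration, so it can be audited from the Exchange Management Shell. The following is an added example (not code from the course): it reports, per connector, whether anonymous senders are accepted, whether they hold the documented ms-Exch-SMTP-Accept-Any-Recipient extended right that allows relaying, and whether the remote range is unrestricted; it then creates the single-host relay connector that Lab Exercise 1, Task 2 builds in the EAC (server LON-CAS1 and host 172.16.0.10 are the course's values; the cmdlet switches are standard Exchange 2013 parameters). Run it in an Exchange 2013 Management Shell.

```powershell
# Added example, not part of the course: audit Receive connectors for open-relay exposure
# and create the lab's single-host relay connector. Server names are the course's (LON-CAS1);
# the extended right name is the documented one that permits relaying to any recipient.

$relayRight = 'ms-Exch-SMTP-Accept-Any-Recipient'

function Get-ReceiveConnectorRelayReport {
    # One row per connector. OpenRelay is true only when anonymous senders from any
    # address may relay to arbitrary recipients, which is the misconfiguration to avoid.
    foreach ($rc in Get-ReceiveConnector) {
        $anonymous = "$($rc.PermissionGroups)" -match 'AnonymousUsers'
        $anySource = @($rc.RemoteIPRanges | Where-Object { "$_" -eq '0.0.0.0-255.255.255.255' }).Count -gt 0
        $relayAce  = Get-ADPermission -Identity "$($rc.Identity)" | Where-Object {
            (-not $_.Deny) -and
            ($_.User -like '*ANONYMOUS LOGON*') -and
            (@($_.ExtendedRights | ForEach-Object { "$_" }) -contains $relayRight)
        }
        [pscustomobject]@{
            Connector        = "$($rc.Identity)"
            Role             = $rc.TransportRole
            Bindings         = (@($rc.Bindings) -join ', ')
            RemoteIPRanges   = (@($rc.RemoteIPRanges) -join ', ')
            AnonymousAllowed = [bool]$anonymous
            AnonymousRelay   = [bool]$relayAce
            OpenRelay        = [bool]($anonymous -and $relayAce -and $anySource)
        }
    }
}

# Lab Exercise 1, Task 2: a relay connector that accepts anonymous mail from one
# application host only. Scoping RemoteIPRanges to that host is what keeps this from
# becoming an open relay; the more specific remote range wins over the default connector.
New-ReceiveConnector -Name 'AppClient' -Server 'LON-CAS1' -TransportRole FrontendTransport `
    -Usage Custom -Bindings '0.0.0.0:25' -RemoteIPRanges '172.16.0.10' `
    -PermissionGroups AnonymousUsers

# Anonymous submission alone does not relay to external recipients; that needs this right.
# Grant it only on a connector whose RemoteIPRanges is a short, explicit list.
Get-ReceiveConnector 'LON-CAS1\AppClient' |
    Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' -ExtendedRights $relayRight

# Re-run the audit: AppClient should show AnonymousRelay = True and OpenRelay = False.
Get-ReceiveConnectorRelayReport | Format-Table -AutoSize
```

Run the report before and after any Receive connector change; any row with OpenRelay = True is the condition the lesson warns about and should be corrected by narrowing RemoteIPRanges or removing the extended right.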
Demonstration: How to Create and Configure SMTP Connectors
Demonstration Steps
1. Use the Exchange Management Shell to create a new Send connector with the following properties
a. Name: Send to Internet
b. Address space: *
c. Source: LON-MBX1
2. Use the Exchange Management Shell to create a new Send connector with the following properties:
a. Name: Secure Email to Contoso
b. Address space: contoso.com
c. DNSRoutingEnabled: false
d. Smarthost: 172.16.0.10
e. Authentication: basic
f. Credentials: Administrator, Pa$$w0rd
3. Use the EAC to verify the settings on new Send connectors.
4. Use the EAC to create a new Client receive connector to accept anonymous connections only from
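The two Send connectors from the demonstration, created in the Exchange Management Shell, together with the three Exchange 2013 Send connector options the lesson describes (FrontEndProxyEnabled, MaxMessageSize and TlsCertificateName). This is an added example, not the course's own script: the connector names, address spaces, smart host and source server are the demonstration's values, the certificate thumbprint is a placeholder, and the credential is prompted for rather than embedded.

```powershell
# Added example, not part of the course. Values are the demonstration's except where noted.

# 1. Internet connector: DNS (MX) routing for every address space, sourced on LON-MBX1.
New-SendConnector -Name 'Send to Internet' -Usage Internet -AddressSpaces '*' `
    -SourceTransportServers 'LON-MBX1' -DNSRoutingEnabled $true

# 2. Smart-host connector to contoso.com with basic authentication.
#    Prompting for the credential keeps the password out of scripts and shell history.
$cred = Get-Credential -UserName 'Administrator' -Message 'Smart host credential'

New-SendConnector -Name 'Secure Email to Contoso' -Usage Custom -AddressSpaces 'contoso.com' `
    -SourceTransportServers 'LON-MBX1' -DNSRoutingEnabled $false -SmartHosts '172.16.0.10' `
    -SmartHostAuthMechanism BasicAuth -AuthenticationCredential $cred
# BasicAuth sends the password in clear text on the wire; if the smart host supports
# STARTTLS, use -SmartHostAuthMechanism BasicAuthRequireTLS instead.

# 3. Exchange 2013 options from the lesson text, applied to the Internet connector:
#    route outbound mail from the Transport service through a Front End Transport server
#    in the local site, cap message size at the default 10 MB, and pin the certificate
#    used for outbound TLS. The thumbprint is a placeholder; take it from
#    Get-ExchangeCertificate on the source server.
$cert    = Get-ExchangeCertificate -Server 'LON-MBX1' -Thumbprint '<THUMBPRINT-OF-YOUR-CERT>'
$tlsName = "<I>$($cert.Issuer)<S>$($cert.Subject)"
Set-SendConnector 'Send to Internet' -FrontendProxyEnabled $true -MaxMessageSize 10MB `
    -TlsCertificateName $tlsName

# 4. Verify (step 3 of the demonstration does this in the EAC).
Get-SendConnector | Format-Table Name, AddressSpaces, SmartHosts, DNSRoutingEnabled,
    FrontendProxyEnabled, MaxMessageSize, TlsCertificateName -AutoSize
```

The TlsCertificateName value is built from the issuer and subject of the chosen certificate in the "<I>issuer<S>subject" form that Exchange 2013 expects; pinning it prevents the connector from silently offering a different, possibly untrusted, certificate after a certificate change.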
What Are Foreign Connectors?
Sometimes you have to deliver email messages to a system that does not support SMTP as a transport mechanism. One such example is a fax-gateway server. In this scenario, you can use a Foreign connector, which uses the Drop directory to send outbound messages. The Drop directory can be local or shared. As a transport mechanism, it uses file transfer protocols rather than SMTP. In the opposite direction, Foreign gateway servers can send messages to the Exchange Server 2013 organization by using the Pickup or Replay directories, as discussed earlier in this module.

Correctly formatted email message files that you copy to each directory are submitted for delivery to an Exchange mailbox.
You can create Foreign connectors on the mailbox transport service running on the Mailbox server role. You must use the Exchange Management Shell to create and configure a Foreign connector.
The following example shows how to create a Foreign connector:
New-ForeignConnector -Name "FaxGW Foreign Connector" -AddressSpaces "X400:c=US;a=Fabrikam;P=Contoso;5" -SourceTransportServers LON-MBX1,LON-MBX2
To configure a Drop directory path for a Foreign connector, run the following cmdlet:
Set-ForeignConnector "Contoso Foreign Connector" -DropDirectory "C:\Drop Directory"
To check a Foreign connector configuration, run the Get-ForeignConnector cmdlet.
A delivery agent also can deliver messages from your SMTP Exchange Server environment to a system that does not use the SMTP protocol. Each delivery agent is associated with a delivery agent connector, which queues messages routed to the delivery agent for processing and delivery to the non-SMTP device or system.
Although the Foreign connector architecture remains in Exchange Server 2013, we recommend that you use delivery agents for routing messages to non-SMTP systems whenever possible. The primary reasons for this recommendation include:
You can use queue management for messages.
There is no need to manage file transfer to a Drop directory.
You can verify message delivery.
Note: Typically, delivery agents are produced by third-party companies. By default, Exchange Server 2013 comes with only one delivery agent connecto
Lesson 3: Managing Transport Rules
You can implement messaging policies and compliance by applying transport rules to messages as users send them within the organization. By implementing transport rules, you ensure that all email messages sent within the organization or to external recipients meet your organization's compliance requirements. You also can apply rights-management policies to messages by using transport rules. For example, you can use transport rules to ensure compliance with data-loss prevention policies.
Lesson Objectives
After completing this lesson, you will be able to:
Describe transport rules.
Configure transport rules.
Plan transport rules.
Create transport rules.
Describe data-loss prevention policies.
Configure data-loss prevention policies.
What Are Transport Rules?
Exchange Server applies transport rules to messages as they pass through the Edge Transport server or through the Transport service on a Mailbox server. The transport rule agent applies transport rules on the Hub Transport service. Transport rules control message flow and can modify content while messages are in transit.
With transport rules, you can:
Prevent specified users from sending or receiving email from other specified users.
Prevent inappropriate content from entering or leaving the organization.
Apply restrictions based on message classifications to restrict the flow of confidential organization
Track or journal messages that specific individuals send or receive.
Redirect incoming and outgoing messages for inspection before delivery.
Apply disclaimers to messages as they pass through the organization.
Apply Active Directory Rights Management Services (AD RMS) templates to the messages based
Transport rules configured on one Mailbox server automatically apply to all other Mailbox servers in the organization. Exchange Server stores the transport rules in the Configuration container in AD DS, and replicates them throughout the AD DS forest so that they are accessible to all other Mailbox servers. This means that Exchange Server applies the same transport rules to all email messages that users send or receive in the organization.
Configuring Transport Rules
Transport rules are configured by using a wizard, similar to the wizard that Outlook uses for mailbox rules. When you configure transport rules, you should define the following elements:

Conditions. Transport rule conditions indicate which email message attributes, headers, recipients, s
the condition's value, Exchange Server applies the rule, as long as the condition does not match an
rt rule then applies to all messages. There is no limit to the number of conditions that you can apply
Note: If you configure multiple conditions on the same transport rule, all of the conditions must be
Actions. Exchange Server applies actions to email messages that match the conditions and for which
Exceptions. Exceptions determine which email messages to exclude from an action. Transport rule
rule action to an email message, even if the message matches all configured transport rule conditio
Note: If you configure multiple exceptions on the same transport rule, only one exception must mat
Predicates. Conditions and exceptions use predicates to define which part of an email message the
cates examine the subject, body, or attachment size. To determine whether Exchange Server should
Planning Transport Rules
Transport rules provide you with an almost limitless ability to control messaging in your Exchange Server organization. Always carefully plan your transport rules to ensure that they behave as intended. Otherwise, you could accidentally delete messages, or deliver messages to unintended recipients.

Consider the following recommendations when you plan transport rules:

Plan conditions and exceptions carefully. Transport rule conditions and exceptions define which messages are affected by the transport rule. I
Plan for Transport rule priority and order. In many cases, you will have to apply several transport ru
Use regular expressions to check message contents. Use regular expressions to simplify the list of te
number pattern, you can use the expression \d\d\d(-|.)\d\d\d\d, which denotes a pattern of three di
Test application of transport rules. Test new transport rules to ensure they behave as intended. This
Plan for transport rule limitations on encrypted and digitally signed messages. AD RMS integration
cryption through other mechanisms may prevent you from applying transport rules or records mana
rypted attachments.
Consider transport rule recovery. Deleted transport rules are not easily recoverable. Transport rules
create, and you can export transport rules to backup files by using the Export-TransportRuleColle
Demonstration: Creating Transport Rules
Demonstration Steps
1. On LON-CAS1, switch to the EAC.
2. Navigate to mail flow.
3. Choose to create a new transport rule.
4. Configure the rule with the following properties:
a. Rule name: Test Transport Rule
b. Condition: Apply this rule if, the subject or body includes password
c. Action: Redirect the message to Administrator
d. Activate this rule now
5. Sign in to LON-CL1 as Aidan, and open Outlook 2013. Send a message to Amr@adatum.com wi
6. Sign in to Outlook Web App as Administrator.
7. Verify that you received an email from Aidan, and that the original message that Aidan sent to Am
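The demonstration rule above, the disclaimer rule from Lab Exercise 3 Task 1, and the planning recommendations (test before enforcing, set an explicit priority, use a regular expression, back up the rule collection) can all be done from the Exchange Management Shell. The following is an added example, not the course's own script: the rule names, words and disclaimer text are taken from the demonstration and lab, Administrator@adatum.com is assumed as the redirect and exception address, C:\Backup is an assumed path, and the phone-number pattern is the planning list's expression with the period escaped so it matches a literal period.

```powershell
# Added example, not part of the course. Addresses and the backup path are assumptions.

# Demonstration rule, created in audit mode first: matches are logged but no mail is
# redirected until the results have been checked.
New-TransportRule -Name 'Test Transport Rule' `
    -SubjectOrBodyContainsWords 'password' `
    -RedirectMessageTo 'Administrator@adatum.com' `
    -Mode Audit -Priority 0

# Lab Exercise 3, Task 1: disclaimer on every message sent from inside the organization,
# wrap the original when the disclaimer cannot be inserted, and exclude Administrator.
New-TransportRule -Name 'Adatum Disclaimer' `
    -FromScope InOrganization `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerText 'this is Adatum Disclaimer text' `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -ExceptIfFrom 'Administrator@adatum.com' `
    -Mode Enforce -Priority 1

# Regular expression from the planning list. The course shows "(-|.)"; an unescaped "."
# matches any character, so "\." is used here to match only a literal period.
# Tagging a header is a low-impact action suitable for an audit rule.
New-TransportRule -Name 'Tag phone-number pattern' `
    -SubjectOrBodyMatchesPatterns '\d\d\d(-|\.)\d\d\d\d' `
    -SetHeaderName 'X-Adatum-Pattern' -SetHeaderValue 'phone-number' `
    -Mode Audit -Priority 2

# Rules are evaluated in priority order; confirm the order before enforcing.
Get-TransportRule | Sort-Object Priority | Format-Table Priority, Name, Mode, State -AutoSize

# Promote the demonstration rule once the audit results look right.
Set-TransportRule 'Test Transport Rule' -Mode Enforce

# Deleted rules are not easily recoverable: export the whole collection to a backup file.
$export = Export-TransportRuleCollection
Set-Content -Path 'C:\Backup\TransportRules.xml' -Value $export.FileData -Encoding Byte
# Restore later with:
# Import-TransportRuleCollection -FileData ([byte[]](Get-Content 'C:\Backup\TransportRules.xml' -Encoding Byte -ReadCount 0))
```

Creating a redirect rule in audit mode first is the shell equivalent of the "test application of transport rules" recommendation: a wrong condition in enforce mode would move real mail to the wrong mailbox, whereas in audit mode it only produces log entries.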
What Are Data-Loss Prevention Policies?
In today's business environment, email is a critical communication resource. Various kinds of information are exchanged by using email, and in some cases, business-critical information can leak out of a company in unprotected email.

To prevent this, Microsoft has implemented Data-Loss Protection policies in Exchange Server 2013.
The primary purpose of Data Protection policies is to enforce compliance requirements for business-critical data and manage its use in email, without hindering the productivity of workers. For example, you can configure a policy to prevent sending data such as credit card numbers, Social Security numbers, and IP addresses in email messages.
Note: Data Loss Prevention is a premium feature that requires an Enterprise Client Access License (CAL).
Data Loss Protection policies are a set of conditions that contain transport rules, actions, and exceptions. When Data Loss Protection policies are applied, they filter email traffic to prevent business-critical information in email from leaving the company. Data Loss Protection Policies are very similar to transport rules; in fact, they are transport rules with an extended set of options.
The difference between transport rules and Data Loss Protection policies is a new approach to classifying sensitive information that can be incorporated into mail flow processing. This includes the performance of deep content analysis through keyword matches, dictionary matches, regular expression evaluation, and other content examination to detect content that violates organizational policies.
You can create Data Loss Protection policies in the EAC, and also in the Exchange Management Shell. It is possible to create these policies for testing, where you just observe the effects of the policies, or you can enforce them to all email traffic in your organization.
One benefit of Data Loss Protection policies is the ability to inform email senders that they may be violating one of your policies, even before they send a message. This is accomplished by using Data Loss Protection Policy Tips, which are very similar to MailTips, but are preconfigured to be used with Data Loss Protection policies.
Microsoft provides numerous Data Loss Protection policy templates in Exchange Server 2013. You also have the option of defining your own custom policies and transport rules as an alternative to using the predefined policy templates provided by Microsoft.
There are three different methods that can be applied when implementing Data Loss Protection policies:
Use the templates provided by Microsoft. This is the quickest way to start using Data Loss Protectio
rements. Some of the predefined policy templates include:
o U.S. Financial Data. Helps to detect the presence of data commonly associated with financial infor
o Germany Financial Data. Helps to detect the presence of data commonly associated with financial
o U.S. Health Insurance Portability and Accountability Act (HIPAA). Helps to detect the presence o
o U.S. Patriot Act. Helps to detect the presence of data commonly subject to the U.S. Patriot Act.
o U.K. Access to Medical Reports Act. Helps to detect the presence of data commonly associated w
o Israel Protection of Privacy. Helps to detect the presence of data commonly associated with privat
o Saudi Arabia Anti-Cyber Crime Law. Helps to detect the presence of data commonly associated w
Use policy files created by a third-party software vendor. You can import policies that are created by independent software vendors. T
Create a custom policy. If any of the predefined policies do not meet your requirements, you have t
ments and constraints of the environment in which the policy will be enforced.
When you create Data Loss Protection policies, you also can include rules that check for sensitive information. These information types should be used in your policies. The conditions that you establish within a policy, such as how many times something is found before an action is taken, might be customized within your new policies, to meet your specific policy requirements.
To implement Data Loss Protection policy features, you must have Exchange Server 2013 configured with at least one sender mailbox.
Demonstration: Configuring Data Loss Protection Policies
Demonstration Steps
1. In the EAC on LON-CAS1, navigate to compliance management data loss prevention.
2. Select to create new custom DLP Policy.
3. Configure the policy as follows:
a. Policy is Enforced
b. Name of policy: IP address block
c. Include rule: Block messages with sensitive information
d. Sensitive information type: IP address
e. Action: Generate incident report and send it to Administrator
f. Include following properties: sender, recipient, subject and matching content
g. Action: notify the sender with a Policy Tip with text your message is blocked.
4. Activate and save the policy.
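The same policies from the Exchange Management Shell, as an added example that is not part of the course: a template-based policy started in test mode (the "observe the effects" option the lesson describes) and the custom "IP address block" policy from the demonstration, which also serves Lab Exercise 3 Task 2. The template name is one the lesson lists, the sensitive information type name "IP Address" is the one shipped with Exchange 2013, Administrator@adatum.com is assumed as the incident report recipient, and the incident report is configured with the attach-original-mail option as an approximation of the demonstration's property list.

```powershell
# Added example, not part of the course. The report recipient address is an assumption.

# Templates shipped with Exchange 2013 (the lesson names several of them).
Get-DlpPolicyTemplate | Format-Table Name -AutoSize

# Template-based policy in test mode: matches are logged, nothing is blocked yet.
New-DlpPolicy -Name 'Financial data (test)' -Template 'U.S. Financial Data' -Mode Audit

# Demonstration policy: an enforced custom policy plus the one rule it contains.
New-DlpPolicy -Name 'IP address block' -Mode Enforce
New-TransportRule -Name 'Block messages with sensitive information' `
    -DlpPolicy 'IP address block' `
    -MessageContainsDataClassifications @{ Name = 'IP Address' } `
    -GenerateIncidentReport 'Administrator@adatum.com' `
    -IncidentReportOriginalMail IncludeOriginalMail `
    -NotifySender RejectMessage `
    -RejectMessageReasonText 'your message is blocked'

# Lab Exercise 3 variant: the rule applies only when the recipient is inside the organization.
Set-TransportRule 'Block messages with sensitive information' -SentToScope InOrganization

# Moving a policy between test and enforcement without recreating its rules:
# AuditAndNotify shows Policy Tips to senders but still lets the message through.
Set-DlpPolicy 'IP address block' -Mode AuditAndNotify
Set-DlpPolicy 'IP address block' -Mode Enforce

# Review what is in place; the rule and its policy both report their mode.
Get-DlpPolicy | Format-Table Name, State, Mode -AutoSize
Get-TransportRule | Where-Object { $_.DlpPolicy } |
    Format-Table Name, DlpPolicy, Mode, MessageContainsDataClassifications -AutoSize
```

Starting in Audit or AuditAndNotify mode is the shell form of the testing option the lesson mentions: the incident reports show which messages would have been blocked, so false positives in the classification can be found before users are affected.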
Lab: Planning and Configuring Message Transport
Scenario
You are a messaging administrator in A. Datum Corporation, which is a large multinational organization that has offices in several cities. Your organization has deployed Exchange Server 2013. You need to configure Exchange Server to send messages to the Internet and receive messages from the Internet. You also need to ensure that you can troubleshoot message transport, if necessary. At the end, you need to configure some message transport rules, according to the corporate security policy.
Objectives
At the end of this lab, you will be able to:
Configure message transport.
Troubleshoot message delivery.
Configure transport rules and data-loss prevention policies.
Lab Setup
Estimated time: 45 minutes
Virtual machines: 20341B-LON-DC1, 20341B-LON-CAS1, 20341B-LON-MBX1, 20341B-LON-CL1
User Name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Mana
2. In Hyper-V Manager, click 20341B-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
a. User name: Adatum\Administrator
b. Password: Pa$$w0rd
5. Repeat steps 2 to 4 for 20341B-LON-MBX1 and 20341B-LON-CAS1.
6. Repeat steps 2 and 3 for 20341B-LON-CL1. Do not sign in until directed to do so.
Exercise 1: Configuring Message Transport
Scenario
Your organization has deployed Exchange Server 2013 in two of its sites. However, all Internet messages should flow through the main site. As part of your job responsibilities, you need to set up message transport to and from the Internet. You also need to enable one application that is running on the host with IP address 172.16.0.10 to anonymously relay email through your Exchange server.
The main tasks for this exercise are as follows:
1. Configure a Send connector to the Internet
2. Configure a receive connector to accept relaying
Task 1: Configure a Send connector to the Internet
1. On LON-CAS1, open Internet Explorer and type https://lon-cas1.adatum.com/ecp, and press Ent
2. Sign in as Adatum\Administrator with the password Pa$$w0rd.
3. Navigate to mail flow send connectors.
4. Select to create a new send connector with the following properties:
a. Name: Internet sending
b. Type: Internet
c. Resolution: MX record associated with recipient domain
d. FQDN: *
e. Source Server: LON-MBX1
Task 2: Configure a receive connector to accept relaying
1. In the EAC, select to create a new receive connector.
2. Name the connector AppClient.
3. Allow connections only from IP address 172.16.0.10.
4. Allow anonymous connections from this IP.
Results: After completing this exercise, the students will have configured message transport.
Exercise 2: Troubleshooting Message Delivery
Scenario
You have successfully installed Exchange Server 2013 in two sites. You now need to make sure that mail flow is working correctly.
The main tasks for this exercise are as follows:
1. Verify that messages from the Internet can be received
2. Troubleshoot message transport
Task 1: Verify that messages from the Internet can be received
1. On LON-DC1, use Telnet to connect to LON-CAS1 with SMTP protocol.
2. Issue the following commands at the Telnet prompt, and press Enter between the commands:
a. helo
b. mail from: info@internet.com
c. rcpt to:Aidan@adatum.com
d. data
e. Test from Internet
f. . (period)
3. Switch to LON-CL1, log on as Aidan with the password Pa$$w0rd, open Outlook 2013, and verify
4. Reply to the message with the text of your choice.
Task 2: Troubleshoot message transport
1. On LON-MBX1, open the Exchange Toolbox.
2. Start Queue Viewer.
3. Verify that there is a queue for the domain internet.com.
4. Remove the message from Aidan@adatum.com.
5. Switch to Outlook 2013 on LON-CL1, and ensure that Aidan received a NDR.
Results: After completing this exercise, the students will have completed SMTP troubleshooting.
Exercise 3: Configuring Transport Rules and Data-Loss Prevention Policies
Scenario
You are testing transport rules and Data-Loss Prevention policies. At first, you will implement a transport rule that appends a disclaimer for every message that is sent from the A. Datum organization. In addition, according to the corporate security policy, you should create a data-loss prevention policy that prevents users from sending IP address data in emails.
The main tasks for this exercise are as follows:
1. Implementing and testing a disclaimer transport rule
2. Create a Data-Loss Prevention policy
3. Verify data-loss prevention policy functionality
4. To prepare for the next module
Task 1: Implementing and testing a disclaimer transport rule
1. On LON-CAS1, in the Exchange admin center, click mail flow in the feature pane.
2. On the rules tab, start the wizard for the new rule.
3. Select that the rule is applied whenever the sender of the message is inside the organization.
4. Select action for the message to be Append the disclaimer.
5. Type the text this is Adatum Disclaimer text as the disclaimer.
6. Select wrap as the fallback action.
7. Configure that Administrator should be excluded from this rule.
8. Switch to LON-CL1 and in Outlook 2013, send a test message to Administrator.
9. Sign in to Outlook Web App as Adatum\Administrator with the password Pa$$w0rd.
10. Verify that you received the message from Aidan, and that it includes the disclaimer.
11. Reply to that message.
12. On LON-CL1, open the message from Administrator, and verify that there is no disclaimer.
Task 2: Create a Data-Loss Prevention policy
1. In the EAC on LON-CAS1, navigate to compliance management data loss prevention.
2. Select to create a new custom DLP Policy.
3. Configure the policy as follows:
a. Policy is Enforced
b. Name of policy: IP address block
c. Include rule: Block messages with sensitive information
d. Apply this rule if: The recipient is located inside the organization.
e. Sensitive information type: IP address
f. Action: Generate incident report and send it to Administrator
g. Action: notify the sender with a Policy Tip with text your message is blocked
4. Activate and save the policy.
Task 3: Verify data-loss prevention policy functionality
1. Ensure that you are logged on to LON-CL1 as Aidan.
2. Switch to Outlook 2013.
3. Send a message to amr@adatum.com with the following text: This is my IP address: 192.168.0.1
4. Wait for a few moments, and see if you receive an email message that your previous message to A
5. Switch to Internet Explorer.
6. In the Outlook Web App, ensure that you received an email from Aidan and that original message
Task 4: To prepare for the next module
When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20341B-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 to 3 for 20341B-LON-CAS1, 20341B-LON-MBX1, and 20341B-LON-CL1.
5. In Hyper-V Manager, click 20341B-LON-DC1, and in the Actions pane, click Start.
6. In the Actions pane, click Connect. Wait until the virtual machine starts.
7. Sign in using the following credentials:
a. User name: Adatum\Administrator
b. Password: Pa$$w0rd
8. Repeat steps 5 to 7 for 20341B-LON-MBX1. When you have successfully signed in to LON-MBX
Results: After completing this exercise, the students will have configured transport rules and data-loss prevention policies.
Question: What would you need to configure to enable outbound Internet email from each A. Datum location?
Question: A user reports that she sent a message to a user in another company two hours ago, and the message has not arrived. How would you troubleshoot this?
Module Review and Takeaways
Best Practice
Do not modify default message routing flow unless it is absolutely necessary.
Use Queue Viewer as the first tool to diagnose message delivery failure.
Understand the difference between transport rules and data-loss prevention policies.
Common Issues and Troubleshooting Tips
Common Issue: Transport rule is not applied to the message
Review Question(s)
Question: Where is the Hub Transport functionality from Exchange Server 2007 and Exchange Server 2010 located in Exchange Server 2013?
Tools
Exchange Administration Center
Exchange Management Shell
Queue Viewer
Module 9: Planning and Configuring Message Hygiene
Contents:
Module Overview
Lesson 1: Planning Messaging Security
Lesson 2: Implementing an Antivirus Solution for Exchange Server 2013
Lesson 3: Implementing an Anti-Spam Solution for Exchange Server 2013
Lab: Planning and Configuring Message Security
Module Review and Takeaways
Module Overview
In any deployment, Exchange Server 2013 is exposed to the Internet 24 hours a day because email messages are commonly sent and received from the Internet. Users connect from the Internet to access their mailboxes by using different types of web browsers, computers, and devices. When users have this exposure to the Internet, organizations must plan and deploy security solutions that will protect their Exchange infrastructure. Organizations also must ensure that critical data, such as email messages, is protected from unauthorized access from the Internet, and that servers are protected from network attacks and malware.
Objectives
After completing this module, you will be able to:
Plan messaging security.
Implement an antivirus solution for Exchange Server 2013.
Implement an anti-spam solution for Exchange Server 2013.
Lesson 1: Planning Messaging Security
When administrators plan an Exchange Server 2013 deployment, security should be part of their organization's overall IT infrastructure security strategy. Administrators should have expertise in Exchange Server 2013, networking, security, the Windows Server 2012 operating system, and Active Directory Domain Services (AD DS) when they plan messaging security.
The complexity and cost of a security solution might differ depending on the organization's business requirements and security requirements. Because cost is important, administrators should make sure that they include business managers in the process of approving the optimal security solution.
Lesson Objectives
After completing this lesson, you will be able to:
Define messaging security requirements.
Plan a Simple Mail Transfer Protocol (SMTP) gateway solution.
Plan restrictions to message flow.
Plan SMTP connector security.
Plan secure message routing between partner organizations.
Plan client-based messaging security.
Defining Message Security Requirements
When administrators plan security, they should align their plan with the global corporate security requirements. Organizations should define the types of clients that will be connecting to their Exchange Server. They also should define how to protect their messaging infrastructure from both external and internal security threats.

Defining message security requirements includes the following components:

Exchange Server security requirements. Exchange servers must be configured with malware protection and spam protection. Organizations can use on-premise or cloud-based anti-spam and antimalware solutions to protect fr
Perimeter security requirements. Organizations should deploy firewalls and reverse proxy software
ployed in the perimeter network. SMTP gateway software or devices should have antimalware and
Internal client security requirements. Each client that connects to the Exchange infrastructure throug
External client security requirements. Organizations should decide which external clients they will
led and configured. Organizations should also decide which type of access they will allow, such as
SMTP Gateway Solution
The Simple Mail Transfer Protocol (SMTP) gateway solution is software or a device that is deployed in a perimeter network. If the SMTP gateway solution in a perimeter network runs on a Windows Server operating system, the computer should not be a member of the domain. This configuration makes it much easier and more secure to deploy in a perimeter network, because domain member computers located in a perimeter network need more ports opened on the firewall to connect to domain controllers than non-domain computers do.

When you deploy an SMTP gateway solution, consider the following infrastructure requirements:
The SMTP gateway solution should help prevent spam messages and malware from reaching your o
You should install an SMTP gateway solution on standalone servers, or as a device. The SMTP gatew
(FQDN) configured. This is because the MX record of the organization's SMTP domain resolves to
work.
You should deploy an SMTP gateway solution in a perimeter network. This configuration provides t
The firewall configuration required for an SMTP gateway solution is greatly simplified, because the
Firewall   Firewall rule
External   Allow TCP port 25 from all external IP addresses to the SMTP gateway solution.
External   Allow TCP port 25 to all external IP addresses from the SMTP gateway solution.
External   Allow TCP and UDP port 53 to all external IP addresses from the SMTP gateway solution.
Internal   Allow TCP port 25 from the SMTP gateway solution to specified Client Access servers.
Internal   Allow TCP port 25 from specified Client Access servers to the SMTP gateway solution.
Internal   If the SMTP gateway solution is configured to contact AD DS, allow the specific port needed for secure access (LDAP) port 636.
Internal   Allow port 3389 for remote administration of the Remote Desktop Protocol (RDP) from the internal network.
If the SMTP gateway solution directly routes email to the Internet, you must configure the server w
Note: The Edge server role is now included in Microsoft Exchange Server 2013 SP1. However, an
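The firewall rule table above, expressed as host firewall rules on the gateway itself, as an added example that is not part of the course. It assumes a Windows Server 2012 based gateway (so the NetSecurity cmdlets are available) with two network interfaces whose aliases are assumed to be "External" and "Internal", and uses placeholder addresses for the Client Access servers, the domain controllers and the administration subnet. The table's "all external IP addresses" becomes a rule scoped to the external interface.

```powershell
# Added example, not part of the course. Interface aliases and addresses are placeholders.
$internalCas = @('10.0.0.11', '10.0.0.12')   # assumed Client Access server addresses
$dcs         = @('10.0.0.1')                  # assumed domain controllers (only if the gateway contacts AD DS)
$adminNet    = '10.0.10.0/24'                 # assumed internal administration subnet

# Deny by default on every profile so that only the rules from the table are open.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# External side of the table
New-NetFirewallRule -DisplayName 'SMTP in from Internet'  -Direction Inbound  -Protocol TCP -LocalPort 25  -InterfaceAlias 'External' -Action Allow
New-NetFirewallRule -DisplayName 'SMTP out to Internet'   -Direction Outbound -Protocol TCP -RemotePort 25 -InterfaceAlias 'External' -Action Allow
New-NetFirewallRule -DisplayName 'DNS out to Internet TCP' -Direction Outbound -Protocol TCP -RemotePort 53 -InterfaceAlias 'External' -Action Allow
New-NetFirewallRule -DisplayName 'DNS out to Internet UDP' -Direction Outbound -Protocol UDP -RemotePort 53 -InterfaceAlias 'External' -Action Allow

# Internal side of the table: SMTP only to and from the named Client Access servers
New-NetFirewallRule -DisplayName 'SMTP out to CAS'  -Direction Outbound -Protocol TCP -RemotePort 25 -RemoteAddress $internalCas -InterfaceAlias 'Internal' -Action Allow
New-NetFirewallRule -DisplayName 'SMTP in from CAS' -Direction Inbound  -Protocol TCP -LocalPort 25  -RemoteAddress $internalCas -InterfaceAlias 'Internal' -Action Allow

# LDAPS (TCP 636) to AD DS, only when the gateway is configured to contact it
New-NetFirewallRule -DisplayName 'LDAPS to AD DS' -Direction Outbound -Protocol TCP -RemotePort 636 -RemoteAddress $dcs -InterfaceAlias 'Internal' -Action Allow

# RDP (TCP 3389) for administration, from the internal administration subnet only
New-NetFirewallRule -DisplayName 'RDP from admin network' -Direction Inbound -Protocol TCP -LocalPort 3389 -RemoteAddress $adminNet -InterfaceAlias 'Internal' -Action Allow

# Review what is open
Get-NetFirewallRule -Enabled True -Action Allow |
    Get-NetFirewallPortFilter | Format-Table InstanceID, Protocol, LocalPort, RemotePort -AutoSize
```

The perimeter firewall in the lesson's table is still required; these host rules duplicate it on the gateway so that a misconfiguration of one layer does not by itself expose LDAP or RDP to the external side.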
Planning Restrictions to Message Flow
Every organization sends and receives email messages 24 hours a day, seven days a week. The messages are sent and received from the Internet, and within the organization. To increase messaging security, organizations can optionally restrict message flow, so that some emails will not be allowed to be sent to the Internet, and others will not be sent within the corporate network.

Planning restrictions to message flow includes:

Planning for message delivery restrictions. Organizations might decide to restrict who can send email to selected users or groups. For example
Planning for transport rules. Transport rules are applied as messages pass through the Exchange Ser
ctions on which users can send email to each other and on message flow based on message contents
Planning for message moderation. You can assign moderators permissions to review all messages th
o alert the message originators if their message is approved or not.
Planning for data-loss prevention. Data Loss Prevention (DLP) is a new custom feature in Exchange Server 2013 that performs message content analysis an
ational security and compliance policies.
Planning SMTP Connector Security
Exchange Server 2013 offers several options to secure SMTP messaging traffic. All of these options rely on certificates to encrypt the traffic. The following methods for securing SMTP require that you implement the option both on the source and the target side.

IPSec
IPSec provides a set of extensions to the basic IP protocol, and you can use it to encrypt server-to-server communication. You can use IPSec to tunnel traffic, or peer-to-peer, to secure all IP communications natively. Because IPSec operates on the transport layer and is network based, applications that run on Exchange Server 2013 do not need to be aware of IPSec. You can use IPSec to secure server-to-server or client-to-server communication. You do not need another encryption method when using IPSec.
VPN
VPN also operates on the transport layer, and it frequently uses IPSec as the underlying protocol. You can use VPN for site-to-site or client-to-site connections. Both operate on the transport layer, which can be an advantage over application-layer protocols such as Secure MIME (S/MIME), which does not require the application on both ends to know about the protocol.
TLS
The transport layer security (TLS) protocol is the default protocol that an Exchange Server 2013 organization uses to encrypt server communication. It is a standard protocol that you can use to provide secure web communications on the Internet or intranet. TLS enables clients to authenticate servers or, optionally, servers to authenticate clients. It also provides a secure channel by encrypting communications. TLS is the latest version of the SSL protocol.
Exchange Server 2013's Domain Security feature uses TLS with mutual authentication, also known as mutual TLS, to provide session-based authentication and encryption. Standard TLS is used to provide confidentiality by encrypting, but not authenticating, the communication partners. This is typical of SSL, which is the HTTP implementation of TLS.
Alternate Options for Securing SMTP Traffic
Besides the abovementioned options, you can also implement authentication and authorization on SMTP connectors for security. This does not enforce traffic encryption, but it can prevent unauthorized users from sending SMTP messages to users in your organization, or relaying SMTP messages to the Internet. You can configure authentication and authorization based on user login, or on IP addresses or IP ranges.
Planning Secure Message Routing Between Partner Organizations
You can configure Exchange Server 2013 to use TLS to provide security for SMTP email. In most cases, you cannot use TLS when sending or receiving email because SMTP servers are not configured to use TLS. However, by requiring TLS for all SMTP email sent between your organization and other specified organizations, you can enable a high security level for SMTP email.

Securing a Connector to a Partner Organization

To secure a connector to a partner organization, you should configure mutual TLS, where each server verifies the identity of the other server by validating the certificate that the other server provides. It is an easy way for administrators to manage secured message paths between domains over the Internet. This means that all connections between the partner organizations are authenticated, and that all messages are encrypted while in transit on the Internet.
TLS with mutual authentication differs from TLS in its usual implementation. Typically, when you implement TLS, the client verifies a secure connection to the intended server by validating the server's certificate, which it receives during TLS negotiation. With mutual TLS, each server verifies the connection with the other server by validating a certificate that the other server provides.
Securing a connector to a partner organization works in a manner similar to establishing a TLS connection to an SMTP Receive connector. However, because mutual TLS is used, both the sender and the recipient authenticate each other before they send data. The message takes the following route from one organization to the other:
1. The transport component on the sender Mailbox server initiates a mutual TLS session with the tran
ing domain. You must set the domain information on the sending side by using the Set-TransportConfig -TLSReceiveDomainSecureList <domain name> cmdlet to set the domain information.
2. The SMTP communication is encrypted and transferred to the target Mailbox server.
3. The message is marked as secure, which displays in Outlook 2007 or newer versions, and in Outlo
To secure a connector to a partner organization, you need to perform the following process:
1. On the Mailbox server, generate a certificate request for TLS certificates. You can request the cert
(CA) or from a commercial CA. The SMTP server in the partner organization must trust the certific
2. Import and enable the certificate on the Mailbox server. After you request the certificate, you must
3. Configure outbound connector security. To configure outbound connector security, use Exchange
4. Configure inbound connector security. To configure inbound connector security, use Exchange Ma
5. Notify partner to configure connector security. Connector security must be configured on both side
6. Test message flow. Finally, send a message to the partner, and vice versa, to verify that domain se
Note: When you install the Mailbox server role, a self-signed certificate is issued to the server. No other computers trust this certificate. When you requir
cross-forest trust, or import a CA's certificate in the trusted root CA store on both sides.
Planning Client-Based Messaging Security
S/MIME is a messaging client-based solution for securing SMTP email. With S/MIME, each client computer must have a certificate, and the user is responsible for signing or encrypting each email.

How S/MIME Secures Email

S/MIME provides email security by using the following options:
Digital signatures. When a user chooses to add a digital signature to a message, the sender's private
ent. When the recipient receives the message, the sender's public key decrypts the hash value and c
Authentication. If the public key can decrypt the hash value attached to the message, the recipient k
Nonrepudiation. Only the private key associated with the public key could be used to encrypt the ha
Data integrity. If the hash value is still valid when the recipient receives it, any alteration of a messa
Message encryption. When a user chooses to encrypt a message by using S/MIME, the messaging c
ed session key is combined with the encrypted message when the message is sent. When the messag
Message encryption enhances confidentiality. You can decrypt a message by using only the private
When to Use S/MIME
When you configure S/MIME, consider the following:
A client certificate is required on each computer that sends secure email. Distributing client certifi
A sender must obtain access to the recipient's public key before the sender can send an encrypted
S/MIME is a user-based security model; therefore, the user has to take the action to sign or encryp
Certificates must be backed up. If one is lost, the user will not be able to decrypt messages that we
Messages cannot be scanned for policy compliance, viruses, or spam because the messages enterin
To set up a secure channel, all other solutions require some level of agreement between the messaging administrators in the two organizations. If users need to send secure emails to recipients in many different organizations, S/MIME is the most feasible option.
Demonstration: Configuring Secure Message Routing Between Partner Organizations
Demonstration Steps
1. On LON-CAS1, open the Exchange Administration Center (EAC) at https://LON-CAS1.adatum
2. Navigate to mail flow send connectors.
3. Create a send connector dedicated to the contoso.com domain. Click Partner type of connector. S
4. Create a receive connector dedicated to contoso.com.
5. Click Partner type of connector, and then configure the connector to accept email only from 172.1
6. On LON-CAS1, in the Exchange Management Shell, type: Set-TransportConfig -TLSSendDom
7. On LON-CAS1, in the Exchange Management Shell, type: Set-TransportConfig -TLSReceiveD
Note: The steps described in this demonstration also should be performed in the partner organizati
om domain.
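The following Exchange Management Shell script is an added example; it is not part of the course or of the demonstration. It carries the six-step procedure and the demonstration above through in cmdlets on the A. Datum side. It assumes that the partner domain is contoso.com and that its servers connect from the placeholder range 172.16.0.0/24, that LON-MBX1 is the Mailbox server and LON-CAS1 the Client Access server whose Front End Transport service terminates inbound TLS sessions, and that the certificate subject, file paths and connector names are this example's own choices.

```powershell
# Added example: Domain Security (mutual TLS) with a partner organization, A. Datum side.
# Assumed values: partner domain contoso.com, partner IP range 172.16.0.0/24 (placeholder),
# servers LON-MBX1 / LON-CAS1, file paths and connector names chosen for this example.

# 1. Request a certificate on the Mailbox server. Domain Security cannot use the self-signed
#    certificate that Setup installs, because the partner has to trust the issuing CA.
$request = New-ExchangeCertificate -Server LON-MBX1 -GenerateRequest -PrivateKeyExportable $true `
    -SubjectName "CN=mail.adatum.com, O=A. Datum Corporation, C=US" `
    -DomainName mail.adatum.com, adatum.com
Set-Content -Path C:\Certs\mail-adatum.req -Value $request
# Submit C:\Certs\mail-adatum.req to the CA; save the issued certificate as C:\Certs\mail-adatum.cer.

# 2. Import the issued certificate on the Mailbox server and enable it for SMTP.
$cert = Import-ExchangeCertificate -Server LON-MBX1 `
    -FileData ([Byte[]](Get-Content -Path C:\Certs\mail-adatum.cer -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Server LON-MBX1 -Thumbprint $cert.Thumbprint -Services SMTP

#    The Front End Transport service on the Client Access server terminates inbound TLS
#    sessions, so it needs the same certificate: export it with its private key and import it there.
$pfxPassword = Read-Host -AsSecureString -Prompt "Password for the exported PFX"
$pfx = Export-ExchangeCertificate -Server LON-MBX1 -Thumbprint $cert.Thumbprint -BinaryEncoded -Password $pfxPassword
Import-ExchangeCertificate -Server LON-CAS1 -FileData $pfx.FileData -Password $pfxPassword
Enable-ExchangeCertificate -Server LON-CAS1 -Thumbprint $cert.Thumbprint -Services SMTP

# 3. Outbound: Partner usage turns on Domain Security for the address space. DNS routing is
#    required for a domain-secured Send connector; a smart host would break the partner check.
New-SendConnector -Name "Contoso Domain Secure" -Usage Partner -AddressSpaces contoso.com `
    -DNSRoutingEnabled $true -SourceTransportServers LON-MBX1 -DomainSecureEnabled $true -RequireTLS $true

# 4. Inbound: a Receive connector scoped to the partner's addresses. When several connectors
#    share a binding, the one with the most specific RemoteIPRanges match handles the session.
New-ReceiveConnector -Name "Contoso Domain Secure" -Usage Partner -Server LON-CAS1 `
    -TransportRole FrontendTransport -Bindings 0.0.0.0:25 -RemoteIPRanges 172.16.0.0/24
Set-ReceiveConnector -Identity "LON-CAS1\Contoso Domain Secure" `
    -AuthMechanism Tls -DomainSecureEnabled $true -RequireTLS $true

# 5. Name the partner domain in both Domain Security lists. @{Add=...} appends to the existing
#    multivalued lists instead of overwriting them.
Set-TransportConfig -TLSSendDomainSecureList @{Add="contoso.com"} `
    -TLSReceiveDomainSecureList @{Add="contoso.com"}

# 6. The partner performs the same steps for adatum.com. Confirm the settings before testing
#    mail flow in both directions.
Get-TransportConfig | Format-List TLSSendDomainSecureList, TLSReceiveDomainSecureList
Get-SendConnector -Identity "Contoso Domain Secure" | Format-List Usage, AddressSpaces, DomainSecureEnabled, RequireTLS
Get-ReceiveConnector -Identity "LON-CAS1\Contoso Domain Secure" | Format-List RemoteIPRanges, AuthMechanism, DomainSecureEnabled
```

Step 5 is the one that turns plain TLS into Domain Security: without the domain in both lists, the connectors negotiate TLS but the message is not marked as secure, and a partner whose certificate does not chain to a CA trusted on the receiving server will be rejected rather than accepted unauthenticated.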
Lesson 2: Implementing an Antivirus Solution for Exchange Server 2013
Email is one of the most common ways to spread viruses from one organization to another. One of your primary tasks in protecting your Exchange Server organization is to ensure that all messages that contain viruses are stopped at the messaging environment's perimeter, but also within the corporate network.
Exchange Server 2013 introduces a built-in feature for antimalware protection. This feature can be used as a standalone solution, or it can be paired with Microsoft's cloud-based solution known as Exchange Online Protection. It also can be replaced with a third-party antivirus solution.
Lesson Objectives
After completing this lesson, you will be able to:
Describe antivirus solution requirements.
Describe options for implementing an antivirus solution in Exchange Server 2013.
Configure antivirus solution features in Exchange Server 2013.
Describe Exchange Online Protection.
Describe deployment options for Online Protection.
Define best practices for deploying an antivirus solution.
Overview of Antivirus Solution Requirements
Organizations should evaluate and plan their antivirus solution on a corporate level. They must ensure that their IT infrastructure is protected from any threat, regardless of whether it originates from the Internet or from within their internal corporate network. To successfully protect their Exchange Server environment, organizations must also protect all other software products, such as Windows server and client computers, Microsoft SQL Server, and Microsoft SharePoint Server.

When planning an antivirus solution, organizations should consider the following requirements:
Protection from malware (viruses and spyware). The solution must be efficient in recognizing and r
Protection from spam. The solution should also have anti-spam features in order to provide a single
Designed for Exchange Server 2013. An antivirus solution must be designed to support the new arc
level-based antivirus solutions for protecting Exchange Server 2013. If you use file-level-based anti
Corporate antivirus software. Organizations also might choose to deploy a corporate antivirus solut
level based protection, Exchange Server, and Microsoft Lync Server. In this scenario, security a
Options for Implementing an Antivirus Solution in Exchange Server 2013
Each organization has its own unique strategy for antivirus protection, which is based on the organization's business requirements. Some organizations choose to deploy the built-in antimalware protection in Exchange Server 2013, while other organizations invest in third-party solutions. Some organizations might choose to use a cloud-based solution such as Exchange Online Protection to eliminate any potentially infected email before it reaches the corporate network.

When you plan your antivirus solution for Exchange Server 2013, you should consider the following options:
Use the built-in antimalware features. Organizations can use the built-in protection that ru
Use a hosted, cloud-based solution or hybrid solution. In this scenario, organizations can choose to use both onsite antim
premise.
Use the existing corporate antivirus solution. Some organizations already have a third-party corpora
party antivirus software for Exchange Server 2013 that will integrate with the corporate antivirus so
Deploy an antivirus solution in the perimeter network. Many organizations deploy an SMTP gateway
spam software installed. In this scenario, email is inspected for malware before it enters the corporat
Antivirus Solution Features in Exchange Server 2013
Exchange Server 2013 introduces built-in antimalware protection that is deployed on the Mailbox server role. This protection is not available on the Client Access server role.

Exchange antimalware protection features include:
Antimalware protection can be enabled or disabled. Organizations might choose between Exchange
party antivirus solution is used, then Exchange antimalware protection should be disabled. You can
cenarios where you would troubleshoot issues that are related to Exchange antimalware protection.
Once enabled, antimalware protection will connect to the Internet using HTTP port 80 in order to d
Exchange Server is deployed in a production environment, because an Exchange Server that is not
The scanning is performed on each message that is sent or received by the Mailbox server role. Sca
You can configure the default antimalware policy by using both the EAC and Exchange Manageme
o Delete the entire message. This is the default setting that will delete the entire message, including
o Delete all attachments and use default alert text. If malware is detected in an attachment, this actio
s detected in one or more attachments included with this email. All attachments have been deleted
o Delete all attachments and use custom alert text. If malware is detected in an attachment, this actio
o Notify the administrator and sender. A message can be sent to the sender or administrator that an e
What Is Exchange Online Protection?
Exchange Online Protection (formerly Microsoft Forefront Protection for Exchange) is a cloud-based anti-spam and antimalware solution. Organizations can choose to deploy it as a single solution or a hybrid solution together with the Exchange Server on-premise antimalware protection. Because this is a cloud-based product, it does not require any hardware or software deployment. Instead, the current Mail Exchanger (MX) records of the on-premise Exchange Server are reconfigured to point to the servers where Exchange Online Protection is hosted.

Exchange Online Protection has the following features:
Web-based management console. Administrators can manage antimalware protection according to t
Multi-engine antivirus. Multiple engines that run on Exchange Online Protection eliminate malware
Real-time response. Exchange Online Protection is updated every two hours with definition updates
Email availability. If an on-premise Exchange Server infrastructure is unavailable for any reason, Exchange Online Protection a
Reporting. This feature provides comprehensive reporting, auditing, and message-tracing capabiliti
Best Practices for Deploying an Antivirus Solution
Deploying and managing an antivirus solution in Exchange Server is a continuous process. Exchange administrators should regularly monitor and evaluate their antivirus solution to report on its efficiency; this may include statistics such as the percentage of messages cleaned from malware.

Furthermore, Exchange administrators and security administrators should also stay abreast of the latest security threats.
You should consider the following best practices when you deploy an antivirus solution:
Provide multi-layered protection. To provide enhanced security against viruses, you should implem
protected client within your company. Therefore, as a best practice, you should implement several l
based Exchange Online Protection. Furthermore, it is recommended that antimalware engines on th
Maintain regular antivirus updates. Installing an antivirus product does not automatically mean that
implemented antivirus solution. You also should monitor your antivirus patterns frequently to ensur
Monitor antivirus reports. Exchange administrators should regularly monitor antivirus software rep
Stay informed on the latest Internet security and malware threats. Exchange administrators and secu
ent best practices and recommendations.
Demonstration: Configuring Antimalware Protection for Exchange Server
Demonstration Steps
Enabling antimalware features in Exchange Server 2013
1. On LON-MBX1, in the Exchange Management Shell, type the following:
CD "C:\Program Files\Microsoft\Exchange Server\V15\Scripts"
2. In the Exchange Management Shell, enable antimalware scanning by typing the following scrip
.\Enable-AntimalwareScanning.ps1
3. Verify that the following message appears: Antimalware engines are updating. This may tak
4. In the Exchange Management Shell, restart the Microsoft Exchange Transport Service by run
Restart-Service MSExchangeTransport
5. Type CTRL-C to stop running the script.
6. In the Exchange Management Shell, list the installed transport agents by running the following
Get-TransportAgent
7. Verify that the following antimalware agent is listed: Malware Agent. Verify that the status of
Configuring the default antimalware policy
1. Switch to LON-CAS1.
2. In the EAC, open the Malware filter tab.
3. Edit the default antimalware policy by selecting:
o Malware Detection Response: select Delete all attachments and use custom alert text.
o Custom alert text box, and then type:
o The attachment has been deleted because it contained malware. Contact your administr
o Notifications: select both the Notify internal senders and Notify external senders check bo
o Administrator Notifications: select Notify administrator about undelivered messages fro
o Administrator email address box: type administrator@adatum.com.
4. Next, continue to edit the default antimalware settings by selecting:
o Administrator Notifications: select Notify administrator about undelivered messages fro
o Administrator email address box: type administrator@adatum.com.
5. Save the configuration settings.
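The same configuration done in the Exchange Management Shell, as an added example rather than a step of the demonstration or of the course. It reuses the lab names from the demonstration (LON-MBX1, administrator@adatum.com) and the first sentence of the custom alert text; the verification at the end, including the per-server BypassFiltering check, is this example's own addition.

```powershell
# Added example: enable antimalware scanning and set the default policy from the shell.
# Lab names (LON-MBX1, administrator@adatum.com) are taken from the demonstration above.

# Part 1: enable the Malware Agent on the Mailbox server and make the transport service load it.
& "$env:ExchangeInstallPath\Scripts\Enable-AntimalwareScanning.ps1"
Restart-Service MSExchangeTransport
Get-TransportAgent -Identity "Malware Agent" | Format-List Enabled, Priority

# Part 2: the default policy. Delete the attachment and replace it with custom text, notify both
# internal and external senders, and send administrator reports for undelivered messages from
# both internal and external senders. The values match the EAC choices in the demonstration.
Set-MalwareFilterPolicy -Identity Default `
    -Action DeleteAttachmentAndUseCustomAlert `
    -CustomAlertText "The attachment has been deleted because it contained malware." `
    -EnableInternalSenderNotifications $true -EnableExternalSenderNotifications $true `
    -EnableInternalSenderAdminNotifications $true -InternalSenderAdminAddress administrator@adatum.com `
    -EnableExternalSenderAdminNotifications $true -ExternalSenderAdminAddress administrator@adatum.com

# Part 3: verify the policy and the per-server scanning state. BypassFiltering must be False on
# every Mailbox server; a server with bypass enabled accepts mail without applying the policy.
Get-MalwareFilterPolicy -Identity Default |
    Format-List Action, CustomAlertText, Enable*Notifications, *AdminAddress
Get-MalwareFilteringServer -Identity LON-MBX1 |
    Format-List BypassFiltering, UpdateFrequency, PrimaryUpdatePath
```

The policy is organization-wide, but scanning is switched on per server, which is why the EAC steps alone (part 2) do nothing on a Mailbox server where the agent was never enabled (part 1).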
Lesson 3: Implementing an Anti-Spam Solution for Exchange Server 2013
Spam messages can adversely affect the messaging environment of your organization. Therefore, implementing an anti-spam solution is a critical component of maintaining your organization's messaging environment hygiene. Exchange Server 2013 includes several features that you can use to implement anti-spam protection in your organization.
This lesson provides an overview of the options available for anti-spam filtering, and describes how you can configure your Exchange Server 2013 to reduce spam in your organization.
Lesson Objectives
After completing this lesson, you will be able to:
Define anti-spam solutions.
Describe Exchange Server 2013 spam-filtering features.
Apply Exchange Server 2013 spam filters.
Configure Sender ID filtering.
Configure sender reputation filtering.
Configure content filtering.
Understand the spam confidence level (SCL) in Exchange Server 2013.
Apply best practices for deploying an anti-spam solution.
Overview of Anti-Spam Solutions
Organizations should evaluate and plan their strategy regarding the most appropriate anti-spam solution based on their network infrastructure and business requirements. They might consider using different solutions, including on-premise software or devices, or cloud-based anti-spam services.

When you plan to deploy an anti-spam solution, you should consider the following options:
Ease of configuration. The solution should be straightforward to configure and manage. It should al
Protection from malware. Ideally, the solution should also have antimalware features to provide a s
Use the built-in anti-spam features. Organizations can use the built-in protection that runs on the M
Hosted, cloud-based solution or hybrid solution. In this scenario, organizations might choose to use
spam filtering solutions that will help keep spam outside the corporate network.
Deploying an anti-spam solution in the perimeter network. Many organizations deploy an SMTP gat
End-user notification for quarantined messages. The solution notifies users if an email sent is blocked. If
spam or antimalware scanning. If the email is not spam and does not contain malware, users can re
spam software solutions have options to enable users to retrieve their quarantined messages withou
Overview of Spam-Filtering Features
The spam-filtering functionality available on the Mailbox server role is not enabled by default. If you do not have an SMTP gateway, Exchange Edge Transport server or online anti-spam solution, you should enable spam filtering in Exchange Server 2013. To enable and configure anti-spam filtering in Exchange Server 2013, you should use the Exchange Management Shell. You cannot configure spam filtering with the Exchange Administration Center.

Mailbox Server Anti-Spam Agents

The following table lists the anti-spam agents implemented during the default installation of the Mailbox server role.
Agent                        Description
Content Filtering            Filters messages based on the message contents. This agent uses Microsoft SmartScreen
Sender ID                    Filters messages by verifying the IP address of the sending SMTP server against the pur
Sender Filtering             Filters messages based on the sender in the MAIL FROM: SMTP header in the message
Recipient Filtering          Filters messages based on the recipients in the RCPT TO: SMTP header in the message.
Sender Reputation Filtering  Filters messages based on many sender characteristics accumulated over a specific perio

Unlike previous Exchange Server versions, Exchange Server 2013 does not provide an option for connection filtering based on sender IP or real-time block list (RBL) providers. It is critical that organizations deploy a connection filtering gateway or a cloud-based anti-spam solution that includes connection filtering based on sender IP and RBL lists, because most of the spam can be blocked by using RBL providers.
Anti-spam filtering in Exchange Server 2013 is configured only by using the Exchange Management Shell. The filtering agents are not installed by default. To install all anti-spam agents, you should run the Install-AntiSpamAgents.ps1 script in the Exchange Management Shell. The script is located in the ExchangeInstallPath\Scripts folder, where ExchangeInstallPath is a variable that represents the folder where Exchange Server files have been installed.
Note: You can view all the agents installed on the Mailbox server by using the Get-TransportAgent cmdlet on the Mailbox server.
Safelist Aggregation
In Exchange Server 2013, the Content Filter agent on the Mailbox server uses the Microsoft Office Outlook Safe Senders lists, Safe Recipients lists, and trusted contacts to optimize spam filtering. Safelist aggregation is a set of anti-spam functionality that Outlook and Exchange Server 2013 share. This anti-spam functionality collects data from the anti-spam safe lists that Microsoft Outlook users configure, and makes this data available to the anti-spam agents on the Mailbox server. You must use the Update-Safelist cmdlet to configure safelist aggregation.
Applying Exchange Server 2013 Spam Filters
The Mailbox server role in Exchange Server 2013 uses spam-filtering agents to examine each SMTP connection and the messages sent through it. When an SMTP server on the Internet connects to the Exchange Client Access server and initiates an SMTP session, the SMTP protocol is proxied to the Mailbox server, where the Mailbox server examines each message by using the following sequence:
1. The Mailbox server compares the sender's email address with the list of senders configured in sen
essage from the blocked sender, but stamp the message with the blocked sender information and co
2. The Mailbox server examines the recipient against the Recipient Block list configured in recipient
are not on the Recipient Block list, further processing is done on the message.
3. Exchange Server 2013 applies Sender ID filtering. Depending on how the Sender ID is configured
ed as one of the criteria when content filtering processes the message.
4. The Mailbox server applies content filtering, which compares the sender to the senders in the Safe
nders List, the message is assigned an SCL rating and content filtering performs one of the followin
o If the SCL rating is higher than one of the configured Mailbox server thresholds, content filtering
o If the SCL rating is lower than one of the Mailbox server thresholds, the message is passed to a tr
Note: You can bypass spam filtering for a specific recipient by setting the AntispamBypassEna
What Is Sender and Recipient Filtering?
Sender and recipient filtering are features that provide protection from unwanted email in Exchange Server 2013. Sender filtering evaluates the MAIL FROM: SMTP header from an incoming email. Based on that information, sender filtering can reject the message if it originates from an unwanted domain. Recipient filtering evaluates the RCPT TO: SMTP header from an incoming email.

Based on that information, recipient filtering can send an SMTP error message to the sending server if the message is sent to a non-existing recipient.
Sender Filtering
Sender filtering is performed by the sender filter agent. If the sender email address or a domain matches the sender filter configuration, the filtering agent performs one of the following actions:
The sender filter agent rejects the SMTP request with a 554 5.1.0 Sender Denied SMTP session e
The sender filter agent does not reject the message, but it stamps the message with information tha
spam agents that process the same message use the stamp information to increase the SCL value o
You can configure sender filtering to block a specific email address, a domain, or a domain with its subdomains. By default, sender filtering is performed only on email that is sent from non-authenticated servers, which are external senders.
After you install anti-spam agents on the Exchange Server Mailbox role, you should check if the Sender Filter Agent is enabled by typing the following cmdlet in the Exchange Management Shell:
Get-SenderFilterConfig | Format-List Enabled
To configure sender filtering to block messages from marketing@contoso.com, you should type the following cmdlet:
Set-SenderFilterConfig -BlockedSenders marketing@contoso.com
To configure sender filtering to block all messages originating from a company with an SMTP domain of contoso.com, you should type the following cmdlet:
Set-SenderFilterConfig -BlockedDomains contoso.com
Recipient Filtering
Recipient filtering is performed by the recipient filter agent. Based on the destination email address of the recipient, the recipient filter agent performs one of the following actions:
If the recipient email address does not exist or it should be blocked from receiving email from exter
If an incoming email message is sent to the existing email address, and the recipient does not match
After you install anti-spam agents on the Exchange Server Mailbox role, you should check if the Recipient Filter Agent is enabled by typing the following cmdlet in the Exchange Management Shell:
Get-RecipientFilterConfig | Format-List Enabled
To configure recipient filtering to block external messages sent to helpdesk@adatum.com, you should run the following cmdlet:
Set-RecipientFilterConfig -BlockListEnabled $true -BlockedRecipients helpdesk@adatum.com
To configure recipient filtering to block messages to recipients that do not exist in your organization, run the following cmdlet:
Set-RecipientFilterConfig -RecipientValidationEnabled $true
What Is Sender ID Filtering?
Sender ID filtering enables received email messages to be filtered based on the servers from which they originated. Sender ID filtering requires implementation of the Sender ID Framework, which is an industry standard that verifies the Internet domain from which each email message originates, based on the sender's server IP address. The Sender ID Framework provides protection against email domain spoofing and phishing schemes. By using the Sender ID Framework, email senders can register all email servers that send email from their SMTP domain. Then, email recipients can filter email from that domain that does not come from the specified servers.

Sender Policy Framework Records

To enable Sender ID filtering, each email sender must create a Sender Policy Framework (SPF) record and add it to their domain's DNS records. The SPF record is a single text (TXT) record in the DNS database that identifies each domain's email servers. SPF records can use several formats, including those in the following examples:
Adatum.com. IN TXT v=spf1 mx -all. This record specifies that any server that has an MX reco
Mail IN TXT v=spf1 a -all. This record indicates that any host with an A record can send mail.
Adatum.com IN TXT v=spf1 ip4:10.10.0.20 all. This record indicates that a server with the IP
Note: Microsoft provides the Sender ID Framework SPF Record Wizard to create your organization
How Sender ID Works
After you configure the SPF records, any destination messaging servers that use the Sender ID features can identify your server by using Sender ID. After you enable Sender ID filtering, the following process shows how all email messages are filtered:
1. The sender transmits an email message to the recipient organization. The destination mail server re
2. The destination server checks the domain that claims to have sent the message, and checks DNS fo
er authorized to send email for that domain is called the purported responsible address.
3. If the IP addresses match, the destination server authenticates the message and delivers it to the de
4. If the addresses do not match, the mail fails authentication. Depending on the email server configu
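The check described in steps 2 to 4 can be reproduced from a workstation to verify your own published SPF record against the addresses your servers actually send from. The following function is an added example, not part of the course and not Exchange's own Sender ID agent; it uses the Windows Resolve-DnsName cmdlet and handles the mx, a, ip4: and all mechanisms shown in the record examples above, including CIDR ranges in ip4:. The function names, parameters and the adatum.com usage values are this example's own.

```powershell
# Added example: resolve a domain's SPF record and test whether a given sending IPv4 address is
# authorized by the "mx", "a", "ip4:" and "all" mechanisms. Requires Resolve-DnsName
# (Windows 8 / Windows Server 2012 or later) and DNS access; function names are this example's own.
# Not handled here: include:, redirect=, ip6:, exists:, ptr and prefix lengths on a/mx.

function Test-IPv4InCidr {
    param([System.Net.IPAddress] $Address, [string] $Cidr)   # $Cidr such as 10.10.0.0/24 or 10.10.0.20
    $parts   = $Cidr -split '/'
    $prefix  = if ($parts.Count -gt 1) { [int]$parts[1] } else { 32 }
    $network = [System.Net.IPAddress]::Parse($parts[0])
    # Pack the four address bytes into an integer (most significant first) and compare the leading bits.
    $toInt = { param($ip) $b = $ip.GetAddressBytes(); ([long]$b[0] -shl 24) -bor ([long]$b[1] -shl 16) -bor ([long]$b[2] -shl 8) -bor [long]$b[3] }
    $mask  = (([long]4294967295) -shl (32 - $prefix)) -band [long]4294967295
    return ((& $toInt $Address) -band $mask) -eq ((& $toInt $network) -band $mask)
}

function Test-SpfAuthorization {
    param(
        [Parameter(Mandatory)] [string] $Domain,    # domain in MAIL FROM, the purported sender
        [Parameter(Mandatory)] [string] $SenderIP   # IPv4 address of the connecting SMTP server
    )
    # The SPF record is the TXT record that starts with v=spf1; a domain may publish only one.
    $records = @(Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Strings } |
        ForEach-Object { $_.Strings -join '' } |
        Where-Object { $_ -like 'v=spf1*' })
    if ($records.Count -eq 0) { return [pscustomobject]@{ Domain = $Domain; SenderIP = $SenderIP; Result = 'None'; Record = $null } }
    if ($records.Count -gt 1) { return [pscustomobject]@{ Domain = $Domain; SenderIP = $SenderIP; Result = 'PermError'; Record = $records } }
    $spf = $records[0]

    $sender     = [System.Net.IPAddress]::Parse($SenderIP)
    $authorized = New-Object System.Collections.Generic.List[string]   # addresses/CIDRs the record allows
    $default    = 'Neutral'                                            # result when no mechanism matches

    foreach ($term in ($spf -split '\s+' | Select-Object -Skip 1)) {
        switch -Regex ($term) {
            '^\+?mx$' {
                # Every host named in the domain's MX records may send for it
                Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue |
                    Where-Object { $_.NameExchange } |
                    ForEach-Object { Resolve-DnsName -Name $_.NameExchange -Type A -ErrorAction SilentlyContinue } |
                    Where-Object { $_.IPAddress } |
                    ForEach-Object { $authorized.Add($_.IPAddress) }
            }
            '^\+?a$' {
                Resolve-DnsName -Name $Domain -Type A -ErrorAction SilentlyContinue |
                    Where-Object { $_.IPAddress } |
                    ForEach-Object { $authorized.Add($_.IPAddress) }
            }
            '^\+?ip4:' { $authorized.Add(($term -split ':', 2)[1]) }
            '^-all$'   { $default = 'Fail' }
            '^~all$'   { $default = 'SoftFail' }
            '^\?all$'  { $default = 'Neutral' }
            '^\+?all$' { $default = 'Pass' }
        }
    }

    $matched = $authorized | Where-Object { Test-IPv4InCidr -Address $sender -Cidr $_ } | Select-Object -First 1
    $result  = if ($matched) { 'Pass' } else { $default }   # Fail is what Sender ID treats as a spoofed domain
    [pscustomobject]@{ Domain = $Domain; SenderIP = $SenderIP; Result = $result; Record = $spf }
}

# Usage (values from the record examples above):
# Test-SpfAuthorization -Domain adatum.com -SenderIP 10.10.0.20
```

A record that ends in a bare all (as in the third example above) evaluates to Pass for every address, so it authorizes nothing in particular; the -all qualifier is what lets a receiving server act on the mismatch.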
How Sender ID Is Configured
After you install anti-spam agents on the Exchange Server Mailbox role, you should check if Sender ID is enabled by typing the following cmdlet in the Exchange Management Shell:
Get-SenderIDConfig | Format-List Enabled
To configure Sender ID filtering to reject email from spoofed domains, you should type the following cmdlet in the Exchange Management Shell:
Set-SenderIDConfig -SpoofedDomainAction Reject
You can also configure Sender ID filtering to bypass a specific internal recipient, or a specific sender domain. To configure a Sender ID filtering exception for a specific internal user and for email received from the contoso.com domain, you should type the following cmdlet in the Exchange Management Shell:
Set-SenderIDConfig -BypassedRecipients adam@adatum.com -BypassedSenderDomains contoso.com
What Is Sender Reputation Filtering?
Sender Reputation is part of the Exchange Server 2013 anti-spam functionality, and it makes message filtering decisions based on information about recent email messages received from specific senders. The Sender Reputation agent analyzes various statistics about the sender and the email message to create a sender reputation level (SRL).
This SRL is a number between 0 and 9, where a value of 0 indicates that there is less than a 1 percent chance that the sender is a spammer, and a value of 9 indicates that there is more than a 99 percent chance of it. If a sender appears to be the spam source, then the Sender Reputation agent automatically adds the IP address for the SMTP server that is sending the message to the list of blocked IP addresses.
How Sender Reputation Filtering Works
When the Mailbox server receives the first message from a specific sender, the SMTP sender is assigned an SRL of 0. As more messages arrive from the same source, the Sender Reputation agent evaluates the messages and begins to adjust the sender's rating. The Sender Reputation agent uses the following criteria to evaluate each sender:
Sender open proxy test. An open proxy is a proxy server that accepts c
alculates an SRL, it does so by formatting an SMTP request in an attempt to connect back to the Ma
statistic.
HELO/EHLO analysis. The HELO and EHLO SMTP commands are intended to provide the receiv
ot match the IP address from which the connection originated, or to use a domain name that is diffe
spammer.
Reverse DNS lookup. The Sender Reputation agent also verifies that the originating IP address from
e DNS query by submitting the originating IP address to DNS. If the domain names do not match, t
SCL ratings analysis on a particular sender's messages. When the Content Filter agent processes a m
each sender's SCL ratings and uses it to calculate SRL ratings.
The Sender Reputation agent calculates the SRL for each unique sender over a specific time. When the SRL rating exceeds the configured limit, the IP address for the sending SMTP server is added to the IP Block list for a specific time.
Sender Reputation Configuration
You can configure the Sender Reputation settings only by using the Exchange Management Shell. Settings include the Sender Reputation block threshold, and configuring the timeout period for how long a sender will remain on the IP Block list. By default, if the sender reputation threshold is reached, the sender IP addresses are blocked for 24 hours.
The agent that performs Sender Reputation filtering is called the Protocol Analysis Agent, and it is not installed by default. After you install anti-spam agents on the Exchange Server Mailbox role, you should check the Sender Reputation filtering configuration settings by typing the following cmdlet in the Exchange Management Shell:
Get-SenderReputationConfig | Format-List Enabled,*MailEnabled
To configure the sender SRL block threshold to 7 and to add senders that reach that threshold value to the IP Block List for 36 hours, you should type the following cmdlet in the Exchange Management Shell:
Set-SenderReputationConfig -SrlBlockThreshold 7 -SenderBlockingPeriod 36
Understanding the SCL in Exchange Server 2013
The Content Filter agent analyzes the content of every email message to evaluate whether the message is spam. When the Mailbox server receives a message, the Content Filter agent evaluates the message's content for recognizable patterns, and then assigns a rating based on the probability that the message is spam. This rating is attached to the message as an SCL, which is a numerical value between 0 and 9. A rating of 0 indicates that the message is highly unlikely to be spam, whereas a rating of 9 indicates that the message is very likely to be spam. This rating persists with the message when it is sent to other servers running Exchange Server.

SCL Thresholds and Actions


You can configure SCL thresholds and actions only in the Exchange Management Shell. The Exchange server evaluates the SCL value for a specific message and performs the corresponding action defined for that value in the Exchange Management Shell. Exchange administrators can configure SCL thresholds from 0 to 9 and define the following actions:
SCL delete threshold. If the SCL value is equal to or higher than the SCL delete threshold, the mess
SCL reject threshold. If the SCL value is equal to or higher than the SCL reject threshold, the messa
(NDR) will be sent to the original sender of the message. If the value is lower than the SCL reject th
SCL quarantine threshold. If the SCL value is equal to or higher than the SCL quarantine threshold,
positive messages and forward them to the recipients. A false positive is an email that has been blocked d
spam or antimalware scanning, but the email actually is not spam and does not contain malware. If
SCL junk email folder threshold. If the SCL value is equal to or higher than the SCL quarantine thr
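As an added example that is not part of the course text, the following Exchange Management Shell function applies the four thresholds only after checking that they are ordered delete >= reject >= quarantine >= junk (a message is handled by the most severe action whose threshold it meets, so a reject threshold set above the delete threshold would never take effect) and that a quarantine mailbox is named before the quarantine action is enabled. The cmdlets and parameters are the real Set-ContentFilterConfig and Set-OrganizationConfig ones; the threshold values and the quarantine@adatum.com address are constructed.

```powershell
# Added example, not from the course: apply SCL thresholds with an ordering check first.
# Constructed values; cmdlets and parameters are the real Exchange Server 2013 ones.

function Test-SclThresholdOrder {
    param([int]$Delete, [int]$Reject, [int]$Quarantine, [int]$Junk)

    foreach ($v in @($Delete, $Reject, $Quarantine, $Junk)) {
        if ($v -lt 0 -or $v -gt 9) { throw "SCL thresholds must be between 0 and 9, got $v." }
    }
    # Every action fires when SCL >= its threshold and the most severe action wins, so the
    # order must be delete >= reject >= quarantine >= junk or a less severe action never runs.
    if (-not ($Delete -ge $Reject -and $Reject -ge $Quarantine -and $Quarantine -ge $Junk)) {
        throw "Out of order: delete=$Delete reject=$Reject quarantine=$Quarantine junk=$Junk"
    }
    return $true
}

function Set-SclThresholds {
    param(
        [int]$Delete = 9,
        [int]$Reject = 8,
        [int]$Quarantine = 7,
        [int]$Junk = 6,
        [string]$QuarantineMailbox = "quarantine@adatum.com"   # constructed lab address
    )

    Test-SclThresholdOrder -Delete $Delete -Reject $Reject -Quarantine $Quarantine -Junk $Junk | Out-Null

    # Quarantining with no destination mailbox silently loses mail; refuse to enable it.
    if ([string]::IsNullOrWhiteSpace($QuarantineMailbox)) {
        throw "Set a quarantine mailbox before enabling the SCL quarantine action."
    }

    Set-ContentFilterConfig -SCLDeleteEnabled $true -SCLDeleteThreshold $Delete `
        -SCLRejectEnabled $true -SCLRejectThreshold $Reject `
        -SCLQuarantineEnabled $true -SCLQuarantineThreshold $Quarantine `
        -QuarantineMailbox $QuarantineMailbox

    # The junk email folder threshold is an organization setting, not a content filter one.
    Set-OrganizationConfig -SCLJunkThreshold $Junk

    # Read the result back so the change is visible in the shell transcript.
    Get-ContentFilterConfig | Format-List SCL*Enabled, SCL*Threshold, QuarantineMailbox
    Get-OrganizationConfig  | Format-List SCLJunkThreshold
}

Set-SclThresholds -Delete 9 -Reject 8 -Quarantine 7 -Junk 6
```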
What Is Content Filtering?
Content filtering is configured to reject all messages with an SCL higher than 7. You can modify the default content-filtering settings by using the Exchange Management Shell.

You can modify the following settings in the Exchange Management Shell:
Configure custom words. You can specify a list of key words or phrases to prevent blocking any me
ords or phrases that will cause the Content Filter agent to block a message containing those words.
Specify exceptions. You can configure exceptions to exclude any messages from content filtering th
Specify actions. You can configure the SCL thresholds and threshold actions. You can configure th
Note: When the Content Filter agent rejects a message, it uses the default response of 550 5.7.1 Message rejected due to content restrictions. You can customize this message by using the Set-ContentFilterConfig cmdlet in the Exchange Management Shell.
Configuring the Quarantine Mailbox
When the SCL value for a specific message exceeds the SCL quarantine threshold, the Content Filter agent sends the message to a quarantine mailbox. Before you can configure this option on the Mailbox server, you must configure a mailbox as the quarantine mailbox by configuring the QuarantineMailbox parameter of the Set-ContentFilterConfig cmdlet. As a messaging administrator, you should regularly check the quarantine mailbox to make sure that the content filter is not filtering legitimate emails.
Note: Messages are sent to the quarantine mailbox only when the message's SCL value exceeds the quarantine threshold that you configured on the content filter. To see details on all actions that transport agents perform on a Mailbox server, use the scripts located in the following folder: %programfiles%\Microsoft\Exchange Server\Scripts.
The Get-AgentLog.ps1 script produces a raw listing of all actions that transport agents perform. The folder contains several other scripts that produce formatted reports listing information such as the top blocked sender domains, the top blocked senders, and the top blocked recipients. By default, the transport agent logs are located in the following folder: %programfiles%\Microsoft\Exchange Server\TransportRoles\Logs\AgentLog.
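The scripts described above can be turned into a daily check. The following function is an added example, not part of the course material; it assumes that Get-AgentLog.ps1 accepts -StartDate and -EndDate, that its output objects expose Agent, Action, Reason, IPAddress and P1FromAddress properties, that a content filter rejection is recorded with the action name RejectMessage, and that the Scripts folder sits under Exchange Server\V15 as in the lab.

```powershell
# Added example, not from the course: summarize anti-spam agent actions for the last 24 hours
# from the Get-AgentLog.ps1 output. Assumptions: the script takes -StartDate/-EndDate, its
# output has Agent, Action, Reason, IPAddress and P1FromAddress properties, and the action
# recorded for a content filter rejection is named RejectMessage.
function Get-AntiSpamActionSummary {
    param(
        [datetime]$Start = (Get-Date).AddHours(-24),
        [datetime]$End   = (Get-Date),
        [int]$Top        = 10
    )

    # Scripts folder as used in the lab (Exchange Server\V15\Scripts).
    $scripts = Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V15\Scripts'
    $entries = @(& (Join-Path $scripts 'Get-AgentLog.ps1') -StartDate $Start -EndDate $End)
    if ($entries.Count -eq 0) { Write-Warning "No agent log entries between $Start and $End."; return }

    # 1. Which agent took which action, and how often. A sudden jump in rejections, or a drop
    #    to zero for an agent that should be active, both deserve a closer look.
    Write-Host "Actions per agent, $Start to $End"
    $entries |
        Group-Object Agent, Action |
        Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Agent/Action'; e = { $_.Name } } |
        Format-Table -AutoSize

    # 2. Senders rejected by the Content Filter agent, with the recorded reason. This is the
    #    list to compare against user reports of missing mail (false positives).
    Write-Host "Top $Top senders rejected by the Content Filter agent"
    $entries |
        Where-Object { $_.Agent -eq 'Content Filter Agent' -and $_.Action -eq 'RejectMessage' } |
        Group-Object P1FromAddress |
        Sort-Object Count -Descending |
        Select-Object -First $Top Count, Name,
            @{ n = 'Reasons'; e = { ($_.Group | ForEach-Object { $_.Reason } | Sort-Object -Unique) -join ', ' } } |
        Format-Table -AutoSize

    # 3. Connecting IP addresses acted on by the Protocol Analysis (Sender Reputation) agent,
    #    that is, the senders that reached the SRL block threshold.
    Write-Host "Top $Top IP addresses acted on by the Protocol Analysis agent"
    $entries |
        Where-Object { $_.Agent -eq 'Protocol Analysis Agent' } |
        Group-Object IPAddress |
        Sort-Object Count -Descending |
        Select-Object -First $Top Count, Name |
        Format-Table -AutoSize
}

Get-AntiSpamActionSummary
```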
The SCL Junk Email Folder Threshold
If the SCL value for a specific message exceeds the SCL junk email folder threshold, then the Mailbox server places the message in the Outlook user's junk email folder. If the SCL value for a message is lower than the SCL delete, reject, quarantine, and junk email folder threshold values, then the Mailbox server puts the message in the user's Inbox.
Best Practices for Deploying an Anti-Spam Solution
Anti-spam protection requires ongoing monitoring of the anti-spam solution reports. Administrators have to evaluate anti-spam settings and adjust the configuration according to current Internet spam threats and the users' feedback. For example, an organization's users might complain that they receive more than five spam messages per day, which indicates that the anti-spam configuration should be enhanced with additional settings.

When configuring anti-spam settings, consider the following best practices:


Update anti-spam definitions. Anti-spam software uses definitions to scan email for content that is l
spam software vendors must remain diligent in updating their anti-spam definitions. Consequently,
Monitor anti-spam reports. Exchange administrators should regularly monitor anti-spam software re
Regularly read about the latest Internet security and spam threats. Exchange administrators and security
spam settings should be reconfigured according to the latest best practices and recommendations.
Regularly evaluate end users' feedback. User feedback related to the number of spam messages rec
spam solution. Exchange administrators and security administrators should regularly evaluate end u
m messages received each day. Conversely, users might mention that they do not receive email from
Use multi-layered anti-spam protection. Exchange Server 2013 anti-spam agents are located on the Mailbox server role in the internal network; therefore, it is recomme
spam protection; in other words, by using both cloud-based Exchange Online Protection and Exchan
spam features in the Exchange on-premise deployment.
Demonstration: Configuring Anti-Spam Features on Exchange Server 2013
Demonstration Steps
Enabling anti-spam features on LON-MBX1
1. Switch to LON-MBX1.
2. Switch to the Exchange Management Shell.
3. In the Exchange Management Shell, install anti-spam agents by running the following Window
.\Install-AntiSpamAgents.ps1
4. In the Exchange Management Shell, restart the Microsoft Exchange Transport Service by run
Restart-Service MSExchangeTransport
5. In the Exchange Management Shell, specify the IP addresses of the internal SMTP servers LO
MBX2 that should be ignored by the Sender ID agent, by running the following cmdlet:
Set-TransportConfig -InternalSMTPServers @{Add="172.16.0.22","172.16.0.223"}
6. In the Exchange Management Shell, list installed transport agents by running the following cmd
Get-TransportAgent
Verify that the following anti-spam agents are listed: Content Filter Agent, Sender ID Agent, Sender Filter Agent, Recipient Filter Agent, Protocol Analysis Agent.
Configuring content filtering on LON-MBX1
1. In the Exchange Management Shell, verify that content filtering is enabled by running the follo
Get-ContentFilterConfig | Format-List Enabled
Verify that Enabled:True is displayed.
2. In the Exchange Management Shell, configure the blocked phrase Poker results by running the
Add-ContentFilterPhrase -Influence BadWord -Phrase "Poker results"
3. In the Exchange Management Shell, configure the allowed phrase Report document by runnin
Add-ContentFilterPhrase -Influence GoodWord -Phrase "Report document"
Lab: Planning and Configuring Message Security
Scenario
You are a messaging administrator in A. Datum Corporation, which is a large multinational organization. Your organization has deployed Exchange Server 2013 internally, and now you must configure options for message security.
Objectives
After completing this lab, you will be able to:
Configure antimalware in Exchange Server 2013.
Configure anti-spam in Exchange Server 2013.
Lab Setup
Estimated Time: 45 minutes

Virtual machines: 20341B-LON-DC1, 20341B-LON-CAS1, 20341B-LON-MBX1
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin
the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Mana
2. In the Windows Hyper-V Manager, click 20341B-LON-DC1, and in the Actions pane, click Sta
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
a. User name: Adatum\Administrator
b. Password: Pa$$w0rd
5. Repeat steps 2-4 for 20341B-LON-MBX1, and 20341B-LON-CAS1.
Exercise 1: Configure Antimalware Options in Exchange Server 2013
Scenario
A. Datum organization has decided to use Exchange Server 2013 antimalware features. You have to configure antimalware features to prevent malware from entering your network.
The main tasks for this exercise are as follows:
1. Enable antimalware features in Exchange Server 2013
2. Configure the default antimalware policy in Exchange Server 2013
Task 1: Enable antimalware features in Exchange Server 2013
1. On LON-MBX1, on the Start screen, click Exchange Management Shell.
2. In the Exchange Management Shell, change the current folder to \Program Files\Microsoft\Exchange S
cd "\Program Files\Microsoft\Exchange Server\V15\Scripts"
3. In the Exchange Management Shell, enable antimalware scanning by typing the following script:
.\Enable-AntimalwareScanning.ps1
4. Verify that the following message appears: Antimalware engines are updating. This may take a
C to stop the script.
5. In the Exchange Management Shell, restart the Microsoft Exchange Transport Service by runnin
Restart-Service MSExchangeTransport
6. In the Exchange Management Shell, list installed transport agents by running the following cmdlet
Get-TransportAgent
7. Verify that the following antimalware agent is listed: Malware Agent. Note that the status of Malw
Task 2: Configure the default antimalware policy in Exchange Server 2013
1. Switch to LON-CAS1.
2. Start Internet Explorer.
3. In Internet Explorer, open the EAC located at the following address: https://lon-cas1.adatum.com/ecp
4. Sign in to the EAC as Adatum\Administrator with the password Pa$$w0rd.
5. In the EAC, from the protection feature, open the malware filter tab.
6. Edit the default antimalware policy using the following settings:
o Malware Detection Response: select Delete all attachments and use custom alert text.
o Custom alert text box, type the following text: The attachment has been deleted because it co
o Notifications: select both Notify internal senders and Notify external senders check boxes
7. Next, continue to change the default antimalware policy settings by selecting:
o Administrator Notifications: select Notify administrator about undelivered messages fro
o Administrator email address box: type administrator@adatum.com.
8. Save the configuration settings.
Exercise 2: Configuring Anti-Spam Options on Exchange Server
Scenario
A. Datum organization has decided to use Exchange Server 2013 anti-spam features. You have to configure anti-spam features to prevent spam from entering your network.
The main tasks for this exercise are as follows:
1. Enable anti-spam features on LON-MBX1
2. Configure content filtering on LON-MBX1
3. Configure sender and recipient filtering on LON-MBX1
Task 1: Enable anti-spam features on LON-MBX1
1. Switch to LON-MBX1.
2. In the Exchange Management Shell, install anti-spam agents by running the following PowerSh
.\Install-AntiSpamAgents.ps1
3. In the Exchange Management Shell, restart the Microsoft Exchange Transport Service by run
Restart-Service MSExchangeTransport
4. In the Exchange Management Shell, specify the IP addresses of the internal SMTP servers LO
MBX2 that should be ignored by the Sender ID agent, by running the following cmdlet:
Set-TransportConfig -InternalSMTPServers @{Add="172.16.0.22","172.16.0.223"}
5. In the Exchange Management Shell, list installed transport agents by running the following cmd
Get-TransportAgent
6. Verify that the following anti-spam agents are listed: Content Filter Agent, Sender ID Agent,
Task 2: Configure content filtering on LON-MBX1
1. In the Exchange Management Shell, verify that content filtering is enabled by running the followin
Get-ContentFilterConfig | Format-List Enabled
2. Verify that Enabled:True is displayed.
3. In the Exchange Management Shell, configure the blocked phrase Poker results by running the follow
Add-ContentFilterPhrase -Influence BadWord -Phrase "Poker results"
4. In the Exchange Management Shell, configure the allowed phrase Report document by running the f
Add-ContentFilterPhrase -Influence GoodWord -Phrase "Report document"
5. In the Exchange Management Shell, configure the quarantine mailbox quarantine@adatum.com
Set-ContentFilterConfig -QuarantineMailbox quarantine@adatum.com
Note: In a production environment, you should also create a user mailbox and configure it to be a
6. In the Exchange Management Shell, configure SCL thresholds with the following values SCLReje
Set-ContentFilterConfig -SCLRejectEnabled $true -SCLRejectThreshold 8 -SCLQuarantineEnabled $true -SCLQuarantineThreshold 7
7. In the Exchange Management Shell, configure the custom rejection response "Your message was rej
Set-ContentFilterConfig -RejectionResponse "Your message was rejected by our spam filter. Contact your administrator."
8. In the Exchange Management Shell, configure the SCL junk threshold with the value 6 for all ma
Set-OrganizationConfig -SCLJunkThreshold 6
Task 3: Configure sender and recipient filtering on LON-MBX1
1. On LON-MBX1, in the Exchange Management Shell, configure sender filtering to block messa
Set-SenderFilterConfig -BlockedSenders marketing@contoso.com
2. In the Exchange Management Shell, configure recipient filtering to block messages sent to help
Set-RecipientFilterConfig -BlockListEnabled $true -BlockedRecipients helpdesk@adatum.com
Note: In this scenario, we assume that the email address helpdesk@adatum.com is for internal
Exercise 3: Validating Antimalware and Anti-Spam Configuration
Scenario
In this exercise, you will validate the antimalware and anti-spam configuration by sending a test email that contains simulated test malware. Then you will connect to LON-MBX1 by using the telnet command, and you will send email messages that should be blocked by the anti-spam agents.
The main tasks for this exercise are as follows:
1. Validate antimalware configuration
2. Validate anti-spam configuration
3. To prepare for the next module
Task 1: Validate antimalware configuration
1. Switch to LON-CAS1.
2. Edit the E:\Labfiles\Mod09\Eicar.txt file and remove the line breaks between the first line and t
3. Close any instances of Internet Explorer.
4. Open Internet Explorer, and type https://lon-cas1.adatum.com/owa.
5. Sign in as Adatum\Michael with the password of Pa$$w0rd, and save the default settings on the
6. In the Outlook Web App window, create a new email to mark@adatum.com with the subject Te
7. In the Outlook Web App window, click on Michael Allen, and then click Sign out.
8. In Internet Explorer, on the Outlook Web App logon page, sign in as Adatum\Mark with the pa
9. In the Outlook Web App window, double-click the new message from Michael Allen. Open the
10. In the Outlook Web App window, click on Mark Bebbington, and then click Sign out.
Task 2: Validate anti-spam configuration
1. Switch to LON-DC1.
2. On LON-DC1, open Windows PowerShell from the task bar.
3. At the command prompt, type telnet LON-CAS1 smtp, and then press Enter.
4. Type helo, and press Enter.
5. Type mail from: info@internet.com, and press Enter.
You should receive the response: 250 2.1.0 Sender OK
6. Type rcpt to: michael@adatum.com, and press Enter.
Response: 250 2.1.5 Recipient OK.
7. Type data, and press Enter.
Response: 354 Start mail input; end with <CRLF>.<CRLF>
8. Type Subject: Information for you and then press Enter twice. Type Please find below pok
9. Press the period (.) key, and then press Enter.
10. Verify that following message is displayed: Your message was rejected by our spam filter. C
11. Type Quit, and press Enter.
Task 3: To prepare for the next module
When you finish the lab, revert the virtual machines to their initial state by performing the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20341B-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20341B-LON-CAS1, and 20341B-LON-MBX1.
5. In Hyper-V Manager, click 20341B-LON-DC1, and in the Actions pane, click Start.
6. In the Actions pane, click Connect. Wait until the virtual machine starts.
7. Sign in using the following credentials:
a. User name: Adatum\Administrator
b. Password: Pa$$w0rd
8. Repeat steps 5 to 7 for 20341B-LON-MBX1. When you have successfully signed in to LON-MBX
Results: After completing this exercise, you should have validated antimalware scanning when sending a test message with a malware simulation attachment, where the attachment will be deleted by the Exchange Server 2013 antimalware feature. You should have also validated anti-spam content filtering when sending a simulation of a spam message, where the message will be stored in the recipient's junk email folder by the Exchange Server 2013 content filtering feature.
Question: What anti-spam agents are available in Exchange Server 2013?
Question: What is the purpose of the SCL threshold?
Module Review and Takeaways
Best Practice
When configuring an anti-spam and antivirus solution, always follow the vendor's technical documentation on how to deploy, manage, and maintain those solutions. Internet threats are changing every day, so Exchange administrators and security administrators must be regularly educated on and aware of the latest security threats. As security threats change, an organization's anti-spam and antivirus solutions and management best practices might also change.
Common Issues and Troubleshooting Tips
Common Issue
You have configured anti-spam content filtering, but employees complain that they still receive spam email.
You have configured anti-spam content filtering, but employees complain that they do not receive email from business partners.
One employee complained that when he received an email, the attachment was missing, and was replaced with another attachme
Review Question(s)
Question: What strategy for anti-spam and antimalware protection are you going to suggest for your organization?
Real-world Issues and Scenarios
Your employees often complain about email being blocked as spam or malware, when the email was neither spam nor malware. Such false-positive email is one of the biggest issues in anti-spam and antimalware protection. False positive means that an email has been blocked due to anti-spam or antimalware scanning, but the email actually is not spam and does not contain malware.
To address the issue, contact security administrators to investigate the reasons why those emails have been identified as spam or malware. Re-evaluate your anti-spam and antimalware protection settings, and edit the settings if necessary.
Tools
Exchange Administration Center (EAC): Used for configuring antimalware policy
Exchange Management Shell: Used for configuring antimalware policy, antimalware settings, and anti-spam settings
Module 10: Planning and Configuring Administrative Security and Auditing
Contents:
Module Overview

Lesson 1: Configuring Role-Based Access Control

Lesson 2: Configuring Audit Logging

Lab: Configuring Administrative Security and Auditing

Module Review and Takeaways

Module Overview
In many organizations, Microsoft Exchange Server provides a critical business function for both internal and external users. In addition, many organizations expose at least a few of their Exchange servers to the Internet. For these reasons, it is important that you take appropriate actions to secure the Exchange Server deployment. There are several components to securing your Exchange Server deployment: configuring administrative permissions appropriately and securing the Exchange Server configuration. This module describes how to configure permissions and secure Microsoft Exchange Server 2013.
Objectives
After completing this module, you will be able to:
Configure role-based access control (RBAC) permissions.
Configure audit logging.
Lesson 1: Configuring Role-Based Access Control
Exchange Server 2013 uses the role-based access control (RBAC) permissions model to restrict the administrative tasks that users can perform on the Mailbox, Edge Transport, and Client Access server roles. With RBAC, you can control the resources that administrators can configure and the features that users can access. This lesson describes how to implement RBAC permissions in Exchange Server 2013, and how to configure permissions on Edge Transport servers.
Lesson Objectives
After completing this lesson, you will be able to:
Describe RBAC.
Describe management role groups.
Identify Exchange Server 2013 built-in management role groups.
Manage RBAC permissions.
Configure custom management role groups.
Describe management role-assignment policies.
Describe Exchange Server split permissions.
Configure RBAC split permissions.
Configure Active Directory Domain Services (AD DS) split permissions.
What Is Role-Based Access Control?
RBAC is the permissions model available since the Microsoft Exchange Server 2010 release. With RBAC, you do not have to modify and manage access control lists (ACLs) on Exchange Server or Active Directory Domain Services (AD DS) objects.

In Exchange Server 2013, RBAC controls the administrative tasks that users can perform and the extent to which they can administer their own mailbox and distribution groups. When you configure RBAC permissions, you can define precisely which Exchange Management Shell cmdlets a user can run and which objects and attributes the user can modify.
All Exchange Server administration tools, including the Exchange Management Shell and the Exchange Administration Center (EAC), use RBAC to determine user permissions. Therefore, permissions are consistent regardless of which tool you use.
Note: If RBAC allows a user to run a specific cmdlet, that cmdlet actually runs in the security context of the Exchange Trusted Subsystem, and not in the context of the user. The Exchange Trusted Subsystem is a highly privileged universal security group that has read/write access to every Exchange Server-related object in the Exchange organization. It also is a member of the Administrators local security group and the Exchange Windows Permissions universal security group, which enables Exchange Server 2013 to create and manage AD DS objects.
RBAC Options
RBAC assigns permissions to users in two primary ways, depending on whether the user is an administrator or an end user:
Management role groups. RBAC uses management role groups to assign permissions to administra
erver features, such as compliance or specific recipients. To use management role groups, add users
in management role group, or to a custom management role group. RBAC assigns each role group o
Management role assignment policies. Management role assignment policies are used to assign end
assignment policies consist of roles that control what users can do with their mailboxes or distributio
Note: You also can use direct role assignment to assign permissions. Direct role assignment is an a
assignment policy. Direct role assignments are useful when you need to provide a granular set of pe
role groups.
What Are Management Role Groups?
A management role group is a universal security group that simplifies the process of assigning management roles to a group of users. All members of a role group are assigned the same set of roles.

In Exchange Server 2013, groups such as Organization Management and Recipient Management are assigned administrator and specialist roles that define major administrative tasks. Role groups enable you to more easily assign a broader set of permissions to a group of administrators or specialist users.
Management role groups are used to assign administrator permissions to groups of users. To understand how management role groups work, you need to understand their components.
Components of Management Role Groups
Management role groups use several underlying components to define how RBAC assigns permissions. These include:
Role holder. A role holder is a user or security group that can be added to a management role group
group member, RBAC grants it all of the permissions that the management roles provide. You can e
Management role group. The management role group is a universal security group that contains use
group members. Management role groups are assigned to management roles. The combination of all
Management role. A management role is a container for a group of management role entries. These
Management role entries. A management role entry is a cmdlet, including its parameters, which you
Management role assignment. A management role assignment assigns a management role to a role
use the cmdlets that the management role defines.
Management role scope. A management role scope is the scope of influence or impact that the role
organizational units, and recipient objects, among others.
Examples of Management Role Groups
Management role groups define who can perform specific tasks and the scope within which administrators can perform those tasks. For example, you can use RBAC to assign permissions as the following table shows:

| Role holder | Management role group | Management role | Management role entries |
| --- | --- | --- | --- |
| Stan | Organization Management | Organization Management | All Exchange cmdlets |
| Joel | Help Desk | HelpDesk | Cmdlets related to mailbox |
| Andy | Sales Admins | SalesAdminRole | Cmdlets related to Recipien |

Built-In Management Role Groups


Exchange Server 2013 includes several built-in role groups that you can use to provide varying levels of administrative permissions to user groups. You can add users to, or remove them from, any built-in role group. You also can add or remove role assignments to or from most role groups.

| Role group | Description |
| --- | --- |
| Organization Management | Role holders have access to the entire Exchange Server 2013 organization and can |
| View-Only Organization Management | Role holders can view the properties of any object in the organization. |
| Recipient Management | Role holders have access to create or modify Exchange Server 2013 recipients wi |
| UM Management | Role holders can manage the Unified Messaging (UM) features within the organiz |
| Discovery Management | Role holders can perform searches of mailboxes in the Exchange organization for |
| Records Management | Role holders can configure compliance features, such as retention policy tags, me |
| Server Management | Role holders have access to Exchange Server configuration. They do not have acc |
| Help Desk | Role holders can perform limited recipient management. |
| Public Folder Management | Role holders can manage public folders and databases on Exchange servers. |
| Delegated Setup | Role holders can deploy previously provisioned Exchange servers. |
| Compliance Management | Role holders can configure and manage compliance settings. This role group is ne |
| Hygiene Management | Role holders can manage Exchange Server anti-spam features and grant permissio |

Note: All of these role groups are located in the Microsoft Exchange Server Security Groups organizational unit (OU) in AD DS.
Demonstration: Managing Permissions Using the Built-In Role Groups
In this demonstration, you will review how to manage RBAC permissions in Exchange Server 2013 by using the built-in role groups. You will see how to add users to the built-in role groups, and how RBAC assigns the resulting permissions to the user accounts.
Demonstration Steps
1. On LON-DC1, open Active Directory Users and Computers, and add Tony to the Recipient Ma
2. On LON-CAS1, open the EAC, sign in as Adatum\Tony and verify that you can see the Exchange Serve
3. Start the Exchange Management Shell, and run the following cmdlets:
Get-ExchangeServer | FL
Set-User Adam -Title Manager
Process for Configuring Custom Role Groups
In addition to the built-in role groups, you also can create custom role groups to delegate specific permissions within the Exchange organization. Use this option when the permissions you need to delegate cannot be limited appropriately with the built-in role groups.

Configuring a Custom Management Role Group


RBAC offers a variety of ways in which you can assign permissions in an Exchange Server 2013 environment. For example, RBAC enables you to assign permissions to a group of administrators in a branch office who only need to manage recipient tasks for branch-office users and mailboxes on branch-office Mailbox servers. To implement this scenario, you would:
1. Create a new role group, and add the branch office administrators to the role group. You can use th
RoleGroup cmdlet to create the group or create the group using the EAC. When you create the gro
2. Assign management roles to the branch office administrators. To delegate permissions to a custom
in management roles. Exchange Server 2013 includes approximately 70 built-in management roles
managementrole cmdlet. To view detailed information about a management role, type get-manag
Note: You also can configure a new management role rather than use one of the existing managem
ManagementRole cmdlet to create a custom management role based on one of the existing manag
ermissions from the role, as necessary, by using the Remove-ManagementRoleEntry cmdlet. How
3. Identify the management scope for the management role. For example, in the branch-office scenar
4. Create the management role group using the information that you collect. You can use the EAC or
New-RoleGroup -Name BranchOfficeAdmins -Roles "Mail Recipients", "Distribution Groups", "Move Mailboxes", "Mail Recipient Creation" -RecipientOrganizationalUnitScope adatum.com/BranchOffice
The cmdlet does the following:
o Creates a new role group named BranchOfficeAdmins.
o Assigns the Mail Recipients, Distribution Groups, Move Mailboxes, and Mail Recipient Creation
o Configures a management role scope limited to the BranchOffice OU in the Adatum.com doma
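To confirm that a custom role group came out as scoped as the steps above intend, this added function (not from the course) lists the group's role assignments with their write scopes, its members, and the cmdlets from those roles that remove or disable objects, and it flags any assignment whose recipient write scope is organization-wide rather than limited to an OU. It uses the real Get-ManagementRoleAssignment, Get-RoleGroupMember and Get-ManagementRoleEntry cmdlets and the page's BranchOfficeAdmins group name.

```powershell
# Added example, not from the course: audit a custom role group's effective scope.
function Test-RoleGroupScope {
    param([Parameter(Mandatory)][string]$RoleGroup)

    $findings = @()

    # One role assignment per assigned role; the recipient write scope says which recipients
    # members may change (OU for an OU-scoped assignment, Organization for everything).
    $assignments = @(Get-ManagementRoleAssignment -RoleAssignee $RoleGroup)
    if ($assignments.Count -eq 0) { throw "Role group '$RoleGroup' has no role assignments." }

    foreach ($a in $assignments) {
        if ($a.RecipientWriteScope -eq 'Organization') {
            $findings += "Role '$($a.Role)' is assigned with an organization-wide recipient write scope."
        }
    }

    # Everyone in the group gets all of these roles, so check who is actually a member.
    $members = @(Get-RoleGroupMember -Identity $RoleGroup)

    # Cmdlets from the assigned roles that remove or disable objects: the ones worth knowing
    # a branch-office group can run before the scope question is settled.
    $destructive = foreach ($a in $assignments) {
        Get-ManagementRoleEntry -Identity "$($a.Role)\*" |
            Where-Object { $_.Name -like 'Remove-*' -or $_.Name -like 'Disable-*' }
    }

    if ($findings.Count -gt 0) { $summary = $findings -join "`n" } else { $summary = 'none' }

    [pscustomobject]@{
        RoleGroup          = $RoleGroup
        Members            = ($members | ForEach-Object { $_.Name }) -join ', '
        Assignments        = $assignments |
                                 Select-Object Role, RecipientWriteScope, CustomRecipientWriteScope, ConfigWriteScope
        DestructiveCmdlets = ($destructive | Select-Object -ExpandProperty Name -Unique | Sort-Object) -join ', '
        Findings           = $summary
    }
}

Test-RoleGroupScope -RoleGroup BranchOfficeAdmins | Format-List
```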
Demonstration: Configuring Custom Role Groups
In this demonstration, you will see how to create a custom role group, add roles and members to the role group, and verify that the permissions you granted are working as expected.
Demonstration Steps
1. On LON-CAS1, in the EAC, create a new role group named MarketingAdmins. This group should be loca
2. Switch to LON-MBX1, verify in Active Directory Users and Computers that the new group has be
3. Verify in the EAC that the permissions are correctly working.
What Are Management Role Assignment Policies?
Management role assignment policies associate end-user management roles with users. You do not configure administrative permissions with management role assignment policies. Rather, you use management role assignment policies to configure the changes that users can make to their own mailbox settings and to distribution groups that they own. Every user with an Exchange Server 2013 mailbox receives a role assignment policy by default. You can:
Decide which role assignment policy to assign by default.
Choose what to include in the default role assignment policy.
Override the default policy for specific mailboxes.
In Exchange Server 2013, you can use the EAC to view and modify the default management role assignment policy and configure additional management role assignment policies with different permissions. For example, you can modify the default role assignment policy so that users cannot change their own properties, such as their addresses or telephone numbers. If you create a custom management role assignment policy, you must assign it to the applicable mailboxes.
Role Assignment Components
Role assignment policies consist of the following components that define what users can do with their mailboxes:
Mailbox. Mailboxes are assigned a single role assignment policy. When a mailbox is assigned a rol
Management role assignment policy. The management role assignment policy is an object in Excha
s included in a role assignment policy defines everything that associated users can manage on their
Management role assignment. Management role assignments link management roles and role assign
fy a scope. The scope that the assignment applies is based on the management role, and is either Se
Management role. A management role is a container for a group of management role entries. Roles
Management role entry. A management role entry is a cmdlet, script, or special permission that ena
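The following is an added example, not code from the course, showing the change described above in the Exchange Management Shell: a custom role assignment policy that omits the MyContactInformation role, so its users cannot edit their own addresses or telephone numbers, assigned to the mailboxes in one OU and then verified. The policy name Restricted Users and the OU path Adatum.com/BranchOffice are assumed values.

```powershell
# Added example, not part of the course material. The policy name and OU path are assumed.
# Run from the Exchange Server 2013 Management Shell.

# 1. Find the default role assignment policy and collect the end-user roles it grants.
$defaultPolicy = Get-RoleAssignmentPolicy | Where-Object { $_.IsDefault }
$defaultRoles  = Get-ManagementRoleAssignment -RoleAssignee $defaultPolicy.Name |
    ForEach-Object { $_.Role.Name }

# 2. Build a new policy with the same roles minus MyContactInformation (addresses, phone numbers).
#    The default policy is left untouched, so mailboxes not moved to the new policy keep their rights.
$restrictedRoles = $defaultRoles | Where-Object { $_ -ne 'MyContactInformation' }
if (-not (Get-RoleAssignmentPolicy -Identity 'Restricted Users' -ErrorAction SilentlyContinue)) {
    New-RoleAssignmentPolicy -Name 'Restricted Users' -Roles $restrictedRoles
}

# 3. A custom policy is not applied automatically: assign it to every mailbox in the OU (assumed path).
$ou = 'Adatum.com/BranchOffice'
Get-Mailbox -OrganizationalUnit $ou -ResultSize Unlimited |
    Set-Mailbox -RoleAssignmentPolicy 'Restricted Users'

# 4. Verify: any mailbox in the OU still on another policy is listed; the output should be empty.
Get-Mailbox -OrganizationalUnit $ou -ResultSize Unlimited |
    Where-Object { $_.RoleAssignmentPolicy.Name -ne 'Restricted Users' } |
    Format-Table Name, RoleAssignmentPolicy -AutoSize
```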
What Are Exchange Server Split Permissions?
AD DS and Exchange Server 2013 are highly integrated, and there is no option for changing this.
In many small or medium-sized organizations, the same administrators are responsible for managing both the Exchange Server environment and the AD DS environment. This is called a shared-permissions model.
However, in many larger organizations, different teams of administrators are responsible for managing the AD DS and Exchange Server infrastructures. These organizations often have two separate IT groups that manage the organization's Exchange Server infrastructure (including servers and recipients) and its AD DS infrastructure. Normally, this means that Exchange Server administrators cannot manage AD DS objects, and vice versa. This model of administration is often called a split-permissions model. Split permissions enable organizations to assign specific permissions and related tasks to specific groups within the organization.
When you implement split permissions, you remove the ability of Exchange Server administrators to create security principals, such as user or security group objects, in AD DS by using the Exchange Server management tools. This applies to both user accounts and security groups. The end result of implementing split permissions is that security principals must be created using AD DS management tools. Once the object has been created, you can use the Exchange management tools to configure the Exchange-specific attributes on the security principals.
Exchange Server 2013 defaults to the shared-permissions model. You do not need to change anything if this is the permissions model you want to use. This model does not separate the management of Exchange Server and Active Directory objects from within the Exchange Server management tools. It allows administrators using the Exchange Server management tools to create security principals in AD DS.
Split-Permissions Options in Exchange Server 2013
The following are the Exchange Server 2013 options for implementing split permissions:
RBAC split permissions. When you implement RBAC split permissions, you remove the Exchange
Active Directory split permissions. When you implement Active Directory split permissions, you re
s prevents anyone from using the Exchange Server management tools to create AD DS security prin
Configuring RBAC Split Permissions
By default, administrators who are assigned to either the Mail Recipient Creation role or the Security Group Creation and Membership role can create security principals in AD DS. In Exchange Server 2013, the Organization Management role group is assigned both of these role assignments, while the Recipient Management role group is assigned the Mail Recipient Creation role assignment.

When you configure RBAC split permissions, you remove these management role assignments from the default management role groups. This means that the members of the management role groups no longer have permission to run the cmdlets used to create security principals, thus blocking them from creating these objects by using any of the Exchange Server 2013 management tools. When you enable RBAC split permissions, Exchange Server administrators will not be able to use the following cmdlets:
New-Mailbox
New-MailContact
New-MailUser
New-RemoteMailbox
Remove-Mailbox
Remove-MailContact
Remove-MailUser
Remove-RemoteMailbox
In addition, the associated features in the Exchange Server Management Console and the EAC (such as the New Mailbox Wizard) will generate an error if you try to use them.
Configuring RBAC split permissions does not prevent administrators from using the AD DS management tools to create security principals. If an Exchange Server administrator has AD DS permissions to create security principals, they can do so by using the AD DS tools. They can then configure the Exchange Server attributes using the Exchange Server management tools.
In addition, configuring RBAC split permissions does not modify the underlying RBAC principle that Exchange servers, through the Exchange Trusted Subsystem group, have permissions to create security principals in Active Directory. RBAC split permissions doesn't remove permissions from the Exchange Trusted Subsystem account; it only removes permission to run cmdlets from Exchange Server administrators.
To configure RBAC split permissions, you must do the following:
1. Disable Active Directory split permissions if it is enabled. You can do this by running Exchange S
n is using the shared-permissions model, you can skip this step.
2. Create a new role group that will contain the administrators that will be able to create security prin
ment tools to create security principals.
3. Create regular and delegating role assignments between the Mail Recipient Creation role and the n
4. Create regular and delegating role assignments between the Security Group Creation and Members
5. Remove the regular and delegating management role assignments between the Mail Recipient Cre
6. Remove the regular and delegating role assignments between the Security Group Creation and Me
After configuring RBAC split permissions, only members of the new role group that you create can create security principals, such as mailboxes. The new role group will only be able to create the objects; it will not be able to configure the Exchange Server attributes on the new object. An Active Directory administrator who is a member of the new group will need to create the object, and then an Exchange Server administrator will need to configure the Exchange Server attributes on the object. If you want the new role group to also be able to manage the Exchange Server attributes on the new object, you must assign the Mail Recipients role to the new role group.
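The following added example (not part of the course) is a check to run after completing the steps above: it lists every enabled assignment of the two creation roles held by anyone other than the designated role group, confirms that the designated group still holds both roles, and shows the group's members. The role group name HRAdmins is assumed.

```powershell
# Added example, not part of the course material. The designated group name is assumed.
# Run from the Exchange Server 2013 Management Shell after configuring RBAC split permissions.
function Test-RbacSplitPermissions {
    param(
        # The role group that is allowed to keep the security-principal creation roles.
        [Parameter(Mandatory = $true)] [string] $DesignatedGroup
    )

    $creationRoles = 'Mail Recipient Creation', 'Security Group Creation and Membership'

    # Every enabled assignment of either role that is NOT held by the designated group is a
    # finding. Delegating assignments count too: their holder could re-grant the role later.
    $findings = foreach ($role in $creationRoles) {
        Get-ManagementRoleAssignment -Role $role -Enabled $true |
            Where-Object { $_.RoleAssigneeName -ne $DesignatedGroup } |
            ForEach-Object {
                [pscustomobject]@{
                    Role           = $role
                    Assignee       = $_.RoleAssigneeName
                    AssigneeType   = $_.RoleAssigneeType
                    DelegationType = $_.RoleAssignmentDelegationType
                    WriteScope     = $_.RecipientWriteScope
                }
            }
    }

    # The designated group must hold both roles; otherwise no one can create security
    # principals from the Exchange tools at all.
    foreach ($role in $creationRoles) {
        $held = Get-ManagementRoleAssignment -Role $role -RoleAssignee $DesignatedGroup -Enabled $true
        if (-not $held) {
            Write-Warning "'$DesignatedGroup' has no enabled assignment for the role '$role'."
        }
    }

    # Membership review: these accounts can now create security principals through Exchange.
    Write-Host "Members of ${DesignatedGroup}:"
    Get-RoleGroupMember -Identity $DesignatedGroup | Format-Table Name, RecipientType -AutoSize | Out-Host

    if ($findings) {
        Write-Warning "$(@($findings).Count) assignment(s) outside '$DesignatedGroup' still grant creation rights."
        $findings | Format-Table -AutoSize | Out-Host
    } else {
        Write-Host "Only '$DesignatedGroup' holds the creation roles."
    }

    # Note: this checks RBAC assignments only. As described above, RBAC split permissions leave
    # the Exchange Trusted Subsystem's own AD DS permissions in place.
    return $findings
}

Test-RbacSplitPermissions -DesignatedGroup 'HRAdmins'
```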
Configuring Active Directory Split Permissions
Active Directory split permissions differ from RBAC split permissions. When you implement Active Directory split permissions, the Exchange servers no longer have permission to create AD DS security principals, because the permissions that are normally granted to the Exchange Windows Permissions group are removed. Since the Exchange Trusted Subsystem group that contains all of the Exchange Server 2010 and Exchange Server 2013 servers is the only member of the Exchange Windows Permissions group, these permissions are removed from the Exchange servers.
Enabling Active Directory split permissions means that:
You can no longer create mailboxes, mail-enabled users, distribution groups, and other security pr
You cannot add and remove distribution-group members from the Exchange Server management
The Exchange Trusted Subsystem and Exchange servers no longer have permissions to create sec
Exchange servers and the Exchange Server management tools can only modify the Exchange Serv
You can enable Active Directory split permissions when you run the Exchange Server 2013 setup program during the initial deployment of Exchange Server 2013. You can also use the command-line setup program with the /PrepareAD option and the /ActiveDirectorySplitPermissions option set to true when you first install Exchange Server 2013, or you can run this command after installing Exchange Server to change an existing deployment to use Active Directory split permissions.
You enable or disable Active Directory split permissions by using the Exchange Server 2013 setup program. If you enable Active Directory split permissions, Exchange Server 2013 Setup makes the following changes to the AD DS and Exchange Server deployments:
It creates a new OU called Microsoft Exchange Protected Groups.
It creates the Exchange Windows Permissions security group in the Microsoft Exchange Protected G
It does not add the Exchange Trusted Subsystem security group to the Exchange Windows Permiss
It does not create non-delegating management role assignments to management roles with the follow
o MailRecipientCreation
o SecurityGroupCreationandMembership
It does not add access control entries that would have been assigned to the Exchange Windows Perm
To disable Active Directory split permissions, you can rerun Exchange setup with the /PrepareAD and the /ActiveDirectorySplitPermissions parameters, setting the ActiveDirectorySplitPermissions parameter to false.
Lesson 2: Configuring Audit Logging
In organizations where multiple Exchange Server administrators exist, it can sometimes be difficult to trace changes that have been made to the Exchange Server configuration objects. In addition, it can be difficult to provide information about users who access other mailboxes or perform other types of data access. Exchange Server 2013 contains logging functionality that can provide you with information about administrative tasks performed on your Exchange servers.
Lesson Objectives
After completing this lesson, you will be able to:
Describe administrator audit logging.
Describe mailbox audit logging.
Configure audit logging.
What Is Administrator Audit Logging?
In Exchange Server 2013, administrator audit logging captures data about changes made to your organization by users and administrators. By default, administrator audit logging captures information about all changes made to the Exchange server deployment.
Exchange Server 2013 administrator audit logs track all Exchange Management Shell cmdlets that make changes to the Exchange Server environment. Because all tasks performed in the EAC are translated to Exchange Management Shell cmdlets, all changes are logged, regardless of which tool you use to perform the task.
Audit logging is intended to show which actions were taken to modify objects in an Exchange organization, rather than which objects were viewed. Cmdlets are audited if the cmdlet is on the cmdlet auditing list, and one or more parameters on that cmdlet are on the parameter-auditing list. By default, the Test-, Get-, and Search- cmdlets are not logged, because these cmdlets are usually not security critical, and they cannot directly change anything on Exchange Server objects. All other cmdlets are logged.
You can configure administrator audit logging in the Exchange Management Shell by using the Set-AdminAuditLogConfig cmdlet. This cmdlet uses several parameters that allow you to configure audit logging. Some of the most important parameters for this cmdlet are:
AdminAuditLogEnabled. When set to False, logging is not enabled. By default, logging is enabled
TestCmdletLoggingEnabled. This parameter enables Test- cmdlet logging.
AdminAuditLogCmdlets. This parameter specifies which cmdlets are logged when administrator a
AdminAuditLogParameters. This parameter specifies whether cmdlet parameters are logged. By d
AdminAuditLogAgeLimit. This parameter specifies how long each log entry should be kept before
If you want to see how administrator audit logging is configured currently, run the Get-AdminAuditLogConfig cmdlet.
Each time a cmdlet is logged, Exchange Server creates an audit log entry. Exchange Server 2013 stores audit logs in a hidden, dedicated arbitration mailbox that you can only access by using the EAC Auditing Reports page, or the Search-AdminAuditLog or New-AdminAuditLogSearch cmdlets. The logs are not accessible from Microsoft Outlook Web App or Microsoft Office Outlook. In addition, no one can delete audit log entries, and you cannot modify this dedicated mailbox.
In the EAC, you can view or export administrator audit-logging reports. If you want to search the logs by specifying your own search parameters, you must use the Exchange Management Shell.
For example, suppose you want to search Set-Mailbox usage between 2/16/2013 and 3/16/2013, and send the search results to Andreas@adatum.com. To accomplish this, you would run the following cmdlet:
New-AdminAuditLogSearch -Cmdlets Set-Mailbox -StartDate 02/16/2013 -EndDate 03/16/2013 -StatusMailRecipients Andreas@adatum.com -Name "Mailbox changes report"
After you run the New-AdminAuditLogSearch cmdlet, Exchange Server may take up to 15 minutes to deliver the report to the specified recipient.
You also can use the same parameters with the Search-AdminAuditLog cmdlet, except for the StatusMailRecipients parameter that specifies to send a report by email. The Search-AdminAuditLog cmdlet provides the report inside the Exchange Management Shell window.
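As an added example that is not from the course, the following script uses Search-AdminAuditLog to pull permission-related cmdlets from the last seven days and flags entries whose caller is not on an approved list, which is the kind of review the audit log exists for. The approved caller adatum.com/Users/Administrator, the seven-day window and the cmdlet watch list are assumed values.

```powershell
# Added example, not part of the course material. The approved-caller list, the watch list and
# the 7-day window are assumed values; adjust them to your environment.
function Find-PermissionChanges {
    param(
        # Callers expected to change permissions, in the canonical-name form Search-AdminAuditLog reports.
        [string[]] $ApprovedCallers = @('adatum.com/Users/Administrator'),
        [int] $Days = 7
    )

    # Cmdlets that alter who can do what. Set-AdminAuditLogConfig is included so that
    # attempts to turn logging off or narrow it are themselves reviewed.
    $watched = @(
        'New-ManagementRoleAssignment', 'Remove-ManagementRoleAssignment',
        'Set-ManagementRoleAssignment', 'New-RoleGroup', 'Add-RoleGroupMember',
        'Remove-RoleGroupMember', 'Add-MailboxPermission', 'Add-ADPermission',
        'Set-AdminAuditLogConfig'
    )

    $end   = Get-Date
    $start = $end.AddDays(-$Days)

    # Search-AdminAuditLog returns the entries in the shell; -ResultSize raises the default cap.
    $events = Search-AdminAuditLog -Cmdlets $watched -StartDate $start -EndDate $end -ResultSize 250000

    foreach ($e in $events) {
        # Flatten the logged parameter collection into one readable string for the report.
        $params = ($e.CmdletParameters | ForEach-Object { "-$($_.Name) $($_.Value)" }) -join ' '
        [pscustomobject]@{
            RunDate    = $e.RunDate
            Caller     = $e.Caller
            Cmdlet     = $e.CmdletName
            Object     = $e.ObjectModified
            Succeeded  = $e.Succeeded
            Parameters = $params
            Approved   = ($ApprovedCallers -contains $e.Caller)
        }
    }
}

# Report only the changes made by someone outside the approved list, newest first.
Find-PermissionChanges |
    Where-Object { -not $_.Approved } |
    Sort-Object RunDate -Descending |
    Format-Table RunDate, Caller, Cmdlet, Object, Succeeded, Parameters -AutoSize -Wrap
```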
What Is Mailbox Audit Logging?
Mailbox audit logging allows you to log mailbox access by mailbox owners, delegates (including administrators with full mailbox-access permissions), and administrators. Mailboxes are accessed by an administrator only in the following scenarios:
For discovery searches.
When Mailbox exports are specified through the New-MailboxExportRequest cmdlet.
For Microsoft Exchange Server Messaging Application Programming Interface (MAPI) editor ma
When you enable audit logging for a mailbox, you can specify which user actions should be logged. You can also specify whether to log mailbox owner, delegate, or administrator actions. Audit log entries also include important information such as the client IP address, host name, and the process or client used to access the mailbox. For items that are moved, the entry includes the name of the destination folder.
Mailbox audit logs are generated for each mailbox that has mailbox audit logging enabled. Log entries are stored in the Audits subfolder of the audited mailbox's Recoverable Items folder. If you move a mailbox to another Mailbox server, the mailbox audit logs for that mailbox also move because they are located in the mailbox.
By default, mailbox audit log entries are retained in the mailbox for 90 days.
Planning for Mailbox Audit Logging
Unlike administrator audit logging, mailbox audit logging is not enabled by default, so you must activate it manually. In addition, mailbox audit logging is activated on a per-mailbox basis, and not as a general option. When you enable mailbox audit logging for a mailbox, access to the mailbox and certain administrator and delegate actions are logged by default.
To log actions taken by the mailbox owner, you must specify which owner actions should be audited. However, for mailboxes such as the Discovery Search Mailbox, which may contain more sensitive information, consider enabling mailbox audit logging for mailbox owner actions such as message deletion. We recommend that you only enable auditing of the specific owner actions necessary to meet business or security requirements.
To enable mailbox auditing on a specific mailbox, use the Exchange Management Shell. The following example enables mailbox auditing on Anil Elson's mailbox:
Set-Mailbox -Identity "Anil Elson" -AuditEnabled $true
To disable mailbox auditing, change the AuditEnabled value from $true to $false.
To search the mailbox audit log, you can use both the EAC and the Exchange Management Shell. The EAC allows you to generate reports for non-owner mailbox access, which is the most common report for this type of auditing. However, in this report you can only set a date range as your filter. If you want to specify all available options, use the Exchange Management Shell to perform your search.
The following example searches for users who accessed Terri's mailbox during 2013, limiting results to 2,000:
Search-MailboxAuditLog -Identity Anil -LogonTypes Admin,Delegate -StartDate 1/1/2013 -EndDate 12/31/2013 -ResultSize 2000
The results return to the Exchange Management Shell window.
The following example searches Terri's and Jan's mailboxes and sends the results to a specific mailbox:
New-MailboxAuditLogSearch -Name "Admin and Delegate Access" -Mailboxes "Terri Chudzik","Jan Dryml" -LogonTypes Admin,Delegate -StartDate 1/1/2013 -EndDate 12/31/2013 -StatusMailRecipients "auditors@adatum.com"
This cmdlet locates access attempts by administrators and delegates during 2013. Results are sent to the email alias auditors@adatum.com.
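The following added example, not part of the course, enables mailbox audit logging on every shared mailbox with explicit action sets for each logon type, and then summarizes non-owner access to one mailbox from the detailed Search-MailboxAuditLog output by user, client IP address and operation. The action lists, the 180-day retention, the 30-day review window and the mailbox name Info are assumed choices, not Exchange defaults.

```powershell
# Added example, not part of the course material. Action sets, retention and window are assumed.
# Run from the Exchange Server 2013 Management Shell.

# Enable mailbox audit logging on all shared mailboxes, naming the audited actions for each
# logon type instead of relying on the defaults. Owner auditing stays minimal (deletions only).
function Enable-SharedMailboxAuditing {
    Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited |
        Set-Mailbox -AuditEnabled $true `
            -AuditAdmin Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf,MessageBind,Create `
            -AuditDelegate Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf,Create `
            -AuditOwner SoftDelete,HardDelete `
            -AuditLogAgeLimit '180.00:00:00'   # keep entries 180 days instead of the default 90
}

# Summarize non-owner access to one mailbox: who, from which client IP, doing what, how often.
function Get-NonOwnerAccessSummary {
    param(
        [Parameter(Mandatory = $true)] [string] $Mailbox,
        [int] $Days = 30
    )
    $end   = Get-Date
    $start = $end.AddDays(-$Days)

    # -ShowDetails returns one entry per action, including client IP, process and folder data.
    $entries = Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Admin,Delegate -ShowDetails `
        -StartDate $start -EndDate $end -ResultSize 250000

    $entries |
        Group-Object LogonUserDisplayName, ClientIPAddress, Operation |
        ForEach-Object {
            $first  = $_.Group[0]
            $latest = ($_.Group | Sort-Object LastAccessed -Descending | Select-Object -First 1).LastAccessed
            [pscustomobject]@{
                LogonUser = $first.LogonUserDisplayName
                LogonType = $first.LogonType
                ClientIP  = $first.ClientIPAddress
                ClientApp = $first.ClientProcessName
                Operation = $first.Operation
                Count     = $_.Count
                LastSeen  = $latest
            }
        } |
        Sort-Object Count -Descending
}

Enable-SharedMailboxAuditing
Get-NonOwnerAccessSummary -Mailbox 'Info' | Format-Table -AutoSize
```

Entries written before auditing was enabled on a mailbox do not exist, so run the summary only after the mailbox has been audited for the review window.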
Demonstration: Configuring Audit Logging
In this demonstration, you will review how to configure administrator audit logging and mailbox audit logging, and how to search audit logs from both the EAC and the Exchange Management Shell.
Demonstration Steps
1. On LON-CAS1, in Exchange Management Shell, review how the Audit Log is currently config
2. In the EAC, add Send As permissions on Anil Elson's mailbox for Allie Bellew.
3. In Exchange Management Shell, verify that you see the permission change in the admin log.
4. Enable audit logging on Anil's mailbox.
5. Send a message from Allie's mailbox as Anil.
6. In the EAC, run a non-owner mailbox access report to verify that the message was logge
Lab: Configuring Administrative Security and Auditing
Scenario
A. Datum Corporation has deployed Exchange Server 2013. The company security officer has provided you a set of requirements to ensure that the Exchange Server 2013 deployment is as secure as possible. The requirements' specific concerns include:
Exchange Server administrators should have minimal permissions. This means that whenever pos
Any configuration changes made to the Exchange Server environment should be audited. The aud
The organization must have the option of auditing all non-owner access to user mailboxes. The au
AD DS object creation should be done by only the HRAdmins group. Nobody else should create A
Objectives
The students will be able to configure Exchange Server 2013 RBAC permissions and audit logging for both administrators and users.
Lab Setup
Estimated time: 60 minutes

Virtual machines: 20341B-LON-DC1, 20341B-LON-CAS1, 20341B-LON-MBX1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Mana
2. In Hyper-V Manager, click 20341B-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
5. Repeat steps 2 to 4 for 20341B-LON-MBX1, and 20341B-LON-CAS1.
Exercise 1: Configuring Exchange Server Permissions
Scenario
A. Datum Corporation has completed the Exchange Server 2013 deployment, and is working on integrating Exchange Server and recipient management with its current management practices. To meet the management requirements, you need to ensure that:
Members of the IT administrators group can administer individual Exchange Server 2013 servers, b
Members of the HelpDeskAdmins group must be able to manage mail recipients throughout the ent
Members of the SupportDesk group should be able to manage mailboxes and distribution groups fo
The main tasks for this exercise are as follows:
1. Configure Exchange server permissions for the IT administrators group
2. Configure permissions for the Support Desk and HelpDeskAdmins groups
3. Verify the permissions for the three role groups created
Task 1: Configure Exchange server permissions for the IT administrators group
1. On LON-MBX1, open Server Manager, and then open Active Directory Users and Computer
2. Add the IT group as member to Server Management group located in Adatum.com\Microsoft
Task 2: Configure permissions for the Support Desk and HelpDeskAdmins groups
1. On LON-MBX1, from the Start screen, open Exchange Management Shell.
2. In the Exchange Management Shell, run the following cmdlets:
New-RoleGroup -Name HelpDeskAdmins -Roles "Mail Recipients"
New-RoleGroup -Name SupportDesk -Roles "Mail Recipients","Mail Recipient Creation","Distribution Groups"
3. Open Internet Explorer, connect to https://LON-CAS1.adatum.com/ecp. Sign in as Adatum
4. In the EAC, in permissions, add Ryan Spanton to SupportDesk role group and add Carol Tr
5. Close Internet Explorer.
Task 3: Verify the permissions for the three role groups created
1. On LON-MBX1, open Internet Explorer, and connect to https://LON-CAS1.adatum.com/ecp
2. Modify the Research database:
o Issue a warning at (GB): unlimited
3. Verify that you can see the UM dial plans, but not create or modify them. Remember that Tony is
4. Close Internet Explorer, open Internet Explorer, and connect to https://LON-CAS1.adatum.c
5. In recipients feature, in mailboxes, modify Alan Steiner:
o Department: IT
6. In recipient feature, in groups, try to modify Research:
o Group description: test
7. In recipients feature, in mailboxes, create a new mailbox:
o Alias: Test
o First name: Test
o Last name: Test
o User logon: Test
o New password: Pa$$word
o Confirm password: Pa$$word
8. Close Internet Explorer, open Internet Explorer, and connect to https://LON-CAS1.adatum.com
9. In the feature pane, access recipients. Note that there is no New user button on the toolbar.
10. In recipients feature, in mailboxes, modify Alan Steiner:
o Department: Customer Service
11. Verify that groups is not available in tabs as Carol does not have permission to manage groups.
12. Close Internet Explorer.
Results: After completing this exercise, the students will have configured RBAC roles and verified that the permissions are granted accordingly.
Exercise 2: Configuring Audit Logging
Scenario
You now need to configure audit logging on the Info@Adatum.com shared mailbox. This mailbox is used by the IT group to send out information to everyone in the organization.
The main tasks for this exercise are as follows:
1. Configure audit logging on the Info@Adatum.com mailbox
2. Perform SendAs activity on the Info@Adatum.com mailbox
3. Verify that the activity is logged
Task 1: Configure audit logging on the Info@Adatum.com mailbox
1. On LON-MBX1, open Exchange Management Shell.
2. In the Exchange Management Shell, run the following cmdlet:
Set-Mailbox -Identity "Info" -AuditDelegate SendAs,SendOnBehalf -AuditEnabled $true
Task 2: Perform SendAs activity on the Info@Adatum.com mailbox
1. On LON-CAS1, open Internet Explorer, and connect to https://LON-CAS1.adatum.com/owa.
2. Create and send a new mail message:
o From: Info@adatum.com
o To: Tony Smith
o Subject: Testing Send As logging
3. Verify that the message is sent.
4. Close Internet Explorer.
Task 3: Verify that the activity is logged
1. On LON-MBX1, open Internet Explorer, and connect to https://LON-CAS1.adatum.com/ecp.
2. In compliance management, in auditing, run a non-owner mailbox access report:
o Search for access by: All non-owners
3. In the search results, view the report that shows that Tony Smith accessed the Info mailbox.
Results: After completing this exercise, the students will have configured mailbox audit logging and verified that audit logging works correctly.
Exercise 3: Configuring RBAC Split Permissions on Exchange Server 2013
Scenario
You want to separate those who can create security principals in the AD DS domain partition from those who administer the Exchange organization data in the AD DS configuration partition. Only the HRAdmins group should be allowed to create objects in the AD DS domain partition. You decide to implement the RBAC split permissions model on your organization.
The main tasks for this exercise are as follows:
1. Create a new role group called HRAdmins, and assign permissions
2. Remove the permission to create AD DS objects from other Exchange Server administrator gro
3. Validate RBAC split-permissions functionality
4. To prepare for the next module
Task 1: Create a new role group called HRAdmins, and assign permissions
1. On LON-MBX1, open Exchange Management Shell.
2. In the Exchange Management Shell, run the following cmdlets:
New-RoleGroup "HRAdmins" -Roles "Mail Recipient Creation", "Security Group Creation and Membership"
New-ManagementRoleAssignment -Role "Mail Recipient Creation" -SecurityGroup "HRAdmins" -Delegating
New-ManagementRoleAssignment -Role "Security Group Creation and Membership" -SecurityGroup "HRAdmins" -Delegating
Add-RoleGroupMember "HRAdmins" -Member Tony
3.From Server Manager, open Active Directory Users and Computers and modify HRAdmins gro
o Managed By: HRAdmins
o Manager can update membership list: enabled
4.Add HRAdmins to the Recipient Management group. This is required to assign the HRAdmins g
Task 2: Remove the permission to create AD DS objects from other Exchange Server administrator groups
1. On LON-MBX1, open Exchange Management Shell.
2. In the Exchange Management Shell, run the following cmdlets:
Get-ManagementRoleAssignment -Role "Mail Recipient Creation" | Format-Table Name, Role, RoleAssigneeName -AutoSize
Get-ManagementRoleAssignment -Role "Mail Recipient Creation" | Where { $_.RoleAssigneeName -ne "HRAdmins" } | Remove-ManagementRoleAssignment
Get-ManagementRoleAssignment -Role "Security Group Creation and Membership" | Where { $_.RoleAssigneeName -ne "HRAdmins" } | Remove-ManagementRoleAssignment
3. Close the Exchange Management Shell.
Task 3: Validate RBAC split-permissions functionality
1. On LON-MBX1, open Internet Explorer, and connect to https://LON-CAS1.adatum.com/ecp.
2. In the recipients feature, in mailboxes, create a new mailbox. When you click on New user that al
3. Close Internet Explorer and open Internet Explorer, connect to https://LON-CAS1.adatum.com
4. In recipients feature, in mailboxes, create a mailbox with a new user:
o Alias: Test2
o First name: Test2
o Last name: Test2
o User logon: Test2
o New password: Pa$$word
o Confirm password: Pa$$word
This confirms that Tony is able to create user accounts for new mailboxes.
5. Close Internet Explorer.
Task 4: To prepare for the next module
When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20341B-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 to 3 for 20341B-LON-CAS1, and 20341B-LON-MBX1.
5. In Hyper-V Manager, click 20341B-LON-DC1, and in the Actions pane, click Start.
6. In the Actions pane, click Connect. Wait until the virtual machine starts.
7. Sign in using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
8. Repeat steps 5 to 7 for 20341B-LON-MBX1. When you have successfully signed in to LON-MBX
Results: After completing this exercise, students will have created a new role group, configured RBAC split permissions, and validated that RBAC split permissions are working as expected.
Question: You have a shared mailbox that requires logging any activity in which other users send on behalf of this mailbox. What do you need to do?
Question: Your compliance office requires permission to configure and manage compliance settings in your Exchange organization. You want to make sure that the compliance officer has the least amount of permissions necessary for doing his or her job. What built-in management role group would you use?
Module Review and Takeaways
Best Practice
Supplement or modify the following best practices for your own work situations:
When you configure permissions in the Exchange organization, make sure that the users have the m
ion. Do not enable RBAC or Active Directory split permissions if you do not have a usage scenario
Whenever possible, use the built-in role groups to assign permission in the Exchange organization.
Enable administrative audit logging on shared mailboxes.
Do not enable RBAC or Active Directory split permissions if you do not have a usage scenario to s
Ensure that you document all permissions that you assign in the Exchange organization. If users are unable to perform required tasks, or if users are performing tasks to which they should not have access, you should be able to identify the reason by referring to your documentation.
Common Issues and Troubleshooting Tips
Common Issue: Your Exchange mailbox administrators are not able to create user accounts when creating a mailbox.
Common Issue: An administrator is able to log on to the Exchange server and start Exchange Management Shell, but cannot run the cmdlets tom
Review Question(s)
Question: In which scenario should you implement AD split permissions in your Exchange Server 2013 organization?
Question: You need to enable members of the Human Resources department to configure user mailboxes for the entire organization. What should you do?
Question: How can you identify whether someone was accessing another user's mailbox?
Module 11: Monitoring and Troubleshooting Microsoft Exchange Server 2013
Contents:
Module Overview
Lesson 1: Monitoring Exchange Server 2013
Lesson 2: Maintaining Exchange Server 2013
Lesson 3: Troubleshooting Exchange Server 2013
Lab: Monitoring and Troubleshooting Exchange Server 2013
Module Review and Takeaways
Module Overview
Monitoring and troubleshooting processes for Microsoft Exchange Server 2013 are very important because they allow administrators to provide performance-optimized messaging infrastructures. Monitoring processes can improve your ability to identify, troubleshoot, and repair issues before end users experience them.
By designing a comprehensive monitoring solution for your Exchange Server 2013 organization, you can reduce end-user problems and prevent potentially serious issues.
After you deploy Exchange Server 2013, you must make sure that it continues to run efficiently by maintaining a stable environment. This module describes how to monitor, maintain, and troubleshoot your Exchange Server 2013 environment.
Objectives
After completing this module, you will be able to:
Monitor Exchange Server 2013.
Maintain Exchange Server 2013.
Troubleshoot Exchange Server 2013.
Lesson 1: Monitoring Exchange Server 2013
Exchange administrators must know how Exchange works so that they can implement monitoring tools by using the appropriate metrics, to ensure a healthy Exchange environment. You must develop a monitoring solution to improve the ability to identify, troubleshoot, and repair issues before they affect end users.
To reduce and prevent end-user problems, you must engage in additional consideration and planning to design a monitoring solution for your Exchange Server 2013 organization. In this lesson, you will review the basic monitoring tools and the metrics that you use to monitor Exchange Server 2013.
Lesson Objectives
After completing this lesson, you will be able to:
Explain why the Performance Monitor is important.
Describe performance baseline.
Establish a performance baseline.
Describe the Exchange Server 2013 monitoring tools.
Collect the key performance data for Exchange Server 2013.
Collect the performance counters that you should monitor on the Mailbox server role.
Collect the performance counters that you should monitor on the transport components.
Collect the performance counters that you should monitor on the Client Access server role.
Use the collected performance data.
Why Is Performance Monitoring Important?
Every organization should have well-defined monitoring procedures in place for its Exchange Server environment. Monitoring provides up-to-date information about key Exchange Server health and performance parameters. Furthermore, monitoring procedures should be reevaluated on a regular basis to accommodate the changes in the organization's IT infrastructure.
To monitor Exchange Server performance most efficiently, you must:
Identify performance issues. When problems arise, you can identify and repair them without relying
Identify growth trends to improve plans for upgrades. As the system grows and usage patterns chan
Measure performance against service level agreements (SLAs). You need to demonstrate whether E
Identify security issues and denial-of-service attacks. When performance and other metrics do not m
To effectively monitor performance, you must gather and monitor metrics from the processor, memory, disk, and Exchange services. You can monitor additional information, depending on the Exchange Server roles that you install.
What Is a Performance Baseline?
Monitoring Exchange Server performance produces data output that Exchange administrators should review. Administrators should review this data to determine whether system behavior and performance address business requirements.
Monitoring data helps Exchange administrators to identify growth patterns, performance issues, application or service impact, and the impact of organizational or user changes. Monitoring data also helps administrators to decide whether an Exchange Server upgrade or server replacement is needed.
During the monitoring process, administrators need to compare current performance data with their servers' average usage. You may want to monitor server usage every day over a one-month period to determine the average server usage. This average usage is called the performance baseline. Based on the comparison between the current performance data and the performance baseline, you can choose to perform one of the following:
If server performance is similar to the performance baseline, administrators can conclude that this is
If server performance deviates substantially from the performance baseline, administrators must tak
Without a performance baseline, administrators cannot perform a relevant analysis of the performance data, and therefore cannot decide correctly on what action to take. Administrators should create a performance baseline for each server. Developing a performance baseline for each server is important because servers are configured differently. Each server can vary depending on several factors, including whether it is a physical or virtual machine and the varying amounts of memory and processor types.
Even identical servers can have different performance baselines; for example, they might host different server roles, such as Client Access server and Mailbox server. In fact, even when two identical servers have the same server roles, such as Mailbox server roles, they still may have different performance baselines. This can happen when the number of user mailboxes that are located on each of the Mailbox servers is different.
You should evaluate the performance baseline regularly. IT infrastructure in organizations is dynamic, and servers are upgraded or replaced on a regular basis; therefore, performance baselines change as well.
The Exchange performance baseline also depends on the number of user mailboxes and software or service pack updates. Moreover, new software installation and software upgrades, such as antivirus or backup software, might also change the performance baseline.
Establishing a Performance Baseline
Establishing a performance baseline is an essential step during Exchange server monitoring.
Organizations that use management and monitoring software such as Microsoft System Center Operations Manager 2012 (Operations Manager) can use it to create a performance baseline automatically. Operations Manager alerts administrators of any substantial deviation from the performance baseline. In addition, Operations Manager will update the performance baseline over time dynamically, according to changes in the Exchange Server infrastructure.
If your organization does not use Operations Manager or other software that automatically creates a performance baseline, you should create it manually by using the following recommendations:
A performance baseline is established over a relevant timeframe, such as one month.
If Exchange Server usage during the weekends or after office hours is not the same as during office
If backup procedures affect server performance, those procedures should be scheduled after office h
Performance baseline should not be measured during the server updates, hardware upgrades, or mai
Performance baseline should be reevaluated regularly, especially after hardware upgrades, changes
Tools for Monitoring Exchange Server
Organizations use different types of software or tools to monitor their Exchange Server environments. Depending on the size of the organization and the complexity of its IT infrastructure, monitoring software can be classified in two categories:
Enterprise monitoring solutions, such as Operations Manager.
Small and medium-sized organization monitoring solutions, such as Performance Monitor.
Enterprise Monitoring Solutions
Most enterprise environments already use monitoring and service management solutions across their IT infrastructures. An example is Operations Manager with the Exchange Server 2013 management pack, which provides a monitoring solution for IT infrastructures, including monitoring for Exchange Server 2013.
Operations Manager performs multiple monitoring tasks, such as:
Monitoring Exchange Server 2013 events.
Collecting Exchange component-specific performance counters in one central location.
Alerting operators if intervention is necessary.
Correlating critical events automatically.
Managing Exchange servers and identifying issues before they become critical.
Operations Manager also allows you to customize the data you need to collect. Therefore, you can make adjustments to accommodate your particular usage and hardware scenarios.
Monitoring Solutions by Using Performance Monitor
In situations where no enterprise monitoring solution exists, you can use the Performance Monitor in the Windows Server 2012 operating system to collect performance data and monitor Exchange Server health. The Performance Monitor analyzes how Exchange Server 2013 affects your computer's performance, both in real time and by collecting log data for future analysis.
The Performance Monitor uses performance counters, event trace data, and configuration information, which can be combined into Data Collector Sets. It also provides a system-stability overview and details about events that impact reliability.
Collecting Performance Data for the Exchange Server
When you monitor Exchange Server 2013 servers, you should know which performance aspects are most important for your organization. You can use the common counters and threshold values detailed in this lesson to identify potential issues proactively, and help identify the root cause of issues when you troubleshoot.
Because these values are general guidelines, it is important to trend and perhaps adjust these values to meet the needs of a specific environment. You can determine values that work in a specific environment by documenting normal operating values to create a baseline. After you create the baseline, set thresholds so that when performance metrics are not met, you know that the server is not operating optimally.
In addition, when you run Exchange Server 2013 in a virtualized environment, you should consider adding virtualization counters to your monitoring strategy. Some examples of virtualization counters include:
Hyper-V Virtual Machine Health Summary counters.
Counters related to Hyper-V processor utilization, such as Hyper-V Hypervisor Logical Processor
Counters related to Memory utilization on both physical and virtual machines.
Counters related to Hyper-V networking utilization, such as Hyper-V Legacy Network Adapter an
Counters related to Hyper-V storage utilization, such as Hyper-V Virtual Storage Device.
Processor
The processor is a fundamental component that you need to monitor to ensure server health on Exchange Server 2013 roles. The following table includes the description and expected value for the counters you can use to monitor the server.
Counter Description
_Total\% Processor Time Displays the percentage of time that the processor is executing application or operating syste
_Total\% User Time Displays the percentage of processor time that is spent in user mode. This represents the tim
_Total\% Privileged Time Displays the percentage of processor time that is spent in privileged mode. This represents th
The Processor Queue Length is an additional counter related to processor performance. If the Processor Queue Length is greater than the specified threshold value, this may indicate that there is more work available than the processor can handle. If this number is greater than 10 per processor core, this is a strong indicator that the processor is at capacity, particularly when coupled with high CPU utilization. Although you typically do not use the Processor Queue Length counter for capacity planning, you can use it to determine whether you should purchase faster processors for future servers.
The following table displays the description and expected value of the Processor Queue Length counter in the System group.
Group Counter Description
System Processor Queue Length Displays the number of threads each processor is servicing. You can use this count
Memory
Another key performance indicator is the memory counter. By tracking how much memory is available and how much memory has to be written to the page file, you can determine when you need to either increase server memory or reduce server load.
The following table displays the description and expected values for memory counters.
Counter Description
Available Mbytes Displays the amount of physical memory, in megabytes (MB), immediately available for alloc
to the sum of memory assigned to the standby (cached), free, and zero page lists.
Pool Paged Bytes Displays the portion of shared system memory that you can page to the disk paging file. The p
Transition Pages Repurposed/sec Indicates system cache pressure.
Page Reads/sec Displays that data must be read from the disk instead of memory. Indicates there is not enough
Pages/sec Displays the rate at which pages are read from or written to disk to resolve hard page faults. T
wide delays. Pages/sec is the sum of Memory\Pages Input/sec and Memory\Pages Output/sec.
(usually requested by applications) and non-cached mapped memory files.
Pages Input/sec Displays the rate at which pages are read from disk to resolve hard-page faults. Hard-page faults occur when a process refers to a page in virtual memory that is not in its working s
ages Input/sec with the value of Memory\Page Reads/sec to determine the average number of
Pages Output/sec Displays the rate at which pages are written to disk to free space in physical memory. Pages a
ges back to disk to free up space when physical memory is in short supply. This counter displa

MSExchange ADAccess Domain Controllers
Exchange Server 2013 relies heavily on Active Directory Domain Services (AD DS) for storing and reading its configuration data. Therefore, it is essential to measure the response time and connection health to AD DS.
The following table displays descriptions and expected values of Lightweight Directory Access Protocol (LDAP)-related counters.
Counter Description
LDAP Read Time Displays the time in milliseconds (ms) that it takes to send an LDAP read re
LDAP Search Time Displays the time (in ms) to send an LDAP search request and receive a res
Long running LDAP operations/min Displays the number of LDAP operations on this domain controller that too
LDAP Searches timed out per minute Displays the number of LDAP searches that returned LDAP Timeout during
Monitoring Services and Logs
It is also important that you verify that each of the Exchange Server 2013 services is running and servicing requests. You can monitor services by polling the service status using the Services management tool, the Get-Service cmdlet, or a third-party monitoring tool. Items logged in the Event logs also may indicate Exchange Server 2013 server problems. These events typically are classified as Errors or Warnings.
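The following is an added example, not part of the course, that performs the two checks this topic describes from PowerShell: it lists Exchange services that are set to start automatically but are not running, and summarizes the Error and Warning events written by Exchange providers to the Application log. The six-hour window is an assumption, and WMI is used for the service query so that the start mode is available on Windows Server 2012.

```powershell
# Added example (not from the course): poll Exchange services and the Application log as
# described in "Monitoring Services and Logs". Assumptions: run with local administrator
# rights on the Exchange server; six-hour window and the WMI query are choices made here.

function Get-StoppedExchangeServices {
    # Automatic-start Exchange services that are not currently running
    Get-WmiObject -Class Win32_Service `
        -Filter "Name LIKE 'MSExchange%' AND StartMode = 'Auto' AND State <> 'Running'" |
        Select-Object Name, DisplayName, State, StartMode
}

function Get-RecentExchangeEvents {
    param([int]$Hours = 6)
    # Level 2 = Error, 3 = Warning; keep only providers that belong to Exchange
    $filter = @{ LogName = 'Application'; Level = 2, 3; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like 'MSExchange*' } |
        Group-Object ProviderName, Id |
        Sort-Object Count -Descending |
        Select-Object Count, Name,
            @{ Name = 'Level';   Expression = { $_.Group[0].LevelDisplayName } },
            @{ Name = 'Message'; Expression = { ($_.Group[0].Message -split "`r?`n")[0] } }
}

$stopped = Get-StoppedExchangeServices
if ($stopped) {
    Write-Warning "Automatic Exchange services not running on ${env:COMPUTERNAME}:"
    $stopped | Format-Table -AutoSize
} else {
    "All automatic Exchange services are running on ${env:COMPUTERNAME}"
}

# Most frequent Exchange errors and warnings in the last six hours, one line per event ID
Get-RecentExchangeEvents -Hours 6 | Format-Table -AutoSize -Wrap
```

Grouping by provider and event ID turns a noisy log into a short list of distinct problems, which is usually what you want to compare between polls; run the script as a scheduled task and keep the output to see which event IDs recur.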
Collecting Performance Data for the Mailbox Server
When you collect performance data associated with Mailbox servers, you may focus on disk-response time and the speed with which the server responds to requests. If the disk queue length begins to grow, this is another indicator that the disk system is not meeting demand. All of these indicators may signify that you need to purchase additional or faster disks, or modify the disk configuration.
There are many Mailbox server performance counters that you can monitor depending on your messaging environment. The following counters are crucial, and they are a good starting point when you collect performance data for the Mailbox server.
Logical Disk
Logical Disk counters determine whether disk performance is meeting demands. As disk latency increases, database reads and writes take more time.
The following table displays descriptions and expected values for Logical Disk counters.
Counter Description
Avg. Disk sec/Read Displays the average time for reading data from the disk.
Avg. Disk sec/Write Displays the average time for writing data to the disk.
Avg. Disk sec/Transfer Displays the average number of bytes transferred to or from the disk during
MSExchangeIS Store
The Client Access and Transport services use Microsoft Remote Procedure Call (RPC) to communicate with Mailbox servers. Thus, it is important to monitor the response time for RPC requests to ensure that the Mailbox server is responding quickly enough to support the load.
The following table displays the descriptions and expected values of RPC-related counters.
Counter Description
% RPC Requests Displays the overall RPC requests that are currently executing within the
RPC Averaged Latency Shows the RPC latency (in ms) averaged for all operations in the last 1,02
RPC Operations/sec Displays the current number of RPC operations occurring per second.
MSExchangeDatabase ==> Instances
In Exchange Server, database performance is one of the most critical parameters. The following table displays the counters you can use to monitor database performance.
Counter Description
Log Threads Waiting Displays the number of threads waiting for their data to be written to the log to com
I/O Database Reads Average Latency Displays the average length of time, in ms, per database read operation.
I/O Database Writes Average Latency Shows the average length of time, in ms, per database write operation.
Database Cache % Hit Shows the percentage of database file page requests fulfilled by the database cache
Question: If any of these performance counters is measured outside its normal range, what will it most likely affect in the production environment?
Collecting Performance Data for the Transport Components
Transport components are installed on both the Mailbox server role and the Client Access server role. Therefore, there are different counters for each role that should be monitored.
Transport Components on the Mailbox Server Role
The transport component on the Mailbox server role uses a queue database, which is a temporary holding location for messages that are processed in a specific order. Therefore, the disk system must meet the performance requirements for processing the organization's email. If the disk system does not meet performance requirements, you will need to replace your disk system with faster disks, or modify the disk configuration. For more information on monitoring Logical Disk on the Mailbox server, read the previous topic, Collecting Performance Data for the Mailbox Server.
MSExchange Database ==> Instances
Monitoring queue database performance will help you identify issues with reading or storing queue information in the databases. The following table displays descriptions of transport database counters.
Counter Description
Log Generation Checkpoint Depth Displays the amount of work (in count of log files) that needs to be redone or undone to t
Version buckets allocated Displays the total number of allocated version buckets. Shows the default backpressure v
Log Record Stalls/sec Displays the number of log records that cannot be added to the log buffers per second be
MSExchangeTransport Queues
Messages that are being queued for submission may indicate a problem with connectivity to the transport component of the Client Access server. The following table displays the description and expected values for transport queue length-related counters.
Counter Description
Messages Queued for Delivery Shows the current number of submitted messages that are not yet processed by tra
Active Mailbox Delivery Queue Length Displays the number of messages in the active mailbox queues.
Retry Mailbox Delivery Queue Length Displays the number of messages in a retry state that are attempting to deliver a m
Unreachable Queue Length Displays the number of messages in the Unreachable queue.
Poison Queue Length Displays the number of messages in the poison message queue. The poison messa
Transport Components on the Client Access Server Role
The Transport component on the Client Access server role proxies the SMTP protocol to the Mailbox server role where the user mailbox database is located. Therefore, it is important that you measure the success of the message-routing process. In addition, it is important that you measure performance counters such as the number of sent and received messages, and SMTP service availability.
The following table displays the transport component counters on the Client Access server.
Group Counter
MSExchangeFrontEndTransportSmtpAvailability MessagesFailedToRoute
MSExchangeFrontEndTransportSmtpAvailability MessagesSuccessfullyRouted
MSExchangeFrontEndTransportSmtpReceive InboundMessagesReceived/sec
MSExchangeFrontEndTransportSmtpSend MessagesSent/sec
Question: If any of these performance counters is measured outside its normal range, what will it most likely affect in the production environment?
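The queue-length counters in the Mailbox server table above can also be inspected per queue with the Get-Queue cmdlet, which shows which next hop or error is behind a growing queue. The script below is an added example, not course material: it walks the queues on one Mailbox server and reports the Submission, Unreachable and Poison queues, and any delivery queue in Retry, that exceed a limit. The server name and the limits are assumptions; the queue identities and the Retry status are the standard Exchange 2013 values.

```powershell
# Added example (not from the course): flag transport queues that are growing, using Get-Queue
# from the Exchange Management Shell. Assumptions: run against a Mailbox server (the Front End
# Transport service on a Client Access server keeps no queues); limits are illustrative.
function Get-TransportQueueAlerts {
    param(
        [string]$Server        = $env:COMPUTERNAME,
        [int]$DeliveryLimit    = 50,   # messages allowed in a healthy delivery/submission queue
        [int]$RetryLimit       = 10    # messages allowed in a queue that is already in Retry
    )
    foreach ($q in Get-Queue -Server $Server) {
        $name = $q.Identity.ToString()          # e.g. LON-MBX01\Submission, LON-MBX01\12
        $limit = switch -Regex ($name) {
            '\\Submission$'  { $DeliveryLimit }   # not yet picked up by the categorizer
            '\\Unreachable$' { 0 }                # nothing should ever sit here
            '\\Poison$'      { 0 }                # messages that crashed the pipeline
            default          { if ($q.Status -eq 'Retry') { $RetryLimit } else { $DeliveryLimit } }
        }
        if ($q.MessageCount -gt $limit) {
            [pscustomobject]@{
                Queue     = $name
                Type      = $q.DeliveryType
                Status    = $q.Status
                Messages  = $q.MessageCount
                Limit     = $limit
                NextHop   = $q.NextHopDomain
                LastError = $q.LastError          # why the last connection attempt failed
            }
        }
    }
}

# Report the queues that need attention on this server
Get-TransportQueueAlerts | Sort-Object Messages -Descending | Format-Table -AutoSize
```

Reading LastError together with NextHopDomain usually tells you whether the problem is the next hop (a Mailbox server or smart host that is unreachable) or the message itself (Poison queue), which is the distinction the counters alone cannot give you.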
Collecting Performance Data for the Client Access Components
Assessing the Client Access components entails monitoring a variety of objects and counters. Your users' client experience is affected by the response time of services used by the Client Access components.
Just like the transport components, the Client Access components are installed on both the Mailbox server role and the Client Access server role. Therefore, you should monitor different counters for each server role.
Performance Counters for Client Access Components on the Mailbox Server Role
ASP.NET and Applications
Microsoft Outlook Web App and the Exchange Web Services rely heavily on the Microsoft .NET Framework and ASP.NET files, which are read, processed, and rendered for the end users. Monitoring the response time and the number of times the application has had to restart can help you verify the overall health of the services.
Group Counter Description
ASP.NET Application Restarts Shows the number of times the application has been restarted during the W
ASP.NET Worker Process Restarts Shows the number of times a worker process has restarted on the comput
ASP.NET Requests Current Shows the current number of requests (including those that are queued) currently executing, or waiting to be wr
ns a 503 error if the counter exceeds this value.
ASP.NET Request Wait Time Shows how long (in ms) the most recent request was waiting in the queue
ASP.NET Applications Requests in Application Queue Shows the number of requests in the application request queue. The maxi
MSExchange Web Services
Response times for web services, such as Outlook Web App, the Outlook Anywhere (RPC/HTTP) proxy, Microsoft Exchange ActiveSync, Offline Address Book downloads, and the Availability Service, are valuable metrics to monitor. If an Exchange administrator discovers that the values of these performance counters are different from the performance baseline, a client might experience a slow server response.
Group Counter Description
MSExchange OWA Average Response Time Shows the average time (in
MSExchange OWA Average Search Time Shows the average time (in
RPC/HTTP Proxy Number of failed back-end connection attempts per second Shows the rate at which the
MSExchange ActiveSync Average Request Time Shows the average time tha
MSExchange Availability Service Average Time to Process a Free Busy Request Shows the number of reque
Performance Counters for Client Access Components on the Client Access Server Role
In Exchange Server 2013, Client Access components on the Client Access server perform authentication and proxy of HTTP traffic to Client Access components on the Mailbox server role. The following table describes some of the recommended performance counters relevant to components of the Client Access server role:
Group Counter Description
MSExchange HTTP Proxy Proxy Requests/Sec Show
RPC/HTTP Proxy Number of failed back-end connection attempts per second Show
MSExchange Authentication Total Authentication requests Show
Question: If any of these Client Access server performance counters is measured outside its normal range, what will it most likely affect in the production environment?
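The counter tables in the topics Collecting Performance Data for the Exchange Server, for the Mailbox Server and for the Client Access Components name the counters but, in this extract, not their expected values. The script below is an added example, not course material, that takes a short live sample of those counters with Get-Counter and reports each instance against a threshold. Every threshold is an assumed placeholder to be replaced with values from your own baseline, except the Processor Queue Length rule (more than 10 per processor core) quoted in the lesson; the counter object names follow the tables, and a counter that is not present on the sampled server is reported rather than treated as a failure.

```powershell
# Added example (not from the course): spot-check the counters named in this lesson against
# thresholds. Assumptions: run on the Exchange server; all thresholds except the Processor
# Queue Length rule are illustrative placeholders; object names are those in the lesson's tables.
$cores = (Get-WmiObject -Class Win32_Processor |
          Measure-Object -Property NumberOfLogicalProcessors -Sum).Sum

# Max = breach when the average is above the value; Min = breach when it is below
$checks = @(
    @{ Path = '\Processor(_Total)\% Processor Time';                          Max = 75 },
    @{ Path = '\System\Processor Queue Length';                                Max = 10 * $cores },  # from the lesson
    @{ Path = '\Memory\Available MBytes';                                      Min = 1024 },
    @{ Path = '\Memory\Pages/sec';                                             Max = 1000 },
    @{ Path = '\MSExchange ADAccess Domain Controllers(*)\LDAP Read Time';     Max = 50 },
    @{ Path = '\MSExchange ADAccess Domain Controllers(*)\LDAP Search Time';   Max = 50 },
    @{ Path = '\LogicalDisk(*)\Avg. Disk sec/Read';                            Max = 0.020 },
    @{ Path = '\LogicalDisk(*)\Avg. Disk sec/Write';                           Max = 0.020 },
    @{ Path = '\MSExchangeIS Store(*)\RPC Averaged Latency';                   Max = 50 },
    @{ Path = '\MSExchange Database ==> Instances(*)\I/O Database Reads Average Latency'; Max = 20 },
    @{ Path = '\ASP.NET\Application Restarts';                                 Max = 0 },
    @{ Path = '\ASP.NET\Requests Current';                                     Max = 5000 }
)

function Test-ExchangeCounters {
    param($Checks = $checks, [int]$Samples = 3, [int]$IntervalSeconds = 2)
    foreach ($c in $Checks) {
        try {
            $data = Get-Counter -Counter $c.Path -SampleInterval $IntervalSeconds `
                                -MaxSamples $Samples -ErrorAction Stop
        } catch {
            # Counter object missing on this role (e.g. MSExchangeIS Store on a Client Access server)
            [pscustomobject]@{ Counter = $c.Path; Instance = '-'; Value = $null; Threshold = $null; Status = 'NotPresent' }
            continue
        }
        # Average each instance over the samples and judge every instance separately
        $data.CounterSamples | Group-Object InstanceName | ForEach-Object {
            $avg = [math]::Round(($_.Group | Measure-Object -Property CookedValue -Average).Average, 3)
            $breach = ($c.ContainsKey('Max') -and $avg -gt $c.Max) -or
                      ($c.ContainsKey('Min') -and $avg -lt $c.Min)
            [pscustomobject]@{
                Counter   = $c.Path
                Instance  = if ($_.Name) { $_.Name } else { '-' }
                Value     = $avg
                Threshold = if ($c.ContainsKey('Max')) { "<= $($c.Max)" } else { ">= $($c.Min)" }
                Status    = if ($breach) { 'BREACH' } else { 'OK' }
            }
        }
    }
}

# Show only what needs attention: breaches and counters that could not be sampled
Test-ExchangeCounters | Where-Object { $_.Status -ne 'OK' } | Format-Table -AutoSize
```

Sampling each counter separately is slower than one Get-Counter call for the whole list, but it keeps a single missing object from aborting the run, which matters when the same script is used on both server roles.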
Using the Collected Performance Data
To determine which thresholds indicate an existing problem, set a monitoring baseline by reviewing performance data over a full business cycle.
Business cycles vary for each company, and your cycle should include both busy and slow periods. For some businesses, busy periods might correlate with the end-of-month accounting close process, or periods with notably high sales figures. Gathering a broad data set will provide sufficient data to determine the appropriate operating thresholds.
To use the collected performance data:
1. Create a monitoring baseline by averaging performance metrics from a properly operating system:
o Monitor performance for a full business cycle.
o Note any peaks or troughs in the data.
2. Set warning and error level thresholds.
3. Review growth trends regularly to:
o Adjust thresholds.
o Adjust server configurations.
It is important that you review your thresholds periodically so that you can adjust the servers, or the thresholds themselves, to ensure that the system is functioning properly.
Note: Operations Manager employs a self-tuning threshold technology. This feature automatically adjusts thresholds for an object's counters based on learned values. These thresholds are automatically adjusted according to the current system usage and comparison with the baseline that was learned during the previous monitoring.
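Where Operations Manager is not available, the manual procedure above and the recommendations in Establishing a Performance Baseline (office hours only, maintenance days excluded, a full business cycle) can be applied to Performance Monitor logs with Import-Counter. The script below is an added example, not course material: it reads the .blg files written over the baseline period, keeps only weekday office-hour samples outside the excluded days, and derives a per-counter average, a warning threshold and an error threshold. The log path, office hours, and the choice of the 95th percentile for warning and the observed maximum for error are assumptions for illustration.

```powershell
# Added example (not from the course): build a baseline and thresholds from Performance Monitor
# logs. Assumptions: the .blg files cover a full business cycle; office hours are Monday to Friday
# 08:00-18:00; warning = 95th percentile and error = highest observed value, both illustrative.
function Get-PerformanceBaseline {
    param(
        [Parameter(Mandatory)][string]$LogPath,    # e.g. 'C:\PerfLogs\ExchangeBaseline\*.blg'
        [datetime[]]$ExcludeDays = @(),            # days with updates or maintenance to leave out
        [int]$StartHour = 8,
        [int]$EndHour   = 18
    )
    $samples = Import-Counter -Path $LogPath -ErrorAction Stop |
        ForEach-Object { $_.CounterSamples } |
        Where-Object {
            $t = $_.Timestamp
            $t.DayOfWeek -notin 'Saturday', 'Sunday' -and
            $t.Hour -ge $StartHour -and $t.Hour -lt $EndHour -and
            $ExcludeDays -notcontains $t.Date
        }

    foreach ($group in ($samples | Group-Object -Property Path)) {
        $values = @($group.Group.CookedValue | Sort-Object)
        $n      = $values.Count
        $p95    = $values[[math]::Min($n - 1, [math]::Floor(0.95 * $n))]
        [pscustomobject]@{
            Counter = $group.Name
            Samples = $n
            Average = [math]::Round(($values | Measure-Object -Average).Average, 3)
            Peak    = [math]::Round($values[-1], 3)   # the "peaks" the procedure says to note
            Warning = [math]::Round($p95, 3)          # exceeded by only 5% of normal samples
            Error   = [math]::Round($values[-1], 3)   # never exceeded during the baseline period
        }
    }
}

# Usage: exclude the day a hardware change was made (placeholder date), review, then keep the
# thresholds next to the logs so that they can be re-derived after the next business cycle
$baseline = Get-PerformanceBaseline -LogPath 'C:\PerfLogs\ExchangeBaseline\*.blg' `
                                    -ExcludeDays (Get-Date '2013-05-14')
$baseline | Format-Table -AutoSize
$baseline | Export-Csv -Path 'C:\PerfLogs\ExchangeBaseline\thresholds.csv' -NoTypeInformation
```

Re-run the script after each business cycle and compare the new CSV with the previous one; a threshold that moves substantially between cycles is the growth trend the procedure tells you to review.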
Lesson 2: Maintaining Exchange Server 2013
Maintaining the Exchange Server messaging solution is an ongoing process that requires established procedures that will not affect server availability and user experience. Administrators also should follow best practices and recommendations from Microsoft related to maintenance procedures. Using change-management techniques to control change delivers many benefits, which are described in this lesson. Change management often includes controlling which software updates are applied, and how and when the updates are applied. It also includes managing your hardware upgrades.
In this lesson, you will review the importance of change management, and the techniques you can use to perform upgrades to your Exchange Server computers.
Exchange Server 2013 introduces two new concepts for managing health and performance: Workload Management and Managed Availability.
Lesson Objectives
After completing this lesson, you will be able to:
Describe Exchange workload management.
Configure Exchange workload management.
Describe managed availability.
Describe change management.
Plan deployment of Exchange software updates.
Plan Exchange hardware updates.
What Is Exchange Workload Management?
Exchange Server 2013 introduces a new concept in monitoring and management called Workload Management. A workload is defined as a feature, protocol, or service, such as Outlook Web App, Exchange ActiveSync, or mailbox migration.
Workloads such as Outlook Web App are monitored and managed instead of the services that Outlook Web App uses or depends upon, such as Internet Information Services (IIS) and Active Directory.
You can manage workloads in Exchange Server 2013 in the following ways:
Monitoring system resources. This type of monitoring was introduced in Microsoft Exchange Ser
server resources are highly utilized, Exchange Server progressively slows down the lowest priorityw
hest priority and Discretionary classification has the lowest priority. System resource thresholds, wh
Controlling how individual users consume resources. This method of managing workloads introduc
o Burst allowances. Exchange Server allows users to have greater resource consumption for short pe
o Recharge rate. Exchange server uses a resource budget system, where administrators set a rate wh
o Traffic shaping. Exchange Server delays the user whenever a user reaches the configured limit for
and almost undetectable.
o Maximum usage. Exchange Server temporarily blocks users from performing their tasks, because
Configuring Exchange Workload Management
Exchange workload management is configured in the Exchange Management Shell by creating or changing the workload management policy settings. These settings can be configured at the organizational level and applied to all Exchange servers in the organization, or at the server level and applied only to that specific server.
The cmdlets used to manage resource policy include:
New-ResourcePolicy
Remove-ResourcePolicy
Get-ResourcePolicy
Set-ResourcePolicy
Cmdlets used to manage workload management policy include:
New-WorkloadManagementPolicy
Remove-WorkloadManagementPolicy
Get-WorkloadManagementPolicy
Cmdlets used to manage workload policies include:
New-WorkloadPolicy
Remove-WorkloadPolicy
Get-WorkloadPolicy
Set-ResourcePolicy
Throttling policies are managed and assigned by using the following cmdlets:
New-ThrottlingPolicy
Get-ThrottlingPolicy
Set-ThrottlingPolicy
Remove-ThrottlingPolicy
Get-ThrottlingPolicyAssociation
Set-ThrottlingPolicyAssociation
To display current workload management policies, use the following cmdlet:
Get-WorkloadManagementPolicy
To change the default workload management policy for your organization's Outlook Web App workload, use the following cmdlet:
New-WorkloadPolicy OrgOWAWorkloadPolicy -WorkloadType OWA -WorkloadClassification Discretionary -WorkloadManagementPolicy GlobalOverrideWorkloadManagementPolicy
To create a workload management policy for Outlook Web App for a specific server, perform the following steps:
1. You should create a custom workload management policy that will be applied later to a specific
New-WorkloadManagementPolicy LondonWorkloadManagementPolicy
2. Next, you should create a new Outlook Web App workload policy by using the following cmdl
New-WorkloadPolicy LondonOWAWorkloadPolicy -WorkloadType OWA -WorkloadClassification Discretionary -WorkloadManagementPolicy LondonWorkloadManagementPolicy
3. At the end, you should apply the custom workload management policy you just created to a spe
Set-ExchangeServer -WorkloadManagementPolicy LondonWorkloadManagementPolicy -Identity LON-MBX01
What Is Managed Availability?
Managed availability is a new infrastructure for monitoring and managing Exchange workloads.
Managed availability monitors the Exchange workloads' health state. If there are any issues with an Exchange workload's health state, managed availability will try to perform recovery of the Exchange workload. This feature provides users with continued access to their mailboxes to avoid experiencing any failures or disconnections.
In previous Exchange Server versions, whenever server or performance issues arose, administrators usually performed one of the following procedures to troubleshoot and diagnose the issue:
Check whether the service is running in the Services console.
Run different test cmdlets.
Review data in the performance monitor console.
In Exchange Server 2013, managed availability monitors workloads instead of services or performance. If any Exchange workload has a slow response or is not responding, managed availability will try to detect and recover the workload. Managed availability is integrated with Exchange Server high availability. For example, a database failover might be initiated even when the active database itself is healthy, but the protocol that connects clients to their mailboxes located on that particular database is not responding.
Managed availability consists of three components:
Probes. Uses checks to monitor current user connections and creates notifications based on current
Monitor engine. Analyzes data output from the probe engine, and reacts with two possible decision
Responder engine. Tries to recover the Exchange workload if the monitor state is unhealthy. Depen
sue resolution, then the responder will escalate the issue, by notifying the administrators or by creat
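The verdicts of the monitor engine described above are exposed in the Exchange Management Shell by Get-HealthReport (one line per health set, that is, per workload) and Get-ServerHealth (one line per monitor). The script below is an added example, not course material, that lists the monitors a server currently reports as unhealthy, which is the first thing to look at before the responder engine's own escalation arrives. The server name is an assumption; the AlertValue property holding the Healthy/Unhealthy verdict is the one these cmdlets expose.

```powershell
# Added example (not from the course): list unhealthy managed availability monitors.
# Assumptions: run in the Exchange Management Shell; server name defaults to the local host;
# AlertValue carries the monitor's current verdict (Healthy, Unhealthy, Degraded, ...).
function Get-UnhealthyMonitors {
    param([string]$Server = $env:COMPUTERNAME)

    # Start from the health sets (workloads) that are not Healthy as a whole
    $sets = Get-HealthReport -Identity $Server | Where-Object { $_.AlertValue -ne 'Healthy' }

    foreach ($set in $sets) {
        # Then drill into the individual monitors of each unhealthy set
        Get-ServerHealth -Identity $Server -HealthSet $set.HealthSet |
            Where-Object { $_.AlertValue -ne 'Healthy' } |
            Select-Object Server, HealthSetName, Name, AlertValue,
                          TargetResource,         # e.g. the database or protocol the monitor watches
                          LastTransitionTime      # when the monitor last changed state
    }
}

$unhealthy = Get-UnhealthyMonitors
if ($unhealthy) {
    $unhealthy | Sort-Object HealthSetName, Name | Format-Table -AutoSize
} else {
    "All managed availability health sets on $env:COMPUTERNAME report Healthy"
}
```

Because managed availability can fail over a database when a protocol monitor is unhealthy even though the database itself is fine, reading the unhealthy monitor's TargetResource is how you tell a protocol problem from a storage problem when you investigate an unexpected failover.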
Considerations for Change Management
The change-management process varies widely from organization to organization. The basic components for managing change are:
Adopt a process model. A number of well-defined frameworks are available, such as Microsoft Operations Framework. Adopting an establish
Define a process and use it consistently. Once you have implemented a process, ensure that everyon
Support the change-management process. If you do not support the process properly, you will not b
Successful change management depends on ensuring that everyone, from the engineers who implement the changes to the organization's executives, understands the process and follows it. Although managing change requires additional work up front, the process ensures proper and effective change. Properly implementing change saves time and effort, and improves user satisfaction.
Planning Deployment of Exchange Software Updates
You can update Microsoft Exchange Server 2013 by applying update rollup packages and service packs.
Unlike other products such as Windows Server, you cannot update Exchange Server by releasing single update files; instead, you must use packages that contain several updates and fixes.
Service packs and update rollups are part of the servicing strategy for Exchange Server 2013. These resources provide an effective and easy method for distributing Exchange Server 2013 fixes and modifications. We recommend that you install the latest service pack and update rollup to keep the product up-to-date.
The latest update rollup in the series includes the fixes that were released in previous update rollups for the same series. For example, if you install Update Rollup 3 for Exchange Server 2013 RTM, it includes the fixes that were released in Update Rollup 1 and Update Rollup 2. Therefore, you need only the latest Update Rollup to be current.
Applying rollup packages and service packs is usually a straightforward procedure. However, in some scenarios, you should consider the following:
When you install an update rollup package, Exchange tries to connect to the certificate revocation l
(CRL) website. Exchange examines the CRLs to verify the code signing certificate. If Exchange Se
to reduce installation times, turn off the Check for publisher's certificate revocation option on the
When you apply an update rollup package, the update process may update the Logon.aspx file. If yo
d correctly, and after the update process is finished, Outlook Web App may display a blank page. T
create the Outlook Web App customizations in the Logon.aspx file.
If you have deployed Client Access server to Client Access server proxying, you must apply the up
When you install an update rollup, the Setup program automatically stops the appropriate Exchange
od of scheduled maintenance or during a period of low business impact.
When you install an update rollup on a server that is a database availability group (DAG) member,
The general process for installing update rollups on a DAG member is:
1. Run the StartDagServerMaintenance.ps1 script to put the DAG member into maintenance mode
2. Install the update rollup.
3. Run the StopDagServerMaintenance.ps1 script to take the DAG member out of maintenance m
4. Optionally, rebalance the DAG by using the RedistributeActiveDatabases.ps1 script.
5. Use this process to install operating system updates from Microsoft Update.
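The DAG patching sequence above, scripted with a verification step between draining the member and installing the update. This is an added example, not a script from the course; it assumes the lab names LON-MBX1 and DAG1, that the rollup is an .msp package whose path is a placeholder, and that the Exchange maintenance scripts live in the Scripts folder under the Exchange install path.

```powershell
# Added example (not course material): patch one DAG member safely.
# Assumptions: server LON-MBX1 in DAG1 (course lab names); rollup path is a placeholder.
param(
    [string]$ServerName = "LON-MBX1",
    [string]$DagName    = "DAG1",
    [string]$RollupPath = "C:\Updates\Exchange2013-Rollup-PLACEHOLDER.msp"   # placeholder, replace
)

# Exchange 2013 installs the DAG maintenance scripts under <install path>\Scripts
# (the same folder the $exscripts variable points to in the Exchange Management Shell).
$scripts = Join-Path $env:ExchangeInstallPath "Scripts"

# Step 1: enter maintenance mode. The script moves active copies off this member and
# blocks activation so no database is served from it during the update.
& (Join-Path $scripts "StartDagServerMaintenance.ps1") -serverName $ServerName

# Verify the drain actually completed before touching binaries: no copy on this server
# may still be the active (mounted) copy, and auto activation must be Blocked.
$stillActive = Get-MailboxDatabaseCopyStatus -Server $ServerName |
               Where-Object { $_.ActiveCopy -eq $true }
if ($stillActive) {
    throw "Active copies remain on $ServerName ($($stillActive.DatabaseName -join ', ')); not patching."
}
if ((Get-MailboxServer -Identity $ServerName).DatabaseCopyAutoActivationPolicy -ne 'Blocked') {
    throw "Auto activation on $ServerName is not Blocked; maintenance mode did not complete."
}

# Step 2: install the rollup. /norestart keeps the reboot under the maintenance window's control.
$proc = Start-Process -FilePath msiexec.exe `
        -ArgumentList "/update `"$RollupPath`" /quiet /norestart" -Wait -PassThru
if ($proc.ExitCode -ne 0 -and $proc.ExitCode -ne 3010) {    # 3010 = success, reboot required
    throw "Rollup installer failed with exit code $($proc.ExitCode); member stays in maintenance mode."
}

# Step 3: leave maintenance mode, then confirm replication checks pass again.
& (Join-Path $scripts "StopDagServerMaintenance.ps1") -serverName $ServerName
$failed = Test-ReplicationHealth -Identity $ServerName | Where-Object { $_.Result -ne 'Passed' }
if ($failed) { $failed | Format-Table Check, Result, Error -AutoSize }

# Step 4 (optional): put active copies back on their preferred members.
& (Join-Path $scripts "RedistributeActiveDatabases.ps1") -DagName $DagName `
    -BalanceDbsByActivationPreference -Confirm:$false
```

If the installer returns 3010, restart the server before running the stop script, because the member should rejoin the DAG only after the update is fully applied.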
Planning Exchange Hardware Upgrades
Exchange Server 2013 uses hardware more efficiently than previous Exchange Server versions, which means there may be less need than in the past to upgrade hardware. In particular, Exchange Server 2013 reduces disk activity. Disk capacity is one of the most commonly required hardware upgrades.

Proactively monitoring hardware performance (processor, memory, disk, or network) is the best way to determine if there are bottlenecks in the environment. Another way to research hardware issues is to gather and examine user feedback. You should not rely solely on user feedback as the first indication of issues, but it can help you pinpoint particular user issues with the hardware.
However, since Exchange Server 2013 fully supports virtual environments, you might consider deploying new virtual Exchange servers instead of upgrading hardware on existing physical servers. This approach provides better load balancing and resource distribution, and a higher level of redundancy.
For example, if you want to host more mailboxes, you do not have to upgrade hardware resources on a current Mailbox server. Instead, you can deploy a new Mailbox server, move some mailboxes to it, and then form a DAG. In this way, you scale out your Exchange environment instead of scaling it up.
When you plan for virtualization, you should consider deploying hardware that lets you increase physical resources for the virtual environment when needed. When you plan for physical Exchange server deployment, you might consider using blade servers for scale out, because they have the same architecture and provide unified monitoring and management.
Lesson 3: Troubleshooting Exchange Server 2013
Even in a well-maintained Exchange Server 2013 organization, problems can arise, and you must identify and repair them. Although general troubleshooting guidelines exist, your experience and an analytical attitude often provide the best tools to successfully detect the problem's source and fix it.
Lesson Objectives
After completing this lesson, you will be able to:
Develop a troubleshooting methodology.
Troubleshoot database failures.
Troubleshoot database replication.
Troubleshoot performance issues.
Troubleshoot connectivity issues.
Describe troubleshooting tools.
Describe how to troubleshoot Mailbox servers.
Describe how to troubleshoot Client Access servers.
Describe how to troubleshoot Transport components.
Developing a Troubleshooting Methodology
To troubleshoot effectively, you must identify and diagnose problems, and then determine and execute the necessary repair. There are many troubleshooting methods, and they vary depending on the type of problem that you need to resolve.
The key is to implement a repeatable troubleshooting process so that you can quickly resolve problems. A common troubleshooting method is to:
1. Clearly define the problem. Obtain an accurate description of the problem by verifying the reporte
2. Define the problem's scope. When you define the scope of the problem, you actually define the are
3. Gather information related to the problem. Turn up logging, review event logs, and try to reproduc
without coming to conclusions and making premature decisions about the nature of the problem.
4. List the potential causes of the problem. With the problem statement and gathered data, you can enu
ns. Search your company knowledge base, product support documentation, and the Internet for info
5. Rank the possible causes by probability, and define their solutions. Create a list of either solutions
tions.
6. Rank solutions by ease of resolution and impact to complete. You should try the most likely soluti
to try the less probable but less invasive solutions first.
7. Try the most probable and easily implemented resolutions first. Work through the list of solutions,
8. Reduce logging to normal. To reduce server loads, be sure to return all settings back to normal.
9. Document the resolution and root cause for future reference. Although you may remember details
Question: Why is it important to have a methodology for troubleshooting?
Troubleshooting Database Failures
Database availability and health are critical for Exchange Server functioning, because all mailboxes and data are stored on mailbox databases.
Administrators should follow guidelines and best practices on creating, configuring, managing, and maintaining mailbox databases.
If mailbox database failure occurs, use the troubleshooting methodology previously discussed, and incorporate the following guidelines:
Analyze event logs. If your organization does not use a monitoring solution such as System Center
Troubleshoot storage-system health. Databases can be corrupted in a scenario in which the storage s
system functioning, replace it, recover databases from backup, or reseed the database if configured
Check disk free space. If the logical disk where your databases are located is full, the database will
here more free disk space exists.
Analyze service dependencies. Mailbox databases are managed by the Microsoft Exchange Inform
vestigate their failures and to try to bring them back to a running state.
Analyze which applications are installed on Exchange Server. Some organizations deploy third-party business applications that communicate with their Exchange servers. If these applications are
which will also result in database failure. Make sure that no applications can access the Exchange s
Troubleshooting Database Replication
Organizations that have deployed DAGs should carefully monitor and manage DAG components and services. Monitoring replication enables you to maintain healthy and redundant databases across multiple DAG members.

If database replication failure occurs, use the troubleshooting methodology previously discussed, and incorporate the following guidelines:
Use database-failure troubleshooting guidelines. Check for individual database-health guidelines th
Check if Microsoft Exchange Replication service is running. Database replication in DAG member
Exchange Active Directory Topology service.
Use Exchange Management Shell cmdlets. You can use different test cmdlets in order to troublesho
You can use the Test-ReplicationHealth cmdlet to troubleshoot database replication and to review
Test-ReplicationHealth -Identity LON-MBX1
You can use the Get-MailboxDatabaseCopyStatus cmdlet to analyze health and status informatio
Get-MailboxDatabaseCopyStatus -Identity ExecutivesDB | Format-List
You can use the CollectOverMetrics.ps1 script that collects metrics in real time, while the script is
database replication for database ExecutivesDB:
.\CollectOverMetrics.ps1 -DatabaseAvailabilityGroup DAG1 -Database:"ExecutivesDB" -GenerateHTMLReport -ShowHTMLReport
Troubleshoot network infrastructure. If the network infrastructure that DAG members are using for
ios provides redundant network paths for database replication.
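The replication guidelines above combined into one check that runs against every member of a DAG: the Replication and AD Topology services, Test-ReplicationHealth, and the per-copy status and queue lengths from Get-MailboxDatabaseCopyStatus. This is an added example, not course code; the DAG name DAG1 and the queue-length thresholds are assumptions.

```powershell
# Added example (not course material): replication health sweep for one DAG.
# Assumptions: DAG1 is the course lab DAG name; queue thresholds are illustrative.
param(
    [string]$DagName       = "DAG1",
    [int]   $MaxCopyQueue   = 10,   # log files not yet shipped to the passive copy
    [int]   $MaxReplayQueue = 50    # log files shipped but not yet replayed into the copy
)

$dag = Get-DatabaseAvailabilityGroup -Identity $DagName
$findings = @()

foreach ($member in $dag.Servers) {
    $name = $member.Name

    # Replication depends on the Replication service and, beneath it, AD Topology.
    foreach ($svc in 'MSExchangeADTopology', 'MSExchangeRepl') {
        $s = Get-Service -ComputerName $name -Name $svc -ErrorAction SilentlyContinue
        if ($null -eq $s -or $s.Status -ne 'Running') {
            $findings += "$name : service $svc is not running"
        }
    }

    # Test-ReplicationHealth covers cluster, quorum, replay-service and copy checks per member.
    Test-ReplicationHealth -Identity $name |
        Where-Object { $_.Result -ne 'Passed' } |
        ForEach-Object { $findings += "$name : check $($_.Check) -> $($_.Result) $($_.Error)" }

    # Per-copy view: any state other than Mounted/Healthy, or a backed-up queue, needs attention.
    foreach ($copy in Get-MailboxDatabaseCopyStatus -Server $name) {
        if ($copy.Status -notin 'Mounted', 'Healthy') {
            $findings += "$($copy.Name): status $($copy.Status) $($copy.ErrorMessage)"
        }
        if ($copy.CopyQueueLength -gt $MaxCopyQueue) {
            # Copy queue growth usually points at the replication network or the source.
            $findings += "$($copy.Name): copy queue $($copy.CopyQueueLength) > $MaxCopyQueue"
        }
        if ($copy.ReplayQueueLength -gt $MaxReplayQueue) {
            # Replay queue growth usually points at disk throughput on the passive copy.
            $findings += "$($copy.Name): replay queue $($copy.ReplayQueueLength) > $MaxReplayQueue"
        }
        if ($copy.ContentIndexState -ne 'Healthy') {
            $findings += "$($copy.Name): content index $($copy.ContentIndexState)"
        }
    }
}

if ($findings.Count -eq 0) { "All database copies in $DagName are healthy." } else { $findings }
```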
Troubleshooting Performance Issues
Performance issues can affect user experience and organizations in an Exchange Server production environment. Therefore, you must perform a detailed analysis and diagnose the reasons for the performance issues. Performance issues may result from a variety of circumstances, including:

Increased number of user mailboxes because of new employees.
New software is installed, such as backup software, or software that is connected to the Exchange
A new update is installed that is not configured according to documentation best practices, or the
A security issue, malware, or network attack.
If performance issues occur, use the troubleshooting methodology previously discussed, and incorporate the following guidelines:
Operations Manager. If you are using Operations Manager, review the events reported, and use its d
Performance Monitor. If you are using Performance Monitor in Windows Server 2012, review the r
Performance Counters. Compare the current performance counters with your server's performance
Software Upgrade Issues. If the performance issue is related to a software upgrade, plan the approp
the new server.
Malware Issues. If the performance issue is related to malware, disconnect the server from the netw
t just your Exchange servers.
Troubleshooting Connectivity Issues
Exchange Server 2013 relies on fast and reliable network connections with domain controllers, because most of the Exchange Server configuration data is stored on domain controllers. Client connections also rely on stable network connectivity with client access servers to provide users with a productive messaging environment where they can perform their tasks.

If connectivity issues occur, use the troubleshooting methodology previously discussed, and include the following guidelines:
Use Microsoft Remote Connectivity Analyzer. Microsoft Remote Connectivity Analyzer is a web-based tool that simulates external client connect
Use Microsoft Connectivity Analyzer Tool. Microsoft Connectivity Analyzer Tool is a client progr
Analyze internal network infrastructure. Work closely with your network administrators to identify
o Internal network equipment failures.
o Internet network communication equipment.
o Firewall devices.
Analyze Exchange servers' firewall configuration. Each Exchange server has its own setting in Win
Analyze Client Access servers' health. Whenever users report connectivity issues, check for Client
ember of the Client Access array.
Troubleshooting Tools
Over time, many Exchange Server troubleshooting tools have been introduced. Each tool has a specific purpose, but they all require detailed product knowledge and information about your environment to detect potential problem solutions.

Two primary tools include:
Microsoft Remote Connectivity Analyzer. Microsoft Remote Connectivity Analyzer is a web-based tool that simulates external client connections to your Exchange Server infrastructure. In add
Microsoft Connectivity Analyzer Tool. Microsoft Connectivity Analyzer Tool is a client program th
Delivery Reports. Delivery Reports is a message-tracking tool in the Exchange Administration Cen
Other tools, such as the Performance Monitor, check the health of the Exchange Server processes. You can use the Queue Viewer to view the message status in transport queues. Tools such as Network Monitor and Telnet can help troubleshoot network issues and message tracking, and the Routing Log Viewer can help you troubleshoot message delivery issues.
In addition to the Exchange Administration Center, the Exchange Management Shell, and Active Directory Users and Computers, there are many other tools that you can use to manage and troubleshoot an Exchange Server 2013 organization. A number of these tools are included in the following table.

Tool name: Description
ADSI Edit (adsiedit.msc): Use this tool for low-level editing of Active Directory objects and attributes.
Event Viewer (eventvwr.msc): Use this MMC snap-in to view logged events such as errors and warnings.
Performance Monitor: Use this tool to monitor the performance of hardware components, operating
Task Manager: Use this tool to review which services are running and how many resources t
Exchange Server Database Utilities (Eseutil.exe): Use this tool to perform offline database procedures, such as defragmentation
New-MailboxRepairRequest: Use this tool to find and remove errors in the mailbox and public folder datab
LDP (ldp.exe): Use this tool to perform operations such as connect, bind, search, modify, add
Microsoft Baseline Security Analyzer (MBSA) (GUI: MBSA.exe; command line: mbsacli.exe): Use this tool to determine the security state of the organization's servers in ac
Microsoft Error Reporting: Exchange Server 2013 uses this tool to collect crash dumps and debug inform
bout errors to Microsoft, and to receive information about errors. Administrat
Process Monitor (procmon.exe): Use this tool to monitor real-time file system, registry, and process/thread act
Test-OutlookConnectivity: Use this cmdlet to confirm the Outlook Anywhere connectivity between the c
Telnet (telnet.exe): Use this tool to troubleshoot Exchange Server mail flow.

Discussion: Troubleshooting Mailbox Servers
When you troubleshoot Mailbox server issues, you should check the databases' health and availability first. Use tools such as the Database Troubleshooter and the Event Viewer to identify the problem and work toward a resolution.

Question: A database has gone offline. What process can you use to troubleshoot the problem?
Discussion: Troubleshooting Client Access Servers
You can apply standard troubleshooting techniques to the unique problems that can occur with Client Access servers. Use tools such as the Remote Connectivity Analyzer and Event Viewer to identify the problem and work toward a resolution.

Question: Outlook users can no longer connect to the system. What process can you use to troubleshoot the problem?
Discussion: Troubleshooting Transport Components
Transport server issues usually are due to mail queue database corruption or network connectivity problems. Use tools such as the Microsoft Remote Connectivity Analyzer, Delivery Reports, and Queue Viewer to identify the problem, and then work toward a resolution.

Question: Users are reporting non-deliverable and slow-to-deliver outbound email. What process can you use to troubleshoot the problem?
Lab: Monitoring and Troubleshooting Exchange Server 2013
Scenario
You are the messaging administrator at A. Datum Corporation. You need to configure basic monitoring by using the Performance Monitor. You also need to troubleshoot mailbox database and Client Access server issues.
Objectives
After performing this lab, you will be able to:
1. Monitor Exchange Server.
2. Troubleshoot database availability.
3. Troubleshoot Client Access servers.
Lab Setup
Estimated Time: 60 minutes
Virtual machines: 20341B-LON-DC1, 20341B-LON-CAS1, 20341B-LON-MBX1
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Mana
2. In Hyper-V Manager, click 20341B-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
a. User name: Adatum\Administrator
b. Password: Pa$$w0rd
5. Repeat steps 2 to 4 for 20341B-LON-MBX1 and 20341B-LON-CAS1.
Exercise 1: Monitoring Exchange Server
Scenario
You are the messaging administrator at A. Datum Corporation. You need to configure basic monitoring using the Windows Performance Monitor. Before you implement Microsoft System Center Operations Manager to monitor your Exchange Server 2013 computers, you must create a data collector set to monitor key performance components that are running on your Mailbox server.
The main tasks for this exercise are as follows:
1. Create a new data collector set named Exchange Monitoring
2. Create a new performance-counter data collector set for monitoring basic Exchange Server performance
3. Create a new performance-counter data collector set for monitoring Mailbox server role perform
4. Verify that the data collector set works properly
Task 1: Create a new data collector set named Exchange Monitoring
1. On LON-MBX1, from Server Manager open the Performance Monitor, and create a data collector set named
Task 2: Create a new performance-counter data collector set for monitoring basic Exchange Server performance
1. Add a new data collector to the Exchange Monitoring data collector set named
2. Add the performance counters in the following table to monitor basic Exchang

Object: Counter
Processor: % Processor Time, % User Time, % Privileged Time
MSExchange ADAccess Domain Controllers: LDAP Read Time, LDAP Search Time, LDAP Searches timed out per minute, Long running LDAP operations/Min
Memory: Available Mbytes, Page Reads/sec, Pages Input/sec, Pages/sec, Pages Output/sec, Pool Paged Bytes, Transition Pages Repurposed/sec
System: Processor Queue Length


Task 3: Create a new performance-counter data collector set for monitoring Mailbox server role performance
1. Add a new data collector to the Exchange Monitoring data collector set named M
2. Add the following performance counters to monitor basic Exchange Server 2013

Object: Counter
LogicalDisk: Avg. Disk sec/Read, Avg. Disk sec/Transfer, Avg. Disk sec/Write
MSExchangeIS Store: RPC Average Latency, RPC Operations/sec, RPC Requests, Messages Delivered/sec

Task 4: Verify that the data collector set works properly
1. Start the Exchange Monitoring data collector set, and let it run for five minutes.
2. Stop the Exchange Monitoring data collector set, and then review the latest report.
3. Close the Performance Monitor.
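The same Exchange Monitoring data collector set built from the shell with logman, using the counters from the Task 2 and Task 3 tables, so it can be reproduced on every Mailbox server instead of clicked through in Performance Monitor. This is an added example, not part of the course lab; the output folder, the 15-second sample interval, and the 512 MB log size are assumptions.

```powershell
# Added example (not course material): create and start the "Exchange Monitoring"
# data collector set with the lab's counters. Output path and interval are assumptions.
$setName = "Exchange Monitoring"
$outDir  = "C:\PerfLogs\ExchangeMonitoring"   # assumed location for the .blg logs

$counters = @(
    # Basic Exchange Server performance (Task 2 table)
    '\Processor(_Total)\% Processor Time'
    '\Processor(_Total)\% User Time'
    '\Processor(_Total)\% Privileged Time'
    '\MSExchange ADAccess Domain Controllers(*)\LDAP Read Time'
    '\MSExchange ADAccess Domain Controllers(*)\LDAP Search Time'
    '\MSExchange ADAccess Domain Controllers(*)\LDAP Searches timed out per minute'
    '\MSExchange ADAccess Domain Controllers(*)\Long running LDAP operations/Min'
    '\Memory\Available MBytes'
    '\Memory\Page Reads/sec'
    '\Memory\Pages Input/sec'
    '\Memory\Pages/sec'
    '\Memory\Pages Output/sec'
    '\Memory\Pool Paged Bytes'
    '\Memory\Transition Pages Repurposed/sec'
    '\System\Processor Queue Length'
    # Mailbox server role performance (Task 3 table)
    '\LogicalDisk(*)\Avg. Disk sec/Read'
    '\LogicalDisk(*)\Avg. Disk sec/Transfer'
    '\LogicalDisk(*)\Avg. Disk sec/Write'
    '\MSExchangeIS Store(*)\RPC Average Latency'
    '\MSExchangeIS Store(*)\RPC Operations/sec'
    '\MSExchangeIS Store(*)\RPC Requests'
    '\MSExchangeIS Store(*)\Messages Delivered/sec'
)

# Keep only counters that resolve on this server; one unknown counter makes logman
# reject the whole configuration file (Exchange objects are missing without the Mailbox role).
$valid = foreach ($c in $counters) {
    try   { Get-Counter -Counter $c -ErrorAction Stop | Out-Null; $c }
    catch { Write-Warning "Counter not found on this server, skipped: $c" }
}

New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$cfgFile = Join-Path $outDir "counters.txt"
$valid | Set-Content -Path $cfgFile -Encoding ASCII

# Binary circular log, 15-second samples, capped at 512 MB; logman versions the .blg name.
logman create counter $setName -cf $cfgFile -si 00:00:15 -f bincirc -max 512 `
    -o (Join-Path $outDir "ExchangeMonitoring") | Out-Null
logman start $setName | Out-Null
logman query $setName        # shows Status: Running and the resolved counter list

# Task 4 equivalent after the five-minute run (uncomment to use):
# logman stop $setName
# Get-ChildItem $outDir -Filter *.blg | ForEach-Object { relog $_.FullName -f csv -o ($_.FullName -replace '\.blg$', '.csv') }
```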
Results: After this exercise, you should have created a data collector set for monitoring LON-MBX1 that uses the recommended performance counters.
Exercise 2: Troubleshooting Database Availability
Scenario
You are the messaging administrator for A. Datum Corporation. After recovering from a hardware failure, your monitoring software reports that one of the mailbox databases is not mounted. You must troubleshoot and repair the database problem.
The main tasks for this exercise are as follows:
1. Identify the scope of the problem
2. Review the event logs
3. List the probable causes of the problem, and rank the possible solutions if multiple options exis
4. Review the database configuration
5. Reconfigure and mount the database
Task 1: Identify the scope of the problem
Before you begin this exercise, complete the following steps:
1. On LON-MBX1, open the Exchange Management Shell. At the prompt, type c:\scripts\Lab11Pre
2. On LON-MBX1, open the Exchange admin center using the link https://lon-cas1.adatum.com/ec
3. Identify which, if any, mailbox databases are not mounted on LON-MBX1. Verify that database
4. Try to mount the database, and verify that two warning windows will appear, where the second w
Task 2: Review the event logs
1. Open the Event Viewer. In the Application Log and System Log, review the events generated,
Task 3: List the probable causes of the problem, and rank the possible solutions if multiple options exist
List the problems and possible solutions:

Problem Possible solution

Task 4: Review the database configuration
1. On LON-MBX1, open the Exchange Administration Center, and then review the database conf
2. Open a File Explorer window, and locate the database files.
Task 5: Reconfigure and mount the database
1. On LON-MBX1, in the Exchange Management Shell, reconfigure the MailboxDB100 database
Move-DatabasePath MailboxDB100 -LogFolderPath "C:\Program Files\Microsoft\Exchange Server\V15\Mailbox\MailboxDB100" -EdbFilePath "C:\Program Files\Microsoft\Exchange Server\V15\Mailbox\MailboxDB100\MailboxDB100.edb" -ConfigurationOnly -Force
2. Mount the database by running following cmdlet:
Mount-Database MailboxDB100
3. In the EAC, verify that database MailboxDB100 status is Mounted.
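The diagnosis behind Tasks 1, 2 and 4 of this exercise as one script: list the databases that are not mounted on the server, pull the most recent ESE and Information Store errors from the Application log, and check whether the configured .edb and log paths exist before Mount-Database is attempted. This is an added example, not course material; the server name is the lab's LON-MBX1, and checking the paths through the server's administrative share is an assumption.

```powershell
# Added example (not course material): why is a mailbox database dismounted?
# Assumption: LON-MBX1 (course lab name); paths are checked over the admin share.
param([string]$Server = "LON-MBX1")

# Task 1 equivalent: configuration plus live mount state (-Status) for every database on the server.
$report = foreach ($db in Get-MailboxDatabase -Server $Server -Status) {
    $edbPath = $db.EdbFilePath.PathName
    $logPath = $db.LogFolderPath.PathName
    # Paths are local to the Mailbox server, so test them as \\server\C$\...
    $edbRemote = "\\$Server\" + $edbPath.Replace(':', '$')
    $logRemote = "\\$Server\" + $logPath.Replace(':', '$')
    [pscustomobject]@{
        Database  = $db.Name
        Mounted   = $db.Mounted
        EdbPath   = $edbPath
        EdbExists = Test-Path -LiteralPath $edbRemote
        LogPath   = $logPath
        LogExists = Test-Path -LiteralPath $logRemote
    }
}
$report | Format-Table -AutoSize

# Task 2 equivalent: the latest ESE / Information Store errors explain most failed mounts.
Get-WinEvent -ComputerName $Server -MaxEvents 10 -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Application'; ProviderName = 'ESE', 'MSExchangeIS'; Level = 2 } |
    Select-Object TimeCreated, Id, ProviderName, Message | Format-List

# Task 4 equivalent: separate "configuration points at missing files" from "files are there".
foreach ($row in ($report | Where-Object { -not $_.Mounted })) {
    if (-not $row.EdbExists -or -not $row.LogExists) {
        # Typical after a hardware failure or disk replacement: the files moved, the
        # configuration did not. Fix it with Move-DatabasePath -ConfigurationOnly, as in Task 5.
        Write-Warning ("{0}: configured path missing (edb={1}, logs={2}). Locate the files, then " +
            "run Move-DatabasePath -ConfigurationOnly with the correct -EdbFilePath and -LogFolderPath." -f
            $row.Database, $row.EdbExists, $row.LogExists)
    } else {
        Write-Warning ("{0}: files present but database dismounted; review the errors above " +
            "(corruption or storage problems) before running Mount-Database {0}." -f $row.Database)
    }
}
```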
Results: After this exercise, you should have used a troubleshooting technique to identify and fix a Mailbox server problem.
Exercise 3: Troubleshooting Client Access Servers
Scenario
You are the messaging administrator for A. Datum Corporation. Users report that they cannot log on to Outlook Web App. You need to determine and then repair the problem.
The main tasks for this exercise are as follows:
1. Use the Test cmdlets to verify server health
2. List the probable causes of the problem, and rank the possible solutions if multiple options exis
3. Check the Outlook Web App configuration
4. Verify that you resolved the problem
Task 1: Use the Test cmdlets to verify server health
Before you begin this exercise, complete the following steps:
1. On LON-MBX1, in the Exchange Management Shell, at the prompt, type c:\scripts\Lab11Pre
2. Close the Exchange Management Shell.
3. On LON-MBX1, open the Exchange Management Shell, and run the Test-ServiceHealth cmdl
4. Verify that the output does not return any errors.
5. Run the Test-OwaConnectivity -URL https://LON-MBX1.Adatum.com/OWA -TrustAny
6. Note the authentication errors.
Task 2: List the probable causes of the problem, and rank the possible solutions if multiple options exist
List the problems and possible solutions:
Problem Possible solution

Task 3: Check the Outlook Web App configuration
1. On LON-MBX1, verify that you cannot log on to EAC.
2. From Exchange Management Shell, display the verification methods for owa virtual directory,
3. From Exchange Management Shell, configure the verification method for owa virtual directory
4. From Exchange Management Shell, run IISReset command.
5. Verify that you can start the Exchange Administration Center.
Task 4: Verify that you resolved the problem
1. Attempt to log on to https://LON-CAS1.adatum.com/owa as Adatum\Administrator with the pa
2. Confirm that Administrator can now access Outlook Web App, and then close Internet Explore
Results: After this exercise, you should have used a troubleshooting technique to identify and fix a Client Access server problem.
Question: Users are reporting issues with sending email to a remote domain. You need to determine and resolve the problem. What should you do?
Question: Because of recent organizational growth, you are experiencing two issues. Several memory thresholds have exceeded recommended limits, and recommended limits have also been exceeded for the average read-latency threshold for the logical disk that stores the page file. Which issue should you address first?
Module Review and Takeaways
Best Practice
Supplement or modify the following best practices for your own work situations:
Follow the same steps each time you troubleshoot a problem. Then you will get into a habit of maki
Be diligent about separating the facts about the issue from any subjective information. A single pers
Ask many questions about the problem before you start to troubleshoot. If you have not properly defined the problem, you cannot properly target your troubleshooting steps.
Common Issues and Troubleshooting Tips
Common Issue
A company has recently experienced growth because of a popular new product. The company has had numerous Mail serverou
A database has gone offline, and the organization needs to troubleshoot the problem. A number of impatient users have mailbox
An Exchange Server service pack was recently released, and the company has decided to deploy it. What should you do before

Review Question(s)
Question: After reviewing the trend information retrieved from the monitoring system, you notice that the processor usage for one of the four Mailbox servers is higher than average. What should you do?
Real-world Issues and Scenarios
Your organization has deployed Exchange Server 2013, with two Client Access servers and two Mailbox servers. There is no high availability configured. After several months, many users are complaining about slow response. Your task is to troubleshoot and resolve this issue. What will you do?
First, you should investigate whether this issue is occurring with all users or just some users. You should start by using Remote Connectivity Analyzer to troubleshoot user connectivity. You also should analyze information in Performance Monitor to check if this behavior is due to performance reasons. If you use System Center Operations Manager, you will be able to troubleshoot the user experience with the product's end-to-end monitoring capabilities.
In addition, you could deploy high availability for Client Access and Mailbox server roles. In this scenario, the new managed availability feature in Exchange Server 2013 will try multiple steps to improve the user experience. For example, if the slow response is due to issues on the HTTPS protocol from the Client Access server to the Mailbox server, Exchange Managed Availability will perform a database failover process to another DAG member. After the failover process is completed, the Client Access server will be connected with another Mailbox Server that does not experience HTTPS protocol issues.
Tools
Tool name: Description
Microsoft Remote Connectivity Analyzer: Use this web-based tool to simulate external client connections to Exchange
Microsoft Connectivity Analyzer Tool: Use this client program to simulate internal client connections to Exchange S
ADSI Edit (adsiedit.msc): Use for low-level editing of Active Directory objects and attributes. On Wind
Event Viewer (eventvwr.msc): Use this MMC snap-in to view logged events such as errors and warnings.
Performance Monitor: Use this tool to monitor the performance of hardware components, the operat
Task Manager: Use this tool to review which services are running and how many resources t
Exchange Server Database Utilities (Eseutil.exe): Use this tool to perform offline database procedures, such as defragmentation
New-MailboxRepairRequest: Use this tool to find and remove errors in the mailbox and public folder datab
LDP (ldp.exe): Use this tool to perform operations such as connect, bind, search, modify, add
Microsoft Baseline Security Analyzer (MBSA) (GUI: MBSA.exe; command line: mbsacli.exe): Use this tool to determine the security state of the organization's servers in ac
Microsoft Error Reporting: Use this tool in Exchange Server 2013 to collect crash dumps and debug info
end data about errors to Microsoft, and to receive information about errors. A
Process Monitor (procmon.exe): Use this tool to monitor real-time file system, registry, and process/thread act
Test-OutlookConnectivity: Use this cmdlet to confirm the Outlook Anywhere connectivity between the c
Telnet (telnet.exe): Use this tool to troubleshoot Exchange Server mail flow.

Course Evaluation
Your evaluation of this course will help Microsoft understand the quality of your learning experience.
Please work with your training provider to access the course evaluation form.
Microsoft will keep your answers to this survey private and confidential and will use your responses to improve your future learning experience. Your open and honest feedback is valuable and appreciated.
Lab Answer Key: Module 1: Deploying and Managing Microsoft Exchange Server 2013
Lab: Deploying and Managing Exchange Server 2013
Exercise 1: Evaluating Requirements and Prerequisites for an Exchange Server 2013 Installation
Task 1: Evaluate the Active Directory Requirements
1. On LON-DC1, if necessary, on the task bar, click Server Manager.
2. In Server Manager, click Tools, and then click Active Directory Users and Computers.
3. Right-click Adatum.com, and then click Properties.
4. In the Adatum.com Properties dialog box, verify that the domain and forest functional levels a
(Note: It should be at least Windows Server 2003)
5. Click OK, and then close Active Directory Users and Computers.
6. Click to the Start screen and then type adsi edit, and then press Enter.
7. Right-click ADSI Edit, and then click Connect to.
8. In the Connection Settings dialog box, in the Connection Point section, in the Select a well-k
9. In the left pane, expand Configuration [LON-DC1.adatum.com], and then click CN=Configu
10. Expand CN=Services, and verify that the CN=Microsoft Exchange has not been created.
11. Close ADSI Edit.
Task 2: Evaluate the DNS requirements
1. On LON-EX1, on the task bar, click Windows PowerShell.
2. In the Windows PowerShell window, type IPConfig /all, and then press Enter. Verify that the
3. At the command prompt, type Ping LON-DC1.adatum.com and press Enter. Verify that you h
4. At the command prompt, type Nslookup, and then press Enter.
5. At the command prompt, type set type=all, and then press Enter.
6. At the command prompt, type _ldap._tcp.dc._msdcs.adatum.com, and then press Enter. Verif
7. Close Windows PowerShell.
Results: After completing this exercise, the students will have evaluated the AD DS requirements.
Exercise 2: Deploying Exchange Server 2013
Task 1: Preparing AD DS for Exchange Server 2013 deployment
1. On LON-DC1, in the Virtual Machine Connection window click Media menu, select DVD D
2. Navigate to C:\Program Files\Microsoft Learning\20341\Drives\ExchangeServer2013CU1.
3. On the task bar, click Windows PowerShell.
4. Type D: and press Enter.
5. Type the following command, and then press Enter:
.\Setup.exe /PrepareAD /IAcceptExchangeServerLicenseTerms /OrganizationName:Adatum
6. Wait until the process completes.
7. Close Windows PowerShell.
Task 2: Performing Exchange Server 2013 installation on a single server
1. On LON-EX1, in the Virtual Machine Connection window, click Media menu, select DVD D
2. Navigate to C:\Program Files\Microsoft Learning\20341\Drives\ExchangeServer2013CU1.
3. On LON-EX1, open Windows PowerShell window from the task bar.
4. Type the following command to install the Exchange Server 2013 Windows components:
Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45
CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Cons
Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging
Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45
Windows-Auth, Web-WMI, Windows-Identity-Foundation, and press Enter. (If you do not
5. Wait until installation of Windows components finishes.
6. Close the PowerShell window, and restart the server.
7. Sign in to LON-EX1 as Adatum\Administrator with the password Pa$$w0rd.
8. From the desktop, open File Explorer and navigate to D: drive.
9. Double-click setup.exe.
10. On the Check for Updates? page, click Don't check for updates right now, and click next. W
11. On the Introduction page, click next.
12. On the License Agreement page, click I accept the terms in the license agreement, and then
13. On the Recommended Settings page, click next.
14. On the Server Role Selection page, select Mailbox role and Client Access role, and then click
15. On the Installation Space and Location page, accept the default values, and click next.
16. On the Malware Protection Settings make sure that No is selected, and then click next.
17. On the Readiness Checks page, ensure that all prerequisites are met, and then click install.
18. Wait until the installation completes. It can take 30 to 40 minutes to finish. On the Setup Comp
19. Restart LON-EX1 and sign in as Adatum\Administrator with the password Pa$$w0rd.
Task 3: Verify Exchange Server installation
1. On LON-EX1, open the Server Manager console, and then click Tools.
2. Select Services.
3. Scroll down the list of services, and click the Microsoft Exchange Active Directory Topology
4. Review the status of the remaining Exchange Server services. Ensure that all services that are s
5. Close Services.
6. From the task bar, open File Explorer.
7. Browse to C:\Program Files\Microsoft\Exchange Server\V15. This list of folders includes C
8. Close File Explorer.
9. From the Start screen, click Internet Explorer.
10. In the Address bar, type https://lon-ex1.adatum.com/owa, and then press Enter.
11. Sign in as Adatum\Administrator with the password Pa$$w0rd.
12. At the Language and Time zone page, click save.
13. Click new mail.
14. Send an email to Administrator.
15. Verify that the email is received in the inbox.
16. Close Outlook Web App.
Results: After completing this exercise, the students will have deployed Exchange Server 2013.
Exercise 3: Managing Exchange Server 2013
Task 1: Explore Exchange Server 2013 Administration Center
1. On LON-EX1, from the Start screen, open Internet Explorer, type https://lon-ex1.adatum.co
2. In the Domain\user name text box type Adatum\Administrator, and type Pa$$w0rd in the P
3. In the EAC, click recipients in the left pane, and then click mailboxes in the central pane.
4. Click on the + sign and then click User mailbox.
5. In the new user mailbox window, select Existing user, and then click browse.
6. In the Select User Entire Forest window, select Aidan Delaney, and click ok.
7. In the Alias text box, type AidanD, and click save.
8. Make sure that Aidan Delaney appears in the list of mailboxes.
9. In the recipients node in the Exchange admin center, click groups.
10. Click the arrow next to the + sign.
11. Select Distribution group.
12. In the new distribution group window, type Adatum News in the Display name text box.
13. In the Alias text box, type AdatumNews.
14. Scroll down and make sure that Open is selected in last two sections. Click save.
15. In the upper right corner, click the arrow next to Administrator, and select Sign out.
Task 2: Manage Exchange Server with Exchange Management Shell
1. On LON-EX1, switch to the Start screen, and then click Exchange Management Shell.
2. In Exchange Management Shell, type get-user and press Enter.
All users from the Adatum.com domain are listed.
3. Type Enable-Mailbox -Identity Robert, and press Enter.
4. Type Get-Mailbox, and press Enter. All mailboxes on the server are listed.
5. Type Get-Mailbox | Set-Mailbox -IssueWarningQuota 209715200 -ProhibitSendQuota 262144
6. Type get-mailbox, and press Enter. Ensure that ProhibitSendQuota is set to 250 MB to all use
7. Type Get-User | Where-Object {$_.DistinguishedName -ilike "*ou=IT,dc=adatum,dc=com"} | Enable-Mailbox, and press Enter.
8. Ensure that mailboxes for the IT organizational unit are created.
9. Close the Exchange Management Shell window.
Task 3: Explore Outlook Web App
1. On LON-EX1, from the Start screen, open Internet Explorer and type https://lon-ex1.adatum
2. In the Outlook Web App window, sign in as Adatum\Aidan with the password Pa$$w0rd.
3. Click save on the next page.
4. In the Outlook Web App window, click new mail.
5. In the window on the right, send a new email to Administrator.
6. Click on the wheel icon in the upper right corner. Select Options.
7. In the options window, click on groups in the left pane.
8. In the central pane, click the Join button.
9. In the All Groups window, double-click Adatum News.
10. In the Adatum News window, click Join.
11. Close the all groups window.
12. Click on settings in the left pane.
13. In the email signature box, type Aidan Delaney, Adatum Corp., and select Automatically inc
14. Click save.
15. Click the arrow in the upper left corner (back).
16. Click on the wheel icon in the upper right corner.
17. Select Change theme.
18. Click on theme of your choice, and then click OK.
19. Close the Internet Explorer window.
Task 4: To prepare for the next module
When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20341B-LON-DC1-B, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 to 3 for 20341B-LON-EX1-B.
5. In Hyper-V Manager, click 20341B-LON-DC1, and in the Actions pane, click Start.
6. In the Actions pane, click Connect. Wait until the virtual machine starts.
7. Sign in using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
8. Repeat steps 5 to 7 for 20341B-LON-MBX1. When you have successfully signed in to LON-MBX
Results: After completing this exercise, the students will have explored Exchange management tools.
Lab Answer Key: Module 2: Planning and Configuring Mailbox Servers
Lab: Configuring Mailbox Servers
Exercise 1: Planning Configuration for Mailbox Servers
Task 1: Analyze requirements for the A. Datum Exchange Server deployment
Read the Lab and Exercise scenario. Summarize the requirements from the exercise scenario.
Task 2: Use the Exchange Mailbox Server Role Requirements Calculator
1. On LON-CL1, click the Desktop tile.
2. On the task bar, click File Explorer, navigate to C:\Files and double-click on E2013Calc.xlsm. On the Security warning, click Enable Content. If the Welcome to You
3. In the E2013Calc, on the Input sheet, enter the values in the following sections:
o Exchange Environment Configuration
Server Multi-Role Configuration (MBX+CAS): No
Server Role Virtualization: Yes
High Availability Deployment: Yes
Number of Mailbox Servers Hosting Active Mailboxes/DAG: 4
Number of Database Availability Groups: 2
o Mailbox Database Copy Configuration
Total Number of HA Database Copy Instances (Includes Active Copy) within DAG: 3
Total number of Lagged Database Copy Instances within DAG: 1
o Exchange Data Configuration
Mailbox Moves/Week Percentage: 2%
LUN Free Space Percentage: 25%
o Tier-1 User Mailbox Configuration
Total Number of Tier-1 User Mailboxes/Environment: 5,000
Projected Mailbox Number Growth Percentage: 5%
Total Send/Receive Capability/Mailbox/Day: 150 messages
Average Message Size (KB): 75
Mailbox Size Limit (MB): 1,024
Personal Archive Mailbox Size Limit (MB): 2,048
Deleted Item Retention Window (Days): 30
Single Item Recovery: Enabled
Calendar Version Storage: Enabled
o Backup Configuration
Backup Methodology: Software VSS Backup/Restore
Backup Frequency: Weekly Full / Daily incremental
Database and Log Isolation Configured: Yes
Backup/Truncation Failure Tolerance: 3
Network Failure Tolerance (Days): 0
o Primary Datacenter Disk Configuration
Database: 1,000 GB, 7.2K RPM SAS 3.5
Log: 500 GB, 7.2K RPM SAS 3.5
Restore LUN: 1500 GB, 7.2K RPM SAS 3.5
Task 3: Analyze output from the Exchange Mailbox Server Role Requirements Calculator
1. In the E2013Calc, click on the Role Requirements tab.
2. Review the calculated requirements provided in this sheet.
3. Click the Distribution sheet.
4. Click Fail Server for each server. Observe where the databases will be distributed.
5. Click Export DAG Scripts.
6. In the Storage Calculator Export Scripts window, click OK twice.
7. Click the LUN Requirements sheet. Review the calculated requirements provided in this sheet
8. Click the Backup Requirements sheet. Review calculated requirements provided in this sheet.
9. Click the Replication Requirements sheet. Review the calculated requirements provided in thi
10. Click the Storage Design sheet. Review the calculated requirements provided in this sheet.
11. Open File Explorer, and navigate to C:\Files.
12. Right-click the CreateMBDatabases.ps1 file, and select Edit. Review the contents of the gene
13. Right-click the CreateMBDatabaseCopies.ps1 file, and select Edit. Review the contents of th
14. Right-click the Diskpart.ps1 file, and select Edit. Review the contents of the generated script.
15. Close the Windows PowerShell ISE window.
Task 4: Discuss the solution with the instructor and the class
1. Discuss the solution provided by the Exchange Mailbox Server Role Requirements Calculator w
2. Change the values on the Input tab of the Exchange Mailbox Server Role Requirements Calcul
Results: After completing this exercise, the students will have created a plan for their
mailbox server configuration.
Exercise 2: Configure Storage on the Mailbox Servers
Task 1: Create and Configure iSCSI target and drives
1. On LON-DC1, open Server Manager, click Manage, and then click Add Roles and Features
2. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
3. On the Select installation type page, click Next.
4. On the Select destination server page, make sure that Select a server from the server pool is
5. On the Select server roles page, expand File And Storage Services (Installed), expand File a
6. On the Select features page, click Next.
7. On the Confirm installation selections page, click Install.
8. When installation is complete, click Close.
9. On LON-DC1, in Server Manager, in the navigation pane, click File and Storage Services.
10. In the File and Storage Services pane, click iSCSI.
11. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list, se
12. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under S
13. On the Specify iSCSI virtual disk name page, in the Name box, type iSCSIDisk1, and then cl
14. On the Specify iSCSI virtual disk size page, in the Size box, type 2, make sure GB is selected
15. On the Assign iSCSI target page, click New iSCSI target, and then click Next.
16. On the Specify target name page, in the Name box, type LON-MBX1, and then click Next.
17. On the Specify access servers page, click Add.
18. In the Select a method to identify the initiator dialog box, click Browse. In the Select Compu
19. On the Specify access servers page, click Next.
20. On the Enable Authentication page, click Next.
21. On the Confirm selections page, click Create.
22. On the View results page, wait until the creation is completed, and then click Close.
23. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list, se
24. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under S
25. On the Specify iSCSI virtual disk name page, in the Name box, type iSCSIDisk2, and then cl
26. On the Specify iSCSI virtual disk size page, in the Size box, type 2, make sure GB is selected
27. On the Assign iSCSI target page, click lon-mbx1, and then click Next.
28. On the Confirm selections page, click Create.
29. On the View results page, wait until the creation is completed, and then click Close.
30. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list, se
31. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under S
32. On the Specify iSCSI virtual disk name page, in the Name box, type iSCSIDisk3, and then cl
33. On the Specify iSCSI virtual disk size page, in the Size box, type 500, make sure MB is select
34. On the Assign iSCSI target page, click lon-mbx1, and then click Next.
35. On the Confirm selections page, click Create.
36. On the View results page, wait until the creation is completed, and then click Close.
Task 2: Connect Exchange Server to the storage
1. On LON-MBX1, click the Desktop tile.
2. From the task bar, click Server Manager.
3. In Server Manager, click Tools, and then click iSCSI Initiator.
4. In the Microsoft iSCSI dialog box, click Yes.
5. Click the Discovery tab.
6. Click Discover Portal.
7. In the IP address or DNS name box, type 172.16.0.10, and then click OK.
8. Click the Targets tab.
9. Click Refresh.
10. In the Targets list, select iqn.1991-05.com.microsoft:lon-dc1-lon-mbx1-target, and then clic
11. Select Add this connection to the list of Favorite Targets, and then click OK two times.
Task 3: Configure storage
1. On LON-MBX1, in Server Manager, click Tools, and then click Computer Management.
2. Expand Storage, and then click Disk Management.
3. Right-click Disk 1, and then click Online.
4. Right-click Disk 1, and then click Initialize disk. In the Initialize Disk dialog box, click OK.
5. Right-click the unallocated space next to Disk 1, and then click New Simple Volume.
6. On the Welcome to the New Simple Volume Wizard page, click Next.
7. On the Specify Volume Size page, click Next.
8. On the Assign Drive Letter or Path page, click Next.
9. On the Format Partition page, in the Volume Label box, type DB1. Select the Perform a qui
10. Click Finish. (Note: If the Microsoft Windows window pops up with prompt to format the disk
11. Repeat steps 3 through 10 for Disk 2 and Disk 3. (Note: Use DB2 and Logs for Volume Labels
12. Close the Computer Management window.
Results: After completing this exercise, the students will have configured iSCSI storage for their mailbox databases and logs.
Exercise 3: Creating and Configuring Mailbox Databases
Task 1: Configure Mailbox Settings for the Existing Mailbox Database
1. On LON-MBX1, go to the Start screen, and then click Internet Explorer.
2. In Internet Explorer, type https://lon-cas1.adatum.com/ecp, and press Enter.
3. Sign in as Adatum\Administrator with the password Pa$$w0rd.
4. In the EAC, in the feature pane, click servers.
5. Click the databases tab.
6. Double-click Mailbox Database 1.
7. In the Mailbox database window, click limits.
8. In the Issue a warning at (GB) text box, type 0.9.
9. In the Prohibit send at (GB): text box, type 1.
10. In the Prohibit send and receive at (GB): text box, type 1.3.
11. In the Keep deleted items for (days): text box, type 30.
12. Click save. Minimize the EAC window.
13. On LON-MBX1, go to the Start screen, and then click Exchange Management Shell.
14. In the Exchange Management Shell window, type Get-MailboxDatabase and press Enter.
15. See the list of mailbox databases created.
16. In the Exchange Management Shell window, type the following command, and then press En
Move-DatabasePath -Identity "Mailbox Database 1" -EdbFilePath E:\DB1\DB1.edb -Log
17. Type y, and press Enter.
18. Type y, and press Enter.
19. Minimize the Exchange Management Shell window.
20. Open File Explorer and navigate to E:\ and open the DB1 folder. Make sure that the database D
21. Navigate to G:\, and open the folder Logs\DB1. Ensure that the log files are present.
22. Close File Explorer.
Task 2: Create and configure additional mailbox databases
1. Restore the EAC window.
2. Click servers in the feature pane, and then click the databases tab.
3. Click New.
4. In the Database window, in the Mailbox database text box, type DB2.
5. Click browse.
6. In the Select Server window, select LON-MBX1, and then click OK.
7. In the Database file path text box, type: F:\DB2\DB2.edb.
8. In the Log folder path text box, type G:\Logs\DB2.
9. Make sure that Mount this database is selected, and then click save. Click ok.
10. Restore the Exchange Management Shell window.
11. In Exchange Management Shell window, type the following:
Set-MailboxDatabase -Identity DB2 -DeletedItemRetention 20.00:00:00
-CircularLoggingEnabled $true -ProhibitSendQuota 2.2GB, and then press Enter.
12. Type Dismount-Database -Identity DB2, and press Enter.
13. Type y, and press Enter.
14. Type Mount-Database -Identity DB2, and press Enter.
15. Leave the Exchange Management Shell window open.
Task 3: Export mailbox data to the .pst file
1. On the LON-MBX1 virtual machine, restore the Exchange Management Shell window.
2. Type New-ManagementRoleAssignment -Role "Mailbox Import Export" -User Administ
3. Close the Exchange Management Shell.
4. From the Start screen, click Exchange Management Shell.
5. Type the following, and then press Enter:
New-MailboxExportRequest -Mailbox aidan -FilePath \\lon-dc1\MailboxExport\aidan.pst
6. Type Get-MailboxExportrequest, and press Enter.
7. Make sure that the status of the request is completed. (If it is not completed, wait for several mi
8. Switch to LON-DC1. Open File Explorer and then browse to the C:\MailboxExport folder, a
9. Close File Explorer.
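The following Exchange Management Shell script is an added example, not part of the course lab files. It performs the Task 2 database configuration with the parameter names written out and verified afterwards, and then audits the "Mailbox Import Export" role assignment and the export requests that Task 3 creates. Database, role and server names are the lab's; the seven-day cleanup threshold is an assumption.

```powershell
# Added example, not from the course lab files. Run in the Exchange Management
# Shell on LON-MBX1. Database and role names are the lab's; the 7-day cleanup
# threshold below is an assumption.

# --- Task 2 equivalent: configure DB2 and verify the result ---
Set-MailboxDatabase -Identity DB2 `
    -DeletedItemRetention 20.00:00:00 `
    -CircularLoggingEnabled $true `
    -ProhibitSendQuota 2.2GB

# The circular logging change only takes effect after a dismount/mount (steps 12-14).
Dismount-Database -Identity DB2 -Confirm:$false
Mount-Database -Identity DB2

# -Status adds the live Mounted flag to the stored configuration properties.
Get-MailboxDatabase -Identity DB2 -Status |
    Format-List Name, Mounted, EdbFilePath, LogFolderPath,
                CircularLoggingEnabled, DeletedItemRetention, ProhibitSendQuota

# --- Task 3 equivalent: who can export mailboxes, and what has been exported ---
# "Mailbox Import Export" is assigned to nobody after Setup. Every holder can copy
# any mailbox in the organization to a .pst on a file share, so review this list
# whenever it is extended, as Task 3 step 2 extends it for Administrator.
Get-ManagementRoleAssignment -Role "Mailbox Import Export" |
    Format-Table Name, RoleAssigneeName, RoleAssigneeType, AssignmentMethod -AutoSize

# Every export request still on record, with the path the .pst was written to.
Get-MailboxExportRequest |
    Get-MailboxExportRequestStatistics |
    Format-Table Name, SourceAlias, Status, FilePath, CompletionTimestamp -AutoSize

# Completed requests are not removed automatically. Clear those older than the
# threshold so the queue reflects current activity (this does not delete the .pst).
$cutoff = (Get-Date).AddDays(-7)
Get-MailboxExportRequest -Status Completed |
    Where-Object {
        (Get-MailboxExportRequestStatistics -Identity $_.Identity).CompletionTimestamp -lt $cutoff
    } |
    Remove-MailboxExportRequest -Confirm:$false
```

As the lab notes in step 3, a role assignment made in a session is not visible to that session; open a new Exchange Management Shell before running the export part.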
Task 4: To prepare for the next module
When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20341B-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 to 3 for 20341B-LON-CAS1, 20341B-LON-MBX1, and 20341B-LON-CL1.
5. In Hyper-V Manager, click 20341B-LON-DC1, and in the Actions pane, click Start.
6. In the Actions pane, click Connect. Wait until the virtual machine starts.
7. Sign in using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
8. Repeat steps 5 to 7 for 20341B-LON-MBX1. When you have successfully signed in to LON-MBX
Results: After completing this exercise, the students will have their mailbox databases created and configured.
Lab Answer Key: Module 3: Managing Recipient Objects
Lab: Managing Recipient Objects
Exercise 1: Configure Trey Research Recipients
Task 1: Create the Trey Research AD DS objects
1. On LON-CAS1, start Server Manager.
2. Click Tools, and then click Active Directory Module for Windows PowerShell.
3. Type e: and press Enter.
4. Type cd Labfiles\Mod03, and then press Enter.
5. Type .\TreyResearchSetup.ps1, and then press Enter.
6. At the Type the Password prompt, type Pa$$w0rd and press Enter.
7. Close the Active Directory Module for Windows PowerShell window.
8. In Server Manager, click Tools, and then click Active Directory Users and Computers.
9. Expand Adatum.com, expand TreyResearch, and verify that the TreyResearch OU contains c
10. Close Active Directory Users and Computers.
Task 2: Create the Trey Research mailboxes
1. On LON-CAS1, go to the Start screen, and then click Exchange Management Shell.
2. At the command prompt, type New-MailboxDatabase -Name TreyResearchDB -Server LON
3. At the command prompt, type Invoke-Command -ComputerName LON-MBX1 -ScriptBlock
4. At the command prompt, type Mount-Database -Identity TreyResearchDB, and then press Enter.
5. At the command prompt, type Get-User -OrganizationalUnit TreyResearch | Enable-Mailbox
6. At the command prompt, type Get-Group -OrganizationalUnit TreyResearch | Enable-Distr
7. On LON-CAS1, open Internet Explorer and connect to https://LON-CAS1.adatum.com/ecp.
8. Sign in as Adatum\administrator using the password Pa$$w0rd.
9. Click the resources tab.
10. Click New, and then click Room mailbox.
11. Fill in the following information:
o Room name: TR_Room1
o Email address: TR_Room1
o Organizational unit: click browse, click TreyResearch, and then click ok
o Location: Harrow
o Capacity: 20
12. Click Select delegates who can accept or decline booking requests.
13. Click Add, click Charlotte Weiss, click add, and then click ok.
14. Click more options, and under Mailbox database, click browse, click TreyResearchDB, and th
15. Click save.
16. In the Exchange Management Shell, type the following command, and then press Enter. Set-Cale
-BookInPolicy AllTreyResearch.
17. On LON-CAS1, in the EAC, in the Features pane, click recipients.
18. Click the shared tab.
19. Click New.
20. Fill in the following information:
o Display name: TreyResearch Sales
o Organizational unit: TreyResearch\Sales
o Email address: TreyResearchSales
21. Under Full Access, click Add, click TR_Sales, then click add, and then click ok.
22. Click More options.
23. Under Mailbox database, click browse, click TreyResearchDB and then click ok.
24. Click save.
Task 3: Create the Trey Research distribution groups
1. On LON-CAS1, in the EAC, click the groups tab.
2. Click New, and then click Distribution group.
3. Fill in the following information:
o Display name: Trey_SalesMgrs
o Alias: TreySalesMgrs
o Organizational unit: TreyResearch\Sales
o Members: Florence Flipo, Sidney Higa
o Owner approval is required: Closed
o Choose whether the group is open to leave: Closed
4. Click save.
5. On the groups tab, click New, and then click Distribution group.
6. Fill in the following information:
o Display name: TreyResearchNews
o Alias: TreyResearchNews
o Organizational unit: TreyResearch
o Members: none
o Owner approval is required: Open
o Choose whether the group is open to leave: Open
7. Click save.
8. On LON-CAS1, in the Exchange Management Shell, type cd E:\Labfiles\Mod03, and then press
9. Type $users=import-csv .\TreyResearchIntegrationTeam.csv, and press Enter.
10. Type foreach ($i in $users) {Set-Mailbox -Identity $i.alias -CustomAttribute1 TreyResearc
11. On LON-CAS1, in the EAC, on the groups tab, click New, and then click Dynamic distribution
12. Fill in the following information:
o Display name: TreyIntegration
o Alias: TreyIntegration
o Organizational unit: TreyResearch
o Owner: Administrator
13. Under Members, click Only the following recipient types, and select the Users with Exchange
14. Click add a rule.
15. From the drop-down list, click Recipient container.
16. Click Adatum.com, and then click ok.
17. Click add a rule.
18. From the drop-down list, click Custom Attribute 1.
19. In the specify words or phrases page, type TreyResearch Integration Project Team, click Ad
20. Click save.
Results: In this exercise, you created AD DS user and group accounts for Trey Research, created a room mailbox with custom permissions, and configured a shared mailbox. You also configured distribution groups for the Trey Research users.
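The following script is an added example, not part of the course lab files. It covers Task 3 steps 8 to 20 from the Exchange Management Shell: it stamps the mailboxes listed in the lab's CSV, creates the TreyIntegration dynamic distribution group with the same container and attribute rule the EAC steps configure, and then previews the membership the filter resolves to, which the EAC does not show. The CSV path, its alias column, and all names are the lab's; the membership comparison at the end is ours.

```powershell
# Added example, not from the course lab files. Run in the Exchange Management
# Shell on LON-CAS1. CSV path, alias column and object names are the lab's.
$attribute = "TreyResearch Integration Project Team"

# Steps 9-10 equivalent: tag every mailbox listed in the CSV.
$users = Import-Csv E:\Labfiles\Mod03\TreyResearchIntegrationTeam.csv
foreach ($i in $users) {
    Set-Mailbox -Identity $i.alias -CustomAttribute1 $attribute
}

# Steps 11-20 equivalent. The group object lives in the TreyResearch OU, but its
# recipient container is the whole domain (step 16), so a mailbox anywhere in
# Adatum.com that carries the attribute becomes a member.
New-DynamicDistributionGroup -Name TreyIntegration -Alias TreyIntegration `
    -OrganizationalUnit TreyResearch `
    -RecipientContainer adatum.com `
    -IncludedRecipients MailboxUsers `
    -ConditionalCustomAttribute1 $attribute
Set-DynamicDistributionGroup -Identity TreyIntegration -ManagedBy Administrator

# Membership is evaluated when a message is sent, so preview it the same way the
# transport categorizer will: the group's own filter, scoped to its container.
$ddg = Get-DynamicDistributionGroup -Identity TreyIntegration
$members = Get-Recipient -RecipientPreviewFilter $ddg.RecipientFilter `
                         -OrganizationalUnit $ddg.RecipientContainer `
                         -ResultSize Unlimited
$members | Format-Table Name, Alias, RecipientTypeDetails, CustomAttribute1 -AutoSize

# Anyone outside the CSV who carries the attribute will receive everything sent
# to treyintegration@adatum.com; flag such members so the attribute can be reviewed.
$expected = $users | ForEach-Object { $_.alias }
$members |
    Where-Object { $expected -notcontains $_.Alias } |
    ForEach-Object { Write-Warning "Unexpected member: $($_.Alias)" }
```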
Exercise 2: Configure Address Lists and Policies for Trey Research
Task 1: Configure TreyResearch.net as an accepted domain
1. On LON-CAS1, in the EAC, click mail flow in the Features pane, and then on the accepted do
2. In the new accepted domain window, type TreyResearch as the Name, and TreyResearch.ne
3. Click save.
Task 2: Configure an email address policy for Trey Research users
1. On the email address policies tab, click New.
2. In the new email address policy window, type TreyResearch Email as the Policy name.
3. Under Email address format, click Add.
4. From the Select an accepted domain drop-down list, select TreyResearch.net.
5. Click John.Smith@contoso.com, and then click save.
6. In the new email address policy window, click add a rule.
7. Click Select one, and then click Recipient container.
8. Click TreyResearch, and then click ok.
9. Click save, and then click ok.
10. Click TreyResearch Email. In the Details pane, click Refresh, click Apply, and then click yes
11. Click close.
Task 3: Configure an address list for TreyResearch users
1. In the EAC, click organization in the Features pane, and then click address lists.
2. On the address lists tab, click New.
3. In the new address list window, type TreyResearch as the Name.
4. Click add a rule.
5. In the select one list, click Recipient container.
6. In the select an organizational unit dialog box, click TreyResearch, and click ok.
7. Click save, click ok, and then click Update.
8. Click yes, and then click close.
Task 4: Configure an address book policy for Trey Research users
1. On LON-CAS1, if required, open the Exchange Management Shell.
2. At the command prompt, type the following command, and press Enter.
New-GlobalAddressList -Name TreyResearchGAL -RecipientContainer TreyResearch
3. At the command prompt, type the following command, and press Enter.
Update-GlobalAddressList -id TreyResearchGAL
4. At the command prompt, type the following command, and press Enter.
New-OfflineAddressBook -Name TreyResearchOAB -AddressLists TreyResearch
5. At the command prompt, type the following command, and press Enter.
New-AddressList -Name TreyResearchRooms -RecipientContainer TreyResearch
-IncludedRecipients Resources
6. At the command prompt, type the following command, and press Enter.
Update-AddressList TreyResearchRooms
7. At the command prompt, type the following command, and press Enter.
Set-OfflineAddressBook -id "TreyResearchOAB" -VirtualDirectories "LON-CAS1\oab
(Default Web Site)","LON-MBX1\oab (Exchange Back End)"
8. At the command prompt, type the following command, and press Enter.
Update-OfflineAddressBook -id "TreyResearchOAB"
9. At the command prompt, type the following command, and press Enter.
New-AddressBookPolicy -Name TreyResearchABP -AddressLists \TreyResearch
-OfflineAddressBook TreyResearchOAB -GlobalAddressList TreyResearchGAL -RoomList
\TreyResearchRooms
10. At the command prompt, type the following command, and press Enter.
Get-Mailbox -OrganizationalUnit TreyResearch | Set-Mailbox -AddressBookPolicy
TreyResearchABP
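As an added example (not part of the course lab files), the Task 4 commands follow as one script, with the checks that Task 5 otherwise leaves to Outlook: that every TreyResearch mailbox carries the policy, and what the scoped GAL actually resolves to. All names are the lab's.

```powershell
# Added example, not from the course lab files. Run in the Exchange Management
# Shell on LON-CAS1. All object names are the lab's.

# --- Task 4 steps 2-10 ---
New-GlobalAddressList -Name TreyResearchGAL -RecipientContainer TreyResearch
Update-GlobalAddressList -Identity TreyResearchGAL

New-OfflineAddressBook -Name TreyResearchOAB -AddressLists TreyResearch
New-AddressList -Name TreyResearchRooms -RecipientContainer TreyResearch `
    -IncludedRecipients Resources
Update-AddressList -Identity TreyResearchRooms

# Virtual directory names contain spaces, so each one must be quoted.
Set-OfflineAddressBook -Identity "TreyResearchOAB" -VirtualDirectories `
    "LON-CAS1\oab (Default Web Site)", "LON-MBX1\oab (Exchange Back End)"
Update-OfflineAddressBook -Identity "TreyResearchOAB"

New-AddressBookPolicy -Name TreyResearchABP -AddressLists \TreyResearch `
    -OfflineAddressBook TreyResearchOAB -GlobalAddressList TreyResearchGAL `
    -RoomList \TreyResearchRooms

Get-Mailbox -OrganizationalUnit TreyResearch -ResultSize Unlimited |
    Set-Mailbox -AddressBookPolicy TreyResearchABP

# --- Check 1: every mailbox under the OU carries the policy ---
# A mailbox created in the OU later does not pick the policy up by itself, so this
# is worth re-running after Task 2-style provisioning.
Get-Mailbox -OrganizationalUnit TreyResearch -ResultSize Unlimited |
    Where-Object { "$($_.AddressBookPolicy)" -ne "TreyResearchABP" } |
    ForEach-Object { Write-Warning "No address book policy on $($_.Alias)" }

# --- Check 2: what the policy's GAL shows ---
# Preview the GAL's filter inside its recipient container, which is exactly the
# scope Outlook will present to Aaron in Task 5 step 13. Anything unexpected here
# is a scoping error in the GAL, not in the policy.
$gal = Get-GlobalAddressList -Identity TreyResearchGAL
$visible = Get-Recipient -RecipientPreviewFilter $gal.RecipientFilter `
                         -OrganizationalUnit $gal.RecipientContainer `
                         -ResultSize Unlimited
"TreyResearchGAL resolves {0} recipients" -f @($visible).Count
$visible | Sort-Object RecipientTypeDetails, Name |
    Format-Table Name, RecipientTypeDetails, PrimarySmtpAddress -AutoSize

# An address book policy shapes what the address book shows; it is not a security
# boundary. A user who types a full address outside the scope can still send to it.
```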
Task 5: Validate the deployment
1. In the EAC, click recipients in the Features pane.
2. Click mailboxes, and then double-click Aaron Nicholls and click the mailbox features tab.
3. Verify that the TreyResearchABP has been assigned to Aaron's mailbox. Click cancel.
4. On LON-CL1, sign in as Adatum\Aaron using the password Pa$$w0rd.
5. Right-click on the Start screen, and click All apps.
6. Open Outlook 2013.
7. On the Welcome to Outlook 2013 page, click Next.
8. On the Add an Email Account page, click Next.
9. On the Auto Account Setup page, verify that Aaron's information is automatically added, and
10. Click Finish, and wait for Outlook to open.
11. In the First things first window, click Ask me later, and click Accept.
12. After Outlook opens, click New Email. In the Untitled Message (HTML) window, click To
13. Verify that the user can only see users and groups in the TreyResearch OU.
14. Click Trey_SalesMgrs and click To, and then click OK.
15. Type a subject of test and short email message and then click Send.
16. Click the Calendar icon.
17. Click New Meeting.
18. In the Untitled Meeting window, click To.
19. Click Cindy White, and click Required.
20. Under Address Book, click TreyResearchRooms. Click TR_Room1 and click Resources. Cl
21. In the Untitled Meeting window, pick a time tomorrow in the Start time box.
22. Type a subject of test meeting and short message and click Send.
23. Review the Meeting Response message and close the message.
24. Open Internet Explorer, and connect to https://lon-cas1.adatum.com/owa.
25. Sign in as Adatum\Aaron using the password Pa$$w0rd.
26. In the Outlook Web App window, click save.
27. In the Outlook Web App window, click the Settings icon in the top right corner, and click Op
28. Under options, click groups.
29. Under distribution groups I belong to, click Join.
30. In the all groups dialog box, double-click Trey_SalesMgrs.
31. In the Trey_SalesMgrs dialog box, click Join.
32. Review the error message stating that the group is closed and click ok. Click close.
33. In the all groups dialog box, double-click TreyResearchNews.
34. In the TreyResearchNews dialog box, click Join.
35. Close the all groups dialog box, and verify that Aaron is now a member of the TreyResearchN
36. In Outlook 2013, click New Email.
37. In the To box, type treyintegration@adatum.com. Type a subject and short message and click
38. Open Internet Explorer, and connect to https://lon-cas1.adatum.com/owa.
39. Sign in as adatum\aidan using the password Pa$$w0rd. Click save.
40. In the Outlook Web App window, verify that Aidan received the message sent to the treyinteg
Results: In this exercise, you created an email address policy and address list for Trey Research. You also created an address book policy for Trey Research and validated the deployment.
Exercise 3: Configure Public Folders for Trey Research
Task 1: Create the public folder mailbox
1. On LON-CAS1, switch to EAC.
2. In the Feature pane, click public folders.
3. Click the public folder mailboxes tab, and then click new public folder mailbox.
4. On the new public folder mailbox page, type PFMBX1 in the Name field.
5. Under Organizational unit, click browse, click TreyResearch, and then click ok.
6. Under Mailbox database, click browse, click TreyResearchDB and then click ok.
7. Click save.
Task 2: Create the public folders
1. Click public folders, and then click New public folder.
2. On the new Public Folder page, in the Name field, type TreyResearch, and then click save.
3. Click TreyResearch, and then click New public folder.
4. In the new public folder window, in the Name field, type Research, and then click save.
Task 3: Configure public folder permissions
1. Click Go to the parent folder.
2. Verify that TreyResearch is listed in the folder list, select the folder, and then under Folder pe
3. In the TreyResearch window, click Add.
4. In the public folder permissions window, next to User, click browse.
5. In the Select Recipient window, click TR_IT, and then click ok.
6. Under Permission level, click Owner, and then click save.
7. Select the Apply changes to this public folder and all its subfolders check box.
8. In the TreyResearch window, click Add.
9. In the public folder permissions window, next to User, click browse.
10. In the Select Recipient window, click AllTreyResearch, and then click OK.
11. Under Permission level, click Author, and then click save.
12. Click save and then click close.
Task 4: Validate the public folder deployment
1. On LON-CL1, in Outlook 2013, open the Folders view.
2. Verify that the Public Folders are listed in the left pane.
3. Expand the Public Folders and verify that the TreyResearch and Research public folders are vis
Note: It can take several minutes for the public folders to appear. If the public folders are not visib
CL1, sign in as Cindy using the password Pa$$w0rd, and open Outlook 2013. Configure the Outl
Task 5: To prepare for the next module
When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20341B-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 to 3 for 20341B-LON-CAS1, 20341B-LON-MBX1, and 20341B-LON-CL1.
5. In Hyper-V Manager, click 20341B-LON-DC1, and in the Actions pane, click Start.
6. In the Actions pane, click Connect. Wait until the virtual machine starts.
7. Sign in using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
8. Repeat steps 5 to 7 for 20341B-LON-MBX1. When you have successfully signed in to LON-MBX
Results: In this exercise, you will have created public folder mailboxes for Trey Research and verified that users can access the mailboxes.
Lab Answer Key: Module 4: Planning and Deploying Client Access Servers
Lab: Deploying and Configuring a Client Access Server Role
Exercise 1: Configuring Certificates for the Client Access Server
Task 1: Make a certificate request on Exchange Server
1. On LON-CAS1, open Internet Explorer, type https://lon-cas1.adatum.com/ecp, and press Ent
2. Sign in as Adatum\administrator with the password Pa$$w0rd.
3. In the EAC, in the left navigation pane, click servers.
4. In the right pane, click certificates.
5. Click on the + sign.
6. In the Exchange Certificate Windows Internet Explorer window, in the new Exchange certif
7. In the Friendly name for this certificate, type mail.adatum.com, and click next.
8. On the page with the option for using wildcard certificates, do not make any changes, and click n
9. Click browse.
10. In the Select a Server window, click LON-CAS1, and click ok.
11. Click next.
12. On the next page, click Outlook Web App (when accessed from the Internet), and then click th
13. In the Specify the domains for the above Access type, enter mail.adatum.com, and click OK.
14. Repeat steps 12 and 13 for items where <not specified> is in the DOMAIN column.
15. Click next.
16. On the next page, make sure that you have the following names in the list: mail.adatum.com, lon
17. On the next page, fill in the following fields as follows:
a. Organization name: A.Datum
b. Department name: IT
c. City/Locality: Seattle
d. State/Province: WA
e. Country/Region name: United States
18. Click next.
19. On the next page, type \\lon-cas1\C$\windows\temp\certreq.req, and click finish.
Task 2: Issue a certificate from an internal CA
1. On LON-DC1, in Start, click Certification Authority.
2. In certsrv [Certification Authority (Local)], right-click Adatum-LON-DC1-CA, point to A
3. Right-click Adatum-LON-DC1-CA, point to All Tasks, and then click Start Service.
4. On LON-CAS1, open File Explorer, and navigate to C:\windows\temp.
5. Right-click CertReq.req, and then click Open with.
6. In the Windows dialog box, click Notepad.
7. In the CertReq.req Notepad window, press Ctrl+A to select all the text, and then press Ctrl+
8. Go to the Start screen, and then click Internet Explorer.
9. Connect to http://lon-dc1.adatum.com/certsrv.
10. Sign in as Administrator, using the password Pa$$w0rd.
11. On the Welcome page, click Request a certificate.
12. On the Request a Certificate page, click advanced certificate request.
13. On the Advanced Certificate Request page, click Submit a certificate request by using a base-64-encoded PKCS #7 file.
14. On the Submit a Certificate Request or Renewal Request page, click in the Saved Request f
15. In the Certificate Template drop-down list box, click Web Server, and then click Submit.
16. On the Certificate Issued page, click Download certificate.
17. In the File Download dialog box, click the arrow next to Save. Select Save As.
18. In the Save As dialog box, click Save.
19. In the Download complete dialog box, click Open.
20. In the Certificate dialog box, on the Details tab, click Subject Alternative Name. Verify that
21. On LON-CAS1, open File Explorer and create new folder called cert on the C:\ drive. Share th
22. Copy the file certnew.cer from C:\Users\Administrator.ADATUM\Downloads to C:\cert.
23. Close File Explorer.
Task 3: Assign a certificate to Exchange services
1. On the LON-CAS1, switch to the EAC.
2. Click servers, and then click certificates.
3. Next to Select server, click LON-CAS1.Adatum.com.
4. Click on mail.adatum.com, and then click on the toolbar and select import Exchange cert
5. Type \\lon-cas1\cert\certnew.cer and click next.
6. On the next page, click the + sign.
7. Select LON-CAS1, and click add and then click ok.
8. Click finish.
9. Make sure that mail.adatum.com appears in the list.
10. Click on mail.adatum.com, and click the pencil icon on the toolbar.
11. Click services.
12. Select IIS, and click save.
Results: After completing this exercise, the students will have a certificate installed on the Exchange Server Client Access server.
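The same three tasks can be done from the Exchange Management Shell on LON-CAS1. The following is an added example and not part of the course lab: it uses the friendly name, subject fields, request path and cert share from Tasks 1 to 3, and assumes the two names shown in step 16 (mail.adatum.com and lon-cas1.adatum.com) are the full SAN list; issuing the certificate on the internal CA (Task 2) is still done in the browser.

```powershell
# Added example (not the course's own code): Exercise 1 from the Exchange Management Shell.

# Task 1: generate a request carrying the names the lab lists for the certificate.
# Subject fields are the ones typed in step 17; the SAN list is assumed from step 16.
$txtRequest = New-ExchangeCertificate -Server LON-CAS1 -GenerateRequest `
    -FriendlyName "mail.adatum.com" `
    -SubjectName "C=US,S=WA,L=Seattle,O=A.Datum,OU=IT,CN=mail.adatum.com" `
    -DomainName "mail.adatum.com","lon-cas1.adatum.com" `
    -KeySize 2048 -PrivateKeyExportable $true
Set-Content -Path "\\lon-cas1\C$\windows\temp\certreq.req" -Value $txtRequest

# Task 3: import the issued certificate (certnew.cer copied to the cert share in Task 2)
# and bind it to IIS, which covers OWA, EAC, EWS, ActiveSync and Outlook Anywhere.
$cert = Import-ExchangeCertificate -Server LON-CAS1 `
    -FileData ([Byte[]]$(Get-Content -Path "\\lon-cas1\cert\certnew.cer" -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Server LON-CAS1 -Thumbprint $cert.Thumbprint -Services IIS -Force

# Check: the bound certificate must have its private key, cover the public name, and not be near expiry.
$bound = Get-ExchangeCertificate -Server LON-CAS1 -Thumbprint $cert.Thumbprint
$bound | Format-List FriendlyName, Subject, CertificateDomains, Services, HasPrivateKey, NotAfter
if (-not $bound.HasPrivateKey) {
    Write-Warning "Private key missing: the request and the import must happen on the same server."
}
$names = $bound.CertificateDomains | ForEach-Object { $_.ToString() }
if ($names -notcontains "mail.adatum.com") {
    Write-Warning "SAN list does not include mail.adatum.com; clients will get a name mismatch."
}
if ($bound.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires within 30 days."
}
```

The import binds the private key only if the request was generated on the same server (or the key is carried in a PFX), which is why the example checks HasPrivateKey before relying on the IIS binding.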
Exercise 2: Configuring Client Access Services Options
Task 1: Configure Client Access server options
1. In the EAC, on LON-CAS1, click servers in the left pane.
2. In the central pane, click virtual directories on the toolbar.
3. In the Select server list, click LON-CAS1.Adatum.com.
4. Click the mechanical key icon on the toolbar.
5. In the configure external access domain window, click the + sign.
6. Click on LON-CAS1, and click add-> button, and then click ok.
7. In the text box below Enter the domain name, type mail.adatum.com, and click save.
8. Click close after the operation completes.
9. In the center pane, click servers.
10.Click on LON-CAS1, and then click the pencil icon on the toolbar.
11.Click on POP3 in the left navigation pane.
12.Set the Logon method to Secure TLS connection.
13.Scroll down, and select More options.
o Set Maximum connections to 100.
o Set Maximum connections from a single IP address to 20.
o Set Maximum connections from a single user to 2.
14.Click save.
15.Click ok on the warning window.
Task 2: Verify authentication options on Client Access server
1. On LON-CAS1, in the EAC, in the servers node, click virtual directories.
2. Review the list of virtual directories for LON-CAS1.
3. Click on the Autodiscover virtual directory, and then click the pencil icon on the toolbar.
4. In the Virtual Directory Windows Internet Explorer window, click authentication.
5. Review the supported and selected options for authentication.
6. Make no changes, and click cancel.
7. Click on ecp virtual directory, and then click the pencil icon on the toolbar.
8. Review the supported and selected options for authentication. Notice that no options are selecte
9. Make no changes, and click Cancel.
10. Click on the PowerShell virtual directory, and then click the pencil icon on the toolbar.
11. In the Virtual Directory Windows Internet Explorer window, click Authentication.
12. Review the supported and selected options for authentication. Notice that no options are selecte
13. Make no changes, and click Cancel.
14. Click on the Microsoft-Server-ActiveSync virtual directory, and then click the pencil icon on
15. In the Virtual Directory Windows Internet Explorer window, click Authentication.
16. Review the supported and selected options for authentication. Notice that the certificate authent
17. Make no changes, and click Cancel.
18. Click on the OAB virtual directory, and then click the pencil icon on the toolbar.
19. In the Virtual Directory Windows Internet Explorer window, notice that there are no authe
20. Make no changes, and click Cancel.
Results: After completing this exercise, the students will have configured Client Access server.
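The external access domain, the POP3 limits and the authentication review of Exercise 2 can also be done from the Exchange Management Shell. The following is an added example, not code from the course: the server name, domain name and POP3 values are those of Task 1; the virtual directory identities use Exchange's default names, and restarting MSExchangePOP3 is the restart the warning in step 15 refers to.

```powershell
# Added example (not the course's own code): Exercise 2 from the Exchange Management Shell.

# Task 1, steps 4 to 8: the "configure external access domain" wizard sets ExternalUrl
# on the client-facing virtual directories; these are the same settings made explicitly.
Set-OwaVirtualDirectory         -Identity "LON-CAS1\owa (Default Web Site)" -ExternalUrl "https://mail.adatum.com/owa"
Set-EcpVirtualDirectory         -Identity "LON-CAS1\ecp (Default Web Site)" -ExternalUrl "https://mail.adatum.com/ecp"
Set-OabVirtualDirectory         -Identity "LON-CAS1\OAB (Default Web Site)" -ExternalUrl "https://mail.adatum.com/OAB"
Set-WebServicesVirtualDirectory -Identity "LON-CAS1\EWS (Default Web Site)" -ExternalUrl "https://mail.adatum.com/EWS/Exchange.asmx"
Set-ActiveSyncVirtualDirectory  -Identity "LON-CAS1\Microsoft-Server-ActiveSync (Default Web Site)" `
    -ExternalUrl "https://mail.adatum.com/Microsoft-Server-ActiveSync"

# Task 1, steps 11 to 15: require TLS for POP3 logons and cap connections.
Set-PopSettings -Server LON-CAS1 -LoginType SecureLogin `
    -MaxConnections 100 -MaxConnectionFromSingleIP 20 -MaxConnectionsPerUser 2
# POP3 settings are read when the service starts.
Restart-Service MSExchangePOP3

# Check: PlainTextLogin would let clients send passwords in the clear on TCP 110.
$pop = Get-PopSettings -Server LON-CAS1
if ($pop.LoginType -ne "SecureLogin") { Write-Warning "POP3 still permits unencrypted logons." }
$pop | Format-List LoginType, MaxConnections, MaxConnectionFromSingleIP, MaxConnectionsPerUser

# Task 2: review authentication on the same virtual directories the EAC lists.
# Format-List accepts wildcards, so *Authentication* shows only the relevant properties
# (ClientCertAuth exists on the ActiveSync directory only and is simply blank elsewhere).
$vdirs = @(
    Get-AutodiscoverVirtualDirectory -Server LON-CAS1
    Get-EcpVirtualDirectory          -Server LON-CAS1
    Get-PowerShellVirtualDirectory   -Server LON-CAS1
    Get-ActiveSyncVirtualDirectory   -Server LON-CAS1
    Get-OabVirtualDirectory          -Server LON-CAS1
)
foreach ($v in $vdirs) {
    $v | Format-List Identity, *Authentication*, ClientCertAuth, InternalUrl, ExternalUrl
}
```

Reading the settings this way makes it easy to compare several Client Access servers: run the same loop with a different -Server value and diff the output.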
Exercise 3: Configuring Custom MailTips
Task 1: Configure MailTips
1. On LON-CAS1, in the EAC, click recipients, and then click mailboxes.
2. In the list of mailboxes, click on April Reagan, and then click on the Edit icon on the toolbar.
3. In the April Reagan window, click MailTip.
4. In the text box, type Test e-mail tip for April, and click save.
5. From the Start screen, click Exchange Management Shell.
6. Type the following, and then press Enter:
Set-Mailbox -Identity Aidan -MailTip "this is english mail tip" -MailTipTranslations @("FR: C'est la langue française")
7. Close the Windows PowerShell window.
Task 2: Test MailTips
1. Open Internet Explorer and type https://lon-cas1.adatum.com/owa.
2. Sign in as Adatum\Don with the password of Pa$$w0rd.
3. On the Language and time zone page, select English, and make no changes to time zone, and
4. In the Outlook Web App window, click new mail.
5. Type April in the To field, and press Tab. Make sure that the field is populated with April Rea
6. Click in the Subject field. Ensure that email tip has appeared.
7. Click Discard, and click Discard again.
8. In the Outlook Web App window, click new mail.
9. Type Aidan in the To field, and press Tab. Make sure that the field is populated with Aidan D
10. Click in the Subject field. Ensure that E-mail tip has appeared, and that it appears in English.
11. Sign out of OWA.
12. Sign in as Adatum\Amr with the password of Pa$$w0rd.
13. On the Language and time zone page, select Francais (France), and make no changes to time
14. In the Outlook Web App window, click nouveau message.
15. In A field type Aidan, and press Tab. Make sure that the field is populated with Aidan Delaney
16. Click in the Objet field. Ensure that the E-mail tip has appeared, and that it appears in French.
17. Click Ignorer, and click Ignorer again.
18. Sign out.
Task 3: To prepare for the next module
When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1.On the host computer, start Hyper-V Manager.
2.In the Virtual Machines list, right-click 20341B-LON-DC1, and then click Revert.
3.In the Revert Virtual Machine dialog box, click Revert.
4.Repeat steps 2 to 3 for 20341B-LON-CAS1 and 20341B-LON-MBX1.
5.In Hyper-V Manager, click 20341B-LON-DC1, and in the Actions pane, click Start.
6.In the Actions pane, click Connect. Wait until the virtual machine starts.
7.Sign in using the following credentials:
a. User name: Adatum\Administrator
b. Password: Pa$$w0rd
8.Repeat steps 5 to 7 for 20341B-LON-MBX1. When you have successfully signed in to LON-MBX
Lab Answer Key: Module 5: Planning and Configuring Messaging Client Connectivity
Lab: Planning and Configuring Messaging Client Connectivity
Exercise 1: Planning Client Connectivity
Task 1: Read and analyze scenario requirements
Read the exercise scenario, and analyze the requirements from both a functionality and security pe
Task 2: Propose a solution for client connectivity
1. Which client platforms should you support for internal clients?
For internal clients, you must support the Windows 8 operating system, Outlook 2003, and Outlo
2. Which client platforms should you support for external clients?
For external clients, you must support Windows 8 and Outlook 2010 for mobile computers, along
3. What concerns do you have regarding internal clients?
The biggest concern for internal clients is the fact that there is no unique email client software on
4. What concerns do you have regarding external clients?
The biggest concern for external clients is security. You have to support multiple platforms conne
5. How will you address the requirement for client connection encryption?
Client connections to the Client Access server will be encrypted by using SSL.
6. What solution will you propose for internal clients?
Outlook 2010 clients are supported by default. However, clients that are running Outlook 2003 ca
a. Use the Outlook Web App interface to access their mailboxes.
b. Use the built-in email client in Windows 8 to access their mailboxes by using the ActiveSyn
7. What solution will you propose for external clients?
External clients with mobile computers will be using Outlook Anywhere, while clients without m
8. How will you address the requirements for attachment downloading on public computers?
Clients that are connecting from public computers will be using Outlook Web App. To prevent th
9. How do you plan to force security requirements to mobile devices?
Security requirements for mobile devices can be enforced by implementing ActiveSync policies.
connect.
10. How do you plan to deploy the A. Datum Root CA certificate to client devices (both computers a
The Root CA certificate is deployed to client computers by using Group Policy. If A. Datum has
es, or you can send a Root CA certificate file in an email to all users with a smartphone, along wi
11. Is there a way to control hardware features of mobile devices?
Exchange Server 2013 does not support policies for hardware control on mobile devices.
12. Can you implement certificate-based authentication for mobile devices?
Currently, certificate-based authentication is selectively supported. You should check with mobil
13. How will you implement the requirement for deleting content from a lost mobile device?
For deleting the content on a lost mobile device, you should train users on how to use the Remote
Task 3: Discuss your solution with the class
Present your proposed solution. Discuss alternative solutions with the other students and the instru
Results: After completing this exercise, the students will have created a plan for client connectivity.
Exercise 2: Configuring Outlook Web App and Outlook Anywhere
Task 1: Configuring Outlook Web App policies
1. On LON-CAS1, on the Start screen click Internet Explorer.
2. Browse to https://lon-cas1.adatum.com/ecp.
3. Sign in to the EAC as Adatum\Administrator with the password Pa$$w0rd.
4. In the EAC window, click permissions in left navigation pane.
5. In the central pane, click Outlook Web App policies.
6. Click the New icon.
7. In the new Outlook Web App mailbox policy, in the Policy name text box, type External Us
8. In the Communication management section, clear the Instant messaging and Text messagin
9. Scroll down and click More options.
10. In the Information management section, clear the Recover deleted items check box.
11. In the Public or shared computer section, clear the Direct file access check box.
12. Click save.
13. In the EAC console, click recipients.
14. Double-click Adam Barr.
15. In the Adam Barr window, click mailbox features in the left navigation pane. In the warning
16. In the right pane, scroll down to Email Connectivity section, and click View details.
17. In the Outlook Web App mailbox policy window, click browse.
18. Select External Users Policy and click ok, and then click save two times.
19. Click to the Start menu and then click Exchange Management Shell.
20. Type the following command: Set-CASMailbox -Identity Aidan@adatum.com -OwaMailboxPolicy "External Users Policy", and then press Enter.
21. In Internet Explorer, in the Exchange admin center, click recipients and then in the central pa
22. In the Brad Sutton window, on general tab, click More options.
23. In the Custom attributes section, click Edit.
24. In the 1: text box type external and click ok, and then click save.
25. Repeat steps 21 to 24 for users Chad Niswonger and Daniel Durrer.
26. Switch to Exchange Management Shell and type: Get-Mailbox -Filter {CustomAttribute1 -eq "external"} | Set-CASMailbox -OwaMailboxPolicy "External Users Policy", and press Enter.
27. Switch back to the EAC.
28. Double-click on Brad Sutton.
29. In the Brad Sutton window, click mailbox features.
30. In the right pane, scroll down to the Email Connectivity section and click View details.
31. Ensure that External Users Policy is applied.
32. Click cancel two times.
33. Repeat the steps 28 to 32 for users Chad Niswonger and Daniel Durrer.
Task 2: Configuring Outlook Anywhere
1. On LON-CAS1, in Exchange admin center, click servers in the left navigation pane.
2. In the central pane, double-click LON-CAS1.
3. In the LON-CAS1 window, click Outlook Anywhere.
4. In the first text box, type mail.adatum.com.
5. Make sure that second text box has the value lon-cas1.adatum.com, and that the third one has
6. Select NTLM in the third option.
7. Click save.
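Tasks 1 and 2 of this exercise can be scripted from the Exchange Management Shell. The following is an added example, not the course's own code: the policy name, the users, the custom attribute value and the Outlook Anywhere host names are those of the steps above; Adam Barr is addressed by display name because his alias is not given, and NTLM for internal clients (the default) is assumed alongside the NTLM chosen for external clients in step 6.

```powershell
# Added example (not the course's own code): Exercise 2 Tasks 1 and 2 from the Exchange Management Shell.

# Task 1, steps 4 to 12: a restricted Outlook Web App policy for users who connect from outside.
New-OwaMailboxPolicy -Name "External Users Policy"
Set-OwaMailboxPolicy -Identity "External Users Policy" `
    -InstantMessagingEnabled $false -TextMessagingEnabled $false `
    -RecoverDeletedItemsEnabled $false `
    -DirectFileAccessOnPublicComputersEnabled $false   # no attachment downloads on public computers

# Steps 13 to 20: assign it to individual mailboxes...
Set-CASMailbox -Identity "Adam Barr"        -OwaMailboxPolicy "External Users Policy"
Set-CASMailbox -Identity Aidan@adatum.com   -OwaMailboxPolicy "External Users Policy"

# Steps 21 to 26: ...or tag external users with CustomAttribute1 and assign in bulk.
"Brad Sutton", "Chad Niswonger", "Daniel Durrer" |
    ForEach-Object { Set-Mailbox -Identity $_ -CustomAttribute1 "external" }
Get-Mailbox -Filter { CustomAttribute1 -eq "external" } |
    Set-CASMailbox -OwaMailboxPolicy "External Users Policy"

# Check (steps 28 to 33): every tagged mailbox must show the policy.
$missing = Get-Mailbox -Filter { CustomAttribute1 -eq "external" } | Get-CASMailbox |
    Where-Object { $_.OwaMailboxPolicy -ne "External Users Policy" }
if ($missing) { Write-Warning "Not covered by the policy: $($missing.Name -join ', ')" }
Get-Mailbox -Filter { CustomAttribute1 -eq "external" } | Get-CASMailbox |
    Format-Table Name, OwaMailboxPolicy -AutoSize

# Task 2: Outlook Anywhere host names, NTLM (not Basic) on both sides, SSL required.
Set-OutlookAnywhere -Identity "LON-CAS1\Rpc (Default Web Site)" `
    -ExternalHostname "mail.adatum.com" -InternalHostname "lon-cas1.adatum.com" `
    -ExternalClientAuthenticationMethod Ntlm -InternalClientAuthenticationMethod Ntlm `
    -ExternalClientsRequireSsl $true -InternalClientsRequireSsl $true
Get-OutlookAnywhere -Server LON-CAS1 |
    Format-List ExternalHostname, InternalHostname, *ClientAuthenticationMethod, *RequireSsl
```

The bulk assignment is the same command the lab types in step 26; the Where-Object check afterwards catches a mailbox that was tagged after the assignment ran.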
Task 3: Enabling and using Offline Outlook Web App
1. On LON-CL1, click to the desktop, open Internet Explorer and type https://lon-cas1.adatum
2. Sign in as Adatum\Aidan with the password Pa$$w0rd. Click save.
3. In Outlook Web App window, open the Settings menu next to the user name in the right corne
4. Click Next twice, and then press Ctrl+D.
5. In Add a favorite dialog box, click Add.
6. Sign out from Outlook Web App and close Internet Explorer.
7. On your host, open Hyper-V Manager.
8. Right-click the 20341B-LON-CL1 machine, and choose Settings.
9. Click on Network Adapter, and then in the Network drop-down box, select Not connected.
10. Click OK. By doing this you temporarily disconnect your client from the network.
11. Switch to the 20341B-LON-CL1 virtual machine.
12. Open Internet Explorer, and from the Favorites menu, choose Aidan Delaney - Outlook We
13. When the Outlook Web App window opens, verify that you can access mailbox content.
14. Send a test email to the administrator@adatum.com.
15. On your host, switch to Hyper-V Manager.
16. Right-click the 20341B-LON-CL1 machine and choose Settings.
17. Click on Network Adapter, and then in the Network drop-down box, select Private Network.
18. Wait for 20 to 30 seconds, and then refresh the Outlook Web App window. If a Security Aler
19. On LON-CAS1, open https://lon-cas1.adatum.com/owa, and sign in as Administrator.
20. Verify that you received the email from Aidan that was sent from the offline Outlook Web App
Results: After completing this exercise, students will have Outlook Web App and Outlook Anywhere configured.
Exercise 3: Configuring Exchange ActiveSync
Task 1: Plan a mobile device deployment
Because many different device platforms will be accessing your Exchange Server, what are your m
The main concern regarding the different device platforms will be their ability to support Exchange
How will you achieve the requirement that settings be consistent on each mobile device?
You can implement a mobile-device mailbox policy to achieve consistent settings.
How will you implement the password requirements on your mobile device?
You will enforce password requirements to all devices that connect to your Exchange by implemen
How will you implement the requirements for quarantine?
Requirements for quarantine can be implemented by configuring mobile device access options in th
Task 2: Configure mailbox policies for mobile devices
1. On LON-CAS1, switch to Internet Explorer and in the EAC, click mobile, and then click mob
2. Click the New icon.
3. In the new mobile device mailbox policy window, type Adatum Mobiles for the policy name.
4. Select the This is the default policy check box.
5. Do not select the Allow mobile devices that don't fully support these policies to synchroniz
6. Select the Require a password check box.
7. Select the Require an alphanumeric password check box.
8. Select 2 in the drop-down box called Password must include this many character sets.
9. Select the Minimum password length check box, and type 5 in the text box.
10. Select the Number of sign-in failures before device is wiped check box, and type 4 in the text
11. Select the Require sign-in after device has been inactive for, check box and type 5 in the text
12. Click save.
Task 3: Configure device access rules
1. On LON-CAS1, in the EAC, click mobile, and then click mobile device access.
2. Click the edit button.
3. In the Exchange ActiveSync access settings window, click Quarantine Let me decide to blo
4. In the Quarantine Notification Email Messages section, click the Add icon.
5. In the Select Administrators window, select Administrator, click add, and then click ok.
6. In the text box below, type the following text: Your device is temporary in quarantine. The Ad
7. Click save.
8. In the Device Access Rules pane, click the New icon.
9. In the new device access rule, in the Device family section, click browse.
10.In the Device Family window, click All families, and then click ok.
11.Under the Only this model section, click browse. Verify that no devices are listed, and then click
12.In the new device access rule window, click Quarantine Let me decide to block or allow lat
13.Click cancel.
Results: After completing this exercise, the students will have configured mobile device options and policies.
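The mobile device policy of Task 2 and the quarantine settings of Task 3 map onto a handful of cmdlets. The following is an added example and not the course's own code: the policy name and password values are those of Task 2; the quarantine notification text is a completed version of the sentence that is cut off in Task 3 step 6, and the device release at the end uses placeholder values.

```powershell
# Added example (not the course's own code): Exercise 3 Tasks 2 and 3 from the Exchange Management Shell.

# Task 2: default mailbox policy for mobile devices. AllowNonProvisionableDevices $false
# means a device that cannot enforce the policy is refused rather than let in unprotected.
New-MobileDeviceMailboxPolicy -Name "Adatum Mobiles" -IsDefault $true `
    -AllowNonProvisionableDevices $false `
    -PasswordEnabled $true -AlphanumericPasswordRequired $true `
    -MinPasswordComplexCharacters 2 -MinPasswordLength 5 `
    -MaxPasswordFailedAttempts 4 -MaxInactivityTimeLock 00:05:00

# Task 3, steps 2 to 7: unknown devices are quarantined, the administrator is notified,
# and the user sees the inserted text (wording assumed; the lab's sentence is truncated).
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients administrator@adatum.com `
    -UserMailInsert "Your device is temporarily in quarantine. The administrator will review it."

# Checks an operator would run: which policy is the default, and what is waiting in quarantine.
Get-MobileDeviceMailboxPolicy | Format-Table Name, IsDefault, PasswordEnabled, MaxPasswordFailedAttempts -AutoSize
Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq "Quarantined" } |
    Format-Table UserDisplayName, DeviceType, DeviceModel, DeviceOS, DeviceId -AutoSize

# Releasing a reviewed device: allow only that DeviceId on that one mailbox, rather than
# a broad access rule for the whole model. "<user>" and "<device-id>" are placeholders.
# Set-CASMailbox -Identity "<user>" -ActiveSyncAllowedDeviceIDs @{Add="<device-id>"}
```

Leaving the device access rule of steps 8 to 13 uncreated (the lab cancels it) keeps every unrecognised device in quarantine until an administrator looks at it, which is the more conservative default.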
Exercise 4: Publishing Exchange Server 2013 Through TMG 2010
Task 1: Publish Exchange web-based services through TMG 2010
1. On LON-CAS1, open Windows PowerShell from taskbar, and type mmc.exe and then press Ent
2. In the Console1 window, open the File menu and then click Add/Remove Snap-in.
3. Click Certificates and then click Add. Select Computer account and click Next.
4. Select Local computer, and then click Finish. Click OK.
5. Expand Certificates, expand Personal, and then click on Certificates.
6. Right-click the certificate Webmail.adatum.com, navigate to All Tasks, and select Export.
7. On the Welcome page, click Next.
8. On the Export Private Key page, select Yes, export the private key and click Next.
9. On the Export File Format page, click Next.
10.On the Security page, select Password and type Pa$$w0rd in both fields. Click Next.
11.On the File to Export page, type C:\CAS1.pfx as the file name, and then click Next.
12.Click Finish. In the pop-up window, click OK. Close Console1 and click No to the Save console set
13.Switch to LON-TMG machine.
14.On LON-TMG, click Start. In the Search box, type MMC, and then press Enter.
15.On the File menu, click Add/Remove Snap-in.
16.On the Add or Remove Snap-in page, click Certificates, and then click Add.
17.Click Computer account, click Next, click Finish, and then click OK.
18.Expand Certificates, right-click Personal, point to All Tasks, and then click Import.
19.On the Certificate Import Wizard page, click Next.
20.On the File to Import page, type \\LON-CAS1\C$\CAS1.pfx, and then click Next.
21.On the Password page, type Pa$$w0rd in the Password field, and then click Next.
22.On the Certificate Store page, click Next, and then click Finish.
23.Click OK, and then close Console1 without saving changes.
24.On LON-TMG, click Start, point to All Programs, click Microsoft Forefront TMG, and then c
25.Expand Forefront TMG (LON-TMG), and then click Firewall Policy.
26.On the Firewall Policy Tasks pane, on the Tasks tab, click Publish Exchange Web Client Acce
27.On the Welcome to the New Exchange Publishing Rule Wizard page, type OWA Rule, and th
28.On the Select Services page, in the Exchange version list, click Exchange Server 2010, select t
29.On the Publishing Type page, click Next.
30.On the Server Connection Security page, ensure that Use SSL to connect the published Web s
31.On the Internal Publishing Details page, in the Internal site name text box, type LON-CAS1.A
32.On the Public Name Details page, ensure that This domain name (type below) is configured in
33.On the Select Web Listener page, click New.
34.On the Welcome to the New Web Listener Wizard page, type HTTPS Listener, and then click
35.On the Client Connection Security page, ensure that Require SSL secured connections with c
36.On the Web Listener IP Addresses page, select the External check box, and then click Next.
37.On the Listener SSL Certificates page, click Select Certificate.
38.In the Select Certificate dialog box, click Webmail.adatum.com, click Select, and then click N
39.On the Authentication Settings page, accept the default of HTML Form Authentication, and t
40.On the Single Sign On Settings page, type Adatum.com as the single sign-on (SSO) domain nam
41.On the Select Web Listener page, click Next.
42.On the Authentication Delegation page, accept the default of Basic authentication, and then cl
43.On the User Sets page, accept the default, and then click Next.
44.On the Completing the New Exchange Publishing Rule Wizard page, click Finish.
45.Click Apply twice to apply the changes, and then click OK when the changes have been applied.
46.Switch to the LON-CAS1 machine.
47.Switch to Internet Explorer and in the EAC, click servers in Feature pane.
48.Click virtual directories tab.
49.On the virtual directories tab, double-click owa (Default Web Site) LON-CAS1.
50.In the External URL box, type https://webmail.adatum.com/owa.
51.Click authentication, and then click Use one or more standard authentication methods, and t
52.On the virtual directories tab, double-click ecp (Default Web Site) LON-CAS1.
53.In the External URL box, type https://webmail.adatum.com/ecp.
54.Click authentication, and then click Use one or more standard authentication methods, and t
55.Click yes on the warning window. Click ok.
56.Open the Windows PowerShell. At the PS prompt, type IISReset /noforce, and then press Enter
57.Wait until IIS service restarts.
58.Switch back to LON-TMG machine.
59.In the Forefront TMG console, double-click OWA rule.
60.In the OWA rule properties windows, click on the Application Settings tab.
61.In the Published server logoff URL, type /owa/logoff.owa. (Note: you are doing this because T
62.Click OK and then click Apply two times.
63.Click OK.
64.Double-click OWA rule.
65.On the General tab, click Test Rule.
66.In Web Publishing Rule Test Results window, look for results for https://webmail.adatum.com
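The parts of Task 1 that run on LON-CAS1 (certificate export, external URLs, authentication change and IIS reset) can be done from PowerShell. The following is an added example and not the course's own code: the certificate friendly name, PFX path, password and URLs are those of steps 1 to 57. Switching the owa and ecp directories from forms to Basic authentication is my reading of the truncated steps 51 and 54, since the TMG rule delegates with Basic authentication in step 42; the certutil command for LON-TMG is an assumption, as that machine does not have the PKI PowerShell module.

```powershell
# Added example (not the course's own code): Exchange-side part of Exercise 4 Task 1, on LON-CAS1.

# Steps 1 to 12: export the certificate with its private key for the TMG web listener.
$pfxPwd = ConvertTo-SecureString -String 'Pa$$w0rd' -AsPlainText -Force
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq "Webmail.adatum.com" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key to export." }
Export-PfxCertificate -Cert $cert -FilePath C:\CAS1.pfx -Password $pfxPwd
# Steps 13 to 23, on LON-TMG (Windows Server 2008 R2, no Export/Import-PfxCertificate), assumed:
#   certutil -p Pa$$w0rd -importPFX \\LON-CAS1\C$\CAS1.pfx
# Delete C:\CAS1.pfx from the share once TMG has imported it; it holds the private key.

# Steps 47 to 57: public URLs, and standard (Basic) authentication so TMG can delegate
# the credentials it collected on its own forms page. Forms and Basic are mutually
# exclusive on the owa directory, which is why both are set in one call.
Set-OwaVirtualDirectory -Identity "LON-CAS1\owa (Default Web Site)" `
    -ExternalUrl "https://webmail.adatum.com/owa" `
    -FormsAuthentication $false -BasicAuthentication $true
Set-EcpVirtualDirectory -Identity "LON-CAS1\ecp (Default Web Site)" `
    -ExternalUrl "https://webmail.adatum.com/ecp" `
    -FormsAuthentication $false -BasicAuthentication $true
iisreset /noforce

# Check: Basic authentication is acceptable here only because the TMG-to-CAS hop is SSL
# (step 30) and clients never reach the CAS directly; confirm the directories look as intended.
Get-OwaVirtualDirectory -Server LON-CAS1 | Format-List Identity, ExternalUrl, *Authentication*
Get-EcpVirtualDirectory -Server LON-CAS1 | Format-List Identity, ExternalUrl, *Authentication*
```

Step 61 (the logoff URL on the TMG rule) has no Exchange-side counterpart; it stays in the TMG console.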
Task 2: Publishing rule testing
1. On the host computer, in Hyper-V Manager, right-click 20341B-LON-CL1, and then click Set
2. Click Network Adapter, and in the Network drop-down list, click Private Network 2, and the
3. Log on to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
4. On LON-CL1, in the Start screen, type control panel. Click on the Control Panel icon.
5. Open the Control Panel, and then click View network status and tasks.
6. Click Change adapter settings.
7. Right-click Ethernet, and then click Properties.
8. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
9. Change the IP address to 131.107.0.2, change the Default Gateway to 131.107.0.1.
10. Delete the value for DNS server.
11. Click OK, and then click Close. Close the Control Panel.
12. On the Start screen, type cmd and press Enter.
13. In the command prompt window, type notepad c:\windows\system32\drivers\etc\hosts, and th
14. At the bottom of the hosts file, type 131.107.0.1 webmail.adatum.com, and then save and clos
15. Open Internet Explorer, and then connect to https://webmail.adatum.com/owa.
16. Log on as adatum\administrator using the password Pa$$w0rd, and then verify that you acce
17. In the Outlook Web App window, click Settings and then click Options. Verify that you can c
18. Close Internet Explorer.
Task 3: To prepare for the next module
When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1.On the host computer, start Hyper-V Manager.
2.In the Virtual Machines list, right-click 20341B-LON-DC1, and then click Revert.
3.In the Revert Virtual Machine dialog box, click Revert.
4.Repeat steps 2 to 3 for 20341B-LON-CAS1, 20341B-LON-MBX1, 20341B-LON-TMG, and 203
5.In Hyper-V Manager, click 20341B-LON-DC1, and in the Actions pane, click Start.
6.In the Actions pane, click Connect. Wait until the virtual machine starts.
7.Sign in using the following credentials:
a. User name: Adatum\Administrator
b. Password: Pa$$w0rd
8.You must now move the subnet object currently associated with the Swindon site to the London si
a. On LON-DC1, click Server Manager.
b. In Server Manager, click Tools and then click Active Directory Sites and Services.
c. In Active Directory Sites and Services, click Subnets.
d. Right-click 172.16.0.128/25 and then click Properties.
e. In the 172.16.0.128/25 Properties dialog box, in the Site list, click London and then click O
f. Close Active Directory Sites and Services.
g. Close Server Manager.
9.Repeat steps 5 to 7 for 20341B-LON-MBX1. When you have successfully signed in to LON-MBX
Results: After completing this exercise, students will have Exchange Server 2013 published through TMG 2010.
Lab Answer Key: Module 6: Planning and Implementing High Availability
Lab: Implementing High Availability
Exercise 1: Creating and Configuring a Database Availability Group
Task 1: Pre-stage the cluster network object for a DAG
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Co
2. In Active Directory Users and Computers, on the menu bar, click View, and then click Advanc
3. In the left pane, expand Adatum.com, click Computers, then right-click Computers, point to
4. In the New Object Computer dialog box, in the Computer name field, type DAG1, and the
5. In the right pane, right-click DAG1, and then click Properties.
6. In the DAG1 Properties dialog box, click the Security tab.
7. On the Security tab, click Add, and in the Enter the object names to select field, type Exchan
8. On the Security tab, click Add, and then click Object Types.
9. In the Object Types dialog box, click Computers, and then click OK.
10. In the Select Users, Computers, Service Accounts, or Groups window, in the Enter the obje
11. On the Security tab, select LON-MBX1 (ADATUM\LON-MBX1$), then in the Allow colum
12. On the Security tab, select Exchange Trusted Subsystem (ADATUM\Exchange Trusted Subsystem), then in the Allow column in the Permissions for
13. In the Active Directory Users and Computers window, in the right pane, right-click DAG1, a
14. In the warning window, click Yes, and then on the next information window, click OK.
Task 2: Create a DAG and add mailbox servers to the DAG
1. Switch to LON-CAS1. Open Internet Explorer, and type https://lon-cas1.adatum.com/ecp, an
2. Sign in as Adatum\administrator with the password Pa$$w0rd.
3. In the EAC, in the Feature pane, click servers.
4. On tabs, click database availability groups, and then on the toolbar, click New.
5. In the New database availability group window, in the Database availability group name field
CAS1 in the Witness server field. Click Witness directory, in the Witness directory field, type
6. In the list view, click DAG1, and on the toolbar, click Manage DAG membership.
7. In the manage database availability group membership window, click Add.
8. In the Select Server window, click LON-MBX1, click add, and then click LON-MBX2. Click a
9. In the manage database availability group membership window, click save.
10.In the Saving completed successfully window, click close.
Task 3: Create a mailbox database copy
1. In the EAC, in tabs, click databases, then click Mailbox Database 1 on the toolbar, click Mor
2. In the add mailbox database copy window, click browse.
3. In the Select Server window, click LON-MBX2, and then click ok.
4. In the add mailbox database copy window, click save.
5. Wait until the saving completes successfully, then click close.
Task 4: Verify successful completion of copying a database
1. In tabs, click Refresh, and wait until the details pane shows Mailbox Database 1\LON-MBX2 as Passive Healthy. This might take several minutes and up to several hours depending
2. In the details pane, under Mailbox Database 1\LON-MBX2, click View details.
3. Make sure that the Status displays Healthy and the Content index state also displays Healthy
Task 5: Suspend and resume a database copy
1. In the EAC, in the details pane, click Mailbox Database 1, and then under Mailbox Database
2. In the Suspend database window, in the Comments field, type Test Suspend, and then click s
3. In the details pane, under Mailbox Database 1\LON-MBX2, click Resume. If the Resume bu
4. In the warning window, click yes.
5. In tabs, click Refresh, and then wait until the details pane shows Mailbox Database 1\LON-M
Results: After completing this exercise, students will have pre-staged a cluster network object in Active Directory, created a DAG, added two Mailbox servers to the DAG, and made a database highly available. Students also will have suspended a database copy and resumed it.
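All five tasks of this exercise have shell equivalents. The following is an added example and not the course's own code: Task 1 runs on LON-DC1 with the Active Directory module and dsacls, the rest in the Exchange Management Shell on LON-CAS1. DAG, server and database names are those of the lab; the witness directory path is assumed (the lab's value is cut off on this page), the DAG is left to obtain its IP address from DHCP, and the Wait-HealthyCopy function is my own helper that replaces the manual Refresh of Task 4.

```powershell
# Added example (not the course's own code): Exercise 1 from PowerShell.

# Task 1 (LON-DC1): pre-stage the cluster name object, disabled, and grant full control to the
# Exchange Trusted Subsystem and the first DAG member, as the EAC steps do through the Security tab.
Import-Module ActiveDirectory
New-ADComputer -Name DAG1 -SamAccountName DAG1 -Path "CN=Computers,DC=Adatum,DC=com" -Enabled $false
dsacls "CN=DAG1,CN=Computers,DC=Adatum,DC=com" /G "ADATUM\Exchange Trusted Subsystem:GA"
dsacls "CN=DAG1,CN=Computers,DC=Adatum,DC=com" /G "ADATUM\LON-MBX1$:GA"

# Task 2 (LON-CAS1, Exchange Management Shell): create the DAG and add both Mailbox servers.
# Witness directory is assumed; no DAG IP is given, so DHCP is used.
New-DatabaseAvailabilityGroup -Name DAG1 -WitnessServer LON-CAS1 -WitnessDirectory "C:\FSW\DAG1"
Add-DatabaseAvailabilityGroupServer -Identity DAG1 -MailboxServer LON-MBX1
Add-DatabaseAvailabilityGroupServer -Identity DAG1 -MailboxServer LON-MBX2

# Task 3: seed a second copy of the database on LON-MBX2.
Add-MailboxDatabaseCopy -Identity "Mailbox Database 1" -MailboxServer LON-MBX2

# Task 4: poll until the copy and its content index are Healthy (helper of this example).
function Wait-HealthyCopy {
    param([string]$Copy = "Mailbox Database 1\LON-MBX2", [int]$TimeoutMinutes = 60)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $s = Get-MailboxDatabaseCopyStatus -Identity $Copy
        if ($s.Status -eq "Healthy" -and $s.ContentIndexState -eq "Healthy") { return $s }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    Write-Warning ("{0} not healthy after {1} min: Status={2}, Index={3}, CopyQueue={4}" -f
        $Copy, $TimeoutMinutes, $s.Status, $s.ContentIndexState, $s.CopyQueueLength)
    return $s
}
Wait-HealthyCopy | Format-List Name, Status, ContentIndexState, CopyQueueLength, ReplayQueueLength

# Task 5: suspend with a comment, resume, and confirm the copy returns to Healthy.
Suspend-MailboxDatabaseCopy -Identity "Mailbox Database 1\LON-MBX2" -SuspendComment "Test Suspend" -Confirm:$false
Resume-MailboxDatabaseCopy -Identity "Mailbox Database 1\LON-MBX2"
Wait-HealthyCopy | Format-List Name, Status, ContentIndexState
```

A growing CopyQueueLength in the warning output is the sign to look at replication network connectivity between the two Mailbox servers before waiting any longer.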
Exercise 2: Deploying Highly Available Client Access Servers
Task 1: Install the Network Load Balancing feature on Client Access servers
1. Switch to LON-CAS1.
2. Click the Server Manager icon on the taskbar to open Server Manager.
3. Click Add roles and features.
4. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
5. On the Select installation type page, click Next.
6. On the Select destination server page, make sure that Select a server from the server pool is
7. On the Select server roles page, click Next.
8. On the Select features page, click Network Load Balancing, and in the Add Roles and Featu
9. On the Confirm installation selections page, click Install.
10. In the Add Roles and Features Wizard, wait until the feature installation has succeeded, and the
11. Switch to the LON-CAS2 virtual machine.
12. Click the Server Manager tile.
13. Click Add roles and features.
14. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
15. On the Select installation type page, click Next.
16. On the Select destination server page, make sure that Select server from the server pool is se
17. On the Select server roles page, click Next.
18. On the Select features page, click Network Load Balancing. In the Add Roles and Features
19. On the Confirm installation selections page, click Install.
20. In the Add Roles and Features Wizard, wait until the feature installation has succeeded, and t
Task 2: Create a load-balanced Client Access server cluster
1. Switch to LON-CAS1, and in Server Manager, on the menu bar, click Tools, and then in the T
2. In the Network Load Balancing Manager, on the menu bar, click Cluster, and then click New.
3. In the New Cluster: Connect dialog box, type LON-CAS1 in the Host field, click Connect, an
4. In New Cluster: Host Parameters dialog box, click Next.
5. In New Cluster: Cluster IP Address dialog box, click Add.
6. In the Add IP Address dialog box, type 172.16.0.6 as the IPv4 address, type 255.255.0.0 as the
7. In the New Cluster: Cluster IP Address dialog box, click Next.
8. In the New Cluster: Cluster Parameters dialog box, type webmail.adatum.com in the Full I
9. In New Cluster: Port Rules dialog box, click Finish.
10. In Network Load Balancing Manager, wait until the LON-CAS1 icon turns green.
11. In the left pane, right-click Webmail.adatum.com (172.16.0.6), and then click Add Host To C
12. In the Add Host to Cluster: Connect dialog box, type LON-CAS2 in Host field, click Conne
13. In the Add Host to Cluster: Host Parameters dialog box, click Next.
14. In the Add Host to Cluster: Port Rules dialog box, click Finish.
15. In Network Load Balancing Manager, wait until the LON-CAS2 icon turns green, and the Stat
Task 3: Create a DNS record for the virtual IP address
1. Switch to LON-DC1, and in Server Manager, click Tools, and then click DNS.
2. In the DNS Manager, in the left pane, expand Forward Lookup Zones, select and then right-cl
3. In the New Host dialog box, in Name field type Webmail, in the IP address field, type 172.16
4. Click OK, and then click Done.
Results: After completing this exercise, the students will have installed and configured NLB, and created a DNS record for their load-balanced virtual IP address.
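The feature installation, cluster creation and DNS record of this exercise can be done with the NetworkLoadBalancingClusters and DnsServer modules. The following is an added example, not the course's own code: the cluster name, virtual IP, subnet mask and server names are those of Tasks 2 and 3, and the network adapter name "Ethernet" is assumed.

```powershell
# Added example (not the course's own code): Exercise 2 from PowerShell.

# Task 1 (on LON-CAS1): install NLB locally and on LON-CAS2 in one go.
Install-WindowsFeature -Name NLB -IncludeManagementTools
Install-WindowsFeature -Name NLB -IncludeManagementTools -ComputerName LON-CAS2

# Task 2 (on LON-CAS1): create the cluster on the lab's VIP and add the second node.
# Adapter name "Ethernet" is assumed. In unicast mode (the default) inside Hyper-V, the
# VM network adapters need MAC address spoofing enabled or the nodes cannot converge.
Import-Module NetworkLoadBalancingClusters
New-NlbCluster -InterfaceName "Ethernet" -ClusterName "webmail.adatum.com" `
    -ClusterPrimaryIP 172.16.0.6 -SubnetMask 255.255.0.0
Add-NlbClusterNode -NewNodeName LON-CAS2 -NewNodeInterface "Ethernet"

# Check: both nodes must reach the Converged state before the VIP is published in DNS.
$nodes = Get-NlbClusterNode
$nodes | Format-Table Name, State, HostPriority -AutoSize
if (($nodes | Where-Object { $_.State -ne "Converged" }).Count -gt 0) {
    Write-Warning "Cluster has not converged; do not publish the DNS record yet."
}

# Task 3 (on LON-DC1): A record for the VIP, then resolve it to confirm.
Add-DnsServerResourceRecordA -ZoneName "adatum.com" -Name "webmail" -IPv4Address 172.16.0.6
Resolve-DnsName -Name webmail.adatum.com -Type A
```

Publishing the DNS name only after convergence avoids a window in which clients resolve webmail.adatum.com to an address no node is yet answering on.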
Exercise 3: Testing the High-Availability Configuration
Task 1: Simulate failure on LON-CAS1 and verify Microsoft Outlook Web Access functionality
1. Switch to LON-CAS1, then in Network Load Balancing Manager, in the left pane, right-click L
2. Switch to LON-DC1, open Internet Explorer and type https://webmail.adatum.com/owa, an
3. In Outlook Web App, sign in as Adatum\administrator with the password Pa$$w0rd.
4. You should now see your Inbox. This indicates that LON-CAS2 is currently serving as the Clie
Task 2: Enable LON-CAS1 and simulate a LON-CAS2 failure
1. Switch to the LON-CAS1 virtual server, in Network Load Balancing Manager, in the left pane,
2. In Network Load Balancing Manager, wait until the LON-CAS1 (Ethernet) icon turns green, a
3. Switch to the Host machine, in Hyper-V Manager, right-click 20341B-LON-CAS2, and then c
4. Switch to the LON-DC1 virtual machine. In Internet Explorer, click Refresh (F5).
5. In Outlook Web App, if the sign-in page appears, sign in as Adatum\administrator with the pa
6. In Outlook Web App, in the left pane, click Sent Items to make sure Outlook Web App is still
Task 3: Verify high availability of the database copies
1. Switch to LON-CAS1, and in the EAC, click servers, and then on tabs, click databases.
2. In list view, click Mailbox Database 1, and in the details pane, verify that Mailbox Database 1
3. Switch to the Host machine, in Hyper-V Manager, right-click 20341B-LON-MBX1, and then
4. Switch to the LON-CAS1 virtual machine. In Internet Explorer, click Refresh (F5).
Note: If you receive an error in Internet Explorer, close it and reopen it and reconnect to the EA
5. In the EAC, if the sign-in page appears, sign in as Adatum\administrator with the password P
6. In the EAC, in the Feature pane, click Servers.
7. On tabs, click databases, and then in the list view, click Mailbox Database 1.
8. Verify that in the details pane Mailbox Database 1\LON-MBX1 shows as Passive ServiceDow
9. Switch to the LON-DC1 virtual machine, and in Internet Explorer and Outlook Web App, in the left pane, click Inb
Task 4: To prepare for the next module
When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20341B-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 to 3 for 20341B-LON-CAS1, 20341B-LON-CAS2, 20341B-LON-MBX1, and 20
Note: Although some of the servers are not running, you must still revert them.
5. In Hyper-V Manager, click 20341B-LON-DC1, and in the Actions pane, click Start.
6. In the Actions pane, click Connect. Wait until the virtual machine starts.
7. Sign in using the following credentials:
a. User name: Adatum\Administrator
b. Password: Pa$$w0rd
8. Repeat steps 5 to 7 for 20341B-LON-MBX1. When you have successfully signed in to LON-MBX
Results: After completing this exercise, the students will have tested their high-availability configuration.
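Exercise 3 as a script rather than a sequence of console clicks, added here as an example and not part of the lab text. It runs in the Exchange Management Shell on LON-CAS1; the OWA probe is issued from LON-DC1 so that it reaches the servers through the VIP exactly as the Internet Explorer test does. Assumptions not stated in the lab: WinRM is enabled on LON-DC1, the adapter is named "Ethernet", and the Client Access servers still present their self-signed certificates, which is why the probe disables certificate validation (lab only).

```powershell
# Added example (not from the 20341B lab text): failover checks for Exercise 3.
# Assumptions: WinRM on LON-DC1, adapter "Ethernet", self-signed certificates on the CAS.
Import-Module NetworkLoadBalancingClusters

function Get-OwaFrontEnd {
    # Exchange 2013 answers /owa/healthcheck.htm with HTTP 200 and names the Client Access
    # server that handled the request in the X-FEServer response header, so one request
    # through the VIP tells you which node is serving.
    Invoke-Command -ComputerName 'LON-DC1' -ScriptBlock {
        # LAB ONLY: the lab CAS use self-signed certificates. Never do this in production;
        # a validated certificate carrying the VIP name is part of what the test should prove.
        [Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
        try {
            $r = Invoke-WebRequest -Uri 'https://webmail.adatum.com/owa/healthcheck.htm' -UseBasicParsing
            [pscustomobject]@{ Status = $r.StatusCode; FrontEnd = $r.Headers['X-FEServer'] }
        } catch {
            [pscustomobject]@{ Status = 'unreachable'; FrontEnd = $_.Exception.Message }
        }
    }
}

# Baseline: which CAS answers before any failure is simulated.
Get-OwaFrontEnd

# Task 1: stop LON-CAS1 in the cluster (GUI: Control Host > Stop). -Drain lets existing
# connections finish first. The VIP must now be answered by LON-CAS2.
Stop-NlbClusterNode -HostName 'LON-CAS1' -InterfaceName 'Ethernet' -Drain -Timeout 1
Get-OwaFrontEnd          # expected FrontEnd: LON-CAS2

# Task 2: bring LON-CAS1 back, wait for convergence, then turn off LON-CAS2 in Hyper-V
# Manager as the lab does and confirm the VIP is still answered, now by LON-CAS1.
Start-NlbClusterNode -HostName 'LON-CAS1' -InterfaceName 'Ethernet'
do { Start-Sleep -Seconds 5 } while (Get-NlbClusterNode | Where-Object { $_.State -ne 'Converged' })
Read-Host 'Turn off 20341B-LON-CAS2 in Hyper-V Manager, then press Enter'
Get-OwaFrontEnd          # expected FrontEnd: LON-CAS1

# Task 3: database copy health is easier to read here than in the EAC details pane. Run this
# before and after turning off 20341B-LON-MBX1: the copy on the server that was turned off
# reports ServiceDown, and the copy on the surviving server should have become the mounted one.
Get-MailboxDatabaseCopyStatus -Identity 'Mailbox Database 1' |
    Format-Table Name, Status, CopyQueueLength, ReplayQueueLength, ContentIndexState -AutoSize
```

Because the default port rule uses single affinity, repeated requests from one client IP stick to the same node; seeing both servers in FrontEnd therefore requires stopping a node, as the exercise does, not just refreshing the page.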
Lab Answer Key: Module 7: Planning and Implementing Disaster Recovery
Lab: Implementing Disaster Recovery for Exchange Server 2013
Exercise 1: Backing Up Exchange 2013
Task 1: Populate a mailbox with Outlook Web App
1. On LON-CAS1, open Internet Explorer. Type https://lon-cas1.Adatum.com/owa.
2. Sign in as Adatum\michael with the password Pa$$w0rd.
3. On the Language and Time zone page, click save.
4. Click new mail.
5. In the To section, type Mark Bebbington, and type Message before backup into the subject li
6. Click Send.
7. Sign out from Outlook Web App.
8. Sign in again as Adatum\mark with the password Pa$$w0rd.
9. On the Language and Time zone page, click save.
10. Check that the message is received.
11. Sign out from Outlook Web App.
12. Close Internet Explorer.
13. Switch to the Start screen, and click the Exchange Management Shell.
14. Type the following command, and press Enter:
Get-Mailbox mark@adatum.com | fl Name,Database,Guid
Notice the name and the GUID of the Mailbox Database. This is needed for the restore.
15. Close the Exchange Management Shell.
Task 2: Install Windows Server Backup
1. On LON-MBX1, on the Start screen, click Server Manager.
2. In the Dashboard, click Add roles and features. The Add Roles and Features Wizard opens.
3. On the Before You Begin page, click Next.
4. On the Installation Type page, select Role-based or feature-based installation, and click Nex
5. On the Server Selection page, select Select a server from the server pool, click LON-MBX1
6. On the Server Roles page, click Next.
7. On the Features page, scroll down in the Features list, select Windows Server Backup, and c
8. On the Confirmation page, do not select the Restart the destination server automatically if
9. On the Results page, click Close.
Task 3: Perform a backup of a mailbox database using Windows Server Backup
1. On LON-CAS1, open File Explorer, and create a folder named Backup on drive C:\.
2. Right-click the Backup folder, select Share with, and select Specific people.
3. Check that the Administrator account has Read/Write permissions, and click Share. Click Don
4. Close File Explorer.
5. On LON-MBX1, on the Start screen, click Administrative Tools.
6. Scroll down the tools list and double-click Windows Server Backup.
7. In the left navigation pane, select Local Backup.
8. In the Actions pane on the right side, click Backup Once.
9. In the Backup Once Wizard on the Backup Options page, select Different options, and click N
10. On the Select Backup Configuration page, select Full server (recommended), and click Nex
11. On the Specify Destination Type page, select Remote shared folder, and click Next.
12. On the Specify Remote Folder page, under Location type \\LON-CAS1\Backup, under Acce
13. In the Windows Security pop-up window, enter Administrator as the name and Pa$$w0rd as
14. On the Confirmation page, click Backup.
15. On the Backup Progress page, click Close.
16. When the backup completes, close Windows Server Backup. It may take 10 to 15 minutes to co
Task 4: Delete message in mailbox
1. On LON-CAS1, open Internet Explorer. Type https://lon-cas1.ADatum.com/owa.
2. Sign in as Adatum\Mark with the password Pa$$w0rd.
3. Delete the message received from Michael.
4. Empty the Deleted Items folder.
5. Right-click the Deleted Items folder and select recover deleted items.
6. In the recover deleted items window, select the message received from Michael, and click pur
7. Click ok to confirm the purge action on the selected item.
8. Close the recover deleted items window.
9. Sign out from Outlook Web App.
Results: After completing this exercise, you have successfully backed up the mailbox databases.
Exercise 2: Restoring Exchange Server 2013 Data
Task 1: Restore the database using Windows Server Backup
1. On LON-MBX1, open File Explorer, and create a folder named Restore on drive C:\.
2. On the Start screen, click Administrative Tools.
3. Scroll down the tools list, and double-click Windows Server Backup.
4. In the Actions pane, click Recover.
5. In the Recovery Wizard on the Getting Started page, select A backup stored on another loca
6. On the Specify Location Type page, select Remote shared folder, and click Next.
7. On the Specify Remote Folder page, type \\LON-CAS1\Backup, and click Next.
8. On the Select Backup Date page, select the date and time of the backup, and click Next.
9. On the Select Recovery Type page, select Applications, and click Next.
10. On the Select Applications page, verify that Exchange is selected.
11. Select Do not perform a roll-forward recovery of the application database, and click Next.
12. On the Specify Recovery Options page, select Recover to another location, and click Brows
13. In the Browse For Folder window, select the C:\Restore folder, and click OK. Click Next.
14. On the Confirmation page, click Recover.
15. On the Recovery Progress page, check that the status of the recovery is Completed, and click
16. Close Windows Server Backup.
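The command-line equivalent of the backup in Exercise 1, Tasks 2 and 3, and of the restore in Task 1 above, added here as an example and not part of the lab text. It tightens two things the GUI walkthrough leaves loose: the share ACL (a full-server backup of a Mailbox server contains every mailbox in the clear, so the share gets one account, no inherited permissions and SMB encryption) and the VSS mode (only a VSS full backup lets the Exchange writer truncate transaction logs; a VSS copy backup leaves them accumulating). It uses the lab's names (\\LON-CAS1\Backup, LON-MBX1, Mailbox Database 1) and assumes each part is run as Adatum\Administrator on the server named in the comment, the LON-MBX1 parts in the Exchange Management Shell.

```powershell
# Added example (not from the 20341B lab text). Run each section on the server in its heading.

## LON-CAS1: backup share (Exercise 1, Task 3, steps 1-3) with a restrictive ACL.
New-Item -ItemType Directory -Path 'C:\Backup' -Force | Out-Null
icacls 'C:\Backup' /inheritance:r /grant:r 'Adatum\Administrator:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' | Out-Null
New-SmbShare -Name 'Backup' -Path 'C:\Backup' -FullAccess 'Adatum\Administrator' -EncryptData $true | Out-Null
Get-SmbShareAccess -Name 'Backup'        # the GUI's "check that Administrator has Read/Write"

## LON-MBX1: feature install and VSS full backup of C: (Exercise 1, Tasks 2-3).
Install-WindowsFeature -Name 'Windows-Server-Backup' | Out-Null
wbadmin start backup -backupTarget:\\LON-CAS1\Backup -include:C: -allCritical -vssFull -quiet
Get-WBJob -Previous 1 | Format-List JobType, StartTime, EndTime, JobState

## LON-MBX1: restore the Exchange application data to C:\Restore (Exercise 2, Task 1).
## -noRollForward is the GUI's "Do not perform a roll-forward recovery of the application database".
New-Item -ItemType Directory -Path 'C:\Restore' -Force | Out-Null
$versions = wbadmin get versions -backupTarget:\\LON-CAS1\Backup -machine:LON-MBX1
$version  = ($versions | Select-String 'Version identifier:\s*(\S+)' | Select-Object -Last 1).Matches[0].Groups[1].Value
wbadmin start recovery -version:$version -itemType:App -items:Exchange -recoveryTarget:C:\Restore `
    -noRollForward -backupTarget:\\LON-CAS1\Backup -quiet

## Locate the restored .edb by the file name Exchange reports for the live database, and check
## its header before Task 2 builds the recovery database: a database in 'Dirty Shutdown' must be
## soft-recovered with 'eseutil /R' against its log files before it will mount.
$edbName = Split-Path -Leaf "$((Get-MailboxDatabase -Identity 'Mailbox Database 1').EdbFilePath)"
$edb     = Get-ChildItem -Path 'C:\Restore' -Recurse -Filter $edbName | Select-Object -First 1
$edb.FullName
& (Join-Path $env:ExchangeInstallPath 'Bin\eseutil.exe') /mh $edb.FullName | Select-String '^\s*State:'
```

The folder wbadmin creates under C:\Restore is named after the database GUID, which is why Task 1 of Exercise 1 has you note the GUID with Get-Mailbox: the path you type in Task 2 must match the folder that was actually created, not the one printed in the answer key.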
Task 2: Create a recovery database with the Exchange Management Shell
1. On LON-MBX1, on the Start screen, click Exchange Management Shell.
2. In the Exchange Management Shell, execute the following command. This command identifies the
Get-MailboxDatabase -Identity "Mailbox Database 1" | fl Name,Guid,EdbFilePath,LogFolderPath
3. In the Exchange Management Shell, type the following command to create the Recovery database,
New-MailboxDatabase -Recovery -Name RecoveryDB -EdbFilePath "C:\Restore\3c32c739-a0ce-43bc-a299-2f56f2bcb20c\C_\Program Files\Microsoft\Exchange Server\V15\Mailbox\Mailbox Database 1808842331\Mailbox Database 1808842331.edb" -LogFolderPath "C:\Restore\3c32c739-a0ce-43bc-a299-2f56f2bcb20c\C_\Program Files\Microsoft\Exchange Server\V15\Mailbox\Mailbox Database 1808842331" -Server LON-MBX1
Note: The GUID folder under C:\Restore and the database folder name (Mailbox Database 1808842331) are the values from the lab image. Use the GUID and EdbFilePath returned in step 2 and the folder that Windows Server Backup actually created under C:\Restore; the log folder is the directory that contains the .edb file. Paths that contain spaces must be quoted.
4. At the Exchange Management Shell prompt, type the following command, and then press Enter.
Restart-Service MSExchangeIS
5. At the Exchange Management Shell prompt, type the following command, and then press Enter.
cd "C:\Restore\3c32c739-a0ce-43bc-a299-2f56f2bcb20c\C_\Program Files\Microsoft\Exchange Server\V15\Mailbox\Mailbox Database 1808842331"
6. At the Exchange Management Shell prompt, type the followi