
OFFICIAL MICROSOFT LEARNING PRODUCT

10135A
Configuring, Managing and
Troubleshooting Microsoft® Exchange
Server 2010

Information in this document, including URL and other Internet Web site references, is subject to change without notice.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people,
places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain
name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright
laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be
reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft
Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject
matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this
document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no
representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the
products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of
Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of
Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any
changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from
any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply
endorsement of Microsoft of the site or the products contained therein.

© 2010 Microsoft Corporation. All rights reserved.

Microsoft, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or
other countries.

All other trademarks are property of their respective owners.

Product Number: 10135A

Part Number: X17-40190

Released: 01/2010
MICROSOFT LICENSE TERMS
OFFICIAL MICROSOFT LEARNING PRODUCTS - TRAINER EDITION –
Pre-Release and Final Release Versions
These license terms are an agreement between Microsoft Corporation and you. Please read them. They apply to the Licensed
Content named above, which includes the media on which you received it, if any. The terms also apply to any Microsoft
• updates,
• supplements,
• Internet-based services, and
• support services
for this Licensed Content, unless other terms accompany those items. If so, those terms apply.
By using the Licensed Content, you accept these terms. If you do not accept them, do not use the Licensed
Content.

If you comply with these license terms, you have the rights below.
1. DEFINITIONS.
a. “Academic Materials” means the printed or electronic documentation such as manuals, workbooks, white papers,
press releases, datasheets, and FAQs which may be included in the Licensed Content.
b. “Authorized Learning Center(s)” means a Microsoft Certified Partner for Learning Solutions location, an IT
Academy location, or such other entity as Microsoft may designate from time to time.
c. “Authorized Training Session(s)” means those training sessions authorized by Microsoft and conducted at or
through Authorized Learning Centers by a Trainer providing training to Students solely on Official Microsoft Learning
Products (formerly known as Microsoft Official Curriculum or “MOC”) and Microsoft Dynamics Learning Products
(formerly known as Microsoft Business Solutions Courseware). Each Authorized Training Session will provide training on
the subject matter of one (1) Course.
d. “Course” means one of the courses using Licensed Content offered by an Authorized Learning Center during an
Authorized Training Session, each of which provides training on a particular Microsoft technology subject matter.
e. “Device(s)” means a single computer, device, workstation, terminal, or other digital electronic or analog device.
f. “Licensed Content” means the materials accompanying these license terms. The Licensed Content may include, but
is not limited to, the following elements: (i) Trainer Content, (ii) Student Content, (iii) classroom setup guide, and (iv)
Software. There are different and separate components of the Licensed Content for each Course.
g. “Software” means the Virtual Machines and Virtual Hard Disks, or other software applications that may be included
with the Licensed Content.
h. “Student(s)” means a student duly enrolled for an Authorized Training Session at your location.
i. “Student Content” means the learning materials accompanying these license terms that are for use by Students and
Trainers during an Authorized Training Session. Student Content may include labs, simulations, and courseware files
for a Course.
j. “Trainer(s)” means a) a person who is duly certified by Microsoft as a Microsoft Certified Trainer and b) such other
individual as authorized in writing by Microsoft and has been engaged by an Authorized Learning Center to teach or
instruct an Authorized Training Session to Students on its behalf.
k. “Trainer Content” means the materials accompanying these license terms that are for use by Trainers and Students,
as applicable, solely during an Authorized Training Session. Trainer Content may include Virtual Machines, Virtual Hard
Disks, Microsoft PowerPoint files, instructor notes, and demonstration guides and script files for a Course.
l. “Virtual Hard Disks” means Microsoft Software that is comprised of virtualized hard disks (such as a base virtual hard
disk or differencing disks) for a Virtual Machine that can be loaded onto a single computer or other device in order to
allow end-users to run multiple operating systems concurrently. For the purposes of these license terms, Virtual Hard
Disks will be considered “Trainer Content”.
m. “Virtual Machine” means a virtualized computing experience, created and accessed using Microsoft Virtual PC or
Microsoft Virtual Server software that consists of a virtualized hardware environment, one or more Virtual Hard Disks,
and a configuration file setting the parameters of the virtualized hardware environment (e.g., RAM). For the purposes
of these license terms, Virtual Hard Disks will be considered “Trainer Content”.
n. “you” means the Authorized Learning Center or Trainer, as applicable, that has agreed to these license terms.
2. OVERVIEW.
Licensed Content. The Licensed Content includes Software, Academic Materials (online and electronic), Trainer Content,
Student Content, classroom setup guide, and associated media.
License Model. The Licensed Content is licensed on a per copy per Authorized Learning Center location or per Trainer
basis.
3. INSTALLATION AND USE RIGHTS.
a. Authorized Learning Centers and Trainers: For each Authorized Training Session, you may:
i. either install individual copies of the relevant Licensed Content on classroom Devices only for use by Students
enrolled in and the Trainer delivering the Authorized Training Session, provided that the number of copies in use
does not exceed the number of Students enrolled in and the Trainer delivering the Authorized Training Session, OR
ii. install one copy of the relevant Licensed Content on a network server only for access by classroom Devices and
only for use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided that the
number of Devices accessing the Licensed Content on such server does not exceed the number of Students
enrolled in and the Trainer delivering the Authorized Training Session.
iii. and allow the Students enrolled in and the Trainer delivering the Authorized Training Session to use the Licensed
Content that you install in accordance with (i) or (ii) above during such Authorized Training Session in accordance
with these license terms.
i. Separation of Components. The components of the Licensed Content are licensed as a single unit. You may not
separate the components and install them on different Devices.
ii. Third Party Programs. The Licensed Content may contain third party programs. These license terms will apply to
the use of those third party programs, unless other terms accompany those programs.
b. Trainers:
i. Trainers may Use the Licensed Content that you install or that is installed by an Authorized Learning Center on a
classroom Device to deliver an Authorized Training Session.
ii. Trainers may also Use a copy of the Licensed Content as follows:
A. Licensed Device. The licensed Device is the Device on which you Use the Licensed Content. You may install
and Use one copy of the Licensed Content on the licensed Device solely for your own personal training Use and
for preparation of an Authorized Training Session.
B. Portable Device. You may install another copy on a portable device solely for your own personal training Use
and for preparation of an Authorized Training Session.
4. PRE-RELEASE VERSIONS. If this is a pre-release (“beta”) version, in addition to the other provisions in this agreement,
these terms also apply:
a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not contain the same
information and/or work the way a final version of the Licensed Content will. We may change it for the final,
commercial version. We also may not release a commercial version. You will clearly and conspicuously inform any
Students who participate in each Authorized Training Session of the foregoing; and, that you or Microsoft are under no
obligation to provide them with any further content, including but not limited to the final released version of the
Licensed Content for the Course.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, you give to Microsoft, without
charge, the right to use, share and commercialize your feedback in any way and for any purpose. You also give to
third parties, without charge, any patent rights needed for their products, technologies and services to use or interface
with any specific parts of a Microsoft software, Licensed Content, or service that includes the feedback. You will not
give feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties
because we include your feedback in them. These rights survive this agreement.
c. Confidential Information. The Licensed Content, including any viewer, user interface, features and documentation
that may be included with the Licensed Content, is confidential and proprietary to Microsoft and its suppliers.
i. Use. For five years after installation of the Licensed Content or its commercial release, whichever is first, you
may not disclose confidential information to third parties. You may disclose confidential information only to
your employees and consultants who need to know the information. You must have written agreements with
them that protect the confidential information at least as much as this agreement.
ii. Survival. Your duty to protect confidential information survives this agreement.
iii. Exclusions. You may disclose confidential information in response to a judicial or governmental order. You
must first give written notice to Microsoft to allow it to seek a protective order or otherwise protect the
information. Confidential information does not include information that
• becomes publicly known through no wrongful act;
• you received from a third party who did not breach confidentiality obligations to Microsoft or its suppliers; or
• you developed independently.

d. Term. The term of this agreement for pre-release versions is (i) the date which Microsoft informs you is the end date
for using the beta version, or (ii) the commercial release of the final release version of the Licensed Content, whichever
is first (“beta term”).
e. Use. You will cease using all copies of the beta version upon expiration or termination of the beta term, and will
destroy all copies of same in the possession or under your control and/or in the possession or under the control of any
Trainers who have received copies of the pre-released version.
f. Copies. Microsoft will inform Authorized Learning Centers if they may make copies of the beta version (in either print
and/or CD version) and distribute such copies to Students and/or Trainers. If Microsoft allows such distribution, you
will follow any additional terms that Microsoft provides to you for such copies and distribution.
5. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.
a. Authorized Learning Centers and Trainers:
i. Software.
ii. Virtual Hard Disks. The Licensed Content may contain versions of Microsoft XP, Microsoft Windows Vista,
Windows Server 2003, Windows Server 2008, and Windows 2000 Advanced Server and/or other Microsoft products
which are provided in Virtual Hard Disks.
A. If the Virtual Hard Disks and the labs are launched through the Microsoft Learning Lab Launcher,
then these terms apply:
Time-Sensitive Software. If the Software is not reset, it will stop running based upon the time indicated on the
install of the Virtual Machines (between 30 and 500 days after you install it). You will not receive notice before
it stops running. You may not be able to access data used or information saved with the Virtual Machines
when it stops running and may be forced to reset these Virtual Machines to their original state. You must
remove the Software from the Devices at the end of each Authorized Training Session and reinstall and launch
it prior to the beginning of the next Authorized Training Session.
B. If the Virtual Hard Disks require a product key to launch, then these terms apply:
Microsoft will deactivate the operating system associated with each Virtual Hard Disk. Before installing any
Virtual Hard Disks on classroom Devices for use during an Authorized Training Session, you will obtain from
Microsoft a product key for the operating system software for the Virtual Hard Disks and will activate such
Software with Microsoft using such product key.
C. These terms apply to all Virtual Machines and Virtual Hard Disks:
You may only use the Virtual Machines and Virtual Hard Disks if you comply with the terms and
conditions of this agreement and the following security requirements:
• You may not install Virtual Machines and Virtual Hard Disks on portable Devices or Devices that are accessible to other networks.
• You must remove Virtual Machines and Virtual Hard Disks from all classroom Devices at the end of each Authorized Training Session, except those held at Microsoft Certified Partners for Learning Solutions locations.
• You must remove the differencing drive portions of the Virtual Hard Disks from all classroom Devices at the end of each Authorized Training Session at Microsoft Certified Partners for Learning Solutions locations.
• You will ensure that the Virtual Machines and Virtual Hard Disks are not copied or downloaded from Devices on which you installed them.
• You will strictly comply with all Microsoft instructions relating to installation, use, activation and deactivation, and security of Virtual Machines and Virtual Hard Disks.
• You may not modify the Virtual Machines and Virtual Hard Disks or any contents thereof.
• You may not reproduce or redistribute the Virtual Machines or Virtual Hard Disks.
ii. Classroom Setup Guide. You will assure any Licensed Content installed for use during an Authorized Training
Session will be done in accordance with the classroom set-up guide for the Course.
iii. Media Elements and Templates. You may allow Trainers and Students to use images, clip art, animations,
sounds, music, shapes, video clips and templates provided with the Licensed Content solely in an Authorized
Training Session. If Trainers have their own copy of the Licensed Content, they may use Media Elements for their
personal training use.
iv. Evaluation Software. Any Software that is included in the Student Content designated as “Evaluation
Software” may be used by Students solely for their personal training outside of the Authorized Training Session.
b. Trainers Only:
i. Use of PowerPoint Slide Deck Templates. The Trainer Content may include Microsoft PowerPoint slide decks.
Trainers may use, copy and modify the PowerPoint slide decks only for providing an Authorized Training Session.
If you elect to exercise the foregoing, you will agree or ensure Trainer agrees: (a) that modification of the slide
decks will not constitute creation of obscene or scandalous works, as defined by federal law at the time the work is
created; and (b) to comply with all other terms and conditions of this agreement.
ii. Use of Instructional Components in Trainer Content. For each Authorized Training Session, Trainers may
customize and reproduce, in accordance with the MCT Agreement, those portions of the Licensed Content that are
logically associated with instruction of the Authorized Training Session. If you elect to exercise the foregoing
rights, you agree or ensure the Trainer agrees: (a) that any of these customizations or reproductions will only be
used for providing an Authorized Training Session and (b) to comply with all other terms and conditions of this
agreement.
iii. Academic Materials. If the Licensed Content contains Academic Materials, you may copy and use the Academic
Materials. You may not make any modifications to the Academic Materials and you may not print any book (either
electronic or print version) in its entirety. If you reproduce any Academic Materials, you agree that:
• The use of the Academic Materials will be only for your personal reference or training use;
• You will not republish or post the Academic Materials on any network computer or broadcast in any media;
• You will include the Academic Material’s original copyright notice, or a copyright notice to Microsoft’s benefit in the format provided below:
Form of Notice:
© 2010 Reprinted for personal reference use only with permission by Microsoft Corporation. All
rights reserved.
Microsoft, Windows, and Windows Server are either registered trademarks or trademarks of
Microsoft Corporation in the US and/or other countries. Other product and company names
mentioned herein may be the trademarks of their respective owners.
6. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed Content. It may change
or cancel them at any time. You may not use these services in any way that could harm them or impair anyone else’s use
of them. You may not use the services to try to gain unauthorized access to any service, data, account or network by any
means.
7. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights to use the
Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation,
you may use the Licensed Content only as expressly permitted in this agreement. In doing so, you must comply with any
technical limitations in the Licensed Content that only allow you to use it in certain ways. You may not
• install more copies of the Licensed Content on classroom Devices than the number of Students and the Trainer in the Authorized Training Session;
• allow more classroom Devices to access the server than the number of Students enrolled in and the Trainer delivering the Authorized Training Session if the Licensed Content is installed on a network server;
• copy or reproduce the Licensed Content to any server or location for further reproduction or distribution;
• disclose the results of any benchmark tests of the Licensed Content to any third party without Microsoft’s prior written approval;
• work around any technical limitations in the Licensed Content;
• reverse engineer, decompile or disassemble the Licensed Content, except and only to the extent that applicable law expressly permits, despite this limitation;
• make more copies of the Licensed Content than specified in this agreement or allowed by applicable law, despite this limitation;
• publish the Licensed Content for others to copy;
• transfer the Licensed Content, in whole or in part, to a third party;
• access or use any Licensed Content for which you (i) are not providing a Course and/or (ii) have not been authorized by Microsoft to access and use;
• rent, lease or lend the Licensed Content; or
• use the Licensed Content for commercial hosting services or general business purposes.
• Rights to access the server software that may be included with the Licensed Content, including the Virtual Hard Disks, does not give you any right to implement Microsoft patents or other Microsoft intellectual property in software or devices that may access the server.
8. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You must
comply with all domestic and international export laws and regulations that apply to the Licensed Content. These laws
include restrictions on destinations, end users and end use. For additional information, see
www.microsoft.com/exporting.
9. NOT FOR RESALE SOFTWARE/LICENSED CONTENT. You may not sell software or Licensed Content marked as “NFR”
or “Not for Resale.”
10. ACADEMIC EDITION. You must be a “Qualified Educational User” to use Licensed Content marked as “Academic Edition”
or “AE.” If you do not know whether you are a Qualified Educational User, visit www.microsoft.com/education or contact
the Microsoft affiliate serving your country.
11. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail to comply with
the terms and conditions of these license terms. In the event your status as an Authorized Learning Center or Trainer a)
expires, b) is voluntarily terminated by you, and/or c) is terminated by Microsoft, this agreement shall automatically
terminate. Upon any termination of this agreement, you must destroy all copies of the Licensed Content and all of its
component parts.
12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-based services and
support services that you use, are the entire agreement for the Licensed Content and support services.
13. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law governs the
interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws
of the state where you live govern all other claims, including claims under state consumer protection laws, unfair
competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that country
apply.
14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country.
You may also have rights with respect to the party from whom you acquired the Licensed Content. This agreement does
not change your rights under the laws of your country if the laws of your country do not permit it to do so.
15. DISCLAIMER OF WARRANTY. The Licensed Content is licensed “as-is.” You bear the risk of using it.
Microsoft gives no express warranties, guarantees or conditions. You may have additional consumer rights
under your local laws which this agreement cannot change. To the extent permitted under your local laws,
Microsoft excludes the implied warranties of merchantability, fitness for a particular purpose and non-
infringement.
16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM MICROSOFT AND
ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES,
INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.
This limitation applies to
• anything related to the Licensed Content, software, services, content (including code) on third party Internet sites, or third party programs; and
• claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or
exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential
or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement
are provided below in French.
DISCLAIMER OF WARRANTY. The Licensed Content is licensed “as is.” You bear all risk of using it. Microsoft gives no other express warranties. You may have additional rights under your local consumer protection law, which this agreement cannot change. Where permitted by local law, the implied warranties of merchantability, fitness for a particular purpose and non-infringement are excluded.
LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. You can recover from Microsoft and its suppliers only direct damages up to US $5.00. You cannot recover any other damages, including special, indirect or incidental damages and lost profits.
This limitation applies to:
• anything related to the Licensed Content, services or content (including code) on third-party Internet sites or in third-party programs; and
• claims for breach of contract or warranty, or for strict liability, negligence or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of such damage. If your country does not allow the exclusion or limitation of liability for indirect, incidental or other damages, the above limitation or exclusion may not apply to you.
LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. This agreement does not change the rights granted to you by the laws of your country if those laws do not permit it to do so.

Acknowledgements
Microsoft Learning would like to acknowledge and thank the following for their contribution towards
developing this title. Their effort at various stages in the development has ensured that you have a good
classroom experience.

Siegfried Jagott – Content Developer


Siegfried Jagott is a Principal Consultant and Team Lead for the Messaging and
Collaboration team in Siemens IT Solutions located in Munich, Germany. He has
planned, designed, and implemented some of the world’s largest Windows and
Exchange Server infrastructures for international customers. Additionally, he
hosted a monthly column for Windows IT Magazine called “Exchange & Outlook
UPDATE: Outlook Perspectives.” He writes for international magazines and
lectures about Windows and Exchange Server-related topics. He received an MBA
from Open University in England, and has been a Microsoft Certified Systems Engineer
(MCSE) since 1997.

Stan Reimer – Content Developer


Stan Reimer is president of S. R. Technical Services Inc., and he works as a consultant, trainer and author.
Stan has extensive experience consulting on Active Directory and Exchange Server deployments for some
of the largest companies in Canada. Stan is the lead author for two Active Directory books for Microsoft
Press, and is currently working on an Exchange Server 2010 Best Practices book, also for Microsoft Press.
For the last six years, Stan has been writing courseware for Microsoft Learning, specializing in Active
Directory and Exchange Server courses. Stan has been an MCT for 11 years.

Joel Stidley – Content Developer


Joel Stidley is an MCITP, MCSE, MCTS, and a Microsoft Exchange MVP with over 13 years of IT experience.
Currently, he is a principal systems architect at Terremark Worldwide, Inc., where he works with a variety
of directory, storage, virtualization, and messaging technologies. Joel has authored several books and
courses on Microsoft Technologies including Windows PowerShell, Microsoft Exchange Server and
Windows Server 2008. He also manages an Exchange Server blog and forum site.

Damir Dizdarevic – Technical Reviewer


Damir Dizdarevic is a manager of the Learning Center at Logosoft d.o.o. (Sarajevo, Bosnia and
Herzegovina) and an MCT. He has worked as a subject matter expert and technical reviewer on several
MOC courses, and has published more than 350 articles in various IT magazines such as Windows ITPro.
He is an MVP for Windows Server Infrastructure Management, and an MCSE, MCTS, and MCITP (Windows
Server 2008 and Exchange Server 2007). He specializes in Windows Server and Exchange Server.

Contents

Module 1: Deploying Microsoft® Exchange Server 2010
Lesson 1: Overview of Exchange Server 2010 Requirements 1-4
Lesson 2: Installing Exchange Server 2010 Server Roles 1-16
Lab A: Installing Exchange Server 2010 1-32
Lesson 3: Completing an Exchange Server 2010 Installation 1-37
Lab B: Verifying an Exchange Server 2010 Installation 1-46

Module 2: Configuring Mailbox Servers
Lesson 1: Overview of Exchange Server 2010 Administrative Tools 2-3
Lesson 2: Configuring Mailbox Server Roles 2-13
Lesson 3: Configuring Public Folders 2-32
Lab: Configuring Mailbox Servers 2-40

Module 3: Managing Recipient Objects
Lesson 1: Managing Mailboxes 3-3
Lesson 2: Managing Other Recipients 3-19
Lesson 3: Configuring E-mail Address Policies 3-26
Lesson 4: Configuring Address Lists 3-31
Lesson 5: Performing Bulk Recipient Management Tasks 3-37
Lab: Managing Exchange Recipients 3-41

Module 4: Managing Client Access
Lesson 1: Configuring the Client Access Server Role 4-3
Lesson 2: Configuring Client Access Services for Outlook Clients 4-18
Lab A: Configuring Client Access Servers for Outlook Anywhere Access 4-37
Lesson 3: Configuring Outlook Web App 4-43
Lesson 4: Configuring Mobile Messaging 4-53
Lab B: Configuring Client Access Servers for Outlook Web App and Exchange ActiveSync 4-61

Module 5: Managing Message Transport
Lesson 1: Overview of Message Transport 5-3
Lesson 2: Configuring Message Transport 5-16
Lab: Managing Message Transport 5-32

Module 6: Implementing Messaging Security
Lesson 1: Deploying Edge Transport Servers 6-3
Lesson 2: Deploying an Antivirus Solution 6-19
Lab A: Configuring Edge Transport Servers and Forefront Protection 2010 6-27
Lesson 3: Configuring an Anti-Spam Solution 6-31
Lesson 4: Configuring Secure SMTP Messaging 6-44
Lab B: Implementing Anti-Spam Solutions 6-57

Module 7: Implementing High Availability
Lesson 1: Overview of High Availability Options 7-3
Lesson 2: Configuring Highly Available Mailbox Databases 7-8
Lesson 3: Deploying Highly Available Non-Mailbox Servers 7-21
Lab: Implementing High Availability 7-26

Module 8: Implementing Backup and Recovery
Lesson 1: Planning Backup and Recovery 8-3
Lesson 2: Backing Up Exchange Server 2010 8-14
Lesson 3: Restoring Exchange Server 2010 8-25
Lab: Implementing Backup and Recovery 8-37

Module 9: Configuring Messaging Policy and Compliance
Lesson 1: Introducing Messaging Policy and Compliance 9-3
Lesson 2: Configuring Transport Rules 9-7
Lesson 3: Configuring Journaling and Multi-Mailbox Search 9-27
Lab A: Configuring Transport Rules and Journal Rules and Multi-Mailbox Search 9-37
Lesson 4: Configuring Messaging Records Management 9-43
Lesson 5: Configuring Personal Archives 9-56
Lab B: Configuring Messaging Records Management and Personal Archives 9-62

Module 10: Securing Microsoft® Exchange Server 2010
Lesson 1: Configuring Role Based Access Control 10-3
Lesson 2: Configuring Security for Server Roles in Exchange Server 2010 10-20
Lesson 3: Configuring Secure Internet Access 10-24
Lab: Securing Exchange Server 2010 10-38

Module 11: Maintaining Microsoft Exchange Server 2010
Lesson 1: Monitoring Exchange Server 2010 11-3
Lesson 2: Maintaining Exchange Server 2010 11-13
Lesson 3: Troubleshooting Exchange Server 2010 11-20
Lab: Maintaining Exchange Server 2010 11-26

Module 12: Upgrading from Exchange Server 2003 or Exchange Server 2007 to Exchange Server 2010
Lesson 1: Overview of Upgrading to Exchange Server 2010 12-3
Lesson 2: Upgrading from Exchange Server 2003 to Exchange Server 2010 12-10
Lesson 3: Upgrading from Exchange Server 2007 to Exchange Server 2010 12-27

Appendix A: Implementing Unified Messaging
Lesson 1: Overview of Telephony A-3
Lesson 2: Introducing Unified Messaging A-13
Lesson 3: Configuring Unified Messaging A-28
Lab: Implementing Unified Messaging A-39

Appendix B: Advanced Topics in Exchange Server 2010
Lesson 1: Deploying Highly Available Solutions for Multiple Sites B-3
Lesson 2: Implementing Federated Sharing B-9

Lab Answer Keys Appendix



About This Course


This section provides you with a brief description of the course, audience, suggested prerequisites, and
course objectives.

Course Description
This course will provide you with the knowledge and skills to configure and manage a Microsoft®
Exchange Server 2010 messaging environment. This course will teach you how to configure Exchange
Server 2010, as well as provide guidelines, best practices, and considerations that will help you optimize
your Exchange server deployment.

Audience
This course is intended for people aspiring to be enterprise-level messaging administrators. Others who
may take this course include IT generalists and help desk professionals who want to learn about Exchange
Server 2010. People coming into the course are expected to have at least 3 years' experience working in
the IT field—typically in the areas of network administration, help desk, or system administration. They are
not expected to have experience with previous Exchange Server versions.

Student Prerequisites
This course requires that you meet the following prerequisites:
• Experience managing Windows Server® 2003 or Microsoft Windows Server 2008 operating systems.
• Experience with Active Directory® directory services or Active Directory Domain Services (AD DS).
• Fundamental knowledge of network technologies including Domain Name System (DNS) and firewall
technologies.
• Experience managing backup and restore on Windows Servers.
• Experience using Windows management and monitoring tools such as Microsoft Management
Console, Active Directory Users and Computers, Performance Monitor, Event Viewer, and Internet
Information Services (IIS) Administrator.
• Experience using Windows networking and troubleshooting tools such as Network Monitor, Telnet,
and NSLookup.
• Fundamental knowledge of certificates and Public Key Infrastructure (PKI).

Course Objectives
After completing this course, students will be able to:
• Install and deploy Exchange Server 2010.
• Configure Mailbox servers and mailbox server components.
• Manage recipient objects.
• Configure the Client Access server role.
• Manage message transport.
• Configure the secure flow of messages between the Exchange Server organization and the Internet.
• Implement a high availability solution for Mailbox servers and other server roles.
• Plan and implement backup and restore for the server roles.
• Plan and configure messaging policy and compliance.
• Configure Exchange Server permissions and security for internal and external access.
• Monitor and maintain the messaging system.
• Transition an Exchange Server 2003 or Exchange Server 2007 organization to Exchange Server 2010.
• Configure the Unified Messaging Server role and Unified Messaging components.
• Implement high availability across multiple sites and implement Federated Sharing.

Course Outline
This section provides an outline of the course:

Module 1, “Deploying Microsoft® Exchange Server 2010” describes how to prepare for, and perform, an
installation of Exchange Server 2010. This module also provides details on the Exchange Server 2010
deployment.

Module 2, “Configuring Mailbox Servers” describes the Exchange Management Console and Exchange
Management Shell management tools. This module also describes the Mailbox server role, some of the
new Exchange Server 2010 features, and the most common Mailbox server role post-installation tasks. The
module concludes with a discussion about public-folder configuration and usage.

Module 3, “Managing Recipient Objects” describes how you can manage recipient objects, address
policies, and address lists in Exchange Server 2010, and the procedures for performing bulk management
tasks in Exchange Management Shell.

Module 4, “Managing Client Access” describes how to implement the Client Access server role in
Exchange Server 2010.

Module 5, “Managing Message Transport” describes how to manage message transport in Exchange
Server 2010, which includes topics such as components of message transport, how Exchange Server 2010
routes messages, and how you can troubleshoot message-transport issues. Additionally, this module
provides details on deploying the Exchange Server 2010 Hub Transport server.

Module 6, “Implementing Messaging Security” describes how to plan for and deploy an Exchange Server
2010 Edge Transport server role, and the security issues related to the deployment. Additionally, it
describes how to configure secure Simple Mail Transfer Protocol (SMTP) messaging as well as Domain
Security.

Module 7, “Implementing High Availability” describes the high-availability technology built into Exchange
Server 2010 and some of the outside factors that affect highly available solutions. This module provides
details about how to deploy highly available mailbox databases as well as other Exchange Server 2010
server roles.

Module 8, “Implementing Backup and Recovery” describes the Exchange Server 2010 backup and restore
features, and what you should consider when creating a backup plan.

Module 9, “Configuring Messaging Policy and Compliance” describes how to configure the Exchange
Server 2010 messaging policy and compliance features.

Module 10, “Securing Microsoft® Exchange Server 2010” describes how to secure your Exchange Server
deployment by configuring administrative permissions and securing the Exchange Server configuration.

Module 11, “Maintaining Microsoft® Exchange Server 2010” describes how to monitor and maintain
your Exchange Server environment. Additionally, it also describes troubleshooting techniques for fixing
problems that may arise.

Module 12, “Transitioning from Exchange Server 2003 or Exchange Server 2007 to Exchange Server 2010”
describes the options that organizations have when they choose to implement Exchange Server 2010.
Additionally, it describes how to transition an existing Exchange Server 2003 or Exchange Server 2007
organization to Exchange Server 2010.

Appendix A, “Implementing Unified Messaging” describes how Unified Messaging works with your
telephony system and Exchange Server environment, and how to configure Unified Messaging.

Appendix B, “Advanced Topics in Exchange Server 2010” describes how to deploy two advanced
Exchange Server features: highly available Exchange Server across multiple data centers and Federated
Sharing.

Course Materials
The following materials are included with your kit:

• Course Handbook: A succinct classroom learning guide that provides all the critical technical
information in a crisp, tightly-focused format, which is just right for an effective in-class learning
experience.
• Lessons: Guide you through the learning objectives and provide the key points that are critical to
the success of the in-class learning experience.

• Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned
in the module.

• Module Reviews and Takeaways: Provide improved on-the-job reference material to boost
knowledge and skills retention.

• Lab Answer Keys: Provide step-by-step lab solution guidance at your finger tips when it’s
needed.

• Course Companion Content on the http://www.microsoft.com/learning/companionmoc/ Site: Searchable,
easy-to-navigate digital content with integrated premium on-line resources designed to supplement
the Course Handbook.
• Modules: Include companion content, such as questions and answers, detailed demo steps and
additional reading links, for each lesson. Additionally, they include Lab Review questions and answers
and Module Reviews and Takeaways sections, which contain the review questions and answers, best
practices, common issues and troubleshooting tips with answers, and real-world issues and scenarios
with answers.
• Resources: Include well-categorized additional resources that give you immediate access to the most
up-to-date premium content on TechNet, MSDN®, Microsoft Press®

• Student Course files on the http://www.microsoft.com/learning/companionmoc/ Site: Includes the
Allfiles.exe, a self-extracting executable file that contains all the files required for the labs and
demonstrations.

• Course evaluation: At the end of the course, you will have the opportunity to complete an online
evaluation to provide feedback on the course, training facility, and instructor.

• To provide additional comments or feedback on the course, send e-mail to support@mscourseware.com.
To inquire about the Microsoft Certification Program, send e-mail to mcphelp@microsoft.com.

Virtual Machine Environment
This section provides the information for setting up the classroom environment to support the business
scenario of the course.

Virtual Machine Configuration
In this course, you will use Microsoft Virtual Server 2005 R2 with SP1 to perform the labs.

Important: At the end of each lab, you must revert the virtual machine back to the state the virtual
machine was in before the lab started. To revert a virtual machine, perform the following steps:
1. In Hyper-V Manager, right-click the virtual machine name, and then click Revert.
2. In the Revert dialog box, click Yes.

The following table shows the role of each virtual machine used in this course:

Virtual machine                   Role
10135A-NYC-DC1                    Domain controller in the Contoso.com domain
10135A-NYC-SVR1                   Member server in the Contoso.com domain
10135A-NYC-SVR2                   Member server in the Contoso.com domain
10135A-VAN-DC1                    Domain controller in the Adatum.com domain
10135A-VAN-EX1                    Exchange 2010 server in the Adatum.com domain
10135A-VAN-EX2                    Exchange 2010 server in the Adatum.com domain
10135A-VAN-EX3                    Exchange 2010 server in the Adatum.com domain
10135A-VAN-EDG                    Exchange 2010 Edge Transport server
10135A-VAN-CL1                    Client computer in the Adatum.com domain
10135A-VAN-TMG                    Microsoft Forefront Threat Management Gateway server in the Adatum.com domain
10135A-VAN-Exchange Server 2003   Exchange 2010 server in the Adatum.com domain
10135A-VAN-SVR1                   Standalone server

Software Configuration
The following software is installed on each VM:

• Windows Server 2008 R2, Release Candidate build
• Windows 7, Release Candidate build
• Exchange Server 2010, Release Candidate build
• Microsoft Office 2007, Service Pack 2
• Microsoft Forefront® Threat Management Gateway, Beta 3

Classroom Setup
Each classroom computer will have the same virtual machines configured in the same way. All of the
aforementioned virtual machines are deployed on each student computer.

Course Hardware Level
To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment
configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions
(CPLS) classrooms in which Official Microsoft Learning Product courseware is taught.

• Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) processor
• Dual 120 GB hard disks, 7200 RPM SATA or better*
• 8 GB RAM
• DVD drive
• Network adapter
• Super VGA (SVGA) 17-inch monitor
• Microsoft Mouse or compatible pointing device
• Sound card with amplified speakers
*Striped

In addition, the instructor computer must be connected to a projection display device that supports SVGA
1024 x 768 pixels, 16-bit colors.
Deploying Microsoft® Exchange Server 2010 1-1

Module 1
Deploying Microsoft® Exchange Server 2010
Contents:
Lesson 1: Overview of Exchange Server 2010 requirements 1-3
Lesson 2: Installing Exchange Server 2010 Server Roles 1-16
Lab A: Installing Exchange Server 2010 1-32
Lesson 3: Completing an Exchange Server 2010 Installation 1-37
Lab B: Verifying an Exchange Server 2010 Installation 1-46

Module Overview

This module describes how to prepare for, and perform, an installation of Microsoft® Exchange Server
2010. The most important task in preparing for an Exchange Server 2010 installation is to ensure that the
Active Directory® directory services environment is ready. Exchange Server 2010 requires an Active
Directory deployment because Active Directory stores all configuration and recipient information that
Exchange Server uses.
This module also provides details on the Exchange Server 2010 deployment. To install Exchange
Server 2010 properly for your environment, you must be aware of the server roles that Exchange Server
can install. Additionally, you should be aware of the infrastructure, hardware, and software requirements
for introducing Exchange Server 2010 into a messaging environment. Finally, you should know how to
verify, troubleshoot, and secure the installation.

After completing this module, you will be able to:
• Describe the infrastructure requirements to install Exchange Server 2010.
• Install Exchange Server 2010 server roles.
• Complete an Exchange Server 2010 installation.

Lesson 1
Overview of Exchange Server 2010 Requirements

In this lesson, you will review the requirements for installing Exchange Server 2010. The most important
requirement is the Active Directory deployment, but you also must ensure that you implement the
appropriate Domain Name System (DNS) infrastructure. You also should be aware of the Exchange Server
2010 infrastructure requirements when you perform an installation, and when you need to troubleshoot
deployment issues.
After completing this lesson, you will be able to:
• Describe the Active Directory components.
• Describe the Active Directory partitions.
• Describe how Exchange Server 2010 uses Active Directory.
• Describe the DNS requirements for Exchange Server 2010.
• Prepare Active Directory for Exchange Server 2010.
• Describe the integration of Active Directory and Exchange Server 2010.

Discussion: Reviewing Active Directory Components

Key Points
Active Directory is the integrated, distributed directory service that is included with the Windows Server®
2008 R2, Windows Server 2008, Windows Server 2003, and Windows® 2000 Server operating systems.
Many applications, such as Exchange Server 2010, integrate with Active Directory. This creates a link
between user accounts and applications, which enables single sign-on for applications. Additionally, the
Active Directory replication capabilities enable distributed applications to replicate application-
configuration data.

Discussion Questions
Based on your experience, consider the following questions:

Question: What is the definition of a domain?

Question: What is the definition of a forest?

Question: Under what circumstances would an organization deploy multiple domains in the same forest?

Question: Under what circumstances might an organization deploy multiple forests?

Question: What are trusts?

Question: What type of information do domains in a forest share?

Question: What is the functionality of a domain controller?

Question: What is a global catalog server?

Question: What is the definition of an Active Directory site?



Question: What is Active Directory replication?

Question: How do Active Directory sites affect replication?



Reviewing Active Directory Partitions

Key Points
Active Directory information falls into four types of partitions: domain, configuration, schema, and
application. These directory partitions are the replication units in Active Directory.

Domain Partition
A domain partition contains all objects in the domain’s directory. Domain objects replicate to every
domain controller in that domain, and include user and computer accounts, and groups.
A subset of the domain partition replicates to all domain controllers in the forest that are global catalog
servers. If you configure a domain controller as a global catalog server, it holds a complete copy of its own
domain’s objects and a subset of attributes for every domain’s objects in the forest.

Configuration Partition
The configuration partition contains configuration information for Active Directory and applications,
including Active Directory site and site link information. Additionally, some distributed applications and
services store information in the configuration partition. This information replicates through the entire
forest so each domain controller has a replica of the configuration partition.

Schema Partition
The schema partition contains definition information for all object types and their attributes that you can
create in Active Directory. This data is common to all domains in the forest, and Active Directory replicates
it to all domain controllers in the forest. However, only one domain controller maintains a writable copy
of the schema. By default, this domain controller, known as the Schema Master, is the first domain
controller installed in an Active Directory forest.

Application Partitions
Application partitions are created manually, either by an administrator or by an application during its
installation. Application partitions hold the specific data that the application requires. The main benefit of application
partitions is replication flexibility. You can specify the domain controllers that hold a replica of an
application partition, and these domain controllers can include a subset of domain controllers throughout
the forest. Exchange Server 2010 does not use application partitions to store information.

How Exchange Server 2010 Uses Active Directory

Key Points
To ensure proper placement of Active Directory components in relation to computers running Exchange
Server, you must understand how Exchange Server 2010 communicates with Active Directory Domain
Services (AD DS) and uses Active Directory information to function.

Note: The Exchange Server 2010 Edge Transport server role does not use Active Directory to store
configuration information. Instead, the Edge Transport server role uses Active Directory Lightweight
Directory Services (AD LDS). For more details, see Module 6, “Implementing Messaging Security”.

Forests
An Exchange Server organization and an Active Directory forest have a one-to-one relationship. You
cannot have an Exchange Server organization that spans multiple Active Directory forests. You also cannot
have multiple Exchange Server organizations within a single Active Directory forest.

Schema Partition
The Exchange Server 2010 installation process modifies the schema partition to enable the creation of
Exchange Server-specific objects. The installation process also adds Exchange Server-specific attributes to
existing objects.

Configuration Partition
The configuration partition stores configuration information for the Exchange Server 2010 organization.
Because Active Directory replicates the configuration partition among all domain controllers in the forest,
configuration of the Exchange Server 2010 organization replicates throughout the forest.

Domain Partition
The domain partition holds information about recipient objects. This includes mailbox-enabled users, and
mail-enabled users, groups, and contacts. Objects that are mailbox-enabled or mail-enabled have
preconfigured attributes, such as e-mail addresses.

Global Catalog
When you install Exchange Server 2010, the e-mail attributes for mail-enabled and mailbox-enabled
objects replicate to the global catalog. The following is true:
• The global address list is generated from the recipients’ list in an Active Directory forest’s global
catalog.
• Exchange Hub Transport servers access the global catalog to find the location of a recipient mailbox
when delivering messages.
• Exchange Client Access servers access the global catalog server to locate the user Mailbox server and
to display the global address list to Microsoft Office Outlook®, Microsoft Outlook Web App, or
Exchange ActiveSync® clients.

Important: Because of the importance of the global catalog in an Exchange Server organization, you
must deploy at least one global catalog in each Active Directory site that contains an Exchange 2010
server. You must deploy enough global catalog servers to ensure adequate performance.

Note: Windows Server 2008 provides a new type of domain controller—a read-only domain
controller (RODC). Exchange Server 2010 does not use RODCs or RODCs that you configure as global
catalog servers (ROGC). This means that you should not deploy an Exchange 2010 server in any site
that contains only RODCs or ROGCs.

Reviewing DNS Requirements for Exchange Server 2010

Key Points
Each computer running Exchange Server must use DNS to locate Active Directory and global catalog
servers. As a site-aware application, Exchange Server 2010 prefers to communicate with directory servers
that are located in the same site as the computer running Exchange Server.

Role of DNS
Exchange Server services use DNS to locate a valid domain controller or global catalog. By default, each
time a domain controller starts the Netlogon service, it updates DNS with service (SRV) records that
describe it as a domain controller and global catalog server, if applicable.

SRV Resource Records
SRV resource records are DNS records. These records identify servers that provide specific services on the
network. For example, an SRV resource record can contain information to help clients locate a domain
controller in a specific domain or site.

All SRV resource records use a standard format, which consists of several fields. These fields contain
information that AD DS uses to map a service back to the computer that provides the service. SRV
resource records use the following format:

_Service._Protocol.Name Ttl Class SRV Priority Weight Port Target

The SRV records for domain controllers and global catalog servers are registered with several different
variations to allow locating domain controllers and global catalog servers in several different ways. One
option is to register DNS records by site name, which enables computers running Exchange Server to find
domain controllers and global catalog servers in the local Active Directory site. Exchange Server always
performs DNS resource queries for the local Active Directory site first.

Host Records
Host records provide a host name to IP address mapping. Host records are required for each domain
controller and other hosts that need to be accessible to Exchange Servers or client computers. Host
records can use IPv4 (A records) or IPv6 (AAAA records).

MX Records
A Mail Exchanger (MX) record is a resource record that allows servers to locate other servers to deliver
Internet e-mail using the Simple Mail Transfer Protocol (SMTP). An MX record identifies the SMTP server
that will accept inbound messages for a specific DNS domain. Each MX record contains a host name and a
preference value. When you deploy multiple SMTP servers that are accessible from the Internet, you can
assign equal preference values to each MX record to enable load balancing between the SMTP servers.
You also can specify a lower preference value for one of the MX records. All messages are routed through
the SMTP server that has the lower preference-value MX record, unless that server is not available.

Note: In addition to SRV, Host, and MX records, you also may need to configure Sender Policy
Framework (SPF) records to support Sender ID spam filtering. Module 6 provides more information
on SPF records. Additionally, some organizations use reverse lookups as an option for spam filtering,
so you should consider adding reverse lookup records for all SMTP servers that send your
organization’s e-mail.
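The site-first SRV lookup and the MX preference rule described above, worked through in Python as an added example (not part of the course); the zone data, host names, and the Vancouver site name are constructed assumptions:

```python
"""Site-aware DNS record selection of the kind Exchange Server 2010 relies on.

Added example, not course material. The zone data is constructed: SRV records
as Netlogon registers them for domain controllers and global catalog servers,
and MX records for an Internet-facing domain (RFC 2782 and MX preference rules).
"""
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str

@dataclass(frozen=True)
class MxRecord:
    preference: int
    exchange: str

# Constructed SRV data. Names follow the forms Netlogon registers:
#   _ldap._tcp.<Site>._sites.dc._msdcs.<domain>   site-specific DC locator
#   _ldap._tcp.dc._msdcs.<domain>                 domain-wide DC locator
#   _gc._tcp.<Site>._sites.<forest>               site-specific GC locator
#   _gc._tcp.<forest>                             forest-wide GC locator
SRV_ZONE = {
    "_ldap._tcp.Vancouver._sites.dc._msdcs.adatum.com": [
        SrvRecord(0, 100, 389, "dc1.adatum.com"),
    ],
    "_ldap._tcp.dc._msdcs.adatum.com": [
        SrvRecord(0, 100, 389, "dc1.adatum.com"),
        SrvRecord(0, 100, 389, "dc2.adatum.com"),
    ],
    # No global catalog is registered in the Vancouver site, so a GC lookup
    # from that site must fall back to the forest-wide record.
    "_gc._tcp.adatum.com": [
        SrvRecord(0, 100, 3268, "dc2.adatum.com"),
    ],
}

# Constructed MX data: two equal-preference hosts share the load; the third is used only as a fallback.
MX_ZONE = {
    "adatum.com": [
        MxRecord(10, "mail1.adatum.com"),
        MxRecord(10, "mail2.adatum.com"),
        MxRecord(20, "backup.adatum.com"),
    ],
}

def choose_srv(records, rng=random):
    """RFC 2782 selection: only the lowest-priority records are eligible;
    among them, the chance of being chosen is proportional to the weight."""
    if not records:
        return None
    lowest = min(r.priority for r in records)
    group = sorted((r for r in records if r.priority == lowest),
                   key=lambda r: r.weight)
    total = sum(r.weight for r in group)
    if total == 0:
        return rng.choice(group)
    roll = rng.randint(0, total)
    running = 0
    for record in group:
        running += record.weight
        if running >= roll:
            return record

def locate(service, site, domain, forest, zone=SRV_ZONE, rng=random):
    """Site-first lookup as Exchange Server performs it: query the _sites
    name for the local Active Directory site, then the site-independent
    name. Returns (name that answered, chosen record), or (None, None)."""
    if service == "ldap":
        names = [f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}",
                 f"_ldap._tcp.dc._msdcs.{domain}"]
    elif service == "gc":
        names = [f"_gc._tcp.{site}._sites.{forest}", f"_gc._tcp.{forest}"]
    else:
        raise ValueError(f"unsupported service: {service}")
    for name in names:
        chosen = choose_srv(zone.get(name, []), rng)
        if chosen is not None:
            return name, chosen
    return None, None

def mx_delivery_order(mail_domain, unavailable=frozenset(), zone=MX_ZONE,
                      rng=random):
    """Hosts to try, in order: lowest preference value first; hosts sharing
    a preference are shuffled to spread load; hosts known to be down are
    skipped so delivery falls through to the next preference tier."""
    order = []
    for pref in sorted({r.preference for r in zone.get(mail_domain, [])}):
        tier = [r.exchange for r in zone[mail_domain]
                if r.preference == pref and r.exchange not in unavailable]
        rng.shuffle(tier)
        order.extend(tier)
    return order
```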

Preparing Active Directory for Exchange Server 2010

Key Points
To install Exchange Server 2010, you need to run the Exchange Server 2010 setup command to prepare
the Active Directory forest for the installation. You can use the setup command with the following
switches.

Setup switch: /PrepareAD /OrganizationName:“organizationname”
• Prepares the global Exchange Server objects in Active Directory, creates the Exchange Universal
  Security Groups in the root domain, and prepares the current domain
• Must be run by a member of the Enterprise Admins group

Setup switch: /PrepareLegacyExchangePermissions
• Necessary if the organization contains Exchange Server 2003 servers
• Modifies the permissions assigned to the Enterprise Exchange Servers group to allow the Recipient
  Update Service to run
• Must be run by a member of the Enterprise Admins group

Setup switch: /PrepareSchema
• Prepares the schema for the Exchange Server 2010 installation
• Must be run by a member of the Enterprise Admins and Schema Admins groups

Setup switches: /PrepareDomain, /PrepareDomain domainname, /PrepareAllDomains
• Prepares the domain for Exchange Server 2010 by creating a new global group in the Microsoft
  Exchange System Objects container called Exchange Install Domain Servers
• Not required in the domain where /PrepareAD is run
• Can prepare specific domains by adding the domain’s fully qualified domain name (FQDN), or prepare
  all domains in the forest
• Must be run by a member of the Enterprise Admins and Domain Admins groups


Important: You must prepare the Active Directory forest in the same domain and the same site as
the domain controller that hosts the Schema Master role.

Options for Preparing Active Directory
You have the following options when you prepare Active Directory for Exchange Server 2010:
• In an organization that is not running an earlier Exchange Server version, and which has a single
domain in the Active Directory forest, you do not need to prepare Active Directory before installing
the first Exchange server. In this scenario, you can just install Exchange Server 2010, and all of the
Active Directory schema changes are implemented during the install.
• If the user account that you are using to update the schema is a member of the Schema Admins and
the Enterprise Admins group, you do not need to run /PrepareLegacyExchangePermissions and
/PrepareSchema before running /PrepareAD. If your account has the right permissions, the
/PrepareAD process also configures the legacy permissions and makes the required schema changes.

Demonstration: Integration of Active Directory and Exchange Server 2010

Key Points
In this demonstration, you will review the integration of Active Directory and Exchange Server 2010.

Demonstration Steps
1. On a domain controller, open Active Directory Users and Computers.
2. In the Active Directory domain, expand the Microsoft Exchange Security Groups organizational
unit.
3. Review the description and membership of the following Active Directory groups:
• Organization Management
• Recipient Management
• View-Only Organization Management
• Discovery Management
4. Open ADSI Edit, and connect to the domain partition. Review the information in the domain
partition.
5. Connect to the configuration partition. Review the information in the configuration partition, and in
the CN=Services, CN=Microsoft Exchange, CN=Exchangeorganizationname container.
6. Connect to the schema partition. Review the information in the schema partition, and point out the
attributes and class objects that begin with ms-Exch.

Question: How do you assign permissions in your Exchange organization? How will you assign
permissions using the Exchange security groups?

Question: Which Active Directory partition would you expect to contain the following information?
• User’s e-mail address
• Exchange connector for sending e-mail to the Internet
• Exchange Server configuration

Lesson 2
Installing Exchange Server 2010 Server Roles

Before you install Exchange Server 2010, you need to understand the concept of Exchange Server 2010
server roles. Each server role provides a specific set of functionality that an Exchange Server organization
requires.
When you install Exchange Server 2010, you can install all server roles on the same computer, except for
the Edge Transport server role. Alternately, you can distribute the roles across multiple computers. After
you decide which server role to deploy in each Exchange server, you must ensure that the network
infrastructure and servers are ready for the Exchange Server 2010 installation.

After completing this lesson, you will be able to:
• Describe the server roles included in Exchange Server 2010.
• Describe the options for deploying Exchange Server 2010.
• Describe the hardware recommendations for combining server roles in Exchange Server 2010.
• Describe the options for integrating Exchange Server 2010 and Exchange Online Services.
• Describe the infrastructure requirements for installing Exchange Server 2010.
• Describe the server requirements for installing Exchange Server 2010.
• Describe the considerations for deploying Exchange Server 2010 servers as virtual machines.
• Describe the process for installing Exchange Server 2010.
• Describe the options for performing an unattended installation.

Overview of Server Roles in Exchange Server 2010

Key Points
Exchange Server 2010 provides functionality that falls into five separate server roles. When you install
Exchange Server 2010, you can select one or more of these roles for installation on the server. Large
organizations might deploy several servers with each role, whereas a small organization might combine all
server roles except the Edge Transport server role on one computer.

Important: Exchange Server 2010 server roles are a logical grouping of features and components
that perform a specific function in the messaging environment. You can install all server roles, except
the Edge Transport server role, on the same physical computer.

Exchange Server 2010 Server Roles


The following server roles are included in Exchange Server 2010:
• Hub Transport server role. The Hub Transport server role is responsible for message routing. The Hub
Transport server performs message categorization and routing, and handles all messages that pass
through an organization. You must configure at least one Hub Transport server in each Active
Directory site that contains a Mailbox server or a Unified Messaging server, and the server running the
Hub Transport server role must be a member of an Active Directory domain.
• Mailbox server role. The Mailbox server role is responsible for managing mailbox and public folder
databases, and all mailboxes and public folders reside in databases on the Mailbox servers. You can
enable high availability by adding Mailbox servers to a Database Availability Group (DAG). Because
Mailbox servers require Active Directory access, you must install this role on a member server in an
Active Directory domain.
• Edge Transport server role. The Edge Transport server role is the Simple Mail Transfer Protocol
(SMTP) gateway server between your organization and the Internet. To ensure security, you should
deploy the computer that runs the Edge Transport server role in a perimeter network, and it should
not be a member of your internal Active Directory forest. Because the Edge Transport server is not
part of an Active Directory domain, it cannot use Active Directory to store configuration information.
Instead, it uses Active Directory Lightweight Directory Services (AD LDS) on Windows Server 2008
computers to store and access recipient and configuration information.
• Client Access server role. The Client Access server role enables connections from all available client
protocols to the Exchange Server mailboxes. You must assign at least one Client Access server in each
Active Directory site that contains a Mailbox server. Client protocols that connect through a Client
Access server include:
• Messaging Application Programming Interface (MAPI) clients
• Outlook Web App clients
• Post Office Protocol (POP) and Internet Message Access Protocol (IMAP) clients
• Outlook Anywhere, which is known as remote procedure call (RPC) over HTTP in Exchange Server
2003
• Exchange ActiveSync clients

Note: In previous Exchange Server versions, MAPI clients connected directly to the Mailbox servers. In
Exchange Server 2010, all clients, including MAPI clients, connect to the Client Access servers. MAPI
clients still connect directly to Mailbox servers when accessing public folders.

• Unified Messaging server role. The Unified Messaging server role provides the foundation of services
that integrate voice and fax messages into your organization’s messaging infrastructure. This role
requires the presence of three server roles: Hub Transport, Client Access, and Mailbox. The Unified
Messaging server provides access to voice messages and faxes.

Deployment Options for Exchange Server 2010

Key Points
You can deploy the server roles in Exchange Server 2010 in several different scenarios, depending on an
organization’s size and requirements. As an administrator, you must understand these deployment
scenarios when you plan an Exchange Server system.

Exchange Server 2010 Editions


Exchange Server 2010 is available as Standard Edition and Enterprise Edition. The Standard Edition should
meet the messaging needs of small and medium corporations, but also may be suitable for specific server
roles or branch offices. The Enterprise Edition is for large enterprise corporations, and enables you to
create additional databases in addition to providing other advanced features.

Feature | Standard Edition | Enterprise Edition
Database Support | Five databases | 100 databases
Database Storage Limit | No software storage limit; storage limit is hardware dependent | No software storage limit; storage limit is hardware dependent
DAG membership | Supported | Supported

Exchange Server 2010 Client Access Licenses


Exchange Server 2010 has two client-access license (CAL) options:
• Exchange Server Standard CAL. Provides access to e-mail, shared calendaring, Outlook Web App, and
ActiveSync.
• Exchange Server Enterprise CAL. Requires a standard CAL, and provides access to additional features
such as unified messaging, per-user and per-distribution-list journaling, managed custom e-mail
folders, and Forefront® Protection for Exchange Server.

Deployment Scenarios for a Simple Organization


In a small organization, you can install all the server roles—except the Edge Transport server role—on a
single computer. Small organizations might also consider using Exchange Online services.

Deployment Scenarios for a Standard Organization


Medium-sized organizations should consider installing the required services and Exchange server roles on
multiple computers. A typical deployment scenario for a medium-sized organization may include:
• Two domain controllers for each domain.
• Two Exchange servers configured with the Mailbox server role and other server roles, except the Edge
Transport server role.

Note: In Exchange Server 2007, Mailbox servers that were part of a failover cluster could not run
additional Exchange server roles. With Exchange Server 2010, Exchange servers that are part of a DAG
also can host other Exchange server roles, except the Edge Transport server role.

• One Exchange server configured with the Edge Transport server role.

Deployment Scenarios for a Large or Complex Organization


A large or complex organization needs to deploy dedicated servers for each server role, and may have to
deploy multiple servers for each role. A typical deployment scenario for a large organization can include:
• Two domain controllers and global catalog servers for each organizational domain. If the
organization includes multiple Active Directory sites, and you are deploying Exchange servers in a site,
you should deploy global catalog servers in the site.
• One or more Exchange servers configured with the Mailbox server role. You can deploy multiple
Mailbox servers in each Active Directory site.
• One or more Exchange servers dedicated to each of the other server roles. You must deploy at least
one Hub Transport server and Client Access server in each Active Directory site that includes a
Mailbox server.
• If the organization has a smaller branch office, you can deploy multiple Exchange servers hosting all
the server roles except for the Edge Transport server role, and configure the Mailbox servers to be
part of a DAG.
• One or more Exchange servers configured with the Edge Transport server role. Multiple servers
provide redundancy and scalability.

Hardware Recommendations for Combining Server Roles

Key Points
You can install all roles, except the Edge Transport server role, on a single computer. When you design the
hardware configuration for servers on which you install multiple server roles, consider the following
recommendations:
• You should plan for at least two processor cores for a server with multiple server roles. The
recommended number of processor cores is eight, and 24 is the maximum recommended number.
• You should design a server with multiple roles to use half of the available processor cores for the
Mailbox role and the other half for the Client Access and Hub Transport roles.
• You should plan for the following memory configuration for a server with multiple server roles: 8
gigabytes (GB) plus between 2 megabytes (MB) and 10 MB per mailbox. This can vary based on the
user profile and the number of storage groups. We recommend 64 GB as the maximum amount of
memory you need.
• To accommodate the Client Access and Hub Transport server roles on the same server as the Mailbox
server role, you should reduce the number of mailboxes per core that you calculate from the average
client profile by 20 percent.
• You can deploy multiple Exchange server roles on a mailbox server that is a DAG member. This means
that you can provide full redundancy for the Mailbox, Hub Transport, and Client Access server roles
on just two Exchange servers.

Options for Integrating Exchange Server 2010 and Exchange Online Services

Key Points
One deployment option available in Exchange Server 2010 is to integrate your messaging system with
Exchange Online Services. Exchange Online Services is part of the Business Productivity Online services
that Microsoft offers.

Business Productivity Online


Business Productivity Online is a set of Microsoft-hosted messaging and collaboration solutions,
including Microsoft Exchange Online, Microsoft SharePoint® Online, Microsoft Office Live Meeting®, and
Microsoft Office Communications Online. These services are available on a subscription basis.

Exchange Online Services


When you subscribe to Exchange Online Services, you can take advantage of the following features:
• E-mail and calendar functions. Exchange Online delivers e-mail services, including spam filtering,
antivirus protection, and mobile-device synchronization. Through Microsoft Office Outlook® 2007
and Outlook Web App, you can use the advanced e-mail, calendar, contact, and task management
features of Exchange Online.
• E-mail coexistence and migration tools. The Business Productivity Online Standard Suite includes
e-mail coexistence and migration tools. If you have Active Directory directory services and Microsoft
Exchange Server, the Microsoft Online Services Directory Synchronization tool synchronizes your user
accounts, contacts, and groups from your local environment to Microsoft Online Services. This tool
also makes your Microsoft Exchange Global Address List (GAL) available in Exchange Online.

Exchange Online Services and Exchange Server 2010


Exchange Server 2010 provides additional functionality with Exchange Online Services. With Exchange
Server 2010, you can host some of the mailboxes in an internal Exchange organization, which displays as
the On-Premise Exchange organization in the Exchange Management Console. Additionally, you can host
some of your organization’s mailboxes on Exchange Online. You can use the Exchange Management
Console to move mailboxes to the Exchange Online Services and manage those mailboxes.

For more information on Exchange Online Services, refer to the links provided on the CD.

Infrastructure Requirements for Exchange Server 2010

Key Points
Before you deploy Exchange Server 2010 in your organization, you need to ensure that your organization
meets Active Directory and DNS requirements.

Active Directory Requirements


You must meet the following Active Directory requirements before you can install Exchange Server 2010:
• The domain controller that is the schema master must have Windows Server 2003 Service Pack 1
(SP1) or later, Windows Server 2008, or Windows Server 2008 R2 installed. By default, the schema
master runs on the first Windows domain controller installed in a forest.
• In each of the sites where you deploy Exchange Server 2010, at least one global catalog server must
be installed and run Windows Server 2003 SP1 or later, Windows Server 2008, or Windows Server
2008 R2.
• The Active Directory domain and forest functional levels must run Windows Server 2003, at the
minimum.

DNS Requirements
Before you install Exchange Server 2010, you must ensure that your organization meets the following
requirements:
• You must configure DNS correctly in your Active Directory forest. All servers that run Exchange Server
2010 must be able to locate Active Directory domain controllers, global catalog servers, and other
Exchange servers.

Server Requirements for Exchange Server 2010

Key Points
Exchange Server 2010 requires a minimum level of hardware, and specific software, before you can install
it.

Hardware Requirements
You can deploy Exchange Server 2010 only on 64-bit versions of Windows Server 2008 or Windows Server
2008 R2 running on 64-bit hardware.

Resource | Requirement
Processor | x64 architecture-based computer with an Intel processor that supports Intel 64 architecture (formerly known as Intel EM64T), or an AMD processor that supports the AMD64 platform. Intel Itanium IA64 processors are not supported.
Memory | A minimum of 2 GB of system memory, plus 2 to 6 MB per mailbox. This recommendation is based on the number of mailbox databases and the user-usage profile.
Disk | 1.2 GB of disk space for Exchange Server files and 200 MB of free disk space on the system drive.
File system | Drives formatted with the NTFS file system, for all Exchange Server-related volumes.

Important: Exchange Server 2010 is available only in 64-bit versions, which means that you can
install all components, including the Exchange Management tools, only on 64-bit operating systems.

Exchange Server 2010 Prerequisite Software


All Exchange Server 2010 servers must have the following software installed:
• Active Directory Domain Services (AD DS) management tools, which are required on all Exchange
Server 2010 servers, except for Edge Transport servers
• Microsoft .NET Framework 3.5 (SP1) or later
• Windows Remote Management (WinRM)
• Windows PowerShell™ Version 2

Important: The Net.Tcp Port Sharing Service must be configured to start automatically before
starting the Exchange server installation.

Server Role Installation Requirements


Each server role in Exchange Server 2010 has slightly different installation requirements. All server roles,
except for the Edge Transport server role, require some Web Server components, such as Internet
Information Services (IIS).

Considerations for Deploying Exchange Server 2010 as a Virtual Machine

Key Points
One option with Exchange Server 2010 is to deploy the servers as virtual machines.

Benefits of Using Virtual Machines


Deploying Exchange Server 2010 servers as virtual machines provides the same advantages as deploying
other servers as virtual machines. You can deploy all Exchange Server 2010 server roles as virtual
machines, except for the Unified Messaging server role.
The benefits of deploying Exchange Servers as virtual machines include:
• Increases hardware utilization and decreases the number of physical servers. In many organizations,
the servers deployed in data centers have very low hardware utilization.
• Deploying Exchange Servers as virtual machines provides server-management options that are not
available for physical servers. Because virtual machines are just a set of files, you may have additional
management options with virtual machines. For example, to increase a virtual machine’s hardware
level, you can assign more of the host resources to the virtual machine, or move the virtual machine
files to a more powerful host server.

Note: Microsoft supports Exchange Server 2010 running as virtual machines for all virtualization
vendors that are validated through the Windows Server Virtualization Validation Program. See
http://go.microsoft.com/fwlink/?LinkId=179865 for details.

Considerations for Deploying Exchange Server 2010 Servers as Virtual Machines


While running Exchange Server 2010 as a virtual machine provides some benefits, you also should
consider the following issues:
• Exchange servers can be designed to ensure that the servers fully utilize the available hardware.
For example, in a large organization, you can deploy several thousand mailboxes to a Mailbox server
or deploy a Client Access server with sufficient client connections so that your organization fully
utilizes all hardware resources.
• One of the benefits of running virtual machines is that you can configure high availability within the
virtual machine environment. For example, you can deploy Quick Migration in Windows Server 2008
Hyper-V™ or Live Migration in Windows Server 2008 R2 Hyper-V. However, Microsoft does not
support combining DAGs with a virtual machine-based high availability solution. If you require high
availability for Exchange servers, you should use the Exchange Server 2010 DAG solution.
• The storage used by the Exchange Server guest machine can be virtual storage of a fixed size, SCSI
pass-through storage, or Internet SCSI (iSCSI) storage. Pass-through storage is storage that is
configured at the host level and dedicated to one guest machine. To provide the best performance
for Exchange server storage, use either pass-through disks or fixed-size virtual disks.
• Running Exchange servers as virtual machines can complicate performance monitoring. The
performance data between the host and virtual machine is not consistent because the virtual machine
uses only some part of the host’s resources.
• One of the most common performance bottlenecks for Mailbox servers is network input/output (I/O).
When you run Mailbox servers in a virtual environment, the virtual machines have to share this I/O
bandwidth with the host machine and other virtual machine servers deployed on the same host. A
heavily utilized Mailbox server can consume all of the available I/O bandwidth, which makes it
impractical to host additional virtual machines on the physical server.
• If you are planning to deploy Exchange Server 2010 as a virtual machine, ensure that you plan the
virtual hardware requirements carefully. You must assign the same hardware resources to the
Exchange Server virtual machine as you would assign to a physical server running the same workload.

Process for Installing Exchange Server 2010

Key Points
The Exchange Server 2010 graphical setup program guides you through the installation process. The
following steps provide a high-level installation overview:
1. Install the prerequisite software. If you install Exchange Server on Windows Server 2008 R2, the
correct versions of Windows PowerShell and Windows Remote Management are installed already.
2. To start the installation, run setup.exe from the installation source. The Setup program checks to
ensure that the correct software is installed on the computer.
3. After you finish installing all the required software, you can proceed with the installation of Exchange
Server 2010.
4. Exchange Server 2010 provides the option to install additional language packs that will enable the
management tools to display in languages other than English. You can choose to install the language
packs during the installation.
5. The Installation Type page of the wizard presents you with the option to perform a Typical
Exchange Server Installation or a Custom Exchange Server Installation. The typical installation
option installs the Hub Transport server role, the Client Access server role, the Mailbox server role,
and the Exchange Management tools. The custom installation option allows you to choose the roles
you want to install.

6. If this is the first Exchange Server 2010 server in the deployment, and you do not run setup
/PrepareAD, you are prompted for the Exchange organization name.
7. If you chose the Mailbox server role, the Exchange Setup program prompts you if you have any Office
Outlook 2003 or Entourage clients in the organization. If you choose Yes, Exchange Setup creates the
public folders required by these clients for the offline address book and for sharing calendar
information.
8. If you choose to install the Client Access server role, you also can configure the external domain name
for the Client Access server. Clients use this external domain name to connect to the server from the
Internet.
Note: Exchange Server 2010 supports Office Outlook 2003 SP1 or later clients. The only Entourage
version supported by Exchange Server 2010 is Entourage 2008, Web Services Edition. This version of
Entourage requires public folders.

Unattended Installation Options

Key Points
You can use the command line to perform an unattended Exchange Server 2010 installation. When you
use the command line, you can use parameters to install specified roles or configure other setup options.

Note: To run an unattended installation with setup parameters, you must run setup.com or setup
rather than setup.exe. To see all the parameters available for use with setup.com, run the command
with the /? parameter.

The syntax for this command is:

Setup.com [/roles:<roles to install>] [/mode:<setup mode>] [/console] [/?] [/targetdir:<destination folder>] [/prepareAD] [/domaincontroller]

For example, if you want to install Exchange Server 2010 into the default path, and specify the roles of
Hub Transport, Client Access, and Mailbox, you would enter the command:

Setup.com /r:H,M,C

Lab A: Installing Exchange Server 2010

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:

1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. In Hyper-V Manager, click 10135A-NYC-DC1, and in the Actions pane, click Start.
• 10135A-NYC-DC1: Domain controller in the Contoso.com domain.
3. In the Actions pane, click Connect. Click the CTRL+ALT+DELETE button in the top-left corner of the
Virtual Machine Connection window.
4. Log on using the following credentials:
• User name: Administrator
• Password: Pa$$w0rd
• Domain: Contoso
5. Repeat these steps to start, and log on to, the 10135A-NYC-SVR2 virtual machine.
• 10135A-NYC-SVR2: Member server in the Contoso.com domain.

Lab Scenario
You are working as a messaging administrator in Contoso Ltd. Your organization is preparing to install its
first Exchange Server 2010 server. Contoso Ltd. is a large multinational organization that includes offices
in Seattle, Washington, in the United States, and in Tokyo, Japan.

Contoso Ltd. does not have a previous version of Exchange Server deployed so you do not have to
upgrade a previous messaging system. Before installing Exchange Server 2010, you must verify that the
Active Directory environment is ready for the installation. You also must verify that all computers that will
run Exchange Server 2010 meet the prerequisites for installing Exchange.

Exercise 1: Evaluating Requirements for an Exchange Server Installation


Scenario
The Active Directory administrators at Contoso Ltd. are testing the Exchange Server 2010 deployment by
deploying a domain controller in a test environment. The server administration team has deployed a
Windows Server 2008 R2 server that you can use to deploy the first Exchange Server 2010 server in the
test organization.

You need to verify that the Active Directory environment and the server meet all prerequisites for
installing Exchange Server 2010. Use the following checklist to verify that the prerequisites are met.

Prerequisite | Achieved?
Active Directory domain controllers: Windows Server 2003 SP2 or later | Yes or No
Active Directory domain and forest functional level: Windows Server 2003 or higher | Yes or No
DNS requirements | Yes or No
Exchange Server 2010 schema changes | Yes or No
Active Directory Domain Services (AD DS) management tools | Yes or No
Microsoft .NET Framework 3.5 or later | Yes or No
Windows Remote Management (WinRM) | Yes or No
Windows PowerShell Version 2 | Yes or No
2007 Office System Converter: Microsoft Filter Pack | Yes or No
Web Server (IIS) server role along with the following role services | Yes or No
  • ISAPI Extensions
  • IIS 6 Metabase Compatibility
  • IIS 6 Management Console
  • Basic Authentication
  • Windows Authentication
  • Digest Authentication
  • Dynamic Content Compression
  • .NET Extensibility
Windows Server 2008 features | Yes or No
  • WCF HTTP Activation
  • RPC over HTTP Proxy

The main tasks for this exercise are as follows:
1. Evaluate the Active Directory requirements.
2. Evaluate the DNS requirements.
3. Evaluate the server requirements.

Task 1: Evaluate the Active Directory requirements


1. On NYC-DC1, evaluate whether the domain controller requirements are met.
2. Evaluate whether the domain and forest functional level requirements are met.
3. Use Adsiedit.msc to evaluate whether the Exchange schema changes are applied.

Task 2: Evaluate the DNS requirements


• On NYC-SVR2, use Ipconfig, Ping, and NSLookup to evaluate DNS name resolution functionality.
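The Active Directory and DNS checks from Lesson 2 (schema master operating system, global catalog in the site, functional levels, Exchange schema extensions, and name resolution for domain controllers) can be scripted, which makes Task 1 and Task 2 repeatable and leaves a record. The script below is an added example and is not part of course 10135A or the Exchange product. It assumes it runs under PowerShell 2.0 on a domain-joined Windows Server 2008 R2 computer such as NYC-SVR2; it uses only .NET directory classes and the nslookup and ping-style tools named in Task 2, so no Exchange cmdlets are needed. The schema check counts objects whose name starts with ms-Exch, which is the same evidence the Adsiedit.msc walkthrough points out.

```powershell
# Added example (not part of course 10135A): check the Active Directory and DNS
# prerequisites from Lesson 2 before you run Exchange Server 2010 Setup.
# Assumptions: domain-joined Windows Server 2008 R2 computer (for example NYC-SVR2),
# PowerShell 2.0, no Exchange cmdlets required.

$script:Results = @()

function Add-Result([string]$Check, [bool]$Passed, [string]$Detail) {
    $script:Results += New-Object PSObject -Property @{
        Check = $Check; Passed = $Passed; Detail = $Detail
    }
}

function Test-AdRequirements {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

    # Forest and domain functional level must be Windows Server 2003 at a minimum.
    $forestOk = $forest.ForestMode -ge [System.DirectoryServices.ActiveDirectory.ForestMode]::Windows2003Forest
    Add-Result 'Forest functional level >= Windows Server 2003' $forestOk "ForestMode = $($forest.ForestMode)"
    $domainOk = $domain.DomainMode -ge [System.DirectoryServices.ActiveDirectory.DomainMode]::Windows2003Domain
    Add-Result 'Domain functional level >= Windows Server 2003' $domainOk "DomainMode = $($domain.DomainMode)"

    # Schema master operating system. OSVersion does not include the service pack,
    # so a Windows Server 2003 result still needs a manual SP1 check.
    $schemaMaster = $forest.SchemaRoleOwner
    $osOk = $schemaMaster.OSVersion -match 'Windows Server 2008|Windows Server 2003'
    Add-Result 'Schema master OS supported' $osOk "$($schemaMaster.Name): $($schemaMaster.OSVersion)"

    # At least one global catalog server in the site this computer belongs to.
    $site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite()
    $gcNames = @($site.GlobalCatalogServers | ForEach-Object { $_.Name })
    Add-Result "Global catalog in site $($site.Name)" ($gcNames.Count -gt 0) ($gcNames -join ', ')

    # Exchange schema changes: after setup /PrepareSchema or /PrepareAD the schema
    # partition contains attribute and class objects whose names begin with ms-Exch.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schemaNc = [string]$rootDse.schemaNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$schemaNc")
    $searcher.Filter   = '(cn=ms-Exch*)'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.Add('cn')
    $count = $searcher.FindAll().Count
    Add-Result 'Exchange schema extensions present' ($count -gt 0) "$count ms-Exch* schema objects"
}

function Test-DnsRequirements {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $forestName = $domain.Forest.Name

    # SRV records used to locate domain controllers and global catalog servers.
    # nslookup is used because Resolve-DnsName does not exist on Windows Server 2008 R2;
    # a successful SRV answer contains a "svr hostname" line.
    $srvRecords = @("_ldap._tcp.dc._msdcs.$($domain.Name)", "_gc._tcp.$forestName")
    foreach ($srv in $srvRecords) {
        $output = & nslookup -type=SRV $srv 2>&1 | Out-String
        $hit = ($output -split "`n" | Where-Object { $_ -match 'svr hostname' } | Select-Object -First 1)
        Add-Result "SRV record $srv" ($hit -ne $null) (("" + $hit).Trim())
    }

    # Every domain controller must resolve by name and answer a ping.
    foreach ($dc in $domain.DomainControllers) {
        try {
            $addrs = [System.Net.Dns]::GetHostAddresses($dc.Name) | ForEach-Object { $_.IPAddressToString }
            $reachable = [bool](Test-Connection -ComputerName $dc.Name -Count 1 -Quiet)
            Add-Result "Resolve and ping $($dc.Name)" $reachable ($addrs -join ', ')
        } catch {
            Add-Result "Resolve and ping $($dc.Name)" $false $_.Exception.Message
        }
    }
}

Test-AdRequirements
Test-DnsRequirements
$script:Results | Format-Table Check, Passed, Detail -AutoSize
if ($script:Results | Where-Object { -not $_.Passed }) {
    Write-Warning 'One or more prerequisites are not met; resolve them before running Setup.'
}
```

Run it from an elevated prompt before Setup, and keep the table output with the lab checklist. A "False" in the schema row on the first server is expected until setup /PrepareAD has run; a "False" in any SRV or ping row means Setup will later fail to contact Active Directory and should be fixed first.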

Task 3: Evaluate the server requirements


1. On NYC-SVR2, evaluate whether the required Windows Server 2008 features, including the required
AD DS administration tools, are installed.
2. Evaluate whether the Microsoft Internet Information Services (IIS) components are installed.
3. Evaluate whether the prerequisite software is installed.

Results: After this exercise, you should have evaluated whether your organization meets the Active
Directory, DNS, and server requirements for installing Exchange Server 2010. You should have
identified the additional components that need to be installed or configured to meet the
requirements.

Exercise 2: Preparing for an Exchange Server 2010 Installation


Scenario
Now that you have identified which prerequisites are not met in the current AD DS and server
configuration, you need to update the environment to meet them.

The main tasks for this exercise are as follows:
1. Install the Windows Server 2008 server roles and features.
2. Prepare AD DS for the Exchange Server 2010 installation.

Task 1: Install the Windows Server 2008 server roles and features
1. On NYC-SVR2, in Server Manager, install the prerequisite server roles and features for Exchange
Server 2010.
2. Configure the Net.Tcp Port Sharing Service to start Automatically.
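The server checklist from Exercise 1 (Task 3) and the two steps of this task map directly onto Windows features, services and registry keys that can be checked from PowerShell. The script below is an added example, not course 10135A material or Exchange product code. It assumes an elevated PowerShell 2.0 session on Windows Server 2008 R2 (NYC-SVR2) where the ServerManager module is available, and the default installation path C:\Program Files\Microsoft\Exchange Server\V14 for the disk-space check; the Add-WindowsFeature identifiers are the ones commonly used for these role services and should be confirmed with Get-WindowsFeature on your system. Without -Fix it only reports; with -Fix it installs missing features and sets the Net.Tcp Port Sharing Service to start automatically.

```powershell
# Added example (not part of course 10135A): check, and optionally fix, the server
# prerequisites from Lesson 2 on a Windows Server 2008 R2 computer such as NYC-SVR2.
# Assumptions: elevated PowerShell 2.0, ServerManager module available, default
# Exchange installation path on C:.
param([switch]$Fix)   # -Fix installs missing features and sets Net.Tcp Port Sharing to Automatic

Import-Module ServerManager

# Role services and features behind the Exercise 1 checklist. Assumption: these are
# the Add-WindowsFeature names for those components; confirm with Get-WindowsFeature.
$requiredFeatures = @(
    'RSAT-ADDS',               # AD DS management tools
    'Web-Server',              # Web Server (IIS)
    'Web-ISAPI-Ext',           # ISAPI Extensions
    'Web-Metabase',            # IIS 6 Metabase Compatibility
    'Web-Lgcy-Mgmt-Console',   # IIS 6 Management Console
    'Web-Basic-Auth', 'Web-Windows-Auth', 'Web-Digest-Auth',
    'Web-Dyn-Compression',     # Dynamic Content Compression
    'Web-Net-Ext',             # .NET Extensibility
    'NET-HTTP-Activation',     # WCF HTTP Activation
    'RPC-over-HTTP-proxy'      # RPC over HTTP Proxy (Outlook Anywhere)
)

$problems = @()

# Exchange Server 2010 ships only as 64-bit binaries.
if ([IntPtr]::Size -ne 8) { $problems += 'Operating system is not 64-bit' }

# .NET Framework 3.5 SP1 or later, read from the key the .NET installer writes.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5' -ErrorAction SilentlyContinue
if (-not $ndp -or $ndp.Install -ne 1 -or $ndp.SP -lt 1) { $problems += '.NET Framework 3.5 SP1 not installed' }

# Windows PowerShell 2.0 and Windows Remote Management.
if (-not $PSVersionTable -or $PSVersionTable.PSVersion.Major -lt 2) { $problems += 'Windows PowerShell 2.0 not installed' }
if (-not (Get-Service WinRM -ErrorAction SilentlyContinue)) { $problems += 'WinRM service not present' }

# The Net.Tcp Port Sharing Service must start automatically or Setup stops.
$portSharing = Get-WmiObject Win32_Service -Filter "Name='NetTcpPortSharing'"
if (-not $portSharing) {
    $problems += 'Net.Tcp Port Sharing Service not present (install the .NET Framework 3.5 features)'
} elseif ($portSharing.StartMode -ne 'Auto') {
    if ($Fix) { Set-Service -Name NetTcpPortSharing -StartupType Automatic }
    else      { $problems += "Net.Tcp Port Sharing Service start mode is $($portSharing.StartMode), not Automatic" }
}

# 2007 Office System Converter: Microsoft Filter Pack, located through the Uninstall keys.
$filterPack = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' |
    ForEach-Object { (Get-ItemProperty $_.PSPath).DisplayName } |
    Where-Object { $_ -like '*Filter Pack*' }
if (-not $filterPack) { $problems += 'Microsoft Filter Pack not installed' }

# Disk space: 1.2 GB for the Exchange files plus 200 MB free on the system drive.
$targetDrive = 'C:'               # assumption: default installation path
$systemDrive = $env:SystemDrive
$free = @{}
Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3' | ForEach-Object { $free[$_.DeviceID] = $_.FreeSpace }
if ($free[$targetDrive] -lt 1.2GB) { $problems += "Less than 1.2 GB free on $targetDrive" }
if ($free[$systemDrive] -lt 200MB) { $problems += "Less than 200 MB free on $systemDrive" }

# Windows features and IIS role services.
$missing = @(Get-WindowsFeature $requiredFeatures | Where-Object { -not $_.Installed } | ForEach-Object { $_.Name })
if ($missing.Count -gt 0) {
    if ($Fix) { Add-WindowsFeature $missing | Out-Null }
    else      { $problems += "Missing Windows features: $($missing -join ', ')" }
}

if ($problems.Count -eq 0) { Write-Host 'All checked server prerequisites are met.' }
else { $problems | ForEach-Object { Write-Warning $_ } }
```

Running the report first and the -Fix pass second gives a before-and-after record of what the server was missing, which is useful when the same server is rebuilt or when Setup later complains about a prerequisite.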

Task 2: Prepare AD DS for the Exchange Server 2010 installation


1. In Hyper-V Manager, connect C:\Program Files\Microsoft Learning\10135\Drives\EXCH201064.iso as the
DVD drive for NYC-SVR2.
2. From a command prompt, run the Exchange Server setup program with the /PrepareAD parameter.
Configure an Exchange organization name of Contoso.

Results: After this exercise, you should have prepared the Active Directory and server configuration
for the Exchange Server 2010 installation.
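The Setup.com syntax from the Unattended Installation Options topic and the /PrepareAD step in Task 2 above can be wrapped in a script that validates the role list, runs the preparation and installation in order, and stops on a non-zero exit code instead of continuing blindly. This is an added example, not course 10135A material or the Exchange Setup program itself. It assumes the installation media is mounted as drive D:, that the server has already passed the prerequisite checks, and that the role abbreviations are the single-letter forms shown on the page (H, M, C) plus E, U and T with their two-letter equivalents; /OrganizationName is the Setup parameter that supplies the organization name requested in Task 2.

```powershell
# Added example (not part of course 10135A): run Exchange Server 2010 Setup.com
# unattended, following the Setup.com syntax from the Unattended Installation Options
# topic and the /PrepareAD step in Exercise 2. Assumptions: installation media mounted
# as D:, prerequisites already met, account is a member of Schema Admins and
# Enterprise Admins when -PrepareAD is used.
param(
    [string]$SetupPath = 'D:\Setup.com',
    [string]$Roles = 'H,M,C',            # same roles as a Typical installation
    [switch]$PrepareAD,                  # first Exchange Server 2010 server in the forest only
    [string]$OrganizationName = 'Contoso',
    [string]$TargetDir                   # omit to install into the default path
)

# Role abbreviations accepted by /roles (assumption: H/HT, C/CA, M/MB, E/ET, U/UM, T/MT).
$validRoles = 'H','HT','C','CA','M','MB','E','ET','U','UM','T','MT'

function Test-RoleList([string]$RoleList) {
    $list = @($RoleList.Split(',') | ForEach-Object { $_.Trim().ToUpper() })
    foreach ($r in $list) {
        if ($validRoles -notcontains $r) { throw "Unknown role abbreviation '$r' in '$RoleList'" }
    }
    # The Edge Transport role cannot share a server with any other server role.
    $edge  = @($list | Where-Object { $_ -eq 'E' -or $_ -eq 'ET' })
    $other = @($list | Where-Object { 'E','ET','T','MT' -notcontains $_ })
    if ($edge.Count -gt 0 -and $other.Count -gt 0) {
        throw 'The Edge Transport role cannot be installed together with other server roles'
    }
}

function Invoke-ExchangeSetup([string[]]$Arguments) {
    Write-Host "Running: $SetupPath $($Arguments -join ' ')"
    & $SetupPath $Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "Setup.com returned exit code $LASTEXITCODE; review C:\ExchangeSetupLogs\ExchangeSetup.log"
    }
}

if (-not (Test-Path $SetupPath)) { throw "Setup.com not found at $SetupPath" }
Test-RoleList $Roles

# Step 1 (first server only): extend the schema and create the organization container.
if ($PrepareAD) {
    Invoke-ExchangeSetup @('/PrepareAD', "/OrganizationName:$OrganizationName")
}

# Step 2: install the requested roles; /targetdir is added only when a path is supplied.
$installArgs = @('/mode:Install', "/roles:$Roles")
if ($TargetDir) { $installArgs += "/targetdir:$TargetDir" }
Invoke-ExchangeSetup $installArgs
Write-Host 'Setup completed; verify the installation before placing the server into service.'
```

For the lab, the equivalent of Task 2 is `.\Install-Exchange.ps1 -PrepareAD -OrganizationName Contoso -Roles H,M,C` (the script file name is an assumption). Keeping the preparation and installation in one script with exit-code checks means a failed /PrepareAD is never followed by a role installation against an unprepared forest.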

Exercise 3: Installing Exchange Server 2010


Scenario
After you prepare the environment, continue with the Exchange Server 2010 server installation.

The main task for this exercise is as follows:
• Install Microsoft Exchange Server 2010.

Task 1: Install Microsoft Exchange Server 2010


1. Start the Exchange Server 2010 installation.
2. Choose to install only the languages on the DVD.
3. Perform a Typical Exchange Server Installation.
4. Choose to enable access for Outlook 2003 or Entourage clients.

Results: After this exercise, you should have installed Exchange Server 2010.

Lesson 3
Completing an Exchange Server 2010 Installation

After you install the necessary server roles in Exchange Server 2010, you should verify the installation and
perform post-installation tasks, including securing Exchange Server 2010 and installing additional
third-party software, if necessary. This lesson describes the post-installation tasks that you should perform.
After completing this lesson, you will be able to:
• Verify an Exchange Server 2010 installation.
• Verify an Exchange Server 2010 deployment.
• Describe how to troubleshoot an Exchange Server 2010 installation.
• Describe how to finalize an Exchange Server 2010 installation.

Demonstration: Verifying an Exchange Server 2010 Installation

Key Points
If all prerequisites are met, the Exchange Server installation should complete successfully. However, you
should verify that the installation was successful.

Demonstration Steps
1. On VAN-EX1, open the Services management console, and review the Microsoft Exchange services
that were added during the installation.
2. Open Windows Explorer, and browse to C:\ExchangeSetupLogs.
3. Review the contents of the ExchangeSetup.log file.
4. Describe some of the other files in this folder.
5. Browse to C:\Program Files\Microsoft\Exchange Server\V14. Describe the contents of the folders
in this location.
6. Open the Exchange Management Console.
7. Under Server Configuration, verify that the server that you installed is listed.
8. Click Toolbox and review the installed tools.
9. In the left pane, click Recipient Configuration. Create a new mailbox.
10. Open Internet Explorer®, and connect to the Outlook Web App site on a Client Access server. Log on
using the credentials for the new mailbox that you created.
11. Send an e-mail to the mailbox that you created. Verify the message’s delivery.

Additional Tests to Verify Installation


After the Exchange Server 2010 installation finishes, you also can take the following steps to verify that the
installation was successful:
• Check the Exchange setup log files. The installation process creates several log files in the
C:\ExchangeSetupLogs directory. Review the setup logs for errors that occurred during installation.
• Ensure that the Exchange Management Console opens and displays the installed Exchange server.
• Create a user account with a mailbox and connect to that mailbox using an Office Outlook client or
Outlook Web App.
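The demonstration steps and the additional tests above (setup log review, Exchange services, the server object in the console, a test mailbox and a delivered message) can be checked from the Exchange Management Shell in one pass. The script below is an added example, not course 10135A material or part of Exchange. It assumes it runs on the newly installed server (VAN-EX1 in the demonstration) as an Exchange administrator, that the default log location C:\ExchangeSetupLogs\ExchangeSetup.log is in use, that Setup tags its error entries with "[ERROR]", and that the mailbox address passed in $TestRecipient is a placeholder for the mailbox you created and sent a message to in steps 9 to 11.

```powershell
# Added example (not part of course 10135A): verify a fresh Exchange Server 2010
# installation from the Exchange Management Shell. Assumptions: run on the new server
# as an Exchange administrator; $TestRecipient is a placeholder for a mailbox you
# created and sent a message to; Setup marks error lines in its log with [ERROR].
param([string]$TestRecipient = 'testuser@contoso.com')   # placeholder address

$logPath = 'C:\ExchangeSetupLogs\ExchangeSetup.log'

# 1. Setup log: return the lines Setup classified as errors.
function Get-SetupLogErrors {
    if (-not (Test-Path $logPath)) { throw "Setup log not found at $logPath" }
    Select-String -Path $logPath -Pattern '\[ERROR\]' | ForEach-Object { $_.Line }
}

# 2. Services: every Microsoft Exchange service set to Automatic must be running.
function Get-StoppedExchangeServices {
    Get-WmiObject Win32_Service -Filter "Name LIKE 'MSExchange%' AND StartMode='Auto'" |
        Where-Object { $_.State -ne 'Running' } | ForEach-Object { $_.Name }
}

# 3. Server object in Active Directory, as the Exchange Management Console lists it.
function Get-InstalledServerInfo {
    Get-ExchangeServer -Identity $env:COMPUTERNAME |
        Select-Object Name, ServerRole, Edition, AdminDisplayVersion
}

# 4. Delivery: the message tracking log holds a DELIVER event for the test message.
function Test-MessageDelivered([string]$Recipient, [int]$HoursBack = 1) {
    $events = Get-MessageTrackingLog -Server $env:COMPUTERNAME -EventId DELIVER `
        -Recipients $Recipient -Start (Get-Date).AddHours(-$HoursBack)
    return (@($events).Count -gt 0)
}

$errors = @(Get-SetupLogErrors)
if ($errors.Count -gt 0) {
    Write-Warning "$($errors.Count) error lines in $logPath (first five shown)"
    $errors | Select-Object -First 5
} else {
    Write-Host 'No [ERROR] lines in the setup log.'
}

$stopped = @(Get-StoppedExchangeServices)
if ($stopped.Count -gt 0) { Write-Warning "Exchange services not running: $($stopped -join ', ')" }
else { Write-Host 'All automatic Microsoft Exchange services are running.' }

Get-InstalledServerInfo | Format-List

# Test-ServiceHealth lists the services each installed role requires; Test-MAPIConnectivity
# logs on to the system mailbox of every mailbox database on this server.
Test-ServiceHealth | Format-Table Role, RequiredServicesRunning, ServicesNotRunning -AutoSize
Test-MAPIConnectivity -Server $env:COMPUTERNAME | Format-Table Database, Result, Latency -AutoSize

if (Test-MessageDelivered $TestRecipient) { Write-Host "Message to $TestRecipient was delivered." }
else { Write-Warning "No DELIVER event for $TestRecipient in the last hour; send a test message first." }
```

Keep the output of this script with the server's build record: a clean setup log, all automatic services running, a Success result from Test-MAPIConnectivity on each database and a DELIVER event for the test message together cover every verification step the demonstration performs by hand.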

For more information: For detailed information about each of the log files created during the
installation, see Exchange Server Help.

Demonstration: Verifying the Exchange Server 2010 Deployment

Key Points
The Microsoft Exchange Server Best Practices Analyzer Tool automatically examines an Exchange Server
deployment and determines whether the configuration meets Microsoft best practices. Microsoft
periodically updates the definitions that the Exchange Server Best Practices Analyzer uses, so they
typically reflect the latest Microsoft best practices recommendations. We recommend running the
Exchange Server Best Practices Analyzer after you install a new Exchange server, upgrade an existing
Exchange server, or make configuration changes. You can find the Exchange Server Best Practices
Analyzer in the Toolbox node of the Exchange Management Console.

In this demonstration, your instructor will run the Exchange Server Best Practices Analyzer and review the
generated reports.

Note: For more information about the Exchange Server Best Practices Analyzer, view the Exchange
Server Best Practices Analyzer Help that is available with the Exchange Server Best Practices Analyzer
Tool.

Demonstration Steps
1. On VAN-EX1, open Exchange Management Console, and click Toolbox.
2. Start the Best Practices Analyzer, and clear the options to check for updates and to join the
customer improvement program. Go to the Welcome page.
3. Start a new scan. Choose to perform a Health Check scan to scan the server that you just installed.
4. When the scan finishes, view the following tabs and reports:
• Critical Issues
• All Issues
• Recent Changes
• Informational Items
• Tree reports
• Other reports

Troubleshooting an Exchange Server 2010 Installation

Key Points
The Exchange Server installation should complete successfully if you meet all prerequisites. However, if the
installation does not complete properly, it is important for you to follow a consistent troubleshooting
process.

Troubleshooting Process
Each time you troubleshoot any application or service, you should follow a consistent process, as this
ensures that you do not miss steps and that problems are resolved quickly.

Potential Problems and Resolutions


Some common installation problems and solutions are:
• Net.TCP Port Sharing Service not set to start automatically. You must set this service to start
automatically.
• Insufficient disk space. Your server might not have the necessary disk space to install Exchange Server
2010. To resolve this, either increase your server’s disk space or remove unnecessary files to create
more free space.
• Missing software components. Your server might not have all of the required software components
for the server roles you want to implement. To resolve this, determine the required software
components, download them if necessary, and install them.
• Incorrect DNS configuration. Exchange Server 2010 relies on global catalog servers to perform many
operations, and uses DNS to find global catalog servers. If the DNS configuration is incorrect, your
server might not be able to find a global catalog server. To verify the problem, use the dcdiag tool. To
resolve the problem, ensure that the Exchange server and domain controllers are all using the
appropriate internal DNS servers.
• Incorrect domain functional level. All domains with Exchange Server 2010 recipients or servers must
be at Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003 functional level. To
resolve this problem, raise the domain functional level to the appropriate functional level.
• Insufficient Active Directory permissions. When you install Exchange Server 2010, you need sufficient
permissions to extend the Active Directory schema and modify the Active Directory configuration
partition. To perform the initial schema extension, you must be a member of the Enterprise Admins
and Schema Admins groups.
• Insufficient Exchange permissions. To install Exchange Server 2010 into an existing organization, you
must be a member of the Exchange Admins group. You also must run Setup.exe with the
/PrepareLegacyExchangePermissions switch. Wait for replication throughout the Exchange Server
organization before you continue.
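The following script is an added example and is not part of the course material; it checks the installation blockers listed above on the server where Exchange Server 2010 is about to be installed. Run it in an elevated Windows PowerShell 2.0 session as the installing account. The free-space threshold is an assumed value for illustration; the service name NetTcpPortSharing and the group names are the real ones referenced in the list.

```powershell
# Added example, not from the course: checks the installation blockers listed
# above on the local server before Exchange Server 2010 setup is started.
# The free-space threshold is an assumed value for illustration.

$minimumFreeGB = 10

# 1. Net.TCP Port Sharing Service must be set to start automatically.
$svc = Get-WmiObject Win32_Service -Filter "Name='NetTcpPortSharing'"
if ($svc -eq $null) {
    Write-Warning "NetTcpPortSharing service not found; install the .NET Framework 3.5 feature first"
} elseif ($svc.StartMode -ne 'Auto') {
    Write-Warning "NetTcpPortSharing start mode is '$($svc.StartMode)'; setting it to Automatic"
    Set-Service -Name NetTcpPortSharing -StartupType Automatic
} else {
    Write-Host "NetTcpPortSharing already starts automatically"
}

# 2. Free disk space on the system drive (the default installation volume).
$disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
$freeGB = [math]::Round($disk.FreeSpace / 1GB, 1)
if ($freeGB -lt $minimumFreeGB) {
    Write-Warning "$env:SystemDrive has $freeGB GB free; assumed minimum is $minimumFreeGB GB"
} else {
    Write-Host "$env:SystemDrive has $freeGB GB free"
}

# 3. DNS: the server must be able to locate a global catalog through DNS.
#    A failure here is the case to investigate further with dcdiag.
try {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $gc = $forest.FindGlobalCatalog()
    Write-Host "Global catalog located via DNS: $($gc.Name)"
} catch {
    Write-Warning "Could not locate a global catalog; check DNS client settings and run dcdiag. $($_.Exception.Message)"
}

# 4. Domain functional level must be Windows Server 2003 or higher.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$minimumMode = [System.DirectoryServices.ActiveDirectory.DomainMode]::Windows2003Domain
if ([int]$domain.DomainMode -lt [int]$minimumMode) {
    Write-Warning "Domain functional level is $($domain.DomainMode); raise it to at least Windows Server 2003"
} else {
    Write-Host "Domain functional level: $($domain.DomainMode)"
}

# 5. The initial schema extension needs Enterprise Admins and Schema Admins
#    membership. Check the groups in the current logon token.
$token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$groupNames = foreach ($sid in $token.Groups) {
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
}
foreach ($required in 'Enterprise Admins', 'Schema Admins') {
    if (-not ($groupNames | Where-Object { $_ -like "*\$required" })) {
        Write-Warning "Current account is not a member of $required (needed for the schema extension)"
    } else {
        Write-Host "Current account is a member of $required"
    }
}
```

Group membership is read from the logon token, so the check reflects the groups that were in effect when the session was started; log off and on again after changing group membership before rerunning it.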

Finalizing the Exchange Server Installation

Key Points
After finishing the Exchange Server installation, you might need to perform additional steps to finalize the
server deployment.

Configuring Exchange Server Security


Security is important for all the servers in your environment. However, security is even more important for
computers running Exchange Server. For most organizations, messaging is a critical part of the network.
People rely on messaging to perform their jobs.
Use the following steps to secure computers running Exchange Server 2010:
• Restrict physical access. As with all servers, restrict physical access to a computer running Exchange Server.
Any server that can be accessed physically can also be compromised easily.
• Restrict communication. You can use firewalls to restrict the communication between servers, and
between servers and clients.
• Reduce the attack surface. To limit software flaws that hackers can use, eliminate unnecessary
software and services from your Exchange servers. In particular, Edge Transport servers should have
only the necessary services and software running because they are exposed to the Internet.
• Restrict permissions. Evaluate who has permissions to manage Active Directory in your organization.
Users who are domain administrators can add themselves to any group, and so they could manage all
Exchange Server recipients and computers running Exchange Server in that domain. Reduce
delegated Active Directory management permissions in a more granular way if you do not want all of
the domain administrators to be capable of managing Exchange Server as well.
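The following script is an added example, not part of the course, that audits two of the steps above: it lists who can administer Exchange Server through the Exchange Server 2010 role groups and through the Active Directory groups whose members can add themselves to any group, and it lists the running non-Exchange services to review when reducing the attack surface. It assumes it runs from the Exchange Management Shell on a domain-joined Exchange server (not an Edge Transport server, which is not a domain member); the report path is assumed.

```powershell
# Added example, not from the course: audit of who can manage Exchange Server
# and of the running services that are not part of Exchange.
# Run from the Exchange Management Shell; the report path is an assumption.

$report = "$env:TEMP\exchange-admin-audit.txt"

# Exchange Server 2010 role groups whose members administer the organization.
$roleGroups = 'Organization Management', 'Server Management', 'Recipient Management'
foreach ($group in $roleGroups) {
    "== Role group: $group ==" | Out-File $report -Append
    Get-RoleGroupMember -Identity $group | ForEach-Object { $_.Name } | Out-File $report -Append
}

# Active Directory groups whose members can add themselves to any group and so
# manage Exchange regardless of delegation. Enterprise Admins and Schema Admins
# exist only in the forest root domain, so the search starts there; repeat the
# Domain Admins lookup in every other domain of the forest.
$rootDse = [ADSI]"LDAP://RootDSE"
$rootDomain = [ADSI]"LDAP://$($rootDse.rootDomainNamingContext)"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($rootDomain)
foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Schema Admins') {
    $searcher.Filter = "(&(objectClass=group)(sAMAccountName=$group))"
    $result = $searcher.FindOne()
    "== AD group: $group ==" | Out-File $report -Append
    if ($result -ne $null) {
        $result.Properties['member'] | Out-File $report -Append
    }
}

# Attack surface: running services that are not Exchange services, to review
# for removal of anything unnecessary (most important on Internet-facing
# Edge Transport servers, where this part can be run in plain Windows PowerShell).
"== Running non-Exchange services ==" | Out-File $report -Append
Get-Service | Where-Object { $_.Status -eq 'Running' -and $_.Name -notlike 'MSExchange*' } |
    Sort-Object Name |
    ForEach-Object { "{0}`t{1}" -f $_.Name, $_.DisplayName } |
    Out-File $report -Append

Write-Host "Audit written to $report"
```

The member lists come straight from the group objects, so nested group membership appears as a group name rather than as its individual users; expand any group you find there before concluding who really holds the permission.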

Configure Additional Software


Before you install any additional software, ensure that Microsoft certifies it for use with Exchange Server
2010.
Some of the additional software you might want to install or configure includes:
• Antivirus software. Antivirus software can be used with the Edge Transport server and internal servers.
You can install Forefront Protection for Exchange Servers on Exchange Server 2010, or deploy and
configure third party antivirus solutions.
• Anti-spam software. Anti-spam software can significantly reduce unsolicited commercial e-mail
messages that your users receive, and have to manage. Exchange Server 2010 provides anti-spam
features on the Edge Transport server role and the Hub Transport server role. Most organizations that
deploy anti-spam software on Exchange Server 2010 will deploy it on the Edge Transport server, but
you also can enable and configure anti-spam features on Hub Transport servers. Many organizations
choose to deploy third-party anti-spam solutions.
• Backup software. To back up Exchange Server 2010 servers, you must deploy backup software that
uses Volume Shadow Copy Service (VSS) to perform the backup.
• Monitoring tools and agents. One example of a monitoring tool is Microsoft System Center
Operations Manager. Operations Manager allows you to proactively monitor and manage your
Exchange servers by installing monitoring agents on them.

Important: There are additional tasks that you must perform for each server role. Later modules
cover these tasks.
Lab B: Verifying an Exchange Server 2010 Installation

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. Ensure that the 10135A-NYC-DC1 and the 10135A-NYC-SVR2 virtual machines are running.
• 10135A-NYC-DC1: Domain controller in the Contoso.com domain.
• 10135A-NYC-SVR2: Member server in the Contoso.com domain.
3. If required, connect to the virtual machines.

Lab Scenario
You have completed the installation of the first Exchange Server at Contoso Ltd. You now need to verify
that the installation completed successfully. You also should ensure that the installation meets the best
practices that Microsoft suggests.
Exercise 1: Verifying an Exchange Server 2010 Installation


The main tasks for this exercise are as follows:

1. View the Exchange Server services.
2. View the Exchange Server folders.
3. Create a new user, and send a test message.
4. Run the Exchange Server Best Practices Analyzer Tool.

Task 1: View the Exchange Server services


1. Open the Services console.
2. Review the status for each Exchange Server service.

Task 2: View the Exchange Server folders


• Using Windows Explorer, browse to C:\Program Files\Microsoft\Exchange Server\v14. This list of folders
includes ClientAccess, Mailbox, and TransportRoles. The three roles were installed as part of the typical
setup.

Task 3: Create a new user, and send a test message


1. Open the Exchange Management Console.
2. Under Recipient Configuration, create a new mailbox with a new user account named TestUser and
a password of Pa$$w0rd.
3. Using Internet Explorer, open https://NYC-SVR2/owa.
4. Log on as TestUser, and send a message to Administrator.
5. Log on to Outlook Web App as Administrator, and verify that the message was delivered.

Task 4: Run the Exchange Server Best Practices Analyzer tool


1. Start the Exchange Server Best Practices Analyzer.
2. Run a Health Check scan with a name of Post-Installation Test. Scan only NYC-SVR2.
3. Review the information in the Exchange Server Best Practices Analyzer report.

Results: After this exercise, you should have verified that the Exchange Server 2010 server installation
completed successfully.
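The following script is an added example, not part of the course, that performs the checks described under "Additional Tests to Verify Installation" and in Tasks 1 to 3 of this lab from the Exchange Management Shell instead of the graphical tools. It assumes the server name NYC-SVR2 and the contoso.com UPN suffix from the lab; the "[ERROR]" marker used to match setup-log lines is an assumption about the log format.

```powershell
# Added example, not from the course: post-installation verification from the
# Exchange Management Shell on the newly installed server.
# Assumptions: server NYC-SVR2, UPN suffix contoso.com, and that setup writes
# failed steps to its logs with an "[ERROR]" marker.

$server = 'NYC-SVR2'

# 1. Setup logs: every line that setup flagged as an error.
$logErrors = Get-ChildItem 'C:\ExchangeSetupLogs' -Filter '*.log' |
    Select-String -SimpleMatch '[ERROR]'
if ($logErrors) {
    Write-Warning "Setup logged errors:"
    $logErrors | Format-Table Filename, LineNumber, Line -AutoSize
} else {
    Write-Host "No [ERROR] lines found in C:\ExchangeSetupLogs"
}

# 2. The server is registered in Active Directory with its installed roles
#    (what the Exchange Management Console would display), and every Exchange
#    service that starts automatically is running. Services set to Manual,
#    such as POP3 and IMAP4, are stopped by default and are not reported here.
Get-ExchangeServer -Identity $server | Format-List Name, ServerRole, AdminDisplayVersion
$stopped = Get-WmiObject Win32_Service `
    -Filter "Name LIKE 'MSExchange%' AND StartMode='Auto' AND State<>'Running'"
if ($stopped) {
    Write-Warning "Automatic Exchange services that are not running:"
    $stopped | Format-Table Name, State, DisplayName -AutoSize
}
Test-ServiceHealth -Server $server

# 3. Role folders under the installation directory (Lab B, Task 2).
Get-ChildItem 'C:\Program Files\Microsoft\Exchange Server\v14' |
    Where-Object { $_.PSIsContainer } | Select-Object Name

# 4. A test mailbox and an end-to-end delivery test (Lab B, Task 3).
#    Read-Host -AsSecureString keeps the password out of the command history.
$password = Read-Host 'Password for TestUser' -AsSecureString
New-Mailbox -Name 'TestUser' -Alias 'TestUser' -UserPrincipalName 'testuser@contoso.com' `
    -OrganizationalUnit 'Users' -Password $password -ResetPasswordOnNextLogon $true
Test-Mailflow -Identity $server -TargetEmailAddress 'testuser@contoso.com' |
    Format-List TestMailflowResult, MessageLatencyTime
```

Test-Mailflow submits a message from the server's system mailbox to the target address, so a Success result confirms that the Hub Transport and Mailbox roles on the server deliver mail end to end without anyone having to log on to Outlook Web App.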

To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the
following steps:

1. On the host computer, start Hyper-V Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start.
5. To connect to the virtual machine for the next module’s lab, click 10135A-VAN-DC1, and then in the
Actions pane, click Connect.

Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting
the other virtual machines.
6. Wait for 10135A-VAN-DC1 to start, and then start 10135A-VAN-EX1. Connect to the virtual
machine.
7. Wait for 10135A-VAN-EX1 to start, and then start 10135A-VAN-EX3. Connect to the virtual machine.
Module Review and Takeaways

Review Questions
1. The installation of Exchange Server 2010 fails. What information sources can you use to troubleshoot
the issue?
2. What factors should you consider while purchasing new servers for your Exchange Server 2010
deployment?

3. How would the deployment of additional Exchange Server 2010 servers vary from the deployment of
the first server?

Common Issues Related to Installing Exchange Server 2010


Identify the causes for the following common issues related to installing Exchange Server 2010 and
explain the troubleshooting tips. For answers, refer to relevant lessons in the module.

Issue: You start the Exchange installation and get an error message stating that you do not have
sufficient permissions.
Troubleshooting tips:
• Verify that you are logged on to the domain.
• Verify that the account has sufficient permissions.

Issue: You start the Exchange installation and the prerequisite check fails.
Troubleshooting tip:
• Verify that the server meets the software requirements.

Issue: You run setup with the /PrepareAD parameter and receive an error message.
Troubleshooting tip:
• Ensure that you are running setup in the same Active Directory site as the schema master domain
controller.

Real-World Issues and Scenarios


1. An organization has a main office and multiple smaller branch offices. What criteria would you use to
decide whether to install an Exchange server in a branch office? What additional factors should you
consider if you decide to deploy an Exchange server in the branch office?

2. An organization has deployed Active Directory directory services within two different forests. What
issues will this organization experience when they deploy Exchange Server 2010?
3. An organization is planning to deploy Exchange Server 2010 servers as virtual machines running on
Hyper-V in Windows Server 2008 R2. What factors should the organization consider in their planning?

Best Practices for Deploying Exchange Server 2010


Supplement or modify the following best practices for your own work situations:
• Plan the hardware specifications for your Exchange Server 2010 servers to allow for growth. In most
organizations, the amount of e-mail traffic and the size of the user mailboxes are growing rapidly.
• Consider deploying at least two Exchange Server 2010 servers. With two servers, you can provide
complete redundancy for the core Exchange server roles.
• When deploying multiple Exchange servers with dedicated server roles for each server, deploy the
server roles in the following order:
a. Client Access server
b. Hub Transport server
c. Mailbox server
d. Unified Messaging server

You can deploy the Edge Transport server at any time, but it does not integrate automatically with your
organization until you deploy a Hub Transport server.
Module 2
Configuring Mailbox Servers
Contents:
Lesson 1: Overview of Exchange Server 2010 Administrative Tools 2-3
Lesson 2: Configuring Mailbox Server Roles 2-13
Lesson 3: Configuring Public Folders 2-32
Lab: Configuring Mailbox Servers 2-40
Module Overview

The Microsoft® Exchange Server management tools provide a flexible environment that enables
administrators to manage all sizes of Microsoft Exchange Server 2010 messaging deployments. Successful
Exchange Server messaging professionals need to understand where configuration elements reside within
the Exchange Management Console and the basics of the Exchange Management Shell. This module
describes these management tools.
This module also describes the Mailbox server role, some of the new Exchange Server 2010 features, and
the most common Mailbox server role post-installation tasks. The module concludes with a discussion
about public folder configuration and usage.
After completing this module, you will be able to:
• Describe the Exchange Server 2010 administrative tools.
• Configure mailbox server roles.
• Configure public folders.
Lesson 1
Overview of Exchange Server 2010 Administrative
Tools

This lesson introduces you to the Exchange Management Console, Exchange Management Shell, and the
Exchange Control Panel (ECP). These tools are the main interfaces that Exchange Server administrators use
daily, so a detailed understanding of when and how to use each interface is vital.
After completing this lesson, you will be able to:
• Describe the Exchange Management Console.
• Describe the Exchange Management Shell and Windows® PowerShell™.
• Identify the benefits of using remote Windows PowerShell.
• Use Exchange Management Shell cmdlets.
• Work with the Exchange Management Shell.
• Apply Exchange Management Shell cmdlet examples.
• Describe the Exchange Control Panel.
Demonstration: What Is the Exchange Management Console?

Key Points
In this demonstration, you will review how to navigate the Exchange Management Console, and use it to
manage Exchange Server.
The Exchange Management Console uses the Microsoft Management Console 3.0 (MMC) paradigm of a
four-pane environment.
The Console Tree is a unique feature of the Exchange Management Console, and it has four main nodes:
Organization Configuration, Server Configuration, Recipient Configuration, and Toolbox. These four nodes
have four distinct functions.

Organization Configuration
The Organization Configuration node contains all configuration options for each Exchange server role
that affects the messaging system’s functionality. This node allows you to configure database
management, ActiveSync® policies, journal and transport rules, message-formatting options, and e-mail
domain management.

Server Configuration
The Server Configuration node contains the configuration options for each Exchange server in the
organization. Settings that you can manipulate include server diagnostic-logging settings, product-key
management, and the per-server configuration of the Microsoft Outlook® Web App.

Recipient Configuration
The Recipient Configuration node contains the configuration and creation tasks for mailboxes, distribution
groups, and contacts. You also can use it to move or reconnect mailboxes.
Toolbox
The Toolbox node contains utilities and tools that you can use to monitor, troubleshoot, and manage
Exchange Server. These tools include Exchange Best Practices Analyzer, Public Folder Management
Console (PFMC), Messaging Tracking, and Database Recovery Management.

You also can use the Exchange Management Console to manage both onsite and hosted Exchange Server
2010 environments, most notably the Microsoft Business Productivity Online Suite (BPOS).
The Console Tree’s root node also includes two tabs in the Content pane: Organizational Health and
Customer Feedback. The Organizational Health tab displays a report on the overall status of the Exchange
Server organization that includes information about the number of deployed databases, servers, and
Client Access Licenses. Use the Customer Feedback tab to enable the Customer Experience Improvement
Program and to access Exchange Server documentation.

Demonstration Steps
1. Open the Exchange Management Console.
2. Note the console’s layout: Console Tree on the left, Content pane in the middle, and Actions pane on
the right.
3. Notice that the Console Tree has four nodes: Organization Configuration, Server Configuration,
Recipient Configuration, and Toolbox.
4. Expand each Console Tree section to view the available nodes.
5. In the Console Tree, expand Organization Configuration, click Mailbox, and then view the
information available in the Content pane.
6. In the Console Tree, expand Server Configuration, click Mailbox, and then view the information in
the Content pane.
7. In the Console Tree, expand Recipient Configuration, click Mailbox, and then view the information
in the Content pane.
Question: Does the Exchange Management Console organization seem logical to you? Why?

Question: Does the Exchange Management Console have the same functionality as it did in previous
Exchange Server versions? What is different about this version?
What Are the Exchange Management Shell and Windows PowerShell?

Key Points
The Exchange Management Shell and the Exchange Management Console run on top of the Windows
PowerShell 2.0 command-line interface. They use cmdlets, which are commands that run within
Windows PowerShell. Each cmdlet completes a single administrative task, and you can combine cmdlets
to perform complex administrative tasks.

In Exchange Management Shell, there are approximately 700 cmdlets that perform Exchange Server
management tasks, and even more non-Exchange Server cmdlets that are in the basic Windows
PowerShell shell design.

Exchange Management Shell is more than just a command-line interface that you can use to manage
Exchange Server 2010. Exchange Management Shell is a complete management shell that offers a
complex and extensible scripting engine that has sophisticated looping functions, variables, and other
programmatic features so that you can create powerful administrative scripts quickly.
The Benefits of Remote Windows PowerShell

Key Points
Exchange Server 2010 builds on the Exchange Server 2007 use of Windows PowerShell 1.0 by leveraging
the remote Windows PowerShell functionality of Windows PowerShell 2.0. Remote Windows PowerShell is
the basis for many of the new features in Exchange Server 2010.

New Features in Exchange Server 2010


Exchange Server 2010 contains the following new features:
• Role Based Access Control (RBAC). RBAC enables you to assign granular permissions to
administrators, and more closely align the roles that you assign users and administrators to the actual
roles they hold within your organization. In Exchange Server 2007, the server-permissions model
applied only to the administrators that managed the Exchange Server 2007 infrastructure. However,
RBAC now controls both the administrative tasks that you can perform and the extent to which users
can perform their own administrative tasks. RBAC controls who can access what, and where,
through management roles, assignments, and scopes. Using remote Windows PowerShell allows you
to run the cmdlets on the server while controlling how they execute.
• Client/server management model. All cmdlets run remotely from an Exchange server rather than from
the management client. This allows the server to process the client requests, thereby reducing their
impact. Since the cmdlets run on the remote server, and not the client, you only need to install
Windows PowerShell 2.0 on the management machine if you do not need the graphical user interface
(GUI) tools.
• Standard protocols that allow easier management through firewalls. Remote Windows PowerShell
leverages Windows Remote Management (WinRM) for connectivity through standard HTTPS
connections. Since corporate firewalls often allow HTTPS by default, using Windows PowerShell
requires no additional firewall configuration.
These new features enable scenarios such as simplified cross-domain management, management from
workstations that do not have installed management tools, management through firewalls, and the ability
to throttle resources that management tasks consume.
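The following is an added example, not part of the course, that shows the client/server model above in practice: a workstation with only Windows PowerShell 2.0 installed connects to an Exchange Server 2010 server over WinRM and HTTPS, and then inspects what RBAC lets the connected account do. The server FQDN and the helpdesk account are assumptions for illustration.

```powershell
# Added example, not from the course: remote Windows PowerShell session to an
# Exchange Server 2010 Client Access server, followed by an RBAC check of the
# connected account. Server FQDN and account name are assumptions.

$serverFqdn = 'NYC-SVR2.contoso.com'
$cred = Get-Credential 'CONTOSO\helpdesk1'

# WinRM over HTTPS to the PowerShell virtual directory; Kerberos keeps
# authentication inside the domain's trust model and needs no extra firewall
# rule where HTTPS is already allowed.
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "https://$serverFqdn/PowerShell/" `
    -Authentication Kerberos -Credential $cred

# The imported proxy module contains only the cmdlets and parameters that
# RBAC grants this account; anything else is absent rather than merely denied.
$module = Import-PSSession $session -AllowClobber
Write-Host ("RBAC exposed {0} cmdlets to {1}" -f $module.ExportedFunctions.Count, $cred.UserName)

# Which management roles apply to the account, through which role groups,
# and with which write scopes.
Get-ManagementRoleAssignment -RoleAssignee $cred.UserName |
    Format-Table Role, RoleAssigneeName, RoleAssigneeType, RecipientWriteScope, ConfigWriteScope -AutoSize

# A concrete least-privilege check: a helpdesk account normally should not be
# able to change other users' mailbox settings at all.
if ($module.ExportedFunctions.ContainsKey('Set-Mailbox')) {
    Write-Warning "$($cred.UserName) can run Set-Mailbox; review its role assignments"
} else {
    Write-Host "$($cred.UserName) cannot run Set-Mailbox"
}

Remove-PSSession $session
```

Because the cmdlets execute on the server, the same session works from any workstation that can reach the Client Access server over HTTPS, and throttling policies on the server limit the resources that the remote commands consume.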
Exchange Management Shell Cmdlets

Key Points
All shell cmdlets present as verb-noun pairs. A hyphen (-) without spaces separates the verb and the noun, and
the cmdlet nouns are always singular. Verbs refer to the action that the cmdlet takes. Nouns refer to the
object on which the cmdlet takes action. For example, in the Get-User cmdlet, the verb is Get, and the
noun is User. All cmdlets that manage a particular feature share the same noun.

For detailed information about using cmdlets, refer to the CD content.

Using Cmdlets Together


Pipelining is the process of using multiple cmdlets simultaneously to gather information, which you then
can pass to other cmdlets for additional processing. Pipelining allows you to chain one cmdlet to another
so that the previous cmdlet’s results act as input to the next cmdlet. To pipeline information from one
cmdlet to another, specify the pipe character between the cmdlets. The pipe character is a vertical bar (|).
You can pipeline more than two cmdlets. In fact, you can use as many as necessary to achieve the results
you desire.
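The following is an added example, not part of the course, that puts the verb-noun convention and pipelining together: it discovers cmdlets by noun, then builds a collect, filter, act pipeline that reports what it found before any change is made. It assumes it runs from the Exchange Management Shell; the quota value and the report path are assumptions for illustration.

```powershell
# Added example, not from the course: cmdlet discovery by noun, then a
# three-stage pipeline (collect, filter, act) that reports before it changes
# anything. Quota value and report path are assumptions.

# Every cmdlet that acts on the Mailbox noun, and the help for one parameter.
Get-Command -Noun Mailbox | Select-Object Name
Get-Help Set-Mailbox -Parameter ProhibitSendQuota

# Stage 1 collects every mailbox; stage 2 keeps those that override the
# database quota defaults with an unlimited send quota. The filtered objects
# are kept in a variable so that the same set feeds both the report and the change.
$unlimited = Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.UseDatabaseQuotaDefaults -and $_.ProhibitSendQuota.IsUnlimited }

# Stage 3a: report. Select-Object trims the objects to the columns that matter.
$unlimited | Select-Object Name, Database, ProhibitSendQuota |
    Export-Csv -Path "$env:TEMP\unlimited-send-quota.csv" -NoTypeInformation

# Stage 3b: act. -WhatIf shows what Set-Mailbox would change without changing
# it; remove -WhatIf (or use -Confirm) once the report has been reviewed.
$unlimited | Set-Mailbox -ProhibitSendQuota 2GB -WhatIf
```

Every cmdlet in the chain shares the Mailbox noun, so the objects that Get-Mailbox emits bind directly to the Identity parameter of Set-Mailbox without any conversion in between.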
Demonstration: Working with the Exchange Management Shell

Key Points
In this demonstration, you will review how to create a mailbox, and how to use Windows PowerShell
scripting and pipelining to change the address on multiple mailboxes. The instructor also will describe
basic cmdlet aliases.

Demonstration Steps
The instructor will run the following cmdlets:
• Get-Mailbox
• Get-Mailbox | Format-List
• Get-Mailbox | fl
• Get-Mailbox | Format-Table
• Get-Mailbox | ft Name, Database, IssueWarningQuota
• Get-Help New-Mailbox
• Get-Help New-Mailbox -detailed
• Get-Help New-Mailbox -examples
• $Temp = "Text"
• $Temp
• $password = Read-Host "Enter password" -AsSecureString
• New-Mailbox -UserPrincipalName chris@contoso.com -Alias Chris -Database "Mailbox Database 1" -Name ChrisAshton -OrganizationalUnit Users -Password $password -FirstName Chris -LastName Ashton -DisplayName "Chris Ashton" -ResetPasswordOnNextLogon $true

Note: Assign a password to a new user by specifying the Read-Host cmdlet with the -AsSecureString
switch, because passwords cannot be stored as simple strings.
Exchange Management Shell Examples

Key Points
One of the best ways to become proficient with Windows PowerShell is to review cmdlets that
administrators use the most often. The following example retrieves a list of all the users, filters only users
that are located in the Sales organizational unit (OU), and then mail-enables the users:

Get-User | Where-Object {$_.distinguishedname -ilike "*ou=sales,dc=contoso,dc=com"} | Enable-Mailbox -database "Mailbox Database 1"

The following example returns all members in the RemoteUsers distribution group, and then sets the
MaxReceiveSize on each of the members’ mailboxes:

Get-DistributionGroup "RemoteUsers" | Get-DistributionGroupMember | Set-Mailbox -MaxReceiveSize 10MB

The following example retrieves a list of all mailboxes on VAN-EX1, and then moves these mailboxes to
Mailbox Store 2:

Get-Mailbox -server VAN-EX1 | New-MoveRequest -Local -TargetDatabase "Mailbox Store 2"

The following example removes all messages from addresses that start with the word “Tom” from the
message queue:

Get-Message -Filter {FromAddress -like "Tom*" } | Remove-Message

The following example returns the status of all mailbox copies from the local server:

Get-MailboxDatabaseCopyStatus
Introducing the Exchange Control Panel

Key Points
The ECP is a new feature in Exchange Server 2010. It enables end users and Exchange Server specialists to
manage many aspects of the messaging environment from a secure Web page that includes inbox rules,
public groups, account information, call-answering rules, and retention policies.
You can assign permissions to ECP users by assigning and customizing one of the preconfigured RBAC
groups.
The ECP runs on the Client Access servers, and you access it from the Options menu in Outlook Web App.
Lesson 2
Configuring Mailbox Server Roles

This lesson describes how to configure the Mailbox server after you install it. Since the Mailbox server
stores all of the mailbox and public folder data, it is a critical component in an Exchange Server messaging
system. You also will learn about databases, database storage considerations, and managing the number
and size of databases.

After completing this lesson, you will be able to:


• Describe your initial mailbox configuration tasks.
• Configure the Mailbox server role.
• Describe mailbox and public folder databases.
• Describe database file types.
• Describe the process for updating mailbox databases.
• Configure database options.
• Identify Exchange Server 2010 storage improvements.
• Describe your database storage options.
• Describe direct attached storage.
• Describe storage area networks.
• Manage mailbox size limits.
• Identify the criteria to consider when implementing databases.
Initial Mailbox Configuration Tasks

Key Points
Complete the following steps after deploying the Mailbox server role:
• Secure the server. Before deploying mailboxes on the Mailbox server role, you should secure the
server, which includes configuring permissions at the organizational and server levels. This reduces
the Exchange Server’s attack surface.
• Create and configure databases. Exchange Server 2010 uses mailbox databases or public folder
databases to store messages. As a result, before creating mailboxes on the server, you need to create
the required databases.
• Configure public folders. Although recent Exchange Server versions de-emphasize the role of public
folders, Microsoft continues to support public folders fully, and you must configure them if you have
Outlook 2003 or earlier clients. However, if you are using Office Outlook 2007 or later clients, public
folders are not required to support offline address-book distribution or calendar information. During
the installation of the first Exchange Server 2010 into a new Active Directory® Domain Service (AD
DS) or Active Directory directory service forest, you have the option to support older Office Outlook
and Entourage clients. Exchange Server creates a public folder database if you choose this option. You
also can create public folders after installation if you do not configure them during setup.
• Configure recipients, including resource mailboxes. The Mailbox server role manages all user
mailboxes, so deploying the Mailbox server role includes configuring recipients.
• Configure the offline address book. Outlook 2007 (and higher) clients support retrieving offline
address books with HTTP, rather than only with public folders, as in previous Office Outlook versions.
Demonstration: How to Configure Mailbox Server Role Configuration Options

Key Points
In this demonstration, you will review how to configure the Mailbox server role with the Exchange
Management Console.

Demonstration Steps
1. Open the Exchange Management Console.
2. In the Console Tree, expand Server Configuration, and then click Mailbox.
3. Note the available options in the Actions pane: Manage Diagnostic Logging Properties, Enter
Product Key, and Properties.
4. View the properties of the server and review the options on the General, System Settings,
Messaging Records Management, and Customer Feedback Options tabs.
5. View the Manage Diagnostic Logging options.
Question: What additional tasks do you need to perform on the Mailbox server role after the Exchange
Server 2010 installation occurs?
What Are Mailbox and Public Folder Databases?

Key Points
To manage Mailbox servers properly, you need to know how they store mailbox and public folder
contents. Exchange Server 2010 stores mailbox and public folder contents in databases, which enhances
performance and reduces storage utilization.
Mailbox servers can maintain mailbox databases and public folder databases, and each database consists
of a single rich-text database (.edb) file. Exchange Server 2010 mailbox servers store all messages in this
database regardless of which type of client sends or reads the messages.
Mailbox databases store the messages for mailbox-enabled users. Users cannot have a mailbox without a
mailbox database. Public folder databases store the contents of public folders. Unlike previous Exchange
Server versions that required unique database names only within a storage group, Exchange Server 2010
requires unique database names across the entire Exchange Server organization.

In Exchange Server 2010, each database has a single set of transaction logs, which store database changes.
Database changes include all messages sent to or from the database. Transaction logs are an essential part
of disaster recovery if you need to restore a mailbox or public folder database.

By default, all databases and transaction logs are stored in one folder within the Exchange Server directory
(C:\Program Files\Microsoft\Exchange Server\v14\Mailbox). Each database has its own folder. Although
Exchange Server 2010 does not require separating
databases and transaction logs, given the appropriate redundancy, performing this separation increases
recoverability. You should consider it if your organization does not employ other availability options. If
the disk storing a database fails, you will need the transaction logs to recover activity since your last
backup. If your transaction logs also are lost, along with the database, you can recover only to the point of
your last back up.
The Exchange Server 2010 database schema was changed significantly to improve its performance over
previous Exchange Server versions. The new database schema now performs larger and more-sequential
input/output (I/O) transactions, optimizes performance on lower end disk systems, and reduces
the database maintenance that you must perform. These improvements were accomplished by removing
single-instance storage and increasing the page size from 8 kilobytes (KB) to 32 KB.

In Microsoft Exchange 2000 Server and Exchange Server 2003, there was an option to create multiple
databases and have them share a set of transaction logs. This was called a storage group. In Exchange
Server 2007, having multiple databases in a storage group was available only for databases that did not
have high availability features enabled. In Exchange Server 2010, there is no option for multiple databases
to share a single set of transaction logs.

What Are the Database File Types?

Key Points
A database consists of a collection of file types, each of which performs a different function.
• <Log Prefix>.chk. This checkpoint file records which transactions in the transaction log files have
already been written to the database, so that only the transactions after the checkpoint must be replayed
during recovery. Each database’s log prefix determines its checkpoint file name. For example, the
checkpoint file name for a database with the prefix E00 is E00.chk. The checkpoint file is several kilobytes
in size and does not grow.
• <Log Prefix>.log. This is the database’s current transaction log file, for example E00.log. The maximum
size of this file is 1 megabyte (MB). When the file reaches 1 MB, Exchange Server renames it and creates a
new current transaction log.
• <Log Prefix>xxxxxxxx.log. This is a filled transaction log file that Exchange Server has renamed. Log
files use sequential hexadecimal names. For example, the first log file for the first database on a server is
E0000000001.log. Each closed transaction log file is always 1 MB.
• <Log Prefix>res00001.jrs and <Log Prefix>res00002.jrs. These are the reserved transaction logs for the
database, for example E00res00001.jrs. Exchange Server 2010 uses them only as emergency storage when
the disk becomes full and no new transactions can be written to disk. When Exchange Server 2010 runs
out of disk space, it writes the current transaction to disk, and then dismounts the database. The reserved
transaction logs ensure minimal loss of data that is in transit to the database. The reserved transaction
logs are always 1 MB each.
• Tmp.edb. This temporary workspace is used for processing transactions. Exchange Server 2010 deletes
the contents of this file when it dismounts the database or when the Microsoft Exchange Information
Store service stops. This file typically is a few megabytes in size.
• <Log Prefix>tmp.log. This is the transaction log file for the temporary workspace, for example
E00tmp.log. This file does not exceed 1 MB.
• <File Name>.edb. This is the rich-text database file that stores the content of a mailbox or public folder
database, for example Database.edb. Each mailbox or public folder database is contained in a single file.
Database files can grow very large, depending on the content that the database stores.
Mailbox Database Update Process

Key Points
The following process takes place when a Mailbox server receives a message:
1. The Mailbox server receives the message.
2. The Mailbox server writes the message to the current transaction log and to the memory cache
simultaneously.

Note: If the current transaction log reaches 1 MB of storage, Exchange Server 2010 renames it and
creates a new current transaction log.

3. The Mailbox server writes the transaction from the memory cache to the appropriate database.
4. The Mailbox server updates the checkpoint file to indicate that the transaction was committed
successfully to the database.
5. Clients can access and read the message in the database.
Demonstration: Configuring Database Options

Key Points
Several configuration options are set at the database level. Three key management tabs contain these
options: Maintenance, Limits, and Client Settings. In this demonstration, you will review these tabs and see
how you can use them to configure your database options.

The Maintenance Tab


Use the Maintenance tab to specify a journal recipient when you are using database journaling. However,
we recommend using journaling rules for journaling in Exchange Server 2010.
The maintenance schedule is the period of time in which Exchange Server performs database
maintenance. In Exchange Server 2010, online defragmentation occurs continually, so you use the
maintenance window primarily to remove deleted items and mailboxes.

The Maintenance tab has a checkbox that you can select to keep the database from mounting at startup.
You typically use this checkbox, and another that allows the database to be overwritten by a restore,
during recovery or database-maintenance tasks. The checkbox for enabling circular logging sets the
transaction-logging mode so that Exchange Server 2010 overwrites the transaction logs after they are
committed to the database. Circular logging does not allow you to recover a database to a point in time
other than when the last full backup was completed. We recommend circular logging only in test
environments or in high availability configurations in which adequate redundancy negates the need for
this type of recovery.
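The following Exchange Management Shell script is an added example and is not part of the course or of Microsoft's code. It inventories a database's log folder by the file types listed earlier in this lesson (checkpoint, current log, closed logs, reserved logs, temporary files), flags closed or reserved logs that are not exactly 1 MB, and lists which databases have circular logging enabled and therefore cannot be recovered past their last full backup. It assumes the shell runs on the Mailbox server that hosts the database, because LogFolderPath is a path local to that server; the database name Executive in the usage line is a placeholder. The function names are the example's own.

```powershell
# Added example, not part of the course. Run in the Exchange Management Shell on the
# Mailbox server that hosts the database (LogFolderPath is local to that server).

function Get-DatabaseLogInventory {
    param([Parameter(Mandatory = $true)][string]$Identity)

    $db     = Get-MailboxDatabase -Identity $Identity -Status
    $p      = [regex]::Escape($db.LogFilePrefix)     # for example E00
    $logDir = $db.LogFolderPath.PathName             # folder that holds the logs

    # Where-Object instead of -File so the script also runs on PowerShell 2.0.
    Get-ChildItem -Path $logDir | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        $n = $_.Name
        # Classify by the naming patterns listed in the file-types topic.
        $kind = if ($n -match ('^' + $p + '\.chk$')) { 'checkpoint' }
                elseif ($n -match ('^' + $p + '\.log$')) { 'current log' }
                elseif ($n -match ('^' + $p + '[0-9A-Fa-f]{8}\.log$')) { 'closed log' }
                elseif ($n -match ('^' + $p + 'res0000[12]\.jrs$')) { 'reserved log' }
                elseif ($n -match ('^' + $p + 'tmp\.log$')) { 'temp log' }
                elseif ($n -match '^tmp\.edb$') { 'temp database' }
                else { 'other' }

        # Closed and reserved logs are always exactly 1 MB; any other size is worth a look.
        $fixedSize = ($kind -eq 'closed log') -or ($kind -eq 'reserved log')
        New-Object PSObject -Property @{
            Kind   = $kind
            Name   = $n
            SizeKB = [math]::Round($_.Length / 1KB)
            SizeOK = (-not $fixedSize) -or ($_.Length -eq 1MB)
        }
    }
}

function Get-DatabaseLoggingMode {
    # Circular logging overwrites committed logs, so recovery stops at the last full backup.
    Get-MailboxDatabase -Status |
        Select-Object Name, Server, CircularLoggingEnabled, LastFullBackup,
            @{ Name = 'PointInTimeRecovery'; Expression = { -not $_.CircularLoggingEnabled } }
}

# Usage (the database name is a placeholder).
Get-DatabaseLogInventory -Identity 'Executive' |
    Sort-Object Kind, Name | Format-Table Kind, Name, SizeKB, SizeOK -AutoSize
Get-DatabaseLoggingMode | Format-Table -AutoSize
```

A database that reports CircularLoggingEnabled as True outside a test environment or a redundant high availability configuration is the case the Maintenance tab text warns about, since its logs cannot be replayed to a point in time after the last full backup.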

The Limits Tab


Use the Limits tab to set the maximum size for mailboxes that the database stores, and to specify the
notification schedule for sending messages to users who are approaching these limits.

The deletion settings specify how long the database stores deleted items and mailboxes after the user
deletes them. You can use the dumpster to recover items that users have deleted and purged from their
Deleted Items folder, without having to perform a restore from a backup.
The Client Settings Tab


Use the Client Settings tab to configure the default public folder, if necessary, and the default offline
address book for all mailboxes in the database.

Demonstration Steps
1. Open the Exchange Management Console.
2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Organization
Configuration, and then click Mailbox.
3. Select the Database Management tab, and then view the properties of a mailbox database.
4. View the properties on the General, Maintenance, Limits, and Client Settings tabs.
5. Run the Move Database Path Wizard to move the database files.

Question: When would you need to move the path of the transaction logs or databases?

Question: When might you use circular logging?


Exchange Server 2010 Storage Improvements

Key Points
Exchange Server 2010 introduces several significant changes that reduce storage costs and improve
performance, including changes to the database schema, the use of compression, and the change to 32
KB database pages. Additionally, further improvements minimize database fragmentation by writing data
sequentially on disk, which also improves disk performance. Lastly, when you combine the reduced
storage input/output (I/O) requirements with the new database high availability features, you may be able
to leverage inexpensive direct-attached storage for larger Exchange Server deployments.

Since the storage I/O requirements are lower in Exchange Server 2010, more storage options are available.
Still, you should ensure that your storage method meets the business and technical requirements for the
Exchange Server deployment. Tools such as Load Simulator and JetStress are available to approximate
usage patterns, and you can use these tools to test various hardware configurations in your environment.
Options for Database Storage

Key Points
Exchange Server 2010 now supports several disk storage options, including Serial Advanced Technology
Attachment (SATA), solid-state disk (SSD), and Serial Attached SCSI (SAS). When selecting which storage
solution to use, the goal is to ensure that the storage will provide the performance that your environment
requires.

JBOD (Just a Bunch Of Disks)


JBOD is a collection of disks that have no redundancy or fault tolerance. Usually, JBOD solutions are lower
cost than solutions that use a redundant array of independent disks (RAID). With JBOD, you add fault
tolerance by keeping multiple copies of the databases on separate disks.

RAID
RAID increases disk-access performance and fault tolerance. The most common RAID options are:
• RAID 0 (striping). Increases read and write performance by spreading data across multiple disks.
However, it offers no fault tolerance. Performance increases as you add more disks. You add fault
tolerance by using multiple copies of the databases on separate RAID sets.
• RAID 1 (mirroring). Increases fault tolerance by placing redundant copies of data on two disks. Read
performance is faster than a single disk, but write performance is slower than RAID 0. Half of the disks
are used for data redundancy.
• RAID 5 (striping with parity). Increases fault tolerance by spreading data and parity information across
three or more disks. If one disk fails, the missing data is calculated based on the remaining disks. Read
and write performance for RAID 5 is slower than RAID 0. At most, only one third of the disks are used
to store parity information.
• RAID 0+1 (mirrored striped sets). Increases fault tolerance by mirroring two RAID 0 sets. This provides
very fast read and write performance, and excellent fault tolerance.

• RAID 6 (striping with double parity). Increases fault tolerance by spreading data and parity information
across four or more disks. If up to two disks fail, RAID 6 calculates the missing data based on the data
and parity information stored on the remaining disks. Read and write performance for RAID 6 typically is
slower than RAID 0, but RAID 6 does not have a read penalty. The main benefits of RAID 6 are the ability
to rebuild missing data after two failures per RAID group, and a reduced impact of rebuilding the RAID
set when a disk fails.
• RAID 1+0 or RAID 10 (mirrored sets in a striped set). Provides fault tolerance and improved
performance, but increases complexity. The difference between RAID 0+1 and RAID 1+0 is that RAID
1+0 creates a striped set from a series of mirrored drives. In a failed disk situation, RAID 1+0 performs
better and is more fault tolerant than RAID 0+1.
Data Storage Options: Direct Attached Storage

Key Points
Direct attached storage is any disk system that connects physically to your server. This includes hard disks
inside the server or those that connect by using an external enclosure. Some external enclosures include
hardware-based RAID. For example, external disk enclosures can combine multiple disks in a RAID 5 set
that appears to the server as a single large disk.

In general, direct attached storage provides good performance, but it provides limited scalability because
of the unit’s physical size. You must manage direct attached storage on a per-server basis. Exchange
Server 2010 performs well with the scalability and performance characteristics of direct attached storage.

Direct attached storage provides the following benefits:


• Lower cost Exchange Server solution. Direct attached storage usually provides a substantially lower
purchase cost than other technologies.
• Easy implementation. Direct attached storage typically is easy to manage, and requires very little
training.
• Distributed failure points. Each Exchange server has separate disk systems, so the failure of a single
system does not affect the entire Exchange messaging system negatively, assuming that you
configure your Exchange servers for high availability.
Data Storage Options: Storage Area Networks

Key Points
A storage area network (SAN) is a network dedicated to providing servers with access to storage devices.
A SAN provides advanced storage and management capabilities, such as data snapshots, and high
performance. SANs use either Fibre Channel switching or Internet SCSI (iSCSI) to provide fast and reliable
connectivity between storage and applications. Fibre Channel switching or iSCSI allows many servers to
connect to a single SAN.
Fibre Channel is a standard SAN architecture that runs on fiber optic cabling. Because Fibre Channel is
specifically for SANs, it is the fastest architecture available, and most SANs use it.

SANs are complex and require specialized knowledge to design, operate, and maintain. Most SANs also
are more expensive than direct attached storage.

SANs provide the following benefits:


• A large RAM cache that keeps disk access from becoming a bottleneck. The reduced I/O requirements
of Exchange Server 2010 make it more likely that an iSCSI-based SAN will meet your requirements in
small and medium-sized deployments. However, you should test all hardware configurations
thoroughly before deployment to ensure that they meet your organization’s required performance
characteristics.
• Highly scalable storage solutions. Messaging systems are growing continually, and require larger
storage over time. As your needs expand, a SAN allows you to add disks to your storage. Most SANs
incorporate storage virtualization, which allows you to add disks and allocate the new disks to your
Exchange server.
• Multiple servers attached to a single SAN. If you use a SAN, you can connect multiple computers
running Exchange Server, and then divide the storage among them.
• Enhanced backup, recovery, and availability. SANs use volume mirroring and snapshot backups.
Because SANs allow multiple connections, you can connect high performance back-up devices to the
SAN. SANs also allow you to designate different RAID levels to different storage partitions.
For cost-conscious SAN implementations, iSCSI may be a viable option. An iSCSI network encapsulates
SCSI commands in TCP/IP packets over standard Ethernet cabling and switches. You should implement
this technology only on dedicated storage networks that are 1 gigabit per second (Gbps) or faster.
Demonstration: How to Manage Mailbox Size Limits

Key Points
In this demonstration, you will review how to use the Exchange Management Console to configure
storage quotas, and how to use the Exchange Management Shell to configure storage quotas in bulk or
simultaneously.
You can enforce size limits either on a specific mailbox or on a database, which applies the settings on all
mailboxes in the database, by default. The three options available to set a limit on mailboxes and on the
database are:
• Issue warning at (KB). When a mailbox reaches the size you specify, at a predetermined schedule
(daily by default), mailbox-enabled users receive a message indicating that their mailboxes have
become too large.
• Prohibit send at (KB). When a mailbox reaches the size you specify, the user no longer can send
messages and receives a warning message that the mailbox is too large. The mailbox can still receive
messages.
• Prohibit send and receive at (KB). When a mailbox reaches the size you specify, the user can no longer
send or receive messages, and receives a warning message that the mailbox is too large. If the
organization uses a Unified Messaging server, prohibiting e-mail reception can result in lost e-mail
messages, voice-mail messages, and faxes. Most organizations elect not to use this option.

You also can use mailbox database defaults to set limits on the database. Exchange Server 2010 enables
this by default, and if you use it, the mailbox inherits any settings that you assign to the database that
stores the mailbox.

Deleted item retention settings work similarly to size limits in that you can assign them either on the
mailbox or on the database. By default, all mailboxes also inherit deleted item retention from the
database.

Demonstration Steps
1. Open the Exchange Management Console.
2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration,
and click Mailbox.
3. Right-click a user mailbox, and click Properties.
4. Click the Mailbox Settings tab, and double-click Storage Quotas.
5. Unselect Use mailbox database defaults, and modify the value for Prohibit send and receive at
(MB).
6. Open Exchange Management Shell.
7. Configure the database limits with the Get-MailboxDatabase cmdlet.
8. Configure just the user mailboxes that are contained in the Marketing department with the Get-Mailbox
cmdlet.
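The shell side of the demonstration, as an added example that is not the course's own code: database limits applied in bulk through the Get-MailboxDatabase pipeline, a per-department override for Marketing through Get-Mailbox, and an audit function that lists the mailboxes at or over a limit together with whether they still inherit the database defaults (the check the module review's "users are exceeding these limits" troubleshooting tip calls for). The quota values, the Marketing department value, the database name Executive and the function name are placeholders chosen for the example; the cmdlets and parameters are Exchange Server 2010's.

```powershell
# Added example, not part of the course. Run in the Exchange Management Shell.
# Quota values, the Marketing department and the database name are placeholders.

# Bulk: one set of limits for every mailbox database. Mailboxes that keep
# UseDatabaseQuotaDefaults = $true inherit these values.
Get-MailboxDatabase | Set-MailboxDatabase `
    -IssueWarningQuota 850MB `
    -ProhibitSendQuota 1GB `
    -ProhibitSendReceiveQuota Unlimited   # keep receiving: no lost mail, voice mail or faxes

# Per-group override: Marketing mailboxes stop inheriting and get their own limits.
Get-Mailbox -ResultSize Unlimited -Filter { Department -eq 'Marketing' } |
    Set-Mailbox -UseDatabaseQuotaDefaults $false `
        -IssueWarningQuota 400MB `
        -ProhibitSendQuota 500MB `
        -ProhibitSendReceiveQuota Unlimited

# Audit for the "users still exceed the limits" case: mailboxes at or over a limit,
# with whether they inherit the database defaults and the limit that actually applies.
function Get-MailboxQuotaStatus {
    param([Parameter(Mandatory = $true)][string]$Database)

    $dbLimits = Get-MailboxDatabase -Identity $Database
    Get-MailboxStatistics -Database $Database |
        Where-Object { $_.StorageLimitStatus -ne 'BelowLimit' -and $_.StorageLimitStatus -ne 'NoChecking' } |
        ForEach-Object {
            # Look up the mailbox by GUID so display-name collisions cannot mislead the audit.
            $mbx = Get-Mailbox -Identity $_.MailboxGuid.ToString()
            $effective = $dbLimits.ProhibitSendQuota
            if (-not $mbx.UseDatabaseQuotaDefaults) { $effective = $mbx.ProhibitSendQuota }
            New-Object PSObject -Property @{
                Mailbox          = $_.DisplayName
                Status           = $_.StorageLimitStatus
                SizeMB           = [math]::Round($_.TotalItemSize.Value.ToMB())
                InheritsDefaults = $mbx.UseDatabaseQuotaDefaults
                ProhibitSend     = $effective
            }
        }
}

Get-MailboxQuotaStatus -Database 'Executive' |
    Format-Table Mailbox, Status, SizeMB, InheritsDefaults, ProhibitSend -AutoSize
```

A mailbox that shows InheritsDefaults as False has its own quota set, so changing the database limits will not affect it; either set UseDatabaseQuotaDefaults back to $true on the mailbox or adjust its own values.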
Discussion: Considerations for Implementing Databases

Key Points
It is important to plan properly for any changes you want to make in the Exchange Server environment.
When considering which sort of storage to use for new databases, note the following:
• Give each set of transaction logs its own hard disk. You likely will achieve the best performance when
transaction logs do not share disks with any other data. However, if you do not require high
performance, and there are enough copies of the data, you may not require this.
• Use RAID 5 to enhance performance and fault tolerance for databases. RAID 5 increases read and
write performance for random disk access and fault tolerance.
• Use RAID 1 to provide fault tolerance for transaction logs. RAID 1 keeps two complete copies of
transaction logs for fault tolerance, and it provides good write performance for data that is written
serially.
• Use a SAN, which provides excellent scalability and manageability for storage in large Exchange
Server organizations. A Fibre Channel SAN provides the best performance, but this high level of
performance may be more than you need to support your organization’s requirements. SANs also
add considerable cost and complexity.
• Use the prohibit send at storage limit to manage storage growth. This storage limit forces users to
address the size of their mailbox before sending additional messages. Halting message reception is
risky, because important business data might get lost. However, a warning may not be enough
encouragement for users to lower their mailbox size.

Question: What should you consider when naming databases?

Question: When would you want or need to create multiple databases?

Question: Why would you want to reduce the number of databases?


Question: What should you consider when planning to build additional Mailbox servers?
Lesson 3
Configuring Public Folders

This lesson covers public folders, and details how you can configure them. Although public folders have
been deemphasized since Exchange Server 2007, they remain a useful feature of Exchange Server 2010. It
is essential to understand when to use public folders and how to configure them properly.
After completing this lesson, you will be able to:
• Describe public folders.
• Configure public folder replication.
• Describe how clients access public folders.
• Configure public folders.
• Identify when to use SharePoint instead of public folders.
What Are Public Folders?

Key Points
A public folder is a repository for different information types, such as e-mail messages, text documents,
and multimedia files. A public folder database stores public folder contents, which you can share with
Exchange Server organization users.
Organizations typically use public folders as:
• A location to store contacts for the entire organization.
• Centralized calendars for tracking events.
• Discussion groups.
• A location in which to receive and store messages for a workgroup, such as the Help desk.
• A storage location for custom applications.
Additionally, system public folders support legacy Office Outlook versions for free/busy information,
custom forms, and offline address books.
One alternative to public folders is Windows SharePoint® Services, which is a Web-based platform that
stores data centrally for the enterprise, workgroups, and individuals. You can create multiple SharePoint
sites for specific tasks, including:
• Team collaboration
• Project management
• Help-desk management
• Expense reimbursement
• Vacation scheduling
For collaboration, Windows SharePoint Services goes beyond the capabilities that public folders offer.
Some of the features that a SharePoint site offers are:
• Document collaboration, including checking in, checking out, and version control. This feature allows
you to track changes to documents and prevent team members from editing multiple versions of a
single document.
• Alerts sent out when content changes. Alerts enable you to monitor content and act when that
content changes. For example, a project team could be alerted automatically when the project
schedule changes.
• Extensibility by developers for building applications. In some cases, you can use public folders to
manage application data, but SharePoint sites can perform many of the same tasks.
One area in which Windows SharePoint Services does not provide functionality similar to Exchange Server
is multimaster replication. Because Windows SharePoint Services is tied to Microsoft SQL Server®, only
one writable copy of the data is available at a time, whereas public folders can have multiple readable and
writable copies available around the globe. The next topic details public folder replication.

Configuring Public Folder Replication

Key Points
Public folder content replication is an e-mail-based process for copying public folder content between
computers running Exchange Server. When you modify a public folder or its contents, the public folder
database that contains the replica of the public folder that you changed sends a descriptive e-mail
message to the other public folder databases that host a replica of the public folder. To reduce network
traffic, Exchange Server includes information about multiple changes in one e-mail message. If any
message exceeds the specified size limit, that message is sent as a separate replication message.
Exchange Server routes these replication messages the same way that it routes other e-mail messages. By
default, public folder content replicates every 15 minutes, and you cannot set replication to less than
every minute. Because AD DS stores the public folder configuration objects, AD DS replication must be
working correctly to ensure that the configuration is available to all Exchange servers.

When you create a public folder, only one replica of that public folder exists within the Exchange Server
organization.

Using multiple replicas allows you to place public folder content in the physical server locations where
users are located. This results in faster access to public folder content and reduced communication across
wide area network (WAN) links between physical locations. Public folder replication also provides fault
tolerance for public folders.

Note: You also need to replicate the public folder tree.


How Clients Access Public Folders

Key Points
The public folder connection process for Messaging Application Programming Interface (MAPI)-based
clients is:
1. If the public folder is located on the user account’s default public folder database, Exchange Server
directs the client to this database for the public folder contents.
2. If the public folder contents are not stored in the user account’s default public folder database,
Exchange Server redirects the client to a public folder database on a computer running Exchange
Server 2010 in the local Active Directory site.
3. If no computer running Exchange Server 2010 or Exchange Server 2007 on the local Active Directory
site has a copy of the public folder contents, Exchange Server redirects the client to the Active
Directory site with the lowest cost site link that does have a copy of the public folder contents.
4. If there is no computer running Exchange Server 2010 or Exchange Server 2007 that has a copy of the
public folder contents, Exchange Server redirects the client to a computer running Microsoft
Exchange Server 2003 that has a copy of the public folder contents, using the cost assigned to the
routing group connector(s). Exchange Server 2010 does not enable this by default. Rather, you must
enable it with the Set-RoutingGroupConnector cmdlet.
5. If no public folder replica exists on the local Active Directory site, a remote Active Directory site, or on
a computer running Exchange Server 2003, the client cannot access the contents of the requested
public folder.

Note: For Outlook Web App clients to view public folders, a replica of the public folder must be
available on an Exchange Server 2010 mailbox server.
Demonstration: How to Configure Public Folders

Key Points
In this demonstration, you will review how to use the Public Folder Management Console (PFMC), the
Exchange Management Shell, and Office Outlook to configure public folders. You will see how to:
• Use the PFMC to add replicas and set permissions on a public folder.
• Use Exchange Management Shell to add permissions to a public folder.
• Open Outlook, and then view the permissions for the public folder.

Demonstration Steps

Use the PFMC to add replicas and set permissions on a public folder
1. Open the Exchange Management Console.
2. Open the PFMC, and then connect to a Mailbox server.
3. Create a new public folder named Sales.
4. View the properties of the Sales public folder, and then view the options on the General, Statistics,
Limits, and Replication tabs.
5. Add a replica to the Sales public folder.

Use the Exchange Management Shell to add permissions to a public folder


The instructor will run the following cmdlets:

Get-PublicFolderClientPermission \Sales

Add-PublicFolderClientPermission \Sales -AccessRights EditAllItems -User Jason



Use Outlook to view and edit public folder permissions


1. Log on to VAN-CL1 as Adatum\Administrator.
2. Open Outlook.
3. View the permissions for the Sales public folder.
When to Use SharePoint Instead of Public Folders

Key Points
Exchange Server 2010 fully supports public folders. However, there are several reasons that another
complementary technology may be a better solution. You need to move custom applications that use
Exchange Server event sinks or organizational forms to a supported platform, such as SharePoint, by using
the InfoPath® information-gathering program. If you are using public folders to share documents,
consider moving these documents to SharePoint for additional features, such as versioning and file
locking. Depending on its scope, a new Exchange Server deployment that includes calendar sharing,
contact sharing, discussion forums, or distribution group archives, can use Exchange Server public folders
or SharePoint. Additionally, when deploying new custom applications, use Exchange Web Services and/or
SharePoint, depending on the application’s scope.

Question: For what does your company currently use public folders and SharePoint?
Lab: Configuring Mailbox Servers

Lab Setup

Important: If required, start the 10135A-VAN-DC1 virtual machine first, and ensure that it is fully
started before starting the other virtual machines.

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and the 10135A-VAN-EX3 virtual machines are
running.
• 10135A-VAN-DC1: Domain controller in the Adatum.com domain
• 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain
• 10135A-VAN-EX3: Exchange 2010 server in the Adatum.com domain
3. If required, connect to the virtual machines. Log on to the computers as Adatum\Administrator,
using the password Pa$$w0rd.

Lab Scenario
You are a new messaging administrator at A. Datum Corporation, and your manager has left instructions
indicating that you need to create and configure a database for the executive group, and then move the
existing database for the accounting group to a new location. Additionally, you need to add an additional
public folder database, and then replicate data to it.
Exercise 1: Configuring Mailbox Databases


Scenario
You must configure the Executive database so that a mailbox can no longer send or receive messages
after its size reaches 1,024 MB. Additionally, you should ensure that a warning is sent to users when their
mailbox reaches 850 MB.

The main tasks for this exercise are:

1. Create a new database for the Executive mailboxes.


2. Configure the Executive mailbox database with appropriate limits.
3. Move the existing Accounting database to a new location.

Task 1: Create a new database for the Executive mailboxes


1. On VAN-EX1, open the Exchange Management Console.
2. Create a new database named Executive on VAN-EX1.
3. Store database files in C:\Mailbox\Executive.
4. Store log files in C:\Mailbox\Executive.

Task 2: Configure the Executive mailbox database with appropriate limits


1. Configure the limits on the Executive database:
• Prohibit send and receive: 1024000
• Issue warning: 850000

Task 3: Move the existing Accounting database to a new location


1. Move the Accounting database files.
2. Store database files in C:\Mailbox\Accounting.
3. Store log files in C:\Mailbox\Accounting.

Results: After this exercise, you should have created a new database, set the specified limits, and
moved the existing Accounting database to a new folder.
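The three tasks of this exercise done from the Exchange Management Shell instead of the console, as an added example that is not part of the course: create and mount the Executive database, apply the lab's limits (given in KB, as the tasks list them), relocate the Accounting database, and then verify that the paths Exchange records for each database actually exist on disk. Server, database names and paths are the lab's; the example assumes both databases are on VAN-EX1 and the script runs there, since Test-Path checks local paths. The verification function name is the example's own.

```powershell
# Added example, not part of the course. Run in the Exchange Management Shell on VAN-EX1.

# Task 1: create the Executive database with database and log files in C:\Mailbox\Executive.
# New-MailboxDatabase does not mount the new database, so mount it explicitly.
New-MailboxDatabase -Name 'Executive' -Server 'VAN-EX1' `
    -EdbFilePath 'C:\Mailbox\Executive\Executive.edb' `
    -LogFolderPath 'C:\Mailbox\Executive'
Mount-Database -Identity 'Executive'

# Task 2: the lab's limits, expressed in KB as the task lists them.
Set-MailboxDatabase -Identity 'Executive' `
    -IssueWarningQuota '850000KB' `
    -ProhibitSendReceiveQuota '1024000KB'

# Task 3: move the Accounting database. Move-DatabasePath dismounts the database, copies
# the files and mounts it again, so users lose access while the copy runs.
Move-DatabasePath -Identity 'Accounting' `
    -EdbFilePath 'C:\Mailbox\Accounting\Accounting.edb' `
    -LogFolderPath 'C:\Mailbox\Accounting' -Confirm:$false

# Verification: the recorded paths must exist and the database must be mounted.
function Test-DatabasePlacement {
    param([Parameter(Mandatory = $true)][string]$Identity)

    $db     = Get-MailboxDatabase -Identity $Identity -Status
    $edb    = $db.EdbFilePath.PathName
    $logDir = $db.LogFolderPath.PathName
    $logs   = Get-ChildItem -Path $logDir -Filter '*.log' -ErrorAction SilentlyContinue

    New-Object PSObject -Property @{
        Name        = $db.Name
        Mounted     = $db.Mounted
        EdbPath     = $edb
        EdbExists   = Test-Path -Path $edb
        LogFolder   = $logDir
        LogsPresent = (@($logs).Count -gt 0)   # at least the current <prefix>.log should exist
        Limits      = ('warn {0}, block {1}' -f $db.IssueWarningQuota, $db.ProhibitSendReceiveQuota)
    }
}

'Executive', 'Accounting' | ForEach-Object { Test-DatabasePlacement -Identity $_ } | Format-List
```

If EdbExists or LogsPresent is False for either database, the move or creation did not complete as recorded in Active Directory, and the database should not be left mounted until the files and the configuration agree.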
Exercise 2: Configuring Public Folders


Scenario
Before creating a new public folder database and replicating it, you must check the numbers of items and
size in the Executive public folder so that you can later verify that the replication was successful.

The main tasks for this exercise are as follows:


1. Check Executives public folder statistics.
2. Create a public folder database on VAN-EX3.
3. Add a replica of the Executives public folder on VAN-EX3.
4. Verify replication between VAN-EX1 and VAN-EX3.

Task 1: Check Executives public folder statistics


1. On VAN-EX3, open the Exchange Management Console, and in the Toolbox node, open the Public
Folder Management Console.
2. In the Public Folder Management Console, connect to VAN-EX1, and view the number of items and
size in the Executives public folder on VAN-EX1.
• Write down Total Items ______________________
• Write down Size (KB) ________________________

Task 2: Create a public folder database on VAN-EX3


• Create a new public folder database on VAN-EX3 named PF-VAN-EX3.
• Store database files in C:\Mailbox\PF-VAN-EX3\PF-VAN-EX3.edb.
• Store log files in C:\Mailbox\PF-VAN-EX3.

Task 3: Add a replica of the Executives public folder on VAN-EX3


• Add PF-VAN-EX3 as a replica for the Executives public folders, and then wait for replication to
complete.

Note: It can take up to 15 minutes for replication to complete.

Task 4: Verify replication between VAN-EX1 and VAN-EX3


• Verify the number and size of items in the Executives public folder on
VAN-EX3.

Results: After this exercise, you should have created a new public folder database on VAN-EX3 and
added a replica of the Executives public folder to it.
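The same two exercises done from the Exchange Management Shell, as an added example that is not part of the course lab. It uses only the lab's own server, database, folder and path names. The check at the end is the one a practitioner wants: -Replicas replaces the whole replica list, so the script reads the existing list before appending rather than overwriting it.

```powershell
# Added example, not part of the course lab: the Exchange Management Shell
# equivalent of the two exercises. Server, database, folder and path names are
# the lab's own; nothing else is assumed.

# Exercise 1: move the Accounting database and its logs. The database is
# dismounted for the duration of the copy, so do this in a maintenance window.
Move-DatabasePath -Identity "Accounting" `
    -EdbFilePath "C:\Mailbox\Accounting\Accounting.edb" `
    -LogFolderPath "C:\Mailbox\Accounting" -Confirm:$false

# Exercise 2, Task 1: record the item count and size of \Executives on VAN-EX1.
$before = Get-PublicFolderStatistics -Identity "\Executives" -Server VAN-EX1 |
    Select-Object ItemCount, TotalItemSize

# Task 2: create and mount the public folder database on VAN-EX3.
New-PublicFolderDatabase -Name "PF-VAN-EX3" -Server VAN-EX3 `
    -EdbFilePath "C:\Mailbox\PF-VAN-EX3\PF-VAN-EX3.edb" `
    -LogFolderPath "C:\Mailbox\PF-VAN-EX3"
Mount-Database -Identity "PF-VAN-EX3"

# Task 3: add PF-VAN-EX3 to the replica list. -Replicas replaces the whole list,
# so read the current replicas first and append. Overwriting with a single
# entry would remove the VAN-EX1 replica and leave the new, still-empty
# replica as the only copy of the folder.
$pf = Get-PublicFolder -Identity "\Executives"
$replicas = @($pf.Replicas | ForEach-Object { $_.ToString() }) + "PF-VAN-EX3"
Set-PublicFolder -Identity "\Executives" -Replicas $replicas

# Optional: push hierarchy and content replication instead of waiting 15 minutes.
# -Server is the server whose replica should be synchronized.
Update-PublicFolderHierarchy -Server VAN-EX3
Update-PublicFolder -Identity "\Executives" -Server VAN-EX3

# Task 4: compare the replica on VAN-EX3 with the figures recorded in Task 1.
$after = Get-PublicFolderStatistics -Identity "\Executives" -Server VAN-EX3 |
    Select-Object ItemCount, TotalItemSize
"VAN-EX1: {0} items, {1}" -f $before.ItemCount, $before.TotalItemSize
"VAN-EX3: {0} items, {1}" -f $after.ItemCount, $after.TotalItemSize
if ($after.ItemCount -ne $before.ItemCount) {
    Write-Warning "Replica on VAN-EX3 is not yet in sync; check again in a few minutes."
}
```

Run it on VAN-EX3 in the Exchange Management Shell as the lab administrator; the two summary lines should show matching item counts once replication has finished.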

To prepare for the next module


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the
following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start.

5. To connect to the virtual machine for the next module's lab, click 10135A-VAN-DC1, and then in the
Actions pane, click Connect.

Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting
the other virtual machines.

6. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.
7. Wait for VAN-EX1 to start, and then start VAN-CL1. Connect to the virtual machine.

Module Review and Takeaways

Review Questions
1. Which tools can you use to manage Exchange Server 2010?

2. What customizations can you make on mailbox databases?


3. When can you use public folders?

Common Issues Related to Designing Mailbox Databases


Identify the causes for the following common issues related to designing and implementing Exchange
Server mailbox databases and fill in the troubleshooting tips. For answers, refer to relevant lessons in the
module.

Issue: You are planning to deploy a new Mailbox server on a different server and storage platform.
Troubleshooting tip: Use performance-testing tools, such as Exchange Load Generator or Jetstress, to
ensure that the Mailbox server will perform adequately.

Issue: After applying limits on each of the mailbox databases, some of the users are exceeding these
limits.
Troubleshooting tip: Verify that the mailboxes are set to inherit limit settings from the database, rather
than having limits set separately on each mailbox.

Issue: You are migrating from Exchange Server 2003, and none of the users with Exchange Server 2010
mailboxes can access legacy public folders via Outlook Web App.
Troubleshooting tip: Verify that a replica of the required public folders exists on an Exchange Server
2010 server.

Real-World Issues and Scenarios


1. Your organization needs to determine which storage solution to deploy for the new Exchange Server
2010 messaging environment. What information should you consider when selecting the hardware?

2. Your organization would like to automate creation of user mailboxes for employees based on their
status in your organization’s human-resources system. What can you use to perform this automation?

3. Your organization wants to reduce administrative costs. One suggestion is to give department heads
and administrative assistants the necessary access to manage departmental and project-based
groups. What can you use to accomplish this task?

Best Practices Related to Public Folder Deployment Planning


Supplement or modify the following best practices for your own work situations:
• Determine the public folder features that your organization needs, such as multiple master
replications.
• Determine whether other solutions, such as SharePoint or InfoPath, meet user needs better.
• Define specific age and size limits, so that public folder data does not grow uncontrolled and
outdated.

Tools
Tool: Exchange Management Console
Use for: Configuring the Exchange Server organization, its servers, and its recipients
Where to find it: Start menu

Tool: Exchange Management Shell
Use for: Configuring the Exchange Server organization, its servers, and its recipients; completing
bulk-management tasks
Where to find it: Start menu

Tool: Exchange Control Panel
Use for: Managing recipients
Where to find it: Outlook Web App


Managing Recipient Objects 3-1

Module 3
Managing Recipient Objects
Contents:
Lesson 1: Managing Mailboxes 3-3
Lesson 2: Managing Other Recipients 3-19
Lesson 3: Configuring E-Mail Address Policies 3-26
Lesson 4: Configuring Address Lists 3-31
Lesson 5: Performing Bulk Recipient Management Tasks 3-37
Lab: Managing Exchange Recipients 3-41

Module Overview

In any messaging system, you need to create recipients and configure them to send and receive e-mail. As
a Microsoft® Exchange Server messaging administrator, you often must create, modify, or delete recipient
objects. Therefore, it is important to have a good understanding of recipient management. In Exchange
Server 2010, you can easily perform bulk management of Exchange Server recipient objects by using the
Exchange Management Shell.
This module describes how you can manage recipient objects, address policies, and address lists in
Exchange Server 2010, and the procedures for performing bulk management tasks in Exchange
Management Shell.
After completing this module, you will be able to:
• Manage mailboxes in Exchange Server 2010.
• Manage other recipients in Exchange Server 2010.
• Configure e-mail address policies.
• Configure address lists.
• Perform bulk recipient management tasks.

Lesson 1
Managing Mailboxes

Apart from creating mailboxes, you may need to modify mailbox options to meet the needs of users and
ensure optimal performance of the messaging environment. Based on your organization’s requirements,
and its users, you also may have to move mailboxes to different servers or databases, and configure
resources.

This lesson provides an overview of Exchange Server recipient objects and the available configuration
options. Additionally, this lesson covers the reasons and procedures for moving mailboxes, and explains
how to configure resource mailboxes.

After completing this lesson, you will be able to:


• Identify the different recipient object types in Exchange Server 2010.
• Manage mailbox user accounts.
• Describe how to configure mailbox settings.
• Configure mailbox permissions.
• Describe the reasons for moving mailboxes.
• Move mailboxes by using the Exchange Management Console.
• Describe the purpose and functionality of resource mailboxes.
• Describe how to design resource booking policies.
• Manage resource mailboxes.

Discussion: Types of Exchange Server Recipients

Key Points
In Microsoft Exchange Server 2003, you could perform all individual recipient management tasks in Active
Directory Users and Computers. Since Microsoft Exchange Server 2007, and therefore in Exchange Server
2010, Active Directory Users and Computers cannot manage Exchange Server recipients. You must configure
all Exchange Server-specific recipient settings in the Exchange Management Console or the Exchange
Management Shell.
Exchange Server recipients are mail-enabled when they have associated e-mail addresses, but do not have
Exchange mailboxes. For example, a contact that has been mail-enabled becomes a mail contact.
Exchange Server 2010 supports the following recipient types:
• User mailboxes. A mailbox that you can assign to an individual user in your Exchange Server
organization. It typically contains messages, calendar items, contacts, tasks, documents, and other
important business data.
• Mail users or mail-enabled Active Directory® users. These are users outside the Exchange Server
organization that have an external e-mail address. All messages sent to the mail user are routed to
this external e-mail address. A mail user is similar to a mail contact, except that a mail user has Active
Directory logon credentials and can access resources.
• Resource mailboxes (Room mailboxes and Equipment mailboxes). A resource mailbox that you can
assign to a meeting location, or to a resource such as a projector. You can include resource mailboxes
as resources in meeting requests, which provides a simple and efficient way of scheduling resource
usage.
• Mail contact or mail-enabled contacts. These contacts contain information about people or
organizations that exist outside an Exchange Server organization and that have an external e-mail
address. Exchange Server routes all messages sent to the mail contact to this external e-mail address.
• Mail-enabled security and distribution groups. You can use a mail-enabled Active Directory security
group object to grant access permissions to Active Directory resources, and you also can use it to

distribute messages. You can use a mail-enabled Active Directory distribution group object to
distribute messages to a group of recipients.
• Dynamic distribution groups. A distribution group that uses recipient filters and conditions to derive
its membership at the time messages are sent.
• Linked mailboxes. You can assign a linked mailbox to an individual user in a separate, trusted forest.

You can use a mail-enabled user when Exchange Server 2010 is not responsible for sending and receiving
mail for an Active Directory user, but you want that user to appear in the global address list (GAL). You
might do this for remote sales people that prefer to use e-mail based on their own Internet service
providers (ISP).

You can only mail-enable universal security groups and universal distribution groups in Exchange Server
2010, similar to Exchange Server 2007.

Question: How is a mail-enabled contact different from a mail-enabled user?



Demonstration: How to Manage Mailboxes

Key Points
In this demonstration, you will see how to manage mailboxes by performing common operations: mail-enabling
and mail-disabling an existing user account, and creating a new user account with a mailbox.

Demonstration Steps
Use the Exchange Management shell to mail-enable an existing user:

1. Open Active Directory Users and Computers, and ensure that Daniel Brunner exists in the Users
container.
2. Open Exchange Management Shell, and run the following cmdlets:
• Enable-MailUser "Daniel Brunner" -ExternalEmailAddress Daniel@contoso.com
• Disable-MailUser "Daniel Brunner"
3. In Active Directory Users and Computers, verify that the Daniel Brunner user still exists.

Create a new mail-enabled user with the Exchange Management Console.


1. Open Exchange Management Console.
2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration,
and then select Mailbox.
3. Run the New Mailbox Wizard, and create a new user account and mailbox for Kim Akers. Create the
mailbox in the Accounting mailbox database.

Note: Remove-Mailbox deletes both the mailbox and the associated user account. Disable-Mailbox only
disconnects the mailbox from the account (the mailbox data is retained until the deleted-mailbox
retention period expires) and leaves the user account in place and enabled.
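The demonstration's operations as shell commands, with the check that makes the Disable-Mailbox versus Remove-Mailbox distinction visible. This is an added example, not course code. It uses the course's names and the Accounting database; the UPN suffix adatum.com is an assumption, and the -WhatIf dry runs are there because every one of these cmdlets writes to Active Directory.

```powershell
# Added example, not part of the course. Names and the database are the
# course's own; the UPN suffix adatum.com is assumed.

# Mail-enable an existing AD user: he appears in the GAL, but mail is routed to
# the external address and no mailbox is created.
Enable-MailUser -Identity "Daniel Brunner" -ExternalEmailAddress "Daniel@contoso.com"
Get-MailUser -Identity "Daniel Brunner" |
    Select-Object Name, ExternalEmailAddress, RecipientTypeDetails

# Disable-MailUser strips the Exchange attributes; the AD account remains.
Disable-MailUser -Identity "Daniel Brunner" -Confirm:$false
Get-User -Identity "Daniel Brunner" | Select-Object Name, RecipientType   # back to plain User

# Create an AD account plus mailbox in one step (what the New Mailbox wizard does).
$pw = Read-Host "Initial password for Kim Akers" -AsSecureString
New-Mailbox -Name "Kim Akers" -Alias Kim -UserPrincipalName Kim@adatum.com `
    -OrganizationalUnit Users -Database "Accounting" -Password $pw `
    -ResetPasswordOnNextLogon $true

# Disable-Mailbox only disconnects the mailbox; the account keeps working and the
# data stays in the database until deleted-mailbox retention expires.
Disable-Mailbox -Identity "Kim Akers" -WhatIf        # dry run first
Disable-Mailbox -Identity "Kim Akers" -Confirm:$false

# Clean-MailboxDatabase makes the disconnected state show up immediately
# instead of after the next maintenance pass.
Clean-MailboxDatabase -Identity "Accounting"
Get-MailboxStatistics -Database "Accounting" |
    Where-Object { $_.DisconnectDate -ne $null } |
    Select-Object DisplayName, DisconnectDate, MailboxGuid

# Undo: reconnect the disconnected mailbox to the same account.
$dm = Get-MailboxStatistics -Database "Accounting" |
    Where-Object { $_.DisplayName -eq "Kim Akers" -and $_.DisconnectDate -ne $null }
Connect-Mailbox -Identity $dm.MailboxGuid -Database "Accounting" -User "Kim Akers"

# Remove-Mailbox deletes the mailbox AND the AD account; there is nothing left to
# reconnect to afterwards. Dry run only here.
Remove-Mailbox -Identity "Kim Akers" -WhatIf
```

The Get-User call after Disable-MailUser and the Get-MailboxStatistics call after Disable-Mailbox are the two checks worth keeping in a runbook: they prove the account survived and that the mailbox data is still recoverable.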

Question: What tools do you prefer to use for managing mailbox users?

Question: How does your organization delegate Exchange and Active Directory management tasks?

Configuring Mailbox Settings

Key Points
Exchange Server 2010 provides several options for configuring a single mailbox. Many of these options
are similar to those available for managing an Active Directory domain services environment. Mailbox
configuration options include:
• General
• User Information
• Address and Phone
• Organization
• Account
• Member Of
However, some configuration options are unique to Exchange Server such as:
• Mail Flow Settings. There are three mail-flow settings: delivery options, message-size restrictions, and
message-delivery restrictions:
• Use the delivery options to set:
• Who can send an e-mail message from that mailbox.
• A recipient to whom all messages are forwarded.
• The maximum number of recipients to which the mailbox can send a single message.
• Use the message-size restrictions options to specify the maximum size for the messages that the
mailbox sends or receives.
• Use the message delivery restrictions options to control the recipients that can send messages to
the mailbox.

• Mailbox Features. Use these options to configure the mailbox’s specific features, such as Microsoft
Outlook® Web App, Exchange ActiveSync®, Unified Messaging, Post Office Protocol version 3
(POP3), Internet Message Access Protocol version 4 (IMAP4), and the Archive mailbox.
• Calendar Settings. Use this option to configure how a mailbox processes meeting requests.
• Mailbox Settings. There are four mailbox settings: messaging records management, federated sharing,
storage quotas, and archive quota.
• E-Mail Addresses. Use this option to configure the e-mail addresses assigned to the mailbox.
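The settings listed above set from the shell, as an added example that is not part of the course. "Kim Akers" and "Wei Yu" are the course's names; the "All Employees" group, the "Helpdesk" mailbox and the quota and size values are illustrative assumptions. The two audit queries at the end are the security-relevant part: an administrator-set forwarding address is a classic data-exfiltration path, and mailboxes that stop inheriting database quotas are the cause of the "users exceeding limits" issue in the module review.

```powershell
# Added example, not part of the course. Group, helpdesk mailbox and limit
# values are assumptions; the mailbox names come from the course.

# Mail Flow Settings: delivery options, message-size restrictions and
# message-delivery restrictions, passed as one splatted parameter set.
$flow = @{
    Identity                        = "Kim Akers"
    RecipientLimits                 = 200               # max recipients per message
    MaxSendSize                     = 10MB              # message-size restrictions
    MaxReceiveSize                  = 10MB
    AcceptMessagesOnlyFromDLMembers = "All Employees"   # delivery restrictions (assumed group)
    GrantSendOnBehalfTo             = "Wei Yu"          # who may send on behalf of the mailbox
    ForwardingAddress               = "Helpdesk"        # forward everything (assumed mailbox)
    DeliverToMailboxAndForward      = $true             # ...but keep a local copy too
}
Set-Mailbox @flow

# Mailbox Settings: per-mailbox storage quotas only apply once the mailbox stops
# inheriting the database defaults.
Set-Mailbox -Identity "Kim Akers" -UseDatabaseQuotaDefaults $false `
    -IssueWarningQuota 1800MB -ProhibitSendQuota 2GB -ProhibitSendReceiveQuota 2300MB

# Mailbox Features: client protocols live on the CAS mailbox object, the
# archive is enabled with Enable-Mailbox.
Set-CASMailbox -Identity "Kim Akers" -OWAEnabled $true -ActiveSyncEnabled $true `
    -PopEnabled $false -ImapEnabled $false
Enable-Mailbox -Identity "Kim Akers" -Archive

# Audit 1: every mailbox that forwards anywhere. Each entry should map to a
# documented request; an unexplained one is worth an incident ticket.
Get-Mailbox -ResultSize Unlimited -Filter { ForwardingAddress -ne $null } |
    Select-Object Name, ForwardingAddress, DeliverToMailboxAndForward

# Audit 2: mailboxes that no longer inherit the database quotas.
Get-Mailbox -ResultSize Unlimited -Filter { UseDatabaseQuotaDefaults -eq $false } |
    Select-Object Name, IssueWarningQuota, ProhibitSendQuota, ProhibitSendReceiveQuota
```

Splatting is used for the first call so that each parameter can carry its own comment; a single long Set-Mailbox line with backtick continuations cannot, because a comment after the backtick ends the statement.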

Question: Why would you configure mailbox size limits on individual mailboxes?

Demonstration: How to Configure Mailbox Permissions

Key Points
In this demonstration, you will see how to assign Full Access and Send As permissions to a mailbox.

Demonstration Steps
Assign Wei Yu send as permissions on Kim Akers’s mailbox:
1. Open Exchange Management Console.
2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration,
and then select Mailbox.
3. In the Results pane, select the Kim Akers mailbox, and then in the Actions pane, click Manage Send
As Permission.
4. In the Manage Send As Permission Wizard, click Add.
5. In the Select User or Group dialog box, choose Wei Yu, and then click OK.
6. Click Manage.
7. Click Finish.

Assign Wei Yu full access to Kim Akers’s mailbox:

1. Select the Kim Akers mailbox, and then in the Actions pane, click Manage Full Access Permission.
2. In the Manage Full Access Permission Wizard, click Add.
3. In the Select User or Group dialog box, choose Wei Yu, and then click OK.
4. Click Manage, and then click Finish.
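The same grants from the shell, plus Send on Behalf and an organization-wide audit of explicit delegates. This is an added example, not course code; it uses only the course's user names (Adatum\Wei, Kim Akers). Send As is an Active Directory extended right on the user object, Full Access is a mailbox right, and Send on Behalf is an attribute of the target mailbox, which is why three different cmdlets are involved.

```powershell
# Added example, not part of the course. Only names from the course are used.

# Send As: an AD extended right on Kim's user object.
Add-ADPermission -Identity "Kim Akers" -User "Adatum\Wei" -ExtendedRights "Send-As"

# Full Access: a mailbox right; InheritanceType All covers every folder.
Add-MailboxPermission -Identity "Kim Akers" -User "Adatum\Wei" `
    -AccessRights FullAccess -InheritanceType All

# Send on Behalf: a mailbox attribute, not an ACL. Recipients see
# "Wei Yu on behalf of Kim Akers", which Send As hides.
Set-Mailbox -Identity "Kim Akers" -GrantSendOnBehalfTo "Wei Yu"

# Verify the three grants on this one mailbox.
Get-ADPermission -Identity "Kim Akers" |
    Where-Object { -not $_.IsInherited -and $_.ExtendedRights -like "*Send-As*" }
Get-MailboxPermission -Identity "Kim Akers" |
    Where-Object { -not $_.IsInherited -and $_.User -notlike "NT AUTHORITY\SELF" }
(Get-Mailbox -Identity "Kim Akers").GrantSendOnBehalfTo

# Audit: explicit (non-inherited) Full Access and Send As grants across the
# organization. Inherited entries come from the database and organization ACLs
# and are expected; every explicit entry should map to a business need.
function Get-ExplicitMailboxDelegates {
    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $mbx = $_
        Get-MailboxPermission -Identity $mbx.Identity |
            Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                           $_.User -notlike "NT AUTHORITY\SELF" } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Mailbox = $mbx.Name; Trustee = $_.User.ToString()
                    Right = "FullAccess"; Detail = ($_.AccessRights -join ",") }
            }
        Get-ADPermission -Identity $mbx.Identity |
            Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                           $_.ExtendedRights -like "*Send-As*" -and
                           $_.User -notlike "NT AUTHORITY\SELF" } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Mailbox = $mbx.Name; Trustee = $_.User.ToString()
                    Right = "Send-As"; Detail = "extended right" }
            }
    }
}
Get-ExplicitMailboxDelegates | Sort-Object Mailbox, Trustee |
    Format-Table Mailbox, Trustee, Right, Detail -AutoSize

# Revoke when the need ends; delegation should expire with the project.
Remove-MailboxPermission -Identity "Kim Akers" -User "Adatum\Wei" `
    -AccessRights FullAccess -InheritanceType All -Confirm:$false
Remove-ADPermission -Identity "Kim Akers" -User "Adatum\Wei" `
    -ExtendedRights "Send-As" -Confirm:$false
```

Schedule the audit function periodically and diff its output against the previous run; a new Full Access or Send As entry that nobody requested is one of the earliest signs of a compromised administrator account.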

Question: When would more than one user need to access the same mailbox?

Question: What is the difference between Send on behalf of permissions and Send As permissions?

Reasons for Moving Mailboxes

Key Points
You might need to move your organization’s mailboxes. The following scenarios list the common reasons
for moving mailboxes:
• Transition. When you transition an existing Exchange Server 2007 or Exchange Server 2003
organization to Exchange Server 2010, you need to move mailboxes from the existing Exchange
servers to an Exchange Server 2010 Mailbox server.
• Realignment. You can move mailboxes to realign based on specific values. For example, you may
want to move a mailbox from one database to another that has a larger mailbox size limit.
• Investigating an issue. If you need to investigate an issue with a mailbox, you can move that mailbox
to a different server. For example, you can move all mailboxes that have corrupted messages to one
server.
• Corrupted mailboxes. If you encounter corrupted mailboxes, you can move the mailboxes to a
different server or database to fix the corruption.
• Physical location changes. You can move mailboxes to a server that is in a different Active Directory
site. For example, if a user moves to a different physical location, you can move that user’s mailbox to
a server that is in a site closer to the new location.
• Separation of administrative roles. A company may want to separate the administration of Microsoft
Exchange from administration of Microsoft Windows® accounts. To do this, you can move mailboxes
from a single forest into a resource forest scenario, in which the Microsoft Exchange mailboxes reside
in one forest and their associated Windows user accounts reside in a separate forest.
• Outsourcing e-mail administration. A company may want to outsource the administration of e-mail
and retain the administration of Windows user accounts. To do this, you can move mailboxes from a
single forest into a resource forest scenario, in which the Microsoft Exchange mailboxes reside in one
forest and their associated Windows user accounts reside in a separate forest.

• Integrating e-mail and user-account administration. A company might want to change from a
separated or outsourced e-mail administration model to a model in which e-mail and user accounts
are managed from the same forest. To do this, you can move mailboxes from a resource forest
scenario to a single forest, in which the Microsoft Exchange mailboxes and Windows user accounts
reside in the same forest.
• Reducing database size. When data has been removed from a database and it contains a lot of white
space, you can move the remaining mailboxes online to a new database and delete the original database,
rather than performing an offline defragmentation.
While a move request is in progress, the mailbox stays online, allowing the user to continue sending and
receiving e-mail. You can view the move request status in the Exchange Management Console and
Exchange Management Shell. The request can have one of the following statuses:
• Queued for move
• Move in progress
• Ready to complete
• Completing

Demonstration: How to Move Mailboxes

Key Points
In this demonstration, you will see how to move mailboxes by using the Exchange Management Console.

Demonstration Steps
Move Kim Akers’s mailbox to Mailbox Database 1:
1. On VAN-EX1, if required, click Start, click All Programs, click Microsoft Exchange Server 2010, and
then click Exchange Management Console.
2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration,
and then select Mailbox.
3. Select the Kim Akers mailbox, and then in the Actions pane, click New Local Move Request.
4. In the New Local Move Request Wizard, click Browse.
5. Select Mailbox Database 1, and then click OK.
6. Click Next.
7. Verify that Skip the mailbox is selected, and then click Next.
8. Click New.
9. Click Finish.
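The same local move done with New-MoveRequest, as an added example that is not part of the course. It suspends the request just before completion so that the brief user disconnection at switch-over can be scheduled (the point behind the question that follows), then shows the status checks and the clean-up. Names are the course's own; the bad-item limit is an illustrative choice.

```powershell
# Added example, not part of the course. Mailbox and database names come from
# the demonstration; BadItemLimit 10 is an illustrative value.

# Queue the move. -BadItemLimit is the shell equivalent of the wizard's
# corrupted-message handling: with the default of 0, the first corrupted item
# fails the move. -SuspendWhenReadyToComplete stops it just before the switch-over.
New-MoveRequest -Identity "Kim Akers" -TargetDatabase "Mailbox Database 1" `
    -BadItemLimit 10 -SuspendWhenReadyToComplete

# Poll until the request is suspended (ready to complete), finished, or failed.
do {
    Start-Sleep -Seconds 30
    $stats = Get-MoveRequestStatistics -Identity "Kim Akers"
    "{0}: {1}% {2}" -f $stats.DisplayName, $stats.PercentComplete, $stats.Status
} until ($stats.Status -eq "AutoSuspended" -or $stats.Status -eq "Failed" -or
         $stats.Status -like "Completed*")

# Finish the move inside the maintenance window; the user reconnects to the
# new database when this completes.
if ($stats.Status -eq "AutoSuspended") {
    Resume-MoveRequest -Identity "Kim Akers"
}

# Review the outcome. CompletedWithWarning means items were skipped under the
# bad-item limit; the report lists each one so the user can be told what is missing.
Get-MoveRequest -Identity "Kim Akers" | Select-Object DisplayName, Status, TargetDatabase
Get-MoveRequestStatistics -Identity "Kim Akers" -IncludeReport |
    Select-Object -ExpandProperty Report

# Completed requests stay in Active Directory until removed, and a mailbox with an
# existing request cannot be moved again. Clear them once reviewed.
Get-MoveRequest -MoveStatus Completed | Remove-MoveRequest -Confirm:$false
```

Keep the move report before removing the request if the move is part of an investigation: it records which items were skipped and why.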
Question: What is the benefit of scheduling mailbox moves?

What Are Resource Mailboxes?

Key Points
Resource mailboxes are specific types of mailboxes that you can use to represent meeting rooms or
shared equipment, and you can include them as resources in meeting requests. The Active Directory user
that is associated with a resource mailbox is a disabled account.
• Room mailboxes. These are resource mailboxes that you can assign to meeting locations, such as
conference rooms, auditoriums, and training rooms.
• Equipment mailboxes. These are resource mailboxes that you can assign to non-location-specific
resources, such as portable computer projectors, microphones, or company cars.
You can include both types of resource mailboxes as resources in meeting requests, and thus provide a
simple and efficient way to utilize resources for your users. You can configure resource mailboxes to
automatically process incoming meeting requests based on the resource booking policies that are defined
by the resource owners. For example, you can configure a conference room to automatically accept
incoming meeting requests except recurring meetings, which can be subject to approval by the resource
owner.

You can create a resource mailbox as a room or as equipment. After creating the resource mailbox, you
configure properties such as location and capacity. Then, you define the resource booking policy and
enable the Resource Booking Attendant.

Designing Resource Booking Policies

Key Points
A resource booking policy specifies:
• Who can schedule a resource.
• When the resource can be scheduled.
• What meeting information will be visible on the resource’s calendar.
• The response message that meeting organizers will receive.
Exchange Server 2010 provides various resource mailboxes, such as meeting rooms and equipment. You
can invite these resources to meetings as a way of reserving the meeting room or equipment. Exchange
Server 2010 provides several options for managing users who can book meetings using resource
mailboxes.

Options for Configuring Automate Processing Settings


Exchange Server 2010 provides several options for configuring a resource mailbox so that it meets most
business needs. The Automate Processing setting has three values: None, AutoUpdate (the Calendar
Attendant), and AutoAccept (the Resource Booking Attendant). By default, the Calendar Attendant is enabled
on each resource mailbox. For the resource mailbox to process and accept meeting requests automatically,
you must enable the Resource Booking Attendant. You can configure resource mailboxes with either the
Exchange Management Console or the Exchange Management Shell.

The three common scheduling scenarios are automatic booking, manual approval by delegates, and manual
approval from the resource mailbox itself.
• To enable automatic booking, enable the Resource Booking Attendant and configure the booking policy.
• To enable manual approval by delegates, enable the Resource Booking Attendant, disable All Book In
Policy, enable All Request In Policy, and then specify the delegates.
• To enable manual approval from the resource mailbox, leave the Resource Booking Attendant disabled;
requests are then marked tentative in the resource's calendar until someone with access to the mailbox
responds to them.

Considerations for Developing a Resource Booking Policy


When designing the resource booking policy, you must consider:
• Who can schedule a resource and whether all users should be able to book a resource for a meeting.
You might accept the default settings for most resources in the organization, but consider restricting
who can book heavily used or important resources. For example, if you use a resource room mailbox
to manage the schedule for a large conference room, you may want to restrict who can book
meetings in the conference room.
• When users can schedule the resource. You may want to set restrictions on the time of day when
meetings can be booked with a resource, or restrict the meeting length or meeting recurrence.
• The automatic acceptance policy for the meeting resource. By default, all resource mailboxes are
configured to accept all new appointment requests as tentative, until a user approves the request.
Because the meeting is set to tentative, this also enables other users to book the meeting resource for
the same time. By changing the Automate Processing attribute for the resource mailbox, you can
modify the default behavior. The default value is configured as Auto Update. If you set the value to
Auto Accept, the resource mailbox accepts all meetings from authorized users automatically, and
prevents other users from booking the resource at the same time.

Question: How will you use resource mailboxes in your environment?



Demonstration: How to Manage Resource Mailboxes

Key Points
In this demonstration, you will use Exchange Management Console to create a resource mailbox, and then
configure it to accept appointments and create a delegate for the resource.

Demonstration Steps
1. On VAN-EX1, if required, click Start, click All Programs, click Microsoft Exchange Server 2010, and
then click Exchange Management Console.
2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration,
and then select Mailbox.
3. Create a new room mailbox with the following information:
• Name: Conference Room 1
• User logon name (User Principal Name): ConferenceRoom1
• Password: Pa$$w0rd
• Alias: ConferenceRoom1
4. After creating the room mailbox, modify the properties, and enable the resource booking attendant.
5. Open Internet Explorer, and log on to Outlook Web App as Adatum\Administrator with the
password of Pa$$w0rd.
6. In Outlook Web App, create a new Meeting Request.
7. In the Untitled Meeting window, type Sales Meeting as the subject, type Administrator in the To
field, and type Conference Room 1 in the Location field, and then click the Scheduling Assistant
tab.
8. Select a Start time and an End time.
9. Click the down arrow next to Select Rooms, and then click More.
10. In the Address Book window, double-click Conference Room 1, and then click OK.
11. Send the meeting request and verify that the resource accepted the invitation.
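Conference Room 1 created and configured from the shell, as an added example that is not part of the course. It covers both the three scheduling scenarios described under "Designing Resource Booking Policies" and the demonstration above. Names are the course's own; the capacity, booking window, duration, the "Executives" group used for the restricted variant and the delegate are assumptions. Note the DeleteSubject and DeleteComments settings: a room calendar is usually readable by everyone, so without them meeting titles and agendas leak to the whole organization.

```powershell
# Added example, not part of the course. Policy values, the "Executives" group
# and the delegate are assumptions; the room name comes from the demonstration.

# A room mailbox; its AD account is created disabled, so no password is needed.
New-Mailbox -Name "Conference Room 1" -Alias ConferenceRoom1 -Room `
    -UserPrincipalName ConferenceRoom1@adatum.com -Database "Mailbox Database 1"
Set-Mailbox -Identity "Conference Room 1" -ResourceCapacity 20

# Scenario 1: automatic booking. AutoAccept turns on the Resource Booking
# Attendant; the remaining parameters are the booking policy itself.
Set-CalendarProcessing -Identity "Conference Room 1" -AutomateProcessing AutoAccept `
    -AllBookInPolicy $true `
    -BookingWindowInDays 90 -MaximumDurationInMinutes 240 `
    -AllowRecurringMeetings $false -ScheduleOnlyDuringWorkHours $true `
    -DeleteSubject $true -AddOrganizerToSubject $true -DeleteComments $true `
    -AdditionalResponse $true -AddAdditionalResponse "A badge is required to enter this room."

# Scenario 2: manual approval by delegates. Attendant stays on, nobody is booked
# automatically (AllBookInPolicy off), everyone may ask (AllRequestInPolicy on),
# and the named delegates approve.
Set-CalendarProcessing -Identity "Conference Room 1" -AutomateProcessing AutoAccept `
    -AllBookInPolicy $false -AllRequestInPolicy $true -ResourceDelegates "Kim Akers"

# Restricted variant: only members of one group are booked automatically;
# everyone else goes through the delegates.
Set-CalendarProcessing -Identity "Conference Room 1" -AllBookInPolicy $false `
    -BookInPolicy "Executives" -AllRequestInPolicy $true -ResourceDelegates "Kim Akers"

# Scenario 3: manual approval from the mailbox. AutoUpdate (Calendar Attendant
# only) marks requests tentative; someone with Full Access to the room answers them.
Set-CalendarProcessing -Identity "Conference Room 1" -AutomateProcessing AutoUpdate
Add-MailboxPermission -Identity "Conference Room 1" -User "Kim Akers" -AccessRights FullAccess

# Check what is in force before telling users how the room behaves.
Get-CalendarProcessing -Identity "Conference Room 1" |
    Select-Object AutomateProcessing, AllBookInPolicy, AllRequestInPolicy, BookInPolicy,
        ResourceDelegates, BookingWindowInDays, MaximumDurationInMinutes,
        AllowRecurringMeetings, ScheduleOnlyDuringWorkHours, DeleteSubject, DeleteComments
```

Each Set-CalendarProcessing call above is a complete scenario; pick one rather than running them in sequence, because the last one wins.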

Question: How does your organization use resource mailboxes?

Question: Which attributes are useful for your resource mailboxes?



Lesson 2
Managing Other Recipients

Exchange Server also includes other recipient types that provide additional functionality, such as sending
e-mail to an entire company department, or publishing the e-mail addresses of people outside your company
so that all users can find them in the address book.
In this lesson, you will be introduced to the other recipient types in Exchange Server 2010 such as contacts
and distribution groups.
After completing this lesson, you will be able to:
• Describe the functionality of mail contacts and mail users.
• Describe the purpose of a distribution group.
• Explain the options for configuring distribution groups.
• Manage distribution groups by using the Exchange Control Panel.

What Are Mail Contacts and Mail Users?

Key Points
Mail contacts are mail-enabled Active Directory contacts. These contacts contain information about
people or organizations that exist outside your Exchange Server organization. You can view mail contacts
in the GAL and other address lists, and you can add them as members to distribution groups. Each contact
has an external e-mail address, and all e-mail messages that are sent to a contact are automatically
forwarded to that address.

If multiple people within your organization contact a trusted external person, you can create a mail
contact with the person’s e-mail address. This allows Exchange Server users to select that person from the
GAL for sending e-mail.

Mail users are similar to mail contacts. Both have external e-mail addresses, they contain information
about people outside your Exchange Server organization, and you can display them in the GAL and other
address lists. However, unlike a mail contact, mail users have Active Directory logon credentials and can
access resources to which they are granted permission.

If a person external to your organization requires access to resources on your network, you should create
a mail user instead of a mail contact. For example, you may want to create mail users for short-term
consultants who require access to your server infrastructure, but who will use their own external e-mail
addresses.
In another scenario, you can create mail users for whom you do not want to maintain an Exchange Server
mailbox. For example, after an acquisition, the acquired company may maintain its own messaging
infrastructure, but it may also need access to your network’s resources. For those users, you might want to
create mail users instead of mailbox users.

Question: When would you use mail-enabled contacts?

Question: Why would you use a mail-enabled contact rather than a mail-enabled user?

What Are Distribution Groups?

Key Points
You can use mail-enabled groups to allow end users to send e-mail to multiple recipients. Mail-enabled
groups also allow you to assign permissions simultaneously to multiple users for Exchange Server objects,
such as private mailboxes and public folders. In Exchange Server 2010, mail-enabled groups belong to
one of the following four categories:
• Universal Security groups. Can be mail-enabled and can be assigned permissions outside of Exchange
Server.
• Distribution groups. Are mail-enabled and can only be assigned Exchange Server permissions for
things such as Public folders. The two types of distribution groups are:
• Static
• Dynamic
• Public groups. End users can manage these distribution groups through the Exchange Control Panel.
Within Exchange Control Panel, the end user can add or remove group members, moderate the
group, or even request access to other public groups.
• Moderated groups. These are distribution groups that allow the group manager to approve or reject
either all messages sent to the group or from specific users. You can use moderated groups to restrict
the conversations that occur between group members.

Question: When would your organization use distribution groups?

Question: When would your organization use public and moderated groups?

Options for Configuring Distribution Groups

Key Points
Similar to the options available for configuring mailboxes, there are a number of options available for
configuring mail-enabled groups.

You can configure several options for Exchange Server distribution groups, including:
• Group membership. These are the objects that are in the distribution group.
• Maximum message size. Use this option to set the maximum size for messages that can be sent to the
distribution group.
• Message delivery options. Use these options to configure which users can send messages to the
group.
• Address list visibility. Use this option to hide the group from the address list. You can use this option
when the distribution group is used mainly for receiving e-mail from the Internet, and internal users
do not need it.
• Delivery of out-of-office messages. Enable this option to send out-of-office messages back to the
message sender, if one of the distribution group recipients has enabled out-of-office notifications.
• Non-delivery reports. Use this option to configure non-delivery reports (NDR). You can choose to
send an NDR or specify whether they are sent to the distribution list’s manager or to the message
originator.
• E-mail addresses for the group. Use this option to configure the distribution group’s e-mail address.
• Message moderation. Use these options to assign moderators permissions to review all messages that
are sent to the distribution list. You also can configure a list of users that do not require moderation.
Additionally, you can configure notifications to alert the message originators if their message is
approved or not.
• Membership approval. Use these options to control if and how users can join or leave the group:

• Choose whether owner approval is required to join the group. If you choose Open, users can join
this distribution group without the approval of the distribution group owners. If you choose
Closed, only distribution group owners can add members to the group. Requests to join this
distribution group will be rejected automatically. If you choose owner approval, users can request
membership on this distribution group. The distribution group owner must approve requests to
join the group before the user can join.
• Choose whether the group is open to leave. If you choose Open, users can leave this distribution
group without the approval of the distribution group owners. If you choose Closed, only
distribution group owners can remove members from this distribution group. Requests to leave
this distribution group will be rejected automatically.
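A Sales distribution group configured from the shell with the options listed above, a dynamic group for comparison, and the audit a security engineer runs on lists. This is an added example, not course code. "Sales" and the member names come from the later demonstration; the group owner, the recipient container and the department filter are assumptions. The setting that matters most for abuse is RequireSenderAuthenticationEnabled: a list that accepts unauthenticated Internet senders is a phishing amplifier.

```powershell
# Added example, not part of the course. Owner, recipient container and the
# department filter are assumptions; "Sales" and the members come from the course.

# Static distribution group. Only universal groups can be mail-enabled, and
# New-DistributionGroup creates a universal group for you.
New-DistributionGroup -Name "Sales" -Alias Sales -Type Distribution `
    -ManagedBy "Kim Akers" -Members "Manoj Syamala","Rohinton Wadia","Paul West" `
    -MemberJoinRestriction ApprovalRequired -MemberDepartRestriction Open

# The remaining options from the list above, one splatted call so each can be annotated.
$opts = @{
    Identity                             = "Sales"
    MaxReceiveSize                       = 5MB        # maximum message size
    RequireSenderAuthenticationEnabled   = $true      # delivery: internal, authenticated senders only
    AcceptMessagesOnlyFromDLMembers      = "Sales"    # delivery: and only the group's own members
    HiddenFromAddressListsEnabled        = $false     # address list visibility
    SendOofMessageToOriginatorEnabled    = $false     # no out-of-office replies to senders
    ReportToManagerEnabled               = $true      # NDRs go to ManagedBy ...
    ReportToOriginatorEnabled            = $false     # ... not back to the sender
    ModerationEnabled                    = $true      # message moderation
    ModeratedBy                          = "Kim Akers"
    BypassModerationFromSendersOrMembers = "Kim Akers"
    SendModerationNotifications          = "Internal" # tell internal senders when rejected
}
Set-DistributionGroup @opts

# Dynamic distribution group: membership is evaluated from the filter at send time.
New-DynamicDistributionGroup -Name "All Sales Staff" -Alias AllSales `
    -RecipientContainer "adatum.com/Users" `
    -RecipientFilter { (RecipientType -eq 'UserMailbox') -and (Department -eq 'Sales') }

# Preview who would receive a message right now; the only way to test a filter.
$ddg = Get-DynamicDistributionGroup -Identity "All Sales Staff"
Get-Recipient -RecipientPreviewFilter $ddg.RecipientFilter `
    -OrganizationalUnit $ddg.RecipientContainer | Select-Object Name, Department

# Audit: groups open to unauthenticated senders. Each one lets anyone on the
# Internet mail the whole membership; review them with their owners.
Get-DistributionGroup -ResultSize Unlimited |
    Where-Object { -not $_.RequireSenderAuthenticationEnabled } |
    Select-Object Name, PrimarySmtpAddress, ManagedBy
```

A group that must receive Internet mail (a support alias, for example) should be the exception on the audit list, with moderation or a restricted sender list in place of authentication.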

Question: What is the advantage of enforcing a naming convention for distribution groups?

Demonstration: How to Manage Groups by Using the Exchange Control Panel

Key Points
Public groups is a new feature that enables users that have the requisite permissions to add distribution
groups, manage membership, and moderate content.

Demonstration Steps
Add Kim Akers to the Recipient Management role group:
1. On VAN-EX1, in Active Directory Users and Computers, add Kim Akers to the Recipient
Management role group.

Log on to Exchange Control Panel as Kim Akers, and create a new Sales group:
1. Log on to Exchange Control Panel as Adatum\Kim with the password of Pa$$w0rd.
2. Select Public Groups, and create a new Public Group.
3. In the New Group window, configure the following information:
• Display name: Sales
• Alias: Sales
• Description: Sales Department
4. Add the following members:
• Manoj Syamala
• Rohinton Wadia
• Paul West
5. Expand Membership Approval, and select Owner Approval.
6. Click Save.
7. Sign out of Exchange Control Panel.
Log on to ECP as Wei Yu, and ask to join the Sales group:
1. Log on to Exchange Control Panel as Adatum\Wei with the password of Pa$$w0rd.
2. In the left pane, select Groups.
3. In the Public Groups I Belong to section, click Join.
4. In the All Groups window, select Sales, and then click Join.
5. Click Close.
6. Sign out of Exchange Control Panel.
Approve Wei Yu’s request to be added to the Sales Group:
1. Log on to Outlook Web App as Adatum\Kim with the password of Pa$$w0rd.
2. Double-click the Request to Join Distribution Group message in the inbox.
3. In the Request to Join Distribution Group message pane, click Approve.
4. Close Outlook Web App.
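The same Sales group, created and configured from the Exchange Management Shell instead of the Exchange Control Panel, with the membership approval and message moderation options described earlier in this lesson. This is an added example and is not part of the course demonstration. It assumes the Adatum.com domain, an Adatum.com/Users organizational unit, and the users named in the demonstration; the moderation settings it applies (all messages held for Kim Akers, senders always notified, Paul West exempt) are illustrative assumptions, not settings from the demonstration.

```powershell
# Added example (not course code): the demonstration's Sales group built from the
# Exchange Management Shell. Assumes the Adatum.com domain, the Adatum.com/Users OU,
# and the demonstration users exist. Run in the Exchange Management Shell.

$groupName = "Sales"
$owner     = "Kim Akers"
$members   = "Manoj Syamala", "Rohinton Wadia", "Paul West"

# Membership approval. ApprovalRequired is the shell value for the ECP's
# "Owner Approval"; Open lets users join freely and Closed rejects join requests.
# Only the users listed in ManagedBy can approve join requests, so the owner is set here.
New-DistributionGroup -Name $groupName -Alias "Sales" -DisplayName "Sales" `
    -SamAccountName "Sales" -OrganizationalUnit "Adatum.com/Users" `
    -ManagedBy $owner -Members $members `
    -MemberJoinRestriction ApprovalRequired -MemberDepartRestriction Open

# The ECP "Description" field is the group's Notes attribute.
Set-Group -Identity $groupName -Notes "Sales Department"

# Message moderation (assumed settings for illustration): every message is held
# for the moderator, originators are always told whether it was approved, and
# messages from Paul West skip moderation.
Set-DistributionGroup -Identity $groupName `
    -ModerationEnabled $true -ModeratedBy $owner `
    -SendModerationNotifications Always `
    -BypassModerationFromSendersOrMembers "Paul West"

# Read the settings back from Active Directory rather than trusting the cmdlets
# silently; a typo in an identity above would otherwise go unnoticed.
Get-DistributionGroup -Identity $groupName | Format-List Name, ManagedBy,
    MemberJoinRestriction, MemberDepartRestriction, ModerationEnabled,
    ModeratedBy, SendModerationNotifications, BypassModerationFromSendersOrMembers
Get-DistributionGroupMember -Identity $groupName | Select-Object Name, PrimarySmtpAddress
```

Note that a group set to Open for joining lets any mail-enabled user add themselves, so the membership of such a group should never be used as the basis for access decisions; use ApprovalRequired or Closed for groups that carry sensitive traffic, and review the Get-DistributionGroupMember output periodically.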
Question: When would you use public groups?
Lesson 3
Configuring E-Mail Address Policies

In many messaging systems, you might host multiple Simple Mail Transfer Protocol (SMTP) domains, and
thus you would need to manage the e-mail addresses assigned to the Exchange recipients. To ensure that
recipients have appropriate e-mail addresses, you can create and apply e-mail address policies.
In this lesson, you will learn about e-mail address policies and how to configure them.

After completing this lesson, you will be able to:


• Describe the purpose and functionality of e-mail address policies.
• Configure e-mail address policies.
What Are E-Mail Address Policies?

Key Points
For a recipient to send or receive e-mail messages, the recipient must have an e-mail address. E-mail
address policies generate the primary and secondary e-mail addresses for your recipients so they can
receive and send e-mail. You must create an accepted domain so that a domain in an e-mail address
policy functions properly. An accepted domain is an SMTP namespace that you can configure Exchange
servers to send messages to, or from which they can receive messages.

By default, Exchange Server contains an e-mail address policy for every mail-enabled user. This default
policy specifies the recipient’s alias as the local part of the e-mail address and uses the default accepted
domain. The local part of an e-mail address is the name that appears before the @ symbol. However, you
can configure how your recipients’ e-mail addresses display. To specify additional e-mail addresses for all
recipients or just a subset, you can modify the default policy or create additional e-mail address policies.

Creating an E-mail Address Policy

Exchange Server applies an e-mail address policy to a group of recipients based on an OPATH filter. OPATH
is a query language designed for querying object data sources. The filter defines the search scope in the
Active Directory forest and the attributes that recipients must match.

The New E-mail Address Policy Wizard provides a standard list of recipient scope filters. These include:
• All recipient types. Select this check box if you do not want to filter recipient type.
• Users with Exchange mailboxes. Select this check box if you want your e-mail address policy to
apply to users who have Exchange Server 2010, Exchange Server 2007, and Exchange Server 2003
mailboxes. Users with Exchange mailboxes are those that have a user domain account and a mailbox
in the Exchange organization.
• Users with external e-mail addresses. Select this check box if you want your e-mail address policy
to apply to users who have external e-mail addresses. Users with external e-mail accounts have user
domain accounts in the Active Directory directory service, but use e-mail accounts that are external to
the organization. This enables them to be included in the GAL and added to distribution lists.
• Resource mailboxes. Select this check box if you want your e-mail address policy to apply to
Exchange resource mailboxes. Resource mailboxes let you administer company resources, such as a
conference room or company vehicle, through a mailbox.
• Contacts with external e-mail addresses. Select this check box if you want your e-mail address
policy to apply to contacts with external e-mail addresses.
• Mail-enabled groups. Select this check box if you want your e-mail address policy to apply to
security groups or distribution groups that have been mail-enabled. Mail-enabled groups resemble
distribution groups, as messages sent to a mail-enabled group account will go to several recipients.
The second part of the E-mail Address Policy filter has conditions in one of the following categories:
• Recipient is in a State or Province. Select this check box if you want the e-mail address policy to
include only recipients from specific states or provinces. The Address and Phone tabs in the recipient’s
properties contains this information.
• Recipient is in a Department. Select this check box if you want the e-mail address policy to include
only recipients in specific departments. The Organization tab in the recipient’s properties contains this
information.
• Recipient is in a Company. Select this check box if you want the e-mail address policy to include
only recipients in specific companies. The Organization tab in the recipient’s properties contains this
information.
• Custom Attribute equals Value. There are 15 custom attributes for each recipient. There is a
separate condition for each custom attribute. If you want the e-mail address policy to include only
recipients that have a specific value set for a specific custom attribute, select the check box that
corresponds to that custom attribute.
When creating an e-mail address policy, you can use the following e-mail address types:
• Precanned SMTP e-mail address. Precanned SMTP e-mail addresses are commonly used e-mail
address types that Exchange Server provides for you.
• Custom SMTP e-mail address. If you do not want to use one of the precanned SMTP e-mail addresses,
you can specify a custom SMTP e-mail address.
• NonSMTP e-mail address. Exchange Server 2010 supports a number of nonSMTP address types.
Demonstration: How to Configure E-Mail Address Policies

Key Points
In this demonstration, you will see how to modify existing e-mail address policies, create new policies, and
configure an alias.

Demonstration Steps
Create a new e-mail address policy for Fourth Coffee recipients:
1. Open the Exchange Management Console.
2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Organization
Configuration, and then select Hub Transport.
3. Create a new e-mail address policy with these attributes:
• Name: Fourth Coffee
• Display Name: Fourth Coffee
• Recipient container to apply filter: Adatum.com
• Included recipient types: All Recipient types
4. Use the user Alias as the local part of the e-mail address.
5. Select fourthcoffee.com as the accepted domain.
6. Apply the e-mail address policy immediately.

Verify that the e-mail address policy has been applied:
1. In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration,
and then select Mailbox.
2. In the Results pane, double-click Jane Dow.
3. View the current E-Mail addresses that have been assigned.
4. Change the Company attribute to Fourth Coffee.
5. View the current e-mail addresses that have been assigned.
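The following Exchange Management Shell commands build and verify the same policy as the demonstration, using the OPATH filter and address template described in the previous topic. They are an added example, not part of the course materials. They assume that fourthcoffee.com is already an accepted domain, and they scope the policy with the Recipient is in a Company condition, which is what the demonstration's verification step (changing Jane Dow's Company attribute) relies on.

```powershell
# Added example (not course code): the Fourth Coffee e-mail address policy from the
# demonstration, created from the Exchange Management Shell. Assumes fourthcoffee.com
# is an accepted domain and that recipients are selected by their Company attribute.

$policyName = "Fourth Coffee"
$domain     = "fourthcoffee.com"

# A policy can reference any domain, but mail to a domain that is not an accepted
# domain is not routable. Check before creating the policy instead of after.
$accepted = Get-AcceptedDomain | Where-Object { $_.DomainName.ToString() -eq $domain }
if (-not $accepted) {
    throw "$domain is not an accepted domain; create it with New-AcceptedDomain first."
}

# OPATH recipient filter (what the wizard generates for "Recipient is in a Company").
# RecipientContainer limits the search scope to the Adatum.com domain, as in the demo.
# %m is the recipient's alias, matching "Use the user Alias as the local part";
# %g (given name), %s (surname) and %d (display name) are the other common variables.
# Priority 1 places this policy above the default policy, so it wins for matching recipients.
New-EmailAddressPolicy -Name $policyName `
    -RecipientContainer "Adatum.com" `
    -RecipientFilter "(Company -eq 'Fourth Coffee')" `
    -EnabledEmailAddressTemplates "SMTP:%m@$domain" `
    -Priority 1

# Creating a policy does not touch existing recipients; apply it explicitly
# (the "Apply the e-mail address policy immediately" step of the wizard).
Update-EmailAddressPolicy -Identity $policyName

# Verify the same way the demonstration does: set the Company attribute on Jane Dow
# and list her addresses. Exchange re-evaluates policies when a recipient is modified.
Set-User -Identity "Jane Dow" -Company "Fourth Coffee"
Get-Mailbox -Identity "Jane Dow" | Select-Object -ExpandProperty EmailAddresses

# List all policies in priority order to confirm where the new one sits.
Get-EmailAddressPolicy | Sort-Object Priority | Format-Table Name, Priority, RecipientFilter -AutoSize
```

Only the highest-priority policy whose filter matches a recipient is applied to that recipient, and the uppercase SMTP template sets the primary (reply-to) address. Check the priority order before running Update-EmailAddressPolicy in production, because a policy that unexpectedly wins changes the primary address of everyone it matches.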


Lesson 4
Configuring Address Lists

Address lists are similar to a telephone book in that they provide a clearinghouse in which users can
locate, send e-mail to, and find information about, other users. In larger or specialized organizations, you
may need to modify the list’s organization.
In this lesson, you will learn about address lists and how to manage them.

After completing this lesson, you will be able to:


• Explain the functionality of address lists.
• Explain the reasons for configuring address lists.
• Configure address lists.
• Describe how to configure offline address books.
• Describe the options for deploying offline address books.
What Are Address Lists?

Key Points
Address lists are recipient objects that are grouped together based on a Lightweight Directory Access
Protocol (LDAP) query for specific Active Directory attributes. You can use address lists to sort the GAL
into multiple views, which makes it easier to locate recipients. This is especially helpful for very large or
highly segmented organizations.

Similar to configuring e-mail address policies, you can configure address lists with recipient filters that
determine which objects belong in each address list. Address lists are evaluated every time a mail-enabled
account is modified to determine on which address lists it should appear.
Discussion: Reasons for Configuring Address Lists

Key Points
For most small or medium organizations, you would not need to make changes to the default address
lists. However, in large organizations, you might need to modify the default configuration.

Question: What are the reasons for creating multiple address lists?
• Geographic organization.
• Departmental organization.
• Recipient type organization.

Question: How do you use address lists in your organization?

Question: How do you use a recipient filter and Active Directory attributes to create address lists? Is the
necessary information already in Active Directory accounts?
Demonstration: How to Configure Address Lists

Key Points
In this demonstration, you will see how to create and configure address lists.

Demonstration Steps
Create a new address list for Fourth Coffee recipients:
1. Open Exchange Management Console.
2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Organization
Configuration, and then select Mailbox.
3. Create a new address list with the following attributes:
• Name: Fourth Coffee
• Display Name: Fourth Coffee
• Container: \
• Recipient container to apply filter: Adatum.com
• Included recipient types: All Recipient types
4. Use the Recipient is in a Company condition to apply this address list only to recipients that list
Fourth Coffee as their company attribute.
5. Preview the address list.
6. Apply the address list immediately.

Verify the new address list is working:
1. Log on to Outlook Web App as Adatum\George with the password of Pa$$w0rd.
2. Open the Address book, and view the members of the Fourth Coffee address list.
3. Close Outlook Web App.
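The same address list built from the Exchange Management Shell, including the preview step, which is worth doing in the shell as well because a filter that matches nothing (or far too much) is cheap to catch before the list exists. This is an added example and not part of the course materials; it assumes the recipients to be listed carry Fourth Coffee in their Company attribute, and it uses Jane Dow from the previous demonstration to check membership from the recipient's side.

```powershell
# Added example (not course code): the Fourth Coffee address list from the
# demonstration, created and verified from the Exchange Management Shell.
# Assumes the target recipients have Company set to "Fourth Coffee".

$listName = "Fourth Coffee"
$filter   = "(Company -eq 'Fourth Coffee')"   # OPATH, as with e-mail address policies

# Preview: evaluate the filter without creating anything (the wizard's Preview button).
$preview = @(Get-Recipient -RecipientPreviewFilter $filter -ResultSize Unlimited)
if ($preview.Count -eq 0) {
    throw "The filter matches no recipients; check the Company attribute before creating the list."
}
Write-Host "Filter matches $($preview.Count) recipient(s):"
$preview | Select-Object Name, RecipientType, Company | Format-Table -AutoSize

# Create the list at the root container ("\"), scoped to the Adatum.com domain,
# with the same filter the preview used.
New-AddressList -Name $listName -DisplayName $listName -Container "\" `
    -RecipientContainer "Adatum.com" -RecipientFilter $filter

# Membership is only stamped on recipients when the list is applied; without this
# step the list exists but shows as empty until each recipient is next modified.
Update-AddressList -Identity "\$listName"

# Confirm the list was applied, then check from the recipient's side which
# address lists Jane Dow now appears in.
Get-AddressList -Identity "\$listName" | Format-List Name, RecipientFilter, RecipientFilterApplied
Get-Recipient -Identity "Jane Dow" | Select-Object -ExpandProperty AddressListMembership
```

Address lists segment what users see in the GAL; they do not restrict who a user can send to or look up by address, so they are an organizational aid rather than an access control.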
Configuring Offline Address Books

Key Points
Exchange Server 2010 provides several configuration options for deploying offline address books. Outlook
uses the offline address book when it is configured with a cached mode Outlook profile or when it is
working in offline mode. The default offline address book contains the entire GAL, but does not include
any additional GALs that have been created.

By default, the offline address book is generated only once each day. This means that any additions,
deletions, or changes made to mail-enabled recipients are only committed to the offline address book
once each day, unless you modify the schedule to generate the offline address book more often. In many
environments, you would need to modify the offline address book generation schedule to accommodate
the rate of change in a particular Exchange Server organization.
As a best practice, whether you use a single offline address book or multiple offline address books,
consider the following factors as you plan and implement your offline address book strategy:
• Size of each offline address book in your organization.
• Number of offline address book downloads. How many clients will you need to download the offline
address book?
• Overall number of changes made to the directory. If a large number of changes are made, the size of
the differential offline address book downloads also will be large.
Options for Deploying Offline Address Books

Key Points
Public folder distribution is the distribution method by which Outlook 2003, or clients that are working
offline or through a dial-up connection, access the offline address book. With public folder distribution,
the generation process for the offline address book places the files directly in one of the public folders,
and then Exchange Server store replication copies the data to other public folder distribution points.

Outlook 2007 and newer clients that are working in cached mode, offline or through a dial-up
connection, use Web-based distribution to access the offline address book. Web-based distribution does
not require the use of public folders. With Web-based distribution, after the offline address book
generates, the Client Access server replicates the files. Web-based distribution uses HTTPS and BITS. If you
require redundancy, you can use multiple Client Access servers as publishing points.
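The two preceding topics in shell form: an offline address book is created for the Fourth Coffee address list, published through both public folder and Web-based distribution, given a generation schedule more frequent than the daily default, regenerated immediately, and assigned to a mailbox. This is an added example, not course code. It assumes the \Fourth Coffee address list exists, that VAN-EX1 holds the Mailbox and Client Access roles, that a public folder database exists for public folder distribution, and the name Fourth Coffee OAB is an assumption.

```powershell
# Added example (not course code): an offline address book for the Fourth Coffee
# address list with both distribution methods and a four-hourly schedule.
# Assumptions: the "\Fourth Coffee" address list exists, VAN-EX1 has the Mailbox
# and Client Access roles, and a public folder database exists.

$oabName = "Fourth Coffee OAB"
$server  = "VAN-EX1"

# Web-based distribution (HTTPS and BITS) publishes through the OAB virtual directory
# of a Client Access server. Stop early if the server does not have one.
$oabVdir = Get-OabVirtualDirectory -Server $server
if (-not $oabVdir) {
    throw "No OAB virtual directory on $server; Web-based distribution is not possible."
}
$vdirIds = @($oabVdir | ForEach-Object { $_.Identity })

# Server is the Mailbox server that generates the files. Public folder distribution
# is what Outlook 2003 clients need; Web-based distribution serves Outlook 2007+.
New-OfflineAddressBook -Name $oabName -Server $server -AddressLists "\Fourth Coffee" `
    -VirtualDirectories $vdirIds -PublicFolderDistributionEnabled $true

# The default schedule generates the OAB once a day. Build a schedule with a
# 15-minute generation window every four hours; each interval has the form
# Day.HH:MM-Day.HH:MM and the whole schedule is a list of such intervals.
$days  = "Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"
$hours = 0, 4, 8, 12, 16, 20
$schedule = foreach ($d in $days) {
    foreach ($h in $hours) { "{0}.{1:00}:00-{0}.{1:00}:15" -f $d, $h }
}
Set-OfflineAddressBook -Identity $oabName -Schedule $schedule

# Generate now rather than waiting for the first scheduled window.
Update-OfflineAddressBook -Identity $oabName

# Outlook downloads the OAB assigned to the mailbox, or, if none is assigned,
# the one assigned to the mailbox database. Assign it per mailbox here.
Set-Mailbox -Identity "Jane Dow" -OfflineAddressBook $oabName

Get-OfflineAddressBook -Identity $oabName | Format-List Name, Server, AddressLists,
    VirtualDirectories, PublicFolderDistributionEnabled, Schedule
```

A more frequent schedule shrinks the window in which clients see stale data, but every full regeneration also grows the differential downloads that the planning factors above mention, so test the schedule against the directory's actual rate of change before rolling it out.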
Lesson 5
Performing Bulk Recipient Management Tasks

Managing a large number of recipients can be time consuming, and manual changes are also prone to
error. You can use the Exchange Management Shell to create scripts that automate these management
tasks.
In this lesson, you will be introduced to bulk management of recipients and to using the Exchange
Management Shell to manage multiple recipients.
After completing this lesson, you will be able to:
• Describe the benefits of managing recipients in bulk.
• Manage multiple recipients.
Discussion: Benefits of Managing Recipients in Bulk

Key Points
Exchange Management Shell cmdlets are powerful tools that you can use for managing multiple
recipients simultaneously. The cmdlets use features such as pipelining and filtering to sort the results of
one cmdlet and apply the result to another cmdlet. Exchange Management Shell also is a very powerful
scripting tool for managing multiple recipients in bulk. In small organizations, you might not need to
manage multiple recipients at the same time. However, in medium or large organizations, you may often
need to manage multiple users at the same time, and it is useful to know how to use Exchange
Management Shell to do that.

Question: Describe situations where you need to create multiple recipients.

Question: Describe situations where multiple recipients need to be modified.


Demonstration: How to Manage Multiple Recipients

Key Points
Exchange Management Shell provides several features that you can use to perform bulk recipient
management. For relatively simple tasks, you can pipe output between cmdlets to retrieve a list of
appropriate objects, and then you can modify them. You can use scripting for complex tasks, such as
creating users from a .csv file.

Demonstration Steps
1. The instructor will run the following cmdlets:
Get-User -Filter {Company -eq "Fourth Coffee"}
Disable-Mailbox Jane
Get-User -Filter {Company -eq "Fourth Coffee"} | Enable-Mailbox -Database "Mailbox Database 1"

2. The instructor will run the following script. The script will create mailboxes based on information
provided in a .csv file. The .csv file must have a header line with the columns FirstName, LastName,
password, and OU, and the path to the file is passed as the script's first argument.
## Section 1
## Define Database for new mailboxes
$db = "Mailbox Database 1"

## Define User Principal name domain
$upndom = "Adatum.com"

## Section 2
## Import csv file into variable $users (path given as the first script argument)
$users = Import-Csv $args[0]

## Section 3
## Function to convert password string to secure string
function SecurePassword([string]$plainPassword)
{
    $secPassword = New-Object System.Security.SecureString
    foreach ($char in $plainPassword.ToCharArray())
    {
        $secPassword.AppendChar($char)
    }
    $secPassword
}

## Section 4
## Create new mailboxes and users, one per row of the .csv file
foreach ($i in $users)
{
    $sp = SecurePassword $i.password
    $upn = $i.FirstName + "@" + $upndom
    $display = $i.FirstName + " " + $i.LastName
    New-Mailbox -Password $sp -Database $db -DisplayName $display -UserPrincipalName $upn `
        -Name $i.FirstName -FirstName $i.FirstName -LastName $i.LastName `
        -OrganizationalUnit $i.OU
}

3. In Exchange Management Console, verify that the users listed in the .csv file have been created.
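The pipelining pattern from step 1, carried through as a complete bulk change with a dry run and a post-change check: the mailboxes in one organizational unit receive the storage quotas that Exercise 4 of the lab asks for. This is an added example and not course code. It assumes an AdventureWorks organizational unit in Adatum.com exists and that the shell is the Exchange Management Shell; the quota values are those from the lab.

```powershell
# Added example (not course code): bulk quota change with a dry run and verification.
# Assumes an OU named AdventureWorks exists in Adatum.com.

$ou       = "AdventureWorks"   # scope: the OU used in Lab Exercise 4
$warn     = 100MB              # IssueWarningQuota from the lab
$prohibit = 150MB              # ProhibitSendQuota from the lab
$apply    = $false             # $false = report only (-WhatIf); $true = make the change

# -ResultSize Unlimited matters for bulk work: the default result size is 1000, and
# a truncated list would leave the remaining mailboxes silently unchanged.
# To scope by attribute instead of OU, use a filter such as
#   Get-Mailbox -Filter {Company -eq "Adventure Works"} -ResultSize Unlimited
$mailboxes = @(Get-Mailbox -OrganizationalUnit $ou -ResultSize Unlimited)
if ($mailboxes.Count -eq 0) { throw "No mailboxes found in OU '$ou'; nothing to change." }

# Record the state before the change so the result can be compared afterwards.
$mailboxes | Select-Object Name, Database, UseDatabaseQuotaDefaults, IssueWarningQuota, ProhibitSendQuota |
    Format-Table -AutoSize

# Pipe the scoped list into Set-Mailbox. Per-mailbox quotas are ignored while
# UseDatabaseQuotaDefaults is $true, so it is cleared in the same call.
# With $apply = $false, -WhatIf prints what would change and modifies nothing.
$mailboxes | Set-Mailbox -UseDatabaseQuotaDefaults $false `
    -IssueWarningQuota $warn -ProhibitSendQuota $prohibit -WhatIf:(-not $apply)

if ($apply) {
    # Re-read from the directory instead of trusting the in-memory objects, and
    # flag any mailbox whose effective quota is not what was requested.
    $wrong = Get-Mailbox -OrganizationalUnit $ou -ResultSize Unlimited | Where-Object {
        $_.UseDatabaseQuotaDefaults -or
        $_.ProhibitSendQuota.IsUnlimited -or
        $_.ProhibitSendQuota.Value.ToBytes() -ne $prohibit -or
        $_.IssueWarningQuota.IsUnlimited -or
        $_.IssueWarningQuota.Value.ToBytes() -ne $warn
    }
    if ($wrong) {
        Write-Warning ("Quota not applied to: " + (($wrong | ForEach-Object { $_.Name }) -join ", "))
    } else {
        Write-Host "Quotas applied to $($mailboxes.Count) mailbox(es) in OU $ou."
    }
}
```

Run the script once with $apply left at $false and read the -WhatIf output: the list it prints is exactly the set of mailboxes the change will touch, which is the cheapest way to catch a filter or OU that is broader than intended before a bulk Set-Mailbox runs.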

Question: Which tasks will you automate with PowerShell scripts?


Lab: Managing Exchange Recipients

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:

1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and 10135A-VAN-CL1 virtual machines are
running.
• 10135A-VAN-DC1: Domain controller in the Adatum.com domain.
• 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain.
• 10135A-VAN-CL1: Windows 7 client computer in the Adatum.com domain.
3. If required, connect to the virtual machines. Log on to the computers as Adatum\Administrator,
using the password Pa$$w0rd.

Lab Scenario
You are the messaging administrator for A. Datum Corporation. Your company is purchasing a new
company called Adventure Works. Adventure Works recipients will need to maintain a separate e-mail
domain and address list. You also must create new mailboxes for the new department’s employees.
Exercise 1: Managing Recipients


Scenario
Your manager wants you to complete several tasks in preparation for the Adventure Works acquisition
project.

The main tasks for this exercise are:


1. Create and configure a mailbox called Adventure Works Questions.
2. Create a resource mailbox and configure auto-accept settings for the Adventure Works Project Room.
3. Move George Schaller’s mailbox to VAN-EX1\Mailbox Database 1.
4. Create and configure a mail-enabled contact for Ian Palangio at Woodgrove Bank.
5. Create a moderated distribution list for Adventure Works Project, and delegate an administrator.

Task 1: Create and configure a mailbox called Adventure Works Questions
1. On VAN-EX1, open the Exchange Management Console.
2. Create a new mailbox named Adventure Works Questions in the Mailbox Database 1 database.
Configure a user logon name of AdventureWksQ, and a password of Pa$$w0rd.
3. Assign George Schaller full access to the Adventure Works Questions mailbox.

Task 2: Create a resource mailbox, and configure auto-accept settings for the
ProjectRoom
1. In Exchange Management Console, create a new room mailbox named ProjectRoom in the Mailbox
Database 1 database. Configure a user logon name of ProjectRoom, and a password of Pa$$w0rd.
2. Enable the Booking Attendant on ProjectRoom.

Task 3: Move George Schaller’s mailbox to VAN-EX1\Mailbox Database 1
• In Exchange Management Console, create a new local move request to move George Schaller’s
mailbox to VAN-EX1\Mailbox Database 1.

Task 4: Create and configure a mail-enabled contact for Ian Palangio at Woodgrove
Bank
• In Exchange Management Console, create a new mail-enabled contact for Ian Palangio, using an
alias of IanPalangioWB and an e-mail address of ian.palangio@woodgrovebank.com.

Task 5: Create a moderated distribution list for the Adventure Works Project, and
delegate an administrator
1. In Exchange Management Console, create a new Distribution group called Adventure Works Project
with an alias of AdventureWorksProject.
2. Add the following recipients to the Adventure Works Project group:
• George Schaller
• Ian Palangio
• Wei Yu
• Paul West
3. Specify George Schaller as the group moderator, and enable moderation of all messages.

Task 6: Verify that changes were completed successfully
1. Log on to VAN-CL1 as Administrator, and open Outlook.
2. Create and send a new meeting request. Invite the Adventure Works Project group, and specify
ProjectRoom as the room.
3. On VAN-EX1, open Outlook Web App, log on as Adatum\George, using the password Pa$$w0rd,
and accept the meeting request message. Send the response now.

Results: After this exercise, you should have completed all of the assigned tasks, which include
creating a mailbox, creating a resource mailbox, moving a mailbox, creating a contact, and creating a
moderated distribution group.
Exercise 2: Configuring E-Mail Address Policies


Scenario
Adventure Works maintains a distinct identity for customers, but some functions, such as accounting, are
integrated with A. Datum Corporation. To ensure that users receive all e-mail properly, they must be able
to receive e-mail at all domains, but use their own domain as the reply-to address.

The main tasks for this exercise are:
1. Create an e-mail address policy for Adventure Works users.
2. Verify that addresses were applied to A. Datum users.

Task 1: Create an e-mail address policy for Adventure Works users
1. On VAN-EX1, open the Exchange Management Console.
2. Create a new e-mail address policy with the following configuration:

a. Apply to all recipients with a company attribute of Adventure Works in the Adatum.com domain.
b. SMTP address: first name.last name@adventure-works.com.
c. Accepted domain: Adventure-works.com.

Task 2: Verify that addresses are applied correctly
1. In the Exchange Management Console, view the properties for George Schaller, and modify his
company description to Adventure Works.
2. Confirm that George Schaller has an e-mail address using the adventure-works.com domain.

Results: After this exercise, you should have created an e-mail address policy for Adventure Works
users.
Exercise 3: Configuring Address Lists


Scenario
New address lists and offline address books are necessary to organize the address books for users in the
combined A. Datum and Adventure Works organization. Each organization requires a separate address
list to make it easier to find users. You also must create a new offline address book that includes
those address lists to support sales people with portable computers.

The main tasks for this exercise are:


1. Create an empty container address list named Companies.
2. Create a new address list for Adventure Works recipients.
3. Create a new address list for A. Datum recipients.
4. Verify the new address list is available in Outlook.
5. Create a new offline address book for the Adventure Works address list.

Task 1: Create an empty container address list named Companies
1. On VAN-EX1, open the Exchange Management Console.
2. In the Mailbox node of the Organization Configuration work center, create a new address list named
Companies with no recipients.

Task 2: Create a new address list for Adventure Works recipients
• Create a new address list Adventure Works in Companies for all recipients with the Company
Adventure Works.

Task 3: Create a new address list for A. Datum Corporation recipients
• Create a new address list A Datum in Companies for all recipients with the Company A. Datum.

Task 4: Verify the new address list is available in Outlook
1. Log on to VAN-CL1 as Administrator, and open Outlook.
2. Verify that the address book contains the address lists for A. Datum and Adventure Works.
3. Log off VAN-CL1.

Task 5: Create a new offline address book for the Adventure Works address list to
support both Office Outlook 2003 and Outlook 2007 clients
1. On VAN-EX1, open Exchange Management Console.
2. Create a new offline address book named Companies with the Adventure Works and A. Datum
address lists, and enable distributions through Web-based distribution and public folders. Use the
OAB folder on VAN-EX1 for Web-based distribution.
3. Close the Exchange Management Console.

Results: After this exercise, you should have created an address list for the A. Datum and Adventure
Works users, and an offline address book for each organization.
Exercise 4: Performing Bulk Recipient Management Tasks


Scenario
Your manager left you a number of recipient management tasks to complete for the new Adventure
Works users:
• Add a header line to the .csv file exported from the Human Resources (HR) system.
• Modify the CreateUsersLab.ps1 script, and import Adventure Works users from a .csv file.
• Define mailbox limits for all users in the Adventure Works company.
The main tasks for this exercise are:

1. Add a header line to the .csv file exported from the Human Resources (HR) system.
2. Modify the CreateUsersLab.ps1 script to import Adventure Works users from a .csv file.
3. Create the AdventureWorks OU in the Adatum.com domain.
4. Run CreateUsersLab.ps1 to import Adventure Works users from a .csv file.
5. Define mailbox limits for all Adventure Works company users.

Task 1: Add a header to the .csv file exported from the HR system
1. On VAN-EX1, open D:\Labfiles\Users.csv in Notepad.
2. Add a header line that defines each column:
• FirstName
• LastName
• Password
3. Save the changes to Users.csv, and close Notepad.

Task 2: Modify the CreateUsersLab.ps1 script to import Adventure Works users from a
.csv file
1. Open D:\Labfiles\CreateUsersLab.ps1 in Notepad.
2. Modify CreateUsersLab.ps1 as required to:
• Configure the database to create users as Mailbox Database 1.
• Configure the user principal name to be adatum.com.
• Place users in the AdventureWorks OU.
• Configure the .csv import file to be D:\Labfiles\Users.csv.
• Configure the $pwd to be based on the password field in the Users.csv.
• Configure the first and last name.
• Configure the user principal name (UPN) as first name@adatum.com.
• Configure the alias to be the first name and last name, with no space between the names.
• Configure the display name to be the first name and last name, with a space between the names.
3. Save the changes to CreateUsersLab.ps1, and close Notepad.

Task 3: Create the AdventureWorks Organizational Unit
1. Open Active Directory Users and Computers.
2. Create an OU named AdventureWorks.
Task 4: Run CreateUsersLab.ps1 to import the Adventure Works Users
1. Open the Exchange Management Shell.
2. Run D:\Labfiles\CreateUsersLab.ps1.

Task 5: Set mailbox limits for all Adventure Works users
1. Run Get-Mailbox cmdlet to retrieve a list of all Adventure Works users:
• OrganizationalUnit: AdventureWorks
2. Set mailbox limits by piping the list of mailboxes to the Set-Mailbox cmdlet:
• IssueWarningQuota 100MB
• ProhibitSendQuota 150MB

Results: After this exercise, you should have created all of the additional Adventure Works users with
an Exchange Management Shell script, and then have set the storage quota.

To Prepare for the Next Module
When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the
following steps:
1. On the host computer, start Hyper-V™ Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start.
5. To connect to the virtual machine for the next module’s lab, click 10135A-VAN-DC1, and then in the
Actions pane, click Connect.

Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting
the other virtual machines.

6. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.
7. Wait for VAN-EX1 to start, and then start VAN-EX2. Connect to the virtual machine.

Important: If you are using Windows Server 2008 R2 as the host operating system, complete the
following steps before starting VAN-CL1.

1. In the Hyper-V Management console, in the Virtual Machines pane, right-click
10135A-VAN-CL1, and click Settings.
2. Click Network Adapter, and select the Enable spoofing of MAC addresses
check box. Click OK.

This step is required in order for the Windows Mobile Device emulator to communicate on the virtual
network.

8. Wait for VAN-EX2 to start, and then start VAN-CL1. Connect to the virtual machine.
Module Review and Takeaways

Review Questions
1. How would you ensure that meeting requests to room mailboxes are validated manually before being
approved?
2. How would you give access to allow a user to send messages from another mailbox, without giving
them access to the mailbox contents?

3. What should you consider when configuring offline address book distribution?

Common Issues Related to Configuring Offline Address Books


Identify the causes for the following common issues related to configuring offline address books, and fill
in the troubleshooting tips. For answers, refer to relevant lessons in the module.

Issue: The offline address book is not up-to-date with changes made during the day.
Troubleshooting tip: Check to make sure that the offline address book is scheduled to be generated
more than one time each day.

Issue: Outlook 2003 clients are not able to download the offline address book.
Troubleshooting tip: Check to make sure the offline address book is being distributed in a public
folder.

Real-World Issues and Scenarios


1. A company has two large divisions and one Exchange Server organization. Employees in each
division rarely communicate with each other. What can you do to reduce the number of recipients
that the employees of each division see when they open the Exchange address list?
2. An organization has a large number of projects that leverage distribution groups. Managing group
members takes considerable time. You need to reduce the time the help desk spends managing
groups so that they can work on other issues.

3. You employ contractors who need an e-mail address from your company. The company needs to
enable the contractors to receive these messages in their current third-party mailboxes.

Best Practices Related to Managing Recipient Objects


Supplement or modify the following best practices for your own work situations:
• Define clear naming conventions and adhere to them. Naming conventions help identify the location
and purpose of recipient objects, and help both end users and administrators locate recipients easily.
• Test global changes prior to making them in production. Changes to global settings, like e-mail
address policies, should be tested in a lab environment before you make changes in production. This
avoids configuration errors.
Managing Client Access 4-1

Module 4
Managing Client Access
Contents:
Lesson 1: Configuring the Client Access Server Role 4-3
Lesson 2: Configuring Client Access Services for Outlook Clients 4-18
Lab A: Configuring Client Access Servers for Outlook Anywhere Access 4-37
Lesson 3: Configuring Outlook Web App 4-43
Lesson 4: Configuring Mobile Messaging 4-53
Lab B: Configuring Client Access Servers for Outlook Web App
and Exchange ActiveSync 4-61
Module Overview

Microsoft® Exchange Server 2010 provides access to user mailboxes for many different clients. All
messaging clients access Exchange Server mailboxes through a Client Access server. Because of the
importance of this server role, you must understand how to configure it to support all different client
types. This module provides details on how to implement the Client Access server role in Exchange Server
2010.
After completing this module, you will be able to:
• Configure the Client Access server role.
• Configure Client Access services for Outlook Clients.
• Configure Microsoft Office Outlook® Web App.
• Configure mobile messaging.

Lesson 1
Configuring the Client Access Server Role

You can implement the Client Access server role on an Exchange server that has other roles except the
Edge Transport server role. Alternately, you can deploy the Client Access server role on one or more
dedicated servers. In many organizations, the Client Access server is accessible from the Internet, thus
securing the Client Access servers is an important part of deployment. This lesson describes the process
for deploying and securing a Client Access server.
After completing this lesson, you will be able to:
• Describe how client access works in Exchange Server 2010.
• Describe how client access works with multiple sites.
• Describe the Client Access server deployment options.
• Configure a Client Access server.
• Secure a Client Access server.
• Explain Client Access server deployment considerations.
• Configure Client Access server certificates.
• Describe the configuration options for Post Office Protocol 3 (POP3) and Internet Message Access
Protocol 4 (IMAP4) client access.
• Describe how to configure the Client Access server for secure Internet access.

How Client Access Works

Key Points
In Exchange Server 2010, all messaging clients connect to a Client Access server when accessing an
Exchange Server mailbox. For users to access their mailbox, you must deploy a Client Access server in the
same site as the Mailbox server.

Important: In Exchange Server 2007 and earlier versions, MAPI clients such as Microsoft Office Outlook
connect directly to Mailbox servers. In Exchange Server 2010, with the introduction of the Remote
Procedure Call (RPC) Client Access service, MAPI clients no longer connect directly to the Mailbox servers
for mailbox access.

How Client Access Servers Work


The following steps describe what happens when a messaging client connects to the Client Access server:
1. If the client connects from the Internet using a non-MAPI connection, then the client connects to the
Client Access server using the client protocol. Only the protocol ports for client connections must be
available on the external firewall.
2. If the client connects from the internal network using Office Outlook configured as a MAPI client,
then the client connects to the Client Access server using MAPI RPC connections.
3. The Client Access server connects to a Microsoft Active Directory® directory service domain
controller by using Kerberos to authenticate the user. Internet Information Services (IIS) or the RPC
Client Access service on the Client Access server performs the authentication. The Client Access server
uses a Lightweight Directory Access Protocol (LDAP) request to a global catalog server to locate the
Mailbox server that manages the user’s mailbox.
4. The Client Access server connects to the Mailbox server using a MAPI RPC to submit messages to the
mailbox database, or to read messages.

How Client Access Works with Multiple Sites

Key Points
Deploying Client Access servers in an environment with multiple Active Directory sites adds complexity to
deployment planning, particularly when you consider the options for providing Internet access to those
Client Access servers.

How Client Access Works with Multiple Internet Access Points


If you have multiple Active Directory sites, you can provide Internet access to each site’s Client Access
servers. To enable this option, you must configure an external URL for each Client Access server. You also
must ensure that clients can resolve the URL name in the Domain Name System (DNS) and can connect to
the Client Access server using the appropriate protocol.
When an Internet client connects to the Client Access server from the Internet in this scenario, the Client
Access server authenticates the user, and then queries a global catalog server for the user mailbox
location. At this point, the Client Access server has two options:
1. If the user’s mailbox is located in the same site as the Client Access server, then the Client Access
server connects to the mailbox server to fulfill the client request.
2. If the user’s mailbox is located in a different site from the Client Access server, the Client Access server
contacts a domain controller to locate the Client Access server in the site where the user mailbox is
located. If you configure the Client Access server with an external URL, then the Client Access server
redirects the client request to the Client Access server in the site that contains the user mailbox. If you
do not configure an external URL for the Client Access server in the site that contains the user
mailbox, the Client Access server receiving the request proxies the client request to the Client Access
server in the appropriate site.

Note: Exchange Server 2010 can redirect only Outlook Web App clients to another Client Access server
in a different site. It proxies all other Client Access server client requests to a Client Access server in the
same site as the user mailbox. To optimize access for non-Outlook Web App clients, you must configure
the clients to connect directly to a Client Access server in the user’s home site.

How Client Access Works with a Single Internet Access Point


The Client Access server in the site containing the user mailbox might not be accessible from the Internet,
or it might not have an external URL configured. In this scenario, when the user connects to a Client
Access server in a site that does not contain the user mailbox, the Client Access server proxies the client
request to the Client Access server in the site where the user’s mailbox is located. This proxy process uses
the same protocol as the client. In the destination site, the Client Access server then uses RPC to connect
to the Mailbox server managing the user mailbox.

For the Client Access server to proxy the client request, you must configure the Client Access servers that
are not accessible from the Internet to use Integrated Windows® authentication.
Exchange Server supports proxying for clients that use Outlook Web App, Microsoft
Exchange ActiveSync®, and Exchange Web Services.

Best Practice: To optimize user mailbox access, you should enable Internet access to the Client Access
servers in each site. This access is particularly important if you have slow network connections between
Active Directory site locations.

Deployment Options for a Client Access Server

Key Points
When planning your Client Access server deployment, you must meet certain requirements to ensure a
successful deployment. Additionally, there are options for deploying Client Access servers in scenarios
where servers require higher availability, or you have multiple sites.

Requirements for Client Access Server Deployment


When you deploy Client Access servers, you must meet the following requirements:
• You must have at least one Client Access server in each Active Directory site where you have Mailbox
servers deployed.
• Client Access servers should have a fast network connection to Mailbox servers, to support RPC
connectivity.
• Client Access servers should have a fast network connection to domain controllers and global catalog
servers.
• If users need to access their mailboxes from the Internet through the Client Access server, then the
server must be accessible from the Internet using HTTP or HTTPS, IMAP4, or POP3.

Best Practice: Because the server running the Client Access server role must be a member server in
an Active Directory domain, you cannot deploy the Client Access server role in a perimeter network.
Instead, use an application layer firewall, such as Microsoft Forefront® Threat Management Gateway,
to publish the Client Access server services to the Internet.

Options for Client Access Server Deployment


The Client Access server role performs a critical function in your Exchange Server organization. You have
the following options when deploying the Client Access server role:

• You can deploy the Client Access server role on the same computer as all other Exchange Server 2010
server roles, except for the Edge Transport server role. Installing all server roles on a single server
does not provide additional availability, and offers only limited scalability.
• You can deploy the Client Access server role on a dedicated server. This deployment provides
additional scalability and performance benefits.
• You also can deploy multiple servers running the Client Access server role. To provide high availability
for Client Access servers, you can deploy Network Load Balancing, or deploy a hardware network load
balancer to manage connections to the Client Access servers. In Exchange Server 2010, you also can
configure Client Access arrays to provide failover and redundancy. A Client Access array is a container
object used by Exchange Server 2010 Client Access servers. When you deploy database availability
groups (DAGs) Exchange Server 2010 uses Client Access arrays to track which mailbox databases are
located in each Active Directory site, and to manage the client connection failovers to the local
mailbox databases.

Note: You can install Client Access servers on Mailbox servers that are DAG members. However, just
adding the Client Access server to a DAG member does not provide high availability for the Client
Access server. To provide high availability for Client Access servers, you need to implement a Client
Access array, and deploy a network load balancing solution. For more information on Client Access
arrays, see Module 7, “Implementing High Availability”.

Demonstration: How to Configure a Client Access Server

Key Points
In this demonstration, you will see how to configure the global Client Access server settings, as well as the
settings for each Client Access server in the organization.

Demonstration Steps
1. Open the Exchange Management Console.
2. In the Exchange Management Console, expand Microsoft Exchange On-Premises, expand
Organization Configuration, and then click Client Access. You apply settings to all Client Access
servers and mailboxes while in the Organization Configuration node.
3. Review the default policies on the Outlook Web App Mailbox Policies and Exchange ActiveSync
Mailbox Policies tabs.
4. In the left pane, expand Server Configuration, and then click Client Access.
5. Examine the properties of one of the listed Client Access servers. These properties display information
only, and cannot be used to configure the server settings.
6. In the results pane, review the settings available on each of the tabs. These settings configure the
Client Access server settings for the Client Access server virtual directories.

Question: Why would you create multiple Outlook Web App Mailbox policies or Exchange ActiveSync
policies, rather than just use the default policies?

Question: Why would you modify the server settings on one Client Access server to be different from
those on another Client Access server?

Securing a Client Access Server

Key Points
In many organizations, the Client Access server is accessible from the Internet for Outlook Anywhere,
Outlook Web App, or Exchange ActiveSync clients. Therefore, it is critical that you ensure that the Client
Access server that faces the Internet is as secure as possible.

Securing Communications Between Clients and Client Access Servers


To encrypt the network traffic between messaging clients and the Client Access server, you must secure
the network traffic using Secure Sockets Layer (SSL). To configure the Client Access server to use SSL,
complete the following steps:
1. Obtain and install a server certificate on the Client Access server. Ensure that the certificate name
exactly matches the server name that users will use to access the Client Access server. Also ensure that
the certificate that the Certification Authority (CA) issues is trusted by all of the client computers and
mobile devices that will be accessing the server.
2. Configure the Client Access server virtual directories in IIS to require SSL.

Configuring Secure Authentication


Exchange Server 2010 provides several authentication options for clients communicating with the Client
Access server. If the server has multiple authentication options enabled, it negotiates with the client to
determine the most secure authentication method that both support.

Standard Authentication Options


The following standard authentication options are available on the Client Access server:
• Integrated Windows authentication. Integrated Windows authentication is the most secure standard
authentication option.

Important: When using a single Internet-accessible Client Access server for all sites, you must enable
Windows Integrated authentication on all of the Client Access servers that are not Internet accessible.
For example, the outward-facing Outlook Web App server can use forms-based authentication, but
the internal Client Access servers must be configured to allow Integrated Windows authentication.

• Digest authentication. Digest authentication secures the password by transmitting it as a hash value
over the network.
• Basic authentication. Basic authentication transmits passwords in clear text over the network;
therefore, you should always secure Basic authentication by using SSL encryption. Basic
authentication is the authentication option that is most widely supported by clients.

Forms-Based Authentication
Forms-based authentication is available only for Outlook Web App and ECP. When you use this option, it
replaces the other authentication methods. This is the preferred authentication option for Outlook Web
App because it provides enhanced security: rather than sending the credentials with every request, the
browser holds them in an encrypted cookie that Exchange Server issues at logon. Tracking the use of this
cookie allows Exchange Server to time out inactive sessions.

The time required before an inactive session times out varies depending on the computer type selected
during logon. If you choose a public or shared computer, the session times out after 15 minutes of
inactivity. If you choose a private computer, the session times out after 12 hours of inactivity.

Note: You can configure the time-out values for public and private computers by modifying the
Client Access server registry. You can do this by using the Regedit utility, or the Set-ItemProperty
cmdlet. For more information about how to configure these settings, see the “Set the Forms-Based
Authentication Private Computer Cookie Time-Out Value” topic in Exchange Server 2010 Help.

Forms-based authentication is enabled by default for Outlook Web App, and for ECP.
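The following is an added example, not part of the course material, showing the authentication layout that the Important note above describes, applied from the Exchange Management Shell. It assumes two Client Access servers: VAN-EX1, which is published to the Internet and uses forms-based authentication, and TOR-EX1 in a second site, which is not published and receives proxied requests, so it must use Integrated Windows authentication. The server names, the default domain and the time-out values are assumptions; the registry location is the one from the Help topic cited in the note above.

```powershell
# Added example (not from the course). Server names, domain and time-outs are assumptions.
$internetFacing = "VAN-EX1"   # published to the Internet
$internalOnly   = "TOR-EX1"   # reached only through VAN-EX1's proxying

# Internet-facing server: forms-based authentication. Basic authentication stays on
# behind the logon form (the form posts the credentials, which is why SSL is mandatory).
# Configure the owa and ecp virtual directories identically; ECP logon fails when its
# authentication settings differ from those of owa.
Get-OwaVirtualDirectory -Server $internetFacing |
    Set-OwaVirtualDirectory -FormsAuthentication $true -BasicAuthentication $true `
        -WindowsAuthentication $false -DigestAuthentication $false `
        -LogonFormat UserName -DefaultDomain "contoso.com"
Get-EcpVirtualDirectory -Server $internetFacing |
    Set-EcpVirtualDirectory -FormsAuthentication $true -BasicAuthentication $true `
        -WindowsAuthentication $false

# Internal-only server: Integrated Windows authentication, so that the Internet-facing
# server can proxy Outlook Web App and ECP requests to it.
Get-OwaVirtualDirectory -Server $internalOnly |
    Set-OwaVirtualDirectory -FormsAuthentication $false -BasicAuthentication $false `
        -WindowsAuthentication $true -DigestAuthentication $false
Get-EcpVirtualDirectory -Server $internalOnly |
    Set-EcpVirtualDirectory -FormsAuthentication $false -BasicAuthentication $false `
        -WindowsAuthentication $true

# Cookie time-outs (values in minutes, set on each Internet-facing Client Access server):
# shorten the public-computer time-out from 15 to 10 minutes and the private-computer
# time-out from 12 hours to 4 hours. IIS must be restarted for the change to take effect.
$owaKey = "HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA"
Set-ItemProperty -Path $owaKey -Name PublicTimeout  -Value 10  -Type DWord
Set-ItemProperty -Path $owaKey -Name PrivateTimeout -Value 240 -Type DWord
iisreset /noforce

# Verify the resulting settings on both servers.
foreach ($s in $internetFacing, $internalOnly) {
    Get-OwaVirtualDirectory -Server $s |
        Format-List Identity, FormsAuthentication, BasicAuthentication, WindowsAuthentication
}
```

Run the script from the Exchange Management Shell with an account that holds the Organization Management or Server Management role; the registry change and iisreset must run locally on each Internet-facing Client Access server.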

Protecting the Client Access Server with an Application Layer Firewall


To provide an additional layer of security for network traffic and to protect the Client Access server,
deploy an application-layer firewall or reverse proxy, such as Microsoft Internet Security and Acceleration
(ISA) Server 2006 or Forefront Threat Management Gateway, between the Internet and the Client Access
server. Application layer firewalls provide the following benefits:
• You can configure the firewall as the endpoint for the client SSL connection.
• You can offload SSL decryption to the firewall.
• If you use ISA Server 2006 or Forefront Threat Management Gateway as the application layer firewall,
you can configure the firewall to pre-authenticate all client connections using forms-based
authentication.

Note: If you use certificate-based authentication for Exchange ActiveSync, you must configure a
server-publishing rule that forwards the client traffic to the Exchange Server computer without
decrypting the packets on the ISA Server computer.

Considerations for Implementing Client Access Server Certificates

Key Points
Because SSL is the mechanism for securing network traffic between Client Access servers and messaging
clients, you must ensure that you deploy the appropriate certificates on the Client Access servers. You
can secure all client connections to the Client Access server using SSL.

Note: By default, the Client Access server is configured with a self-signed certificate that clients do
not trust. Obtain a certificate from a trusted CA and assign it to the client-facing services (IIS, POP3
and IMAP4) in place of the self-signed certificate.

Choosing a Certification Authority


One of the most important considerations when planning the use of certificates is identifying the source
of the certificates. Exchange Server 2010 can use self-signed certificates, certificates issued by a public CA,
or certificates issued by a private CA.

In an Exchange Server 2010 environment, you can use the self-signed certificates for internal
communication, such as for securing Simple Mail Transfer Protocol (SMTP) connections between Hub
Transport servers. You also can use these certificates to secure client connections to Client Access servers.
However, because none of the client computers trusts this certificate, we do not recommend this solution.
Rather, you should consider obtaining a certificate from a public CA or internal CA for all Client Access
servers.
In most cases, you should deploy a certificate issued by a public CA if users access the Client Access server
from the Internet. If users access the Client Access server from the Internet, it is important that the clients
trust this certificate, and that they have access to certificate revocation lists from any location.

If only computers that are members of the internal domain access the Client Access server, you could
consider using an internal, or private, CA. By deploying an Enterprise CA, you can automate the process of
distributing and managing certificates and certificate revocation lists.

Note: If you are planning to enable Federated Sharing, you must obtain a certificate for your
Internet-accessible Client Access servers from a public, trusted CA.

Identifying the Client Protocols Required


As you plan the certificate deployment, you need to determine which client protocols are used to
connect to the Client Access server, and ensure that the certificate includes every name that each
protocol uses.

Planning the Certificate Names


For clients to connect to the Client Access server using SSL without receiving an error message, the names
on the certificate must match the names that the clients use to connect to the server.

You can implement this configuration by using the following options:


• Obtain a separate certificate for each client protocol that requires a unique name. This may require
multiple certificates for all Client Access servers. This may also require multiple Web sites in IIS. This is
the most complicated option to configure.
• Configure all clients to use the same server name. For example, you could configure all clients to use
the server name mail.contoso.com, and obtain a certificate for just that one name.
• Obtain a certificate with multiple subject alternative names. Most public CAs support the use of
multiple names in the certificate’s subject alternative name extension. When you use one of these
certificates, clients can connect to the Client Access server using any of the names listed in the subject
alternative name.
• Use a certificate with a wildcard name. Most public CAs also support the use of wildcards in the
certificate request. For example, you could request a certificate using the subject of *.contoso.com,
and use that certificate for client connections.

Note: Not all clients support wildcard certificates. Microsoft Outlook, Microsoft Internet Explorer®,
and Windows Mobile® 6 or newer clients support wildcard certificates, but you need to verify this
functionality for all messaging clients that are used in your organization before deploying these
certificates. Many organizations also consider wildcard certificates a security risk, because one
certificate and private key are valid for every host name in the domain: if the key is compromised,
an attacker can impersonate any host in the organization, not just the Client Access server.

Demonstration: How to Configure Certificates for Client Access Servers

Key Points
In this demonstration, you will see how to configure a Windows Server 2008 Certification Authority to
support certificate requests with multiple subject alternative names. You will then see how to use the New
Exchange Certificate Wizard to request a certificate for a Client Access server, and how to install that
certificate.

Demonstration Steps
By default, the Windows Server 2008 Certification Authority does not issue certificates with multiple
subject alternative names, so you will need to modify the server configuration. To enable the CA to issue
these certificates, perform the following steps:
1. Run the certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2 command, and
then restart Active Directory Certificate Services (net stop certsvc, then net start certsvc). Note that
this flag allows any requester to add arbitrary subject alternative names to a request, so clear it
again (certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2) once the request has been
processed, rather than leaving it set on a production CA.
2. In the Exchange Server, open the Exchange Management Console, select Server Configuration,
and then click Client Access.
3. Click Configure External Client Access Domain, and configure the external domain name for Client
Access servers in the organization.
4. In the Actions pane, click New Exchange Certificate to open the New Exchange Certificate Wizard.
This wizard helps you determine what type of certificates you need for your Exchange organization.
5. On the Introduction page, enter a user-friendly name for your certificate.
6. On the Domain Scope page, do not select the Enable wildcarding for this certificate check box.
7. On the Exchange Configuration page, configure the certificate request to include Outlook Web App
on the Internet and Intranet, Exchange ActiveSync and Autodiscover.
8. On the Certificate Domains page, accept the names that will be added to the certificate request.

9. On the Organization and Location page, enter information about your Exchange organization. Click
the Browse button to select a location for the certificate request file, and enter the desired file name.
10. On the Certificate Completion page, verify that all the information you have entered is correct. If it
is, click the New button.
11. On the Completion page, click Finish.
12. Provide the certificate request file to your CA. After the certificate has been issued, complete the
certificate installation process.
13. In the Exchange Management Console, select Server Configuration.
14. In the Actions pane, click Complete Pending Request.
15. Import the certnew.cer file.
16. In the Actions pane, click Assign Services to Certificate.
17. Assign the certificate to Internet Information Services on VAN-EX1.
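The following is an added example, not part of the course material, that performs the same work as the wizard steps above from the Exchange Management Shell, and then checks the two points from the "Securing Communications Between Clients and Client Access Servers" procedure earlier in this lesson: that the installed certificate is trusted and carries every name clients use, and that the client-facing virtual directories require SSL. It assumes server VAN-EX1, the names mail.contoso.com, autodiscover.contoso.com and van-ex1.contoso.com, a C:\certreq folder, and a CA that returns the issued certificate as certnew.cer.

```powershell
# Added example (not from the course). Server, names, paths and organization details
# are assumptions.
$server = "VAN-EX1"
$names  = "mail.contoso.com", "autodiscover.contoso.com", "van-ex1.contoso.com"

# 1. Generate the request. Every entry in -DomainName is placed in the subject
#    alternative name extension, so clients may connect with any of these names.
$request = New-ExchangeCertificate -Server $server -GenerateRequest `
    -FriendlyName "Contoso Client Access" `
    -SubjectName "CN=mail.contoso.com, O=Contoso, L=Vancouver, C=CA" `
    -DomainName $names `
    -PrivateKeyExportable $true
Set-Content -Path "C:\certreq\van-ex1.req" -Value $request

# 2. Submit van-ex1.req to the CA. When the CA has issued certnew.cer, import it;
#    this completes the pending request that step 1 left on the server.
$bytes = [Byte[]](Get-Content -Path "C:\certreq\certnew.cer" -Encoding Byte -ReadCount 0)
Import-ExchangeCertificate -Server $server -FileData $bytes

# 3. Locate the issued certificate and assign it to the client-facing services.
#    The self-signed certificate is left in place; Exchange still uses it for SMTP
#    between Hub Transport servers.
$cert = Get-ExchangeCertificate -Server $server |
    Where-Object { -not $_.IsSelfSigned -and $_.CertificateDomains -contains "mail.contoso.com" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
Enable-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint -Services IIS,POP,IMAP

# 4. Check what was installed: Status must be Valid (chain trusted, not expired, not
#    revoked) and CertificateDomains must list every name clients will use.
Get-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint |
    Format-List Subject, Issuer, CertificateDomains, NotAfter, Status, Services

# 5. Confirm that each Exchange virtual directory requires SSL. Run this on the
#    Client Access server; the WebAdministration module ships with IIS 7.x.
#    The reported value must include Ssl (bit value 8).
Import-Module WebAdministration
foreach ($vdir in "owa", "ecp", "EWS", "Microsoft-Server-ActiveSync", "OAB", "Rpc") {
    $flags = Get-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site\$vdir" `
                 -Filter "system.webServer/security/access" -Name sslFlags
    "{0,-28} sslFlags = {1}" -f $vdir, $flags.Value
}
```

If step 4 reports a Status other than Valid, check that the issuing CA's chain is installed in the server's Trusted Root and Intermediate stores and that the CRL distribution point in the certificate is reachable from the server; Exchange will not accept a certificate it cannot validate.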

Question: What would you need to change in this procedure if you were also enabling secure access to
IMAP4 using a server name of IMAP4?

Question: How would this process change if you were requesting a certificate from an external, public
CA?

Options for Configuring POP3 and IMAP4 Client Access

Key Points
By default, Exchange Server 2010 supports POP3 and IMAP4 client connections, but the services are set to
start manually. If you want to enable user access for these protocols, you must start the services and
configure them to start automatically.

Configuration Options
If you choose to enable POP3 or IMAP4 access, you can configure the following settings.

• Bindings. Configures the local IP addresses and ports on which the service listens. There are separate
bindings for unencrypted or TLS connections (the client can upgrade the connection with STARTTLS before
logging on) and for SSL connections.
• Authentication. Configures the supported logon options: basic authentication, Integrated Windows
authentication, and secure logon, which requires the connection to be encrypted with TLS or SSL before
the client logs on. The default setting is secure logon.
• Connection settings. Configures server settings such as time-out values, connection limits, and the
command relay or proxy target port used for connections to an Exchange Server 2003 back-end server.
• Retrieval settings. Configures the message formats used for these protocols, and how clients retrieve
calendar requests.
• User access. On each user account, you can enable or disable access for the POP3 and IMAP4 protocols.
By default, all users are enabled for both protocols.
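The following is an added example, not part of the course material, that enables IMAP4 on a Client Access server so that only TLS- or SSL-protected logons are accepted, then restricts which mailboxes may use POP3 and IMAP4 at all. It assumes server VAN-EX1, a certificate already installed with the name mail.contoso.com, and a distribution group named "IMAP Users" whose members are allowed IMAP4 access; the connection limits are illustrative values.

```powershell
# Added example (not from the course). Server, certificate name, group name and limits
# are assumptions.
$server = "VAN-EX1"

# The POP3 and IMAP4 services are installed with startup type Manual.
Set-Service -Name MSExchangeImap4 -StartupType Automatic

# Bindings: port 143 accepts unencrypted connections that must be upgraded with STARTTLS
# before logon; port 993 is IMAP over SSL. LoginType SecureLogin (the default) rejects a
# LOGIN command on a connection that has not yet been encrypted, so a password is never
# sent in clear text. X509CertificateName selects which installed certificate is offered.
Set-ImapSettings -Server $server `
    -LoginType SecureLogin `
    -X509CertificateName "mail.contoso.com" `
    -UnencryptedOrTLSBindings "0.0.0.0:143" `
    -SSLBindings "0.0.0.0:993" `
    -MaxConnections 2000 `
    -MaxConnectionsPerUser 16 `
    -PreAuthenticatedConnectionTimeout 60 `
    -AuthenticatedConnectionTimeout 1800
Restart-Service -Name MSExchangeImap4    # the service reads its settings at start

# Mailbox-level access: remove POP3 and IMAP4 from every mailbox that still has
# them, then re-enable IMAP4 only for the members of the approved group.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Set-CASMailbox -PopEnabled $false -ImapEnabled $false
Get-DistributionGroupMember -Identity "IMAP Users" |
    Set-CASMailbox -ImapEnabled $true

# Verify the effective server settings, then run a protocol-level logon test.
# Test-ImapConnectivity uses the test mailbox created by New-TestCasConnectivityUser.ps1
# from the Exchange Scripts folder.
Get-ImapSettings -Server $server |
    Format-List LoginType, X509CertificateName, UnencryptedOrTLSBindings, SSLBindings
Test-ImapConnectivity -ClientAccessServer $server
```

The same cmdlets exist for POP3 (Set-PopSettings, Get-PopSettings, Test-PopConnectivity, service MSExchangePop3) with ports 110 and 995 in place of 143 and 993.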

Configuring the Client Access Server for Internet Access

Key Points
To enable access to the Client Access server from the Internet, you need to complete the following steps:
1. Configure the external URLs for each of the required client options. You can configure all of the Client
Access server Web server-based features with an external URL. This URL is used to access the Web site
from external locations. By default, the external URL is blank. For Internet-facing Client Access servers,
the external URL should be configured to use the name published in DNS for that Active Directory
site. The external URL should also use the same name as the one used for the server certificate. For
Client Access servers that will not have an Internet presence, the setting should remain blank.
2. Configure external DNS name resolution. For each Client Access server that you are exposing to the
Internet, you need to verify that the host name can be resolved on the Internet.
3. Configure access to the Client Access server virtual directories. Each of the client access methods uses
a different virtual directory. If you are using a standard firewall or application layer firewall that filters
client requests based on the virtual directory, you need to ensure that all virtual directories are
accessible through the firewall.
4. Implement SSL certificates with multiple subject alternative names. If you are using multiple host
names for the Client Access services, or if you are publishing Autodiscover to the Internet, then ensure
that the SSL certificates that you deploy on each Client Access server have the required server names
listed in the subject alternative name extension.
5. Plan for Client Access server access with multiple sites. If your organization has multiple locations and
Active Directory sites, and you are deploying Exchange servers in each site, your first decision is
whether you will make the Client Access servers in each site accessible from the Internet. If you
choose not to make the Client Access server accessible, you should not configure an external URL for
it. All client requests to that server will then be proxied from an Internet-accessible Client Access
server.
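The following is an added example, not part of the course material, that carries out steps 1, 2 and 5 of the list above from the Exchange Management Shell. It assumes VAN-EX1 is the Internet-facing Client Access server published in DNS as mail.contoso.com (the name on its certificate), that Autodiscover is published as autodiscover.contoso.com, and that TOR-EX1 is a Client Access server in a second site with no Internet presence.

```powershell
# Added example (not from the course). Server and DNS names are assumptions.
$server = "VAN-EX1"
$fqdn   = "mail.contoso.com"     # name on the certificate and in public DNS

# 1. External URLs for every Web-based client feature, all under the one published
#    name so that a single-name or SAN certificate covers them.
Get-OwaVirtualDirectory         -Server $server | Set-OwaVirtualDirectory         -ExternalUrl "https://$fqdn/owa"
Get-EcpVirtualDirectory         -Server $server | Set-EcpVirtualDirectory         -ExternalUrl "https://$fqdn/ecp"
Get-ActiveSyncVirtualDirectory  -Server $server | Set-ActiveSyncVirtualDirectory  -ExternalUrl "https://$fqdn/Microsoft-Server-ActiveSync"
Get-WebServicesVirtualDirectory -Server $server | Set-WebServicesVirtualDirectory -ExternalUrl "https://$fqdn/EWS/Exchange.asmx"
Get-OabVirtualDirectory         -Server $server | Set-OabVirtualDirectory         -ExternalUrl "https://$fqdn/OAB"

# Outlook Anywhere publishes the /Rpc virtual directory under the same name.
if (Get-OutlookAnywhere -Server $server) {
    Get-OutlookAnywhere -Server $server | Set-OutlookAnywhere -ExternalHostname $fqdn
} else {
    Enable-OutlookAnywhere -Server $server -ExternalHostname $fqdn `
        -ClientAuthenticationMethod Basic -SSLOffloading $false
}

# Autodiscover: internal Outlook clients find the service through the SCP record in
# Active Directory; Internet clients use DNS (autodiscover.contoso.com), so that name
# must also be on the certificate.
Set-ClientAccessServer -Identity $server `
    -AutoDiscoverServiceInternalUri "https://autodiscover.contoso.com/Autodiscover/Autodiscover.xml"

# 5. The Client Access server in the second site is not published: leave its external
#    URLs blank so that VAN-EX1 proxies requests for mailboxes in that site.
Get-OwaVirtualDirectory        -Server "TOR-EX1" | Set-OwaVirtualDirectory        -ExternalUrl $null
Get-ActiveSyncVirtualDirectory -Server "TOR-EX1" | Set-ActiveSyncVirtualDirectory -ExternalUrl $null

# 2. Check that the published name resolves, then exercise the published endpoints.
[System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString }
Get-OwaVirtualDirectory -Server $server | Format-List Identity, InternalUrl, ExternalUrl
Test-OwaConnectivity        -ClientAccessServer $server
Test-ActiveSyncConnectivity -ClientAccessServer $server
```

Resolve the name from a host outside the corporate network as well; an internal resolver may return the private address of the server rather than the address published for Internet clients.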

Lesson 2
Configuring Client Access Services for Outlook Clients

The Client Access servers in Exchange Server 2010 provide several services for Office Outlook clients. For
the most part, these services are enabled by default for Outlook clients on the internal network, but you
may need to modify some of the settings. Additionally, you can make some of these services available to
Outlook clients connecting the Exchange servers from outside the environment. In this case, you need to
enable these features, and ensure that they are configured correctly.
After completing this lesson, you will be able to:
• Describe the services provided by a Client Access server for Outlook clients.
• Describe the RPC client access services feature.
• Describe Autodiscover functionality.
• Configure Autodiscover.
• Describe the Availability Service, and its purpose.
• Explain the MailTips purpose and functionality.
• Configure MailTips.
• Describe the Outlook Anywhere functionality.
• Configure Outlook Anywhere.
• Explain how to troubleshoot Outlook client connectivity.

Services Provided by a Client Access Server for Outlook Clients

Key Points
In Exchange Server 2010, the Client Access server role provides critical services for all messaging clients,
including Office Outlook clients. The following services are provided for Outlook clients:
• RPC Client Access service. Enables MAPI clients such as Outlook to connect to user mailboxes. The client
connects to the Client Access server using a MAPI connection.
• Autodiscover. The Autodiscover service configures client computers that are running Outlook 2007 or
later, or supported mobile devices. The Autodiscover process configures the Outlook client profile,
including the mailbox server, Availability service, and offline address book download locations.
• Availability. The Availability service makes free/busy information available to Outlook 2007 and
Outlook Web App clients. It retrieves free/busy information from Mailbox servers or public folders, and
presents the information to the clients.
• MailTips. The MailTips feature notifies users of potential issues with a message before they send it.
• Offline Address Book. The Client Access server makes the offline address book (OAB) available through
a Web download service. Only Microsoft Office Outlook 2007 or later clients can retrieve OABs from a
Web service.
• ECP. The Exchange Control Panel (ECP) is a Web-based management interface that enables self-service
for mailbox users, and lets users perform specific management tasks without having access to the entire
Exchange management interface.
• Exchange Web Services. Exchange Web Services enables client applications to communicate with the
Exchange server, and can also be accessed programmatically. It provides access to much of the same data
that Office Outlook makes available, so Exchange Web Services clients can integrate Outlook data into
line-of-business (LOB) applications.
• Outlook Anywhere. Outlook Anywhere enables Outlook 2003 or later clients to access the user mailbox by
using RPCs encapsulated in HTTP or HTTPS. This enables secure access to user mailboxes from clients
located on the Internet.

What Is RPC Client Access Services?

Key Points
One the most significant architectural changes in Exchange Server 2010 is that the Client Access server
now supports all client connections, including MAPI connections from Outlook clients. In previous
Exchange Server versions, Outlook configured as a MAPI client always connected to the Mailbox server
directly, rather than to a front-end or Client Access server. In Exchange Server 2010, all clients
connect to the Client Access server role, regardless of the client protocol used.

How RPC Client Access Services Works


Because of the change in the messaging architecture, the client communication with the mailbox server
has changed in the following way:
• In Exchange Server 2010, when a MAPI client starts, it connects to a Client Access server. The client
protocol has not changed, so it remains compatible with older Outlook versions, back to Outlook
2003 SP2.
• When the client connects to the Client Access server, the Client Access server uses a MAPI RPC
connection to communicate with the Mailbox server.
• When a MAPI client such as Outlook requests the Global Address List (GAL), the Client Access server
answers through the Name Service Provider Interface (NSPI) service that the role now provides, and
queries Active Directory on behalf of the client. This means that address book lookups from MAPI
clients are sent to the Client Access server rather than directly to a global catalog server.

RPC Client Access Services Benefits

RPC Client Access services provide a number of benefits:
• All clients now use the same mailbox access architecture.
• For organizations that deploy highly available Mailbox servers, client outages are reduced when a mailbox database fails over to another server. When a mailbox fails over to another server, the Client Access server is notified, and the client connections are redirected to the new server within seconds. In a failover scenario, Exchange Server 2007 clients would be disconnected for one to 15 minutes. In Exchange Server 2010, if one Client Access server in a Client Access server array fails, the client immediately reconnects to another Client Access server in the array. If a Mailbox server fails, the client is disconnected for 30 seconds.
• Mailboxes can now be moved from one Mailbox server to another, even while the user is online and connected to the mailbox.
• The new architecture supports more concurrent client connections to the Mailbox server. In Exchange Server 2007, each Mailbox server can handle 64,000 connections. In Exchange Server 2010, the limit increases to 250,000 RPC context handles.

What Is Autodiscover?

Key Points
The Autodiscover service in Exchange Server 2010 simplifies Office Outlook 2007 or later client
configuration. Autodiscover provides configuration information that Outlook requires to create a profile
for the client. Outlook clients can also use the Autodiscover service to repair Exchange Server connection
settings if a profile is corrupted, or if the user mailbox is moved to a different server. The Autodiscover
service uses a user’s e-mail address and password to provide profile settings to Outlook 2007 or later
clients, and supported mobile devices.

How Autodiscover Works


Outlook 2010 connects to Exchange Server 2010 in the following manner:
1. When you install the Client Access server role, a service connection point (SCP) is configured
automatically in Active Directory for the Client Access server. This SCP includes the Client Access
server URL.
2. When Outlook 2010 starts for the first time, Outlook uses the user name or the user’s e-mail address
and password to configure the MAPI profile automatically. Exchange Server uses configuration
information from the Active Directory directory service to build an Outlook configuration template.
The configuration template includes information about Active Directory and the Exchange Server
2010 organization and topology.
3. Outlook also uses the SCP to locate the Autodiscover service on an Exchange Server 2010 computer
with the Client Access server role installed. The information includes the download location for the
Availability Web service, and the Offline Address Book.
4. Outlook downloads the required configuration information from the Autodiscover service.
5. Outlook then uses the appropriate configuration settings to connect to Exchange Server 2010.

Supported Clients and Protocols

Autodiscover supports the following clients and protocols:
• Office Outlook 2010: RPC over TCP/IP
• Outlook Anywhere: RPC over HTTP
• Exchange ActiveSync: Exchange ActiveSync over HTTP
• Entourage 2008, Exchange Web Services Edition: Exchange Web Services (HTTPS)

Note: Exchange Server 2010 supports Autodiscover for Exchange ActiveSync Service clients. However,
the Exchange ActiveSync Service client must be running Windows Mobile 6 to support this feature.

Configuring Autodiscover

Key Points
By default, the Autodiscover settings for internal clients are automatically configured, and Outlook 2007
or later clients are automatically configured to use the appropriate services. In some cases, you may want
to modify the default settings. For external clients, you need to configure the appropriate DNS settings to
ensure that external clients can locate the Client Access server that is accessible from the Internet.

Configuring the Autodiscover Settings


To enable Autodiscover, you must have at least one Client Access server that is running the Autodiscover
service. When you install the Client Access server role, the Autodiscover virtual directory is created
automatically in IIS.
To manage Autodiscover settings, you must use the following Exchange Management Shell cmdlets.

Task: Exchange Management Shell cmdlet
• Configure the Autodiscover SCP: Set-ClientAccessServer
• Create a new Autodiscover virtual directory: New-AutodiscoverVirtualDirectory
• Remove an Autodiscover virtual directory: Remove-AutodiscoverVirtualDirectory
• Configure an Office Outlook provider: Set-OutlookProvider
• Locate an Office Outlook provider or providers on the virtual directory: Get-OutlookProvider

Configuring Autodiscover for Multiple Sites


If your organization has deployed Exchange servers in multiple Active Directory sites, you should consider
configuring site affinity for the Autodiscover service. To use site affinity, you specify which Active Directory
sites are preferred for clients to connect to a particular Autodiscover service instance.

To configure site affinity, use a cmdlet as shown in the following example:

Set-ClientAccessServer -Identity "ServerName" -AutodiscoverServiceInternalUri "https://VAN-EX1/autodiscover/autodiscover.xml" -AutodiscoverSiteScope "HeadOffice"

This cmdlet configures the URI for the Autodiscover service in the HeadOffice site to use the VAN-EX1 server.

Configuring DNS to Support Autodiscover


For external clients to be able to locate the appropriate Client Access servers, you must configure DNS
with the correct information. When the Outlook client attempts to locate the Client Access server, it first
tries to locate the SCP information in the Active Directory directory service. If the client is outside the
network, Active Directory is not available. Therefore, the client queries DNS for a server name based on
the SMTP address that the user provides. Office Outlook queries DNS for the following URLs, where <e-mail domain> is the domain part of the user's SMTP address:
• https://autodiscover.<e-mail domain>/autodiscover/autodiscover.xml
• https://<e-mail domain>/autodiscover/autodiscover.xml
To enable Autodiscover, you must configure a DNS record on the DNS server that the client uses to
provide name resolution for that request. The DNS record should point to a Client Access server that is
accessible from the Internet.

Using the Test E-mail AutoConfiguration Feature in Outlook 2010


You can use the Test E-mail AutoConfiguration feature in Outlook 2010 to test whether Autodiscover is
working correctly.

Note: You also can use the Exchange Management Shell cmdlet Test-OutlookWebServices to test
the Autodiscover settings on a Client Access server.

What Is the Availability Service?

Key Points
Exchange Server 2010 makes free/busy information available to both Outlook 2007 or later, and Outlook
Web App clients, by using the Availability service. The Availability service replaces the public folder used
to store free/busy information in previous Exchange Server versions.

Note: Only Outlook 2007 or later and Outlook Web App use the Availability service. Outlook 2003
clients continue to use the Schedule+ Free Busy Information public folder. This folder must be
available on an Exchange server for these clients to function.

How Availability Service Works

The Availability service provides free/busy information by using the following process:
1. When you start the Scheduling Assistant in Outlook 2007 or Outlook Web App, the client sends a
request to the URL provided to the client during Autodiscover. The request includes all invited users,
including resource mailboxes.
2. The Client Access server Availability service queries Active Directory to determine the user mailbox
location. For any mailbox in the same site as the Client Access server, the request is sent directly to
the Mailbox server to retrieve the user’s current free/busy information.
3. If the mailbox is in a different site than the Client Access server, the request is sent by proxy to a
Client Access server in the site where the user mailbox is located. The Client Access server in the
destination site extracts the availability information from the Mailbox server, and replies to the
requesting Client Access server.
4. If the mailbox for one of the invited users is on a computer running Exchange Server 2003, the Availability service queries the public folder that contains the free/busy information for the user.
5. The Availability service combines the free/busy information for all invited users, and presents it to the Outlook 2007 or Outlook Web App client.

Deploying Availability Service


Availability service is deployed by default on all Client Access servers and does not need configuration
except in scenarios where you are integrating the free/busy information from multiple forests.

Autodiscover delivers the service location for Availability service to Outlook 2007 clients. Availability
service is located at the URL http://servername/EWS.

What Are MailTips?

Key Points
MailTips are informative messages displayed to users before they send a message. MailTips inform a user
about issues or limitations with the message the user intends to send. Exchange Server 2010 analyzes the
message, including the list of recipients to which it is addressed. If it detects a potential problem, it
notifies the user with MailTips prior to sending the message. With the help of the information provided by
MailTips, senders can adjust the message they compose to avoid undesirable situations or nondelivery
reports (NDRs).

Types of MailTips
Exchange Server 2010 provides several default MailTips, including the following examples:
• Mailbox Full. This MailTip displays if the sender adds a recipient whose mailbox is full, and if your
organization has implemented a Prohibit Receive restriction for mailboxes over a specified size.
• Recipient Out of Office. This MailTip displays the first 250 characters of the out-of-office reply
configured by the recipient, if a recipient has configured an out-of-office rule.
• Restricted Recipient. This MailTip displays if the sender adds a recipient for which delivery restrictions
are configured, and prohibits this sender from sending the message.
• External Recipients. This MailTip displays if the sender adds a recipient that is external, or adds a
distribution group that contains external recipients.
• Large Audience. This MailTip displays if the sender adds a distribution group that has more than the
large audience size configured in your organization. By default, Exchange Server displays this MailTip
for messages to distribution groups that have more than 25 members.
You can also configure custom MailTips in the Exchange Management Shell. A custom MailTip can be assigned to any recipient. For example, you could configure a custom MailTip for a recipient who is on an extended leave, or for a distribution group where all members of the group will be out of the office. Alternatively, you can create a custom MailTip for a distribution group that explains the purpose of the group and thus reduces its misuse. When you configure a custom MailTip, it displays when a user composes a message to the specified recipient.

Note: MailTips are available only in Exchange Server 2010 Outlook Web App, or when using
Microsoft Office Outlook 2010 or later. MailTips are not available in Outlook 2007.

How MailTips Work


MailTips are implemented as a Web service in Exchange Server 2010. When a sender composes a
message, the client software makes an Exchange Web service call to Exchange Server 2010 server with the
Client Access server role installed, to get the list of MailTips. The Exchange Server 2010 server responds
with the list of MailTips that apply to that message, and the client software displays the MailTips to the
sender.

The Client Access server uses the following process to compile MailTips for a specific message:
1. The mail client queries the Web service on the Client Access server for MailTips that apply to the
recipients in the message.
2. The Client Access server gathers MailTip data:
• The Client Access server queries the Active Directory Domain Service (AD DS) and reads group
metrics data.
• The Client Access server queries the Mailbox server to gather the Recipient Out-of-Office and
Mailbox Full MailTips. If the recipient's mailbox is on another site, then the Client Access server
requests MailTips information from the Client Access server in the remote site.
3. The Client Access server returns MailTips data back to the client.

Note: Several MailTips are available when the Outlook client is offline. To enable this, the redesigned offline address book structure now includes some of the information that MailTips require. The only MailTips that do not work while the Outlook client is offline are those that require current information from Active Directory or the user mailbox: the Invalid Internal Recipient, Mailbox Full, and Recipient Out-of-Office MailTips.

Demonstration: How to Configure MailTips

Key Points
In this demonstration, you will see how to review and configure default MailTips for an Exchange Server 2010 organization, and how to configure custom MailTips. You will also confirm that the MailTips function as expected.

Demonstration Steps
1. In Exchange Management Shell, use the Get-OrganizationConfig cmdlet to review the default
configuration for MailTips.
2. Use the Set-OrganizationConfig -MailTipsLargeAudienceThreshold 10 cmdlet to modify the large distribution group threshold setting.
3. Use the Set-DistributionGroup Marketing -MailTip 'The marketing team will be at a conference till next week.' cmdlet to configure a custom MailTip.
4. Log on to Outlook Web App. Prepare test messages to verify that the default and custom MailTips
work as expected.

Question: Will you leave MailTips enabled in your organization? How will you modify the default
configuration?
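The demonstration steps above, done from the Exchange Management Shell with a verification after each change. This is an added example, not part of the course; the cmdlets and their parameters are Exchange Server 2010's, while the function names and the Marketing group are assumptions.

```powershell
# Added example; not part of the course. The cmdlets and parameters are Exchange
# Server 2010's; the function names and the group name are assumptions.

function Get-MailTipsSummary {
    # The organization-wide MailTips switches and the large audience threshold
    Get-OrganizationConfig | Select-Object MailTipsAllTipsEnabled,
        MailTipsExternalRecipientsTipsEnabled, MailTipsGroupMetricsEnabled,
        MailTipsMailboxSourcedTipsEnabled, MailTipsLargeAudienceThreshold
}

function Get-LargeAudienceGroup {
    # Distribution groups whose direct member count exceeds the threshold and so
    # trigger the Large Audience MailTip. Exchange itself counts expanded membership
    # through group metrics, so nested groups make this an approximation.
    param([int]$Threshold = (Get-OrganizationConfig).MailTipsLargeAudienceThreshold)
    Get-DistributionGroup -ResultSize Unlimited | ForEach-Object {
        $count = @(Get-DistributionGroupMember -Identity $_.Identity -ResultSize Unlimited).Count
        if ($count -gt $Threshold) {
            New-Object PSObject -Property @{ Group = $_.Name; Members = $count }
        }
    }
}

function Set-GroupMailTip {
    # Sets a custom MailTip on a distribution group and reads it back for verification
    param([Parameter(Mandatory=$true)][string]$Group,
          [Parameter(Mandatory=$true)][string]$Text)
    # A MailTip is limited to 175 displayed characters; fail early rather than
    # let the cmdlet reject or cut the text
    if ($Text.Length -gt 175) {
        throw "MailTip text is $($Text.Length) characters; the limit is 175."
    }
    Set-DistributionGroup -Identity $Group -MailTip $Text
    Get-DistributionGroup -Identity $Group | Select-Object Name, MailTip
}

# Demonstration steps 1 to 3, each followed by a read-back of the result
Get-MailTipsSummary | Format-List
Set-OrganizationConfig -MailTipsLargeAudienceThreshold 10
Get-LargeAudienceGroup | Format-Table Group, Members -AutoSize
Set-GroupMailTip -Group 'Marketing' -Text 'The marketing team will be at a conference till next week.'
```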

What Is Outlook Anywhere?

Key Points
When you enable Outlook Anywhere, an Outlook 2003 or later client can connect to a server running
Exchange Server 2010 or Exchange Server 2007 using RPCs encapsulated in an HTTP or HTTPS packet. This
feature is a secure option for connecting to the Exchange server from the Internet while using a MAPI
client.

How Does Outlook Anywhere Work?


To deploy Outlook Anywhere, you need to deploy the Outlook 2007 or Outlook 2003 client and the RPC
proxy service running on Windows Server 2008. The following is a description of the communication
process between all components in an RPC-over-HTTP configuration:
1. All communication between the Outlook client and the Client Access server is sent using HTTPS. The
client establishes a connection to the Client Access server for each RPC request that it sends, and then
establishes a second connection for responses from the Client Access server.
2. When the client connects, the Client Access server authenticates the user by forwarding the
authentication request to a domain controller.
3. After the user is authenticated, the Client Access server uses an RPC connection to communicate with
the Mailbox server hosting the user mailbox.
4. If the client requests a Global Address List lookup, the NSPI component on the Client Access server
will send a Lightweight Directory Access Protocol (LDAP) query to a global catalog server.

Demonstration: How to Configure Outlook Anywhere

Key Points
When configuring Outlook Anywhere, you must configure the Exchange Client Access server, and then
configure the Outlook clients.

Implementing Outlook Anywhere


To configure Outlook Anywhere on Exchange Server 2010, you must perform the following high-level
steps:
1. Configure a computer running Windows Server 2008 as the RPC proxy server by installing the RPC
over HTTP Proxy feature in Server Manager. When you select this feature, the required Web Server
(IIS) role services are installed on the server. You should install the RPC over HTTP Proxy feature on
the Client Access server.
2. Install a server certificate on the RPC proxy server. By default, Outlook Anywhere requires SSL
encryption. Configure the RPC virtual directory to require SSL.
3. Enable Outlook Anywhere in the Exchange Management Console. When you enable RPC over HTTP,
you must configure both an external host name and authentication method.
4. Configure the Outlook 2007 or Outlook 2003 profile on the client to use RPC over HTTP to connect to
the Client Access server.

Demonstration Steps
1. On the Client Access server, use the following cmdlet to review the Autodiscover configuration:
Get-ClientAccessServer -Identity VAN-EX1 | Format-List

2. On the Client Access server, verify that the RPC over HTTP Proxy feature is installed.
3. On the Client Access server, in Exchange Management Console, click Enable Outlook Anywhere,
using a host name that is resolvable from the Internet.
4. On the Client Access server, in Internet Information Services (IIS) Manager, verify that the RPC virtual
directory is configured to use SSL and that it is configured to accept Basic and Windows
Authentication.
5. On the client computer, configure the Outlook account properties to Connect to Microsoft
Exchange using HTTP, and then click Exchange Proxy Settings.
6. In the Microsoft Exchange Proxy Settings dialog box, complete the following information:
• Use the URL (https://): external host name for the Client Access server.
• Connect using SSL only: enable (default)
• On fast networks, connect using HTTP first, then connect using TCP/IP: enable
• On slow networks, connect using HTTP first, then connect using TCP/IP: enable (default)
• Proxy authentication setting: NTLM Authentication (default)
7. From the client, open Outlook and connect to the server.
8. Press and hold the CTRL key, and then right-click the Office Outlook icon in the Windows 7
operating system notification area. Click Connection Status. Confirm that the Conn column lists
HTTPS as the connection method.
9. Press and hold CTRL, and then click the Outlook icon in the notification area of the Windows task
bar. Click Test E-mail AutoConfiguration.
10. Click Test. View the information displayed on both the Results and Log tabs.

Troubleshooting Outlook Client Connectivity

Key Points
To troubleshoot Outlook MAPI connectivity to an Exchange server, use the following steps:
1. Identify network connectivity issues. If the Outlook client or the Exchange server experiences
problems connecting to the network, Outlook shows a status of Disconnected, and no new messages
can be transferred between the client and the server.
2. Identify name resolution issues. Outlook clients must be able to resolve the name of the Exchange
server to which they are connecting. By default, Outlook 2007 clients use DNS host-name resolution
to resolve the name of the Exchange server to its IP address.
3. Identify client configuration issues. A client configuration issue can occur in Outlook or Windows
configurations. An improperly configured client can prevent the computer from connecting to the
Exchange server, or create intermittent connectivity problems.
4. Identify server configuration or service-availability issues. A configuration error can prevent some or
all users from connecting to the Exchange server. Based on the symptom that the user is
experiencing, you can verify configuration by using the Exchange Server Best Practices Analyzer Tool,
or examine server properties by using the Exchange Management Console.
5. If the client computer is using Outlook Anywhere to connect to the Client Access server, it may be a
Client Access server certificate issue. Outlook Anywhere relies on valid server certificates to provide
secure communication with the server. Invalid names on certificates, expired certificates, or
nontrusted certificates can cause connectivity issues between these clients and a Client Access server.

Tip: To ensure that a valid server certificate is trusted and can be used for connecting with Outlook
Anywhere, you should connect from a Web browser to the RPC virtual directory on the Exchange
server. If the user receives a prompt with a warning message about the certificate authenticity, then
there is an issue with the certificate configuration. This will lead to problems with Outlook Anywhere,
Autodiscover, and Exchange ActiveSync.
6. You can use the Test E-Mail AutoConfiguration Wizard in Outlook 2007 to test whether Autodiscover
is configured correctly. When you run the wizard, it will provide information whether the client could
connect to the Autodiscover service on a Client Access server, and it will display the information that
it received through the Autoconfiguration process.
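The DNS and certificate checks described in the Autodiscover lesson and in the tip above, performed from a client's point of view: derive the two Autodiscover URLs for an SMTP address, confirm each host resolves, and complete a TLS handshake to report the certificate names, expiry and chain trust that a browser prompt would reveal. This is an added example, not part of the course; the function names, the adatum.com addresses and the mail.adatum.com host name are assumptions taken from the lab.

```powershell
# Added example; not part of the course or of Exchange. Function names are assumptions.
# Uses only .NET 2.0 classes, so it runs in the PowerShell 2.0 that ships with
# Windows 7 and Windows Server 2008 R2, from a client outside the network.

function Get-AutodiscoverCandidateUrl {
    # The two URLs Outlook queries when the SCP in Active Directory is not reachable
    param([Parameter(Mandatory=$true)][string]$SmtpAddress)
    $domain = $SmtpAddress.Split('@')[-1]
    @("https://$domain/autodiscover/autodiscover.xml",
      "https://autodiscover.$domain/autodiscover/autodiscover.xml")
}

function Test-NameCoveredByCertificate {
    # $true when a certificate name equals $HostName, or a single-label wildcard covers it
    param([string]$HostName, [string[]]$Names)
    foreach ($n in $Names) {
        if ($n -eq $HostName) { return $true }
        if ($n.StartsWith('*.') -and ($HostName -like $n) -and
            ($HostName.Split('.').Count -eq $n.Split('.').Count)) { return $true }
    }
    return $false
}

function Test-TlsEndpoint {
    # Resolves $HostName, completes a TLS handshake on $Port and reports the server
    # certificate the way a browser prompt would: names, expiry and chain trust
    param([Parameter(Mandatory=$true)][string]$HostName, [int]$Port = 443)
    $r = New-Object PSObject -Property @{
        HostName = $HostName; Address = $null; Subject = $null; Names = @()
        NotAfter = $null; ChainValid = $false; NameMatches = $false; Error = $null }
    try {
        $r.Address = ([System.Net.Dns]::GetHostAddresses($HostName))[0].IPAddressToString
    } catch {
        $r.Error = 'DNS: ' + $_.Exception.Message
        return $r
    }
    $client = $null
    try {
        $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
        # Accept whatever the server presents so that it can be inspected below;
        # trust is evaluated afterwards with X509Chain, not by this callback.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $ssl.RemoteCertificate
        $r.Subject  = $cert.Subject
        $r.NotAfter = $cert.NotAfter
        $names = @($cert.GetNameInfo('DnsName', $false))
        # OID 2.5.29.17 is the subject alternative name extension; Format() output is
        # locale dependent and 'DNS Name=' is the form on English Windows
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                ForEach-Object { $_.Groups[1].Value }
        }
        $r.Names = @($names | Select-Object -Unique)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $r.ChainValid  = $chain.Build($cert) -and ($cert.NotAfter -gt (Get-Date))
        $r.NameMatches = Test-NameCoveredByCertificate $HostName $r.Names
        $ssl.Close()
    } catch {
        $r.Error = 'TLS: ' + $_.Exception.Message
    } finally {
        if ($client) { $client.Close() }
    }
    return $r
}

# Constructed usage: the lab's domain and its Outlook Anywhere host name
$hosts = @(Get-AutodiscoverCandidateUrl 'molly@adatum.com' |
    ForEach-Object { ([System.Uri]$_).Host }) + 'mail.adatum.com'
$hosts | ForEach-Object { Test-TlsEndpoint -HostName $_ } |
    Format-Table HostName, Address, NameMatches, ChainValid, NotAfter, Error -AutoSize
```

A row with NameMatches or ChainValid set to False is the condition that produces the browser certificate warning the tip describes, and the same certificate breaks Outlook Anywhere, Autodiscover and Exchange ActiveSync.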

Lab A: Configuring Client Access Servers for Outlook Anywhere Access

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, 10135A-VAN-EX2, and the 10135A-VAN-CL1
virtual machines are running.
• 10135A-VAN-DC1: Domain controller in the Adatum.com domain
• 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain
• 10135A-VAN-EX2: Exchange 2010 server in the Adatum.com domain
• 10135A-VAN-CL1: Client computer in the Adatum.com domain

Important: If you are using Windows Server 2008 R2 as the host operating system, you must
complete the following steps before starting VAN-CL1.
1. In the Hyper-V Management console, in the Virtual Machines pane, right-click
10135A-VAN-CL1, and click Settings.
2. Click Network Adapter, and select the Enable spoofing of MAC addresses
check box. Click OK.
This step is required in order for the Windows Mobile Device emulator to communicate on the virtual
network.

3. If required, connect to the virtual machines. Log on to VAN-DC1, VAN-EX1, and VAN-EX2 as
Adatum\Administrator, using the password Pa$$w0rd. Do not log on to VAN-CL1 at this point.

Lab Scenario
You are working as a messaging administrator in A. Datum Corporation. Your organization has decided to
deploy Client Access servers so that the servers are accessible from the Internet for a variety of messaging
clients. To ensure that the deployment is as secure as possible, you must secure the Client Access server,
and configure a certificate on the server that will support the messaging client connections. You also need
to configure the server to support Outlook Anywhere connections.

Exercise 1: Configuring Client Access Servers


Scenario
As a messaging administrator in A. Datum Corporation, you have deployed the Exchange Server
environment, and you are now working on configuring the Client Access servers. The organization has
decided to use a certificate from the internal CA to secure all client connections to the server. You need to
enable this configuration, and then you need to ensure that Outlook clients can still connect to the server.

The main tasks for this exercise are as follows:


1. Prepare the Windows Server 2008 CA to issue certificates with multiple subject alternative names.
2. Configure an External Client Access Domain for VAN-EX2.
3. Prepare a Server Certificate request for VAN-EX2.
4. Request the certificate from the CA.
5. Import and assign the IIS Exchange service to the new certificate.
6. Verify Outlook connectivity to the Exchange Server.

Task 1: Prepare the Windows Server 2008 CA to issue certificates with multiple subject alternative names
1. On VAN-DC1, open a command prompt and use the certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2 command to configure the CA policy.
2. Restart the Certificate Services.

Task 2: Configure an External Client Access Domain for VAN-EX2


1. On VAN-EX2, open the Exchange Management Console and configure an External Client Access
Domain named mail.Adatum.com.
2. Apply the external domain name just to VAN-EX2.
3. Verify that the External Client Access Domain was applied to the owa (Default Web Site) virtual
directory.

Task 3: Prepare a Server Certificate request for VAN-EX2


1. On VAN-EX2, run the New Exchange Certificate Wizard using the following configuration options:
• Friendly name: ADatum Mail Certificate
• Outlook Web App is on the intranet
• mail.adatum.com as the server name for all services
• Outlook Web App is on the Internet
• Exchange ActiveSync is enabled
• Autodiscover is used on the Internet
• Long URL is used for AutoDiscover
• Organization: A Datum
• Organizational Unit: Messaging
• Country/region: Canada
• City/locality: Vancouver
• State/province: BC
2. Save the file using the name CertRequest.req.

Task 4: Request the certificate from the CA


1. Copy the text of the certificate request file to the clipboard.
2. Connect to http://van-dc1/certsrv, and create a new certificate request using the contents of the
certificate request file. Use an advanced certificate request using a base-64-encoded CMC or
PKCS#10 file. Copy and paste the contents of the CertRequest.req file into the Saved Request field.
Request a Web server certificate.
3. Download the certificate and save it.
4. View the certificate. Verify that the certificate includes several subject alternative names, and then
click OK.

Task 5: Assign the IIS Exchange Service to the new certificate


1. In the Exchange Management console, use the Complete Pending Request Wizard to import the
Adatum Mail certificate.
2. In the Exchange Management console, use the Assign Services to Certificate Wizard to assign the
Adatum Mail certificate to the Internet Information Services service.

Task 6: Verify Outlook connectivity to the Exchange Server


1. On VAN-CL1, log on as Molly using the password Pa$$w0rd.
2. Open Microsoft Office Outlook 2007, and verify that a profile is automatically created for Molly.
3. In Office Outlook, click Tools, and then click Account Settings. Verify that the Outlook profile is
configured to use VAN-EX2 as the mailbox server.

Results: After this exercise, you should have configured the security settings for VAN-EX2 by using
the Security Configuration Wizard, and installed a server certificate from the internal CA on the server.
You should have also verified Outlook client connectivity to the Exchange server.
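The Exchange Management Shell equivalent of Tasks 3 to 5, run on VAN-EX2, with a final check that the certificate bound to IIS is trusted, not close to expiry, and carries the names the lab needs. This is an added example, not part of the course; the cmdlets and parameters are Exchange Server 2010's, while the file paths, the additional van-ex2.adatum.com name in the SAN list and the function name are assumptions.

```powershell
# Added example; not part of the course. The Exchange Management Shell equivalent of
# Tasks 3 to 5, run on VAN-EX2. Cmdlets and parameters are Exchange Server 2010's;
# the file paths, the extra SAN entry and the function name are assumptions.

# Task 3: a PKCS#10 request whose subject alternative names cover every name that
# clients use (the CA only honors them after the EditFlags change in Task 1)
$request = New-ExchangeCertificate -GenerateRequest -FriendlyName 'ADatum Mail Certificate' `
    -SubjectName 'C=CA,S=BC,L=Vancouver,O=A Datum,OU=Messaging,CN=mail.adatum.com' `
    -DomainName 'mail.adatum.com','autodiscover.adatum.com','van-ex2.adatum.com' `
    -PrivateKeyExportable $true
Set-Content -Path 'C:\CertRequest.req' -Value $request

# Task 4 stays in the CA web enrollment pages (http://van-dc1/certsrv); save the
# issued certificate as C:\CertRequest.cer before continuing.

# Task 5: import the issued certificate and bind it to the IIS service
$imported = Import-ExchangeCertificate -FileData `
    ([Byte[]](Get-Content -Path 'C:\CertRequest.cer' -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $imported.Thumbprint -Services IIS

function Test-IisCertificate {
    # Reports whether the certificate bound to IIS is trusted, how long it remains
    # valid, and which of the required names it lacks
    param([string[]]$RequiredNames = @('mail.adatum.com', 'autodiscover.adatum.com'))
    $cert = @(Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' }) |
        Select-Object -First 1
    if (-not $cert) { throw 'No certificate is enabled for the IIS service.' }
    $names = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
    New-Object PSObject -Property @{
        Thumbprint   = $cert.Thumbprint
        Status       = $cert.Status
        SelfSigned   = $cert.IsSelfSigned
        DaysLeft     = [int]($cert.NotAfter - (Get-Date)).TotalDays
        MissingNames = @($RequiredNames | Where-Object { $names -notcontains $_ })
    }
}
Test-IisCertificate | Format-List
```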

Exercise 2: Configuring Outlook Anywhere


Scenario
A. Datum Corporation has several users who are frequently out of the office. These users all have laptop
computers, and they want to use Office Outlook to connect to their Exchange Server mailboxes while in
the office or out of the office. You need to configure the Client Access server to enable Outlook
Anywhere, and then configure a client to connect to the server using RPC over HTTPS. Finally, you need to
verify that the connection works.

The main tasks for this exercise are as follows:


1. Configure a DNS record for Mail.Adatum.com.
2. Configure Outlook Anywhere on VAN-EX2.
3. Configure the Outlook profile to use Outlook Anywhere.
4. Verify Outlook Anywhere connectivity.

Task 1: Configure a DNS record for Mail.Adatum.com


• On VAN-DC1, create a new host record for Mail.adatum.com using an IP address of 10.10.0.21.

Task 2: Configure Outlook Anywhere on VAN-EX2


1. On VAN-EX2, verify that the RPC over HTTP Proxy feature is installed.
2. In the Exchange Management Console, enable Outlook Anywhere for
VAN-EX2.
3. Configure an external host name of Mail.adatum.com, and choose NTLM authentication.
4. Restart VAN-EX2.

Task 3: Configure the Outlook profile to use Outlook Anywhere


1. On VAN-CL1, ensure that you are logged on as Adatum\Molly.
2. Modify the profile for Molly to connect to Microsoft Exchange using HTTP.
3. Configure the Exchange Proxy server settings as follows:
• Use this URL (https://): mail.adatum.com
• Connect using SSL only: enable (default)
• On fast networks, connect using HTTP first, then connect using TCP/IP: enable
• On slow networks, connect using HTTP first, then connect using TCP/IP: enable (default)
• Proxy authentication setting: NTLM Authentication (default)
4. Close Outlook.

Task 4: Verify Outlook Anywhere connectivity


1. On VAN-CL1, open Outlook and verify that you are connected to the Exchange server.
2. Press and hold CTRL, and then right-click the Office Outlook icon in the Windows 7 notification area.
Confirm that the Conn column lists HTTPS as the connection method. You may need to click the up
arrow in the Windows 7 notification area to view the Office Outlook icon.
3. Use the E-mail AutoConfiguration tool to review the settings Autodiscover provided to the client.
4. Log off VAN-CL1.

Results: After this exercise, you should have enabled Outlook Anywhere on VAN-EX2, and configured
a client profile to use Outlook Anywhere. You also verified the Outlook Anywhere functionality.
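Task 2 of this exercise from the Exchange Management Shell on VAN-EX2, followed by a check that the external host name you configured is carried by the certificate bound to IIS, since a name mismatch is the certificate problem the troubleshooting topic describes. This is an added example, not part of the course; the cmdlets and parameters are Exchange Server 2010's, and the function name is an assumption.

```powershell
# Added example; not part of the course. Task 2 of this exercise from the Exchange
# Management Shell on VAN-EX2, followed by a check that the external host name is
# covered by the certificate bound to IIS. Cmdlets are Exchange Server 2010's; the
# function name is an assumption.

Enable-OutlookAnywhere -Server 'VAN-EX2' -ExternalHostname 'mail.adatum.com' `
    -DefaultAuthenticationMethod 'NTLM' -SSLOffloading $false

function Test-OutlookAnywhereHostName {
    # Outlook rejects an /rpc endpoint whose certificate does not carry the external
    # host name, so that name must appear among the IIS certificate's domains
    param([string]$Server = 'VAN-EX2')
    $oa = Get-OutlookAnywhere -Server $Server
    $external = $oa.ExternalHostname.ToString()
    # Names on the certificate enabled for IIS on the local server
    $names = @(Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
        ForEach-Object { $_.CertificateDomains } | ForEach-Object { $_.ToString() })
    # -like accepts a wildcard entry such as *.adatum.com; a plain name must match exactly
    $covered = [bool]($names | Where-Object { $external -like $_ })
    New-Object PSObject -Property @{
        ExternalHostname      = $external
        AuthenticationMethods = $oa.IISAuthenticationMethods
        SSLOffloading         = $oa.SSLOffloading
        CertificateNames      = $names
        NameCovered           = $covered
    }
}
Test-OutlookAnywhereHostName | Format-List
```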

To prepare for the next lab


• Do not shut down the virtual machines and revert them back to their initial state when you finish this
lab. The virtual machines are required to complete the last lab in this module.

Lesson 3
Configuring Outlook Web App

Exchange Server 2010 uses Outlook Web App to provide access to user mailboxes through a Web
browser. Many organizations provide users with access to Outlook Web App from the Internet. Some
organizations also use Outlook Web App internally. In both scenarios, deploying Outlook Web App is
quite easy because only a Web browser is required as a client. This lesson describes how to configure
Outlook Web App for Exchange Server 2010.
After completing this lesson, you will be able to:
• Describe Outlook Web App features.
• Identify Outlook Web App configuration options.
• Describe the file and data access options in Outlook Web App.
• Configure Outlook Web App.
• Configure Outlook Web App policies.
• Configure user options using the ECP.

What Is Outlook Web App?

Key Points
Outlook Web App allows users to access their mailboxes through a Web browser. The feature set in
Outlook Web App closely mimics features available in Outlook 2010, and may provide features that are
not available in previous Outlook versions. In some cases, it may be possible to use Outlook Web App in
place of Outlook 2010.

Outlook Web App has been redesigned in Exchange Server 2010 to include features such as chat, text
messaging, mobile phone integration, and enhanced conversation view. In Exchange Server 2010, these
features are accessible from an expanded set of Web browsers, including Microsoft Internet Explorer 6.0
or later, Firefox, Safari, and Google's Chrome.

Benefits of Outlook Web App


Outlook Web App provides many important benefits for an organization. These include:
• All communication between the Outlook Web App client and the Client Access server is sent using
HTTP. You can easily secure this information using SSL. This also means that it is easy to configure
firewalls or reverse proxies to enable Internet access to Outlook Web App, as only a single port is
required.
• Outlook Web App does not require that you deploy or configure a messaging client; all client
computers, including computers that run Linux or Macintosh, have a Web browser available. This
means that users can access their mailbox from any client that can access the Client Access server’s
URL.
• Outlook Web App in Exchange Server 2010 also provides access to some features that are only
available through Outlook Web App or Outlook 2010. For example, features such as the archive
mailbox or conversation view can be accessed through Outlook Web App without deploying Outlook
2010.

Limitations of Outlook Web App


Outlook Web App cannot provide offline access to mailboxes. If the Exchange server hosting Outlook
Web App is offline, users cannot read or send messages. If offline access to files is required, you must
select another remote-access method to the Exchange server. Outlook 2007 using Outlook Anywhere,
POP3, and IMAP clients can cache messages to provide offline access.

Question: What is Outlook Web App for Exchange Server 2010?

Question: What are the benefits of Outlook Web App?

Question: When would you use Outlook Web App instead of Outlook or Windows Mail?

Configuration Options for Outlook Web App

Key Points
Although Outlook Web App is available automatically on Client Access servers, you must configure
Outlook Web App to support your users’ specific requirements.

Outlook Web App Configuration Tasks


When configuring Outlook Web App, you need to complete the following tasks:
• Install and configure a server certificate to enable SSL for all client connections.
• Configure the Outlook Web App virtual directory. When you install the Client Access server role, an
Outlook Web App virtual directory is configured in the default IIS Web site on the Client Access
server. In most cases, you might not need to modify the Outlook Web App virtual directory settings,
other than configuring the default Web site to use a CA certificate for SSL, and to set the
authentication options.
• Configure segmentation settings. You can enable or disable specific Outlook Web App features for
Exchange Server 2010 Outlook Web App users. Access the Outlook Web App virtual directory
properties in the Exchange Management Console to configure the segmentation settings.
• Modify the attachment handling settings. You can configure the attachment settings by configuring
the WebReady Document Viewing settings on the Outlook Web App virtual directory.
• Configure Gzip compression settings. Gzip enables data compression, which is optimal for slow
network connections.
• Configure Web beacon settings. A Web beacon is a file object—such as a transparent graphic or an
image—that is put on a Web site or in an e-mail message. Web beacons are typically used together
with HTML cookies to monitor user behavior on a Web site, or to validate a recipient's e-mail
address when an e-mail message containing a Web beacon is opened. Web beacons and HTML forms
also can contain harmful code, and can be used to circumvent e-mail filters. By default, Web beacons
and HTML forms are set to UserFilterChoice. This blocks all Web beacons and HTML forms, but lets
the user unblock them on individual messages. You can use the Exchange Management Shell to
change the type of filtering that is used for Web beacon and HTML form content in Outlook Web
App. If you change the setting to ForceFilter, this blocks all Web beacons and HTML forms. If you
change the setting to DisableFilter, this allows all Web beacons and HTML forms.

What Is File and Data Access for Outlook Web App?

Key Points
File and data access provide Outlook Web App users different levels of access to files that are attached to
messages or that are located in Microsoft Windows SharePoint® Services document libraries, and shared
folders on the internal network. When using the Windows SharePoint Services and Windows file shares
integration option, users can access documents from a link embedded in an e-mail message.

Configuring File and Data Access


You can configure the following settings when configuring file and data access for Outlook Web App
users:
• Enable WebReady Document Viewing or force WebReady Document Viewing. When you enable
WebReady Document Viewing, and a user attempts to open a file in the message window, the file is
converted to HTML, and then displayed in the Web browser. This enables users to view the files on
the local computer even if the native application for the file is not installed on the computer. If only
WebReady Document Viewing is enabled, users cannot save the document to the local hard disk or
view the document in its native application. By default, only a limited number of file types can be
viewed through WebReady Document Viewing.
• Direct file access. Direct file access lets users open files that are attached to
e-mail messages and files that are stored in Windows SharePoint Services document libraries and in
Windows file shares.
• Configure different settings for public or private computers. When users connect to Outlook Web
App, they can choose whether they are connecting from public or private computers. You can
configure different direct file access and WebReady Document Viewing settings for each option.
• Configure access to Windows SharePoint Services document libraries or Windows file shares. By
default, if you enable direct file access, users can access files on both Windows SharePoint Services
document libraries or Windows file shares. You can configure access to these features by using the
Set-OwaVirtualDirectory cmdlet. For example, to disable access to file shares from public
computers, use the Set-OwaVirtualDirectory -Identity "owa (default web site)"
-UNCAccessOnPublicComputersEnabled $false cmdlet.
• Restrict or enable access. You can configure how users interact with files by using the Allow, Block, or
Force Save options for direct file access and by configuring the file extensions for WebReady
Document Viewing. You can also configure which servers will be accessible through Outlook Web
App.
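Added example (not part of the course material): the Outlook Web App configuration tasks from the previous topic (Web beacon filtering, Gzip, attachment handling) and the file and data access settings from this topic, applied together from the Exchange Management Shell as an audit-then-fix script. The parameter names are those of Set-OwaVirtualDirectory in Exchange Server 2010; the server-prefixed identity, the Office file types added to the force-save list and the choice of the High Gzip level are assumptions made for illustration.

```powershell
# Added example, not course material: audit and harden the Outlook Web App
# virtual directory from the Exchange Management Shell. Assumes the Exchange 2010
# snap-in is loaded and the default "owa (Default Web Site)" directory exists on
# the local Client Access server.
$identity = "$env:COMPUTERNAME\owa (Default Web Site)"

# Desired state: block Web beacons and HTML forms outright (ForceFilter), keep
# Gzip on for slow links, and on public computers disable direct file access,
# SharePoint (WSS) and UNC share access so attachments can only be rendered
# through WebReady Document Viewing. Private computers keep their defaults.
$desired = @{
    FilterWebBeaconsAndHtmlForms                       = 'ForceFilter'
    GzipLevel                                          = 'High'
    DirectFileAccessOnPublicComputersEnabled           = $false
    WebReadyDocumentViewingOnPublicComputersEnabled    = $true
    ForceWebReadyDocumentViewingFirstOnPublicComputers = $true
    UNCAccessOnPublicComputersEnabled                  = $false
    WSSAccessOnPublicComputersEnabled                  = $false
}

# Compare current against desired and change only what differs, so the same
# script doubles as an audit report and is safe to re-run.
$current = Get-OwaVirtualDirectory -Identity $identity
$changes = @{}
foreach ($name in $desired.Keys) {
    if ("$($current.$name)" -ne "$($desired[$name])") {
        Write-Host ("{0}: {1} -> {2}" -f $name, $current.$name, $desired[$name])
        $changes[$name] = $desired[$name]
    }
}
if ($changes.Count -gt 0) { Set-OwaVirtualDirectory -Identity $identity @changes }

# ForceSaveFileTypes is a multivalued list. Add only the Office types that are
# missing instead of replacing the list, so the existing entries are kept.
$wanted  = '.doc', '.xls', '.docx', '.xlsx'
$missing = @($wanted | Where-Object { $current.ForceSaveFileTypes -notcontains $_ })
if ($missing.Count -gt 0) {
    Set-OwaVirtualDirectory -Identity $identity -ForceSaveFileTypes @{Add = $missing}
}

# Virtual directory changes are picked up after IIS recycles, as in the lab.
iisreset /noforce
```

Running the script a second time prints nothing and changes nothing, which is the behaviour you want from a configuration check that is scheduled or run after every Client Access server build.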

Demonstration: How to Configure Outlook Web App

Key Points
In this demonstration, you will see how to configure several different Outlook Web App aspects. As you
will see in this demonstration, you may need to use several different tools to configure Outlook Web App.

Demonstration Steps
1. On the Client Access server, ensure that the Outlook Web App virtual directory is configured to use
SSL, and is using the correct server certificate.
2. In the Exchange Management Console, on the owa (Default Web Site) Properties, configure the
external URL with the required authentication and segmentation settings.
3. In the Exchange Management Shell, use the Set-OwaVirtualDirectory 'owa (Default Web Site)'
-ForceSaveFileTypes .xls cmdlet to force attachments with an .xls extension to be saved to disk
before they can be opened.
4. Use the Set-OwaVirtualDirectory 'owa (Default Web Site)' -GzipLevel Off cmdlet to disable Gzip
compression for Outlook Web App.
5. Use the Set-OwaVirtualDirectory -Identity "owa (Default Web Site)"
-FilterWebBeaconsAndHtmlForms ForceFilter cmdlet to block all Web beacons.

Demonstration: How to Configure Outlook Web App Policies

Key Points
One of the new features in Exchange Server 2010 is the option to configure multiple Outlook Web App
policies for users. In previous Exchange Server versions, all users receive the same settings when they
connect to Outlook Web App. With Exchange Server 2010 Outlook Web App policies, you can configure
unique policies and assign them to users.

Demonstration Steps
1. In Exchange Management Console, in the Organization Configuration node, click Client Access.
2. Click New Outlook Web App Mailbox Policy. Provide a name for the policy, and configure the
policy settings.
3. After creating the policy, you can configure additional settings by accessing the policy properties.
4. Assign the policy to a user account by accessing the Outlook Web App properties on the Mailbox
Features tab.
5. Log on to Outlook Web App as the user, and test the policy application.

Demonstration: How to Configure User Options Using the ECP

Key Points
Another new feature in Exchange Server 2010 is the ECP. You can use the ECP to perform several different
administrative functions, but users also can use the ECP to modify their mailbox settings. In this
demonstration, you will see how you can configure the ECP virtual directory and view some of the
available ECP configuration options.

Demonstration Steps
1. On the Client Access server, in IIS Manager, review the settings for the ecp virtual directory.
2. In the Exchange Management Console, review the settings for the ecp (Default Web Site) virtual
directory on each Client Access server.
3. As a user, access the ECP by opening Internet Explorer, and accessing https://servername/ecp.
4. Log on to the ECP, and review the settings that can be modified by the user.

Lesson 4
Configuring Mobile Messaging

Exchange Server 2010 supports mobile devices as a messaging client. With Exchange Server 2010, you can
synchronize mailbox content and perform most of the same tasks with mobile devices as you can with
other messaging clients. Exchange Server 2010 also provides administrative options for managing mobile
devices. This lesson describes how to implement and manage mobile access for Exchange Server 2010.

After completing this lesson, you will be able to:


• Describe the purpose and functionality of Exchange ActiveSync.
• Configure Exchange ActiveSync.
• Identify security options for Exchange ActiveSync.
• Configure Exchange ActiveSync policies.
• Manage mobile devices.

What Is Exchange ActiveSync?

Key Points
Exchange ActiveSync provides mobile devices with access to Exchange Server 2010 mailboxes. The
Exchange ActiveSync communication process is optimized to function over high-latency and low-
bandwidth networks. By default, Exchange ActiveSync is available for all users after you install a Client
Access server.

Note: Exchange ActiveSync has been licensed to many different mobile device manufacturers that
produce devices that run Windows Mobile or another operating system. Exchange ActiveSync
features are dependent on the mobile device and the operating system version running on the
mobile device. You will need to verify which features are supported on your mobile device.

How Exchange ActiveSync Works


When users connect to the Client Access server with a mobile device, the following process occurs:
1. The Exchange ActiveSync client connects using HTTPS, to the Microsoft Server ActiveSync virtual
directory on the Client Access server. The Client Access server authenticates the client.
2. If the user’s mailbox is on a Mailbox server in the same site as the Client Access server, then the Client
Access server connects to the user’s Mailbox server using an RPC connection. If the Mailbox server is
in a different site, then the Client Access server proxies the client request to a Client Access server in
the appropriate site.
3. If the mobile client is running the Messaging and Security Feature Pack for Microsoft Windows
Mobile 5.0 or later, or is a non-Windows Mobile device that is Direct Push-capable, Exchange
ActiveSync can use Direct Push technology to ensure that messages are delivered to the mobile client
when they connect to the Exchange server. With Direct Push technology, the mobile device maintains
a constant HTTPS connection to the Client Access server, resulting in instant message retrieval and
real-time access to e-mail.

Demonstration: How to Configure Exchange ActiveSync

Key Points
In this demonstration, you will see how to configure the Exchange ActiveSync settings on a Client Access
server and how to configure a Windows Mobile device to use ActiveSync to synchronize with the
Exchange server.

Demonstration Steps
1. On the Client Access server, in IIS Manager, clear the option to require SSL for the Exchange
ActiveSync virtual directory.

Caution: In a production environment, you should require SSL for the Exchange ActiveSync virtual
directory. You are disabling SSL only because the mobile emulator does not trust the server
certificate.

2. In Exchange Management Console, configure authentication and remote file server settings on the
Microsoft-Server-ActiveSync virtual directory.
3. On the mobile device emulator, configure the network settings so that the emulator can
communicate with the Client Access server.
4. In mobile device emulator, start ActiveSync, and then configure the emulator to connect to the
Client Access server using an account that is enabled for Exchange ActiveSync.
5. Synchronize the device.
6. Test ActiveSync by sending a message from another user to the user logged on to the mobile device.
Verify that the message arrives, and respond to the message.

Options for Securing Exchange ActiveSync

Mobile clients, such as Exchange ActiveSync clients, are difficult to secure. Because the devices are small
and portable, they are susceptible to being lost or stolen. At the same time, they may contain highly
confidential information. The storage cards that fit into mobile device expansion slots can store
increasingly large amounts of data. While this data-storage capacity is important to the mobile-device
user, it also heightens the concern about data falling into the wrong hands.

Mobile clients also are difficult to manage using centralized policies because the devices might rarely, or
never, connect to the internal network. The devices also do not require Active Directory accounts, so you
cannot use Group Policy Objects (GPOs) to manage the client settings.

Note: System Center Mobile Device Manager 2008 is a System Center product available from
Microsoft. If you deploy this product, Windows Mobile 6.1 devices can be listed in Active Directory,
and managed through Active Directory and Mobile Device Manager policies.

Implementing Exchange ActiveSync Policies


Exchange ActiveSync policies provide one option for securing mobile devices. When you apply the policy
to a user, the mobile device automatically downloads the policy the next time the device connects to the
Client Access server.

To ensure that mobile devices are as secure as possible, you should configure Exchange ActiveSync
policies that require device passwords, and encrypt the data stored on the mobile device.

Managing Mobile Devices


You can manage mobile devices using either the Exchange Management Console or the Exchange
Management Shell. With these tools, you can perform the following tasks:
• View a list of all mobile devices that any enterprise user is using.
• Send or cancel remote wipe commands to mobile devices.

• View the status of pending remote-wipe requests for each mobile device.
• View a transaction log that indicates which administrators have issued remote-wipe commands, and
the mobile devices to which those commands pertain.
• Delete an old or unused partnership between devices and users.

Note: The option to manage a mobile device for a user mailbox in the Exchange Management
Console is available only after the user has synchronized with the Exchange Server from a mobile
device. You also can manage mobile devices in the Exchange Management Shell by using the
Remove-ActiveSyncDevice and the Clear-ActiveSyncDevice cmdlets.

Configuring Self-Service Mobile Device Management


Users also can manage their own mobile devices by accessing the ECP. One of the options available is the
Phone tab. From this tab, users can wipe a device that they have configured, and can delete partnerships
for devices that they no longer use.

Self-service management is enabled by default for all users who are assigned to a
Microsoft Exchange ActiveSync mailbox policy.

Enabling SSL for the Mobile Device Connections


To ensure that the communication between the mobile device and the Client Access server is secure, you
should ensure that the Microsoft Server ActiveSync virtual directory is configured to require SSL.
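Added example (not part of the course material): a check that the Exchange ActiveSync virtual directory, and the other client-access directories that carry credentials, still require SSL, with an option to re-enable the requirement where it is missing (the lab turns it off temporarily for the emulator). It uses the WebAdministration module that ships with IIS 7.5 on Windows Server 2008 R2 and must run in an elevated session on the Client Access server; the list of directory names is an assumption based on the default Exchange 2010 installation.

```powershell
# Added example, not course material: report and enforce "Require SSL" on the
# client-access virtual directories under the Default Web Site.
Import-Module WebAdministration

# Directories Exchange 2010 creates by default; all of them carry credentials.
$vdirs = 'Microsoft-Server-ActiveSync', 'owa', 'ecp', 'EWS', 'Autodiscover'
$site  = 'IIS:\Sites\Default Web Site'

function Get-SslRequirement {
    param([string]$VirtualDirectory)
    # sslFlags reads back as a comma-separated string; the IIS Manager
    # "Require SSL" check box corresponds to the Ssl flag being present.
    $access = Get-WebConfiguration -Filter 'system.webServer/security/access' `
                  -PSPath "$site\$VirtualDirectory"
    $flags  = [string]$access.sslFlags
    New-Object PSObject -Property @{
        VirtualDirectory = $VirtualDirectory
        SslFlags         = $flags
        RequiresSsl      = (($flags -split '\s*,\s*') -contains 'Ssl')
    }
}

$report = $vdirs | ForEach-Object { Get-SslRequirement -VirtualDirectory $_ }
$report | Format-Table VirtualDirectory, RequiresSsl, SslFlags -AutoSize

# Re-enable the requirement wherever it is missing (undoes Lab B, Task 1).
$report | Where-Object { -not $_.RequiresSsl } | ForEach-Object {
    Set-WebConfigurationProperty -PSPath "$site\$($_.VirtualDirectory)" `
        -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
    Write-Host "Enabled Require SSL on $($_.VirtualDirectory)"
}
```

Because Exchange ActiveSync uses Basic authentication by default, a directory that accepts plain HTTP exposes the user's domain password on the wire; the report makes that condition visible on every Client Access server rather than only on the one where the setting was changed.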

Installing CA Root Certificates on Mobile Devices


Just like desktop computers, mobile devices are configured to trust the root certificates for most public
CAs. However, if you choose to use an internal CA to provide certificates for your Client Access servers,
you must configure the mobile devices to trust the root CAs by installing the root certificates on the
device.
To install a CA certificate on a Windows Mobile phone, you might need to copy the root certificate
directly to the mobile device, and then install the certificate. You can use an ActiveSync connection
between the device and a desktop or portable computer to copy the certificate file to the device, or
transfer the file using a storage card. If you do not enable SSL for the Exchange ActiveSync connection,
you also can e-mail a root certificate to the device. After copying the certificate to the device, you can
install the certificate manually by double-clicking the .cer file. If you use Windows Mobile 2003 or older
devices, you can use a tool such as SmartPhoneAddcert.exe to install the certificate.
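Added example (not part of the course material): exporting the internal root CA certificate to the .cer file that the text says you copy or e-mail to the device, and confirming beforehand that the certificate bound to IIS on the Client Access server actually chains to that root. The CA name "Adatum" and the export path are assumptions taken from the lab environment; Export-Certificate is not available in PowerShell 2.0 on Windows Server 2008 R2, so the .NET export method is used instead.

```powershell
# Added example, not course material: export the internal root CA certificate
# for installation on a mobile device and verify the IIS certificate chains to it.
# Assumes the Exchange 2010 snap-in is loaded on the Client Access server.
$rootCaName = 'Adatum'                      # assumed substring of the root CA subject
$exportPath = 'C:\Temp\AdatumRootCA.cer'    # assumed export location

# The machine Root store holds the roots this server trusts; pick the internal CA.
$root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "*$rootCaName*" } |
        Select-Object -First 1
if (-not $root) { throw "No root certificate matching '$rootCaName' in the Root store" }

# DER-encoded .cer, the format Windows Mobile installs when the file is opened.
$contentType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
[System.IO.File]::WriteAllBytes($exportPath, $root.Export($contentType))
Write-Host "Exported $($root.Subject) (thumbprint $($root.Thumbprint)) to $exportPath"

# The certificate clients see over SSL is the one with the IIS service enabled.
$iisCert = Get-ExchangeCertificate |
           Where-Object { "$($_.Services)" -match 'IIS' } |
           Select-Object -First 1
if (-not $iisCert) { throw 'No certificate is enabled for the IIS service' }
$leaf = Get-Item "Cert:\LocalMachine\My\$($iisCert.Thumbprint)"

# Build the chain without revocation checking: a mobile device on the Internet
# cannot reach an internal CRL, so trust must come from the installed root alone.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($leaf)
$chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

if ($built -and $chainRoot.Thumbprint -eq $root.Thumbprint) {
    Write-Host "IIS certificate '$($leaf.Subject)' chains to the exported root."
} else {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    Write-Warning "IIS certificate does not chain to $($root.Subject): $status"
}
```

If the IIS certificate was issued by a subordinate CA, the device needs the whole chain, which is why the lab downloads the CA certificate chain from the certsrv page rather than a single root certificate.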

Demonstration: How to Configure Exchange ActiveSync Policies

Key Points
One of the features in Exchange Server 2010 is that you can manage mobile users and devices with
Exchange ActiveSync mailbox policies. When you create a policy, you can configure the following options:
• Allow or block nonprovisionable devices. This option permits you to specify whether devices that do
not fully support the device security settings can synchronize with the Exchange Server computer.
• Enable, disable, or limit attachment downloads. This option allows you to enable or disable
attachment downloads, and configure a maximum attachment download size.
• Configure devices to require passwords. If you choose to require passwords, you also can configure
the following attributes:
• Minimum password length.
• A requirement for alphanumeric passwords.
• Inactivity time before the password is required.
• The option to enable password recovery.
• A requirement for device encryption.
• Number of failed attempts allowed. This option specifies whether you want the device memory
wiped after a specific number of failed logon attempts.
• Options for disabling removable storage, cameras, Wi-Fi, or Bluetooth.
• Options for configuring synchronization settings such as message size limits.
• Options for enabling additional mobile device applications such as Web browsers, unsigned
applications, or for defining allowed and blocked applications.

Note: Some of these features were implemented with Windows Mobile 5.0 devices. Some features,
such as encryption on the local device, and Windows SharePoint Services and Windows File Shares
integration, are available only with Windows Mobile 6 or later. Some settings also require an
Enterprise Client Access License for each mailbox.

In this demonstration, you will see how to configure Exchange ActiveSync policies.

Demonstration Steps
1. In the Exchange Management Console, access the Organization Configuration node, and then click
Client Access.
2. Create New Exchange ActiveSync Mailbox Policy, and then configure the available settings.
3. After creating the policy, access the policy properties and configure the additional settings.
4. Access a user mailbox’s properties. On the Mailbox Features tab, click Exchange ActiveSync, and
then click Properties. Assign the appropriate Exchange ActiveSync policy.
5. Confirm that the policy is being applied to the user.

Demonstration: How to Manage Mobile Devices

Key Points
In this demonstration, you will view the options that a user has for managing their mobile devices, using
ECP. You will then see how an administrator can also manage the user's mobile device.

Demonstration Steps
1. As a user, connect to the ECP site on a Client Access server.

2. Log on and access the Phone tab on the user Properties page.

3. As an Exchange administrator, access the user in the Exchange Management Console Mailbox
container, and then click OK.

4. In the Actions pane, click Manage Mobile Device.

5. On the Manage Mobile Device page, view the options available to manage the mobile device,
including wiping the device.

Lab B: Configuring Client Access Servers for Outlook Web App and Exchange ActiveSync

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, 10135A-VAN-EX2, and the 10135A-VAN-CL1
virtual machines are running:
• 10135A-VAN-DC1: Domain controller in the Adatum.com domain.
• 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain.
• 10135A-VAN-EX2: Exchange 2010 server in the Adatum.com domain.
• 10135A-VAN-CL1: Client computer in the Adatum.com domain.
3. If required, connect to the virtual machines.

Lab Scenario
To enable client access to the server, your organization has decided to enable both Outlook Web App and
Exchange ActiveSync for its users. However, the security officer at A. Datum Corporation has defined
security requirements for the Outlook Web App and Exchange ActiveSync deployment. Therefore, you
need to enable the security features for both Outlook Web App and Exchange ActiveSync.

Exercise 1: Configuring Outlook Web App


Scenario
A. Datum Corporation has several users who work regularly from outside the office. These users should be
able to check their e-mail from any client computer, including client computers located in public areas. To
provide this functionality, you must configure the server settings for Outlook Web App, and configure
Outlook Web App policies. You also need to verify that the settings have been successfully applied.

The main tasks for this exercise are as follows:


1. Configure IIS to use the Internal CA certificate.
2. Configure Outlook Web App settings for all users.
3. Configure an Outlook Web App Mailbox Policy for the Branch Managers.
4. Verify the Outlook Web App configuration.

Task 1: Configure IIS to use the Internal CA certificate

1. On VAN-EX2, in Internet Information Services (IIS) Manager, verify that the owa virtual directory
under the Default Web Site is configured to require SSL.
2. Verify that the Default Web Site is configured to use the Adatum Mail Certificate.

Task 2: Configure Outlook Web App settings for all users


1. On VAN-EX2, in Exchange Management Console, verify that the owa virtual directory is configured to
use forms-based authentication. Modify the forms-based authentication to use the user name only
and to use the Adatum.com domain automatically.
2. Disable the Tasks and Rules display for all users.
3. Use the Set-OwaVirtualDirectory 'owa (Default Web Site)' -ForceSaveFileTypes .doc cmdlet to
force all users to save Word documents before opening them.
4. Use the Set-OwaVirtualDirectory 'owa (Default Web Site)' -GzipLevel Off cmdlet to disable Gzip
compression.
5. Use the Set-OwaVirtualDirectory -Identity "owa (Default Web Site)"
-FilterWebBeaconsAndHtmlForms ForceFilter cmdlet to block all Web beacons and HTML forms.
6. Use the IISReset /noforce command to restart IIS.

Task 3: Configure an Outlook Web App Mailbox Policy for the branch managers
1. Create a new Outlook Web App Mailbox policy, and configure the policy with the name Branch
Managers Policy.
2. Configure the policy to prevent branch managers from changing their password.
3. Apply the policy to all users in the Branch Managers organizational unit (OU).
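Added example (not part of the course material): the same Branch Managers policy that this task and the earlier policy demonstration create in the Exchange Management Console, built from the Exchange Management Shell so it can be repeated on another server. The OU path "Adatum.com/Branch Managers" is an assumption about the lab forest; the cmdlets and parameters are those of Exchange Server 2010.

```powershell
# Added example, not course material: create an Outlook Web App mailbox policy
# and assign it to every mailbox in an OU. Assumes the Exchange 2010 snap-in.
$policyName = 'Branch Managers Policy'
$ou         = 'Adatum.com/Branch Managers'   # assumed OU path; adjust to your forest

# Create the policy only if it does not already exist, so the script is re-runnable.
if (-not (Get-OwaMailboxPolicy | Where-Object { $_.Name -eq $policyName })) {
    New-OwaMailboxPolicy -Name $policyName | Out-Null
}

# Segmentation on a policy overrides the virtual directory settings for the
# users it is assigned to: branch managers keep Tasks (disabled for everyone
# else in Task 2) but cannot change their password from Outlook Web App.
Set-OwaMailboxPolicy -Identity $policyName -ChangePasswordEnabled $false -TasksEnabled $true

# Assign the policy to every mailbox in the OU.
Get-Mailbox -OrganizationalUnit $ou -ResultSize Unlimited |
    Set-CASMailbox -OwaMailboxPolicy $policyName

# Report which policy each mailbox in the OU now uses, for verification (Task 4).
Get-Mailbox -OrganizationalUnit $ou -ResultSize Unlimited |
    Get-CASMailbox |
    Format-Table Name, OWAEnabled, OwaMailboxPolicy -AutoSize
```

Mailboxes created in the OU later do not pick the policy up automatically; schedule the assignment step or include it in the mailbox provisioning process.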

Task 4: Verify the Outlook Web App configuration


1. On VAN-EX1, connect to https://mail.Adatum.com/owa.
2. Log on to Outlook Web App as Adatum\Sharon using the password Pa$$w0rd. Sharon is not in the
Branch Managers’ OU.
3. Verify that the Tasks folder is not displayed in the user mailbox, and that Sharon cannot configure a
new Inbox rule in the ECP.

4. Connect to OWA again, and log on as Adatum\Johnson using the password Pa$$w0rd. Johnson is
in the Branch Managers’ OU.
5. Verify that the Tasks folder is listed in the user mailbox, but that Johnson is not able to change his
password.

Results: After this exercise, you should have configured Outlook Web App on VAN-EX2. This
configuration includes assigning the internal CA certificate to the Default Web Site, and configuring
Outlook Web App settings for all users, as well as for specific users. You also should have verified the
Outlook Web App settings.

Exercise 2: Configuring Exchange ActiveSync


Scenario
A. Datum Corporation has several users who use Windows Mobile devices to access their mail. You need
to ensure that these users can access their mailboxes using Exchange ActiveSync. To ensure that the client
connection is secure, you must configure an Exchange ActiveSync policy, and apply it to a user account.
You will also install a root certificate on the mobile device, and configure SSL security. Lastly, you need to
manage the mobile device as both an administrator and a user using ECP.

The main tasks for this exercise are as follows:


1. Disable SSL for Exchange ActiveSync.
2. Verify the Exchange ActiveSync virtual directory configuration.
3. Connect to the server using Exchange ActiveSync.
4. Create a new Exchange ActiveSync mailbox policy.
5. Validate the Exchange ActiveSync mailbox policy.
6. Install a root CA on the mobile device.
7. Wipe the mobile device.

Task 1: Disable SSL for Exchange ActiveSync


• On VAN-EX2, in Internet Information Services (IIS) Manager, configure the Microsoft-Server-
ActiveSync virtual directory so that it does not require SSL. You are configuring this setting just for
the initial testing.

Task 2: Verify the Exchange ActiveSync virtual directory configuration


• On VAN-EX2, in Exchange Management Console, review the configuration for the Microsoft Server
ActiveSync virtual directory on VAN-EX2.

Task 3: Connect to the server using Exchange ActiveSync


1. On VAN-CL1, log on as Adatum\Administrator. Start the Windows Mobile 6.1.4 Professional
emulator.

2. On the emulator properties, enable the NE2000 PCMCIA network adapter, and configure it to bind to
the connected network card.

3. In Windows Mobile 6 Professional, click Start, and then click Settings.

4. On the Connections tab, configure the network adapter settings to connect to the Internet using the
NE2000 Compatible Ethernet Driver.

5. Configure the network adapter to use the following settings:


• IP address: 10.10.0.51
• Subnet mask: 255.255.0.0
• Default gateway: 10.10.0.1
• DNS server: 10.10.0.10

6. In Windows Mobile 6 Professional, start ActiveSync, and start the process for setting up the device to
sync with Exchange Server.

7. Use the following information to configure the client:
• E-mail address: ScottMacdonald@adatum.com
• User name: Scott
• Password: Pa$$w0rd
• Domain: Adatum
• Server address: VAN-EX2.adatum.com
• SSL: Disabled
• Synchronize all Calendar and E-mail items

8. Verify that the synchronization succeeds.

9. On VAN-CL1, connect to https://mail.adatum.com/owa, and log on as adatum\Wei using the
password Pa$$w0rd.

10. Send a test message to Scott.

11. On the mobile device, verify that Scott received the message, and reply to it.

12. In Outlook Web App, verify that the reply message was received.

Task 4: Create a new Exchange ActiveSync mailbox policy


1. On VAN-EX2, in Exchange Management Console, create a new Exchange ActiveSync Mailbox policy
with the following configuration:
• Name: EAS Policy 1
• Enable non-provisionable devices
• Enable attachments to be downloaded to the device
• Require passwords
• Enable password recovery

2. Review the other Exchange ActiveSync Mailbox policy settings.

3. Apply the Exchange ActiveSync Mailbox policy to Scott MacDonald.
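Added example (not part of the course material): the "EAS Policy 1" policy from this task created in the Exchange Management Shell, alongside a stricter policy that uses the remaining options listed under "How to Configure Exchange ActiveSync Policies" (device encryption, alphanumeric PIN, auto-lock, wipe after failed attempts, no storage card). The "EAS Executives" policy name and the "Executives" distribution group are assumptions taken from the module review question about executives needing higher security; the parameter names are those of Set-ActiveSyncMailboxPolicy in Exchange Server 2010.

```powershell
# Added example, not course material: create two Exchange ActiveSync mailbox
# policies, assign them, and verify. Assumes the Exchange 2010 snap-in is loaded.
function New-EasPolicyIfMissing {
    param([string]$Name, [hashtable]$Settings)
    # Create on first run, then always apply the settings so the policy can be
    # corrected by re-running the script with changed values.
    if (-not (Get-ActiveSyncMailboxPolicy | Where-Object { $_.Name -eq $Name })) {
        New-ActiveSyncMailboxPolicy -Name $Name | Out-Null
    }
    Set-ActiveSyncMailboxPolicy -Identity $Name @Settings
}

# Lab B, Task 4: the baseline policy; lenient, but a device password is required.
New-EasPolicyIfMissing -Name 'EAS Policy 1' -Settings @{
    AllowNonProvisionableDevices = $true
    AttachmentsEnabled           = $true
    DevicePasswordEnabled        = $true
    PasswordRecoveryEnabled      = $true
}

# Assumed stricter policy: only devices that enforce the policy may sync, data
# on the device is encrypted, a strong PIN with auto-lock is required, the
# device wipes itself after repeated failures, and removable storage is off.
New-EasPolicyIfMissing -Name 'EAS Executives' -Settings @{
    AllowNonProvisionableDevices       = $false
    DevicePasswordEnabled              = $true
    AlphanumericDevicePasswordRequired = $true
    MinDevicePasswordLength            = 8
    MaxInactivityTimeDeviceLock        = '00:05:00'
    MaxDevicePasswordFailedAttempts    = 8
    RequireDeviceEncryption            = $true
    PasswordRecoveryEnabled            = $true
    AttachmentsEnabled                 = $true
    MaxAttachmentSize                  = '2MB'
    AllowStorageCard                   = $false
}

# Assign: Scott gets the lab policy; members of the (assumed) Executives group
# get the strict one. Devices download the new policy on their next sync.
Set-CASMailbox -Identity 'Scott' -ActiveSyncMailboxPolicy 'EAS Policy 1'
Get-DistributionGroupMember -Identity 'Executives' |
    Where-Object { $_.RecipientType -like '*Mailbox*' } |
    Set-CASMailbox -ActiveSyncMailboxPolicy 'EAS Executives'

# Verify which policy every ActiveSync-enabled mailbox will receive.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled } |
    Format-Table Name, ActiveSyncMailboxPolicy -AutoSize
```

Setting AllowNonProvisionableDevices to $false is what gives the other settings teeth: with it set to $true, a device that does not implement policy enforcement can still synchronize, and nothing above applies to it.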

Task 5: Validate the Exchange ActiveSync mailbox policy


1. On VAN-CL1, synchronize the mobile client.

2. Verify that the new policy is applied, and provide a password of 12345.

Task 6: Install a root CA on the mobile device


1. On VAN-CL1, open Internet Explorer, and connect to http://van-dc1/certsrv.
2. Download the CA certificate chain from the CA, and save the file.
3. Open Outlook Web App, and send a message to Scott. Attach the certificate file to the message.
4. In Windows Mobile device, synchronize the mailbox.
5. Open the message with the certificate and double-click the file. Accept the certificate installation.
6. On VAN-EX2, in Internet Information Services (IIS) Manager, configure the Microsoft-Server-
ActiveSync virtual directory to require SSL.

7. On VAN-CL1, in the Windows Professional emulator, modify the ActiveSync settings to use SSL.
8. Verify that the client can synchronize successfully.

Task 7: Wipe the mobile device


1. On VAN-CL1, open Internet Explorer, and connect to https://van-ex1.adatum.com/ecp.
2. Log on as Adatum\Scott, and verify that you can manage the mobile device.
3. On VAN-EX2, in the Exchange Management Console, perform a remote wipe of Scott's device.
4. On VAN-CL1, verify that the mobile device restarts the next time it synchronizes.
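Added example (not part of the course material): the administrator side of this task and of the "Managing Mobile Devices" topic in Lesson 4 done from the Exchange Management Shell: list a user's device partnerships, remove partnerships that have gone stale, and issue a remote wipe with the request/sent/acknowledged timestamps that the console shows under pending wipe requests. The mailbox name, the 90-day staleness threshold and the notification address are assumptions based on the lab; the cmdlets are those of Exchange Server 2010.

```powershell
# Added example, not course material: inspect, clean up, and wipe a user's
# Exchange ActiveSync device partnerships. Assumes the Exchange 2010 snap-in.
$mailbox   = 'Scott'                       # lab user
$staleDays = 90                            # assumed cleanup threshold
$notify    = 'Administrator@adatum.com'    # assumed address for wipe notifications

# One entry per device partnership, including any wipe timestamps.
$devices = @(Get-ActiveSyncDeviceStatistics -Mailbox $mailbox)
$devices | Format-Table DeviceType, DeviceID, LastSuccessSync,
    DeviceWipeRequestTime, DeviceWipeAckTime -AutoSize

# Partnerships that have not synced recently still carry the policy and count
# toward the user's device limit; remove them so only live devices remain.
$cutoff = (Get-Date).AddDays(-$staleDays)
$devices | Where-Object { $_.LastSuccessSync -and $_.LastSuccessSync -lt $cutoff } |
    ForEach-Object {
        Write-Host "Removing stale partnership $($_.DeviceID) (last sync $($_.LastSuccessSync))"
        Remove-ActiveSyncDevice -Identity $_.Identity -Confirm:$false
    }

function Invoke-DeviceWipe {
    param([string]$DeviceId)
    # Wipe one named device rather than every partnership on the mailbox.
    $device = Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
              Where-Object { $_.DeviceID -eq $DeviceId }
    if (-not $device) { throw "No partnership with device ID $DeviceId for $mailbox" }
    Clear-ActiveSyncDevice -Identity $device.Identity `
        -NotificationEmailAddresses $notify -Confirm:$false
    # The command is delivered on the device's next sync, so the sent and
    # acknowledged times stay empty until then; re-run this query to track it.
    Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
        Where-Object { $_.DeviceID -eq $DeviceId } |
        Select-Object DeviceID, DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime
}

# Lab B, Task 7: wipe the device Scott partnered with (the only one in the lab).
if ($devices.Count -gt 0) { Invoke-DeviceWipe -DeviceId $devices[0].DeviceID }
```

A wipe request that never reaches the acknowledged state means the device has not connected since the request; treat the data on it as still exposed until either the acknowledgement arrives or the partnership is removed and the account password changed.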

Results: After this exercise, you should have configured the Exchange server environment to support
Exchange ActiveSync. You first verified that Exchange ActiveSync worked, and then enhanced the
security configuration by creating a more secure Exchange ActiveSync Mailbox policy, and by
enabling SSL for all Exchange ActiveSync connections.

To prepare for the next module


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the
following steps:
1. On the host computer, start Microsoft Hyper-V™ Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start.
5. To connect to the virtual machine for the next module’s lab, click 10135A-VAN-DC1, and then in the
Actions pane, click Connect.

Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting
the other virtual machines.

6. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.
7. Wait for VAN-EX1 to start, and then start VAN-EX2. Connect to the virtual machine.

Module Review and Takeaways

Review Questions
1. You need to ensure that users from the Internet can connect to a Client Access server by using
Outlook Anywhere. How will you configure the firewall between the Internet and the Client Access
server?
2. You need to ensure that the same Exchange ActiveSync policies are assigned to all users, with the
exception of the Executives group. This group requires higher security settings. What should you do?
3. You have deployed an Exchange Server 2010 server in an organization that includes several Exchange
Server 2003 servers. How will Exchange Server 2010 obtain free/busy information for user mailboxes
on the Exchange Server 2003 servers?

Common Issues Related to Client Connectivity to the Client Access Server


Identify the causes for the following common issues related to client connectivity to the Client Access
server, and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module.

Issue: Users using Web browsers other than Internet Explorer may have trouble authenticating.
Troubleshooting tip: Although Exchange Server 2010 supports most Web browsers, your Web browser may
not support forms-based authentication or Windows Integrated Authentication. As a last resort, you can
use Basic Authentication with SSL.

Issue: Clients receive certificate-related errors when they connect to the Client Access server.
Troubleshooting tip: Ensure that the certificate configured on the Client Access server is trusted by all
clients. The best way to do this is to obtain a certificate from a trusted Public CA.

Issue: Users from the Internet are not able to connect to the Client Access server.
Troubleshooting tip: Use a tool such as Microsoft Exchange Server Remote Connectivity Analyzer to
identify the issue. Many components must be functioning to enable connectivity. The Remote
Connectivity Analyzer tool will check information such as DNS records, authentication, certificate issues,
and Autodiscover.

Real-World Issues and Scenarios


1. Your organization has two locations with an Internet connection in each location. You need to ensure
that when users access their e-mail using Outlook Web App from the Internet, they will always
connect to the Client Access server in their home office.

2. You are planning on enabling Outlook Web App, Outlook Anywhere, and Exchange ActiveSync access
to your Client Access server. You want to ensure that all client connections are secure by using SSL,
and that none of the clients receives errors when they connect to the Client Access server. You plan
on requesting a certificate from a Public CA. What should you include in the certificate request?

3. You have deployed two Client Access servers in the same Active Directory site. When one of the Client
Access servers shuts down, users can no longer access their e-mail. What should you do?

Best Practices Related to Planning the Client Access Server Deployment


Supplement or modify the following best practices for your own work situations.
When designing the Client Access server configuration, consider the following recommendations:
• The recommended processor configuration for Client Access servers is eight processor cores, and the
maximum recommended number of processor cores is 12. You should deploy at least two processor
cores for Client Access servers—even in small organizations—because of the addition of the RPC
Client Access service on the Client Access server.
• As a general guideline, you should deploy three Client Access server processor cores in an Active
Directory site for every four Mailbox server processor cores.
• The recommended memory configuration for Client Access server is 2 gigabytes (GB) per processor
core, with a maximum of 8 GB.
• Deploying Client Access servers on a perimeter network is not a supported scenario. The Client Access
server must be deployed on the internal network. The Client Access server role must be installed on a
member server, and it must have access to a domain controller and global catalog server, as well as
the Mailbox servers inside the organization.

Tools

Tool: Microsoft Exchange Server Remote Connectivity Analyzer
Use for: Troubleshooting Internet connectivity for messaging clients.
Where to find it: http://go.microsoft.com/fwlink/?LinkId=179969

Tool: Test E-Mail AutoConfiguration
Use for: Troubleshooting Outlook connectivity to the Client Access server.
Where to find it: Open Outlook, press and hold CTRL, right-click the Outlook connection object, and
then click Test E-Mail AutoConfiguration.

Tool: Internet Information Services (IIS) Manager
Use for: Configuring SSL settings for Client Access server virtual directories.
Where to find it: Administrative Tools

Module 5
Managing Message Transport
Contents:
Lesson 1: Overview of Message Transport 5-3
Lesson 2: Configuring Message Transport 5-16
Lab: Managing Message Transport 5-32

Module Overview

This module details how to manage message transport in Microsoft® Exchange Server 2010. To
implement message transport in Exchange Server 2010, it is important to understand the components of
message transport, how Exchange Server 2010 routes messages, and how you can troubleshoot message-
transport issues.

This module also provides details on deploying the Exchange Server 2010 Hub Transport server, and the
options that you can configure.

After completing this module, you will be able to:


• Describe message transport in Exchange Server 2010.
• Configure message transport.

Lesson 1
Overview of Message Transport

In this lesson, you will review message flow and the components that message transport requires,
especially when you implement multiple Exchange Server 2010 Hub Transport servers. To understand
message flow, you should know how message routing works within an Exchange Server organization, and
how Exchange Server routes messages between Active Directory® Domain Services (AD DS) sites or
outside the Exchange Server organization. Exchange Server 2010 provides several tools for
troubleshooting Simple Mail Transfer Protocol (SMTP) message delivery, and this lesson describes how
you can use these troubleshooting tools.

After completing this lesson, you will be able to:


• Describe message flow.
• Describe the components of message transport.
• Describe how an Exchange Server organization routes messages.
• Describe message routing between Active Directory sites.
• Describe options for modifying the default message flow.
• Describe the tools for troubleshooting SMTP message delivery.
• Troubleshoot SMTP message delivery.

Discussion: Overview of Message Flow

Key Points
Exchange Server 2010 uses the SMTP message protocol standard. Therefore, it is important to understand
how SMTP works. Exchange Server 2010 also supports several message-flow scenarios. Based on your
organization’s messaging environment, you can implement a suitable message-flow scenario.

Discussion Questions
Based on your experience, consider the following questions:

Question: What is SMTP?

Question: What are the various message-flow scenarios?

Question: What type of message-flow scenarios do most organizations implement?



Components of Message Transport

Key Points
The message transport pipeline in Exchange Server 2010 consists of several components that work
together to route messages. Messages from outside the organization enter the transport pipeline through
an SMTP Receive connector on an Edge Transport server, a Hub Transport server, or another SMTP server.
Messages inside the organization enter the transport pipeline through the SMTP connector on a Hub
Transport server, through agent submission, from the Pickup or Replay directory, or by direct placement
by the store driver in the Submission queue.

Submission Queue
When the Microsoft Exchange Transport service starts, the categorizer creates one Submission queue on
each Edge Transport server and Hub Transport server. The Submission queue stores all messages on disk
until the categorizer processes them for further delivery. The categorizer cannot process a message unless
a server promotes it to the Submission queue. While the categorizer processes a message, it remains in
the Submission queue. After the categorizer categorizes a message successfully, it removes it from the
Submission queue.

Store Driver
Messages sent by mailbox users enter the message-transport pipeline from the sender’s Outbox. The store
driver on the Hub Transport server retrieves messages from the sender’s Outbox, and submits them to a
Submission queue.

Microsoft Exchange Mail Submission Service


The Microsoft Exchange Mail Submission service is a notification service running on Mailbox servers. It
notifies a Hub Transport server role in the local Active Directory site when a message is available for
retrieval from a sender’s Outbox. The store driver on the notified Hub Transport server role picks up the
message from the sender’s Outbox.

Categorizer
The categorizer retrieves one message at a time from the Submission queue, and always picks the oldest
message first. On an Edge Transport server, categorization of an inbound message is a short process in
which the categorizer verifies the recipient SMTP address and places the message directly into the delivery
queue. From the delivery queue, it routes the message to a Hub Transport server.

Pickup Directory
Most messages enter the message transport pipeline through SMTP Receive connectors or by submission
through the store driver. However, messages also can enter the message transport pipeline by being
placed in the Pickup directory on a Hub Transport server or an Edge Transport server.

How Are Messages Routed in an Exchange Server Organization?

Key Points
In an Exchange Server messaging environment, you must deploy a Hub Transport server role in each
Active Directory site where a Mailbox server role or a Unified Messaging server is installed. Hub Transport
servers deliver all messages in an Exchange Server 2010 organization, including messages sent between
two recipients with mailboxes located in the same Mailbox database, on the same site, and between
Active Directory sites.
The following process describes how a Hub Transport server delivers mail within a single Active Directory
site:

1. The message flow begins when a message is submitted to the message store on an Exchange Server
2010 Mailbox server role.

2. When the Microsoft Exchange Mail Submission service detects that a message is available and waiting
in an Outbox, it picks an available Hub Transport server and submits a new message notification to
the store driver.
3. The store driver retrieves the message from the Mailbox server role. The store driver uses MAPI to
connect to the user’s Outbox and collect any messages that are awaiting delivery. The store driver
submits the messages to the categorizer submission queue, for processing, and also moves a copy of
the message from the user’s Outbox to the user’s Sent Items folder.

Note: While the message is passing through the Hub Transport server role, the server can use
transport agents to modify the message or the message flow. For example, transport agents can apply
custom routing or journaling rules, or perform antivirus filtering.

4. For messages destined to arrive at a Mailbox server on the same Active Directory site, the store driver
places the message in a local delivery queue and delivers the message through MAPI to the Mailbox
server role.

5. For messages destined to arrive at a Mailbox server on another Active Directory site, the Hub
Transport server uses the Active Directory site-link information to determine the route to the
destination site. After determining the path, the Hub Transport server connects directly to the server
on the remote site. If no Hub Transport server on the destination site is available, the store driver
routes the message to a Hub Transport server that is closer to the destination site.
6. For messages destined for the Internet, the Hub Transport server delivers the message to an Edge
Transport server, which delivers the message to the appropriate Internet e-mail server. If the
organization does not use an Edge Transport server, a Hub Transport server delivers the message
directly to the appropriate Internet e-mail server using SMTP.

How Are Messages Routed Between Active Directory Sites?

Key Points
For remote mail-flow scenarios, the initial steps, in which the message passes from the Mailbox server to
the Hub Transport server, are identical to those of the local mail-flow scenario.

Understanding Remote Mail Flow


When a message is addressed to a recipient in the same Exchange Server organization, but in a different
Active Directory site, the following process takes place:
1. The local Mailbox server uses Active Directory site-membership information to determine which Hub
Transport servers are located in the same Active Directory site as the Mailbox server. The Mailbox
server submits the message to the local Hub Transport server. If more than one Hub Transport server
exists in the site, the Mailbox server will load-balance message delivery to all available Hub Transport
servers.

2. The Hub Transport server performs recipient resolution and queries AD DS to match the recipient e-
mail address to a recipient account. The recipient account information includes the fully qualified
domain name (FQDN) of the user’s Mailbox server. The FQDN determines the Active Directory site of
the user’s Mailbox server.
3. In a default configuration, the local Hub Transport server opens an SMTP connection to the remote
Hub Transport server in the destination site, and then delivers the message. After a Hub Transport
server in the destination Active Directory site receives the message, it forwards the message to the
appropriate Mailbox server in the destination Active Directory site.
4. If the message has multiple recipients whose mailboxes are in different Active Directory sites,
Exchange Server uses delayed fan-out to optimize message delivery. If the recipients share a portion
of the path, or the entire path, then Exchange Server sends a single copy of the message with these
recipients until the bifurcation point. Exchange Server then bifurcates and sends a separate copy to
each recipient.

For example, if the least-cost routes from Site1 to Site3 and Site4 both pass through Site2, then
Exchange Server sends a single copy of a message intended for recipients in Site3 and Site4 to a Hub
Transport server in Site2. Then, the Hub Transport server in Site2 sends two copies of the message:
one each to a Hub Transport server in Site3 and Site4.

How Exchange Server 2010 Deals with Message-Delivery Failure


If a Hub Transport server cannot deliver a message to a Hub Transport server in the destination site, the
Hub Transport server uses the least-cost routing path to deliver the message as close as possible to the
destination site. The source Hub Transport server attempts to deliver the message to a Hub Transport
server in the last site before the destination site, along the least-cost routing path. The Hub Transport
server continues to trace the path backward until it makes a connection to a Hub Transport server. The
Hub Transport server queues the messages in that Active Directory site, and the queue is in a retry state. If
Hub Transport servers are not available in any site along the least-cost route, the message is queued on
the local Hub Transport server. This behavior is called queue at point of failure.

Options for Modifying the Default Message Flow

Key Points
In some cases, you may want to modify the default message routing configuration. You can do this by
configuring specific Active Directory sites as Hub sites, and by assigning Exchange Server-specific routing
costs to Active Directory site links. Hub sites are central sites that you define to route messages.
By default, Hub Transport servers in one site will try to deliver messages to a recipient in another site by
establishing a direct connection to a Hub Transport server in the remote Active Directory site. However,
you can modify the default message-routing topology in three ways.

Configuring Hub Sites


You can configure one or more Active Directory sites in your organization as hub sites. When a hub site
exists along the least-cost routing path between two Hub Transport servers, the messages are routed to a
Hub Transport server in the hub site for processing before they are relayed to the destination server.

Important: The Hub Transport server routes a message through a hub site only if it exists along the
least-cost routing path. The originating Hub Transport server always calculates the lowest-cost route
first, and then checks whether any of the sites on the route are hub sites. If the lowest-cost route does not
include a hub site, the Hub Transport server will attempt a direct connection. Use the
Set-AdSite -Identity sitename -HubSiteEnabled $true cmdlet to configure a site as a hub site.

Configuring Exchange-Specific Routing Costs


You also can modify the default message-routing topology by configuring an Exchange-specific cost to an
Active Directory IP site link. If you assign an Exchange-specific cost to the site link, the Hub Transport
server determines the least-cost routing path by using this attribute rather than the Active Directory-
assigned cost.

Note: Use the Set-AdSiteLink -Identity ADsitelinkname -ExchangeCost value cmdlet to assign
Exchange-specific routing costs. You also can use the Set-AdSiteLink -Identity ADsitelinkname
-MaxMessageSize value cmdlet to assign a maximum message size limit for messages sent between
Active Directory sites.

Configuring Expansion Servers for Distribution Groups


You also can modify the default routing topology by assigning expansion servers for distribution groups.
By default, when a message is sent to a distribution group, the first Hub Transport server that receives the
message expands the distribution list and calculates how to route the messages to each recipient in the
list. If you configure an expansion server for the distribution list, all messages sent to the distribution list
are sent to the specified Hub Transport server, which then expands the list and distributes the messages.
For example, you can use expansion servers for location-based distribution groups to ensure that the local
Hub Transport server resolves them.

Best Practice: You might need to review the Active Directory site design when you deploy Exchange
Server 2010, and adjust the IP site links and site-link costs so that delayed fan-out and queue at point
of failure behave as you intend.
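The three adjustments described above (Exchange-specific site-link costs, a hub site, and an expansion server) as Exchange Management Shell commands, added here as an example rather than taken from the course text. The site names Vancouver, Toronto and Montreal, the site-link names Van-Tor and Tor-Mtl, the group "Montreal Staff" and the server MTL-HUB1 are assumed for illustration.

```powershell
# Added example (not from the course text): inspect and adjust the routing
# topology from the Exchange Management Shell on a Hub Transport server.
# Assumed names: site links "Van-Tor" and "Tor-Mtl", site "Toronto",
# distribution group "Montreal Staff", Hub Transport server "MTL-HUB1".

# 1. Show how each IP site link is costed. "Cost" is the value routing uses:
#    it equals ExchangeCost when one is set, otherwise ADCost.
Get-AdSiteLink | Format-Table Name, ADCost, ExchangeCost, Cost, MaxMessageSize, Sites -AutoSize

# 2. Give the Vancouver-Toronto link an Exchange-specific cost so that mail
#    routing no longer depends on the replication cost, and cap the size of
#    messages that may cross the slower Toronto-Montreal link.
Set-AdSiteLink -Identity "Van-Tor" -ExchangeCost 10
Set-AdSiteLink -Identity "Tor-Mtl" -ExchangeCost 50 -MaxMessageSize 10MB

# 3. Make Toronto a hub site. Messages are relayed through a Hub Transport
#    server there only when Toronto already lies on the least-cost path.
Set-AdSite -Identity "Toronto" -HubSiteEnabled $true

# 4. Expand the Montreal distribution group on the Montreal Hub Transport
#    server instead of on whichever server first receives the message.
Set-DistributionGroup -Identity "Montreal Staff" -ExpansionServer "MTL-HUB1"

# 5. Verify the result.
Get-AdSite | Where-Object { $_.HubSiteEnabled } | Format-Table Name, HubSiteEnabled
Get-DistributionGroup -Identity "Montreal Staff" | Format-List Name, ExpansionServer

# 6. Sanity check: flag every site link whose Exchange cost differs from its
#    AD cost, so that overrides stay documented rather than surprising.
Get-AdSiteLink |
    Where-Object { $_.ExchangeCost -ne $null -and $_.ExchangeCost -ne $_.ADCost } |
    ForEach-Object {
        Write-Warning ("Site link {0}: AD cost {1}, Exchange cost {2}" -f $_.Name, $_.ADCost, $_.ExchangeCost)
    }
```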

Tools for Troubleshooting SMTP Message Delivery

Key Points
Similar to Exchange Server 2007, Exchange Server 2010 also provides several tools for troubleshooting
SMTP message delivery.

Tip: Exchange Server 2010 relies on the Active Directory site configuration for message routing.
Therefore, to troubleshoot a message-routing issue, you might need to use Active Directory tools to
validate or modify site, site link, or IP subnet information, and to verify Active Directory replication.
You can use the Active Directory Sites and Services tool to view IP subnets and site links.

Using Exchange Server Best Practices Analyzer


The Exchange Server Best Practices Analyzer is a tool that you can use to check the Exchange server
configuration and the health of your Exchange server topology. This tool automatically examines an
Exchange server deployment and determines whether the configuration is in line with Microsoft best
practices. You should run the Best Practices Analyzer after you install a new Exchange server, upgrade an
existing Exchange server, or make configuration changes.

Using the Mail Flow Troubleshooter


The Mail Flow Troubleshooter tool assists Exchange Server administrators in troubleshooting common
mail-flow problems.

Using the Queue Viewer


As in previous Exchange Server versions, messages waiting to be processed or delivered reside in message
queues on the Exchange Server Hub Transport servers. However, unlike Exchange Server versions before
2007, all message queues reside in a local Exchange Server database on the server. The message queues
provide a very useful diagnostic tool to locate and identify messages that have not been delivered.

Note: For more information on the queues that Exchange Server 2010 uses, and the process for
troubleshooting message flow, see the Managing Queues page on the Microsoft Technet Web site.

Using Message Tracking and Tracking Log Explorer


You also can use message tracking to troubleshoot message flow. By default, message tracking is enabled
on Hub Transport servers, and all message-tracking logs are stored in the
C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\MessageTracking folder.

Note: To view the message-tracking logs, use the Message Tracking and Tracking Log Explorer tools
available in the Exchange Management Console Toolbox. In Exchange Server 2010, users also can
track their messages using the Exchange Control Panel (ECP). The Message Tracking tool does not
provide the level of detail that the Tracking Log Explorer provides. For example, sending a message
between two Exchange servers that are in the same Active Directory site does not show the Exchange
server names in Message Tracking whereas Tracking Log Explorer provides you with this information.

Using the Routing Log Viewer


You can use the routing log viewer to open a routing log file that contains information about how the
routing topology appears to the server. You can use this information when you troubleshoot message
routing within the organization or to the Internet.

Using Protocol Logging


You also can configure protocol logging to provide detailed information for troubleshooting message
flow. Protocol logging is enabled on the SMTP Send connector or SMTP Receive connector properties,
and the log files are stored in the
C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\ProtocolLog folder.

Using Telnet
You can use Telnet to check whether the SMTP port responds, or to send an SMTP message directly to a
connector to see whether the connector accepts it. Telnet is a Windows Server 2008 feature, and you use
it from the command line with the following syntax: telnet <servername> SMTP or telnet <servername>
<port number>. For example, you can use either TELNET VAN-EX1 SMTP or TELNET VAN-EX1 25; both
do the same thing.

Demonstration: How to Troubleshoot SMTP Message Delivery

Key Points
In this demonstration, you will see how to use Telnet and Queue Viewer to troubleshoot SMTP message
delivery.

Demonstration Steps
1. Open the Command Prompt window.
2. To start the Telnet tool, at the command prompt, type Telnet VAN-EX1 SMTP, and try to send a
message using Telnet.
3. In Exchange Management Console, from the Toolbox pane, start the Queue Viewer tool.
4. Suspend and resume the Submission queue.
5. Close Queue Viewer.
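An added troubleshooting pass, not part of the course text or the demonstration, that walks the tools above from the Exchange Management Shell: log locations, message tracking, queues, protocol logging, and an SMTP banner check that does what the Telnet step does. The server VAN-EX1 and its default receive connector follow the course lab; the address alice@adatum.com, the Test-Mailflow cmdlet and the Test-SmtpBanner helper are not on the page and are assumptions.

```powershell
# Added example (not from the course text): troubleshooting SMTP delivery
# from the Exchange Management Shell. Assumed: Hub Transport server VAN-EX1,
# receive connector "VAN-EX1\Default VAN-EX1", mailbox alice@adatum.com.

# Where this server writes its logs (message tracking and protocol logs are
# per-server settings, so check the paths before opening the Log Explorer).
Get-TransportServer -Identity VAN-EX1 |
    Format-List MessageTrackingLogEnabled, MessageTrackingLogPath,
                ReceiveProtocolLogPath, SendProtocolLogPath

# 1. Message tracking: delivery failures recorded in the last two hours.
$since = (Get-Date).AddHours(-2)
Get-MessageTrackingLog -Server VAN-EX1 -Start $since -EventId FAIL |
    Select-Object Timestamp, Sender, Recipients, RecipientStatus, MessageSubject |
    Format-Table -AutoSize

# 2. Queues: anything in Retry, with the last error the transport service saw.
$stuck = Get-Queue -Server VAN-EX1 | Where-Object { $_.Status -eq "Retry" }
$stuck | Format-Table Identity, DeliveryType, NextHopDomain, MessageCount, LastError -AutoSize
foreach ($q in $stuck) {
    # Oldest message in the queue usually explains why the queue is stuck.
    Get-Message -Queue $q.Identity | Sort-Object DateReceived | Select-Object -First 1 |
        Format-List FromAddress, Recipients, Subject, LastError
    Retry-Queue -Identity $q.Identity   # do not wait for the next retry interval
}

# 3. Protocol logging: verbose SMTP conversation logging on the receive
#    connector while investigating (the default level is None); set it back
#    to None afterwards, because verbose logs grow quickly.
Set-ReceiveConnector -Identity "VAN-EX1\Default VAN-EX1" -ProtocolLoggingLevel Verbose
# Set-ReceiveConnector -Identity "VAN-EX1\Default VAN-EX1" -ProtocolLoggingLevel None

# 4. Banner check: the same test as "telnet VAN-EX1 25", without Telnet.
#    A healthy SMTP listener answers "220 <fqdn> ..." before the client sends
#    anything, so reading one line is enough to tell "port open" from "port
#    open but service not answering".
function Test-SmtpBanner {
    param([string]$Server, [int]$Port = 25, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return "no TCP response from $Server on port $Port"
        }
        $client.EndConnect($async)
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $reader = New-Object System.IO.StreamReader($stream)
        $banner = $reader.ReadLine()
        # End the session cleanly so the connector's protocol log shows QUIT.
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.WriteLine("QUIT")
        $writer.Flush()
        return $banner
    } catch {
        return "error: " + $_.Exception.Message
    } finally {
        $client.Close()
    }
}
Test-SmtpBanner -Server VAN-EX1   # expect a line starting with "220"

# 5. End-to-end check from a Mailbox server role: submit a test message and
#    report whether it reached the target mailbox.
Test-Mailflow -Identity VAN-EX1 -TargetEmailAddress alice@adatum.com
```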

Lesson 2
Configuring Message Transport

To configure message transport in an Exchange Server organization, you must first configure the Hub
Transport servers. It is important to understand the various message-transport concepts and components,
such as accepted and remote domains and SMTP connectors. This lesson also describes the various tasks
of configuring a Hub Transport server and message routing.

After completing this lesson, you will be able to:


• Describe the process for configuring Hub Transport Servers.
• Configure Hub Transport Servers.
• Describe the options for configuring message transport.
• Describe accepted domains.
• Describe remote domains.
• Configure accepted and remote domains.
• Describe an SMTP connector.
• Configure SMTP Send and Receive connectors.
• Describe the purpose and functionality of back pressure.

Process for Configuring Hub Transport Servers

Key Points
By default, when you install a Hub Transport server in an Exchange Server 2010 organization, this enables
message routing within the organization. However, you might need to configure additional options on
the Hub Transport server role.
To configure a Hub Transport server, use the following process:

1. Configure server-specific settings. These settings include internal Domain Name System (DNS)
configuration and connection limits.
2. Configure authoritative domains and e-mail address policies. An authoritative domain is one for
which the Exchange Server organization accepts messages and has mailboxes. You first must
configure an authoritative domain before you can configure e-mail address policies to apply e-mail
addresses to recipients and accept inbound SMTP messages for those recipients.

3. Configure a postmaster mailbox. For each accepted domain, you must configure a postmaster
mailbox. RFC 2822 requires a postmaster mailbox, and it is the mailbox that receives non-delivery
reports (NDRs) and delivery status notifications (DSNs). You can create a new mailbox, or you can add
the postmaster alias to an existing mailbox user.
4. Configure Internet message flow. If you are not deploying an Edge Transport server, you will need to
configure the Hub Transport server to enable inbound and outbound mail flow. To enable inbound
mail flow, configure an SMTP Receive connector to accept anonymous connections on port 25 using
a network interface that is accessible from the Internet. To enable outbound e-mail flow, configure an
SMTP Send connector with an address space of “*” that can use DNS or a smart host to send messages
to the Internet.

If you are using the Hub Transport server to send and receive e-mail from the Internet, you should
configure antivirus and anti-spam agents on the Hub Transport server.

Note: We strongly recommend that you use an Edge Transport server role or some other SMTP relay
server to send and receive messages from the Internet. If you are using an SMTP gateway server other
than an Exchange Server 2010 Edge Transport server role, you still will need to configure the SMTP
Send connector and SMTP Receive connector. The only difference is that you should configure the
SMTP gateway server as the smart host on the SMTP Send connector and accept only connections
from the SMTP gateway server on the SMTP Receive connector. As an alternative to managing your
own Edge Transport server role, you should also consider Exchange Hosted Services.

5. Configure messaging policies. By default, messaging policies are not applied to messages passing
through the Hub Transport server role. As part of the Hub Transport server role deployment, you
must configure your organization’s transport and journaling rules.
6. Configure administrative permissions. As part of the Hub Transport server role deployment, you can
choose to delegate permissions to configure and monitor the server.
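The configuration steps above as Exchange Management Shell commands, added here as an example rather than taken from the course text. The domain adatum.com and server VAN-EX1 follow the course lab; the gateway gateway.adatum.com at 10.10.0.25, the external name mail.adatum.com, the policy and connector names, and the Get-AnonymousRelayConnectors helper are assumptions.

```powershell
# Added example (not from the course text): Hub Transport configuration for
# Internet mail flow through an SMTP gateway. Assumed: server VAN-EX1,
# accepted domain adatum.com, mailbox "Postmaster", gateway 10.10.0.25
# (gateway.adatum.com), external name mail.adatum.com.

# Step 2: authoritative domain, then an e-mail address policy that stamps it.
New-AcceptedDomain -Name "Adatum" -DomainName "adatum.com" -DomainType Authoritative
New-EmailAddressPolicy -Name "Adatum users" -IncludedRecipients AllRecipients `
    -EnabledEmailAddressTemplates "SMTP:%m@adatum.com"
Update-EmailAddressPolicy -Identity "Adatum users"

# Step 3: postmaster. Add the alias to an existing mailbox and use it as the
# address on NDRs and DSNs that leave the organization.
$pm = Get-Mailbox -Identity "Postmaster"
$pm.EmailAddresses += "smtp:postmaster@adatum.com"
Set-Mailbox -Identity "Postmaster" -EmailAddresses $pm.EmailAddresses
Set-TransportConfig -ExternalPostmasterAddress "postmaster@adatum.com"

# Step 4a: inbound. With a gateway in front, accept port 25 only from the
# gateway address; the -Usage Internet template grants AnonymousUsers,
# which is needed because the gateway does not authenticate.
New-ReceiveConnector -Name "From gateway" -Server VAN-EX1 -Usage Internet `
    -Bindings 0.0.0.0:25 -RemoteIPRanges 10.10.0.25 -Fqdn mail.adatum.com
# Without a gateway, the same connector is opened to every source address:
# New-ReceiveConnector -Name "From Internet" -Server VAN-EX1 -Usage Internet `
#     -Bindings 0.0.0.0:25 -RemoteIPRanges 0.0.0.0-255.255.255.255 -Fqdn mail.adatum.com

# Check: an anonymous connector must accept mail for accepted domains only.
# Relaying to arbitrary recipients is a separate extended right
# (ms-Exch-SMTP-Accept-Any-Recipient) that anonymous logon must not hold on
# any connector reachable from outside.
function Get-AnonymousRelayConnectors {
    foreach ($rc in Get-ReceiveConnector) {
        if ($rc.PermissionGroups -notmatch "AnonymousUsers") { continue }
        $relay = $rc | Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
            Where-Object { $_.ExtendedRights -like "*Accept-Any-Recipient*" }
        if ($relay) { $rc }
    }
}
$open = Get-AnonymousRelayConnectors
if ($open) {
    $names = ($open | ForEach-Object { $_.Identity }) -join ", "
    Write-Warning "Anonymous relay is allowed on: $names"
}

# Step 4b: outbound. Address space "*" covers every external domain; route
# through the gateway as a smart host (DNS routing is turned off when smart
# hosts are used, otherwise the connector resolves MX records itself).
New-SendConnector -Name "To Internet" -Usage Internet -AddressSpaces "*" `
    -SourceTransportServers VAN-EX1 -SmartHosts gateway.adatum.com -DNSRoutingEnabled $false
```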

Demonstration: How to Configure Hub Transport Servers

Key Points
In this demonstration, you will review the options for configuring Hub Transport servers.

Demonstration Steps
1. On VAN-EX1, if required, click Start, point to All Programs, point to Microsoft Exchange Server
2010, and then click Exchange Management Console.
2. In Exchange Management Console, expand Microsoft Exchange On-Premises, expand
Organization Configuration, and then click Hub Transport.
3. On the Global Settings tab, double-click Transport Settings and review the options on the
Message Delivery tab.
4. In Exchange Management Console, expand Server Configuration, and then click Hub Transport.
Open Hub Transport server properties and review the options on the Log Settings tab and Limits
tab.
5. At the Exchange Management Shell command prompt, type
Get-TransportServer -I van-ex1 |fl, and then press ENTER.

Options for Configuring Message Transport

Key Points
Exchange Server 2010 supports various additional options that you can configure on the message
transport. These options include transport rules, Rights Protection using transport protection rules,
journaling, enhanced disclaimers, and moderated transport.

Note: This module provides a high-level overview of these options. Module 8 provides more details
on these options.

Transport Rules
Transport rules inspect messages for the conditions that each rule specifies, and then apply the rule's
actions to messages that meet the conditions and none of the exceptions. Exchange Server 2010 includes
several new predicates and actions, and provides additional flexibility in creating rules and additional
options for actions that you can apply to messages.

Rights Protection Using Transport Protection Rules


You can use transport protection rules to protect messaging content by rights-protecting e-mail messages
and attachments of supported file types, such as Microsoft® Office Word or Microsoft Office Excel®.
Transport protection rules apply Rights Management Services (RMS) templates to messages in transport,
which restrict the recipients that can access a message, and specify the actions that can be performed by
recipients of the message, such as printing a message or an attachment, and forwarding a message.
You can use the Active Directory Rights Management Services (AD RMS) component of Exchange Server
2010 to protect messaging content.

Journaling
Journaling is the ability to record all communications, including e-mail communications, in an
organization for use in the organization’s e-mail retention or archival strategy.

Enhanced Disclaimers
Exchange 2010 lets you add disclaimers that can include hyperlinks, images, and HTML-formatted text.
You also can insert Active Directory attributes that are substituted for the sender’s attributes when a
message triggers a disclaimer rule.

Moderated Transport
Using the moderated transport feature in Exchange Server 2010, you can make it mandatory that a
moderator approves all e-mail messages that are sent to specific recipients. You can configure any type of
recipient as a moderated recipient, and Exchange Server 2010 Hub Transport servers ensure that all
messages sent to those recipients go through an approval process.

Anti-Spam and Antivirus Protection


The built-in protection features in Exchange Server 2010 provide anti-spam and antivirus protection for
messages. Although these built-in protection features are for use in the perimeter network on the Edge
Transport server role, you also can configure the Edge Transport agents on the Hub Transport server.
Although Exchange Server 2010 includes some antivirus protection features, such as transport rules that
you can configure to block a virus attack, it does not include any virus-scanning software. Therefore,
you should consider third-party virus-scanning software, such as Microsoft Forefront® Security for
Exchange, to provide additional antivirus protection.
5-22 Configuring, Managing and Troubleshooting Microsoft® Exchange Server 2010

What Are Accepted Domains?

Key Points
As part of the Hub Transport server-configuration process, you should configure the domains for which
the Hub Transport server will accept e-mail, and configure users with alternate e-mail addresses.

Configuring Accepted Domains


The accepted domain property specifies one or more SMTP domain names for which the Exchange server
receives mail. If an SMTP Receive connector on the Exchange Server 2010 Hub Transport server receives a
message that is addressed to a domain that is not on the accepted domain list, it rejects the message and
sends an NDR.

To configure an accepted domain, access the Organization Configuration node, and then click Hub
Transport. You can view the current accepted domains in the Accepted Domains tab, and you can
create additional domains by clicking New Accepted Domain in the Actions pane.

When you create a new accepted domain, you have three options for the domain type you want to
create:
• Authoritative Domain. Select this option if the recipients using this domain name have mailboxes in
the Exchange Server organization.
• Internal Relay Domain. Select this option if the Hub Transport or Edge Transport server should accept
the e-mail, but relay it to another messaging organization in another Active Directory forest. The
recipients in an internal relay domain do not have mailboxes in this Exchange organization, but do
have contacts in the global address list (GAL). When messages are sent to the contacts, the Hub
Transport server or Edge Transport server forwards them to another SMTP server.
• External Relay Domain. Select this option if the Hub Transport or Edge Transport server should accept
the e-mail, but relay it to an alternate SMTP server. In this scenario, the transport server receives the
messages for recipients in the external relay domain, and then routes the messages to the
e-mail system for the external relay domain. This requires a Send connector from the transport server
to the external relay domain.

Note: To configure accepted domains using the Exchange Management Shell, use the New-AcceptedDomain
or Set-AcceptedDomain cmdlet.

What Are Remote Domains?

Key Points
Remote domains define SMTP domains that are external to your Exchange organization. You can create
remote domain entries to define the settings for message transfer between the Exchange Server 2010
organization and domains outside your AD DS forest. When you create a remote domain entry, you
control the types of messages that are sent to that domain. You also can apply message-format policies
and acceptable character sets for messages that are sent from your organization’s users to the remote
domain. The settings for remote domains determine the Exchange organization’s global configuration
settings.

Creating Remote Domain Entries


You can create remote domain entries to define the mail-transfer settings between the Exchange Server
2010 organization and a domain that is outside your Active Directory forest. When you create a domain
entry, you provide a name to help the administrator identify the entry’s purpose when they view
configuration settings.

Configuring Remote Domain Settings


The configuration for a remote domain determines the out-of-office message settings for e-mail that is
sent to the remote domain and the message format settings for e-mail that is sent to the remote domain.

Out-of-Office Message Settings


The out-of-office message settings control the messages that are sent to recipients in the remote domain.
The types of out-of-office messages that are available in your organization depend on both the Microsoft
Office Outlook client version and the Exchange Server version on which the user’s mailbox is located.

An out-of-office message is set on the Outlook client but is sent by the Exchange server. Exchange Server
2010 supports three out-of-office message classifications: external, internal, and legacy.

Message Format Options Including Acceptable Character Sets


You can configure multiple message format options to specify message delivery and formatting policies
for the messages that are sent to recipients in the remote domain.

The first set of options on the Message Format tab applies restrictions to the types of messages that can
be sent to the remote domain, how the sender’s name displays to the recipient, and the column width for
message text. These options include:
• Allow automatic replies.
• Allow automatic forward.
• Allow delivery reports.
• Allow nondelivery reports.
• Display sender’s name on messages.
• Use message text line-wrap at column.
• Meeting forward notification enabled.

Message Format Options


Use the Exchange rich-text format settings to determine whether e-mail messages from your organization
to the remote domain are sent by using Exchange Rich Text Format (RTF).

Character Sets
The Character Sets options let you select a MIME character set and a non-MIME character set to use
when you send messages to a remote domain.

Demonstration: How to Configure Accepted and Remote Domains

Key Points
In this demonstration, you will review the default accepted domain configuration, and then see how to
configure accepted and remote domains.

Demonstration Steps
1. In Exchange Management Console, expand Microsoft Exchange On-Premises, expand
Organization Configuration, and then click Hub Transport.
2. Click the Accepted Domains tab, and then double-click Adatum.com. Click OK.
3. Click New Accepted Domain and create an accepted domain for adatum.local as Internal Relay
Domain.
4. Click the Remote Domains tab, and review the default remote domain settings. Click OK.
5. Click New Remote Domain, and create a remote domain for contoso.com.
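The same demonstration carried out in the Exchange Management Shell, as an added example that is not part of the course. adatum.local and contoso.com are the demonstration's domains; the entry names "Adatum Local" and "Contoso" and the Message Format values are assumptions.

```powershell
# Added example (not from the course). Run in the Exchange Management Shell on a
# Hub Transport server. adatum.local and contoso.com come from the demonstration;
# the entry names and the individual Message Format values are assumed.

# Steps 1-3: review the accepted domains, then add adatum.local as an Internal Relay
# Domain (recipients have GAL contacts here but their mailboxes are in another forest).
Get-AcceptedDomain | Format-Table Name, DomainName, DomainType, Default -AutoSize

New-AcceptedDomain -Name "Adatum Local" -DomainName "adatum.local" -DomainType InternalRelay

# Steps 4-5: review the default remote domain (DomainName "*"), then create an entry for
# contoso.com. The settings are passed as a hashtable (splatting) so that each one can be
# annotated with the Message Format option it corresponds to.
Get-RemoteDomain | Format-List Name, DomainName, AllowedOOFType, AutoForwardEnabled, TNEFEnabled

New-RemoteDomain -Name "Contoso" -DomainName "contoso.com"

$contoso = @{
    Identity                          = "Contoso"
    AllowedOOFType                    = "External"   # out-of-office: send only the external message
    AutoReplyEnabled                  = $false       # Allow automatic replies (rule-generated replies)
    AutoForwardEnabled                = $false       # Allow automatic forward (stops forward-all rules leaking mail)
    DeliveryReportEnabled             = $true        # Allow delivery reports
    NDREnabled                        = $true        # Allow nondelivery reports
    DisplaySenderName                 = $true        # Display sender's name on messages
    LineWrapSize                      = 72           # Use message text line-wrap at column 72
    MeetingForwardNotificationEnabled = $false       # Meeting forward notification enabled
    TNEFEnabled                       = $false       # Exchange rich-text format: never send RTF (TNEF)
    CharacterSet                      = "iso-8859-1" # MIME character set
    NonMimeCharacterSet               = "iso-8859-1" # Non-MIME character set
}
Set-RemoteDomain @contoso

# Verify: mail to contoso.com now matches this entry instead of the Default (*) entry.
Get-RemoteDomain -Identity "Contoso" |
    Format-List DomainName, AllowedOOFType, AutoForwardEnabled, TNEFEnabled, CharacterSet
```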

What Is an SMTP Connector?

Key Points
For a Hub Transport server to send or receive messages using SMTP, at least two SMTP connectors must
be available on the server. An SMTP connector is an Exchange Server component that supports one-way
SMTP connections that route mail between Hub Transport and Edge Transport servers or between the
transport servers and the Internet. You create and manage SMTP connectors from the Exchange
Management Console or the Exchange Management Shell. Exchange Server 2010 provides two types of
SMTP connectors: SMTP Receive connectors and SMTP Send connectors.

Note: Exchange Server 2010 automatically creates the Send and Receive connectors that
intraorganization mail flow requires. These are implicit connectors that are not visible in the Exchange
management tools, and you cannot modify them.

What Are SMTP Receive Connectors?


An Exchange Server 2010 computer requires an SMTP Receive connector to accept any SMTP e-mail. An
SMTP Receive connector enables an Exchange Hub Transport or Edge Transport server to receive mail
from any other SMTP sources, including SMTP mail programs, such as Windows Mail and SMTP servers on
the Internet, Edge Transport servers, or other Exchange Server SMTP servers.
You create SMTP Receive connectors on each server running the Hub Transport server role. Use the
following naming protocol for the SMTP Receive connectors: Client SERVERNAME Receive connector,
which you configure to receive connections from SMTP clients such as Windows Mail; and Default
SERVERNAME Receive connector, which you configure to receive authenticated connections from other
SMTP servers. The default configuration for the two connectors is almost identical, but with one important
difference: you configure the Client SERVERNAME Receive connector to listen on port 587 rather than
port 25. As described in RFC 2476, port 587 has been proposed to be used only for message submission
from e-mail clients that require message relay.

What Are SMTP Send Connectors?


An Exchange Server 2010 computer requires an SMTP Send connector to send any SMTP e-mail, and to
send e-mail to any SMTP server on the Internet or to any SMTP servers in the same Exchange Server
organization.

Note: By default, no SMTP Send connectors are configured on Hub Transport servers, except for the
implicit SMTP Send connectors. These are created dynamically to communicate with Hub Transport
servers in other sites.

How to Manage SMTP Connectors


You can use the Exchange Management Console or the Exchange Management Shell to create, configure,
or view SMTP connectors.

Note: Incorrect configuration of SMTP Receive connectors can turn the mail server into an open relay.
Therefore, you must carefully test the configuration.

Demonstration: How to Configure SMTP Send and Receive Connectors

Key Points
In this demonstration, you will see how to configure SMTP Send and Receive connectors.

Demonstration Steps
1. In Exchange Management Console, expand Microsoft Exchange On-Premises, expand
Organization Configuration, and then click Hub Transport.
2. Click the Send Connectors tab and create a New Send Connector.
3. In Exchange Management Console, expand Server Configuration, and then click Hub Transport.
4. Click New Receive Connector and create a Receive connector that allows the anonymous group to
send messages.

What Is Back Pressure?

Key Points
Back pressure is a system-resource monitoring feature of the Microsoft Exchange Transport service that
exists on computers that have the Hub Transport server role or Edge Transport server role installed.
Back pressure monitors important system resources, such as available hard-disk drive space and available
memory. If utilization of a system resource exceeds the specified limit, the Exchange server stops
accepting new connections and messages. This prevents the system resources from being completely
overwhelmed, and enables the Exchange server to deliver the existing messages. When utilization of the
system resource returns to a normal level, the Exchange server accepts new connections and messages.

Back pressure can be used to:


• Monitor system resources, such as available hard disk drive space and memory.
• Restrict new connections and messages if a system resource exceeds a specified level.
• Prevent the server from being completely overwhelmed.
For each monitored system resource on a Hub Transport server or Edge Transport server, the following
three levels of resource utilization are applied:
• Normal. The resource is not overused. The server accepts new connections and messages.
• Medium. The resource is slightly overused. Back pressure is applied to the server in a limited manner.
Mail from senders in the authoritative domain can flow. However, the server rejects new connections
and messages from other sources.
• High. The resource is severely overused. Full back pressure is applied. All message flow stops, and the
server rejects all new connections and messages.

Options for Configuring Back Pressure


All configuration options for back pressure are available in the EdgeTransport.exe.config application
configuration file that is located in the C:\Program Files\Microsoft\Exchange Server\Bin directory.

The EdgeTransport.exe.config file is an XML application configuration file that is associated with the
EdgeTransport.exe file. The Microsoft Exchange Transport service uses the EdgeTransport.exe and
MSExchangeTransport.exe executable files. This service runs on every Hub Transport server or Edge
Transport server. Exchange Server applies the changes that are saved to the EdgeTransport.exe.config file
after the Microsoft Exchange Transport service is restarted.
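An added example, not part of the course, that reads and changes the back pressure settings in EdgeTransport.exe.config and shows how to recognize a server that is under back pressure. The appSettings key names and the MSExchangeTransport event IDs come from the Exchange Server 2010 transport service, not from this page; the file path is the one given above.

```powershell
# Added example (not from the course). Run as an administrator on a Hub Transport or
# Edge Transport server. The appSettings keys are those used by the Exchange Server 2010
# transport service for resource monitoring (back pressure).

$configPath = "C:\Program Files\Microsoft\Exchange Server\Bin\EdgeTransport.exe.config"

# Keys that govern back pressure. A key absent from the file uses the built-in default.
$backPressureKeys = @(
    "EnableResourceMonitoring",
    "ResourceMonitoringInterval",
    "PercentageDatabaseDiskSpaceUsedHighThreshold",
    "PercentageDatabaseDiskSpaceUsedMediumThreshold",
    "PercentageDatabaseDiskSpaceUsedNormalThreshold",
    "PercentagePrivateBytesUsedHighThreshold",
    "PercentagePrivateBytesUsedMediumThreshold",
    "PercentagePrivateBytesUsedNormalThreshold"
)

function Get-TransportSetting {
    param([xml]$Config, [string]$Key)
    $node = $Config.configuration.appSettings.add | Where-Object { $_.key -eq $Key }
    if ($node) { $node.value } else { "(not set, built-in default applies)" }
}

function Set-TransportSetting {
    param([xml]$Config, [string]$Key, [string]$Value)
    $node = $Config.configuration.appSettings.add | Where-Object { $_.key -eq $Key }
    if (-not $node) {
        # Key not present yet: create <add key="..." value="..."/> under <appSettings>.
        $node = $Config.CreateElement("add")
        $node.SetAttribute("key", $Key)
        [void]$Config.configuration.appSettings.AppendChild($node)
    }
    $node.SetAttribute("value", $Value)
}

[xml]$config = Get-Content -Path $configPath

"Current back pressure settings on $env:COMPUTERNAME"
foreach ($key in $backPressureKeys) {
    "{0,-48} {1}" -f $key, (Get-TransportSetting -Config $config -Key $key)
}

# Example change: apply full back pressure when the queue database disk is 95 percent
# full. Keep High > Medium > Normal if you also set the other two thresholds. Back up
# the file first; a malformed config file stops the transport service from starting.
Copy-Item -Path $configPath -Destination "$configPath.bak" -Force
Set-TransportSetting -Config $config -Key "PercentageDatabaseDiskSpaceUsedHighThreshold" -Value "95"
$config.Save($configPath)

# The change takes effect only after the Microsoft Exchange Transport service restarts.
Restart-Service -Name MSExchangeTransport

# Detection: the transport service logs MSExchangeTransport event 15004 when resource
# pressure rises (Normal to Medium or High) and 15005 when it drops back. A server in
# back pressure rejects SMTP connections, so these events explain "cannot connect"
# reports that have nothing to do with connector configuration.
Get-EventLog -LogName Application -Source MSExchangeTransport -After (Get-Date).AddDays(-1) |
    Where-Object { 15004, 15005 -contains $_.EventID } |
    Format-Table TimeGenerated, EventID, Message -AutoSize -Wrap
```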

Lab: Managing Message Transport

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and the 10135A-VAN-EX2 virtual machines are
running:
• 10135A-VAN-DC1: Domain controller in the Adatum.com domain
• 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain
• 10135A-VAN-EX2: Exchange 2010 server in the Adatum.com domain
3. If required, connect to the virtual machines. Log on to VAN-DC1, VAN-EX1 and VAN-EX2 as
Adatum\Administrator, using the password Pa$$w0rd.

Lab Scenario
You are a messaging administrator at A Datum Corporation, which is a large multinational organization
that has offices in London, Tokyo, and Vancouver, which is its headquarters. Your organization has
deployed Exchange Server 2010 in two of its sites. However, all Internet messages should flow through the
main site in Vancouver. As part of your job responsibilities, you need to set up the message transport to
and from the Internet and also ensure that the message flow works within and between the various sites.

Exercise 1: Configuring Internet Message Transport


Scenario
Your organization has deployed Exchange Server 2010 in two of its sites. However, all Internet messages
should flow through the main site. As part of your job responsibilities, you need to set up the message
transport to and from the Internet. You also want to configure the Hub Transport server for anti-spam.

The main tasks for this exercise are as follows:

1. Configure a Send connector to the Internet.
2. Configure a Receive connector to accept Internet messages.
3. Enable anti-spam functionality on the Hub Transport server.
4. Verify that Internet message delivery works.

To prepare for this lab
1. On VAN-EX2, click Start, right-click Network, and click Properties.
2. Click Change adapter settings.
3. Right-click Local Area Connection 2, and click Properties.
4. Click Internet Protocol Version 4 (TCP/IPv4), and click Properties.
5. Change the IP address to 10.10.11.21, and then click OK. Click Close.
6. Click the Start button, and then click Restart. In the Comment field, type Lab restart, and then click
OK.
7. After the system is restarted, log on to VAN-EX2 as Adatum\Administrator, using the password
Pa$$w0rd.

Note: These preparation steps move VAN-EX2 to a second site defined in AD DS.

Task 1: Configure a Send connector to the Internet
1. On VAN-EX1, open Exchange Management Console.
2. Create a new Send Connector with the following configuration:
• Name: Internet Send Connector
• Use: Internet
• Address space: *
• Route all messages through VAN-DC1.adatum.com

Task 2: Configure a Receive connector to accept Internet messages
1. On VAN-EX1, create a new Receive Connector with the following configuration:
• Name: Internet Receive Connector
• Use: Custom
• Local Network Settings: 10.10.0.10
2. Change the configuration on the Internet Receive Connector to enable anonymous users to send e-
mail and to enable verbose logging.

Task 3: Enable anti-spam functionality on the Hub Transport server
1. On VAN-EX1, open the Exchange Management Shell.
2. Switch to the c:\Program Files\Microsoft\Exchange Server\v14\scripts directory and use the
install-AntispamAgents.ps1 script to install the anti-spam agents on the Hub Transport server.
3. Restart the Microsoft Exchange Transport service.
4. Verify that anti-spam configuration options are now available on VAN-EX1 and at the organization
level.

Task 4: Verify that Internet message delivery works
1. On VAN-EX1, log on to Outlook Web App as Wei, and send a message to Info@Internet.com.
2. From the Toolbox node in the Exchange Management Console, open the Queue Viewer. Check the
queues on VAN-EX1 to verify that the message was delivered.
3. On VAN-DC1, use Telnet to verify that VAN-EX1 accepts anonymous messages. Use Telnet to send a
message as Info@internet.com to WeiYu@adatum.com.

Results: After this exercise, you should have configured message transport to send and receive
messages to and from the Internet using a smart host. You also should have configured anti-spam
functionality on a Hub Transport server.
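Exercise 1 carried out in the Exchange Management Shell, as an added example that is not part of the course; it also adds the open-relay check that the note under "How to Manage SMTP Connectors" calls for. Server names, addresses and connector names are the lab's; the anonymous address range and the expected SMTP replies are assumptions.

```powershell
# Added example (not from the course): the Exchange Management Shell equivalent of
# Exercise 1. Server names, IP addresses and connector names are taken from the lab.

# Task 1: Send connector to the Internet that routes everything through a smart host
# (VAN-DC1 stands in for the Internet relay in the lab). With a smart host, DNS routing is off.
New-SendConnector -Name "Internet Send Connector" `
    -Usage Internet `
    -AddressSpaces "*" `
    -SourceTransportServers "VAN-EX1" `
    -DNSRoutingEnabled $false `
    -SmartHosts "VAN-DC1.adatum.com"

# Task 2: Receive connector bound to the Internet-facing address. Anonymous SMTP is
# required to receive Internet mail; verbose protocol logging records every SMTP verb.
New-ReceiveConnector -Name "Internet Receive Connector" `
    -Server "VAN-EX1" `
    -Usage Custom `
    -Bindings "10.10.0.10:25" `
    -RemoteIPRanges "0.0.0.0-255.255.255.255" `
    -PermissionGroups AnonymousUsers

Set-ReceiveConnector -Identity "VAN-EX1\Internet Receive Connector" -ProtocolLoggingLevel Verbose

# Open relay check: AnonymousUsers grants ms-Exch-SMTP-Accept-Any-Sender but NOT
# ms-Exch-SMTP-Accept-Any-Recipient. Any connector that grants the latter to ANONYMOUS
# LOGON relays mail for every domain, so this pipeline must return nothing.
Get-ReceiveConnector -Server "VAN-EX1" |
    Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
    Where-Object { -not $_.Deny -and $_.ExtendedRights -like "*ms-Exch-SMTP-Accept-Any-Recipient*" } |
    Format-Table Identity, ExtendedRights -AutoSize

# Task 3: install the anti-spam agents, restart transport, confirm the agents are enabled.
Set-Location "C:\Program Files\Microsoft\Exchange Server\v14\scripts"
.\install-AntispamAgents.ps1
Restart-Service -Name MSExchangeTransport
Get-TransportAgent | Format-Table Identity, Enabled, Priority -AutoSize

# Task 4, step 3: what the manual Telnet session from VAN-DC1 to 10.10.0.10 port 25 should
# show. The connector accepts mail for the accepted domain adatum.com but refuses to relay
# for a foreign domain. Client lines are prefixed C:, server replies S: (expected values).
#   C: EHLO van-dc1.adatum.com
#   C: MAIL FROM:<Info@internet.com>
#   S: 250 2.1.0 Sender OK
#   C: RCPT TO:<WeiYu@adatum.com>
#   S: 250 2.1.5 Recipient OK
#   C: RCPT TO:<someone@example.com>
#   S: 550 5.7.1 Unable to relay
```

A 250 reply to the last RCPT TO would mean the connector relays for arbitrary domains and its permissions must be corrected before the server is reachable from the Internet.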

Exercise 2: Troubleshooting Message Transport


Scenario
You have successfully installed Exchange Server 2010 in two sites. You now need to make sure that mail
flow is working correctly.

The main tasks for this exercise are as follows:

1. Check the routing log, and verify that mail delivery works correctly.
2. Troubleshoot message transport.

Task 1: Check the routing log, and verify that mail delivery works correctly
1. On VAN-EX1, use the Routing Log Viewer to verify that VAN-EX1 is located in the Default-First-Site-
Name site, and the VAN-EX2 is located in the Site2 site.
2. Log on to Outlook Web App as Wei, and send an email to Anna, whose mailbox is on VAN-EX2.
Verify that the mail is received and that Anna can respond to the e-mail.

Task 2: Troubleshoot message transport
1. On VAN-EX1, in Exchange Management Shell, run the d:\labfiles\Lab05Prep1.ps1 script.
2. Send another e-mail from Wei to Anna. Verify that the message is not delivered.
3. Use Queue Viewer to investigate mail flow problems.
4. Use Telnet to check connectivity from VAN-EX1 to VAN-EX2
5. Re-create the receive connector to make mail flow work correctly.
6. Use Queue Viewer to force an immediate retry of message delivery.
7. Verify that Anna received the message.

Results: After this exercise, you should have used the Routing Log Viewer to get an overview of your
routing topology. For troubleshooting, you should have used the Queue Viewer and Telnet to
investigate the mail-flow problem.

Exercise 3: Troubleshooting Internet Message Delivery


Scenario
Your users complain that messages are not sent correctly to the Internet. As part of your job
responsibilities, you need to track messages to find out why message flow to the Internet is not working
correctly.

The main tasks for this exercise are as follows:

1. Send a message to the Internet, and track it.
2. Implement user-based message tracking to verify mail delivery.
3. Troubleshoot Internet message delivery.

Task 1: Send a message to the Internet, and track it
• On VAN-EX2, log on to Outlook Web App as Anna and send a message to Info@Internet.com.

Task 2: Implement user-based message tracking to verify mail delivery
• Connect to the Exchange Control Panel as Anna, and use the Delivery Reports page to track the
message she sent. Search for messages sent to Info@Internet.com.

Task 3: Troubleshoot Internet message delivery
1. On VAN-EX1, in Exchange Management Shell, verify that the shell is focused on c:\Program
Files\Microsoft\Exchange Server\v14\scripts, and run d:\10135\labfiles\Lab05Prep2.ps1.
2. On VAN-EX2, send a second message from Anna to Info@Internet.com.
3. On VAN-EX1, in the Exchange Management Console, in the Toolbox node, access Message
Tracking.
4. Log on to Exchange Control Panel as Administrator, and track the message that Anna sent. Verify
that the message state is pending.
5. Use Mail Flow Troubleshooter to troubleshoot mail problems. When starting the Mail Flow
Troubleshooter, choose the option to troubleshoot the symptom Messages are backing up in one or more
queues on a server. Choose VAN-EX1 as the Exchange Server. Review the information on each wizard
page, and identify the proposed root cause for the issue.
6. On VAN-DC1, use nslookup to try to locate the MX records for internet.com.
7. Configure a smart host in your Send connector.
8. Verify that the messages are now delivered.

Results: After this exercise, you should have used tools like Mail Flow Troubleshooter, Queue Viewer,
Message Tracking, and nslookup to investigate why messages are not delivered to the Internet.

To prepare for the next module
When you finish the lab, revert the virtual machines back to their initial state by completing the following
steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start.

5. To connect to the virtual machine for the next module’s lab, click 10135A-VAN-DC1, and then in the
Actions pane, click Connect.

Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting
the other virtual machines.

7. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.
8. Wait for VAN-EX1 to start, and then start VAN-SVR1. Connect to the virtual machine.

Module Review and Takeaways

Common Issues Related to Managing Message Transport


Identify the causes for the following common issues related to Managing Message Transport, and fill in
the troubleshooting tips. For answers, refer to relevant lessons in the module.

Issue: You configure a Send Connector to the Internet, but messages cannot be transferred over it.
Troubleshooting tip: Use Telnet on the Hub Transport server that is trying to send the mail, and connect to
the target SMTP server on the Internet to see what the issue is. Many times you cannot reach it because of
DNS resolution or firewall settings.

Issue: You want to understand over what hops the message has been transferred.
Troubleshooting tip: Use Message Tracking or view the header of the message in Outlook Web App.

Issue: Your Exchange Server does not accept messages for the domain adatum-info.com.
Troubleshooting tip: Verify that this domain is part of the Accepted Domains in Organization Configuration
under Hub Transport.
Implementing Messaging Security 6-1

Module 6
Implementing Messaging Security
Contents:
Lesson 1: Deploying Edge Transport Servers 6-3
Lesson 2: Deploying an Antivirus Solution 6-19
Lab A: Configuring Edge Transport Servers and Forefront Protection 2010 6-27
Lesson 3: Configuring an Anti-Spam Solution 6-31
Lesson 4: Configuring Secure SMTP Messaging 6-44
Lab B: Implementing Anti-Spam Solutions 6-57

Module Overview

The Edge Transport server role is designed to be placed directly in a perimeter network, which means it is
exposed directly to the Internet. Placing a server directly on the Internet raises numerous security concerns.
This module describes how to plan for and deploy a Microsoft® Exchange Server 2010 Edge Transport
server role, and the security issues related to the deployment.

This module describes how to configure secure Simple Mail Transfer Protocol (SMTP) messaging as well as
Domain Security, a feature available in Exchange Server 2007 and later versions. The Edge Transport role
provides powerful anti-spam functionalities, and some antivirus features. As the Edge Transport role does
not include a virus scanner, you can integrate additional antivirus products such as Microsoft®
Forefront® Protection for Exchange Server.
After completing this module, you will be able to:
• Deploy Edge Transport servers.
• Deploy an antivirus solution.
• Configure an anti-spam solution.
• Configure secure SMTP messaging.

Lesson 1
Deploying Edge Transport Servers

In any Exchange Server deployment, it is important that you do not expose too much information to the
Internet. You must ensure critical data such as e-mail messages are protected from unauthorized access
from the Internet. The Edge Transport server role provides functionalities that secure this data from
unauthorized Internet access. If you are planning to place a server in your perimeter network, you should
plan to use an Edge Transport server.
This lesson describes features and functionalities of the Edge Transport server role, and explains how you
can configure data synchronization between Active Directory® directory service and the Edge Transport
server.

After completing this lesson, you will be able to:


• Describe the Edge Transport server role.
• Identify the infrastructure requirements for the Edge Transport server role.
• Describe the functionality of Active Directory Lightweight Directory Services (AD LDS).
• Configure Edge Transport servers.
• Describe the purpose and functionality of Edge Synchronization.
• Explain how Internet message flow works in Exchange Server 2010.
• Describe the concept of cloned configuration.
• Configure Edge synchronization.
• Describe how to secure Edge Transport servers.

What Is the Edge Transport Server Role?

Key Points
The Edge Transport server role in Exchange Server 2010 provides a secure SMTP gateway for all incoming
and outgoing e-mail in an organization. As an SMTP gateway, the Edge Transport server’s primary role is
to maintain message hygiene, which includes anti-spam and antivirus filtering. You also can use the Edge
Transport server to apply messaging policies to messages that are sent to the Internet.

Edge Transport Server Role Functionality


The Edge Transport server role provides the following functionalities.

Feature: Internet message delivery
Description: The Edge Transport server role accepts all e-mail coming into the Exchange Server 2010
organization from the Internet, and from servers in external organizations.

Feature: Antivirus and anti-spam protection
Description: The Exchange Server 2010 Edge Transport server role helps prevent spam messages and
viruses from reaching your organization’s users by using a collection of agents that provide different layers
of spam filtering and virus protection.

Feature: Edge transport rules
Description: Edge transport rules control the flow of messages that are sent to, or received from, the
Internet. Edge transport rules apply actions to messages that meet specified conditions.

Feature: Address rewriting
Description: Address rewriting enables SMTP address modification for any of your organization’s message
senders or recipients.

Edge Transport Servers Deployment Considerations


When planning to deploy Edge Transport servers, consider the following factors:

• You cannot combine the Edge Transport server role with any other Exchange Server 2010 server role.
To provide increased security, you must install the Edge Transport server role on a separate computer,
which can be virtual or physical.
• The computer should not be a member of an Active Directory domain.

Note: You should not install the Edge Transport server role on a computer that is a member of the
internal Active Directory domain, but you can install it in a perimeter network forest. Even if you
install the Edge Transport server role on a member server, the server still uses Active Directory
Application Mode (ADAM) or AD LDS to store its configuration and recipient information.

• You should deploy the Edge Transport server role in a perimeter network to ensure network isolation
from both the internal network and the internal Exchange servers.

Edge Transport Server Role Infrastructure Requirements

Key Points
The Edge Transport server role is different from any other Exchange Server 2010 server role, because you
can install it on servers running the Windows Server® 2008 operating system that are not members of the
internal Active Directory Domain Services (AD DS). This configuration makes it much easier and more
secure to deploy Edge Transport servers in a perimeter network. When deploying Edge Transport servers,
consider the following infrastructure requirements:
• You can install Edge Transport servers either on standalone servers, or on servers that are members of
an extranet domain. The computer running the Edge Transport server role must have a fully qualified
domain name (FQDN) configured.
• You must deploy Edge Transport servers in a perimeter network. This configuration provides the
highest level of security.
• The firewall configuration required for Edge Transport servers is greatly simplified, because the server
does not need to be an internal domain member. The following table describes the firewall
configuration requirements.

Firewall: External
Firewall rule: Allow port 25 from all external IP addresses to the Edge Transport server.
Explanation: This rule enables SMTP hosts on the Internet to send e-mail.

Firewall: External
Firewall rule: Allow port 25 to all external IP addresses from the Edge Transport server.
Explanation: This rule enables the Edge Transport server to send e-mail to SMTP hosts on the Internet.

Firewall: External
Firewall rule: Allow port 53 to all external IP addresses from the Edge Transport server.
Explanation: This rule enables the Edge Transport server to resolve Domain Name System (DNS) names on
the Internet.

Firewall: Internal
Firewall rule: Allow port 25 from the Edge Transport server to specified Hub Transport servers.
Explanation: This rule enables the Edge Transport server to send inbound SMTP e-mail to Hub Transport
servers.

Firewall: Internal
Firewall rule: Allow port 25 from specified Hub Transport servers to the Edge Transport server.
Explanation: This rule enables the Hub Transport servers to send e-mail to the Edge Transport server.

Firewall: Internal
Firewall rule: Allow port 50636 for secure Lightweight Directory Access Protocol (LDAP) from specified Hub
Transport servers to the Edge Transport server.
Explanation: This rule enables the Hub Transport server to replicate information to the Edge Transport
servers using Edge Synchronization. This port is not the default Secure LDAP port, but it is used specifically
for the Edge Synchronization process.

Firewall: Internal
Firewall rule: Allow port 3389 for Remote Desktop Protocol (RDP) from the internal network to the Edge
Transport server.
Explanation: This rule is used for optional remote desktop administration of the Edge Transport server.

• If the Edge Transport server directly routes e-mail to the Internet, you must configure the server with
the IP addresses for Domain Name System (DNS) servers that can resolve DNS names on the Internet.
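An added example, not part of the course, that applies the same rules as the firewall table above to the Windows Firewall on the Edge Transport server itself, so the host enforces the policy even if a perimeter rule is broader than intended. It uses netsh advfirewall because Windows Server 2008 has no NetSecurity PowerShell module; the Hub Transport and management addresses are assumed placeholders.

```powershell
# Added example (not from the course). Run in an elevated PowerShell session on the
# Edge Transport server. Addresses below are placeholders; substitute your own.

$hubServers = "10.10.0.10,10.10.0.11"   # assumed: internal Hub Transport servers
$mgmtSubnet = "10.10.0.0/24"            # assumed: internal management network

# Default-deny in both directions on every profile; only the rules below are allowed.
# Add further outbound rules for anything else the host needs (time sync, updates).
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# External side of the table: inbound SMTP from anywhere, outbound SMTP and DNS to anywhere.
netsh advfirewall firewall add rule name="Edge SMTP in from Internet" dir=in  action=allow protocol=TCP localport=25  remoteip=any
netsh advfirewall firewall add rule name="Edge SMTP out to Internet"  dir=out action=allow protocol=TCP remoteport=25 remoteip=any
netsh advfirewall firewall add rule name="Edge DNS out (UDP)"         dir=out action=allow protocol=UDP remoteport=53 remoteip=any
netsh advfirewall firewall add rule name="Edge DNS out (TCP)"         dir=out action=allow protocol=TCP remoteport=53 remoteip=any

# Internal side: SMTP in both directions only with the listed Hub Transport servers.
netsh advfirewall firewall add rule name="Edge SMTP in from Hub" dir=in  action=allow protocol=TCP localport=25  remoteip=$hubServers
netsh advfirewall firewall add rule name="Edge SMTP out to Hub"  dir=out action=allow protocol=TCP remoteport=25 remoteip=$hubServers

# EdgeSync: secure LDAP on 50636 (not the standard 636), from Hub Transport servers only.
netsh advfirewall firewall add rule name="Edge EdgeSync LDAPS in" dir=in action=allow protocol=TCP localport=50636 remoteip=$hubServers

# Optional RDP administration, restricted to the management network.
netsh advfirewall firewall add rule name="Edge RDP in" dir=in action=allow protocol=TCP localport=3389 remoteip=$mgmtSubnet

# Verify: list the rules just created.
netsh advfirewall firewall show rule name=all | Select-String -Pattern "Rule Name:\s+Edge "
```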

What Is AD LDS?

Key Points
The Edge Transport server does not use the Active Directory directory service to store its configuration
information; instead, Edge Transport servers use AD LDS to store this data.

Note: AD LDS runs only on Windows Server 2008 computers, while the ADAM service can run on
Windows Server 2003 computers. AD LDS is an update of ADAM.

What Is AD LDS?
AD LDS is a special mode of the AD DS that stores information for directory-enabled applications. AD LDS
is an LDAP-compatible directory service that runs on servers running the Windows Server 2008 operating
system. AD LDS is designed to be a standalone directory service. It does not require the deployment of
DNS, domains, or domain controllers; instead, it stores and replicates only application-related information.

How AD LDS Works with Exchange Server 2010 Edge Transport Servers
AD LDS stores configuration and recipient data for the Exchange Server 2010 Edge Transport server role.
Before you can install the Edge Transport server role, you must install the AD LDS server role on a
Windows Server 2008 computer. AD LDS is then configured automatically when you install the Edge
Transport server role. The following types of information are stored in AD LDS:
• Schema
• Configuration
• Recipient information

Managing AD LDS
The AD LDS database is stored in the %programfiles%\Microsoft\Exchange
Server\TransportRoles\data\Adam directory. The primary database is adamntds.dit, which is similar to the
databases that Exchange Server uses for mailbox stores and mail queue databases.

In general, minimal administration is required for the AD LDS instance running on an Edge Transport
server. You can make most changes to the AD LDS directory information using Exchange Server 2010
management tools.

Note: Before installing the Edge Transport server role, you must install AD LDS on the computer.
However, you do not need to perform any configuration steps in AD LDS before installing the Edge
Transport server role.

Demonstration: How to Configure Edge Transport Servers

Key Points
In this demonstration, you will review the Edge Transport server role default configuration before
implementing Edge Synchronization.

Demonstration Steps
1. Open the Exchange Management Console.
2. Review the Edge Transport server role’s default configuration settings including the default anti-spam
settings, Send and Receive Connectors and Accepted Domains.

What Is Edge Synchronization?

Key Points
Edge synchronization is a process that replicates information from Active Directory directory service to AD
LDS on Edge Transport servers. Because Edge Transport servers are not joined to the internal Active
Directory domain, they cannot directly access the Exchange Server organization configuration or recipient
information that is stored in Active Directory. EdgeSync enables the shared information to be replicated
from Active Directory directory service to AD LDS.
You can deploy Edge Transport servers without using EdgeSync, but using EdgeSync can decrease the
effort needed to administer the Edge Transport servers. Active Directory contains much of the
configuration information required by the Edge Transport server. For example, if you configure accepted
domains on the Hub Transport servers, these accepted domains can be replicated automatically to the
Edge Transport servers.

To enable any filtering or transport rules that are based on recipients, you must implement EdgeSync to
replicate the recipient information to AD LDS.

Best Practice: When you deploy Edge Transport servers, it is strongly recommended that you also
deploy Edge Synchronization.

Information Replicated by Edge Synchronization

After you enable Edge Synchronization, the Edge Synchronization process establishes connections
between a Hub Transport server and the Edge Transport server, and synchronizes configuration and
recipient information between Active Directory and AD LDS.

Important: The internal Hub Transport servers, and not the Edge Transport servers, always initiate
EdgeSync replication. EdgeSync replication traffic is always encrypted using Secure LDAP.

During synchronization, EdgeSync replicates the following data from Active Directory directory service to
AD LDS:
• Accepted domains
• Recipients (hashed)
• Safe senders (hashed)
• Send connectors
• Hub Transport server list (for dynamic connector generation)

Note: The recipient and safe sender data are hashed using a one-way hash, which prevents an
attacker from retrieving recipient information from the Edge Transport server.

How Internet Message Flow Works

Key Points
The primary function of the Edge Transport server is to secure both inbound and outbound Internet e-
mail. After you configure an Edge subscription between your organization’s Hub Transport servers and the
Edge Transport servers in the perimeter network, both inbound and outbound Internet e-mail is enabled.

Default Message Transfer

After you enable EdgeSync, e-mail flows through the Exchange server organization using the following
steps:
1. A user submits a message through a Client Access server to the Mailbox server. The Hub Transport
server retrieves the message from the Mailbox server, and categorizes it for delivery. In this scenario,
the message recipient is outside the organization.
2. The Hub Transport server determines that it must use the “EdgeSync – sitename to Internet” Send
connector to send e-mail to the Internet. It locates the Edge Transport server that is configured as the
bridgehead server for the connector.
3. The Hub Transport server forwards the message to the Edge Transport server, which sends the e-mail
message to the Internet using the “EdgeSync – sitename to Internet Send Connector”.
4. For inbound messages, the sending SMTP server connects to the Edge Transport server. The Edge
Transport server accepts this connection using the “Default internal receive connector SERVERNAME”,
which is configured to accept anonymous connections on port 25 from all IP addresses. The Edge
Transport server applies all virus and spam-filtering rules.
5. If the message is accepted, the Edge Transport server uses the “EdgeSync – Inbound to sitename”
connector to forward the message to a Hub Transport server configured to accept Internet messages.
6. The Hub Transport server uses the “Default SERVERNAME” connector to receive the message, and
then forwards the message to the appropriate Mailbox server.

Note: You can modify the default message flow by creating additional SMTP connectors. For
example, you may need to create a new SMTP send connector to send e-mail to a specific destination
domain. You can do this by creating a new send connector, and then configuring the destination
domain name as the address space for the connector. Finally, configure the connector to support the
unique message-routing requirements for messages sent to the domain.

Demonstration: How to Configure Edge Synchronization

Key Points
In this demonstration, you will see how to enable Edge synchronization and test that it is working. You
also will see how to configure address rewriting.

Demonstration Steps
1. On the Edge Transport server, in the Exchange Management Shell, run the New-EdgeSubscription -
FileName “c:\van-edge.xml” command.
2. Import the Edge subscription file using the Exchange Management Console on the Hub Transport
server.
3. Use Start-EdgeSynchronization and Test-EdgeSynchronization to test Edge synchronization.
4. Review the changes made to the Edge Transport server after Edge Synchronization.
5. Configure address rewriting using the New-AddressRewriteEntry command.

What Is Cloned Configuration?

Key Points
Cloned configuration is the process of configuring multiple Edge Transport servers with identical
configurations. The Exchange Server transport services running on Edge Transport servers do not support
Windows® Failover Clustering. A failover cluster provides high availability by making application software
and data available on several servers that are linked together in a cluster configuration. But since failover
clustering is not available with Exchange Server transport services, to achieve high availability for
messaging transport, you should ensure that multiple Edge Transport servers are available at all times.
You can use cloned configuration to ensure that all the Edge Transport servers have the same
configuration. You only configure one server, and export the configuration to an XML file that is then
imported to the target servers.

Note: Although AD LDS supports directory replication, Exchange Server 2010 does not provide an
option to use directory replication for configuring multiple Edge Transport servers. You must use
cloned configuration if you want to automate this process, and you must repeat the edge-cloning
steps each time you make a configuration change on one of the servers.

Configuring Cloned Configuration

To configure cloned configuration, use the ExportEdgeConfig.ps1 and ImportEdgeConfig.ps1 scripts to
export configuration information from one Edge Transport server and import it to an identically configured
Edge Transport server. You can also use the scripts to test configuration changes and offer rollback
assistance, or to assist in disaster recovery when you deploy a new Edge Transport server or replace a
failed server.
To configure cloned configuration, you must perform the following three steps:

1. During the export configuration phase, export the configuration information from an existing Edge
Transport server into an XML file. Use the ExportEdgeConfig.ps1 script to export the information.
2. Validate the configuration on the target server. In this step, you run the ImportEdgeConfig.ps1 script.
This script checks the existing information in the intermediate XML file to see whether the exported
settings are valid for the target server, and then it creates an answer file. The answer file specifies the
server-specific information used during the next step when you import the configuration on the
target server. The answer file contains entries for each source server setting that is not valid for the
target server. You can modify these settings so that they are valid for the target server. If all settings
are valid, the answer file contains no entries.
3. During the import-configuration phase, use the ImportEdgeConfig.ps1 script to import the
information from both the intermediate XML file and the answer file, into a new Edge Transport
server.

The ExportEdgeConfig.ps1 and ImportEdgeConfig.ps1 files are Windows PowerShell™ scripts, not
individual cmdlets. The scripts are located in the %programfiles%\Microsoft\Exchange\v14\Scripts folder
on all servers running Exchange Server 2010.
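The three phases above as one annotated Exchange Management Shell walkthrough. This is an added example, not course material; the server names and file paths are assumptions, and the parameters used are those of the ExportEdgeConfig.ps1 and ImportEdgeConfig.ps1 scripts.

```powershell
# Added example (not course material): clone the configuration of Edge
# Transport server EDGE1 onto EDGE2. Server names and paths are assumptions.
# The scripts live in the Exchange Scripts folder; the environment variable
# below is created by Exchange Server 2010 setup.
$scripts = Join-Path $env:ExchangeInstallPath "Scripts"

# --- Phase 1, on EDGE1 (source): export the configuration to an XML file.
# The file describes the whole transport configuration of the server, so keep
# it on protected storage and copy it to EDGE2 over a trusted channel.
& "$scripts\ExportEdgeConfig.ps1" -CloneConfigData:"C:\CloneConfigData.xml"

# --- Phase 2, on EDGE2 (target): validate only (-IsImport $false). Settings
# that are not valid on this server (for example a receive connector bound to
# EDGE1's IP address) are written to the answer file for you to correct.
& "$scripts\ImportEdgeConfig.ps1" -CloneConfigData:"C:\CloneConfigData.xml" `
    -IsImport $false -CloneConfigAnswer:"C:\CloneConfigAnswer.xml"

# An answer file with no entries means every setting applies unchanged;
# otherwise edit the listed entries before importing.
Get-Content "C:\CloneConfigAnswer.xml"

# --- Phase 3, on EDGE2: import the XML together with the (edited) answer file.
& "$scripts\ImportEdgeConfig.ps1" -CloneConfigData:"C:\CloneConfigData.xml" `
    -IsImport $true -CloneConfigAnswer:"C:\CloneConfigAnswer.xml"

# Quick check that the clone took: the connector bindings and address spaces on
# EDGE2 should now match what you intended for this server.
Get-ReceiveConnector | Format-Table Name, Bindings, RemoteIPRanges -AutoSize
Get-SendConnector    | Format-Table Name, AddressSpaces, SmartHosts -AutoSize
```

Repeat phases 1 to 3 after every configuration change on the source server, as the note above explains.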

Discussion: Securing Edge Transport Servers

Key Points
The Edge Transport servers in an organization directly face the Internet, and consequently are the most
exposed to attack. Therefore, it is critical that you secure the Edge Transport servers. You can use the
various options available in Exchange Server 2010 to secure Edge Transport servers based on your
organizational requirements.

Discussion Questions
Based on your experience, consider the following questions:

Question: Why is it important to secure Edge transport servers?

Question: What factors should you consider at the operating system level?

Question: How do you secure an Edge Transport server?



Lesson 2
Deploying an Antivirus Solution

Although Exchange Server 2010 already provides some basic antivirus features, it is important to
implement a separate antivirus product such as Forefront Protection 2010 for Exchange Server. This lesson
describes the importance of protecting your Exchange Server organization from virus attacks, and also
describes the features of Forefront Protection 2010 for Exchange Server.

After completing this lesson, you will be able to:


• Describe antivirus solution features.
• Describe the Forefront Protection 2010 for Exchange Server features.
• Explain the Forefront Protection 2010 deployment options.
• Explain the best practices for deploying an antivirus solution.
• Install and configure Forefront Protection 2010 for Exchange Server.

Antivirus Solution Features in Exchange Server 2010

Key Points
E-mail is one of the most common ways to spread viruses from one organization to another. One of the
primary tasks in protecting your Exchange Server organization is to ensure that all messages containing
viruses are stopped at the messaging environment’s perimeter.
Exchange Server 2010 includes the following virus protection features:
• Continuing support of the Virus Scanning application programming interface (VSAPI). In Exchange
Server 2010, Microsoft maintains support for the same VSAPI used in Exchange Server 2003 and
Exchange Server 2007.
• Transport agents that filter and scan messages. Exchange Server 2010 introduces the concept of
transport agents—such as the attachment filtering agent—to reduce spam and viruses. By enabling
attachment filtering on the Edge Transport or Hub Transport servers, you can reduce the spread of
malware attachments before they enter the organization. Additionally, third-party vendors can create
transport agents that specifically scan for viruses. Because all messages must pass through a Hub
Transport server, this is an efficient and effective means to scan all messages in transit.
• Antivirus stamping. Antivirus stamping reduces how often a message is scanned as it proceeds
through an organization. It does this by stamping scanned messages with the version of the antivirus
software that performed the scan and the scan results. This antivirus stamp travels with the message
as it is routed through the organization, and determines whether additional virus scanning must be
performed on a message.
• Integration with Forefront Protection 2010 for Exchange Server. Forefront Protection 2010 for
Exchange Server is an antivirus solution from Microsoft that integrates with Exchange Server 2010 to
provide advanced protection, optimized performance, and centralized management. This helps
customers deploy and maintain a secure messaging environment. Forefront Protection 2010 for
Exchange Server provides:
• Advanced protection against viruses, worms, phishing, and other threats by using up to five
antivirus engines simultaneously at each layer of the messaging infrastructure.
• Optimized performance through coordinated scanning across Edge Transport servers, Hub
Transport servers, and Mailbox servers and features, such as in-memory scanning, multithreaded
scanning processes, and performance bias settings.
• Centralized management of remote installation, engine and signature updating, and reporting
and alerts through the Forefront Online Server Security Management Console.

What Is Forefront Protection 2010 for Exchange Server?

Key Points
Forefront Protection 2010 for Exchange Server is a separate antivirus software package that you can
integrate with Exchange Server 2010 to provide antivirus protection for the Exchange environment.
The following table lists the benefits of implementing Forefront Protection 2010 for Exchange Server.

Service                               Description
Antivirus scan with multiple engines  You can automatically scan messages using multiple virus pattern engines, not just a single one.
Full support for VSAPI                Forefront Protection 2010 for Exchange Server fully supports the Exchange VSAPI.
Microsoft IP Reputation Service       Provides sender reputation information about IP addresses that are known to send spam. This is an IP-block list offered exclusively to Exchange Server.
Spam Signature updates                Identifies the most recent spam campaigns. The signature updates are available on an as-needed basis, up to several times a day.
Premium spam protection               Includes automated updates for this filter, available on an as-needed basis, up to several times a day.
Automated content filtering updates   Automated content filtering updates for Microsoft SmartScreen spam heuristics, phishing Web sites, and other Intelligent Message Filter (IMF) updates.

Forefront Protection 2010 Deployment Options

Key Points
When you implement Forefront Protection 2010 for Exchange Server, you must consider the various
deployment options.

Install Forefront Protection 2010

First, you need to determine the servers on which you plan to install Forefront Protection 2010. The
number of servers on which you install Forefront Protection 2010 also depends on cost, because you need
a server license for each of them.
• As a baseline, you should at least deploy Forefront Protection 2010 for Exchange Server on all Edge
and Hub Transport servers.
• For full protection, you should deploy Forefront Protection 2010 for Exchange Server on all Edge
Transport, Hub Transport, and Mailbox servers.
You do not need to install Forefront Protection 2010 on the Client Access server role, because Forefront is
only needed on the Mailbox, Edge or Hub Transport server roles.
As previously mentioned, Forefront Protection 2010 for Exchange Server scans each e-mail message only
once, and then stamps it with a special AV stamp so that other servers do not scan that message again.
This also means that you do not need to scan on the Mailbox servers, because any message that enters or
leaves the system is eventually scanned by Forefront Protection 2010 when you install it on the Edge and
Hub Transport servers. However, it is up to your security team to decide on this matter.

Forefront Protection 2010 Scanning Considerations

After you decide the servers on which you want to deploy Forefront Protection 2010, you must consider
how many scan engines you should use to scan a message, and the types of scan engines that you should
use.
As a best practice, you should use five scanners as this provides an optimum combination with third-party
virus scanners. You can also change the selection of the virus scanners later.

Best Practices for Deploying an Antivirus Solution

Key Points
Although implementing an antivirus solution in Exchange Server is straightforward, there are some factors
that you should keep in mind when choosing and configuring an antivirus solution.

Implementing Multiple Antivirus Layers

To provide enhanced security against viruses, you should implement multiple layers of antivirus
protection. A virus can enter your organization from the Internet through an e-mail, or from a non-
protected client within your company. Thus, it is a best practice to implement several layers of antivirus
protection such as a firewall, Edge Transport server, and at the client-computer level.

Maintaining Regular Antivirus Updates

Installing the antivirus product does not automatically mean that your organization is fully protected.
Regular antivirus pattern updates are critical to a well-implemented antivirus solution. You should also
verify frequently that your antivirus patterns are up to date.

If you have a Microsoft System Center Operations Manager 2007 environment in your organization, you
can also use the Forefront Server Security Management Pack to monitor Forefront Protection 2010.

Demonstration: How to Install and Configure Forefront Protection 2010 for Exchange Server

Key Points
In this demonstration, you will see how to install and configure Forefront Protection 2010 for Exchange
Server, and how to manage Forefront Protection 2010.

Demonstration Steps
1. Install Forefront Protection 2010 for Exchange Server.
2. Open the Forefront Protection 2010 administration console.
3. Configure Antimalware - Edge Transport settings.
4. Configure Antispam - Content Filter settings.
5. Configure Global Settings.

Lab A: Configuring Edge Transport Servers and Forefront Protection 2010

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and the 10135A-VAN-SVR1 virtual machines
are running:
• 10135A-VAN-DC1: Domain controller in the Adatum.com domain
• 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain
• 10135A-VAN-SVR1: Standalone server
3. If required, connect to the virtual machines. Log on to VAN-DC1 and
VAN-EX1 as Adatum\Administrator, using the password Pa$$w0rd.
4. Log on to VAN-SVR1 as Administrator, using the password Pa$$w0rd.
5. On the host computer, in Hyper-V™ Manager, click VAN-SVR1, and in the Actions pane, click
Settings.
6. Click DVD Drive, click Image file, and then click Browse.
7. Browse to C:\Program Files\Microsoft Learning\10135\Drives, click EXCH201064.iso, and then
click Open.
8. Click OK.
9. On VAN-SVR1, dismiss the Autoplay dialog box.

Lab Scenario
You are a messaging administrator in A. Datum Corporation, which is a large multinational organization.
Your organization has deployed Exchange Server 2010 internally, and now must extend it so that
everyone within the corporation can send and receive Internet e-mail.

As part of your job responsibilities, you need to set up an Edge Transport server, and then install an
antivirus solution to scan all mail.

Exercise 1: Configuring Edge Transport Servers

Scenario
Your organization has internally deployed Exchange Server 2010, and now wants to use the Edge
Transport server role to replace an existing smart host. You need to deploy the Edge Transport server role,
and verify that Internet message flow is working.

The main tasks for this exercise are as follows:

1. Install the Edge Transport Server role.
2. Configure Edge Synchronization.
3. Verify that EdgeSync is working and that AD LDS contains data.
4. Verify that Internet message delivery works.

Task 1: Install the Edge Transport Server role

• On VAN-SVR1, install the Edge Transport Server role using the Exchange Management Shell.

Task 2: Configure Edge Synchronization

1. Create a new Edge Subscription on the Edge Transport server by using the New-EdgeSubscription -
FileName “c:\VAN-SVR1.xml” cmdlet.
2. Copy the xml file to the C: drive on VAN-EX1.
3. On VAN-EX1, in the Exchange Management Console, add the edge subscription to the Hub Transport
server.

Task 3: Verify EdgeSync is working, and that AD LDS contains data

1. On VAN-EX1, use the Start-EdgeSynchronization cmdlet to force an immediate Edge
Synchronization.
2. Use the Test-EdgeSynchronization cmdlet to test Edge Synchronization.
3. Run the Get-User -Identity Wei | ft Name, GUID cmdlet to obtain the globally unique identifier
(GUID) for Wei Yu.
4. On VAN-SVR1, open LDP and connect to VAN-SVR1 using port 50389.
5. Open the CN=Recipients,OU=MSExchangeGateway container and verify that Wei Yu’s GUID is
listed.
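The subscription, forced synchronization and AD LDS check from the demonstration earlier in this module and from Tasks 2 and 3 above, as one annotated Exchange Management Shell script. This is an added example, not course material; the server roles (VAN-SVR1 as Edge Transport, VAN-EX1 as Hub Transport), the site name Default-First-Site-Name, Wei's SMTP address, and the assumption that EdgeSync names the replicated recipient object by the user's GUID are all assumptions.

```powershell
# Added example (not course material): subscribe an Edge Transport server,
# force EdgeSync, and confirm the replicated recipient directly in AD LDS.
# Assumptions: VAN-SVR1 = Edge Transport server, VAN-EX1 = Hub Transport
# server, AD site = Default-First-Site-Name, Wei's address = Wei@Adatum.com.

# --- Run on VAN-SVR1 (Edge Transport server) ---
# The subscription file carries the credentials the Hub Transport servers use
# to bind to AD LDS: copy it over a trusted channel and delete it after import.
New-EdgeSubscription -FileName "C:\VAN-SVR1.xml"

# --- Run on VAN-EX1 (Hub Transport server) after copying C:\VAN-SVR1.xml ---
$fileData = [System.IO.File]::ReadAllBytes("C:\VAN-SVR1.xml")
New-EdgeSubscription -FileData $fileData -Site "Default-First-Site-Name" `
    -CreateInternetSendConnector $true -CreateInboundSendConnector $true
Remove-Item "C:\VAN-SVR1.xml"
Get-EdgeSubscription | Format-Table Name, Site -AutoSize

# Replication normally runs on a schedule; force it, then test every
# subscribed Edge server and check that a specific recipient was replicated.
Start-EdgeSynchronization -Server VAN-EX1 -ForceFullSync
Test-EdgeSynchronization -VerifyRecipient "Wei@Adatum.com" | Format-List

# Wei's GUID is the value the lab looks up in LDP.
$guid = (Get-User -Identity Wei).Guid.ToString()

# --- Run on VAN-SVR1: query AD LDS on its LDAP port (50389) directly ---
# Same container the lab inspects with LDP: CN=Recipients,OU=MSExchangeGateway.
# Assumption: the replicated object is named by the recipient's GUID, so a
# wildcard match on cn finds it whether or not the name carries braces.
$path = "LDAP://VAN-SVR1:50389/CN=Recipients,OU=MSExchangeGateway"
$root = New-Object System.DirectoryServices.DirectoryEntry($path)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root, "(cn=*$guid*)")
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
$result = $searcher.FindOne()
if ($result -ne $null) {
    "Recipient $guid is present in AD LDS: $($result.Path)"
} else {
    Write-Warning "Recipient $guid not found in AD LDS; review the Test-EdgeSynchronization output."
}
```

Only the recipient's GUID and hashed addresses are visible in AD LDS, which is what the note on one-way hashing earlier in the module describes.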

Task 4: Verify that Internet message delivery works

1. Configure the EdgeSync Send Connector to use 10.10.0.10 as a smart host for e-mail delivery.
2. Log on to Microsoft Outlook® Web App as Wei, and send a test message to the Internet to verify it is
working. If you do not receive a non-delivery report, the message has been sent outside the
organization.

Results: After this exercise, you should have installed an Edge Transport server role, and configured
Edge Synchronization between a Hub Transport and an Edge Transport server.

Exercise 2: Configuring Forefront Protection 2010 for Exchange Servers

Scenario
Virus prevention is critical to your organization’s security. As the messaging administrator, you are
required to install virus scanning software to scan every message and automatically remove viruses. To
implement this functionality, you must install antivirus software and configure it accordingly.

The main tasks for this exercise are as follows:

1. Install Forefront Protection 2010 for Exchange Server.
2. Configure Forefront Security for Exchange Server.
3. Verify antivirus functionality.

Task 1: Install Forefront Protection 2010 for Exchange Server

1. On the host computer, attach the C:\Program Files\Microsoft Learning\10135\Drives\ForeFrontInstall.iso
file to the 10135A-VAN-SVR1 virtual machine. Close the Autoplay dialog box.
2. On VAN-SVR1, install Forefront Protection 2010 for Exchange Server. Accept all defaults, except
choose to enable anti-spam later.

Task 2: Configure Forefront Protection 2010 for Exchange Server

1. Open the Microsoft Forefront Server Security Administration Console.
2. Configure the following antimalware settings:
• Scan messages with all engines.
• Delete messages with viruses.
• On the Policy Management pane, expand Global Settings, and then click Advanced Options.
3. Configure the following global settings:
• Increase the value of Maximum nested depth compressed files to 10 and Maximum nested
attachments to 50.
• Configure the Intelligent Engine management as manual.
• Change the update schedule for Norman Virus Control to update at 00:30 every day.

Results: After this exercise, you should have installed Forefront Protection 2010 for Exchange and
configured it. You also should have tested the antivirus functionality of Forefront Protection 2010 for
Exchange.

To prepare for the next lab

• Do not shut down the virtual machines and revert them back to their initial state when you finish this
lab. The virtual machines are required to complete this module’s last lab.

Lesson 3
Deploying an Anti-Spam Solution

Spam messages can adversely impact the messaging environment of an organization. Therefore,
implementing an anti-spam solution is a critical component of maintaining your organization’s messaging
environment hygiene. Exchange Server 2010 includes several features that you can use to implement anti-
spam protection in your organization.

This lesson provides an overview of the options available for anti-spam filtering, and describes how you
can configure your Edge Transport servers to reduce spam in your organization.

After completing this lesson, you will be able to:


• Describe the spam-filtering features available in Exchange Server 2010.
• Explain how Exchange Server 2010 applies spam filters.
• Describe the concept of Sender ID filtering.
• Describe the concept of Sender Reputation filtering.
• Describe the concept of content filtering.
• Configure anti-spam options.

Overview of Spam-Filtering Features

Key Points
The spam-filtering functionality available on the Edge Transport server provides the most benefit when you
deploy the server to route all e-mail to and from the Internet. You can implement this anti-spam
functionality using a series of Edge Transport server transport agents.

Note: Forefront Protection 2010 for Exchange Server provides more frequent updates for the anti-spam
patterns than the built-in anti-spam features of Exchange Server 2010. Typically, the built-in anti-spam
pattern is updated daily, whereas in Forefront Protection 2010 you can configure the updates to occur
multiple times a day.

Edge Transport Server Anti-Spam Agents

The following table lists the anti-spam agents implemented during the default installation of an Edge
Transport server:

Agent                        Default status   Description
Connection Filtering         Enabled          Filters messages based on the IP address of the remote server that is trying to send the message. Connection filtering uses IP Block lists and IP Allow lists.
Content Filtering            Enabled          Filters messages based on the message contents. This agent uses SmartScreen technology to assess the message contents. It also supports safelist aggregation.
Sender ID                    Enabled          Filters messages by verifying the IP address of the sending SMTP server against the purported owner of the sending domain.
Sender Filtering             Enabled          Filters messages based on the sender in the MAIL FROM: SMTP header in the message.
Recipient Filtering          Enabled          Filters messages based on the recipients in the RCPT TO: SMTP header in the message.
Sender Reputation Filtering  Enabled          Filters messages based on many characteristics of the sender accumulated over a specific period.
Attachment Filter            Enabled          Filters messages based on attachment file name, file name extension, or file Multipurpose Internet Mail Extensions (MIME) content type.

Note: You can view all the agents installed on the Edge Transport server by using the
Get-TransportAgent cmdlet on the Edge Transport server. The default Edge Transport server installation
also includes other transport agents, such as the Address Rewriting Inbound Agent, the Address
Rewriting Outbound Agent, and the Edge Rule Agent. You cannot use these agents for spam filtering.

Safelist Aggregation
In Exchange Server 2010, the Content Filter agent on the Edge Transport server uses the Microsoft Office
Outlook® Safe Senders Lists, Safe Recipients Lists, and trusted contacts to optimize spam filtering. Safelist
aggregation is a set of anti-spam functionality that Outlook and Exchange Server 2010 share. This anti-
spam functionality collects data from the anti-spam safe lists that Outlook users configure, and makes this
data available to the anti-spam agents on the Edge Transport server. You must use the Update-Safelist
cmdlet to configure safelist aggregation.

How Exchange Server 2010 Applies Spam Filters

Key Points
The Edge Transport server role in Exchange Server 2010 uses spam-filtering agents to examine each SMTP
connection and the messages sent through it. When an SMTP server on the Internet connects to the Edge
Transport server and initiates an SMTP session, the Edge Transport server examines each message using
the following sequence:
1. When the SMTP session is initiated, the Edge Transport server applies connection filtering using the
following criteria:
• Connection filtering examines the administrator-defined IP Allow list. Administrators might
include the IP addresses for SMTP servers at partner organizations in the IP Allow list. If an IP
address is on the administrator-defined IP Allow list, the server does not apply any other filtering
and accepts the message.
• Connection filtering examines the local IP Block list. Administrators might include the IP
addresses for the SMTP servers of known spam writers, or other servers from which the
organization does not want to receive e-mail, in the IP Block list. If the connection filtering agent
finds the IP address of the sending server on the local IP Block list, the server rejects the message
automatically, and other filters are not applied.
• Connection filtering examines the real-time block list (RBL) of any IP Block List Providers that you
have configured. If the agent finds the sending server’s IP address on an RBL, the server rejects
the message, and other filters are not applied.
2. The Edge Transport server compares the sender’s e-mail address with the list of senders configured in
sender filtering. If the SMTP address is a blocked sender or domain, the server may reject the
connection, and no other filters are applied. Additionally, you can configure the server to accept the
message from the blocked sender, but stamp the message with the blocked sender information and
continue processing. The blocked sender information is included as one of the criteria when content
filtering processes the message.
3. The Edge Transport server examines the recipient against the Recipient Block list configured in
recipient filtering. If Edge Synchronization is enabled, the Edge Transport server can use the
information about recipient filtering from Active Directory. If the intended recipient matches a filtered
e-mail address, the Edge Transport server rejects the message for that particular recipient. If multiple
recipients are listed on the message, and some are not on the Recipient Block list, further processing
is done on the message.
4. Exchange Server 2010 applies Sender ID filtering. Depending on how Sender ID filtering is configured,
the server deletes, rejects, or accepts a message that fails the check. If it accepts the message, it
stamps the Sender ID result (for example, Fail) on the message; content filtering uses a failed Sender
ID status as one of its inputs.
5. The Edge Transport server applies content filtering. Content filtering first compares the sender to the
Safelist aggregation data collected from Office Outlook users. If the sender is on the recipient’s Safe
Senders List, the message is delivered to the user’s mailbox without further content filtering.
Otherwise, the message is assigned a spam confidence level (SCL) rating, and content filtering performs
one of the following actions:
• If the SCL rating meets or exceeds one of the thresholds configured on the Edge Transport server,
content filtering deletes, rejects, or quarantines the message (the delete threshold is tested first,
then reject, then quarantine).
• If the SCL rating is below all of the Edge Transport server thresholds, the message is passed to a
Hub Transport server for delivery to the Mailbox server that holds the user’s mailbox. The SCL travels
with the message and decides whether it lands in the Inbox or in the Junk E-mail folder.

Tip: You can bypass anti-spam filtering for a specific recipient by setting the AntispamBypassEnabled
property to True on the user’s mailbox (a parameter of Set-Mailbox). Messages to that mailbox skip the
anti-spam agents and are delivered directly. Use this sparingly, for example for an abuse or postmaster
mailbox that must receive everything, because that mailbox then receives spam unfiltered.
What Is Sender ID Filtering?

Key Points
The Sender ID Framework is an industry specification that verifies the Internet domain from which each
e-mail message claims to originate, based on the IP address of the server that delivered it. Sender ID
provides protection against e-mail domain spoofing and phishing. Domain owners publish the addresses of
every server that is authorized to send e-mail for their SMTP domain, and receiving organizations can then
treat e-mail for that domain that arrives from any other server as suspect.

Sender Policy Framework (SPF) records


To make Sender ID filtering effective, the owner of each sending domain must publish a Sender Policy
Framework (SPF) record in the domain’s DNS zone. The SPF record is a single text (TXT) record that
identifies the hosts allowed to send e-mail for the domain. A record consists of the version tag v=spf1
followed by mechanisms, each optionally prefixed with a qualifier (+ pass, the default; - fail; ~ soft
fail; ? neutral). The record is evaluated left to right and the first matching mechanism decides the
result, so -all at the end means that any host not matched earlier fails. Examples:
• Adatum.com. IN TXT "v=spf1 mx -all". Any host named in the MX records of the Adatum.com domain can
send e-mail for the domain; every other host fails.
• Adatum.com. IN TXT "v=spf1 a -all". Only the host whose address appears in the A record of Adatum.com
itself can send e-mail for the domain.
• Adatum.com. IN TXT "v=spf1 ip4:10.10.0.20 -all". Only the server with IP address 10.10.0.20 can send
e-mail for the Adatum.com domain. The ip4 mechanism also accepts a CIDR range, such as ip4:10.10.0.0/24.
Publish the record with plain ASCII quotation marks and hyphens; a record pasted from a document with
typographic quotes or dashes is not parsed as SPF.

For more information: Microsoft provides the Sender ID Framework SPF Record Wizard to create
your organization’s SPF records. You can access the wizard on the Sender ID Framework SPF Record
Wizard page on the Microsoft Web site.

Sender ID Configuration
After you publish the SPF record, any destination messaging server that implements Sender ID can verify
whether a message that claims to come from your domain was actually sent by one of your authorized servers.
After you enable Sender ID filtering, the following process shows how all e-mail messages are filtered:

1. The sender transmits an e-mail message to the recipient organization. The destination mail server
receives the e-mail.
2. The destination server determines the purported responsible address (PRA) of the message. The PRA is
the e-mail address that Sender ID considers responsible for the message; it is taken from the message
headers in the order Resent-Sender, Resent-From, Sender, and finally From. The server then queries DNS
for the SPF record of the PRA’s domain and checks whether the IP address of the connecting SMTP server
matches any host that the SPF record authorizes.
3. If the IP address matches, the message passes Sender ID and the destination server continues to
process it for delivery. Other anti-spam filters, such as content filtering, are still applied.
4. If the address does not match, the message fails Sender ID. Depending on the destination server’s
configuration, it deletes or rejects the message, or accepts it and stamps the failed result in the
message headers so that content filtering can weigh it when it calculates the SCL.
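The check in step 2, as an added example that is not part of the course: a minimal SPF evaluator written in PowerShell. It models what the destination server does with the connecting IP address and the PRA domain. The DNS data is a constructed in-memory table (the adatum.com and contoso.com entries and their addresses are assumptions for the example), so it runs offline; a real evaluator resolves TXT, A and MX records and also implements the include, redirect, exists and ptr mechanisms and the ten-lookup limit, which are deliberately left out here.

```powershell
# Added example, not part of the course: a minimal SPF evaluator.
# Constructed DNS data so the example runs offline; real code queries DNS.
$dns = @{
    'adatum.com'      = @{ TXT = 'v=spf1 ip4:10.10.0.20 mx -all'; A = @('10.10.0.5'); MX = @('mail.adatum.com') }
    'mail.adatum.com' = @{ A = @('10.10.0.21') }
    'contoso.com'     = @{ TXT = 'v=spf1 a ~all'; A = @('192.0.2.10') }
}

function ConvertTo-IPv4Number ([string]$ip) {
    # Dotted quad to an integer in network order so CIDR masks line up.
    $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    [Array]::Reverse($bytes)
    [long][BitConverter]::ToUInt32($bytes, 0)
}

function Test-CidrMatch ([string]$ip, [string]$spec) {
    # $spec is "a.b.c.d" or "a.b.c.d/nn"; a bare address means /32.
    $net, $bits = $spec -split '/', 2
    if (-not $bits) { $bits = 32 }
    $mask = [long]([Math]::Pow(2, 32) - [Math]::Pow(2, 32 - [int]$bits))
    ((ConvertTo-IPv4Number $ip) -band $mask) -eq ((ConvertTo-IPv4Number $net) -band $mask)
}

function Get-SpfResult ([string]$SenderIp, [string]$Domain) {
    # Returns Pass, Fail, SoftFail, Neutral or None: the same vocabulary the
    # Sender ID agent stamps on a message.
    $zone = $dns[$Domain.ToLower()]
    if (-not $zone -or -not $zone.TXT -or $zone.TXT -notmatch '^v=spf1(\s|$)') { return 'None' }
    $verdict = @{ '+' = 'Pass'; '-' = 'Fail'; '~' = 'SoftFail'; '?' = 'Neutral' }
    foreach ($term in (($zone.TXT -split '\s+') | Select-Object -Skip 1)) {
        $q = '+'                                      # qualifier defaults to pass
        if ('+-~?'.Contains($term.Substring(0, 1))) { $q = $term.Substring(0, 1); $term = $term.Substring(1) }
        $mech, $arg = $term -split ':', 2
        $matched = switch ($mech.ToLower()) {
            'all' { $true }
            'ip4' { Test-CidrMatch $SenderIp $arg }
            'a'   { $zone.A -contains $SenderIp }     # the domain's own A record(s)
            'mx'  { [bool]($zone.MX | Where-Object { $dns[$_].A -contains $SenderIp }) }
            default { $false }                        # include/redirect/exists/ptr: not modelled
        }
        if ($matched) { return $verdict[$q] }         # first matching mechanism wins
    }
    'Neutral'                                         # nothing matched and no "all" term
}

Get-SpfResult '10.10.0.20' 'adatum.com'       # Pass     (ip4 mechanism)
Get-SpfResult '10.10.0.21' 'adatum.com'       # Pass     (mx -> mail.adatum.com)
Get-SpfResult '192.0.2.99' 'adatum.com'       # Fail     (-all)
Get-SpfResult '192.0.2.10' 'contoso.com'      # Pass     (a mechanism)
Get-SpfResult '192.0.2.99' 'contoso.com'      # SoftFail (~all)
Get-SpfResult '10.10.0.20' 'mail.adatum.com'  # None     (no SPF record published)

# On an Edge Transport server the live equivalent, resolving the real record, is:
# Test-SenderId -IPAddress 10.10.0.20 -PurportedResponsibleDomain adatum.com
```

A SoftFail or Neutral result is stamped, not rejected, by the Sender ID agent; only Fail can trigger the Reject or Delete action, which is why a domain that wants enforcement must end its record with -all.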
What Is Sender Reputation Filtering?

Key Points
The Exchange Server 2010 Sender Reputation feature makes message filtering decisions based on
information about recent e-mail messages received from specific senders. The Sender Reputation agent
analyzes various statistics about the sender and the e-mail messages to calculate a Sender Reputation
Level (SRL). The SRL is a number between 0 and 9, where 0 indicates less than a 1 percent probability
that the sender is a spammer and 9 indicates a probability of more than 99 percent. When a sender’s SRL
reaches the configured block threshold, the Sender Reputation agent automatically adds the IP address of
the sending SMTP server to the IP Block list for a configurable period.

How Sender Reputation Filtering Works


When the Edge Transport server receives the first message from a specific sender, the SMTP sender is
assigned an SRL of 0. As more messages arrive from the same source, the Sender Reputation agent
evaluates the messages and begins to adjust the sender’s rating. The Sender Reputation agent uses the
following criteria to evaluate each sender:
• Sender open proxy test. An open proxy is a proxy server (for example, SOCKS or HTTP CONNECT) that
accepts connections from any client and forwards them as if they originated from the proxy itself.
Spammers use open proxies to hide the true source of their traffic, much as they use open SMTP relays.
To test a sender, the Sender Reputation agent connects back to the sending IP address on common proxy
ports and attempts to open an SMTP connection through it to the Edge Transport server itself. If that
connection arrives, the agent has confirmed that the sender is an open proxy and updates the sender’s
open proxy test statistic. The test requires outbound connectivity from the Edge Transport server; if
the server reaches the Internet through a proxy, configure that proxy in the Sender Reputation settings.
• HELO/EHLO analysis. The HELO and EHLO SMTP commands are intended to provide the receiving
server with the domain name, such as Contoso.com, or the IP address of the sending SMTP server.
Spammers frequently modify the HELO/EHLO statement to use an IP address that does not match the
IP address from which the connection originated, or to use a domain name that is different from the
actual originating domain name. If the same sender uses multiple domain names or IP addresses in
the HELO or EHLO commands, there is an increased chance that the sender is a spammer.
• Reverse DNS lookup. The Sender Reputation agent also verifies that the originating IP address from
which the sender transmitted the message matches the registered domain name that the sender
submits in the HELO or EHLO SMTP command. The Sender Reputation agent performs a reverse DNS
query by submitting the originating IP address to DNS. If the domain names do not match, the sender
is more likely to be a spammer, and the overall SRL rating for the sender is adjusted upward.
• SCL ratings analysis on a particular sender’s messages. When the Content Filter agent processes a
message, it assigns the message an SCL, which is a numerical value between 0 and 9. The Sender
Reputation agent analyzes the distribution of SCL ratings across each sender’s messages and uses it as
an input to the SRL. SCL ratings are covered in the next topic, “What Is Content Filtering?”.
The Sender Reputation agent calculates the SRL for each unique sender over a specific time. When the SRL
rating exceeds the configured limit, the IP address for the sending SMTP server is added to the IP Block
list for a specific time.

Sender Reputation Configuration


You configure the Sender Reputation settings on the Edge Transport server. By using the Exchange
Management Console, you can set the SRL block threshold and the period for which a sender remains on
the IP Block list. By default, senders are blocked when their SRL reaches 7, and the IP address remains
blocked for 24 hours. Lowering the threshold blocks more senders sooner at the cost of more false
positives, so review the agent log after you change it.
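The agent order described in the filtering process above, together with the Sender ID and Sender Reputation settings from the last two topics, as one added configuration example (not from the course) for the Exchange Management Shell on an Edge Transport server. zen.spamhaus.org and 10.10.0.10 come from the lab; the other IP addresses, the blocked domain, the blocked recipient and the bypassed mailbox are assumptions chosen for the example. The Set-Mailbox line runs on a Mailbox or Hub Transport server, not on the Edge server.

```powershell
# Added example, not part of the course. Exchange Management Shell on the Edge Transport
# server unless noted. Addresses and names other than zen.spamhaus.org are illustrative.

# 1. Connection filtering, evaluated in this order: IP Allow list (bypasses every later
#    filter; the message gets SCL -1), local IP Block list, then IP Block List Providers.
Add-IPAllowListEntry -IPAddress 10.10.0.10
Add-IPBlockListEntry -IPRange 192.0.2.0/24 -ExpirationTime (Get-Date).AddDays(7) `
    -Comment "Spam source; entry expires automatically"
Add-IPBlockListProvider -Name Spamhaus -LookupDomain zen.spamhaus.org -AnyMatch $true `
    -RejectionResponse "Connecting IP address is listed at zen.spamhaus.org"

# 2. Sender filtering. StampStatus lets the message through but feeds the verdict into
#    the SCL; Reject refuses it at MAIL FROM, before any content is transferred.
Set-SenderFilterConfig -BlockedDomainsAndSubdomains @{Add="spam-source.example"} -Action StampStatus

# 3. Recipient filtering. Recipient validation needs the recipient data that EdgeSync
#    replicates; without it only the explicit block list applies. Keep the Receive
#    connector tarpit (default 5 s) so validation cannot be used to harvest the directory.
Set-RecipientFilterConfig -RecipientValidationEnabled $true `
    -BlockedRecipients @{Add="old-alias@adatum.com"}

# 4. Sender ID. StampStatus (the default) records the result for content filtering;
#    Reject or Delete enforce SPF outright. A DNS temporary error should never drop mail.
Set-SenderIDConfig -SpoofedDomainAction StampStatus -TempErrorAction StampStatus

# 5. Sender Reputation. Block once the SRL reaches 7 (the default), for 24 hours.
Set-SenderReputationConfig -SenderBlockingEnabled $true -SrlBlockThreshold 7 `
    -SenderBlockingPeriod 24 -OpenProxyDetectionEnabled $true

# A mailbox that must receive everything, unfiltered (run on a Hub/Mailbox server).
Set-Mailbox -Identity "abuse@adatum.com" -AntispamBypassEnabled $true

# Review the effective configuration before relying on it.
Get-IPAllowListEntry; Get-IPBlockListEntry; Get-IPBlockListProvider
Get-SenderFilterConfig | Format-List Action, BlockedDomainsAndSubdomains
Get-SenderIDConfig | Format-List SpoofedDomainAction, TempErrorAction
Get-SenderReputationConfig | Format-List SrlBlockThreshold, SenderBlockingPeriod
```

The @{Add=...} syntax appends to a multivalued property; passing a plain value replaces the whole list, which is an easy way to lose earlier entries.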
What Is Content Filtering?

Key Points
The Content Filter agent uses SmartScreen technology to analyze the content of every e-mail message, to
evaluate whether it is spam. The Content Filter agent is similar to the Exchange Server 2003 Intelligent
Message Filter feature.
When the Edge Transport server receives a message, the Content Filter agent evaluates the message’s
content for recognizable patterns, and then assigns a rating based on the probability that the message is
spam. This rating is attached to the message as an SCL, which is a numerical value between 0 and 9. A
rating of 0 indicates that the message is highly unlikely to be spam, whereas a rating of 9 indicates that
the message is very likely to be spam. This rating persists with the message when it is sent to other servers
running Exchange Server.
Depending on how you configure the content filter, if a message’s SCL score is greater than or equal to
the threshold you configure, then the Content Filter agent rejects, silently deletes, or quarantines the
message.

Content Filtering Configuration


Content filtering is enabled by default on Exchange Server 2010 Edge Transport servers, and is configured
to reject all messages with an SCL of 7 or higher. You can modify the default content filtering settings
by using the Exchange Management Console or the Exchange Management Shell. You can modify the following
settings in the Exchange Management Console:
• Configure custom words. You can specify key words or phrases that prevent the Content Filter agent
from blocking any message that contains them. This is useful if your organization must receive e-mail
containing words that the Content Filter agent normally treats as spam. You can also specify key words
or phrases that cause the Content Filter agent to block any message containing them.
• Specify exceptions. You can configure exceptions so that messages to recipients on the exceptions list
are not processed by content filtering.
• Specify actions. You can configure the SCL thresholds and the action for each. The Content Filter agent
deletes, rejects, or quarantines messages whose SCL meets or exceeds the corresponding threshold; the
delete threshold must be higher than the reject threshold, which must be higher than the quarantine
threshold.

Note: When the Content Filter agent rejects a message, it uses the default SMTP response 550 5.7.1
Message rejected due to content restrictions. You can customize the text of this response with the
RejectionResponse parameter of the Set-ContentFilterConfig cmdlet in the Exchange Management Shell.

Configuring the Quarantine Mailbox


When the SCL value for a message meets or exceeds the SCL quarantine threshold, the Content Filter agent
sends the message to a quarantine mailbox, wrapped in a non-delivery report. Before you can enable this
option on the Edge Transport server, you must designate the quarantine mailbox with the QuarantineMailbox
parameter of the Set-ContentFilterConfig cmdlet. As a messaging administrator, you should check the
quarantine mailbox regularly to ensure that the content filter is not filtering legitimate e-mail, and
release any false positives to their recipients.

Note: Messages are sent to the quarantine mailbox only when the SCL of the message meets or exceeds the
quarantine threshold that you configured on the content filter and does not reach the reject or delete
threshold. To see details of all actions that transport agents perform on an Edge Transport server, use
the Get-AgentLog cmdlet, or the scripts in the %programfiles%\Microsoft\Exchange Server\V14\Scripts
folder. The Get-AgentLog.ps1 script produces a raw listing of all actions that transport agents perform.
The folder contains several other scripts that produce formatted reports, for example the top blocked
sender domains, the top blocked senders, and the top blocked recipients. By default, the agent logs are
located in %programfiles%\Microsoft\Exchange Server\V14\TransportRoles\Logs\AgentLog.

The SCL Junk E-Mail Folder Threshold


If the SCL value of a message is greater than the SCL Junk E-mail folder threshold, the Mailbox server
places the message in the Outlook user’s Junk E-mail folder instead of the Inbox. The Junk E-mail folder
threshold is set for the whole organization with the SCLJunkThreshold parameter of Set-OrganizationConfig
(the default is 4) and can be overridden per mailbox. Note the difference in comparison: the Edge
Transport server actions fire when the SCL meets or exceeds their thresholds, whereas the Junk E-mail
folder action fires only when the SCL exceeds its threshold. If the SCL value of a message is below the
delete, reject, quarantine, and Junk E-mail folder thresholds, the Mailbox server puts the message in the
user’s Inbox.
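The content filter settings described in this topic, as an added example (not from the course) for the Exchange Management Shell. The quarantine mailbox address, the bypassed addresses, the partner domain and the custom phrases are assumptions for the example; the thresholds follow the defaults and the lab values. The Set-OrganizationConfig and Set-Mailbox lines run on a Hub Transport or Mailbox server; the rest runs on the Edge Transport server.

```powershell
# Added example, not part of the course. Edge Transport server unless noted;
# mailbox addresses, domains and phrases are illustrative.

# Thresholds: each action fires when the SCL meets or exceeds its value, tested in the
# order delete, reject, quarantine, so delete > reject > quarantine is required.
# The "550 5.7.1" prefix is added to RejectionResponse automatically.
Set-ContentFilterConfig -SCLDeleteEnabled $true -SCLDeleteThreshold 9 `
    -SCLRejectEnabled $true -SCLRejectThreshold 7 `
    -SCLQuarantineEnabled $true -SCLQuarantineThreshold 5 `
    -QuarantineMailbox "quarantine@adatum.com" `
    -RejectionResponse "Message rejected due to content restrictions"

# Exceptions: these recipients and this partner domain skip content filtering only;
# connection, sender, recipient and Sender ID filtering still apply to them.
Set-ContentFilterConfig -BypassedRecipients @{Add="postmaster@adatum.com"} `
    -BypassedSenderDomains @{Add="partner.example"}

# Custom words: a GoodWord match forces SCL 0, a BadWord match forces SCL 9.
Add-ContentFilterPhrase -Phrase "adatum quarterly report" -Influence GoodWord
Add-ContentFilterPhrase -Phrase "free mortgage quote" -Influence BadWord

# Hub Transport server: mail with an SCL greater than this value is filed as Junk.
# 6 matches the lab; the default is 4. A mailbox can override the organization value.
Set-OrganizationConfig -SCLJunkThreshold 6
Set-Mailbox -Identity Wei -SCLJunkEnabled $true -SCLJunkThreshold 4

# Audit what the Content Filter agent actually did in the last 24 hours. Compare this
# list with the quarantine mailbox to catch false positives (ReasonData holds the SCL).
Get-AgentLog -StartDate (Get-Date).AddDays(-1) |
    Where-Object { $_.Agent -eq 'Content Filter Agent' -and $_.Action -ne 'AcceptMessage' } |
    Select-Object Timestamp, P1FromAddress, Recipients, Action, Reason, ReasonData |
    Format-Table -AutoSize
```

Rejecting at SCL 7 and quarantining from SCL 5 gives you a two-day window to notice a legitimate sender that scores in the middle band before you decide whether to lower or raise the thresholds.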
Demonstration: How to Configure Anti-Spam Options

Key Points
In this demonstration, you will see how to configure the various anti-spam options available in Exchange
Server 2010, such as Connection filters, Sender filters, and Recipient filters. You will also see how to
configure the Sender ID, Sender Reputation, and content filtering features.

Demonstration Steps
1. Open Exchange Management Console, and on the Edge Transport server, click the Anti-spam tab.
2. Configure the following Connection filters:
• IP Allow List
• IP Block List
• IP Block List Providers
3. Add the zen.spamhaus.org domain to the IP Block List Providers list.


4. Configure the following filtering features:
• Sender filtering
• Recipient filtering
• Sender ID
• Sender Reputation
• Content filtering
5. Configure the Edge Transport server to quarantine messages with an SCL rating of 7 or higher.
Lesson 4
Configuring Secure SMTP Messaging

To secure SMTP messaging, you can use Transport Layer Security (TLS) in Exchange Server, or Domain
Security, a feature introduced in Exchange Server 2007 and available in Exchange Server 2010. This lesson
describes how to secure SMTP messaging by using the available options.
After completing this lesson, you will be able to:
• Describe the common SMTP security issues.
• Describe the options for securing SMTP e-mail.
• Configure SMTP security.
• Explain the concept of Domain Security.
• Explain how Domain Security works.
• Describe the Domain Security configuration process.
• Configure Domain Security.
• Explain how Secure MIME works.
Discussion: SMTP Security Issues

Key Points
Although SMTP messaging is common in many organizations, there are a few security issues that you
must consider.

Question: What are the security issues with SMTP?

Question: How do you currently secure SMTP?


SMTP E-Mail Security Options

Key Points
Exchange Server 2010 offers several options to secure SMTP messaging traffic. Most of these options rely
on certificates to authenticate the endpoints and to set up encryption of the traffic.
The following methods for securing SMTP require that you implement the option on both the source and
the target side. Because you usually do not control the target side, each method has limits on where it
can be used.

IPSec
IPSec is a set of extensions to the IP protocol that encrypts and authenticates traffic between two hosts
or two gateways. It can run in tunnel mode (gateway-to-gateway, or for remote access) or in transport
mode (host-to-host), and it secures all IP traffic between the peers regardless of application. Because
IPSec operates at the network layer, applications running on Exchange Server 2010 do not need to be aware
of it. You normally use IPSec to secure server-to-server or client-to-server communication inside your
own network, or with a partner whose peers you can configure. Within the protected hop you do not need
another encryption method; IPSec does not, however, protect the message beyond the IPSec peer or while
it is at rest.

VPN
A virtual private network (VPN) also operates below the application layer and very often uses IPSec as
the underlying protocol. A VPN is used for site-to-site or client-to-site connections. Like IPSec, it is
transparent to the applications on both ends, which can be an advantage over application-layer
protection such as Secure MIME (S/MIME), where the e-mail application on each end must support the
protocol.

TLS
TLS is the default protocol that Exchange Server 2010 uses to encrypt SMTP communication between servers.
It is the standard protocol for securing Web communications on the Internet or an intranet. TLS enables
clients to authenticate servers and, optionally, servers to authenticate clients, and it provides a
confidential channel by encrypting communications. TLS is the standardized successor to the SSL protocol.
Exchange Server 2010’s Domain Security feature uses TLS with mutual authentication, also known as mutual
TLS, to provide session-based authentication and encryption. Opportunistic TLS between SMTP servers, by
contrast, encrypts the session but does not verify the identity of the partner: the certificate that the
other server presents is not validated against a trusted CA or the expected name. This differs from
HTTPS, where the client validates the server’s certificate before it trusts the connection.

S/MIME
S/MIME is a standard that you can use to implement public-key encryption, and
e-mail message signatures. You can use encryption to protect message contents so that only the intended
recipients can read it. If a message is signed, the recipient can verify whether the message has been
changed on the way from the sender to the recipient.

S/MIME is a client-based encryption and signing protocol that provides end-to-end security, from the
sending mailbox to the receiving mailbox. Unlike session-based protocols that operate on the transport
path (such as TLS), S/MIME leaves the message encrypted and signed while it is stored in the mailbox.
Even administrators cannot read it unless they hold a private key that the message was encrypted to. By
implementing S/MIME, you can perform the following tasks:
• Use digital signatures to prove to your communication partners that the content was not altered and
that it came from the holder of the signing key.
• Authenticate messages, especially for crucial functions, such as when your employer approves your
travel requests.
• Encrypt messages so that only the intended recipients can read the content, whether the message is
intercepted in transit or read from a mailbox by someone else.
Exchange Server 2010 fully supports S/MIME for message encryption and signatures by default. Unlike in
previous versions, where you had to configure every mailbox database, you do not need to configure any
server-side setting to support S/MIME.

Because S/MIME provides end-to-end security, the e-mail application you use to read and write S/MIME
messages must meet the following two requirements:
• The application must support S/MIME encryption and signatures.
• The user’s certificate and private key must be installed and selected for signing and encryption in
the e-mail application.

Note: When using S/MIME, you can send digitally signed messages to anyone, but you can encrypt messages
only to recipients whose certificates (public keys) you have, either published in the Global Address
List (GAL) or stored in your Contacts.

Alternate Options for Securing SMTP Traffic


Besides the mentioned options, you can also implement authentication and authorization on SMTP
connectors for security. This does not enforce traffic encryption, but can prevent unauthorized users from
sending SMTP messages to users in your organization, or relaying SMTP messages to the Internet.
Authentication and authorization can be configured based on user login, or on IP addresses or IP ranges.
Demonstration: How to Configure SMTP Security

Key Points
In this demonstration, you will see how to configure an externally secured SMTP Connector and how to
configure an SMTP Connector that requires TLS and authentication.

Demonstration Steps
1. Use the Exchange Management Console to create a new Receive Connector.
2. Configure the Receive Connector to be externally secured.
3. Use Telnet to connect to Receive Connector.
4. Configure the Receive Connector to use TLS and authentication.
5. Use Telnet again to connect to Receive Connector.
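The two connectors from the demonstration, as an added example (not from the course) built in the Exchange Management Shell instead of the console, followed by a small PowerShell function that does what the Telnet steps do: it reads the EHLO capability list so you can see whether STARTTLS and AUTH are offered. The server name VAN-EX1 comes from the lab; the ports, remote addresses, HELO name and connector names are assumptions for the example.

```powershell
# Added example, not part of the course. Ports, addresses and connector names are
# illustrative; run in the Exchange Management Shell on the server that owns the connector.

# Option 1: externally secured. Exchange performs no authentication and requires no TLS;
# it trusts that the path (IPsec, a dedicated segment) is already protected and treats
# the peer as a trusted Exchange server. Scope RemoteIPRanges as narrowly as possible.
New-ReceiveConnector -Name "Appliance relay (externally secured)" -Server VAN-EX1 -Usage Custom `
    -Bindings 0.0.0.0:25 -RemoteIPRanges 10.10.0.50 `
    -AuthMechanism ExternalAuthoritative -PermissionGroups ExchangeServers

# Option 2: require TLS and authentication. STARTTLS is mandatory and BASIC credentials
# are accepted only after the session is encrypted; authenticated users may submit.
New-ReceiveConnector -Name "Authenticated submission (TLS required)" -Server VAN-EX1 -Usage Custom `
    -Bindings 0.0.0.0:2525 -RemoteIPRanges 10.10.0.0/24 `
    -AuthMechanism Tls, BasicAuth, BasicAuthRequireTLS -RequireTLS $true `
    -PermissionGroups ExchangeUsers

function Get-SmtpEhloResponse ([string]$Server, [int]$Port, [string]$Helo = 'client.adatum.com') {
    # Speaks just enough SMTP to capture the banner and the EHLO reply, like the Telnet step.
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $stream = $tcp.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
    $lines = @($reader.ReadLine())                   # 220 banner
    $writer.WriteLine("EHLO $Helo")
    do { $line = $reader.ReadLine(); $lines += $line } while ($line -match '^250-')
    $writer.WriteLine('QUIT')
    $tcp.Close()
    $lines
}

$caps = Get-SmtpEhloResponse -Server VAN-EX1 -Port 2525
$caps -match 'STARTTLS'             # must be present on the TLS-required connector
$caps -match '^250[- ]AUTH.*LOGIN'  # must be empty: LOGIN is offered only after STARTTLS
```

On the externally secured connector the same function shows no AUTH line at all, which is exactly why its remote IP range must be tight: anything that can reach it is trusted without proof.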
What Is Domain Security?

Key Points
Exchange Server 2010 can use TLS to provide security for SMTP e-mail. For Internet e-mail in general,
however, you cannot rely on TLS: many SMTP servers are not configured to offer STARTTLS, and Exchange
Server falls back to an unencrypted session when the partner does not offer it (opportunistic TLS). By
requiring mutually authenticated TLS for all SMTP e-mail sent between your organization and specific
partner organizations, you can enforce a high security level for that e-mail.

What Is Domain Security?


The Domain Security feature in Exchange Server 2010 provides a relatively low-cost alternative to S/MIME
or other message-encryption solutions. It uses mutual TLS, where each server verifies the identity of the
other server by validating the certificate that is provided by the other server. It is an easy way for
administrators to manage secured message paths between domains over the Internet. This means that all
connections between the partner organizations are authenticated, and all messages are encrypted while in
transit on the Internet.

TLS with mutual authentication differs from TLS in its usual implementation. Typically, when you
implement TLS, the client verifies a secure connection to the intended server by validating the server’s
certificate, which it receives during TLS negotiation. With mutual TLS, each server verifies the connection
with the other server by validating a certificate that the other server provides.
How Domain Security Works

Key Points
Domain Security works in a manner similar to establishing a TLS connection to an SMTP Receive
connector. However, as mutual TLS is used, both the sender and the receiver authenticate one another
before they send data. The message takes the following route from one organization to the other when
using Domain Security:

1. The Edge Transport server receives the e-mail message from a source Hub Transport server.
2. The Edge Transport server initiates a mutual TLS session with the target Edge Transport server: each
side presents its certificate and verifies the other’s. A domain-secured session is established only
when the sending side lists the recipient domain, and the receiving side lists the sender domain, as a
Domain Security partner. On the sending side, you set this with Set-TransportConfig
-TLSSendDomainSecureList <domain name>; on the receiving side, with Set-TransportConfig
-TLSReceiveDomainSecureList <domain name>. Both settings are organization-wide and are replicated to
the Edge Transport server by EdgeSync; the Send and Receive connectors involved must also have Domain
Security enabled.
3. The message is encrypted and transferred to the target Edge Transport server.
4. The Edge Transport server delivers the e-mail to the target Hub Transport for local delivery. The
message is marked as Domain Secure, which will display in Outlook 2007 or later, and in Outlook
Web App.
Process for Configuring Domain Security

Key Points
To configure Domain Security, you need to perform the following process:
1. On the Edge Transport server, generate a certificate request for the TLS certificate. You can request
the certificate from an internal, private certification authority (CA) or from a commercial CA; the SMTP
server in the partner organization must trust the CA that issues it. Ensure that the request includes
the FQDN of the Edge Transport server and every SMTP domain for which you will send and receive
domain-secured e-mail as Subject Alternative Names (SANs).
2. Import and enable the certificate on the Edge Transport server. After the CA issues the certificate,
import it on the Edge Transport server and enable it for the SMTP service, so that the connectors that
send and receive domain-secured e-mail use it.
3. Configure outbound Domain Security. Use Exchange Management Shell cmdlets to specify the domains to
which you will send domain-secured e-mail, and then enable Domain Security on the SMTP Send connector
that routes mail to those domains.
4. Configure inbound Domain Security. Use Exchange Management Shell cmdlets to specify the domains from
which you will receive domain-secured e-mail, and then enable Domain Security on the SMTP Receive
connector that accepts mail from them.
5. Notify the partner to configure Domain Security. Domain Security must be configured on both sides, so
contact your partner’s administrator and have them configure your domain as a Domain Security partner as
well.
6. Test message flow. Finally, send a message to the partner and have the partner send one to you, to
verify that Domain Security works in both directions. Domain-secured messages display a Domain Secured
icon in Outlook and Outlook Web App.
Note: When you install the Edge Transport server role, a self-signed certificate is issued to the server.
No other computer trusts this certificate. Because the partner organization must trust the certificate
you use for Domain Security, purchase a certificate from a commercial CA that both organizations already
trust. Alternatively, if you do not want to purchase a certificate, you can cross-certify the two
organizations’ private CAs, or import each organization’s CA certificate into the Trusted Root
Certification Authorities store on the other organization’s Edge Transport servers.
Demonstration: How to Configure Domain Security

Key Points
In this demonstration, you will see how to configure Domain Security.

Demonstration Steps
1. Verify a computer certificate in the certificate store.
2. Enable Domain Security on the Receive connector.
3. Enable Domain Security on the Send connector.
4. On a Hub Transport server, run Set-TransportConfig -TLSSendDomainSecureList and Set-TransportConfig
-TLSReceiveDomainSecureList to configure the Domain Security partnership.
5. Run Start-EdgeSynchronization to replicate the changes to the Edge Transport server.
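The six-step process above and the demonstration steps, carried through as one added example (not from the course) in the Exchange Management Shell. The partner domain contoso.com, the certificate subject, the file paths and the connector names are assumptions for the example; the Send connector name is the one EdgeSync creates by default and the Receive connector name is the Edge server's default, so check yours with Get-SendConnector and Get-ReceiveConnector. Steps 1, 2 and 5 run on the Edge Transport server (VAN-SVR1 in the lab); steps 3, 4 and 6 run on a Hub Transport server inside the organization.

```powershell
# Added example, not part of the course. Domain Security with partner domain contoso.com.
# Names, paths and the partner domain are illustrative.

# 1. Edge Transport server: request a certificate. The SAN list must carry the Edge
#    FQDN and every SMTP domain that will exchange domain-secured mail.
$request = New-ExchangeCertificate -GenerateRequest -FriendlyName "Edge SMTP mail.adatum.com" `
    -SubjectName "CN=mail.adatum.com, O=A. Datum Corporation, C=US" `
    -DomainName mail.adatum.com, adatum.com -PrivateKeyExportable $true -KeySize 2048
Set-Content -Path C:\CertReq\mail.adatum.com.req -Value $request
# ... submit the request to a CA the partner trusts and save the issued certificate ...

# 2. Edge Transport server: import the issued certificate and enable it for SMTP.
$cert = Import-ExchangeCertificate -FileData ([byte[]](Get-Content -Path C:\CertReq\mail.adatum.com.cer -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP

# 3. Hub Transport server: declare the partner in both directions. @{Add=} appends;
#    a plain value would replace any partners already configured.
Set-TransportConfig -TLSSendDomainSecureList @{Add="contoso.com"} `
    -TLSReceiveDomainSecureList @{Add="contoso.com"}

# 4. Hub Transport server: outbound. Domain Security requires DNS routing and must not
#    ignore STARTTLS; the cmdlet refuses the change otherwise.
Set-SendConnector -Identity "EdgeSync - Default-First-Site-Name to Internet" `
    -DomainSecureEnabled $true -DNSRoutingEnabled $true -IgnoreSTARTTLS $false

# 5. Edge Transport server: inbound. AuthMechanism must include Tls (the default does).
Set-ReceiveConnector -Identity "VAN-SVR1\Default internal receive connector VAN-SVR1" `
    -DomainSecureEnabled $true

# 6. Hub Transport server: push the organization settings to the Edge server and verify
#    that they arrived. Then send a test message in each direction.
Start-EdgeSynchronization
Test-EdgeSynchronization
# On the Edge server after synchronization:
Get-TransportConfig | Format-List TLSSendDomainSecureList, TLSReceiveDomainSecureList

# Domain Security problems (untrusted certificate, name mismatch, partner not configured)
# are logged by MSExchangeTransport on the Edge server; an empty result after a test
# message is what you want to see.
Get-EventLog -LogName Application -Source MSExchangeTransport -After (Get-Date).AddHours(-1) |
    Where-Object { $_.Message -match 'domain.secur' } |
    Format-List TimeGenerated, EventID, Message
```

If the test message arrives but without the Domain Secured icon, the session fell back to ordinary TLS; the usual causes are the ones in the troubleshooting table at the end of the module, a CA that one side does not trust or a partner that has not configured your domain.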
How S/MIME Works

Key Points
S/MIME is a messaging client-based solution for securing SMTP e-mail. With S/MIME, each client
computer must have a certificate, and the user is responsible for signing or encrypting each e-mail.

How S/MIME Secures E-Mail


S/MIME provides e-mail security by using the following options:
• Digital signatures. When a user chooses to sign a message, the messaging client computes a hash of
the message and encrypts (signs) that hash with the sender’s private key; the result is appended to the
message as the digital signature, together with the sender’s certificate, which carries the public key.
When the recipient receives the message, the client decrypts the signature with the sender’s public key,
recomputes the hash of the received message, and compares the two. It also checks that the certificate
chains to a trusted CA, has not expired or been revoked, and names the sender’s e-mail address. Digital
signatures provide:
  • Authentication. If the signature verifies with the public key in a trusted certificate, the recipient
  knows that the holder of the matching private key, the person or organization named in the certificate,
  sent the message.
  • Nonrepudiation. Only the private key associated with that public key could have produced the
  signature, so the sender cannot credibly deny having sent the message.
  • Data integrity. Any alteration of the message after signing changes its hash, so the signature no
  longer verifies.
• Message encryption. When a user chooses to encrypt a message with S/MIME, the messaging client
generates a one-time symmetric session key and encrypts the entire message with it. The session key is
then encrypted with each recipient’s public key, and the encrypted session keys are sent together with
the encrypted message. On arrival, the recipient’s private key decrypts the session key, and the session
key decrypts the message.
Message encryption enhances confidentiality. You can decrypt a message using only the private key
associated with the public key that was used to encrypt it. Therefore, only the intended recipient can view
the contents.
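The two mechanisms described above, reproduced as an added example (not from the course) with the .NET cryptographic primitives that Windows PowerShell can call: an RSA signature over a SHA-256 hash, and a one-time AES session key wrapped with the recipient's RSA public key. Real S/MIME wraps these operations in CMS (PKCS #7) structures and X.509 certificates; here the keys are generated in memory, so there is no certificate validation, and the message text and names are constructed for the example. It assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later.

```powershell
# Added example, not part of the course: S/MIME signing and encryption mechanics with
# raw .NET primitives. Keys are in-memory; a real deployment uses X.509 certificates.
$sha256 = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$pkcs1  = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
$oaep   = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256

# Each party holds a private key; the public half is what the GAL or a contact publishes.
$senderPrivate    = [System.Security.Cryptography.RSA]::Create()
$recipientPrivate = [System.Security.Cryptography.RSA]::Create()
$senderPublic     = [System.Security.Cryptography.RSA]::Create()
$senderPublic.ImportParameters($senderPrivate.ExportParameters($false))
$recipientPublic  = [System.Security.Cryptography.RSA]::Create()
$recipientPublic.ImportParameters($recipientPrivate.ExportParameters($false))

$message = [System.Text.Encoding]::UTF8.GetBytes('Travel request 4711 approved.')   # constructed

# Sign: hash the message and sign the hash with the SENDER's private key.
$signature = $senderPrivate.SignData($message, $sha256, $pkcs1)

# Encrypt: a fresh AES-256 session key for this message only; the message goes under AES,
# the session key under the RECIPIENT's public key. (S/MIME normally signs first and puts
# the signed data inside the envelope; the signature is kept beside it here for brevity.)
$aes = [System.Security.Cryptography.Aes]::Create()
$aes.KeySize = 256; $aes.GenerateKey(); $aes.GenerateIV()
$ciphertext = $aes.CreateEncryptor().TransformFinalBlock($message, 0, $message.Length)
$envelope = @{
    WrappedKey = $recipientPublic.Encrypt($aes.Key, $oaep)
    IV         = $aes.IV
    Ciphertext = $ciphertext
    Signature  = $signature
}

# Recipient: only the recipient's private key can unwrap the session key.
$sessionKey = $recipientPrivate.Decrypt($envelope.WrappedKey, $oaep)
$aesIn = [System.Security.Cryptography.Aes]::Create()
$aesIn.Key = $sessionKey; $aesIn.IV = $envelope.IV
$recovered = $aesIn.CreateDecryptor().TransformFinalBlock($envelope.Ciphertext, 0, $envelope.Ciphertext.Length)
$valid = $senderPublic.VerifyData($recovered, $envelope.Signature, $sha256, $pkcs1)
'{0} | signature valid: {1}' -f [System.Text.Encoding]::UTF8.GetString($recovered), $valid    # True

# Integrity: flip one bit in transit. The message still decrypts (to garbage in the first
# block) but the signature no longer verifies, which is what the recipient's client reports.
$envelope.Ciphertext[0] = $envelope.Ciphertext[0] -bxor 1
$tampered = $aesIn.CreateDecryptor().TransformFinalBlock($envelope.Ciphertext, 0, $envelope.Ciphertext.Length)
'tampered copy verifies: {0}' -f $senderPublic.VerifyData($tampered, $envelope.Signature, $sha256, $pkcs1)   # False

# The sender cannot read the stored copy either: the envelope was not wrapped to its key.
try { $null = $senderPrivate.Decrypt($envelope.WrappedKey, $oaep); 'unexpected' }
catch { 'sender cannot unwrap the session key: expected' }
```

The last step is the property the text calls end-to-end security: whoever holds the mailbox, including an administrator, sees only the envelope unless a private key the message was encrypted to is available to them.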
Lab B: Implementing Anti-Spam Solutions

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:

1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and the 10135A-VAN-SVR1 virtual machines
are running.
• 10135A-VAN-DC1: Domain controller in the Adatum.com domain
• 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain
• 10135A-VAN-SVR1: Standalone server
3. If required, connect to the virtual machines.

Lab Scenario
You are a messaging administrator in A. Datum Corporation, which is a large multinational organization.
After configuring the Edge Transport server and installing an antivirus solution, you must implement an
anti-spam solution.
Exercise 1: Configuring an Anti-Spam Solution on Edge Transport Servers


Scenario
In your organization, users complain that they receive too many spam messages in their inbox, and they
want these spam messages automatically moved to the Junk e-mail folder. To limit the number of spam
messages received by your organization, you need to increase the SCL junk threshold value for the
organization and ensure that junk e-mail above a certain rating is rejected. You also want to configure a
Block List Provider.

The main tasks for this exercise are as follows:

1. Configure DNS for Internet message delivery.
2. Configure global SCL for junk mail delivery.
3. Configure content filtering to reject junk messages.
4. Configure an IP Allow List.
5. Configure a Block List Provider.

Task 1: Configure DNS for Internet message delivery

1. On VAN-DC1, start DNS Manager.
2. In the Adatum.com zone, create an MX record that points to VAN-SVR1.adatum.com.

Task 2: Configure global SCL for junk mail delivery

1. On VAN-SVR1, configure the content filtering settings so that no messages are rejected based on SCL
values.
2. On VAN-EX1, in the Exchange Management Shell, run Set-OrganizationConfig -SCLJunkThreshold 6 to
configure the organization-wide SCL junk threshold.
3. On VAN-EX1, in the Exchange Management Shell, run d:\labfiles\Lab6Prep.ps1. This script sends 11
messages from VAN-SVR1 with the following SCL ratings:

Mail sender          SCL level
Msg1@contoso.com     7
Msg2@contoso.com     8
Msg3@contoso.com     7
Msg4@contoso.com     7
Msg5@contoso.com     8
Msg6@contoso.com     6
Msg7@contoso.com     8
Msg8@contoso.com     7
Msg9@contoso.com     6
Msg10@contoso.com    6
Msg11@contoso.com    8

4. Log on to Outlook Web App as Wei and verify that three messages were sent to the user mailbox,
and that eight messages were sent to the Junk E-Mail folder.
5. View the message details for one of the messages to verify the SCL value assigned to the message.

Task 3: Configure content filtering to reject junk messages

1. On VAN-SVR1, configure content filtering to reject messages that have an SCL rating greater than or
equal to 7.
2. On VAN-EX1, run the D:\labfiles\Lab6Prep.ps1 script to send the test messages again.
3. Log on to Outlook Web App on VAN-EX1 as Wei. Verify that three messages are delivered to the
Inbox and no messages are delivered to the junk e-mail folder in Wei’s mailbox. Delete the messages
in the Inbox.

Task 4: Configure an IP Allow List


1. On VAN-SVR1, configure the IP Allow List to accept connections from 10.10.0.10.
2. Run the script to send the test messages again.
3. Verify that all messages are delivered to the Inbox in Wei’s mailbox. The SCL rating should be -1.

Task 5: Configure a Block List Provider

• Configure an IP Block List Provider named Spamhaus that uses zen.spamhaus.org as the lookup domain.

Results: After this exercise, you should have configured different SCL levels, and verified the behavior
of junk mail in user mailboxes. You should also have configured a Block List Provider.
To prepare for the next module


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the
following steps:

1. On the host computer, start Hyper-V Manager.


2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start.
5. To connect to the virtual machine for the next module’s lab, click 10135A-VAN-DC1, and then in the
Actions pane, click Connect.

Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting
the other virtual machines.

6. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.
7. Wait for VAN-EX1 to start, and then start VAN-EX2. Connect to the virtual machine.
8. Wait for VAN-EX2 to start, and then start VAN-EX3. Connect to the virtual machine.
Implementing Messaging Security 6-61

Module Review and Takeaways

Review Questions
1. Is Edge Synchronization a mandatory requirement?
2. Which Exchange Server versions support the Domain Security feature?
3. Does the Edge Transport server role in Exchange Server 2010 include virus-scanning capabilities?

Common Issues Related to Edge Synchronization and Domain Security


Identify the causes for the following common issues related to implementing messaging security. For
answers, refer to relevant lessons in the module.

Issue: You configured Domain Security with a partner domain, but messages only use TLS for message
encryption, not mutual TLS or Domain Security.
Troubleshooting tip: Ensure both domains trust each other's CA. Also, Domain Security must be
configured on both the local side and the partner side.

Issue: Edge Synchronization is not working anymore.
Troubleshooting tip: Use Test-EdgeSynchronization to verify that the connection is established. If that
does not work, try to reestablish the Edge Synchronization.

Issue: You're logged on to your Windows Server 2008 machine using your own account. When you run
Test-EdgeSynchronization, it shows that the connection is broken.
Troubleshooting tip: When you use your own account instead of an administrator account to log on to a
Windows Server 2008 system, ensure that you always start the Exchange Management Shell in
Administrator mode. You sometimes need full access to run a cmdlet.
Implementing High Availability 7-1

Module 7
Implementing High Availability
Contents:
Lesson 1: Overview of High Availability Options 7-3
Lesson 2: Configuring Highly Available Mailbox Databases 7-8
Lesson 3: Deploying Highly Available Non-Mailbox Servers 7-21
Lab: Implementing High Availability 7-26

Module Overview

Many people rely on messaging environments so that they can perform critical business tasks, and it is
extremely important for your messaging solution to be available for an extended time. Thus, many
organizations place strict availability requirements on e-mail and other critical applications.
As the Microsoft® Exchange Server product has improved over the last decade, it has become very stable
and resilient, even in standalone configurations. To be a truly highly available solution, however, further
design and configuration were required. Not only are technology and configuration crucial, but also the
processes and procedures that you use to maintain the messaging system. This module describes the high
availability technology built into Exchange Server 2010 and some of the outside factors that affect highly
available solutions.
After completing this module, you will be able to:
• Describe high availability options.
• Configure highly available mailbox databases.
• Deploy highly available non-Mailbox servers.

Lesson 1
Overview of High Availability Options

High availability is a commonly used term that refers to a specific technology or configuration that
promotes service availability. Although many technologies and configurations can lead to highly available
configurations, they are not by themselves truly highly available. Much more effort is required to provide
a high availability solution.

In this lesson, you will review high availability, and some of the factors that go into designing and
deploying a highly available solution.

After completing this lesson, you will be able to:


• Describe high availability.
• Identify the components of a high availability solution.
• Implement a high availability solution for Mailbox servers.
• Implement a high availability solution for non-Mailbox servers.

What Is High Availability?

Key Points
High availability is a system design implementation that ensures a high level of operational continuity
over a specific time. Although many people attribute high availability to a specific technology, such as
failover clustering or load balancing, you can truly achieve high availability only with good design, testing,
training, and operational processes.

There are two types of downtime: planned and unplanned. Planned downtime is the result of events you
schedule, such as maintenance. By contrast, unplanned downtime is the result of events not within direct
control of information technology (IT) administrators. These events can be minor, such as a buggy
hardware driver or a processor that fails, or catastrophic, such as flood, fire, or earthquake.

Measuring Availability
Availability often is expressed as the percentage of time that a service is available for use. For example, a
requirement for 99.9 percent availability over a one-year period allows 8.75 hours of downtime. In
complex environments, organizations typically specify availability for a specific service, such as Exchange
messaging, which in turn may have availability goals tied to specific features such as Microsoft Outlook®
Web App, Simple Mail Transfer Protocol (SMTP) message delivery, and Outlook Anywhere.
For more information on high availability, refer to the CD content.

Discussion: Components of a High Availability Solution

Key Points
Numerous components can comprise a messaging solution, and you should scrutinize them to ensure
that failures will not affect the entire solution’s availability. Once you identify these components, you can
mitigate failures.

Question: Which components are important for running a high availability solution?

Question: What are some common single points of failure in a messaging solution?

High Availability Solution for Mailbox Servers

Key Points
Exchange Server 2010 provides a number of improvements for mailbox availability. Although the mailbox
high availability implementation differs from that in Exchange Server 2007, the basic concepts are the same.
Exchange Server 2010 improves upon many of the Exchange Server 2007 mailbox availability features. For
example, one database can have as many as 16 copies on 16 servers, and you can activate it on any of the
servers without disconnecting clients. Additionally, to provide increased insurance against corruption, you
can set these database copies to not apply transaction logs for up to 14 days. With the appropriate tools,
you can use these lag copies to recover database information from a point up to 14 days previously.
Details about how mailbox high availability works appear later in this module.
There are no changes to public folder high availability in Exchange Server 2010. Although you should
consider the location of the public folder servers, create a high availability environment by adding replicas
to multiple servers. Since this requires no additional configuration, this module does not discuss public
folder high availability.

High Availability Solution for Non-Mailbox Servers

Key Points
It is as important to have high availability solutions for the non-Mailbox server roles as for the Mailbox
server role, because not having them affects connectivity with the Mailbox server. For each of the
non-Mailbox server roles, adding redundancy starts with adding multiple servers, and ends with configuring
load balancing, whether through configuration, software load balancing, or hardware load balancing. If you
are familiar with the high availability solutions for non-Mailbox server roles in Exchange Server 2007, these
concepts largely hold true in Exchange Server 2010. This module provides details about making each of the
non-Mailbox server roles highly available.

Lesson 2
Configuring Highly Available Mailbox Databases

Historically, the Mailbox server role was the most complex and critical component in a highly available
Exchange Server deployment. Although this remains true, to a degree, Exchange Server 2010 reduces the
complexity of deploying a highly available Mailbox server. In doing so, it also reduces the likelihood that
administrators will configure a Mailbox server cluster improperly.

After completing this lesson, you will be able to:


• Describe database availability groups (DAGs).
• Describe Active Manager.
• Describe continuous replication.
• Describe how DAGs protect databases.
• Identify the differences between Exchange Server 2010 and Exchange Server 2007 mailbox availability
options.
• Configure databases for high availability.
• Create and configure a DAG.
• Describe the transport dumpster.
• Describe the failover process.
• Monitor replication health.

What Is a Database Availability Group?

Key Points
A DAG is a collection of servers that provides the infrastructure for replicating and activating database
copies. The DAG uses continuous transaction log replication to keep each passive database copy within
the DAG up to date. A DAG:
• Requires the failover clustering feature, although all installation and configuration tasks occur with
the Exchange Server management tools. Although a DAG requires the failover clustering feature,
Exchange Server does not use Windows failover clustering to handle database failover. Instead, it uses
Active Manager to control failover.
• Uses an enhanced version of the continuous replication technology that was in Exchange Server 2007.
The best continuous replication pieces from Exchange Server 2007 were improved.
• Can be created after you install the Mailbox server. You can set up a Mailbox server to host active
mailboxes, and then add it to the DAG later.
• Allows you to move a single database between servers in the group without affecting other
databases. Failover clustering occurs per mailbox database, not for an entire server, which makes
Exchange Server 2010 more flexible than previous Exchange Server versions.
• Allows up to 16 copies of a single database on separate servers. You can add up to 16 servers to a
DAG, which allows you to create up to 16 copies of a database. The database copies must be stored in
the same path on all servers. For example, if you store Mailbox Database 1 in
D:\Mailbox\DB\Mailbox Database 1\ on VAN-EX1, then you must also store it in
D:\Mailbox\DB\Mailbox Database 1\ on all other servers that host Mailbox Database 1 copies.
• Defines the boundary for replication since only servers within the DAG can host database copies. You
cannot replicate database information to Mailbox servers outside the DAG.

What Is Active Manager?

Key Points
Exchange Server 2010 includes a new component called Active Manager. Active Manager replaces the
resource model and failover management features that previous Exchange Server versions provided
during integration with the cluster service. Exchange Server no longer uses the cluster resource model for
high availability. Exchange Server uses a Windows failover cluster, but there are no cluster groups for
Exchange Server, and the cluster has no storage resources. In the Failover Cluster Management Console,
you will see only the core cluster resources (IP Address and Network Name).

The Active Manager runs on all Mailbox servers that are DAG members and runs as either the primary
active manager (PAM) or a standby active manager (SAM). The PAM is the Active Manager in a DAG that
decides which copies will be active and passive, and it is responsible for processing topology change
notifications and reacting to server failures.

Far from having a passive role, the SAM provides information about which server hosts the active copy of
a mailbox database to other components of Exchange Server, such as the RPC Client Access service and
the Hub Transport server. The SAM detects local database and local Information Store failures. It reacts to
failures by asking the PAM to initiate a failover (if the database is replicated).

What Is Continuous Replication?

Key Points
Continuous replication was introduced for Mailbox servers in Exchange Server 2007. This feature creates a
passive database copy on another Exchange Server computer in the DAG, and then uses asynchronous log
shipping to maintain the copies.
The continuous replication process is as follows:

1. The active log is written, and then closed.
2. The Replication Service replicates the closed log to the servers hosting the passive databases.
3. Because each copy of the database is identical, the transaction logs are inspected and then replayed
(applied) to the database copies, so the databases remain in sync.

Question: What other technologies use continuous replication?



How Are Databases Protected in a DAG?

Key Points
The active database copy uses continuous replication to keep the passive copies in sync based on their
lag-time setting. A DAG leverages the Windows Server® operating system failover clustering feature.
However, it relies on the Active Manager server to maintain the status of all of the DAG’s hosted
databases.
• You can switch or fail over a single database between DAG servers. However, it is only active on one
node at a time.
• At any given time, a copy is either the replication source or the replication target, but not both.
• A server may not host more than one copy of a given database.
• Not all databases need to have the same number of copies. In a 16-node DAG, one database can
have 16 copies, while another database is not redundant and contains only the one active copy.
Database failovers occur when failures cause the active database to go offline. Either a single server failure
or something specific to a database may cause the failure. A switchover occurs when an administrator
intentionally coordinates moving the active database from one server to another.

Comparing Exchange Server 2010 to Exchange Server 2007 Mailbox Availability Options

Key Points
Exchange Server 2010 extends and improves upon the continuous replication technology that Exchange
Server 2007 used. The new high availability model using the DAG is a more flexible and resilient solution
than previous high availability solutions.
The Exchange Server 2010 database high availability model:
• Has no single point of failure.
• Supports backups.
• Allows up to 16 copies of a database with a 14-day lag time.
• Can have multiple server roles running on the same server as the Mailbox server role.
• Allows you to move a single database between servers.

Configuring Databases for High Availability

Key Points
Creating a DAG is only the first step to providing database availability. You must create and configure
additional database copies. Not only can you create a database copy initially, but an administrator also
can create one at any time. You can distribute database copies across Mailbox servers in a flexible and
granular way. You can replicate one, some, or all mailbox databases on a server in several ways.

Specify the following information when creating a mailbox database copy:


• The name of the database you are copying.
• The name of the Mailbox server that will host the database copy.
• The amount of time (in minutes) for log replay delay. This is known as the replay lag time, which sets
how long to wait before the logs are committed to the database copy. Setting the replay lag time to 0
turns off log replay delay.
• The amount of time (in minutes) for log truncation delay. This is known as the truncation lag time,
which sets how long to wait before truncating committed transaction logs. Setting the truncation lag
time to 0 turns off log truncation delay.
• An activation preference number. This is referred to as a preferred list sequence number, and it
represents the activation preference order of a database copy after a failure or outage of the active
copy.

DAG Networks
A DAG network is a collection of one or more subnets that Exchange Server uses for either replication
traffic or MAPI traffic. Although Exchange Server supports one network adapter and path, we recommend
a minimum of two DAG networks. In a two-network configuration, you typically dedicate one network to
replication traffic and the other network to MAPI traffic. You can create additional networks in a DAG and
configure them as replication networks for redundancy. We recommend that you do not use Internet SCSI
(iSCSI) networks for DAG replication.

Question: How do you plan to use the preferred list sequence number?

Demonstration: How to Create and Configure a DAG

Key Points
In this demonstration, you will review how to create a new database availability group, add member
servers to it, and create a copy of a mailbox database.

Demonstration Steps
1. Click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange
Management Shell.
2. Use the New-DatabaseAvailabilityGroup cmdlet to create a Database Availability Group named
DAG1 with a WitnessServer on VAN-DC1, and a WitnessDirectory of C:\FSWDAG1. Assign the
DAG an IP Address of 10.10.0.25.
3. Use the Add-DatabaseAvailabilityGroupServer cmdlet to add VAN-EX1 as a member.
4. Click Start, click Programs, click Microsoft Exchange Server 2010, and then click Exchange
Management Console.
5. Use the Manage Database Availability Group Membership Wizard to add VAN-EX2 as a member of
DAG1.
6. Use the Add Mailbox Database Copy Wizard to add a copy of Mailbox Database 1 to the second
Mailbox server.

Note: Once you create a DAG, you then can create and configure DAG networks for replication or for
MAPI traffic. Add additional networks for redundancy or improved throughput.

Question: What information do you need before you can configure a DAG?

What Is the Transport Dumpster?

Key Points
If a failure occurs and some transaction logs are not replicated to the passive copy, you can use the
transport dumpster to redeliver any recently delivered e-mail. The transport dumpster operates on the
Hub Transport servers within Active Directory® Domain Services (AD DS) or Active Directory directory
service. When a database failover occurs, a request will be made to the Hub Transport servers to redeliver
the lost e-mail messages. The next section details database failovers.
The transport dumpster only holds e-mail that has been delivered. The local submission queue holds any
pending e-mail. Once the transaction logs are replicated to each DAG server, the transport dumpster
purges the message.

Understanding the Failover Process

Key Points
A failover occurs when the server hosting the active database goes offline or something causes the active
database to dismount. A switchover occurs when an administrator moves the active database from one
server to another. When a failure affecting the active database occurs, Active Manager uses several sets of
selection criteria to determine which database copy to activate. In the process for selecting the best copy
to activate, Active Manager:
1. Enumerates the available copies.
2. Ignores all unreachable servers.
3. Sorts available copies by how current they are. The factors considered include the content index, copy
queue length, and replay queue length.
4. Uses the activation preference, if a tie breaker is necessary.

Database Failovers
Before using the previously mentioned criteria to locate the best copy to activate, a process called attempt
copy last logs (ACLL) occurs. ACLL makes parallel remote procedure calls to each DAG Mailbox server that
hosts a copy of the mailbox database. This call checks whether the server is available and healthy, and
examines the LogInspectorGeneration value for the database copy. The mailbox database copy with the
highest LogInspectorGeneration value is the best source for copying log files.

After the ACLL process is complete, and if all missing log files were copied from the selected best source,
the database mounts without any data loss. This is known as a lossless failover. If the ACLL process fails,
then the configured AutoDatabaseMountDial value is consulted. If the number of lost logs is within
the configured AutoDatabaseMountDial value, then Exchange Server mounts the database. If the number
of lost logs falls outside the configured AutoDatabaseMountDial value, then Exchange Server does not
mount the database until either missing log files are recovered, or an administrator explicitly mounts the
database and accepts the larger data loss.

Use the Set-MailboxServer cmdlet to configure the AutoDatabaseMountDial setting for each DAG
Mailbox server.
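A simplified model of the four Active Manager selection steps and of the AutoDatabaseMountDial check that follows ACLL, added here as an illustration and not Exchange code; the copy records are constructed, the sort key is an assumption about how "how current" is measured, and the log-count thresholds are the documented defaults for the three dial settings.

```powershell
# Documented default thresholds: how many lost logs each dial setting tolerates.
$DialThreshold = @{ Lossless = 0; GoodAvailability = 6; BestAvailability = 12 }

function Select-BestCopy {
    param([object[]]$Copies)
    # Step 1 is the enumeration the caller hands in; step 2 drops unreachable servers.
    $candidates = @($Copies | Where-Object { $_.Reachable })
    if ($candidates.Count -eq 0) { return $null }
    # Step 3: most current copy first (healthy index, shortest copy and replay
    # queues); step 4: activation preference breaks ties (1 is most preferred).
    $sortKeys = @(
        @{ Expression = { if ($_.IndexHealthy) { 0 } else { 1 } } },
        @{ Expression = { $_.CopyQueueLength } },
        @{ Expression = { $_.ReplayQueueLength } },
        @{ Expression = { $_.ActivationPreference } }
    )
    $sorted = @($candidates | Sort-Object -Property $sortKeys)
    return $sorted[0]
}

function Test-AutoMount {
    param(
        [int]$LostLogs,
        [ValidateSet('Lossless', 'GoodAvailability', 'BestAvailability')]
        [string]$Dial
    )
    # ACLL could not fetch $LostLogs logs; mount automatically only if that fits the dial.
    return ($LostLogs -le $DialThreshold[$Dial])
}

# Constructed copies of one database across three DAG members. VAN-EX1 hosted the
# active copy and is now down; VAN-EX2 and VAN-EX3 are equally current.
$copies = @(
    (New-Object PSObject -Property @{ Server = 'VAN-EX1'; Reachable = $false; IndexHealthy = $true; CopyQueueLength = 0; ReplayQueueLength = 0; ActivationPreference = 1 }),
    (New-Object PSObject -Property @{ Server = 'VAN-EX2'; Reachable = $true;  IndexHealthy = $true; CopyQueueLength = 3; ReplayQueueLength = 8; ActivationPreference = 2 }),
    (New-Object PSObject -Property @{ Server = 'VAN-EX3'; Reachable = $true;  IndexHealthy = $true; CopyQueueLength = 3; ReplayQueueLength = 8; ActivationPreference = 3 })
)
$best = Select-BestCopy -Copies $copies
"Active Manager would activate the copy on $($best.Server)"

# The chosen copy is still missing the logs in its copy queue; show what each
# dial setting would do with that loss.
foreach ($dial in 'Lossless', 'GoodAvailability', 'BestAvailability') {
    "Dial $dial : automatic mount = $(Test-AutoMount -LostLogs $best.CopyQueueLength -Dial $dial)"
}

# The real setting is configured per Mailbox server, as noted above:
# Set-MailboxServer -Identity VAN-EX2 -AutoDatabaseMountDial GoodAvailability
```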

Demonstration: How to Monitor Replication Health

Key Points
In this demonstration, you will review how to use the Exchange Management Console and Exchange
Management Shell to review the available information regarding database-replication health.

Demonstration Steps
1. On VAN-EX1, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click
Exchange Management Console.
2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Organization
Configuration, and then expand Mailbox.
3. Review the status of each copy of the Mailbox Database 1 database.
4. Close Exchange Management Console.

Question: Why is monitoring these statistics important?
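An added monitoring script (not from the course) that turns the copy-status review above into a check you can run from the Exchange Management Shell; the server names are the lab's, and the queue-length thresholds are assumptions.

```powershell
# Flag database copies that are not Mounted/Healthy, have an unhealthy content
# index, or have queues deeper than the thresholds. Thresholds are assumptions.
function Get-UnhealthyDatabaseCopy {
    param(
        [string[]]$Server = @('VAN-EX1', 'VAN-EX2'),
        [int]$MaxCopyQueueLength = 10,     # logs not yet shipped to the copy
        [int]$MaxReplayQueueLength = 50    # logs shipped but not yet replayed
    )
    foreach ($s in $Server) {
        foreach ($copy in @(Get-MailboxDatabaseCopyStatus -Server $s)) {
            $reasons = @()
            if (@('Mounted', 'Healthy') -notcontains "$($copy.Status)") {
                $reasons += "Status=$($copy.Status)"
            }
            if ("$($copy.ContentIndexState)" -ne 'Healthy') {
                $reasons += "ContentIndex=$($copy.ContentIndexState)"
            }
            if ($copy.CopyQueueLength -gt $MaxCopyQueueLength) {
                $reasons += "CopyQueueLength=$($copy.CopyQueueLength)"
            }
            if ($copy.ReplayQueueLength -gt $MaxReplayQueueLength) {
                $reasons += "ReplayQueueLength=$($copy.ReplayQueueLength)"
            }
            if ($reasons.Count -gt 0) {
                New-Object PSObject -Property @{
                    Copy    = $copy.Name          # e.g. "Mailbox Database 1\VAN-EX2"
                    Server  = $s
                    Reasons = ($reasons -join '; ')
                }
            }
        }
    }
}

# Copies that need attention.
Get-UnhealthyDatabaseCopy | Format-Table Copy, Reasons -AutoSize

# Test-ReplicationHealth runs Exchange's own DAG checks (cluster service, quorum,
# replay service, copy and replay queues); list only the ones that did not pass.
foreach ($s in 'VAN-EX1', 'VAN-EX2') {
    Test-ReplicationHealth -Identity $s |
        Where-Object { "$($_.Result)" -ne 'Passed' } |
        Format-Table Server, Check, Error -AutoSize
}
```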



Lesson 3
Deploying Highly Available Non-Mailbox Servers

Other Exchange Server roles now handle some functionality that was handled by the Mailbox server in
previous Exchange Server versions. For example, Microsoft Office Outlook clients no longer directly
connect to the Mailbox server, but rather connect to the Client Access server for MAPI-based
communication. Additionally, the Mailbox server no longer processes mail. The Hub Transport server
now performs this task. With the other server roles performing more tasks, they become more important
to the messaging environment’s overall health. In this lesson, you will consider providing high availability
for these non-mailbox servers.

After completing this lesson, you will be able to:


• Describe and configure high availability for Client Access servers.
• Describe and configure high availability for Hub Transport servers.
• Describe and configure high availability for Edge Transport servers.

How High Availability Works for Client Access Servers

Key Points
A client access array is a load-balanced collection of Client Access servers that is in a single site. Since all
client connections, including MAPI, rely on connections to Client Access servers, it is important to provide
a redundant server array to improve availability. To create a client access array, you first must deploy
multiple Client Access servers. Next, you need to use either hardware or software-based network load
balancing to create a cluster. Then, add the name for the network load-balanced cluster into the Domain
Name System (DNS). For example, you could add an A record for caa1.contoso.com that points to
10.10.10.25. After adding the DNS record, you can create the client access array and assign it to an Active
Directory site using the New-ClientAccessArray cmdlet. Finally, you must assign the client access array to
each of the mailbox databases in the site using the Set-MailboxDatabase cmdlet with the
-RpcClientAccessServer parameter.

A client access array can exist only in a single Active Directory site. Therefore, you would need to create a
client access array in each Active Directory site that needs to load balance client access servers.

How Shadow Redundancy Provides High Availability for Hub Transport Servers

Key Points
Exchange Server 2010 includes the shadow redundancy feature, which provides redundancy for messages
for the entire time they are in transit. This is in addition to the transport dumpster. With shadow
redundancy, the message deletion from the transport databases is delayed until the transport server
verifies that all of the next hops for that message have completed delivery. If any of the next hops fail
before reporting successful delivery, the transport server resubmits the message for delivery to that next
hop.
In the shadow redundancy scenario, the message flow follows these stages:

1. Hub delivers message to Edge:
a. Hub opens SMTP session with Edge.
b. Edge advertises shadow redundancy support.
c. Hub notifies Edge to track discard status.
d. Hub submits message to Edge.
e. Edge acknowledges the receipt of message and records the Hub’s name for sending discard
information for the message.
f. Hub moves the message to the shadow queue for Edge and marks Edge as the primary server.
Hub becomes the shadow server.
2. Edge delivers message to the next hop:
a. Edge submits message to third-party mail server.
b. Third-party mail server acknowledges the message’s receipt.
c. Edge updates the discard status for the message as delivery complete.
3. Hub queries Edge for discard status (success case):
a. At end of each SMTP session with Edge, Hub queries Edge for discard status on messages
previously submitted. If Hub has not opened any SMTP sessions with Edge after the initial
message submission, it will open an SMTP session with Edge to query for discard status after a
specific time.
b. Edge checks local discard status and sends back the list of messages that have been delivered,
and removes the discard information.
c. Hub server deletes the list of messages from its shadow queue.
4. Hub queries Edge for discard status and resubmits the message (failure case):
a. If Hub cannot contact Edge, Hub resumes the primary server role and resubmits the messages in
the shadow queue.
b. Resubmitted messages are delivered to another Edge server, and the workflow starts from step 1.
Within Exchange Server 2010, the Shadow Redundancy Manager (SRM) is the core component of a
Transport server that is responsible for managing shadow redundancy. The SRM is responsible for
maintaining the following information for all the primary messages that a server is currently processing:
• The shadow server for each primary message being processed.
• The discard status to be sent to shadow servers.
The SRM is responsible for the following, for all the shadow messages that a server has in its shadow
queues:
• Maintaining the list and checking primary server availability for each shadow message.
• Processing discard notifications from primary servers.
• Removing the shadow messages from the database once it receives all expected discard notifications.
• Deciding when the shadow server should take ownership of shadow messages, thus making it the
primary server.
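The four-stage exchange above as a small simulation, added here and not part of the course; the server objects, message IDs and the second Edge server VAN-SVR2 are constructed, and the discard bookkeeping is a model of the SRM's role, not Exchange code.

```powershell
# Each simulated transport server keeps the two SRM lists described above.
function New-TransportServer {
    param([string]$Name)
    New-Object PSObject -Property @{
        Name          = $Name
        Online        = $true
        ShadowQueue   = @{}    # messageId -> primary server name   (shadow side)
        DiscardStatus = @{}    # messageId -> $true once delivered  (primary side)
    }
}

# Stage 1: Hub submits to Edge. Edge records that it must report discard status;
# Hub keeps a shadow copy and marks Edge as the primary server for it.
function Submit-ToEdge {
    param($Hub, $Edge, [string]$MessageId)
    if (-not $Edge.Online) { throw "Edge $($Edge.Name) is unreachable" }
    $Edge.DiscardStatus[$MessageId] = $false      # received, not yet delivered
    $Hub.ShadowQueue[$MessageId]   = $Edge.Name   # Hub is now the shadow server
}

# Stage 2: Edge hands the message to the next hop and updates its discard status.
function Complete-NextHopDelivery {
    param($Edge, [string]$MessageId)
    $Edge.DiscardStatus[$MessageId] = $true
}

# Stage 3 (success) and stage 4 (failure): Hub asks Edge which shadows it may drop.
function Request-DiscardStatus {
    param($Hub, $Edge)
    if (-not $Edge.Online) {
        # Edge cannot be contacted: Hub resumes the primary role for everything it
        # shadows for that Edge and hands the IDs back for resubmission.
        $ids = @($Hub.ShadowQueue.Keys | Where-Object { $Hub.ShadowQueue[$_] -eq $Edge.Name })
        foreach ($id in $ids) { $Hub.ShadowQueue.Remove($id) }
        return @{ Resubmit = $ids; Discarded = @() }
    }
    $delivered = @($Edge.DiscardStatus.Keys | Where-Object { $Edge.DiscardStatus[$_] })
    foreach ($id in $delivered) {
        $Edge.DiscardStatus.Remove($id)   # Edge removes the discard information
        $Hub.ShadowQueue.Remove($id)      # Hub deletes the message from its shadow queue
    }
    return @{ Resubmit = @(); Discarded = $delivered }
}

# Success case: delivered by Edge, then discarded from Hub's shadow queue.
$hub   = New-TransportServer -Name 'VAN-EX1'
$edge1 = New-TransportServer -Name 'VAN-SVR1'
Submit-ToEdge -Hub $hub -Edge $edge1 -MessageId 'msg-1'
Complete-NextHopDelivery -Edge $edge1 -MessageId 'msg-1'
$r = Request-DiscardStatus -Hub $hub -Edge $edge1
"Discarded: $($r.Discarded -join ', '); shadow queue holds $($hub.ShadowQueue.Count) message(s)"

# Failure case: Edge goes down before reporting; Hub resubmits through a second
# Edge (VAN-SVR2 is constructed for this example) and the workflow restarts at stage 1.
Submit-ToEdge -Hub $hub -Edge $edge1 -MessageId 'msg-2'
$edge1.Online = $false
$r = Request-DiscardStatus -Hub $hub -Edge $edge1
$edge2 = New-TransportServer -Name 'VAN-SVR2'
foreach ($id in $r.Resubmit) { Submit-ToEdge -Hub $hub -Edge $edge2 -MessageId $id }
"Resubmitted: $($r.Resubmit -join ', '); msg-2 is now shadowed for $($hub.ShadowQueue['msg-2'])"
```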

How High Availability Works for Edge Transport Servers

Key Points
Edge Transport servers provide both inbound and outbound e-mail delivery. For outbound delivery,
providing high availability is as simple as deploying multiple Edge Transport servers and creating an Edge
subscription. If you have deployed Exchange servers in multiple Active Directory sites, you may need
additional redundant Edge Transport servers.

Multiple DNS MX Records


The SMTP protocol was created with delivery redundancy in mind. It uses special DNS records called mail
exchanger (MX) resource records to locate the authoritative SMTP server for a domain. These records
point to the fully qualified domain name of the SMTP server, which in this case is an Edge Transport
server. You can create multiple MX records and assign them weights. The protocol uses the lower-weighted
records before the higher-weighted records. MX records with the same weight are load balanced in
round-robin fashion. If one of the hosts fails to respond, the sending server attempts the next host on the list.

Hardware-Based Load Balancing


High availability for inbound e-mail delivery requires multiple load-balanced Edge Transport servers. You
can achieve load balancing either with a hardware load balancer or by using multiple DNS records. Using
a hardware load balancer balances inbound communication between Edge Transport servers and provides
redundancy in case of a server failure.

Like Hub Transport servers, Edge Transport servers also support shadow redundancy. However, shadow
redundancy does not cover all scenarios, because most of the messaging servers that the Edge Transport
role communicates with do not support shadow redundancy.

Lab: Implementing High Availability

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:

1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, 10135A-VAN-EX2, and the 10135A-VAN-EX3
virtual machines are running:
• 10135A-VAN-DC1: Domain controller in the Adatum.com domain.
• 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain.
• 10135A-VAN-EX2: Exchange 2010 server in the Adatum.com domain.
• 10135A-VAN-EX3: Exchange 2010 server in the Adatum.com domain.
3. If required, connect to the virtual machines. Log on to the virtual machines as
Adatum\Administrator, using the password Pa$$w0rd.

Lab Scenario
You are the messaging administrator for A. Datum Corporation. You have completed the basic installation
for three Exchange servers. Now you must complete the configuration so that they are highly available.

Exercise 1: Deploying a DAG


Scenario
You must complete the Mailbox server high availability configuration by creating a DAG and making the
Accounting database highly available.

The main tasks for this exercise are:


1. Create a DAG named DAG1 using the Exchange Management Shell.
2. Create a mailbox database copy of the Accounting database.
3. Verify successful completion of database copying.
4. Suspend the database copy on VAN-EX2.

 Task 1: Create a DAG named DAG1 using the Exchange Management Shell
1. On VAN-EX1, open the Exchange Management Shell.
2. Use the New-DatabaseAvailabilityGroup cmdlet to create a DAG with the following information:
• Name: DAG1
• WitnessServer: \\VAN-DC1\FSWDAG1
• WitnessDirectory: C:\FSWDAG1
• IP Address: 10.10.0.80
3. Use the Add-DatabaseAvailabilityGroupServer cmdlet to add VAN-EX1 as a member of DAG1.
4. On VAN-EX2, open the Exchange Management Console.
5. On the Database Availability Groups tab, add VAN-EX2 as a member of DAG1.

 Task 2: Create a mailbox database copy of the Accounting database


1. On VAN-EX1, open the Exchange Management Console.
2. On the Database Management tab, add a mailbox database copy of Accounting to VAN-EX2.

 Task 3: Verify successful completion of database copying


• On VAN-EX1, view the properties of the Accounting database, and ensure its status is Healthy.

Task 4: Suspend the Accounting database copy on VAN-EX2
• On VAN-EX1, suspend the Accounting database copy on VAN-EX2.

Results: After this exercise, you should have created a DAG and a mailbox database copy of the
Accounting database. The Accounting database copy on VAN-EX2 should remain in a suspended
state.
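The same exercise carried out end to end from the Exchange Management Shell, as an added example that is not part of the course's lab files. It assumes the lab names (DAG1, VAN-DC1, VAN-EX1, VAN-EX2, the Accounting database) and the witness directory C:\FSWDAG1 on VAN-DC1. Because VAN-DC1 is not an Exchange server, the Exchange Trusted Subsystem group must be a member of its local Administrators group (on a domain controller, the domain's Builtin Administrators group) before the witness directory can be created.

```powershell
# Added example (not the course's lab code): build the Exercise 1 DAG from the
# shell and verify each step before moving on. Assumes the lab names above.

# Create the DAG. The witness server is named by host (VAN-DC1), not by UNC
# path; Exchange creates and shares the witness directory itself.
New-DatabaseAvailabilityGroup -Name DAG1 `
    -WitnessServer VAN-DC1 `
    -WitnessDirectory C:\FSWDAG1 `
    -DatabaseAvailabilityGroupIPAddresses 10.10.0.80

# Add both Mailbox servers. The first call also installs the failover
# clustering feature and creates the cluster, so it takes noticeably longer.
Add-DatabaseAvailabilityGroupServer -Identity DAG1 -MailboxServer VAN-EX1
Add-DatabaseAvailabilityGroupServer -Identity DAG1 -MailboxServer VAN-EX2

# Seed a passive copy of Accounting on VAN-EX2.
Add-MailboxDatabaseCopy -Identity Accounting -MailboxServer VAN-EX2

# Wait for the copy to report Healthy before relying on it. A copy that stays
# in Initializing or ends in Failed means seeding or log replay has a problem.
$copy = 'Accounting\VAN-EX2'
do {
    Start-Sleep -Seconds 10
    $status = Get-MailboxDatabaseCopyStatus -Identity $copy
    Write-Host ('{0}: {1} (copy queue {2}, replay queue {3})' -f $copy,
        $status.Status, $status.CopyQueueLength, $status.ReplayQueueLength)
} while ($status.Status -ne 'Healthy' -and $status.Status -ne 'Failed')

# Task 4: suspend the copy. Record why, so that another administrator who sees
# the copy not replaying knows it was deliberate.
Suspend-MailboxDatabaseCopy -Identity $copy `
    -SuspendComment 'Lab exercise 1, task 4' -Confirm:$false

# Final check: DAG membership and witness as expected, copy now Suspended.
Get-DatabaseAvailabilityGroup -Identity DAG1 |
    Format-List Name, Servers, WitnessServer, WitnessDirectory
Get-MailboxDatabaseCopyStatus -Identity $copy |
    Format-List Name, Status, SuspendComment
```

The polling loop stops on Failed as well as Healthy so that a broken seed does not leave the script waiting forever; in that case, inspect the copy's status output and the Application log on VAN-EX2 before retrying.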
7-28 Configuring, Managing and Troubleshooting Microsoft® Exchange Server 2010

Exercise 2: Deploying Highly Available Hub Transport and Client Access Servers

Scenario
The network team used a hardware load balancer to load balance VAN-EX1 and VAN-EX2 for Client
Access connections. They have assigned a load balanced IP address of 10.10.0.30, and have created a DNS
record for the name CASArray.adatum.com. Now you must complete the Client Access configuration.

The main tasks for this exercise are:


1. Create and configure a client access array for CASArray.adatum.com.
2. Assign the client access array to the databases.

Task 1: Create and configure a client access array for CASArray.adatum.com
1. On VAN-EX1, open Exchange Management Shell.
2. Use the New-ClientAccessArray cmdlet to create a new client access array named
CasArray.adatum.com for the Default-First-Site-Name Active Directory site.

Task 2: Assign the client access array to the databases
1. On VAN-EX1, use the Exchange Management Shell to retrieve a list of all of the databases on VAN-EX1
and VAN-EX2.
2. Use the Set-MailboxDatabase cmdlet to assign each database on VAN-EX1 and VAN-EX2 the
CasArray.adatum.com client access array as the RpcClientAccessServer.

Results: At the end of this exercise, you should have created a client access array and assigned it to
the databases.
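The two tasks above as one shell script, with a verification step, as an added example that is not part of the course's lab files. It assumes the lab values (the array name CasArray.adatum.com, the load-balanced address 10.10.0.30, and the Active Directory site Default-First-Site-Name).

```powershell
# Added example (not the course's lab code): create the Client Access array
# and bind the databases on VAN-EX1 and VAN-EX2 to it, then verify.

# Create the array. Its FQDN must match the DNS record the network team
# created for the load-balanced address: Outlook profiles are handed this
# name as their RPC endpoint, so a mismatch sends clients to a single server.
New-ClientAccessArray -Name CasArray.adatum.com `
    -Fqdn CasArray.adatum.com `
    -Site Default-First-Site-Name

# Point every database hosted on either server at the array.
foreach ($server in 'VAN-EX1', 'VAN-EX2') {
    Get-MailboxDatabase -Server $server |
        Set-MailboxDatabase -RpcClientAccessServer CasArray.adatum.com
}

# Verify the name resolves to the load balancer and not to an individual
# Client Access server.
$resolved = [System.Net.Dns]::GetHostAddresses('CasArray.adatum.com') |
    ForEach-Object { $_.IPAddressToString }
if ($resolved -notcontains '10.10.0.30') {
    Write-Warning "CasArray.adatum.com resolves to $resolved, expected 10.10.0.30"
}

# Any database still listing a server name here was missed; the output
# should be empty.
Get-MailboxDatabase |
    Where-Object { $_.RpcClientAccessServer -ne 'CasArray.adatum.com' } |
    Format-Table Name, Server, RpcClientAccessServer -AutoSize
```

Changing RpcClientAccessServer affects profiles created afterwards; Outlook profiles that were created before the change keep the server name they were given until they are repaired.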

Exercise 3: Testing the High Availability Configuration


Scenario
You have completed the high availability configuration. You now must verify that the high availability
configuration is working properly.

The main tasks for this exercise are:


1. Create an SMTP connector associated with VAN-EX1 and VAN-EX2.
2. Stop the SMTP service on VAN-DC1.
3. Send an e-mail to an internal user and an external SMTP address.
4. Use Queue Viewer to locate the message in the queue.
5. Start SMTP service on VAN-DC1 to allow queued message delivery.
6. Verify that the messages were removed from the shadow redundancy queue.
7. Verify the copy status of the Accounting database copy and resume the database copy.
8. Perform a switchover on the Accounting database to make the VAN-EX2 copy active.
9. Simulate a server failure.

Task 1: Create an SMTP connector associated with VAN-EX1 and VAN-EX2
1. On VAN-EX2, if required, open Exchange Management Console.
2. Create an SMTP send connector named Internet Mail, and then configure an address space of “*” for
the connector.
3. Add VAN-DC1.adatum.com as the Smart host for the connector, and VAN-EX1 and VAN-EX2 as the
source servers.

Task 2: Stop the SMTP service on VAN-DC1
• On VAN-DC1, stop the Simple Mail Transfer Protocol (SMTP) service.

Task 3: Send an e-mail to an internal user and an external SMTP address
1. On VAN-EX1, log on to Outlook Web App as Adatum\Jason with a password of Pa$$w0rd.
2. Create and send a new e-mail addressed to terry@contoso.com and janedow@adatum.com.

Task 4: Use Queue Viewer to locate the message in the queue
1. On VAN-EX2, open Queue Viewer.
2. Connect to VAN-EX1 and VAN-EX2 to locate which server queues the e-mail sent from Jason.
3. Make note of the server where the message is queued.
4. Examine the shadow redundancy queue on VAN-EX3.

Task 5: Start SMTP service on VAN-DC1 to allow delivery of the queued message
1. On VAN-DC1, open Server Manager.
2. Start the SMTP service.

Task 6: Verify that the messages were removed from the shadow redundancy queue
1. On VAN-EX2, open Queue Viewer.
2. Connect to VAN-EX3, where the message was queued in the shadow redundancy queue, and then
verify that it is no longer queued.

Task 7: Verify the copy status of the Accounting database, and resume the database copy
1. On VAN-EX2, open the Exchange Management Console.
2. View the database copy health on the Suspended copy on VAN-EX2.
3. Resume the database copy on VAN-EX2, and wait until the copy status is Healthy.

Task 8: Perform a switchover on the Accounting database to make the VAN-EX2 copy active
1. On VAN-EX2, open the Exchange Management Console.
2. Verify that the active Accounting database is on VAN-EX1.
3. Select the Accounting database on VAN-EX2, and then activate the copy.

Task 9: Simulate a server failure
1. On VAN-EX1, open the Exchange Management Console, and view the status of the Accounting
database.
2. In Hyper-V™ Manager, revert 10135A-VAN-EX2.
3. Verify the Accounting database is now active on VAN-EX1.

Results: After this exercise, you should have verified that the mailbox databases could fail over and
switch between DAG servers, and that Hub Transport shadow redundancy is working properly.
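The shell equivalents of the Exercise 3 checks, as an added example that is not part of the course's lab files. It assumes the lab names (VAN-DC1 running the IIS SMTP service, whose service name is SMTPSVC; VAN-EX1, VAN-EX2 and VAN-EX3; the Accounting database in DAG1), and that the test sender Jason's address is jason@adatum.com. Tasks 3 and 9 (sending the mail in Outlook Web App and reverting the virtual machine) are still done by hand.

```powershell
# Added example (not the course's lab code): the transport and DAG checks of
# Exercise 3 from the Exchange Management Shell on VAN-EX2.

# Task 1: a send connector for all Internet mail, routed through the smart
# host and sourced from both Hub Transport servers so either can deliver.
New-SendConnector -Name 'Internet Mail' -Usage Internet `
    -AddressSpaces 'SMTP:*;1' `
    -SmartHosts VAN-DC1.adatum.com -DNSRoutingEnabled $false `
    -SourceTransportServers VAN-EX1, VAN-EX2

# Task 2: stop the smart host so that outbound mail has to queue.
Get-Service -ComputerName VAN-DC1 -Name SMTPSVC | Stop-Service

# Task 4: find which Hub server holds Jason's message, then confirm VAN-EX3
# is keeping a shadow copy until the next hop acknowledges delivery.
foreach ($hub in 'VAN-EX1', 'VAN-EX2') {
    Get-Message -Server $hub -Filter { FromAddress -eq 'jason@adatum.com' } |
        Format-Table Identity, Queue, Status, FromAddress, Recipients -AutoSize
}
Get-Queue -Server VAN-EX3 |
    Where-Object { $_.DeliveryType -eq 'ShadowRedundancy' } |
    Format-Table Identity, Status, MessageCount, NextHopDomain -AutoSize

# Tasks 5 and 6: restart the smart host, then confirm the shadow queue drains
# once the primary server reports the message delivered.
Get-Service -ComputerName VAN-DC1 -Name SMTPSVC | Start-Service
Start-Sleep -Seconds 60
Get-Queue -Server VAN-EX3 |
    Where-Object { $_.DeliveryType -eq 'ShadowRedundancy' } |
    Format-Table Identity, Status, MessageCount -AutoSize

# Tasks 7 and 8: resume the suspended copy, wait until it is Healthy, then
# switch the active copy to VAN-EX2.
Resume-MailboxDatabaseCopy -Identity 'Accounting\VAN-EX2'
do {
    Start-Sleep -Seconds 10
    $copy = Get-MailboxDatabaseCopyStatus -Identity 'Accounting\VAN-EX2'
} while ($copy.Status -ne 'Healthy')
Move-ActiveMailboxDatabase -Identity Accounting -ActivateOnServer VAN-EX2 -Confirm:$false
Get-MailboxDatabase -Identity Accounting -Status | Format-List Name, MountedOnServer

# Task 9: after VAN-EX2 is reverted in Hyper-V Manager, the DAG fails the
# database over to VAN-EX1 by itself; poll until the mount location moves.
do {
    Start-Sleep -Seconds 15
    $active = (Get-MailboxDatabase -Identity Accounting -Status).MountedOnServer
} while ($active -notmatch 'VAN-EX1')
Write-Host "Accounting is now mounted on $active"
```

The shadow redundancy check is the useful part for an operations team: a shadow queue that keeps its messages after the primary server has delivered them indicates the primary is not sending discard notifications, which is worth investigating before the next outage.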

To prepare for the next module
When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the
following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start.
5. To connect to the virtual machine for the next module’s lab, click 10135A-VAN-DC1, and then in the
Actions pane, click Connect.

Important: Start the VAN-DC1 virtual machine first, and ensure that it starts fully before starting the
other virtual machines.

6. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.
7. Wait for VAN-EX1 to start, and then start VAN-SVR1. Connect to the virtual machine.

Module Review and Takeaways

Review Questions
1. Besides planning for Exchange Server failures, what other failures should you consider?

2. In which scenarios might you use hardware load balancing with Edge Transport servers?

Common Issues Related to Creating High Availability Edge Transport Solutions


Identify the causes for the following common issues related to high availability Edge Transport servers,
and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module.

Issue: Inbound e-mail is not being delivered evenly across all of the Edge Transport servers.
Troubleshooting tip: Ensure that the DNS MX records have the same value. If the values are not the same,
only the records with the lowest value will be used.

Issue: After deploying highly available Edge Transport servers, outbound e-mail is being returned as
possible spam.
Troubleshooting tip: Verify that your outbound mail servers are configured with a host name that is
resolvable on the Internet. Many servers reject e-mail from servers that do not have a name or an IP
address that can be resolved on the Internet.

Real-World Issues and Scenarios


1. An organization has several branch offices with a small number of employees. However, the
organization needs to deploy a high availability solution in the remote offices. What configuration
can it deploy to meet its business needs?
2. An organization uses a variety of service-level agreements for database availability for different
business units. It wants to minimize the number of mailbox servers it deploys. How can it do this?

Best Practices Related to Designing a High Availability Solution


Supplement or modify the following best practices for your own work situations:
• Identify all possible failure points before designing a solution. Even the most elaborate and expensive
designs can have a simple and crippling failure point.
• Document all of the components of the solution so that everyone involved in the deployment
understands how the solution is configured.
• Follow change-management procedures. In some environments, it may be tempting to skip these
steps. However, not following proper change-management procedures often leads to extended,
unplanned downtime.
Implementing Backup and Recovery 8-1

Module 8
Implementing Backup and Recovery
Contents:
Lesson 1: Planning Backup and Recovery 8-3
Lesson 2: Backing Up Exchange Server 2010 8-14
Lesson 3: Restoring Exchange Server 2010 8-25
Lab: Implementing Backup and Recovery 8-37

Module Overview

Your Exchange Server databases contain the messages for all of your users. These databases therefore hold
the data that you most need to retain, and backing up the databases that contain these messages is one
of your key concerns regarding your messaging system. Sometimes users accidentally delete their e-mails,
and you, as the administrator, must restore their messages. This can take a long time.
Microsoft® Exchange Server 2010 contains new backup and restore features that you should consider
before using the traditional backup-to-tape approach that most organizations use. This module describes
the backup and restore features of Exchange Server 2010, and details what you need to consider when
you create a backup plan.
After completing this module, you will be able to:
• Plan backup and recovery.
• Back up Exchange Server 2010.
• Restore Exchange Server 2010.

Lesson 1
Planning Backup and Recovery

Before deciding on which backup type you want to use and which software to buy, you first need to
consider your available options. Exchange Server 2010 provides many new options for backing up your
databases and restoring single items.
In this lesson, you will learn the important considerations for backing up and restoring Exchange Server
2010, so that you can create a good plan for your organization.
After completing this lesson, you will be able to:
• Describe the importance of planning for disaster recovery.
• Integrate high availability and disaster recovery.
• Identify and mitigate potential Exchange Server 2010 disasters.
• Recover deleted items.
• Describe the disaster-recovery options for Mailbox servers.
• Create a point-in-time database snapshot.
• Describe backup and restore scenarios.

Discussion: The Importance of Planning for Disaster Recovery

Key Points
This discussion details the importance of disaster-recovery planning and of having an understanding of
the options that Exchange Server has available should a disaster occur.

Question: Why is it important to plan for a disaster?

Question: What current plan does your organization have for disaster recovery?

Integrating High Availability and Disaster Recovery

Key Points
You can integrate your high availability deployment with disaster recovery, especially if you consider the
Exchange Server 2010 high availability features sufficient to satisfy your backup requirements.

Link Between High Availability and Disaster Recovery


Using Exchange Server 2010 high availability features, such as database availability groups (DAGs), allows
you to maintain 16 copies of a message database. Maintaining so many database copies lessens the need
for using backup for disaster recovery. You can spread database copies across multiple sites, which allows
you to address data-center failures and maintain an off-site copy of a database.

In Exchange Server 2010, high availability and disaster recovery go hand-in-hand. DAGs are the basis of
high availability, but you also can use them to recover from a disaster in a quick and reliable way.

High Availability Provides Options Beyond Traditional Backup and Restore


Using DAGs to configure a lagged, or point-in-time, copy of a database allows you to delay committing
changes to the database for 14 days. Thus, you always maintain a database at the state of the previous
day or week. Therefore, should a logical corruption of your current database occur, you can revert to a
lagged database copy and commit the transaction logs to a specific time that you decide.

The point-in-time database feature, together with maintaining many database copies across multiple sites,
means that organizations do not have to perform nightly backups. This is particularly true for medium and
large-size organizations.

Large Mailbox Considerations


Mailboxes that are more than 1 gigabyte (GB) in size require a more flexible backup and restore method,
because the amount of data they contain is dramatically more than those with which Exchange Server
administrators typically deal. Even though the Exchange Server 2010 database structure handles large
mailboxes better than previous versions, you should be aware of the additional data requirements for
backup.

The time it takes to restore a backup during disaster recovery skyrockets when you have large mailboxes.
When you implement large mailboxes, consider using backup-less Exchange Server and the recoverable
items folder in Exchange Server 2010 to recover data. These features provide you with two viable options
to move away from traditional backups.

Backup and Restore Requirements in a Highly Available Deployment


Even though it may appear that highly available deployments no longer require traditional backups, they
are still important. You may want to use existing backup strategies that provide offsite data storage at
secure locations. Sometimes backups also serve an archival purpose, and typically, organizations use tape
to preserve point-in-time data for extended periods, as compliance requirements mandate.

Additionally, remember that integrating high availability features as an alternative to backups only works
for the mailbox database, not for other Exchange Server resources, such as the Hub Transport
configuration. You still need to consider using traditional backup for the Hub Transport server.

Question: Why should you back up Exchange Server databases?

Disaster Mitigation Options in Exchange Server 2010

Key Points
As you prepare to implement disaster-recovery solutions in Exchange Server 2010, you first must identify
the potential risks to the Exchange Server environment, and then identify the options for mitigating those
risks. The following table lists potential risks and the Exchange Server 2010 options for mitigating the risks:

Risk: Loss of a single message
Risk mitigation strategies:
• Configure recoverable items folder and deleted item retention settings
• Recover messages from backup by using the recovery database

Risk: Loss of a single mailbox
Risk mitigation strategies:
• Configure mailbox-retention settings to ensure that you can recover most deleted mailboxes before
they are deleted permanently
• Configure hold policy, and recover it from there using a discovery mailbox
• Recover mailbox using the recovery database

Risk: Loss of a database or server
Risk mitigation strategies:
• Create a DAG on another server
• Back up the Exchange Server data, and recover lost mailbox databases from backup
• Install Exchange Server 2010 with /m:RecoverServer

Risk: Loss or corruption of a mailbox database
Risk mitigation strategies:
• Create a lagged database copy in a DAG environment
• Back up the Exchange Server data, and recover lost mailbox databases from backup

Risk: Loss of a public folder database
Risk mitigation strategies:
• Implement public folder replicas on other computers running Exchange Server

Risk: Loss of an Exchange Server computer running the Hub Transport, Client Access, or the Unified
Messaging server roles
Risk mitigation strategies:
• Implement redundant computers running Exchange Server for each role
• Back up all information on the computer running Exchange Server, and recover the server from backup
• Install Exchange Server 2010 on a new computer in Recover Server mode

Risk: Loss of an Exchange Server computer running the Mailbox server role
Risk mitigation strategies:
• Implement redundant databases using DAGs
• Implement a dial-tone recovery
• Back up all information on the computer running Exchange Server, and recover the server from backup
• Install Exchange Server 2010 on a new server in Recover Server mode

Risk: Loss of an Exchange Server computer running the Edge Transport server role
Risk mitigation strategies:
• Implement redundant Exchange servers for each role
• Back up all information on the computer running Exchange Server, and restore the server from backup
• Back up the Edge Transport server configuration using ExportEdgeConfig, and restore from backup

Risk: Loss of a supporting service, such as DNS or the Active Directory
Risk mitigation strategies:
• Implement redundant servers for each of the required services
• Implement a disaster-recovery plan for restoring Active Directory® Domain Services (AD DS) or Active
Directory directory service from backup

Demonstration: Recovering Deleted Items

Key Points
In this demonstration, you will review how to configure the global hold policy for recoverable items, so
that you can recover a deleted folder using the Discovery Search Mailbox.

Demonstration Steps
1. At the Exchange Management Shell prompt, type Set-Mailbox ScottMacDonald
-SingleItemRecoveryEnabled:$true, and then press ENTER.
2. At the Exchange Management Shell prompt, type New-ManagementRoleAssignment -Role
'Mailbox Import Export' -User 'adatum\administrator', and then press ENTER.
3. In the Exchange Management Console, assign the Administrator account full access permissions to
the Discovery Search Mailbox.
4. In Scott MacDonald’s mailbox, create a new folder, populate that folder with messages, and then
delete the folder.
5. Log on to Microsoft Outlook Web App as Administrator to define a Mailbox Search.
6. Open the Discovery Search Mailbox, and verify that it contains the deleted message.
7. Use the Export-Mailbox cmdlet to recover the folder to its original mailbox.
8. Verify that the message was recovered by accessing Scott MacDonald’s mailbox.

Question: What is the benefit of using this feature to recover mailboxes compared to existing brick-level
backup solutions?
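The configuration and recovery behind the demonstration, scripted from the Exchange Management Shell, as an added example that is not part of the course's demonstration files. It assumes the demonstration names (the ScottMacDonald mailbox, the built-in Discovery Search Mailbox, the Adatum\Administrator account) and the Exchange Server 2010 RTM Export-Mailbox cmdlet that the demonstration uses; the search name and date range are constructed. Step 4 (creating and deleting the folder in the user's mailbox) is still done in the client.

```powershell
# Added example (not the course's demonstration script): single item recovery,
# discovery search and copy-back for one mailbox. Run as Adatum\Administrator.

# 1. Keep purged items in the Recoverable Items folder for the retention
#    window, even after the user empties Deleted Items or uses Shift+Delete.
Set-Mailbox -Identity ScottMacDonald -SingleItemRecoveryEnabled $true

# Check how long items are kept. The mailbox inherits the database setting
# (14 days by default) unless it has its own RetainDeletedItemsFor value.
Get-Mailbox -Identity ScottMacDonald |
    Format-List SingleItemRecoveryEnabled, RetainDeletedItemsFor, UseDatabaseRetentionDefaults
Get-MailboxDatabase -Identity (Get-Mailbox -Identity ScottMacDonald).Database |
    Format-List Name, DeletedItemRetention

# 2. Rights to run searches (Discovery Management role group) and to copy
#    results into another mailbox (Mailbox Import Export role).
Add-RoleGroupMember -Identity 'Discovery Management' -Member 'adatum\administrator'
New-ManagementRoleAssignment -Role 'Mailbox Import Export' -User 'adatum\administrator'

# 3. Full access to the discovery mailbox, so the results can be opened in OWA.
$discovery = Get-Mailbox -RecipientTypeDetails DiscoveryMailbox | Select-Object -First 1
Add-MailboxPermission -Identity $discovery.Identity -User 'adatum\administrator' -AccessRights FullAccess

# 5. Define and run the search (the demonstration does this in OWA). Searches
#    include the Recoverable Items folder, where the deleted folder's
#    messages now live.
$searchName = 'Scott deleted folder'   # constructed search name
New-MailboxSearch -Name $searchName `
    -SourceMailboxes ScottMacDonald `
    -TargetMailbox $discovery.Identity `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date)
Start-MailboxSearch -Identity $searchName
do {
    Start-Sleep -Seconds 15
    $search = Get-MailboxSearch -Identity $searchName
} while ($search.Status -eq 'InProgress')
$search | Format-List Name, Status, ResultNumber

# 7. Copy the results from the discovery mailbox into a Recovered folder in
#    Scott's mailbox, so nothing in the live mailbox is overwritten.
Export-Mailbox -Identity $discovery.Identity `
    -TargetMailbox ScottMacDonald -TargetFolder 'Recovered' -Confirm:$false

# 8. Verify: the Recovered folder exists and holds items.
Get-MailboxFolderStatistics -Identity ScottMacDonald |
    Where-Object { $_.FolderPath -like '/Recovered*' } |
    Format-Table FolderPath, ItemsInFolder -AutoSize
```

Two things a practitioner should take from the script: the search only finds what retention has kept, so check RetainDeletedItemsFor before promising a recovery; and every Add-MailboxPermission on the discovery mailbox is a grant of access to other users' data, so remove it again when the recovery is complete.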

Disaster-Recovery Options for Mailbox Servers

Key Points
Exchange Server 2010 includes new recovery options for mailbox servers.

Disaster Recovery with DAGs


The ability to create up to 16 database copies, even on off-site servers, allows you to recover a copy
quickly and easily if one is destroyed or unavailable. Failover in the DAG is configured automatically, so
the clients should not encounter much disturbance.

Mailbox Servers in a DAG Can Host Other Server Roles


Unlike previous Exchange Server versions, each Mailbox server that hosts a DAG also can host other server
roles, such as Hub Transport and Client Access servers. Thus, you can deploy all server roles, including the
DAG, at a branch office or a remote site that does not have the budget to implement an expensive server
environment. All an organization needs is one Exchange server to support both its server and disaster-
recovery needs.

Point-in-Time Database Snapshot with Lagged Copy of DAG


If your organization requires a point-in time copy of mailbox data, use Exchange Server 2010 to create a
lagged copy in a DAG environment. You can use lagged database copies in the rare event that a logical
corruption replicates across the DAG databases, resulting in a need to return to a previous point in time.
For example, you can configure the lagged database to commit log files to a maximum of two weeks. You
also can place this database copy on a server at another site.

Recovery Database to Recover Mailboxes, Folders, or Items


In Exchange Server 2010, the recovery database replaces the Recovery Storage Group (RSG) found in
Exchange Server 2007. The recovery database is an additional database that you mount on your server to
recover single messages, folders, or entire mailboxes from an offline or online backup of your Exchange
database.

Lower Cost of DAG Backup Compared to Traditional Backup


Evaluate the cost of your current backup infrastructure, including hardware, installation, and license costs,
as well as the management cost associated with recovering data and maintaining the backups. Depending
on your organization’s requirements, a DAG environment may provide lower total cost of ownership
(TCO) than a traditional backup environment.
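How the recovery database described above is used in practice, as an added example that is not part of the course's own material. It assumes Exchange Server 2010 RTM cmdlets (Restore-Mailbox), a copy of the Accounting database file and its log files already restored from backup to D:\Restore\Accounting (constructed paths), the Mailbox server VAN-EX1, and the mailbox ScottMacDonald.

```powershell
# Added example (not the course's own code): recover one mailbox from a
# restored database file by mounting it as a recovery database.

$restoredEdb  = 'D:\Restore\Accounting\Accounting.edb'   # constructed path
$restoredLogs = 'D:\Restore\Accounting\Logs'             # constructed path

# 1. Check the state of the restored file. A database restored without its
#    logs replayed is in Dirty Shutdown and cannot be mounted as it is.
$state = (& eseutil /mh $restoredEdb | Select-String 'State:') -join ''
Write-Host $state
if ($state -match 'Dirty Shutdown') {
    # Replay the logs into the database. E00 is the log prefix of the first
    # database on a server; check the log folder for the prefix actually used.
    & eseutil /R E00 /l $restoredLogs /d (Split-Path -Parent $restoredEdb)
    if ($LASTEXITCODE -ne 0) { throw "Log replay failed with exit code $LASTEXITCODE" }
}

# 2. Create a recovery database that points at the restored files. It is not
#    visible to users and cannot be added to a DAG.
New-MailboxDatabase -Recovery -Name RDB1 -Server VAN-EX1 `
    -EdbFilePath $restoredEdb -LogFolderPath $restoredLogs
Mount-Database -Identity RDB1

# 3. List the mailboxes it contains, to confirm the right backup was restored.
Get-MailboxStatistics -Database RDB1 |
    Format-Table DisplayName, ItemCount, TotalItemSize -AutoSize

# 4. Copy Scott's data into a Recovered folder in his live mailbox, so the
#    current contents of the live mailbox are not overwritten.
Restore-Mailbox -Identity ScottMacDonald -RecoveryDatabase RDB1 `
    -RecoveryMailbox ScottMacDonald -TargetFolder 'Recovered' -Confirm:$false

# 5. Clean up once the data is back; a forgotten recovery database is an
#    unmonitored copy of user mail on the server.
Dismount-Database -Identity RDB1 -Confirm:$false
Remove-MailboxDatabase -Identity RDB1 -Confirm:$false
```

Removing the recovery database does not delete the restored files from D:\Restore; delete or move them once the recovery has been confirmed with the user.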

Demonstration: How to Create a Point-in-Time Database Snapshot

Key Points
In this demonstration, you will review how to configure a database copy on a remote server, and how to
configure a database copy to be a lagged database. Additionally, you will see how to block a server from
activating its database copies automatically, which prevents accidental activation of the lagged copy.

Demonstration Steps
1. At the Exchange Management Shell prompt, type New-DatabaseAvailabilityGroup -Name DAG1
-WitnessServer VAN-DC1 -WitnessDirectory C:\FSWDAG1 -DatabaseAvailabilityGroupIPAddresses
10.10.0.100, and then press ENTER.

Note: You can only place the witness directory on a Hub Transport server when you are using the
Exchange Management Console. However, when using the Exchange Management Shell, you can
place the witness directory on any server, including a server that is not running the Exchange server
role.

2. On the Exchange Management Console, add VAN-EX1 and VAN-EX2 to DAG1, and then add a copy
of the Accounting database to VAN-EX2 with a replay lag time of 7 days.
3. At the Exchange Management Shell prompt, type Set-MailboxServer VAN-EX2
-DatabaseCopyAutoActivationPolicy Blocked, and then press ENTER.
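Steps 2 and 3 from the shell, followed by the checks that show the lag is actually in effect, as an added example that is not part of the course's demonstration files. It assumes DAG1 already exists from step 1 with VAN-EX1 and VAN-EX2 as members, that the Accounting database is active on VAN-EX1, and the 7-day replay lag from step 2.

```powershell
# Added example (not the course's demonstration script): a lagged copy and
# the activation block that protects it.

# Add the copy with a 7-day replay lag: logs are copied immediately but not
# replayed into this copy until they are 7 days old. The maximum lag is 14 days.
Add-MailboxDatabaseCopy -Identity Accounting -MailboxServer VAN-EX2 `
    -ReplayLagTime 7.00:00:00

# Keep the lagged copy from being activated automatically. If a failover
# activated it, the server would first have to replay up to 7 days of logs,
# and the point-in-time copy would be gone.
Set-MailboxServer -Identity VAN-EX2 -DatabaseCopyAutoActivationPolicy Blocked

# Verify. The lag is recorded on the database, the copy should be Healthy,
# and over time ReplayQueueLength grows while CopyQueueLength stays near
# zero. A growing copy queue means logs are not arriving, which is a
# replication problem rather than the intended lag.
Get-MailboxDatabase -Identity Accounting |
    Format-List Name, ReplayLagTimes, TruncationLagTimes
Get-MailboxDatabaseCopyStatus -Identity 'Accounting\VAN-EX2' |
    Format-List Name, Status, CopyQueueLength, ReplayQueueLength, LastInspectedLogTime
Get-MailboxServer -Identity VAN-EX2 |
    Format-List Name, DatabaseCopyAutoActivationPolicy
```

Returning to a point in time later is a manual operation: suspend the lagged copy, set aside the log files newer than the point you want, replay the remaining logs with eseutil /R, and only then activate the copy. Leaving DatabaseCopyAutoActivationPolicy at Blocked on VAN-EX2 is what makes sure the DAG does not do that replay for you at the wrong moment.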

Backup and Restore Scenarios

Key Points
Even though Exchange Server 2010 supports backup-less scenarios, there are cases in which your
organization may want to maintain its traditional backup methods.

No Available DAGs
Organizations that do not use DAGs need to consider traditional ways to back up their databases.

Single Exchange Server Implementation


Single Exchange Server implementations are not conducive to DAG usage because a DAG requires adding
more server hardware. Traditional backups to disks or tapes are the option to follow here.

Utilize an Existing Backup Environment


If your company has an existing backup environment in which all other applications back up their data,
your company's backup strategy might require Exchange Server to follow the same approach. So even when
you maintain multiple copies of your database, you are required to have a copy of it in your backup
environment.

Backups Are Governed by Compliance Requirements


You typically use tape backups if there is an archival reason to preserve data for an extended time, as
governed by compliance requirements. Especially if the storage is long-term, sometimes up to 10 years,
you also need to ensure that you can access the data in the future.

Lesson 2
Backing Up Exchange Server 2010

Backing up your company’s data is the most serious task in your Exchange Server installation. You cannot
recover necessary data if you have not backed it up correctly. In this lesson you will learn the different
ways that you can back up data with Exchange Server 2010.
After completing this lesson, you will be able to:
• Describe the backup changes in Exchange Server 2010.
• Describe the backup requirements for Exchange Server 2010.
• Describe backup strategies.
• Describe how a Volume Shadow Copy Service (VSS) backup works.
• Select an Exchange Server backup solution.
• Back up Exchange Server 2010.

Changes to Backup in Exchange Server 2010

Key Points
Exchange Server 2010 changes to the backup application programming interface (API) and the underlying
database structure affect how you back up the Exchange Server database.

Removal of ESE Streaming APIs for Backup and Restore


Previously, Exchange Server used Extensible Storage Engine (ESE) streaming APIs for backup and restore.
Now, Exchange Server 2010 supports only VSS-based backups. To back up and restore Exchange Server
2010, you must use an Exchange Server-aware application that supports the VSS writer, such as Microsoft
System Center Data Protection Manager or a third-party Exchange Server-aware, VSS-based application.

Storage Group Removal


One significant change in Exchange Server 2010 is the removal of storage groups. In Exchange Server
2010, each database is associated with a single log stream as represented by a series of 1 megabyte (MB)
log files. Each Mailbox server can host up to 100 active and passive databases.

Database Not Closely Linked to a Specific Mailbox Server


Another significant change for Exchange Server 2010 is that databases no longer link closely to a specific
Mailbox server. Database mobility expands the system’s use of continuous replication, by replicating a
database to multiple servers. This provides better database protection and increases availability. If failures
occur, the other servers with database copies can mount the database.

Use DAGs for Backup-Less Exchange Server


Because you can have multiple database copies hosted on multiple servers, you can also consider
maintaining a backup-less Exchange Server organization in which you enable circular logging on your
databases. This removes the transaction log files so they do not pile up. Transaction log files are removed
when you do a full Exchange Server backup. Circular logging accomplishes the same task in a backup-less
environment.
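Before enabling circular logging for a backup-less design, confirm that the database really has the redundant copies that justify giving up backup-based log truncation. The following check and switch is an added example, not the course's own code. It assumes DAG1 with the Accounting database; the required number of healthy copies (3) is a constructed policy value.

```powershell
# Added example (not the course's own code): enable circular logging only
# when a database has enough healthy copies.

function Test-BackupLessReady {
    param(
        [string]$Database,
        [int]$MinimumHealthyCopies = 3    # constructed policy value
    )
    # "Database\*" returns the status of every copy of the database.
    $copies  = @(Get-MailboxDatabaseCopyStatus -Identity "$Database\*")
    $healthy = @($copies | Where-Object { $_.Status -eq 'Mounted' -or $_.Status -eq 'Healthy' })
    New-Object PSObject -Property @{
        Database      = $Database
        TotalCopies   = $copies.Count
        HealthyCopies = $healthy.Count
        Ready         = ($healthy.Count -ge $MinimumHealthyCopies)
    }
}

$check = Test-BackupLessReady -Database Accounting
$check | Format-List Database, TotalCopies, HealthyCopies, Ready

if ($check.Ready) {
    # On a replicated database this enables continuous replication circular
    # logging, which takes effect without dismounting the database. On a
    # database with no copies the change needs a dismount and mount.
    Set-MailboxDatabase -Identity Accounting -CircularLoggingEnabled $true
} else {
    Write-Warning ("Accounting has {0} healthy copies; keep backup-based log truncation." -f $check.HealthyCopies)
}

# Confirm the setting, then watch the log folder over the next few hours:
# with circular logging the number of log files should stop growing.
Get-MailboxDatabase -Identity Accounting |
    Format-List Name, CircularLoggingEnabled, LogFolderPath
```

A copy that reports Healthy but has a large replay queue is still counted here; if a lagged copy is part of the design, decide separately whether it should count toward the minimum, since it is deliberately behind.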

Backup Requirements for Exchange Server 2010

Key Points
The backup requirements for Exchange Server 2010 computers differ depending on the Exchange server
roles that you install on the computers. The following table lists the information that you need to back up
for each Exchange server role:

Exchange server role: All roles
Backed-up data: System State of server and Active Directory database on domain controllers
Purpose: System State includes the local configuration data of the machine. AD DS and Active Directory
store most Exchange server configuration information, which is required to rebuild the server using
Recover Server mode.

Exchange server role: Mailbox server
Backed-up data: Databases and transaction logs
Purpose: Restore data if a database or storage group is lost

Exchange server role: Client Access server
Backed-up data: Server certificates used for Secure Sockets Layer (SSL); specific Internet Information
Server (IIS) configuration
Purpose: Restore the server certificate on a new Client Access server; restore IIS configuration

Exchange server role: Hub Transport server, Edge Transport server
Backed-up data: Message-tracking logs
Purpose: Restore tracking information for analysis

Exchange server role: Edge Transport server
Backed-up data: Content-filtering database
Purpose: Restore the content-filtering configuration; restore the Edge Transport server configuration by
enabling edge synchronization

Exchange server role: Unified Messaging server
Backed-up data: Custom audio prompts
Purpose: Restore audio prompts

The Exchange Server environment includes additional information, such as the Offline Address Book,
availability data that a local folder stores, and other configuration data. This information is rebuilt
automatically when you rebuild the Exchange Server environment. AD DS and Active Directory store much
of the configuration information, which you can restore only if an Active Directory domain controller is
available. You must ensure that your disaster-recovery planning includes backing up and restoring AD DS
and Active Directory.
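A script that collects the role-specific items from the table into one staging folder for the regular file backup, as an added example that is not part of the course's own material. It assumes it runs in the Exchange Management Shell as a local administrator on VAN-EX1, detects the installed roles itself, and uses constructed paths (D:\ExchangeBackupStaging, backup target E:). Message-tracking logs and database files are listed rather than copied, because they are large and are covered by the file and VSS backups; Unified Messaging custom prompts are not on the file system in Exchange Server 2010 and are left to the mailbox backup.

```powershell
# Added example (not the course's own code): stage per-role backup items.

$staging = 'D:\ExchangeBackupStaging'                 # constructed path
New-Item -ItemType Directory -Path $staging -Force | Out-Null
$server = $env:COMPUTERNAME
$roles  = (Get-ExchangeServer -Identity $server).ServerRole
$paths  = Join-Path $staging 'paths-to-backup.txt'

# Client Access role: export every certificate enabled for IIS with its
# private key, protected by a password entered at run time (never stored).
if ($roles -match 'ClientAccess') {
    $password = Read-Host 'Password to protect exported certificates' -AsSecureString
    Get-ExchangeCertificate -Server $server |
        Where-Object { $_.Services -match 'IIS' -and $_.HasPrivateKey } |
        ForEach-Object {
            $pfx = Export-ExchangeCertificate -Thumbprint $_.Thumbprint -Server $server `
                -BinaryEncoded -Password $password
            Set-Content -Path (Join-Path $staging "$($_.Thumbprint).pfx") `
                -Value $pfx.FileData -Encoding Byte
        }
    # IIS configuration: appcmd writes a named backup under
    # %windir%\system32\inetsrv\backup, which the file backup then picks up.
    & "$env:windir\system32\inetsrv\appcmd.exe" add backup "ExchangeCAS-$(Get-Date -Format yyyyMMdd)"
}

# Hub Transport or Edge Transport: record the message-tracking log location
# so the file backup job includes it.
if ($roles -match 'HubTransport' -or $roles -match 'Edge') {
    (Get-TransportServer -Identity $server).MessageTrackingLogPath | Out-File $paths -Append
}

# Edge Transport: clone the configuration (connectors, accepted domains,
# agent settings) to XML with the script shipped in the Exchange scripts folder.
if ($roles -match 'Edge') {
    & "$exscripts\ExportEdgeConfig.ps1" -CloneConfigData (Join-Path $staging 'EdgeConfig.xml')
}

# Mailbox role: document where each database and its logs live.
if ($roles -match 'Mailbox') {
    Get-MailboxDatabase -Server $server | ForEach-Object {
        '{0}: {1} ; {2}' -f $_.Name, $_.EdbFilePath, $_.LogFolderPath
    } | Out-File $paths -Append
}

# All roles: System State, which holds the local configuration and, on a
# domain controller, the Active Directory database.
& wbadmin start systemstatebackup -backupTarget:E: -quiet   # constructed target
```

The exported .pfx files contain private keys; the staging folder and the backup media that receive it need the same access controls as the servers themselves.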

Backup Strategies

Key Points
You can use Windows Server® Backup in Windows Server 2008 or a third-party Exchange Server-aware
backup tool to implement different backup strategies. The backup strategies from which you can choose
include full, full plus incremental, full plus differential, copy, and brick-level backup. Each backup strategy
has advantages and disadvantages in terms of storage requirements and performance. The backup
strategy you select can affect how the restore process occurs.

Full Backups
A full backup performs an online backup of both the database files and transaction logs. After successful
completion of a full database backup, transaction logs that have been committed to the Exchange Server
database are deleted.

Note: If a backup is not functioning properly, transaction logs on a server can grow quickly and cause a
partition to run out of space. When the partition holding the transaction logs is out of space, the
databases will dismount and be unavailable for use.

A full backup each day is the preferred strategy. Restoring a full backup is simple, and it requires only one
backup set.

Full Plus Incremental Backups


An incremental backup captures only the data that changed since the last full or incremental backup.
Transaction logs are the only data included in this backup, and committed transaction logs are deleted
after a successful incremental backup. If you enable circular logging, this backup option is not available.

Full Plus Differential Backups


A differential backup captures only the data that has changed since the last full backup. This backup
strategy only backs up the transaction logs. A differential backup never removes the transaction logs. If
you enable circular logging, this backup option is not available.

Copy Backups
A copy backup is equivalent to a full backup of the databases. However, the transaction logs are not
backed up, deleted, or marked in any way. This ensures that the copy does not affect scheduled
incremental or differential backups.

Brick-Level Backups
Brick-level backups copy every message in all mailboxes. As a result, identical messages stored in several
mailboxes all are backed up. This type of backup requires much more storage capacity and time than
standard backup strategies, and it results in a backup that is significantly larger than the Exchange Server
database.
For a brick-level backup, you need specific third-party backup software that is capable of storing the
backed-up data so you have single-item recovery. You use this when a user requests single-item recovery,
even though the item is not available in the Deleted Items folder anymore.
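The note under Full Backups describes the failure mode a backup operator most needs to catch early: a backup that has silently stopped working shows up first as stale backup timestamps on the databases and a filling log volume, long before the databases dismount. The following check is an added example, not the course's own code. It assumes it runs in the Exchange Management Shell on a Mailbox server; the thresholds (2 days, 20 percent free) are constructed policy values.

```powershell
# Added example (not the course's own code): report databases whose backup is
# stale or whose log volume is filling.

function Get-BackupHealth {
    param(
        [int]$MaxFullBackupAgeDays = 2,   # constructed policy value
        [int]$MinFreePercent = 20         # constructed policy value
    )
    # -Status populates the backup timestamps and BackupInProgress.
    foreach ($db in Get-MailboxDatabase -Server $env:COMPUTERNAME -Status) {
        $drive = Split-Path -Qualifier $db.LogFolderPath
        $disk  = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'"
        $freePct = if ($disk.Size) { [math]::Round(100 * $disk.FreeSpace / $disk.Size, 1) } else { 0 }
        $age = if ($db.LastFullBackup) {
            ((Get-Date) - $db.LastFullBackup).TotalDays
        } else {
            [double]::PositiveInfinity    # never backed up
        }

        $problems = @()
        # With circular logging the logs are truncated without a backup, so a
        # stale timestamp is expected there and is not reported.
        if (-not $db.CircularLoggingEnabled -and $age -gt $MaxFullBackupAgeDays) {
            $problems += ('last full backup {0:N1} days ago' -f $age)
        }
        if ($db.BackupInProgress) { $problems += 'backup still in progress' }
        if ($freePct -lt $MinFreePercent) { $problems += "$freePct% free on log volume $drive" }

        New-Object PSObject -Property @{
            Database              = $db.Name
            LastFullBackup        = $db.LastFullBackup
            LastIncrementalBackup = $db.LastIncrementalBackup
            CircularLogging       = $db.CircularLoggingEnabled
            LogVolumeFreePercent  = $freePct
            Problems              = ($problems -join '; ')
        }
    }
}

Get-BackupHealth |
    Format-Table Database, LastFullBackup, CircularLogging, LogVolumeFreePercent, Problems -AutoSize
```

A database whose BackupInProgress flag stays set long after the backup window has closed is usually a backup job that crashed without releasing the database; until that is cleared, the next backup cannot start and the logs keep accumulating.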

How Does a VSS Backup Work?

Key Points
Exchange Server 2007 and Exchange Server 2003 include two different options for data backup and
recovery: ESE streaming backup APIs and support for the VSS backup APIs. ESE streaming APIs are not
available in Exchange Server 2010, so you must back up Exchange Server with VSS backup APIs.

What Is VSS?
VSS provides the backup infrastructure for Windows Server 2008, as well as a mechanism for creating
consistent point-in-time data copies, which are known as shadow copies.
VSS produces consistent shadow copies by coordinating with business applications, file-system services,
backup applications, fast-recovery solutions, and storage hardware. It includes the following components:
• Writer. The VSS writer that is included with Exchange Server 2010 and that coordinates Exchange
Server 2010’s input/output (I/O) with VSS.
• Requestor. Backup or restore application, such as Windows Server Backup.
• Provider. Low-level system or hardware interfaces, such as Storage Area Networks (SANs).

How VSS Backup Works


Backup solutions that use VSS create a shadow copy of the disk as the backup process begins. Then,
Exchange Server creates the backup with the shadow copy rather than the working disk, so that backup
does not interrupt normal operations.

This method offers the following advantages:
• It produces a backup of a volume that reflects that volume’s state when the backup begins, even if
the data changes while the backup is in progress. All the data in the backup is internally consistent,
and it reflects the volume’s state at a single point in time.
Implementing Backup and Recovery 8-21

• It notifies applications and services that a backup is about to occur. The services and applications,
such as Exchange Server, therefore can prepare for the backup by cleaning up on-disk structures and
flushing caches.

Exchange Server Support for VSS Backup

To perform a VSS backup, VSS must be enabled on the Exchange server, and the third-party backup
solution must support the VSS backup and restore APIs.

Exchange Server 2010 support for VSS has the following limitations:
• VSS support is at the database level.
• VSS support is for normal backups and copy backups, but not for incremental or differential backups.

Considerations for Selecting an Exchange Server Backup Solution

Key Points
When selecting a backup solution for Exchange Server, you must consider your system’s characteristics
and those of the software and hardware.
System characteristics to consider include:
• The amount of data you are backing up.
• The time window in which the backup can occur.
• The type of backup you are performing.
• Recovery time requirements.
• Archiving requirements.

Backup Software Selection Criteria

The following list provides some basic criteria for selecting backup software. Select the software that
best meets the needs of your Exchange Server deployment and disaster-recovery requirements.

Selection criteria and explanation:
• Backup architecture. Your backup software should provide support for any operating systems that
you have. Additionally, the backup software should be able to back up Exchange Server to your desired
media, either on the local computer or over the network. Windows Server Backup is not capable of
backing up to a remote tape drive.
• Scheduling. Your backup software should support the ability to schedule the backups that you
require for your organization. Most backup software allows you to schedule jobs at any time you
require. However, it is easier to configure in some software packages than in others.
• Brick-level backup support. If desired, ensure that your software supports brick-level backups.
• Exchange Server VSS API support. Your backup software must support the Exchange Server VSS
backup API to perform online backups successfully.
• Tape management. Different backup software has varying degrees of flexibility for tape
management. This includes automated naming of blank tapes and preventing existing tapes from
being overwritten accidentally.
• Vendor support. Vendor support is essential if you experience any problems during disaster
recovery. Ensure that vendor support is available for your backup software.
• Disaster-recovery support. Some backup software has a disaster-recovery option that provides
complete disaster recovery for a failed server, including Exchange Server.
• Hardware support. Your backup software must support the technologies that your company uses,
including clustering or SANs.

Windows Server Backup

When you install the Exchange Management Console on a server running Windows Server 2008, it
updates Windows Server Backup to support Exchange Server 2010. Windows Server Backup then enables
you to perform VSS-based backups of Exchange Server data.

For many smaller organizations, Windows Server Backup provides a sufficient solution. However, larger
organizations may require a more robust backup strategy. Windows Server Backup limitations include:
• Backups only performed at volume level. You can only perform full backups, not incremental or
differential backups.
• Backup support for active databases but not passive databases.
• Only available for Windows Server 2008 or Windows Server 2008 R2.
• Windows Server Backup command-line tools are not compatible with Exchange Server 2010.

Backup Hardware Selection Criteria

The two most common types of backup hardware are tape and disk. Which you use depends on your
requirements. The following table lists the characteristics of using either a tape or disk for backup:

Characteristic      Tape                                    Disk server    Portable disk
Speed               Slower                                  Faster         Faster
Capacity            Up to 400 GB per tape (tape libraries   Large          1+ terabyte (typical) per disk
                    allow the use of multiple tapes)
Off-site storage    Yes                                     Typically no   Yes
Media durability    Excellent                               Excellent      OK

Many organizations use disk-based backup as the first tier, and then utilize tape as a second tier. This
allows you to perform primary backups quickly to disk. Typically, any data that you need to archive off site
is backed up to tape from the disk backup.

Demonstration: How to Back Up Exchange Server 2010

Key Points
In this demonstration, you will review how to install the Windows Server Backup program and how to use
Windows Server Backup to back up Exchange Server 2010. You will also use the Event Viewer to verify that
the Exchange Server databases were backed up correctly.

Demonstration Steps
1. In Server Manager, add the Windows Server Backup feature.
2. In Windows Server Backup, create a backup set to back up the C: drive and run the backup.
3. In Event Viewer, verify that the Exchange Server databases are part of the backup and that they have
been backed up successfully.
Question: Do you plan to use Windows Server Backup as your primary Exchange Server backup
solution?

Lesson 3
Restoring Exchange Server 2010

Another important component in ensuring availability of e-mail services is planning for recovery.
Organizations that implement high availability solutions still need to plan for scenarios in which the high
availability solutions are not enough. These scenarios might include something as minor as needing to
recover a single mailbox or message, to something as catastrophic as losing an entire data center. This
lesson discusses how to restore Exchange Server 2010.
After completing this lesson, you will be able to:
• Describe restore strategies.
• Describe the process for recovering data by using the recovery database.
• Recover data by using the recovery database.
• Describe dial-tone recovery.
• Implement dial-tone recovery.
• Describe database mobility.
• Recover computers that run Exchange Server.

Restore Strategies

Key Points
You can use several strategies to restore Exchange Server data. The strategy that you select depends upon
the data that you need to recover.

Hold Policy and Single Item Recovery


This is a new Exchange Server 2010 feature. When you enable the Single Item Recovery feature for a
mailbox, it keeps items that are purged from the Deleted Items folder in a new dumpster folder for a
specific time. This folder is not accessible to the end user, but it is accessible to administrators assigned to
the Discovery Management role. Essentially, you can ensure that items are not deleted for the duration
that you typically keep backups.

Deleted Mailbox Retention


By default, the mailbox database stores deleted mailboxes for 30 days. Within those 30 days, you can
reconnect the mailbox to another account and access its messages. After you connect the mailbox to an
account, the deleted mailbox retention period restarts if the mailbox is deleted again.

You can extend the deleted mailbox retention period on mailbox databases. However, extending the
deleted mailbox retention period causes the mailbox database to grow to hold the additional deleted
mailboxes.
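The following Exchange Management Shell script is an added example, not part of the course, that sets the two retention windows described above to cover a backup cycle and then audits for mailboxes that fall short. The Accounting database and VAN-EX1 are the lab's names; the 30-day window is a constructed value.

```powershell
# Added example (not part of the course): make the deleted-mailbox and deleted-item retention windows
# cover the backup rotation, enable Single Item Recovery, and report the mailboxes still falling short.
# 'Accounting' and VAN-EX1 are the lab's names; the 30-day window is a constructed value.
$BackupWindowDays = 30
$Window = '{0}.00:00:00' -f $BackupWindowDays      # EnhancedTimeSpan form: days.hours:minutes:seconds

# Database level: how long a deleted mailbox stays reconnectable, and how long purged items are kept.
Set-MailboxDatabase -Identity 'Accounting' -MailboxRetention $Window -DeletedItemRetention $Window

# Mailbox level: Single Item Recovery keeps items purged from Deleted Items in the Recoverable Items
# dumpster for RetainDeletedItemsFor, out of the user's reach but reachable by Discovery Management.
# UseDatabaseRetentionDefaults must be $false or the mailbox-level value is ignored.
Get-Mailbox -Database 'Accounting' -ResultSize Unlimited |
    Set-Mailbox -SingleItemRecoveryEnabled $true `
                -UseDatabaseRetentionDefaults $false `
                -RetainDeletedItemsFor $Window

# Audit: any mailbox on the server without Single Item Recovery, or with a shorter window, is one
# that only a database restore could rescue. Run after the change and on a schedule.
function Get-RetentionGap {
    param([string]$Server = 'VAN-EX1', [int]$MinDays = $BackupWindowDays)
    Get-Mailbox -Server $Server -ResultSize Unlimited |
        Where-Object {
            -not $_.SingleItemRecoveryEnabled -or
            $_.UseDatabaseRetentionDefaults -or
            $_.RetainDeletedItemsFor.Days -lt $MinDays
        } |
        Select-Object Name, Database, SingleItemRecoveryEnabled, UseDatabaseRetentionDefaults, RetainDeletedItemsFor
}
Get-RetentionGap | Format-Table -AutoSize
```

Mailboxes that still use the database defaults are listed too, because for them the database-level DeletedItemRetention is the value that matters.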

Database Restores
Restoring a database overwrites the existing database with a restored copy of the database. After you
restore the database, you can replay the current transaction logs to bring the database to its current state.
You typically restore a database when it becomes corrupt or a disk fails.

Recovery Database
The recovery database restores databases without affecting current mailboxes. After you restore a
database to the recovery database, you can copy messages to a folder or merge them into user mailboxes.

Dial-Tone Recovery
Dial-tone recovery is the process of implementing user access to e-mail services without first restoring
data to user mailboxes. Dial-tone recovery enables users to send and receive e-mail as soon as possible
after a database or server loss. This module discusses dial-tone recovery in more depth later.

Recovery Server
A recovery server is a dedicated server for restoring Exchange Server databases. This can be useful for
testing backups to ensure that they are capturing data properly. However, improvements in recovery-
database performance have reduced the need to use a recovery server for data recovery.

Process for Recovering Data Using the Recovery Database

Key Points
The recovery database is a recovered database that can coexist on the same server that hosts the original
database. Users cannot access it directly. Only administrators can access it to recover single items, folders,
mailboxes, or complete databases from the recovery database.
The recovery database replaces the recovery storage group from previous Exchange Server versions.

You can use the Exchange Management Shell to create a recovery database.

Recovering Data Using the Recovery Database

To recover data using the recovery database, complete the following steps:
1. Use the Exchange Management Shell to create a new recovery database.
2. Restore the database that you want to recover.
3. Mount the recovery database, and merge the data from the recovery database mailbox into the
production mailbox. You can use the Exchange Management Shell Restore-Mailbox cmdlet to
perform this task.

When to Use the Recovery Database


You can use the recovery database in the following scenarios:
• Dial-tone recovery. When you implement dial-tone recovery, you set up a dial-tone mailbox database
on the same server or on an alternate server to provide temporary access to e-mail services. You then
use the recovery database to restore the temporary data into the production database after you
recover the original database from backup.
• Individual mailbox recovery. You can recover individual mailboxes by restoring the database that
holds the mailbox to the recovery database. Then you can extract the data from the deleted mailbox,
and copy it to a target folder or mailbox in the production database.

• Specific item recovery. If a message no longer exists in the production database, you can recover the
database that held the message to the recovery database. Then you can extract the data from the
mailbox and copy it to a target folder or mailbox in the production database. However, you also
should consider using hold policy for this situation, as recovering the database might be time
consuming.

Demonstration: How to Recover Data by Using the Recovery Database

Key Points
In this demonstration, you will review how to create a recovery database and how to restore data to the
recovery database.

Demonstration Steps
1. Use Windows Server Backup to restore the Exchange Server databases to C:\DBBackup.
2. At the Exchange Management Shell prompt, type the following command, and then press ENTER.
This command creates the recovery database using the recovered Accounting database.
New-MailboxDatabase -Name "RecoverDB" -Server VAN-EX1 -EDBFilePath "c:\DBBackup\C_\Program Files\Microsoft\Exchange Server\V14\Mailbox\Accounting\Accounting.edb" -LogFolderPath "c:\DBBackup\C_\Program Files\Microsoft\Exchange Server\V14\Mailbox\Accounting" -Recovery
3. Use the following command to repair the recovered database:
eseutil /p "c:\dbbackup\c_\Program Files\Microsoft\Exchange Server\v14\Mailbox\Accounting\Accounting.edb"
4. At the Exchange Management Shell prompt, type Mount-Database "RecoverDB", and then press
ENTER.
5. Use the Get-MailboxStatistics -Database "RecoverDB" command to display the mailboxes in the
recovery database.
6. At the Exchange Management Shell prompt, type Restore-Mailbox -Identity MichiyoSato -RecoveryDatabase RecoverDB, and then press ENTER.

Question: What is the difference between using Single Item Recovery and performing a restore by using
the recovery database?
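The following Exchange Management Shell script is an added example, not part of the course, that scripts the three-step recovery-database process and the demonstration above, with the check a practitioner wants before repairing the restored file: it reads the database header with eseutil /mh and uses soft recovery (eseutil /R, as the lab does) instead of the lossy hard repair (eseutil /p) unless the header is already clean. The paths, RecoverDB, the E02 log prefix and the user MichiyoSato come from the demonstration and lab; the target folder, the subject filter and eseutil being on the PATH are assumptions.

```powershell
# Added example (not part of the course): create a recovery database from a database restored by
# Windows Server Backup, check and repair its state, mount it, and restore one mailbox into a
# target folder. Paths, database name, log prefix and user are from the course's demonstration and lab;
# the target folder and subject filter are assumed placeholders. Run in the Exchange Management Shell
# on VAN-EX1 (assumes eseutil.exe is on the PATH, as Exchange Setup arranges).
$EdbFile        = 'C:\DBBackup\C_\Program Files\Microsoft\Exchange Server\V14\Mailbox\Accounting\Accounting.edb'
$LogFolder      = Split-Path -Path $EdbFile -Parent
$LogPrefix      = 'E02'          # log file base name of the Accounting database in the lab
$RecoveryDbName = 'RecoverDB'

function Get-EdbState([string]$Path) {
    # eseutil /mh dumps the database header; its State line reads "Clean Shutdown" or "Dirty Shutdown".
    $header = & eseutil /mh "$Path"
    $match = $header | Select-String -Pattern '^\s*State:\s*(.+?)\s*$' | Select-Object -First 1
    if (-not $match) { throw "Could not read the database header of $Path" }
    return $match.Matches[0].Groups[1].Value
}

# 1. A database restored from a VSS backup is normally in Dirty Shutdown: its log files still have to
#    be replayed. Soft recovery (/R) replays them; hard repair (/p) discards pages it cannot fix and is
#    a last resort. /i ignores mismatched database attachments; /d with no path means the current folder.
if ((Get-EdbState $EdbFile) -ne 'Clean Shutdown') {
    Push-Location $LogFolder
    try     { & eseutil /R $LogPrefix /i /d }
    finally { Pop-Location }
    if ((Get-EdbState $EdbFile) -ne 'Clean Shutdown') {
        throw 'Soft recovery did not reach Clean Shutdown; check the log files before considering eseutil /p'
    }
}

# 2. Register the restored files as a recovery database and mount it. Users cannot see this database.
New-MailboxDatabase -Name $RecoveryDbName -Server 'VAN-EX1' -Recovery `
    -EdbFilePath $EdbFile -LogFolderPath $LogFolder
Mount-Database -Identity $RecoveryDbName

# 3. Inventory what the backup contains before touching production mailboxes.
Get-MailboxStatistics -Database $RecoveryDbName |
    Select-Object DisplayName, ItemCount, TotalItemSize, LastLogonTime |
    Format-Table -AutoSize

# 4. Restore into a separate folder rather than merging, so recovered mail is easy to review and
#    nothing in the live mailbox is silently duplicated. Drop -SubjectString to restore everything;
#    -BadItemLimit lets the restore continue past a few corrupt items instead of failing outright.
Restore-Mailbox -Identity 'MichiyoSato' -RecoveryDatabase $RecoveryDbName `
    -TargetFolder 'Recovered Items' -SubjectString 'Quarterly forecast' `
    -BadItemLimit 10 -Confirm:$false

# 5. Remove the recovery database once the restore has been verified (the files stay on disk).
Dismount-Database -Identity $RecoveryDbName -Confirm:$false
Remove-MailboxDatabase -Identity $RecoveryDbName -Confirm:$false
```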

What Is Dial-Tone Recovery?

Key Points
Dial-tone recovery is the process of implementing user access to e-mail services without first restoring
data to user mailboxes. Dial-tone recovery enables users to send and receive e-mail as soon as possible
after a database or server loss. Users can send and receive e-mail messages, but they do not have access
to the historical mailbox data. You then can recover the database or server, and restore the historical
mailbox data. After you bring the recovered database back online, you can merge the dial-tone database
and the recovered database into a single up-to-date mailbox database.

When to Use Dial-Tone Recovery


Use the dial-tone recovery method when it is critical for users to regain messaging functionality quickly
after a mailbox server or database fails, and when you cannot restore historical data from a backup
quickly enough. The loss may result from hardware failure or database corruption. If the server fails, it will
take significant time to rebuild the server and restore the databases. If you have a large database that
fails, it may take several hours to restore the database from backup.

If the original mailbox server remains functional, or if you have an alternative mailbox server available, you
can restore messaging functionality within minutes using dial-tone recovery. This enables continued
e-mail use while you recover the failed server or database.

Process for Implementing Dial-Tone Recovery

Key Points
There are several dial-tone recovery scenarios. However, all scenarios follow the same general steps.

Implementing Dial-Tone Recovery


Follow these general steps to implement dial-tone recovery:
1. Create the dial-tone database. For messaging client computers to regain functionality as quickly as
possible, create a new database for the client computers. There are two methods for creating the
dial-tone database:
• Create the dial-tone database on the same server as the failed database. Use this method if the
drive that contained the database failed or if the database is corrupt.
• Create the dial-tone database on a different server than the failed database. Use this method to
utilize a different server as a recovery server or if the original server fails.
2. If necessary, configure the mailboxes that were on the failed database to use the new dial-tone
database. You must configure the mailboxes to use the new database if you create the dial-tone
database on a different server.
3. If necessary, configure the Microsoft Office Outlook® client profiles:
• If the server with the failed database is operational, you do not need to reconfigure Office
Outlook client computers to use the new mailbox database. When the Outlook client computer
tries to connect to the mailbox, the client profile reconfigures automatically to use the mailbox
database on the original or new Mailbox server.
• If the original server is not available, and you are using AutoDiscover for Outlook 2007 client
computers, the user profile updates automatically.
• If you are using previous Outlook client computers, you need to reconfigure the user profiles
manually to use the new server.

• If users are using Outlook Web App, they will connect automatically to their mailboxes when they
access Outlook Web App on a Client Access server.

Note: At this point, users can connect to their mailboxes in the dial-tone database. The dial-tone
database does not contain any data, so the mailboxes will be empty. Additionally, the database does
not retain user-specific settings, such as folder hierarchy, Inbox rules, meetings, and contacts.
However, users should have messaging functionality. If the client computers are running Outlook
2007 or Outlook 2003, and you configure the client computers to run in cached mode, users receive a
prompt to connect or work offline when they connect to the dial-tone database. If users choose to
connect to the server, they will see an empty mailbox (local cached copy is replaced with the empty
mailbox). If they choose to work offline, they will see all of the historical data stored in the offline
folders (.ost) file.

4. Restore the failed databases from backup. After the dial-tone database is operational and, if
necessary, you have reconfigured the client computers to use the new database, you can work on
restoring the failed database. If the original server is operational, you can restore the database on the
failed server using a recovery database. If the original server is not operational, you can recreate the
failed database on another server, and then restore the backup to the new server.
5. Merge the data in the two databases. Because you have restored messaging functionality by
implementing the dial-tone database, users will be sending and receiving e-mail while you are
restoring the original databases. When the recovery is complete, users should be able to access both
the original and the dial-tone data. This means that you must merge the contents of the dial-tone
database with those of the original database. To do this, you will use the recovery database.
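The following Exchange Management Shell script is an added example, not part of the course, that walks the five steps above for the lab's Accounting database on the same server, keeping the dial-tone database as production and merging the restored data into it (the reverse ordering, swapping back to the restored database, is the other option). The dial-tone path and the DialToneDB and RecoverDB names are assumptions; the restore location is the lab's.

```powershell
# Added example (not part of the course): dial-tone recovery of the lab's Accounting database on the
# same server (VAN-EX1), scripted in the Exchange Management Shell. The dial-tone path, 'DialToneDB'
# and 'RecoverDB' are assumed names; the restore location is the one used in the lab.
$Server      = 'VAN-EX1'
$FailedDb    = 'Accounting'
$DialToneDb  = 'DialToneDB'
$DialToneEdb = 'D:\DialTone\DialToneDB.edb'      # assumed: a healthy volume, not the failed one
$RestoredEdb = 'C:\DBBackup\C_\Program Files\Microsoft\Exchange Server\V14\Mailbox\Accounting\Accounting.edb'

# Step 1: create an empty dial-tone database and mount it.
New-MailboxDatabase -Name $DialToneDb -Server $Server `
    -EdbFilePath $DialToneEdb -LogFolderPath (Split-Path -Path $DialToneEdb -Parent)
Mount-Database -Identity $DialToneDb

# Step 2: point the users' mailboxes at the dial-tone database. Set-Mailbox -Database rewrites only
# the home-database attribute in Active Directory; no data moves, which is why the mailboxes come up
# empty. The system mailboxes that belong to the failed database are left where they are.
Get-Mailbox -Database $FailedDb -ResultSize Unlimited |
    Where-Object { $_.ObjectClass -notmatch 'SystemAttendantMailbox|ExOleDbSystemMailbox' } |
    Set-Mailbox -Database $DialToneDb

# Step 3 (clients reconnect) needs no server-side action for Outlook 2007 with Autodiscover or for
# Outlook Web App; older Outlook profiles are reconfigured on the client, as described in the text.

# Step 4: after Windows Server Backup has restored the failed database to C:\DBBackup, bring it up
# as a recovery database. If eseutil /mh reports "Dirty Shutdown", run eseutil /R first, as in the lab.
New-MailboxDatabase -Name 'RecoverDB' -Server $Server -Recovery `
    -EdbFilePath $RestoredEdb -LogFolderPath (Split-Path -Path $RestoredEdb -Parent)
Mount-Database -Identity 'RecoverDB'

# Step 5: merge the historical data into the live mailboxes. Each user's mailbox GUID is unchanged by
# Set-Mailbox -Database, so Restore-Mailbox matches the mailbox in RecoverDB to the same user's
# now-active mailbox in DialToneDB. Mail sent and received during the outage is kept.
Get-MailboxStatistics -Database 'RecoverDB' |
    Where-Object { $_.DisplayName -notmatch '^(SystemMailbox|Microsoft Exchange)' } |
    ForEach-Object {
        $guid = $_.MailboxGuid.ToString()
        Restore-Mailbox -Identity $guid -RecoveryDatabase 'RecoverDB' `
            -RecoveryMailbox $guid -BadItemLimit 10 -Confirm:$false
    }

# DialToneDB is now the production database for these users; remove RecoverDB once the merge
# has been checked (the restored files stay on disk).
Dismount-Database -Identity 'RecoverDB' -Confirm:$false
Remove-MailboxDatabase -Identity 'RecoverDB' -Confirm:$false
```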

What Is Database Mobility?

Key Points
Database mobility disconnects databases from servers, adds support for up to 16 copies of a single
database, and provides a native experience for adding database copies to a database. Additionally, DAGs
use database mobility to enable database copying between servers. In Exchange Server 2007, the
database portability feature enabled you to move a mailbox database between servers. A key distinction
between database portability and database mobility, however, is that all copies of a database have the
same globally unique identifier (GUID).

Other key characteristics of database mobility are:


• Because Exchange Server 2010 does not use storage groups, continuous replication now operates at
the database level. Transaction logs replicate to one or more other Mailbox servers, and replay into a
copy of a mailbox database that those servers store.
• A failover or switchover can occur at the database or server level.
• Database names for Exchange Server 2010 must be unique within the Exchange Server organization.
• When you configure a mailbox database with one or more database copies, the full path for all
database copies must be identical on all Mailbox servers that host a copy.
• You can back up any mailbox database copy (the active or any passive copy) by using an Exchange
Server-aware, VSS-based backup application.

Note: Only mailbox databases are mobile. Public folder databases are not portable because
replication between public folder databases is controlled by each database being linked to, and
accessed through, a specific server.

Process for Recovering Computers That Run Exchange Server

Key Points
When recovering a failed Exchange Server, you have several options. The option you choose determines
the process that you use to restore the server.

Exchange Server Recovery Options


When you need to replace a failed server, you have the following options:
• Restore the server. You can restore the server from a full computer backup set, and then restore your
Exchange Server information. When you restore a server, you are reproducing the server
configuration, including the server security identifier. This option is feasible only if you have a full
server backup, including the System State backup, and you have replacement hardware that is very
similar to the failed server.
• Rebuild the server. This option involves performing a new installation of Windows Server and an
Exchange Server 2010 installation in Recover Server mode, which gathers the previous settings from
AD DS and Active Directory, and then restores your Exchange Server databases.
• Use a standby server. You can use a standby recovery server as part of the Mailbox server recovery
strategy. This option involves keeping recovery servers available with the operating system and other
software installed. Having available standby recovery servers reduces the time you need to rebuild a
damaged server.

What Is Recover Server Mode?


If an Exchange server fails, and is unrecoverable and needs replacement, you can perform a server
recovery operation. Exchange Server 2010 Setup includes a switch called /m:RecoverServer that you can
use to perform the server recovery operation.

Running Exchange Server Setup with the /m:RecoverServer switch causes Setup to read configuration
information from AD DS and Active Directory for the server with the same name as that from which you
are running Setup. Once you gather the server’s configuration information from AD DS and Active
Directory, the original Exchange Server files and services then are installed on the server, and the
Exchange server roles and settings that AD DS and Active Directory stored then are applied to the server.

Important: When you run Exchange Server Setup in Recover Server mode, it must be able to connect
to AD DS and Active Directory, and read the Exchange Server configuration information that links to the
name of the computer that is running Exchange Server. This means that the computer account still must
exist in AD DS and Active Directory. If you delete the computer account, you will not be able to restore
the Exchange Server.
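The following script is an added example, not part of the course, of the pre-flight checks implied by the note above: before running Setup /m:RecoverServer it confirms that the computer account and the Exchange server object still exist in AD DS and that the replacement computer carries the right name and domain membership. It assumes the lab's server name VAN-EX1 and a domain-joined replacement with a PowerShell prompt; the Find-AdObject helper is hypothetical.

```powershell
# Added example (not part of the course): pre-flight checks before Setup /m:RecoverServer, run in an
# elevated PowerShell on the rebuilt, domain-joined replacement computer. VAN-EX1 is the lab's name;
# Find-AdObject is a helper written for this example.
$ServerName = 'VAN-EX1'
$rootDse   = [ADSI]'LDAP://RootDSE'
$configNc  = [string]$rootDse.configurationNamingContext
$defaultNc = [string]$rootDse.defaultNamingContext

function Find-AdObject([string]$SearchBase, [string]$LdapFilter) {
    # Returns the first matching object, or $null if nothing matches.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$SearchBase"
    $searcher.Filter      = $LdapFilter
    $searcher.SearchScope = 'Subtree'
    return $searcher.FindOne()
}

# 1. The computer account must still exist: Setup reads the Exchange configuration linked to it.
$computer = Find-AdObject $defaultNc "(&(objectClass=computer)(cn=$ServerName))"
# 2. The server object in the configuration partition is what /m:RecoverServer rebuilds from.
$exServer = Find-AdObject $configNc "(&(objectClass=msExchExchangeServer)(cn=$ServerName))"
# 3. The replacement must already carry the failed server's name and be joined to the domain.
$localName    = $env:COMPUTERNAME
$partOfDomain = (Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain

$checks = @(
    @{ Name = "Computer account '$ServerName' exists in AD DS";                   Ok = ($computer -ne $null) },
    @{ Name = "Exchange server object '$ServerName' exists in the config partition"; Ok = ($exServer -ne $null) },
    @{ Name = "Local computer is named '$ServerName'";                             Ok = ($localName -eq $ServerName) },
    @{ Name = 'Local computer is joined to the domain';                           Ok = $partOfDomain }
)
$checks | ForEach-Object { '{0} {1}' -f $(if ($_.Ok) { 'PASS' } else { 'FAIL' }), $_.Name }
if ($checks | Where-Object { -not $_.Ok }) {
    throw 'Fix the failed checks before running Setup /m:RecoverServer; a deleted computer account cannot be recovered from here.'
}

# With every check passing, run Setup from the installation media (D: in the lab), then let the
# restored database files overwrite the re-created database objects before the Windows Server Backup restore:
#   d:\setup /m:RecoverServer
#   Get-MailboxDatabase -Server $ServerName | Set-MailboxDatabase -AllowFileRestore $true
```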

Lab: Implementing Backup and Recovery

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:

1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and the 10135A-VAN-SVR1 virtual machines
are running.
• 10135A-VAN-DC1: Domain controller in the Adatum.com domain
• 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain
• 10135A-VAN-SVR1: Standalone server
3. If required, connect to the virtual machines. Log on to VAN-DC1 and
VAN-EX1 as Adatum\Administrator, using the password Pa$$w0rd.
4. Log on to VAN-SVR1 as Administrator, using the password Pa$$w0rd.
5. In Microsoft Hyper-V™ Manager, click VAN–SVR1, and, in the Actions pane, click Settings.
6. Click DVD Drive, click Image file, and then click Browse.
7. Browse to C:\Program Files\Microsoft Learning\10135\Drives, click EXCH201064.iso and click
Open.
8. Click OK.
9. On VAN-SVR1, close the AutoPlay dialog box.

Lab Scenario
You are a messaging administrator for A. Datum Corporation. Your organization has deployed Exchange
Server 2010. You now want to ensure that all Exchange Server-related data is backed up and that you can
restore not only the full server or database, but also a mailbox or mailbox folder.

Exercise 1: Backing Up Exchange Server 2010


Scenario
You must create a backup of your Exchange Server 2010 mailbox database to ensure that you can restore
it when necessary.

The main tasks for this exercise are:


1. Populate a mailbox.
2. Perform a backup of the mailbox database using Windows Server Backup.
3. Delete messages in mailboxes.

Task 1: Populate a mailbox
1. On VAN-EX1, log on to Parna’s mailbox by using Outlook Web App. Use the logon name
Adatum\Parna and the password Pa$$w0rd.
2. Send a message to George with the subject Message before Backup.
3. Restart the Microsoft Exchange Information Store service.

Task 2: Perform a backup of the mailbox database using Windows Server Backup
1. Use Server Manager to install Windows Server Backup.
2. Perform a custom backup of the C:\ drive using a VSS full backup. Store the backup files on
\\VAN-DC1\Backup.

Task 3: Delete messages in mailboxes
1. Log on to George’s mailbox using the logon name Adatum\George and the password Pa$$w0rd,
and then delete the message from Parna.
2. Log on to Parna’s mailbox using the logon name Adatum\Parna and the password Pa$$w0rd, and
then delete all messages from the Sent Items folder.

Results: After this exercise, you should have created a backup of an Exchange Server database, and
deleted messages.

Exercise 2: Restoring Exchange Server Data


Scenario
Some of your users complain that they are missing messages from their mailboxes. You now need to use
the backup you created to recover their messages.

The main tasks for this exercise are:


1. Restore the database using Windows Backup.
2. Create a recovery database by using the backup files.
3. Recover a mailbox from the recovery database.

Task 1: Restore the database using Windows Backup
• On VAN-EX1, using Windows Server Backup, recover the Exchange Server databases to an alternate
location: C:\DBBackup.

Task 2: Create a recovery database by using the backup files
1. On VAN-EX1, create a recovery database using the restored database in C:\DBBackup. Use the
following command to create the recovery database:
New-MailboxDatabase -Name "RecoverDB" -Server VAN-EX1 -EDBFilePath "c:\DBBackup\C_\Program Files\Microsoft\Exchange Server\V14\Mailbox\Accounting\Accounting.edb" -LogFolderPath "c:\DBBackup\C_\Program Files\Microsoft\Exchange Server\V14\Mailbox\Accounting" -Recovery
2. In the Exchange Management Shell, switch to the "c:\dbbackup\c_\Program Files\Microsoft\Exchange Server\v14\Mailbox\Accounting" directory, enter the following command at the PS prompt, and then press ENTER:
eseutil /R E02 /i /d
3. Mount the recovery database using the Mount-Database "RecoverDB" command.
4. List all mailboxes that are in the recovery database by using the Get-MailboxStatistics -Database
"RecoverDB" command.

Task 3: Recover a mailbox from the recovery database
1. On VAN-EX1, recover a mailbox using the Restore-Mailbox -Identity ParnaKhot -RecoveryDatabase RecoverDB cmdlet.
2. Verify that you restored the message in the Sent Items folder by logging on to Parna’s mailbox.
3. Use the Remove-MailboxDatabase -Identity RecoverDB command to remove the RecoverDB
database.

Results: After this exercise, you should have created a recovery database, and restored a complete
mailbox from the recovery database to its original location.

Exercise 3: Restoring Exchange Servers (optional)


Scenario
After a hard-disk malfunction, one of your Exchange servers no longer is operational. You have a full
backup of the computer and the mailbox databases, so you need to restore everything to a newly
installed computer.

The main tasks for this exercise are:

1. Shut down VAN-EX1 and reset the computer account.
2. Prepare VAN-SVR1 as VAN-EX1.
3. Install Exchange Server 2010 in RecoverServer mode.
4. Recover the mailbox databases from backup.
5. Test the recovery.

Task 1: Shut down VAN-EX1 and reset the computer account
1. In Hyper-V Manager, revert VAN-EX1 to the previous snapshot.
2. Using Active Directory Users and Computers, reset the VAN-EX1 computer account.

Task 2: Prepare VAN-SVR1 as VAN-EX1
1. Rename VAN-SVR1 to VAN-EX1.
2. Join the computer to the ADATUM domain.

Task 3: Install Exchange Server 2010 in RecoverServer mode
1. On the new VAN-EX1 server, run d:\setup /m:RecoverServer.
2. In the Exchange Management Console, in the Database Properties of every database on VAN-EX1,
select This database can be overwritten by a restore.

Task 4: Recover the mailbox databases from backup
• Use Windows Server Backup to recover the Exchange Server databases.

Task 5: Test the recovery
1. On the restored VAN-EX1, in the Exchange Management Console, mount the mailbox databases and
the public folder database.
2. On VAN-DC1, open Internet Explorer and connect to https://VAN-EX1.adatum.com/owa. Log on
as Adatum\Parna with a password of Pa$$w0rd, and then verify that the mailbox is accessible and
that all messages have been restored.

Results: After this exercise, you should have recovered a complete Exchange server by using a
different Windows Server, renaming it, installing Exchange Server in /m:RecoverServer mode, and
recovering the Exchange Server database from a backup. You have also tested the recovery.

To prepare for the next module

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the
following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

4. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start.
5. To connect to the virtual machine for the next module’s lab, click 10135A-VAN-DC1, and then in the
Actions pane, click Connect.

Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting
the other virtual machines.

6. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.
7. Wait for VAN-EX1 to start, and then start VAN-CL1. Connect to the virtual machine.

Module Review and Takeaways

Review Questions
1. What kind of backup options for Exchange Server 2010 do you find suitable for your organization?
2. What options does Exchange Server 2010 include for restoring a single item from a mailbox?

Common Issues Related to Recovering Messages


Identify the causes for the following common issues related to recovering messages, and fill in the
troubleshooting tips. For answers, refer to relevant lessons in the module.

Issue and troubleshooting tip:
• Recover single mailbox items quickly. Try using Multi-Mailbox Search before you recover a database.
• Restore fails when it is urgent. You should try to restore a database regularly, as a practice session,
and verify that your backups work as you expect.

Best Practices Related to Backup and Restore


Supplement or modify the following best practices for your own work situations:
• Utilize your existing backup solution for Exchange Server backups, as you are already experienced
and familiar with it.
• Try always to perform a full backup of your Exchange Server databases if you use a VSS-aware backup
solution. This reduces the time you need to recover the database to its most current state.
• If you plan to follow the backup-less method, create one more database copy on cheap hard drives at
a different site. This guarantees that you have an additional backup of your database available.
Configuring Messaging Policy and Compliance 9-1

Module 9
Configuring Messaging Policy and Compliance
Contents:
Lesson 1: Introducing Messaging Policy and Compliance 9-3
Lesson 2: Configuring Transport Rules 9-7
Lesson 3: Configuring Journaling and Multi-Mailbox Search 9-27
Lab A: Configuring Transport Rules, Journal Rules, and Multi-Mailbox Search 9-37
Lesson 4: Configuring Messaging Records Management 9-43
Lesson 5: Configuring Personal Archives 9-56
Lab B: Configuring Messaging Records Management and Personal Archives 9-62

Module Overview

Microsoft® Exchange Server 2010 provides new tools for coping with a growing number of legal,
regulatory, and internal policy and compliance requirements that relate to e-mail. Most organizations
must be able to filter e-mail delivery based on several criteria, and to manage e-mail retention and
deletion. This module describes how to configure the Exchange Server 2010 messaging policy and
compliance features.
After completing this module, you will be able to:
• Describe messaging policy and compliance.
• Configure transport rules.
• Configure journaling and Multi-Mailbox Search.
• Configure Messaging Records Management (MRM).
• Configure Personal Archives.

Lesson 1
Introducing Messaging Policy and Compliance

In most countries, governments have implemented legislation that restricts the storage and movement of
certain information. Additionally, many organizations have implemented corporate security policies that
limit how to share information within the organization. Because e-mail is a critical business tool in most
organizations, it is important that you configure your organization’s messaging system so that it is
compliant with government legislation and corporate policies.
Messaging policies in Exchange Server 2010 enable messaging administrators to manage e-mail messages
that are in transit and at rest, and ensure that your organization meets compliance requirements. This
lesson provides an overview of messaging policies and their use.

After completing this lesson, you will be able to:


• Describe messaging policy and compliance.
• Identify compliance requirements.
• Implement messaging policy and compliance.

What Is Messaging Policy and Compliance?

Key Points
Messaging compliance features in Exchange Server 2010 consist of a set of rules and settings that restrict
message flow and storage. You can use these features to apply rules to messages as your organization’s
users send and receive them. You can use the messaging policy and compliance features to regulate how
users store messages, and to search all user mailboxes for messages based on a variety of criteria. You can
apply these features to Exchange Server computers running the Edge Transport, Hub Transport, and
Mailbox server roles.

Types of Messaging Compliance Features


Exchange Server 2010 provides several options for implementing message policies and compliance:
• Transport policies are rules and settings that you apply as messages pass through the Exchange
Server transport components. Transport policies restrict message flow or modify message contents
based on organizational requirements.
• Exchange Server applies MRM policies to folders in users’ inboxes to automate and simplify message
retention. For example, you can configure a policy that retains messages in user mailbox folders for a
specific time, or you can configure a policy that automatically deletes messages within a specific
folder or within all the mailbox folders. Exchange Server 2010 also provides retention tags and
autotagging that simplify the process for users who want to apply message retention or deletion
policies.
• Journaling policies are rules and settings that enable you to save a copy of all messages that meet
specific criteria. For example, you can journal messages sent by a particular user or messages sent to a
particular distribution group. You can journal messages that recipients send or receive inside and
outside the organization.
• Mailbox searching may be required for audit purposes to determine whether user mailboxes contain
specific types of content. With Exchange Server 2010, you can use the Exchange Control Panel (ECP)
to search all user mailboxes for messages based on many different criteria.

Discussion: Compliance Requirements

Key Points
E-mail is a primary means of communication in many organizations, and users typically send a great deal
of business information by e-mail. This information may include confidential information, such as
customer data or business intelligence. One use of Exchange Server 2010 messaging policies is to provide
features that help you comply with legal requirements and corporate messaging policies regarding e-mail
messages.

Question: What type of business does your organization conduct? What are some legislated compliance
requirements for your organization?

Question: What additional compliance requirements does your organization have?

Question: How are you currently meeting these compliance requirements?



Options for Enforcing Messaging Policy and Compliance

Key Points
Exchange Server 2010 provides many options for implementing messaging policies, including the
following:
• Transport rules. You can define transport rules on both the Edge Transport and Hub Transport
servers. On Edge Transport servers, you can restrict message flow based on message data, such as
specific words or text patterns in the message subject, body, header, or From address; the spam
confidence level (SCL); and attachment type. On Hub Transport servers, you configure rules that
support an extended set of conditions, which allows you to control message flow based on
distribution groups, internal or external recipients, message classifications, and message importance.
• Rights management integration. Exchange Server 2010 enables integration with Active Directory®
Rights Management Service (AD RMS) to apply policies that restrict what recipients can do with their
received messages.
• Message journaling. Exchange Server 2010 provides several options for saving copies of messages. For
example, you can configure journal rules on Hub Transport servers. You can journal messages
according to the message’s distribution scope, and you can define the conditions that trigger the
journaling action by specifying as criteria an individual user, the sender, or the recipient’s distribution-
list membership. You also can configure message journaling for specific mailbox databases, or
implement message journaling as part of a Messaging Records Management deployment.
• Mailbox searching. The Multi-Mailbox Search feature enables users with the appropriate permissions
to search all mailboxes for specific content. In Exchange Server 2010, the mailbox search functionality
is available through the Multi-Mailbox Search interface in the ECP.
• Message retention and deletion. Administrators can use the MRM features to retain messages that
organizations require for business or legal reasons, and to delete unnecessary messages.
• Personal Archives. Exchange Server 2010 allows you to create archive mailboxes for users so they can
store the contents of .pst folders and old messages that they want to retain. You can search and
manage archive mailboxes like any other mailboxes on the Exchange servers.

Lesson 2
Configuring Transport Rules

You can implement messaging policies and compliance by applying transport rules to messages as users
send them within the organization. By implementing transport rules, you ensure that all e-mail messages
sent within the organization or to external recipients meet your organization’s compliance requirements.
You also can apply rights management policies to messages by using transport rules. This lesson describes
how to implement transport rules in Exchange Server 2010.
After completing this lesson, you will be able to:
• Describe transport rules.
• Describe transport rule components.
• Configure transport rules.
• Identify message classifications.
• Describe AD RMS.
• Describe how AD RMS components work together.
• Describe AD RMS interaction.
• Configure AD RMS integration.
• Describe options for moderated transport.
• Configure moderated transport.

What Are Transport Rules?

Key Points
Exchange Server applies transport rules to messages as they pass through Edge Transport or Hub
Transport servers. The Transport Rule agent applies transport rules on Hub Transport servers, and the
Edge Rule agent applies them on Edge Transport servers. Transport rules restrict message flow or content
modification while messages are in transit.

Transport Rules on Hub Transport Servers


Transport rules configured on one Hub Transport server automatically apply to all other Hub Transport
servers in the organization. Exchange Server stores the transport rules in the Configuration container in
Active Directory Domain Services (AD DS), and replicates them throughout the Active Directory forest so
that they are accessible to all other Hub Transport servers. This means that Exchange Server applies the
same transport rules to all e-mail messages that users send or receive in the organization.

Transport Rules on Edge Transport Servers


Exchange Server applies transport rules that you configure on an Edge Transport server only to e-mail
messages that pass through that specific Edge Transport server. The transport rules are stored in Active
Directory Lightweight Directory Services (AD LDS), and Exchange Server does not replicate them to other
Edge Transport servers. Therefore, you can configure Edge Transport servers to apply distinct transport
rules depending on the e-mail messaging traffic that they manage.

If you have more than one Edge Transport server and you want to apply a consistent set of rules across all
Edge Transport servers, you must configure each server manually, or export the transport rules from one
server and import them into all other Edge Transport servers.
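The export-and-import route described above, as an added example that is not part of the course or of Microsoft's documentation. It assumes two Edge Transport servers, a file path of C:\Temp\EdgeRules.xml, and that you have a way to copy the file between the perimeter hosts; run each half in the Exchange Management Shell of the server named in the comment.

```powershell
# Added example (not from the course): copy the transport rule collection from one
# Edge Transport server to another so both servers enforce the same rules.
# File paths are assumptions.

# ---- On the SOURCE Edge Transport server ----------------------------------------
$exportPath = "C:\Temp\EdgeRules.xml"   # assumed path

# Export-TransportRuleCollection returns an object whose FileData property holds
# the XML bytes of the whole rule collection; write them to disk unchanged.
$collection = Export-TransportRuleCollection
Set-Content -Path $exportPath -Value $collection.FileData -Encoding Byte

# Copy EdgeRules.xml to the second Edge Transport server, then continue there.

# ---- On the TARGET Edge Transport server ----------------------------------------
$importPath = "C:\Temp\EdgeRules.xml"   # assumed path

# Importing a collection replaces every rule on the target server, so record what
# is there first in case you need to recreate a server-specific rule afterwards.
Get-TransportRule | Format-Table Name, Priority, State

[Byte[]]$data = Get-Content -Path $importPath -Encoding Byte -ReadCount 0
Import-TransportRuleCollection -FileData $data

# Verify: run this on both servers and compare the listings line by line.
Get-TransportRule | Sort-Object Priority | Format-Table Name, Priority, State
```

The same pair of cmdlets works on a Hub Transport server, but there it is rarely needed because AD DS already replicates the rules; the file is useful mainly as a backup of the rule collection before a large change.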

Transport Rule Components

Key Points
All transport rules, whether they apply to Hub Transport or Edge Transport servers, have similar
configurations.

Transport Rule Components


When configuring transport rules, consider the following components:
• Conditions. Transport rule conditions indicate which e-mail message attributes, headers, recipients,
senders, or other parts of the message Exchange Server uses to identify the e-mail messages to which
it applies a transport rule action. If the data of the e-mail message that the condition is inspecting
matches the condition’s value, Exchange Server applies the rule as long as the condition does not
match an exception.
You can configure multiple transport rule conditions to narrow the rule’s scope to very specific
criteria. You also can decide not to apply any conditions, which means that the transport rule then
applies to all messages. There is no limit to how many conditions you can apply to a single transport
rule.
• Actions. Exchange Server applies actions to e-mail messages that match the conditions and for which
no exceptions are present. Each action affects e-mail messages in a different way, such as redirecting
the e-mail message to another address or dropping the message.
• Exceptions. Exceptions determine which e-mail messages to exclude from an action. Transport rule
exceptions are based on the same predicates that you use to create transport rule conditions.
Transport rule exceptions override conditions and prevent Exchange Server from applying a transport
rule action to an e-mail message, even if the message matches all configured transport rule
conditions.
You can configure multiple exceptions on a transport rule to expand the criteria for which Exchange
Server should not apply a transport rule action.

• Predicates. Conditions and exceptions use predicates to define which part of an e-mail message the
conditions and exceptions examine to determine whether Exchange Server should apply the transport
rule to that message. Some predicates examine the To: or From: fields, whereas other predicates
examine the subject, body, or attachment size. To determine whether Exchange Server should apply a
transport rule to a message, most predicates require that you specify a value that the predicates use
to test against the message.
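One rule that uses all of the components just described (several conditions, an exception, and an action) together with the cmdlets that enumerate the available predicates and actions, as an added example that is not part of the course or of Microsoft's documentation. The rule names, the adatum.com addresses and the distribution group are assumptions; run it in the Exchange Management Shell on a Hub Transport server.

```powershell
# Added example (not from the course): build a Hub Transport rule from conditions,
# an exception and an action. Names, addresses and groups are assumptions.

# Discover the predicates (usable as conditions and exceptions) and actions the
# server offers before deciding how to express a policy.
Get-TransportRulePredicate | Format-Table Name, LinkedDisplayText
Get-TransportRuleAction    | Format-Table Name, LinkedDisplayText

# Conditions: the message leaves the organization AND carries an attachment over 10 MB.
#             Multiple conditions narrow the scope; all of them must match.
# Exception:  the sender is a member of the (assumed) Marketing distribution group.
#             An exception wins even when every condition matches.
# Action:     reject the message with a 5.7.1 enhanced status code and an NDR text.
New-TransportRule -Name "Block large external attachments" `
    -Comments "Conditions narrow the scope; the exception carves out Marketing" `
    -SentToScope NotInOrganization `
    -AttachmentSizeOver 10MB `
    -ExceptIfFromMemberOf "marketing@adatum.com" `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -RejectMessageReasonText "Attachments over 10 MB cannot be sent outside the organization." `
    -Priority 0

# A rule with no conditions at all applies to every message. Here it BCCs an
# (assumed) compliance mailbox. Priority 0 above is evaluated before priority 1.
New-TransportRule -Name "Copy all mail to compliance" `
    -BlindCopyTo "compliance@adatum.com" `
    -Priority 1

# Review the result: conditions, exceptions and actions are stored as separate
# properties, which is how the Exchange Management Console also displays them.
Get-TransportRule "Block large external attachments" |
    Format-List Name, Priority, State, Conditions, Exceptions, Actions
```

When testing, send one message that matches both conditions from a Marketing member and one from a non-member: only the second should produce the NDR, which confirms that the exception overrides the conditions as the text above states.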

Demonstration: How to Configure Transport Rules

Key Points
In this demonstration, you will review how to configure transport rules. You can configure transport rules
by using either the Exchange Management Console or the Exchange Management Shell. If you are using
the Exchange Management Console on a Hub Transport server, access the Hub Transport container in the
Organization Configuration work area.

To configure transport rules using the Exchange Management Shell, run the following cmdlets:
• The Get-TransportRule, New-TransportRule, Remove-TransportRule, Set-TransportRule,
Enable-TransportRule, and Disable-TransportRule cmdlets create, remove, and configure transport
rules.
• The Get-TransportRuleAction cmdlet retrieves a list of all available transport rule actions.
• The Get-TransportRulePredicate cmdlet retrieves a list of all available rule predicates.
• The Import-TransportRuleCollection and Export-TransportRuleCollection cmdlets import and
export a set of transport rules configured on a Hub Transport server or Edge Transport server.

Note: Implementing transport rules with security features, such as digital signatures or encryption,
can result in potential issues. For example, if you add a disclaimer to digitally signed messages, the
signature becomes invalid. When users open the message, the original message displays as an
attachment and only the signature that the transport rule adds is visible in plain text. If users encrypt
messages using Secure Multipurpose Internet Mail Extensions (S/MIME) or another encryption tool,
the transport rules can access the message envelope headers and process messages based on
unencrypted information. Transport rules that require inspection of message content, or actions that
modify content, cannot process encrypted messages.

Demonstration Steps
1. Open the Exchange Management Console.

2. Under Organization Configuration, in the Hub Transport node, create a new transport rule with
the following configuration:
• Name: Type Company Disclaimer HTML.
• Condition: Choose sent to users that are inside the organization.
• Action: Choose append disclaimer text and fallback to action if unable to apply.
• Disclaimer text: Type the following:
<html>
<body>
<br>&nbsp;<br>
<br>&nbsp;<br>
<b><font color=red>This e-mail and attachments are intended for the individual or
group addressed.</font></b>
</body>
</html>

3. Open the Exchange Management Shell.


4. Type the following cmdlet:
New-TransportRule -Name "Social Insurance Number Block Rule" -SubjectOrBodyMatchesPatterns "\d\d\d-\d\d\d-\d\d\d" -RejectMessageEnhancedStatusCode "5.7.1" -RejectMessageReasonText "This message has been rejected because of content restrictions"
5. To test the transport rules:
• Send a message from one internal user to another. Verify that the HTML disclaimer is attached.
• Send a message from one internal user to another with the string 111-111-111 in the message
body. Verify that the sender receives a non-delivery report (NDR).

Note: In a regular expression, the \d pattern string matches any single numeric digit. You can use a
variety of pattern strings to search the message contents for a consistent pattern. For example, you
can use \s to represent a space, or \w to represent any letter or decimal digit. For detailed information
about configuring regular expressions in a transport rule, see the topic “Regular Expressions in
Transport Rules” in Exchange Online Help.

Question: What transport policies will you need to implement in your organization?

What Are Message Classifications?

Key Points
Message classifications are Exchange Server 2007 or later and Outlook 2007 (or later) features that enable
users or transport rules to mark a message with a label. When a message is classified, the message
contains metadata that describes some information about the recipient or sender of the message, or some
other information about the message. Outlook 2007 and Outlook Web App then act on this metadata and
display the classification’s description to the message’s senders and receivers. In Exchange Server 2010,
you also can configure a transport rule that acts on the metadata by applying an action based on the
classification.

Managing Message Classifications


As an Exchange Server administrator, you can manage message classifications in the following ways:
• Review the message classifications configured on the server. Use the Get-MessageClassification
cmdlet to view the message classifications.
• Modify the default message classifications. Exchange Server administrators can customize the sender
description for each message classification and locale. Use the Set-MessageClassification cmdlet to
configure the message classification on the Exchange server.
• Create new message classifications. Use the New-MessageClassification cmdlet to create new
message classifications.
• Enable message classifications for Outlook 2007 clients. By default, Outlook 2007 does not support
message classifications. To enable message classifications, you must:
• Export the message classifications to an .xml file. To do this, run the
Export-OutlookClassification.ps1 script in the Scripts folder on an Exchange server. The output of
this script is an .xml file describing all of the classifications available on the server.

• Deploy the .xml file that contains definitions of the message classifications to each client
computer that uses these classifications. You must recreate and redeploy this file whenever you
update the message classification list on an Exchange server.
• Create a new registry key that enables message classification and references the
Classifications.xml file on the client computer.

Note: For detailed information about deploying message classifications for Outlook 2007, see the
topic “Deploy Message Classification for Outlook 2007” in the Exchange Server Help file.

Using Message Classifications


There are two options for using message classifications:
• Users can add a message classification to an e-mail when they create it. When using Outlook Web
App or Outlook 2007 with the appropriate configuration, users can classify any message.
• Administrators can add a message classification as the result of a transport rule. For example, when
the Attachment Filter agent removes an attachment from a message, the Attachment Removed
message classification attaches to the message. You also can create a transport rule that adds a
message classification to a message based on any conditions in the e-mail message.
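The whole classification workflow from the two topics above (creating a classification, applying it from a transport rule, acting on it in a second rule, and producing the Classifications.xml file for Outlook 2007), as an added example that is not part of the course or of Microsoft's documentation. The classification name, the [ALPHA] subject tag, the deployment path C:\Deploy and the rule names are assumptions; the registry values in the last step are the Office 2007 policy values that Outlook reads, applied here with PowerShell on a client.

```powershell
# Added example (not from the course): create a classification, apply it automatically,
# act on it, and export it for Outlook 2007. Names, tags and paths are assumptions.

# 1. Create the classification. SenderDescription is shown to the person composing the
#    message; RecipientDescription to the reader. Outlook Web App needs no client deployment.
New-MessageClassification -Name "ProjectAlpha" `
    -DisplayName "Project Alpha - Internal Only" `
    -SenderDescription "Mark Project Alpha material so recipients know it must stay internal." `
    -RecipientDescription "This message contains Project Alpha material. Do not share it outside the company."

# 2. Apply the classification as a transport rule ACTION whenever the subject carries the tag.
New-TransportRule -Name "Classify Project Alpha mail" `
    -SubjectContainsWords "[ALPHA]" `
    -ApplyClassification "ProjectAlpha"

# 3. Use the classification as a CONDITION in a second rule: classified mail, whether the
#    user or rule 2 classified it, is rejected if addressed outside the organization.
New-TransportRule -Name "Keep Project Alpha internal" `
    -HasClassification "ProjectAlpha" `
    -SentToScope NotInOrganization `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -RejectMessageReasonText "Project Alpha material cannot be sent outside the organization."

# 4. Export every classification for Outlook 2007. The script writes XML to standard
#    output, so redirect it to the file you will deploy. $env:ExchangeInstallPath is set
#    by Exchange setup on the server. Repeat this step after any classification change.
$scripts = Join-Path $env:ExchangeInstallPath "Scripts"
& (Join-Path $scripts "Export-OutlookClassification.ps1") > "C:\Deploy\Classifications.xml"

# 5. On each Outlook 2007 client (assumed path): point Outlook at the deployed file and
#    enable classifications. 12.0 is the Office 2007 registry version.
$key = "HKCU:\Software\Microsoft\Office\12.0\Common\Policy"
New-Item -Path $key -Force | Out-Null
New-ItemProperty -Path $key -Name AdminClassificationPath -Value "C:\Deploy\Classifications.xml" -PropertyType String -Force | Out-Null
New-ItemProperty -Path $key -Name EnableClassifications   -Value 1 -PropertyType DWord  -Force | Out-Null
New-ItemProperty -Path $key -Name TrustClassifications    -Value 1 -PropertyType DWord  -Force | Out-Null
```

Steps 1 to 4 run in the Exchange Management Shell; step 5 runs on the client, typically through a logon script or Group Policy preference rather than by hand.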

What Is AD RMS?

Key Points
AD RMS is an information-protection technology that works with AD RMS-enabled applications to help
safeguard digital information from unauthorized use.

Restrict Access to an Organization’s Intellectual Property


Use AD RMS to restrict access to digital information so that users can view, change, or print
documents only to the extent that their rights allow. This protects data by preventing users from
forwarding, copying, or otherwise transporting sensitive data outside the company network.

Limit the Actions Users Can Perform on Content


Enforce restrictions that limit the specific actions that a user can perform on a document or e-mail
message. You can use Microsoft Office Word, Office Excel®, and PowerPoint® as AD RMS-enabled
applications. These applications allow you to set rights for viewing, changing, saving, and printing
documents, and to set the length of time a particular right is active.

AD RMS used with Outlook helps you protect e-mail content. You can prevent users from forwarding
sensitive e-mail messages to other e-mail users, printing e-mail messages, using messages offsite, and
giving the messages to unauthorized users.

Limit the Risk of Content Exposure Outside the Organization


You can set rights so that users do not have permission to print or forward e-mail content. This means
that users cannot forward the messages to recipients outside the organization. These options help reduce
the likelihood that an employee will disclose company information either maliciously or accidentally.

AD RMS Components
Several components interact with AD RMS. It is important to understand each of these components:
• Author. The user or service that generates the rights-protected document.

• AD RMS-enabled applications. Specific applications are enabled for, and can interact with, AD RMS.
Authors can use these applications to create and protect content, and recipients can use them to read
protected content and apply the appropriate rights to them.
• Recipient. The user or service that accesses the rights-protected document.
• AD RMS server. The server with an installed AD RMS server role. This server is responsible for
providing the licenses that control access to content. Installing the first AD RMS server creates the
AD RMS root cluster. You can add other AD RMS servers to the cluster.
• Database server. AD RMS requires a database service. The Windows Internal Database feature
deployed on the same server as the AD RMS server provides this service, as does the Microsoft SQL
Server® installed on another computer. The database stores configuration and other AD RMS-related
information.
• AD DS and Active Directory. These services authenticate authors and recipients so that Exchange
Server applies the appropriate rights to the content.

How AD RMS Works

Key Points
The AD RMS components work together to enable secure creation, distribution, and consumption of
protected data.

How AD RMS Works


The following steps describe how AD RMS components interact to generate and protect rights-protected
content:
1. The first time a user tries to rights-protect content using AD RMS, the client application requests a
rights account certificate (RAC) and client licensor certificate (CLC) from the AD RMS server. This
request only occurs once for each user. It enables the user to publish online or offline, and to
consume rights-protected content.
2. The author then creates content using an AD RMS-enabled application. The author can create the file,
and then specify user rights. Additionally, the AD RMS server generates the policy license containing
the user policies.

3. The author sends the rights-protected content to the recipient.


4. The recipient receives the file and opens it using an AD RMS-enabled application or browser. If the
recipient’s computer does not contain an account certificate, the client application requests a
certificate, and the AD RMS cluster issues one. If this is the first time the recipient has tried to access
rights-protected content on the computer, the AD RMS server also issues a RAC.

The application sends a request for a use license to the AD RMS cluster that issued the publishing
license. However, if the file was published offline, the application also sends a request to the server
that issued the CLC. The request includes both the RAC and the publishing license for the file.
The AD RMS cluster confirms or denies the recipient’s authorization. If the AD RMS cluster denies the
user’s authorization, the cluster checks for a named user and then creates a use license for the user.
The cluster decrypts the content key using the cluster’s private key and re-encrypts the content key
with the recipient’s public key. It then adds the encrypted session key to the use license. This ensures
that only the intended recipient can access the file.

5. The AD RMS cluster sends the generated use license to the recipient’s computer. The application
examines both the license and the recipient’s account certificate. Exchange Server then grants the
user access per the content author’s specifications.

How AD RMS Integration Works

Key Points
Exchange Server 2010 integrates with AD RMS to provide several options for ensuring content protection
as users send messages through e-mail. To use any of these features in an onsite Exchange Server
deployment, Exchange Server 2010 requires an on-premise Windows Server 2008 AD RMS deployment.

Enable Users to Protect Content


After deploying AD RMS in an organization, Outlook users can control who reads, copies, or forwards
messages regardless of where the messages are stored. When users create e-mails, they can set limits on
what the message recipients can do with the messages. This functionality does not require any Exchange
Server components other than those used for message delivery.
Exchange Server 2010 provides additional functionality, and expands the scenarios by which users and
administrators can apply protection to e-mail—both inside and outside the organization.

Implement AD RMS Prelicensing


One of the issues with using the Rights Management Service (RMS) to protect e-mail is that the
recipient needs to be able to connect to the AD RMS server to read protected e-mail.
This is an issue when users access their e-mail while offline using Outlook Anywhere, read mail using an
Exchange ActiveSync® device, or access e-mail through Outlook Web App. AD RMS prelicensing enables
offline access to protected mail, and makes it faster to open protected mail from Outlook and other
mobile clients. In this scenario, protected messages already contain the recipient’s end-user license, which
Exchange Server requires to decrypt and view the message upon delivery.
In Exchange Server 2010, the RMS Prelicensing built-in agent is on all Hub Transport servers, and is
enabled by default for the Exchange Server organization. You can disable the prelicensing agent with the
Set-IRMConfiguration -PrelicensingEnabled $false cmdlet.

Implement Outlook Protection Rules


Outlook Protection Rules allow you to rights-protect messages by applying an RMS template before the
message is sent. Outlook Protection Rules automatically trigger the client to apply an RMS template
(based on sender/receiver) to mail before it sends it. This feature also enables administrators to allow
users to manually add or remove protection policies from a message.

Note: Outlook Protection Rules are only available for Office Outlook 2010 or later clients.

Implement Transport Protection Rules


This feature allows you to use transport rules to apply rights protection to messages.

Transport Protection Rules help organizations implement messaging policies by encrypting sensitive
e-mail content and using rights management to control access to the content.
AD RMS uses XML-based policy templates to allow compatible information rights management
(IRM)-enabled applications to apply consistent protection policies. In Windows Server 2008, the AD RMS
server is accessible through a Web service that you can use to enumerate and acquire templates.
Exchange Server 2010 includes just the Do Not Forward template. When you apply the Do Not Forward
template to a message, only the specified recipients can decrypt the message. The recipients cannot
forward the message to anyone else, copy content from the message, or print the message.

You can create additional RMS templates in the on-premise AD RMS deployment to meet rights-
protection requirements in your organization.

Enable Journal Report Decryption


When you enable Journal Report Decryption, you grant permission for the Journaling agent to attach a
decrypted copy of a rights-protected message to the journal report. If the rights-protected message
contains supported attachments that have been protected by the AD RMS cluster in your organization,
the attachments are also decrypted. The Journal Report Decryption agent performs decryption.

Enable Transport Decryption


When you enable Transport Decryption, Hub Transport servers can decrypt rights-protected messages to
enforce messaging policies. The first Hub Transport server to handle a message in an Active Directory
forest performs transport decryption. After decryption, unencrypted content becomes available to other
transport agents on that server. For example, the Transport Rule agent on a Hub Transport server can
inspect message content and apply transport rules. Any actions specified in the rule, such as applying a
disclaimer or modifying the message, can be applied to the unencrypted message. After other transport
agents have inspected the message and possibly made modifications to it, the message is encrypted again
with the same user rights that it had before being decrypted by the Decryption agent. The message is not
decrypted again by other Hub Transport servers in the organization.

Enable IRM in Outlook Web App


After you enable IRM in Outlook Web App, users can use Outlook Web App to:
• Send IRM-protected messages. Outlook Web App users can use the permissions feature when
composing a new message and select an applicable policy template to apply to the message. This
allows users to send IRM-protected messages from within Outlook Web App. The Client Access server
applies IRM protection to messages and message attachments.
• Read IRM-protected messages. Messages protected by senders using your organization’s AD RMS
cluster display in the Outlook Web App preview pane, without requiring additional add-ons or that
the user’s computer is enrolled in the AD RMS deployment. When you open or view a message in the
preview pane, the message is decrypted using the use license added to the message by the pre-licensing
agent. Once decrypted, the message displays in the preview pane. If a pre-license is not available,
Outlook Web App requests one from the AD RMS server before displaying the message.

Important: Before configuring Journal Report Decryption, Transport Decryption, or IRM for Outlook
Web App, you must provide Exchange servers with the right to decrypt IRM-protected content. Do
this by adding the Federated Delivery Mailbox to the super users group configured on the AD RMS
cluster. You must also use the Set-IRMConfiguration cmdlet to enable the required features.
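The Exchange-side configuration for the features described in this topic, as an added example that is not part of the course or of Microsoft's documentation. It assumes the Federated Delivery Mailbox has already been added to the AD RMS super users group (done in the AD RMS console, not shown), and the adatum.com addresses and rule name are assumptions; run it in the Exchange Management Shell on a Hub Transport server.

```powershell
# Added example (not from the course): enable journal report decryption, transport
# decryption, Outlook Web App IRM and a transport protection rule, then verify.
# Addresses and rule names are assumptions.

# Record the current state so the change can be reviewed and reverted if needed.
Get-IRMConfiguration | Format-List InternalLicensingEnabled, JournalReportDecryptionEnabled, `
    TransportDecryptionSetting, OWAEnabled, PrelicensingEnabled

# Enable the features in one call. TransportDecryptionSetting:
#   Optional  - a message that cannot be decrypted is still delivered, so transport rules
#               simply do not see its content (least disruptive; chosen here).
#   Mandatory - such a message is rejected with an NDR (stricter; can block legitimate mail
#               protected by a cluster Exchange cannot reach).
Set-IRMConfiguration -InternalLicensingEnabled $true `
    -JournalReportDecryptionEnabled $true `
    -TransportDecryptionSetting Optional `
    -OWAEnabled $true

# Prelicensing stays on by default; leave it enabled so Outlook Web App and mobile
# clients can open protected mail without contacting the AD RMS cluster themselves.
Get-IRMConfiguration | Format-List PrelicensingEnabled

# End-to-end check against the AD RMS cluster, acting as an (assumed) internal sender.
# Any failure here (certification, licensing, template retrieval) is reported per step.
Test-IRMConfiguration -Sender "adam@adatum.com"

# List the templates the Hub Transport servers can retrieve; "Do Not Forward" is built in.
Get-RMSTemplate

# Transport protection rule: apply Do Not Forward to mail between two assumed users.
New-TransportRule -Name "Protect HR to Legal mail" `
    -From "hr@adatum.com" `
    -SentTo "legal@adatum.com" `
    -ApplyRightsProtectionTemplate "Do Not Forward"
```

Run Test-IRMConfiguration again after any change to the AD RMS cluster or to the servercertification.asmx permissions; it is the quickest way to tell whether a failure is on the Exchange side or the AD RMS side.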

Demonstration: How to Configure AD RMS Integration

Key Points
In this demonstration, you will review how to configure and test AD RMS and Exchange Server 2010
integration. The first part of the demonstration will show you how to protect e-mail messages by using
AD RMS. This feature does not require any special Exchange Server functionality. The second part of the
demonstration will show you how to configure a transport rule that applies
AD RMS protection to a message based on message properties.

Demonstration Steps
1. Open Outlook 2007 and create a new message for an internal recipient.
2. In the Message ribbon, click the Permission icon.
3. In the Windows Security dialog box, log on as the mailbox user.
4. In the Permission dialog box, select the Restrict permission to this document check box.
5. When the message appears, verify that the message now contains the Do Not Forward header. Send
the message.
6. Log on as the message recipient, open Outlook 2007, open the restricted message, and then log on
using the user credentials. Verify that you do not have permission to forward the message.
7. On VAN-DC1, modify the permissions on the
C:\inetpub\wwwroot\_wmcs\certification\servercertification.asmx file to grant Read and Execute
access to the Exchange Servers group and the anonymous Internet Information Services (IIS) user
account.
8. Restart IIS.
9. On an Exchange server, at the Exchange Management Shell prompt, type the following cmdlet, and
press ENTER. This cmdlet enables internal licensing, which allows Hub Transport servers to apply AD
RMS protection:
Set-IRMConfiguration -InternalLicensingEnabled $true
10. Use the Test-IRMConfiguration cmdlet to test the IRM configuration.
11. In the Exchange Management Console, create a new transport rule named AD RMS Test Rule, which
applies the Do Not Forward AD RMS template to all messages sent between two specified users.
12. Send a message from one of the specified users to the other. Verify that the Do Not Forward
template is applied to the message.
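The following Exchange Management Shell session is an added example, not part of the course text, that performs steps 9 through 11 above and adds the verification a practitioner would want before relying on the rule. It assumes the Adatum.com organization, the users luca@adatum.com and andreas@adatum.com, and an AD RMS cluster that already publishes the Do Not Forward template.

```powershell
# Added example (not from the course): enable and verify AD RMS (IRM) integration,
# then create the transport rule from step 11. Assumed names: Adatum.com, users
# luca@adatum.com and andreas@adatum.com, and the Adatum AD RMS cluster on VAN-DC1.

# 1. Internal licensing lets Hub Transport servers apply RMS templates;
#    ClientAccessServerEnabled turns on IRM in Outlook Web App.
Set-IRMConfiguration -InternalLicensingEnabled $true -ClientAccessServerEnabled $true

# 2. Features that depend on the Federated Delivery Mailbox being a member of the
#    AD RMS super users group: decrypting journal reports, and transport decryption
#    so that other transport rules can inspect protected content. Optional means a
#    message that cannot be decrypted is still delivered instead of being rejected.
Set-IRMConfiguration -JournalReportDecryptionEnabled $true -TransportDecryptionSetting Optional

# 3. Review the resulting organization-wide settings.
Get-IRMConfiguration | Format-List *Enabled*, TransportDecryptionSetting

# 4. Confirm that the templates published by the AD RMS cluster are visible to Exchange.
Get-RMSTemplate

# 5. End-to-end check: Exchange must be able to obtain certificates for the sender and
#    pre-license content for the recipient. Failures here usually point at the super
#    users group membership or the ServerCertification.asmx ACL from step 7.
Test-IRMConfiguration -Sender luca@adatum.com -Recipient andreas@adatum.com

# 6. The transport rule from step 11: protect every message between the two users.
New-TransportRule -Name "AD RMS Test Rule" `
    -From "luca@adatum.com" -SentTo "andreas@adatum.com" `
    -ApplyRightsProtectionTemplate "Do Not Forward"
```

Run Test-IRMConfiguration again after any change to the AD RMS cluster or to the super users group; a rule that applies a template fails silently into the transport pipeline's retry logic when licensing breaks, so the test is the quickest way to tell a template problem from a mail flow problem.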

Question: Does your organization have AD RMS deployed? Are you planning to deploy AD RMS?

Question: How will Exchange Server 2010 make it easier to deploy AD RMS?

Options for Configuring Moderated Transport

Key Points
The Exchange Server 2010 moderated transport feature enables you to require moderator approval for all
e-mail messages sent to specific recipients, and you can specify any type of recipient as a moderator. The
Hub Transport servers ensure that all messages sent to those recipients go through an approval process.
You can also use transport rules to enforce moderation. For example, you could configure a transport rule
that sends a message for moderation based on any of the available criteria.

How Moderated Transport Works


When you configure a recipient as a moderated recipient, all messages sent to the recipient go through
the following process:
1. The sender creates a new message and sends it to the moderated recipient.
2. The categorizer intercepts the message, marks it for moderation, and then reroutes it to the
arbitration mailbox.
3. The store driver stores the message in the arbitration mailbox and sends an approval request to the
moderator.
4. The moderator uses the buttons in the approval request to either accept or reject the message.
5. The store driver marks the moderator’s decision on the original message stored in the arbitration
mailbox.
6. The Information Assistant reads the approval status on the message stored in the arbitration mailbox,
and then processes the message based upon the moderator’s decision:
• If the moderator approves the message, the Information Assistant resubmits the message to the
submission queue, and the message is delivered to the recipient.
• If the moderator rejects the message, the Information Assistant deletes the message from the
arbitration mailbox, and then notifies the sender that the moderator rejected the message.

Note: Previous Exchange Server versions do not support moderated recipients. If a message sent to a
moderated distribution group is expanded on a Hub Transport server that is running Exchange Server
2007, it will be delivered to all members of that distribution group, and bypass the moderation
process. If you have Exchange Server 2007 Hub Transport servers in your Exchange Server 2010
organization, and you want to use moderated distribution groups, you must designate an Exchange
Server 2010 Hub Transport server as the expansion server for the moderated distribution groups.
Doing this ensures that all messages sent to the distribution group are moderated.

For more information about moderation, refer to the CD content.



Demonstration: How to Configure Moderated Transport

Key Points
In this demonstration, you will review how to configure a distribution list for moderation and how to
configure a transport rule that enforces moderation for all messages sent to a distribution list.

Note: In this demonstration, you will configure a distribution list by using the Exchange Management
Console. If you need to enable a mailbox or contact for moderation, you must use the Set-Mailbox or
Set-MailContact cmdlet with the -ModerationEnabled $true and -ModeratedBy parameters; the console
exposes moderation settings only for distribution groups.

Demonstration Steps
1. In the Exchange Management Console, under Recipient Configuration, click Distribution Group.
2. In the middle pane, right-click a distribution list, and then click Properties.
3. On the Mail Flow Settings tab, double-click Message Moderation.
4. In the Message Moderation dialog box, select the Messages sent to this group have to be
approved by a moderator check box. Add the group moderators and add any users who do not
require moderation to send to the group.
5. Create a new transport rule that forwards any message sent to a distribution list for moderation.
Choose a moderator for the rule, and then configure any exceptions that are required.
6. Send a message to the distribution group configured for moderation.
7. Send a message to the distribution group configured for moderation in the transport rule.
8. Open the mailbox of a moderator configured for both the distribution group and transport rule.
Approve both messages.
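The following shell session is an added example, not part of the course text, that covers the note above (moderating a mailbox from the shell), the demonstration steps, and the Exchange Server 2007 expansion-server caveat. It assumes the All Company group, a moderator named Andreas Herbinger, a mailbox user Marcel Truempy, the address hr@adatum.com, and an Exchange Server 2010 Hub Transport server named VAN-EX1.

```powershell
# Added example (not from the course): configure moderation for a distribution
# group, a mailbox, and via a transport rule, then verify. Assumed names: the
# "All Company" group, moderator Andreas Herbinger, mailbox Marcel Truempy,
# hr@adatum.com, and Hub Transport server VAN-EX1 in Adatum.com.

# 1. Group moderation: require approval, name the moderator, exempt one sender
#    (the same list the console calls "users who do not require moderation"), and
#    always tell the sender when a message is rejected.
Set-DistributionGroup -Identity "All Company" `
    -ModerationEnabled $true `
    -ModeratedBy "Andreas Herbinger" `
    -BypassModerationFromSendersOrMembers "hr@adatum.com" `
    -SendModerationNotifications Always

# 2. Mailbox moderation is shell-only; the same parameters exist on Set-MailContact.
Set-Mailbox -Identity "Marcel Truempy" -ModerationEnabled $true -ModeratedBy "Andreas Herbinger"

# 3. Rule-based moderation: mail to the group from outside the organization goes to
#    the moderator first, with an exception for the postmaster address.
New-TransportRule -Name "Moderate external mail to All Company" `
    -SentTo "All Company" `
    -FromScope NotInOrganization `
    -ExceptIfFrom "postmaster@adatum.com" `
    -ModerateMessageByUser "Andreas Herbinger"

# 4. Coexistence caveat: if an Exchange Server 2007 Hub Transport server expands
#    the group, moderation is bypassed. Pin expansion to a 2010 Hub Transport server.
Set-DistributionGroup -Identity "All Company" -ExpansionServer "VAN-EX1"

# 5. Verify the group settings and that the arbitration mailbox that holds pending
#    messages exists (it is created by setup; if it is missing, moderation cannot work).
Get-DistributionGroup -Identity "All Company" |
    Format-List ModerationEnabled, ModeratedBy, BypassModerationFromSendersOrMembers, ExpansionServer
Get-Mailbox -Arbitration | Format-Table Name, Database
```

A bypass list is a policy exception: anyone on it, and any member of a group on it, can post to the moderated group without review, so keep the list short and review it together with the group's moderators.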

Question: Will you deploy moderated transport in your organization? If so, where would you use it?

Lesson 3
Configuring Journaling and Multi-Mailbox Search

Message journaling and Multi-Mailbox Search, second only to transport rules, are important components
for enforcing messaging compliance. Message journaling allows you to archive all messages automatically
that meet criteria that you specify. You can archive journaled messages to any SMTP address, including an
Exchange mailbox, Microsoft SharePoint® document library, or a third-party archiving solution. In
addition to message journaling, Exchange Server 2010 also includes the Multi-Mailbox Search feature,
which enables an authorized user to search all of the organization’s mailboxes based on specific criteria.
This lesson describes how to configure and manage message journaling and Multi-Mailbox Search in
Exchange Server 2010.

After completing this lesson, you will be able to:


• Describe message journaling options.
• Configure message journaling.
• Manage the message journal mailbox.
• Describe Multi-Mailbox Search.
• Configure Multi-Mailbox Search.

Message Journaling Options

Key Points
Journaling enables you to save copies of all e-mail messages in a collection mailbox when they are sent
to, or from, specified mailboxes, contacts, or distribution-group members. You also can configure
journaling based on messages sent to, or received from, mailboxes in a mailbox database, or configure
journaling as part of a messaging-records management rule.

Messages that meet the journaling criteria are sent to the collection mailbox as a journal report. This
report includes detailed information such as the recipient’s address, the sender’s address, and the
message’s subject.

How Journal Rules Work


When you create a journal rule, the Journaling agent, which runs only on Hub Transport servers, monitors
all messages sent through the server. When a message matches the journal rule criteria, the server
forwards a copy of the message to a journal mailbox. You can configure the journal mailbox using any
Exchange Server recipient. The recipient address can refer to another mailbox in the Exchange Server
organization, a document library on a Microsoft Windows SharePoint Services site, or an address used by
other third-party message-archival solutions.

Journal rules are based on message recipients and message senders. When you configure a journal rule,
you can choose any Exchange Server recipient including mailbox users, contacts, or distribution groups.
The Journaling agent sends to the journal mailbox a copy of all messages that the recipient sends or
receives.

You also can configure the following three journal rule scopes to limit which messages the Journaling
agent sends to the journal mailbox.

Scope Description

Internal Rules with this scope process messages sent and received by recipients inside the
organization.

External Rules with this scope process messages sent to recipients or received from senders outside
the organization.

Global Rules with this scope process all messages that pass through a Hub Transport server,
including messages that journal rules in the Internal and External scopes have already
processed.
Journal rules configured on a Hub Transport server apply to the entire Exchange Server organization.

How Mailbox Database Journaling Works


You can also configure a journal mailbox for a mailbox database. When you assign a journal recipient for
a mailbox database, all messages sent to or received from recipients with mailboxes in the database also
are sent to the journal recipient.

How Messaging Records Management Journaling Works


When you configure MRM, you can configure managed content settings that apply policies that are
located in user mailboxes. These managed content settings can specify retention or deletion time limits
and specify actions to take when you reach the time limit. When you configure managed content settings,
you can also configure a journal recipient so that all messages that match the criteria specified in the
managed content settings also are sent to the journal mailbox.

Note: Mailbox database journaling is a standard journaling option and is the only option available to
organizations with Exchange Standard Client Access Licenses (CALs). Journal rules and MRM journaling
are premium journaling options. To use premium journaling, you must have Exchange Enterprise CALs.

Journal Reports
When a message meets the journal criteria, a journal report is sent to the SMTP address that the rule lists.
The journal report is a new e-mail message that includes the original message, unaltered, as an
attachment.
The information that the journal report contains is organized so that every value in each header field has
its own line. The Journaling agent captures as much detail as possible about the original message. This
information is important in determining the message’s intent, its recipients, and its senders. For example,
how the message identifies recipients (directly addressed in the To field or the Cc field, or included in a
distribution list) may determine how the recipient is involved in the discussion occurring in the message.

For more information about the journal report, refer to the CD content.

Demonstration: How to Configure Message Journaling

Key Points
In this demonstration, you will review how to configure a message journaling rule using the Exchange
Management Console. You can configure journaling rules by using either the Exchange Management
Console or the Exchange Management Shell.
To configure journal rules with the Exchange Management Shell, use the following cmdlets:
• Enable-JournalRule
• Disable-JournalRule
• Get-JournalRule
• Set-JournalRule
• New-JournalRule
• Remove-JournalRule

Demonstration Steps
1. In Exchange Management Console, under Organization Configuration, click Hub Transport.
2. Create a new journal rule. Specify a name for the rule, and a journal mailbox. A copy of all messages
that the rule affects will be sent to the journal mailbox.
3. Specify the journal rule scope and recipients. The scope defines whether only internal or only external
messages, or both, will be journaled. All messages that the recipient sends or receives are journaled.
4. Send a test message to a journal recipient. Log on to the journal recipient mailbox, and then reply to
the message.
5. Log on to the journal mailbox and confirm that the journal mailbox contains a journal report for both
the sent message and the reply message.
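The following shell session is an added example, not part of the course text, that creates the journal rule from the demonstration and the other journaling options described in the topic (scopes, mailbox database journaling, and journaling to an external archive address). It assumes the Executives distribution group at executives@adatum.com, a journal mailbox ExecutivesJournal@adatum.com, Mailbox Database 1, and an archive address journal@archive.contoso.com.

```powershell
# Added example (not from the course): configure and verify journaling from the
# Exchange Management Shell. Assumed names: executives@adatum.com, the journal
# mailbox ExecutivesJournal@adatum.com, "Mailbox Database 1", and an external
# archive at journal@archive.contoso.com.

# 1. Premium journaling (Enterprise CAL): journal everything the Executives group
#    sends or receives, whether the other party is internal or external.
New-JournalRule -Name "Executives Department Message Journaling" `
    -JournalEmailAddress "ExecutivesJournal@adatum.com" `
    -Scope Global `
    -Recipient "executives@adatum.com" `
    -Enabled $true

# 2. External-only variant, for a requirement that covers only communications
#    leaving or entering the organization.
New-JournalRule -Name "External mail to or from Executives" `
    -JournalEmailAddress "ExecutivesJournal@adatum.com" `
    -Scope External -Recipient "executives@adatum.com" -Enabled $true

# 3. Standard journaling (Standard CAL): every mailbox in a database, no per-recipient
#    filtering and no scope.
Set-MailboxDatabase -Identity "Mailbox Database 1" -JournalRecipient "ExecutivesJournal@adatum.com"

# 4. Journaling to a third-party archive is just another SMTP address, represented
#    by a mail contact; journal reports route there like any other message.
New-MailContact -Name "Archive Journal" -ExternalEmailAddress "journal@archive.contoso.com"
New-JournalRule -Name "Archive all mail" -JournalEmailAddress "journal@archive.contoso.com" `
    -Scope Global -Enabled $true

# 5. Review what is in force. Journal rules are organization-wide, so the result is
#    the same on every Hub Transport server.
Get-JournalRule | Format-Table Name, Scope, Recipient, JournalEmailAddress, Enabled
Get-MailboxDatabase | Format-Table Name, JournalRecipient
```

When journal reports leave the organization (step 4), they travel over the Send connector like ordinary mail; unless that connector uses TLS to the archive provider, the complete copy of every journaled message crosses the network in the clear.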

Question: What are the advantages and disadvantages of using the Exchange Server 2010 message
journaling feature?

Considerations for Managing the Message Journal Mailbox

Key Points
In a large organization or if you configure journaling for a large number of users, the journal mailbox can
grow very rapidly. Additionally, the journal mailbox may contain highly confidential information that
should not be accessible to most users. This means that you will need to develop policies for managing
the journal mailbox.

Using a SharePoint Document Library for Journaling


You can configure SharePoint document libraries with SMTP addresses that will accept e-mail messages.
In Exchange Server, you can configure a custom recipient using the SharePoint document library e-mail
address, and then configure journaling to use the custom recipient as the journal recipient.

Considerations for Managing the Journal Mailbox Size


When configuring a journaling mailbox to accept journal reports, you must determine the maximum size
of the journaling mailbox. As with any other mailbox, the maximum size depends on the data that the
mailbox will store, the hardware resources that are available, and the disaster-recovery capabilities for the
server that contains the journaling mailbox. Additionally, you also must consider what will occur if a
journaling mailbox exceeds the configured mailbox quota.
Avoid using the Prohibit send and receive at (KB) option to set the journaling mailbox’s storage limit.
When the mailbox exceeds that quota, it rejects journal reports. Exchange does not return NDRs for
rejected journal reports to users or administrators; instead, the reports remain queued on the Hub
Transport servers until the journaling mailbox accepts them again, unless you have configured an
alternate journaling mailbox with the JournalingReportNdrTo parameter of Set-TransportConfig. To
reduce the possibility that your journaling mailbox will reject journal reports because it has reached
the configured storage quota, either avoid configuring this option or configure your journaling
mailbox’s storage quota to the maximum size allowable for your hardware resources and
disaster-recovery capabilities. If you are backing up the mailbox on a daily basis, consider specifying
an MRM rule to remove backed-up messages regularly.

Considerations for Managing Journal Mailbox Security


Security is an important consideration when managing the journal mailbox. Journaling mailboxes may
contain sensitive information. You must secure journaling mailboxes because they collect messages that
your organization’s recipients send and receive, and those messages may be part of legal proceedings or
subject to regulatory requirements. Create policies that govern who can access your organization’s
journaling mailboxes and limit access to only those individuals who have a direct need for access. Ensure
that legal representatives approve your plan to ensure that your journaling solution complies with all the
laws and regulations that apply to your organization.
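The following shell session is an added example, not part of the course text, that applies the size and security considerations above to a journal mailbox. It assumes the journal mailbox ExecutivesJournal, an auditor account MailboxAuditor, an alternate journaling mailbox JournalNdr@adatum.com, and, for the last step, Exchange Server 2010 SP1 or later, which introduced mailbox audit logging. The quota values are illustrative.

```powershell
# Added example (not from the course): size and security hardening for a journal
# mailbox. Assumed names: mailbox ExecutivesJournal, auditor MailboxAuditor, and
# alternate journaling mailbox JournalNdr@adatum.com in Adatum.com. Quotas are
# illustrative values, not a recommendation.

# 1. Size: warn and block sending (the journal mailbox never needs to send) but leave
#    prohibit-send-and-receive unlimited so the mailbox never rejects journal reports.
Set-Mailbox -Identity ExecutivesJournal `
    -UseDatabaseQuotaDefaults $false `
    -IssueWarningQuota 40GB `
    -ProhibitSendQuota 45GB `
    -ProhibitSendReceiveQuota Unlimited

# 2. If a journal mailbox still rejects reports (database offline, quota reached),
#    deliver the NDRs to an alternate journaling mailbox instead of leaving them
#    queued on Hub Transport servers. Protect that mailbox the same way.
Set-TransportConfig -JournalingReportNdrTo "JournalNdr@adatum.com"

# 3. Security: the mailbox is a collection point, not a user. Refuse mail from
#    unauthenticated senders so nobody on the Internet can inject forged "journal
#    reports", hide it from address lists, and grant Full Access only to the auditor.
Set-Mailbox -Identity ExecutivesJournal `
    -RequireSenderAuthenticationEnabled $true `
    -HiddenFromAddressListsEnabled $true
Add-MailboxPermission -Identity ExecutivesJournal -User MailboxAuditor `
    -AccessRights FullAccess -InheritanceType All

# 4. Keep the access list reviewable: list every explicit Full Access grant. Anything
#    other than the auditor (and the system entries) is a finding.
Get-MailboxPermission -Identity ExecutivesJournal |
    Where-Object { $_.AccessRights -contains "FullAccess" -and -not $_.IsInherited } |
    Format-Table User, AccessRights, Deny

# 5. Exchange Server 2010 SP1 or later: record who opens, deletes, or sends from the
#    journal mailbox so that auditor access is itself auditable.
Set-Mailbox -Identity ExecutivesJournal -AuditEnabled $true `
    -AuditDelegate FolderBind, HardDelete, SendAs
```

Step 4 is worth scheduling: Full Access grants made for a one-off investigation tend to outlive the investigation, and a journal mailbox is exactly the place where a stale grant matters most.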

What Is Multi-Mailbox Search?

Key Points
Many organizations need to be able to search mailboxes for specific content while performing compliance
audits. By using the Exchange Server 2010 Multi-Mailbox Search feature, organizations can now easily
search all user mailboxes.

How Multi-Mailbox Search Works


In Exchange Server 2010, the mailbox search functionality is now available through the Multi-Mailbox
Search feature in the ECP. The Multi-Mailbox Search feature allows you to search multiple mailboxes for
mailbox items (including e-mail, attachments, Calendar items, Tasks, and Contacts) across both primary
and archive mailboxes. Advanced filtering capabilities include: sender, receiver, expiry policy, message
size, sent/receive date, cc/bcc, and regular expressions.

Multi-Mailbox Search uses the content indexes that Exchange Search creates. Having a single content-
indexing engine ensures no additional resources are utilized for crawling and indexing mailbox databases
when information technology (IT) departments receive discovery requests.

Discovery Management Role


A user who is a member of the Discovery Management role group can perform a Multi-Mailbox Search.
The Discovery Management role group is a universal security group that Exchange Server 2010 setup
creates in AD DS. The Mailbox Search management role is assigned to this role group, and that role
grants permission to search all mailboxes in the organization. Because a member can read whatever a
search returns from any mailbox, treat membership of this group as a privileged assignment: keep it
empty until a discovery request arrives, and review it regularly.

Note: Exchange Server 2010 uses Role Based Access Control (RBAC) to define what actions users can
perform in the Exchange Server organization. RBAC uses management roles and management role
groups to manage these permissions. For more information on management roles and management
role groups, see Module 10.

Viewing Search Results


Multi-Mailbox Search copies the search results to the Discovery Search Mailbox. It creates a new folder in
the target mailbox that bears the same name as the search, with a subfolder for each source mailbox that
was searched. Additionally, it copies messages that the search returns to the corresponding folder in the
target mailbox.

Demonstration: How to Configure Multi-Mailbox Search

Key Points
In this demonstration, you will review how to configure Multi-Mailbox Search. To use the Multi-Mailbox
Search feature, you must give the users who will perform the search the Mailbox Search management
role. The easiest way to do this is to add the user to the Discovery Management role group, which is a
universal security group in AD DS. The user then can use the ECP to search for messages based on
multiple criteria.

Demonstration Steps
1. In Active Directory Users and Computers, add the user or group that will perform discovery
searches to the Discovery Management group.
2. Send a message with a key word or phrase in it. You will be searching on this key word or phrase.
3. Connect to the Exchange Control Panel on a Client Access server using the account that will
perform the search.
4. On the Reporting tab, under Multi-Mailbox Search, configure the search parameters.
5. Select the Send me an e-mail when the search is done check box, and then start the search.
6. Open the e-mail indicating the search is finished, and then click the Discovery Search Mailbox link.
7. Review the messages located by the search.
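The following shell session is an added example, not part of the course text, that performs the same demonstration from the Exchange Management Shell, which is useful when a discovery request must be scripted or repeated. It assumes an auditor account MailboxAuditor, source mailboxes George Schaller and Luca Dellamore, the default Discovery Search Mailbox, and a date range chosen for illustration.

```powershell
# Added example (not from the course): grant discovery rights and run a
# Multi-Mailbox Search from the shell. Assumed names: auditor MailboxAuditor,
# source mailboxes "George Schaller" and "Luca Dellamore", the default
# "Discovery Search Mailbox", and an illustrative 2010 date range.

# 1. Membership of the role group is what grants the Mailbox Search role. Use the
#    RBAC cmdlets rather than editing the group directly so Exchange validates the change.
Add-RoleGroupMember -Identity "Discovery Management" -Member MailboxAuditor
Get-RoleGroupMember -Identity "Discovery Management"

# 2. Results are copied into the target mailbox, so the auditor also needs Full Access
#    there to read them; role group membership alone does not grant it.
Add-MailboxPermission -Identity "Discovery Search Mailbox" -User MailboxAuditor -AccessRights FullAccess

# 3. Define the search: a phrase, restricted to two mailboxes and a date range, with a
#    completion mail to the auditor and full logging of what was found. Narrow scope
#    and dates are what keep a discovery search from becoming a blanket mailbox dump.
New-MailboxSearch -Name "Customer Number Discovery" `
    -SourceMailboxes "George Schaller", "Luca Dellamore" `
    -SearchQuery '"customer number"' `
    -StartDate "01/01/2010" -EndDate "12/31/2010" `
    -TargetMailbox "Discovery Search Mailbox" `
    -StatusMailRecipient MailboxAuditor `
    -LogLevel Full
Start-MailboxSearch -Identity "Customer Number Discovery"

# 4. Check progress and the summary: item count, size, mailboxes that failed, and the
#    Outlook Web App link to the results folder.
Get-MailboxSearch -Identity "Customer Number Discovery" |
    Format-List Status, ResultNumber, ResultSize, Errors, ResultsLink

# 5. When the matter is closed, remove the search and its copied results; the copies in
#    the Discovery Search Mailbox are a second location for the sensitive content.
Remove-MailboxSearch -Identity "Customer Number Discovery" -Confirm:$false
```

Run step 5 only after the results have been handed over; the search object and the folder it created in the target mailbox are the record of what was produced for the request.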

Lab A: Configuring Transport Rules, Journal Rules, and Multi-Mailbox Search

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and the 10135A-VAN-CL1 virtual machines are
running:
• 10135A-VAN-DC1: Domain controller in the Adatum.com domain.
• 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain.
• 10135A-VAN-CL1: Client computer in the Adatum.com domain.
3. If required, connect to the virtual machines. Log on to VAN-DC1 and VAN-EX1 as
Adatum\Administrator using the password Pa$$w0rd.
4. Log on to VAN-CL1 as Adatum\Luca using the password Pa$$w0rd.

Lab Scenario
You are a messaging administrator in A. Datum Corporation. Your organization has deployed Exchange
Server 2010.
The legal and audit departments at A. Datum provided you with several requirements for implementing
messaging policy and compliance. These requirements include applying rights protection to some
messages sent inside and outside the organization, restricting message flow based on message
classifications, and restricting which messages are sent to critical distribution lists. You also must ensure
that you establish a separate and secure mailbox in which to retain all messages that the legal department
sends and receives.

Exercise 1: Configuring Transport Rules


Scenario
A. Datum Corporation is completing its Exchange Server 2010 deployment and is preparing to implement
messaging policies to manage e-mail messages in transit and in user mailboxes. The project sponsors have
developed the following requirements for transport rules:
• All messages sent to users on the Internet must have a disclaimer that the legal department approves.
• Messages with a “Company Confidential” classification must not be sent to the Internet.
• The transport rule should apply the Do Not Forward AD RMS template to all messages with the words
“confidential” or “private” in the subject.
• A member of the Marketing group must approve all messages sent to the All Company distribution
list before the message is delivered.
The main tasks for this exercise are:

1. Create a transport rule that adds a disclaimer to all messages sent to the Internet.
2. Enable message classifications for Outlook 2007 clients.
3. Create a transport rule that blocks all messages with an Internet Confidential classification from being
sent to the Internet.
4. Enable AD RMS integration for the organization.
5. Configure a transport rule that applies the Do Not Forward AD RMS template to all messages with the
words “confidential” or “private” in the subject.
6. Configure a moderated group.
7. Test the transport rule configuration.

► To start the lab, complete the following steps
1. On VAN-EX1, click Start, point to All Programs, point to Microsoft Exchange Server 2010, and
then click Exchange Management Console.
2. Expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click
Hub Transport.
3. In the Actions pane, click New Send Connector.
4. On the Introduction page, type Internet Connector as the connector name. In the Select the
intended use for this Send connector drop-down list, click Internet, and then click Next.
5. On the Address space page, click Add.
6. In the Address field, type *, click OK, and then click Next.
7. On the Network settings page, click Route mail through the following smart hosts, and click
Add.
8. In the IP address field, type 10.10.0.10, click OK, and then click Next.
9. On the Configure smart host authentication settings page, click Next.
10. On the Source Server page, click Next, click New, and then click Finish.

► Task 1: Create a transport rule that adds a disclaimer to all messages sent to the Internet
• On VAN-EX1, create a new transport rule with the following settings:
• Name: Internet E-Mail Disclaimer
• Conditions: Sent to users outside the corporation
• Actions: Add a disclaimer

• Disclaimer text: This e-mail is intended solely for the use of the individual to whom it is
addressed

► Task 2: Configure and enable message classifications for Outlook 2007 clients
1. On VAN-EX1, use the following cmdlet to configure a new message classification:
New-MessageClassification -Name CompanyConfidential -DisplayName "Company Confidential"
-SenderDescription "Do not forward to the Internet"
2. Use the Export-Classification.ps1 script in the
C:\Program Files\Microsoft\Exchange Server\v14\scripts folder to export the message
classifications to the C:\Classifications.xml file.
3. Copy the Classifications.xml file to drive C on VAN-CL1.
4. On VAN-CL1, import the EnableClassifications.reg file from \\van-ex1\d$\Labfiles.

► Task 3: Create a transport rule that blocks all messages with a Company Confidential
classification from being sent to the Internet
• Create a new transport rule with the following settings:
• Name: Company Confidential Rule
• Condition: Marked with classification Company Confidential
• Actions: Send rejection message to sender with enhanced status code
• Rejection message text: Company confidential e-mail messages cannot be sent to the Internet
• Enhanced status code: 5.7.1

► Task 4: Enable AD RMS integration for the organization
1. On VAN-DC1, grant the Exchange Servers group and IIS_IUSRS Read and Execute permission to
the C:\inetpub\wwwroot\_wmcs\certification\servercertification.asmx file.
2. Restart IIS on VAN-DC1.
3. On VAN-EX1, use the Set-IRMConfiguration -InternalLicensingEnabled $true cmdlet to enable
AD RMS protection on the Hub Transport server.

► Task 5: Configure a transport rule that applies the Do Not Forward AD RMS template to
all messages with the words “confidential” or “private” in the subject
• Create a new transport rule with the following settings:
• Name: Confidential E-Mail Rule
• Condition: Where the subject contains the words Confidential or Private
• Actions: Protect the message with the Do Not Forward template

► Task 6: Configure a moderated group
1. On VAN-EX1, configure the All Company distribution group to require moderation.
2. Configure Andreas Herbinger as the group’s moderator.

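The following shell session is an added example, not part of the lab, that builds the rules from Tasks 1 to 3 with the Exchange Management Shell instead of the console. It assumes the Adatum.com organization and the CompanyConfidential classification from Task 2. It also scopes the rejection rule to external recipients, which the lab's console steps do not; without that scope the rule would bounce classified mail between internal users as well.

```powershell
# Added example (not from the lab): Tasks 1 to 3 built in the Exchange Management
# Shell. Assumed names: the Adatum.com organization and the CompanyConfidential
# classification.

# Task 1: disclaimer on mail leaving the organization. If the disclaimer cannot be
# inserted (signed or encrypted content), wrap the original in a new message that
# carries it rather than rejecting the mail or sending it unmodified.
New-TransportRule -Name "Internet E-Mail Disclaimer" `
    -SentToScope NotInOrganization `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerText "This e-mail is intended solely for the use of the individual to whom it is addressed" `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# Task 2: the classification users select in Outlook.
New-MessageClassification -Name CompanyConfidential `
    -DisplayName "Company Confidential" `
    -SenderDescription "Do not forward to the Internet"

# Task 3: block classified mail to the Internet with a permanent failure. The
# SentToScope condition limits the rejection to external recipients.
New-TransportRule -Name "Company Confidential Rule" `
    -HasClassification "CompanyConfidential" `
    -SentToScope NotInOrganization `
    -RejectMessageReasonText "Company confidential e-mail messages cannot be sent to the Internet" `
    -RejectMessageEnhancedStatusCode "5.7.1"

# Rules run in priority order (0 first). Evaluate the rejection before the
# disclaimer so that a blocked message is never modified first.
Set-TransportRule -Identity "Company Confidential Rule" -Priority 0
Get-TransportRule | Format-Table Priority, Name, State
```

Note that a classification is metadata set by the sender; Task 3 protects against accidental disclosure, not against a user who simply omits the classification. The AD RMS rule in Task 5 is the control that follows the content rather than the label.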
► Task 7: Test the transport rule configuration
1. On VAN-CL1, verify that you are logged on as Adatum\Luca, and then open Office Outlook 2007.
2. Send two messages to Carol@contoso.com. The first message should contain no settings, and the
second message should have the Company Confidential message classification assigned.

3. On VAN-DC1, open Windows Explorer. Browse to the C:\inetpub\mailroot\queue folder. Open the
EML file with Notepad. Scroll to the middle of the message, and verify that the disclaimer has been
added to the message.
4. On VAN-CL1, confirm that Luca received a message from the postmaster account stating that the
second message could not be delivered.
5. In Outlook, create a new message, and send it to the All Company distribution group.
6. Connect to the Outlook Web App site on VAN-EX1. Log on as Andreas. Approve the message.
7. In Outlook, verify that the message to the All Company distribution list has arrived.
8. In Outlook Web App, logged on as Andreas, create a new message with a subject of Private. Send
the message to Luca.
9. In Outlook, verify that Luca received the message and that it has the Do Not Forward template
applied. Verify that the Forward option is not available on the message.

Results: After this exercise, you should have configured a transport rule that ensures that all
messages sent to users on the Internet includes a disclaimer of which the legal department approves.
Additionally, you should have configured a transport rule that ensures that messages with an
“Company Confidential” classification are not sent to the Internet, and you should have configured a
transport rule that applies the Do Not Forward AD RMS template to all messages with the words
“confidential” or “private” in the subject. Lastly, you should have configured a moderated group using
the All Company distribution group.

Exercise 2: Configuring Journal Rules and Multi-Mailbox Search


Scenario
In addition to requirements restricting message flow, the project sponsors at A. Datum Corporation also
have the following requirements for saving messages and enabling auditors to search all mailboxes:
• A copy of all messages sent to and from the Executives group will be saved. The journal mailbox
should be accessible only with a special auditor account.
• Implement an auditor account that has permission to search all user mailboxes and access the
journaled Executive messages.
The main tasks for this exercise are:
1. Create a mailbox for the Executives department journaling messages.
2. Create a journal rule that saves a copy of all messages sent to and from Executives department
members.
3. Create and configure the MailboxAuditor account.
4. Test the journal rule and Multi-Mailbox Search configuration.

► Task 1: Create a mailbox for the Executives department journaling messages
• Create a new recipient with the following attributes:
• First name: Executives Journal Mailbox
• User Logon name (User Principal Name): ExecutivesJournal
• Password: Pa$$w0rd
• Create the mailbox in Mailbox Database 1

► Task 2: Create a journal rule that saves a copy of all messages sent to and from
Executives department members
• Create a new journal rule with the following attributes:
• Rule name: Executives Department Message Journaling
• Journal mailbox: Executives Journal Mailbox
• Scope: Global
• Recipient: Executives distribution group

► Task 3: Create and configure the MailboxAuditor account
1. Create a new recipient with the following attributes:
• First name: Mailbox Auditor
• User Logon name (User Principal Name): MailboxAuditor
• Password: Pa$$w0rd
• Create the mailbox in Mailbox Database 1
2. Grant the Mailbox Auditor account Full Access to the Executives Journal Mailbox and the
Discovery Search Mailbox.
3. Add the Mailbox Auditor account to the Discovery Management Active Directory group.

► Task 4: Test the journal rule and Multi-Mailbox Search configuration
1. On VAN-CL1, if required, open Outlook.
2. Create a new message, and then send it to Marcel Truempy. Marcel is a member of the Executives
group.
3. Connect to Outlook Web App as Marcel, and confirm that the message was delivered. Reply to the
message.
4. Connect to Outlook Web App as MailboxAuditor. Right-click Mailbox Auditor, and then click Open
Other User’s Inbox. Open the Executives Journal Mailbox and verify that the two journaled
messages are in the Inbox.
5. In Outlook, send a message with the following properties:
• To: George; Carol@contoso.com
• Subject: Customer Order
• Message body: Here is the order for Carol at Contoso. Her customer number is 1111-1111.
6. Connect to the Exchange Control Panel as the MailboxAuditor.
7. Create a new search named Customer Number Discovery. Configure the search to look for the
phrase “customer number” in George Schaller and Luca Dellamore’s mailboxes.
8. Wait until the search finishes, and then in the bottom right pane, click the Open link. In Outlook Web
App, verify that the discovery folder named Customer Number Discovery contains two subfolders
and contains the discovered messages.

Results: After this exercise, you should have created a mailbox for the Executives department
journaling messages, and then created a journal rule that saves a copy of all messages sent to and
from Executives department members. You also should have created and configured the
MailboxAuditor account.

► To prepare for the next lab
• Do not shut down the virtual machines or revert them to their initial state when you finish this
lab. The virtual machines are required to complete this module’s last lab.

Lesson 4
Configuring Messaging Records Management

An important requirement for many organizations is managing the e-mail stored in users’ mailboxes. In
some cases, organizations may need to retain some messages while deleting others after a specified time.
Exchange Server 2010 uses MRM to implement this functionality through retention policies and managed
folders. This lesson describes how to implement MRM in Exchange Server 2010.

After completing this lesson, you will be able to:


• Describe Retention Tags and retention policies.
• Configure Retention Tags and retention policies.
• Describe managed folders.
• Deploy managed folders.
• Implement managed custom folders and content settings.
• Identify options for implementing MRM.

What Are Retention Tags and Retention Policies?

Key Points
In Exchange Server 2010, you use Retention Tags to tag messages or folders for retention or deletion.
Each Retention Tag is associated with one or more managed content settings, which define the time for
which items are retained, and what will happen when the retention period expires. You can associate
multiple Retention Tags with a retention policy, which then is assigned to a user mailbox.

Retention Tags
Use Retention Tags to apply retention settings to mailbox folders and individual items. The following
types of Retention Tags are available:
• Retention Policy Tags: Retention Policy Tags are applied to default mailbox folders such as Inbox,
Deleted Items, and Junk Mail. A Retention Policy Tag has one or more managed content settings
associated with it for retaining messages of different types. It may have an additional managed
content setting that defines journaling settings.
• Default Policy Tag: A Default Policy Tag can be associated with a retention policy and applies to all
items in the mailbox that neither have a Retention Tag explicitly applied to them nor inherit a tag
from the folder in which they reside. A Default Policy Tag can have more than one managed content
setting associated with it for different item types such as e-mail messages, voice mail, and
contacts. Additionally, it can have a managed content setting with journaling settings. You cannot have
more than one Default Policy Tag associated with a retention policy.
• Personal Tags: Personal Tags are Retention Tags available to users as part of their retention policy. A
user can opt in to additional Personal Tags by using the ECP, and can apply them to folders or items
in the mailbox. Personal Tags can have only one managed content setting, which governs expiry of all
message types.

Managed Content Settings


Managed content settings define settings for message retention and journaling. They are associated with
Retention Tags. The content settings specify how long a message remains in a mailbox folder, and the
action that Exchange Server should take when the message reaches the specified retention age.

You can also configure journal settings to ensure that all message copies with the associated Retention
Tag are sent to another recipient.

Retention Policies
Retention policies group one or more Retention Tags and apply the tags to mailboxes. A retention policy
consists of one or more Retention Policy Tags, a maximum of one Default Policy Tag, and any number of
Personal Tags. You can link or unlink tags from a retention policy at any time.

You can apply retention policies to mailboxes using the Exchange Management Shell or the ECP. A
mailbox cannot have more than one retention policy.

Retention Policy Tags and Mailbox Folders


Retention Policy Tags apply to default folders as specified in the retention policy. Users cannot change the
Retention Policy Tags associated with default folders. However, users can apply a different tag to an item
in a default folder, thereby causing the item to have a different retention setting than the folder in which
it resides. Similarly, an item in a user-created folder can also have a different tag than the folder within
which it resides.

What Is AutoTagging?

Key Points
AutoTagging is an Exchange Server 2010 feature that optimizes the use of Retention Tags by
automatically applying Retention Tags to items based on past user behavior.

Based on User Behavior


AutoTagging uses a machine-learning algorithm that tracks users’ tagging behavior. Given a sampling
that is large enough for it to learn, AutoTagging can predict the user’s tagging behavior from the
sampling. The user must have manually tagged a minimum of 500 e-mail messages for AutoTagging to
start learning. The AutoTagging algorithm inspects message characteristics, content, and the user-
assigned Retention Tags, and creates a model to predict the user’s tagging behavior. Once learning is
complete, AutoTagging automatically assigns the appropriate Retention Tags to new items as they arrive.

User Management of AutoTagging


Users can enable AutoTagging from the ECP. The mailbox should have at least 500 messages tagged
before AutoTagging is enabled. You also can use cmdlets to enable or disable AutoTagging for one or
more mailboxes, and to determine the AutoTagging status of users.

Users can disable AutoTagging at any time. They also can override the Retention Tag automatically
applied to a message by applying a different tag that may be more appropriate, or they can move a
message to a folder to which a tag is applied. User-applied tags always take precedence, and
AutoTagging never alters them.

Administrative Control
Regardless of whether a user or administrator enables AutoTagging on a mailbox, Exchange Server 2010
lets the administrator control AutoTagging functionality, as necessary. Administrators can enable or
disable AutoTagging for a mailbox. To do this, run Set-MailboxComplianceConfiguration -Identity
<user> -RetentionAutoTaggingEnabled $true (or $false to disable it).

Demonstration: How to Configure Retention Tags and Policies

Key Points
In this demonstration, you will review how to configure the three types of Retention Tags, and how to
configure content settings for the Retention Tags. Then you will see how to combine the Retention Tags
into a retention policy and how to assign the retention policy to a user.

Demonstration Steps
Use the following cmdlets to configure Retention Tags and policies:
• New-RetentionPolicyTag DefaultTag -Type:All -MessageClass AllMailboxContent
-RetentionEnabled $true -AgeLimitForRetention 365
-RetentionAction PermanentlyDelete -IsPrimary:$true
This cmdlet creates a new default Retention Policy Tag named DefaultTag that applies to all folders.
The retention policy content settings will apply to all messages that do not have another Retention
Tag assigned to them, and will permanently delete all messages after 365 days.
• New-RetentionPolicyTag InboxTag -Type:Inbox -MessageClass:*
-AgeLimitForRetention:30 -RetentionEnabled:$True -RetentionAction:MoveToDeletedItems
This cmdlet creates a Retention Tag for the Inbox folder and configures a content setting to move all
messages to the Deleted Items folder after 30 days.
• New-RetentionPolicyTag "Business Critical" -Type:Personal
-MessageClass:* -AgeLimitForRetention:1100 -RetentionEnabled:$True
-RetentionAction:MoveToArchive
This cmdlet creates a Personal Tag named Business Critical that sets a retention period of about three
years and moves the messages to the user archive mailbox when the retention period expires.
• New-RetentionPolicy AllTagsPolicy
-RetentionPolicyTagLinks:DefaultTag,InboxTag,"Business Critical"

This cmdlet creates a new retention policy named AllTagsPolicy, and adds all of the Retention Tags to
the policy.
• Set-Mailbox Luca -RetentionPolicy AllTagsPolicy
This cmdlet assigns the AllTagsPolicy retention policy to Luca's mailbox.
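The following script is an added example and not part of the course text: it checks the retention policy built in the demonstration above for the constraints this lesson states (at most one Default Policy Tag, every enabled tag with an age limit, every mailbox covered by a policy) and reports the AutoTagging state described in the previous topic. It assumes the Exchange Management Shell on Exchange Server 2010 RTM, the policy name AllTagsPolicy from the demonstration, the Marketing OU from the lab, and that Get-MailboxComplianceConfiguration exists as the read-side counterpart of Set-MailboxComplianceConfiguration.

```powershell
# Added example, not from the course: audit a retention policy and report AutoTagging status.
# Assumes the Exchange Management Shell on Exchange Server 2010 RTM.

function Test-RetentionPolicyConfiguration {
    param(
        # Defaults to the policy created in the demonstration.
        [string]$PolicyName = 'AllTagsPolicy'
    )

    $policy = Get-RetentionPolicy -Identity $PolicyName -ErrorAction Stop

    # RetentionPolicyTagLinks lists the tags linked to the policy; resolve each to its tag object.
    $tags = @()
    foreach ($link in $policy.RetentionPolicyTagLinks) {
        $tags += Get-RetentionPolicyTag -Identity $link.Name
    }

    $findings = @()

    # A retention policy may contain at most one Default Policy Tag (a tag of Type All).
    $defaultTags = @($tags | Where-Object { $_.Type -eq 'All' })
    if ($defaultTags.Count -gt 1) {
        $findings += "Policy '$PolicyName' links $($defaultTags.Count) default tags; only one is allowed."
    } elseif ($defaultTags.Count -eq 0) {
        $findings += "Policy '$PolicyName' has no default tag; untagged items will never expire."
    }

    foreach ($tag in $tags) {
        # A tag that is retention-enabled but has no age limit never expires anything.
        if ($tag.RetentionEnabled -and -not $tag.AgeLimitForRetention) {
            $findings += "Tag '$($tag.Name)' is retention-enabled but has no AgeLimitForRetention."
        }
        # Destructive actions need business and legal approval (see the MRM considerations topic).
        if ($tag.RetentionAction -eq 'PermanentlyDelete') {
            $findings += "Tag '$($tag.Name)' permanently deletes items after $($tag.AgeLimitForRetention)."
        }
    }

    # Mailboxes without any retention policy fall outside MRM entirely.
    $unassigned = @(Get-Mailbox -ResultSize Unlimited | Where-Object { $_.RetentionPolicy -eq $null })
    foreach ($mbx in $unassigned) {
        $findings += "Mailbox '$($mbx.Alias)' has no retention policy assigned."
    }

    return $findings
}

function Get-AutoTaggingStatus {
    param(
        [Parameter(Mandatory = $true)][string]$OrganizationalUnit
    )
    Get-Mailbox -OrganizationalUnit $OrganizationalUnit -ResultSize Unlimited | ForEach-Object {
        # Assumption: Get-MailboxComplianceConfiguration exposes RetentionAutoTaggingEnabled,
        # the same property that Set-MailboxComplianceConfiguration sets.
        $cfg = Get-MailboxComplianceConfiguration -Identity $_.Identity
        New-Object PSObject -Property @{
            Mailbox         = $_.Alias
            RetentionPolicy = $_.RetentionPolicy
            AutoTagging     = $cfg.RetentionAutoTaggingEnabled
        }
    }
}

# Usage: list findings for the demonstration policy, then the AutoTagging state of one OU.
Test-RetentionPolicyConfiguration -PolicyName 'AllTagsPolicy'
Get-AutoTaggingStatus -OrganizationalUnit 'Marketing' |
    Format-Table Mailbox, RetentionPolicy, AutoTagging
```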

Question: Do you think you will implement retention policies?

Question: Which MRM option are you more likely to implement: managed custom or default folders, or
retention policies?

What Are Managed Folders?

Key Points
In addition to retention policies, you can implement MRM by configuring managed folders. When you
configure managed folders, you can configure managed content settings that specify how long to retain
messages in specified e-mail folders. You can apply managed content settings to the default e-mail
folders or to managed custom folders that you create in user mailboxes. You then can create managed
folder mailbox policies that apply the content settings for a folder or group of folders to specified users.

Note: Exchange Server 2007 introduced managed folders, and Exchange Server 2010 supports
managed folders that are configured in Exchange Server 2007.

Managed Folder Options


Use the following options when configuring managed folders:
• Configure content settings for the default folders that are created in all user mailboxes. When
configuring content settings for the default folders, set restrictions on how long the folder retains
messages. You can also use the Exchange Management Console to apply content settings to the
entire Mailbox folder. The content settings applied to this folder will apply to all folders in the user
mailbox, including folders they have created.
• Configure custom managed folders and then apply content settings to the custom folders. When
creating a custom managed folder, you can add that folder to the user mailbox. You then can configure
content settings to apply to that folder. This is a useful option when users require the same folder,
and you need to manage the messages in the folder identically for all users.

Managed Content Setting Options


When you configure managed content settings, use the following options for configuring how users
manage messages:

• Configure retention periods, which enable you to define how long content will remain in users’
mailboxes. You can configure these policies by content age and message type, such as voice mail or
appointments.
• Configure what action occurs when the retention period expires. For example, you can configure
messages to be deleted permanently, moved to the Deleted Items folder, or moved to another folder.
• Configure journal settings to ensure copies of all messages in the specified folder are sent to another
recipient.

Managed Folder Mailbox Policies


Managed folder mailbox policies enable you to group managed folders and assign the managed folder
settings to user accounts. For example, you might have created a managed content setting for the Inbox
and the Sent Items folders, and a custom managed folder for a sales project. To apply these settings to
users, you need to create a managed folder mailbox policy and assign the Inbox, Sent Items, and the
custom managed folders to the policy. You then assign the policy to all of the users in the Sales
department.

User Interaction with Messaging Records Management


When you create custom managed folders, users have to move e-mail messages from their Inbox to the
appropriate folders. MRM policies are applied automatically to messages that users have moved. Users also
can sort messages into appropriate folders by using Outlook rules.

If you apply content settings to default folders in a user mailbox, no user interaction is necessary for the
settings to apply to the folders.

Process for Deploying Managed Folders

Key Points
To implement MRM, you must complete the following steps:

1. Specify the folders to which you want to apply MRM. You can apply managed content settings to
default folders in user mailboxes, or you can create managed custom folders in user mailboxes.
2. Specify the managed content settings for selected folders. When you configure content settings, you
can configure options that define the message types you want to manage, how long to retain the
messages, and what action to take when messages expire. You also can configure journaling settings
that will save a copy of all messages in the folder.
3. Create a managed folder mailbox policy. You can use mailbox policies to group multiple managed
folders.
4. Apply the managed folder mailbox policy to users’ mailboxes. By default, no managed folder mailbox
policies are created or applied to user mailboxes.
5. Schedule the managed folder assistant to apply the changes to users’ mailboxes. The managed folder
assistant creates managed folders in users’ mailboxes and applies managed content settings to them.
By default, the managed folder assistant runs from 1 A.M. to 5 A.M. every day.

Demonstration: How to Implement Managed Custom Folders and Content Settings

Key Points
In this demonstration, you will review how to configure a managed custom folder, and then apply a
content setting to the custom folder. You also will see how to configure a managed folder mailbox policy
and apply it to a user account.

Demonstration Steps
1. In the Exchange Management Console, in the Organization Configuration work area, click Mailbox.
2. Create a new managed custom folder using the following configuration:
• Name: Contoso Project
• Comment: All items related to Contoso Project should be posted here and will be retained for 2
years
3. Right-click the Contoso Project folder, and then create a new managed content setting with the
following configuration:
• Name: Contoso Project Content Settings
• Message type: All Mailbox Content
• Length of retention period: 731
• Retention period starts: When item is moved to the folder
• Action to take at the end of the retention period: Permanently delete
• Journaling: Disabled
4. In the Actions pane, click New Managed Folder Mailbox Policy, and then create a new managed
folder mailbox policy named Accounting Department Policy that includes the Contoso Project
folder.

5. Assign the Accounting Department Policy to all users in the Accounting OU.
6. On the Mailbox server properties, schedule the Managed Folder Assistant to run during the current
time.
7. Restart the Microsoft Exchange Mailbox Assistants service.
8. Use Outlook Web App to check the mailbox of an Accounting department member. Verify that the
Contoso Project folder was created in the user’s mailbox.
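The same five-step process, covering both the deployment procedure described earlier and the demonstration steps above, as an Exchange Management Shell script. This is an added example, not the course's own code; it assumes the Exchange Management Shell on Exchange Server 2010, an OU named Accounting, and a placeholder mailbox alias for the final check.

```powershell
# Added example, not from the course: the managed custom folder demonstration as a script,
# followed by a check that one mailbox received the policy and the folder.
# Assumes the Exchange Management Shell on Exchange Server 2010 and an OU named Accounting.

$folderName   = 'Contoso Project'
$settingsName = 'Contoso Project Content Settings'
$policyName   = 'Accounting Department Policy'
$ouName       = 'Accounting'

# Step 1: the managed custom folder that the managed folder assistant creates in each mailbox.
New-ManagedFolder -Name $folderName -FolderName $folderName `
    -Comment 'All items related to Contoso Project should be posted here and will be retained for 2 years'

# Step 2: content settings for the folder. "All Mailbox Content" in the console is MessageClass '*'
# in the shell; the retention clock starts when an item is moved into the folder (731 days, two
# years including a leap day), expired items are permanently deleted, and journaling stays disabled.
New-ManagedContentSettings -Name $settingsName -FolderName $folderName -MessageClass '*' `
    -RetentionEnabled $true -AgeLimitForRetention 731 -TriggerForRetention WhenMoved `
    -RetentionAction PermanentlyDelete -JournalingEnabled $false

# Step 3: the managed folder mailbox policy that groups the managed folders to assign.
New-ManagedFolderMailboxPolicy -Name $policyName -ManagedFolderLinks $folderName

# Step 4: assign the policy to every mailbox in the Accounting OU.
Get-Mailbox -OrganizationalUnit $ouName -ResultSize Unlimited |
    Set-Mailbox -ManagedFolderMailboxPolicy $policyName

# Step 5: run the managed folder assistant now instead of waiting for its 1 A.M. to 5 A.M. window.
Start-ManagedFolderAssistant

function Test-ManagedFolderDeployment {
    param(
        [Parameter(Mandatory = $true)][string]$Mailbox,
        [string]$FolderName = 'Contoso Project',
        [string]$PolicyName = 'Accounting Department Policy'
    )
    $mbx = Get-Mailbox -Identity $Mailbox
    # The policy must be stamped on the mailbox, and the folder must exist in it.
    $policyOk = ($mbx.ManagedFolderMailboxPolicy -ne $null) -and
                ($mbx.ManagedFolderMailboxPolicy.Name -eq $PolicyName)
    $folder = Get-MailboxFolderStatistics -Identity $Mailbox |
              Where-Object { $_.Name -eq $FolderName }
    New-Object PSObject -Property @{
        Mailbox        = $mbx.Alias
        PolicyAssigned = $policyOk
        FolderCreated  = ($folder -ne $null)
    }
}

# Usage: verify one Accounting mailbox after the assistant has run (placeholder alias).
Test-ManagedFolderDeployment -Mailbox '<AccountingUserAlias>'
```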

Considerations for Implementing Messaging Records Management

Key Points
MRM policies deal primarily with message retention. By implementing MRM policies, you can
ensure that certain messages are deleted from user mailboxes and that certain messages are retained for an
extended period.

Note: MRM requires an Exchange Enterprise CAL for each mailbox on which it is enabled.

• Ensure that you have business and legal approval before configuring MRM policies. This is particularly
important if you are configuring policies that will delete messages from user mailboxes.
• You can use retention policies and managed folder mailbox policies to group a collection of folders
with associated Retention Tags or content settings. If different user groups in your organization have
different requirements for MRM, you can create a unique policy for each user group that includes just
the folders that should apply to those users.
• If your organization requires messages to be retained or managed based on projects, consider using
managed custom folders to apply messaging records management policies. With managed custom
folders, you can create the required folders in the mailboxes for all users associated with the projects,
and then ensure appropriate management of the folder’s messages.
• If you want to automate the MRM process for all users, consider using retention policies and
AutoTagging. With retention policies, you can set default tags that will be assigned to all folders,
while providing users with the option of overriding the tags. With AutoTagging, you can further
automate the process for managing Retention Tags to the extent that users no longer have to
manage the tags.
• If you need to ensure that copies of some messages are retained for extended periods, consider using
journaling as part of a content setting to ensure message retention. When you configure a content
setting, you can add a journal location so that all messages that the content setting covers also are
moved automatically to the journal location. With this as an option, you can consider deleting
messages from user mailboxes.
• Use MRM policies to limit mailbox sizes. You can use MRM policies to remove old messages from
folders such as the Deleted Items folder, or the Sent Items folder.

Lesson 5
Configuring Personal Archives

A compliance issue that many organizations must solve is that much of the information users receive by
e-mail is not stored within the e-mail system. Because of mailbox size limits, many users move messages
from their mailboxes to personal storage table (PST) files, where the messages are not backed up
regularly, and where the messages are not available for discovery or indexing.

Exchange Server 2010 introduces Personal Archives as an option for ensuring that all messages are stored
in a mailbox on an Exchange server. This lesson describes how to configure and manage Personal Archives
in Exchange Server 2010.

After completing this lesson, you will be able to:


• Describe options for implementing mailbox archiving.
• Describe how Personal Archives work in Exchange Server 2010.
• Configure Personal Archives.
• Identify options for implementing Personal Archives.

Discussion: Options for Implementing Mailbox Archiving

Key Points
Some organizations have implemented mailbox archiving by using third-party products. These products
provide different types of functionality and implement the functionality in different ways. In this
discussion, you will review the mailbox archiving solutions that organizations have implemented.

Question: Do you have any archiving or journaling requirements in your organization?

Question: How are you currently meeting these requirements?



How Personal Archives Work in Exchange Server 2010

Key Points
Exchange Server 2010 provides Personal Archives as a feature that enables users to move their PST files
back into the Exchange Server database. To implement a Personal Archive, create a second mailbox that
the user can use to store messages that are no longer current, but which they may need to retain. The
user can access this archive mailbox in Outlook 2010 or Microsoft Outlook Web App just like any other
folder in the user mailbox.

How Personal Archives Work

To implement Personal Archives, the Exchange Server administrator creates a new archive mailbox for the
users. You must create this mailbox in the same mailbox database as the user’s primary mailbox. You can
create the archive mailbox when you create the primary mailbox, or add the archive mailbox later.

The archive mailbox appears as a folder in the user’s regular mailbox when the user accesses their mailbox
by using Outlook 2010 or Outlook Web App. Users can then move their PST folders, or any other messages,
into the archive mailbox simply by dragging and dropping e-mail into an archive folder.

One of the differences between the primary mailbox and the archive mailbox is that the archive mailbox is
not cached on the client computer when you configure Outlook in Cached Exchange Mode. This decreases the
mailbox cache size on the client, but also means that the user can access the mail in the archive mailbox only
when connected to the Exchange server.

You can manage the archive mailbox through MRM policies. For example, you can configure retention
policies that will move messages from the primary mailbox to the secondary mailbox based on the
Retention Tags assigned to the primary mailbox folders. You can also configure retention policies for
folders located in the archive mailbox.

Demonstration: How to Configure Personal Archives

Key Points
In this demonstration, you will review how to configure a Personal Archives mailbox for a user account.
You will also see how to access the mailbox by using Outlook Web App.

Demonstration Steps
1. On VAN-EX1, in the Exchange Management Console, click Recipient Management, and then click
Mailbox.
2. Right-click a mailbox, and then click Enable Archive.
3. On the mailbox properties, review the archive quota settings.
4. Use the get-mailbox cmdlet to view the mailbox settings. Review the ArchiveName and
ArchiveQuota settings.
5. Verify that you cannot view the archive mailbox in Outlook 2007, but can see it through Outlook Web
App.
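Steps 2 through 4 of the demonstration, done from the shell for a whole OU rather than one mailbox: this is an added example, not the course's own code. It assumes the Exchange Management Shell on Exchange Server 2010, an OU named Marketing (the one Lab B uses), and that a mailbox without an archive reports an empty ArchiveGuid.

```powershell
# Added example, not from the course: enable archive mailboxes for every mailbox in an OU that
# does not have one yet, then report the archive name, quotas and current size.
# Assumes the Exchange Management Shell on Exchange Server 2010 and an OU named Marketing.

function Enable-OuArchiveMailbox {
    param(
        [Parameter(Mandatory = $true)][string]$OrganizationalUnit
    )
    $mailboxes = Get-Mailbox -OrganizationalUnit $OrganizationalUnit -ResultSize Unlimited
    foreach ($mbx in $mailboxes) {
        # Assumption: ArchiveGuid is the empty GUID while no archive mailbox exists, so this
        # skips mailboxes that were already archive-enabled and is safe to rerun.
        if ($mbx.ArchiveGuid -eq [Guid]::Empty) {
            # Enable-Mailbox -Archive creates the archive in the same database as the primary mailbox.
            Enable-Mailbox -Identity $mbx.Identity -Archive | Out-Null
        }
    }
}

function Get-OuArchiveReport {
    param(
        [Parameter(Mandatory = $true)][string]$OrganizationalUnit
    )
    Get-Mailbox -OrganizationalUnit $OrganizationalUnit -ResultSize Unlimited | ForEach-Object {
        $hasArchive  = ($_.ArchiveGuid -ne [Guid]::Empty)
        $archiveSize = $null
        if ($hasArchive) {
            # With -Archive, Get-MailboxStatistics reports on the archive instead of the primary mailbox.
            $archiveSize = (Get-MailboxStatistics -Identity $_.Identity -Archive).TotalItemSize
        }
        # ArchiveName and ArchiveQuota are the settings the demonstration reviews with get-mailbox.
        New-Object PSObject -Property @{
            Mailbox             = $_.Alias
            ArchiveEnabled      = $hasArchive
            ArchiveName         = $_.ArchiveName
            ArchiveQuota        = $_.ArchiveQuota
            ArchiveWarningQuota = $_.ArchiveWarningQuota
            ArchiveSize         = $archiveSize
        }
    }
}

# Usage: enable archives for the Marketing OU, then show what was created.
Enable-OuArchiveMailbox -OrganizationalUnit 'Marketing'
Get-OuArchiveReport -OrganizationalUnit 'Marketing' |
    Format-Table Mailbox, ArchiveEnabled, ArchiveName, ArchiveQuota, ArchiveWarningQuota, ArchiveSize
```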

Question: Will you implement Personal Archives in Exchange Server 2010?

Question: What are the benefits and disadvantages of the Personal Archives feature?

Considerations for Implementing Personal Archives

Key Points
Personal Archives provides an excellent opportunity for organizations to ensure that all messages in the
e-mail system are stored in a location where the messages can be managed and accessed. However,
deploying Personal Archives will also require careful planning to ensure that the implementation is a
success.

In many organizations, some users may have several gigabytes of data stored in PST files. If all of these
messages are moved into archive mailboxes, the amount of storage required for the mailbox databases
will increase dramatically.

Some considerations for managing the implementation for Personal Archives include:
• Consider an incremental implementation for Personal Archives. If your storage infrastructure cannot
handle implementing Personal Archives for all users, start by identifying the users that will benefit
most from Personal Archives. This may include users with the most critical information currently
stored in PST files, or it may include all executives in the organization.
• With the decrease in disk input/output (IO) per mailbox and the option of using database availability
groups (DAGs) for high availability, Exchange Server 2010 enables some important new options for
implementing storage. Because of the decrease in disk IO, it is now feasible to store mailbox
databases on lower performance and less expensive disk arrays using SATA drives. Additionally, rather
than depending on redundant disk arrays and backup to provide high availability, you can use DAGs
to provide the required level of availability.
• You can also use MRM policies to manage the archive mailboxes. By configuring retention tags for
the primary mailbox, you can ensure that messages are moved into the archive mailbox on a regular
basis. You can also use retention tags to manage the messages in the archive mailbox.
• After you implement Personal Archives, you should consider removing the option for users to use PST
files. You can start moving users away from using PST files by creating a Group Policy object that
prevents new items from being added to existing PST files. Making PST files read-only gives users
access to the PST files they may already have while encouraging them to keep the messages that they
want to keep in their mailboxes. Eventually, you may want to create a GPO to remove access to PST
files altogether.

Lab B: Configuring Messaging Records Management and Personal Archives

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and the 10135A-VAN-CL1 virtual machines are
running.
• 10135A-VAN-DC1: Domain controller in the Adatum.com domain.
• 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain.
• 10135A-VAN-CL1: Client computer in the Adatum.com domain.
3. If required, connect to the virtual machines.

Lab Scenario
You are the messaging administrator for A. Datum Corporation. Your organization has deployed Exchange
Server 2010.
The legal and audit departments at A. Datum provided you with several requirements for implementing
messaging policy and compliance. These requirements include configuring rules that will ensure that
some messages are retained for an extended period, while other messages are deleted when they expire.
Finally, you must enable Personal Archives for all of the users in the Executives department.

Exercise 1: Configuring Messaging Records Management


Scenario
A. Datum Corporation also wants to ensure proper management of messages in the user mailboxes. The
project sponsors have provided the following requirements:
• For all users, all messages in the default mailbox folders must be deleted after 90 days.
• All members of the Finance department require a custom folder in their mailbox that contains
confidential messages related to finance. The messages in these custom folders must be retained for
180 days, after which the messages must be marked in Outlook as expired.
A. Datum Corporation would like to automate message management in user mailboxes. To test this
implementation, the executives have approved a pilot project to use retention policies for the ITAdmins
group.

The main tasks for this exercise are:


1. Create a managed custom mailbox folder named Executives Confidential.
2. Configure content settings for the Executives Confidential folder.
3. Configure content settings for all mailbox folders.
4. Configure a managed folder mailbox policy that applies to all users.
5. Configure a managed folder mailbox policy that applies to the Executives department.
6. Start the managed folder assistant process.
7. Test the managed custom folder implementation.
8. Configure Retention Tags and a retention policy.
9. Apply the retention policy to the Marketing group.

Task 1: Create a managed custom mailbox folder named Executives Confidential

• Create a new managed custom folder with the following attributes:
• Name: Finance Confidential.
• Comment: All confidential items related to Finance should be posted here. Messages in this
folder are valid for 180 days.
• Do not allow users to minimize the comment in Outlook.

Task 2: Configure content settings for the Executives Confidential folder

• Create a new managed content settings object with the following attributes:
• Name: Executives Confidential Content Settings.
• Message type: All Mailbox Content.
• Messages are retained for 180 days after they have been moved to the managed folder.
• After the retention period ends, the messages should be marked in Outlook as past retention
limit.

Task 3: Configure content settings for all mailbox folders

• Configure a new mailbox content setting object that applies to all folders in the default mailbox with
the following attributes:
• Name: Mailbox Content Settings.
• Message type: All Mailbox Content.
• Messages will be retained for 90 days.
• Retention period starts when messages are delivered.
• Delete messages, and allow recovery.

Task 4: Configure a managed folder mailbox policy that applies to all users
1. Create a new managed folder mailbox policy with this attribute:
• Name: Default Policy – All Users
2. Associate the Entire Mailbox with the policy.
3. Use the following command to assign the policy to all users: Get-Mailbox | Set-Mailbox
-ManagedFolderMailboxPolicy 'Default Policy – All Users'

Task 5: Configure a managed folder mailbox policy that applies to the Executives department
1. Create a new managed folder mailbox policy with the following attribute:
• Name: Executives Department Policy
2. Associate the Entire Mailbox and the Executives Confidential mailbox to this policy.
3. Use the following command to assign the new policy to the users in the Finance OU: Get-Mailbox |
where-object {$_.distinguishedname -ilike '*ou=executives,dc=adatum,dc=com'} | Set-Mailbox
-ManagedFolderMailboxPolicy 'Executives Department Policy'

Task 6: Start the managed folder assistant process

1. Create a custom schedule for the managed folder assistant process to run from Monday 6:00 A.M. to
Friday 6:00 P.M.
2. Stop and then start the Microsoft Exchange Mailbox Assistants service.

Task 7: Confirm that the managed custom folder is created for the Executives department users
1. In the Exchange Management Console, confirm that the managed folder mailbox policy is assigned to
Marcel Truempy.
2. On VAN-EX1, open Internet Explorer, and then connect to
https://VAN-EX1.adatum.com/owa.
3. Log on as Adatum\Marcel with the password of Pa$$w0rd. Confirm that the Finance Confidential
folder was created in Marcel’s mailbox.

Task 8: Configure Retention Tags and retention policies

• Use the following cmdlets to configure the Retention Tags and retention policy.
• New-RetentionPolicyTag DefaultTag -Type:All -MessageClass AllMailboxContent
-RetentionEnabled $true -AgeLimitForRetention 365 -RetentionAction PermanentlyDelete
-IsPrimary:$true
• New-RetentionPolicyTag InboxTag -Type:Inbox -MessageClass:*
-AgeLimitForRetention:30 -RetentionEnabled:$True
-RetentionAction:MoveToDeletedItems
• New-RetentionPolicyTag "Retain for Records" -Type:Personal
-MessageClass:* -AgeLimitForRetention:1100 -RetentionEnabled:$True
-RetentionAction:MoveToArchive
• New-RetentionPolicy AllTagsPolicy
-RetentionPolicyTagLinks:DefaultTag,InboxTag,"Retain for Records"

Task 9: Apply the retention policy to the Marketing group

1. Use the following cmdlet to apply the retention policy to all users in the Marketing OU: Get-Mailbox
| where-object {$_.distinguishedname -ilike '*ou=Marketing,dc=adatum,dc=com'} | Set-Mailbox
-RetentionPolicy AllTagsPolicy
2. Run the Start-ManagedFolderAssistant cmdlet.
3. Log on to Outlook Web App as Manoj. Verify that the retention policy tags are applied.

Results: After this exercise, you should have configured a managed folder policy that ensures that all
messages in the default mailbox folders are deleted after 90 days. You also will have configured a
custom managed folder to ensure that all members of the Executives department have a custom
folder in their mailbox that will contain confidential messages. You also should have configured
Retention Tags and retention policies for the Marketing group.

Exercise 2: Configuring Personal Archives


Scenario
A. Datum Corporation is also concerned about the number of e-mails that some users are storing in PST
files. In particular, some members of the Executives group have several gigabytes (GB) of data stored in
PST files. To provide these users with larger mailboxes, the project team has agreed to provide the
members of the Executives group with archive mailboxes. You need to configure the mailboxes for these
users.

The main tasks for this exercise are:


1. Create an archive mailbox for all members of the Marketing group.
2. Verify that the archive mailbox was created for members of the Marketing group.

Task 1: Create an archive mailbox for all members of the Marketing group
• On VAN-EX1, in the Exchange Management Console, under Recipient Management, click Mailbox.
Sort the mailbox list by organizational unit, select all of the users in the Marketing OU, and then
create an archive mailbox for them.

Task 2: Verify that the archive mailbox was created for members of the Marketing group
• Log on to Outlook Web App as Manoj, and then verify that the archive mailbox was created.

Results: After this exercise, you should have configured archive mailboxes for all members of the
Marketing group.

To prepare for the next module

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the
following steps:
1. On the host computer, start Hyper-V™ Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start.
5. To connect to the virtual machine for the next module’s lab, click 10135A-VAN-DC1, and then in the
Actions pane, click Connect.

Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting
the other virtual machines.

6. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.
7. Wait for VAN-EX1 to start, and then start VAN-EX2. Connect to the virtual machine.

Module Review and Takeaways

Review Questions
1. You need to ensure that a copy of all messages sent to a particular distribution group is saved. You
only want copies of messages sent to the distribution group, not copies of all messages sent to
individual members of the group. What should you configure?
2. You need to ensure that a user can search all Exchange Server organization mailboxes for specific
content. What should you do? What user training will you need to provide?
3. You need to ensure that all messages related to a particular project are retained for three years. Users
in your organization use both Outlook 2007 and Outlook 2010. What should you do?

Common Issues Related to Implementing Messaging Policies


Identify the causes of the following common issues and fill in the troubleshooting tips. For
answers, refer to the relevant lessons in the module.

• Issue: Transport rules that use regular expressions are not applied consistently.
Troubleshooting tip: If you are using a transport rule to check for information such as customer
identification numbers or some other regular pattern of characters, ensure that your rule also checks for
variations on the regular pattern. For example, if the customer identification number usually has dashes,
you might also want to add the pattern without dashes to the rule.

• Issue: Message recipients report that they are receiving error messages when they receive digitally
signed messages from other users in the organization.
Troubleshooting tip: If you have a transport rule in place that modifies the message content, any digital
signature attached to the message will be invalid and users will get an error message when they open the
message. To avoid this, consider instructing users to add a disclaimer to all messages as part of their
signature, and remove the transport rule.

• Issue: After you implement a transport rule, users report that some of the messages they send to
Internet recipients are not delivered and they do not receive notification of why the messages were not
delivered.
Troubleshooting tip: Ensure that when you implement a transport rule that might affect message
delivery, you configure an action in the transport rule that informs the user if the message cannot be
delivered. Normally, you would do this with a bounce message.

Real-World Issues and Scenarios


1. The Exchange Server administrators at Contoso, Ltd., have implemented a custom message
classification on the Exchange servers, but they notice that the custom classification is not available
on the Outlook 2007 clients in the organization. What do they need to do?
2. A. Datum Corporation has deployed an AD RMS server, and users are using it to protect e-mail.
However, users report that when they protect e-mail messages, users outside the organization cannot
read the messages. What should A. Datum messaging administrators do?
3. Woodgrove Bank has implemented message journaling for all messages sent to and from the legal
and compliance teams. These messages need to be available to auditors for seven years. The
mailboxes used for journaling are growing rapidly. What should the messaging administrators at
Woodgrove Bank do?

Best Practices Related to a Particular Technology Area in this Module


Supplement or modify the following best practices for your own work situations:
• Implementing messaging policies in Exchange Server 2010 can be complicated, and the optimal
configuration will be different in every organization. However, it is critical that you start thinking
about this issue now in order to implement the policies and configurations that will meet your
organization's legal requirements.
• Implement messaging policies only after extensive testing in a lab environment. If you configure
messaging policies incorrectly, you could potentially delete messages that should be retained, or
disrupt message delivery. Additionally, some messaging policies may have unintended consequences.
Because of this, be sure to test all messaging policies thoroughly, and implement the policies in the
production environment incrementally.
• Planning messaging policies always involves discussions with legal and compliance personnel who
may not understand how you can use Exchange Server to enforce messaging policies. Be prepared to
explain what Exchange Server can and cannot do in terms that people who are not messaging experts
can understand.
Securing Microsoft® Exchange Server 2010 10-1

Module 10
Securing Microsoft® Exchange Server 2010
Contents:
Lesson 1: Configuring Role Based Access Control 10-3
Lesson 2: Configuring Security for Server Roles in Exchange Server 2010 10-20
Lesson 3: Configuring Secure Internet Access 10-24
Lab: Securing Exchange Server 2010 10-38

Module Overview

In many organizations, Microsoft Exchange Server 2010 provides a critical business function for both
internal and external users. Additionally, many organizations expose at least a few of their Exchange
servers to the Internet. For these reasons, it is important that you do what you can to secure the Exchange
Server deployment. There are two components to securing your Exchange Server deployment: configuring
administrative permissions appropriately and securing the Exchange Server configuration. This module
describes how to configure permissions and secure Exchange Server 2010.

After completing this module, you will be able to:


• Configure role based access control (RBAC) permissions.
• Configure security for Exchange Server 2010 server roles.
• Configure secure Internet access.

Lesson 1
Configuring Role Based Access Control

Exchange Server 2010 uses the RBAC permissions model to restrict which administrative tasks users can
perform on the Mailbox, Hub Transport, Unified Messaging, and Client Access server roles. With RBAC,
you can control the resources that administrators can configure and the features that users can access.
This lesson describes how to implement RBAC permissions in Exchange Server 2010, and how to configure
permissions on Edge Transport servers.

After completing this lesson, you will be able to:


• Describe RBAC and management role groups.
• Identify Exchange Server 2010 built-in management role groups.
• Manage RBAC permissions.
• Configure custom management role groups.
• Describe management role assignment policies.
• Work with management role assignment policies.
• Manage permissions on Edge Transport servers.

What Is Role Based Access Control?

Key Points
RBAC is the new permissions model in Exchange Server 2010. With RBAC, you do not have to modify and
manage access control lists (ACLs) on Exchange Server or Active Directory® Domain Services (AD DS) and
Active Directory directory services objects. In Exchange Server 2010, RBAC controls the administrative
tasks that users can perform and the extent to which they can administer their own mailbox and
distribution groups.

When you configure RBAC permissions, you can define precisely which Exchange Management Shell
cmdlets a user can run and which objects and attributes the user can modify.
All Exchange Server administration tools, including Exchange Management Console, Exchange
Management Shell, and Exchange Control Panel (ECP), use RBAC to determine user permissions.
Therefore, permissions are consistent regardless of which tool you use.

RBAC Options
RBAC assigns permissions to users in two primary ways, depending on whether the user is an
administrator or end user:
• Management role groups. RBAC uses management role groups to assign permissions to
administrators. These administrators may require permissions to manage the Exchange Server
organization or some part of it. Some administrators may require limited permissions to manage
specific Exchange Server features, such as compliance or specific recipients.
To use management role groups, add users to the appropriate built-in management role group, or to
a custom management role group. RBAC assigns each role group one or more management roles
that define the precise permissions that RBAC grants to the group.
• Management role assignment policies. Management role assignment policies are used to assign end-
user management roles. Role assignment policies consist of roles that control what users can do with
their mailboxes or distribution groups. These roles do not allow management of features with which
users are not associated directly.

Note: You also can use direct role assignment to assign permissions. Direct role assignment is an
advanced method for assigning management roles directly to a user or Universal Security Group,
without the need to use a role group or role assignment policy. Direct role assignments are
useful when you need to provide a granular set of permissions to a specific user only. However,
we recommend that you avoid using direct role assignment, as it is significantly more
complicated to configure and manage.

Question: What requirements does your organization have for assigning Exchange Server permissions?
Does your organization use a centralized or decentralized administration model? What special
permissions will you need to configure?

What Are Management Role Groups?

Key Points
Use management role groups to assign administrator permissions to groups of users. To understand how
management role groups work, you need to understand their components.

Management Role Group Components


Management role groups use several underlying components that together define how RBAC assigns
permissions:
• Role holder. A role holder is a user or security group that you can add to a management role group.
When a user becomes a management role-group member, RBAC grants them all of the permissions that
the management roles provide. You can either add user accounts to the group in AD DS or Active
Directory, or use the Add-RoleGroupMember cmdlet.
• Management role group. The management role group is a universal security group that contains users
or groups that are role-group members. Management role groups are assigned to management roles.
The combination of all the roles assigned to a role group defines everything that users added to a
role group can manage in the Exchange Server organization.
• Management role. A management role is a container for a group of management role entries. These
entries define the tasks that users can perform if RBAC assigns them the role using management role
assignments.
• Management role entries. A management role entry is a cmdlet, including its parameters, which you
add to a management role. By adding cmdlets to a role as management role entries, you are granting
rights to manage or view the objects associated to that cmdlet.
• Management role assignment. A management role assignment assigns a management role to a role
group. Once you create a management role, you must assign it to a role group so that the role
holders use it. Assigning a management role to a role group grants the role holders the ability to use
the cmdlets that the management role defines.

• Management role scope. A management role scope is the scope of influence or impact that the role
holder has once RBAC assigns a management role. When assigning a management role, use
management scopes to target which objects that role controls. Scopes can include servers,
organizational units, recipient objects, and more.
For more information about management role groups, refer to the CD content.

Built-In Management Role Groups

Key Points
Exchange Server 2010 includes several built-in role groups that you can use to provide varying levels of
administrative permissions to user groups. You can add users to, or remove them from, any built-in role
group. You also can add or remove role assignments to or from most role groups.

• Organization Management. Role holders have access to the entire Exchange Server 2010 organization
and can perform almost any task against any Exchange Server object.
• View-Only Organization Management. Role holders can view the properties of any object in the
organization.
• Recipient Management. Role holders have access to create or modify Exchange 2010 recipients within
the Exchange Server organization.
• UM Management. Role holders can manage the Unified Messaging features within the organization,
such as Unified Messaging server configuration, properties on mailboxes, prompts, and auto-attendant
configuration.
• Discovery Management. Role holders can perform searches of mailboxes in the Exchange organization
for data that meets specific criteria.
• Records Management. Role holders can configure compliance features, such as retention policy tags,
message classifications, transport rules, and more.
• Server Management. Role holders have access to Exchange server configuration. They do not have
access to administer recipient configuration.
• Help Desk. Role holders can perform limited recipient management.
• Public Folder Management. Role holders can manage public folders and databases on Exchange
servers.
• Delegated Setup. Role holders can deploy previously provisioned Exchange servers.

Note: All of these role groups are located in the Microsoft Exchange Security Groups OU in AD DS or
Active Directory. This OU contains several other universal security groups that grant permissions to
the Exchange server computer accounts.

Demonstration: Managing Permissions Using the Built-In Role Groups

Key Points
In this demonstration, you will review how to manage RBAC permissions in Exchange Server 2010 by using
the built-in role groups. You will see how to add users to the built-in role groups and how RBAC assigns
the resulting permissions to the user accounts.

Demonstration Steps
1. In Active Directory Users and Computers, add a user or security group to the Recipient Management
group.
2. Log on to an Exchange server using the delegated user account. Open the Exchange Management
Console and the Exchange Management Shell.
3. Verify that the user has read access to the Exchange Server organization configuration.
4. Verify that the user cannot modify the settings on the Mailbox databases.
5. Verify that the user can modify the settings for mailboxes and distribution groups. Verify that the user
account has permission to move mailboxes to another server.
6. In the Exchange Management Shell, use the Get-ExchangeServer | FL cmdlet to verify that the user
has Read permission to the Exchange server information.
7. Use the Set-User cmdlet to verify that user has permission to modify the Active Directory account.

Process for Configuring Custom Role Groups

Key Points
In addition to the built-in role groups, you also can create custom role groups to delegate specific
permissions within the Exchange Server organization. Use this option when the permissions you need to
delegate cannot be limited precisely enough with the built-in role groups.

Configuring a Custom Management Role Group


RBAC enables complete flexibility in how you assign permissions in an Exchange Server 2010 environment.
For example, RBAC enables you to assign permissions to a group of administrators in a branch office who
only need to manage recipient tasks for branch-office users and mailboxes on branch office Mailbox
servers. To implement this scenario, you would:
1. Create a new role group, and add the branch office administrators to the role group. You can use the
New-RoleGroup cmdlet to create the group. When you create the group, you must specify the
management roles. Additionally, you also can specify the management scope for the role.
2. Assign management roles to the branch office administrators. To delegate permissions to a custom
role group, you can use one or more of the default built-in management roles, or you can create a
custom management role that is based on one of the built-in management roles. Exchange Server
2010 includes approximately 70 built-in management roles that provide granular levels of
permissions.

Note: You also can configure a new management role rather than use one of the existing
management roles. To do this, use the New-ManagementRole cmdlet to create a custom
management role based on one of the existing management roles. You can then add and
remove management role entries as needed. By default, the new management role inherits all of
the permissions assigned to the parent role. You can remove permissions from the role, as
necessary, by using the Remove-ManagementRoleEntry cmdlet. However, it can be
complicated to create a new management role and remove unnecessary management role
entries, so we recommend that you use one of the existing roles whenever possible.

3. Identify the management scope for the management role. For example, in the branch office scenario,
you could create a role assignment with an OU scope that is specific to the branch office OU.
4. Create the management role group using the information that you collect. Use the New-RoleGroup
cmdlet to create the link between the role group, the management roles, and the management
scope. For example, consider the following command:

New-RoleGroup -Name BranchOfficeAdmins -Roles "Mail Recipients", "Distribution Groups", "Move Mailboxes", "Mail Recipient Creation" -Members BranchOfficeAdmins -RecipientOrganizationalUnitScope Contoso.com/BranchOffice

It does the following:
• Creates a new role group named BranchOfficeAdmins.
• Assigns the Mail Recipients, Distribution Groups, Move Mailboxes, and Mail Recipient Creation
management roles to the BranchOfficeAdmins role group.
• Configures a management role scope limited to the BranchOffice OU in the Contoso.com
domain.

Demonstration: Configuring Custom Role Groups

Key Points
In this demonstration, you will review how to create a custom role group and how to assign management
roles to the group. You also will verify that the correct permissions are assigned to the user accounts.

Demonstration Steps
1. On VAN-EX1, open the Exchange Management Shell.
2. Create a new management scope that will limit the tasks that can be performed by using the
following command:

New-ManagementScope -Name MarketingMailboxes -RecipientRoot "adatum.com/Marketing" -RecipientRestrictionFilter {RecipientType -eq "UserMailbox"}

3. Create a new management role group that uses the custom management scope by using the
following command:

New-RoleGroup -Name MarketingAdmins -Roles "Mail Recipients", "Mail Recipient Creation" -CustomRecipientWriteScope MarketingMailboxes

4. Add a user to the management role group by using the following command:

Add-RoleGroupMember -Identity MarketingAdmins -Member Andreas


5. In Active Directory Users and Computers, verify that the group has been created in the Microsoft
Exchange Security Groups OU and that the user has been added to the group.
6. Open the Exchange Management Console as the delegated user account. Verify that the user can
modify mailboxes and create new mailboxes only in the Marketing OU.
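The following script is an added example, not part of the course: it carries out the scoped role-group creation from the branch-office procedure and the demonstration above, and then audits what the group's members can actually do, which is the check a delegated-permissions change should always end with. The scope, group and member names are those from the demonstration; the existence checks and the audit commands are the example's own additions, and the same audit works for any role group, including the built-in ones.

```powershell
# Added example (not from the course). Run in the Exchange Management Shell
# on a server with the Exchange Server 2010 management tools installed.
# Names below are taken from the demonstration; adjust them for your organization.
$scopeName = "MarketingMailboxes"
$groupName = "MarketingAdmins"
$member    = "Andreas"

# 1. Recipient scope: writes are limited to user mailboxes under the Marketing OU.
if (-not (Get-ManagementScope -Identity $scopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $scopeName `
        -RecipientRoot "adatum.com/Marketing" `
        -RecipientRestrictionFilter { RecipientType -eq "UserMailbox" }
}

# 2. Role group: only the two recipient roles that the task needs, written to that scope.
if (-not (Get-RoleGroup -Identity $groupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $groupName `
        -Roles "Mail Recipients", "Mail Recipient Creation" `
        -CustomRecipientWriteScope $scopeName
}

# 3. Add the delegated administrator to the group.
Add-RoleGroupMember -Identity $groupName -Member $member

# 4. Audit: which roles the group holds and with which write scopes.
#    A RecipientWriteScope of "CustomScope" plus the scope name confirms the restriction.
Get-ManagementRoleAssignment -RoleAssignee $groupName |
    Format-Table Name, Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

# 5. Audit: every cmdlet and parameter that those roles expose to the group's members.
Get-ManagementRoleAssignment -RoleAssignee $groupName |
    ForEach-Object { Get-ManagementRoleEntry "$($_.Role)\*" } |
    Sort-Object Role, Name |
    Format-Table Role, Name, Parameters -AutoSize -Wrap

# 6. Audit from the user's side: all roles the user receives through any role group,
#    role assignment policy or direct assignment, not just the group created here.
Get-ManagementRoleAssignment -GetEffectiveUsers |
    Where-Object { $_.EffectiveUserName -eq $member } |
    Format-Table Role, RoleAssigneeName, RoleAssigneeType, RecipientWriteScope -AutoSize
```

Step 6 is the one to repeat periodically: a user who also sits in a built-in group such as Recipient Management is not limited by the custom scope, and this listing makes that visible.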

Question: Will you implement custom management roles in your organization? If so, how will you
configure the management roles?

What Are Management Role Assignment Policies?

Key Points
Management role-assignment policies associate end-user management roles with users. You do not
configure administrative permissions with management role-assignment policies. Rather, you use
management role assignment policies to configure what changes users can make to their mailbox settings
and to distribution groups that they own.

Role Assignment Components


Role assignment policies consist of the following components that define what users can do with their
mailboxes:
• Mailbox. Mailboxes are assigned a single role assignment policy. When a mailbox is assigned a role
assignment policy, the policy is applied to the mailbox. This grants the mailbox all of the permissions
that the management roles provide.
• Management role assignment policy. The management role-assignment policy is an object in
Exchange Server 2010. Users are associated with a role assignment policy when you create their
mailboxes or change the role assignment policy on their mailboxes. The combination of all the roles
included in a role assignment policy defines everything that associated users can manage on their
mailboxes or distribution groups.
• Management role assignment. Management role assignments link management roles and role
assignment policies. Assigning a management role to a role assignment policy grants users the ability
to use the cmdlets in the management role. When you create a role assignment, you cannot specify a
scope. The scope that the assignment applies is based on the management role, and is either Self or
MyGAL.
• Management role. A management role is a container for a group of management role entries. Roles
define the specific tasks that users can do with their mailboxes or distribution groups.

• Management role entry. A management role entry is a cmdlet, script, or special permission that
enables users to perform a specific task. Each role entry consists of a single cmdlet and the
parameters that the management role can access.

Working With Management Role Assignment Policies

Key Points
Exchange Server 2010 includes a default role assignment policy that provides end users with the most
commonly used permissions. For most organizations, you do not need to modify the configuration.
However, you can change the management role assignment policy if your organization has specific
requirements regarding how users can interact with their mailboxes or groups.

Note: To view the default management role assignment policy configuration, use the
Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy" cmdlet.
This cmdlet lists all the management roles that are assigned to the default role assignment
policy. To view the details of each management role, use the Get-ManagementRole rolename |
FL cmdlet. For example, executing the Get-ManagementRole MyBaseOptions | FL cmdlet
displays all management role entries associated with the MyBaseOptions management role.

Working with Assignment Policies


You can modify the default role-assignment configuration in several ways:
• Change the default permissions on the default role assignment policy by adding or removing
management roles. For example, if you want to enable users to perform additional tasks on their
mailboxes, you can identify the management role that grants them the necessary permissions, and
add the role to the Default Role Assignment Policy.
• Define a new role assignment policy, and then configure that policy to be the default for all
mailboxes. Use the Set-RoleAssignmentPolicy cmdlet to replace the built-in default role assignment
policy with your own. When you do this, RBAC assigns the role assignment policy that you specify to
new mailboxes, by default.

Note: When you change the default role assignment policy, RBAC does not assign the new
default role assignment policy automatically. You will need to use the Set-Mailbox cmdlet to
update previously created mailboxes to the new default role assignment policy.

• Configure additional role assignment policies and assign the policies to a mailbox manually by using
the RoleAssignmentPolicy parameter on the New-Mailbox, Set-Mailbox, or Enable-Mailbox
cmdlets. When you assign an explicit role assignment policy, the new policy takes effect immediately
and replaces the previously assigned explicit role assignment policy. If you have many different user
groups with special needs, you can create role assignment policies for each group.
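As an added example that is not part of the course, the following script creates a more restrictive end-user role assignment policy, makes it the default, and then moves existing mailboxes onto it, since changing the default does not touch mailboxes that already exist. The policy name "Restricted Users" and its role list are assumptions; the role and cmdlet names are the standard Exchange Server 2010 ones.

```powershell
# Added example (not from the course). Run in the Exchange Management Shell.
$policyName = "Restricted Users"                 # assumed name
$oldDefault = "Default Role Assignment Policy"   # built-in default policy

# 1. Create a policy that lets users change only basic options and their own contact
#    details. It deliberately omits roles such as MyDistributionGroups and MyProfileInformation.
if (-not (Get-RoleAssignmentPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-RoleAssignmentPolicy -Name $policyName -Roles "MyBaseOptions", "MyContactInformation"
}

# 2. Compare what the two policies grant before switching, so the reduction is explicit.
"Roles in '$oldDefault':"
Get-ManagementRoleAssignment -RoleAssignee $oldDefault | Select-Object -ExpandProperty Role
"Roles in '$policyName':"
Get-ManagementRoleAssignment -RoleAssignee $policyName | Select-Object -ExpandProperty Role

# 3. Make the new policy the default for mailboxes created from now on.
Set-RoleAssignmentPolicy -Identity $policyName -IsDefault

# 4. Existing mailboxes keep their previous policy; assign the new one explicitly.
#    The property is compared as a string because the remote shell returns a directory object.
$toUpdate = Get-Mailbox -ResultSize Unlimited |
    Where-Object { [string]$_.RoleAssignmentPolicy -eq $oldDefault }
foreach ($mbx in $toUpdate) {
    Set-Mailbox -Identity $mbx.Identity -RoleAssignmentPolicy $policyName
}

# 5. Verify that no mailbox is still on the old default policy.
$remaining = @(Get-Mailbox -ResultSize Unlimited |
    Where-Object { [string]$_.RoleAssignmentPolicy -eq $oldDefault }).Count
"Mailboxes still assigned '$oldDefault': $remaining"
```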

Question: How will you configure role assignment policies in your organization?

Managing Permissions on Edge Transport Servers

Key Points
You deploy the Edge Transport server role in an organization’s perimeter network, either as a stand-alone
server or as a member of a perimeter Active Directory domain.
No Exchange Server-specific groups are created when you install the Edge Transport server role. The
Administrators local group is granted full control of the Edge Transport server, which includes an instance
of Active Directory Lightweight Directory Services (AD LDS).

You can administer Edge Transport servers remotely by using Remote Desktop. The Administrators local
group is granted remote logon permissions automatically when you enable Remote Desktop.

Permissions Required to Administer the Edge Transport Server


The following table lists common administrative tasks that users perform on the Edge Transport server
and the group memberships necessary to complete each task successfully.

• Backup and restore: Backup Operators
• Enable and disable agents: Administrators
• Configure connectors: Administrators
• Configure anti-spam policies: Administrators
• Configure IP Block and Allow lists: Administrators
• View queues and messages: Users
• Manage queues and messages: Administrators
• Create an Edge Subscription file: Administrators



Lesson 2
Configuring Security for Server Roles in Exchange
Server 2010

The second component to configuring Exchange Server 2010 security is to secure the Exchange Server
deployment as much as is possible. To do this, you should understand the security risks for which you
need to prepare, and then you need to configure your Exchange Server security settings appropriately.
After completing this lesson, you will be able to:
• Identify the Exchange Server security risks.
• Implement best practices security measures.

Discussion: What Are the Exchange Server Security Risks?

Key Points
To prepare for Exchange Server security, you first must understand the security risks that threaten the
Exchange server environment.

Question: What security risks do you need to protect against when deploying Exchange Server?

Question: What risks are the most serious?



Exchange Server Security Guidelines

Key Points
The design of Exchange Server 2010 makes it secure when you deploy it. Many of its features, such as
server roles, Kerberos authentication, and self-signed certificates ensure that the servers present a minimal
attack surface and facilitate encryption for most network traffic sent to and from Exchange servers.

To maintain Exchange Server security, implement regular processes to monitor and validate the Exchange
Server configuration.

Apply Security and Software Updates


One of the most critical components for maintaining Exchange Server security is to install all security
updates as soon as possible after their release. Be sure to apply both the operating-system updates and
the Exchange Server updates.

Before update installation, test the deployment of all software updates on your Exchange servers. To do
this, you need a test environment that emulates your production environment.

Run the Exchange Best Practices Analyzer Tool Regularly


The Exchange Best Practices Analyzer automatically examines your Exchange Server deployment and
determines whether the configuration is set according to Microsoft best practices. Use the Exchange Best
Practices Analyzer as part of a proactive health check, which can expose availability or scalability issues
that pertain to your Exchange Server installations. You also can use it as a reactive troubleshooting tool
for problem diagnosis and identification.

For most environments, we recommend running the Exchange Best Practices Analyzer at least once per
quarter. However, it is a best practice to run this tool once a month on all servers installed with Exchange
Server.

Microsoft Baseline Security Analyzer


Microsoft Baseline Security Analyzer (MBSA) is a security scanning and analysis tool that you can use to
check Exchange Server for a wide range of faulty configurations or security issues. You can configure
MBSA to scan a single machine or multiple machines within a range of IP addresses to which you have
administrator access.

Avoid Running Additional Software on Exchange Servers


One way to reduce an Exchange server’s attack surface is to avoid running unnecessary software on the
server. Ideally, you should dedicate the Exchange server to Exchange server roles, and the only additional
software that you should install is utilities, such as anti-virus software and server-management tools.

Install and Maintain Anti-Virus Software


Virtually all organizations deploy anti-virus software to guard against malicious e-mail. You also should
deploy file-level anti-virus software on the Exchange servers to ensure that the servers are secure from
virus attacks.

Enforce Strong Passwords in Your Organization


If you enable remote access to your Exchange Server organization, attackers from outside the
organization can use brute force password attacks to attempt to compromise user accounts. Therefore, it
is very important that you define and enforce password policies for all user accounts. This includes
mandating the use of strong passwords. A password is strong if it meets several requirements for
complexity that make it difficult for attackers to figure out. These password requirements include rules for
password length and character categories. By establishing strong password policies for your organization,
you can help prevent an attacker from impersonating users, and thereby prevent the loss, exposure, or
corruption of sensitive information.

Lesson 3
Configuring Secure Internet Access

Exchange Server 2010 provides access to user mailboxes from a wide variety of clients. In many cases,
these clients may be located outside the corporate network and may be accessing the user mailboxes
through an Internet connection. Because the Exchange servers cannot provide this functionality without
being accessible from the Internet, it is important that the connections from the Internet be as secure as
possible. This lesson describes how to configure secure access to the Exchange servers from the Internet.

After completing this lesson, you will be able to:


• Describe secure Internet access components.
• Deploy Exchange Server 2010 for Internet access.
• Secure Client Access server traffic from the Internet.
• Secure SMTP connections to the Internet.
• Describe reverse proxy.
• Configure secure access.
Secure Internet Access Components

Key Points
Exchange Server 2010 enables users to access their mailboxes from many different types of messaging
clients and from almost anywhere. To provide secure access for the messaging clients, you need to
understand what types of access each client type requires.

Client Access to Exchange Servers


The following table lists the access requirements for each client type when it connects to the Exchange
servers from the Internet.

Client: Outlook Anywhere
Access requirements:
• Access to the remote procedure call (RPC), Exchange Web Services (EWS), and offline address book
  virtual directories on a Client Access server
• Access to the Autodiscover virtual directory on a Client Access server if Autodiscover is enabled
• Protocol requirements: HTTPS

Client: Microsoft Outlook® Web App
Access requirements:
• Access to the Outlook Web App and ECP virtual directories on a Client Access server
• Protocol requirements: HTTPS

Client: Exchange ActiveSync®
Access requirements:
• Access to the Microsoft-Server-ActiveSync virtual directory on a Client Access server
• Access to the Autodiscover virtual directory on a Client Access server if Autodiscover is enabled
• Protocol requirements: HTTPS

Client: Internet Message Access Protocol version 4rev1 (IMAP4)
Access requirements:
• Access to the IMAP4 service on a Client Access server
• Access to an SMTP Receive connector on either a Hub Transport server, an Edge Transport server, or
  another SMTP server
• Protocol requirements: IMAP4, SMTP (port 25 or 587)

Client: Post Office Protocol 3 (POP3)
Access requirements:
• Access to the POP3 service on a Client Access server
• Access to an SMTP Receive connector on either a Hub Transport server, an Edge Transport server, or
  another SMTP server
• Protocol requirements: POP3, SMTP (port 25 or 587)

Note: In addition to the Client Access components, you also need to configure the environment
to support secure sending and receiving of SMTP e-mail. In most cases, this includes deploying
an Edge Transport server in the perimeter network.

Options for Configuring Internet Access


There are several options available to provide the necessary access to the Client Access and transport
servers. The most common options include:
• Virtual Private Network (VPN). Some organizations require that all clients use a VPN to connect to the
internal network. The VPN gateway may be a Windows Server 2008 Routing and Remote Access
server, or a third-party solution. By enabling VPN access, users can access all resources on the internal
network, including the Exchange servers.
• Firewall configuration. Virtually all organizations have firewalls that protect their internal networks
from unwanted Internet access. You can configure these firewalls to enable users to connect to the
required virtual directories and services on the Client Access server, and to provide access to an SMTP
server for IMAP4 and POP3 clients.
Implementing a firewall solution means that messaging clients need to be configured to use a server
name that resolves to an external IP address on the firewall. If users connect to the Exchange servers
from both inside and outside the organization, this can complicate the messaging client
configuration. For example, users may connect to the Exchange servers from the internal network
using the actual server name, but may need to use a more generic name, such as mail.contoso.com,
when connecting to the server from the Internet. You may need to instruct users to use the two server
names, or you may need to configure the internal DNS zone to provide name resolution to the more
generic name.
• Reverse proxy configuration. As an alternative to the standard firewall, you can use a reverse proxy, or
application layer firewall, to enable access to the internal Exchange servers. When you configure a
reverse proxy, it terminates all client connections and scans all network packets for malicious code.
The reverse proxy then initiates a new connection to the Client Access server and forwards the traffic
to the internal network.
When you use a reverse proxy, you must configure messaging clients to use a server name that
resolves to an external IP address on the firewall.
Deploying Exchange Server 2010 for Internet Access

Key Points
When deploying Exchange Server 2010 so that it is accessible from the Internet, you must deploy all
server roles on the internal network, except for the Edge Transport server role. You should deploy the
Edge Transport server role in the perimeter network, and it should run on a server that is not an internal
domain member.
The recommended deployment for Exchange Server 2010 Internet access includes two firewalls in a back-
to-back firewall scenario, which enables you to implement a perimeter network between the two. An
external firewall faces the Internet and protects the perimeter network. You then deploy an internal
firewall between the perimeter and internal networks.

Configuring External Firewalls for Internet Access


The Internet-facing (external) firewall in this deployment protects the perimeter network. You configure
the firewall to accept packets based on source and destination IP addresses and ports. To support the
Exchange Server deployment, configure the external firewall with the rules that the following table lists:

Destination port: 25
• Source address: All
• Destination address: Edge Transport server
• You may also need to configure the external IP address of the internal firewall as a destination
  address, if POP3 and IMAP4 clients are using port 25 to relay messages through a Hub Transport server

Destination port: 80, 443
• Source address: All
• Destination address: External IP address of the internal firewall

Destination port: 110, 993
• Source address: All
• Destination address: External IP address of the internal firewall
• Only required for POP3 access

Destination port: 143, 995
• Source address: All
• Destination address: External IP address of the internal firewall
• Only required for IMAP4 access

Destination port: 587
• Source address: All
• Destination address: External IP address of the internal firewall
• Only required if POP3 and IMAP4 clients are using the SMTP client submission port to send SMTP
  e-mail

Configuring Internal Firewalls for Internet Access


The internal firewall may be another standard firewall or reverse proxy. To support the Exchange Server
deployment, configure the internal firewall with the following firewall rules:

Destination port: 25
• Source address: Edge Transport server
• Destination address: Hub Transport server
• You may also need to configure the internal IP address of external hosts as a source address, if
  POP3 and IMAP4 clients are using port 25 to relay messages through a Hub Transport server

Destination port: 80, 443
• Source address: Internal IP address of the external firewall
• Destination address: Client Access server

Destination port: 110, 993
• Source address: External IP addresses
• Destination address: Client Access server
• Only required for POP3 access

Destination port: 143, 995
• Source address: External IP addresses
• Destination address: Client Access server
• Only required for IMAP4 access

Destination port: 587
• Source address: External IP addresses
• Destination address: Hub Transport server
• Only required if POP3 and IMAP4 clients are using the SMTP client submission port to send SMTP
  e-mail

Destination port: 50636
• Source address: Hub Transport servers on the internal network
• Destination address: Edge Transport server
• Required for the Hub Transport server to replicate information to the Edge Transport servers using
  EdgeSync

Destination port: 3389
• Source address: Administrator computers on the internal network
• Destination address: Edge Transport server
• Required if you want to use Remote Desktop to administer the Edge Transport server remotely

Note: Edge Transport servers also listen on port 50389 for unencrypted LDAP connections. This
port is used only for administering the AD LDS instance on the Edge Transport server with standard
LDAP tools, and it does not need to be open on the internal firewall.
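The script below is an added example (not from the course) for verifying that the firewall rules in the two tables above behave as intended. It performs plain TCP connect attempts with a timeout from whichever vantage point you run it on (the Internet side for the external firewall table, the perimeter network for the internal firewall table) and reports any port whose reachability differs from what the table says. The host names and the rule list are assumptions for the A. Datum lab; VAN-EDGE.Adatum.com is an assumed name for an Edge Transport server, which the lab environment does not include.

```powershell
# Added example, not from the course. Host names and the $rules list are assumed
# for the A. Datum lab; edit them to match your own deployment.

function Test-TcpPort {
    # Returns $true when a TCP connection to the port completes within the timeout.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false          # no answer within the timeout: filtered or host down
        }
        $client.EndConnect($ar)    # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Expected results as seen from the perimeter network (internal firewall table).
# Expected = $true: the rule must allow the port. Expected = $false: it must be blocked.
$rules = @(
    @{ Target = 'VAN-EX1.Adatum.com';  Port = 25;    Expected = $true;  Why = 'Edge Transport to Hub Transport SMTP' },
    @{ Target = 'VAN-EX1.Adatum.com';  Port = 443;   Expected = $true;  Why = 'Client Access HTTPS' },
    @{ Target = 'VAN-EX1.Adatum.com';  Port = 995;   Expected = $true;  Why = 'POP3 over SSL (IANA port 995), only if POP3 is offered' },
    @{ Target = 'VAN-EX1.Adatum.com';  Port = 993;   Expected = $true;  Why = 'IMAP4 over SSL (IANA port 993), only if IMAP4 is offered' },
    @{ Target = 'VAN-EX1.Adatum.com';  Port = 587;   Expected = $true;  Why = 'Client submission, only if POP3/IMAP4 clients send mail' },
    @{ Target = 'VAN-EDGE.Adatum.com'; Port = 50389; Expected = $false; Why = 'Unencrypted AD LDS LDAP must stay closed' },
    @{ Target = 'VAN-EX1.Adatum.com';  Port = 3389;  Expected = $false; Why = 'RDP from the perimeter is not in the table' }
)

function Test-FirewallRules {
    # Emits one object per rule with Result = OK or MISMATCH.
    param([array]$Rules)
    foreach ($r in $Rules) {
        $open = Test-TcpPort -ComputerName $r.Target -Port $r.Port
        New-Object PSObject -Property @{
            Target   = $r.Target
            Port     = $r.Port
            Open     = $open
            Expected = $r.Expected
            Result   = $(if ($open -eq $r.Expected) { 'OK' } else { 'MISMATCH' })
            Purpose  = $r.Why
        }
    }
}

Test-FirewallRules -Rules $rules |
    Format-Table Target, Port, Open, Expected, Result, Purpose -AutoSize
```

A MISMATCH with Expected = $false is the finding to act on first: a port the table says should be closed is answering. A MISMATCH with Expected = $true usually means the service is not running or the rule is missing, which breaks a client type rather than exposing one.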
Securing Client Access Traffic from the Internet

Key Points
To ensure that the client connections are as secure as possible, implement the following
recommendations:
• Create and configure a server certificate. By default, all Client Access servers are configured with
self-signed certificates during Exchange Server 2010 installation. Because clients do not trust this
certificate, you should replace it with one from a public Certification Authority (CA) or from an
internal CA. If you use an internal enterprise CA, the certificate will be trusted by computers that are
members of the internal domain, but not by other client computers.
• Require Secure Sockets Layer (SSL) for all virtual directories. With Exchange Server 2010, you can
configure all of the Client Access server virtual directories to require SSL.
• Enable only required client access methods. You should enable access to only the client access
options that your organization requires. For example, if your organization only requires Exchange
ActiveSync and Outlook Web App connectivity from the Internet, then only allow access to those
virtual directories through the firewall.
• Require secure authentication. Forms-based authentication is the most secure authentication
mechanism for Outlook Web App. Other client access options, such as Outlook Anywhere or
Exchange ActiveSync, cannot use forms-based authentication, and may need to use Microsoft Windows
NT LAN Manager (NTLM) authentication or basic authentication. If you configure the virtual
directories to require SSL, the network traffic that authenticates the user is encrypted.
• Require TLS/SSL for IMAP4 and POP3 access. To help secure communications between your POP3
and IMAP4 clients and the Client Access server, configure the Client Access server to use a certificate
for these protocols, and then force all clients to use Transport Layer Security (TLS) or SSL to encrypt all
authentication and message access traffic.
• Implement an application layer firewall or reverse proxy. To provide additional security, place an
application layer firewall or reverse proxy between the Internet and the Client Access server. This
firewall can decrypt all network traffic between the client and the Client Access server, and inspect
the traffic for malicious code.
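The following script is an added example (not from the course) that audits a Client Access server against the recommendations above from the Exchange Management Shell: it flags a self-signed or soon-expiring certificate still bound to IIS, POP or IMAP, Outlook Web App without forms-based authentication or without an HTTPS external URL, POP3 or IMAP4 services that accept logons before TLS/SSL is negotiated, and Outlook Anywhere with SSL offloading turned on. The hardening cmdlets at the end are commented out so nothing changes until you choose to run them. The server name and mail.adatum.com are assumptions for the A. Datum lab.

```powershell
# Added example, not from the course. $Server and $ExternalName are assumed
# values for the A. Datum lab. Run in the Exchange Management Shell.
$Server       = 'VAN-EX1'
$ExternalName = 'mail.adatum.com'   # assumed public name on the certificate

function Get-ClientAccessFindings {
    # Returns a list of findings; an empty list means all checks passed.
    param([string]$Server)
    $findings = @()

    # 1. Certificate: the one bound to IIS, POP or IMAP should not be self-signed
    #    and should not be close to expiry.
    foreach ($cert in Get-ExchangeCertificate -Server $Server) {
        if ($cert.IsSelfSigned -and ("$($cert.Services)" -match 'IIS|POP|IMAP')) {
            $findings += "Self-signed certificate $($cert.Thumbprint) is still enabled for $($cert.Services)"
        }
        if ("$($cert.Services)" -ne 'None' -and $cert.NotAfter -lt (Get-Date).AddDays(30)) {
            $findings += "Certificate $($cert.Thumbprint) expires on $($cert.NotAfter)"
        }
    }

    # 2. Outlook Web App: forms-based authentication and an HTTPS external URL.
    foreach ($owa in Get-OwaVirtualDirectory -Server $Server) {
        if (-not $owa.FormsAuthentication) {
            $findings += "$($owa.Identity): forms-based authentication is disabled"
        }
        if ($owa.ExternalUrl -and $owa.ExternalUrl.Scheme -ne 'https') {
            $findings += "$($owa.Identity): ExternalUrl is not HTTPS"
        }
    }

    # 3. POP3 and IMAP4: SecureLogin requires TLS/SSL before credentials are sent.
    $services = @{
        POP3  = (Get-PopSettings  -Server $Server)
        IMAP4 = (Get-ImapSettings -Server $Server)
    }
    foreach ($entry in $services.GetEnumerator()) {
        $svc = $entry.Value
        if ("$($svc.LoginType)" -ne 'SecureLogin') {
            $findings += "$($entry.Key) on ${Server}: LoginType is $($svc.LoginType), expected SecureLogin"
        }
        if (-not $svc.X509CertificateName) {
            $findings += "$($entry.Key) on ${Server}: no X509CertificateName configured"
        }
    }

    # 4. Outlook Anywhere: SSL offloading only makes sense when a reverse proxy
    #    terminates SSL in front of the server.
    foreach ($oa in Get-OutlookAnywhere -Server $Server) {
        if ($oa.SSLOffloading) {
            $findings += "$($oa.Identity): SSLOffloading is enabled; confirm a reverse proxy terminates SSL"
        }
    }
    return $findings
}

$findings = Get-ClientAccessFindings -Server $Server
if ($findings.Count -eq 0) { Write-Host "${Server}: no findings" }
else { $findings | ForEach-Object { Write-Warning $_ } }

# Hardening steps (uncomment to apply; replace <thumbprint> with the value
# shown by Get-ExchangeCertificate after the CA-issued certificate is imported):
# $req = New-ExchangeCertificate -GenerateRequest -SubjectName "CN=$ExternalName" `
#            -DomainName $ExternalName, 'autodiscover.adatum.com' -PrivateKeyExportable $true
# Set-Content -Path C:\certreq.txt -Value $req      # submit to the CA, then Import-ExchangeCertificate
# Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services IIS,POP,IMAP,SMTP
# Set-PopSettings  -Server $Server -LoginType SecureLogin -X509CertificateName $ExternalName
# Set-ImapSettings -Server $Server -LoginType SecureLogin -X509CertificateName $ExternalName
# Set-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)" `
#     -FormsAuthentication $true -BasicAuthentication $false
```

After changing the POP3 or IMAP4 settings, restart the corresponding Microsoft Exchange POP3 or IMAP4 service for the new LoginType to take effect.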
Securing SMTP Connections from the Internet

Key Points
If you enable POP3 and IMAP4 connections from the Internet to your Client Access servers, you must
provide a means by which those clients can send e-mail using SMTP. As part of ensuring security for your
client-access deployment, you also need to ensure secure SMTP connectivity.

Providing SMTP Connectivity for POP3 and IMAP4 Clients


You can use POP3 and IMAP4 only to retrieve, not send, messages from user mailboxes. To enable clients
to send e-mail, you must configure the clients to use an SMTP server that relays the messages to both
internal and external recipients.
To enable the POP3 and IMAP4 clients to send e-mail, you must configure a Hub Transport server SMTP
Receive connector to accept SMTP connections from the Internet. Configure the SMTP Receive connector
to require authentication, so that only users with valid accounts in the Exchange Server organization can
relay messages through the server.

Note: If you accept anonymous SMTP connections from the Internet on the Hub Transport
server, using the Default SMTP Receive connector, you need to create an additional SMTP
Receive connector for the POP3 and IMAP4 clients, and configure the new connector to require
authenticated connections.

Note: You cannot use an Edge Transport server to accept authenticated SMTP connections, and
then use it to relay SMTP messages from POP3 and IMAP4 clients. You can configure an SMTP
Receive connector on an Edge Transport server that uses port 587, and you can configure the
Receive connector to accept authenticated connections. However, you cannot configure the
connector to authenticate the client connections using the user's internal Active Directory
account.
Securing SMTP Connections


To secure the SMTP connections to the Hub Transport server, complete the following steps:

1. Enable TLS for SMTP client connections. You can configure the SMTP Receive connector on the Hub
Transport server to require TLS, or to allow basic authentication only after a TLS session has been
established. If you have a trusted certificate assigned to the SMTP service, you should enable these
options, and then configure all clients to use TLS.
2. Use the Client Receive connector (port 587), and configure the Hub Transport servers with two
Receive connectors. The Default Receive connector is configured to use port 25, while the Client
Receive connector is configured to use port 587. By default, both connectors are configured to
require TLS security and to allow users to connect to the connector. However, by using the Client
Receive connector, you can avoid using the default SMTP port for client connections. As described in
RFC 2476, port 587 was proposed only for message submission use from e-mail clients that require
message relay.
3. Ensure that anonymous relay is disabled. Both Receive connectors block anonymous relays, and you
should not modify this option on any Receive connector that is accessible from the Internet. If you
enable anonymous relay, anyone can use your server to relay spam.

Note: In some cases, you may need to enable anonymous relay to allow internal applications to
send SMTP e-mail through the Exchange server. If you require this functionality, then configure
restrictions on the Receive connector so that only the IP addresses that you specify can relay
through the server.

4. Enable IMAP4 and POP3 selectively. If only some users in your organization require POP3 and IMAP4
access, then disable this option on all other mailboxes.
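The script below is an added example (not from the course) that checks the Receive connectors on a Hub Transport server against steps 1 to 4 above from the Exchange Management Shell. It flags connectors that allow basic authentication without TLS, connectors that accept authenticated users on port 25 instead of the client submission port, and any connector on which ANONYMOUS LOGON holds the ms-Exch-SMTP-Accept-Any-Recipient permission (the permission that turns a connector into a relay), distinguishing a relay open to all addresses from one restricted to listed IP ranges as the note above describes. It then lists mailboxes that still have POP3 or IMAP4 enabled. The server name, the application address and the mailbox name are assumptions for the A. Datum lab; the change commands are commented out.

```powershell
# Added example, not from the course. $Server, the relay address 192.168.1.50
# and the mailbox name are assumed values for the A. Datum lab.
$Server = 'VAN-EX1'

function Test-AnonymousRelay {
    # True when ANONYMOUS LOGON is allowed ms-Exch-SMTP-Accept-Any-Recipient on
    # the connector, which lets unauthenticated senders relay to any recipient.
    param($Connector)
    $perm = Get-ADPermission -Identity $Connector.Identity -User 'NT AUTHORITY\ANONYMOUS LOGON' |
        Where-Object { -not $_.Deny -and ($_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient') }
    return [bool]$perm
}

function Get-ReceiveConnectorFindings {
    # Returns a list of findings; an empty list means all connectors passed.
    param([string]$Server)
    $findings = @()
    foreach ($c in Get-ReceiveConnector -Server $Server) {
        $ports = ($c.Bindings | ForEach-Object { $_.Port }) -join ','
        $auth  = "$($c.AuthMechanism)"

        # Step 1: basic authentication only after TLS has been negotiated.
        if ($auth -match 'BasicAuth' -and $auth -notmatch 'BasicAuthRequireTLS') {
            $findings += "$($c.Name) (ports $ports): BasicAuth is allowed without TLS"
        }
        if ($auth -notmatch 'Tls') {
            $findings += "$($c.Name) (ports $ports): TLS is not offered"
        }

        # Step 2: client submission belongs on the port 587 connector.
        if ($ports -match '\b25\b' -and "$($c.PermissionGroups)" -match 'ExchangeUsers') {
            $findings += "$($c.Name): accepts authenticated users on port 25; point POP3/IMAP4 clients at the Client connector (587)"
        }

        # Step 3: anonymous relay stays off, or is limited to listed addresses.
        if (Test-AnonymousRelay $c) {
            $anyIPv4 = $c.RemoteIPRanges | Where-Object { "$_" -eq '0.0.0.0-255.255.255.255' }
            if ($anyIPv4) {
                $findings += "$($c.Name): OPEN RELAY - anonymous relay is allowed from any IPv4 address"
            } else {
                $ranges = ($c.RemoteIPRanges | ForEach-Object { "$_" }) -join ','
                $findings += "$($c.Name): anonymous relay allowed, restricted to $ranges (verify this list)"
            }
        }
    }
    return $findings
}

$findings = Get-ReceiveConnectorFindings -Server $Server
if ($findings.Count -eq 0) { Write-Host "${Server}: Receive connectors look as expected" }
else { $findings | ForEach-Object { Write-Warning $_ } }

# Step 4: which mailboxes still have POP3 or IMAP4 enabled?
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Format-Table Name, PopEnabled, ImapEnabled -AutoSize

# Changes (uncomment to apply):
# Set-ReceiveConnector -Identity "$Server\Client $Server" `
#     -AuthMechanism Tls,BasicAuth,BasicAuthRequireTLS -PermissionGroups ExchangeUsers
# Set-CASMailbox -Identity 'Anna Lidman' -PopEnabled $false -ImapEnabled $false
# Relay for one internal application, restricted to its assumed address (see the note above):
# New-ReceiveConnector -Server $Server -Name 'App Relay' -Usage Custom -Bindings 0.0.0.0:25 `
#     -RemoteIPRanges 192.168.1.50 -PermissionGroups AnonymousUsers
# Get-ReceiveConnector "$Server\App Relay" | Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
#     -ExtendedRights 'ms-Exch-SMTP-Accept-Any-Recipient'
```

The dedicated relay connector works because Exchange selects the Receive connector whose RemoteIPRanges most closely matches the sending address, so the anonymous relay permission applies only to the listed application host and never to the Default connector.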
What Is a Reverse Proxy?

Key Points
You may want to use a reverse proxy server to manage incoming requests to a Client Access server. A
reverse proxy server provides the following advantages over a direct connection to a Client Access server:
• Security. The reverse proxy server provides an extra protective layer between the network and
external computers. This is because the reverse proxy server is the endpoint for all client connections.
The reverse proxy server then creates a new connection to the internal server.
• Application layer filtering. Most reverse proxy servers also can operate as application layer firewalls.
Application layer filtering enables the proxy to open up the entire TCP/IP packet and inspect the
application data for unacceptable commands and data. For example, an HTTP filter intercepts
communication on port 80 and inspects it to verify that the commands are authorized before passing
the communication to the destination server. Firewalls that are capable of application-layer filtering
can stop dangerous code at the network’s edge before it does any damage.
• SSL bridging. If you must encrypt communication between the reverse proxy server and the Client
Access server, do this by ending the SSL session between the Web browser and reverse proxy server.
You then establish a new SSL session between the reverse proxy server and the Client Access server.
This protects the Client Access server from direct access from the Internet, enables the reverse proxy
server to filter the data packets before they reach the Client Access server, and encrypts the data
along the whole path between the Web browser and the Client Access server.
• Load balancing. A reverse proxy server can distribute the traffic that is destined for a single URL to a
group of servers. You automatically implement Web load-balancing features when you publish
Outlook Web App and Outlook Anywhere. Outlook Web App automatically selects a rule by using
cookie-based load balancing. With cookie-based load balancing, the reverse proxy server forwards all
requests that relate to the same session (the same unique cookie provided by the server in each
response) to the same server. Outlook Anywhere uses source-IP-based load balancing. With source-
IP-based load balancing, the reverse proxy server forwards all requests from the same client (source)
IP address to the same server. Other Exchange services and features, such as Exchange ActiveSync,
must use cookie-based load balancing. This also includes the Exchange services, such as the offline
address book and the Availability Service.
• SSL offloading. Instead of configuring the Client Access server to provide SSL encryption, you can
offload that function to the reverse proxy server. Not only does it encrypt data that is sent between
the Web browser and the Client Access server, but it also enables the reverse proxy server to inspect
the data packets and apply filters before they reach the Client Access server. If you offload SSL
encryption to a proxy server, data that is sent between the reverse proxy server and the Client Access
server will not be encrypted unless you use SSL bridging.
Demonstration: Configuring Threat Management Gateway for Outlook Web App

Key Points
In this demonstration, you will review how to create an Outlook Web App publishing rule in Forefront
TMG.

Note: Forefront TMG is an upgrade of Microsoft Internet Security and Acceleration (ISA) Server
2006.

Demonstration Steps
1. On VAN-TMG, open the Forefront TMG Management console.
2. In the Firewall Policy node, create an Exchange Server publishing rule by using the New Exchange
Publishing Rule Wizard. Configure the rule with the following settings:
• Name: OWA Access Rule
• Exchange version: Exchange Server 2010
• Service: Outlook Web App
• Server Connection Security: Use SSL to connect the published Web server or server farm
• Internal site name: VAN-EX1.Adatum.com
• Public Name Details page: mail.Adatum.com
3. Create a new Web Listener with the following settings:
• Name: HTTP Listener
• Client Connection Security: Do not require SSL secure connections from clients
• Web Listener IP Addresses: External
• Authentication Settings: HTML Form Authentication


• Single Sign-On (SSO) Settings: Enabled
• SSO domain name: ADatum.com
4. On the Authentication Delegation page, click Basic authentication.
5. Accept the default User Sets configuration, finish the wizard, and then apply the changes.

Question: Has your company deployed a reverse proxy? If so, what kind? How does your reverse proxy
compare to the TMG?
Lab: Securing Exchange Server 2010

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and the 10135A-VAN-EX2 virtual machines are
running.
• 10135A-VAN-DC1: Domain controller in the Adatum.com domain
• 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain
• 10135A-VAN-EX2: Exchange 2010 server in the Adatum.com domain
3. If required, connect to the virtual machines. Log on to VAN-DC1 and
VAN-EX1 as Adatum\Administrator, using the password Pa$$w0rd. Do not log on to VAN-EX2 at
this point.

Lab Scenario
A. Datum Corporation has deployed Exchange Server 2010. The company security officer has provided
you with a set of requirements to ensure that the Exchange Server deployment is as secure as possible.
The specific concerns included in the requirements include:
• Exchange Server administrators should have minimal permissions, which means that, whenever
possible, you should delegate Exchange Server management permissions.
• Ensure that client connections to the Client Access servers are as secure as possible by deploying a
TMG server.
Exercise 1: Configuring Exchange Server Permissions


Scenario
A. Datum Corporation has completed the Exchange Server 2010 deployment, and now is working on
integrating Exchange Server and recipient management with their current management practices. To
meet the management requirements, you need to ensure that:
• Members of the ITAdmins group can administer individual Exchange servers, but they should not be
able to modify any of the Exchange Server organization settings.
• Members of the HRAdmins group must be able to manage mail recipients throughout the entire
organization. They should not be able to manage distribution groups and should not be able to
create new mailboxes.
• Members of the SupportDesk group should be able to manage mailboxes and distribution groups for
users in the organization. They should also be able to create new mailboxes.
The main tasks for this exercise are as follows:

1. Configure permissions for the ITAdmins group.


2. Configure permissions for the Support Desk and HRAdmins groups.
3. Verify the permissions.

Task 1: Configure permissions for the ITAdmins group


• On VAN-EX1, in Active Directory Users and Computers, add the ITAdmins group to the Server
Management group.

Task 2: Configure permissions for HRAdmins and Support Desk groups


1. On VAN-EX1, open the Exchange Management Shell. Use the following command to create the
HRAdmins role group:

    New-RoleGroup -Name HRAdmins -Roles "Mail Recipients"

2. Use the following command to create the SupportDesk role group:

    New-RoleGroup -Name SupportDesk -Roles "Mail Recipients", "Mail Recipient Creation", "Distribution Groups"

3. On VAN-EX1, open the Exchange Management Console. Access the Role Based Access Control
(RBAC) User Editor from the Exchange Management Console Toolbox node. Log on as
Adatum\administrator using a password of Pa$$w0rd.
4. Add Anna Lidman to the SupportDesk group.
5. Add Paul West to the HRAdmins group.
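As an added example (not part of the lab), the following Exchange Management Shell script verifies the role groups from Task 2 against the exercise scenario: it compares the management roles actually assigned to each role group with the set the scenario calls for, lists the members, and shows which roles contain the New-Mailbox cmdlet, which explains why HRAdmins (Mail Recipients only) cannot create mailboxes while SupportDesk (which also holds Mail Recipient Creation) can. The expected role sets are taken from the exercise scenario.

```powershell
# Added example, not from the lab. Run in the Exchange Management Shell on
# VAN-EX1 after the role groups from Task 2 exist. $Expected is derived from
# the exercise scenario.
$Expected = @{
    HRAdmins    = @('Mail Recipients')
    SupportDesk = @('Mail Recipients', 'Mail Recipient Creation', 'Distribution Groups')
}

function Get-RoleGroupRoles {
    # Each management role assignment links one management role to the role group.
    param([string]$Group)
    Get-ManagementRoleAssignment -RoleAssignee $Group |
        ForEach-Object { $_.Role.Name } | Sort-Object -Unique
}

function Test-RoleGroupConfiguration {
    # Emits one object per role group with the roles that are missing or extra
    # compared with the expected set.
    param([hashtable]$Expected)
    foreach ($group in $Expected.Keys) {
        $actual  = @(Get-RoleGroupRoles -Group $group)
        $missing = @($Expected[$group] | Where-Object { $actual -notcontains $_ })
        $extra   = @($actual | Where-Object { $Expected[$group] -notcontains $_ })
        New-Object PSObject -Property @{
            RoleGroup = $group
            Members   = ((Get-RoleGroupMember $group | ForEach-Object { $_.Name }) -join ', ')
            Roles     = ($actual -join ', ')
            Missing   = ($missing -join ', ')
            Extra     = ($extra -join ', ')
            Result    = $(if ($missing.Count -eq 0 -and $extra.Count -eq 0) { 'OK' } else { 'MISMATCH' })
        }
    }
}

Test-RoleGroupConfiguration -Expected $Expected |
    Format-List RoleGroup, Members, Roles, Missing, Extra, Result

# Which management roles contain New-Mailbox? "Mail Recipients" is not among
# them, so HRAdmins cannot create mailboxes; "Mail Recipient Creation" is.
Get-ManagementRole -Cmdlet New-Mailbox | Format-Table Name -AutoSize
```

Any role listed under Extra grants more than the scenario allows and should be removed with Remove-ManagementRoleAssignment before users are added to the group.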

Task 3: Verify the per