red gate exchange e book

Sybex’s Best ofExchange Server 2007

10 Full-Length Chapters • 350 Pages of “Must-Know” Information

SeriouS SkillS.

Microsoft®

Sponsored by

http://www.red-gate.com/

www.sybex.com

Exchange Server 2007 Infrastructure Design: A Service-Oriented Approach

David W. Tschanz

Chapter 4: Applying Planning Principles to Exchange Sever 2007

What’s Inside: Mastering Exchange Server 2007

Barry Gerber, Jim McBee

Chapter 2: Exchange Server Architecture

Chapter 6: Scaling Upward and Outward

Exchange Server 2007 Implementation & Administration

Jim McBee, Benjamin Craig

Chapter 2: Exchange Server Administration Chapter 4: Installing Exchange Server 2007

Chapter 12: Sizing Storage Groups and Databases

MCTS: Microsoft Exchange Server 2007 Configuration Study Guide (Exam 70-236)

Will Schmied, Kevin Miller

Chapter 10: Creating, Managing Highly Available Exchange Server Solutions

MCITP: Microsoft Exchange Server 2007 Messaging, Design and Deployment Study Guide (Exams 70-237 & 70-238) Rawlinson Rivera

Chapter 5: Defining Policies and Security Procedures

Chapter 10: Planning a Backup and Recovery Solution for Exchange Server 2007

Chapter 15: Planning Exchange Server 2007 Security

Wiley , the Wiley logo, the Sybex logo, and related trademarks and trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates. All other trademarks are the property of their respective owners

Copyright (c) 2008 Wiley Publishing, Inc. All rights reserved.

For more information about these and all of Sybex’s Exchange Server books go to www.sybex.com/go/exchange

www.sybex.com/go/exchange

Chapter 2

Exchange Server 2007 Architecture

What separates a good Exchange Server administrator or implementer from a great one? Well,certainly there are a lot of factors, including an eye for details, patience with users, and knowledgeof Exchange. However, truly effective Exchange Server 2007 planning, deployment, administra-tion, performance optimization, and troubleshooting depend at least partially on understandingwhat is going on behind the scenes. This includes knowledge of the Exchange Server architecture,installation options, database configuration, and server roles.

In this chapter, we will introduce you to some of the basics of Exchange Server architectureand how you can make some of the right decisions early in your Exchange Server deployments.Certainly understanding what Exchange Server 2007 requires of its underlying operating systemis a good start. And it’s important to understand the differences between Exchange Server 2007editions and client access licenses so you can pick the edition with the features and scalability thatyour organization requires.

A lot of changes have occurred for Exchange 2007 from the perspective of architecture and thechoices that are available to the Exchange designer, implementer, or administrator. Although weintroduced a lot of these concepts in Chapter 1, we will go in to more depth on the architecturalchanges in this chapter.

Topics in this chapter include the following:

◆ Exchange 2007 requirements

◆ How to plan for disk space

◆ The move to 64-bit Windows

◆ Active Directory and Exchange Server

◆ The basics of a client/server system

Exchange Server 2007 RequirementsTo properly support Exchange 2007, you need to make sure the hardware you are using meetscertain minimum requirements. This is certainly true if you are expecting Exchange 2007 to per-form as expected and you expect to run in an environment supported by Microsoft. The hardwareand software requirements are a bit more complex than they were for previous generations ofExchange.

Hardware RequirementsIn the past, Microsoft has made recommendations for hardware based on the absolute minimumsrequired to run Exchange Server. Now, however, the recommendations are much more practical

36 CHAPTER 2 EXCHANGE SERVER 2007 ARCHITECTURE

for real-world deployments. The goal is optimal performance, and the recommendations are nowmade with consideration for supporting applications that often run in concert with ExchangeServer, such as antivirus, anti-spam, archiving, management, monitoring, and reporting software.

Processors

The requirement for 64-bit processors is the first big change for Exchange 2007. The processorshould be at least an 800MHz processor, though you will certainly benefit from processors fasterthan 2GHz or dual-core processors. The processor must be either an Intel Xeon or Intel Pentiumx64 processor that supports the Intel Extended Memory 64 Technology (EM64 T) or an AMDOpteron or Athlon 64-bit processor that supports the AMD64 platform. The Intel Itanium IA64processor family is not supported. Table 2.1 shows the processor recommendations from Microsoftfor different Exchange Server 2007 roles.

Table 2.1: Processor Recommendations Based on Server Role

Exchange 2007

Server Role

Minimum Recommended Recommended

Maximum

Edge Transport 1 × processor core 2 × processor cores 4 × processor cores

Hub Transport 1 × processor core 4 × processor cores 4 × processor cores

Client Access 1 × processor core 4 × processor cores 4 × processor cores

Unified Messaging 1 × processor core 4 × processor cores 4 × processor cores

Mailbox 1 × processor core 4 × processor cores 8 × processor cores

Multiple server roles(combinations of HubTransport, Client Access,Unified Messaging, andMailbox server roles)

1 × processor core 4 × processor cores 4 × processor cores

You may have noticed in Table 2.1 that for some server roles, the maximum number of pro-cessors or processor cores is less than the maximum that Windows can actually support. Mostall multithreaded applications will reach a point of diminishing returns when more processorsare added, so it may not be worth it to add the maximum number of processors that Windowssupports.

In environments that scale past a few hundred mailboxes, certainly dual- or quad-processorsystems will be put to good use. For organizations that deploy Exchange Server in a combinationof roles to different physical machines, you will almost always benefit from a dual-processor ordual-core processor system.

Physical Memory

As we have mentioned previously, the advantage that Exchange 2007 really gets out of the 64-bitarchitecture is the ability to access more physical memory. Additional physical memory improvescaching, reduces the disk I/O profile, and allows for the addition of more features.

Microsoft is recommending a minimum of 1GB of RAM in each Exchange 2007 server or 2GBfor each server supporting the Mailbox server role. This will, of course, depend on the roles that

EXCHANGE SERVER 2007 REQUIREMENTS 37

the server is supporting. Table 2.2 shows the minimum recommended memory for each of theserver roles.

Table 2.2: Minimum and Recommended RAM for Exchange Server 2007 Roles

Server Role Minimum Recommendation Maximum

Mailbox 2GB 2GB base memory plus per mailboxcalculation.

32GB

Hub Transport 1GB 1GB per CPU core 16GB

Client Access 1GB 1GB per CPU core 4GB

Unified Messaging 1GB 1GB minimum plus 512MB for eachadditional CPU core

4GB

Edge Transport 1GB 1GB per CPU core 16GB

Multiple roles 2GB 4GB for combination Hub Transport,Client Access, and Unified Messagingplus the per-mailbox calculation

8GB

Once you have calculated the minimum amount of RAM that you require for the server, if youare configuring a mailbox server, you will need to add some additional RAM for each mailbox.This will depend on your user community’s estimated load profile. Table 2.3 shows the additionalmemory required based on the number of mailboxes supported.

Table 2.3: Additional Memory Factor for Mailbox Servers

User profile Mailbox Memory Recommendation

Light Add 2MB per mailbox

Average Add 3.5MB per mailbox

Heavy Add 5MB per mailbox

Tip

If you are curious what constitutes light, average, and heavy users, these are defined later in this chapterin Table 2.5.

So for example, a server handling a Mailbox server role should have 2GB of memory plusthe additional RAM per mailbox shown in Table 2.3. If the Mailbox server is supporting 1,000mailboxes and it is estimated that 500 of the users are average (1.75GB of RAM) and 500 are heavyusers (2.5GB of RAM), the server should have about 6.3GB of RAM. For good measure, we would


recommend going with 8GB of RAM so that there is additional RAM just in case it is required.Seasoned administrators of previous versions of Exchange will immediately notice that restrictionson usable physical memory no longer apply to Exchange 2007.

Remember that these RAM estimates are just that, estimates. Additional factors may requiremore or less RAM (usually more) than the calculations and recommendations here. For example,antivirus and anti-spam software on Mailbox servers can place a significant burden on RAM.

An alternate way to size memory for Mailbox servers is to estimate the amount of RAMrequired based on the number of storage groups. This method is calculated to ensure that eachstorage group (and mailbox database) that is in use is allocated sufficient memory for databasecaching. Table 2.4 shows the minimum memory recommendations based on storage groups.

Table 2.4: Minimum RAM Recommendations Based on Storage Groups

Number of Storage Groups Minimum RAM Required

1–4 2GB

5–8 4GB

9–12 6GB

13–16 8GB

17–20 10GB

21–24 12GB

25–28 14GB

29–32 16GB

33–36 18GB

37–40 20GB

41–44 22GB

45–38 24GB

49–50 26GB

If you calculate two different minimum recommendations for RAM, we strongly encourageyou to use the larger of the two calculations. Up to 32GB, Exchange 2007 Mailbox servers willalways benefit from additional performance. Of course, 32GB of RAM may not be required ona Mailbox server that is supporting only 200 mailboxes, so approach RAM sizing with a certaincautious exuberance.

Optical Media

Exchange Server 2007 ships only on DVD media. Although installing from a network share doeswork, it is generally a good idea to ensure that your servers have DVD drives available rather

EXCHANGE SERVER 2007 REQUIREMENTS 39

than CD-ROM drives. If your servers do not have DVD drives, you can still copy the Exchangesoftware across the network or install from a network share folder.

File System

The FAT and FAT32 file systems are not supported. All disks must be formatted using the NTFSfile system.

Disk Space

Exchange Server 2007 is certainly not the first edition of Exchange for which administrators ordesigners have improperly sized the amount of available disk space. More than a few times, wehave seen administrators scrambling for more disk space, adding additional hard drives, movingdatabases and transaction logs around, or begging the storage area network (SAN) administratorfor more disk space. This is so important, in fact, that we are dedicating an entire section to this inChapter 3, ‘‘Designing a New Exchange 2007 System.’’

For now, let’s just leave the disk requirements at the utmost basics. We recommend that eachsystem disk on an Exchange Server have at least 10GB of free disk space prior to the installationof Exchange 2007. The actual recommendation from Microsoft is 1.2GB disk space free and 200MBof free space on the system disk, but that is a bare minimum. The amount of disk space that each ofthe servers will actually require will depend on the server role, the number of users you support,mailbox limits, and leaving room to grow.

Operating System RequirementsThere are a few requirements for the Windows Server operating system. For the release to manu-facturing (RTM) version of Exchange 2007, the only version of Windows Server that can be used isthe Windows Server 2003 x64 SP1 (or later) or Windows Server 2003 x64 R2 family. Windows 2003with the Multilingual User Interface (MUI) pack can also be used.

Exchange 2007 can be installed on either the Standard Edition or Enterprise Edition of Win-dows Server 2003. Windows 2003 Enterprise Edition is required if you will be installing clusteredmailbox servers.

At some point in the future, Microsoft will include support for Exchange 2007 to run on top ofthe new Windows Server operating system that is currently code-named Longhorn. This will be inthe time frame of Exchange 2007 Service Pack 1. Do not try to install Exchange 2007 on LonghornServer in production until you have specific instructions from Microsoft as to how to support it.

The following list includes other requirements for preparing the Windows server to runExchange 2007:

◆ Install the Microsoft .NET Framework v2.0.

◆ Install the Windows PowerShell. The released version can be downloaded fromhttp://preview.tinyurl.com/e5x2t.

◆ Install Microsoft Management Console 3.0. You can find more information and downloadlinks in Microsoft Knowledge Base article 907265, ‘‘MMC 3.0 update is available for Win-dows Server 2003 and for Windows XP.’’

Note

Unlike with previous versions of Exchange, the Internet Information Server components Network NewsTransfer Protocol (NNTP) and Simple Mail Transfer Protocol (SMTP) should not be installed.


All additional applications that you run on an Exchange 2007 server should be 64-bit appli-cations. Although Windows x64 supports 32-bit applications in WOW64 emulation providedthe applications’ kernel mode components are 64-bit, it remains to be seen whether mixing andmatching 32-bit and 64-bit applications on an Exchange 2007 server is a good idea. Many of usstill remember poorly performing and unstable 16-bit Windows applications that adverselyaffected Windows NT 4.0, so this may potentially be true with 32-bit Windows applications onWindows 64-bit.

The 64-bit versions of Windowssupport applications in WOW64 to support Exchange. The onlyrequirement is that kernel mode components of those applications have to work, so those have tobe x64. The main application can be 32 bit running in WOW64. In our opinion, any third-partytools and utilities that run on an Exchange 2007 server should be 64-bit versions.

The Move to 64-Bit ArchitectureThe move to a 64-bit architecture has been a controversial decision on the part of Microsoft, but inour opinion this certainly makes a lot of sense. Additional accessible memory is the number onereason for moving to the 64-bit architecture. Exchange 2003 Server quickly becomes short on RAMavailable for caching and other Exchange operations. Microsoft could not add too many additionalserver-side features to Exchange 2007 without getting around this constraint.

Although the 32-bit architecture certainly leaves a lot of room to grow when fewer mailboxesper server are supported, servers with more mailboxes begin to hit limitations. Microsoft was facedwith a decision to support both 32-bit and 64-bit versions of Exchange or to require everyone tomove to the 64-bit version. Supporting two different processors’ architectures for the same productis both more difficult and more costly than supporting a single version. This is certainly the casewith Microsoft, but it is true to a certain degree for the customer as well. As third-party productsare released, as fixes are released, and as customizations or tweaks are documented, there will bemore possible choices for processors, editions, and operating systems and the customer’s supportresponsibilities will become more difficult.

Room to Grow

For servers supporting larger numbers of mailboxes, the Exchange team had clearly exceededthe limits of the 32-bit architecture with Exchange 2003. Adding additional server-side processessuch as messaging records management, improved calendaring and scheduling, transport rules,Unified Messaging services, integration with Windows Rights Management Services, and othernew features would not have been possible without additional room to grow.

Improved Caching and Reduced I/O Profiles

Even on a server with only a few hundred mailboxes, Exchange Server 2000/2003 quickly reachesthe maximum amount of RAM available for caching (1.2GB maximum). As more and moreusers vie for the same physical memory for caching, Exchange Server quickly becomes con-strained by the amount of I/O (input output) operations that the Exchange server’s disk subsystemcan support.

Hundreds of pages of material have been written on the concept of optimizing Exchange Serverfor maximizing performance by improving I/O performance with Exchange, and we certainlycan’t do the concept justice in just a few paragraphs, but understanding the basic input/outputper second (IOPS) requirements of users is helpful. Microsoft and hardware vendors have donemuch research on I/O requirements based on the mailbox size and the average load that eachuser places on the server. Table 2.5 shows the estimated IOPS given a user type and an estimated

ACTIVE DIRECTORY AND EXCHANGE SERVER 2007 41

mailbox size for Exchange 2003. IOPS requirements climb as the number of messages sent andreceived increases and as the mailbox size increases.

Table 2.5: User Profile, Mailbox Size, and Estimated IOPS for Exchange 2003

User Type Database Volume IOPS Messages Sent/Received per Day Mailbox Size

Light .5 20 sent/50 received 50MB

Average .75 30 sent/75 received 100MB

Heavy 1.0 40 sent/100 received 200MB

Large 1.5 60 sent/150 received 500MB

For an Exchange 2003 server that is supporting 3,000 heavy mailbox users, the disk subsystemwould have to support at least 3,000 IOPS. In order to meet this requirement, the disk subsystemmay have too many additional disks; thus, the disk subsystem may have far more disk spacethan is actually necessary in order to support the IOPS profile. Failure to plan for sufficient IOPScapacity on the disk subsystem will significantly hurt performance.

The 64-bit architectural improvements to Exchange 2007 allow the operating system andExchange Server 2007 to access more physical memory. With additional physical memory avail-able for caching, disk I/O is significantly reduced. Microsoft estimates that I/O requirements arereduced by approximately 70 percent provided the Exchange 2007 server has the recommendedamount of RAM. Table 2.6 shows the estimated IOPS requirements for Exchange 2007 Mailboxservers. Please keep in mind that these are estimates and may change over time. These num-bers are also calculated when the Mailbox server is configured with more than the recommendedamount of RAM.

Table 2.6: User Profile, Mailbox Size, and Estimated IOPS for Exchange 2007

User Type Database Volume IOPS Messages Sent/Received per day Mailbox Size

Light .14 20 sent/50 received 50MB

Average .20 30 sent/75 received 100MB

Heavy .27 40 sent/100 received 200MB

Large .41 60 sent/150 received 500MB

With this significant improvement in caching Exchange data, the Extensible Storage Engine(ESE) database engine needs to read and write from the disk less frequently and thus reduces theIOPS requirements. When the IOPS requirements are reduced, fewer disks are required to supportthe I/O load.

Active Directory and Exchange Server 2007Active Directory is a grand repository for information about such objects as users, domains, com-puters, domain controllers, groups, contacts, and shared resources (such as files and printers).


Active Directory lets you log into very large domains and use resources across the domain withease. All objects in Active Directory are protected by a security system based on Kerberos, anindustry-standard secret-key encryption network authentication protocol developed at the Mas-sachusetts Institute of Technology. (For more on Kerberos, see http://web.mit.edu/kerberos/www/.)

Windows Server controls who can see each object in Active Directory, what attributes eachuser can see, and what actions a user can perform on an object. The Windows Active Directorypermissions model is richer and more complex under the hood than directory services permissionsin earlier versions of Windows such as Windows NT 4, but it’s quite easy to manage at the userinterface level.

Exchange Depends on Active DirectoryExchange Server 2007, like Exchange 2000/2003, depends entirely on a healthy and function-ing Active Directory and the availability of Domain Name Service (DNS) services. In order forExchange servers to properly locate domain controllers and global catalogs, DNS must accuratelyresolve domain controller and global catalog service location records and host information as wellas information about Active Directory sites. Exchange must retrieve configuration and recipientinformation from Active Directory as well; if either DNS or Active Directory does not respond toan Exchange 2007 server’s queries, clients will not be able to authenticate, address lookups willnot occur, and e-mail will not flow.

Almost the entire Exchange 2007 configuration is stored in the Active Directory; this infor-mation is stored in a partition of the Active Directory called the Configuration partition. TheConfiguration partition (Figure 2.1) is replicated to all domain controllers in the entire forest, notjust the domain in which the Exchange server is installed.

Figure 2.1

Viewing the configura-tion from ADSI Edit

The information you see in Figure 2.1 represents the Exchange 2007 configuration as viewedusing the Windows 2003 Support Tools utility ADSI Edit. This is a very primitive view of theExchange configuration in much the same way that REGEDIT gives you an inside look at theWindows Registry. Actually configuring Exchange properties is much easier (and safer!) to do


when you use the Exchange Management Console (EMC) or the Exchange Management Shell(EMS). You should only use ADSI Edit to manipulate your Exchange organization’s configurationwhen you have specific guidance from Microsoft or a trustworthy source.

When an Exchange server starts running services such as the Microsoft Exchange System Atten-dant, the Microsoft Exchange Active Directory Topology service determines in which ActiveDirectory site the Exchange server is located and then locates all domain controllers and globalcatalog servers in that site. Exchange Server then reads its configuration from Active Directory;this would include determining which roles that server supports, the mailbox databases to mount,and more.

When Exchange 2007 Hub Transport server is routing messages to Exchange recipients, t itmust query a global catalog server in order to determine properties of the recipient such as proxyaddresses, home mailbox server, and mailbox restrictions. Figure 2.2 shows the E-mail Addressesproperty page of a mailbox recipient; mail recipients are managed through the ExchangeManagement Console (EMC).

Figure 2.2

E-mail Addressesproperties

All recipient information is stored in the Active Directory, so information regarding e-mailaddresses, home server, mailbox limits, message size limits, and so on are found in the ActiveDirectory. Exchange server must retrieve this information from an Active Directory global catalog


server. Exchange server is dependent on the availability and health of domain controllers andglobal catalog servers; if Active Directory resources are not available, Exchange will not function.

Active Directory Site MembershipExchange Server 2007 is an Active-Directory-site-aware application. Exchange 2007 uses ActiveDirectory site information for a couple of purposes.

Exchange 2007 servers automatically learn the Active Directory topology and determine inwhich Active Directory site each Exchange 2007 server is located. Exchange Server uses the IPsubnets to locate the sites; if the subnet information is incomplete or incorrect, Exchange Serverwill not be able to correctly determine site membership and mail may not be delivered properly.

Different Exchange Server 2007 server roles use the Active Directory site information in differ-ent ways:

◆ All Exchange 2007 server roles use the site architecture to locate domain controllers andglobal catalog servers closest to them from the network’s perspective.

◆ Hub Transport servers determine the remote Hub Transport servers names in other ActiveDirectory sites to which they need to transmit messages intended for remote Mailboxservers.

◆ Mailbox servers determine which Hub Transport servers are in their own site so they cannotify those servers that they have messages that must be transferred.

◆ Unified Messaging servers submit voicemail messages and faxes to Hub Transport serversin their own site for routing to Mailbox servers. Unified Messaging servers do not transfervoicemail and fax messages directly to a Mailbox server.

◆ Client Access servers look for site information in order to determine if they are located inthe same Active Directory site mailboxes that they are being asked to provide access to.If not, the Client Access server refers the client to a Client Access server that is in the samesite as the required Mailbox server.

◆ Exchange Server refers Outlook 2000, 2002, and 2003 clients to global catalog servers thatare in the same site as the Exchange server for global address list lookups.

If there are weaknesses in your Active Directory site design, Exchange 2007 will certainlyexpose them. You should ensure that for Active Directory forests with more than one ActiveDirectory site, subnets are properly defined and associated with the appropriate site.

Warning

Active Directory IP subnet information must be correct. If it’s not, Exchange components might notfunction properly and messages might not be delivered.

Domain Controllers and Global Catalog ServersThe simplest way to describe the Exchange 2007 requirements for Active Directory is to say thatall domain controllers should be running (at a minimum) Windows 2003 Service Pack 1 or later,each domain should be at Windows 2003 domain functional level, and the forest should be at Win-dows 2003 functional level. Although that is the best case scenario, it might not be practical and


it is not correct. The following are the actual minimum requirements for Windows 2003 domaincontrollers and Active Directory:

◆ Each Active Directory site that has Exchange 2007 servers must have at least one Windows2003 Service Pack 1 or later global catalog server. For redundancy, an additional globalcatalog server should be available. The recommended ratio of Exchange servers to globalcatalog servers is based on the number of CPUs; that ratio is 4:1. For each quad processorExchange server, a single processor global catalog server should be available in the site, butthat may not take in to consideration redundancy requirements.

◆ Each domain that will host Exchange 2007 servers or mail-enabled recipients must be at aminimum Windows 2000 native functional level.

◆ If you are supporting the Exchange 2007 Outlook Web Access browsable global addresslist, you must use Windows 2003 Service Pack 1 or later global catalog servers.

◆ The schema master flexible single master of operations role must be hosted on a domaincontroller running Windows 2003 Service Pack 1 or later.

◆ If you have Exchange organizations in multiple forests and require forest-to-forest trusts,then all forests involved in forest-to-forests trusts must be at Windows 2003 forest func-tional mode.

Tips for Healthy Interaction with Active DirectoryAny experienced Exchange administrator will tell you that a healthy Active Directory goes a longway toward ensuring that Exchange Server is healthy and trouble free. We have learned a numberof lessons (sometimes the hard way) over the years and can offer some useful tips for ensuringthat Active Directory provides consistent and reliable directory services to Exchange.

◆ Even in small and medium-sized organizations, redundant domain controllers and globalcatalog servers help ensure higher availability.

◆ In large organizations, each Active Directory site that hosts Exchange servers should haveat least two domain controllers that host the global catalog server role.

◆ In large organizations with many thousands of mailboxes, implementing dedicated domaincontroller/global catalog server sites that are exclusively for use by Exchange servers willensure that Exchange does not interfere with Active Directory’s other functions (such asauthenticating users) and vice versa.

◆ All clients and member servers should have a primary DNS server and a secondary DNSserver address configured.

◆ In large organizations, clients and member servers should have a primary, secondary, andtertiary DNS server IP addresses configured.

◆ Either Windows 2003 32-bit or 64-bit can be used for domain controllers and global cat-alog servers, but if the Active Directory database (NTDS.DIT) exceeds 1GB, then betterperformance will be achieved with 64-bit Windows 2003. For organizations with NTDS.DITfiles larger than a few hundred megabytes, separating the database transaction logs to aRAID 1 volume array and the NTDS.DIT database file to a RAID 5 array can also improveperformance.


◆ Installing the DNS service on all domain controllers and using Active Directory–integratedDNS zones on all domain controllers in the forest will improve the reliability of DNS andtherefore Active Directory. If you have more than two domain controllers/DNS servers inyour organizations, all domain controllers and member servers should be configured witha primary DNS server, a secondary DNS server, and a tertiary DNS server.

Exchange EditionsWhen you plan to purchase Exchange 2007, you need to make sure you purchase the correctedition of Exchange server and purchase the client access licenses to license the features that youwill require. Table 2.7 lists some of the features that are included with Exchange 2007 StandardEdition and Enterprise Edition.

Table 2.7: Exchange 2007 Standard Edition versus Enterprise Edition

Feature Standard Enterprise

Maximum database size 16TB (unlimited) 16TB (unlimited)

Maximum number of storage groups 5 50

Supports Recovery Storage Group � �Number of databases 5 50

Supports Client Access server role � �Supports single-copy clustered Mailbox servers �Supports clustered continuous replication Mailbox servers �Supports Edge Transport role � �Supports Hub Transport role � �Supports local continuous replication � �Supports Mailbox role � �Supports Unified Messaging role � �

In the past, you only had a single option when purchasing Exchange Server client accesslicenses (CALs). Exchange 2007 introduces the Exchange Enterprise CAL and Exchange StandardCAL. Either can be used against either Exchange Server Enterprise Edition or Exchange ServerStandard Edition. The choice for which CAL you require will depend on which premium featuresof Exchange Server 2007 you are going to require.

The Exchange Enterprise CAL adds additional features above and beyond the Exchange Stan-dard CAL. The Exchange Standard CAL provides your users with the ability to use Exchangefeatures such as accessing their mailbox from a MAPI client, Outlook Web Access, ActiveSync

SERVER ROLES 47

devices, and Outlook Anywhere (RPC over HTTP). The Exchange Enterprise CAL includes thefollowing additional functions:

◆ Unified Messaging services

◆ Microsoft Forefront Security for Exchange Server

◆ Advanced compliance capabilities such as per-user and per-distribution group journaling

◆ Messaging records management features

◆ Anti-spam and antivirus protection using Microsoft Exchange Hosted Filtering Services asan external service provider

Standard client access licenses must be purchased for each mailbox that is accessed on yoursystem. If you have users that use multiple devices (Outlook, Outlook Web Access, WindowsMobile, ActiveSync, Outlook Anywhere) to access their mailbox and their total percentage of timeaccessing their mailbox from their primary device is less than 80 percent, then you must purchasean additional CAL for each user.

If you use Exchange Enterprise CALs for all of your users, then you get to use all of the featuresavailable for Enterprise CALs. However, if you purchase Enterprise CALs only for a subset ofyour users that require a feature such as Unified Messaging and Journaling and also choose to useForefront Security for Exchange, then the remainder of the users must be licensed separately forForefront Security for Exchange.

Server RolesThe best way to think of Exchange 2007 server roles is to think of a server that has the necessarysoftware and configuration to perform only a specific set of functions. This makes installing serverswith dedicated functions much easier. Dedicated server roles are also more secure because onlythe necessary software is installed, thus reducing the attack surface.

The concept of server roles is not really new. In Exchange 2000/2003, to build a server for han-dling Internet messaging or inter-routing group messaging, you would install Exchange Server,flag the machine as a front-end server (optionally), and disable services such as the web ser-vice. To configure a machine as an Outlook Web Access or ActiveSync server, you would installExchange, flag the Exchange server as a front-end server, and disable the information store andSMTP services. With Exchange 2007, the server roles are assigned when Setup is run.

Server Roles OverviewExchange 2007 has made the assignment of specific server roles simpler by allowing the serverroles to be designated at installation time. When you group together and install only the necessaryservices for a specific function, server installation is simpler and more secure and the server hasless overhead. There are five basic server roles:

◆ Mailbox

◆ Client Access

◆ Hub Transport

◆ Unified Messaging

◆ Edge Transport


The Mailbox server role can be installed as a clustered mailbox server. In small andmedium-size organizations, a single physical server will usually host more than one server roleexcept in the case of the Edge Transport role. Edge Transport must run on its own server.

Mailbox Server Role

The Mailbox server role is responsible for mailbox and public folder databases and for allowingdirect connectivity from MAPI/RPC clients. Clients such as Outlook 2003 or Outlook 2007 usingMAPI/RPC will connect directly to the MAPI interface on the Mailbox server role. The Hub Trans-port and Client Access server roles are required for a fully functioning e-mail environment, butthey do not necessarily have to be on the same physical server.

The Mailbox server role must exist on its own physical server if it is being installed as part of aclustered mailbox server environment. In that case, the Hub Transport, Client Access, and UnifiedMessaging server roles must be on separate physical hardware. A server handling a mailbox serverrole will typically be configured with significantly more RAM, hard disk space, and processorcapacity than the other server roles.

High-availability options for Mailbox servers include local continuous replication, single copyclusters, and clustered continuous replication.

Local Continuous Replication

Local continuous replication (LCR) is a new technology for Exchange 2007. LCR is designed sothat a production copy of a database can be synchronized and have a backup copy always readyto be put in to production if the primary copy becomes corrupted; the administrator initiates theswitch over to the backup copy of the database. LCR is configured storage group by storage group,and each storage group can have only a single database in it.

When a server is configured to support LCR, an additional set of local disks should be allocatedfor the LCR transaction logs and for the backup copy of the database. These disks can be directlyattached to the server or attached via storage area network (SAN) or Internet small computersystems interface (iSCSI). As transaction logs are completely filled and closed on the productioncopy of the database, they are copied to the backup location and committed to the backup copy ofthe database.

Note

Local continuous replication is resource intensive since transaction logs are being copied and replayedto backup copies of a database.

Clustered Continuous Replication

Clustered continuous replication (CCR) is also a new technology for Exchange Server 2007. Thistechnology is similar to LCR in that as transaction logs are filled, they are copied to a backuplocation and committed to a backup (or passive) copy of the database. However, with CCR, theimplementation is in the form of a two-node active-passive cluster. When Windows 2003 cluster-ing services are used, both the active and passive nodes must reside on the same IP subnet. Thebackup location is on the passive node; the transaction log files are pulled to the passive node andcommitted to the database on the passive node.

If the primary node of the cluster fails, the passive node automatically comes online andtakes over handling the clustered mailbox server. Unlike Microsoft’s previous implementation

SERVER ROLES 49

of Exchange clustering (single-copy clusters), there is not a single copy of the database andtransaction logs that is shared by all nodes of the cluster.

Single-Copy Clusters

A Single-copy cluster (SCC) is the same technology that existed in earlier versions of Exchange.An active node of the cluster owns shared disks (usually on a storage area network or on networkattached storage, or NAS). The cluster can consist of from two to eight nodes, but there mustalways be at least one passive node. There is only a single copy of the database and transaction logfiles, and they are located on the shared storage.

If an active node of the cluster fails, then one of the passive nodes will take ownership ofthe shared disks and database, mount the shared database, and start servicing clients for thatparticular clustered mailbox server (CMS); the CMS was formerly known as an Exchange virtualserver (EVS) in previous Exchange cluster implementations.

Client Access Server Role

The Client Access server is considered a middle-tier server; this server role handles communica-tions between non-MAPI clients and the Mailbox server role. In order to have a fully functioninge-mail environment, the Client Access server role must be functioning. The following are some ofthe functions of the Client Access server role supports:

◆ Outlook Web Access clients

◆ ActiveSync-enabled mobile devices

◆ Outlook Anywhere (RPC over HTTP) clients

◆ POP3 and IMAP4 clients

◆ Offline Address Book Web distribution

◆ Web services such as Autodiscover and the Availability service

◆ Web Services that require access to user mailboxes

The Client Access server accepts connections from these clients via HTTP, POP3, or IMAP4 andthen passes requests on to the Mailbox server via MAPI over RPC. Each Active Directory site thatcontains a Mailbox server role must also contain at least one Client Access server.

High-availability options for the Client Access server role include implementing some typeof network load-balancing solution such as the Cisco Local Director or Windows Network LoadBalancing. The Client Access role cannot be configured on a clustered mailbox server.

Hub Transport Server Role

The Hub Transport server role is responsible for all message delivery regardless of whether themessage is being delivered from one mailbox to another in the same mailbox database, a Mailboxserver in the same Active Directory site, a server in a remote Active Directory site, or outside ofthe organization. At least one Hub Transport server role is required in each Active Directory sitethat contains a Mailbox server.

For internal mail routing, Exchange Server 2007 will automatically load-balance and fail over ifmore than one Hub Transport server exists in an Active Directory site. For redundancy in inboundSMTP mail from outside the organization, you have a couple of options. If inbound mail is com-ing directly into the Hub Transport servers, multiple MX records or network load balancing aregood solutions. If mail is coming into a perimeter network solution such as Edge Transport or


a third-party SMTP gateway, configure these solutions to use multiple internal Hub Transportservers.

For smaller organizations with a single server Exchange implementation, the Hub Transportserver can perform most of the message hygiene functions performed by the Edge Transport serverrole to connect Exchange to outside world. However, separating message hygiene functions to aseparate server role located on the perimeter network is more secure.

Unified Messaging Role

The Unified Message server role is considered a middle-tier system and is an entirely new con-cept for Exchange 2007. This server role integrates voicemail and inbound faxing with Exchangemailboxes. The Unified Messaging server requires an IP-based telephone switch or a traditionalPBX-to-IP gateway (PBX stands for public branch exchange). The following functions are handledby the Unified Messaging server role:

◆ Provides voicemail for users of the IP-based phone system or through the PBX-to-IP gate-way including voicemail greetings and options. Inbound voicemail is recorded as a WMAfile and stored as a message in a user’s Inbox.

◆ Accepts inbound faxes that are designated for specific mailboxes, converts the fax to a TIFFfile, and stores that message in a user’s Inbox.

◆ Allows a user to dial in to the Unified Messaging server to retrieve voicemail, listen toe-mail messages, review their calendar, or change appointments.

◆ Provides voice menus and prompting call menus acting as an auto-attendant system.

Edge Transport Role

The Edge Transport server role is an entirely new role. In the past, Exchange servers could beimplemented as an additional tier of message hygiene protection. However, there are a number ofreasons that you might not want to use Exchange servers as perimeter message hygiene systems:

◆ In order to process delivery reports, nondelivery reports, and address rewrites, the infor-mation store service must be running and the default mailbox database must be mounted.

◆ Placing an Exchange 2000/2003 server in the perimeter network requires many ports to beopened on the firewall from the perimeter network to the internal network.

◆ Allowing inbound e-mail directly to an Exchange server could jeopardize both Exchangeand Active Directory.

For these reasons, a server role was developed that has many of the advantages of an Exchange2007 server but can be made much more secure since it can run in the perimeter network as astand-alone computer and does not require Active Directory membership. The following are someof the characteristics of the Edge Transport server role:

◆ The Edge Transport server role should be deployed in the perimeter network.

◆ It can be managed with Exchange Management Shell scripts and the Exchange Manage-ment Console in much the same way a regular Exchange server is managed.

◆ The only components required to run the Edge Transport role are the message transportsystem and an instance of the Active Directory Application Mode (ADAM) database.

SERVER ROLES 51

◆ Features such as transport rules can be implemented in the perimeter network and providemessage policy enforcement for messages entering or leaving the organization that is sepa-rate from that provided on the internal network.

◆ Connectivity between internal Hub Transport servers and Edge Transport servers can beauthenticated and the data stream encrypted.

◆ The content filter functionality and other anti-spam and message security tools are built in,as is the ability to add third-party content filtering/message hygiene tools.

◆ Microsoft Forefront Security for Exchange Server can be employed on the Edge Transportserver role for virus detection and quarantine.

For medium and large organizations, higher availability comes in the form of installing mul-tiple Edge Transport servers and providing load balancing either using multiple DNS mailexchanger (MX) records, network load balancing, DNS round robin, or failover using multipleInternet connections.

Microsoft and Deployment PlanningEarly in the Exchange 2007 life cycle, Microsoft defined some new terminologies, acronyms, andorganization types that are used when designing and deploying an Exchange 2007 organizationfor businesses of different sizes. We felt it important to define these terms here so that there willbe less confusion when reading both this book and the Microsoft documentation.

Using some of these terms, Microsoft has attempted to more clearly standardize design method-ologies and approaches to deployment of Exchange in order to simplify Exchange operations.

The first of these terms is Service Delivery Location (SDL). The SDL is essentially the location ofyour servers. In a small organization, the SDL may be a secured and environmentally controlledcloset within your own facility or it could be operated by a service provider or located at a coloca-tion site. In a medium-size or large organization, an SDL may be distributed through many datacenters in dozens or hundreds of locations throughout the world or it could be a consolidated,centralized data center with hundreds of servers servicing clients worldwide.

This brings us to the location of the actual clients, or the Client Service Location (CSL). This is thelocation from which your clients access the services you are providing. In a small organization,the CSL may be on the same physical LAN as the SDL, while larger organizations may see the CSLspan countries, continents, or the entire world.

To simplify deployment concepts, Microsoft has defined four types of organization modelsrepresenting topologies in which Exchange 2007 may be deployed. These are the simple, stan-dard, large, and complex organization types. There is no exact formula for figuring out exactlywhich organization type might describe your organization. The physical distribution of your usercommunity, your organization’s high-availability requirements, your organization’s fault toler-ance requirements, the volume of data that your users process, and other factors will all influencethe organization model that you choose or a variation on these models that you choose to createyourself.

Tip

It’s important to understand that there might not be an organization model that describes yourorganization exactly.


Simple Exchange Organizations

A simple Exchange organization is well suited for organizations with under approximately 200mailboxes. Please note that ‘‘200 mailboxes’’ is somewhat arbitrary since organizations with eithermore or fewer mailboxes may fit in to this category depending on their user community, require-ments, and messaging load. The simple organization has a single Exchange 2007 server that isrunning on the same physical machine as the organization’s domain controller. The Exchange2007 server handles the Mailbox, Hub Transport, Client Access, and Unified Messaging roles.The optional Edge Transport server role must still be on a separate physical server and should belocated in the perimeter network.

In a simple Exchange organization, the users and the Exchange server are usually located in thesame physical location, but that is not fixed rule. Even small organizations have telecommutersand users that access their organization using mobile technologies. Although the SDL is usuallyin the same location as the users, an emerging trend is for even smaller organizations to locatetheir server resources in a colocation site that provides Internet connectivity, power condition-ing, backup power, air cooling, and physical security services. Another trend is to outsource themessaging functions entirely.

Note

Organizations considering a single-server deployment that fits the simple Exchange organization modelshould consider a Microsoft Windows Small Business Server deployment. All of the components aretested together much more thoroughly (such as running Exchange Server on a domain controller).

Providing multiple layers of message hygiene and security for simple Exchange organiza-tions would come in the form of a reverse proxy to handle inbound HTTP requests and an EdgeTransport server in the organization’s perimeter network. Figure 2.3 shows a simple Exchange

Figure 2.3

Protecting a simpleExchange organization

Edge Transportserver in perimeter

network formessage hygiene

Domaincontroller/

Exchange 2007server

Internal clients

Internetclients

ISA Server 2006 forfirewall and reverse

proxy services

SERVER ROLES 53

organization that is separated from the Internet using Microsoft ISA server and a perimeternetwork.

Microsoft also offers an additional service called Exchange Hosted Filtering that allows orga-nizations to direct their inbound mail to Microsoft’s servers. The Hosted Filtering service inspectsmail for viruses and spam and then passes the mail on to your servers. If you have purchasedEnterprise client access licenses for all of your users, then this service is included.

Inbound SMTP mail from the Internet is directed to the Edge Transport server, which is locatedin the perimeter/DMZ network. Inbound e-mail is inspected in the perimeter network for virusesor spam and message transport rules can enforce organizational policies on messages arrivingfrom the Internet.

Inbound Outlook Web Access, ActiveSync, and Outlook RPC over HTTP connections termi-nate at the Microsoft ISA Server 2006 firewall; ISA Server acts as a reverse proxy, inspecting theinbound HTTP requests and then passing them on to the internal Exchange 2007 server’s clientaccess components.

Standard Exchange Organizations

The standard Exchange model is by far the most common and flexible of the four Exchangeserver organization models. It will also be the organizational model most commonly found inorganizations with from a few hundred to potentially tens of thousands of mailboxes. An organi-zation will choose the standard Exchange model if any one of the following is true:

◆ Need to support more than approximately 200 mailboxes

◆ Require dedicated Exchange servers

◆ May need to split Exchange server roles among multiple physical servers

◆ Require dedicated domain controllers

◆ Need to support clustered mailbox servers

◆ Need to support more than one service delivery location (SDL)

◆ Require more scalability or infrastructure fault tolerance than the simple Exchange modelcan support

The standard Exchange organization is more scalable than the simple Exchange organization.Exchange servers are usually installed as member servers rather than on a domain controller.Exchange servers may span multiple Active Directory sites and server roles may be dedicatedto specific physical servers rather than a single physical server. In this model, a single ActiveDirectory forest is also required.

A standard Exchange organization with between a few hundred and a few thousand mail-boxes might look like the one in Figure 2.4. In Figure 2.4, this organization has only a single SDLand requires high availability and redundancy. The Mailbox server is clustered to provide highavailability for the mailbox databases while the Client Access and Hub Transport roles are bothinstalled on two physical servers. By combining these two roles on two servers, the organizationcan provide better availability for message transport and web clients.

The organization could scale to as many as five Active Directory sites with Exchange 2007servers and multiple Internet access points but still be considered a standard organization. Thenumber of mailboxes is somewhat less of a factor here than the organization’s needs. A com-pany that places greater importance on its messaging needs and availability will find itself withdedicated servers and Exchange servers installed as member servers. When designing an Exchange


organization for a company that meets this profile, the administrator will have to take into consid-eration the business needs, budget constraints, and availability requirements of the organization.

Figure 2.4

A standard Exchangeorganization

Perimeter network services

ISA Server 2006 forreverse proxy

services

Edge Transport server for message

hygieneCombined ClientAccess and Hub

Transport servers Active/PassiveExchange 2007

mailbox clusteredservers

Domain controllers/global catalog

serversInternal clients

Internetclients

Large Exchange Organizations

Large Exchange organizations are the most scalable of the Exchange organizational models; theyallow an Exchange organization to support tens of thousands or hundreds of thousands of mail-boxes. A large Exchange organization can have the same characteristics a standard Exchangeorganization has plus the following:

◆ More than five Active Directory sites and multiple SDLs

◆ Multiple CSLs

◆ Multiple Active Directory domains within a single Active Directory forest

Although the large Exchange organization is certainly more scalable than the standardExchange organization, the skills required to manage and build a standard Exchange organizationdo transfer upward to the large Exchange organization.

Complex Exchange Organizations

Complex Exchange 2007 organizations represent increasing complexity of Exchange 2007 inbusinesses that might have multiple Active Directory forests and resource forests or that hostmultiple companies within the same Exchange organization. In addition to the scalable features

MAJOR COMPONENTS 55

of a standard or large Exchange organization, the following are some of the characteristics of acomplex organization:

◆ Multiple Active Directory forests with recipient replication using tools such as MicrosoftIdentity Integration services

◆ Multiple-organization support or support for multiple subsidiaries or business units in asingle Exchange organization

◆ Integration with external Exchange organizations such as when a new business unit hasbeen acquired but not merged in to a single organization

◆ Public folders, free and busy information, or shared calendaring between multiple organi-zations all using Exchange Server 2007

Size is often not the determining factor when designing and deploying a complex Exchangeorganization. In some cases, due to business requirements, even an organization with fewer than1,000 mailboxes may find itself requiring multiple forests or other situations that require a complexExchange organizational design.

Combining or Splitting Server RolesA common question with respect to Exchange 2007 and server roles is, When should server rolesbe split across multiple physical machines? With few exceptions, there is not a rule that saysthat server roles should be split across multiple pieces of hardware. However, even for a smallerorganization, the need for high availability will drive the need for multiple Exchange 2007 servers.The only server role that can be installed on a clustered mailbox server is the Mailbox role. Thismeans an environment that requires clustering of the Mailbox server role will require the otherserver roles (Hub Transport and Client Access) to be located on separate physical server.

In a small environment, the Hub Transport and Client Access roles can exist on the same physi-cal server. In a medium-sized environment that requires high availability of the Client Access andHub Transport servers, two Windows servers could be installed and load-balanced. Both of thoseservers could then host the Client Access and Hub Transport server roles.

What are some other reasons multiple Exchange servers might be required? The justificationfor additional hardware will be different from one organization to the next and will often dependon the organization’s size, but here are a few:

◆ Server load is too great for a single machine. For example, a server supporting 1,000 mail-boxes may be using local continuous replication and thus have an IO profile that precludeshaving additional disk-intensive, processor-intensive, or Active Directory–intensive roles.

◆ Redundancy in message routing is required and thus multiple servers with the Hub Trans-port role are required.

◆ Redundancy when providing Web Services or Internet access to messaging data requiresmultiple Client Access servers.

◆ Simplifying server recovery and rebuilds may require placing different server roles on dif-ferent physical servers.

Major ComponentsThe services and components that you find on an Exchange 2007 server will vary depending onwhich roles are installed for that server. Figure 2.5 shows some of the Exchange 2007 services thatare found in the services console.


Figure 2.5

Common ExchangeServer 2007 services

If you are an experienced Exchange 2000/2003 administrator, you will also find that many ofthe services and executables are not recognizable. Exchange 2000/2003 has fewer core componentsand they were all installed on any Exchange server that you built. The Exchange 2007 componentsare shown in Table 2.8.

Table 2.8: Exchange 2007 Components

Service Name/

Short Service Name

Executable Name Function

Microsoft ExchangeActive DirectoryTopology/MSExchangeADTopology

MSExchangeADTopologyService.exe

Provides Exchange Server 2007 with ActiveDirectory site, domain controller, and globalcatalog server information. This component isfound on all Exchange 2007 server roles exceptthe Edge Transport.

Microsoft ExchangeADAM/ADAM MSExchange

Dsamain.exe This is the ADAM instance that holds the EdgeTransport server role’s configuration, recipientinformation, safe sender lists, and blocked senderlists. This service is only found on the EdgeTransport role.

MAJOR COMPONENTS 57

Table 2.8: Exchange 2007 Components (CONTINUED)

Service Name/

Short Service Name


Microsoft ExchangeAnti-spam Update/MSExchangeAntispamUpdate

Microsoft.Exchange.AntispamUpdateSvc.exe

This service provides updates for the content filterservice. This service is found on the EdgeTransport and Hub Transport server roles.

Microsoft ExchangeCredential Service/EdgeCredentialSvc

EdgeCredentialSvc.exe

This service monitors credential changes for theADAM database and updates the Edge Transportserver. This service is found only on the EdgeTransport server role.

Microsoft ExchangeEdgeSync/MSExchangeEdgeSync

Microsoft.Exchange.EdgeSyncSvc.exe

Handles synchronization of recipient and hubtransport information to Edge Transport servers inthe perimeter network. The EdgeSync processsynchronizes to the Edge Transport server’sADAM database; the synchronization is a pushsynchronization from the Hub Transport role outto the Edge Transport server. This component isfound on Exchange 2007 Hub Transport serverroles.

Microsoft Exchange FileDistribution/MSExchangeFDS

MSExchangeFDS.exe The File Distribution Service handles distributionof offline address books on Client Access serversand custom Unified Messaging prompts on UMservers. It is found on Exchange 2007 ClientAccess and Unified Messaging server roles.

Microsoft ExchangeIMAP4/MSExchangeIMAP4

Microsoft.Exchange.Imap4Service.exe

Provides IMAP4 client connectivity and is foundon Exchange 2007 Client Access server roles. Thisservice is set to manual by default and must beenabled to support IMAP4 clients.

Microsoft ExchangeInformationStore/MSExchangeIS

Store.exe The information store service runs the databaseengine and provides client access for MAPI clientsas well as access to mailboxes for connectionsfrom Client Access and Hub Transport servers.This service is only found on Exchange 2007servers with the Mailbox server role. This servicealso consumes the most RAM of any of theExchange 2007 services.

Microsoft Exchange MailSubmission Service/MSExchangeMailSubmission

MSExchangeMailSubmission.exe

Handles notifying Hub Transport servers that amessage is waiting to be retrieved from a localdatabase. This service attempts to distribute themessage delivery load if multiple Hub Transportservers are found. This service is found on theExchange 2007 Mailbox server role.

(CONTINUED)



Service Name/

Short Service Name


Microsoft ExchangeMailbox Assistants/MSExchangeMailboxAssistants

Microsoft.Exchange.InfoWorker.Assistants.exe

The Mailbox Assistants service handlescalendaring functionality such as CalendarAssistant, Resource Booking Assistant,Out-of-Office Assistant, and the Managed FolderMailbox Assistant. This service is found only onExchange 2007 Mailbox servers.

Microsoft ExchangeMonitoring/MSExchangeMonitoring

Microsoft.Exchange.Monitoring.exe

Provides an interface for applications to useExchange 2007 monitoring tasks. This service isfound on all Exchange 2007 server roles.

Microsoft ExchangePOP3/MSExchangePOP3

Microsoft.Exchange.Pop3Service.exe

Provides POP3 client connectivity and is found onExchange 2007 Client Access server roles. Thisservice is set to manual by default and must beenabled to support POP3 clients.

Microsoft ExchangeReplication Service/MSExchangeRepl

Microsoft.Exchange.Cluster.ReplayService.exe

This service handles copying log files from theiroriginal location to the backup log location onExchange 2007 Mailbox servers that have the localcontinuous replication or clustered continuousreplication functions enabled. This service isfound only on Exchange 2007 Mailbox serverroles.

Microsoft ExchangeSearch Indexer/MSExchangeSearch

Microsoft.Exchange.Search.ExSearch.exe

The Microsoft Exchange Search Indexer providescontent to the Microsoft Search (Exchange Server)service for full-text indexing. This service is foundonly on Mailbox server roles

Microsoft ExchangeService Host/MSExchangeServiceHost

Microsoft.Exchange.ServiceHost.exe

This service handles the configuration of RPCvirtual directories and Registry informationnecessary to support OutlookAnywhere (RPC overHTTP). This service is found on Exchange Mailboxand Client Access server roles.

Microsoft ExchangeSpeech Engine/MSS

MSSService.SpeechService.exe

The Speech Engine service provides the speechprocessing capabilities that are used by UnifiedMessaging services. This service is found only onUnified Messaging server roles.

Microsoft ExchangeSystem Attendant/MSExchangeSA

Mad.exe This service provides monitoring and directorylookup services for Exchange server. This serviceis found only on Mailbox server roles.

Microsoft ExchangeTransport/MSExchangeTransport

MSExchangeTransport.exe

This service provides the SMTP transportfunctions. Mail will not flow at all if this service ishalted. This service is found on all Exchange 2007Hub Transport and Edge Transport server roles.

DATABASES AND DATABASE SIZING 59


Service Name/

Short Service Name


Microsoft ExchangeTransport Log Search/MSExchangeTransportLogSearch

MSExchangeTransportLogSearch.exe

Provides the ability to search the Exchangemessage transport logs. This service is found onall Exchange 2007 Mailbox, Hub Transport, andEdge Transport server roles.

Microsoft ExchangeUnified Messaging/MSExchangeUM

umservice.exe The Unified Messaging service handles access touser’s mailbox via Outlook Voice Access, thecreation of voicemail messages, and the creationof fax messages. This service is found only on theUnified Messaging server role.

Microsoft Search(Exchange)/MSFTESQL-Exchange

Msftesql.exe This Search service creates full-text indexes onmailbox content. This service is found only on theExchange 2007 Mailbox server role.

World Wide WebPublishing Service

svchost.exe/inetinfo

A component of Internet Information Servicesthat is required on all Exchange 2007 ClientAccess server roles in order to provide access toweb services. This service is required on Exchange2007 Mailbox servers if you will be managingpublic folders using Exchange System Manager orPFDAVAdmin.

Depending on the server’s role(s), you will see many of these executables in the Windows TaskManager (shown in Figure 2.6). One frequently misunderstood service is the Microsoft ExchangeInformation Store service, or store.exe. By design this service will attempt to allocate as muchphysical memory as possible. On a server with 32GB of physical memory, it may not be unusualto see this service using 80 to 90 percent of that RAM.

Databases and Database SizingExchange 2007 includes a number of noteworthy improvements with respect to the Exchange mail-box and public folder databases. Although Exchange databases still uses the Extensible StorageEngine (ESE), aka Jet database engine, rather than a SQL Server database, improvements allowgreater scalability. The following are some of the changes that have been designed to improvescalability, improve performance, and make replication of data more feasible:

◆ The 64-bit version of the ESE database engine can access far more RAM for caching thanprevious versions.

◆ Each Exchange Server 2007 Enterprise Edition server supports up to 50 storage groups.

◆ Each Exchange Server 2007 Enterprise Edition server supports up to 50 databases.

◆ The database page size has been increased from 4KB (in previous editions) to8KB in Exchange 2007 to improve read and write performance.


◆ Transaction log files are now 1MB in size rather than 5MB; this allows data to be replicatedto a backup database location (in the case of LCR or CCR) much more quickly.

◆ The streaming store (STM) file found in previous versions of Exchange has been removed.Each Exchange database consists of a single EDB database file in which all content is stored.

Figure 2.6

Exchange 2007 servicesin Task Manager

We talked earlier about calculating the amount of disk space that you may require for ExchangeServer 2007 mailbox servers. In Chapter 1, we reviewed the changing nature of e-mail and messag-ing technologies and emphasized that mail storage requirements are greater than ever. We alwaysrecommended planning for more disk space and e-mail capacity than you think you will require.

However, more e-mail storage means including in your Exchange server design a maximumsize for each database. Why specify a maximum size for your database? As you saw earlier, speci-fying a maximum size gives you guidelines for distribution mailboxes and the maximum numberof databases that your server must support. In general, there are a number of good reasons forlimiting the maximum size of each database. Here are some thoughts and pointers on calculatingmaximum database size:

◆ Maximum database size when using streaming backups and restores should be around50GB to 100GB.

◆ When using LCR as the primary database restoration mechanism, databases can be allowedto grow to 200GB.

◆ Always take into consideration the restoration time when calculating maximum databasesize and ensure that you can restore within a timeline specified by your service levelagreement (SLA).

MESSAGE ROUTING 61

◆ Restoring from streaming tape backups can take significantly longer than restoring frombackups on disk.

◆ Larger databases take longer for online maintenance procedures to run. Microsoftrecommends online maintenance at least once every two weeks on each database for bestperformance.

One popular reason for limiting the size of a database or maximum mailbox sizes is the lengthof time it takes to restore a server. On one hand, this represents good planning, but often mailadministrators wield that excuse like a sword in order to keep their user storage limits lower. AnExchange administrator commented one time that ‘‘keeping mailboxes smaller is easier on us,’’meaning the IT department.

Storage limits and maximum mailbox sizes are all fine and good, but limits should not beset for the sake of IT. You should set limits that allow users to effectively do their jobs and toaccess the information they need to access, but you should also consider the needs of operations,archiving, and budgeting. Also keep in mind that the default mailbox limit for mailbox databasesis 2GB unless you change it, so make sure when you create new mailboxes databases that you alsoconfigure the correct limits. See more about establishing limits in Chapter 9, ‘‘Imposing Limitsand Why.’’

Message RoutingIn earlier versions of Exchange (2000 and 2003), if more than physical or geographic locationexisted, the Exchange servers could be broken up based on their physical location. The architectureof message routing is based on routing groups. By placing Exchange servers in different routinggroups, the administrator can control messaging traffic between those locations and can moreaccurately focus public folder connectivity by Outlook clients. In almost all situations, the serverslocated in routing groups correspond to the location of an Active Directory site, though not allActive Directory sites might actually have an Exchange server.

Exchange 2007 simplifies the management of the physical layout of Exchange by eliminatingthe need for routing groups and relying on the Active Directory site architecture instead. Serverswith the Hub Transport role accept messages from Mailbox servers, determine the location of thedestination mailbox database, and deliver the message to a Hub Transport server in the remoteActive Directory site.

Message Routing and the Hub Transport ServerThe Hub Transport server role is at the center of the message transport architecture. The HubTransport server maintains Send and Receive connectors that are responsible for receiving mailfrom the Internet, sending mail to the Internet, sending mail to remote Hub Transport servers,and receiving mail from remote Hub Transport servers. All messages must be processed bythe Hub Transport system regardless of whether they will be delivered to a local mailbox or aremote recipient.

Note

In Exchange 2000/2003 there was the concept of SMTP virtual servers, which could either send orreceive SMTP mail. Send connectors are responsible for outbound SMTP mail only and Receive con-nectors are responsible for inbound mail only. One big advantage of this is separation of logging.


The message transport architecture and dependencies are illustrated in Figure 2.7. Messagesenter the Exchange 2007 message transport system through one of three possible mechanisms:a message can be submitted to the Hub Transport via SMTP, a Mailbox server’s store driver, orthe file system’s Pickup folder on the Hub Transport server. The Hub Transport relies on ActiveDirectory for configuration, topology, and recipient information and thus must have access todomain controllers and global catalog servers.

Figure 2.7

Basics of the HubTransport architecture

SMTP to remoteHub Transport

servers

SMTP to Edge

Transportservers Hub

Transport

Mailboxserver

Domain controllers/global catalog

servers

MAP/RPCconnections

(Store driver)

GlobalCatalogqueries

Once a message is submitted to the Hub Transport system, it enters the message queuingsystem where the message Categorizer reviews it and determines how to deliver it. There are fivepossible queues that can be found on a Hub Transport server:

◆ The submission queue is the queue in which messages are placed when they enter the HubTransport server (via SMTP, store driver, or pickup folder). The categorizer processes themessages as they arrive in this queue. The submission queue is also called the categorizerqueue or the submit queue.

◆ The poison message queue is the queue in which messages are placed if there is a problemthat prevents the message from being categorized.

◆ The unreachable domain queue is the queue in which messages are placed if there is no routeavailable.

◆ Local delivery queues are queues in which messages are placed if they are to be delivered to aMailbox server in the same Active Directory site.

◆ Remote delivery queues are queues in which messages are placed to be delivered to remoteHub Transport servers or outside of the organization. The remote delivery queue is theonly type of queue available on the Edge Transport server role.

The Categorizer component is the Hub Transport component that watches the submissionqueue. As messages arrive in the submission queue, the Categorizer picks them up and processes

MESSAGE ROUTING 63

them. The following are some of the steps involved in message categorization:

◆ Expand any distribution lists, if applicable, by querying the global catalog.

◆ Resolve recipient addresses to determine which recipients are local, remote, or outside ofthe organization.

◆ Apply message transport rules to the message.

◆ Split the message into multiple parts if the message is going to local and remote recipients;this process is called bifurcation.

◆ Examine the message sender, recipients, header, body, and attachments and apply messagetransport rules that apply to the message.

◆ Convert the message to the appropriate message format (Summary-TNEF, MIME, orUUENCODE) depending on its destination.

◆ Determine the next ‘‘hop’’ for the message.

◆ Place the message in to appropriate local or remote delivery queue.

Note

With a few exceptions, such as application transport rules, the Categorizer function has not changedfrom Exchange 2000/2003.

Message Transport SecurityOne of the intentions of the design of Exchange 2007 was to make messaging more secure. Oneof the outcomes of this was to ensure that message content is secured as it is being transmittedfrom one server to another. This includes authenticated connections and encrypting the data asit crosses the network. Figure 2.8 shows the possible places a message may be passed across thenetwork and how protection is or may be implemented.

Figure 2.8

Security when messagesare being transmitted

Hub Transport toHub Transport –

Kerberosauthentication and

TLSRemote Hub

Transport server

EdgeTransport

server

EdgeTransport

server

Edge to EdgeMutual

authenticationand TLS

Hub Transportto Edge – Mutual

Authenticationand TLS Hub

Transport Mailboxserver

RPCencryption


As messages are transmitted via MAPI over RPC between Mailbox servers and Hub Transportservers, RPC encryption is automatically used. When a message is transmitted from one HubTransport server to another, the Hub Transport servers authenticate using Kerberos and the datastream is encrypted using Transport Layer Security (TLS). When messages are transmitted from aHub Transport server to an Edge Transport server, mutual authentication using certificates is usedand messages can be encrypted using TLS. Optionally, an organization that is sending messages toanother organization also using Edge Transport services can configure authenticated connectionsand TLS encryption to these remote organizations. Messaging security and Edge Transport isgoing to be covered in more detail in Chapter 20, ‘‘Securing Exchange Server.’’

Inter Site Message RoutingIn previous versions of Exchange, in order to deliver mail from one Exchange 2000/2003 routinggroup to another, a connector needed to be created (for example, Routing Group connector, SMTPconnector, and X.400 connector). The Exchange 2007 equivalents of routing group connectors areSMTP Send and SMTP Receive connectors.

One feature that will surprise some Exchange 2000/2003 administrators is that, by default,Exchange 2007 Hub Transport servers will behave as if connectivity between them is a full mesh.In previous versions of Exchange, messages flowed only between Exchange servers with explicitrouting group connectors.

Take, for example, the organization in Figure 2.9. This organization has four Active Directorysites. In three of them, there is a Mailbox server and a Hub Transport server.

Figure 2.9

Sample message routingarchitecture

Mailboxserver

HubTransport

Mailboxserver

HubTransport Hub

Transport

Mailboxserver

HubTransport

Site LinkB-C

SiteLinkH-B

SiteLinkH-A

SiteLinkH-C

Site LinkA-C

SiteLinkB-A Site B

Site A

Site HSite C

EXCHANGE SERVER 2007 AS A CLIENT/SERVER SYSTEM 65

The Active Directory site link architecture defines the site links as shown in Table 2.9.

Table 2.9: Sample Active Directory Site Links and Costs

Link Name Cost

Site Link H–A 1

Site Link H–B 1

Site Link H–C 2

Site Link A–C 100

Site Link A–B 100

Site Link B–C 100

Clearly, this Active Directory design intended for all replication to go through the ‘‘hub’’ siteknown as Site H. Thus, a logical assumption would be that messages would be routed using thissite link cost architecture. However, if a message originates on a Mailbox server in Site C andis intended for a recipient in Site B, the Hub Transport server will always attempt to route themessage directly first. If the direct path is not available, then the message will be routed to theHub Transport server in Site H. The site link costs are used to determine message routing pathsonly if the direct connection fails.

Exchange Server 2007 as a Client/Server SystemThe technology industry has overused the term client/server to the point that it is almost meaning-less. To put it simply, there are two kinds of networked applications: shared-file and client/server.The typical Exchange and Outlook deployment is a client-server messaging system and always hasbeen. However for people just getting involved in Exchange Server deployments, these conceptsshould be reviewed.

Shared-File ApplicationsEarly networked applications were all based on shared-file systems. The network shell that let youload your word processor from a network server and also allowed you to read from and write tofiles stored on a server. At the time, this was the easiest and most natural way to grow networkedapplications.

Microsoft’s first e-mail product, Mail for PC Networks, was a shared-file application. You runa Windows, OS/2, DOS, or Macintosh client application, which sends and receives messagesby accessing files on a Microsoft Mail for PC Networks post office that resides on a network fileserver. The front-end application and your PC do all the work; the server is passive. Figure 2.10shows a typical Microsoft Mail for PC Networks setup.

Easy as it was to develop, this architecture leads to some serious problems in today’s networkedcomputing world:

◆ Changing the underlying structure of the server file system is difficult because you have tochange both the server and the client.


◆ System security is always compromised because users must have read and write permis-sions for the whole server file system, which includes all other users’ message files. Thingsare so bad that in some cases a naive or malicious user can actually destroy shared-filesystem databases.

◆ Network traffic is high because the client application must constantly access indexes andhunt around the server’s file system for user messages.

◆ Because the user workstation writes directly to shared files, the server-based files can bedestroyed if workstation hardware or software stops functioning for some unexpectedreason.

◆ Often the client program would open these shared files and lock them for use. Thisfrequently prevented important data files from being backed up.

Figure 2.10

Microsoft Mail for PCNetworks is a typicalshared-file electronicmessaging system.

FileServer

MicrosoftMail

Client

ServerHard Disk

Messages

Shared-file applications are in decline. Sure, plenty of legacy (that is, out-of-date) applicationswill probably live on for the data-processing equivalent of eternity, but client/server systemshave quickly supplanted the shared-file model. This is especially true in the world of electronicmessaging.

Client/Server ApplicationsThough they have some limitations of their own, client/server applications overcome the short-comings of shared-file apps. So today, networked applications increasingly are based on the

EXCHANGE SERVER 2007 AS A CLIENT/SERVER SYSTEM 67

client/server model. The server is an active partner in client/server applications. Clients tellservers what they want done, and if security requirements are met, servers do what theyare asked.

Processes running on a server find and ship data to processes running on a client. When a clientprocess sends data, a server receives it and writes it to server-based files. Server processes can domore than simply interact with client processes. For example, they can compact data files on theserver or — as they do on Exchange Server — automatically reply to incoming messages to letpeople know, for instance, that you’re going to be out of the office for a period of time. Figure 2.11shows how Exchange implements the client/server model.

Figure 2.11

Microsoft Exchangeis based on theclient/server model.

MicrosoftExchange

Server

MicrosoftExchange

Client

ServerHard Disk

Server Process

Client Process

Messages


Client/server applications are strong in all the areas in which shared-file apps are weak:

◆ Changing the underlying structure of the server file system is easier than with shared-filesystems because only the server processes access the file system.

◆ System security can be much tighter, again because only the server processes access the filesystem.

◆ Network traffic is lighter because all the work of file access is done by the server, on theserver.

◆ Because server processes are the only ones that access server data, breakdowns of userworkstation hardware or software are less likely to spoil data. With appropriate trans-action logging features, client/server systems can even protect against server hardware orsoftware malfunctions.

As good as the client/server model is, it does have some general drawbacks. Client/server appsrequire more computing horsepower, especially on the server side. With Exchange, you shouldplan to start with very fast Pentium or better machines, lots of RAM, and plenty of hard disk andtape backup capacity — and expect to grow from there.

Client/server applications are more complex than shared-file apps. This is partly because of thenature of the client/server model and partly because of the tendency of client/server apps to benewer and thus filled with all kinds of great capabilities that you won’t find in shared-file applica-tions. Generally, you’re safe in assuming that you’ll need to devote more and more sophisticatedhuman resources to managing a client/server application than to tending to a similar one basedon shared files.

The good news is that Microsoft has done a lot to reduce the management load and to make iteasier for someone who isn’t a computer scientist to administer an Exchange system. I’ve lookedat many client/server messaging systems, and I can say without any doubt that Exchange is abso-lutely the easiest to administer, even in its slightly more complex 2007 implementation. ExchangeServer 2007 includes both a graphical user interface and a management shell that organizes theprocesses of management very nicely. With these interfaces, you can do everything from addingusers to assessing the health of your messaging system.

SummaryMicrosoft Exchange Server 2007 continues to build on a solid history of messaging servers.Improvements in the architecture of Exchange 2007 allow for continued innovation, improve-ment, and scalability. The move to the 64-bit architecture is clearly needed to allow Exchange tobe enhanced further and to reduce I/O requirements.

Server installation and configuration has been further enhanced and simplified by the intro-duction of server roles; the person that performs the Exchange Server installation chooses, whichcomponents are necessary for a particular server’s function.

Chapter 4

Applying Planning Principlesto Exchange Server 2007

‘‘The more they overthink the plumbing, the easier it is to stop up the drain.’’— Montgomery Scott, Star Trek III: The Search for Spock

‘‘There are two ways of constructing a software design; one way is to make it so simple that thereare obviously no deficiencies, and the other way is to make it so complicated that there are no obvi-ous deficiencies. The first method is far more difficult.’’— Sir Charles Anthony Richard Hoare

Simplicity begets reliability. Many email system architects have learned that as increasinglysophisticated systems are incorporated to improve email reliability, the complexity of configur-ing and maintaining these systems has resulted in errors that cause the very system outages theywere added to prevent.

Part of your challenge as the planning guru and designer is to maintain as much simplicity anddesign in your plan and design as you can. The statement of work, although comprehensive, doesnot have to create a Frankenstein’s monster. As you write it, think it, discuss it, and redo all of it,a key question you should be asking is ‘‘is it simple enough?’’

Of course, that doesn’t mean the planning is going to be simple. Let’s be honest. Once, design-ing Exchange Server used to be a fairly simple task. When an organization needed email and thedecision was made to go with Exchange Server, the only real decision to make was how manyExchange servers were needed. Primarily, organizations really needed nothing more than emailand eschewed any ‘‘bells and whistles.’’

Exchange Server 2007, on the other hand, takes messaging to a whole new level. No longerdo organizations require only an email system, but other messaging and unified communicationsfunctionality as well. After the productivity capabilities of an enterprise email platform havebeen demonstrated, the need for more productivity improvements arises. It’s a self-perpetuatingfeedback loop, and you’re going to have to manage it.

In the previous two chapters, you learned how to analyze your business requirements anddesign plans for your enterprises from a high level. In this chapter and the next, you’ll move yourplanning to a much lower level and start applying what you’ve learned from the stakeholders,users, and other concerned personnel to develop specific items for the statement of work for anExchange Server 2007–based messaging system.

78 CHAPTER 4 APPLYING PLANNING PRINCIPLES TO EXCHANGE SERVER 2007

Note

I won’t be describing how to set work requirements for the nuts and bolts of the functionality. Instead,I’ll show you how to determine what you should include and why, as well as help you determine howyou can justify those decisions and recommendations to management. For example, when I discussdisclaimers, the focus won’t be on how to configure them or set font size and color. The review willcenter on the fact that they are available, why they may or may not be needed, and various ways toutilize them.

This chapter will cover several key topics that are critical to your design. You’ll learn aboutthe different Exchange and operating system requirements. Another key concern is determiningdisk storage need. Naturally, Active Directory requirements are also a major factor. As you mayalready know, but will certainly be well aware by the end of the chapter if you do not, your plan-ning will be heavily influenced by the need to comply with many legal and internal regulatoryrequirements, including court-related demands on your system.

I’ll also cover email archiving. Mail archiving is now a major requirement and expectation ofemail messaging systems. Planning it is not only essential from the point of view of system man-agement, but there is also a growing body of legal and regulatory — as well as corporate — rulesand mandates governing the retention of and access to email records and contents. Getting thisright is not simply a matter of good practice; doing it wrong can cost a company millions and inextreme cases result in its financial ruination.

The final consideration is how you should implement your Exchange Server 2007–based mes-saging system. Should it be an in-house system, or should you outsource it? This is not an idlequestion. Exchange 2007 demands the latest and some of the most expensive hardware with fullredundancy. Outlook 2007 can be obtained only by purchasing it separately or as part of theMicrosoft Office suite. Analysts predict that 80 percent of midmarket companies will benefit ifthey outsource Microsoft Exchange. Some argue that a typical midsized company will save morethan $100,000 by avoiding an in-house deployment, a figure that suddenly makes outsourcing anattractive option. We’ll be looking at how you make that assessment and what you need to havein place, such as a service-level agreement, to make it a worthwhile proposition.

Note

Throughout this chapter, the word plan is used to refer to the statement of work document.

Reviewing the Changes in Exchange Server 2007Exchange Server 2007 introduces some important changes that need to be incorporated into yourstatement of work. In fact, you will find that some of these changes and enhancements will proba-bly drive the design process.

An Overview of the New FeaturesAlthough they will be discussed in more detail later in this chapter and throughout the book,you should make a note of the new features of Exchange Server 2007 right at the outset. After all,part of the reason you’re moving to Exchange Server 2007 is to exploit these new capabilities andleverage these changes into something your organization can use.

REVIEWING THE CHANGES IN EXCHANGE SERVER 2007 79

The key new features are:

◆ Role-based deployment, which lets you choose the messaging services you want to pro-vide and deploy server roles specific to those services. You can deploy the server rolesindividually on dedicated hardware, or install multiple roles on the same physical server,administered as separate entities.

◆ ‘‘Access to messages from anywhere’’ changes and improvements include an enhancedOutlook Web Access (OWA), Microsoft ActiveSync improvements, new Outlook VoiceAccess (OVA), Unified Messaging support, and Outlook Anywhere (formerly knownas RPC over HTTP). These methods greatly increase the design flexibility of Exchange,allowing end users to access email through a variety of different methods.

◆ Integrated antispam, antivirus, and compliance mechanisms.

◆ Local continuous replication (LCR) and cluster continuous replication (CCR). The twomethods provide log shipping capabilities for Exchange databases by enabling the cre-ation of a replica copy of an Exchange database to be built from new logs generated fromthe server. Replication can thus be done in real time from one server to another server in aremote site or locally on the same server.

◆ Standby continuous replication (SCR) was introduced in Service Pack 1 for MicrosoftExchange Server 2007. As its name implies, SCR is designed for scenarios that use standbyrecovery servers. SCR extends the existing continuous replication features and enablesnew data availability scenarios for Mailbox servers.

◆ Continuous replication (log shipping and seeding) over redundant cluster networks in acluster continuous replication environment.

◆ Support for IPv6 was introduced for SP1 versions running on Windows 2008.

◆ Exchange Server 2007 Service Pack 1 added some enhancements to Outlook Web Access,including the following:

◆ User creation and editing of personal distribution lists

◆ User creation and editing of server-side rules

◆ Recovery of deleted files

◆ Support for Public Folders

◆ S/Mime support

◆ The following features were added to Unified Messaging in Exchange 2007 SP1:

◆ Support for Secure Real-time Transport Protocol (SRTP)

◆ Exchange Management Console support for configuring Mutual Transport LayerSecurity (mutual TLS) for dial plans

◆ The ability to add a SIP or E.164 address for a user by using the Enable UnifiedMessaging Wizard

◆ The ability to modify extension numbers and SIP and E.164 addresses for a UM-enabled user by using the Exchange Management Console


◆ In-band fax tone detection

◆ Quality of Service (QoS) support

◆ Exchange 2007 SP1 can be deployed with Office Communications Server 2007 environ-ment. In that type of an integrated environment, the following are some of the featuresavailable to you:

◆ Ability to create SIP URI and E.164 dial plans by using the New Dial Plan Wizard

◆ Additional logic for resolving internal calling number

◆ Notification of forwarding when leaving voice messages in scenarios where the desti-nation uses call forwarding

◆ Support for recording high-fidelity voice messages in Exchange Unified Messaging

◆ Access to Outlook Voice Access from Microsoft Office Communicator 2007 withoutrequiring the user to enter a PIN

◆ Ability for Office Communicator 2007 clients to associate subjects and priorities tovoice messages

◆ Support for media streams to traverse firewalls

◆ Integration of missed call notification email messages with Office Communicator 2007

◆ Ability to prohibit Play on Phone calls that are placed by using Office Communicator2007 from being subjected to call forwarding rules that are configured

These are only a small number of the many new features that are now available in an ExchangeServer 2007–based messaging system with Service Pack 1 installed. This list is by no means exhaus-tive, and you should always refer to the product documentation for more information.

Choosing an Installation PathA solid, well-thought-out installation is a key to effective Exchange Server 2007 planning. In fact,you really don’t have a choice since there is no in-place server upgrade path from an existingExchange server to the new version.

There is no direct upgrade path because Exchange Server 2007 requires an x64 architecture-basedsystem with an Intel processor that supports Intel Extended Memory 64 Technology (Intel EM64T)or an AMD processor that supports the AMD64 platform. Note that the Intel Itanium (IA64) pro-cessor will not work with Windows 2003 x64 editions. Thus, it won’t work for Exchange 2007deployments. Because earlier versions of Exchange didn’t support x64 architecture, there are nosystems from which you can upgrade.

What this means is, like it or not, you will have to write a plan that has you installing ExchangeServer 2007 ‘‘fresh.’’ There are only three possible installation paths therefore:

◆ Create a new Exchange environment for a new company or one without an existingmessaging infrastructure.

◆ Where there is an existing Exchange environment, you can transition by installingExchange Server 2007 servers, having them coexist briefly, and then phasing out theprevious versions.

◆ Install Exchange Server 2007 in a new organization, migrate all your mailboxes over to2007, and then remove your old Exchange servers.

REVIEWING EXCHANGE AND OPERATING SYSTEM REQUIREMENTS 81

I’ll discuss installation paths and deployment in greater detail in Chapter 10. For now, one ofyour first decisions will be to decide which of the three methods is right for your organization.

Now let’s turn our attention to the system and network requirements you’ll need to meet inorder to successfully install Exchange 2007.

Note

Please note that if you have not already done so, you can install Exchange Server 2007 SP1 oncomputers running Exchange Server 2007 to perform an in-place upgrade. For new installations, youcan simply perform a fresh installation of Exchange 2007 SP1 without having to install the originalversion first.

Reviewing Exchange and Operating System RequirementsExchange Server 2007 has specific hardware and software requirements that must be taken intoaccount when designing your statement of work, adapting the details as you work on the project.These requirements fall into several categories:

◆ Hardware considerations

◆ Operating system

◆ Version

◆ Edition

◆ Product licensing

◆ Active Directory

◆ Virtualization

Each requirement must be addressed before Exchange Server 2007 can be deployed and soyou’re going to have to consider them in your plan.

Hardware ConsiderationsAs you have already read, Exchange Server 2007 requires a 64 bit platform. There’s simply noway of avoiding that investment. One thing you should do is attempt to mitigate the overall TotalCost of Ownership (TCO) by creating a hardware design that scales out the Exchange load to whatis forecasted at least 3 years from the date of implementation. Doing so helps retain the value ofthe investment in Exchange Server–supporting hardware and other systems that you will includein your plan.

Specific hardware configuration advice is offered in later sections of this chapter.Previous versions of Exchange forced many organizations into deploying servers in sites with

more than a dozen or so users. In addition it was often necessary to deploy Exchange servers andglobal catalog (GC) servers in remote locations with only a handful of users.

Exchange Server 2007 modifies this with site consolidation, which allows clients in remotelocations to access their mailboxes across wide area network (WAN) links or dial-up connectionsby using the enhanced Outlook 2003/2007 or OWA clients. It also means that smaller numbersof Exchange servers can service clients in multiple locations, even if they are separated by slowWAN links.


As you can see, site consolidation will have a profound effect on your overall Total Cost ofOwnership (TCO) and on your plan in general since reducing the number of Exchange servermachines you will need will help shrink the infrastructure costs of setting up Exchange.

For small and medium-sized organizations, this means that one or two servers should sufficefor the needs of the organization. Larger organizations will require a larger number of Exchangeservers, depending on the number of sites and users.

Yes, More Expensive Really Means Cheaper

It may seem counterintuitive that the higher costs of hardware to support Exchange Server 2007, par-ticularly the substantially increased cost of the 64 bit platform, can actually reduce overall costs byproducing a better outcome with less collateral damage in terms of system downtime, unexpectedconsequences, and the inability to scale effectively.

Consider, however, the experience of the United States Air Force. In World War II cheap andplentifully produced iron bombs were used over enemy targets. On average it took 108 aircraft, drop-ping 648 bombs to destroy a single target. In one notable case, U.S. bombers flying about 800 missionswere able to destroy only a tiny portion of a Japanese factory while leveling everything else around it.

In attempt to reduce both civilian casualties and the costs in aircraft and pilots, precision munitionswere developed and widely deployed in the early 1990s and beyond.

Although much more expensive, these weapons are far more accurate than bombs guided by nothingmore than gravity. By the time of the 2001 campaign in Afghanistan, 38 aircraft were able to hit 159targets on the first night of bombing, using less than 200 weapons. That’s a feat that wouldhave taken World War II aircraft more than 17,000 aircraft and 100,000 bombs. Civilian losses wouldhave been comparatively higher as well.

Sometimes the higher price tag is really a bargain, a point you may have to clarify to the stakeholdersand in your Statement of Work.

Another point to consider when planning location and placement of Exchange Server 2007machines is both the administrative group and the routing group structure, both of which nolonger exist in Exchange Server 2007.

Operating System (OS) RequirementsCurrently Exchange Server 2007 will install on only Windows Server 2003. Exchange Server2007 Service Pack 1 is required to install the program on Windows 2008 Server. Note that Win-dows Server 2003 installations of Exchange Server 2007 Service Pack require that Service Pack 2be installed on Windows Server 2003. Table 4.1 summarizes the compatibility between Exchangeversions and various operating systems (OS).

Exchange Server 2007 and the Current Network Infrastructure

Exchange Server 2007 incorporates industry-wide compatible protocols and services. In addi-tion, familiar Internet standards, such as Domain Name System (DNS), Internet Message AccessProtocol (IMAP), Simple Mail Transfer Protocol (SMTP), Lightweight Directory Access Protocol


(LDAP), and Post Office Protocol 3 (POP3), built into the product to provide coexistence withexisting network infrastructure, making infrastructure design and planning relatively simple andpainless.

You will, however, need to identify all the systems that require access to email data or services.For example, it might be necessary to enable a third-party monitoring application to relay mail offthe SMTP engine of Exchange so that alerts can be sent. Identifying these needs during the designportion of a project is extremely important.

Table 4.1: Exchange Version Compatibility

Version Windows NT 4.0 Windows 2000 Windows 2003 WIndows 2008

Exchange 5.5 Yes Yes No No

Exchange 2000 No Yes No No

Exchange 2003 No Yes Yes No

Exchange 2007 No No Yes, only 64 bit SP1 orR2 editions supported

No

Exchange 2007 Sp1 No No Yes, only 64 bit SP2supported

Yes

Version Selection ConsiderationsExchange 2007 comes in two platforms based on bits. The 64 bit version is intended for a liveproduction environment. It is the only one that can be purchased as a matter of fact.

The 32 bit version, basically intended for evaluation, is for nonproduction environments (suchas evaluation, labs, training facilities, demo, and so on).

There are two exceptions with respect to production and nonproduction use of the 32 bit plat-form because Microsoft does allow minimal supported use of the 32 bit version in productionenvironments. Specifically:

◆ You can use the 32 bit version in production to administer Exchange 2007 servers fromWindows Server 2003 or Windows XP.

◆ You can use the 32 bit version in production to extend your Active Directory directoryservice schema.

All other uses of the 32 bit version of Exchange 2007 in production environments areunsupported.

Automatic antispam updates from Windows Update are not available in the 32 bit version.Only a licensed 64 bit version can get automatic antispam updates from Microsoft Update.

You can have a maximum of 5 databases per server in as many as 5 storage groups on the32 bit version, which is less than the 50 databases per server as 50 storage groups.

Although the 64 bit version can be the Standard Edition or the Enterprise Edition, the 32 bitversion can only be the Standard Edition.

You can also install Unified Messaging (UM) with the 32 bit version in a nonproduction envi-ronment so that you can evaluate the UM-related features.


Edition ConsiderationsThere are two Exchange Server 2007 editions: Standard and Enterprise. The Standard Editionis designed to meet the messaging and collaboration needs of small and medium corporations;it may also be appropriate for specific server roles or branch offices. The Enterprise Edition isintended for large enterprise corporations and enables the creation of multiple storage groups anddatabases.

The primary differences, as summarized in Table 4.2, are:

◆ Only the Enterprise Edition can scale to 50 databases per server; the Standard Edition islimited to 5 databases per server.

◆ Only the Enterprise Edition can handle greater than 75 GB mailbox store.

◆ Single copy clusters (SCC) and cluster continuous replication (CCR) are supported only onthe Enterprise Edition.

Table 4.2: Exchange Server 2007 Edition Features

Feature Standard Edition Enterprise Edition

Storage Group Support 5 storage groups 50 storage groups

Database Support 5 databases 50 databases

Database Storage Limit 16 TB per database 16 TB per database

Single Copy Clusters Not supported Supported

Local Continuous Replication Supported Supported

Cluster Continuous Replication Not supported Supported

Note that Microsoft has made an exception in the 32 bit version code to allow SCC and CCR tobe used for nonproduction use on the 32 bit version, even though the 32 bit version is the StandardEdition. This means that you can set up a 32 bit test lab for evaluating or testing SCC and CCR.Because it’s 32 bit, you can create the nonproduction environments in a Microsoft Virtual Serverenvironment for your lab or demos.

Product Licensing ConsiderationsExchange Server 2007 edition types are licensing editions that are defined by a product key. Thereis a single set of binary files for each platform (one for x64 systems and one for x86 systems), andthe same binaries are used for both editions. When you enter a valid, licensed product key, thesupported edition for the server is established.

Product keys can be used for same edition key swaps and upgrades only, and they cannot beused for downgrades. You can use a valid product key to go from the evaluation version (TrialEdition) to either the Standard Edition or the Enterprise Edition; you can also use a valid productkey to go from the Standard Edition to the Enterprise Edition. You can also re-license the serverusing the same edition product key.


For example, if you had two Standard Edition servers with two keys, but you accidentally usedthe same key on both servers, you could change the key for one of them to be the other key thatyou were issued. You can take these actions without having to reinstall or reconfigure anything.

After you enter the product key and restart the Microsoft Exchange Information Store service,the edition corresponding to that product key will be reflected.

You cannot use product keys to perform a downgrade from the Enterprise Edition to theStandard Edition, nor to revert to the Trial Edition. A downgrade can only be done by uninstallingExchange 2007, reinstalling Exchange 2007, and entering the correct product key.

Client Access License ConsiderationsExchange 2007 also comes in two client access license (CAL) editions, which are also called theStandard Edition and the Enterprise Edition. You can mix and match the server editions withthe CAL editions. For example, you can use Enterprise CALs against the Standard server edition.Similarly, you can use Standard CALs against the Enterprise server edition.

The Exchange Server Enterprise CAL is an additive CAL and requires that a Standard CAL isalso purchased for each user or device. The Exchange Server Enterprise CAL provides access toUnified Messaging and advanced compliance, as well as Forefront Security for Exchange Serverand Exchange Hosted Filtering for onsite and hosted antivirus and antispam protection.

A CAL is required for each user or device (depending on the license) accessing the server.Either version of the CAL may be run against either version of the server.

Table 4.3 illustrates what features are included with the Standard CAL and Enterprise CAL.The last column illustrates what features can be accessed if you own both the Standard CAL andthe Enterprise CAL. Keep in mind that some features can only be purchased through a volumelicense program, and they are not available as retail purchases.

Virtualization ConsiderationsExchange Server 2007 is not supported in production in a virtual environment.

You can plan to use Virtual Server for training, labs, and demos. Exchange Server 2007 is alsonot supported in production in a virtual environment using non-Microsoft virtualization software.

The first 64 bit guest support is expected to be included with Hypervisor, which is an add-onfor Windows Server 2008 from Microsoft that is scheduled to ship within 180 days of WindowsServer 2008’s release.

Which Build Is It?

The final RTM build of Exchange 2007 (before Service Pack 1) is build 685.25, but in some placesit is listed as 685.24. Both are correct, actually. When you view the version information in theExchange Management Console or examine the value of the AdminDisplayVersion propertyfor Exchange servers in the Exchange Management Shell, it shows the version as 685.24. Whenyou view the Exchange version information in the Windows registry, it shows 685.25. If you useMicrosoft Operations Manager, it also shows version 685.25, but if you view version informationin Microsoft Office Outlook, it shows 685.24.

An exception to this version mismatch problem is present on the Edge Transport server. That willalways and only display 685.25 for the version. This makes things interesting when looking at severalExchange servers in the Exchange Management Console that include one or more synchronized Edge


Transport servers because the Version column will show both 685.24 (for non-Edge Transport servers)and 685.25 (for Edge Transport servers).

Also, when you click Help�About Exchange Server 2007, you’ll see a different version number alto-gether: 685.018. These versioning discrepancies have been expected to be resolved in Service Pack 1for Exchange 2007.

Finally, if you use the Get-ExchangeServer cmdlet and examine the ExchangeVersion property, you’llnotice yet another different version number: 0.1 (8.0.535.0). However, this number does not refer tothe version of an installed product; rather, it refers to the minimum version of the product that canread the object. In this case, any Exchange server that is version 8.0.535.0 or later can read this objectbecause the last changes to this object’s schema were made in build 8.0.535.0.

Table 4.3: Exchange Server 2007 CAL Offerings

Feature

Standard

CAL

Enterprise

CAL∗

Standard CAL +

Enterprise CAL

Email, shared calendaring, contacts,tasks, management

Yes No∗ Yes

Outlook Web Access Yes No∗ Yes

Exchange ActiveSync Yes No∗ Yes

Unified Messaging No Yes Yes

Per-User/Per-Distribution ListJournaling

No Yes Yes

Managed Email Folders No Yes Yes

Exchange Hosted Filtering∗∗ No Yes Yes∗∗

Forefront Security for ExchangeServer∗∗

No Yes Yes∗∗

*Additive CAL, purchase of the Standard CAL is required for Standard offerings**Offered only through Volume Licensing Programs, not available via retail purchase

Third-Party Product FunctionalityMicrosoft built specific hooks into Exchange Server 2007 to enable third-party applications toimprove upon the built-in functionality provided by the system. For example, built-in supportfor antivirus scanning, backups, and Unified Messaging exist right out of the box, although func-tionality is limited without the addition of third-party software. The most common additions toExchange implementation are the following:

◆ Antivirus

◆ Backup

DETERMINING DISK STORAGE NEEDS 87

◆ Phone/PBX integration

◆ Fax software

These will be discussed in detail in Chapter 5.

Determining Disk Storage NeedsComputers running Microsoft Exchange Server 2007 need to be deployed correctly with sufficientstorage capacity and performance capabilities. Capacity and performance are often at odds witheach other when it comes to planning a storage solution, and both must be considered beforemaking a purchase. You will need to ensure the following in your plan:

◆ Making sure there will be enough space to store all of the data.

◆ Making sure the solution provides acceptable disk latency and a responsive user expe-rience. This is determined by measuring or predicting transactional input/output (I/O)delivered by the solution.

◆ Making sure that nontransactional I/O has both enough time to complete and enoughdisk throughput to meet any service-level agreements (SLAs).

The optimal plan balances these factors and allows you to design the actual hardware solutionfor your servers.

Planning Disk CapacityHaving sufficient capacity is critical. Not having it causes things to go awry. If a database diskruns out of space, the database goes offline. If a transaction log disk runs out of space, it causesall of the databases in that storage group to go offline. Both of these are disasters, and there reallyisn’t a way to add more space in a hurry. Even performing offline compaction to reclaim space cantake a long time.

The bottom line is simple: running out of disk space results in an interruption of availabilityof one or more databases for a period of time that typically exceeds most recovery time objectives(RTO). That can get you fired.

There are several data points that you can use to determine how to size a database logical unitnumber (LUN), as well as a number of other factors. A safe decision and one that ensures that theneeds of the business are fully planned for calls for an additional overhead factor for the databaseLUN of 20 percent. This value will account for the other data that resides in the database that is notnecessarily seen when calculating mailbox sizes and white space; for example, the data structure(tables, views, and internal indices) within the database adds to the overall size of the database.For example, if after reading the following subsections, you determine that you need 200 GB, werecommend that you provision 250 GB, representing a 20 percent safety overhead for that storagegroup’s database LUN.

The key data points are as follows:

◆ Mailbox Quota

◆ Database White Space

◆ Database Dumpster

◆ Actual Mailbox Size


◆ Content Indexing

◆ Maintenance

◆ Recovery Storage Group

◆ Backup to Disk

◆ Log LUN Capacity

◆ Backup and Restore Factors

◆ Move Mailbox Operations

◆ Log Growth Factor

Calculating Mailbox Size

The following is a formula for database size using a 2 GB mailbox:

Mailbox Size=Mailbox Quota+White Space+(Weekly Incoming Mail × 2)

Mailbox Size=2,048 MB+(10 MB)+(52 MB × 2)

2,162 MB=2,048 MB+10 MB+104 MB (6 percent larger than the quota)

Table 4.4 can be used to estimate the number of transaction logs that will be generated on anExchange 2007 Mailbox server.

Table 4.4: Number of Generated Transaction Logs for Each Mailbox Profile

Mailbox Profile Message Profile Logs Generated/Mailbox

Light 5 sent/20 received 7

Average 10 sent/40 received 14

Heavy 20 sent/80 received 28

Very Heavy 30 sent/120 received 42

Storage TechnologyThe key aspects to choosing storage technology include reliability, capacity, performance,complexity, manageability, and cost.

Hardware Options

Exchange Server 2007 can make use of any of the following storage methodologies and options. Itis important to note that unlike previous versions of Exchange Server, network-attached storage isnot supported in Exchange Server 2007. The only network-based storage transport supported forExchange Server 2007 is Internet SCSI (iSCSI).

DETERMINING DISK STORAGE NEEDS 89

◆ Serial ATA (SATA)

◆ Serial Attached SCSI (SAS)

◆ iSCSI

◆ Fibre Channel

RAID Selection

As you can imagine, having redundancy in your storage design is a critical aspect of the planand to ensuring high availability. Microsoft recommends a redundant array of inexpensive disks(RAID) behind a battery-backed controller for all Exchange Server 2007 machines. Selecting aRAID type is a balance of capacity and transactional I/O. Mailbox size has a large impact oncapacity, while smaller form factor disks impact performance.

Table 4.5 compares the three most commonly used types of RAID solutions based on speed,space utilization, and performance during rebuilds and failures.

Table 4.5: Comparison of RAID Solutions

RAID type Speed

Capacity

utilization

Rebuild

performance

Disk failure

performance

I/O

performance

RAID10 Best Poor Best Best Best

RAID5 Good Best Poor Poor Poor

RAID6 Poor Good Poor Poor Poor

Storage ToolsIn order to assist administrators, planners and other users in designing their storage layout forExchange Server 2007, Microsoft has put together a number of tools to help assess and calculateneeds.

Storage Calculator for Exchange 2007

The Exchange 2007 Mailbox Server Role Storage Requirements Calculator (storage calculator)enables you to determine your storage requirements (I/O performance and capacity) and anoptimal LUN layout based on a set of input factors. As described before, there are many inputfactors that need to be accounted for before you can design an optimal storage solution for anExchange 2007 Mailbox server. The storage calculator enables you to input values specific to yourorganization and provides you with recommendations for optimal LUN layout.

The calculator does not make any recommendations toward storage design (RAID parity,number of disks, etc.) as the storage design is largely dependent on the type of storage array beingutilized. For more information on some basic requirements around storage design, see the StorageRequirements Blog listed above.

For more information about the storage calculator, including details about using it, see theExchange 2007 Mailbox Server Role Storage Requirements Calculator at http://msexchangeteam.com/files/12/attachments/entry438481.aspx.


Storage-Related Tools

Exchange Server Jetstress accurately simulates Exchange I/O characteristics. The tool includesboth a stress test and a performance test, which show the maximum performance of a LUN withinacceptable latencies. Additionally, a replacement for Load Simulator, called the Exchange LoadGenerator, has been created for simulating Outlook clients.

Both tools simulate Outlook and require a fully configured Exchange Server 2007 environmentfor testing. Simulating Outlook clients is the only way to measure actual client latency (rather thanjust the server disk latency).

You can download both of these tools using the following links:

◆ Microsoft Exchange Server Jetstress Tool (64 bit): http://go.microsoft.com/fwlink/?LinkId=80466

◆ Microsoft Exchange Server Jetstress Tool (32 bit): http://go.microsoft.com/fwlink/?LinkId=27883

◆ Exchange Load Generator (64 bit): http://go.microsoft.com/fwlink/?LinkId=80470

◆ Exchange Load Generator (32 bit): http://go.microsoft.com/fwlink/?LinkId=80469

The Exchange Stress and Performance tool is used to simulate Internet protocols such as POP3,IMAP4, and SMTP. It is often used to simulate incoming MIME mail from the Internet to an orga-nization. You can download this tool using the following links:

◆ Exchange Server Stress and Performance Tool (64 bit): http://go.microsoft.com/fwlink/?LinkId=80468

◆ Exchange Server Stress and Performance Tool (32 bit): http://go.microsoft.com/fwlink/?LinkId=80467

Other useful tools can be found at Tools for Exchange Server 2007: http://go.microsoft.com/fwlink/?LinkId=81741.

Understanding Active Directory (AD) RequirementsExchange originally maintained its own directory. With the advent of Exchange 2000, however,the directory for Exchange was moved to the Microsoft Active Directory (AD), the enterprisedirectory system for Windows. This gave greater flexibility and consolidated directories, but at thesame time it increased the complexity and dependencies for Exchange. Exchange Server 2007 usesthe same model, with either Windows 2000 Server or Windows Server 2003 AD as its directorycomponent.

Active Directory is a necessary and fundamental component of any Exchange 2007 implemen-tation. That said, organizations do not necessarily need to panic about setting up Active Directoryin addition to Exchange, as long as a few straightforward design steps are followed.

Exchange Server 2007 has several key requirements for AD. First, all domains must be in Win-dows 2000 or 2003 functional levels (no NT domain controllers). Second, it requires that the schemain an AD forest be extended for Windows Server 2003 RTM or R2 editions, and that theschema master domain controller be running either Windows Server 2003 SP1 or R2 edition. Inaddition, at least one global catalog server in each site where Exchange will be installed must berunning Windows Server 2003 SP1 or R2.

UNDERSTANDING ACTIVE DIRECTORY (AD) REQUIREMENTS 91

Furthermore, the following areas of Active Directory must be addressed to properly designand deploy Exchange 2007:

◆ Schema preparation

◆ Forest and domain design

◆ AD site and replication topology layout

◆ Domain controller and global catalog placement

◆ Domain name system (DNS) configuration

Before moving on to these topics let’s review some basic aspects of how Exchange Server 2007uses AD.

How Exchange Server 2007 Uses Active DirectoryWhen an Exchange Server 2007 server starts, it is stamped with a site attribute that helps otherExchange Server 2007 servers locate the services provided by it. Since only the Hub Transportserver can use SMTP to transport a message within the organization, each Active Directory sitewith a Mailbox server must also contain a Hub Transport server and, if the mailbox users accesstheir mailbox by using any non-MAPI method, each site must also contain a Client Access server.Anytime that a message needs to be processed for delivery, it will pass through a Hub Transportserver, which will make a decision about how the message should be routed. If the message isdestined for a Mailbox server in the same Active Directory site as the Hub Transport server, theHub Transport server will deliver the message to the mailbox. If the message is destined for aMailbox server that’s in a different site, the Hub Transport server will relay the message directlyto a Hub Transport server in the remote site.

The Hub Transport server makes use of the Active Directory IP site link cost information tocalculate the lowest-cost route to the Active Directory site where the recipient mailbox is located.The message does not stop at each Hub Transport server along the way. It goes directly fromsource to destination. So why does it bother to calculate the lowest-cost route if it’s relying onthe IP network to transport the message? There are a couple of reasons. One is to delay messagebifurcation. A message that is being sent to more than one recipient may need to be delivered toMailbox servers in more than one Active Directory site. Rather than bifurcate, or split, the messageat the first Hub Transport server, Exchange 2007 will not split the message until it reaches a forkin the routing path. As a result, the message will be relayed directly to a Hub Transport server inthe Active Directory site that represents the bifurcation point. This behavior is known as delayedfan-out.

Note

By default, Microsoft Exchange uses the cost assigned to an IP site link for Active Directory replicationpurposes to compute a routing topology. If, after documenting the existing Active Directory site andIP site link topology, you verify that the link costs for the Active Directory site and the network trafficflow patterns are not optimal for Exchange 2007, you can make adjustments to the costsevaluated by Microsoft Exchange. As an Exchange administrator, you cannot and should not modifythe cost assigned to the IP site link by using Active Directory tools. Instead, use the Set-ADSiteLinkcmdlet in the Exchange Management Shell to assign an Exchange-specific cost to the IP site link.


The lowest-cost route is also used to determine where to queue the message in case thedestination can’t be reached. If a Hub Transport server in the target Active Directory site can’t bereached, the sending Hub Transport server will then attempt delivery to a Hub Transport server inthe next closest Active Directory site according to the routing path. Message delivery will continuealong the lowest-cost route until it reaches an Active Directory site where a Hub Transport serveris available. Finally, if no Hub Transport servers along the route to the recipient Active Directorysite are available, the message is queued locally. This method queues the message as close to thedelivery point as possible, helping to make diagnosis of network failures more deterministic. Thisbehavior is known as queue-at-point-of-failure.

Exchange 2003 works in a completely different manner. It calculates the lowest-cost route fromone routing group to another based on the costs assigned to the routing group connectors. Abridgehead server in each routing group along the routing path will receive and then relay themessage. If the next connector in the path is not available, an attempt is made to calculate analternative route. Link state update messages are also communicated throughout the Exchangeorganization to notify the other Exchange servers that the connection is down. The bridgeheadservers will attempt to route around the down connector until a link state notification is receivedindicating that the connection is up.

The challenge when transitioning a large organization is to maintain mail flow during thecoexistence period. To achieve this continuity when Exchange 2007 is introduced into the envi-ronment, all Exchange 2007 servers become members of a single routing group. This means thatregardless of which Active Directory site the Exchange 2007 server is in, Exchange 2003 will see itas belonging to that single routing group. This allows you to establish a routing group connectorbetween that routing group and the Exchange 2003 routing groups so that Exchange 2003 canfigure out how to route messages to Exchange 2007. Exchange 2007 will also use the routing groupconnector to determine how to get messages to Exchange 2003. However, Exchange 2007 willalways prefer to route a message through another Exchange 2007 server, and will never backboneacross an Exchange 2003 routing group to reach another Exchange 2007 server.

Schema PreparationTo prepare AD for the move to Exchange Server 2007, the Schema Master has to have MicrosoftWindows Server 2003 SP1 or Windows Server 2003 R2 installed. There must also at least onedomain controller in each AD site that contains Exchange Server 2007 running Windows Server2003 SP1. The AD domain functional level must be at Windows 2000 Server–native or higher forall domains in the AD forest where you’ll be installing Exchange 2007.

With regard to preparing the schema and AD before installing Exchange Server 2007, the pro-gram has several different preparation switches you can run with the setup.com, including thefollowing:

◆ /preparelegacyexchangepermissions (to grant Exchange permissions where necessary)

◆ /prepareschema (to update the schema for Exchange 2007)

◆ /prepareAD (to configure global Exchange objects in AD)

Besides preparing your AD, you’ll need to prepare the domains into which you plan oninstalling Exchange 2007. Use the /preparedomain and/or /preparealldomains command(which will provide permissions on the domain container for your Exchange servers, permis-sion for Exchange Organization Administrators and a list of other necessary configuration andpermission changes) to prepare your domains for Exchange 2007.


Forest DesignBecause Exchange Server 2007 relies on the Windows Server 2003 AD for its directory, it isimportant to include AD in the design plans. Happily, if an AD based on either Windows 2000Server or Windows Server 2003 already exists in the organization, all you have to do is plan forthe inclusion of Exchange Server into the forest.

If an AD structure is not already in place, a new AD forest must be established. Designing theAD forest infrastructure can be complex and can require you to put nearly as much thought intothe design as the actual Exchange Server 2007 configuration itself. Therefore, it is important tofully understand the concepts behind AD before beginning an Exchange 2007 design.

Exchange 2007, while requiring an AD forest in all deployment scenarios, has certainflexibility when it comes to the type of AD it uses. It is possible to deploy Exchange in thefollowing scenarios:

Single forest The simplest and most traditional design for Exchange is one where Exchangeis installed within the same forest used for user accounts. This design also has the least amountof complexity and synchronization concerns to worry about.

Resource forest The Resource Forest model in Exchange Server 2007 involves the deploy-ment of a dedicated forest exclusively used for Exchange itself, and the only user accountswithin it are those that serve as a placeholder for a mailbox. These user accounts are not loggedon to by the end users, but rather the end users are given access to them across cross-foresttrusts from their particular user forest to the Exchange forest.

Multiple forests Different Multiple Forest models for Exchange are presently available, butthey do require a greater degree of administration and synchronization. In these models, dif-ferent Exchange organizations live in different forests across an organization. These differentExchange organizations are periodically synchronized to maintain a common Global AddressList (GAL).

It is important to determine which design model will be chosen before proceeding with anExchange deployment because it is complex and expensive to change the AD structure of Exchangeafter it has been deployed.

William of Occam stressed the concept of simple solutions to complex problems with hisfamous ‘‘razor.’’ The same principle applies to AD design. You should start with the idea thatall that is needed is a simple forest and domain in your environment.

However, simplicity is not always possible, and there will be certain cases where you mustconsider needing more than one AD forest in an organization, among the reasons for this are:

◆ Corporate politics. Some organizations have specific political reasons that force the cre-ation of multiple AD forests.

◆ Security concerns. Highly security-conscious organizations will implement separate ADforests to enhance internal security.

◆ Application functionality. Individual branches of an organization may require that certainapplications, which need extensions to the schema, must be installed. This might not bepossible or might conflict with the schema requirements of other branches. In those cases,you will likely need an additional separate forest.

◆ In some cases, it might be necessary to install Exchange Server 2007 in a separateforest, to enable Exchange to reside in a separate schema and forest instance. An


example of this type of setup is an organization with two existing AD forests thatcreates a third forest specifically for Exchange and uses cross-forest trusts to assign mailboxpermissions.

In any case, always, I repeat always, design AD with simplicity in mind. A Single Forest, SingleDomain model will meet the needs of many organizations. If Exchange itself is all that is requiredof AD, this type of deployment is the best practice to consider. Let KISS (keep it simple stupid) beyour byword.

AD Domain Structure DesignOnce you’ve planned the AD forest structure, you need to lay out the domain structure. Hereagain, simple is the best policy, and you should strive to establish a Single Domain model for theExchange 2007 directory. When deploying Exchange is the only consideration, this is oftenthe best choice.

There is one major exception to the Single Domain model: the Placeholder Domain model. ThePlaceholder Domain model has an isolated domain serving as the root domain in the forest.The user domain, which contains all production user accounts, would be located in a separatedomain in the forest, as illustrated in Figure 4.1.

Figure 4.1

A typical placeholderdomain configuration

Forest

Company main domain Placeholder

The value of a placeholder domain structure is that it increases security in the forest byisolating high-level schema-access accounts into a completely separate domain from theregular user domain, thus enhancing security. The negative side is that the additional domain willrequire additional domain controllers, thus increasing the infrastructure costs. You’ll find that insmaller organizations the tradeoff between cost and security is not worth it. Larger organizationscan consider the increased security provided by this model, however.

AD Site and Replication TopologyExchange 2007 no longer uses a separate replication mechanism (routing groups) from ActiveDirectory, and Exchange replication takes place within the context of Active Directory sites. Thismakes proper AD site topology creation a critical component of an Exchange deployment.


Active Directory sites should mirror existing network topology. Where there are pools of highlyconnected AD domain controllers, for example, Active Directory sites should be created to opti-mize replication. Smaller organizations have the luxury of a simplified AD site design. In general,the number of sites is small — or, in most cases, a single physical location. Midsize and largerorganizations might require the creation of multiple Active Directory sites to mirror the wide areanetwork (WAN) connectivity of the organization.

Domain Name System (DNS)Since both AD and Exchange Server 2007 are completely dependent on the DNS for lookups andoverall functionality, DNS is an extremely important design element. Typically, DNS is installedon the domain controller(s), which enables the creation of Active Directory–integrated DNS zones.AD–integrated zones enable DNS data to be stored in AD with multiple read/write copies of thezone available for redundancy purposes. Although using other non-Microsoft DNS for AD issupported, it is not recommended.

The main decision regarding DNS layout is what namespace should be used within the organi-zation.

The DNS namespace is the same as the AD domain information, and it is difficult to changelater.

The two options in this case are to configure DNS to use either a published, external namespacethat is easy to understand, such as Corp123.com, or an internal, secure namespace that is difficultto hack in to, such as Corp123.internal. In general, the more security conscious an organization,the more often the internal namespace will be chosen.

For the sake of simplicity Corporation123 could have chosen corp123.com as its AD name-space. This allows for an environment where the AD logon user principal name (UPN) and theemail address can be the same. For example, the user Kim Wimpsett is [email protected] forlogging on and [email protected] for email. This the preferred model for many organizationsbecause the need for user simplicity often outweighs the benefits of higher security.

Hardware ConsiderationsIn some cases with very small organizations, the number of users is small enough to warrant theinstallation of all AD and Exchange Server 2007 components on a single server. This scenario ispossible, as long as all necessary components — DNS, a global catalog domain controller, andExchange Server 2007 — are installed on the same hardware. In general, however, it is best toseparate AD and Exchange on separate hardware wherever possible.

Locating Global Catalog Servers

The global catalog is an index of the AD database that contains a partial copy of its contents. Allobjects within the AD tree are referenced within the global catalog, which enables users to searchfor objects located in other domains. Every attribute of each object is not replicated to the globalcatalogs, only those attributes that are commonly used in search operations, such as first nameand last name. Exchange Server 2007 uses the global catalog for the email-based lookups of names,email addresses, and other mail-related attributes. As a result, it is critical that the essential ADglobal catalog information be available to each Exchange Server 2007 server in the organization.

When planning for small offices with a single site, this simply means that it is important to havea full global catalog server available in the main site.

Another key consideration, within large organizations in particular, is to design a site structurethat reflects available WAN link capacity. This is because full global catalog replication can con-sume more bandwidth than standard domain controller replication. Only if a sufficient amount of


capacity is available will you be able to place a full global catalog server to be deployed at a site. Ifnot, and capacity is restricted, plan to enable universal group membership caching to reduce thebandwidth load.

Planning for ComplianceAnalysts estimate that as much as 75 percent of corporate documentation is created and commu-nicated via email. No doubt, a significant amount of your organization’s intellectual property liveson its messaging servers.

In business today, email is often both the most common and most preferred method of com-munication. As a corporate asset, email must be protected and in some instances regulated.Governments and corporate policy makers are defining regulations that affect email and the datait contains. The enforcement of these policies and regulations is known as compliance.

As mentioned in Chapter 2, organizations can no longer afford to simply ignore the wholeaspect of compliance with legal, regulatory, and corporate requirements regarding the production,handling, transmission, and retention of electronic messages. Each day a demand for evidence forlitigation or to provide documentation to regulatory agencies to prove they are complying withtheir regulations is delivered.

Many organizations in the financial services, insurance, and health-care industries must main-tain records of communication that occurs when employees perform daily business tasks.

Organizations that consider compliance when they plan their information technology infras-tructures, including their email infrastructures, can supply the required documentation ondemand with less effort. They can also comply with other regulatory requirements more easily.

Organizations that don’t consider compliance up front may find themselves sorting throughmillions of email messages manually, wasting time and money. Organizations can also be heldlegally responsible for not complying with laws or regulatory requirements.

Although an organization may have never been subject to litigation or may not be required tofollow regulatory requirements, there’s a good chance that you handle private and confidentialinformation that may be regulated by laws or regulations in your country or region. It’s importantthat you understand the laws and regulations that apply to your organization and take proactivesteps to make sure that you comply with them.

Selected Laws Governing Electronic Records in Effect as of 2007

This list is by no means exhaustive and estimates are that actual laws that have some impact of elec-tronic records, including international, federal, state, and local number in the thousands.

◆ Sarbanes-Oxley Act of 2002 (SOX): A U.S. federal law that requires the preservation of recordsby certain exchange members, brokers, and dealers.

◆ Security Exchange Commission Rule 17a-4 (SEC Rule 17 A-4): A U.S. Security and ExchangeRule that provides rules regarding the retention of electronic correspondence and records.

◆ National Association of Securities Dealers 3010 & 3110 (NASD 3010 & 3110): The NASDrequires that member firms establish and maintain a system to ‘‘supervise’’ the activities ofeach registered representative, including transactions and correspondence with the public.

PLANNING FOR COMPLIANCE 97

Also, NASD 3110 requires that member firms implement a retention program for all correspon-dence that involves registered representatives. These regulations affect primarily broker-dealers,registered representatives, and individuals who trade securities or act as brokers for traderswho are subject to the regulations.

◆ Gramm-Leach-Bliley Act (Financial Modernization Act): A U.S. federal law that protectsconsumers’ personal financial information held by financial institutions.

◆ Financial Institution Privacy Protection Act of 2001: This law amends the Gramm-LeachBliley Act to provide enhanced protection of nonpublic personal information.

◆ Health Insurance Portability and Accountability Act of 1996 (HIPAA): A U.S. federal law thatprovides rights and protections for participants and beneficiaries in group health plans.

◆ Uniting and Strengthening America by Providing Appropriate Tools Required to Inter-cept and Obstruct Terrorism Act of 2001 (PATRIOT Act): A U.S. federal law that expands theauthority of U.S. law enforcement for the stated purpose of fighting terrorist acts in the UnitedStates and abroad.

In addition to these U.S. laws and regulations, the following regulations also specify requirementsthat may rely on journaling technology:

◆ European Union Data Protection Directive (EUDPD): This directive standardizes the pro-tection of data privacy for citizens throughout the European Union (EU) by providing baselinerequirements that all member states must achieve through national implementing legislation.

◆ Japan’s Personal Information Protection Act: This act regulates the collection, use, andtransfer of personal information in and out from Japan. The Personal Information ProtectionAct applies to government or private entities that collect, handle, or use personal informationof 5,000 or more individuals.

Exchange Server 2007 has been designed to help organizations to meet compliance require-ments and contains several features that help you capture email messages in a user mailbox andas they flow in, through, and out of the organization.

There are generally three broad areas of compliance requirements: information retention, accesscontrol, and data integrity.

The following list provides several examples of the areas where compliance expectations areincreasing and should be planned for based on what you determined in your initial analysis:

Data retention policies Many organizations are required to keep data for a specific time andthen remove that data to protect privacy.

Privacy and confidentiality requirements Organizations have to protect the privacy of indi-viduals and the confidentiality of communications.

Ethical walls Organizations that work with securities and other financial information arefrequently required to prohibit communication between specific groups in their ownorganization.

Discovery requests Organizations are sometimes subject to litigation. As part of this process,litigants can request information from each other. This information frequently comes in theform of email messages.


The following compliance features provide the tools to help you seamlessly manage messagesin your organization:

◆ Messaging records management

◆ Transport rules

◆ Managed folders

◆ Journaling

◆ Disclaimers

What you will find yourself doing during this stage of your planning and designing process isworking with key personnel to determine what policies currently exist, what policies and practicesneed to be employed and how, and who will be defining the rules using one or all of these methodsto ensure that you meet compliance.

Messaging Records Management (MRM)The purpose of message management policies is to help organizations comply with legal require-ments and conserve information technology resources. MRM functionality in Exchange Server2007 meets the twin goals of messaging management and policy through three principles:

◆ Users classify their own messages.

◆ Obsolete messages are removed.

◆ Required messages are retained.

Within your organization, you most likely have rules, limits, and policies that define how largea mailbox can grow, how long email is retained after it is deleted, and perhaps age limits on certainfolders. These policies are put in place to manage email within your organization. MessagingRecords Management defines the life cycle of an email message within your organization, basedon the policies and rules you have in place.

After an email message is created and the user clicks ‘‘Send,’’ several things may happen to themessage. Obviously, the message is delivered to its recipient(s). Beyond that, several actions maybe taken with the email, including:

Sent items By default, a copy of each sent message is placed in the Sent items folder.

Deleted items Most messages are deleted out of the Inbox. By default, deleted messages aremoved to the Deleted items folder.

Deleted items retention After a user deletes a message from the deleted items folder, themessage may be stored for a period of time defined by the deleted items retention policy con-figured on the Exchange server. (The default is now 14 days.) After the retention period expires,the message is finally deleted from the user’s mailbox.

Journaling during transport During transport, messages that meet defined criteria can besent to any message archive that accepts SMTP email. An archive contains copies of messagesalong with message metadata.

Journaling managed folder messages Messages in a managed folder (described later in moredetail) can be sent to any message archive that accepts SMTP email, such as SharePoint Server2007.


Backups Messages are also copied during each backup. Backups are typically used for disas-ter recovery but can also be used to retrieve messages that have otherwise been deleted or lost.

The life cycle of an email message begins when the message is created, and ends when allcopies of the message are deleted. You can manage what happens to the message between thesepoints, as defined by your organization or by government regulations. A simple life cycle is wherea message is simply sent and received.

With Exchange Server 2007, you can define your email life cycle for messages that touch yourorganization so that legal discovery and compliance policies are satisfied.

As you design your plan, you will need to have a clear idea of what is organizationally requiredand apply these needs.

Transport RulesExchange Server 2007 allows you to define and create transport rules that conform to corporateemail policy. During message transfer, if the message meets the transport rule criteria, an actionwill be taken that may affect that message. Rule criteria are based on message sender, recipient, ormetadata — such as a word or phrase within the message, or the message classification. Messageclassification can be applied by a user or rule, such as confidential or personal.

When you plan for the deployment and configuration of transport features, you must clearlyidentify the organization’s business needs and the message-processing practices that best fulfillthose needs. To make sure that you have all the information and resources that are required tocorrectly deploy and configure these features, you should ask the following questions:

◆ Are there corporate or regulatory mandates with which your organization must comply?

◆ Should messages be identified for long-term document retention?

◆ Does your organization transmit confidential messages?

◆ Does your organization have to journal communications between individuals and groups?

◆ Should certain types of messages be scheduled or prioritized?

◆ Do you have to add disclaimers to the body of particular messages?

◆ Should messages be restricted by attachment size or type?

◆ Should certain connections be rejected by content or attachment name?

When you determine the business needs of your organization, you can determine the transportfeatures that should be deployed. After you have made these decisions, you will know whichfeatures to configure, which agents to enable, and which storage and security resources to makeavailable.

In terms of compliance, however, the only important agent is the one that runs on HubTransport servers. This agent helps you apply policy-based compliance rules to messages flow-ing through your Exchange organization. (The Edge Transport Server Rules agent, on the otherhand, helps you protect your organization against spam and viruses, and is discussed furtherin Chapter 5.)

Some of the common regulatory and compliance requirements that you will need to considerinclude the following:

◆ Limiting interaction between different groups of senders and recipients (‘‘ethical walls’’)

◆ Preventing inappropriate content from entering or leaving the company


◆ Filtering confidential information

◆ Tracking or archiving messages that are sent to and received from specific users andgroups

◆ Redirecting inbound and outbound messages for inspection before delivery

◆ Applying disclaimers

Among the common uses of transport rules are ethical walls between users within the sameorganization whose communication must be managed. You can define a rule where an action istaken when messages are sent between users or groups of users. Several actions can be taken:drop the message, return a nondelivery report, strip attachments, modify the message, journalthe message, send a copy of the message to a compliance officer, and so on. For example, MarketAnalysts and Brokers within an organization — two groups whose communication should bemonitored or not allowed — can be managed with a transport rule. In this example, the transportrule restricts messages being exchanged between these two groups of users.

Rules can also be defined that take action based on message classification. Users can chose fromseveral types of message classifications within Exchange Server 2007, in addition to classificationsthat can be assigned by the transport rule itself. For example, all messages sent to the corporatecounsel can be classified as confidential. Confidential messages can be archived differently thannormal messages, or avoided during discovery searches.

You can apply the Transport Rules agent in Exchange Server 2007 to meet any requirementsgoverning messages, the senders, and the recipients. Obviously, in designing your plan and state-ment of work, you will need to take these into consideration. In addition to compliance, as youwill see in Chapter 5, you can plan for and design transport rules to deal with spam and viruses.

Transport rules on Hub Transport servers evaluate all meeting requests, regular messages,encrypted messages, and rights-protected messages that are sent between authenticated users, asshown in Figure 4.2. All email messages that are sent anonymously are evaluated, regardless ofmessage type, sender, and recipient.

Each transport rule consists of the following components: conditions, exceptions, and actions.Conditions are used to indicate which message attributes — such as headers, recipients,or senders — are used in the message identification process. Once a message meets all of theconditions for a particular rule, actions are applied unless the message matches a configuredexception. Exceptions are optional. If configured, an exception will stop any messages that meetany one of the exception criteria from being processed by the transport rule. Actions, which are arequired component for each transport rule, specify how a message should be processed.

Transport rules are available with both the Exchange Enterprise CAL and the Exchange Stan-dard CAL.

Managed FoldersAfter a message reaches your inbox, it is outside the reach of transport rules, so policy and com-pliance responsibility is shifted to folder rules. Exchange Server 2007 introduces managed folders,useful for meeting compliance and also for general message organization.

Managed folders are created by an Exchange administrator and appear in the mailbox folderlist of a user’s mailbox. They can have specific rules and age limits applied to them, but they arenot shared across users like public folders.

A compliance scenario provides a good example of how a managed folder might be used.Some messages within your organization may need to be retained for seven years for compliancepurposes. You can create a managed folder that stores and archives messages for seven years. As


users receive messages that require that level of compliance, they move them into the managedfolder.

Figure 4.2

Hub Transport servermail flow

Forest

UnifiedMessaging

ServerMailboxServer 1

HubTransport

Server 1

FirewallThird-PartyApplication orMessaging Server

HubTransportServer 2

EdgeTransport

Server

Firewall

Internet

MailboxServer 2

MailboxServer 3

SITE A SITE B

Data retention (or records management) is a critical part of your compliance framework.Exchange Server 2007 has taken a big leap forward in how it allows administrators to managedata. In Exchange Server 2007, records management is based on three principles: obsolete mes-sages are removed, required messages are retained, and users are responsible for classifying theirown messages. A key part of your plan should be to determine how messages should be classified.

Managed folders and the corresponding content settings provide a powerful mechanism formanaging the retention and compliance process. Not only does it allow users to sort relevant emailand store data in folders that are managed centrally, but it also allows for journaling of these itemsto ensure that in the event of a discovery request or preservation order, you can easily complywith the court’s request.

JournalingPlanning for journaling and designing it into your statement of work will be partly driven bycorporate and regulatory demands that you must be aware of and familiar with.


Journaling is the ability to record all communications, including email communications, in anorganization for use in the organization’s email retention or archival strategy. Archiving refers toreducing the strain of storing data by backing up the data, removing it from its native environ-ment, and storing it elsewhere.

Journaling allows for the auditing of all mail sent to and received by a group of users asrequired by several different regulations and serves as a key tool in the email retention or archivalstrategy you are designing. It is also a good tool for ensuring compliance even if not specificallyrequired by a specific regulation since terms and requirements of the regulation may force you touse journaling as a way to comply.

Journaling is also a useful tool to organizations for conducting internal policies or audits.Messages journaled by Exchange Server 2007 can be stored in an Exchange database, Share-

Point site, or can be sent to any external SMTP address used by third-party journaling companies.In previous versions of Exchange, entire mailbox stores had to be journaled. In Exchange Server

2007, a scope determines what messages are journaled. The scope can be as granular as a singlemailbox, a distribution list, a database, or the entire organization. Voice mail messages and missedcall notifications can be excluded from the journal. Also, a detailed report on what is journaledincludes information such as To:, From:, Cc:, Bcc:, and expanded distribution list information aswell as other metadata from each journaled message. The value of this is obvious if you find thatyour plan needs to include the ability to respond to an ongoing need to place a hold on the emailmessages of certain individuals, because, for example, of an internal investigation or a court case.Exchange Server 2007 allows the administrators to add and remove users to an established groupthat is already being journaled. This provides a quick and easy way to provision ad hoc journaling.Figure 4.3 provides a good overview of how Exchange Server 2007 journaling operates.

Figure 4.3

Exchange Server 2007journaling

From: <Sender address>To: <Destination address>Cc: <Carbon Copy address>*Bcc: <Blind Carbon Copy Address>*Subject: <Message Subject>

From: <Sender address>To: <Destination address>Cc: <Carbon Copy address>*Bcc: <Blind Carbon Copy Address>*Subject: <Message Subject>

Sender: <Sender address>Message ID: <Message ID@server>Subject: <Message subject>

To: <Destination address>Cc: <Carbon Copy address>*Bcc: <Blind Carbon Copy address>*

*Ps: The fields CC: and BCC: are optional

Original Message

Hub Transport Role Journal Report

Original Message

Journal Mailbox

Recording MessageCreate a Journal

Report

Original Message

Normal Delivery

JOURNAL AGENTIs there a journalrule that matches

this message?


You will have to determine which of the two versions of journaling should be implemented,premium or standard.

Leveraging Journaling Technology

By US federal law corporate officers at Wimpsett Financial Services are responsible for the claimsmade by their employees to their customers. In order to verify that this is the case and the dataprovided is accurate, a corporate officer sets up a system whereby managers review some part ofemployee-to-client communications regularly. Every quarter the managers verify compliance andapprove their employees’ conduct. After all managers report approval to the corporate officer, the cor-porate officer reports compliance, on behalf of the company, to the regulating body.

In this scenario, email messages are one of the employee-to-client communications that managersmust review, so all email messages that are sent by client-facing employees are journaled. Other clientcommunication mechanisms may include faxes and telephone conversations, which must also berecorded.

Hence with Exchange Server 2007’s ability to journal all classes of data in an enterprise, WimpsettFinancial Services not only can meet internal audit requirements but also document them and be ableto act resolutely and confidently in the event that employees are not meeting the standards.

Premium Journaling

Premium journaling, new to Exchange Server 2007, allows the targeting of journaling rules byspecifying Simple Mail Transfer Protocol (SMTP) addresses that belong to mailboxes, contacts,or distribution lists that you want to journal in your organization. When you specify a targetrecipient or sender on a journal rule, you target specific recipients or senders for journaling.These recipients or senders may be subject to the regulatory requirements that were describedearlier in this topic. Alternatively, they may be involved in legal proceedings where email mes-sages or other communications are collected as evidence. If you target specific recipients, senders,or groups of recipients or senders, you can easily configure a journaling environment that matchesyour organization’s processes and regulatory and legal requirements.

Premium journaling requires Exchange Server 2007 Enterprise Edition CALs.

Standard Journaling

Standard journaling is basically the same as journaling in Exchange Server 2003. It enables jour-naling on a per-mailbox store basis. When a mailbox database has standard journaling enabled,all the messages that are sent to or from mailboxes in a mailbox database are sent to the specifiedjournaling mailbox.

If you have only Exchange Standard CALs for the mailboxes that you want to journal, you mustuse standard journaling.

Licensing and Compliance FeaturesThe availability of compliance features depends on whether you have purchased Exchange Enter-prise CALs or Exchange Standard CALs. As you can see in Table 4.6, all the compliance featureslisted earlier are available to you if you have purchased Exchange Enterprise CALs. If you havepurchased Exchange Standard CALs, you can use only the compliance features that are part of theExchange Standard CAL.


Table 4.6: Compliance Features Available for Each Type of CAL

Compliance feature Exchange Standard CAL Exchange Enterprise CAL

Messaging records management No Yes

Hub Transport rules Yes Yes

Standard journaling Yes Yes

Premium journaling No Yes

If you want to use the advanced compliance features available with an Exchange EnterpriseCAL, purchase the number of Exchange Enterprise CALs equal to the number of users who willbe using the advanced compliance features. For example, if you have 1,000 mailboxes and plan toenable MRM on only 100 of those mailboxes, you only have to purchase 100 Exchange EnterpriseCALs. The 900 remaining licenses can be Exchange Standard CALs. If you want to apply premiumjournaling to some of the same 100 mailboxes that were previously covered by the ExchangeEnterprise CALs, you don’t have to purchase additional licenses. However, if you want to applyMRM or premium journaling to more than the original 100 mailboxes, you must upgrade theappropriate number of Exchange Standard CALs to Exchange Enterprise CALs.

You can use either Exchange Enterprise CALs or Exchange Standard CALs with both MicrosoftExchange Server Enterprise Edition and Microsoft Exchange Server Standard Edition. For example,you can put mailboxes that require premium journaling, such as Exchange Enterprise CALs, on acomputer that is running Exchange Standard Edition.

Other features of Exchange 2007 may require Exchange Enterprise CALs. You must purchaseExchange Enterprise CALs for each mailbox that uses an Exchange Enterprise CAL feature.

As discussed at the beginning of the chapter, you are going to have to spend time carefullyassessing your licensing needs.

Exchange Hosted ServicesSome compliance features are enhanced by or are also available as a service from MicrosoftExchange Hosted Services. Exchange Hosted Services is a set of four distinct hosted services:

◆ Hosted Filtering, which helps organizations protect themselves from email-bornemalware

◆ Hosted Archive, which helps them satisfy retention requirements for compliance

◆ Hosted Encryption, which helps them encrypt data to preserve confidentiality

◆ Hosted Continuity, which helps them preserve access to email during and after emergencysituations

These services integrate with any on-premise Exchange servers that are managed in-house orHosted Exchange email services that are offered through service providers.

Exchange Hosted Services will be discussed in greater detail as part of Chapter 5’s assessmenton whether to keep your Exchange Server in-house or to outsource some or all of it.


Message ClassificationsMessage classifications is a Microsoft Exchange Server 2007 and Microsoft Office Outlook 2007feature that is intended to help organizations comply with their email policies and regulatoryresponsibilities.

By default, there are four message classifications when Exchange Server 2007 is deployed andwhich are available in OWA. Below, the four default message classifications are explained:

Company Confidential This contains proprietary information and should be handledconfidentially.

Company Internal This contains sensitive information that should only be delivered tointernal recipients.

A/C Privileged This kind of message is either a request for legal advice from an attorney ora response by an attorney about legal advice. It’s also called ‘‘Attorney/Client Privileged.’’

Attachment Removed The attachment was removed from the email.

Technically speaking there is a fifth default classification, ‘‘No Restriction,’’ which is merely atraditional message without any added metadata.

When a message is ‘‘classified,’’ the message contains specific metadata that describes theintended use or audience of the message. Outlook 2007 or Microsoft Office Outlook Web Accessmay act on this metadata by displaying a user-friendly description of the classification to sendersand receivers of a classified message. In Exchange Server 2007, the Exchange Transport servicemay act on the metadata if there is a transport rule that meets specific criteria that are configuredby the Exchange administrator.

The following list provides a brief description of some of the message classification fields thatcan be set by the Exchange administrator:

◆ Display name

◆ Sender description

◆ Recipient description

◆ Locale

It is important to remember that in the initial installation of Exchange Server 2007 all messageclassifications are informational only. They don’t do anything because they are not associated withrules. Default message classifications are simply a way for senders to communicate additionalinformation about a message to the message recipients.

Your plan can consider and call for creating a global transport rule that enforces some or all ofthe message classification based on your business needs. For example, if the client organizationis a law firm or a company with a legal division, you can group the attorneys into organizationalunit that is called ‘‘Legal.’’ You can then configure a transport rule that returns messages that areclassified as A/C Privileged to the sender if the sender or at least one recipient on the To or Cc lineis not in the Legal group.

Message classifications can be logically separated into two classes based on how they areattached to a given message:

◆ A message classification can be manually added by the sender of a message.

◆ A message classification can be added as the result of a rule.


You can create more than one message classification instance for each language in yourorganization. If you have multiple, localized versions of a given message classification, Outlookand Outlook Web Access will display the correct version based on the language settings on theuser mailbox.

In some scenarios, your business needs may dictate following different regulations for differentregions or locales where your business operates. In these cases, it may not make sense to display allmessage classifications to all users. For example, health care–related companies that operate in theUnited States and in Europe may have to comply with Health Insurance Portability and Account-ability Act (HIPAA) regulations in the United States but not in Europe. Therefore, the display ofmessage classifications that are HIPAA-specific should only be enabled for employees operatingin the United States. You can set read permissions on classifications so that only appropriate userscan view specific message classifications.

Overview of DisclaimersAfter several high-profile lawsuits with multi-million dollar penalties concerning the contents ofcorporate emails, companies are increasingly aware that simply by using email they are exposingthemselves to legal threats. Email disclaimers can also be used for marketing purposes or to pro-vide warnings about unknown or unverified email senders or for any other reasons determinedby an organization.

Exchange Server 2007 includes the ability to add text disclaimers to email messages that areprocessed on a computer that has the Hub Transport server role installed. Disclaimers are typicallyused to provide legal information and warnings about unknown or unverified email senders, orfor various other reasons as determined by an organization.

There are several legal threats that disclaimers can help protect against:

Breach of confidentiality By including a disclaimer that warns that the content of the email isconfidential, you can protect your company against the exposure of confidential information. Ifthe receiver breaches this confidentiality, they could be liable.

Accidental breach of confidentiality If an employee were to receive a confidential mail fromsomeone and by accident forward it to the wrong person, the employee, and therefore the com-pany, could be liable. This can easily happen. For instance a wrongly addressed email can beforwarded to a postmaster, who might not be authorized to read the mail. Furthermore, emailcan easily be intercepted. If you include a statement at the end of your mail that the messageis only intended for the addressee, and that if anyone receives the email by mistake they arebound to confidentiality, this could protect you.

Transmission of viruses If an employee sends or forwards an email that contains a virus,your company can be sued for this. Apart from implementing a good virus checker that blocksviruses entering and leaving the company via email, you can also warn in your disclaimer thatthe email can possibly contain viruses and that the receiver is responsible for checking anddeleting viruses.

Entering into contracts Written communication, including email, can be used to form bind-ing legal contracts if the individuals have actual or apparent authority to do so. If you donot wish certain employees to be able to form binding contracts by email, you could includea statement that any form of contract needs to be confirmed by the person’s manager.

Negligent misstatement By law, a person is obliged to take care when giving advice thata third party relies on. If an employee were to give professional advice in an email, the


company will be liable for the effect of the advice that the recipient or even third party, reason-ably relies upon. A suitable disclaimer could protect your company from this kind of liability.

Disclaimers Are Not a Panacea

There is no certainty that if a company is sued for the contents of an email, that an email disclaimerwill protect it from liability in a court of law. However, it will certainly help and in some situationsmight exempt the company from liability because it can show it has acted responsibly.

Although a company is ultimately responsible for the actions of its employees, including the contentof any emails they send, a disclaimer can decrease liability. If a company can show that it has cor-rectly instructed its employees not to send libelous, inappropriate, or defamatory statements this couldhelp in disclaiming responsibility if an employee breaches these rules. A company can demonstratethis by including an email disclaimer to that effect, and by implementing an email policy that clearlywarns employees against misuse of email.

There is no disclaimer that can protect against actual libelous or defamatory content. The most a dis-claimer can accomplish in this respect is to reduce the responsibility of the company, since it can provethat the company has acted reasonably to stop employees from committing these offenses.

Apart from legal uses, disclaimers can be used to add a footnote or to add a signature formarketing purposes. A ‘‘disclaimer’’ can also be used to add a company address, URL, and/orslogan if wished. In some countries companies are required to state the company’s particulars onany written communication. Since email is also written, it is probably best to include this in emailsas well.

Another benefit of using disclaimer is that they help an enterprise convey a professional, trust-worthy image.

Disclaimer Examples

Disclaimers can serve a variety of purposes, not only legal but also marketing and customer servicesupport and information ones. The following examples, taken from my own email, show you the usesto which this technology can be put. You encourage management to think of various proactive waysto use disclaimers to promote their business and not just for defensive antilawsuit purposes.

Amazon.comWe hope you found this message to be useful. However, if you’d rather not receive future emailsof this sort from Amazon.com, please visit the opt-out link here: http://www.amazon.com/gp/gss/o/1U4V7f41B4j.GH5WzGigvvY4BFb47iy-8AQqoA9w43HM

Please note that product prices and availability are subject to change. Prices and availabilitywere accurate at the time this newsletter was sent; however, they may differ from those you seewhen you visit Amazon.com.


(c) 2007 Amazon.com, Inc. or its affilates. All rights reserved. Amazon, Amazon.com and theAmazon.com logo are registered trademarks of Amazon.com, Inc. or its affilates.

Amazon.com, 1200 12th Ave. S., Suite 1200, Seattle, WA 98144-2734.

GFI

DISCLAIMER

The information contained in this electronic mail may be confidential or legally privileged. Itis for the intended recipient(s) only. Should you receive this message in error, please notify thesender by replying to this mail. Unless expressly stated, opinions in this message are those of theindividual sender and not of GFI. Unauthorized use of the contents is strictly prohibited. Whileall care has been taken, GFI is not responsible for the integrity of the contents of this electronicmail and any attachments included within.

This mail was checked for viruses by GFI MailSecurity. GFI also develops antispam software(GFI MailEssentials), a fax server (GFI FAXmaker), and network security and managementsoftware (GFI LANguard) - www.gfi.com

Against The Odds Magazine

Against the Odds Magazine has won three Charles S. Roberts Awards for BestWargaming Magazine. Visit us at www.atomagazine.com and see why!Andy Nunez, besides editing Against the Odds is also the author of Treasures of theEastern Shore, Mysteries of the Eastern Shore, Crimson Need, and the upcoming Ghosts ofthe Eastern Shore, all available from www.cambridgebooks.us.

Law offices of Hilary B. Miller

This message, together with any attachments, is intended only for the use of the individual orentity to which it is addressed and may contain information that is legally privileged, confiden-tial and exempt from disclosure. If you are not the intended recipient, you are hereby notifiedthat any dissemination, distribution, or copying of this message, or any attachment, is strictlyprohibited. If you have received this message in error, please notify the original sender imme-diately by telephone (203-399-1320) or by return email and delete the message, along with anyattachments, from your computer. IRS Circular 230 disclosure: Any tax advice contained in thiscommunication (including any attachments) was not intended or written to be used, and cannotbe used, for the purpose of (i) avoiding tax-related penalties under the Internal Revenue Codeor (ii) promoting, marketing or recommending to another party any matters addressed herein.Thank you.

British Airways

IF YOU HAVE RECEIVED THIS EMAIL IN ERROR This is a confidential email intended onlyfor the British Airways customer appearing as the addressee. If you are not the intended recipi-ent please delete this email and inform the sender as soon as possible. Please note that any copy-ing, distribution or other action taken or omitted to be taken in reliance upon it is prohibitedand may be unlawful.

PLANNING MAIL ARCHIVING 109

Jumeirah Emirates Towers

Disclaimer

Jumeirah is a trade name of Jumeirah International LLC, a limited liability company incorpo-rated in Dubai. Commercial Registration Number 57869. Share Capital Dhs. 300,000 fullypaid up.

The information in this email is private & confidential. It is intended only for the use of the per-son(s) named. If you are not the intended recipient, you are notified that any dissemination orcopying of this communication is prohibited and kindly requested to notify the sender and tothen delete this message. Jumeirah International LLC gives no representation or guarantee withrespect to the integrity of any emails or attached files and the recipient should check theintegrity of and scan this email and any attached files for viruses prior to opening.

Unique Disclaimers

The following conditions are examples of business conditions that might require that you useunique disclaimers:

◆ Legal requirements that may be different in various countries or regions

◆ Different languages

◆ Business or regulatory requirements that may be different in multiple regions

◆ Potentially unsafe email messages that are sent to internal users

Disclaimers for Messages That Can’t Be Modified

Some messages, such as encrypted messages, prevent Exchange from modifying the content ofthe original message. Exchange enables you to control how your organization handles these mes-sages. When you create a new disclaimer, you can decide whether to wrap a message that can’tbe modified in a message envelope that contains the disclaimer, reject the message if a disclaimercan’t be added, or let the message continue without a disclaimer.

Planning Mail ArchivingSince Chapter 2 we have been discussing the need to comply with certain requirements and thefact that such requirements must be factored into your planning. In Chapter 4, we discussedthe role of journaling and other compliance meeting actions and tasks that you needed to take intoconsideration. All these touch on the concept of mail archiving in one way or another.

Your plan for your Exchange Server 2007–based messaging system must include provisionsfor archiving email, whether or not you intend to use Exchange Server 2007 exclusively, use it inconjunction with third-party products, or use third party products exclusively.

As you should be aware, email has become a primary channel of business communication. Asemail has evolved into electronic substitutes for legal business documentation, the informationin the email now constitutes a legal record. Hence, as with all records, these emails must now beretained for a minimum period of time, often established by statutes. As mentioned previously,there is considerable legislation and regulatory requirements describing what to retain, how to


retain it, and how accessible it must be. Simply stated, retaining these records is critical and mustbe planned for.

You should also understand the real difference between a true email archive and an emailbackup that is sometimes erroneously described as archival.

An email archive is a repository of correspondence, usually held in a nonproduction environ-ment that provides a secure preservation of email for compliance and operational purposes. A‘‘true’’ email archiving system automatically extracts message contents and attachments fromincoming/outgoing emails, and after indexing, it stores them in read-only format. This ensuresthat archived records are maintained in their original state.

Because it’s active, archiving ensures that an organization has a centralized and accessible copyof all its email. This provides additional protection against accidental or intentional deletion ofemails by end users. Email archiving also eliminates the need to search for personal archives oneach and every local machine whenever litigation support is requested. Record authenticity (i.e.,preservation of a record in its original state) is one of the key requirements in many of the contentregulations imposed by the laws.

This is completely different from email backup. Backups are intended to save current dataagainst the event of failure or disaster. That’s all. The data is not ‘‘archived,’’ merely stored. Bycontrast email archiving systems preserve data in a manner that allows it to be accessed whenneeded by using advanced search and retrieval functions. These systems allow users to trackdown email messages in a timely and cost effective manner.

Email archiving also allow for the creation of access restrictions to secure and protect intel-lectual property rights as well as ensure data integrity and confidentiality in compliance to thestatutes.

Email archiving solutions offers businesses tremendous capabilities — from optimizing theiremail environment to providing archive, search, and retrieval options for compliance and discov-ery mandates. Often the benefits these solutions provide go beyond the scope of an organization’sinitial requirements.

Prior to planning and implementing an email archive solution, you should carefully examinethe drivers that determine the solution. You should also carefully research the companies thatoffer email archive solutions, as this is a relatively new market and some technology vendorsdon’t have the track record that others do.

The Cost of Discovery

The cost of finding the electronic records for a discovery process can be astronomical, requiringmonths of IT manpower to wade through backup tapes. Failing to find the records or losing them canlead to a series of fines and directed judgments. Your email archiving design should prevent these sortof occurrences:

◆ In Murphy Oil USA v. Flour Daniel, the defendant was ordered to restore and print the emailscontained in 93 tape backups and to absorb the total costs involved to perform this operationwhich amounted to $6.2 million.

◆ In March 2004, Bank of America was fined $10 million by the Securities and Exchange Commis-sion (SEC) for failing to retain email records for the time stipulated by the regulation and forfailing to submit the information requested by SEC in a timely manner.


◆ Investment firms Deutsche Bank Securities Inc., Goldman Sachs & Co., Morgan Stanley,Solomon Smith Barney Inc. and U.S. Bancorp Piper Jaffray Inc. were all fined $1.65 million eachfor not complying with SEC Rule 17a-4 and for failing to produce emails requested during thecourse of an investigation.

◆ The cost for restoring 77 tape backups in the case Zubulake vs. Warbung (USB Bank) amountedto $165,954, and the relative review costs totaled to $107,694.

◆ Philip Morris International, one of the largest tobacco companies in the world, was fined $2.75million dollars for destroying emails in violation of a 1999 order.

Why Archive Email?There are four key reasons for an organization to archive its email. These are compliance, judicialdiscovery, storage management, and knowledge control.

Compliance

The new regulatory environment is one of the major drivers behind the increase in demand foremail archiving solutions.

Although the data subject to regulatory statutes varies by industry, all records that pertain tothe organization’s business activity are subject to compliance regulations. These include employeeand client records, correspondence between organizations, and financial documentation.

Other legislation defines requirements for specific regulated industries. Some legislation relatesto the amount of time records must be held, while other legislation relates to what can be held.While it is not always clear-cut what these laws require, and there is some degree of subjectivityin interpreting the laws, several common themes emerge:

◆ Electronic business records (including email communications) are now placed under thesame scrutiny as their paper-based counterparts. Failure to manage these records properlyand failure to reproduce certain email data upon request could be deemed an obstructionof justice.

◆ Organizations are being required to archive email data systematically as a standard courseof business and, in some cases, on a inalterable storage medium to bolster the evidentiaryvalue of this data.

◆ Organizations are being required to document their data management practices andrequirements related to email and to communicate this information to employees so that allstakeholders are on notice as to the liabilities associated with email messages.

◆ Metadata or descriptive information about the email data itself is viewed as a key consider-ation when evaluating the evidentiary value of archived email messages.

Although many regulations exist and each seems to have its own requirements, email archivingcompliance is based on three main concepts:

◆ Archived data must be retained in its original state without being altered or deleted.

◆ Archived information that is retained must be safeguarded against all security threats,which include access by unauthorized persons as well as anything that could physicallydamage or endanger the availability of the information.


◆ Archived information should be easily accessible in a timely manner by authorized person-nel whenever required.

Any archiving plan and product should ensure that these exist.

Judicial Discovery

Sooner or later every company, large or small, is going to become involved in a lawsuit, either asa defendant or a plaintiff. Every lawsuit inevitably involves the process of judicial discovery.

Discovery is the process in which parties involved in a lawsuit are requested by the court tosubmit information that is relevant to the case. The company that receives the discovery requestmust search its records and submit all the relevant/requested information in a timely manner.Recent court rulings have acknowledged that the company providing the information mustendure the discovery cost, without reimbursement. As you can imagine, as is shown in ourreal-world examples, the cost of producing the information for litigation can be colossal and canoften outweigh the damages sought in the suit, especially if the organization does not have anadequate email archiving solution in place.

An issue with discovery requests is that there is no specific time limit that defines on how farback a company must search. Organizations are required to provide all copies of email relevantto the request, regardless how far back this may be. The completeness and availability of all therequested records and the time required to extract this information depends very much on theorganization’s email storage management and employee behavior.

Other issues that need to be considered are that litigation support information must be accurate,complete, and possibly in its original state. An organization that fails to submit the informationrequested in a legal discovery can be found guilty of ‘‘spoliation.’’ This is legal term describesthe improper destruction of evidence. If a court feels that there is a basis to believe spoliation hasoccurred, it can do a number of things, almost all of them bad for the party found involved inspoliation. The court can order a verdict for the other party, or the court can assume that the lostinformation was harmful to the party that failed to produce it and instruct a jury to act accordingly.Finally, there can be hefty fines.

Storage Management

It has been estimated that one in every four organizations experiences a storage managementgrowth rate in excess of 25 percent per year. It is also estimated that nearly 50 percent of orga-nizations are providing more than 150 MB of storage per user. A study by Osterman Researchaffirms that email stores are growing at 37 percent annually. Consequently, keeping email in a‘‘live’’ (online) storage format will necessitate more physical storage space as well as increasinglypowerful hardware to handle these loads. Compliance regulations have further contributed to theincreased demand for storage by obliging organizations to preserve old email forpredefined periods.

Email archiving solutions can be used to provide a more versatile way of storage managementby doing the following:

◆ Centralizing the organization’s email records.

◆ Storing emails in a compressed format.

◆ Automatically archiving emails as they pass through the message store.

◆ Allowing authorized users to view emails from a central repository can encourage them toeliminate bulky PST files stored locally.


Knowledge Control

An organization’s email system is also a vast and comprehensive corporate knowledge repository.It can contain vast quantities of useful email information that are often vital to a business, andallowing access to this corporate asset can make users more productive.

An email archiving system can provide appropriate knowledge management tools (for example,email record sorting, advanced searching, and retrieval functions) that enable IT and end users tobetter manage the knowledge base contained in the company’s email archive.

Performance

Archiving can enhance performance. By decreasing the size of the primary email database, theperformance of the email servers is enhanced and there is a subsequent reduction in the amountof high-performance storage required for email.

Backup and recovery operations will be improved as well. Because persistent (that is, static)data is archived, the amount of unchanged data that is backed up again and again is reduced.

Email Archiving Planning ConsiderationsBased on the above, any email archiving solution should include the following features:

◆ Emails should be archived automatically and with the minimal human interventionpossible.

◆ Archived emails should be indexed, especially the text content, so that search facilitieswill enable the quick extraction of records to support regulatory audit requests and legaldiscovery.

◆ The email archiving plan system must include configuration features through which thecompany can define its archiving criteria. These features should at least allow archiving ofspecific mailboxes and messages from specific domains or email addresses.

◆ The email archiving system must be able to ensure that records are secure from loss, dam-age, or misuse. The solution must include access restriction features.

◆ Journaling must be used for organizations that are using the email archive solution for gov-ernance (i.e., a system of record), since it ensures that each email is capturedand saved.

◆ The solution should enable a company to use its email archive as a central knowledgerepository from where authorized users can extract information required. Depending onhow the system is configured, the retrieval can essentially be transparent to theend user.

◆ The archiving system should support all major messaging platforms to ensure standardscompatibility.

Deploying and Managing Email Archive SolutionsThere are two main methods for deploying and managing email archive solutions:

◆ A completely in-house solution

◆ A hosted solution in which the archive is maintained at a third party’s data center


An in-house email archiving solution involves having your email repository on a server withinthe corporate building. The main advantage of in-house archiving is that the organization’s sen-sitive information is stored behind the corporate firewall and is handled by its own internal staff.This ensures better control over data integrity and confidentiality. The organization relies entirelyand independently on its own resources and can therefore assess its compliance status at any time.The main disadvantage is the upfront costs involved and the sudden impact that the system mighthave on the company’s IT department. In order to deploy an internal email archive, the companymust purchase an adequate email archiving program as well as the hardware (server) that willhost the archive.

Hosted solutions require lower upfront cost than in-house solutions. Customers can get upand running fairly quickly without the investment in hardware and IT staff. Running costs arealso low since new capabilities and software/hardware upgrades are generally implemented bythe provider. In hosted solutions, a software application located on the corporate email servercaptures email and migrates it offsite via the Internet to a third-party data warehouse for archiv-ing. Authorized users can subsequently access the data stored offsite using a web browser orcompatible email client.

However, it is likely that many, if not most organizations will prefer a message archivingsolution that is operated completely in-house. This perception is primarily attributed to the factthat organizations feel more confident when storing sensitive corporate data in-house rather thanon third-party servers outside the company (i.e., hosted archiving).

In addition companies that manage their own email systems have the final say on when thingsget done whereas with a hosted system the company’s priorities compete with those of the serviceprovider. Such a limitation may actually place an organization at higher risk because archivalrecords might be incomplete and/or may not be able to be retrieved in the time required by arequest. Organizations must also consider the possibility of a provider going out of business orfailing to provide a service compliant to the statutes. In such an event, the company will be forcedto change service supplier or must switch to an in-house archiving solution. In either case, thearchiving service will be disrupted and extra money must be spent.

Some organizations perceive hosted archiving solutions as a way to shift liability to the out-sourcing vendor but this is a misconception, as the liability continues to fall with the data owner(that is, the organization employing the outsourced resources).

In-House vs. Outsourced ServicesNow that you’ve determined what needs to be planned for and how it should be implemented, onefinal consideration is where and how you want to provide these services. In the past, the answerwas relatively simple; most companies and enterprises would purchase the needed hardwareand software, and hire the necessary support staff. However as Exchange, and the whole area ofmessaging systems, has become more complex that simple option has started to lose its allure andpracticality.

Exchange 2007 is the first major update since Exchange 2003, and it is the first version of thesoftware that runs only on 64 bit servers. Previously, Exchange ran on 32 bit servers, so customerswill not be able to just switch out their current version of Exchange to a new one. They will berequired to update the hardware.

The introduction of server ‘‘roles’’ in Exchange Server 2007, while a boon in one regard, alsomeans that the software can no longer be set up for high availability on two servers — one forthe roles and one for failover. Now, to run all of the three primary Exchange 2007 roles (mail-box server, hub transport, and client access) with high availability, you will typically need up tofour servers, which is twice as many as you needed in Exchange 2003. If your design adds the Uni-fied Message and Edge Transport roles, you need six servers. Of course, if you don’t want high

IN-HOUSE VS. OUTSOURCED SERVICES 115

availability, you can run all the roles of Exchange Server 2007 on one server, except for the EdgeTransport server. The question of course is whether or not an enterprise is willing to forego highavailability for their messaging system. Most won’t take that risk.

New hardware requirements, incompatibilities with other Microsoft software, and the com-plexity of the product’s new architecture are just a few of the issues that can make a move toExchange 2007 from Exchange 2003 or earlier versions costly for a company and difficult for ITadministrators. There are 6,000 pages of documentation for an IT administrator to review andunderstand in order to deploy Exchange Server 2007.

Another concern is the need for added functionality that most organizations will have foremail archiving, storage management, and continuity service messaging, which is not fully metwith standard features. For example, Exchange 2007 lacks capabilities for the following:

◆ The ability to set, secure, or easily manage granular message retention and deletion rules

◆ The ability to place legal holds on selected mailboxes to prevent the destruction of messages

◆ Storage management capabilities to reduce data store sizes or improve backup, recovery,and maintenance window times

◆ The ability to execute finely tuned searches for messages, and/or attachments across multi-ple mailboxes

◆ End user search and recovery of deleted or lost messages and attachments

◆ Continuity services that protect against site outages, infrastructure problems, database cor-ruption, Exchange & Active Directory problems, and configuration errors

◆ Email recovery services that protect against message loss in the event of databasecorruption

◆ Wireless device continuity services that protect against BlackBerry downtime duringExchange, Active Directory, and infrastructure outages

Nearly all companies, especially U.S. companies regulated under Sarbanes-Oxley or with activelitigation subject to the Federal Rules of Civil Procedure, consider these archive, compliance, anddisaster recovery capabilities to be essential email requirements. As a result, most companies willprobably deploy Exchange 2007 with a complementary mail archiving solutions as discussed inthe next section. With part of the solution already being outsourced, there will likely be somepressure to outsource the entire messaging system solution.

For many small and medium businesses (SMB) the entire cost, both financial administrativeand resource intensive of an in-house Exchange Server 2007–based messaging system may simplybe too much. Upfront costs can exceed $10,000, plus staff time to maintain the server. These con-siderations may necessitate SMBs considering different strategies. Large enterprises will likely beless inclined to make a move to a hosted Exchange system, but increasing complexity and resourceconsumption will start to drive organizations to study their options in that regard.

Pros and Cons of OutsourcingOutsourcing has a number of substantial benefits. When done correctly, it can provide SMBs withdirect positive outcomes:

◆ Low cost-of-ownership and cost predictability

◆ Rapid deployment

◆ Scalability


◆ Anytime, anywhere access to information

◆ Business-class messaging and collaboration

◆ Malware management

Outsourcing reduces or eliminates the following:

◆ Purchasing hardware and software, reducing startup costs

◆ Maintenance expenses

◆ Administrative staff needs

◆ Maintaining hardware and software updates

In addition, it makes sense to utilize off-site solutions that have no dependency on your organi-zation’s internal infrastructure. Similarly using an outsourced service eliminates spam and virusesat the perimeter before they utilize your organization’s bandwidth and server capacity. Finally,for archiving, it is often important to have a third-party custodian who can certify the integrity ofthe message archive in the event of a lawsuit or compliance investigation.

Outsourcing email is usually a harder decision for a large enterprise IT to make. This is becausethere is already significant investment in resources and expertise, which acts as an anchor to keepemail servers and administration in-house. Also outsourcing from a large enterprise requirescareful strategic planning because of the integration between email and other applications thatmay already exist. There may also be custom integration with other enterprise systems, such asorder-taking systems that get their input from email.

Service-Level AgreementsBefore finalizing an outsourcing arrangement, you should have a service-level agreement (SLA)with the vendor. Simply described an SLA is a formal negotiated agreement between customersand their service provider, or between service providers. A typical SLA records the commonunderstandings about services, priorities, responsibilities, guarantees, and the like, with the mainpurpose being to agree on the level of service. For example, it may specify the levels of availability,serviceability, performance, operation, or other attributes of the service such as billing, and evenpenalties in the case of violation of the SLA.

There are two major parts to an SLA — the governing document and the process:

◆ The SLA document is usually legally binding between a company and an outsourcing ven-dor(s). The document describes the exact services and service levels, with details about allagreements.

◆ The SLA process represents the methods that the outsourcing vendor will use to support theSLA document. The methods of supporting the SLA document are usually left to the out-sourcing vendor to identify. These processes should be discussed and possibly identifiedduring SLA contract negotiation. It is important that both parties understand the processesand methods of support as well as the management and reporting tools.

The SLA process represents a third of the total solution. It is up to the outsourcing vendorand your company to ultimately choose the correct people to manage the systems and the besttechnology for implementation. The people involved in managing the process must also managethe technologies and understand the importance of reporting on and monitoring the entire system.

IN-HOUSE VS. OUTSOURCED SERVICES 117

System management and service desk automation technology can provide a supportingenvironment for tracking, escalation, and management of service metrics. End-user satisfactionsurveys can also provide input that will help target appropriate service levels and cost controls.

Proper Elements of an SLA

Let’s take a look at what needs to be considered in creating an SLA document for the fictional com-pany Maeder Enterprises:

Statement of objectives The primary objective of an SLA document is to correctly identifythe support requirements for Maeder Enterprises in regard to supporting the messaging systemneeds.Usually this will be negotiated between the Maeder Enterprises and the vendor.

Contacts and role assignment First, name the key contact for the service-level agreementand delegate SLA management tasks to others. You may need to include other contacts such asmanagement, technical personnel, and the like.

Reporting The frequency and detail of reports must be identified as well.

Finances Payment terms and contract length are negotiated with the outsourcing vendor.

Contract termination procedures Specifies how the contract is terminated. Specifies penal-ties, if any. Specifies whether technology transfer must occur.

Review process There should be a formal review to evaluate the performance and customerservice levels as well as staff reviews. A quarterly review is sometimes formalized in order toinclude discussions on SLA fulfillment, staffing, and future projects that may affect the SLA.

Change management Specifies how amendments and changes can be made to the existingSLA. Several things could require a change or addendum to the existing SLA:

◆ A change in the process workflow

◆ Additional services

◆ Missed performance or customer service thresholds

◆ Additional third-party applications

Usually these changes are detailed by contract riders appended to the SLA until such timethat the SLA is rewritten to incorporate the addendums. The SLA can only be written during arenewal cycle, with both parties present.

Financial incentive plan Specifies penalties and bonuses for meeting or exceeding SLA per-formance guidelines. This can be used as a carrot/stick approach to ensure SLA compliance.

Performance-level guidelines These should be specified and metrics applied. In the case ofan SLA for Exchange outsourcing, typical metrics might include:

◆ Intersite message transfers

◆ Intrasite message transfers


◆ Remote synchronization performance

◆ Offline address book refreshes

◆ Mailbox replication/size

◆ Directory update frequency

◆ Administrative task time limits (e.g., one business day to add a mailbox)

Uptime requirements System availability can be an expensive requirement. It is impor-tant to identify the specific requirements from a resource access standpoint and not neces-sarily on a server-by-server basis. The specifics dictate the availability of the services:

◆ Network and remote access

◆ Mailbox access

◆ Public folder access

◆ Intersite directory

◆ Intrasite directory

◆ Server availability

Equipment support requirements For access and security, you should require that namedcontacts be permitted physical access to the equipment at any given time. Moreover, over-all access to the equipment must be secured and restricted. Access to the equipment must beavailable 24 hours a day, 7 days per week for the vendor’s support personnel.For backups, many companies require that the clients be able to request a ‘‘recovery of deleteditems’’ for up to 30 days of deleted items. Moreover, backup tapes for the system should beplaced in a 30 day rotation, then erased or destroyed. There should be no tapes that containdata over 30 days old.For monitoring, specify any required monitoring or where appropriate the type of monitoringtechnologies to be used.

Staffing Certification and experience levels of supporting staff. Exclusive/nonexclusive use ofresources.

Equipment Brand/vendor of equipment to be used. Any additional equipment for testing orrecovery.

Comfort LevelThe final decision will be up to the enterprise’s management, but your recommendation on thispoint will carry considerable weight. Before recommending outsourcing to a particular vendor,you should be comfortable with your answers to the following points:

◆ Is the organization comfortable with someone else handing their data? If you’re the CIA,you may not want to have others in possession of your email.

◆ Do you feel secure that your outsourcing solution will be there for you when you needthem for a restore or just general support? You should always check the track record andreliability rating of any vendor.

SUMMARY 119

◆ Do they have the technical expertise to do everything you need?

◆ What is the plan in the event their hardware fails?

◆ If the vendor turns out to be a mistake or incapable of meeting your needs, what is yourbackout strategy? Can you migrate to your own server, or another third-party’s servers,if you need to reverse your outsourcing decision?

SummaryAs you have seen, Exchange Server 2007 offers a broad range of functionality to messaging thatyou need to assess so that you can properly plan for it. With proper thought and attention to themajor design topics, you can put a robust and reliable Exchange email solution into place that willperfectly complement the needs of any organization.

The following are some of the best practices and key points you will want to keep in mindwhile planning for Exchange Server 2007:

◆ Use site consolidation strategies to reduce the number of Exchange servers to deploy.

◆ Install Exchange Server 2007 on Windows Server 2003 R2 Edition when possible.

◆ Select the appropriate license, version, and edition based not only on the current environ-ment but also on what is anticipated for the next 3 to 5 years.

◆ Select the processor and memory based not only on the current environment but also onwhat is anticipated for the next 3 to 5 years.

◆ Keep the AD design simple, with a single forest and single domain, unless a specific needexists to create more complexity.

◆ Implement DNS in the environment on the AD domain controllers.

◆ Keep a local copy of the global catalog close to any Exchange servers.

◆ Identify the client access methods that will be supported, and match them with the appro-priate Exchange Server 2007 technology.

◆ Make sure that you understand and plan for the correct number and type of server roles.

◆ Determine in advance who will set transport rules, journaling, and disclaimer policies.

◆ Establish sufficient flexibility in compliance policies to meet inevitable new demands andchanges.

◆ Use disclaimer and other technologies proactively, not just in a ‘‘hunker-down’’ protectiveposition.

McBee c02.tex V3 - 01/23/2008 3:01am Page 53

Chapter 2

Exchange Server 2007Administration

The changes to the new management interface are the most noticeable change to Exchange Server2007. After all, we use the administrative interface on a daily basis, and we use it to train ouradministrators and help desk. Any significant change to the interface results in confusion on ourpart and retraining for the people that use it. More than a few times during my first months withExchange Server 2007, I found myself wondering, ‘‘How do I do this in the new user interface?’’

In early deployments of Exchange Server 2007, frustration with the new interface was prettyhigh. In some cases, I think a little frustration is warranted, but in others, I think administratorsare just not approaching the changes from the right perspective. The first piece of advice I give topeople learning Exchange 2007 is to give the new interface a chance. It is different, but the changesand improvements are long overdue.

In this chapter, I want to give you a bit of a review about why the administrative interfacechanged and help you make the transition from an organization that manages with ExchangeSystem Manager and Active Directory Users and Computers to a new Exchange 2007 organization.The following topics are included in this chapter:

◆ Defining the interface to Exchange

◆ Introducing the new management interface to Exchange 2007

◆ Understanding administrative permissions and delegation in Exchange 2007

◆ Managing a ‘‘mixed’’ mode Exchange organization

Interfaces! Get Your Management Interfaces!I’ll start off by defining a management interface. In the introduction to this chapter, you probablyfigured I was referring to the Exchange System Manager versus the new Exchange ManagementConsole. In general, that is what I meant, but I want to broaden the scope a bit more forthis chapter.

The management interface for Exchange is defined as the tools that you use to manage theconfiguration, services, and data that Exchange Server supports. This is not just the ExchangeSystem Manager, but also the application programming interfaces (APIs) and scripting interfacesthat you may use to manipulate the configuration or management recipients.

Before I go any further, let me explain something. You may think that scripting interfaces do notapply to you. After all, in the past most administrators rarely wrote a script that did anything toan Exchange server, and I am included in that category. For Exchange 2000/2003, I never wrote


54 CHAPTER 2 EXCHANGE SERVER 2007 ADMINISTRATION

a script to perform any sort of Exchange management task. I used the Exchange System Managerconsole or I used the extensions to Active Directory Users and Computers. I suspect that this willchange for many of us with Exchange 2007 (it certainly has for me). Don’t be intimidated becausescripting interfaces are not as bad as they sound.

Old School With the Exchange System Manager ConsoleFirst, let’s take a look at the old way of doing things, starting with the Exchange System Manager(ESM) console that we used with Exchange 2000/2003. The ESM is a front end for the Exchangeconfiguration data that is found in the configuration partition of the Active Directory; I’ll comeback to this later. Figure 2.1 shows this management console. The management tree is in the leftpane of the window and the contents , or objects, are found in the right pane. While I was quiteattached to this console, it had a number of design flaws.

Figure 2.1

Taking a critical look atthe Exchange SystemManager

One of the biggest flaws of the ESM interface was that you often had to drill down five, six, ormore levels deep in the tree to find the actual object you needed to configure. Objects appearednot only in the tree pane but also in the details pane. Finally, once you found the object you werelooking for, the tasks available to you were not always obvious.

Recipient configuration and management could also be confusing. Under the organizationobject (Volcano Surfboards in Figure 2.1), there is a Recipients container. However, if youopen that container it holds organization-wide recipient configuration information. Thisinformation has nothing to do with individual mail-enabled recipients such as mailbox-enabledusers, mail-enabled users, groups, or contacts.

You manage actual mail-enabled recipients for Exchange 2000/2003 organizations usingextensions or snap-ins to Active Directory Users and Computers. For example, when you create


INTERFACES! GET YOUR MANAGEMENT INTERFACES! 55

a user using Active Directory Users and Computers, the New Object–User Wizard (shown on theleft side of Figure 2.2) prompts the administrator to assign the user a mailbox.

Figure 2.2

Managing mailrecipients inExchange2000/2003

If the Exchange 2000/2003 extensions for Active Directory Users and Computers are installed,when you view the properties of a user, contact, or group, you will see additional propertypages. The right side of Figure 2.2 shows the Exchange General properties of a mailbox-enableduser account.

Other Exchange 2000/2003 Management InterfacesFor users who use the graphical user interface, the functions of the Exchange System Managerconsole and the extensions to Active Directory Users and Computers have been replaced with theExchange Management Console.

However, the Exchange System Manager and the Active Directory Users and Computersextensions are just two interfaces for Exchange and recipient configuration. There are actually anumber of others, but most of these are available or useful to you only if you are writing scripts.

Active Directory Services Interface (ADSI) Most of the Exchange 2000/2003 (as well asExchange 2007) configuration is stored in the Active Directory. Administrators and developersoften write scripts to manipulate data (such as recipients or Exchange configuration data) inbulk. Scripts can be written in VBScript or other scripting languages. This interface is stillsupported, though most functions are much easier to perform using the new ExchangeManagement Shell.

Collaborative Data Objects / Collaborative Data Objects for Exchange (CDO/CDOEx)Collaborative Data Objects gives a developer or script writer the ability to access or manipulatee-mail data and directory services. The CDOEx continues to be supported on Exchange 2007but it is recommended that applications using CDOEx be rewritten to use the new WebServices API.

Collaborative Data Objects for Exchange Management (CDOExM) CDOExM providesdevelopers and script writers with an interface for managing Exchange Server configurationdata. This interface is being replaced by the new management interface for Exchange 2007.



Web-based Distributed Authoring and Versioning (WebDAV) WebDAV provides webdevelopers a mechanism for manipulating data in mailboxes or public folders via HTTP.WebDAV will continue to work on Exchange 2007, but it should be phased out in favor of thenew Web Services API.

Exchange Object Linking and Embedding Database (ExOLEDB) ExOLEDB providesdevelopers with a mechanism for manipulating data in the Exchange databases via Windowsapplications. ExOLEDB should continue to work, but applications that use ExOLEDB shouldbe migrated to the new Web Services API.

Store Events Store Events give developers the ability to trigger and run scripts based onactions that happen (new message, delete message, modify message, timed events) in amailbox or public folder. Store Events continues to work in Exchange 2007 but applicationsthat use it should be migrated to the new Web Services API.

SMTP Transport Event Sinks SMTP Event Sinks provides developers with an interface formanaging messages as they travel through the Exchange 2000/2003 advanced queuing engineand message categorizer. SMTP event sinks have been replaced by the new transport agentarchitecture.

Exchange Installable File System (ExIFS) The ExIFS gives administrators and developers(or even users if shared to the network!) the ability to access their mailbox or public folder datadirectly via a drive letter. Exchange 2000 servers automatically had an M: drive, but this waslater hidden in Exchange 2003. This has been discontinued in Exchange 2007. Administratorsthat need direct access to mailbox or public folder store data must develop applications usingthe new Web Services API.

Exchange WMI classes Exchange WMI classes allow an administrator or developer toretrieve information about Exchange Server configuration or manage Exchange Servercomponents via the Windows Management Instrumentation (WMI) interface. This interfaceis no longer supported for Exchange components and the new Exchange 2007 managementinterface should be used.

Exchange Web forms Exchange Web forms gave developers a way to develop custom webforms for Outlook Web Access (OWA). Exchange web forms are no longer supported; if youhave web-based OWA forms, they should be replaced with ASP.NET web forms and youshould use the new Web Services API.

Workflow Designer The Workflow Designer that came with the Exchange SoftwareDevelopment Kit allowed custom workflow applications to be developed for Exchange. Thisis no longer supported and should be replaced by workflow applications developed usingWindows Workflow Services.

As you can see, there are quite a few interfaces to Exchange 2000/2003, and this is not even allof them. Out of all of these interfaces, I have used only ADSI and CDO and then only with the helpof a real developer. So why are these important to you? And why are they in a book for systemadministrators?

I included them here because I want to emphasize how much easier many of the adminis-trative and data access tasks actually are with Exchange 2007. Also, if you are planning yourmigration from Exchange 2000/2003 and you have customized applications that use one of theseinterfaces, then you need to understand that some of them may break if Exchange 2007 does notsupport them.


NEW EXCHANGE 2007 MANAGEMENT ARCHITECTURE 57

New Exchange 2007 Management ArchitectureNow that I’ve presented a review of the management interfaces for Exchange 2000/2003, let’s startwith a discussion of how they have been consolidated and modernized. When talking about thegeneric interfaces, the Exchange team set a few goals:

◆ Acknowledge that Exchange 2000/2003 management and APIs are inconsistent andfunctionality is scattered across many different API sets.

◆ Simplify Exchange configuration and data management by reducing the number of APIsthat have to be learned and supported.

◆ Provide more powerful access to Exchange data through a consistent set of functions.

◆ Allow all management functions to be easily performed via a script or command shell.

◆ Interface with Microsoft’s new task-based command shell called PowerShell.

Out of this set of requirements, a new set of management interfaces were produced thatsimplify Exchange data access and administration:

◆ Exchange Web Services allow developers to access data in mailboxes and publicfolders through a consistent, web-services-based interface. This interface replaces APIssuch as WebDAV, ExOLEDB, CDO, CDOEx, Event Services, and the ExIFS, to name a few.I will not be focusing on this type of Exchange management at all in this book other thanto occasionally reference some function of Exchange 2007 that uses this interface, such asthe Availability service or Autodiscover. Any application you need to develop that wouldmanipulate data in an Exchange mailbox should use the Web Services API.

◆ Exchange transport agents allow developers to write programs that run on the Exchange2007 Hub Transport server role and can manipulate data in transit. I will not focus onthe development of transport agents other than to refer to transport agents that ship withExchange 2007, such as transport rules, the attachment filter, and the antispam agents.

◆ The Exchange management interface is the interface that manages the Exchange 2007configuration and recipient information. The Exchange Management Shell andsubsequently the Exchange Management Console use this interface.

Understanding the Management InterfaceSo now that you know a little bit about the three major API sets or interfaces that are used withExchange 2007, let’s talk about the management interface. The new management interface forExchange 2007 has been completely rewritten. One of the goals the Exchange team set whendeveloping the new management interface was to make it easier to perform scripting operationsand bulk operations against Exchange data and recipient information.

Although we could already perform scripting and bulk administration using Exchange 2000/2003, it was hardly simple. For example, if I wanted to write a script that created a new user andassigned that new user a mailbox, it would require 20 to 30 lines of VBScript code using ADSI. So,not only did I have to know VBScript, I also had to know ADSI.

Let’s say that I wanted to dismount a mailbox database on SERVER1; that might require a70-line VBScript program using the Exchange WMI Classes interface.

How about if I wanted to move all mailboxes that are members of the Executives group over totheir own mailbox database? That might require a 30- to 40-line VBScript using the ADSI interface.



Would you believe that each of these tasks in Exchange 2007 requires a single command lineto accomplish using the Exchange Management Shell. Not even a script, just a single commandline. If you are guessing that I am a fan of the new PowerShell, then you are correct, but it did takeme a while to warm up to it. I’ll tell you more about that in Chapter 8, ‘‘Don’t Fear the ExchangeManagement Shell.’’ For now, though, let’s get back to the basics of the management interface.

When the Exchange team sat down to start developing the new management interface, they seta few goals for it. These goals included making everything scriptable, allowing the managementinterface to be extended or accessed using .NET classes and providing a graphical interface as wellas a command-line interface. The basics of that architecture are shown in Figure 2.3.

Figure 2.3

Exchange Server 2007management interfacearchitecture

Exchange Management Console

Exchange Management Shell

WinForms

PowerShell Data Provider

Windows PowerShell Engine

Exchange tasks/cmdlets

Configuration Data Access

MAPIStore

Metabase

RegistryAD

First, they had to isolate the different types of configuration data and services that an Exchangeadministrator must manipulate. By and large, almost all of the configuration data forExchange 2007 and all mail-enabled recipient data are stored in the Active Directory; this hasnot changed since Exchange 2000/2003.

Note

Mail-enabled recipient data and most of the Exchange configuration are still stored in theActive Directory.



Some of the web-based components of Exchange 2007, such as Outlook Web Access,ActiveSync, Outlook Anywhere, Autodiscover, and other web services all have Internet Infor-mation Services (IIS) components. So the IIS metabase must occasionally be manipulated by theExchange administrator.

Occasionally you find Exchange server configuration information in the Windows Registry;this means that some Exchange tasks must manipulate the Registry. Finally, sometimes even anadministrator must access data in the Exchange data stores; this might include moving mailboxesor performing a discovery as a result of legal action.

After the configuration data from different locations was stored, the Exchange team next hadto determine the types of objects that must be manipulated. This includes user account e-mailattributes, group properties, mailbox databases, transport configuration, diagnostics logging,Outlook Web Access virtual directories, SSL certificates, and much more. The Exchange teamhad to analyze the types of operations performed on each type of object, such as creating a newmailbox-enabled object, mounting a mailbox database, and so on.

Each operation that can be performed against an object represents a specific task. Figure 2.4shows an example of the mailbox object and some (not all) of the tasks that may be performed.

Figure 2.4

Some tasks that canbe performed against amailbox

Mailbox enable an existing account(Enable-Mailbox)

Export mailbox contents(Export-Mailbox)

Remove mailbox from account(Disable-Mailbox)

Set the properties(Set-Mailbox)

View the properties(Get-Mailbox) User account

Create account and add mailbox(New-Mailbox)

Delete account and mailbox(Remove-Mailbox)

Move a mailbox to a new database(Move-Mailbox)

View mailbox storage statistics(Get-MailboxStatistics)

Each type of task has been abstracted to a task in the Exchange Management Shell (EMS)extensions to the new Windows PowerShell. In Figure 2.4, I gave you a sneak peak at the actualEMS cmdlet that you would use to perform each task from the command line. Developers canaccess these extensions as .NET classes using development tools such as the .NET Framework andVisual Studio. The Exchange team built a graphical user interface on top of these extensions, calledthe Exchange Management Console.

Introducing the Exchange Management ConsoleThe Exchange Management Console (EMC) is built on top of the Microsoft .NET Framework 2.0,the Microsoft Management Console v3.0, and the Windows PowerShell. All three will need to beinstalled on a Windows XP SP2, Windows 2003 SP1, or Windows Server 2008 computer beforeyou can install the Exchange Server 2007 management tools. You can install the 64-bit version ofthe management tools on Windows 2003 x64, Windows 2008 x64, and Windows XP x64 or youcan get the 32-bit evaluation software and install the 32-bit management tools on Windows XP orWindows 2003.

Since the EMC uses the Microsoft Management Console v3.0, there may be a few new thingsyou have not seen before. Figure 2.5 shows the Exchange Management Console. Notice that theconsole includes four distinctive sections; they are called panes. The EMC panes include theconsole tree, the work pane, the result pane, and the action pane.



Figure 2.5

The Exchange Server2007 Exchange Manage-ment Console

Navigation Tree

The console navigation tree is one of the biggest improvements in the Exchange 2007 EMC. Unlikethe Exchange 2003 System Manager, EMC contains only static data and containers; there are nodynamic data or objects in the navigation tree that must be configured. The EMC navigation tree isa maximum of only three levels deep and by default contains only four work centers. A differentview of just the navigation tree is shown in Figure 2.6.

Figure 2.6

Exchange ManagementConsole navigation tree



The work centers in Figure 2.6 show the different types of configuration data or operations thatan administrator may be required to manage. Later in this chapter you will see how you can breakthe console up so that an administrator can see only a particular work center. Table 2.1 describesthe Exchange 2007 work centers.

Table 2.1: Exchange 2007 Work Centers

Work center Description

Organization Configuration The organization work center contains objects and properties related to theconfiguration of the entire Exchange 2007 organization. These objects andproperties affect all servers and recipients.

Server Configuration The server work center contains the server objects that can be configuredindividually, such as mailbox databases, Outlook Web Access virtualdirectories, SMTP receive connectors, and Unified Messaging components.

Recipient Configuration The recipient work center contains the recipient data for all mail-enabledobjects in the organization, including mail-enabled users, mail-enabledcontacts, and mail-enabled groups. In Exchange 2000/2003, this informationwas managed through Active Directory Users and Computers.

Toolbox The toolbox work center is a launching pad for additional tools or consoles,including the Exchange Best Practices Analyzer, Queue Viewer, Mail FlowTroubleshooter, Database Recovery Management, and Message Tracking.

Also note in Figure 2.6 that the Organization, Server, and Recipient Configuration work centershave containers under them that help to categorize the types of objects found in them.

Results Pane

The results pane of the EMC will be different depending on which work center object andsubcontainer is highlighted in the navigation tree. For example, if you highlight the RecipientConfiguration object in the tree, the results pane will show all mail-enabled recipients (users,contacts, groups). A view of the entire Recipient Configuration container is shown in Figure 2.7.

Depending on the work center selected in the tree view, the results pane will change. If Iselect the Mailbox container under the Recipient work center, the results pane will hold onlymailbox-enabled users.

Work Pane

Some results panes list objects that require more than just a single set of property pages. Objectssuch as Exchange Mailbox servers have property pages, but objects under the server, such asstorage groups and mailbox databases, also have property pages. Server objects require anadditional pane under the results pane called the work pane. In Figure 2.8, the Mailbox subcon-tainer found under the Server Configuration work center is selected. Notice that there is a newpane below the results pane; this is the work pane.

Because I have selected the Mailbox subcontainer, the results pane lists only servers that holdthe Mailbox server role. Because the Mailbox subcontainer is highlighted, the work pane will have



property pages (in this case, only one) related to mailbox server management. Notice that thework pane has a Database Management property page that contains the storage groups for thehighlighted server in the results pane as well as the mailbox and public folder databases. Becausethe Mailbox subcontainer has been highlighted, you will see only the mailbox-server-relatedproperties in the work pane.

Figure 2.7

General view of theRecipient Configurationwork center

Figure 2.8

Server objects include awork pane.



If you select the Client Access subcontainer in the Server Configuration work center, the workpane shows only the properties related to the Client Access server that you have selected inthe results pane. Figure 2.9 shows the work pane if the Client Access subcontainer is selected.

Figure 2.9

Work pane propertypages and objects whenthe Client Access serversubcontainer is selected

If you have previously used Exchange 2007 RTM, you will notice that the Outlook Web Accesstab in the work pane shows only the OWA virtual directory now. You may also notice a POP3and IMAP4 tab in the work pane. These are changes to Exchange 2007 Service Pack 1. If you arelooking for the Exchange 2000/2003 OWA virtual directories, they are now found on the WebDAVtab of the Mailbox server work pane.

Actions Pane

The actions pane is the most dynamic of the panes found in the Exchange Management Console. Itis also arguably the biggest change found in the EMC interface. Any change of a selected object inthe navigation tree, the results pane, or the work pane will change the actions pane in one way oranother. The actions pane consists of the tasks or actions that are available for the selected object.The actions pane will change as different objects are selected in the navigation tree, the resultspane, or the work pane. The addition of the actions pane is a result of Exchange administratorsreporting to Microsoft that they had difficulty finding out the available tasks for a particular object.

Figure 2.10 is a good example of the actions pane. In this example, I selected the Mailbox sub-container in the Server Configuration work center, a mailbox server in the results pane, and astorage group called First Storage Group in the work pane.

Notice that the actions pane has a Mailbox section, a section for the specific Exchange server thatI am working on (HNLEX04), and a section for the storage group that I have selected (First StorageGroup). The actions that are available against the server (HNLEX04) are to view its properties, tocreate a new storage group, or to change the management view to another role (Manage Hub



Transport Role or Manage Client Access Role). These actions are available because this serversupports all three roles (Mailbox, Client Access, and Hub Transport).

Figure 2.10

Corresponding actionsavailable based onselected objects

Finally, the actions available in the First Storage Group section include moving the selectedstorage group’s files, creating a new mailbox or public folder database, enabling local continuousreplication, deleting the storage group, and viewing the storage group’s properties.

The First Storage Group object was also the most recent object selected in the interface, sothe actions found in the actions pane for this object will correspond with the actions found onthe context (right-click) menu and on the Action drop-down menu.

To see one final example of the Action menu tasks that become available, look at the actionsoffered when you have the Mailbox subcontainer highlighted under the Recipient Configurationnavigation tree object.



Figure 2.11 shows the actions pane for the Mailbox subcontainer. Notice that the actions panehas two sections. The first section shows the actions available for the Mailbox subcontainer. Thisincludes modifying the maximum number of mailboxes returned, view options, and creating anew mailbox.

Figure 2.11

Actions pane for theRecipient ConfigurationMailbox subcontainer

The second section shows actions for a specific mailbox because I have selected mailboxDamion Jones. From here, I can disable the mailbox, remove the mailbox from the account,move the mailbox to another database, enable Unified Messaging, or view the user and mailboxproperties. You might be wondering if this is the only information I will cover on recipientmanagement. Don’t worry; I just want you to become familiar with the console right now. I willcover more about recipient management in Chapter 9, ‘‘Administering Recipients.’’



The Toolbox Work CenterThe Toolbox work center that is found in the Exchange 2007 EMC is a new concept for Exchangemanagement tools. The Toolbox work center from a default installation of Exchange 2007 is shownin Figure 2.12.

Figure 2.12

The Toolbox workcenter of the ExchangeManagement Console

The tools that are found in the Toolbox are not directly integrated with the ExchangeManagement Console; instead, the Toolbox provides links to external tools. As new or updatedtools are released by Microsoft, the Toolbox can be updated. The following tools are found inthe Toolbox:

◆ The very popular Exchange Best Practices Analyzer (BPA) tool analyzes your Exchangeconfiguration and makes recommendations for configuration and security improvementsbased on Microsoft and industry best practices.

◆ The Details Templates Editor allows you to edit templates that the user sees from withinOutlook, such as User and Contact. This feature is new to Exchange Server 2007 ServicePack 1.

◆ The Public Folder Management Console allows you to manage public folder propertiesfrom a graphical user interface rather than the Exchange Management Shell; this featureis new to Exchange Server 2007 Service Pack 1.

◆ The Database Recovery Management tool helps guide you through the process ofperforming disaster recoveries of various server roles.

◆ The Database Troubleshooter tool helps you to determine why mailbox databases will notmount or why transaction log files will not replay.

◆ The Mail Flow Troubleshooter helps to diagnose problems relating to messages beingtransferred between Mailbox, Hub Transport, and Edge Transport servers.



◆ The Message Tracking tool allows you to track a message’s progress through an Exchangeorganization and see which Exchange components have processed the message.

◆ The Queue Viewer allows you to view the message queues on Hub Transport servers.

◆ Routing Log Viewer is a new utility that lets you view the message routing logs to helpwith troubleshooting site, routing group, server, address space, and Send connectorconfigurations.

◆ The Performance Monitor tool is a Windows tool that helps analyze and troubleshootWindows’s performance. When you launch the tool from the EMC Toolbox work center, itincludes common performance counters related to Exchange servers.

◆ The Performance Troubleshooter analyzes a server, looks at common factors that couldhurt performance — such as memory and disk configuration — and makesrecommendations to improve them.

Defining Filters for the Exchange Management ConsoleOne area that you may find frustrating is the Recipient Configuration work center. All of themail-enabled recipients in the entire organization are shown in the Recipient results pane. But youcan tidy this up a bit: you can apply a filter to restrict the scope of results displayed in the results pane.

At the very top of the results pane is a Create Filter button; you can use this option to createexpressions that define or restrict the scope of results in the results pane. While you can define afilter for any type of object, I am using the example once again of mail-enabled recipients. To createa filter, click the Create Filter button and the filter options will appear at the top of the results pane.

The left field of the filter defines the attribute on which you want to filter. You can build a filteron the following attributes:

ActiveSync Mailbox Policy Last Name

Alias (Exchange alias) Managed By

City Mailbox Folder Mailbox Policy

Company Name

Country/Region Office

Custom Attributes 1–15 Recipient Type Details (user mailbox, legacy mailbox,linked mailbox, mail contact, etc.)

Database (mailbox database) Server (home mailbox server)

Department State Or Province

Display Name UM Enabled

E-Mail Address Unified Messaging Mailbox Policy

External E-mail Address User Logon Name (pre–Windows 2000)

First Name User Principal Name (UPN)



Note that not all attributes are available for all object containers. For example, you cannot applya filter for the ActiveSync Mailbox Policy on the Distribution Group container since distributiongroups do not have ActiveSync policies.

The middle field defines the operator for the attribute you are filtering. Operators includeEquals, Does Not Equal, Contains, Does Not Contain, Starts With, Ends With, Is Present, and IsNot Present. The actual operators you see will be based on the attribute on which you are buildingthe filter.

Finally, the right field is where you enter the data for which you are building the filter. In thepreceding example, I created a filter that displays only mail-enabled users whose city is Honolulu.You can click the Add Expression button and add additional expressions to further filter theinformation that is displayed in the results pane. In the following example, I have further restrictedthe filter using two expressions so that it shows me only recipients whose city is Honolulu andwhose department is Viper Pilots.

This filter will be in effect only for the Mailboxes container because that is the subcontaineron which I created it; if I select the entire Recipient Configuration work center or the DistributionGroup, Mail Contact, or Disconnected Mailbox subcontainers, the filter does not apply.

Certain types of attributes will include a Browse button that allows you to browse the directoryfor the specific policy for which you want to set the filter. These attributes include the ActiveSyncMailbox Policy, Managed Folder Mailbox Policy, and the Unified Messaging Mailbox Policy.When you choose the Recipient Type Details attribute, the last field converts to a drop-down listand you can select from the following recipient types:

User Mailbox Mail Contact

Legacy Mailbox (a mailbox located onExchange 2000/2003)

Mail User

Linked Mailbox Dynamic Distribution Group

Shared Mailbox Mail Universal Distribution Group

Room Mailbox Mail Universal Security Group

Equipment Mailbox Mail Non-Universal Group

Exchange Management Console CustomizationThe new Microsoft Management Console v3.0 is much more flexible and customizable than earlierversions. This means that you can customize your Exchange Management Console even further



and create specialized consoles for tasks such as recipient management. Because all mail-enabledrecipients are now handled via the Exchange Management Console and we can’t sort our usercommunities based on organizational unit, we need a more flexible method that will allow you tocreate views for departmental administrators. In this case, we can use a feature of the managementconsole to create customized recipient views for allowing departmental administrators.

Customizing the Console View

There may be features or views of the EMC that you simply don’t need in order to complete yourdaily tasks. Many of the console components (such as the tree, toolbar, status bar, and actionspane) can be removed from the default view. From within your console, select View � Customizeto see the Customize View dialog box shown in Figure 2.13.

Figure 2.13

Customizing the com-ponents shown in theExchange ManagementConsole

If you are creating a scaled-back EMC console for a junior or delegated administrator,restricting or removing some of the console features may be helpful in order to create a moresimplified interface. From the Customize View dialog box, you can enable or disable the followingcomponents from the console view:

◆ The navigation tree

◆ MMC-specific Action and View menus

◆ MMC-specific toolbars



◆ The MMC status bar

◆ The MMC description bar

◆ Taskpad navigation tabs (if creating taskpads)

◆ The actions pane

◆ Exchange Management Console–specific menus

◆ Exchange Management Console–specific toolbars

For an experienced administrator, there will probably not be a need for restricting thesefeatures, but as you will see in the following example, you can certainly make the console simplerby removing some of the unnecessary features.

Creating a Recipient Management Console

Even with earlier versions of the Microsoft Management Console (MMC), there was a lot offlexibility in creating and customizing the views that are available to the administrator. TheExchange 2007 EMC is even more customizable. Consoles can be scaled back and restricted sothat only specific functions are available. In a medium-sized or large organization, an excellentexample of this would be creating a management console that allows the user to manage onlyrecipients.

In the example, you’ll create a console that allows the person using it to manage mailbox objectsonly. The result of this customization is shown in Figure 2.14.

Figure 2.14

Customized RecipientAdmin Console

So, how do you scale back a full-blown EMC to just mailbox management features? It is prettyeasy once you know a few of the tricks. Follow these steps to create a customized MMC that can



be used just for mailbox management; you can do variations of these steps to create other types ofconsoles, too.

1. Run mmc.exe to create an empty console window.

2. Select File�Add/Remove Snap-in.

3. Click the Add button, scroll through the list of available snap-ins until you find ExchangeServer 2007, select it, click Add, and then click Close.

4. Click the OK button.

5. In the console tree, expand the Microsoft Exchange Console and then expand the RecipientConfiguration work center.

6. Right-click on the Recipient console and choose Modify Recipient Scope to see theRecipient Scope dialog box. In the console in Figure 2.14, the scope of the view has beenrestricted to a single organizational unit (OU); you do this by selecting the View AllRecipients in Specified Organizational Unit radio button and then specifying the domainname and OU name. This step will be optional if you do not need to filter by domain or OU.

7. Right-click on the Mailbox subcontainer in the Recipient Configuration work center andchoose New Window From Here. This creates a window with just the mail-enabledrecipients.

8. From the View menu, choose Add/Remove Columns, and remove Recipient Type Detailsfrom the Displayed Columns list since you know that everything in this list will be a mail-box. Add City and move it up to just under the Alias. Click OK when finished.



9. Now you can remove some of the unnecessary components of the console from the view.From the menu, select View � Customize. This will display the Customize View dialogbox. Ensure that the only check box that is enabled is the Action Pane checkbox; the rest ofthe console components are unnecessary for this specific console. Click OK.


ADMINISTRATION AND PERMISSIONS 73

10. In the MMC, select File � Options and then in the Console Mode drop-down list, selectUser Mode – Limited Access, Single Window. Click OK.

11. In the MMC, select File � Save As and give the MMC file a name such asMailboxRecipientManagement.msc.

12. If you have any other MMC windows open within the MMC you are creating, you will seea prompt that reads, ‘‘You chose to display a single window interface when this consoleopens in user mode, but you have more than one window open. The user can view onlythe currently active window. Are you sure you want to display a single window interfacewhen this console opens in user mode?’’ Simply answer Yes at this prompt.

Congratulations, you have just created a simplified EMC that will allow the user of thisconsole to manage just mailbox recipients. You can use this MSC file from any computer on whichthe Exchange 2007 management tools have been installed provided the user has been delegatedthe appropriate permissions to manage the user objects in Active Directory and they have beendelegated recipient administration permissions to Exchange 2007.

Administration and PermissionsOne of the most interesting changes for Exchange 2007 is the fact that administrative groups havebeen ‘‘eliminated.’’ Well, they have not really been eliminated, but all Exchange 2007 servers areput into the same exact administrative group.

Further, not only have the administrative groups been ‘‘eliminated,’’ but administrativepermissions are now delegated in a completely different (and more flexible) manner.

Administrative Groups and Exchange 2007For most organizations, administrative groups are not all that important anymore. Manyorganizations still have an extensive administrative group structure merely because that was whatthey had in Exchange 5.5. Exchange 5.5 sites tied administration and message routing together, soadministrative groups for organizations that migrated from Exchange 5.5 often mirrored the 5.5site architecture. Organizations that did green field or from scratch migrations often duplicated theirExchange 5.5 site architecture merely because that was what they were used to.

If you install Exchange 2007 into an organization with Exchange 2000/2003 servers, youwill notice an additional administrative group in the Exchange System Manager program. Thisadministrative group is named Exchange Administrative Group (FYDIBOHF23SPDLT) and isexclusively for Exchange 2007 servers. Do not try to put Exchange 2000/2003 servers in thisadministrative group.



Warning

Do not attempt to manage Exchange 2007 servers using Exchange 2000/2003 ExchangeSystem Manager.

Even if you install Exchange 2007 from scratch in your Active Directory, this administrativegroup is created. The group is created by Setup and is required for backward compatibility. Ifyou examine the Microsoft Exchange container inside the Services container of the Configurationpartition of Active Directory, you will see this administrative group (see Figure 2.15).

Figure 2.15

Viewing the Exchange2007 administrativegroup using ADSI Edit

Assigning Administrative PermissionsBy now, you may be wondering how administrative permissions are delegated if the concept of theadministrative group is gone. Administrative permissions are now different (and in my opinionbetter) than in Exchange 2000/2003, though I should note that if you will be interoperating withExchange 2000/2003, you will need to continue to assign administrative permissions for thoseservers via your existing administrative groups.

Also, I want to comment on Active Directory permissions. Active Directory administrativepermissions and Exchange 2007 administrative permissions are split by design. This allows formore administrative flexibility. Members of the root domain’s Domain Admins group and theEnterprise Admins group will still be Exchange administrators, but other groups such as AccountOperators do not automatically include Exchange administrative permissions. This is by design toallow for maximum flexibility when creating different types of administrators.

Exchange 2007 Administrative Roles

Before we look at Exchange 2007 administrative roles, we should quickly review the Exchange2000/2003 administrative roles. This will help administrators who are making the transition fromExchange 2000/2003 organizations to Exchange 2007 better understand the changes. Exchange2003 offered three types of administrative roles, as shown in Table 2.2.

Although these roles worked well for some organizations, they could only be assigned to anentire administrative group or the entire organization. For medium-sized and large organizations,where administrative tasks are sometimes very granular, these roles may not necessarily give the


ADMINISTRATION AND PERMISSIONS 75

Table 2.2: Exchange 2003 Administrative Roles

Role Permissions

Exchange View OnlyAdministrator

Gives users or groups the ability to view the Exchange organization andserver configuration. Mailbox administrators required this role in order toenumerate Exchange server names, storage groups, and mailbox storenames.

Exchange Administrator Gives users or groups the ability to manage (create/change/delete)Exchange objects at either the organization level or within a specificadministrative group, depending on where the role was delegated.

Exchange FullAdministrator

Gives users or groups all of the permissions that an ExchangeAdministrator has but also the ability to change permissions on objects.

specific permissions required or they might give too many permissions. For example, if one groupmanaged all bridgehead servers and mail transport functions, then the organization’s bridgeheadservers all had to be in the same administrative group. If all servers (bridgehead, Outlook WebAccess, and mailbox servers) were in the same administrative groups, the permissions had to beassigned to all of the servers. Further, the administrative permissions for the organization andeach administrative group had to be delegated when Exchange server was installed.

The Exchange 2007 administrative model has improved the Exchange administrative model bydefining the following four administrative roles:

The Exchange View-Only Administrators role allows an administrator to view the Exchangeconfiguration, but they cannot make any changes.

The Exchange Recipient Administrator role has the permissions to modify Exchange-relatedproperties of mail-enabled objects such as users, contacts, and groups. This information wouldinclude information such as e-mail addresses, home server, Client Access server, and UnifiedMessaging. This permission includes only read and write permissions to Exchange propertiesfor objects found in the Users container in each domain in which the Exchange 2007 Prepare-Domain process has been run. For additional management permissions, an administratorwould have to be delegated Active Directory permissions to manage objects in an OU, givenmembership in the Account Operators group, or be a member of Domain Admins. If a user orgroup is delegated the Exchange Recipient Administrators, that user or group will have thesepermissions for the entire organization.

The Exchange Public Folder Administrator role provides permissions to manage the publicfolder hierarchy and public folder properties. This permission is new to Exchange 2007 ServicePack 1.

The Exchange Server Administrator role can be delegated permissions to one or moreindividual Exchange 2007 servers regardless of the roles that server maintains. Someone withthese permissions can manage any configuration data for that particular server, has theExchange View Only Administrators role, and will be made a member of the computer’s localAdministrators group. This role allows medium and large organizations to delegatepermissions for Exchange management more precisely.



The Exchange Organization Administrator role provides the permissions necessary tomanage the organization wide properties of Exchange 2007 including connectors, acceptede-mail domains, transport rules, Unified Messaging properties, ActiveSync policies, managedfolders, messaging records management policies, and managing global settings. This role is byfar the most powerful of the five Exchange 2007 roles.

Exchange 2007 Built-In Administrative Groups

Now that I have explained the administrative roles that you could use to delegate permissions, I’lltell you that you probably don’t need to do any delegation yourself. For small or medium-sizedorganizations, you probably will not need to delegate additional roles for your users and groups.This is because when the first Exchange 2007 server is installed, some preconfigured groups arecreated for you. In most organizations, these groups will be sufficient for assigning the permissionsyou need for different types of administrators.

These universal security groups are created in an organizational unit called Microsoft ExchangeSecurity Groups; this OU is found in the forest root domain. Figure 2.16 shows the MicrosoftExchange Security Groups organizational unit and the groups that are created in that container.

Figure 2.16

Prebuilt Windows secu-rity groups for managingExchange 2007

I recommend that you use these built-in groups when assigning the necessary permissions toyour administrators. The following are the built-in Windows security groups and the permissionsthey assign to their members.

Exchange Servers provides the permissions necessary for Exchange servers to interact witheach other as well as with the Active Directory. Each Exchange 2007 server’s computer accountwill automatically be assigned membership in this group. Administrators do not need tobelong to this group.

Exchange View-Only Administrators provides the permissions necessary to read Exchangeconfiguration data from the Active Directory and provides read access to mail-enabled objects.

Exchange Recipient Administrators provides the permissions necessary to manage mail-enabled objects (including assigning mailboxes to users and mail-enabling contacts and groups).


MANAGING AN ORGANIZATION DURING A MIGRATION 77

Exchange Organization Administrators provides members with the permissions necessary tomanage all Exchange properties for the entire organization.

Exchange Public Folder Administrators provides members with the permissions necessary tomanage the public folder tree and public folder properties.

Exchange2003Interop provides permissions necessary for interoperability with Exchange 2003.Only Exchange 2000/2003 servers need to be a member of this group.

Customizing Administrative Permissions

Most organizations will not need to customize administrative permissions, but these permissionscan be delegated at the Organization Configuration level of the EMC navigation tree. Simplyselect the Organization Configuration work center and choose the Add Delegate action; this willdisplay the Add Delegate Wizard. In Figure 2.17, I am delegating the Exchange Server Admin rolefor just a single Exchange server (called HNLEX04) to a group called Exchange Hub TransportAdministrators.

Figure 2.17

Delegating Exchange2007 administrativeroles

Managing an Organization during a MigrationSome of the most common questions I have seen on Internet newsgroups and Web forums afterthe release of Exchange 2007 have dealt with administration and interoperability. I will getinto the actual mechanics of migration in later chapters, but I want to address administration inthis chapter and hopefully answer some common questions you will have.

As with any migration, the quicker you can get all of your servers and mail recipientsmigrated from Exchange 2000/2003 over to Exchange Server 2007, the better off you will be.



The interoperability issues between Exchange 2000/2003 are few, but they can still give you a fewheadaches. If you are aware of the areas in which you need to keep an eye on interoperability, thenyou can address potential problems before they become an issue for you or your users.

We can break this up into a few different categories, including administering organizationpermissions, servers, and recipients. In the following sections, I am assuming you have installedyour first Exchange 2007 servers. These servers may be Client Access, Hub Transport, orMailbox servers, but you have put the first few Exchange 2007 servers into your organization.

Managing Organization PropertiesLet’s start with the organization-wide properties that affect all Exchange servers and recipientsin your organization. In Exchange Server 2000/2003, the organization-wide properties are foundunder the Global Settings and Recipients containers in Exchange System Manager; these are shownFigure 2.18.

Figure 2.18

Viewingorganization-wideconfiguration

In Exchange Server 2007, organization-wide configuration data are all found under theOrganization Configuration work center. In the case of Exchange 2007, the organization config-uration is separated into objects that affect Mailbox, Client Access, Hub Transport, and UnifiedMessaging servers; to manage these objects using the graphical interface, you must select theappropriate subcontainer under Organization Configuration and you must select the correct tab.Figure 2.19 shows the E-mail Address Policies page for the Hub Transport server.

Figure 2.19

Viewing the Exchange2007 recipientproperties

There are certain types of Exchange 2007 configuration data that will be completely ignoredby Exchange 2000/2003 and vice versa. For example, transport rules, messaging recordsmanagement, Unified Messaging, and journaling are Exchange 2007–specific features and are



ignored by Exchange 2000/2003 servers. Other organization-wide settings such as the spamconfidence level (SCL) settings, recipient filtering, and mobile settings are not used by ExchangeServer 2007 but are used by Exchange Server 2000/2003. However, there are certain features,such as address lists and recipient policies, that are shared by both Exchange 2000/2003 andExchange 2007.

You may be wondering how you should manage these configuration settings. In general,the rule of thumb that I use is that if the feature is accessible by either Exchange 2000/2003 orExchange 2007, I use the Exchange 2007 management tools. While you are interoperating withExchange 2003, you will still need to manage certain features from Exchange 2003, though.

The following is a list of organization-wide features that will require the Exchange 2000/2003Exchange System Manager console tool:

◆ Antispam features such as gateway SCL level, sender filtering, recipient filtering, blocklists, and Sender ID settings. (For Exchange 2007 servers, use the Edge Transport or HubTransport antispam settings.)

◆ Exchange 2000/2003 permissions delegation either at the organization level or at theadministrative group level

◆ Mobile Services for Exchange 2000/2003 users (Mobile services for Exchange 2007 users aredefined via ActiveSync policies).

Likewise, the following features are shared with Exchange 2000/2003 and should be editedusing Exchange 2007 management tools:

◆ Internet message formats in Exchange 2000/2003 are now controlled through the RemoteDomains feature of Exchange 2007.

◆ Maximum inbound message and outbound message size; maximum number of recipientsper message.

◆ Antispam store (junk e-mail) threshold value.

◆ Address lists and offline address lists.

◆ Recipient policies (e-mail addresses and mailbox management) are now maintained as anumber of separate features. E-mail addresses are now maintained as accepted domainsand e-mail address policies, whereas the mailbox manager portion is now configured bymessaging records management.

Servers and PermissionsIt is pretty easy to monitor and handle the administration when you are managing bothExchange 2000/2003 and Exchange 2007 servers. While all of the configuration for both types ofservers is stored in the Active Directory, administration is still split. Just glancing at theadministrative groups for the Exchange 2000/2003 Exchange System Manager (ESM), you mightthink that you can manage your Exchange 2007 server’s properties via ESM. When you look at theExchange 2007 administrative group via ESM (in Figure 2.20), it appears as if these servers canbe managed.

However, in spite of the Exchange 2007 servers being visible in the Exchange 2000/2003 SystemManager, all Exchange 2007 servers must be managed using the Exchange 2007 managementtools (the Exchange Management Console or the Exchange Management Shell). The ExchangeManagement Console does not even display Exchange servers running earlier versions.



Figure 2.20

Viewing Exchange 2007servers via the ExchangeSystem Manager

Tip

A good rule of thumb is that anything you find in the Exchange 2007 administrative group (ExchangeAdministrative Group FYDIBOHF23SPDLT) must be managed using the Exchange 2007 managementtools.

One nice feature of objects in the Active Directory of Exchange 2007 is the error message youget if you attempt to manage the object via ESM: you will see a message informing you that youneed a newer version of the management tool. The message you see below is a little misleadingbecause it seems to indicate that there is a later version of Exchange System Manager that willmanage the selected object, but there is not. In this case, I have selected and tried to manage anExchange 2007 object.

Message Routing and Routing GroupsWhen the first Exchange 2007 Hub Transport server is installed, the setup program prompts youfor the name of an existing Exchange 2000/2003 server to use as a bridgehead server for therouting group connector that will be created between Exchange 2000/2003 and the ExchangeServer 2007 Hub Transport server. In Figure 2.21, you see the First Routing Group container of theFirst Administrative Group; in this container you see a routing group connector called HNLEX03to HNLEX01. This connector was created by the Exchange 2007 installation process and isspecifically for delivering mail between the Exchange 2000/2003 servers and the Exchange 2007routing group.

You cannot manage the routing group connectors that are created using the Exchange 2007setup or the Exchange 2007 management tools; you use the Exchange 2007 Management Shelltools to manage these connectors.

RecipientsRecipient management has been one of the more confusing points for organizations that aremoving from Exchange 2000/2003 to Exchange 2007. First and foremost in a pure Exchange 2007



environment, those extensions to Active Directory Users and Computers that you know andlove — well, they don’t exist anymore. Figure 2.22 shows an example of the Exchange Generalproperty page.

Figure 2.21

Viewing routing groupconnectors in ExchangeSystem Manager

Figure 2.22

Active Directory Usersand Computersextensions for Exchange2000/2003



It’s not that these property pages don’t work, because many of the functions continue to work.After all, if you set a size warning limit for a mailbox, that information is in the same attribute inActive Directory regardless of which utility you use. However, even though some of thefunctions of the older utilities might continue to work, I strongly urge you to use the Exchange2007 management tools to manage any e-mail recipient that is now hosted on Exchange 2007.

During your period of interoperability between Exchange 2000/2003 and Exchange 2007, youmay also need to mail-enable users, groups, or contacts. The mail-enabled or mailbox-enabledusers may continue to exist on Exchange 2000/2003 for some time. In this case, you can use theActive Directory Users and Computers (ADUC) extensions to mail-enable objects. However, theADUC extensions require that the Exchange 2000/2003 recipient update service (RUS) be runningand able to update the necessary Exchange attributes.

You must use the Exchange 2007 management tools (the Exchange Management Console or theExchange Management Shell) to move mailboxes to Exchange 2007 Mailbox servers. You cannotuse the ADUC extensions or the Exchange System Manager interface to do this. The ExchangeServer 2007 Exchange Management Console will help you to identify recipients that have not yetbeen moved over to Exchange 2007 servers. Figure 2.23 shows the Exchange Management Consoleviewing the Mailbox subcontainer of the Recipient Configuration work center. Notice that some ofthe recipients still have Legacy Mailbox in the Recipient Type Details column; this indicates thatthese mailboxes are still on an Exchange 2000/2003 server.

Figure 2.23

Looking for legacymailboxes using theExchange ManagementConsole

SummaryFrom the perspective of the person that manages the Exchange server on a day-to-day basis andfrom the perspective of the people that manage mail-enabled recipients, the changes to Exchange2007 are most visible in the Exchange management interface. In this chapter, I first covered someof the application programming interfaces (APIs) that are used by Exchange 2000/2003 and howthey would be supported or superseded in Exchange 2007.

The Exchange Management Console is the biggest change for many Exchange administra-tors because many functions and properties have been rearranged. However, once you have


SUMMARY 83

some time to explore this new graphical user interface, you will find that it is much moreintuitive and easy to use than previous Exchange management tools.

Finally, I completely ignored the Exchange Management Shell in this chapter except for apassing mention. Many administrators will use the shell only as a last resort or if they need toconfigure some less-common configuration settings. However, for other administrators, theExchange Management Shell (and the capabilities of the underlying Windows PowerShell) willbecome an indispensable part of their everyday toolset. I’ll cover more about the ExchangeManagement Shell in Chapter 7, ‘‘Exchange Management Shell Primer.’’

McBee c04.tex V2 - 01/21/2008 4:15pm Page 101

Chapter 4

Installing Exchange Server 2007

I commend those of you who have exercised great self-restraint by not installing Exchange 2007before you read this book in its entirety, but please don’t deprive yourself. Find a x64 versionof Windows 2003 Service Pack 2 or Windows Server 2008 and feel free to run through a defaultinstallation in your lab environment right now without further instruction. Go ahead — I’ll makea cup of coffee. . .

You may have noticed that aside from requiring a x64 operating system and some softwareprerequisites like .NET 2.0 and PowerShell 1.0, the installation is at first blush very straight-forward: a dozen or so Next buttons, the name of your Exchange organization, and some clientcompatibility questions. And because you’re reading this, you probably have also come to theconclusion that a default installation of Exchange is far different than installing Exchange correctly.

This chapter will focus on the terminology, concepts, and procedures necessary to tailor asuccessful Exchange 2007 installation plan for your needs. For the most part, I am going to ignorethe possibility that you already have Exchange 2000/2003 in your environment and assume youare performing a clean installation. Don’t worry, though, I will come back to this topic in Chapter 5,‘‘Performing an Intra-Organization Migration.’’ In this chapter, I will cover the following topics:

◆ Steps to get started

◆ Selecting server roles

◆ Choosing hardware

◆ Installing Exchange Server 2007

◆ Post-installation tasks

Getting StartedWhether your organization comprises a single Exchange server with less than one hundredusers or a global network of many Exchange servers and thousands of users, the steps to installExchange 2007 are pretty much universal:

1. First build a test lab that will sufficiently duplicate your production environment. It does nothave to be exactly like your production environment, but it should give you a pretty goodidea of the things you need to know to proceed.

2. Decide which Exchange Server role or roles your organization needs to function properlyand whether or not you will need dedicated hardware for each role (as larger companieswill) or combined-function servers.

3. Determine your hardware requirements and software prerequisites for each ExchangeServer 2007 server you will deploy.


102 CHAPTER 4 INSTALLING EXCHANGE SERVER 2007

4. Run either the graphical or command-line setup.

5. Complete the post-installation steps to finalize your deployment.

Note

This chapter covers the lift and lay approach of installing a brand-new Exchange 2007 organization. Ifyou plan on migrating from an existing Exchange 2003 infrastructure or incorporating an altogetherseparate Exchange organization you should also read Chapter 5 and Chapter 6, where both scenariosare covered in great detail. I recommend reading through this entire chapter even if you’ve alreadybegun your Exchange implementation as there are some concepts and features new to Exchange 2007that will eventually demand your attention if not addressed prior to installation.

References and ResourcesBefore you start building the plan for your Exchange 2007 topology, you should be familiar withsome resources that will impact your design and that could alleviate a lot of stress down theroad. First and foremost, the Exchange 2007 release notes should make the top of your readinglist (directly under this book). There you will find late-breaking caveats, bugs, and pointers fromthe Exchange development team that could greatly impact your migration day. You don’t have tohave the installation media in order to peruse the release notes; just do a search for ‘‘Exchange 2007release notes’’ on the Microsoft home page. I am assuming that you will be installing ExchangeServer 2007 Service Pack 1 at a minimum, so you should read the release notes from the servicepack as well.

Note

Support packs have their own set of release notes and are required reading.

Another excellent online Exchange resource is the Microsoft Exchange Server TechCenter, asite dedicated to Exchange administrators looking for the latest documentation, downloads,and news without a lot of marketing fluff. The TechCenter can be found at http://technet.microsoft.com/en-us/exchange.

One of the more helpful guides that Microsoft has put together on Exchange 2007 is theExchange 2007 Planning & Architecture Guide, which can be found here in the TechCenter:www.microsoft.com/technet/prodtechnol/exchange/e2k7help/.

In recent years, Microsoft amended its Internet communication strategy to allow product teamsto publish technical content in addition to their sales and marketing presence. This significantparadigm shift has led to official Microsoft blogs that are managed by the designers, developers,and testers of Microsoft products. The Microsoft Exchange team has its own blog full of fascinatingtips, insights, and answers, which is updated on a regular basis. You can check out the blog athttp://msexchangeteam.com/.

Last, if you are having a weird problem or seeing an error message you cannot figure out,consider that someone else has also seen that error in the past or had that same problem. Beforeyou place your first call for paid tech support, it might be worth your while to check out theExchange newsgroups that can be found on almost every search engine on the planet. My favoriteat the moment is http://groups.google.com.


SELECTING SERVER ROLES 103

Creating a Test LabIf you have never installed Exchange Server 2007, I recommend performing a few dry runs to getthe kinks worked out of your process. I can’t remember the number of times that I have gotten aserver or application configured and running and then, once I started testing, decided there wasa better approach.

In this chapter, I am assuming that you are performing an installation from scratch and that youhave no Exchange servers in your organization and no updates have been made to your ActiveDirectory from installing either Exchange 2007 or an earlier version of Exchange. When building afrom scratch lab, you should plan with the following issues in mind:

◆ Isolate your test lab from your existing Active Directory; it should use its own ActiveDirectory.

◆ Use a backup copy of your Active Directory in the test lab to test Exchange 2007 changesagainst your existing directory.

◆ Install all server roles that you will use in production and confirm that you can make eachrole behave as expected.

◆ Install all third-party software (backup software, message hygiene, software,archival software, etc.).

◆ Perform customizations to your production organization.

◆ If possible, duplicate (on a smaller scale) your storage and backup architecture.

◆ Test as much of the functionality as you possibly can, including basic messaging functions,Outlook 2007 Autodiscover, Outlook Web Access, continuous replication, and clusteringfailovers.

If you are getting close to your Exchange 2007 deployment, you may actually have thehardware that you will use in production. This provides a good opportunity to burn in the newhardware, provided you completely wipe out the lab configuration (operating system and alldisks) prior to installing the new hardware in production.

Many organizations keep their test lab around after they deploy so that they can test changes,service packs, fixes, and new software additions.

If you want to simulate a user load or simulate database activity on your new servers, youcan use Microsoft tools such as JetStress, the Exchange Load Generator, and Exchange ServerStress and Performance tool; these can be found at http://technet.microsoft.com/en-us/exchange/bb330849.aspx.

As important as building a test lab is for ensuring a successful new deployment of Exchange2007, it is even more critical in a migration. This is especially true in an intra-organization migra-tion. I will discuss test labs more in Chapter 5, as well virtualization and imaging technologies.

Selecting Server RolesOne of the most dramatic improvements you will immediately recognize when installing Exchange2007 for the first time is the ability to select which roles to install on your Exchange server. Microsoftfirst introduced the concept of roles in Exchange 2000 by allowing administrators to define whetherExchange is installed as a front-end or back-end server.

Exchange 2000/2003 front-end servers were intended to accept client requests and proxy themto the client’s native back-end server for processing. While this topology helped offload some



of the back-end server’s burden, it still required a full installation of Exchange on both types ofservers, leaving no granular control over which Exchange services were installed. With Exchange2007, you can now separate the functions of your Exchange server, which allows your organizationto dramatically increase Exchange’s overall security, efficiency, and reliability. You can choose toinstall the following five roles on an Exchange 2007 server:

◆ Mailbox role

◆ Hub Transport role

◆ Client Access role

◆ Edge Transport role

◆ Unified Messaging role

It is important to understand that not all Exchange roles can be installed on the same server,and there are some distinct advantages to segregating roles onto separate servers. That said, don’tbe too afraid to select the wrong roles your first time installing Exchange. You can always go backand install or remove roles even after the server has been installed.

Tip

If you haven’t read the section ‘‘Server Roles’’ in Chapter 1, I highly encourage you to do so now. Also,if you’re about to design your Exchange 2007 architecture, you will want to peruse ‘‘Hardware andSoftware Requirements,’’ also in Chapter 1.

Required RolesIf I have made most of the server roles sound optional, I apologize. Sure, the Mailbox server rolecould be installed without any of the other server roles, but you would be left with an Exchangesystem that was relatively nonfunctional. Though I covered their functions in Chapter 1, now is agood time to quickly review the important ones handled by each server role.

Mailbox server role The Mailbox server role supports direct connectivity from OutlookMAPI clients for mailbox data and public folder data. A Mailbox server is required for e-maildata storage and public folders and to act as a target for standby continuous replication. If youplan to implement single copy clusters or cluster continuous replication clustering, the Mailboxserver role can be the only role on the cluster.

Hub Transport server role The Hub Transport server is responsible for all mail deliverywithin a single server, within an Active Directory site, between Exchange Hub Transportservers in different Active Directory sites, to external SMTP organizations, and from externalSMTP organizations. This role is required.

Client Access server role The Client Access server role (or just CAS) handles Outlook WebAccess, ActiveSync, POP3, and IMAP4 clients. The CAS server also handles services such asAutodiscover, offline address book distribution (for Outlook 2007), free/busy information(for OWA and Outlook 2007), and other web services. While some might argue that this is anoptional server role, if you have Outlook 2007 clients or require other web services, it is not.

Unified Messaging server role The Unified Messaging server role interfaces with your Voiceover Internet Protocol (VOIP) system to act as an interface for voicemail and faxes that should


SELECTING SERVER ROLES 105

be recorded and delivered to a user’s mailbox, allowing users access to their mailbox andcalendar via telephone and acting as an auto-attendant for your phone system. The UnifiedMessaging server role is optional, though I foresee its use becoming more popular over time asorganizations deploy telephone systems or VOIP gateways that will allow Exchange to interactwith the VOIP system.

Edge Transport server role The Edge Transport server role sits in your perimeter networkand is not part of your Active Directory. It is responsible for accepting inbound and outboundSMTP and performing message hygiene functions. The Edge Transport server can receiveinternal Exchange routing and recipient configuration from your Exchange organization viaa process called Edge Synchronization. The Edge Transport role is an optional component.

Combining RolesIf your organization is relatively small, say less than a 15GB Exchange 2000 or 2003 informationstore and 200 users, you may opt to install all of your roles (except the Edge Transport) on a singlepowerful server. However, there are some performance and security advantages to installing roleson multiple servers and caveats you should be aware of when colocating the Mailbox role withany others.

◆ While it can be colocated on the same server as the Mailbox role, the Unified Messagingrole requires a great deal of resources. For this reason, I recommend using no more than 25Unified Messaging mailboxes (enough for a small pilot program) on a server hosting boththe Unified Messaging and Mailbox roles.

◆ The Mailbox role is the only one that can be clustered using Exchange’s native clusteringtechnologies. For this reason, if you plan on clustering your Exchange Mailbox roles, youcannot colocate any other roles on the server hosting your Mailbox role.

Note

Organizations that have found clustering to be cost or resource prohibitive in the past may take asecond look at clustering with Exchange 2007. In the past, traditional clustering services were expen-sive because they required hardware on the Microsoft Cluster Compatibility List and Enterpriseversions of Windows Server and Exchange — this type of clustering is still supported but is nowcalled single copy clustering (SCC). Exchange 2007 introduced three more types of clustering: clusteredcontinuous replication (CCR), local continuous replication (LCR), and standby continuous replication(SCR), each of which are discussed in further detail in Chapters 12 and 13. If you like, skip ahead anddecide if these new clustering technologies are right for you, but be sure to come back!

◆ If a Hub Transport role is colocated on the same Exchange server as the Mailbox role, itwill always use the locally installed Hub Transport service and look for additional HubTransport roles only if the local Hub Transport service is not functioning. If you havemultiple servers hosting the Hub Transport role and one of them fails, the Mailbox rolewill automatically fail over to all remaining servers hosting the Hub Transport role inthe site.

◆ The Hub Transport role(s) in your Exchange organization are responsible for enforcingtransport rules and journaling policies. As you build policies to meet regulatory require-ments, you may find that a single Hub Transport role isn’t sufficient to process all the mailin your organization.



◆ Because the Client Access role does not host SMTP services, you may find it advantageousto colocate it on a server running the Hub Transport role so you can limit the number ofhosts that have to be NATed (Network Address Translation) through your firewall.

◆ The Edge Transport server role cannot be colocated with any other role.

Choosing the Order in Which to Install RolesIf you’re installing a single Exchange server, you can install all the roles at once (excluding theEdge Transport role, of course). If your implementation will span multiple servers, Microsoft bestpractices suggest you install the roles in the following order:

1. Active Directory schema and domain preparation: This can be accomplished from thecommand line or with the graphical installer.

2. Client Access role: I recommend installing the Client Access role because Outlook 2007depends on it to obtain its configuration if you’re using the Autodiscover service.

3. Hub Transport role: The rationale for installing the Hub Transport Role before any other isthat mail cannot be delivered without it.

4. Mailbox role: Once your core infrastructure is up and running, I recommend installing theMailbox server so you can test intra-organization functionality and mail delivery. If you’reinstalling more than one Mailbox role in a cluster, this is a perfect time to get the clustercompletely up and running prior to bringing clients into production.

5. Edge Transport role (optional): By this time, your Exchange System should be up andstarting to receive its first batch of spam. What better time to install an Edge Transport role?The advantage to having your Hub Transport up before your Edge Transport is that youcan set the Hub to have a lower-priority MX record while tweaking the configuration of theEdge Transport, thereby ensuring minimal loss of incoming messages.

6. Unified Messaging role (optional): If you plan on leveraging Unified Messaging, I recom-mend waiting until the rest of your core Exchange infrastructure is running in production(preferably for more than a couple of weeks) before installing this role.

Hardware SetupSince the launch of Exchange 2007, there have been several revisions to the official Microsoft bestpractices guide for sizing your Exchange server hardware. These revisions are based on feedbackfrom customers running Exchange in production as well as the developers who are writing code totake advantage of the latest hardware. In this section, I will summarize Microsoft’s best practicesand add my recommendations where applicable.

In the past, Microsoft’s minimum hardware recommendations were laughable even for a testenvironment. While Windows 2000 can theoretically run on a Pentium 133 MHz processor with32 MB of RAM, no IT professional would punish their most despised user with such a meagerconfiguration. Lately, Microsoft has opted instead to provide customers with the following threetiers of configurations:

Minimum The bare minimum hardware configuration necessary to run the product. Theminimum configuration must be met in order to receive technical support from Microsoft.


HARDWARE SETUP 107

Recommended The ideal hardware configuration for a server that is running at 75 percentto 80 percent of its capacity during peak hours. The recommended configuration is whatMicrosoft feels is the best balance between price and performance.

Maximum The maximum hardware configuration that the product is designed to utilize.The maximum recommendation is based on the product only; if you have additional servicesor applications running on the server, you may opt to exceed the maximum recommendation.

I think these guidelines are realistic and provide a very good starting point. I encourageyou to check the following site for the most up-to-date guidelines and best practices prior tosubmitting a purchase order for new hardware: www.microsoft.com/technet/prodtechnol/exchange/e2k7help/.

Basics on Memory and Processor RequirementsThe single most debated and significant change between Exchange 2003 and Exchange 2007 isthe move to the 64-bit architecture. For those of you who missed the memo, Exchange 2007 is notsupported in production on a 32-bit operating system.

Note

Note the subtle use of the word production. There is a 32-bit version of Exchange, but it is only meantto be deployed in a lab or training environment. If you’re thinking of blurring the line between yourlab and production network, forget it. There’s no way to activate the 32-bit version of Exchange. Thegood news is that you can still run the 32-bit version of Exchange after the trial period has expired (fornow), so you don’t have to rebuild your lab environment every 120 days. However, you will be facedwith a ‘‘nag dialog’’ every time you open the Exchange Management Console.

With respect to the processor, you have two choices: Intel’s Extended Memory 64 Technology(EM64 T) or AMD’s AMD64; these processor extensions are sometimes just called x64. Intel Ita-nium processors cannot be used with Windows Server 2003 x64 and thus cannot be used withExchange Server 2007. Exchange 2007 was designed to leverage dual-core processors and willundoubtedly benefit from quad-core processors.

Note

Note that Microsoft’s recommendations are for processor cores, not processors. If you have a dual pro-cessor, quad-core server, you effectively have eight cores.

With respect to memory, one of the limitations of a ‘‘legacy’’ 32-bit platform is the 4GB RAMceiling that was imposed on Exchange 2003. With a 64-bit platform, Exchange can utilize morethan 4GB of RAM, and the best part is you don’t have to fiddle with the boot.ini file in order toget the operating system to recognize more then 2GB, as was the case with a 32-bit platform.

The current recommended sizing guideline for an Exchange server hosting the Mailbox roleis 2GB of base memory plus about 5 MB per mailbox. You can use less memory than this, butdon’t expect to get the types of I/O performance that Microsoft advertises if you use less than therecommended amounts. See Chapter 1 for more information about memory sizing.



Recommended Hardware Resources for Exchange 2007 RolesPicking the right hardware for your configuration can sometimes be tough. After all, you don’twant to spend too much, but you want to make sure that you have sufficient room to grow andthat you don’t run out of capacity. This section suggests some server configurations based onserver roles and a possible load.

Sizing the exact hardware for any organization in just a few pages is impossible, so pleasekeep that in mind. The recommendations in the following sections are general and based on anaverage load. Your organization may have fewer users, but they may be much heavier messagingsystem users. These recommendations are based on a combination of research from Microsoft’sbest practices and observed behavior.

Note that in these different configurations, I recommend a best possible network connection toother server roles; this does not mean that you need separate network adapters.

Mailbox Role

The Mailbox role houses all user data; therefore its configuration is based on mailbox count anduser profile. For the purposes of establishing a common standard by which I can classify users,I will refer to the following user profiles based on an average message size of 75 KB:

Light: 10 e-mails sent, 20 e-mails received per day

Average: 15 e-mails sent, 40 e-mails received per day

Heavy: 20 e-mails sent, 70 e-mails received per day

Light user If you have fewer than 1,000 mailboxes with a light user profile and up to fourstorage groups, you can get by with the minimum hardware configuration:

◆ One processor core (Add one processor core for an average user profile and three processorcores for a heavy user profile.)

◆ 2GB RAM (Add 2GB RAM for an average user profile and 6GB RAM for a heavy userprofile.)

◆ 20GB storage for OS, 25GB storage for Exchange

◆ 100 Mbps connection to Client Access role

◆ 100 Mbps connection to Hub Transport role

◆ 100 Mbps connection to Unified Messaging role (if used)

Average user If you have between 1,000 and 2,000 mailboxes with an average user profileand between 5 and 15 storage groups, you should use the recommended hardwareconfiguration:

◆ Four processor cores (Add four processor cores for a heavy user profile.)

◆ 4GB RAM per core (4GB minimum for an average user profile, 16GB minimum for a heavyuser profile)

◆ 20GB storage for OS, 50GB Storage for Exchange

◆ 1 Gigabyte per second (Gb/sec) connection to Client Access role


HARDWARE SETUP 109

◆ 1Gb/sec connection to Hub Transport role

◆ 1Gb/sec connection to Unified Messaging role (if used)

Heavy user If you have between 2,000 and 5,000 mailboxes with an average user profile andbetween 16 and 50 storage groups, you should use the maximum hardware configuration:

◆ Eight processor cores

◆ 32GB RAM

◆ 20GB storage for OS, 75GB Storage for Exchange

◆ 1Gb/sec connection to Client Access role (preferably multiple 1Gb/sec port-channeledconnections or use of a network interface card with a TCP offload engine)

◆ 1Gb/sec connection to Hub Transport role (preferably multiple 1Gb/secport-channeled connections or use of a network interface card with a TCP offloadengine)

◆ 1Gb/sec connection to Unified Messaging role (if used; preferably multiple 1Gb/secport-channeled connections or use of a network interface card with a TCP offload engine)

If you have the hardware configuration as shown above with a heavy user profile, have morethan 5,000 mailboxes, or plan on leveraging Exchange clustering, then you will need multipleMailbox servers.

Client Access Role

The Client Access role renders Outlook Web Access pages and formatting messages for POP,IMAP, or WebDAV access. Organizations wishing to differentiate between external and internalOutlook Web Access portals should consider installing multiple Client Access roles within a site.A Client Access role serves Outlook 2007 users for some tasks, but its primary capacity can bemeasured by the number of Outlook Web Access, ActiveSync, POP3, and IMAP4 remote usersit serves.

Minimum configuration If you have fewer than 200 remote access users and 1,000mailboxes, you can get by with the minimum hardware configuration:

◆ One processor core

◆ 2GB RAM


◆ 100 Mbps connection to Mailbox role


Recommended configuration If you have fewer than 500 remote access users and between1,000 and 2,000 mailboxes, you should use the recommended hardware configuration:

◆ Four processor cores

◆ 1GB RAM per core (3GB minimum)




◆ 1Gb/sec connection to Mailbox role


Maximum configuration If you have fewer than 1,000 remote access users and between 2,000and 5,000 recipients, you should use the maximum hardware configuration:


◆ 8GB RAM


◆ 1Gb/sec connection to Mailbox role (preferably multiple 1Gb/sec port-channeledconnections or use of a network interface card with a TCP offload engine)

◆ 1Gb/sec connection to Unified Messaging role (if used; preferably multiple 1Gb/secport-channeled connections or use of a network interface card with a TCP offload engine)

If you have over 1,000 remote access users and 5,000 recipients, you should use the maximumhardware configuration and consider adding additional Client Access roles.

Hub Transport Role

The Hub Transport role is responsible for all mail delivery within a site. For this reason, I suggestthat organizations who wish to deploy a fault-tolerant Exchange 2007 infrastructure deploy atleast two Hub Transport roles; when possible, they should be geographically separated. A HubTransport role’s capacity can be measured by the number of mailboxes it serves.

Minimum configuration If you have fewer than 1,000 mailboxes, you can get by with theminimum hardware configuration:

◆ One processor core (two or four processor cores if you plan on installing antivirus orantispam features on the Hub Transport role or using it as your primary SMTP gatewayinstead of the Edge Transport role)

◆ 2GB RAM



◆ 100 Mbps connection to your Active Directory infrastructure

◆ 100 Mbps connection to Edge Transport role (if used)


Recommended configuration If you have between 1,000 and 2,000 mailboxes, you shoulduse the recommended hardware configuration:

◆ Four processor cores (eight processor cores if you plan on installing antivirus or antispamfeatures on the Hub Transport role or using it as your primary SMTP gateway instead ofthe Edge Transport role)


HARDWARE SETUP 111




◆ 100 Mbps connection to your Active Directory infrastructure

◆ 100 Mbps connection to Edge Transport role (if used)


Maximum configuration If you have over 2,000 mailboxes, you should use the maximumhardware configuration and have multiple instances of the Hub Transport role:

◆ Eight processor cores (With this many mailboxes, you really should leverage theEdge Transport role or a suitable substitute to offload antispam, antivirus, and contentfiltering.)

◆ 16GB RAM



◆ 1Gb/sec connection to your Active Directory infrastructure

◆ 1Gb/sec connection to Edge Transport role (if used)

◆ 1Gb/sec connection to Unified Messaging role (if used; preferably multiple 1Gb/secport-channeled connections or use of a network interface card with a TCP offloadengine)

Unified Messaging Role

The Unified Messaging role converts voicemail recorded as WAV files to WMA files and performsboth text to speech and voice recognition functions. A Unified Messaging role’s capacity can bemeasured by the number of voice mailboxes it hosts.

Minimum configuration If you have less then 25 voice mailboxes, you can get by with theminimum hardware configuration:


◆ 2GB RAM



◆ 100 Mbps connection to Client Access role


◆ 100 Mbps connection to Active Directory infrastructure

◆ 100 Mbps connection to Voice over IP infrastructure



Recommended configuration If you have fewer than 60 voice mailboxes, you should use therecommended hardware configuration:





◆ 1Gb/sec connection to Client Access role


◆ 100 Mbps connection to Active Directory infrastructure

◆ 1Gb/sec connection to Voice over IP infrastructure

Maximum configuration If you have fewer than 100 voice mailboxes, you should use themaximum hardware configuration:


◆ 4GB RAM



◆ 1Gb/sec connection to Client Access role (preferably multiple 1Gb/sec port-channeledconnections or use of a network interface card with a TCP offload engine)

◆ 1Gb/sec connection to Hub Transport role (preferably multiple 1Gb/sec port-channeledconnections or use of a network interface card with a TCP offload engine)

◆ 1Gb/sec connection to Active Directory infrastructure

◆ 1Gb/sec connection to Voice over IP infrastructure (preferably multiple 1Gb/secport-channeled connections or use of a network interface card with a TCP offload engine)

If you have over 100 voice mailboxes, you should use the maximum hardware configurationand consider adding more Unified Messaging roles.

When sizing your Unified Messaging servers, though, the actual capacity of the server willdepend more on the number of simultaneous voice and fax messages it must process, the totalsimultaneous number of Outlook Voice Access users, and the simultaneous number of callsanswered and routed by the Automated Attendant.

Edge Transport Role

The Edge Transport role is responsible solely for SMTP delivery and message hygiene (such asantispam, antivirus, and content filtering). Its utilization can be categorized by valid recipientaddresses or, in other words, e-mail addresses that will accept mail from outside organizations. It isworth mentioning that organizations who wish to deploy a fault-tolerant infrastructure will benefitfrom having at least two Edge Transport roles (or third-party intelligent relay hosts) with multipleDNS mail exchanger (MX) records; when possible these should be geographically separated.


BEGINNING THE SETUP PROCESS 113

Minimum configuration If you have fewer than 1,000 valid recipients, you can get by withthe minimum hardware configuration:


◆ 2GB RAM



Recommended configuration If you have between 1,000 and 2,000 valid recipients, youshould use the recommended hardware configuration:

◆ Two processor cores




Maximum configuration If you have between 2,000 and 5,000 recipients, you should use themaximum hardware configuration:


◆ 16GB RAM



If you have over 5,000 recipients, you should use the maximum hardware configuration andconsider adding more Edge Transport roles and using multiple MX records to load-balancebetween them.

Beginning the Setup ProcessI will walk you through an installation of Exchange 2007 with Support Pack 1 on Windows Server2003 R2 (with Support Pack 2) because this is the configuration most organizations will adopt untilWindows Server 2008 is more widespread. You will need Domain Admin, Schema Admin, andEnterprise Admin permissions to complete most of the installation tasks outlined in the followingsections. As mentioned previously, this chapter covers the steps necessary to install Exchange2007 in a test lab or production environment with no regard to existing messaging services. Ifyou wish to learn more about merging Exchange 2007 with an existing Exchange infrastructure ordeveloping a migration strategy, you should also read Chapters 5 and 6.

Note

An interesting fact about Exchange 2007 service packs: You can install them directly on your serverswithout the original Exchange 2007 media. Past versions of Exchange (and most other applications)require that the original product be installed and then upgraded with the latest support pack. As mostadministrators will agree, this is a welcome feature long overdue.



Tip

In case you missed it before, please note the Exchange setup files no longer fit on a single CD. If youhave a volume license agreement with Microsoft, the installation media is available only on DVD orby download. If you plan to install from physical media, it would be a good idea to verify that yourtarget server has a DVD reader (internal or external) prior to installation.

Graphical InstallationThe Exchange 2007 graphical user interface (GUI) setup is one of the best that Microsoft hasproduced. Rather than start off with an End User Licensing Agreement (EULA) and jump rightinto the installation, the graphical wizard’s main page is broken into three sections:

Plan An external link to the Exchange Server 2007 website on Technet

Install Information on and downloads for the prerequisites necessary to install Exchange2007, the Exchange installation files, and a link to Microsoft Update

Enhance Exchange 2007 add-ons like hosted services and Microsoft Forefront Security forExchange Server

If you are missing any of the software prerequisites, the Exchange install wizard will walk youthrough them prior to installation. Note in Figure 4.1 that the first three prerequisites are grayedout because they are already met.

Figure 4.1

Exchange 2007installation steps

You cannot install Exchange (Step 4) until all the following steps are chronologically met:

Step 1: Install .NET Framework 2.0 As mentioned in Chapter 1, you must install the WorldWide Web Service component prior to installing .NET 2.0 so the Microsoft .NET Framework



and IIS extensions are installed correctly. Remember, if you’re trying to keep your IISinstallation to a minimum, you will only need to check the single IIS component shown inthe following screen shot:

Tip

IIS is only required for the Client Access and Mailbox roles.

Step 2: Install Microsoft Management Console (MMC) 3.0 The MMC version 3.0 wasincluded in Windows Server 2003 R2; if you are running the original release of Windows Server2003, you may need to obtain the latest MMC from Microsoft’s website (be sure to get the x64version if you’re using a 64 bit operating system).

Step 3: Install Microsoft Windows PowerShell Windows Server 2003 R2 with Service Pack2 doesn’t come with Windows PowerShell; you will have to download it from Microsoft’swebsite. As this book went to press, the most current PowerShell version was 1.0; do not installsubsequent versions of the PowerShell unless they are specifically approved to work withExchange 2007 because they could render your Exchange server unmanageable.

Step 4: Install required hotfixes Even Windows Server 2003 with Service Pack 2 has a fewhotfixes that are required to run Exchange Server 2007 SP1. Ensure that you have installedKB 931836 (http://go.microsoft.com/fwlink/?LinkID=92858) and a .NET Framework 2.0fix found at http://go.microsoft.com/fwlink/?LinkID=74465 prior to starting to installExchange 2007. Otherwise the setup program will warn you that these are required and mustbe installed. If you do not install the .NET Framework 2.0 SP1 update, then I also recommendyou install the hotfix documented in KB 942027.



Preparing Windows Server 2008

If you are starting your Exchange Server 2007 deployment on Windows Server 2008, you don’t have toworry about getting a lot of the updates and service packs installed. You can use any edition ofWindows Server 2008 except Server Core. The base installation of Windows must have someadditional components installed. You can install the additional components you require in ControlPanel, but the easiest way to install these components is to use the ServerManagerCmd command-line utility. The following is a list of components that must be installed and the command necessaryto install them.

◆ Install the Active Directory management tools.

ServerManagerCMD -i RSAT-ADDS

◆ Install the Windows PowerShell (included with Windows Server 2008).

ServerManagerCmd -i PowerShell

◆ Install the IIS components required (Client Access).

ServerManagerCmd -I Web-ServerServerManagerCmd -I Web-ISAPI-ExtServerManagerCmd -I Web-MetabaseServerManagerCmd -I Web-Lgcy-Mgmt-ConsoleServerManagerCmd -I Web-Basic-AuthServerManagerCmd -I Web-Digest-AuthServerManagerCmd -I Web-Windows-AuthServerManagerCmd -I Web-Dyn-Compression

◆ Install the IIS components required (Client Access if Outlook Anywhere is required).

ServerManagerCmd -I RPC-over-HTTP-Proxy

◆ Install the IIS components required (Mailbox servers).

ServerManagerCmd -I Web-ServerServerManagerCmd -I Web-ISAPI-ExtServerManagerCmd -I Web-MetabaseServerManagerCmd -I Web-Lgcy-Mgmt-ConsoleServerManagerCmd -I Web-Basic-AuthServerManagerCmd -I Web-Digest-AuthServerManagerCmd -I Web-Windows-AuthServerManagerCmd -I Web-Dyn-Compression

◆ Install Windows failover clustering (Mailbox servers supporting SCC or CCR).

ServerManagerCmd -I Failover-Clustering



◆ Install Active Directory Lightweight Directory Services, aka AD LDS or ADAM (only required onEdge Transport).

ServerManagerCmd -I ADLDS

◆ Install the Windows Media audio/video codecs (Unified Messaging servers only).

ServerManagerCmd -I Desktop-Experience

Once you have prepped your Windows Server 2008 server, you must use the Exchange Server 2007Service Pack 1 binaries to install the software. You cannot install the Exchange Server 2007 RTM ver-sion on Windows Server 2008.

Once the core software prerequisites are met, you can move on to the next step, which isinstallation. As you’re clicking past the Next buttons you will pass an introduction to Exchange2007, the end user licensing agreement, and an invitation to send any errors automatically toMicrosoft, but you will notice there’s no screen on which to enter a license code. That’s becauseyou don’t need a license key to install Exchange or to run it for the first 120 days. After 120 days,you will automatically be reminded each time you open the Exchange Management Console witha ‘‘nag’’ dialog like the one in Figure 4.2 showing the remaining days before your evaluationperiod expires.

Figure 4.2

Licensing reminderdialog

Ultimately, you will have the choice of performing a typical or custom installation as shownin Figure 4.3. A typical installation installs the Mailbox, Hub Transport, and Client Access serverroles as well as the Exchange administrative tools.

If your organization is relatively simple and requires only one server, the typical ExchangeServer installation may suffice; however, I suggest choosing the custom installation so youunderstand what all of your options are. At this screen, you also have the option of definingan installation path for the Exchange program files.



Figure 4.3

Selecting theinstallation type

If you’re like most Exchange administrators and opt to always choose the custom installation,you will find yourself looking at the Server Role Selection screen (Figure 4.4). Here you can selectwhich Exchange 2007 server roles you would like to install on this Exchange server. Remember, ifyou forget to install a role or decide to remove a role, you can always do so at a later time.

Note that the wizard will allow you to select only roles that are compatible with each other. Forinstance, if you select the Edge Transport server role, all other roles will be grayed out because theEdge Transport role must be installed on its own server. Also note that both the active and passiveclustered mailbox roles prevent you from selecting any other roles (including the mailbox role)because they must be installed separately from all other Exchange services.

When launched, the Exchange installer searches Active Directory for existing Exchangearchitecture, resulting in one of the following three scenarios:

◆ If it finds that this is the first Exchange 2007 server in your Active Directory infrastructure,it will prompt you to supply an Exchange 2007 organization name.

◆ If it finds existing Exchange 2007 servers, it will automatically add the additional objects inthe Active Directory to configure the new server you are creating.

◆ If it finds a legacy Exchange 2000 or 2003 organization, it will prompt you to select anExchange 2003 SMTP bridgehead to use for legacy connectivity. We will come back to thispossibility in Chapter 5.

If you have selected to install the Mailbox role on this Exchange server, you will be askedwhether or not you would like to enable a public folder database at the Client Settings screen.If you have Entourage for the Mac, Outlook 2003, or earlier Outlook clients deployed in yourorganization, you will need a public folder database to handle legacy functions like free/busyrequests and offline address books.



Figure 4.4

The Server RoleSelection screen

Outlook 2007 uses the Client Access role for these functions and does not require the use ofpublic folders. In case you’re wondering, Microsoft has decided to leverage Microsoft OfficeSharePoint Server instead of Exchange public folders moving forward. However, this shift in pol-icy doesn’t preclude the use of public folders in Exchange 2007; they will continue to be supportedfor 10 years after Exchange 2007 is released.

The next screen will automatically run readiness checks for each role you have selected to install(Figure 4.5). If you are missing any prerequisites or need to reconfigure your server, the wizardwill identify what needs to be corrected and even provide you with external links to eliminateunresolved dependencies. Once all prerequisites are confirmed, you can click the Install button.

If you have the proper permissions to modify your organization’s Active Directory schema andinstall Exchange on the server, the wizard will automatically install the necessary extensions intoyour schema. A major improvement over prior versions of Exchange is the ‘‘realistic’’ indicatorshowing your progress through the installation. Once installation has completed, you have theoption to automatically launch the Exchange Management Console and perform post-installationtasks as shown in Figure 4.6.

At the end of the installation, the Exchange 2007 setup screen will give you the option ofimmediately checking for updates. I recommend that you do this as soon as possible on eachserver you install.

Command-Line InstallationIf you’re still reading after seeing the title of this section, you are either a die-hard command-linejunkie or you’ve found yourself in a position in which the graphical installer just won’t do. Ineither case, strap on your ergonomic wrist-protecting gloves and hold on — you are in for a treat!For the first time, Exchange has a comprehensive command-line installer that requires no graphicalinteraction at all. Of course, if you get too lost, you can always access the command-line installerhelp function by changing to the root of your installation media and typing D:\setup /?.



Figure 4.5

The Readiness Checksscreen

Figure 4.6

The Completion screen



Note

One of the executables installed on an Exchange 2007 server is Exsetup, a command-line setup toolthat can be used to reconfigure your Exchange server after the initial installation without requiringthe original install media. Exsetup uses the same syntax as the command-line version of setup.

For the purposes of illustrating the command structure, I will use the unabbreviated syntax inthis section. For example, I will reference the command-line switch /UnifiedMessaging insteadof /u. Additional syntax options can always be found by accessing the help function.

One nice feature of the command-line installer is that it is very similar to command-line utilitiesfound in other operating systems. Okay, that requires some explanation: In the past, Microsoftintroduced some command-line tools that required very verbose and menu-driven syntax, like thecommand-line utility Ntdsutil. For example, Ntdsutil requires you type connections to access aConnections menu, type connect to server <servername> to establish a connection to a domaincontroller, and then exit the Connection menu by typing q. While this isn’t a ‘‘bad’’ utility, itdoesn’t lend itself to being scripted, nor does it resemble the syntax found in other command-lineshells like Microsoft DOS or the Unix/Linux bash shell. Exchange 2007 greatly improves uponpast command-line utilities by allowing you to run every function from the command line thatyou can from the graphical installer.

Many of the setup.exe options will work with a /DomainController switch that allows youto pick a specific domain controller rather than having setup discover one for you. For example, if Iwere going to prepare the Active Directory schema and wanted to use domain controller HNLDC01in the Somorita.Int forest, I would type this:

Setup.exe /PrepareSchema /DomainController:hnldc01.somorita.int

Upgrading Earlier Versions of Exchange 2007

As you may have already found, the Exchange Server 2007 Service Pack 1 binaries are completelystandalone, meaning you do not need an earlier version of Exchange Server 2007 installed in orderto install SP1. If you are currently running the release-to-manufacturing (RTM) Exchange Server2007, you can easily perform an upgrade by running the setup. Or if you prefer, you can do thisupgrade from the command line. The following setup.exe command will upgrade to ServicePack 1.

Setup.exe /mode:upgrade

Preparing Active Directory

If your organization is particularly large, you may find that there is a benefit to preparing theActive Directory schema in advance so all updates to the schema can be propagated throughoutyour organization prior to the installation of your first Exchange 2007 server.

Tip

Use the Exchange 2007 Service Pack 1 or later setup.exe to prepare your Active Directory. Therewere a few additional schema extensions included with E2K7 SP1.



There are a few steps for preparing your Active Directory, and they should be performed inthis order:

1. Prepare legacy Exchange permissions.

2. Extend the schema.

3. Prepare the Active Directory.

4. Prepare each (or all) Active Directory domains.

The first step is necessary only if you have Exchange 2000/2003 in your environment; thisstep configures the permissions necessary in Active Directory for Exchange 2000/2003 servers tointeract with Exchange 2007 servers. The command syntax for configuring the legacy Exchangepermissions in Active Directory is as follows:

Setup /PrepareLegacyExchangePermissions

The /PrepareLegacyExchangePermissions option must be run if you are going to interactwith an existing Exchange 2000/2003 organization in your Active Directory, even if it is for a shortperiod of time.

Tip

Any forest-wide change, such as preparing legacy Exchange permissions, extending the schema, andpreparing a domain, should be allowed to replicate throughout your forest before you continue withExchange server installations. This could take anywhere from a few minutes to a few days, dependingon your Active Directory replication architecture.

The next step in preparing your Active Directory is to extend the Active Directory schema withthe additional attributes and classes necessary to support Exchange Server 2007. This is done withthe /PrepareSchema option. To prepare the schema, run this command:

Setup /PrepareSchema

Next you need to prepare the Active Directory; with Exchange 2000/2003, all of these stepswere included with the /forestprep option, but now they are separate tasks. The Active Directorypreparation process includes the following steps:

◆ Verify that the schema has been extended.

◆ Create the Exchange container in the Active Directory configuration container and assignan organization name (if not already present).

◆ Create the additional containers necessary to support Exchange 2007 in the Exchangeconfiguration container.

◆ Create the Microsoft Exchange Security Groups OU in the forest root domain and createthe universal security groups that are used for Exchange administration and security.

◆ Create the Exchange 2007 administrative group and routing group.

◆ Perform the prepare domain functions for the forest root domain.



To prepare the Active Directory, run the following command:

Setup /PrepareAD

If this is a new organization, you will need to include the /OrganizationName switch; here isan example:

Setup /PrepareAD /OrganizationName:"Somorita Surfboards"

Finally, you have to prepare all of the other Active Directory domains that will support anExchange 2007 server or that will hold mail-enabled objects (users, contacts, groups). The preparedomain option includes the following tasks:

◆ Assigns the Exchange 2007 universal security groups the necessary permissions tothe domain.

◆ Creates an Exchange Install Domain Servers group and assigns that group as a member ofthe Exchange Servers universal group in the forest root.

◆ Assigns permissions to the Exchange Recipient Administrators and Exchange Serverssecurity groups.

You can either prepare a single domain at a time using the /PrepareDomain option or prepareall domains using the /PrepareAllDomain. Here is an example:

Setup /PrepareAllDomains

Preparing Active Directory for Delegation

If your organization distinguishes between Active Directory Schema Administrators andExchange Administrators, you may opt to prepare your Active Directory schema in advance soan Exchange 2007 server can be installed without requiring Schema Admin permissions. Here isthe command syntax for preparing Active Directory for delegation of server HNLEX01:

Setup /NewProvisionedServer:hnlex01.somorita.int

Note

It is possible to provision an Exchange 2007 server in Active Directory prior to actually installing it.For more information, see http://technet.microsoft.com/en-us/library/bb201741.aspx.

Installing, Upgrading, and Uninstalling

The basic command structure for installing, upgrading, and uninstalling Exchange serversincludes a switch to specify the setup mode and another switch to determine what is beinginstalled; here are the switches:

setup /mode:<setup mode> /role:<role(s)>



Mode The mode parameter defines what action you want to take on the Exchange server:

setup /mode:Installsetup /mode:Uninstallsetup /mode:Upgrade

Role There are five different types of roles. You use the following syntax for these roles:

Hub Transport role: HubTransport, or HT, or H

Client Access role: ClientAccess, or CA, or C

Mailbox role: Mailbox, or MB, or M

Unified Messaging role: UnifiedMessaging, or UM, or U

Edge Transport role: EdgeTransport, ET, E

Exchange management tools: ManagementTools, MT, T

Note

While the Exchange Management Shell and Console aren’t exactly a role, they are included as aninstallation options so as not to create another command-line option.

So, if you wanted to install the Hub Transport and Client Access roles on an Exchange server,you would type this:

setup /mode:Install /role:HubTransport, ClientAccess

And if you wanted to install only the Exchange management tools, you would type this:

setup /mode:Install /role:ManagementTools

Common optional parameters The following parameters can be used with almost allExchange setup and Exsetup commands.

Use /TargetDir to specify an alternate directory for the installation of Exchange. Here isan example:

Setup /mode:Install /role:Mailbox /TargetDir:"E:\Exchange"

Use /SourceDir to specify the source location for the Exchange installation files. Here is anexample:

Setup /mode:Install /role:Mailbox /SourceDir:"\\server\E2K7.SP1"



Use /EnableLegacyOutlook when installing the Mailbox server role; this ensures that the firstMailbox server in the organization has a public folder store installed on it.

Use /LegacyRoutingServer when you’re installing the first Hub Transport server role; it isused to specify an existing Exchange 2000/2003 bridgehead server that should be connected forlegacy Exchange mail routing.

Use /AdamLdapPort when you’re installing the Edge Transport server role so that you canspecify an alternate ADAM LDAP port. The default is 50984.

Use /AdamSslPort when installing the Edge Transport server role to specify an alternate LDAPport. The default SSL port is 50982.

Complete the Post-installation stepsOnce you have completed your Exchange 2007 installation using either the graphical or command-line installer, there are some universal tasks that should be completed to finalize your Exchangedeployment.

◆ Enter your Exchange Server product key. Without it you can only run the Exchange serverfor 120 days. Bear in mind that there is no activation key for the 32-bit ‘‘lab’’ version ofExchange.

◆ Run the Exchange Best Practices Analyzer. Because this utility is frequently updated, youshould obtain the latest version from the ExBPA site at www.exbpa.com.

◆ Consider installing Microsoft Forefront Security or another form of antivirus softwaredesigned for Exchange 2007 on your Exchange servers that run the Hub Transport role.

◆ Configure the Client Access role to provide offline address book functionality for your Out-look 2007 clients.

◆ Obtain a SSL certificate for your Client Access role.

◆ Configure ActiveSync on your Client Access role.

◆ Configure domain(s) for which you will accept mail.

◆ Configure an e-mail address policy to automatically generate e-mail addresses.

◆ Subscribe to the Edge Transport server (if you choose to use one).

◆ If you are not using an Edge Transport server, configure a Send connector and thenconfigure a Receive connector to accept anonymous connections.

◆ Create a default Postmaster mailbox.

As seen in Figure 4.7, when you open the Exchange Management Console, each of these tasks(and possibly a few more) will be displayed on the main page until complete. If you select a task,you will be presented with step-by-step instructions explaining how to best accomplish it, truly anice touch from the Exchange development team.



Figure 4.7

Post-installation stepswithin the ExchangeManagement Console

SummaryIn this chapter, I covered the basics of installing an Exchange 2007 server. I mostly assumedthat you are installing Exchange 2007 in an organization that does not currently have Exchange2000/2003 installed.

One of the biggest favors you can do for yourself is to build a small Exchange 2007 orga-nization that will duplicate your production environment but on a smaller scale. Install all ofyour third-party software and perform as much testing as possible. Follow that up with a smallproduction pilot. Both of these steps will help you to decide if you have the right configuration foryour environment.

In later chapters, I will discuss the processes for inter- and intra-organization migrations.

Chapter 6

Scaling Upward and Outward

Under what circumstances should you add an Exchange server? How do you know whether youneed an additional Active Directory global catalog server? When should you add mailbox serversto a remote Active Directory site? When should you create more storage groups? Or mailboxdatabases? How many mailboxes should be located on a single mailbox database?

These are all questions that affect your Exchange 2007 design, deployment, and even day-to-dayoperations. If you don’t provide sufficient resources, then the Exchange organization will notoperate as effectively as it should. Sometimes the decision points for adding more servers or cre-ating new databases are clearly defined based on your organization’s requirements. Other times,however, the decision matrix for expanding your Exchange Server environment is not alwayscut-and-dried.

This a good topic to address in its own chapter so we can give you ideas and guidance on thefactors that may affect your decision to scale upward and outward.

Topics in this chapter include the following:

◆ Deciding when to grow

◆ Performance monitoring basics

◆ Adding more mailbox storage

◆ Enabling local continuous replication

Deciding When to GrowDo you have clear guidance that tells you when you should expand, add servers, or add capacity?Sometimes your gut instinct just tells you that it is time. But is that something you can take to yourboss?

If you are lucky, you can back up your request for a new server or more capacity with tangibleevidence. We will discuss both the tangible and intangible factors that may influence the need toexpand your Exchange organization.

When you are trying to increase your budget, nothing impresses your boss more than havinghard numbers or company policies to back up your requests (well, unless you have a PowerPointpresentation with lots of colorful clipart, charts, and graphs). And you may even be surprised tolearn just what you can assign hard-core values to.

The first factors we’ll discuss actually involve organizational requirements. A number of dif-ferent components of organizational requirements may affect the number of servers and theirplacement. The first is high availability. Here are some factors that will increase the number ofExchange 2007 servers that you will require:

◆ Clustering always requires at least two servers; one server is the active mailbox server andone server is the passive server. This includes shared copy clusters as well as clusteredcontinuous replication clusters.

164 CHAPTER 6 SCALING UPWARD AND OUTWARD

◆ Other server roles cannot be installed on a clustered mailbox server. This means that otherroles, such as Hub Transport, Client Access, or Unified Messaging servers, must be placedon a separate physical machine.

◆ Fault tolerance for internal message routing is achieved with multiple Hub Transportservers. Exchange 2007 will automatically load-balance between multiple Hub Transportservers in the same Active Directory site.

◆ Fault tolerance or higher availability for server roles such as Client Access or UnifiedMessaging is achieved with multiple servers and using a load-balancing technology(recommended) or DNS round robin (not recommended).

◆ Each Active Directory site that contains a Mailbox server must have the Hub Transportand Client Access server roles. If the Unified Messaging server role is used, the ActiveDirectory site must have a Unified Messaging server installed in the site.

◆ Using Edge Transport services always requires an additional Windows server. Providingfault tolerance for Edge Transport server roles means installing at least two Edge Transportserver roles. It is recommended that the Edge Transport servers be installed in your organi-zation’s perimeter or DMZ network.

◆ Large organizations will often create a dedicated Active Directory site containing domaincontrollers and global catalogs servers. These servers are then used exclusively byExchange servers. This way Exchange does not interfere with domain controllers that arehandling user and computer authentication and vice versa.

Let’s not forget about supporting network infrastructure services. In a small organization, asingle Windows domain controller/global catalog server/DNS server will be sufficient. However,if your organization is supporting more than a few hundred mailboxes, then the requirements formore supporting infrastructure components will increase as well. Here are some factors that mayincrease the number of network infrastructure services your organization requires:

◆ Some organizations split their DNS servers on to servers or appliances that are separatefrom the servers that support Active Directory. While we normally recommend using theWindows 2003 DNS server running on a domain controller, if you choose to move DNSto another system, make sure that you have redundancy and that all Windows serversare configured with a primary and secondary DNS server. If you want to use the ActiveDirectory–integrated DNS zone feature of the Windows 2003 DNS server, then the DNSserver must be running on a domain controller.

◆ The generic recommendation for the number of domain controllers and global catalogservers is one domain controller CPU for each four Exchange CPUs. This does not take intoconsideration fault tolerance for the domain controllers, so in organizations with more than500 mailboxes, we recommend at least one redundant domain controller. That domain con-troller should be configured as a global catalog server.

◆ If fault tolerance is specified in your Exchange design, it should be specified in your ActiveDirectory design. This means each Active Directory site that contains an Exchange mailboxserver (and consequently Hub Transport and Client Access server roles) should containtwo domain controller/global catalog servers.

◆ Remember that Outlook 2000 and later clients also use global catalog servers for globaladdress list lookups.

DECIDING WHEN TO GROW 165

Another factor that we consider a tangible factor when designing an Exchange 2007 system isrecoverability and meeting service level agreements. As you will learn in Chapter 16, ‘‘Backupand Disaster Recovery,’’ there are many types of outages and many approaches to recoveringfrom them. Your Active Directory and Exchange designs may be subject to meeting a specificservice level agreement that includes a statement defining recovery time for different types ofoutages:

◆ The simpler a server’s configuration is, the more quickly you can rebuild it if you have toperform a bare metal restore. Bare metal restores usually require that you start over withthe server build and redo everything from the operating system on up to the applicationand all customization that has been done to the server. While small organizations (under500) may not be able to segment server roles on to dedicated server hardware, for largeorganizations this certainly can help reduce the complexity of the server. Reduced serverconfiguration complexity assists in speeding recovery.

◆ The local continuous replication (LCR) feature of Exchange 2007 is one of its most promis-ing features with respect to improving recoverability times. LCR allows you to keep aalmost completely synchronized copy of the database ready to put into production in casethe live copy of the database has corruption. At a bare minimum, this feature will requiretwice as much disk space (if you replicate all of your databases) as you had originallyplanned for. Naturally, there is additional overhead associated with keeping a synchro-nized copy of the database, so if you are using LCR you may not be able to support asmany mailboxes on one mailbox server.

◆ The time it takes to restore a mailbox database from backup is directly proportional to thesize of the database. Larger databases mean longer restoration times in the event of a sin-gle database corruption or failure. Creating more databases with fewer mailboxes can helpreduce recovery time. Exchange Server 2007 Standard Edition provides you with up to5 mailbox databases and Exchange Server 2007 Enterprise Edition provides you with upto 50. We recommend that no single database in exceed 100GB in a non-LCR environmentand 200GB in an LCR environment.

◆ Potential speed of data restoration may affect the sizing of your servers. Calculate theamount of data that you will be hosting on any given mailbox server and then calculatehow long it will take you to restore that data in a worst-case scenario. Is that acceptable inyour environment?

Do you remember those hard numbers and graphs that prove to your boss that you haveexceeded your current computing capacity? Nothing beats performance monitoring tools andreports for visually providing tangible evidence that you are exceeding your capacity. We willlook at these in more detail later in this chapter, but for now here are some things that you can useperformance monitoring to locate bottlenecks that would indicate insufficient resources:

◆ Performance monitoring may indicate insufficient hardware resources such as memory ordisk I/O capacity on existing servers.

◆ When querying a domain controller or global catalog, performance monitoring may pin-point bottlenecks that indicate either a performance problem or an overloaded domaincontroller/global catalog.

The final tangible factor in sizing servers and choosing hardware is the eighth layer of the OSImodel; this is the political layer. We all frequently joke about our jobs being part politics, but in


many organizations this is a reality. Here are some factors that might require a political designdecision rather than a technical design decision:

◆ Satellite or regional offices require their own Exchange server hardware even in the face ofconsolidation.

◆ Executives or some divisions of an organization expect to be on isolated server hardware.

◆ A department feels like having their mail on a server with everyone else is not secureenough.

Monitoring PerformanceUsing the Windows performance monitoring tools to monitor Exchange server is a topic thatcould easily cover an entire chapter or even two. In this chapter, we’ll cover some basic perfor-mance monitoring counters and EMS cmdlets that can help you in determining whether you haveperformance problems.

Performance DegradationIf all we had to worry about was measuring performance and planning for server capacity, thenour jobs would be much easier. In your server design, capacity planning, and analysis, there are anumber of addition factors to consider:

◆ Consolidated servers (multiple roles on a single server) can contribute to degraded serverperformance. On a server that supports more than 500 mailboxes as well as other func-tions, such as Hub Transport and Client Access server roles, ensure that transaction logs,message databases, and message queues are all on separate physical disk drives.

◆ Local continuous replication (LCR) will significantly increase the I/O requirements formailbox servers. LCR databases and transaction logs must be on separate physical disks toensure that performance does not suffer.

◆ LCR will place a significant burden on the server’s CPU — by some estimates, as muchas 40 percent additional burden if all databases have an LCR copy. Consider this whencalculating CPU capacity and the number of mailboxes that a single server can support.

◆ Antivirus software configured to scan mailbox databases using the Exchange AntivirusAPI can use significant amounts of RAM and CPU capacity.

◆ Antivirus applications on Hub Transport servers can also use quite a bit of RAM andconsume some of the CPU resources.

◆ Transport rules are executed for every message that passes through a Hub Transportserver. The more transport rules that are processed, the more CPU and memory overheadwill be consumed by the Hub Transport server. In an organization with more than 100transport rules, consider segmenting the Hub Transport role to its own physical hardware.

◆ Backup applications use a significant amount of resources during the backup process.Streaming backup applications use a lot of disk I/O time when backing up data in mail-box databases. Volume shadow copy backups of production databases will also impactperceived response time for users who are working during the backups. Perform streamingbackups during the off-hours or implement LCR and then volume shadow copy backups ofthe LCR databases rather than the production databases.

MONITORING PERFORMANCE 167

◆ Implementing Secure Sockets Layer (SSL) on Client Access servers is essential forproviding better security for web applications such as Outlook Anywhere, Outlook WebAccess, and ActiveSync. However, SSL will introduce approximately a 25 percent CPUoverhead on the Client Access server.

◆ EdgeSync can place a larger load on a Hub Transport server if it is run frequently.EdgeSync requires internal connectivity to both Active Directory and mailbox servers.

◆ Running scheduled tasks such as updating address lists and e-mail address lists cangenerate additional disk utilization as well as CPU activity and Active Directoryqueries.

Exchange Management Shell CmdletsExchange 2007 has a few cmdlets that are useful when testing or measuring potential performanceproblems. The first is the Test-MAPIConnectivity cmdlet. It allows you to test MAPI connectiv-ity to a mailbox you specify. For example, if you want to test MAPI connectivity for a mailboxnamed Suriya.Supatanasakul, you would type this:

Test-MAPIConnectivity Suriya.Supatanasakul

MailboxServer Database Result Latency(MS) Error------------- -------- ------ ----------- -----HNLEX03 Mailbox Database Success 20

The mailbox test will access the mailbox store on which the mailbox is located and access themailbox to ensure that it can be accessed. The output tells you whether or not that test was success-ful and how much latency was measured. The latency should usually be less than200 milliseconds. Higher latencies could indicate a network problem or that the server is notresponding to RPC requests quickly enough.

If you do not specify a mailbox name, the cmdlet will access all of the system mailboxes on thelocal server and report latency for each of those mailbox databases:

[PS] C:\>Test-MAPIConnectivity

MailboxServer Database Result Latency(MS) Error------------- -------- ------ ----------- -----HNLEX03 Engineering Mail Success 58HNLEX03 Mailbox Database Success 18

Another useful testing tool for measuring server response time is the Test-Mailflow cmdlet.Without any parameters, the Test-Mailflow cmdlet will send mail to the local systemmailbox:

Test-Mailflow

TestMailflowResult MessageLatencyTime IsRemoteTest------------------ ------------------ ------------Success 00:00:01.6388565 False


The MessageLatencyTime column indicates (in seconds) how long it took to deliver a message.Within the same Active Directory site (or within the same server), this should take no longer than2 or 3 seconds. By sending a test message (to a system mailbox by default), the Test-Mailflowcmdlet tests not only the Mailbox server’s responsiveness, but also how well the Hub Transportserver is responding as well as the efficiency of Active Directory queries. Each of these places canbe a bottleneck when a message is sent.

However, you can specify a source server and a specific target server using the-TargetMailboxServer parameter. Here is an example:

Test-Mailflow hnlex01 -TargetMailboxServer hnlex03

TestMailflowResult MessageLatencyTime IsRemoteTest------------------ ------------------ ------------Success 00:00:02.8396133 True

For tests that indicate a message latency time of greater than 3 to 5 seconds within the sameActive Directory site or greater than 10 seconds between Active Directory sites, you should beginto look for potential bottlenecks such as insufficient Hub Transport server capacity, low systemresources (low memory, not enough disk I/O capacity) on the mailbox server, and bottleneckswhen Active Directory is queried.

If you want to test responsiveness of Outlook Web Access, there is also aTest-OwaConnectivitycmdlet that can prove useful. However, that cmdlet requires a that Client Access server (CAS) testuser be created; the New-TestCasConnectivityUser.ps1 script (included with the Exchange 2007scripts) will create this user for you.

Performance Monitoring as a Work of ArtThere is a lot more to performance monitoring than just adding a few counters to a chart or reportand then making some conclusions based on what you see. Getting an accurate picture of theperformance and bottlenecks is something between a science and an art form. Before we jump into the actual mechanics of performance monitoring, we would like to cover just a few basic andimportant tips:

◆ When monitoring, take averages over a period of hours (usually during the busiest part ofthe day).

◆ Avoid the temptation to look at a small snapshot of performance and making load-balancing situations. Spikes or lulls in usage will not represent your average performance.

◆ Don’t run performance monitoring against a server you have just rebooted. Sometimes aserver may take a few days to settle in to a typical performance profile.

◆ Always develop a performance baseline for a system so that you know what counter val-ues are ‘‘normal’’ for a particular usage profile. Remember, though, that this will changeover time as usage increases, more features are used, or more users are added to thesystem.

Now let’s look at some of the basics of using the System Monitor application and what you canfind when you use the Performance Monitor console and the System Monitor object. Figure 6.1shows the Add Counters dialog box from the System Monitor tool. Counters are the meat and


potatoes of what you are looking for when you use the System Monitor tool in the PerformanceMonitor console. However, we want to look a little more closely at this interface.

Figure 6.1

Adding counters to theSystem Monitor tool

At the top of the Add Counters interface is the option to specify which computer you are actu-ally looking at. You can either specify the local computer or you can monitor another computeracross the network. This means you don’t actually have to be sitting on the console of the computeryou want to monitor.

The Performance Object drop-down list allows you to select a specific performance object orobject category. Different software components will add additional performance monitor objectsto a server; this is also true of Exchange Server 2007 roles. Different server roles will add addi-tional performance objects and this will explain why you will see different performance objects ondifferent servers.

Some performance objects have multiple instances. A good example is the Processor object. Youwill have a Total instance that represents all of the processes combined and you will have indi-vidual processor numbers (starting from 0). This means that you could monitor the performanceof an individual CPU on a multiprocessor system.

Finally we get to the counters list. The counters are what actually provide us with data about thecomponents of Windows and Exchange. In Figure 6.1, you see that the performance object that isselected is the Processor object; possible counters for that particular object include the percentage ofidle time (%Idle Time), the percentage of time the CPU is running privileged threads (%PrivilegedTime), and the percentage of time the processor is doing real work (%Processor Time). Each object


will have unique counters. Some of these counters report actual, measured data while others (suchas the processor counters) may report on data measured in a percentage (0 to 100).

When performance monitor data is displayed, there are two views you’ll find useful. The firstis the chart view; the chart view is probably the most common (see Figure 6.2).

Figure 6.2

Using the chart view ofthe System Monitor

The chart view is best for spotting trends; by default it provides only 100 seconds of historicalinformation, but the sample interval can be changed on the System Monitor property page (shownin Figure 6.3). If you are trying to gather information over a period of time (say, for an entiremorning), you would definitely want to change the sample interval. For example, if you wantedthe chart to include three hours worth of information, you would change the sample interval toabout 77 seconds.

The Performance Monitor console can also record activity over a period of time using theCounter Logs feature. You can schedule the Performance Monitor to start at a specific time (suchas 8:30 in the morning), record the objects and counters you desire, and then stop at a specifictime. You can then use the recorded Performance Monitor counters to review activity in a chart(or report) over time.

The report view of the System Monitor is not as spiffy-looking as the chart view, but it pro-vides you with a much easier way to look at actual numbers as opposed to trends. If the datasource you are viewing is current activity, then the values shown on the report view will be theaverage of the previous recorded value and the current recorded value. If the data source is apreviously recorded log file, then the report view shows you the average over the life span of thelog file.

The System Monitor view in Figure 6.4 shows the report view. When looking at live data,the report view is helpful for looking at a specific piece of information at a certain point in time.Remember that when you’re looking at performance statistics and analyzing bottlenecks, a partic-ular point in time is not as useful as looking at averages over a period of time, such as when theserver is busiest.

The report view is helpful in seeing information that is static or that does not change much overtime.


Figure 6.3

Changing SystemMonitor properties

Figure 6.4

Using the report view ofSystem Monitor


Performance Monitor CountersAs we mentioned earlier, a full discussion of performance monitoring and Exchange 2007 couldconsume several chapters. Indeed, once Exchange 2007 is installed on a server (depending on theroles selected), nearly 70 different Performance Monitor objects are created; that says nothing ofthe actual counters and instances of each of these objects!

In this section, we’ll look at some of the counters that may help you to understand when aserver has exceeded its capacity. Let’s start with some basic operating system objects and counters;these are pretty universal when it comes to performance monitoring, so you may have seen thembefore. The recommendations that we are making for minimum or maximum thresholds are basedon our own experiences and may not agree with ‘‘official’’ Microsoft documentation. Some of thebasic operating system counters are shown in Table 6.1. These can help you decide if you need toadd more capacity to an existing server or to add an additional server.

While we can’t easily come up with performance counters that will help you in every situation,the ones in Table 6.1 are generic enough to help you get started and to help you in deciding if youhave a specific type of bottleneck.

Table 6.1: Operating System Performance Counters and RecommendedThresholds

Object/Counter Recommended Values

Processor/%Processor Time

This is the total percentage of time that the server’s CPU is doing useful work (asopposed to idle threads). Examine this counter over a period of typical usage ratherthan worrying about spikes in activity. The average value of the %Processor Timeshould usually be less than 70%. If CPU activity is excessive, examine othercounters to make sure the server does not need memory or additional disk capacitybefore deciding you need additional CPU capacity. If the server is truly CPU bound,then the solution may be to move some Exchange roles or mailboxes to anadditional Mailbox server. If a server does appear to have a CPU bottleneck, you canuse the Process object’s %Processor Time counter to isolate which process is usingthe most CPU time; for this counter, select the process instances you are interestedin monitoring.

Memory/AvailableMBytes

Shows the total amount of unused RAM. All versions of Exchange Server lovephysical memory. Exchange Server 2007 can consume just about as much memoryas you can throw at it. This additional memory will improve performance byallowing more and more data to be cached in RAM, thus reducing dependencies ondisk I/O. If you see the Available MBytes counter reporting that there is less than10% of the total amount of RAM available, you should consider adding additionalRAM.

Memory/Pages/sec The Pages/sec counter indicates the number of times per second that Windows goesto the page file to store or retrieve information that is in virtual memory. Pagingcan harm performance since disk access is significantly slower than RAM access.Specific maximum recommended paging values for the Pages/sec counter may varywidely depending on who is making the recommendation. In general, we considersustained values of more than 10 pages/sec to be excessive. Additional physicalRAM is usually the answer to reducing paging, though faster hard disks to supportthe page file may also provide better throughput for paging.


Table 6.1: Operating System Performance Counters and RecommendedThresholds (CONTINUED)


TCPv4/SegmentsRetransmitted/sec

This counter shows the number of TCP segments that have had to be retransmittedeach second. If you find that the value of this counter is greater than 5% of the totalTCPv4/Segments Sent/sec counter, then you may have network problems such asrouters that are congested or switching problems. Each of these things can causedropped or lost packets. Always check your network card configurations to makesure they are connected and make sure your network drivers are up-to-date, butthis problem is almost always related to the physical infrastructure of your network.

Database/DatabaseCache % Hits

This is an Exchange Server–specific counter for the ESE database engine that tellsyou what percentage of disk requests are serviced from cache rather than from thedisk. This value should be as high as possible (greater than 95%). The lower thevalue, the more of a disk I/O burden Exchange places on the disk subsystem.Increasing the available RAM on a server can improve the Database Cache % Hitsratio.

Database/LogRecord Stalls/sec

This is an Exchange Server–specific counter for the ESE database engine that tellsyou if the ESE database engine is having to wait because the log buffers are full.Increasing the log buffer size may correct this, or you can increase the amount ofmemory in the server. Increasing the memory may reduce the amount of I/Ooperations that are necessary. If the server has sufficient memory, then improvingthe speed of the disk subsystem may be the next move. Moving transaction log fileto dedicated spindles can help, as can increasing the I/O capacity of the disks thatare used by the transaction logs. On servers that are hosting multiple server roles,moving roles that are disk intensive (such as the Mailbox and Hub Transport roles)to different servers can reduce the I/O load on the disk subsystem.

LogicalDisk/ %DiskTime

This counter reports how busy the disk is performing read and write operations.This is one of those counters that should be monitored over a period of typicalactivity. This value should not exceed 75% average utilization during this time. Ifdisk usage is excessive, adding physical memory or additional disk I/O capacity canhelp, as can moving data or transaction logs off to other physical disks.

LogicalDisk/Avg.Disk Queue Length

The average disk queue length is the number of requests waiting in the disk queueto either be written to the disks or read from the disk. This is another value thatshould be monitored over a period of average activity rather than looking at a singlepoint in time. The value should not be more than 2 over a sustained period ofactivity. Larger values may indicate that the disk subsystem is not able to keep upwith the disk I/O requirements. If disk usage is excessive, adding physical memoryor additional disk I/O capacity can help, as can moving data or transaction logs offto other physical disks.

MSExchangeIS/RPCAveraged Latency

The RPC Averaged Latency counter reports the latency of remote procedure callsthat are serviced by the information store. The value is the average if the RPClatency of the last 1,024 RPC packets; the value displayed is in milliseconds. Ingeneral, it should not exceed 50 milliseconds. Insufficient server resources can oftencause this value to be too high, but it is more frequently due to network problems.

(CONTINUED)


Table 6.1: Operating System Performance Counters and RecommendedThresholds (CONTINUED)


MSExchangeIS/RPCRequests

The RPC Requests counter reports the number of remote procedure call requeststhat are currently being serviced by the information store. The information storeservice can service a maximum of 100 requests and this value should usually notexceed 30 requests. Insufficient Exchange Server resources (either memory or I/Ocapacity) usually contribute to the server accumulating RPC requests. If RPCrequests are not being serviced in a timely manner, the RPC Averaged Latencycounter value will also increase.

NetworkInterface/BytesTotal/sec

Bytes Total per second indicates the total data transfer rate of the network adapter.For 100MB network adapters, this value should be below approximately6MB/second. For 1GB network adapters, this value should be below 60MB/second.If these values are exceeded, it may indicate that the network is a bottleneck or theserver is under too much load. Installing additional servers and moving mailboxesor server roles may alleviate this condition. Upgrade to 1GB adapters and switchesfor the network segment that hosts the Exchange servers with only 100MB networkadapters. Additional network adapters can also alleviate performance problems bylocating clients on one network segment and Active Directory resources on adifferent network segment.

MSExchangeADAccess DomainControllers/LDAPRead Time

The LDAP read time is the time (in milliseconds) that it takes to send an LDAPquery and receive a response. For this counter, there are multiple instances (each aseparate domain controller). The value of this counter should stay below 50ms onaverage. If it is higher than this on a sustained basis, you have a domain controllerbottleneck. Adding additional domain controllers, adding additional memory toexisting domain controllers, or replacing 32-bit Windows domain controllers with64-bit domain controllers may help. Of course, poor network performance can alsocause this counter to be high; local domain controllers are always preferred todomain controllers in another Active Directory site.

MSExchangeADAccess DomainControllers/LDAPSearch Time

The LDAP search time is the amount of time (in milliseconds) that it takes to sendan LDAP search to a domain controller and then receive a response. Performancecharacteristics for this counter are the same as the LDAP Read time mentionedearlier.

Adding More Mailbox StorageA common way to improve the scalability of mailbox servers is to add additional storage groupsand mailbox databases. While this might not improve overall server performance or a user’sperceived response time, it allows you to break up the amount of data you are storing andplace it across multiple smaller mailbox databases. In turn, this allows you to support largermailboxes. Keep in mind as you increase the number of mailboxes that each Mailbox server

ADDING MORE MAILBOX STORAGE 175

supports, increasing the amount of RAM will help improve performance and reduce the diskI/O profile.

When creating additional mailbox databases, you should plan to place each storage group’stransaction logs on separate disk spindles from the database files. This can help improveperformance as well as recoverability.

In the following section, we will show you how first create a new storage group and then createa database in that storage group.

Managing Storage GroupsCreating a new storage group is a simple process in either the Exchange Management Console(EMC) or the Exchange Management Shell (EMS). Storage groups for each Mailbox server roleare created and managed from within the EMC within the Mailbox subcontainer of the ServerConfiguration work center. Figure 6.5 shows the Mailbox subcontainer of the Server Configurationwork center along with the Database Management work pane.

Figure 6.5

Managing storage groupsand mailbox databasesusing the ExchangeManagement Console

All EMC-based storage group, mailbox database, and public folder database management isperformed through the Database Management pane. However, the Database Management paneis shown below the Results pane only if you have selected the Mailbox subcontainer. The EMCActions pane is the on the right side of the EMC interface and gives you access to the followingstorage group management tasks:

◆ Creating a new storage group

◆ Moving existing storage group files

◆ Creating a database (mailbox or public folder) within the storage group



You can also retrieve a list of storage groups using the Get-StorageGroup EMS cmdlet. Hereis an example:

[PS] C:\>Get-StorageGroup

Name Server Replicated Recovery---- ------ ---------- --------First Storage Group HNLEX03 None FalsePublic Folder SG HNLEX03 None FalseEngineering Mailboxes SG HNLEX03 None FalseExecutives SG HNLEX03 None False

We could have narrowed the scope of that query using the Where cmdlet so that only the storagegroups from a specific server are listed. Here is an example that lists only the storage groups onserver HNLEX03:

Get-StorageGroup | where {$ .Server -eq ”HNLEX03”}

To create a new storage group, chose the New Storage Group task from the Actions pane torun the New Storage Group Wizard. The wizard is quite simple and has only two pages; the NewStorage Group page (shown in Figure 6.6) prompts for the name of the storage group, the path tothe transaction log files, and the path to the system files.

Figure 6.6

Creating a newstorage group using theExchange ManagementConsole


You can also enable local continuous replication when you create the storage group, but wewill come back and do that later. Notice also in Figure 6.6 that we are selecting the default locationfor the transaction logs and system files. We will come back and move them later.

When you click the New button on the New Storage Group Wizard, the task is executed andthe new storage group is created; the EMS cmdlet that is executed is the New-StorageGroupcmdlet. The Completion page shows the EMS command that was executed to create this storagegroup:

New-StorageGroup -Server ’HNLEX03’ -Name ’Executives SG’-LogFolderPath ’C:\Program Files\Microsoft\Exchange

Server\Mailbox\Executives SG’ -SystemFolderPath’C:\Program Files\Microsoft\Exchange Server\Mailbox\Executives SG’

Now that the storage group is created, the first thing you should do is move the transaction logand system files to an alternate path. This can also be accomplished via the EMC or the EMS. Inthe EMC, you just need to select the storage group you want to move and then choose the MoveStorage Group Path task from the Actions pane. The Introduction page of the Move Storage GroupPath task is shown in Figure 6.7.

Figure 6.7

Moving a storagegroup’s transaction logsand system files

The only information that is required to move the storage group is the new location of the logfiles path and/or the system files path. When you click the Move button, the task is executed. TheEMS cmdlet Move-StorageGroupPath sets the storage group’s path and moves the existing system


and/or log files. The following command was executed:

move-StorageGroupPath -Identity ’HNLEX03\Executives SG’-LogFolderPath ’C:\Executives-SG-Logs’-SystemFolderPath ’C:\Executives-SG-Logs’

However, if no mailbox stores have been created and mounted in the storage group, then therewill be no system or transaction log files. The wizard will actually tell you this if it does not findany files. Therefore, you would need to run a slightly modified version of the cmdlet since thefiles do not need to be moved. You would need to include the -ConfigurationOnly switch in thecommand line:

Move-StorageGroupPath ’HNLEX03\Executives SG’-LogFolderPath ’C:\Executives-SG-Logs’ -SystemFolderPath

’C:\Executives-SG-Logs’ -ConfigurationOnly -Confirm:$False

You can view the properties of the storage group by selecting it in the Database Managementwork pane and then selecting the Properties task on the Actions pane. In this case there are twoProperties tasks on the Actions pane, so select the one in the storage group portion of the pane.

The storage group properties are shown in Figure 6.8. From here you can change the storagegroup’s display name or enable circular logging. Circular logging tells the Exchange databaseengine not to keep more than a few of the previous transaction log files. Enabling circular loggingwill prevent up-to-the minute recoverability of databases from a restore since there will not beenough transaction logs available after the most recent backup.

The storage group’s properties also include the transaction log path, the system files path, thelog file prefix, and the date on which the storage group was last modified. The log file prefix isused when creating log files for this storage group; this is a system-assigned value and cannot bechanged. In the case of the storage group shown in Figure 6.8, the log file prefix is E03; a samplelog filename would look like this: E03000011A0.log.

You can also retrieve the storage group’s properties using the Get-StorageGroup cmdlet. Thefollowing example shows all of the properties of the Executives SG storage group:

[PS] C:\>Get-StorageGroup ”Executives SG” | FL

LogFolderPath : c:\executives-SG-LogsSystemFolderPath : c:\executives-sg-LogsCircularLoggingEnabled : FalseZeroDatabasePages : FalseLogFilePrefix : E03LogFileSize : 1024RecoveryEnabled : TrueOnlineDefragEnabled : TrueIndexCheckingEnabled : TrueEventLogSourceID : MSExchangeISLogCheckpointDepth : 20971520CommitDefault : FalseDatabaseExtensionSize : 256PageFragment : 8PageTempDBMinimum : 0


Server : HNLEX03ServerName : HNLEX03CopyLogFolderPath :CopySystemFolderPath :Recovery : FalseName : Executives SGReplicated : NoneHasLocalCopy : FalseMinAdminVersion : -2147453113AdminDisplayName :ExchangeVersion : 0.1 (8.0.535.0)DistinguishedName : CN=Executives

SG,CN=InformationStore,CN=HNLEX03,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Volcano Surfboards,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=volcanosurfboards,DC=comIdentity : HNLEX03\Executives SGGuid : 772e9d5a-0b82-4cdc-867b-8922ed55215fObjectCategory : volcanosurfboards.com/Configuration/Schema/ms-Exch-Storage-GroupObjectClass : {top, container, msExchStorageGroup}WhenChanged : 12/6/2006 7:35:13 PMWhenCreated : 12/6/2006 7:13:46 PMOriginatingServer : HNLDC01.volcanosurfboards.comIsValid : True

Many of these values can be changed by the Set-StorageGroup cmdlet. If you want to enablecircular logging, you would type this command:

Set-StorageGroup ”Executives SG” -CircularLoggingEnabled:$True

Managing Mailbox DatabasesNow that we have created a storage group, we can create a new database in it. While bothExchange Server 2007 Standard Edition and Enterprise Edition allow up to five mailbox databasesin a storage group, we are going to limit our examples to a single mailbox database per storagegroup. This is the Microsoft recommendation, and one mailbox database per storage group is alsoa requirement of local continuous replication.

You can view the current mailbox database for each server using the EMC, or you can use theGet-MailboxDatabase cmdlet to list all of the mailbox databases in the entire organization:

Get-MailboxDatabase

Name Server StorageGroup Recovery---- ------ ------------ --------Mailbox Database HNLEX03 First Storage Group FalseEngineering Mailb... HNLEX03 Engineering Mailb... FalseExecutives HNLEX03 Executives SG False


Figure 6.8

Viewing a storagegroup’s properties

Of course, you can narrow the scope of this output to just a specific server or a specific storagegroup using the Where cmdlet. Here are two examples:

Get-MailboxDatabase | Where {$ .Server -eq ”HNLEX03”}Get-MailboxDatabase | Where {$ .StorageGroupName -eq ”Executives SG”}

Tip

When creating a new mailbox database, name the database something that is standardized anddescriptive. Making sure the filename matches the display name of the database will ensure that itis easier to manage.

To create a new mailbox database, highlight the storage group in which you want the mailboxdatabase to be created and select the New Mailbox Database task from the Actions pane. Thislaunches the New Mailbox Database Wizard that is shown in Figure 6.9. All that is required tocreate a new mailbox database is to provide the name; the path will automatically be completedand the database’s EDB file will be put in the same path as the transaction logs.


Figure 6.9

Creating a newmailbox databaseusing the ExchangeManagement Console

Ideally, you should click the Browse button and select a correct location for the mailboxdatabase now, but we will show you how to move the mailbox database here shortly.

Note

Exchange 2000/2003 administrators may notice that the database has only an EDB file. Exchange2007 does not have an STM file; each Exchange 2007 database consists of a single EDB file.

The wizard will also mount the database once the wizard creates the configuration for thedatabase. This will initialize a new empty database file. The resulting commands are as fol-lows; the New-MailboxDatabase cmdlet is used in the command to create the database and theMount-Database cmdlet is used in the command to mount the database:

New-MailboxDatabase -StorageGroup ’CN=ExecutivesSG,CN=InformationStore,CN=HNLEX03,CN=Servers,

CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Volcano Surfboards,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=volcanosurfboards,DC=com’ -Name ’Executives’-EdbFilePath ’c:\executives-sg-logs\Executives.edb’

Mount-Database -Identity ’CN=Executives,CN=ExecutivesSG,CN=InformationStore,CN=HNLEX03,CN=Servers,

CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Volcano Surfboards,CN=Microsoft

Exchange,CN=Services,CN=Configuration,DC=volcanosurfboards,DC=com’


Notice that when the database was created, the distinguished name of the storage group wasused. However, if the storage group and database names were unique, you could also specifythese commands:

New-MailboxDatabase -StorageGroup ’Executives SG’ -Name ’Executives’-EdbFilePath ’c:\executives-sg-logs\Executives.edb’

Mount-Database ’Executives’

We created the database in the default path so we could illustrate the process of moving it.Using the EMC, we can move the database by choosing the Move Database Path task in the Actionspane. The only thing that needs to be provided in the Move Database Path Wizard is the newlocation of the database file.

When you specify that you are about to move the database, you are warned that the databasewill be dismounted while the files are being copied and that it will be inaccessible.

The amount of time that it takes to move the database file will depend both on the size of thedatabase file and the speed of the disk subsystem. Once the file is moved, the Completion page ofthe Move Database Path Wizard will show the EMS command that was used to move the databasefile. Here is an example:

Move-DatabasePath -Identity ’HNLEX03\Executives SG\Executives’-EdbFilePath ’D:\Executives-SG-DB\Executives.edb’

Now let’s look at some of the properties of a mailbox database. Figure 6.10 shows the Generalproperty tab of the mailbox database property page. At the top is the display name of the mailboxdatabase. From here, you can rename the database if you need to conform to a new databasenaming standard. The path to the database is shown, but you cannot change the path here; youmust use the Move-MailboxDatabase cmdlet or the Move Database Path task. The database copypath is set when you configure local continuous replication.


Figure 6.10

General property page ofa mailbox database

There is a lot of dynamic information on the General property page of a mailbox database aswell. This includes:

◆ The last full backup indicates the last time a full or normal backup was run using an ExchangeAPI–based backup solution. Transaction logs would have also been purged at that time.

◆ The last incremental backup indicates the last time an incremental backup was run. Thisbackup type will back up the storage group’s transaction logs and then it purges them.

◆ The status indicates if the database is mounted or dismounted.

◆ The Modified field shows the date and time the database properties in Active Directorywere last changed.

The Journal Recipient option allows you to specify a journaling recipient for all mailboxeslocated on this mailbox database. If this is enabled, a copy of any message or delivery receipt sentor received by a mailbox on this system will be sent to the journal mailbox.

The Maintenance Schedule drop-down list (or Customize button) allows you to specify whenonline maintenance is scheduled for this particular database. Online maintenance includes purg-ing deleted items permanently from the mailbox database, purging deleted mailboxes perma-nently from the database, verifying that mailboxes on the database are all connected to an Active


Directory account, cleaning up unused folder views, and rearranging white space. Onlinemaintenance must complete periodically, otherwise the database will be come less and lessefficient and the database file will continue to grow since the deleted items and mailboxes willnever be completely purged.

The Do Not Mount This Database at Startup check box allows the administrator to prevent thedatabase from being mounted after the information store service is restarted. This might be usefulwhen the administrator wants to make the mailbox databases available one or two at a time ratherthan all at once.

The This Database Can Be Overwritten by a Restore check box is used when you must restorea database file from an offline backup. An offline backup occurs when the database file itself isbacked up, such as making a file copy of the database file. This has no effect when restoring adatabase backup that was made from an online backup.

The next tab on a mailbox database property page is the Limits property page. We will look atdifferent ways to establish limits on mailbox database in Chapter 9, ‘‘Imposing Limits and Why,’’but let’s do a quick review here (see Figure 6.11).

The Storage Limits section allows you to specify the amount of storage that the mailbox isallowed to have. What you see in Figure 6.11 are the storage limit defaults; administrators ofprevious versions will be surprised to learn that newly created mailbox databases have defaults.Everyone will be surprised to see the actual default values:

◆ Issue Warning at (KB) is set to 1,991,680KB. When a mailbox reaches this limit, the user willbe sent an e-mail message that informs them that they have reached a limit on their mail-box and they should clean up some data in it.

◆ Prohibit Send at (KB) is set to 2,097,152KB. Once the mailbox hits this limit, user will beunable to send new messages or reply to existing messages. Both Outlook and OutlookWeb Access will inform the user if they try to send a message and they are over this limit.

◆ Prohibit Send and Receive at (KB) is set to 2,411,520KB. When a mailbox exceeds this limit,the mailbox is closed or disabled. Even though the user can access the mailbox, the serverwill not allow the user to send new messages or reply to existing messages. In addition, themailbox will not receive any incoming mail from other Exchange users or from outside ofthe organization.

Outlook Web Access has a neat new feature that will inform the user of how close they areto their limit or if they are over their limit. Simply move your mouse pointer over the top of themailbox in the folder listing pane of Outlook Web Access and you will see a pop-up box similar toone of the ones shown here.


Figure 6.11

Setting limits on amailbox database

The limit that you see in this message is the Prohibit Send at (KB) limit, not the Prohibit Sendand Receive at (KB) limit.

The Warning Message Interval drop-down list is the interval at which Exchange generates awarning message informing users that they are over their Issue Warning limit. By default, this issent once daily at 1:00 a.m. local time. You can customize this to another time, but be careful. TheSchedule dialog box (shown in Figure 6.12) has a detail view option of either 1 hour or 15 minutes.

When using any schedule box that has a 1 hour and a 15 minute view, switch to the 15 minuteview to set a schedule. If you select an entire hour, then whatever process you are scheduling willrun four times per hour. In this case, if you select an entire hour, a warning message will be sentto all mailboxes over their warning limit four times per hour. The users would not be amused. Anexample of the warning message is shown in Figure 6.13.

The Deletion Settings section of the Limits tab allows you to configure how long the serverwill retain deleted items for this mailbox and how long the server will retain a mailbox once it isdeleted. The Keep Deleted Items for (Days) options specifies how many days the Exchange serverwill keep items that have been deleted either from the Deleted Items folder or via a hard delete(Shift+Delete) from another folder. Once a message has been in the deleted item cache for longerthan this period (14 days by default for Exchange 2007), the user will no longer be able to retrievethe message using the Outlook Recover Deleted Items feature.


Figure 6.12

Using the CustomizeSchedule dialog box

Figure 6.13

Warning message a userreceives when theirmailbox exceeds theProhibit Send at (KB)limit


The Keep Deleted Mailboxes for (Days) option specifies how long the mailbox database willkeep a deleted mailbox before it is permanently purged. The default is 30 days and that is reason-able for most organizations. A mailbox can be recovered using the EMC’s Disconnected Mailboxfeature or via the EMS Connect-Mailbox cmdlet.

The Do Not Permanently Delete Items Until the Database Has Been Backed Up check box tellsthe server that it should not permanently purge an item or a mailbox until the mailbox databasehas been backed up. This ensures that a copy of the deleted item or deleted mailbox could berecovered from backup media if necessary.

The Client Settings tab of a mailbox store (shown in Figure 6.14) allows the administrator tospecify two configuration settings that affect the mailboxes on this store. The first is the DefaultPublic Folder Database setting; this field contains the name of the public folder database thatMAPI clients should connect to first when retrieving information about public folder hierarchy orcontent.

Figure 6.14

Client Settingsproperties of a mailboxdatabase

The other setting affects clients that work in offline mode or local cache mode. This is the OfflineAddress Book setting; here you specify which offline address book (OAB) a MAPI client shoulddownload. The default is the default offline address book; this OAB contains the default globaladdress list and is sufficient for most small and medium-sized businesses.


The properties we have just examined using the graphical user interface can also be exam-ined using the Get-MailboxDatabase cmdlet. The following is an example of retrieving mailboxdatabase properties and sending them to a formatted list:

Get-MailboxDatabase ”Executives” | FL

JournalRecipient :MailboxRetention : 30.00:00:00OfflineAddressBook : \Default Offline Address ListOriginalDatabase :PublicFolderDatabase : HNLEX03\Public Folder SG\Public FoldersProhibitSendReceiveQuota : 2355MBRecovery : FalseProhibitSendQuota : 2GBIndexEnabled : TrueAdministrativeGroup : Exchange Administrative Group (FYDIBOHF23SPDLT)AllowFileRestore : FalseBackupInProgress :CopyEdbFilePath :DatabaseCreated : TrueDescription :EdbFilePath : D:\Executives-SG-DB\Executives.edbExchangeLegacyDN : /o=Volcano Surfboards/ou=Exchange Administrative

Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=HNLEX03/cn=Microsoft Private MDBHasLocalCopy : FalseDeletedItemRetention : 14.00:00:00LastFullBackup :LastIncrementalBackup :MaintenanceSchedule : {Sun.1:00 AM-Sun.5:00 AM, Mon.1:00 AM-Mon.5:00AM,Tue.1:00 AM-Tue.5:00 AM, Wed.1:00 AM-Wed.5:00 AM, Thu.1:00 AM-Thu.5:00 AM,Fri.1:00 AM-Fri.5:00 AM, Sat.1:00 AM-Sat.5:00 AM}MountAtStartup : TrueMounted :Organization : Volcano SurfboardsQuotaNotificationSchedule : {Sun.1:00 AM-Sun.1:15 AM, Mon.1:00 AM-Mon.1:15AM,Tue.1:00 AM-Tue.1:15 AM, Wed.1:00 AM-Wed.1:15 AM, Thu.1:00 AM-Thu.1:15 AM,Fri.1:00 AM-Fri.1:15 AM, Sat.1:00 AM-Sat.1:15 AM}RetainDeletedItemsUntilBackup : FalseServer : HNLEX03ServerName : HNLEX03StorageGroup : HNLEX03\Executives SGStorageGroupName : Executives SGIssueWarningQuota : 1945MBEventHistoryRetentionPeriod : 7.00:00:00Name : ExecutivesMinAdminVersion : -2147453113AdminDisplayName : ExecutivesExchangeVersion : 0.1 (8.0.535.0)

LOCAL CONTINUOUS REPLICATION 189

DistinguishedName : CN=Executives,CN=Executives SG,CN=InformationStore,CN=HNLEX03,CN=Servers,CN=ExchangeAdministrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Volcano Surfboards,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=volcanosurfboards,DC=comIdentity : HNLEX03\Executives SG\ExecutivesGuid : 99c3570b-d19b-493b-aec6-4da1b2c3bbb3ObjectCategory : volcanosurfboards.com/Configuration/Schema/ms-Exch-Private-MDBObjectClass : {top, msExchMDB, msExchPrivateMDB}WhenChanged : 12/6/2006 8:32:31 PMWhenCreated : 12/6/2006 8:27:15 PMOriginatingServer : HNLDC01.volcanosurfboards.comIsValid : True

Not all of these properties that you see in the output of the Get-MailboxDatabase cmdletcan be changed, of course. The mailbox database location must be changed using the Move-MailboxDatabase cmdlet and some of these are system properties.

The properties that you are able to change can be changed through the EMS using the Set-MailboxDatabase cmdlet. For example, to change the Prohibit Send At (KB) quota to 100MB, youwould type this:

Set-MailboxDatabase ”Executives” -ProhibitSendQuota:100MB

Local Continuous ReplicationLocal continuous replication (LCR) is one of the most promising features of Exchange 2007. Thekey point of LCR is to allow you to have a nearly completely replicated copy of the currentdatabase on the local server. In a situation where the production database is no longer functioning,the administrator can switch from the production database to the LCR database.

LCR is enabled on a per-storage group basis and the storage group cannot have more than onemailbox or public folder database. When first enabled, LCR creates a seeded copy of the currentdatabase; at the point of creation, the LCR database that was seeded will be the same as the pro-duction database. As transactions are committed to the production database, the transaction logsare filled. When a transaction log fills up, LCR copies the transaction log file to the LCR transactionlog location for that particular storage group. The log is then replayed into the LCR copy of thedatabase; Microsoft calls the LCR database the ‘‘passive’’ copy of the database. At any given time,the LCR database should be within one transaction log of being completely synchronized. If thedatabase is dismounted, the LCR database becomes fully synchronized.

Tip

Local continuous replication is one of the reasons that the Exchange database transaction log file sizewas reduced from 5MB to 1MB. This ensures that transactions are committed to the LCR databasemore quickly.

The advantage of this is that it reduces the amount of time necessary to restore a database frombackup to practically no time at all. This will allow you to safely support larger and larger database


sizes and still maintain good recoverability and recover times. Still, supporting LCR is not a licenseto have 5TB mailbox databases since you still have to worry about a situation in which you mighthave to completely rebuild the server or the entire disk subsystem. Databases still have to be backedup to an alternate media even if you do have LCR copies. Further, the database size show not be solarge that nightly online maintenance cannot be completed at least once every week.

Microsoft recommends mailbox databases of no more than 100GB without LCR and mailboxdatabases of up to 200GB with LCR.

Tip

Local continuous replication provides you with a locally backed-up copy of databases. If the entireserver fails or must be rebuilt, you still have to restore data from an alternate media. Keep this inmind when planning for database sizes.

One additional possible advantage to using LCR is that you can streamline your backup pro-cess. Streaming backups and volume shadow copy (VSS) backups of production databases canadversely affect performance during the backup windows. Backup windows have to be preciselycalculated in order to ensure that online maintenance is completed at least once week for eachdatabase.

An alternate backup approach for Exchange is to use LCR to keep a completely synchronizedcopy of the production database and then to use a VSS backup of the LCR database. As long asthe LCR copy of the database is on different spindles from the production database, the VSS backshould not noticeably affect the I/O on the production database disk.

Requirements for Local Continuous ReplicationThere are some requirements that you need to plan for when you implement LCR. These includeensuring that you have adequate server capacity and that your storage groups are configuredproperly. Here are some tips when planning to implement LCR:

◆ Implementing LCR will generally increase the amount of CPU and memory capacity ona server by at least 30 to 40 percent. Do not implement LCR on a server that is already onthe border of having performance problems. Move mailboxes or server roles to anotherserver to lighten the load on a mailbox server on which you are planning to enable LCR.

◆ For the best level of recoverability and performance, LCR databases and transaction logsshould be on separate physical disks or separate logical units (LUNS if you using a SAN)from the production databases and logs.

◆ Sufficient disk capacity must exist for LCR databases and transaction logs. If you have500GB of available disk space for the production databases, your LCR database will needto be the same size. The disks that host the LCR databases and transaction logs should becapable of the same I/O capacity as the production databases.

◆ On heavily loaded mailbox servers, you may run out of drive letter capacity when addingLCR databases and transaction logs. Volume mount points can be used in this instance.

◆ Storage groups can have no more than one mailbox or public folder database each.

◆ Only one public folder database in an entire Exchange organization can be replicated withLCR. The LCR solution for organizations with more than one public folder database is touse public folder replication.


◆ It is more efficient to start using LCR immediately after you create a storage group andmailbox database. Enabling LCR for an existing storage group and database will takelonger if the database file size is large.

If you can’t meet the prerequisites for LCR, then you should look at improving the capacityof your server resources and configuration prior to starting. If a server is not configured with theproper capacity, you will find that you make performance problems worse.

Configuring Local Continuous ReplicationConfiguring LCR is pretty simple to do and it can be done via the Exchange Management Console(EMC) or the Exchange Management Shell (EMS). We will take you through a configuration ofLCR using the EMC and then cover the necessary EMS steps to accomplish the same tasks.

To enable a storage group to use LCR via the EMC, you can use a wizard. In the EMC, locatethe storage group in the Server Configuration work center and under the Mailbox subcontainer.Highlight the server name in the Results pane and then locate the storage group in the Work pane.Select the Enable Local Continuous Replication task in the Actions pane; this runs the EnableStorage Group Local Continuous Replication Wizard. The Introduction page of this wizard isshown in Figure 6.15.

Figure 6.15

Starting the EnableStorage Group LocalContinuous ReplicationWizard

All you have to do on the Introduction page of the wizard is confirm the storage group nameand confirm that there is only a single database in the storage group. The database list is labeled‘‘Database Names,’’ but the wizard will stop you later if the storage group has more than onedatabase.

Just like creating a storage group, you must define the location of the transaction log files andthe system files. On the Set Paths page (shown in Figure 6.16), you must specify the LCR paths


for the transaction logs and system files. Ideally, these paths should be on a separate physical diskfrom the original transaction logs, the original database, and the LCR database.

Figure 6.16

Specifying LCR pathsfor transaction logs andsystem paths

The screen capture shown in Figure 6.17 shows the Engineering Mailboxes page of the EnableStorage Group Local Continuous Replication Wizard. This page is unique to the database con-tained in the storage group you have selected and thus will usually be different depending on thedatabase that appears in the Database Names field.

On the Engineering Mailboxes page, the only thing you can specify is the location of the LCRdatabase. Ideally, like the LCR path for the system and transaction log files, this should pathshould be on a separate physical disk from the original database and transaction log files as wellas the LCR transaction log and system files.

The Enable page of the wizard simply shows the configuration summary of what tasks areabout to be performed.

Once the Enable button is clicked on the Enable page, the Enable-DatabaseCopy and Enable-StorageGroup copy cmdlets are used to enable LCR for this storage group and database. Thefollowing are the commands that are actually executed by the wizard:

Enable-DatabaseCopy -Identity ’HNLEX03\Engineering MailboxesSG\Engineering Mailboxes’

-CopyEdbFilePath ’D:\Engineers-Mailboxes-LCR\Engineering Mailboxes.edb’

Enable-StorageGroupCopy -Identity ’CN=Engineering Mailboxes SG,CN=InformationStore,CN=HNLEX03,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),


CN=Administrative Groups,CN=Volcano Surfboards,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=volcanosurfboards,DC=com’-CopyLogFolderPath ’D:\EngineersSG-LCR’-CopySystemFolderPath ’D:\EngineersSG-LCR’

Figure 6.17

Specifying a path for theLCR database

Notice that the fully qualified distinguished name was used in the Enable-StorageGroupCopycommand to identify the storage group name. To help you disseminate and decode what wasdone, here is a summary of the configuration parameters used to enable LCR for the storage groupand database:

Storage group name Engineering Mailboxes SG

Database name Engineering Mailboxes

LCR transaction logs path D:\EngineersSG-LCRLCR system files path D:\EngineersSG-LCRLCR database path D:\Engineers-Mailboxes-LCR

Managing Local Continuous ReplicationOnce LCR is enabled for a storage group, there are a few management tasks that you may need toperform. Management tasks for LCR include checking the health of a storage group’s replication,suspending replication, resuming replication, and resynchronizing (aka reseeding) the entiredatabase.

Health Checks

Now that storage group replication is enabled, you can confirm that it is working in a number ofdifferent ways.The first is just to look at the listing of storage groupsanddatabasesnames in the Workpane. Notice for the Engineering Mailboxes SG that the value in the Copy Status column is Healthy.


Here are the possible status values you may see in the Copy Status column (or in theSummaryCopyStatus property when you use the EMS cmdlet):

◆ Healthy means that LCR is working normally and data is replicating and being committedto the LCR copy of the database.

◆ Disabled means that LCR is not configured.

◆ Suspended means that an operator has temporarily stopped replication.

◆ Seeding means that the production database is being copied to the LCR location.

◆ Failed means that something has failed during the replication process and there may beproblems with the configuration, logs, or database. Consult the event logs.

◆ Not Supported means that the current configuration does not support or allow LCR.

Using the EMS cmdlet Get-StorageGroupCopyStatus, you can retrieve more useful anddetailed information about the LCR status of a particular storage group. Here is an example:

Get-StorageGroupCopyStatus ”Engineering Mailboxes SG” | Format-List

Identity : HNLEX03\Engineering Mailboxes SGStorageGroupName : Engineering Mailboxes SGSummaryCopyStatus : HealthyCCRTargetNode :Failed : FalseFailedMessage :Seeding : FalseSuspend : FalseSuspendComment :CopyQueueLength : 2ReplayQueueLength : 9LatestAvailableLogTime : 12/10/2006 11:39:27 PMLastCopyNotificationedLogTime : 12/10/2006 11:39:27 PMLastCopiedLogTime : 12/10/2006 11:39:26 PMLastInspectedLogTime : 12/10/2006 11:38:45 PMLastReplayedLogTime : 12/10/2006 11:33:18 PMLastLogGenerated : 1768LastLogCopyNotified : 1768LastLogCopied : 1767LastLogInspected : 1766LastLogReplayed : 1757LatestFullBackupTime : 11/25/2006 12:05:57 PMLatestIncrementalBackupTime : 12/4/2006 8:46:09 PMSnapshotBackup : FalseIsValid : TrueObjectState : Unchanged

Suspending and Resuming Replication

There is really not much that you need to do to an LCR database once it is replicating. If you haveto do maintenance on the disk on which LCR is running or if you want to stop all replication,


you can highlight the storage group that is running LCR and click Suspend Local ContinuousReplication in the Actions pane. When you choose to suspend LCR, you are prompted for a reason.Simply type a reason and click Yes.

To resume LCR on the storage group, select the storage group and then click Resume LocalContinuous Replication in the Actions pane. You will be prompted to confirm that this is whatyou want to do and you will see the reason that LCR was suspended previously.

You can accomplish the same thing using the Suspend-StorageGroupCopy and Resume-StorageGroupCopy cmdlets:

Suspend-StorageGroupCopy ”Engineering Mailboxes SG” -SuspendComment ”LCR disk maintenance on December 12” -Confirm:$False

Once LCR is suspended, you can confirm it also using the Get-StorageGroupCopyStatuscmdlet, as you can see in this example:

get-storagegroupcopystatus ”Engineering Mailboxes SG” |FL Identity,StorageGroupName,SummaryCopyStatus,SuspendComment

Identity : HNLEX03\Engineering Mailboxes SGStorageGroupName : Engineering Mailboxes SGSummaryCopyStatus : SuspendedSuspendComment : LCR disk maintenance on December 12

The Application event log will contain event ID 2083 from the MSExchangeRepl service indi-cating that replication for the storage group has been suspended:

Event Type: InformationEvent Source: MSExchangeRepl


Event Category: ActionEvent ID: 2083Date: 12/10/2006Time: 11:50:58 PMComputer: HNLEX03Description:Replication for storage group HNLEX03\Engineering Mailboxes SG has been suspended.

Tip

If you suspend LCR during busy times for your server, expect to have a lot of logs that need to bereplayed when you resume LCR.

When you are ready to resume LCR for that storage group, you can use the Resume-StorageGroupCopy cmdlet:

Resume-StorageGroupCopy ”Engineering Mailboxes SG”

The Resume-StorageGroupCopy cmdlet starts the log files copying and replaying once againand it clears the SuspendComment property. When LCR is restarted, you will see the followingevent information in the Application event log:

Event Type: InformationEvent Source: MSExchangeReplEvent Category: ActionEvent ID: 2084Date: 12/11/2006Time: 8:04:24 AMComputer: HNLEX03Description:Replication for storage group HNLEX03\Engineering Mailboxes SG has been resumed.

You will also see events in the event log indicating that the log files have started copying (eventID 2114) and log files have started replying (event ID 2115). These are normal andexpected:

Event Type: InformationEvent Source: MSExchangeReplEvent Category: ServiceEvent ID: 2115Date: 12/11/2006Time: 8:05:08 AMComputer: HNLEX03Description:The replication instance for storage group Engineering Mailboxes SGhas started replaying logfiles. Logfiles up to generation 1788have been replayed.


Resynchronizing Local Continuous Replication

Under some circumstances, it may be come necessary to resynchronize the database or tomanually resume replication. This operation is also called reseeding. This may be necessary ifyou created an LCR database before the original database was created, if you have performed anoffline defragmentation of the original database, if the LCR database gets deleted, or if the LCRdatabase becomes corrupted.

The only way to resynchronize the database is to use the EMS cmdlet Update-StorageGroupCopy. Prior to running this cmdlet, you should suspend LCR for the storage groupthat you are working on and then delete the LCR files (database and transaction log files) unlessyou are planning to use the -DeleteExistingFiles parameter. Here is an example:

Update-StorageGroupCopy ”Engineering Mailboxes SG” -DeleteExistingFiles

ConfirmContinuous replication seeding found an obsolete checkpoint’D:\EngineersSG-LCR\E02.chk’ file for storage group copy ’EngineeringMailboxes SG’. The checkpoint file will be deleted, and then thedatabase will be seeded if you confirm now.

[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help(default is ”Y”):y

ConfirmContinuous replication seeding found an existing target database’D:\Engineers-Mailboxes-LCR\Engineering Mailboxes.edb’ for storagegroup copy ’Engineering Mailboxes SG’. This target database will

be deleted, before seeding starts, if you confirm.[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help(default is ”Y”):y

This operation can take a fairly significant amount of time if the production database is large.Remember that it is making a copy of the production database. If you do this during a periodwhen the load on the Exchange server is typical, you may affect your end users’ response timeswhen they are using the server. We recommend you perform this operation during off-hours orperiods of low usage.

Recovery Using Local Continuous ReplicationThe reason you put LCR into operation in the first place is to allow you to very quickly bringonline a backup copy of the database. You would only need to do this if the production databasehas become corrupted. Database corruption is a tough topic to try to address in just a few lines,but we should state clearly here that as long as the production database is on a separate physicaldisk from the transaction logs, the LCR transaction logs, and the LCR copy of the database, thecorruption should not extend to the LCR copy of the database.

How will you know that your production database is corrupted? We can think of a couple ofsituations:

◆ Normal or full backups of the production database fail. Online backups of the databaseusing Exchange-aware backup software will perform a page-by-page check of the database


as it backs it up. If a page-level error is detected, the backup halts, the error is logged to thebackup log, and the error is logged to the Application event log.

◆ If corruption is detected during normal operations (for example, if the database enginereads a page of data that is corrupted), Exchange confirms that the page in the database isbad and logs an event to the Event Viewer.

◆ The database will not mount or reports errors when you try to mount it.

Figure 6.18

Errors found whenExchange Server readsa corrupted page fromthe database

Monitoring for potential errors in your production databases is something you should doregularly, or you should configure your monitoring system to monitor for specific errors in eitherthe Application event log (such as the one shown in Figure 6.18) or the backup logs such as theone shown here:

Backup started on 12/11/2006 at 8:47 PM.The ’Microsoft Information Store’ returned ’Error returned from anESE function call (d).’ from a call to ’HrESEBackupRead()’ additional data ’-’The ’MicrosoftInformation Store’ returned ’Error returned from an ESE function call


(d).’ from a call to ’HrESEBackupRead()’ additional data ’-’The operation was ended.Backup completed on 12/11/2006 at 8:47 PM.Directories: 0

Note in the case of the error shown in Figure 6.18 that the database was mounted and func-tioning. The error did not interfere with the normal functioning of the database but was rather asingle page in the database that could not be read properly. This error was probably due to thedisk subsystem, device driver, or firmware. It is unlikely that the problem would extend to theLCR copy of the database.

If you realize that your production database is corrupted, you can manually switch the LCRdatabase into production. This is done using the Restore-StorageGroupCopy cmdlet. Beforewe do an example, let’s look at the current location of the live database and logs as well as thelocations of the LCR files. Here are two quick ways to retrieve this information using the EMS:

[PS] C:\>Get-StorageGroup ”Engineering Mailboxes SG” | FL name,*path*

Name : Engineering Mailboxes SGLogFolderPath : D:\EngineersSGSystemFolderPath : D:\EngineersSGCopyLogFolderPath : D:\EngineersSG-LCRCopySystemFolderPath : D:\EngineersSG-LCR

[PS] C:\>Get-MailboxDatabase ”Engineering Mailboxes” | FL name,*path*

Name : Engineering MailboxesCopyEdbFilePath : D:\Engineers-Mailboxes-LCR\Engineering Mailboxes.edbEdbFilePath : D:\EngineersSG\Engineering Mailboxes.edb

There are two steps to switching over to using an LCR database instead of the original pro-duction database. The production database must be dismounted and then the LCR database/loglocations are swapped out. There are two approaches to ‘‘swapping out’’ the database. The first(and desired) approach is to copy the LCR database to the production database location. Here isan example:

[PS] C:\>Dismount-Database ”engineering mailboxes” -Confirm:$False[PS] C:\>Restore-StorageGroupCopy ”Engineering Mailboxes SG”

Base name: e02Log file: D:\EngineersSG\E0200000774.logCsv file: D:\EngineersSG-LCR\IgnoredLogs\q5cfbb2m.koe

Base name: e02Log file: D:\EngineersSG-LCR\E0200000774.logCsv file: D:\EngineersSG-LCR\IgnoredLogs\5p52d1ni.kxz

Integrity check passed for log file: D:\EngineersSG-LCR\inspector\E0200000775.logIntegrity check passed for log file: D:\EngineersSG-LCR\inspector\E0200000776.log


Integrity check passed for log file: D:\EngineersSG-LCR\inspector\E0200000777.logIntegrity check passed for log file: D:\EngineersSG-LCR\inspector\E0200000778.logIntegrity check passed for log file: D:\EngineersSG-LCR\inspector\E0200000779.logIntegrity check passed for log file: D:\EngineersSG-LCR\inspector\E02.logWARNING: Restore-StorageGroupCopy on Engineering Mailboxes SG was successful.All logs were successfully copied.

Once this is executed, you must manually copy it into the production location. You can do thisby just copying the files, or if the paths are the same but the drive letters are unique, you could sim-ply reassign the drive letters. For example, if the production database is onD:\EngineeringMailboxes and the LCR database is on E:\EngineeringMailboxes, you couldsimply tell the server that the D: drive is now the E: drive. The advantage to this approach isthat the documented locations of all of the database and storage group files remains the same.The downside to this is that the only Exchange data that could be on the D: and E: drives in thisexample would be that one database that is being swapped out.

The other way to swap out the database files is simply to swap out the locations; this is donewith the Restore-StorageGroupCopy cmdlet and the -ReplaceLocations option. Here is anexample:

[PS] C:\>Restore-StorageGroupCopy ”Engineering Mailboxes SG” -ReplaceLocationsBase name: e02Log file: D:\EngineersSG\E020000001F.logCsv file: D:\EngineersSG-LCR\IgnoredLogs\raobyk4o.lqt

Base name: e02Log file: D:\EngineersSG-LCR\E020000001F.logCsv file: D:\EngineersSG-LCR\IgnoredLogs\hosrmoec.5v1

Integrity check passed for log file: D:\EngineersSG-LCR\inspector\E02.logWARNING: The Restore-StorageGroupCopy operation for storage group copyEngineering Mailboxes SG was successful, and production pathswere updated. All logs were successfully copied.

The database can now be remounted, but it is now in use in a different location. We can confirmthis with the Get-StorageGroup and the Get-MailboxDatabase cmdlets. Notice also that LCR hasbeen disabled for this storage group after the Restore-StorageGroupCopy cmdlet was run:

[PS] C:\>Get-StorageGroup ”Engineering Mailboxes SG” | FL Name,*path*,HasLocalCopy

Name : Engineering Mailboxes SGLogFolderPath : D:\EngineersSG-LCRSystemFolderPath : D:\EngineersSG-LCRCopyLogFolderPath :CopySystemFolderPath :HasLocalCopy : False

[PS] C:\>Get-MailboxDatabase ”Engineering Mailboxes” | fl Name,HasLocalCopy,*path*

SUMMARY 201

Name : Engineering MailboxesHasLocalCopy : FalseCopyEdbFilePath :EdbFilePath : D:\Engineers-Mailboxes-LCR\Engineering Mailboxes.edb

The Microsoft online documentation makes a very good point that if you use the— ReplaceLocations parameter, you should make an effort to update your documentation to

reflect the new database location or move the database back to the original location. Otherwise,your documentation will now be out-of-date and other administrators may be confused as to whythe production databases are in folders that have LCR in their name.

SummaryScaling upward and outward is a necessary evil for organizations with more than a few hundredusers. While a single machine can easily support all the necessary server roles for a few hundredmailboxes, if it is not properly configured, it may experience performance problems. Recognizingpotential performance bottleneck points and how to correct them is an essential skill for Exchangeadministrators.

As more mailboxes are supported on a single Exchange Mailbox server, scaling the serverupward to support more storage is also an important configuration item. Creating more storagegroups and mailbox databases will help you to support larger mailboxes and more data whilepreventing any single database from growing too large.

Local continuous replication is a new feature of Exchange 2007 that also allows you to growand scale your organization. This feature allows you to support larger mailboxes but still havelow recoverability times for mailbox databases. By allowing important mailbox databases (or allmailbox databases) to be configured to use LCR, you can have a nearly perfectly synchronizedcopy of the production database that can be swapped in to production in a moment’s notice.


Chapter 12

Sizing Storage Groupsand Databases

Planning for storage and sizing databases are two things I frequently see companies have troublewith when they plan or roll out their Exchange organizations. Unfortunately, most of us don’thave ‘‘magic’’ company crystal balls to peer into and see our organization’s requirements forstorage, databases, and mailbox sizes.

Mailbox and database sizes can generate some zealous discussions that can actually stall anentire deployment or migration because no one can reach a consensus. Exchange Server adminis-trators frequently want to keep the total size of the databases very small to minimize backup andrecovery times. Users want larger allowable mailboxes.

New technologies on the Exchange Server side — such as improved caching, database replica-tion, and Exchange snapshots — may permit larger databases, and technologies such as UnifiedMessaging (voicemail and faxes in the user’s mailbox) and Office Communication Server mayrequire even more storage. Archival technologies, on the other hand, may allow you to reduce theoverall storage requirements but still allow users access to historical data.

I am an advocate of giving users the space that they need to do their jobs effectively. If thatmeans giving each user a 5GB mailbox so that every piece of information they need is at theirfingertips, indexed, and ready to use via Outlook, Outlook Web Access, or Windows Mobile,then so be it. They should be able to have that storage space if they are using it for data that theyneed.

In this chapter, I’ll address some of the major issues that affect mailbox sizes as well as howyou will use that information to effectively plan for creation and placement of storage groups andmailbox databases. The following topics are included:

◆ Estimating mailbox and disk space required

◆ Creating and managing storage groups

◆ Creating and managing mailbox databases

Estimating Disk Space for Exchange DataLet’s start with the controversial topic of estimating how much storage you need for a given usercommunity. Over the years, I have taken a number of different approaches to arriving at thisnumber. The two major approaches that I use to calculate disk space are as follows:

◆ Take your worst-case disaster recovery window and figure out how much data you canrestore during that time. Work backward from there to figure out how much data you canstore and therefore how large each mailbox can be.


342 CHAPTER 12 SIZING STORAGE GROUPS AND DATABASES

◆ Calculate the amount of space your users need to do their jobs and add a fluff factor on topof that to figure out the maximum mailbox sizes. From there, figure out what the maximumstorage requirements would be for those mailboxes.

Estimating Mailbox SizesIs there a mailbox size standard or consensus? That’s a question that I am fairly frequently askedand that I see posted in newsgroups. The only consensus I see across many different industries isthat everyone else’s standard is wrong. If I propose a maximum mailbox size of 200 MB, inevitablysomeone will say that is way too much, while many will say it is not enough.

Conversely, I could say that the maximum mailbox limit is 2.3GB and many Exchange admin-istrators will tell me that is far, far too much. Yet that is the new default mailbox database prohibitsend and receive quota, so obviously the folks at Microsoft think that is a good default maximummailbox size.

You need to find out what defaults work best for you. For most organizations today, I rec-ommend starting with somewhere between 250 MB and 500 MB as the maximum mailbox size.From there, figure out if you need to give your users more or less space. A number of factorsaffect mailbox storage — and I’ll go into these in more detail later — but the following factors aresignificant:

◆ Unified Messaging can greatly affect the need for more mailbox storage; if users store bothfaxes and voicemail in the mailbox, the files will increase storage needs even more.

◆ Mail may need to stay on the server longer if users need to access their e-mail via Outlook,Outlook Web Access, and Windows Mobile devices.

◆ A mail archival system that moves older mail off of the Exchange server and into auxiliarystorage can lower mailbox storage requirements.

The bottom line is that you need to provide your users with enough mailbox space to effectivelydo their job. Mailboxes full of relevant (and used) content certainly justify larger mailboxes; I haveworked with users that often go back a year or two to find messages relating to an old project ortopic. Conversely, mailboxes full of MP3 files and joke of the day messages do not justify largerstorage space regardless of how funny the jokes are.

Estimating Maximum StorageWhen I start calculating how much storage I need, I look at the factors that may influence themailbox database (or databases) size. Let’s first review some of the factors that actually affect therecommended size of a mailbox. In this section, I’ll show you how to calculate how big the mailboxdatabase might get in a worst-case scenario.

Figure 12.1 shows a conceptual diagram of an Exchange 2007 Mailbox server that is designed tosupport 1,000 mailboxes. I will explain the process I went through to estimate the storage required.In some cases, I picked a typical large drive size. Mailbox servers are by far the biggest consumersof disk storage; you must plan for a large amount of storage space and be prepared for growth.

I also take into account local continuous replication (LCR) in Figure 12.1 and thus have allo-cated disk space for these files. Ideally, transaction logs and the operating system are on dedicatedRAID 1 spindles and the databases are on dedicated RAID 5 spindles. Even though I labeled thisfigure as having local drives, you could deploy the same configuration using iSCSI or SAN disks.

Exchange servers holding the Mailbox server role consume the most disk space. When design-ing an Exchange system, administrators often fall short when they do not allow sufficient disk


ESTIMATING DISK SPACE FOR EXCHANGE DATA 343

space for mail storage and transaction logs as well as extra disk space. Often the disk space is notpartitioned correctly, either. Here are some important points to keep in mind when planning yourdisk space requirements:

Figure 12.1

Disk configuration for anExchange 2007 mailboxserver

Operating system, page file,Exchange binariesRAID 1 - 72GB

Exchange transaction logsRAID 1 – 146GB

Exchange databasesand indexesRAID 5 - 2.6TB

LCR Exchangetransaction logsRAID 1 – 146GB

LCR Exchange databasesRAID 5 - 2.6TB

Local disk drives

C:\

D:\

F:\

E:\

G:\

◆ Place transaction log files on a separate set of physical disks (spindles) from their corre-sponding Exchange database files. RAID 1 or RAID 0 + 1 arrays provide better perfor-mance for transaction logs.

◆ Allow for at least a week’s to 10 days’ worth of transaction logs to be stored for each stor-age group. The estimated amount of transaction logs will vary dramatically from one orga-nization to another, but a good starting point is about 5GB of transaction logs per day per1,000 mailboxes.

◆ Allow for 10 to 15 percent white space estimates in the maximum size of each of yourdatabase files.

◆ Allow for 10 to 15 percent deleted item and deleted mailbox retention space in eachdatabase file.

◆ Place replicated transaction logs and the backup copy of the databases on separate physicaldisks from the source when planning for local continuous replication.

◆ Allocate enough free space on the disk so that you can always make a backup copy of yourlargest database and still have some free disk space. A good way to calculate this spaceis to take 110 percent of the largest database you will support since that also allows you todefragment the database using ESEUTIL.EXE if necessary.

◆ Consider additional disk space for message tracking, message transport, HTTP protocol,POP3 protocol, and IMAP4 protocol log files.



◆ Make sure you allow for enough disk space to perform database recovery, such as to arecovery storage group. This disk space is usually determined by the maximum size ofyour databases. I usually make sure I have enough extra disk space so that I can recoverat least 20 percent of the databases on the server. So if I have 5 mailbox databases, I wouldwant enough space to have 1 mailbox database in the recovery storage group. If I have20 mailbox databases, I would want enough disk space to have 4 mailbox databases on thedisk that have been recovered.

Let’s look at an example for a server that will support 1,000 mailboxes. Suppose we estimatethat we will provide typical users with a prohibit send size warning of 500 MB and a prohibit sendand receive limit of 600 MB. In any organization of 1,000 users, you must consider that 10 percentof them will qualify as some type of VIP who is allowed more mail storage; in this case, we willallow those 100 VIP users to have a prohibit send and receive limit of 2GB.

This gives us 540GB of mail storage requirements (600 MB times 900 mailboxes) for the first 900users plus another 200GB (2GB times 100 mailboxes) for the VIP users. This is a maximum amountof mail storage of 740GB. However, this estimate does not include deleted items in a user’s mailboxand deleted mailboxes, so we want to add an overhead factor of about 15 percent, or about 111 MB,plus an overhead factor of another 15 percent (another 111 MB) for database white space. The whitespace is the empty space that is found in the database at any given time.

So at any given time, for these 1,000 mailboxes, we can expect the total size of mail databasestorage (valid e-mail content, deleted data, and empty database space) to be approximately 962GB,but since we like round numbers, let’s average that up to 1,000GB, or 1TB.

In this example, let’s say we have decided that the maximum database size we want to be ableto back up or restore is 100GB. This means that we need to split our users’ mailboxes across 10mailbox databases and storage groups.

For the transaction logs, we estimate that we will generate approximately 5GB of transactionlogs per day. We should plan for enough disk space on the transaction log disk for at least 50GBof available disk space, to cover 10 days’ worth of logs.

Next, since full-text indexing is enabled by default, we should allow enough disk space forthe full-text index files. In this case, we will estimate that the full-text index files will consume amaximum of about 5 to 10 percent of the total size of the mail data, or approximately 100GB. Ifwe combine the full-text index files on the same disk drive as the database files, we will requireapproximately 1.3TB of disk space.

Finally, on this server we are planning to implement local continuous replication, so we willneed to plan for a separate set of spindles for the databases (1.3TB) and the transaction logs (50GB).

Anytime there is any doubt as to how much disk space you should include, it is usually a goodidea to plan for more rather than less. Although disk space is reasonably inexpensive, unless youhave sophisticated storage systems, adding additional disk space can be time consuming andcostly from the perspective of effort and downtime.

Planning for Mailbox GrowthGrowth?! You may be saying to yourself, ‘‘Self, I just gave the typical user a maximum mailbox sizeof 600 MB and the VIPs a maximum size of 2GB! How can my users possibly need more mailboxspace?’’ Predicting the amount of growth you may need in the future is a very difficult task. Youmay not be able to foresee new organizational requirements, new mail-based applications, or eventhe influence of future laws that require specific data retention periods.

Mailbox limits, regardless of how rigid you plan to be, are managed by exception and by need.In the previous example, we calculated that we would need 1.3TB of disk space for our 1,000mailboxes. Would we partition or create a disk of exactly that size? Probably not.



Instead of carving out exactly the amount of disk space we anticipate we will need, we’ll add afluff factor to our calculations. I recommend doubling the anticipated amount of storage, but thisis just a wild guess. In this example, though, we might anticipate using 2.6GB of disk space if wedoubled our expected requirements. In your own organization, you may want to consider someof the following factors when deciding how much growth your mailbox servers might experience:

◆ Average annual growth in the number of employees

◆ Acquisitions, mergers, and consolidations that are planned for the foreseeable future

◆ Addition of new mail-enabled applications such as Unified Messaging features and elec-tronic forms routing

◆ Government regulations that require some types of corporate records (including e-mail) tobe retained for a number of years

Conversely, there are potential changes in your future that could actually reduce the amountof mailbox storage you require. Many organizations are now including message archival andlong-term retention systems in their messaging systems. These systems archive older contentout of a user’s mailbox and move it to some type of external storage such as a disk, storage areanetwork (SAN), network attached storage (NAS), and optical or tape storage. The user can stillaccess or search for archived content, but it no longer takes up space in your Exchange Servermailbox databases.

Archive systems are great for organizations that must retain much of the information in theirmailboxes but want to move it to external storage. However, depending on the system, you don’twant to archive everything older than five days (a bit of an exaggeration) since the user may not beable to access it via Outlook Web Access or mobile devices. Further, after the content is archivedfrom their mailbox, it will no longer be accessible from a user’s desktop search engine, such as theGoogle Desktop or the MSN Desktop search engine. So keeping a certain amount of content in theuser’s mailbox will always make sense.

Adding More Mailbox StorageIn our worst-case scenario for how to estimate mailbox database size for a given configuration, Iestimated that a single database could grow to 1.3TB in size. While Exchange Server can technicallysupport a database that large, it would take forever to back up, and worse, it would take foreverto restore. Even if you are using snapshot technologies, if the snapshot backup software performsdatabase verification, then the verification would take far too long. So a database size of 1.3TB isjust not practical.

Maximum Database SizesMicrosoft recommends that you keep each mailbox database under about 100GB if you are notusing any type of replication technology. If you are using local continuous replication (LCR),cluster continuous replication (CCR), or even standby continuous replication (SCR), then you canconsider allowing a maximum database size of 200GB.

I urge you to consider your existing environment when you think about these maximum sizes.Ultimately, you need to consider how much time it will take to restore one of these databases froma tape backup; if the absolute longest time you can take to restore a database from your backupmedia (for example a tape) is two hours and your tape system restores at a rate of 30GB per hour,then the largest database size you should consider supporting is 30GB.



Replication technologies such as LCR, CCR, and SCR allow you to keep a replicated copy of adatabase ready to use in the event of a failure. Naturally, this can allow a much quicker recoveryfrom a corrupted database or a failed server.

Determining the Number of Storage Groups and DatabasesIn the previous example, we expect the total database size to be 1.3TB. We have to divide upthat number and figure out how many databases we need. Let’s assume that we will use oneof the replication technologies and that we have a backup and restore solution that will allow a200 MB database to be restored in a reasonable amount of time; in that case, we need seven mailboxdatabases.

Storage Groups and Exchange server

For those of you who are new to Exchange Server, I want to take a moment and explain the conceptof a storage group. A storage group is a collection of databases that all share a common set of trans-action logs. As a transaction is written to a log file, it is serialized and identified so that the Exchangedatabase engine (known as the Extensible Storage Engine, or ESE) knows to which database file thetransaction belongs.

In Exchange 2000/2003/2007, a storage group can contain between one and five databases;these databases can be either mailbox or public folder databases. However, there are guide-lines that you may need to follow for performance or certain configurations. For example, if youimplement cluster continuous replication or local continuous replication, you can have only onedatabase per storage group. If you are coming from Exchange 2000 or even Exchange 2003, youmay be planning to fill up each storage group with the maximum number of databases beforecreating the next storage group.

Exchange Server 2007 Standard Edition supports a maximum of 5 storage groups and a maxi-mum of 5 databases. Enterprise Edition supports a maximum of 50 storage groups and 50 mailboxdatabases. If you own Enterprise Edition, you could create 10 storage groups that each hold 5mailbox databases, but the recommendation now is that you create 1 storage group for eachdatabase.

Tip

I recommend that you create one database per storage group.

There are two reasons for creating one database per storage group. The first is that the LCR,CCR, and SCR technologies support only one database per storage group. So if you plan to useany of those technologies (and I hope that you will), you must use one database per storagegroup.

The second reason is that you can improve the overall performance of the database engine.Each storage group is configured with a 20 MB checkpoint depth. This means that a maximumof 20 MB of outstanding transactions can be written to the logs but not immediately commit-ted to the database. If you have one mailbox database in a storage group, then that database’s



checkpoint depth is 20 MB; however, if you have five mailbox databases a single storage group,each database’s checkpoint depth is 4 MB.

During busy periods of time, the ESE may have to write to the database more frequently if thetransaction log depth per database is small. If each database has the full 20 MB of transaction logdepth available to it, the ESE can be more efficient about how it writes data to the database andthus write data in larger chunks.

Allocating Disk DrivesThe traditional logic for Exchange Server design was to place databases on a set of physical diskdrives separate from the transaction log files. As Exchange 2000/2003 servers scaled upward tosupport thousands of mailboxes, administrators placed the transaction log files for each storagegroup on separate spindles (or physical disks) and placed the database files for each group on adifferent set of spindles.

While placing different files on separate disks is pretty good advice, today many of us useFiber Channel or iSCSI SANs to store our Exchange data. The SAN is usually some aggregation ofa large number of disks in a RAID 4, RAID 5, RAID 0 + 1, or other redundant configuration. Theperson that manages the SAN (hereafter known as one of the SAN people) carves up the amountof storage you request from that large aggregation of disk space and assigns it to you as a logicalunit (LUN) of disk space. You then configure your Windows server to connect to those LUNsacross the iSCSI or Fiber Channel network (or fabric).

I was an early doubter of putting Exchange databases on a networked storage device, but I havecome to see the advantages for many medium and large organizations. The ability to combinelarge numbers of disks together into very large volumes and then allocate pieces of a large volumeto the applications (such as Exchange) that need disk space can help reduce your storage costs andallow you take advantage of technologies such as snapshot backups and improved recoverabilityfeatures. Further, since all of the storage is not physically connected to the server, a disaster thatbefalls the server hardware may not affect the storage system.

If you are a SAN user, you should ask your SAN people for two LUNs for each storage group.One LUN should be sized to hold a storage group’s transaction log files and one LUN should besized to hold that storage group’s database; that is, of course, for a Mailbox server role. By puttingone database on each LUN and one transaction log on each LUN, you ensure that the granularityof snapshot solutions is per database.

For heavily used Hub Transport server roles, you might also want to put the Hub Transportserver database and log files on a SAN; the transport database and the log files should each go ontheir own LUN.

Those of you who think about disks and disk performance may be wondering about all of thoseLUNs being carved out of the same logical disk. If your SAN is improperly sized and withoutenough spindles, performance can be a problem. A properly engineered SAN solution shouldprovide enough total I/O capacity for all of the LUNs and the applications that will use thoseLUNs to function correctly.

Creating and Moving Storage GroupsDepending on the setup options for the Mailbox server role, a Mailbox server will have one or twostorage groups. During setup, if you told the setup program that you support Outlook 2003 andearlier clients, the server will have two storage groups: one for the first mailbox database and onethat holds the public folder database. Otherwise, the server has only one storage group and thedefault mailbox database.



Figure 12.2

A default Mailbox serverrole that includes a pub-lic folder storage group

Figure 12.2 shows the Database Management tab of the work pane for a Mailbox server; noticethat this server has two storage groups and each storage group has one database.

Because I have selected a Mailbox server, there is a New Storage Group option in the Actionsmenu, and since I have highlighted First Storage Group in the work pane, the tasks I can performon the storage group also appear in the action pane.

You manage the EMC-based storage group, mailbox database, and public folder databasethrough the Database Management tab of this work pane. However, the Database Managementpane is shown below the result pane only if you have selected the Mailbox subcontainer. The EMCaction pane is on the right side of the EMC interface and gives you access to the following storagegroup management tasks:

◆ Creating a new storage group

◆ Moving existing storage group files

◆ Creating a database (mailbox or public folder) within the storage group


You can also retrieve a list of storage groups using the Get-StorageGroup EMS cmdlet. Hereis an example:

[PS] C:\>Get-StorageGroupName Server Replicated Recovery---- ------ ---------- --------First Storage Group HNLEX03 None FalseFirst Storage Group HNLEX04 None FalsePublic Folder SG HNLEX03 None FalseMailbox Database HNLEX04 None FalseEngineering Mailboxes SG HNLEX03 None FalseExecutives SG HNLEX03 None False



I could have narrowed the scope of that query using the Where cmdlet so that only the storagegroups from a specific server are listed. Here is an example that lists only the storage groups onserver HNLEX03:

Get-StorageGroup | Where $ .Server -eq ’’HNLEX03’’}

If you are still running Exchange 2000/2003, you could also have included the storage groupsfrom the Exchange 2000/2003 servers in your organization by using this command:

Get-StorageGroup -IncludePreExchange2007

New Storage Groups

Creating a new storage group is a simple process in either the Exchange Management Console(EMC) or the Exchange Management Shell (EMS). From within the EMC, you create and managestorage groups for each Mailbox server role within the Mailbox subcontainer of the Server Config-uration work center. To create a new storage group, choose the New Storage Group task from theactions pane to run the New Storage Group Wizard. The wizard is quite simple and has only twopages; the New Storage Group page (shown in Figure 12.3) prompts for the name of the storagegroup, the path to the transaction log files, and the path to the system files.

Figure 12.3

Creating a new stor-age group using theExchange ManagementConsole

You can also enable local continuous replication when you create the storage group, but we willcome back and do that later. Notice also in Figure 12.3 that you are selecting the default locationfor the transaction logs and system files.



When you click the New button on the New Storage Group Wizard, the task is executed and thenew storage group is created; the EMS cmdlet that is executed is the New-StorageGroup cmdlet.The Completion page shows the EMS command that was executed to create this storage group:

New-StorageGroup -Server ’HNLEX04’ -Name ’Executives SG’ -LogFolderPath i’C:\E2K7-Data\ExecutivesSG’ -SystemFolderPath ’C:\E2K7-Data\ExecutivesSG’

Now that the storage group is created, if you have not assigned the log files and the systemfile to the correct location, you should move the transaction log and system files to an alternatepath. This can also be accomplished via the EMC or the EMS. In the EMC, you just need to selectthe storage group you want to move and then choose the Move Storage Group Path task fromthe actions pane. The Introduction page of the Move Storage Group Path Wizard is shown inFigure 12.4.

Figure 12.4

Moving a storagegroup’s transaction logsand system files

The only information that is required to move the storage group is the new location of thelog files and/or the system files. When you click the Move button, the task is executed. The EMScmdlet Move-StorageGroupPath sets the storage group’s path and moves the existing systemand/or log files. The following command was executed:

Move-StorageGroupPath -Identity ’HNLEX04\Executives SG’ -LogFolderPath i’C:\Execs-SG-Logs’ -SystemFolderPath ’C:\Execs-SG-Logs’

If you move a storage group that does not contain any databases, the Move Storage Group PathWizard will generate an error. The Completion page is shown in Figure 12.5; we are seeing this



error because no databases have yet been created and therefore there are neither transaction logfiles nor a checkpoint file.

Figure 12.5

Moving a storage groupwith no files

If no mailbox stores have been created and mounted in the storage group, then there will be nosystem or transaction log files. The wizard will actually tell you this if it does not find any files.Therefore, you would need to run a slightly modified version of the cmdlet since the files do notneed to be moved. You would need to include the -ConfigurationOnly switch in the commandline:

Move-StorageGroupPath ’HNLEX03\Executives SG’ -LogFolderPath i’C:\Executives-SG-Logs’ -SystemFolderPath ’C:\Executives-SG-Logs’ i-ConfigurationOnly -Confirm:$False

Storage Group Properties

You can view the properties of the storage group by selecting it in the Database Management workpane and then selecting the Properties task on the action pane. In this case there are two Propertiestasks on the action pane, so select the one in the storage group portion of the pane.

The storage group SG-HNLEX04-03 properties are shown in Figure 12.6. From here you canchange the storage group’s display name or enable circular logging. Circular logging tells theExchange database engine not to keep more than a few of the previous transaction log files.Enabling circular logging will prevent up-to-the minute recoverability of databases from a restoresince there will not be enough transaction logs available after the most recent backup.

The storage group’s properties also include the transaction log path, the system files path, thelog file prefix, and the date on which the storage group was last modified. The log file prefix is



used when creating log files for this storage group; this is a system-assigned value and cannot bechanged. In the case of the storage group shown in Figure 12.6, the log file prefix is E03; a samplelog filename would look like this: E03000011A0.log.

Figure 12.6

Viewing a storagegroup’s properties

You can also retrieve the storage group’s properties using the Get-StorageGroup cmdlet. Thefollowing example shows all of the properties of the Executives SG storage group:

[PS] C:\>get-storagegroup ’’SG-HNLEX04-03’’ | FL

LogFolderPath : C:\E2K7-Logs\SG-HNLEX04-03SystemFolderPath : C:\E2K7-Logs\SG-HNLEX04-03CircularLoggingEnabled : FalseZeroDatabasePages : FalseLogFilePrefix : E03LogFileSize : 1024RecoveryEnabled : TrueOnlineDefragEnabled : True



IndexCheckingEnabled : TrueEventLogSourceID : MSExchangeISLogCheckpointDepth : 20971520CommitDefault : FalseDatabaseExtensionSize : 256PageFragment : 8PageTempDBMinimum : 0Server : HNLEX04ServerName : HNLEX04CopyLogFolderPath :CopySystemFolderPath :Recovery : FalseName : SG-HNLEX04-03Replicated : NoneHasLocalCopy : FalseCanEnableLocalCopy :CanRunDefaultUpdate :CanRunRestore :StandbyMachines : {HNLSCR01.volcanosurfboards.com}AdminDisplayName : SG-HNLEX04-03ExchangeVersion : 0.1 (8.0.535.0)DistinguishedName : CN=SG-HNLEX04-03,CN=InformationStore,CN=HNLEX04,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Volcano Surfboards,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=volcanosurfboards,DC=comIdentity : HNLEX04\SG-HNLEX04-03Guid : eeacdea1-c315-4a10-a958-9ed3261dc3a2ObjectCategory : volcanosurfboards.com/Configuration/Schema/ms-Exch-Storage-GroupObjectClass : {top, container, msExchStorageGroup}WhenChanged : 9/22/2007 11:47:55 AMWhenCreated : 9/1/2007 8:40:05 PMOriginatingServer : HNLDC02.volcanosurfboards.comIsValid : True

Notice that some of these properties are not set. This is because we are not actually retrievingthe status information from the information store. To retrieve additional status information, youneed to include the -Status option in the Get-StorageGroup command line. Here is an example.

Get-StorageGroup ‘‘First Storage Group’’ |iFL name,CanEnableLocalCopy,CanRunRestore,CanRunDefaultUpdate

Many of these values can be changed by the Set-StorageGroup cmdlet. If you want to enablecircular logging, you would type this command:

Set-StorageGroup ’’Executives SG’’ -CircularLoggingEnabled:True



Creating and Managing Mailbox DatabasesNow that you have created a storage group, you can create a new database in it. While bothExchange Server 2007 Standard Edition and Enterprise Edition allow up to five mailbox databasesin a storage group, I am going to limit this example to a single mailbox database per storagegroup. This is the Microsoft recommendation, and one mailbox database per storage group is alsoa requirement of local continuous replication.

You can view the current mailbox database for each server using EMC or the Get-MailboxDatabase cmdlet to list all of the mailbox databases in the entire organization:

Get-MailboxDatabaseName Server StorageGroup Recovery---- ------ ------------ --------Mailbox Database HNLEX03 First Storage Group FalseEngineering Mailb... HNLEX03 Engineering Mailb... FalseExecutives HNLEX03 Executives SG False

Of course, you can narrow the scope of this output to just a specific server or a specific storagegroup using the Where cmdlet, and you can include Exchange 2000/2003 mailbox databases. Hereare three examples:

Get-MailboxDatabase | Where { .Server -eq ’HNLEX03’}Get-MailboxDatabase | Where { .StorageGroupName -eq i

’Executives SG’}Get-MailboxDatabase -IncludePreExchange2007

Tip

When you’re creating a new mailbox database, use a descriptive name and a naming scheme. Thedatabase will be easier to manage if the filename matches the display name of the database.

To create a new mailbox database, highlight the storage group in which you want the mailboxdatabase to be created and select the New Mailbox Database task from the actions pane. Thislaunches the New Mailbox Database Wizard, shown in Figure 12.7. Then you just provide thename of the new mailbox database; the path is completed automatically and the database’s EDBfile is put in the same location as the transaction logs.

Ideally, you should click the Browse button and select a correct location for the mailboxdatabase now, but I will show you how to move the mailbox database here shortly.

Note

Exchange 2000/2003 administrators may notice that the database has only an EDB file. Exchange 2007does not have an STM file; each Exchange 2007 database consists of a single EDB file.



Figure 12.7

Creating a new mail-box database using theExchange ManagementConsole

The wizard will also mount the database once it creates the configuration. This will initialize anew empty database file. In some circumstances, the Completion page will include an error whenthe wizard attempts to mount the newly created database. An example of this error is shown inFigure 12.8.

The error shown in Figure 12.8 usually occurs when the Exchange Management Console isconnected to one domain controller to create the database in Active Directory but the Exchangeserver is using a different domain controller for its configuration data. If you wait a few minutes,you can usually mount the database.

The actual commands that are used are as follows: the New-MailboxDatabase cmdlet is usedin the command to create the database and the Mount-Database cmdlet is used in the commandto mount the database:

New-MailboxDatabase -StorageGroup ’HNLEX04\Executives SG’ -Name i’Executives Mailboxes’ -EdbFilePath ’c:\E2K7-Data\ExecutivesSG\Executives.edb’ iMount-Database -Identity ’CN=Executives,CN=Executives SG,CN=InformationStore, iCN=HNLEX03,CN=Servers, CN=Exchange Administrative Group (FYDIBOHF23SPDLT), iCN=Administrative Groups,CN=Volcano Surfboards,CN=Microsoft Exchange, iCN=Services,CN=Configuration,DC=volcanosurfboards,DC=com’



Figure 12.8

An error may occurwhen a newly createddatabase is mounted.

Notice that when the database was mounted, the distinguished name was used. The followingcommand would also work:

Mount-Database ‘Executives Mailboxes’

I created the database in the default path so I could illustrate the process of moving it. Using theEMC, you can move the database by choosing the Move Database Path task in the actions pane.The only detail that needs to be provided in the Move Database Path Wizard is the new locationof the database file.



When you specify that you are about to move the database, you are warned that the databasewill be dismounted while the files are being copied and that it will be inaccessible.

The amount of time that it takes to move the database file will depend on both the size of thedatabase file and the speed of the disk subsystem. Once the file is moved, the Completion page ofthe Move Database Path Wizard will show the EMS command that was used to move the databasefile. Here is an example:

Move-DatabasePath -Identity ’HNLEX03\Executives SG\Executives’ i-EdbFilePath ’D:\Executives-SG-DB\Executives.edb’

Note that the -Identity option is unnecessary, and if the mailbox database name is completelyunique (and hopefully it is!), then the following command would also move the database:

Move-DatabasePath ’Executives’ -EdbFilePath ’D:\Executives-SG-DB\Executives.edb’

Mailbox Database Properties

Now let’s look at some of the properties of a mailbox database. Figure 12.9 shows the General tabof the mailbox database properties. At the top is the display name of the mailbox database. Fromhere, you can rename the database if you need to conform to a new database naming standard.The page also shows the path to the database, but you cannot change the path here; you must usethe Move-DatabasePath cmdlet or the Move Database Path task. The database copy path is setwhen you configure local continuous replication.

The General property page of a mailbox database shows the following dynamic information:

◆ Last Full Backup indicates the last time a full or normal backup was run using an ExchangeAPI–based backup solution. Transaction logs would have also been purged at that time.

◆ Last Incremental Backup indicates the last time an incremental backup was run. Thisbackup type will back up the storage group’s transaction logs and then it purges them.

◆ Status indicates if the database is mounted or dismounted.

◆ The Modified field shows the date and time the database properties in Active Directorywere last changed.

The Journal Recipient option allows you to specify a journaling recipient for all mailboxeslocated on this mailbox database. If this is enabled, a copy of any message or delivery receipt sentor received by a mailbox on this system will be sent to the journal mailbox.

Tip

The online maintenance process is interrupted anytime a database in the same storage group is beingbacked up.



Figure 12.9

General property page ofa mailbox database

With the Maintenance Schedule drop-down list (or Customize button), you can specify whenonline maintenance is scheduled for this particular database. Online maintenance must completeperiodically, otherwise the database will become less and less efficient and the database file willcontinue to grow since the deleted items and mailboxes will never be completely purged. Onlinemaintenance includes the following tasks:

◆ Purging deleted items permanently from the mailbox database

◆ Purging deleted mailboxes permanently from the database

◆ Verifying that mailboxes on the database are all connected to an Active Directory account

◆ Cleaning up unused folder views

◆ Rearranging white space

The Do Not Mount This Database at Startup check box allows the administrator to prevent thedatabase from being mounted after the information store service is restarted. You might use thisoption to make the mailbox databases available one or two at a time rather than all at once.

This Database Can Be Overwritten by a Restore is used when you must restore a database filefrom an offline backup. An offline backup occurs when the database file itself is backed up, such



as to make a file copy of the database file. This option has no effect when you restore a databasebackup that was made from an online backup.

The next tab in the mailbox database properties is the Limits property page. The Limits prop-erties and concepts really have not changed since Exchange 2000/2003, but let’s do a quick reviewhere (see Figure 12.10).

Figure 12.10

Setting limits on a mail-box database

The Storage Limits section allows you to specify the amount of storage allowed for the mailbox.Figure 12.10 shows the storage limit defaults; administrators of previous versions will be surprisedto learn that newly created mailbox databases have defaults. Everyone will be surprised to see theactual default values:

◆ Issue Warning at (KB) is set to 1,991,680 KB. When a mailbox reaches this limit, the userwill be sent an e-mail message that informs them that they have reached a limit on theirmailbox and they should clean up some data in it.

◆ Prohibit Send at (KB) is set to 2,097,152 KB. Once the mailbox hits this limit, the user willbe unable to send new messages or reply to existing messages. Both Outlook and OutlookWeb Access will inform users if they try to send a message and they are over this limit.



◆ Prohibit Send and Receive at (KB) is set to 2,411,520 KB. When a mailbox exceeds this limit,the mailbox is closed or disabled. Even though the user can access the mailbox, the serverwill not allow the user to send new messages or reply to existing messages. In addition, themailbox will not receive any incoming mail from other Exchange users or from outside ofthe organization.

Outlook Web Access has a neat new feature that will inform the user of how close they are totheir limit or if they are over their limit. The user must simply move the mouse pointer over thetop of the mailbox in the folder listing pane and a pop-up box appears, similar to those shownbelow.

The limit that you see in these messages is the Prohibit Send at (KB) limit, not the Prohibit Sendand Receive at (KB) limit.

The Warning Message Interval drop-down list is the interval at which Exchange generates awarning message informing users that they are over their Issue Warning limit. By default, thismessage is sent once daily at 1:00 a.m. local time. You can customize this to another time, but becareful. The Schedule dialog box (shown in Figure 12.11) has a detail view option of either 1 houror 15 minutes.

When using any schedule box that has a 1 hour and a 15 minute view, switch to the 15 minuteview to set a schedule. If you select an entire hour, then whatever process you are scheduling willrun four times per hour. In this case, if you select an entire hour, a warning message will be sent toall mailboxes that are over their Issue Warning at (KB) limit four times per hour. The users wouldnot be amused. An example of the warning message is shown in Figure 12.12.

The Deletion Settings section of the Limits tab allows you to configure how long the serverwill retain deleted items for this mailbox and how long the server will retain a mailbox once it isdeleted. The Keep Deleted Items for (Days) options specifies how many days the Exchange serverwill keep items that have been deleted either from the Deleted Items folder or via a hard delete(Shift + Delete) from another folder. Once a message has been in the deleted item cache for longerthan this period (14 days by default for Exchange 2007), the user will no longer be able to retrievethe message using the Outlook Recover Deleted Items feature.

The Keep Deleted Mailboxes for (Days) option specifies how long the mailbox database willkeep a deleted mailbox before it is permanently purged. The default is 30 days and that is reason-able for most organizations. A mailbox can be recovered using the EMC’s Disconnected Mailboxfeature or via the EMS Connect-Mailbox cmdlet. If you are trying to reconnect a deleted mailboxbut it does not yet show up as deleted, you can run the Clean-MailboxDatabase cmdlet to tellExchange to check and make sure all mailboxes are still connected to user accounts.



Figure 12.11

Using the Schedule dia-log box

Figure 12.12

The warning messagea user receives whentheir mailbox exceedsthe Issue Warning at(KB) limit

The Do Not Permanently Delete Items Until the Database Has Been Backed Up check box tellsthe server that it should not permanently purge an item or a mailbox until the mailbox databasehas been backed up. This ensures that a copy of the deleted item or deleted mailbox could berecovered from backup media if necessary.

On the Client Settings tab of a mailbox store (shown in Figure 12.13), the administrator canspecify two configuration settings that affect the mailboxes on this store. The first is the DefaultPublic Folder Database setting; this field contains the name of the public folder database that



MAPI clients should connect to first when retrieving information about public folder hierarchy orcontent.

Figure 12.13

Client Settings prop-erties of a mailboxdatabase

The other setting affects clients that work in offline mode or local cache mode. This is the OfflineAddress Book setting; here you specify which offline address book (OAB) a MAPI client shoulddownload. The default is the default offline address book; this OAB contains the default globaladdress list and is sufficient for most small and medium-sized businesses.

You can also examine the mailbox database properties using the Get-MailboxDatabase cmdlet.The following is an example of retrieving mailbox database properties and sending them to aformatted list:

[PS] C:\>Get-MailboxDatabase ’’MBDB-HNLEX04-03’’ -Status | FL

JournalRecipient :MailboxRetention : 30.00:00:00OfflineAddressBook : \Default Offline Address BookOriginalDatabase :PublicFolderDatabase : HNLEX04\SG-HNLEX04-04\Public Folder DatabaseProhibitSendReceiveQuota : 2355MB



Recovery : FalseProhibitSendQuota : 2GBIndexEnabled : TrueAdministrativeGroup : Exchange Administrative Group (FYDIBOHF23SPDLT)AllowFileRestore : FalseBackupInProgress : FalseCopyEdbFilePath :DatabaseCreated : TrueDescription :EdbFilePath : C:\E2K7-Data\MBDB-HNLEX04-03\MBDB-HNLEX04-03.edbExchangeLegacyDN : /o=Volcano Surfboards/ou=Exchange AdministrativeGroup FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=HNLEX04/cn=MicrosoftPrivate MDBHasLocalCopy : FalseDeletedItemRetention : 14.00:00:00SnapshotLastFullBackup : FalseSnapshotLastIncrementalBackup :SnapshotLastDifferentialBackup :SnapshotLastCopyBackup :LastFullBackup : 10/21/2007 2:48:58 PMLastIncrementalBackup :LastDifferentialBackup :LastCopyBackup :MaintenanceSchedule :{Sun.1:00 AM-Sun.5:00 AM, Mon.1:00 AM-Mon.5:00AM, Tue.1:00 AM-Tue.5:00 AM, Wed.1:00 AM-Wed.5:00 AM, Thu.1:00 AM-Thu.5:00 AM, Fri.1:00 AM-Fri.5:00 AM, Sat.1:00 AM-Sat.5:00 AM}MountAtStartup : TrueMounted : TrueOrganization : Volcano SurfboardsQuotaNotificationSchedule :{Sun.1:00 AM-Sun.1:15 AM, Mon.1:00 AM-Mon.1:15AM, Tue.1:00 AM-Tue.1:15 AM, Wed.1:00 AM-Wed.1:15 AM, Thu.1:00 AM-Thu.1:15 AM, Fri.1:00 AM-Fri.1:15 AM, Sat.1:00 AM-Sat.1:15 AM}RetainDeletedItemsUntilBackup : FalseServer : HNLEX04ServerName : HNLEX04StorageGroup : HNLEX04\SG-HNLEX04-03StorageGroupName : SG-HNLEX04-03IssueWarningQuota : 1945MBEventHistoryRetentionPeriod : 7.00:00:00Name : MBDB-HNLEX04-03AdminDisplayName : MBDB-HNLEX04-03ExchangeVersion : 0.1 (8.0.535.0)DistinguishedName : CN=MBDB-HNLEX04-03,CN=SG-HNLEX04-03,CN=

InformationStore,CN=HNLEX04,CN=Servers,CN=Exchange Administrative



Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Volcano Surfboards,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=volcanosurfboards,DC=comIdentity : HNLEX04\SG-HNLEX04-03\MBDB-HNLEX04-03Guid : 44475a10-5035-471a-a4b8-aa79c7a81a3fObjectCategory : volcanosurfboards.com/Configuration/Schema/ms-

Exch-Private-MDBObjectClass : {top, msExchMDB, msExchPrivateMDB}WhenChanged : 11/3/2007 10:16:58 AMWhenCreated : 9/1/2007 8:40:43 PMOriginatingServer : HNLDC02.volcanosurfboards.comIsValid : True

Not all of the properties that you see in the output of the Get-MailboxDatabase cmdlet canbe changed, of course. The mailbox database location must be changed using the Move-MailboxDatabase cmdlet, and some of these are system properties.

The properties that you are able to change can be changed through the EMS using the Set-MailboxDatabase cmdlet. For example, to change the Prohibit Send at (KB) quota to 100 MB, youwould type the following command:

Set-MailboxDatabase ’Executives’ -ProhibitSendQuota:100MB

SummaryAs I stated early in the chapter, storage is one of those things that you want to try really hard toget right the first time. It’s not the easiest thing in the world to do, so if you can’t get it right thefirst time, try to overestimate your storage needs. If you are dealing with direct attached storage,my opinion is that it is much easier and simpler to have a bit more storage capacity than you reallyneed than to go back later and add more disks and expand existing arrays.

However, for medium-sized and larger organizations, the use of storage area networks canhelp with storage growth issues since the SAN people can easily and quickly expand the amountof space allocated to your Exchange LUNs if you run out of disk space.

In the next chapter, I will introduce some of the new concepts of Exchange 2007 with respect tostorage and databases. Specifically, I will cover local continuous replication and standby continu-ous replication.

Chapter

5

Defining Policies and Security Procedures

MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:

�

Plan the antivirus and anti-spam implementation

�

Plan the network layer security implementation

�

Plan the transport rules implementation

�

Plan the messaging compliance implementation

81461.book Page 189 Wednesday, December 12, 2007 4:49 PM

In this chapter we will look at how Exchange Server 2007 can help you manage message security. We will dive into the various alternatives available to help you meet regulatory and legal

requirements when designing your Exchange deployment. In addition we will highlight pro-cedures you can enable for content filtering and options that are available for ensuring secure messaging is deployed.

The main subjects in this chapter are as follows:�

Designing a solution to address regulatory and legal requirements�

Designing procedures for message content filtering�

Designing secure messaging

Designing a Solution to Address Regulatory and Legal Requirements

Email is a means of communication that is very easy to use. It’s also very easy to

abuse,

by exchanging business and private information that ought to be kept confidential. It is therefore very important that you as an Exchange administrator can control the message flow inside your organization, and the message flow between your Exchange organization and the out-bound messaging environments to prevent confidential information from being exposed. In this part of the chapter, we will first look at the various legal and company requirements that might encourage you to set up email policies, and we will then look at the policies that are available in Exchange Server 2007.

Legal-Compliance Requirements

Every country has its own legal system. In this chapter we will not be able to cover all legal-compliance requirements that exist in every country in the world, but we will cover the most commonly encountered laws and regulations.

United States

The United States has several laws and regulations that specify compliance requirements. This part of the chapter gives an overview of the most important ones.



191

Sarbanes-Oxley Act of 2002 (SOX)

The Sarbanes-Oxley Act of 2002 is a United States federal law, also known as the Public Com-pany Accounting Reform and Investor Protection Act of 2002, and commonly abbreviated as SOX. It was put in place to prevent new accounting and corporate scandals from popping up without control. SOX describes and enforces several rules to improve the accuracy and reliability of information that is disclosed to the general public. The following types of companies must comply with this Sarbanes-Oxley Act of 2002:�

U.S. public companies�

Foreign tax filers in U.S. markets�

Privately held companies with public debt

Since a lot of information is transferred using email, it is mandatory for a company to imple-ment a mail environment that enables them to be SOX-compliant. Section 404 of the Sarbanes-Oxley Act of 2002 covers the management assessment of internal controls, forcing management to be able to prove that they control the information flow. Companies can comply with the Sarbanes-Oxley Act of 2002 only by introducing a mail environment like Exchange 2007 that allow com-panies to control email by allowing transport rules, journaling rules, and messaging records man-agement (MRM) rules to be created and enforced in the organization. (We’ll talk more about this in the “Messaging Policies” section of this chapter.)

Gramm-Leach-Bliley Act (Financial Modernization Act of 1999)

The Gramm-Leach-Bliley Act is a 1999 act of the U.S. Congress. In short, it allows commercial and investment banks to consolidate. There are, however, two important rules in the Gramm-Leach-Bliley Act that require companies to enforce compliance rules in their organization:

The Financial Privacy Rule

regulates the collection and disclosure of customers’ personal financial information by financial institutions. This rule also applies to companies that receive such information, even if they are not financial institutions.

The Safeguards Rule

specifies that all financial institutions are required to design, imple-ment, and maintain safeguards to protect customer information. This rule also applies to financial institutions that receive customer information for other financial institutions, like credit-reporting agencies.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

The Health Insurance Portability and Accountability Act of 1996 not only requires the Depart-ment of Health and Human Services to establish national standards for electronic health care trans-actions and national identifiers for providers, health plans, and employers, but it also addresses the security and privacy of health data. HIPAA has led to a major improvement in the use of electronic data interchange for more industries as they also adopt the standards set by this act.

USA PATRIOT Act of 2001

The USA PATRIOT Act (officially called the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001), was signed into law by George W. Bush in 2001. This act expands the means that U.S. law-enforcement


192

Chapter 5 �


agencies are allowed to use to fight against terrorism in the United States and abroad. Among other things, the act states that U.S. law-enforcement agencies can be granted permission to monitor email communications.

Canada: The Personal Information Protection

and Electronic Documents Act

The first version of the Personal Information Protection and Electronic Documents Act was released in 2000 and was updated in April 2006. The act was created to support and promote electronic commerce by protecting personal information.

Australia: The Federal Privacy Act

The Federal Privacy Act contains the legislation, regulations, codes, determinations, and guidelines that affect private-sector business, health-service providers, and Commonwealth and Australian Capital Territory government agencies.

Europe: The European Union Data Protection Directive (EUDPD)

The European Union Data Protection Directive (EUDPD) standardizes the protection of data privacy for citizens of the European Union by providing baseline requirements that all member states must achieve through national regulations. These regulations apply not only to European Union member countries, but also to foreign countries that are doing business with European Union companies or that handle personal information about European Union citizens.

Japan: The Personal Information Protection Act

The Personal Information Protection Act of April 2005, specifies strict regulations for Japa-nese companies, and also affects companies that are doing business with Japanese companies by setting rules to protect data privacy for citizens of Japan.

Company-Compliance Requirements

A lot of companies configure their mail environment to comply with one or more of the pre-viously listed legal requirements. In addition to the legal requirements, additional policies may be specified to meet company-specific compliance requirements. The most common example of such a company-compliance requirement is the need to configure a disclaimer.

A disclaimer is text that provides you as a company with a form of protection against liability for damages that might result from mail sent from your mes-saging environment. Disclaimers are not only added to mail messages, but

are also often available on websites.



193

Messaging Policies

Exchange Server 2007 includes messaging polices that can be used to address most of the legal and corporate requirements for managing information. Exchange Server 2007 provides three different types of messaging policies:�

Transport policies�

Journaling policies�

Messaging records management policies

Transport Policies

Transport policies enable you to control the message flow for your Exchange organiza-tion. Transport policies can be deployed to control both inbound and outbound message flow, and you can create and enable transport rules on both the Hub Transport server and the Edge Transport server. You can create a transport rule by using either the Exchange Management Console or the Exchange Management Shell. To create a transport rule, you need to specify the following:�

To whom or to what messages the transport rules applies�

Actions that needs to be performed when the conditions are true for a message�

Any exception that would cause the transport rule not to be processed against the message

Table 5.1 lists the possible actions for Transport Rules you can configure on the Hub Transport server and on the Edge Transport server.

T A B L E 5 . 1

Hub Transport Server and Edge Transport Server Transport Rules

Action HUB EDGE

Log an event with message YES YES

Prepend the subject with string YES YES

Apply message classification YES NO

Append disclaimer YES NO

Set the spam confidence level to value YES YES

Set header with value YES YES

Remove header YES YES

Add a recipient in the To field addresses YES YES


194

Chapter 5 �


Transport rules are often used to add a disclaimer to email messages. As mentioned previ-ously, disclaimers are typically used to provide legal text or other text to messages that are sent outside the organization. Sometimes disclaimers are also used to add text to messages that enter the organization.

For more-detailed information on how to deploy Edge and Hub Transport

server rules, please refer to Chapters 12 and 15.

Journaling Policies

Journaling policies allow you as an Exchange administrator to keep track of email messages that are sent and received by users in your Exchange organization. In Exchange Server 2007 you can enable journaling for a mailbox database (Figure 5.1).

Journaling was possible in previous versions of Exchange, but Exchange Server 2007 also includes the possibility to create journaling policies that enable you as an administrator to enable journaling for just one user or for multiple users, or for one or multiple distribution groups. Enabling per-user or per-distribution-group journaling requires an Exchange Enter-prise Client Access License, as shown in Figure 5.2.

Copy the message to addresses YES YES

Blind carbon copy (bcc) the message to addresses YES YES

Drop connection NO YES

Redirect the message to addresses YES YES

Put message in spam quarantine mailbox NO YES

Reject the message with status code and response NO YES

Send bounce message to sender with enhanced status code YES NO

Silently drop message YES YES

T A B L E 5 . 1

Hub Transport Server and Edge Transport Server Transport Rules

(continued)

Action HUB EDGE



195

F I G U R E 5 . 1

Enabling journaling for a mailbox database in Exchange Server 2007

F I G U R E 5 . 2

Premium journaling in Exchange Server 2007


196

Chapter 5 �


Another difference from previous versions of Exchange is the way that messages are journaled. The journaling agent on the Hub Transport server will journal a message and will capture as much detail as possible about the original message in a journal report. That report will be then be sent to the journal mailbox (Figure 5.3).

F I G U R E 5 . 3

A journal report

For more detailed information on how to deploy journaling policies, please refer to Chapter 15.

Messaging Records Management Policies

With messaging records management policies, you can control the way messages are stored inside mailboxes in your mail organization. As an administrator, you can create policies that apply to the default mail folders, or you can create custom managed folders and define managed content settings for them. Messaging records management policies can help you as an Exchange administrator to achieve compliance requirements, because you can control what happens to items stored in a user’s mailbox.

Managed Default Folder

In Exchange Server 2007 you can set messaging records management policies for any or all of the existing default mail folders, like Inbox or Sent Items. It is also possible to create a new default managed folder. Figure 5.4 shows the default managed folders; a custom created folder, called MCITP, appears at the end of the list.

You can then set managed content settings for that new default managed folder, and use a managed folder policy to distribute the folder to a user. A user will only have one default man-aged folder for a given type of folder. For example, when you create a new Inbox, a user will still have only one Inbox.



197

F I G U R E 5 . 4

Default and custom-created default managed folders in Exchange

Server 2007

Managed Custom Folder

In Exchange Server 2007 you can also create custom managed folders that will appear to the users as a folder like Inbox, Sent Items, or any other folder, as shown in Figure 5.5. By using custom default folders, you can give your users an additional folder that they can use to archive items for legal requirements. If your company is required, for example, to keep track of all email communi-cation concerning a particular project, you can create a dedicated custom folder for that project and specify different retention settings for that folder compared to the other folders in a user’s mailbox.

F I G U R E 5 . 5

Managed custom folders in Outlook 2007


198

Chapter 5 �


Managed Content Settings

For both default and custom managed folders, you can specify managed content settings to control retention for items in the folder, as shown in Figure 5.6. You can even configure a kind of journaling that will allow a copy of the item to be sent to a specified mailbox, mail-enabled user, mail-enabled contact, or mail-enabled group, as in Figure 5.7.

F I G U R E 5 . 6

Managed content settings managed folders

Outlook Version

To be able to use all functionalities provided with managed folders, your clients should use Outlook 2007 or later. When you apply a message records management policy to a user, you will receive the warning message shown in Figure 5.8.

F I G U R E 5 . 7

Outlook version warning for managed folders



199

F I G U R E 5 . 8

Journaling in managed content settings

Exchange CAL Required

When you apply a managed folder policy to a user, you will see the notification that messaging records management is a premium feature that requires an Exchange Enterprise Client Access License. At the time of writing however, Microsoft has decided to allow messaging records management to be used against a client with a Standard Client Access License. For more-detailed information on how to deploy messaging records management policies, please refer to Chapter 13.

Message Classifications

Message classifications are new to Exchange Server 2007. After installing Exchange Server 2007, you can use the built-in message classifications outlined in Table 5.2. An Exchange administrator can change these descriptions using the Exchange Management Shell.

Outlook supports message classifications between users who run Exchange Server 2003 or earlier, but Exchange Server 2003 or earlier do not recognize

these message classifications.


200

Chapter 5 �


When a user sends an email and grants it a message classification, the message will be marked, and both sender and recipient will receive a description to notify them of this classi-fication, as seen in Figures 5.9 and 5.10.

F I G U R E 5 . 9

Message classification sender description

F I G U R E 5 . 1 0

Message classification recipient description



201

Using message classifications is possible when using Outlook Web Access. If you want to enable the use of message classifications in Outlook you will need to deploy on the client computer a local file (

Classifications.xml

) that contains the definitions of the message classifications. You will also need to create and deploy a registry key that will enable the use of message classifi-

cation by referencing the

Classifications.xml

file on the client computer.

For more-detailed information on how to deploy message classifications, please refer to Chapter 16.

T A B L E 5 . 2

Message Classifications, Sender and Recipient Description

Name Recipient Description Sender Description

A/C Privileged This message is either a request for legal advice from an attorney or a response by an attorney to a request for legal advice. It should be treated confidentially, should only be sent to people with a need to know, and should only be forwarded by an attorney.

This message is either a request for legal advice from an attorney or a response by an attorney to a request for legal advice. It should be treated con-fidentially, should only be sent to people with a need to know, and should only be forwarded by an attorney.

Attachment Removed An attachment was removed from this email message because the attachment was determined to pose a possible security risk.

A system-generated classifica-tion to inform users that an attachment was removed from this message.

Company Confidential This message contains propri-etary information and should be handled confidentially.

This message contains propri-etary information and should be handled confidentially.

Company Internal This message contains sensitive information that should only be delivered to internal recipients.

This message contains sensi-tive information that should only be delivered to internal recipients.

Originator Requested Alternate Recipient Mail

This message is an originator requested alternate recipient message.

This message is an originator requested alternate recipient message.

Partner Mail ~BC ~BC


202

Chapter 5 �


Designing Procedures for Message Content Filtering

When we talk about designing procedures for message content filtering, what we really mean is using the tools that are available to keep spam and viruses away from your Exchange organiza-tion. Before we dig into the myriad of antispam settings you can configure as an Exchange administrator when working with an Exchange Server 2007 organization, we will look at the possible antivirus and antispam approaches you as an administrator can take. After that we will investigate the options available for protecting your Exchange environment against viruses.

Managing antivirus and antispam solutions for your environment, including your messag-ing organization, requires more than just protecting your Exchange servers. You have to pro-vide security measures to defend every location and every level in your network. Coming back to your messaging environment, you should design and deploy a so-called

defense-in-depth model

in your messaging organization. Table 5.3 lists the solutions that you can include in your antivirus and antispam design.

T A B L E 5 . 3

Defense-in-Depth Model in a Messaging Organization

Security Challenge Security Measures

Network Deploy a firewall at the network edge.

Deploy host-based firewalls.

Implement network segments.

Physically secure servers and computers.

Client Install and maintain client-side antivirus software.

Enable antispam and antiphishing features available in messaging clients.

Educate your users.

Exchange server Install and configure server-side antivirus software on Mailbox and Hub Transport servers.

Install and configure antispam solutions on Hub Transport server, if needed.

Internet edge Install and configure antivirus and antispam software on an SMTP server that is directly accessible from the Internet.


Designing Procedures for Message Content Filtering

203

Exchange Hosted Services

If you want to add an additional layer of security to your messaging environment, you can use the services provided by Exchange Hosted Services. With Exchange Hosted Services you have all Internet mail destined for you mail environment screened (with antispam and antivirus) and then delivered to your Exchange organization. Using Exchange Hosted Services will make sure that most spam and viruses are stopped before they reach your SMTP gateway servers. You only need to change your Mail Exchanger (MX) record in DNS to point to the network of data centers located at numerous sites along the Internet backbone. There is no need to buy and configure additional hardware.

Exchange Hosted Services is a rebranding of Frontbridge Technologies, bought by Microsoft in August 2005.

Exchange Hosted Services is more than just antispam and antivirus. It is suite of products designed to make your life as an administrator easier. Table 5.4 lists the different solutions that are included with Exchange Hosted Services. You can choose which parts of the solution you want to take on for your messaging environment.

Antispam

Out of the box, Exchange Server 2007 provides quite a few interesting features that allow you as an administrator to protect your messaging environment against spam. In this part of the chapter we will define spam, and then we will look at the antispam features that you can con-figure within Exchange Server 2007.

T A B L E 5 . 4 Exchange Hosted Services Solutions Overview

Solution Explanation

Exchange Hosted Archive Messages that meet criteria defined by you as administrator can be archived at the Exchange Hosted Services data centers. Both internal and external mail can be archived.

Exchange Hosted Continuity Using this part of the Exchange Hosted Services allows your organization to have continuous access to messaging services in case of a failure of your Exchange organization.

Exchange Hosted Filtering Provides complete filtering services to block all unwanted email messages from entering your Exchange organization.

Exchange Hosted Encryption Provides the ability to send secured email messages to recipients outside your own Exchange organization. The Identity-Based Encryption (IBE) technology is used.


204 Chapter 5 � Defining Policies and Security Procedures

What Is Spam?

Spam is a phenomenon that has become more and more of a problem the last couple of years. A message can be classified as spam when it is clear that the recipient is not important to the con-tent of the mail, and even more, the recipient hasn’t done anything to make public that he/she wanted to receive the message. The biggest problem with spam is the number of messages that users receive every day, and the amount of time they lose while going through those messages. Besides that, your Exchange servers might be under pressure because they need to handle the workload as well.

What’s in a word? It is said that the word spam finds its origin in a Monty Python sketch called “Spam.” In the sketch, one table in a café is occupied by a group of Vikings wearing horned helmets. It develops into a semi-argument between the waitress who has a menu limited to having Spam in just about everything ("Spam, Spam, Spam, Spam, sausage, eggs and Spam"), and Mrs. Bun, who is the only one in the room who does not want it. Whenever the word Spam is repeated, the group of Vikings begin sing-ing and/or chanting.

Requirements of Antispam Features

When you start implementing one or multiple spam-filtering solutions, you should know the requirements that you as administrator have and that your clients have. As an administrator you have to investigate if the antispam features allow you to have the following:� Integration with existing administrative tools� Easy detection and recoverability of false positives� Reporting possibilities to enable tracking of spam senders, spam recipients, and the

amount of spam

Your clients might require the opportunity to define their own list of safe senders, and might request the ability to access the quarantined messages to decide themselves if a message is indeed spam. The Exchange Server 2007 antispam features meet the requirements in the pre-ceding list, both for the administrator and the client.

Enabling Antispam Features

To prevent productivity loss for your users and to make sure that your Exchange servers are not damaged, it is important to stop spam before it enters your Exchange organization. The Exchange Server 2007 Antispam features can be enabled and configured on the Edge Trans-port server or on a Hub Transport Server inside your Exchange organization. It is, however, advised to configure them on the Edge Transport server, given the general rule that it is better to stop spam and viruses before they enter the Exchange organization.


Designing Procedures for Message Content Filtering 205

Antispam Features in Exchange Server 2007

The following Antispam features can be enabled and configured on both the Hub Transport server and the Edge Transport server:� Connection filtering� Sender filtering� Recipient filtering� Sender ID filtering� Content filtering� Sender reputation filtering

Connection Filtering

You can enable and configure connection filtering by specifying IP addresses on the IP Allow list or IP Block list, or by entering an IP Block list provider. Whenever an SMTP session is ini-tiated against your Edge or Hub Transport server, your server will first check to see if the con-necting IP address is listed on the IP Allow list. If it is, the mail will be accepted and no other filtering will be applied to his message. If it isn’t listed on the IP Allow list, the local IP Block list will be examined. If the IP address is found, the message will be rejected. If it is not found, your Exchange server will check the Real-Time Block (RBL) lists of any IP Block list provider you have specified. Depending on the reply, the mail will be accepted or rejected. Figure 5.11 shows the configuration options for connection filtering.

F I G U R E 5 . 1 1 Connection filtering configuration options



Sender Filtering

Enabling and configuring sender filtering allows you to list email addresses from which your organization does not want to accept mail. If the sender’s email address is blocked or its domain is blocked, your server can reject the connection, or your server can be configured to accept the message with the blocked sender information. The message will be processed but the blocked sender information will be included as one of the criteria when content filtering processes the email message. Figure 5.12 shows the configuration options for sender filtering.

F I G U R E 5 . 1 2 Sender Filtering

Recipient Filtering

Enabling and configuring recipient filtering, allows you to specify a list of email addresses your organization does not want to accept mail for. You can even filter mail that is sent to recipients that are not in the directory but are enabled on the Edge Transport server role; this requires EdgeSync to be configured. Figure 5.13 shows the configuration options for recipient filtering.

Sender ID Filtering

Sender ID Filtering can be configured to accept, reject, or delete a message when the sender ID validation fails. When you choose to accept the message, the message will be processed but the sender ID status will be included as one of the criteria when content filtering processes the email message. Figure 5.14 shows the configuration options for sender ID filtering.



F I G U R E 5 . 1 3 Recipient Filtering

F I G U R E 5 . 1 4 Sender ID filtering



Sender ID filtering was introduced with Exchange Server 2003 Service Pack 2 an antispam feature. Sender ID filtering will check if the sender (or most probable sender) is sending the mail using the SMTP services of a server that is authorized to send mail from that sender’s domain. Sender ID filtering can provide you with a valid result only if the sender’s domain has a Sender Policy Framework (SPF) record registered in DNS. The registration of an SPF record is not mandatory. For more information about the usage and purpose of the SPF record, please refer to RFC 4408.

Content Filtering

Unless the sender is known as a safe sender for the intended recipient, content filtering will process the message and assign it a spam confidence level (SCL). Depending on the value of the SCL, the message can be deleted, rejected, quarantined, or put in the recipient’s Junk E-Mail folder. Figure 5.15 shows the configuration options for Content Filtering.

F I G U R E 5 . 1 5 Content filtering

Sender Reputation Filtering

Sender reputation filtering can cause an IP address to be listed on the IP Block list that is checked during connection filtering. Sender reputation filtering will filter messages based on information about recent email messages received from particular senders. A sender will be assigned a sender reputation level (SRL), and if the sender appears to be a known spammer, the sender’s IP address will be added for a configurable time to the IP Block list.

Figures 5.16 and 5.17 show the configuration options for sender reputation filtering.



F I G U R E 5 . 1 6 Sender reputation properties: Sender Confidence tab

F I G U R E 5 . 1 7 Sender reputation properties: Action tab



Bypassing Spam-Filtering Rules

It is possible to bypass all spam-filtering features you have configured for a specific recipient by changing the value of the AntiSpamBypassEnabled property from False to True using the Exchange Management Shell, as can be seen in Figure 5.18.

F I G U R E 5 . 1 8 Bypassing all spam-filtering features

For more information about enabling and configuring the Exchange Server 2007 antispam features, please refer to Chapter 14.

Antivirus

Exchange Server 2007 does not provide a complete antivirus solution out of the box, but it does offer you several possibilities to protect your messaging organization against disruptions caused by malware or viruses. In this part of the chapter we will provide an overview of the antivirus options Exchange Server 2007 has in store for you as an Exchange administrator.

Antivirus API

The first antivirus API was released by Microsoft for Exchange Server 5.5 Service Pack 3. The introduction of this API meant that antivirus software vendors no longer needed to use MAPI to scan and protect mailboxes and public folders against viruses. With this antivirus API they received the ability to gain access to the information store without jeopardizing the data integrity of the database files. Exchange Server 2007 has the Exchange Virus Scanning API, also called VSAPI, that a lot of third-party vendors integrate closely with to provide seamless protection.

Microsoft Forefront Security for Exchange Server

In 2005 Microsoft acquired Sybari and its Antigen products. Microsoft has rebranded and extended the functionalities of the Antigen product line into Forefront. Microsoft Forefront Security for Exchange Server uses the Exchange Virus Scanning API, and is, according to Microsoft, uniquely suited for Exchange Server 2007 environments.



Microsoft Forefront Security for Exchange Server not only provides advanced protection by providing multiple scan engines at multiple layers, but it also provides a very simple and cost-effectively manageable security interface for your messaging environment. Thanks to its tight integration with Exchange 2007, implementing Microsoft Forefront Security for Exchange will, in addition, improve availability and performance of your messaging organization.

Transport Rules

As you have already covered in this chapter, transport rules are rules that enable you to control the message flow for your Exchange organization. Transport rules can be deployed to control both inbound and outbound message flow. You can create and enable transport rules both on the Hub Transport server and on the Edge Transport server. You can create a transport rule by using the Exchange Management Console or the Exchange Management Shell. To create a transport rule, you need to specify the following:� To whom or what messages the transport rules apply� Action that needs to be performed when the conditions are true for a message� Any exception that would cause the transport rule to not be processed against the message

Transport rules can be used to help you protect your organization from viruses. Once you have determined the characteristics that allow you to uniquely identify a virus, you can define actions on it. You can choose to drop the SMTP connection, delete the message, or reject the message. If you want to have a copy of the message to investigate it further, you can choose to deliver the message to a quarantine mailbox.

Attachment Filtering

Attachment filtering allows you to block attachments from entering your Exchange organization, by attachment content type or by attachment file name. By configuring attachment filtering you can block viruses from entering your production environment.

Attachment filters can be managed by using the Exchange Management Shell. After install-ing the Edge Transport server role, the Attachment Filtering Agent will by default be enabled, as seen in Figure 5.19.

F I G U R E 5 . 1 9 Default attachment-filtering configuration



Exercise 5.1 outlines the steps for configuring the attachment-filtering agent to block attachments by MIME type and file name.

You can configure on the Edge Server a RejectResponse that will be mailed to the sender when their message has been rejected by the Edge Transport server attachment-filtering agent. In addi-tion to rejecting the message, you can also configure the Edge Transport server attachment-filtering

E X E R C I S E 5 . 1

Configuring Attachment Filtering to Block Attachments by MIME Type and File Name

Attachment filtering by content type or file name can be configured only on the Exchange Server 2007 Edge Transport server role.

1. Log on the Edge Transport server with an account that is a member of the local Admin-istrators group.

2. Start the Exchange Management Shell.

3. Check if the attachment-filtering agent is enabled on the Edge Transport server role by entering the cmdlet Get-TransportAgent. You will get an output like the one shown here.

If the attachment-filtering agent were not enabled, you would need to issue the com-mand Enable-TransportAgent -Identity “Attachment Filtering Agent”.

To add a new attachment filter that filters email attachments that have the specific MIME content type of JPEG, you need to enter the following cmdlet: Add-AttachmentFilterEntry -Name image/jpeg -Type ContentType.

To add a new attachment filter that filters email attachments based on a file name or file name extension, like .XYZ, run the following command: Add-AttachmentFilterEntry -Name *.XYZ -Type FileName.



agent to strip the attachment and to deliver the mail to the intended recipient without the blocked attachment. The recipient will see a note in the email message that a particular attachment has been blocked. The attachment itself is not available for recovery. Next to stripping and rejecting the email message, you can also configure the email message to be silently deleted whenever it meets any of the predefined criteria. Neither the sender nor the recipient will get a message to warn them about the nondelivery.

As an administrator, you can also configure exceptions for particular connectors. Attach-ment filters are not applied to email messages that are received through these connections. All these settings can be configured using the Exchange Management Shell by making changes to the AttachmentFilterListConfig (Figure 5.20).

F I G U R E 5 . 2 0 AttachmentFilterListConfig

Forefront Security for Exchange Server extends the attachment-filtering agent’s capabilities. Using Forefront allows you as administrator to scan and block more file types, like RAR archives, and it also allows you to check if files have been renamed that are compressed as Zip or LZH files. Without Forefront, the attachment filtering checks if a file has been renamed, but is not able to perform this test against files that are compressed as Zip or LZH files. Furthermore, Forefront Security for Exchange Server enables you to quarantine blocked attachments and to customize the warning message that is sent to the sender and/or the recipient.



Designing Secure MessagingWhen you are designing your messaging environment, you will have to include security in your design. In this chapter we have already covered what policies you have available in Exchange Server 2007 to help you comply with any legal requirement that is set for your country of ori-gin. We have also seen what antispam and antivirus features are configurable within Exchange Server 2007 to make sure that your mail environment is protected as soon as it is in produc-tion. In this part of the chapter, we will have a closer look at how you can make your mail envi-ronment even more secure by taking into account administrative security, options to secure SMTP email, using Information Rights Management, and implementing procedures to enable signing and sealing of messages.

Administrative Security

When designing and deploying your Exchange organization it is important to make sure that all of your administrators have the rights they need to do what they are supposed to do. You should also make sure that people are not allowed to perform any administrative tasks against your Exchange organization that they shouldn’t be able to execute; you always want to avoid creating overprivileged users. Second to physically securing your Exchange servers is making sure that you delegate adequate administrative permissions.

Delegating administrative permissions can be done using the Exchange Management Console or the Exchange Management Shell. Using the delegation wizards in the Exchange Management Console will make sure that a user is granted the necessary permission within Active Directory to perform the required tasks. You can delegate Exchange permissions by giving a user a predefined Exchange Administrator role. Exchange Server 2007 offers four built-in Exchange Administrator roles you can delegate, as outlined in Table 5.5.

T A B L E 5 . 5 Exchange Administrator Roles

Exchange Administrator Role Associated Rights

Exchange Organization Administrator Full control over every property and every object in the Exchange organization

Exchange Recipient Administrator The ability to modify properties and objects associ-ated with Exchange recipients, including users, con-tacts, groups, dynamic distribution groups, and public-folder objects

Exchange View-Only Administrator The ability to view configuration of Exchange, but not the permission to make changes

Exchange Server Administrator Full control over the specified server or multiple servers’ configuration data


Designing Secure Messaging 215

Exercise 5.2 outlines the steps for delegating the Exchange Server Administrator role to a new administrator, Andy, using the Exchange Management Console.

E X E R C I S E 5 . 2

Delegating the Exchange Server Administrator Role to a New Administra-tor Using the Exchange Management Console

1. Open the Exchange Management Console.

2. In the console tree, click Organization Configuration.

3. Right-click Organization Configuration and select Add Exchange Administrator.

4. On the Add Exchange Administrator page, click Browse to select Andy, the new user to whom you want to delegate an Exchange Administrator role.

5. Under Select the Role and Scope of this Exchange Administrator, select the Exchange Server Administrator role, and select the Exchange server, Exchange2007, to which Andy will have access, as shown here. Click Add.

6. On the Completion page, click Finish to complete the task.



Securing SMTP Email

Almost every email message that is sent on the Internet is sent using SMTP. SMTP is an acronym for Simple Mail Transfer Protocol, and it is not secure. SMTP messages can be captured and read by using a network sniffer, protocol analyzer, or network analyzer. Because of the inherent lack of security with SMTP email, you should implement technologies that will provide additional security. The following options are available to implement the required level of security:� Authentication � Transport Layer Security� IPSec� S/MIME

In this part of the chapter, we will provide an overview of different technologies that are available to increase SMTP security.

After finishing, you will notice that Andy has been granted the Exchange Server Administra-tor role and the Exchange View-Only Administrator role as can be seen in the Exchange Man-agement Console.

By granting Andy the Exchange Server Administrator role, you have added Andy to the universal security group Exchange View-Only Administrators, and you have explicitly granted Andy full control on the Exchange Server configuration of the Exchange server named Exchange2007.

E X E R C I S E 5 . 2 ( c o n t i n u e d )



Authentication

Requiring authentication on your SMTP Send and/or Receive connectors will enable you to configure who is allowed to send mail to and from your Exchange organization.

If you require authentication on your default SMTP Receive connector, you will block almost all email from the Internet since almost all SMTP servers use anonymous connections when sending email. It is best practice to only enable authentication to provide additional security for email sent from orga-nizations you’re associated with.

Table 5.6 lists the different authentication options that are available for both Send connec-tors and Receive connectors.

T A B L E 5 . 6 Receive and Send Connector Authentication Options

Connector Type Authentication Options

Receive Connector Transport Layer Security (TLS)

Domain security (mutual authenticated TLS)

Basic authentication

Basic authentication over TLS

Exchange Server authentication

Integrated Windows authentication

Externally secured (for example, with IPSec) authentication

Send Connector None

Basic authentication

Basic authentication over TLS

Exchange Server authentication

Externally secured authentication



You can specify who is authorized to send SMTP email messages to your Exchange Hub Transport server by configuring which permission groups your Hub Transport Server is allowed to receive email messages from, as can be seen in Figure 5.21.

F I G U R E 5 . 2 1 Permission groups configured with a Receive connector

Transport Layer Security

Transport Layer Security, as defined by RFC 2246, is a protocol that establishes a secure connec-tion between a client and a server. TLS requires both client and server to have a valid certificate. TLS uses the certificates to authenticate client and server, and to encrypt all data that is exchanged between client and server. Configuring and enabling TLS will ensure that in your Exchange orga-nization every SMTP connection that is initiated will be authenticated and encrypted.

IPSec

Internet Protocol Security, IPSec, is a method to secure application traffic between a client and a server. IPSec can use certificates, Kerberos authentication, or a preshared key to authenticate client and server, and create the necessary encryption keys.

S/MIME

Secure/Multipurpose Internet Mail Extensions (S/MIME) enables digital signing and sealing for email messages. Using digital certificates enables users to allow recipients to validate them as a sender, and it also allows them to make sure that the email-message content can be read only by the intended recipient(s).



Signing

By digitally signing an email message, you will allow for the recipient to validate the message sender, and you will allow for the recipient to be ensured that the message hasn’t been mod-ified in transit. If you want to allow your users to digitally sign their email messages, you need to provide them with a digital certificate.

Sealing

Sealing an email message will allow you to make sure that only the sender and the intended recipient of the email message can decrypt the content of the email message. If you want to allow your users to send encrypted email messages, you need to provide your users with a dig-ital certificate, and you need to ensure that your users can access the certificate and the public key of the intended recipients of the sealed email message.

Sealing your email messages means that those email messages cannot be scanned for policy compliance, viruses, or spam.

Exchange Server 2007 does not yet support S/MIME for Outlook Web Access, nor does it support S/MIME for Windows Mobile 6.0 devices. This functionality should be included, however, with Exchange Server 2007 Service Pack 1.

PKI Requirements to Implement SMTP Security

To enable signing, sealing, Transport Layer Security, and IPSec, you need to have digital cer-tificates. You can use a public key infrastructure (PKI) to create, deploy, and manage digital certificates. When you implement a PKI, you can choose to implement your own private cer-tificate authority (CA), or you can choose to obtain certificates from a commercial CA. Obtaining a certificate from a commercial CA has one major advantage against using your own private CA: the certificate issuer will be trusted by external clients by default. Deploy-ing your own CA has other advantages, since it will allow you to automate certificate dis-tribution via group policies, but external clients will not trust your CA by default.

It is possible to integrate your private CA with a commercial CA by purchasing a certificate from the commercial CA and using that certificate when creating the private CA. This way you will be able to create, deploy, and manage your own certificates that will be trusted by external clients.

Information Rights Management

Both Microsoft Office 2003 and Microsoft Office 2007 provide users with the ability to safe-guard their digital information from unauthorized use by restricting permissions to content in documents, workbooks, and presentations by using Information Rights Management (IRM).



Requirements IRM

Before your clients can use Information Rights Management to restrict permissions, you are required to have Microsoft Windows Rights Management Services (RMS) for Win-dows Server 2003 within the organization or via a Microsoft service.

Microsoft also hosts a limited-time trial IRM service for customers who do not host their own RMS server. This service enables users to share protected doc-uments and email messages using Microsoft Passport instead of Active Directory as the authentication mechanism. You will not be able to create cus-tom rights templates when using this Microsoft service.

In addition, your clients also need to deploy the Windows Rights Management client. At the time of writing, you have to make sure all your clients that are working with a computer running Windows XP have the Windows Rights Management Services (RMS) client Service Pack 2 (SP2) installed. Computers running Windows Vista already have Windows Rights Management Services installed.

Securing Email Content with IRM

Imagine that you are an Exchange administrator responsible for an Exchange Server 2007 organization that houses mailboxes for 120 users. You have received from the legal depart-ment the request to increase mail security for mail that is sent between your company and a particular customer, since it seems that confidential email messages have been forwarded by them to your competitors.

Your options to eliminate this security breach are limited: you could disallow mail traffic between your company and the customers, or you could implement a system that sets per-missions on mail sent by your company to the customer.

Accordingly, you decide to implement your own Windows Rights Management Services server, and you create a custom template that users can use to mark an email message as con-fidential, thereby disabling the ability to forward and/or print the email message. Since you know that the customer also uses an RMS solution, you make sure that the customer receives the necessary rights to be able to read email messages that are sent by your sales department.

The disadvantage of your solution is that users need to mark messages themselves as confi-dential. However, you have agreed with the legal department that this problem is outweighed by the fact that the messages cannot be forwarded to your competitors.



Outlook and IRM

Deploying RMS for Windows Server 2003 within your organization or via a Microsoft service allows you to protect confidential email messages, enforce document rights, pro-tect sensitive intranet content, and it configure protection for content stored at the server level. To provide these abilities, you need to use RMS-aware applications like Microsoft Office 2003 or Microsoft Office 2007.

IRM can be used in Microsoft Office Outlook 2003 and Microsoft Office Outlook 2007 to prevent email forwarding, copying, editing, or printing. To deploy IRM in Outlook you just need to follow a few steps, as can be seen in Figure 5.22.

F I G U R E 5 . 2 2 Steps to enable IRM in Microsoft Office Outlook

Exercise 5.3 outlines the steps to use IRM in Microsoft Office Outlook 2007.

E X E R C I S E 5 . 3

Steps to Restrict Permissions in Microsoft Office Outlook 2007 Using IRM

To restrict permissions, follow these steps:

1. Compose a new email message using Microsoft Office Outlook 2007.

Deploy Rights Management Server in your organization or select the

Microsoft Service.

Prepare the client computer by deploying the Windows Rights

Management client (if needed) and, in case of an organization RMS,

activate the client computer.

Educate your users on obtaining an account certificate, either by

enrolling using their .NET Passport, or via NT Authentication.



2. To restrict permissions for the email message, click the Office button and select Permis-sion � Manage Credentials.

3. If your computer does not have the Windows Rights (RM) Management client installed, you will be prompted to deploy this client, as shown here.

4. When the Windows Rights Management client is installed, you will be prompted to sign up for the service. You can choose to log in to a Rights Management server deployed in your organization, or if it is unavailable you can choose to sign up for the free trial IRM service offered by Microsoft (we’ve done the latter in this exercise).

5. Sign in to .NET Passport by typing your email address and password for your Microsoft .NET Passport, MSN email account, or Hotmail email account. If you don’t have a .NET Passport, create one.

6. Type the email address that you used to sign in to the Microsoft .NET Passport; this will be used to create the Rights Management account certificate. Click Next. You can then select whether you want to create a standard, or temporary certificate, as shown here.




7. Close the Windows RM Account Certification wizard.

8. Click the Office button again, and select Permission � Manage Credentials. You will be requested to select a user account that you want to use to create content with restricted permission, as shown here. Select the account that you just enabled, and click OK.

9. You will see that your email message is now secured. Your email message can be read only by recipients that successfully authenticate against the Microsoft RMS server, and recipients will not be able to forward, print, or copy content.




In Outlook 2007, a recipient would do the following to read an email message with restricted permissions:

10. When receiving an email message that has restricted permissions, the user won’t see the content of the message immediately, and will have to authenticate himself or herself against the RMS server. (In the example shown in the following graphic, it’s the Microsoft RMS server.)

11. If the user doesn’t have a RM account certificate, they will be offered the chance to get one.

12. Once the user has an RM account certificate, they will be validated against the Microsoft RMS server, as seen here.



Summary 225

SummaryIn this chapter we have looked at all features that Exchange Server provides to you as an Exchange administrator to secure your messaging environment to comply with your com-pany’s requirements and with those required by law.

First we looked at some legal-compliance requirements that are widely known, including requirements in the United States, Canada, Australia, Europe, and Japan. Then we went over the three types of messaging policies that Exchange Server 2007 provides to comply with any legal or corporate requirement: transport policies, journaling policies, and messaging records management policies.

If you want to design a secure messaging environment, you need to include procedures for message content filtering, and we covered that in the second part of the chapter. We investigated the antispam and antivirus abilities that Exchange Server 2007 offers. We also mentioned two new parts of the Microsoft family that can help you provide more security: Exchange Hosted Services and Microsoft Forefront for Exchange Server.

13. The email message will made readable, but the user won’t be able to overcome the restricted permissions. Here’s what happens when the user tries to employ the Windows Vista Snipping Tool to grab the email message:




Finally, we covered some additional tweaking you should do to make your Exchange organi-zation as secure as possible. We investigated how you can secure your environment by delegating Exchange Administrator roles and by securing SMTP email. To finish we covered Information Rights Management.

Exam EssentialsLegal and company requirements for messaging policies There are both legal and company requirements that force you to configure messaging policies to control mail flow and mail storage. You need to know the difference between transport rules and journaling rules. You might also receive a question about client licensing requirements, and about the archiving possibilities trans-port rules offer. A lot of questions on the exam ask you about the possible configuration options for messaging records management and about message classifications.

Antispam in Exchange Server 2007 The exam focuses very hard on the antispam options in Exchange Server 2007, and what is added if you introduce Exchange Hosted Services and Microsoft Forefront for Exchange to your Exchange environment. Make sure that you know what the different antispam filtering options entail.

Exchange Administrative Permissions The exam will check if you know about the new Exchange Administrator roles; make sure that you can list them and that you know what rights users will get when they are delegated an Exchange Administrator role. You have to know the advantages and possible disadvantages of securing SMTP email traffic, and what Information Rights Management can offer your Exchange organization.


Review Questions 227

Review Questions1. You are an Exchange administrator, and you have a single Exchange Server 2007 server with

250 mailboxes. Your management wants you to implement what is needed to make sure that messages they send cannot be read by anyone other than the intended recipient. What should you implement?

A. Sender filtering

B. Recipient filtering

C. Content filtering

D. Message encryption

E. Digital signatures

2. You are an Exchange administrator, and you have an Exchange Server 2007 organization with one Client Access server/Hub Transport server Exchange Server 2007 instance, and one Exchange Server 2007 Mailbox server with 250 mailboxes. Your Exchange server receives more spam messages than legitimate emails, and you want to reduce the number of spam mes-sages that reach your messaging environment, but you do not want to invest in new hardware or software. What are your options?

A. Deploy antispam agents on the Mailbox server.

B. Deploy antispam agents on the Hub Transport server.

C. Deploy the Edge Transport server role in your environment.

D. Use Exchange Hosted Services.

3. You are an Exchange administrator, and you have an Exchange Server 2007 organization with one Client Access server/Hub Transport server Exchange Server 2007 instance and one Exchange Server 2007 Mailbox server with 250 mailboxes. Your Exchange server receives more spam messages than legitimate mails, and you want to reduce the number of spam mes-sages that reach your users’ mailboxes, but you do not want to invest in new hardware or soft-ware. What are your options?

A. Deploy antispam agents on the Mailbox server.

B. Deploy antispam agents on the Hub Transport server.

C. Deploy the Edge Transport server role in your environment.

D. Use Exchange Hosted Services.



4. You are an Exchange administrator, and you have a single Exchange Server 2007 server that houses 300 mailboxes. You would like to keep track of the emails that are sent and received by the legal department in your organization. You are using a Standard Edition license of Exchange Server 2007, and you currently have five stores in use. What should you do? Choose two answers; each part presents part of the solution.

A. Create a mail-enabled universal distribution group, U_Legal_Department, and make every user of the legal department a member of that group.

B. Create a journaling rule that will journal every email sent and received by members of the mail-enabled universal group U_Legal_Department.

C. Move all mailboxes of users in the legal department to a new mailbox store, Store_Legal.

D. Enable journaling on the new store, Store_Legal.

5. You are an Exchange administrator responsible for an Exchange 2007 organization that con-tains two Exchange 2007 Mailbox servers, one Client Access server, and one Hub Transport server. Your company recently acquired an Exchange 2007 organization. You do not intend to merge the two companies, but it is important that you secure all mail flow between the two organizations that have a dedicated T1 Line to link them together. What should you do?

A. Create a dedicated SMTP Send connector and require authentication.

B. Create a dedicated SMTP Send connector.

C. Install and configure MIIS.

D. Install and configure the Exchange organization’s connector.

6. You are an Exchange administrator responsible for a single Exchange Server 2007 organiza-tion. You’ve received a request that when other SMTP servers perform Sender ID filtering your domain name cannot be spoofed by nonauthorized users. What should you create?

A. Register an SPF record in DNS.

B. Create an SPF record in the registry of your Exchange server.

C. Register an MX record in DNS.

D. Register an MX record in the registry of your Exchange server record in DNS.

7. You are an Exchange administrator responsible for an Exchange 2007 organization that con-tains two Exchange 2007 Mailbox servers, one Client Access server, and one Hub Transport server. Your legal department requests that you include a disclaimer with all messages that are sent out from your Exchange organization. How can you accomplish this with the least amount of administrative effort?

A. Create and register a transport event sink on your Exchange Hub Transport server.

B. Create a transport rule that adds a disclaimer to all messages that are sent outside the organization.

C. Create a transport rule that adds a disclaimer to all messages that are sent inside the organization.

D. Educate your users to add a signature to all messages they send outside.



8. You are an Exchange administrator responsible for an Exchange 2007 organization that con-tains two Exchange 2007 Mailbox servers, one Client Access server, and one Hub Transport server. Your management would like you to investigate if it is possible to prepend the word SPAM to every message that is delivered to a user’s Junk E-Mail folder. How can you accom-plish this with the least amount of administrative effort?

A. Configure a transport rule to prepend the subject of an email with SPAM when a message reaches a predefined SCL.

B. Configure a journaling rule to prepend the subject of an email with SPAM when a message reaches a predefined SCL.

C. Create and register a transport event sink to prepend the subject of a mail with SPAM when a message reaches a predefined SCL.

D. Create and deploy a group policy to prepend the subject of an email with SPAM when a message reaches a predefined SCL.

9. You are an Exchange administrator responsible for an Exchange 2007 organization that con-tains two Exchange 2007 Mailbox servers, one Client Access server, and one Hub Transport server. Your management requests that you keep the size of your database files under control. You have reached an agreement with your management to control the size of the mailboxes by managing the amount of time messages are retained in the Deleted Items folder. You are required to create two kinds of policies; the first one enables a user to keep items in the Deleted Items folder for 7 days, the second one for 60 days. What should you do to successfully con-figure these requirements? Select three; each answer is a part of the solution.

A. Create two mailbox stores.

B. Create two new managed default folders, type Deleted Items.

C. Move users to the mailbox store that is configured with the required deleted item reten-tion time.

D. Create two new managed folder policies, each one responsible for a different managed default folder, both called Deleted Items, and attach it to the users needed.

E. Create managed content settings that reflect the specified criteria for each new managed default folder, type Deleted Items.

F. Configure the required deleted item retention time for the mailbox stores.

10. You are an Exchange administrator, and you have a single Exchange Server 2007 that houses 300 mailboxes. You have recently deployed an Exchange Server 2007 Edge Transport server, and you need to configure a way to reject any mail that is coming from any known relayers. What should you configure?

A. Sender filtering



D. Connection filtering



11. You are an Exchange administrator, and you have a single Exchange Server 2007 server that houses 300 mailboxes. You have recently deployed an Exchange Server 2007 Edge Transport server, and you need to configure a way to reject as much mail as possible from domain spoofers. What should you configure?

A. Sender filtering


C. Sender ID filtering

D. Connection filtering

12. You are an Exchange administrator responsible for an Exchange 2007 organization that con-tains two Exchange 2007 Mailbox servers, one Client Access server, and one Hub Transport server. You would like to grant your network administrator the permission to give existing users a mailbox on your Exchange servers. What role should you delegate to your network administrator?

A. Exchange Organization Administrator

B. Exchange Recipient Administrator

C. Exchange View-Only Administrator

D. Exchange Server Administrator

13. You are an Exchange administrator responsible for an Exchange 2007 organization that con-tains two Exchange 2007 Mailbox servers, one Client Access server, and one Hub Transport server. You recently hired a new Exchange administrator and added her to the Domain Admins group, but you need to grant her all permissions to the entire Exchange organization. What role should you delegate to your new colleague?





14. You are an Exchange administrator responsible for an Exchange 2007 organization that con-tains two Exchange 2007 Mailbox servers, one Client Access server, and one Hub Transport server. All your users use Microsoft Office Outlook 2007. Your management has decided that it has to be possible for users to mark every email they send to a customer as A/C Confidential. What should you do? Select two; each option is part of the solution.

A. Deploy a local file (Classifications.xml) on the client computers.

B. Create and deploy a registry key on the client computers that enables the use of message classifications.

C. Deploy a local file (Classifications.xml) on the Exchange Mailbox servers.

D. Create and deploy a registry key on the Exchange Mailbox servers that enables the use of message classifications.



15. You are an Exchange administrator, and you have a single Exchange Server 2007 server that houses 300 mailboxes. A single user in your organization asks you if there is a way to restrict permissions on an email message he’s sending to a customer. He wants to prevent the customer from forwarding or copying the contents of the email message. The user in question uses Microsoft Office Outlook 2007. What can you offer him?

A. Digital signatures

B. Message encryption

C. Information Rights Management

D. A secure SMTP connection to that customer’s mail organization

16. You are an Exchange administrator responsible for an Exchange 2007 organization that con-tains two Exchange 2007 Mailbox servers, one Client Access server, and one Hub Transport server. Your users use either Microsoft Office Outlook 2000 or Microsoft Office Outlook XP to open their mailboxes. All your clients are running Windows XP Professional SP2. Your management wants you to deploy and configure a Rights Management server. What should you do first so that your clients can use the abilities offered by IRM? Select two; each answer is a complete solution.

A. Upgrade to Windows Vista

B. Upgrade Microsoft Office Outlook to Microsoft Office 2003

C. Upgrade Microsoft Office Outlook to Microsoft Office 2007

D. Deploy Windows Rights Management server

17. You are an Exchange administrator, and you have a single Exchange Server 2007 server that houses 300 mailboxes. Your management wants customers to be sure that messages they receive from your organization are sent by your organization. In addition, your management wants to make sure that in case someone outside your organization altered the message, the recipient knows about this. What should you implement?

A. Sender filtering



D. Message encryption

E. Digital signatures

18. You are an Exchange administrator responsible for an Exchange 2007 organization that contains two Exchange 2007 Mailbox servers, one Client Access server, and one Hub Transport server. You recently hired a new Exchange administrator who will be responsible for your Hub Transport server and your Client Access server. What role should you delegate to your new colleague?







19. You are an Exchange administrator, and you have a single Exchange Server 2007 server that houses 300 mailboxes. You recently deployed an Edge Transport server role. You would like to configure your Edge Transport server to block all messages that contain attachments with an extension .XYZ. What should you do?

A. Enable and configure attachment filtering on your Exchange Server 2007 server.

B. Enable and configure attachment filtering on your Edge Transport server.

C. Enable and configure content filtering on your Hub Transport server.

D. Enable and configure content filtering on your Edge Transport server.

20. You are an Exchange administrator responsible for an Exchange 2007 organization that con-tains two Exchange 2007 Mailbox servers, one Client Access server, and one Hub Transport server. You would like to enable attachment filtering, and you choose to deploy an Edge Trans-port server. You would like to have blocked attachments sent to a quarantine mailbox; what should you do?

A. Enable and configure attachment filtering.

B. Enable and configure content filtering.

C. Enable and configure recipient filtering.

D. Enable and configure Microsoft Forefront Security for Exchange Server.


Answers to Review Questions 233

Answers to Review Questions1. D. Encrypting messages will make sure that only the intended recipient can view the contents.

Sender filtering, recipient filtering, and content filtering are used to prevent spam from entering the exchange organization. Digital signatures will allow the recipient of the message to be sure the sender actually sent the message but the message itself will not be encrypted when sent.

2. D. You don’t want to invest in new hardware and software, so you cannot go for the Edge Transport server role. You want to stop spam before it reaches your messaging environment, thereby eliminating the possibility of deploying the antispam agents on the Hub Transport server. It is not possible to deploy antispam agents on the Mailbox server. You can only choose to use Exchange Hosted Services.

3. B. You don’t want to invest in new hardware and software, so you cannot go for the Edge Transport server role. Since you want to reduce the amount of spam that reaches your users’ mailboxes, you should enable the antispam transport agents on your Hub Transport server. You don’t want to stop spam from entering your organization, you just want to stop spam from reaching the user’s mailboxes, thereby there is no requirement to go for Exchange Hosted Services.

4. A and B. Because you are using the Standard Edition version of Exchange Server 2007, you are not able to create an additional store since you already have the maximum number of stores in use. The Standard Edition version of Exchange only supports the creation of five stores. You can, however, create a new universal distribution group and use a new feature available in Exchange Server 2007: per-distribution-group journaling.

5. A. It is best practice to enable authentication to provide additional security for email sent from associated organizations. Creating a dedicated SMTP Send Connector does not provide secure mail flow if you don’t require authentication. Installing and configuring MIIS would enable directory synchronization which is not asked for in this scenario. The Exchange organization’s connector does not exist.

6. A. Sender ID filtering can provide you with a valid result only if the sender’s domain has a Sender Policy Framework (SPF) record registered in DNS.

7. B. You can use the Exchange Management Console or Exchange Management Shell to con-figure disclaimers on computers that have the Hub Transport server role installed. Creating and registering a transport event sink is not recommended. Educating your users will require more effort than creating a transport rule. You shouldn’t apply a transport rule to messages that are sent inside your organization, because you only want messages that go outside the organization to receive a disclaimer.

8. A. You can configure a transport rule to prepend a subject with a string, and you can specify the value of the SCL as a condition. A journaling rule is used to journal messages, and therefore not valid for changing a message subject. Creating a transport event sink would require admin-istrative effort to create and deploy it. Group policies cannot be used to change the subject of a mail.



9. B, C, and E. Deleted item retention time is the amount of time that messages that are deleted from the mailbox are available for recovery. We are covering the messages that are still in the mailbox, in the Deleted Items folder, so deleted item retention time doesn’t matter here. Instead, it is feasible to create two new Deleted Items managed folders and specify for each one different managed content settings, and use managed folder policy to hand them out to the users that need those settings.

10. D. You can configure connection filtering to check with real-time Block lists if the connecting SMTP server is a known relaying server.

11. C. Sender ID filtering will check if the sender (or most probable sender) is sending the mail using the SMTP services of a server that is authorized to send mail from that sender’s domain. If there is an SPF record configured for the SMTP mail domain, you can check if domain spoofing is done. Sender filtering only provides the ability to block mail from specific domains, without checking if it’s spoofed or not. Recipient filtering is used to filter mail sent to specified recipients, and Connection filtering is used to check if the connection was initiated from a valid IP address.

12. B. A user needs to have the Exchange Recipient Administrator role in order to be able to give users a mailbox.

13. A. To be able to fully manage an Exchange organization, a user needs to be delegated the Exchange Organization Administrator role.

14. A and B. If you want to enable the use of message classifications in Outlook, you need to deploy on the client computer a local file (Classifications.xml) that contains the defini-tions of the message classifications. And you also need to create and deploy a registry key that will enable the use of message classification by referencing the Classifications.xml file on the client computer. You don’t need to add a registry key on the Exchange Mailbox servers, and you don’t need to deploy a local file on the Exchange Mailbox servers.

15. C. Information Rights Management can be used in Microsoft Office Outlook 2003 and Microsoft Office Outlook 2007 to prevent email forwarding, copying, editing, or printing. Implementing signing and sealing will not prevent a user from forwarding or copying the con-tents of an email message. A secure SMTP connection only secures the SMTP mail flow, but does not imply that the email message is not able to be forwarded or copied.

16. B and C. You need at least Microsoft Office Outlook 2003 to be able to use the services pro-vided by IRM. You can use the abilities offered by IRM by running Office Outlook 2003 (or later) on XP Professional. You don’t need to have Windows Rights Management server, since you can use the limited-trial version offered by Microsoft.

17. E. Digital signatures provide authentication, nonrepudiation, and data integrity. By digitally signing your email messages, you enable recipients to verify if the email message has been sent by the person or organization that claims to have sent the message, and you enable recipients to verify if the message has been altered.

18. D. You need to delegate the role of Exchange Server Administrator since you want your new colleague to have full control over the specified servers’ configuration data.



19. B. Attachment filtering allows you to block attachments from entering your Exchange orga-nization, by attachment content type, or by attachment file name. You can enable and config-ure attachment filtering only on the edge Transport server. Content filtering is set as an SCL value for messages so you can configure your Edge or Hub Transport server to block them, quarantine them, or deliver them to a user’s junk mail folder.

20. D. Forefront Security for Exchange Server enables you to quarantine blocked attachments. Attachment filtering, content filtering, and recipient filtering do not allow you as an adminis-trator to have blocked attachments sent to a quarantine mailbox.


Chapter

10

Planning a Backup and Recovery Solution for Exchange Server 2007


�

Plan a backup solution implementation.

�

Plan a recovery solution implementation.


Planning Backup and Recovery

I was once told that backups are not important and that the only important thing was recov-ery. Although the statement may be considered absurd it highlights the idea that if you cannot restore there is no sense in doing backups. It is essential to completely understand the backup and recovery process to be a successful Exchange professional. In this chapter we will cover the variety of backup options for both Mailbox and non-Mailbox servers as well as methods to recover from each of them.

When determining what type of backups meet your restore needs, it’s important to first know what your business requirements are. Once the needs have been documented it will be much easier to determine what backup solution to use and it will be much easier to justify the cost of the solution to the business.

To determine your needs it’s good to start with a list of questions:�

How long can it take to restore each group of users and still meet the Service Level Agreements?

�

How long can it take before service is restored?�

What services are essential to restore, and in what order?�

How long can it take before all email is restored?�

What is the maximum amount of data that can be lost?�

How long can backups take to complete without affecting end user and other processes?�

What budget has been allocated for backup and recovery?

This list can be summarized into three industry-standard acronyms: SLA, RPO, and RTO. The

Service Level Agreement

or

SLA

will determine how long a mail service can be down before it has to be restored. The

recovery-point objective

or

RPO

will determine how much data can be lost. The

recovery-time objective

or

RTO

will determine the maximum times allowed for recovering each service. Each business will decide upon each of these metrics. Sometimes differ-ent business units within an enterprise may have different requirements for each of these, making it even more difficult to come up with a good solution. Often these standards are devised by the business using financial analysis of the effects of these services being offline to see how much it costs the company. These standards are covered in an entire set of courses and books that cross many business disciplines.

Once these standards have been set, a messaging professional can begin to determine the best design that meets these needs.


Planning and Implementing Backup Solutions for Mailbox Server Roles

419


The Mailbox server role has to be the most important Exchange role. Without the Mailbox role no one is able to read email. There are several options when it comes to backing up the mailbox data; however there are a few other things that need to be backed up in order to be fully pro-tected. The Mailbox server should have a system-state backup completed periodically to be recovered from a backup. Also, a file-system backup of the [Install Directory]\ExchangeOAB should be backed up on the Mailbox server that is set to generate the offline address book to keep the organization from having to rebuild it. Much of the Exchange configuration is stored in Active Directory. It is important to properly back up the domain controllers regularly to be able to recover from corruption and user error. Table 10.1 shows the main components that need to be backed up on a Mailbox server.

Another key component for recovery is to avoid having a disaster in the first place. Having redundant hardware, proper patching procedures, change control, and all of the other Microsoft Operations Framework components in place will go a long way toward reducing the need to enact a recovery procedure. Another key way to avoid restoring data needlessly is to set the deleted item and deleted mailbox retention times. Properly config-uring deleted item retention will allow items to be recovered after being hard-deleted by the users. The user will have the ability to recover hard-deleted items from within Office Outlook’s deleted item recovery feature without having to restore any data from a backup. The deleted mailbox retention time will allow deleted mailboxes to be retained for a period of time before being purged from the database. This will allow an administrator to reconnect a mailbox to a user account during that retention period to recover the entire mailbox. It is important to set the retention period for both mailbox items and mailboxes

T A B L E 1 0 . 1

Backup Components for the Mailbox Server Role

Data Type Backup Type

Exchange and service configura-tion in the registry

System state of the Mailbox server and system state of the Active Directory

Exchange offline address book File-system backup of [Install Directory]\Exchange OAB

Mailbox Exchange-aware backup

Public Folder Exchange-aware backup or replication to other public-folder servers


420

Chapter 10 �

Planning a Backup and Recovery Solution for Exchange Server

for a period long enough to minimize the number of times restores would need to be com-pleted. You might think that setting the retention period for both the mailbox and the mailbox items to 999 days might be the answer (so that the only time a restore would be nec-essary is in the event of corruption). Be aware, however, that a longer retention period will consume more disk space, which will also increase the amount of space that backups will consume.

A problem with Microsoft Office Outlook 2003 when used with Outlook Anywhere may keep hard-deleted items from being restorable. A registry setting on the client computers is required to work around this issue. For more information on the change, please see the Microsoft Knowledge

Base article 886205 at

http://support.microsoft.com/kb/886205/

.

Implementing Streaming Backups

Streaming Exchange backups have been available for Exchange since its initial release. The Microsoft Exchange Server 2007 documentation officially calls these backups “legacy stream-ing backups.” Over the years improvements in speed, flexibility, and the number of features have been introduced. Software-based backups use the streaming backup API to back up the online Exchange databases and copy them to either disk or a tape drive.

It is important to remember that you can have only a single simultaneous backup or restore operation in each storage group. To be able to perform backups or restores on multiple databases, the databases need to be separated into multiple storage groups. After splitting up the databases into separate storage groups, you’ll be able to perform multiple operations simultaneously (as shown in Figure 10.1). Where possible, put only one database in each storage group, as this simplifies and streamlines both the backup and the restore pro-cedures. Be aware that performing multiple operations simultaneously may have a signifi-cant performance impact on the server CPU, memory, and disk systems. It would be good to determine the effects of both single operations and multiple operations before attempting to schedule backups and before performing multiple restores, especially during production hours. Streaming backups can be done against all types of Mailbox servers. Performing a backup of the active copy on both clustered and nonclustered Mailbox servers is supported. Streaming backups can never be done against the passive copies of the databases, such as those that exist on an local continuous replication (LCR) or cluster continuous replication (CCR) Mailbox server.

A streaming backup can be done using NTBackup from a machine with the Exchange management tools installed or by using an agent installed on the Exchange server with a third-party backup application.

A number of types of backups can be completed. The available types of legacy streaming backups are full, copy, incremental, and differential, as shown in Table 10.2. It is essential to understand each of these types of backups and how they affect transaction log files.



421

F I G U R E 1 0 . 1

Only one backup can be done for each storage group

Full Streaming Backups

A full streaming backup will copy the entire database and the required log files to the backup media and then will purge all of the committed transaction logs. The advantage of a full backup is that you can use this backup to restore the database to a consistent state and not need any additional backup sets. The main disadvantages of this backup type are that it can take a long time to complete and that the entire database is backed up to tape including the white space within the database.

When would you use a full backup? If possible, you should always do a full backup. With ever-shrinking backup windows and increasing amounts of data, however, it is often not prac-tical to complete a full backup each time.

T A B L E 1 0 . 2

Available Types of Legacy Streaming Backups

Type of Backup Description

Full Complete database backup that purges all committed transaction logs.

Copy Complete database backup and does not purge any transaction logs.

Differential Transaction logs are not purged.

Incremental All available transaction logs are purged.

Backup Server

Storage Group 1

Storage Group 2

Backup 2

Backup 1


422

Chapter 10 �


Copy Streaming Backups

A copy streaming backup will back up the entire database and will not purge any of the trans-action logs. The advantage of a copy backup is that you can use this backup to restore the data-base to a consistent state and not need any additional backup sets. The main disadvantages of this backup type are that it can take a long time to complete and that the entire database is backed up to tape including the white space within the database. The other disadvantage is that it does not purge the committed transaction logs.

When would you use a streaming copy backup? An excellent use of streaming copy backup is when you need to make an additional backup for archival without affecting the standard backup rotation. As an example, the standard schedule for backups includes a full backup once a week and a differential backup on the remaining days. In the middle of the week you need to create a backup that will be sent offsite to your disaster-recovery site. Running a copy backup to create the backup set to be sent offsite will not affect your ability to use the media onsite to restore service in the case of an outage, since the transaction logs will still be intact.

Differential Streaming Backups

A differential streaming backup will back up the transaction logs that have been generated since the last full or incremental backup. This form of backup does not delete any of the com-mitted transaction logs. Using differential backups minimizes the number of backup sets that would be required for a restore since the last differential backup set would include all of the transaction logs generated. Differential backups cannot be run against storage groups that have circular logging enabled.

When would you use a differential backup? You could use it if you are not able to perform a full backup every day. This would keep all of the log files until the next full backup. You would use differential backup if the server had enough space to hold the log files between full backups.

Incremental Streaming Backups

An incremental streaming backup will back up the logs and then purge them. This form of backup deletes all of the committed transaction logs. Using incremental backups minimizes the number of transaction logs that are kept on the server. It also increases the number of backup sets that would be required for a restore since all the incremental backup sets would need to be restored to recover all of the transaction logs generated. Incremental backups cannot be run against storage groups that have circular logging enabled.

When would you use an incremental backup? When there is not enough space to keep all of the transaction logs between full backup jobs.

Implementing Restores Using Streaming Backups

Legacy streaming restores are fairly straightforward. Restores can be executed back to the original location of the database while it is dismounted, or to a recovery storage group.



423

Restoring a Streaming Backup

A streaming restore is the simplest restore and does not differ greatly from the process in pre-vious versions of Exchange. You would restore to the original location if a database has been damaged to the point that it cannot be mounted.

Although the actual process will vary slightly depending on your backup software, the pro-cedure to restore to the original location is basically as follows:

1.

Dismount the current database.

2.

Mark the database able to allow for restore.

3.

Perform the full restore.

4.

Perform any differential or incremental restores.

5.

Perform a hard recovery to apply restored transaction logs.

You can also restore the database to a different server. To complete that process you would follow these steps:

1.

Create the new database on the new server.

2.

Mark the database able to allow for restore.

3.

Perform the full restore to the alternate location.

4.

Perform any differential or incremental restores.

5.

Perform a hard recovery to apply restored transaction logs.

6.

Use database portability to update user objects to the new database location. (More infor-mation about database portability can be found in Chapter 8, “Planning a Highly Avail-able Exchange Server 2007 Implementation.”)

Hard recovery can be triggered by choosing Last Backup Set in the restore options of the last restore set that you plan to restore, or can be done manually with

ESEUTIL /C

. Performing a hard recovery can take a long time depending on the number of transaction log files that need to be applied. It is important to consider this amount of time in the recovery schedule. Once a hard recovery has been performed, no other log files can be applied to the database.

Streaming backups can also be used to restore public folders to their original location. Public folders rely on having replicas stored on multiple servers to reduce the requirement for restores. To perform single-item or folder restores for a public folder for items that have passed the deleted item retention period, the data restore would need to be done in an alternate forest. After restoring the public-folder data to the alternate forest, Office Outlook would need to be used to export the public-folder data to a personal folders (

.pst

) file that would be used to import the data back into the production public folders.

Restoring to a Recovery Storage Group

Recovery storage groups provide for a very flexible recovery process. They can be used to restore individual mailboxes or specific mailbox items, or for dial-tone recoveries. A recovery storage group can be on any Mailbox server in the Exchange organization and can be used to recover Exchange 2007, Exchange 2003 Service Pack 1 or later, or Exchange 2003 Service Pack 3 or later databases.


424

Chapter 10 �


Dial-tone recoveries are covered in detail in Chapter 8 of this book.

To perform a restore to a recovery storage group and recover a specific mailbox, the pro-cedure is as follows:

1.

Create a recovery storage group.

2.

Add the database that you will be recovering to the storage group.

3.

Set the database to allow it to be overwritten by a restore.

4.

Restore the database and all transaction log files.

5.

Mount the recovered database.

6.

Use the

restore-mailbox

cmdlet to merge data into mailboxes.

The

restore-mailbox

cmdlet is a very powerful tool, it also provides the ability to recover mail to alternate mailboxes and recover only items selected by date, keyword, or location in the original mailbox.

Implementing Volume Shadow Copy

Service (VSS) for Backups

VSS-based backups were first introduced in Microsoft Exchange Server 2003. The Volume Shadow Copy Service (VSS) provides an interface for specialized hardware to be able to create a consistent copy of the database. A consistent copy can be created only if all database writes are

quiesced

, which means

quieted

. The VSS process includes quiescing the writes to the data-base. As indicated by its name, VSS is volume-based, meaning it does not back up individual files. This means that storage-group placement and database placement are extremely impor-tant in an environment that is being planned to implement VSS backups.

You cannot mix VSS and legacy streaming backup types against the same

storage group.

What sort of hardware is required to complete VSS backups? As mentioned, specialized hardware is required, as a standard SCSI or SATA RAID controller is not supported. Typically a Fibre Channel or iSCSI Storage Area Network (SAN) is required to deliver this functionality. The hardware needs to be able to support the ability to create two copies of the data rapidly. Creating these copies is typically handled in two different ways even if the hardware manu-facturer uses different names and methodologies.

The two basic methods are

clones

or

snapshots

. The clones start out as two synchronized copies of the data and that are split at the point the backup is taken. This leaves one copy inac-tive as a backup and the other copy continues to be used in production. The snapshot method uses fewer disks and essentially stores a map of the disk data and only keeps track of data that



425

has changed since the snapshot was taken. Although VSS does take less time to complete than streaming backups, the amount of work that goes on at the disk level can be significant. When using clones it could be that the two sets of disk have to synchronize. This synchronization can be likened to the rebuilding of a RAID set and can take a considerable amount of time and resources on the storage hardware. The load that these processes take should be considered when scheduling backups, especially during production hours.

The clone process will vary with each technology vendor and with each VSS hardware pro-vider, but the four main steps typically taken during a clone process are as follows:

1.

The two volumes are synchronized during normal database operations, as shown in Figure 10.2.

F I G U R E 1 0 . 2

Synchronization

2.

Database writes are quiesced and the two volumes are fractured to create a backup, as shown in Figure 10.3.

F I G U R E 1 0 . 3

Pausing the database writes and fracturing the volumes

3.

The checksum is verified on the copy and is completed by the requestor, as shown in Figure 10.4.

1. Volume Synchronization

Database Volume

Log Volume

Clone

Clone

=

=

Database Volume

Log Volume

Clone

Clone

2. Database writes paused and clones are fractured


426

Chapter 10 �


F I G U R E 1 0 . 4

The checksum is verified and copy is completed

4.

The transaction logs are truncated when applicable, as shown in Figure 10.5.

F I G U R E 1 0 . 5

Transaction logs are truncated

The snapshot process is slightly different from the clone process. Rather than making a full second copy of the data, the snapshot contains only pointers to the data. When data is changed on the active volume, the original data is copied into the snapshot and the changed data is writ-ten to the active volume. The benefit of using snapshots is that they don’t require the synchro-nization step. The drawback of using snapshots is that activity done against the snapshot will affect the active volume, since all of the unchanged data is still located on the active volume disks. When streaming backups or other I/O-intensive actions are performed against a snap-shot, it can affect the performance of the active volume. Figure 10.6 shows how a snapshot is just a pointer to the original data plus a copy of the original data that has been changed since the snapshot.

The process for creating a VSS snapshot generally follows these three steps:

1.

Database is quiesced and writes are paused on the database; a snapshot map is created.

2.

Verification of the checksum on the copy is completed by the requestor.

3.

The transaction logs are truncated when applicable and writes are resumed to the active database.

Database Volume

Log Volume

Checksum OK

3. Checksum verification by requestor

Database Volume

Log Volume

4. Transaction log truncation and writes resume onactive volumes



427

F I G U R E 1 0 . 6

A logical view of a snapshot backup

Configuring the VSS Volumes for Restores

In order for VSS backups to provide value, one of the following would need to be true:

�

VSS backups are able to have multiple copies made.

�

Copies are saved to other media.

Many companies will keep several VSS backups on disk. After several days, they will copy the backups to tape media. Because backups and restores are done at a storage-group level, it would make sense that each storage group should have separate volumes as a VSS backup and will include all data on the volume. To provide smooth incremental and differential back-ups (and more importantly, restores) the database and transaction logs would also need to be on separate volumes.

Snapshot

Snapshot

1. Snapshot taken

Active Volume

2. Changes made to active volume and copied to snapshot

Changed

Active Volume

Copy of original data

+


428

Chapter 10 �


Table 10.3 describes the components in a VSS backup.

With many storage solutions, the snapshot and clone volumes also need to be either licensed or at a minimum pre-allocated. This means that for each full backup, a second copy of the vol-ume will be needed. Most companies will choose to keep at least one backup copy online at all times.

But what happens if one of the backup snapshots is corrupt and is unusable? Would you want to have to pull the backup from a tape? Many companies work around this pitfall by assigning two or three sets of backups or volumes so that there will be two full backup copies on disk at all times. They then rotate out each backup set successively.

Here’s an example:

�

On Monday backup set #1 is used.

� On Tuesday backup set #2 is used. Meanwhile, during business hours on Tuesday backup set #1 can have a file-level backup run to tape.

This system has two advantages:

� If the backup on Tuesday is unsuccessful for any reason, then the backup located on the first set can still be used should it be needed.

� The Tuesday backup set volumes can be synchronizing to the production volumes well before the backup needs to be started.

In all, VSS backups allow for an extremely flexible backup solution. When designing the volume layout be sure to configure them in a way that will meet the backup and restore requirements.

T A B L E 1 0 . 3 Components in a VSS Backup

Component Description

Requestor This is typically the backup software.

Writer Makes sure that Exchange has been quiesced and that the database is in a consistent state.

Provider Manages communication between the operating system, the backup writer, and the VSS-enabled hardware.


Planning and Implementing Backup Solutions for Mailbox Server Roles 429

There are four steps for completing a VSS backup:

1. The requestor starts the backup by initiating the writer.

2. When the writer has completed its tasks, it notifies the requestor it can back up the data set.

3. The requestor instructs the provider to notify the hardware to complete the backup.

4. Once the backup has completed, the requestor will notify the writer so that the writer can allow database activity to resume and then the VSS backup process completes.

Just like streaming backups, there are four types of backups that can be done with VSS. Also like streaming backups, they can be done against the active copy of the database. Unlike streaming backups, however, VSS allows for backups to be made against the passive copy of the database, such as those that exist in an LCR or CCR server. VSS backups are disk-based and will usually need to be copied to tape or another medium that can be archived. A simple file-level backup of the VSS snapshot volumes can be made to the offline media.

Now let’s discuss the four types of backups and how they work when used with a VSS backup.

Full VSS Backups

A full VSS backup will copy the entire database and the required log files to the backup media and then will purge all of the committed transaction logs. The advantage of a full backup is that you can use this backup to restore the database to a consistent state and not need any additional backup sets. The main disadvantage of this backup type is that it can take a long period of time to complete and it takes the entire volume that the database is located on.

When would you use a full backup? If possible, always. However, with ever-shrinking backup windows and increasing amounts of data it is often not practical to complete a full backup each time.

Copy VSS Backups

A copy VSS backup will back up the entire database and will not purge any of the transaction logs. The advantage of a copy backup is that you can use this backup to restore the database to a consistent state and not need any additional backup sets. The main disadvantage of this backup type is that it takes the entire size of the database volume on disk. The other disadvantage is that it does not purge the committed transaction logs.

When would you use a VSS copy backup? An excellent use of the streaming copy backup is when you need to make an additional backup for archival purposes without affecting the standard backup rotation.

Differential VSS Backups

A differential VSS backup will back up the transaction logs that have been generated since the last full or incremental backup. This form of backup does not delete any of the committed transaction logs. Using differential backups minimizes the number of backup sets that would be required for a restore, since the last differential backup set would include all of the trans-action logs generated. Differential backups cannot be run against storage groups that have cir-cular logging enabled.


430 Chapter 10 � Planning a Backup and Recovery Solution for Exchange Server

When would you use a differential backup? You could use a differential backup if you are not able to perform a full backup every day. This will keep all of the log files until the next full backup. You would use the differential backup if the server had enough space to hold the log files between full backups.

Incremental VSS Backups

An incremental VSS backup will back up the logs and then purge them. This form of backup deletes all of the committed transaction logs. Using incremental backups minimizes the num-ber of transaction logs that are kept on the server. This will increase the number of backup sets that would be required for a restore since the all incremental backup sets would need to be restored to recover all of the transaction logs generated. Incremental backups cannot be run against storage groups that have circular logging enabled.

When would you use an incremental backup? You could use an incremental backup if there is not enough space to keep all of the transaction logs between full backup jobs. Table 10.4 has a list and description of the different types of VSS backups.

Restoring a VSS Backup

A VSS restore is the simplest restore and does not differ greatly from previous versions of Exchange. Restoring to the original location would be used if a database has been damaged to the point where it cannot be mounted.

Often the backup software will manage the entire restore process. The general process of the restore would have the following key components:

1. Dismount all databases in the storage group.

2. Present or copy the VSS snapshot with the original drive and directory names. This would either be both the database and the transaction logs or just the transaction logs if this were a differential or incremental restore.

3. Mark the database able to allow for restore.

4. Perform a soft recovery to apply restored transaction logs.

T A B L E 1 0 . 4 VSS Backup Types

Type of Backup Description

Full Complete database backup that purges all committed transaction logs.

Copy Complete database backup that does not purge any transaction logs.

Differential All available transaction logs are not purged.

Incremental All available transaction logs are purged.


Planning and Implementing Backup Solutions for Mailbox Server Roles 431

You can also restore the database to a different server. To restore to another server a few steps would need to be completed in addition to restoring the data:

1. Create the new database on the new server.

2. Set the database so that it can be overwritten by a restore.

3. Restore the data to the new database location.

4. Use database portability to update user objects to the new database location.

More information about database portability can be found in Chapter 8.

Restoring Backups to a Recovery Storage Group

Typically the Exchange VSS-aware backup software will perform all of the tasks of a restore automatically. The procedure for restoring to a recovery storage group and recovering a specific mailbox has the following main tasks:

1. Restore the database and all required transaction log files by presenting or copying the clone to the location of the recovery storage group.

2. Create a recovery storage group.

3. Add the database that you will be recovering to the storage group.

4. Set the database to allow it to be overwritten by a restore.

5. Mount the recovered database.

6. Use the restore-mailbox cmdlet to merge data into mailboxes.

The restore-mailbox cmdlet is a very powerful tool; it also provides the ability to recover mail to alternate mailboxes and recover only items selected by date, keyword, or location in the original mailbox.

Implementing Backup Schedules

After determining how long you have to perform restores based on your RTO, RPO, and your SLA, you now need to determine when to schedule your backups.

The first question you need to answer is how long backups are going to take. This can vary greatly and will depend on the type of backups that you are doing as well as how much data will be backed up. Also, you will need to keep in mind the type of load your particular backup solution will put on the server. You would not want to perform a full backup on a heavily loaded Mailbox server during peak usage times (causing end users’ performance to suffer) unless there was no alternative.

As mentioned earlier, it is recommended that a full database backup be completed whenever possible. This, of course, has to be balanced against the business’s RPO, RTO, and SLAs. If the RPO for a particular server is only four hours, a backup will need to be done during business hours



assuming a typical eight-hour workday to allow for recovery of data. In many instances, it will not be possible to run a full backup every night on all of the storage groups. This makes completing a full backup every four hours during the day even more unlikely due to both server load and the amount of space each full backup will consume. To reduce server load and space requirements, a differential or incremental backup can be done every four hours during the day.

When you schedule backups it is important to note that all database maintenance is halted dur-ing backup and restore procedures. Since it is essential to complete online maintenance tasks for defragmentation and deleted-item cleanup, it is important to schedule each of these tasks during different time periods. The rule of thumb is that you should schedule enough online maintenance time during the week to allow for a complete defragmentation cycle to complete on each of the databases.

Once you’ve determined the length of time backups will take and how long database main-tenance will need to run, a schedule can be created. Often companies that are unable to fit in full backups every night due to backup-window contention will perform full backups on a select number of storage groups each night while scheduling differential backups on the remaining storage groups.

After completing your backup schedule it is recommended that you also schedule periodic recovery tests. Completing recoveries will continue to validate your recovery plan, validate that your backup hardware is functioning, and improve your recovery skills. After each restore test, it is important to generate an action plan for how to improve the current plan so that any issues that arise can be ironed out for the next test.

Planning and Implementing Backup and Recovery Solutions for Non-Mailbox Server RolesTo recover non-Mailbox server roles, different methods have to be used for each of the server role types. Let us discuss the methods for backup and recovery for each role.

Backup and Recovery for Edge Transport Servers

Edge Transport servers provide external email messaging service for companies that choose to deploy it. A cloned configuration file can be obtained by running the ExportEdgeConfig.ps1 PowerShell script to export the user-modified configuration from each Edge Transport server. This xml-based configuration file that was exported can be imported on the recovered server to set the user-customized settings. If message tracking or SMTP transport logs need to be recovered they will need to be restored from tape or from the original server and placed in the \TransportRoles\Logs folder.


Planning and Implementing Backup and Recovery Solutions for Non-Mailbox Server 433

Certain configuration settings are not exported using the cloned configuration process and must be reset manually or with a custom-written PowerShell script. Certain settings are not exported, such as the servers exempt from connection filtering and maximum send and receive size. Table 10.5 shows the key data types and methods for backing up each Edge Transport server.

Performing a recovery requires that the data listed in Table 10.5 has been backed up and includes the following steps:

1. Perform a new install of the Edge Transport server on a new server with the same name as the original.

2. Validate and import the XML-based cloned configuration exported from the original server.

3. Run the EdgeSync process to configure the recovered server to establish configuration replication.

4. Restore logs and message queue if required.

5. Reset any customizations that are not included in the XML-based cloned configura-tion file.

Backup and Recovery for Hub Transport Servers

Hub Transport servers are probably the second most important server role in the environment since they provide mail-delivery services. As far as recovery order, one of these servers should be recovered early in the process.

To enable you to recover from server failures, specific items will need to be backed up. Much of the configuration of the Hub Transport role is stored in Active Directory, so recovery of the server is fairly straightforward. A recovery can be completed in a very short period of time. Table 10.6 shows the key data types and methods for backing up each Hub Transport server.

T A B L E 1 0 . 5 Edge Transport Data Protection


Active Directory Application Mode data

Use ExportEdgeConfig.ps1 script

Message queues Databases must be offline to back up, so backup is not feasible. To recover data, mount the databases on the recovered server.

Message logs File-system backup of [Install]\TransportRoles\Logs.

Content-filtering database Use ExportEdgeConfig.ps1 script.

Service configuration System state or registry key export.



Performing a recovery for a Hub Transport server includes the following steps, assuming all the appropriate information has been backed up:

1. Run setup.com /mode:RecoverServer on a server with the same name as the server that is being recovered.

2. Restore message logs and queues, if required.

More information on recovering message queues from failed severs can be found at the Microsoft TechNet website: http://technet.microsoft.com/en-us/library/b6904662-d1f1-4ad5-bbc1-5a7791aa2d75.aspx.

Backup and Recovery for Client Access Servers

To provide for recovery, specific things need to be saved for each function that the Client Access server provides.

The Office Outlook Web Access website has configuration information stored in the ClientAccess\Owa directory. The Client Access directory should be backed up with a file-system backup to retain any customizations. This directory can be restored after the server is recovered to reapply customizations.

The IMAP4 and POP3 protocol settings are stored in the \ClientAccess\PopImap directory. This directory should be backed up using a file-system backup to retain configuration settings. Most of the configuration settings are stored in Active Directory, so regular backups of Active Directory are also recommended.

The Availability service configuration is primarily stored in Active Directory as well; how-ever, it is also important to perform a backup of the \ClientAccess\exchweb\ews directory to capture user-customized configuration settings that would be stored in the web.config file.

The Autodiscover virtual directory settings are stored in the IIS metabase, and the service configuration settings (such as the service connection point) are stored in Active Directory. It is important to back up or export the IIS metabase information as well as perform a backup of Active Directory.

T A B L E 1 0 . 6 Hub Transport Data Protection


Message queues Databases must be offline to back up, so backup is not feasible. To recover, mount the databases from the failed server on a recovered server.

Message logs File-system backup of [Install]\TransportRoles\Logs.

Service configuration System state or registry key export.


Planning and Implementing Backup and Recovery Solutions for Non-Mailbox Server 435

Exchange ActiveSync has configuration information stored in Active Directory, in the IIS metabase as well as the web.config file in the \ClientAccess\Sync directory. Table 10.7 shows the key data types and methods for backing up each Client Access server.

You can recover a Client Access server in two ways. The server can be recovered by restor-ing the server with the same name and running setup.com /mode:RecoverServer and then restoring the customized settings for each service. The second method of recovering a Client Access server is by installing a new server with a new name and installing the Client Access role. After the role is installed, the customized settings and certificates can either be restored or reconfigured.

T A B L E 1 0 . 7 Client Access Data Protection


Office Outlook Web Access File-system backup of [Install]\ClientAccess\OWA

IMAP4 and POP3 File-system backup of [Install]\ClientAccess\Poplmap

Availability Active Directory backup and file-system backup of [Install]\ClientAccess\exchweb\ews

Autodiscover System-state backup or export of the IIS metabase

Exchange ActiveSync File-system backup of [Install]\ClientAccess\Sync and backup or export of the IIS metabase

SSL certificates System-state backup or export of the SSL certificates and private keys

Doing a Reality Check

In the real world it is usually easier to rebuild an Edge Transport, Hub Transport, or Client Access server provided any customization is documented and stored elsewhere rather than to restore it from a backup. If during your planning and testing it takes about an hour to rebuild a server with all of its customizations and it takes two hours to rebuild the server and then restore from tape, it would seem to make more sense to just go ahead and rebuild the server from scratch. It is always important to do a reality check when developing a recovery strategy; and ask yourself, “Does it really make sense to spend all these resources configuring backups when I can spend less time just documenting or even scripting the original install steps?”



Backup and Recovery for Unified Messaging Servers

Performing backups to quickly recover Unified Messaging servers is important so that config-uration of Outlook Voice Access and of auto-attendants can be restored quickly. Table 10.8 shows the key data types and methods for backing up each Unified Messaging server.

So, how can you shorten your time to deploy, restore, or rebuild an Exchange server? Easy. Windows PowerShell.

The new Exchange Server 2007 command shell built on top of PowerShell provides features that will allow you to script out the installation and configuration of new and rebuilt servers. We have seen an engineer use a PowerShell script that will, with a little base preparation, rebuild an entire SCC cluster.

Why else is automation a great idea? One reason is that especially when servers are down, administrators tend to miss critical steps, which is the last thing that needs to be done when messaging services are already in a degraded state. Another reason is that if the scripts are properly written they can be executed by lower-level engineers that are following a standard operating procedure without having to be concerned that they are going to miss a step. This will also reduce the likelihood of your getting a frantic call to help figure out why the server is not working.

So be sure when designing your recovery plan to weigh the costs of backups and restores, and the troubleshooting work that leads up to the restores. Then look for ways to reduce the complexity and time involved to rebuild the servers.

T A B L E 1 0 . 8 Unified Messaging Data Protection


Custom auto-attendant and Outlook Voice Access files

File-system backup of [Install]\UnifiedMessaging\Prompts if servers is a distribution point.

Server configuration Active Directory backup.

Service configuration System-state backup or export of the registry.

Incoming call email Cannot be backed up; must be salvaged from failed server.

Outlook Voice Access Global Address List (GAL) grammar

File-system backup [Install]\UnifiedMessaging\Grammars; if backup is not completed, the GAL Grammar configura-tion will be rebuilt automatically.


Exam Essentials 437

The process for recovering a Unified Messaging server includes these steps:

1. Run setup.com /mode:RecoverServer on a server with the same name as the server that is being recovered.

2. Restore custom prompts and audio files back to \UnifiedMessaging\Prompt if required.

3. Restore the GAL grammar configuration files back to \UnifiedMessaging\Grammars.

SummaryMuch work goes into planning a backup and recovery solution for your messaging environ-ment. After having the RPO, RTO, and SLAs defined, the ability to design the recovery solu-tion for each of the Mailbox roles begins.

With Mailbox server roles there are two main options for backups: legacy streaming and VSS. These two differ greatly in the technology that enables them, and quite often in complexity in how they are configured and administered. Both types of backups offer the ability to leverage recovery storage groups that facilitate dial-tone recovery as well as mailbox and item recovery. Each non-Mailbox server requires a slightly different backup process to be successful.

Once each service has a defined method of backup and recovery that meets the RPO, RTO, and SLA, it is important to document and test this process at regular intervals to validate the process and keep the administrative staff familiar with the process.

Exam EssentialsKnow the keys for designing a backup and recovery solution. Backup and recovery solu-tions are driven by business requirements. Business requirements will typically fall into one of three categories: recovery-point objective (RPO), recovery-time objective (RTO), and Service Level Agreement (SLA). Each of these requirements will need to be fully defined in order to scope backup schedule and types.

Know the difference between full, copy, incremental, and differential backups. You must be able to differentiate between the types of backups and know when you would use each. Always remember that both full and incremental backups purge log files, and that copy and differential backups do not. It is also important to know the reasons you would use each type of backup.

Each server role has different requirements. Each of the Exchange server roles has different requirements for what needs to be backed up, what will need to be restored, and what will need to be configured manually. Be sure to review the different methods for backing up specific role configurations.



Review Questions1. You have been asked to design a backup solution. The business requires that the design tolerate

only eight hours of lost data with a minimal number of restore sets. Which schedule would meet this need?

A. Full backup nightly and incremental backups every four hours

B. Full backup nightly and differential backups every four hours

C. Copy backup nightly and incremental backups every four hours

D. Copy backup nightly and differential backups every four hours

2. You have been asked to design a backup solution. The business requires that a backup be created during the middle of the week to be shipped to the disaster-recovery site for a test restore. Only one full backup is currently scheduled each week. What type of backup should be done to test a restore and not affect the local backup rotation?

A. A full backup

B. An incremental backup

C. A copy backup

D. A differential backup

3. Which of the following business requirements defines for how long a service must be available during a given time?

A. Recovery-point objective

B. Service Level Agreement

C. Recovery-time Objective

D. Standard operating procedure

4. Which of the following can be recovered using a recovery storage group? (Choose all that apply.)

A. Mailbox data

B. Mailbox items

C. Public-folder items

D. Unified Messaging data

5. Which of the following is not a component of an Exchange-aware VSS solution?

A. Writer

B. Provider

C. Requestor

D. Coordinator



6. Which of the following would you need to do to complete a restore of an Edge Transport server? (Choose all that apply.)

A. Run setup.com /mode:RecoverServer on a server with the original name.

B. Import an XML-based configuration file.

C. Re-establish the EdgeSync.

D. Set up a fresh install of the Edge Transport role on a server with the original name.

7. You have been asked to design a VSS backup solution. You need to be able to restore each storage group individually with both differential and full backups. The server will have 10 storage groups. What is the minimum number of volumes that will be required to sup-port the storage groups?

A. 2

B. 5

C. 10

D. 20

8. A user deleted a critical contact two hours ago and requires it to be restored. What options are available?

A. Use deleted mailbox retention to restore the mailbox with Exchange Management Console.

B. Use deleted item retention to restore the item with Outlook.

C. Restore the last differential backup to the production database.

D. Restore the last full backup to a recovery storage group and restore the missing item.

9. Your server has three different business units that have mailboxes hosted on one Mailbox server. You need to maintain separate SLAs for each of the business units. Assuming that the restore speed is not a problem, what is the minimum number of storage groups and databases should your design include?

A. 1

B. 2

C. 3

D. 4

10. To be able to recover a failed Edge Transport server, at a minimum which of the following things would need to be done?

A. System-state backup of the Edge Transport server

B. File-system backup of the message queues

C. Manual export of the Edge Transport configuration to an XML-based file

D. Backup of the IIS metabase



11. To be able to recover a failed Hub Transport server, at a minimum which of the following things would need to be done?

A. Backup or export of the IIS metabase

B. System-state backup of the Hub Transport server

C. File-system backup of the message queues

D. Backup of the \TransportRoles\logs directory

12. To be able to recover a failed Client Access server, at a minimum which of the following things would you need to do?

A. File-system backup of \ClientAccess\OWA

B. File-system backup of \ClientAccess\exchweb\ews

C. File-system backup of \ClientAccess\Sync

D. Backup or export of the metabase

13. To be able to recover a Unified Messaging server, at a minimum which of the following things would need to be done?

A. Backup of \UnifiedMessaging\Prompts

B. File-system backup of the temporary messages

C. Backup of \UnifiedMessaging\Grammars

D. Backup of \UnifiedMessaging\Config

14. You can use a recovery storage group to recover which of the following?

A. Email messages in a mailbox

B. Calendar items in a mailbox

C. Email messages in a public folder

D. Contact items in a public folder

15. Which of the following backup strategies will result in a lowest RPO?

A. Full backup nightly, and incremental backups every four hours

B. Full backup nightly, and differential backups every eight hours

C. Copy backup nightly and incremental backups every two hours

D. Copy backup nightly and differential backups every eight hours

16. To ensure that user mailbox configurations were backed up, which of the servers would need to be backed up?

A. Mailbox server

B. Active Directory server

C. Client Access server

D. Hub Transport server



17. Which of the following will result in the lowest RTO?

A. Full nightly backup and incremental backups every four hours

B. Full nightly backup and differential backups every five hours

C. Copy backup nightly and incremental backups every eight hours

D. Copy backup nightly and differential backups every two hours

18. You restored your last full backup and accidentally left the Last Full Backup Set option enabled. You have a differential backup that also needs to be restored. What steps would you need to take to restore the differential backup?

A. Restore the full backup again without the Last Full Backup Set option enabled.

B. Use ESEUTIL to perform a hard recovery.

C. Use ESEUTIL to perform a soft recovery.

D. Dismount the mailbox store, check the Allow Database to Be Overwritten by Restore box.

19. When planning for disaster recovery of a Mailbox server role that is configured with LCR, which of the following are viable options for backup? (Choose all that apply.)

A. Streaming backup of the active databases

B. Streaming backup of the passive databases

C. VSS backup of the active databases

D. VSS backup of the passive databases

20. When planning for disaster recovery for a Mailbox server role configured as a cluster contin-uous replication cluster, which are viable options for restore? (Choose all that apply.)

A. Streaming restore of the active databases

B. Streaming restore of the passive databases

C. VSS restore of the active databases

D. VSS restore of the passive databases



Answers to Review Questions1. B. A full backup every night will purge the logs and then the differential backup every four

hours will capture the changes since the full backup. The restore would require two backup sets: the full backup and the last differential backup that was made. A full backup nightly with incremental backups every four hours will result in a minimum of three restore sets. Copy backups do not truncate transaction logs so a copy backup with incremental backups requires the last full backup as well as all of the incremental backups since that point. Even when dif-ferential backups are used a full backup would still be required.

2. C. A copy backup will create a backup that can be restored at the remote site and it will not purge any logs, leaving the current backup schedule unchanged. Both incremental and differ-ential backups are not able to be used to do a restore without providing a full backup as well. If a full backup were completed, this would truncate the logs and modify the backup schedule already in place.

3. C. A Service Level Agreement defines for how much time a service must be available during a period of time. A Recovery Point Objective defines how much data can be lost in a failure inci-dent. A Recovery Time Objective defines how long the recovery should take to complete and a Standard operating procedure defines the steps a process would take.

4. A, B, D. A recovery storage group can be used to recover all mailbox data—either the entire mailbox or specific mailbox items, including voicemail messages. Recovery storage groups cannot be used to recover any public-folder data.

5. D. The coordinator is not a part of the VSS backup process, but the Writer, Provider, and Requester are all VSS components

6. B, C, D. To recover an Edge Transport server the process is to complete a fresh install of Exchange Edge Transport role, and then import the XML-based configuration file, and then re-establishing the EdgeSync process. Running setup.com with the /mode:recoverserver is not a supported way to restore an Edge Transport server.

7. D. Each storage group will require two volumes: one for transaction logs and one for data-bases. None of the other options have enough volumes to allow restoring the databases individually.

8. A, D. The deleted item retention feature will have kept the deleted items until the retention period has expired. Messages are purged from the deleted item retention only after mainte-nance is run. Also, it would be possible to use the recovery storage group to retrieve the item; however, it is a considerable amount of work.

9. C. Three storage groups would need to be created so that backups and restores for each of the business groups would not affect any of the other storage-group activities.

10. A, C. A system-state backup will be beneficial in restoring service after a failure. An export of the Edge Transport configuration is required to recover most of the customizations of Edge Trans-port role. Performing a file system backup of the message queues is not possible, as the message queues will be in use and the IIS metabase is not used by the Edge Transport server.



11. B, D. A system-state backup and a backup of the transport logs will allow for a restore of the server. The Hub Transport does not use IIS, thus a backup is not required. It is not possible to backup the message queues with a file system backup.

12. A, B, C, D. Each of the directories under the Client Access is needed to restore customizations. Since much of the customizations are stored in the IIS metabase, this too should be backed up.

13. A. The only item that needs to be backed up is \UnifiedMessaging\Prompts. The \UnifiedMessaging\Grammars can be backed up; however, it can be rebuilt after the Unified Messaging server is rebuilt. The temporary messages cannot be backed up and the \UnifiedMessaging\Config folder does not need to be backed up.

14. A, B. A recovery storage group can be used for recovering only data from within mailboxes. Public folders must be recovered in whole, with deleted item retention or by using a recovery forest.

15. A. A full backup on a nightly basis with incremental backups every four hours will allow the server to be recovered to a point within four hours of a failure. Doing a full backup nightly with differential backups every eight hours would result in a restore point of up to eight hours from a failure. Copy backups cannot be used incremental or differential backups.

16. B. Active Directory contains the configuration of each of the users’ mailboxes. Performing backups on Active Directory is essential for any Exchange recovery plan. None of the other servers types store mailbox configuration data.

17. B. Differential backups reduce the number of backup sets that would need to be applied, as they are cumulative since the last full backup. After restoring the full backup only one differential would need to be restored. Even though the incremental backups are run more often, more of them would need to be restored, which would lengthen the RTO. The copy backups never trun-cate the transaction logs, so all backups since the last full backup would need to be restored.

18. A. After a hard recovery is performed, no additional transaction logs will be able to be applied to the database. To apply the additional differential backup, the full backup would need to be restored again before the differential backup could be used.

19. A, C, D. Any of these three options can be valid as VSS backups can be done against either the active or passive database in both LCR and CCR solutions. Streaming backups can be done only against the active databases.

20. A, C. Restores can be done only to active databases or to a recovery storage group.


Chapter

15

Planning Exchange Server 2007 Security


�

Plan the network layer security implementation

�

Plan the transport rules implementation

81461c15.fm Page 621 Wednesday, December 12, 2007 5:55 PM

Planning Exchange security is becoming more of a requirement in an Exchange 2007 messaging professional’s life. To plan a secure messaging environment for a larger organization, you

need to understand the security concepts. This chapter introduces you to many of the security concepts of Exchange 2007, such as network-based protection, email encryption, and trans-port rules. It also includes a discussion about the role of Internet Security and Acceleration (ISA) Server 2006.

In-depth understanding is not required in every area, but it is important to understand how these concepts work on Exchange Server 2007 and what to configure where.

The main subjects of this chapter are as follows:�

Defining firewall rules for every Exchange server role�

Network-based secure communication using Internet Protocol Security (IPSec) or Virtual Private Network (VPN)

�

Session-based secure communication using Transport Layer Security (TLS)�

Implementing transport rules and edge rules�

Implementing Secure Multipurpose Internet Mail Extensions (S/MIME)�

Implementing message journaling�

Protecting Exchange Server 2007 with ISA Server 2006

Planning the Network Layer Security Implementation

This section covers the requirements for planning the network layer security for an Exchange Server 2007 implementation. We’ll start with firewall rules and then continue with an over-view of secure communications solutions using IPSec, VPN, and TLS.

Defining Firewall Rules

When the first versions of Exchange came out, security was not a major consideration. Obvi-ously, this has changed in recent years and a firewall became part of the base system of a Win-dows 2003 server. This section covers what’s important when defining firewall rules and which ports and protocols must be allowed to enable certain types of services between servers and clients.



623

When defining your firewall ports, you should always consider the concept of “less is more.” The fewer ports you allow to open, the more secure your

system will be.

To provide an easy overview of the masses of ports, this section is organized according to the Exchange server roles. The tables are sorted according the required ports so you can recognize what ports are used for what services or data paths.

The most important ports are always the ones frequently used. You should

remember the key services for each server role and what ports they require.

Mailbox Server

The Mailbox server role hosts the mailbox and public-folder databases and, therefore, must be accessible to the clients. Table 15.1 shows which ports are required for services or data paths from and to the Mailbox server role. It’s important to understand that Remote Proce-dure Call (RPC) traffic is always encrypted.

T A B L E 1 5 . 1

Mailbox Server Ports

Data Path Required Ports

Encrypted

by default?

Messaging application programming interface (MAPI) access, Availability web service, Content indexing, Recipient Update Service RPC access,Microsoft Exchange Active Directory Topology Service access, Microsoft Exchange System Attendant service legacy access (MAPI client), Offline address book (OAB) accessing Active Directory

135/TCP (RPC) Yes

Clustering, mailbox assistants, Admin remote access (remote registry), Microsoft Exchange System Attendant service (listen)

135/TCP (RPC) No


624

Chapter 15 �


Transport Servers

The Hub Transport server takes care of messages that are routed within an organization; the Edge Transport server role routes messages inside and outside of the organization. Table 15.2 explains which ports are required for services or data paths from and to the Hub Transport and the Edge Transport server roles.

Active Directory access 389/TCP/UDP (LDAP), 3268/TCP (LDAP GC), 88/TCP/UDP (Kerberos), 53/TCP/UDP (DNS), 135/TCP (RPC Netlogon)

Yes

Microsoft Exchange System Attendant service legacy access to Active Directory, Recipient update to Active Directory, DSAccess to Active Directory

389/TCP/UDP (LDAP), 3268/TCP (LDAP GC), 88/TCP/UDP (Kerberos), 53/TCP/UDP (DNS), 135/TCP (RPC Netlogon)

Yes

Admin remote access (SMB/File) 445/TCP (SMB) No

Cluster nodes communication (intranode) 3343/UDP + randomly high TCP ports

No

T A B L E 1 5 . 2

Hub and Edge Transport Server Ports


Encrypted

by default?

Hub Transport server to Hub Transport server 25/TCP (SSL), 587/TCP (SSL)

Yes

Hub Transport to Edge Transport and vice versa 25/TCP (SSL) Yes

Active Directory access from Hub Transport server 389/TCP/UDP (LDAP), 3268/TCP (LDAP GC), 88/TCP/UDP (Kerberos), 53/TCP/UDP (DNS), 135/TCP (RPC Netlogon)

Yes

T A B L E 1 5 . 1

Mailbox Server Ports

(continued)


Encrypted

by default?



625

As the table shows, encryption is the default in many situations. Hub Transport to Hub Transport is encrypted by default using Exchange 2007’s certificates. If there are no machine certificates available for your Exchange 2007 server, the system will use self-signed certificates for encrypting the communication. This is the same for Hub Transport to Edge Transport communication.

Traffic between Edge Transport servers in two different organizations is opportunistic Transport Layer Security (TLS). This means that if both servers offer a valid server certificate, traffic will be encrypted. If only their self-signed certificate is available, traffic will not be encrypted. (Additional security can be added using a feature called Domain Security, as dis-cussed in the “Implementing Domain Security” section of this chapter.)

As the Edge Transport server is designed to be located in the perimeter network or demilitarized zone (DMZ), it is assumed that only the commu-nication between Hub Transport and Edge Transport needs to be protected by firewalls. Of course, Edge Transport communication to the Internet also should be protected if the Edge Transport server is located in the

perimeter network.

Client Access Server

Table 15.3 describes which ports are required for services or data paths from and to the Client Access server (CAS) role.

Edge Transport to Edge Transport server 25/TCP (SSL), 389/TCP/UDP, 80/TCP (certificate authentication)

No

Microsoft Exchange EdgeSync service 50636/TCP (SSL) Yes

Active Directory Application Mode (ADAM) local access on Edge Transport server

50389/TCP (No SSL) No

Mailbox server to Hub TransportHub Transport to Mailbox server via MAPI

135/TCP (RPC) Yes

T A B L E 1 5 . 2

Hub and Edge Transport Server Ports

(continued)


Encrypted

by default?


626

Chapter 15 �


When your Exchange 2007 Client Access server is communicating with an Exchange 2003 server, it is a best practice to use Kerberos authentication and

disable NTLM and basic authentication.

Unified Messaging

Table 15.4 explains which ports are required for services or data paths from and to the Unified Messaging server role.

T A B L E 1 5 . 3

Client Access Server Ports


Encrypted

by default?

Autodiscover service, Availability service,Outlook Web Access (OWA), Outlook Anywhere (formerly known as RPC over HTTP ), Exchange ActiveSync application, Client Access server to a Mailbox server that is running an earlier version of Exchange Server, CAS to CAS for Exchange ActiveSync and OWA, WebDAV

80/TCP, 443/TCP (SSL) Yes

POP3 110/TCP (TLS), 995/TCP (SSL)

Yes

IMAP4 143/TCP (TLS), 993/TCP (SSL)

Yes

CAS to Unified Messaging server 5060/TCP, 5061/TCP, 5062/TCP, One dynamic port

Yes

CAS to Exchange 2007 Mailbox server RPC with many ports Yes

T A B L E 1 5 . 4

Unified Messaging Server Ports


Encrypted

by default?

Unified Messaging to Hub Transport 25/TCP (SSL) Yes

Unified Messaging server to Mailbox server 135/TCP (RPC) Yes



627

Defining Secure Communication Solutions

Using IPSec, VPN, and TLS

Secure messaging in Exchange 2007 can be separated into three categories: network-based, SMTP-based, and client-based.

In the first part of this section, you will read about the network-based approach using IPSec or VPN protocol. The second part covers the session-based approach using TLS for authenti-cation and encryption. This section also introduces a new concept called Domain Security that is based on mutual TLS as the protocol.

Client-based security using Secure MIME (S/MIME) is covered in the “Imple-

menting S/MIME” section later in this chapter.

Network-Based Secure Communication Using IPSec or VPN

IPSec provides a set of extensions to the basic IP protocol and is used to encrypt server-to-server communication. It can be used to tunnel traffic or peer-to-peer to secure all IP communications natively. Because it operates on the transport layer, applications like Exchange 2007 don’t need to be aware of IPSec. The same applies to VPN, which also operates on the transport layer and very often uses IPSec as the underlying protocol.

You use IPSec normally to secure server-to-server or client-to-server communication. VPN is used to connect site to site or client to site. Both operate as mentioned on the transport layer, which can be an advantage over application-layer protocols such as S/MIME because they do not require the application on both ends to know about the protocol.

Because Exchange 2007 by default encrypts its network traffic using TLS and self-signed certificates (if you do not by default roll out server certificates), the requirements for network-based security are less. In Exchange 2003 for example, you wanted to implement IPSec for communication between Exchange 2003 front-end and back-end servers. Front-end servers were often placed in the perimeter network or directly in the Internet, but needed to commu-nicate with the back-end servers quite heavily (they were members of the domain). Having this traffic encrypted provides more protection.

Unified Messaging Web Service 80/TCP, 443/TCP (SSL)

Yes

Unified Messaging fax,Unified Messaging private branch exchange (PBX)

5060/TCP, 5061/TCP, 5062/TCP, One dynamic port

Yes

T A B L E 1 5 . 4

Unified Messaging Server Ports

(continued)


Encrypted

by default?


628

Chapter 15 �


Of course, Exchange 2007 also has an advantage if you have already implemented network-based secure communication. You don’t need to do anything to make Exchange 2007 work; however, to optimize performance, you should consider a few points when you have network-based security in place.

Let’s assume that you configured IPSec for all the Exchange servers in your organization. (Con-figuring IPSec is beyond the scope of this book and of the exam, so this section focuses only on the settings you need to configure in Exchange 2007.) You now need to access the Receive connectors of your Hub Transport server and enable Externally Secured on the Authentication tab as shown in Figure 15.1. Externally Secured means that the connection is considered secured by a security mechanism that is external to Exchange 2007. In the Exchange Management Shell (EMS), Exter-nal Secured is referred to as

ExternalAuthoritative

.

F I G U R E 1 5 . 1

The Receive connector’s Authentication tab

Normally you don’t need any other authentication method. You’re able to add Transport Layer Security (TLS) only on top of your network security, but this will decrease the perfor-mance of message transfers, since the communication gets encrypted several times. Other options like Exchange Server authentication do not work with Externally Secured and, there-fore, should be disabled.

Additionally, you need to configure Exchange Servers on the Permission Groups tab of the Receive connector because this group is used to permit a connection to the server. You can see the configuration in Figure 15.2.

Using network-based security is a work-intensive solution. Unless you have already implemented IPSec or other network-based protocols, you may want

to consider other options for Exchange 2007.



629

F I G U R E 1 5 . 2

The Receive connector’s Permission Groups tab

Session-Based Secure Communication Using TLS

The TLS protocol is the default protocol used in an Exchange 2007 organization to encrypt server communication. It uses Exchange 2007 self-signed certificates that are created during the setup for encryption.

This means self-signed certificates provide novice or lazy Exchange 2007 administrators a way to have OWA or other services automatically secured. Also, self-signed certificates are used to automatically encrypt messages between Hub Transport and Edge Transport servers to encrypt traffic. They also are used to encrypt traffic between two Edge Transport servers located in differ-ent organizations.

If you’re planning to implement Exchange 2007 Domain Security to provide secured mes-sage paths between Exchange 2007 Edge Transport servers over the Internet, you need a more thorough certificate implementation. Self-signed certificates do not work when you want to implement Domain Security.

Domain Security uses TLS with mutual authentication (mutual TLS) to provide session-based authentication and encryption. Standard TLS is used to provide confidentiality by encrypting but not authenticating the communication partners. This is typical of Secure Sockets Layer (SSL), which is the HTTP implementation of TLS.

We’ll start by taking a look at the different types of certificates. Then we’ll cover the obstacles you must consider when requesting a certificate. Finally, we’ll discuss implementing Domain Security for Exchange 2007.

Types of Certificates

Three different types of certificates are available: self-signed certificates, Windows public key infrastructure (PKI)–generated certificates, and third-party certificates. Table 15.5 provides you with an overview of these types of certificates and their uses.


630

Chapter 15 �


You cannot use self-signed certificates for mutual TLS or Domain Security communication to and from the Internet in Exchange 2007—only Windows PKI–generated certificates or third-party certificates are supported there.

If you decided to use Windows PKI–generated certificates for your external traffic, you have to make sure that your partners’ servers trust your root CA

(by importing your root certificate).

Exchange 2007 certificates need to have a certain format to work correctly with the TLS protocol. Because the Exchange servers in the perimeter network, namely your Edge Transport servers, have multiple domain names or service connection points (SCPs), you have two options:�

Use a single certificate on your server(s) with Subject Alternative Names (SAN Certificate) support, also known as Unified Communications Certificates.

�

Use individual certificates.

T A B L E 1 5 . 5

Types of Certificates

Certificate Type Description

Self-signed certificates When Exchange 2007 is installed, a new certificate is generated automatically. This certificate is used by default to encrypt all communication inside and outside the Exchange organization. If you access your OWA using a web browser, you need to con-firm the server’s certificate is correct because you do not trust this certificate by default.

Windows PKI–generated certificates These certificates are issued by a Windows certificate authority (e.g., Windows Server 2003), and you can request them at no extra cost and install them imme-diately. They are not trusted publicly, so you need to make sure that the root certificate is imported at every server, client, and device that does not belong to your Active Directory. In your Active Directory, the informa-tion is distributed automatically.

Third-party certificates This type of certificate is automatically trusted within the Internet and can be purchased by a third-party certificate authority (CA) such as VeriSign. It is the easiest and least time-consuming way to imple-ment certificates, but you need to buy them. Thus, you probably won’t have an official certificate for every Exchange server in your environment.



631

Microsoft recommends using a SAN certification because it’s simpler to administer on the servers. Unfortunately, it is also more expensive than a

normal certificate if purchased from a third-party CA.

For example, if you have a domain called Exchange2007.com and an Edge Transport server called ED01, you should configure at least the following domains as Subject Alternative Names on which TLS works correctly:�

ED01.Exchange2007.com�

Exchange2007.com

Requesting and Installing a Certificate

To request a SAN certificate, you can use the Exchange Management Shell (EMS) to create a request. Use the following cmdlet to issue a request that you then can send to your Windows CA or a third-party CA to receive a certificate for your TLS communication in Exchange 2007:

Net-ExchangeCertificate -GenerateRequest -FriendlyName “Internet” -Path c:\edge.req -SubjectName “DC=com,DC=Exchange2007,CN=ed01.exchange2007.net” -

DomainName exchange2007.com

The name of the server is ED01 and it is part of the domain Exchange2007.com and is the Edge Transport server for the inbound domain Exchange2007.com.

Once you receive the certificate, you can use the following cmdlet to import the certificate and enable it for the Service SMTP. It imports the certificate that is available at

c:\certnew.cer

and enables it automatically for SMTP.

Import-ExchangeCertificate -Path c:\certnew.cer | Enable-ExchangeCertificate -

Services SMTP

Once you receive the certificate, you can use the certificates snap-in in Microsoft Manage-ment Console to verify that all SAN domains have been included accordingly. Figure 15.3 shows the SAN configuration for the certificate that we requested.

As you see, the SAN includes Exchange2007.com, for which this server can receive mutual TLS connections. The server FQDN is part of the normal subject, and so is not shown as a SAN.

Implementing Domain Security

Domain Security in Exchange 2007 is a new feature that provides a relatively low-cost alter-native to S/MIME or other message-encryption solutions. It uses mutual TLS, where each server verifies the identity of the other server by validating the certificate that is provided by the other server. It is an easy way for administrators to manage secured message paths between domains over the Internet.

Domain Security is manually enabled for every domain by an Exchange organization administrator, so you must coordinate with the communication partner to make it work. It cannot be enabled just on one side, but must be configured in domains.


632

Chapter 15 �


F I G U R E 1 5 . 3

The Subject Alternative Name configuration

Typically, Domain Security is enabled only on an Edge Transport server because the server needs to reside in the perimeter network or directly on the Internet to communicate with the other domains. However, you also can

enable Domain Security on a Hub Transport server if needed.

The high-level steps to implement Domain Security are as follows:�

Request and install a SAN certificate on the Edge Transport server(s) where you want to enable mutual TLS.

�

Configure outbound and inbound Domain Security.�

Test mailflow.

The tricky part in this configuration is understanding where to configure the set-tings. The certificate is directly installed on the Edge Transport server; the out-bound and inbound Domain Security is configured on the Hub Transport server

in your Exchange organization.

REQUESTING AND INSTALLING A SAN CERTIFICATE

As noted earlier, the requirements for the certificate are as follows:�

It must be a certificate that was either issued by a trusted party (by importing their root certificate) or by a third-party CA.

�

The certificate must be valid.



633

�

The certificate must match the domain. For example, if you’re sending an email from Exchange2007.com, the certificate must include the domain name Exchange2007.com as the subject or SAN.

�

The certificate must be enabled for SMTP on the Edge server(s).

Verify that the certificates are enabled by using the following command in the

EMS:

Get-ExchangeCertificate |fl

.

To verify that your Edge Transport server is ready to serve mutual TLS requests, you should use the command

TELNET <servername> SMTP

and verify that when you enter the command

EHLO you see STARTTLS listed (see Figure 15.4). If it is not listed, check your Event Viewer’s application log to find out what is wrong.

F I G U R E 1 5 . 4 Edge Transport server that supports mutual TLS

Don’t forget to check your partner’s domain to verify that it supports mutual TLS before configuring outbound and inbound Domain Security. It will stop all message traffic if a mutual TLS connection cannot be made.

CONFIGURING OUTBOUND AND INBOUND DOMAIN SECURITY

After you ensure that the certificate is working correctly, the next step is to implement Domain Security for your business partners by specifying their domains. You can decide whether you want to enable it for one way (e.g., sending to your partner domain) or both directions.

Make sure you understand the impact of this decision. If Domain Security is not correctly enabled on both your side and the partner side, you may stop all message traffic between your domains. For example, if your partner domain’s administrator forgets to configure the domain security but you already configured it, no messages can flow between the domains until either you remove the domain from the list or the other administrator configures your domain as secure.


634 Chapter 15 � Planning Exchange Server 2007 Security

To configure domain security, you need to connect to a Hub Transport server and run the following commands in the EMS:� To enforce domain security on an outbound connection, use the following command:

Set-TransportConfig -TLSSendDomainSecureList <DomainList>

� To enforce domain security on an inbound connection, run this command:

Set-TransportConfig -TLSReceiveDomainSecureList <DomainList>

You need to configure this on a per-domain level. The domain list is not additive, so new domains are not automatically added, but replaced. You have to separate the domains using a comma. For example, you can use the following command to configure outbound domain security for the domains partner.net and acme.net:

Set-TransportConfig -TLSSendDomainSecureList acme.net, partner.net

Your last task is to make sure that the Send connectors and Receive connectors are enabled for Domain Security (Mutual Auth TLS). This is the default configuration, which is enabled if you do not change anything. The Send connector must be configured on the Hub Transport server; the Receive connector must be configured directly on the Edge Transport server.

As you are performing this configuration on your Hub Transport servers, it takes a cycle before your Edge servers will recognize it. To speed up this process, you can use the Start-EdgeSynchronization cmdlet in Exchange Management Shell.

TESTING MAIL FLOW

Testing the mail flow between your Exchange organization and your partner domain might be obvious, but it is the only way to find out if domain security is working correctly.

To test, you must use an Outlook 2007 client because OWA does not yet display the Domain Secured icon. Send a message to your partner and let them respond if you configured in both directions. If you receive a message that was sent over a domain-secured path, you should see a green check icon on the top right side of the message. Double-click to see the information, as shown in Figure 15.5.

F I G U R E 1 5 . 5 Domain Security information in Outlook 2007


Planning the Transport Rules Implementation 635

If the test does not work correctly, check the following on your Edge Transport server to find the problem:� Event Viewer’s application log� The Queue Viewer in the Exchange Management Console’s toolbox� Protocol logging (if enabled)

Planning the Transport Rules ImplementationExchange Server 2007 makes it easy to apply certain message policies to email messages flowing through your Exchange organization by using transport rules. You can think of transport rules as similar to Microsoft Outlook’s email rules. Using a wizard, you can define what happens to an email that meets certain conditions.

This is an improvement over earlier Exchange versions, in which you had to programmati-cally create transport sinks that few programmers had experience writing code for. In Exchange 2007, you also can write custom code using the Exchange 2007 software development kit (SDK). However, for the most common scenarios, using the SDK is unnecessary because you can use the Transport Rule wizard to configure Exchange 2007.

As mentioned before, every message inside the Exchange organization must pass a Hub Transport server, so this is the place where the Hub Transport rules (or transport rules) are processed. Transport rules also can be applied to Edge Transport servers. The differences between them are as follows:

Hub Transport rules are used to apply compliance and policy-based rules to all messages in your Exchange organization. For example, they are used to add a disclaimer to the body of every message.

Edge rules are used to manage antispam and antivirus protection for your organization. For example, you can use them to easily prevent a certain message from entering the Exchange organization.

For the exam, it is important to understand the difference between a transport rule and an edge rule. You must understand when you use a transport rule and why you do not use an edge rule in the same situation. For example, if you add a disclaimer, you always use a transport rule but never an edge rule. For more information, see Table 15.6, “Examples of Differences between Transport Rules and Edge Rules.”

The EMC and EMS do not differ between transport rules and edge rules. You configure them either as a transport rule directly on the Hub Transport server or directly on the Edge Transport server. We use the terms to differentiate between these two types of rules, as they have a different scope for usage.



Using Transport Rules

Transport rules on Hub Transport servers are important for applying message policies for your Exchange organization. In general, they are used to apply compliance and policy-based rules to messages. Many organizations require message policies because they are forced by law, regulatory requirements, or company policies to limit the interaction between certain departments or people. For example, certain workers may be allowed to communicate with their colleagues, but not with external recipients on the Internet. In general, you can use trans-port rules to perform the following tasks:� Filtering confidential information� Preventing confidential/company-sensitive information from leaving the organization� Redirecting messages for inspection or preventing receipt of inbound and outbound messages� Adding disclaimers to messages� Applying an ethical firewall where people are not allowed to communicate with each other

The transport rules on the Hub Transport servers are managed centrally using the EMC. They are stored in Active Directory and are applied to every Hub Transport server once Active Directory replication takes place. Therefore, you only can apply a transport rule globally to all Hub Transport servers. Applying it to a single server is not possible.

Using Edge Rules

You use edge rules to prevent unwanted messages (such as spam or viruses) from entering or leaving your Exchange organization. Think about the last virus attack you had from the Inter-net, especially when message storms were generated. Edge rules can identify and screen out these messages by using the subject of the message) before they enter the organization. Edge rules would have prevented some disasters when the Melissa virus showed up years ago.

Some examples of situations in which you should consider using edge rules are as follows:

Virus outbreaks. You can react to an email virus even before the antivirus software can provide updates.

Spam attacks. Similar to virus outbreaks, but spam attacks are probably harder to identify. You can identify such messages and prevent them from entering the organization.

Denial of service attacks. If your organization experiences a denial of service (DoS) attack, you may be able to identify a way to drop the SMTP connections immediately so you’re able to lower the attack’s impact.

Because the Edge Transport server is not part of your Active Directory infrastructure, edge rules are stored in the Active Directory Application Mode (ADAM) instance on each server.



The drawback is that edge rules cannot be managed centrally but must be managed separately on every Edge Transport server.

Applying edge rules to each Edge Transport server separately allows you to define a granular approach to rules for your servers. For example, if you want to set rules based on the Edge Transport server’s address, you can do so. On the other hand, you can distribute edge rules easily by using the EMS’s cmdlet Export-TransportRuleCollection and Import-TransportRuleCollection.

Implementing Transport Rules

Now that you know the key differences between transport rules on a Hub Transport server and on an Edge Transport server, let’s take a look at how these rules are implemented.

Each transport rule consists of the following components:

Conditions. Conditions are used to select the messages that will be subject to the transport rule action. If you do not select any condition, it will be applied to all messages.

Exceptions. Exceptions are used to identify messages to which the transport rule action should not be applied. You don’t need to configure exceptions if you don’t require them.

Actions. Actions are what will happen to the mail you specified using conditions and exceptions. You must have at least one action configured for every rule.

Additionally, when you create multiple rules, each rule will receive a priority. Using these priorities, you can control which rule will act on a message first. Rules with a lower priority will be processed first. For example, say you have two rules that apply for the same recipient; one rule is priority zero and the other rule is priority one. The priority-zero rule will first pro-cess the message, then the priority-one rule will process that same message. You may want to modify this if there are two rules that contradict or influence each other.

The transport rules differ from the edge rules in the areas of conditions, excep-tions, and actions used: the transport rules are focused on organizational policy and compliance, whereas the edge rules are focused on protecting your organi-zation from unwanted or harmful messages.

Table 15.6 provides an overview of how the transport rules differ from the edge rules. Not every condition, exception, or action is included, but it provides examples to give you an over-view of the differences.



Rules can be applied to all messages apart from signed or encrypted mes-sages. Signed or encrypted messages (e.g., S/MIME) are not changed because Exchange 2007 would break the digital signature or encryption. Only rules based on the client side are capable of applying rules to signed or encrypted messages.

In Exercise 15.1, you will use the EMC to configure a company disclaimer for every mes-sage that is sent outside the Exchange organization. Also, you will configure an exclusion rule to define users who do not have a disclaimer automatically added to their messages.

T A B L E 1 5 . 6 Examples of Differences between Transport Rules and Edge Rules

Area Transport Rules Edge Rules

Examples of common conditions

From people From a member of distribution list Sent to users inside or outside the organizationMarked with classification

When a subject field contains specific wordsWhen a message header contains specific wordsWhen any recipient address contains specific words

Examples of common actions

Apply message classification Append disclaimer text using font, size color, with separator and fall-back to action if unable to apply

Drop connectionPut message in spam quarantine mailboxReject the message with status code and response

Examples of common exceptions

Except when the message is from member of distribution list Except when the message is marked as classification Except when the message is marked as important

Except when the from address contains text patternsExcept when text-specific words appears in any recipient addressExcept when text patterns appear in any recipient address

E X E R C I S E 1 5 . 1

Implementing a Company Disclaimer

To configure a company disclaimer, follow these steps:

1. Open the EMC on one of your Hub Transport servers.

2. Expand Organization Configuration and click on Hub Transport.

3. Select New Transport Rule on the Actions pane (right side).



4. Fill in the transport rules name and a comment (provide some information about when and why this rule was created). Click Next.

5. On the Conditions window, select Sent to Users Inside or Outside the Organization and choose Outside in the Edit the rule pane. Click Next.

6. In the Actions window, select Append Disclaimer Text Using Font, Size, Color, with Sep-arator and Fallback to Action If Unable to Apply.

E X E R C I S E 1 5 . 1 ( c o n t i n u e d )



7. In the Edit rule, you can add a disclaimer text and select other options, such as font. For this exercise, simply add some disclaimer text and then click Next.

8. In the Exceptions window, select Except When the Message Is from People. You can now define which people you want to exclude from this rule, meaning that no disclaimer will be added for them. Click Next.

9. The next window shows the configuration summary. Click Next.

10. The completion window will be displayed. Click Finish to end the wizard.



Implementing S/MIME 641

Implementing S/MIMES/MIME is a standard for public-key encryption and signatures of email messages. Encryption is used to protect the content of a message so only the intended recipients can read it. Signing a message means that the recipient can verify whether the message has been changed on the way from the sender to the recipient.

S/MIME is an important security topic in Exchange Server 2007 and is included here to provide a complete discussion of message security. However, it’s not a part of the Microsoft exam.

11. You will see the new transport rule that is part of the Transport Rules tab in your organi-zation configuration. If you have multiple rules, you also can apply priorities. Remember that this rule is first stored to the Active Directory, so it takes some time until the Hub Transport servers will act on it.




S/MIME is a client-based encryption and signing protocol that provides end-to-end secu-rity, from the sending mailbox to the receiving mailbox. Unlike other encryption protocols that are session-based on the transport layer (like TLS), the message also remains encrypted and signed within the mailbox. Even administrators cannot decrypt it if their digital certificate does not allow them to do so. Implementing S/MIME offers the following abilities:� Use digital signatures as a way to prove to your communication partners that the content

was not altered.� Authenticate messages (especially for crucial functions such as when your boss approves

your travel requests).� Encrypt messages to prevent accidental disclosure of the content.

By default, Exchange Server 2007 fully supports S/MIME for message encryp-tion and signatures. Unlike in previous versions, where you had to configure every mailbox database, you do not need to configure any server-side setting to support S/MIME.

Because S/MIME provides end-to-end security, it is important that the email application you use to read and write S/MIME messages meets the following two requirements:� It must support S/MIME encryption and signatures.� The digital signature must be configured in the email application.

Table 15.7 provides an overview of the email access S/MIME included in Exchange Server 2007.

OWA will support S/MIME encryption when Exchange Server Service Pack 1, is applied. This feature is not available in the release version of Exchange Server 2007.

T A B L E 1 5 . 7 S/MIME Support in Exchange 2007

Email Access S/MIME Support

Outlook 2003 Yes

Outlook 2007 Yes

OWA in Exchange 2007 No

Mobile devices using Exchange ActiveSync No


Implementing S/MIME 643

To implement S/MIME in your Exchange organization, you need to follow these steps:

1. Set up a CA that issues certificates for your users or buy user certificates from a third-party CA such as VeriSign. If you set up your own CA, make sure that the communication partner of your company trusts your root CA, and have your users’ public keys available, either stored in their contacts or in the directory.

2. Provide the certificates to your users either manually or automatically by publishing the certificate to the Active Directory.

3. Install certificates on your users’ workstations.

4. Enable certificates in Outlook. You must select the correct certificate in the security settings to be able to use them.

Signing and encrypting messages also means that your antivirus or spam protection will not act upon these messages because they might destroy the digital signature. Also, Exchange 2007 transport rules ignore S/MIME messages.

In your S/MIME implementation plan, you also should consider these business questions:� Should everybody in the organization be allowed to encrypt messages? Especially in com-

pliance areas where archiving is a mandatory requirement, you should discuss this with your legal department.

� Are encrypted messages allowed to leave the organization? If so, confidential information could be sent to an unauthorized recipient, including a competitor, and no evidence will be available.

Exercise 15.2 shows you how to enable S/MIME in Outlook 2007 for the user Carola Mechelke who installed a certificate to her workstation using Internet Explorer. You can verify whether the certificate was installed correctly using the Internet Explorer options Content tab and clicking on Certificates. You should see at least one certificate for the local user.

E X E R C I S E 1 5 . 2

Manually Enable S/MIME Encryption in Outlook 2007

To manually enable S/MIME encryption in your Outlook 2007 client, follow these steps:

1. Click Start � All Programs � Microsoft Office � Microsoft Office Outlook 2007.

2. Click Tools � Trust Center.

3. On the left pane, select Email Security.

4. Click on Settings.



5. If your certificate is the only one installed on the local computer, you should have all the con-figuration options preconfigured. You just need to confirm the settings by clicking on OK.

6. Confirm your default settings by clicking OK.



Implementing Message Journaling 645

Implementing Message JournalingMessage journaling is becoming more important for companies. Whereas archiving refers to reducing the amount of data by moving it to other (usually cheaper) storage, journaling means recording all communications in an organization for use in the organization’s archival strategy. Journaling is a part of security because it enables you to satisfy company or governmental policies about storing and keeping sensitive information for later lookup.

Journaling is required in certain industries or regions because of governmental regulations such as the Sarbanes-Oxley Act of 2002 (SOX), Securities and Exchange Commission Rule 17a-4 (SEC Rule 17a-4), and the European Union Data Protection Directive (EUDPD). It is important to talk to your company’s compliance or security people to determine the journal-ing requirements for the messaging system you’re planning.

Exchange 2007 provides two different options for journaling: standard and premium. But before we jump into the details of these two options, we will first explore some basics about journaling—journal reports and journaling mailboxes.

Journal Reports

When journaling is enabled, any message that is stored to a journaling mailbox is called a journal report. In Exchange 2003, a journal message was a copy of the message, the results being similar to adding the journal mailbox as BCC (blind carbon copy) to every email. In Exchange 2007 this changed to the envelope journaling format.

7. Once you compose a new message, you the encryption buttons will be available in Outlook 2007. Confirm your default settings by clicking OK.




A journal report using the envelope journaling format includes the following:� The original message is included unaltered as an attachment in Transport Neutral Encapsu-

lation Format (TNEF). TNEF is a richer format that maintains higher fidelity of the original message. For example, information such as voting buttons or read receipts is retained.

� The body of the journal report contains the sender email address, subject, message ID, and recipient email addresses from the original message.

Figure 15.6 shows an example of a journal report message.

F I G U R E 1 5 . 6 A journal report message

When you move from Exchange 2003 to Exchange 2007, make sure your archiving software supports journal report envelopes. If not, you need to wait until you get Exchange 2007 SP1 because it will include functionality to down-convert journal reports to the old format.

Journaling Mailboxes

Journaling mailboxes are used to store journal reports. You can create a single mailbox for all your company and journal rules or create a mailbox for each rule. How you configure it depends on your special requirements.

Because journaling mailboxes contain company-sensitive information, you should clearly define who will be able to access them. You should limit access to only those individuals who have a direct need to access the journal mail-boxes. Directly add each user account to the mailbox, and make sure that you closely monitor who accesses that mailbox.



Many laws require that messages remain tamer-free (meaning nobody is allowed to log in and modify the messages), but how can you prevent the journaling mailbox from being mis-takenly addressed by others? The best practice is to limit access to itself only. You can achieve this by using the following EMS command on a mailbox (“Journal” is used here as an example mailbox name):

Set-Mailbox “Journal” -AcceptMessagesOnlyFrom “Journal” -RequireSenderAuthenticationEnabled $True

Standard Journaling

Standard journaling in Exchange 2007 refers to the journaling concept of Exchange 2003. That is, you can define a journal mailbox on every mailbox database that saves every message sent from or received by recipients from this mailbox database.

This means that you can configure journaling based on a mailbox database. All messages that flow through this store are copied to the journal mailbox. You can control journaling by moving mailboxes between certain mailbox stores on an Exchange server or between Exchange servers.

It is easy to implement standard journaling. Just open your Mailbox server in Server Con-figuration of the Exchange Management Console, and click on Properties in your mailbox database. You’ll see a window that is similar to the one shown in Figure 15.7, where you can define the journal recipient for this specific mailbox database.

F I G U R E 1 5 . 7 Server properties for journaling



To enable or disable journaling on a mailbox database, you need to be either an Exchange Server Administrator for that server or an Exchange Organiza-tion Administrator.

Premium Journaling

Standard journaling is sufficient for small to medium companies that do not have hundreds of databases on their Exchange servers. However, in large companies with many Exchange Mailbox servers hosting multiple databases each, it can be difficult to configure and main-tain each and every database. Remember—if compliance requires archiving all the messages for a specific person or group, you better make sure it is happening!

For that reason Microsoft added a feature called premium journaling or journal rules to Exchange 2007. Using this feature you can create one or more rules that match your specific journaling needs. Journal rules can be defined on the following parameters:� Journal messages for recipient� Journal rule scope� Journal Unified Messaging

Journal Messages for Recipient

New in Exchange 2007 is the journal feature that allows you to select specific mailboxes, con-tacts, or distribution lists to journal. This object must belong to your Exchange organization, so you cannot use an SMTP address without creating a contact for journaling. However, dis-tribution lists are a very flexible way to control journaling.

For example, you can create a company-wide journal distribution group to which you add all mailboxes that you need to journal because they may be subject to the regulatory require-ments. Management is simplified because you can simply assign permission for this distribu-tion list to your company’s compliance department so they can manage it themselves.

If you do not select any recipient or disable Journal Message for Recipient, all messages sent to or from your Exchange organization are considered by journaling.

Because every Hub Transport server maintains a recipient cache to look up recipient and distribution group information, changes to journal rule recipients might take up to four hours (when the recipient cache is refreshed on a Hub Transport server).

Journal Rule Scope

You also can define journaling based on a scope that you can set for each journal rule. This is especially important if you need to control the message flow in a certain way, outbound or internal. You can select one of the following three scopes:

Global. All messages that pass through Hub Transport servers



Internal. Messages that are sent or received by recipients inside your Exchange organization

External. Messages that are sent to recipients or from senders outside your Exchange organization

For example, a journal rule scope could be used to journal all messages for all stock traders that are sent to or received from external recipients. Another example is to journal all internal message traffic for a specified period of time when the audit department requires it.

Journal Unified Messaging

Journaling by default also includes any Unified Messaging message like voicemail and missed-call notifications. You may decide not to journal such messages in your Exchange organization (for example, to preserve hard disk space). You can enable or disable journaling for voicemail by using the following command in the EMS:

Set-TransportConfig -VoicemailJournalingEnabled $False

This command will disable journaling for voicemails and missed-call notifications for your entire Exchange organization. Unfortunately, there is no way to define this on a per-server or per-user scope; you can only enable or disable it globally.

When you decide to disable voicemail journaling, remember that this only applies to voice messages and missed-call notifications, but not to faxes or messages received from the Unified Messaging server—they will always be part of journaling.

Managing Premium Journaling

Because all journal rules are configured in the Organization Configuration section of the Exchange Management Console, you need to be an Exchange Organization Administrator to create and modify them. As you know, the Organization Configuration is automatically rep-licated to all Exchange servers within your Exchange organization. This makes it easy to con-figure journal rules on your Hub Transport servers: Just configure them once, and they are applied to all servers automatically using replication.

If you create multiple journal rules that include the same mailbox, you will end up journal-ing multiple copies of the journal reports. For example, if you created a journal rule that includes all mailboxes and journals all internal messages and you create a journal rule for a mailbox called Trader; all messages from and to the mailbox Trader will be send to both the first and the second journal mailbox. To prevent message journaling redundancy, you should plan your journaling rules clearly.

Premium journaling requires an Exchange 2007 Enterprise Client Access License (CAL). If you’re planning to use this feature, don’t forget to mention it when buying the licenses for your company. Otherwise you should only use standard journaling.



To practice premium journaling, you will now create a journal rule that will journal all messages (scope: Global) for [email protected] to the journal mailbox called Journal. Exercise 15.3 takes you through the steps.

E X E R C I S E 1 5 . 3

Configuring a Journal Rule

To configure a journal rule to journal all messages for the Administrator mailbox, follow these steps:


2. Expand Organization Configuration.

3. Select Hub Transport and click on the Journal tab.

4. On the Action pane, click New Journal Rule to bring up the New Journal Rule window.

5. Configure all settings as shown below, then click New to create the rule.

Don’t forget that the rules are first stored in the Configuration partition of the Active Directory and will not immediately be applied to your Hub Transport servers.


Protecting Exchange Server 2007 with ISA 2006 651

Protecting Exchange Server 2007 with ISA 2006Internet Security and Acceleration (ISA) Server 2006 is a security gateway that helps to protect your applications from Internet-based threats. You can think of ISA Server 2006 as an enhanced firewall system for your perimeter network. It is not part of Exchange 2007 and has to be pur-chased separately from Microsoft if you want to use it.

ISA 2006 is not a part of the exam. We’ve included this information because it will be useful to you as an Exchange Server administrator.

ISA Server 2006 and Microsoft Exchange Server 2007 are designed to work together to provide you with a secure messaging environment. Microsoft lists the following new features for ISA Server 2006, which are designed specifically for Exchange 2007:

Web publishing load balancing. ISA Server 2006 balances the request from the client to an array of published servers. This eliminates the need to deploy Network Load Balancing (NLB) on the published array.

Link translation. Some published web sites may include references to internal names of com-puters. Because only the ISA Server 2006 firewall and external namespaces are available to

The Practical Case for Journaling

Financial institutions such banks are required to journal all the communications of their stock-brokers. Imagine if you were an administrator using Exchange 2003 at such an institution. You’d have to put these mailboxes on a specific mailbox database and enable journaling for that database. If the brokers were spread throughout your organization on a global basis, this would be quite some effort to implement. Either you’d end up with many mailbox databases just for the purpose of journaling, or you’d enable journaling for too many mailboxes. This, of course, would increase your hard-disk space requirements tremendously.

Now imagine using Exchange 2007 instead. In Exchange 2007, implementation of such a rule is made quite easy for the messaging professional. You just create a distribution list that includes all your stockbrokers and apply this to a journal rule. Only the messages from mail-boxes on the distribution list would be journaled. This way, you would optimize your archiving volume immediately with just a few steps.

Your finance department will be happy about that!



external clients, these references appear as broken links. ISA Server 2006 includes a link-translation feature that you can use to create a dictionary of definitions for internal com-puter names that map to publicly known names.

Secure Sockets Layer (SSL) bridging support. For authenticated and encrypted client access, ISA Server 2006 provides end-to-end security and application layer filtering by using SSL-to-SSL bridging.

Client Access for Exchange 2007. ISA Server 2006 is designed to work specifically with the client access methods like Outlook Anywhere available in Exchange 2007.

Although ISA Server 2006 offers several other features; this section provides only an overview of the Exchange-related features focused on routing SMTP messages and managing client access.

Routing SMTP Messages

You can configure an ISA Server 2006 to route SMTP messages before they reach an Exchange server. In previous versions of Exchange, this functionality was more important, but with the introduction of the Exchange server role concept, especially with the Edge Transport server role, you might want to consider directly routing messages to your Edge Transport server rather than using the ISA Server 2006 for that task.

However, you can still configure it, and this section explains the steps you need to consider when you want to route your inbound and outbound SMTP email traffic through your ISA Server 2006. Namely, for ISA Server 2006, you publish your SMTP mail server.

You have to meet the following DNS requirements before you can publish your SMTP server:� You need to have an A record pointing to the external IP address of your ISA Server 2006.� Your mail domain’s public Mail Exchanger (MX) record must point to that A record.

Don’t forget to verify that the MX record only includes the A record of your ISA Server 2006; otherwise the message might skip ISA Server and go directly to an Exchange server.

Additionally, you must take the following steps to configure the ISA Server 2006 to route messages to and from your Exchange organization correctly. You have to perform the following steps in Firewall Policy using the Microsoft ISA Server 2006 snap-in:

1. Publish mail servers to configure inbound email communication to be forwarded from the ISA server to your Edge Transport server.

2. Create a computer object for all your sending Edge Transport servers.

3. Create an access rule and add all the created computer objects to configure outbound communication so your Edge Transport servers are able to send emails to the Internet.

After you’ve configured all the steps, you should verify that the message flow to and from the Internet is working correctly. Don’t forget to check the message paths and connections to verify that the message communication is passing the ISA Server 2006.



Configuring Client Access

One of the key benefits of the ISA Server 2006 is to provide Internet-based client access. It does not support placing a Client Access Server in the perimeter or on the Internet. But many companies still want to provide their users with access to their mailboxes when they are outside their corporate LAN. You need to use an advanced firewall server to securely publish client access. ISA Server 2006 provides you with an easy way to publish client access because it includes a new Exchange Publishing Rule wizard (found in the ISA Server under Firewall Policy tasks). The wizard helps you to configure the ISA Server 2006 for access to the following features:� Outlook Web Access� Exchange ActiveSync� Outlook Anywhere� POP3 and IMAP4 access

To understand the complete process, the following sections will walk you through the requirements for configuring client access, including installing a certificate on your server, choosing your client authentication, configuring your Client Access server, and implementing publishing rules.

Installing a Certificate on the ISA Server

You should start by installing a server certificate on the ISA Server 2006. The differences between the various certificates are described in the “Types of Certificates” section earlier in this chapter.

One of the basic requirements for the ISA Server 2006 is to have a certificate from a CA that is trusted by your clients. Therefore, you either should get a third-party CA or install your root certificate on all of the devices that will use your ISA Server 2006 to access their Exchange mailboxes. If you forget this task, your clients will receive a message to confirm the certificate of your ISA Server 2006 every time they access it.

Deciding Which Client Authentication to Use

Before configuring your ISA Server 2006, you need to decide how clients will authenticate. The following table provides you with a list of the most common and recommended client-authentication methods.

T A B L E 1 5 . 8 Client Authentication for ISA Server 2006

Client Authentication

Method

Authentication

Validation

Authentication

Delegation Access Methods

HTML forms-based authentication

Windows (AD) LDAP RADIUS

Basic Negotiate (Kerberos / NTLM)

OWA (see the impor-tant note below) Outlook Anywhere Microsoft ActiveSync (only basic)



Configuring Your Client Access Server

Before continuing, make sure that the following steps are configured on your Client Access Server:

1. Make sure that forms-based authentication is not enabled on your CAS and basic authen-tication is used.

2. Enable Outlook Anywhere.

3. Install a server certificate on your CAS.

4. Configure the default website on your CAS to require secure sockets layer (SSL).

Implementing Exchange Publishing Rules

Before you create Exchange web Client Access publishing rules, you need to create a web listener. You must have Microsoft ISA Server 2006 installed. Remember: ISA 2006 is not part of the exam. The following sections simply offer you real-world examples of how to combine the two products.

Creating a Web Listener

The web listener is used to indicate the IP address and port to which a client connects, and then the IP address is assigned to publishing rules. Web listeners can be used by more than one publishing rule. This means if you do not have any business requirements to divide up the IP addresses or ports for your clients, you can use a single web listener for all our Exchange publishing rules.

The following are the web listener properties:� IP addresses and ports used for listening for web requests� Server certificates to use with IP addresses� Authentication method to use� Number of concurrent connections that are allowed

HTML forms-based authentication

RSA SecurID RSA SecurID OWA Microsoft ActiveSync (requires RSA SecurID component installed on Exchange servers)

SSL client certificate authentication

Windows (Active Directory)

Kerberos constrained delegation

OWA Microsoft ActiveSync

T A B L E 1 5 . 8 Client Authentication for ISA Server 2006 (continued)

Client Authentication

Method

Authentication

Validation

Authentication

Delegation Access Methods



To create a web listener in your ISA Server 2006, follow these steps:

1. Click Start � All Programs � Microsoft ISA Server � ISA Server Management.

2. Click on Firewall Policy.

3. Click on the right pane access Toolbox tab and select New � Web Listener in Network Objects, as shown in Figure 15.8.

F I G U R E 1 5 . 8 Selecting New � Web Listener

4. On the Welcome page, provide a web listener name (e.g., Exchange Client Access).

5. As shown in Figure 15.9, select Require SSL Secured Connections with Clients and click Next.

6. Select External in the Listen for Incoming Web Requests frame and click on Select IP Addresses.

7. Check Specified IP addresses on the ISA Server, and add your IP address to Selected IP Addresses. Click OK.

8. As shown in Figure 15.10, continue with Next and select Use a Single Certificate for this Web Listener. Select the server certificate you installed on the ISA server using the Select Certificate button, and click Next.



F I G U R E 1 5 . 9 Client Connection Security page

F I G U R E 1 5 . 1 0 Listener SSL Certificates page

9. On the Authentication Settings page, select HTML Form Authentication to enable forms-based authentication and select which client credentials the ISA server uses. Click Next to continue.

10. On the Single Sign On Settings page (Figure 15.11), add your Active Directory domain name and click Next.

11. On the Summary page, verify your settings and click Finish to create the web listener.



F I G U R E 1 5 . 1 1 Single Sign On Settings page

The web listener should be available in the Network Objects area of your toolbox.

Creating Exchange Publishing Rules

An Exchange publishing rule is used to configure your ISA Server 2006 to fully support Exchange client requests from the Internet. There will be no direct connect of a client to your CAS, but all the clients will connect to the ISA Server 2006 first, which then forwards the request to the CAS according to the conditions of your publishing rule.

Because ISA Server 2006 includes an Exchange Publishing Rule wizard that is optimized for Exchange 2007, this task is not very difficult.

You cannot publish multiple access methods at the same time when using the Exchange Publishing Rule wizard; you have to create one rule for every access method, such as OWA or Outlook Anywhere.

To create an Exchange publishing rule for OWA, follow these steps:

1. Click Start � All Programs � Microsoft ISA Server � ISA Server Management.

2. Click on Firewall Policy.

3. On the right pane, access the Tasks tab and click on Publish Exchange Web Client Access.

4. Enter a name for the Exchange publishing rule (e.g., Exchange OWA) and click Next.

5. Select your Exchange version (Exchange Server 2007) and the client access method you want to configure. For this exercise, check Outlook Web Access, as shown in Figure 15.12, and click Next.

6. On the next page, you have to select the publisher type. Select Publish a Single Website or Load Balancer, and continue with Next.

7. Select Use SSL to Connect to the Published Web server or Server Farm, and click Next.



F I G U R E 1 5 . 1 2 Select Services page

8. On the Internal Publishing Details page, you have to enter the internal site name, which is normally the FQDN of your CAS, and click Next. (See Figure 15.13.)

9. Next add the public name that your users will type to access the ISA server, as shown in Figure 15.14. Remember that this must match the FQDN of the certificate you selected when you created the web listener. Choose Next to continue.

10. Select the web listener for the publishing rule and click Next.

11. On the Authentication Delegation page, select the authentication method ISA Server uses for the published web server. Select Basic authentication, and click Next.

F I G U R E 1 5 . 1 3 Internal Publishing Details page


Summary 659

F I G U R E 1 5 . 1 4 Public Name Details page

12. Finally, define the user set that this rule applies to. Leave the default (All Authenticated Users), and choose Next to continue.

13. On the summary page, verify your settings and click Finish to create the Exchange publishing rule.

14. Click on Apply in the Details pane to update the configuration.

You have now created a single Exchange publishing rule for OWA. If you want to enable the other access methods, you must create more rules for Outlook Anywhere and Exchange ActiveSync.

ISA Server 2006 attachment blocking with Exchange Server 2007 is not supported. If you want to block attachments, you need to configure attach-ment blocking on the Exchange 2007 server.

SummaryPlanning for security is quite a complex (and, hopefully, interesting) task. It touches many different areas, such as the network, Windows Active Directory, certificates, and transport rules, making it one of the most complex topics in Exchange server design.



By now you should understand the basics of certificates and which protocols to use to achieve certain security results. Good security design also should consider the differences between network-based, session-based, and client-based encryption and when to use each. But communication encryption and authentication are not the only aspects of security. You also need to consider the use of journaling to archive messages and the use of transport rules to act on specific messages.

All these topics together, combined with a solid understanding of what Exchange Server 2007 can offer your company in terms of security, provide a good way to create a thorough plan. And that is exactly what is required of an excellent Exchange Messaging IT professional.

Exam EssentialsKnow about firewall rules and what Ports need to be considered. In a secure environment, you need to understand what is required and what can be shut down, especially when considering the firewall ports. Here you should see the interaction between the different server roles and what service requires what ports to be opened at the firewall. Don’t forget to recognize when the server communication is encrypted and when it is not.

Understand the different security protocols of Exchange 2007. Exchange 2007 supports various security protocols, but the most important are IPSec, VPN, and TLS. You should understand the differences among these protocols and how Exchange 2007 uses TLS to estab-lish domain security. Mutual TLS is one of the key topics in this chapter that you should be able to describe and configure. Also, you should recognize the different types of certificates to be used and their requirements.

Transport rules make a major difference. Transport rules are another key topic. They pro-vide an easy way to set rules on the message flow. You need to understand the differences between Hub Transport rules and Edge Transport rules and when to configure a rule where. Hub Transport rules are configured once for all Hub Transport servers, but Edge Transport rules have to be configured at every single Edge server.

Understand S/MIME support in Exchange 2007. By default, Exchange Server 2007 supports S/MIME and you do not need to configure anything on the server side. But you need to understand what S/MIME is about, how you can implement it for your organiza-tion, and what it requires.

Know about message journaling. You should understand the differences between standard and premium journaling and how to configure journaling. Don’t forget about the license requirements for the premium journaling features and the new journal report format that might cause some problems with your existing archiving software.



Review Questions1. You want to open access on your firewall to a Mailbox server. What ports do you need to open

for MAPI access? (Select all that apply.)

A. 25/TCP (SSL)

B. 53/TCP/UDP (DNS)

C. 135/TCP (RPC)

D. 445/TCP (SMB)

2. On your Edge Transport server, you did not install any other certificates after running Exchange 2007 setup. Your partner in a different Exchange organization that also has also an Edge Transport server in the perimeter network did the same. Will the communication between both Edge Transport servers be encrypted by default?

A. Yes

B. No

3. What firewall ports do you need to open to let an ISA Server 2006 sitting in the perimeter net-work communicate to the CAS role sitting in your LAN for Outlook Web Access or Outlook Anywhere? (Select all that apply.)

A. 80/TCP (HTTP)

B. 443/TCP (SSL)

C. 110/TCP (TLS)

D. 995/TCP (SSL)

4. Carola is system administrator of a highly secured messaging environment. She has to make sure that server-to-server traffic is fully encrypted even when Exchange is not sending the data. What protocol should Carola use to satisfy her requirements? (Choose one.)

A. S/MIME

B. TLS

C. SSL

D. IPSec

5. You implemented IPSec as the protocol to encrypt server-to-server traffic as part of your Exchange Server 2007 implementation plan. What configuration steps do you need to consider on the Exchange Server 2007 Receive connector? (Select all that apply.)

A. Enable Exchange Servers on the Permission Groups tab.

B. Enable Legacy Exchange Servers on the Permission Groups tab.

C. Enable Externally Secured on the Authentication tab.

D. Enable Exchange Server Authentication on the Authentication tab.



6. You want to implement a secured message path over the Internet to some of your partners who also have Exchange 2007 and have Internet-facing Edge Transport servers. What do you need to do to gain the required functionality? (Choose one.)

A. You have to make sure that all Edge Transport servers from you and your partners have server certificates installed and you configured Domain Security for your partners’ domains on your side.

B. You have to make sure that your Edge Transport server has a server certificate installed and that you and your partners configured Domain Security for your domains.

C. You have to make sure that your Edge Transport server has a server certificate installed and that you configured Domain Security for your partners’ domains on your side.

D. You have to make sure that all Edge Transport servers from you and your partners have server certificates installed and that you and your partners configured Domain Security for your domains.

7. What types of certificates support Exchange 2007 Domain Security using mutual TLS? (Select all that apply.)

A. Exchange 2007 self-signed certificates

B. Third-party certificates such as certificates from VeriSign

C. Windows PKI–generated certificates

D. Paper certificates

8. Andy is administrator of a large messaging environment that has the address space Exchange2007.com. He set up an Edge Transport server called Edge.Exchange2007.com and now wants to request a server certificate for his Edge Transport server that supports TLS and mutual TLS. What information does he need to provide to the CA? (Select all that apply.)

A. The server name, Edge.Exchange2007.com, which should be added as the subject name

B. The domain name, Exchange2007.com, which has to be added as a Subject Alternative Name (SAN) to the certificate

C. The domain name, Exchange2007.com, which has to be added as an Alternative Name to the certificate

D. The server name, Edge.Exchange2007.com, which should be added as an Alternative Name (AN) to the certificate

9. You installed a server certificate to your Edge Transport server. After a reboot, you use TELNET <servername> SMTP and the command EHLO to verify that the TLS is working correctly. Unfortunately, the command STARTTLS is not displayed in the command list. What could be the possible reasons for this? (Select all that apply.)

A. The certificate installed is not valid anymore.

B. The certificate was not enabled for SMTP.

C. The certificate does not match to the domain.

D. The certificate was issued by a third-party CA.



10. Jan is thinking about implementing transport rules for providing a company disclaimer. On what Exchange Server role does he need to configure the rule? (Choose one.)

A. Mailbox server

B. Hub Transport server

C. Client Access server

D. Edge Transport server

11. On Monday morning, you notice an awful lot of emails floating on your Exchange servers from and to the Internet. You realize that it is a mail storm and that all the emails have some words in the subject line in common. What can you do to prevent a further increase in the flow of those emails? (Choose one.)

A. Configure a transport rule on every Edge Transport server to filter the floating messages based on the subject line and delete them before they can be forwarded to the Exchange organization.

B. Configure a transport rule on one Edge Transport server to filter the floating messages based on the subject line and delete them before they can be forwarded to the Exchange organization.

C. Configure a transport rule on one Hub Transport server to filter the floating messages based on the subject line and delete them.

D. Configure a transport rule on every Hub Transport server to filter the floating messages based on the subject line and delete them.

12. You have been informed by the legal department that sensitive information (such as an employee’s Social Security number) was sent to the Internet without their knowledge. You must make sure that this does not happen again. How can you do this in Exchange 2007? (Choose one.)

A. Create a rule on an Edge Transport server to filter any information based on keywords.

B. Create a rule on a Hub Transport server to filter any information based on keywords.

C. Send information to all of the users informing them that sensitive information is not allowed to be sent anymore.

D. Create a rule on a Hub Transport server and add a company disclaimer.

13. You want to make sure that edge rules on all Transport servers are the same. How can you make sure? (Select all that apply.)

A. Configure them as Hub Transport rules so they are automatically replicated everywhere.

B. Use the EMS command Export-TransportRuleCollection on the Edge Transport server that you use to create edge rules.

C. Configure the Edge Transport rule on one Edge Transport server; they will be applied to all other Edge Transport servers automatically using EdgeSychronization.

D. Use the EMS command Import-TransportRuleCollection on all Edge Transport servers to import rules either manually or automatically.



14. Which of the following applications support S/MIME encryption and signatures? (Select all that apply.)

A. Outlook 2003

B. OWA in Exchange 2007

C. Outlook 2007

D. Mobile devices using Exchange ActiveSync

15. What is the best definition of S/MIME? (Choose one.)

A. S/MIME is a network-based security mechanism to provide server-to-server encryption.

B. S/MIME is used to provide end-to-end security for encrypting and signing email messages.

C. S/MIME is a session-based security protocol that is used in Exchange Server 2007.

D. S/MIME is a client-based encryption format in which the Exchange Server 2007 server encrypts all messages automatically.

16. For what features of journaling in Exchange Server 2007 do you need an Exchange Enterprise Client Access License (CAL)? (Select all that apply.)

A. Journal messages for an Exchange database

B. Journal messages for recipients or distribution groups

C. Journal rule scope (e.g., Global)

D. Journal Unified Messaging

17. Robert is planning the archiving solution for messaging. He met with his financial department and the legal department to gather the requirements for the solution. He recognized that the people who are required by law to archive their message communications are spread through-out the Exchange organization. What would be the steps to implement the best journaling solu-tion for his company, providing the least maintenance time? (Select all that apply.)

A. Enable journaling on all message databases where people who need to journal their messages are located.

B. Create a distribution group that includes all people who need to journal their messages.

C. Create a journal rule that includes the distribution group containing all the people who need to journal their messages.

D. Create a mailbox as a target for journaling.

18. When you enabled journaling, you found that all journal messages are in a journal report envelope format that is not supported by your archiving software. What can you do? (Choose one.)

A. Switch from the journal report envelope format to the old format so your archiving soft-ware does not have any problems handling it.

B. Upgrade your archiving software to support journal reports.

C. Define a target mailbox on an Exchange 2003 server.

D. Use standard journaling based on Exchange databases.



19. For which of the following areas can you use the ISA Server 2006 to provide you with enhanced security features by protecting and monitoring the network? (Select all that apply.)

A. Encrypting server-to-server traffic

B. Routing SMTP messages

C. Signing messages with a corporate certificate

D. Client access (e.g., OWA)

20. The ISA Server 2006 can be configured to secure what types of client access methods? (Select all that apply.)

A. Outlook Anywhere

B. Outlook Web Access

C. Outlook MAPI

D. Exchange ActiveSync



Answers to Review Questions1. C. The only port that needs to be accessed for MAPI is 135/TCP (RPC) because remote pro-

cedure calls are used. The rest refer to server-side protocols such as SMTP, DNS, and SMB that are not used in a MAPI connection.

2. B. On both Edge Transport servers, the local one and the partner one, only self-signed certificates are installed by default. This is enough to support encryption by default between the Hub Trans-port and the Edge Transport server. However, to support Edge Transport-to-Edge Transport encryption, both machines need to install valid server certificates including their domain names.

3. A, B. You need to open the ports 80/TCP and 443/TCP to enable communication between the ISA Server 2006 located in the perimeter network and the Client Access Server located in your LAN. Because the CAS will forward the request to the appropriate mailbox server, no other ports have to be opened. Ports 110/TCP and 995/TCP belong to POP3 communication and need to be enabled only when you want to use the POP3 protocol.

4. D. S/MIME is end-to-end security that provides authentication and encryption. In this case, server-to-server communication is required to be encrypted, so A is not the correct answer. TLS and SSL can be used to encrypt server-to-server traffic, but they are session-based and therefore initiated in Exchange Server 2007. The only protocol that is server-to-server and independent from the application is IPSec because it is network-based and encrypts any traffic, no matter which application it comes from.

5. A, C. You need to enable Exchange Servers on the Permission Groups tab and Externally Secured on the Authentication tab on your Receive connectors to optimize the configuration for the IPSec protocol. Enabling Legacy Exchange Servers on the Permission Groups tab is not needed because the question did not mention any server other than Exchange 2007. Exchange Server Authentica-tion on the Authentication tab cannot be enabled when you enable Externally Secured.

6. D. A secured message path points to Domain Security in Exchange 2007. Therefore, you need to know the requirements for Domain Security: the Edge Transport server in the local and remote site has a server certificate installed and both sides are configured with Domain Security for your domain. If one side is not configured for Domain Security, you will get TLS but not a secured message path.

7. B, C. Self-signed certificates do not support mutual TLS because a CA must issue the certificate and both sides must verify that the certificate is valid. Only an official (but expansive) third-party certificate or a Windows PKI–generated certificate can be used for mutual TLS. If you use a Windows-generated certificate, you also have to make sure that your partner trusts your root certificate; otherwise it will not work. Paper certificates are useless in this scenario.

8. A, B. A certificate for TLS and mutual TLS must include the domain name of the Edge Trans-port server and additional information such as domain name added as a Subject Alternative Name (SAN) to the certificate. An Alternative Name (AN) is not available in any certificate.

9. A, B, C. The STARTTLS command is only available when a valid certificate is installed on the Exchange server that includes the local domain name and that is enabled for SMTP. Thus, you have to verify if the certificate is expired, if the certificate is enabled for SMTP and if the domain name was added to it as the Subject Alternative Name (SAN). It does not matter where the cer-tificate was issued, as long as it was a trusted third-party CA, thus this must be a wrong option.



10. B. Transport rules on Hub Transport servers are for company policy and compliance rules. Edge Transport rules do not support disclaimers because they are intended for a different pur-pose. Mailbox servers and Client Access servers do not have message-routing capabilities and, therefore, do not provide any rules. The only possible answer is Hub Transport server.

11. A. This question requires you to understand two perspectives of transport rules: First, you need to use Edge Transport rules to prevent mail storms like the one in this scenario. Second, you have to configure an Edge Transport rule on every Edge Transport server separately because it does not automatically replicate like a Hub Transport rule. Using Hub Transport rules to prevent mail storms is a bad idea because you would be trying to fight the problem inside the Exchange organization.

12. B. Edge rules should not be used for filtering sensitive information out of messages. Informing your users would be good, but does not provide the required result because it already happened and the users probably already had been informed about not including sensitive information in messages. Adding a company disclaimer also does not provide the desired result.

13. B, D. Edge Transport rules do not automatically synchronize with other Edge Transport servers. The only way is to export all edge rules is to the EMS command Export-TransportRuleCollection on the Edge Transport server where the rules have been created and then to import them on all Edge Transport servers using the command Import-TransportRuleCollection. You cannot configure edge rules on a Hub Transport server.

14. A, C. Currently, only Outlook 2003 and Outlook 2007 support S/MIME encryption. OWA and mobile devices using Exchange ActiveSync cannot read S/MIME using the release version of Exchange Server 2007.

15. B. S/MIME is a client-based protocol that provides end-to-end security by encrypting and signing email messages. It is client-initiated, but fully supported with Exchange 2007.

16. B, C, D. Normal journaling that is based on Exchange databases does not require an Enterprise Client Access License (CAL), but the CAL is required by premium features such as journaling messages based on recipients, scope, or Unified Messaging.

17. B, C, D. Configuring journaling on multiple Exchange databases and journaling every message to and from these databases might be overkill. The best solution is to create a mailbox to store all journal reports, create a distribution group for all the people who need to journal their mes-sages, and then create a journal rule that includes this distribution list. It is easy to manage just using the group membership. Only the required people will journal their messages, which means you preserve hard-disk space.

18. B. Currently, the only way to solve this problem is by upgrading your archiving software to support the journal report envelope format. There is no way to switch to the old format, nor does it help to put the journal mailbox on an Exchange 2003 server. Standard journaling creates journal reports, so it does not help, either.

19. B, D. The ISA Server 2006 can be used as a single entry point to protect Internet-based client access such as OWA and to route SMTP messages. It cannot encrypt server-to-server traffic on systems where it is not involved, nor can it sign messages with a corporate certificate.

20. A, B, D. The ISA Server 2006 can be used to secure OWA, Outlook Anywhere, and Exchange ActiveSync traffic. Outlook MAPI is not supported.


Chapter

10

Creating, Managing Highly Available Exchange Server Solutions


�

Installing and Configuring Microsoft Exchange Servers

�

Install Exchange.

�

Configuring Disaster Recovery

�

Configure high availability.

68199c10.fm Page 475 Saturday, August 11, 2007 3:20 PM

High availability (HA)

is discussed often, but few administrators understand what it really means. Administrators have been con-ditioned by article after article to think high availability means the

same thing as clustering. In fact, many administrators think high availability is a code word for clustering technologies. High availability is much more than what most administrators think it is. Although Microsoft server clustering and network load balancing are highly available plat-forms for applications, they do not provide high availability by themselves. Every administrator should understand that clustering is only a piece of high availability.

High availability requires the implementation of strong management processes, proper test-ing procedures, and well-planned implementation processes. An organization cannot achieve high availability just by implementing clustering technologies. The most important require-ment in achieving high availability is implementing a high-availability philosophy or spirit within the organization where administrators stop, think, evaluate, collaborate, and then decide what to do in the event of a major failure or when changing the configuration of an application or server. Proper change control, for example, is part of that spirit.

Many organizations go through a process called

risk management

or

risk identification

where they list everything that could possibly go wrong or that would cause Exchange Server 2007 services to not be available. For example, an organization may list disk failure as a pos-sible risk and then take steps to mitigate that risk by using redundant array of inexpensive disks (RAID) controllers and configuring all disks in fault-tolerant arrays. Another example would be where an organization lists main board failure as a risk and then decides to imple-ment a server clustering solution to mitigate that risk.

In a nutshell,

high availability

is the combination of well-defined, planned, tested, and implemented processes, software, and fault-tolerant hardware focused on supplying and maintaining application availability.

As a high-level example, consider messaging in an organization.

A poor implementation of Exchange is usually slapped together by purchasing a server that the administrator thinks is about the right size and installing Exchange Server 2007 on it. Messaging clients are installed on network-connected desktops, and profiles are created. The Exchange server might even be successfully configured to connect to the Internet. It is possible to install an Exchange messag-ing environment over a short business week and even overnight in some cases. It is easy to do it fast and get it done, but lots of important details are missed.

By contrast, in a high-availability environment, the deployment of messaging is well designed. Administrators research organizational messaging requirements. Users are brought into discus-sions with administrators and managers. Messaging is considered a possible solution to many company ills. Research may go on for an extended period while consultants are brought in to



477

help build a design and review the design of others. Vendors are brought in to discuss how their products (antivirus and content management solutions, for example) will keep the messaging environment available and not waste messaging resources processing spam and spreading viruses. Potential third-party software is tested and approved after a large investment of admin-istrator and end user time. Hardware is sized and evaluated based on performance requirements and expected loads. Hardware is also sized and tested for disaster recovery and to meet service-level agreements for both performance and time to recovery in the event of a disaster. Hardware selected will often contain fault-tolerant components such as redundant memory, drives, net-work connects, cooling fans, power supplies, and so on. A high-availability environment will incorporate lots of design, planning, and testing. A high-availability environment will often, but not always, include additional features such as server clustering, which decreases downtime by allowing for rolling upgrades and allowing for a preplanned response to failures. A top-notch high-availability messaging environment will also consider the messaging client software and its potential configurations that lead to increased availability for users. For example, Outlook 2003 offers a cache mode configuration that allows users to create new messages, respond to existing mail in their Inboxes, and manage their calendars (amongst many other tasks) without having to maintain a constant connection to the Exchange server. Cache mode allows users to continue working even though the Exchange server might be down for a short time, and it also allows for the more efficient use of bandwidth.

All critical business systems have to be analyzed to understand the cost incurred when they are unavailable. If there is a significant cost, then the organization should take steps to mini-mize downtime. Taking this view to the extreme, the goal is really to provide

continuous avail-ability (CA)

of applications and resources for the organization. Doesn’t everyone want email to always be available for processing messaging traffic and helping the people in the organi-zation collaborate? Of course, that is what we want. We want applications and their entire environment to continue running forever. We strive for continuous availability, and we settle for high availability.

Obviously, continuous availability just isn’t possible over extremely long periods of time. Hardware will always fail; it is just a matter of when. Software becomes obsolete over time, too. You should understand that high availability includes not just the hardware and software solu-tion but also the backup/restore solution and failover processing. Most high-availability experts will also add that a true high-availability environment includes a well-documented development, test, and production migration process for any changes made in production environments. All and all, there is much to achieving high availability, but you can achieve high levels of applica-tion availability through well-designed, planned, tested, and implemented processes, software, and hardware.

Another example is if you use

network load balancing (NLB)

to provide application availability to your users. In Exchange Server 2007, you can use NLB for the Edge Transport server role and for the Client Access server role. NLB helps keep the applications available to your users. The same can be said for server clustering; however, you need to take into account the nonavailability during the actual failover of your application in the event of hardware or software failures. Sometimes, failover is a matter of seconds; in other cases, it can be several minutes. In all cases, a clustering


478

Chapter 10 �


solution will significantly drive down nonavailability and increase the uptime of your application as run on your servers. Many experts state that for any application or system to be highly available, the parts need to be designed around availability, and the individual parts need to be tested before being put into production. As an example, if you are using third-party products with your Exchange environment that have not been properly tested, you may find that they are a weak link that results in the loss of availability. Implementing a cluster will not necessarily result in high availability if there are problems with the software, as was discussed previously.

High availability is so much more than just slapping a couple of servers together in a cluster. Please keep in mind all the details behind a top-notch high-availability environment.

Exchange Server 2007 includes many new features that enhance availability.

Local continuous replication (LCR)

,

cluster continuous replication (CCR)

, and

single copy cluster (SCC)

are three features that increase the reliability and thus the availability of Exchange Server 2007 services.

This chapter covers an extremely large amount of material. Microsoft Windows server clustering and NLB require complete books to cover them properly. In this chapter, you’ll learn what high availability really is, some of the basics of configuring NLB, and some of the basics of configuring server clustering. The main subjects of this chapter are as follows:�

Local continuous replication�

Cluster continuous replication�

Single copy cluster

Installing Server Clustering

The topic of server clustering will be a significant portion of this chapter because a basic understanding of server clustering for Windows Server 2003 is vital. Without a properly built and configured server cluster, it is not possible to properly install Exchange Server 2007 in the cluster and have it be reliable. Installing server clustering requires several steps:

1.

Installing and configuring the hardware, which includes installing and configuring the server nodes, configuring the network, setting up the disk structure, and making sure all the firmware is up-to-date.

2.

Installing and configuring the operating system. This step includes some basics of server hardening (which won’t be covered in detail here because this is best covered in a Win-dows Server 2003 book) and includes some other steps to prepare for clustering.

3.

Configuring the

cluster service

. This step is where you find out whether your hard-ware and operating system will work for you. Once this step is complete, you will have a cluster, but nothing running on it.

4.

Installing and configuring applications. This step will be covered in detail later in the chapter.



479

Installing and Configuring Cluster Hardware

To build a Microsoft Windows

server cluster

, you must first provide all the hardware com-ponents. This is not a simple task in Windows Server 2003 since the

hardware compatibility list

that administrators know so well is not really used to identify supported hardware. In fact, the support model actually requires a much more stringent hardware requirement. The Windows Server Catalog (

www.windowsservercatalog.com

) lists entire cluster solutions. Approved cluster solutions include hardware that has been tested as a complete solution along with the operating system. To receive full support for Windows Server 2003 clusters, you must purchase a complete solution from the list; this includes the following:�

The operating system, which will be either Windows Server 2003 Enterprise, Windows Server 2003 Enterprise R2, Windows Server 2003 Datacenter, or Windows Server 2003 Datacenter R2

�

The server nodes, which will include the brand, model number, and CPU configuration�

The

host bus adapter (HBA)

brand and model number for each server�

The fiber switch or hub�

The storage, which is usually the most expensive part of server clustering

Some server clusters do not require storage, so it is much cheaper and easier to purchase the hardware in those cases since the HBA, switch (or hub), and storage device will not be required. This will be important to note later when we cover CCR.

Hooking Up the Hardware

The hardware has been purchased and now is ready to be hooked up. This is not a difficult step. You must build each server node, install the network cards, install the HBAs, and put the servers into the server rack. The following tips will be useful in this process:

Network

Each node of the cluster is connected to two different networks for clustering purposes. Each node is connected to the public network, which is where clients can connect to the cluster nodes and attach to applications and services running on the cluster as if the virtual servers were normal servers. The second network is the private network, also referred to as the

heartbeat network

. This network connects all nodes of the cluster so they can keep track of the availability of the nodes in the cluster. It is through this heartbeat network that a passive server node can detect whether the active server node has failed and then take action to start the virtual servers on it. It is possible that other networks also are used for such things as dedicated backups, but they are not used for cluster purposes.

Many organizations use network adapter teaming software to improve net-work adapter reliability. If teaming software is used on the public network adapters, it should be configured for fault-tolerant mode only and should never be configured for load balancing. Network teaming software is not

supported on the heartbeat network.


480

Chapter 10 �


Disk

Disk hardware is usually the largest investment when it comes to clustering. Although you can use SCSI devices, we do not recommend SCSI because

iSCS

I and fiber are much bet-ter choices and are capable of providing more flexibility in the disks that they can provide to the nodes. Future versions of clustering will not support directly attached and shared par-allel SCSI devices. Only iSCSI and fiber connections, along with serially attached SCSI devices, will be supported in the future.

Multipathing

configurations are an area of dispute when discussing disk environments. Many organizations will install two fiber adapters to connect to the SAN device in their networks. While multipathing can increase performance, it adds another layer of complexity to the environment that may not be worth it. Keep in mind that each of the clustered disks should be a

logical unit number (LUN)

on a

storage area network (SAN)

. If you are carving them up yourself, we highly recommend using RAID-1 sets for the transaction logs, Simple Mail Transfer Protocol (SMTP) queues, and RAID-5 for the mailbox stores. Do not create physical disk resources that are partitions on the same physical drives.

When it comes to disk sizing, we highly recommend reading Nicole Allen’s blog entry at

http://blogs.technet.com/exchange/archive/2004/10/11/240868.aspx

. She does a fantastic job of explaining how to size disks for Exchange. You can also see similar information on storage optimization at

www.microsoft.com/technet/prodtechnol/exchange/2003/library/

optimizestorage.mspx

.

One of the disks provided by the storage environment is the

quorum

disk. This disk is required for most server clustering environments. The quorum and disks for the database and transaction logs are needed for Exchange

Server 2007 for SCC configurations.

Redundant and fault-tolerant hardware components

Another hardware concern is that you should use redundant and fault-tolerant hardware components when possible. For example, all nodes should be connected to an uninterruptible power supply and should have redundant power supplies, redundant fans, and internal RAID drives for the operating system.

“Two of three” rule

Once the nodes and the external SCSI device are running and clustering is not configured, it is a good idea to limit situations where the two nodes both attempt to access the external storage. To do this, you should implement the “two of three” rule. This rule means that only two of the three devices (node1, node2, and external storage) should be powered up and running at the same time. After the cluster service is installed, then all three can run at once without any issues.



481

Installing and Configuring the Operating System

Windows Server 2003 Enterprise Edition will be the main operating system most people use when implementing clustering. Although clustering can be configured using the Datacenter Edition of Windows, it is extremely rare. Windows Server 2003 is also available in an x64 edition, and the R2 version will be released shortly. Clustering is installed on all these operating systems when installed on new hardware out of the box. Clustering, although it is installed, is not configured.

You should have a complete infrastructure already installed and in place before installing cluster nodes and then clustering. Cluster nodes should be treated as highly valued systems and should not have unnecessary extra software installed on them. The high-availability philosophy dictates a “keep it simple” principle.

When it comes to clustering, people are usually interested in achieving high availability. To achieve high availability, you need to follow best practices and not shortcut anything because that would reduce the uptime of the environment in most cases. High availability is a philos-ophy, and if you are embracing it for an application, the cost of a separate domain controller should not dissuade the organization from achieving its goals. Domain controllers are highly available in that with multiple domain controllers you will have a writable copy of Active Directory (AD) as long as one is up and available.

This chapter will not cover the basics of server hardening because that is best covered in a book about Windows Server 2003. The basics of server hardening do apply, though, for cluster nodes. As with all servers, patches, service packs, firmware updates, driver updates, antivirus updates, and other tools must be properly tested before putting them into a pro-duction cluster environment. A failure because of lack of testing can result in significant downtime, which defeats the whole goal of clustering.

TCP/IP Configuration for the Public Network

At a minimum, as part of properly configuring the hardware, a cluster must have a public net-work that is accessible by clients. All networks used in clustering should be forced to a setting, such as 100MB Full Duplex, and not allowed to be set to automatically sense the speed. The following are other concerns:

IP address

IP addresses for cluster nodes should always be statically mapped. Although Microsoft does not support DHCP-provided addresses for the nodes or for any cluster resources, Microsoft does support permanent DHCP leases and static IP addresses. There is some risk involved in depending on DHCP, so subscribing to the high-availability philoso-phy, you should look for ways to remove or mitigate the risk. It is a best practice to use static IP addresses only.

Subnet mask

The subnet mask will, of course, be dependent on the public network segment used for the public network adapter. Note that all public network adapters must be on the same network segment.

Default gateway

The public network interface should be configured with a default gateway; otherwise, it will be able to communicate only with computers in the same network segment.


482

Chapter 10 �


DNS

The public network interface should be configured with a primary and a secondary DNS server to provide proper host name resolution.

WINS

The public network interface should be configured with a primary and a secondary WINS server to provide proper NetBIOS name resolution.

It is important to note that the Cluster Administrator MMC uses NetBIOS naming to make con-nections, so WINS can be very valuable. Also, even though the tool requires WINS, it is possible to connect to an individual node of a cluster using the remote desktop protocol and manage the Cluster Administrator on a node of the cluster, so WINS is not necessarily required. In fact, clus-ter security best practices call for removing NetBIOS dependencies for all nodes of the cluster.

Basically, yes, NetBIOS is needed for the Cluster Administrator tool to be used for remote management, but it is not supposed to be used for security reasons. Since we are talking about an Exchange Server 2007 cluster that might be using email clients that require NetBIOS, then we will want to implement WINS.

Network priority

It is important that the network binding order be set correctly for cluster-ing so it does not have a negative impact on performance. To set the network priority, open the Network Connections applet in Control Panel, and select the Advanced menu item. On the Adapters and Bindings tab, make sure the public network is listed first, with the private net-work after it, as shown in Figure 10.1.

F I G U R E 1 0 . 1

Network priority configuration

TCP/IP Configuration for the Private Network

At a minimum, as part of properly configuring the hardware, a cluster must have a private net-work that handles the heartbeat traffic between the nodes. As mentioned previously, all networks used in clustering should be forced to a setting, such as 100MB Full Duplex, and not be set to automatically sense the speed. Here are some additional tips:

IP address

IP addresses should always be statically mapped. DHCP is not an option since the private network will contain the network adapters for cluster nodes for private communica-tion only. The network segment used should be nonroutable and should not exist anywhere else in the organization.



483

The recommended ranges, per RFC 1918, include the following:

�

From 10.0.0.0 to 10.255.255.255 (10/8)�

From 172.16.0.0 to 172.31.255.255 (172.16/12)�

From 192.168.0.0 to 192.168.255.255 (192.168/16)

Subnet mask

The subnet mask will, of course, depend on the private network segment used for the private network adapter.

Default gateway

The private network interface should not be configured. Heartbeat traffic has no need to exist anywhere but in the private network.

DNS

DNS information is not needed for the private network. However, it is important to go to the DNS tab in the TCP/IP properties. On the DNS tab, make sure the Register This Con-nection’s Address in DNS check box is not selected.

WINS

The private network interface does not require any name resolution at all, so there is no need for WINS entries. However, it is important that the Disable NetBIOS Over TCP/IP radio button is selected on the WINS tab in the TCP/IP properties.

Services

To keep the private network as clean as possible, the Client for Microsoft Networks and the File and Printer Sharing for Microsoft Networks options should be removed from the connection properties.

Service Account for Server Cluster

The cluster service account must be a domain account so that each of the nodes of the cluster can use the account to start the cluster service once clustering is configured. The wizard used to con-figure clustering will ask for the account information during the configuration of clustering.

The cluster service account must have the following permissions associated with it:�

The account must include these permissions for all nodes of the cluster:�

Log on as a service�

Act as part of the operating system�

Adjust memory quotas for a process�

Backup files and directories�

Restore files and directories�

Increase scheduling priorities�

The account should be limited for security so it can log onto the nodes only and not onto any other computers.

�

The password should be a complex password, and it should not be set to expire. As with any service account, it is also a good idea to configure it so that its password cannot be changed, although this won’t prevent an administrator from changing the password if need be.

�

The account must be a local administrator on each of the nodes of the cluster.


484

Chapter 10 � Creating, Managing Highly Available Exchange Server Solutions

� The account must be a member of the domain (Windows NT 4.0, Windows 2000 AD, or Windows 2003 AD), but it does not need to be a domain administrator.

� The account must have the proper permissions for installing the application.

Cluster Disk Configuration

Using the two of three rule discussed earlier, keep the cluster disks unavailable until the oper-ating systems are installed on all cluster nodes, and then all nodes should be turned off once they are fully installed and all hardening processes have been run. Once it is time to configure clustering, then configure the disks so they are available to each and every node. Turn on one node, and make sure the node can see the disks in disk manager. Do not format the disks at this time. After the first node is verified, perform the same test on the second node. Again, do not partition or format the disks at this time.

Once all nodes have been tested to make sure they can see the disks properly, use the first node of the cluster and partition and format the disks. Leave the disks as basic disks, and do not change them to dynamic disks. If they are converted to dynamic disks, they will not be usable for clustering.

Configuring the Cluster Service

Unlike previous versions of Windows, the server cluster service is installed by default. Nothing needs to be done to install it. All that is required is that the cluster is configured using the tools available. Exercise 10.1 shows how to install and configure a cluster service.

E X E R C I S E 1 0 . 1

Installing and Configuring the Cluster Service

1. Click Start � Administrative Tools � Cluster Administrator to start the Cluster Administra-tor MMC. Once the Cluster Administrator is open, it will automatically provide a drop-down box and request what action you want to take. In this case, select Create a New Cluster, and then click OK, as shown here. This step will start the New Server Cluster Wizard.


Installing Server Clustering 485

2. In the New Server Cluster Wizard, you are presented with several options. The first option is to enter the cluster name and domain for the cluster, as shown here.

3. The Domain entry is the easy part. All that needs to be entered here is the domain name of the Active Directory domain (or NT 4.0 domain name) where the nodes and the server cluster will live. The cluster name is a bit tougher. This name is really used only to address the entire cluster using the Cluster Administrator (for connecting to the cluster, for example) or when using the cluster.exe command-line utility to create, configure, and maintain a server cluster. After you enter the name information, click Next.

4. The next step in the wizard is to collect the computer name of the first computer to be added to the cluster. You can manually enter the name, or you can use the Browse button to browse for the node name. Of course, using the Browse button requires using NetBIOS naming, so if you have locked down your nodes so they can’t use NetBIOS, it will be best if you just manually enter the name. You can click the Advanced button to select whether you want to perform a typical (full) configuration of the cluster, which is the default option. If you select Typical, then the wizard will try to configure the cluster completely without any interference or prompts for information. The other option is the Advanced (minimum) con-figuration, which will enable you to manually enter the location of all storage to be man-aged by the server, including the quorum. Once the first computer name (or node name) is entered, click Next. At this point, the wizard will analyze the node and its hardware con-figuration, and it will then do the following:

� Check for existing cluster.

� Establish node connection(s).

� Check node feasibility.



486 Chapter 10 � Creating, Managing Highly Available Exchange Server Solutions

� Find common resources on nodes.

� Check cluster feasibility.

5. After the tasks are complete, you will get a green bar if everything passes feasibility test-ing. You may see some caution signs. You should always check the caution signs to make sure it is nothing that will cause the installation to fail, as shown here. In this case, there is a caution sign for the Finding Common Resources on Nodes item. Expanding the cau-tion sign will show, in this case, that the wizard has found a suitable quorum device but it does not meet size requirements for best practices. This warning is a common one. Microsoft best practices say that the quorum must be at least 500 megabytes (MB) and formatted using NTFS. If you actually select 500MB when creating the logical unit num-ber, it will be slightly less than 500MB after it is formatted.

6. Click Next to enter the IP address of the cluster. This IP address will correspond to the cluster name provided earlier, and the cluster name will resolve to this IP address in DNS if it is entered dynamically or manually. Enter the IP address, and click Next.

7. Enter the Cluster Service Account information on the next page of the New Server Cluster Wizard. This account, as discussed earlier, must be a domain account and must be a local administrator account on each node of the cluster. Enter the account name, password, and domain name, and then click Next.



Installing Server Clustering 487

8. You should read the information on the Proposed Cluster Configuration page, as shown here, and verify that all the information you entered is entered without mistakes and ver-ify that the proper drives have been identified as managed drives (drives that will be managed by the cluster service and shared between the nodes for clustered applications) and the quorum. In this case, you can see that Q was selected to be the quorum and that the S, T, and W drives were identified as shared drives that will be managed by the cluster service. Click Next.

9. If the cluster configuration found extra physical disks, each one of the extra disks will be put into a new cluster group. You can easily move the disks later, and you can delete the cluster groups to clean up the interface.

10. Finally, the New Server Cluster Wizard will run a verification process, and then you can click Finish after it is completed.

11. At this point, the cluster is built, but it is only a single-node cluster. Opening the Cluster Administrator MMC will show the completed cluster configuration, as shown here.




12. To add another node, open the Cluster Administrator, and right-click the cluster name. Select New � Node, as shown here, and then use the Add Node Wizard to join another node to the cluster.

13. After entering the new node name, or multiple node names if it is a large cluster, click Next to run through the Analyzing Configuration tool. The tool will check the cluster to make sure everything is visible and able to connect. Once the green bar appears again, click Next, and enter the cluster service account information again. Click Next a few more times, and then click Finish. The cluster is completed, as shown here.

At this point, the cluster is built and fully configured. You can test it to make sure the cluster service properly fails over the default cluster group. Once the cluster has been fully tested and documented, then you can install applications such as Exchange Server 2007.



Installing and Configuring Network Load Balancing 489

Installing and Configuring Network Load BalancingMany organizations have applications that are critical to daily operations such as databases, mes-saging systems, and file/print services. There are some places where technologies such as NLB are more appropriate than using server clustering to achieve high availability for those applications.

Internet server programs supporting mission-critical applications and services must run 24 hours a day, 7 days a week. In addition, network applications and servers need the ability to scale performance to handle large volumes of client requests without creating unwanted delays. Net-work load balanced clusters enable you to manage a group of independent servers as a single system for higher availability, easier manageability, and greater scalability.

NLB is a fully distributed, software-based solution and does not require any specialized hardware or network components. At this time, there are not even any additional licensing costs associated with using NLB. All members of the Windows Server 2003 family have NLB built into their operating systems at no additional cost. NLB doesn’t require a centralized device because all hosts receive inbound packets, and redundancy is provided according to the number of hosts within the cluster.

Exchange Server 2007 is somewhat limited in its use of NLB. The Edge Transport server role and the Client Access server role can both use NLB and are fully supported for NLB. However, since the Client Access server role is usually combined with other roles, there is seldom a need for it in production messaging environments. The Edge Transport server role is a good example of where we would use NLB in Exchange Server 2007 because no other roles can be hosted on an Edge Transport server and because of its need for high availability for handling large amounts of inbound and outbound traffic.

A typical NLB cluster looks much like the one shown in Figure 10.2. Two or more nodes are connected to the perimeter network with a separate connection for server management. The management network is used to patch or perform other maintenance on the NLB nodes.

F I G U R E 1 0 . 2 NLB architecture



In NLB, the network adapters that are configured to be part of the NLB cluster all share the same IP address as well as the same MAC address. It just isn’t possible to use the NLB network interface and predictably attach to a specific node to perform maintenance.

What makes NLB clustering work is the NLB driver. NLB is configured on all the NLB cluster nodes so it is identical with the exception of the priority number, which runs from 1 to 32 (thus, there is a limit of 32 nodes per NLB cluster). With the NLB driver enabled and configured alike on all the nodes, the nodes go through a process called convergence where they all agree on an algorithm that divides up the network traffic. At that point, clients, as shown in Figure 10.3, connect to the NLB cluster, and because of issues with the nodes having the same IP address and same MAC address, the switch floods all of its ports, and each node then receives the same packets. The NLB driver, which sits right before the TCP/IP stack, then decides whether it should process the packet or drop it based upon the algorithm. The filtering process for NLB is very efficient in the way it handles packets in comparison to a centralized device that has to process them and then retransmit them. Because of the way the NLB driver works, NLB provides higher bandwidth on similar network configurations that use a centralized device.

If the NLB driver decides it is supposed to process the packet and the packet meets the port rules for the NLB cluster, then it passes the packet to the TCP/IP layer and through the rest of the network model.

The biggest problem with NLB, though, is that it is not capable of looking into the indi-vidual nodes and testing to see whether an application or service is running properly. If an application or service (such as the World Wide Web Service) fails, NLB will continue to include the node in the NLB cluster, and some connections will fail.

F I G U R E 1 0 . 3 Network load balancing behavior

Packet

Packet

Packet

Packet

Node1

Node2

Node3

Public Network

Public Network

Public Network

Private Network

Private Network

Hub/Switch



Installing and Configuring the Network

Load Balancing Driver

Since the driver is installed on all Windows Server 2003 family members, it just needs to be enabled. In Control Panel, open Network Connections, and select the properties of the net-work card that will be part of the NLB cluster.

Enabling NLB requires selecting the check box shown in Figure 10.4.

F I G U R E 1 0 . 4 Enabling NLB behavior

Now, there are a few more steps to perform. At this point, highlight Network Load Bal-ancing, as shown in Figure 10.4, and then click the Properties button. It is here that NLB is configured. You’ll see three tabs: Cluster Parameters, Host Parameters, and Port Rules.

Cluster Parameters

On this tab, you need to enter several pieces of information, and they all need to be alike for every node in the NLB cluster. The IP address is the address of the entire NLB cluster. This is the shared IP address that will be configured for each node. This IP address will need a DNS record created that matches the Full Internet Name field, as shown in Figure 10.5.

The full Internet name could be something as simple as smtp.wiley.com (if your company domain name is Wiley). After creating the DNS name, a MX record could also be created for the DNS name so email could be sent to this address once it is fully configured. Obviously, this is how an Edge Transport server is deployed and used with NLB.

The Unicast and Multicast radio buttons are key when it comes to network behavior and the use of IP addresses and MAC addresses.



F I G U R E 1 0 . 5 Cluster Parameters tab

Unicast

When you enable unicast support, the unicast mode changes the cluster adapter’s MAC address to the cluster MAC address that is shown on the tab. It can be hard to read because it is grayed out. This cluster address is the same MAC address that is used on all cluster hosts. When this change is made, clients can no longer address the cluster adapters by their original MAC addresses.

Multicast

When you enable multicast support, NLB adds a multicast MAC access to the cluster adapters on all the cluster hosts. At the same time, the cluster adapters retain their original MAC addresses. You cannot change the MAC addresses on some network adapters; check the hardware specifica-tions for your network adapter.

Internet Group Management Protocol

Internet Group Management Protocol (IGMP) establishes host membership to a multicast group. If routers or switches support RFC 1112, it is possible to configure NLB to use IGMP and prevent port flooding.

Almost all packets are sent as unicasts or broadcasts. Unicasts have a single-destination IP address pointing to a single recipient. Broadcasts are destined for all hosts on a subnet.

Multicast packets also must fit the model for either unicast or broadcast. The big differ-ence between multicast packets and unicast (or broadcast) packets is that the destination IP address includes a group of hosts rather than a single host or a network segment. When the application sends multicast traffic, you need to check the destination IP address—the only way to distinguish that traffic—that identifies the specific multicast group for which the dat-agram was meant.



A multicast-aware router or switch, when using IGMP, will track which ports are members of the multicast group. So, a properly configured (and aware) environment can use IGMP and not experience port flooding.

The problem with NLB is that it does not use multicast IP ranges (Class D addresses, from 224 to 239), so many devices refuse to treat it like a standard multicast. So, using IGMP in those cases will not work and will not prevent switch flooding.

HOST COMMUNICATION

For unicast, there is no host-to-host communication within the NLB cluster.For multicast, host-to-host communication is possible.

MAC ADDRESSES

When configuring NLB, part of the process includes adding or replacing MAC addresses on a network adapter in each NLB host. � Unicast changes the network adapter’s MAC to the NLB cluster MAC, and it is shared by

all nodes in the NLB cluster.� Multicast adds another MAC to its existing MAC so it has two MACs on the network

adapter.

You can easily see the MAC being used by NLB by pinging the NLB IP address and then run-ning arp -a to display the MACs associated with IP addresses that have recently been resolved.

For example, you might see 02-bf-c0-a8-1e-fa. This breaks down as follows:� The first number is the type: 01 = IGMP, 02 = Unicast, 03 = Multicast.� The second number (bf) is unknown in origin.� The next four numbers are the IP address in hexadecimal: c0 = 192, a8 = 168, 1e = 30,

fa = 250, which comes to 192.168.30.250.

In this case, if the cluster IP address was configured to be 192.168.30.250, then the MAC address for the cluster would be 02-bf-c0-a8-1e-fa. Of course, this is assuming that unicast was selected.

Host Parameters

Entering the information for the host parameters is pretty simple. This is the IP address config-uration information for the NLB cluster node that is being configured. The hardest part of enter-ing this information is remembering to do an IPConfig command, write down the results, and then enter them. The next hardest part is to enter the priority number so it is unique for each host that will be part of the NLB cluster. You can also, as shown in Figure 10.6, set the default state. Almost all the time, it will be set to Started because you want to join the NLB cluster.

Port Rules

NLB uses port rules to differentiate between the types of traffic that are to be load balanced and those traffic types that can be ignored. NLB configures all ports for load balancing by default, but you can modify the configuration of the NLB driver that determines which incom-ing traffic is load balanced on a per-port basis by creating port rules for each group of ports



or individual ports. These rules set load balancing for clients requesting a port covered by the port range parameter. How an application is load balanced is determined by the port rules, which are created on each host. Figure 10.7 shows the default configuration.

F I G U R E 1 0 . 6 Host Parameters tab

F I G U R E 1 0 . 7 Port Rules tab



In the case of an Edge Transport server, for example, port 25 would be configured for inbound SMTP traffic. Other ports might be needed depending on the applications that are run on the NLB cluster.

You can apply port rules to a specific IP address (if the NLB cluster supports multiple IP addresses), and you can configure them to either accept a port or disable a port or port range. You can also use port rules based on TCP or UDP, as shown in Figure 10.8.

F I G U R E 1 0 . 8 Adding or editing port rules

You can add port rules or update parameters by taking each host out of the cluster in turn, updating its parameters, and then returning it to the cluster. Remember, the host joining the cluster handles no traffic until convergence is complete. If a rule is added, it does not take effect until all hosts have been updated and have rejoined the cluster.

NLB preserves session state through client affinity settings for each port rule. These settings direct all TCP connections from a given client address or class of client addresses to the same cluster host. Unless the client changes its IP address or the NLB cluster node fails, the client will continue to use the same server. Directing the connections to the same cluster host allows the server applications in the designated host memory to correctly maintain the session state.

Affinity is important for web applications using session state to provide “stickiness” for client connections, and it is vital for SSL connectivity.

Affinity can be set to None, Single, or Class C. When set to None, affinity is not kept, and clients may visit multiple servers instead of being tied to a single server. In single affinity, the affinity is based on the single IP address of the client. The clients of the NLB cluster will con-tinue to go to the same node so long as their IP addresses don’t change or there is a failure of



a node or a new node is added to the cluster that would require a reconvergence and a selection of a new algorithm for distribution. When set to Class C, affinity sends all clients from the same Class C address to a single node. This rule is often used because of the large number of proxy servers around the Internet. If Single is selected, then a proxy server would appear as a single IP, and one NLB cluster node might get hammered because there are many hundreds of clients behind the proxy server while other servers are lightly used.

Network Load Balancing Host TCP/IP Properties

Once you have made all the changes for the NLB configuration and clicked the OK button, a message will appear stating that you must add the NLB cluster IP address to the TCP/IP con-figuration for the host. Click the Advanced button from the TCP/IP properties, and manually enter the IP address for the NLB cluster in the IP Settings tab.

Network Concerns/Switch Flooding

In many networks where collapsed backbone switching technology is used, large port counts are available. Typically in these environments individual computers are allocated a single switch port to provide maximum possible bandwidth to the computer.

If NLB cluster hosts are directly connected to a switching hub or combined switch/router to receive client requests, the switch is unable to properly map the MAC address to a single port so it is forced to flood all ports to find the right port (which includes all ports that are con-nected to NLB cluster hosts) and will continue to do that until it is able to find one port where the MAC address exists (which it can’t).

After a switch has identified which port a particular host (recognized by its MAC address) is connected to, it will no longer duplicate inbound traffic to all the ports. The NLB service pre-vents a switch from identifying the host’s port by masking the source MAC address by using a different MAC address in reply. Masking the source MAC address results in the switch continu-ing to send inbound data to all the ports, which is called switch flooding. If the switch has ports associated with computers other than cluster hosts, these ports will also have the inbound traffic reflected on them, consuming bandwidth on ports where the traffic will be discarded.

Switch flooding can be limited by the following:� Using a hub between all NLB cluster hosts� Setting up a VLAN and putting all NLB cluster hosts in the VLAN� Using port mirroring

When using a hub, if a hub is placed between the switch and the NLB ports and all NLB connections are hooked up to the hub, then the switch will see that the MAC address belongs to a single port on the switch and will send all NLB traffic to the hub. This creates a couple of problems, though:� A hub typically cannot be managed or monitored, thus failures will be harder to proac-

tively detect and react to.� Hubs all run at half duplex, and there can and will be collisions.


Configuring Local Continuous Replication 497

When using a VLAN, if all the ports are combined into a VLAN, then port flooding will not impact any ports other than those that participate in the NLB cluster. The issues here are as follows:� Now you have a new network segment and need routes to it.� Another administrator might screw up the VLAN when working on other parts of the

switch configuration.

Port mirroring is a rather new technology available in limited switch and router models. Basically, a network administrator can configure the switch so any traffic that comes in for one port is mirrored on other ports. This will eliminate flooding problems, too. The problems with this configuration are as follows:� Limited support. Less than a handful of ports can be mirrored per switch fabric.� Administrators have limited knowledge of the technology.

Using DNS Round-Robin

In DNS round-robin, there are multiple entries for the same name. For example, DNS would have a host record entry for Server1 with an IP address of 192.168.2.50, and there would be a second server providing the same services that would have a host record entry in DNS for Server1 with an IP address of 192.168.2.51.

Users of Server1 would be alternated between the two IP addresses and thus load bal-anced between the two addresses. If the two Server1s were overloaded, another server could be installed, and DNS could be configured with another Server1 host record with an IP or 192.168.2.52. What happens is that the first client receives the first address, the second client receives the second address, the third client receives the third address, the fourth client receives the first address, and they continue to loop. Using DNS round-robin, it is possible to spread the load among multiple servers.

The problem with round-robin DNS is that it is completely unable to handle a down server. In the event one of the servers fails, its address will continue to be given to clients, and a por-tion of the clients will basically be pointed to an invalid address so a portion of the clients will fail to connect.

Configuring Local Continuous ReplicationLCR is not really a high availability solution. LCR does, however, provide mitigation against several possible failures. LCR provides mitigation against database disk failure and database corruption.

LCR uses a process called log shipping to send logs of completed transactions from the disk where the production storage group exists to another disk that holds a copy. The copy is updated by replaying the logs to maintain an exact copy of the production storage group and to keep it updated, as in Figure 10.9.



F I G U R E 1 0 . 9 LCR overview

In the event of a disk failure or problems with database corruption, you can use LCR to sig-nificantly reduce the time it would take to restore the storage group from tape and return the Exchange Server 2007 server to production. In an LCR environment, you can use a manual process to remove the broken disk or corrupted storage group and replace the failed disk or storage group with the copy.

LCR improves availability and reduces total cost of ownership by doing the following:� It reduces the time it takes to recover from a failed disk or corrupted database.� It reduces the number of backups that must be taken of the storage group, although it is

probably a good idea to continue with daily backups.� It improves performance during the backup process by using the copy for the backup instead

of the production so the production storage group is not impacted by the backup process.

You can stream backups using the production database only. You can create VSS backups using either the production database or the copy databases. Backups done using the copy database will truncate only the log files that have been written into the copy database. Transactions not committed to the database will be left in their existing transaction logs.

Overall, LCR is an excellent feature for organizations requiring quick recovery of disk and database failures. However, because moving to the copy from production requires downtime, the organization must be able to handle the outage time. LCR is an inexpensive solution, in most cases, and is highly recommended when not using a server clustering solution because of the following:� Recovery to the copy storage group is a fairly quick process.� Although there is an increase in I/O requirement, it is minimal. � It is possible to run backups against the copy and not impact the production storage group

at all during the backup process.� Users requiring the additional protection can be grouped in the same storage group.� Administration is available via the Exchange Management Console or the Exchange

Management Shell.

Replication to Additional Hard Drive

Exchange

Server 2007



Preparing for Local Continuous Replication

Preparing for LCR requires building the proper storage group and database structure. To detect disk or database failure, a monitoring solution should be in place so the failure can be identified quickly and the downtime is reduced. Microsoft Operations Manager (MOM), NetIQ, Tivoli, OpenView, and other monitoring and management tools can provide monitor-ing services. Proper disk, memory, and CPU should be provided to meet the performance service-level agreements for Exchange services.

Microsoft recommends disk structures that are capable of handling the additional input/output for LCR. Since LCR generates more I/O through the copy of the log information and the writing of the log information on the target, keeping the databases a reasonable size is important. Also, since the copy is often used to capture backups, the disks used for the copy should be similar to the disks used for the production storage group. Any supported type of storage can be used with LCR, including direct-attached storage, serially attached SCSI, and iSCSI. You can also use volume mount points instead of using drive letters. Using mount points may be a better solution for LCR because you can then just take the disk used for the copy and mount it to the same point as the production storage group after it is removed.

Disk recommendations and restrictions exist for LCR and include the following: � Each storage group can contain only one database. This is a limitation for CCR as well

as SCC. However, it is not really a big limitation since you can have up to 50 storage groups under Exchange Server 2007.

� If you have more than one public folder database in the Exchange organization, you will not be able to use LCR because if you have two or more public folder databases, then the public folders use public folder replication. Replication is always occurring even if they are not configured to replicate.

� Use RAID-0 or create your disk partitions so they are spread over multiple disks. This will increase performance for I/O, which is always something you should consider with Exchange Server 2007. It is also considered a best practice to separate the log files from the database by putting them on separate physical disks. Microsoft recommends you par-tition your disks and your data to improve performance and fault tolerance. To make troubleshooting easier, you should spread out your data so it is located on separate disks as follows:

� The operating system files should be on RAID-1.� The Exchange binaries should be on either RAID-5 or RAID-1.� The database files for the production storage group should be on their own set of disks.� The transaction logs for the production storage group should be on another set of disks.� The database files for the copy should be on another set of disks.� The transaction logs for the copy should also be on another set of disks.

� Size the copy disks so they are approximately the same size as the production storage group disks. Both the production disks and the copy disks should be sized to allow for defragmen-tation and to allow for growth of the databases. Microsoft recommends a maximum database size of 100 gigabytes (GB) for servers running LCR. For other mailbox servers not running LCR, Microsoft recommends a maximum of 200GB for the database.



Memory requirements for Exchange Server 2007 and LCR will need to be increased to handle the additional processing of LCR since both the production storage group and the copy are on the same server. To make sure there is enough RAM to provide for the increased requirements, Microsoft recommends an additional 1GB of RAM for servers running LCR.

CPU requirements for Exchange Server 2007 and LCR will also need to be increased to han-dle the additional processing of LCR. Microsoft recommends increasing CPU by 20 percent over similar systems with similar loads that are not using LCR.

Enabling Local Continuous Replication

There are two main scenarios you could have when implementing LCR:� Existing storage group � New storage group

In each scenario, the account used must have the appropriate Exchange Server 2007 per-missions, and the account must be an Exchange Server administrator as well as a local admin-istrator for the Exchange server that will be enabled for LCR.

Existing Storage Group

You can configure LCR for an existing storage group using the Exchange Management Con-sole or the Exchange Management Shell (PowerShell). In Exercise 10.2, you’ll configure an existing Exchange Server 2007 server with an existing storage group to start using LCR and generate the copy in the location entered using the Exchange Management Console.

E X E R C I S E 1 0 . 2

Using the Exchange Management Console to Configure LCR for an Existing Storage Group

1. Start the Exchange Management Console.

2. Expand Microsoft Exchange � Server Configuration, and select Mailbox.

3. Select the Mailbox server containing the target storage group for LCR.

4. Right-click the target storage group, and select Enable Local Continuous Replication to start the Enable Storage Group Local Continuous Replication Wizard.

5. Click Next on the Introduction page.

6. On the Set Paths page, set the locations for the LCR log files and LCR system files by clicking Browse. Click Next.

7. On the database page, use Browse to set the path for the LCR database file. Click Next.

8. Verify the information on the Configuration Summary on the Enable page. Click Enable.

9. Click Finish to close the wizard upon completion.



In Exercise 10.3, you’ll configure an existing Exchange Server 2007 server with an existing storage group to start using LCR and generate the copy in the location entered by using the Exchange Management Shell.

New Storage Group

You can configure LCR for a new storage group using either the Exchange Management Con-sole or the Exchange Management Shell (PowerShell). In Exercise 10.4, you’ll configure an existing Exchange Server 2007 server to create a new storage group, to configure it for LCR, and to generate the copy in the location entered by using the Exchange Management Console.

E X E R C I S E 1 0 . 3

Using the Exchange Management Shell (PowerShell) to Configure LCR for an Existing Storage Group

1. Configure the database copy: Enable–DatabaseCopy - Identity <Server>\<StorageGroup>\<Database> -CopyEDBFilePath:

<FullPathWithDatabaseFileNameAndExtension>.

2. Configure the storage group copy: Enable-StorageGroupCopy -Identify <Server>\<StorageGroup> -CopyLogFolderPath:<FullPath -

CopySystemFolderPath:<FullPath>.

E X E R C I S E 1 0 . 4

Using the Exchange Management Console to Create a Storage Group and Enable It for LCR



3. Right-click the target server for the new storage group, and select New Storage Group to start the New Storage Group Wizard.

4. On the New Storage Group page, enter the name for the new storage group in the Storage Group Name box.

5. Select the location for the log files and system files using the Browse buttons.

6. Select the Enable Local Continuous Replication for This Storage Group check box.

7. Set the locations for the copy of the log files and system files using the Browse buttons, and click New.

8. Click Finish to close the wizard.



In Exercise 10.5, you’ll configure an existing Exchange Server 2007 server to create a new storage group, to configure it for LCR, and to generate the copy in the location entered by using the Exchange Management Shell.

Disabling Local Continuous Replication

Sometimes it is necessary to disable replication. In some cases, it is necessary for maintenance purposes. In other cases, it is necessary to disable LCR so that the production database can be replaced with the copy. To disable LCR, the account used must have the appropriate Exchange Server 2007 permissions. The account must be an Exchange Server administrator and must be a local administrator for the Exchange server that is currently enabled for LCR.

After disabling LCR, you have to manually delete the files in the copy storage group and all the databases, as shown in Exercise 10.6.

You can also use the Exchange Management Shell (PowerShell) to disable LCR on an Exchange Server 2007 server, as shown in Exercise 10.7. In many cases, using the Exchange Management Shell is preferred once administrators become familiar with it.

E X E R C I S E 1 0 . 5

Using the Exchange Management Shell (PowerShell) to Create aStorage Group and Enable It for LCR

1. Run the following command: New-StorageGroup -server <Server> -name <StorageGroupName> -HasLocalCopy:$true - CopyLogFolderPath

<PathforLCRLogFiles> -CopySystemFolderPath <PathforLCRSystemFiles>.

E X E R C I S E 1 0 . 6

Using the Exchange Management Console to Disable LCR



3. Select the Mailbox server that contains the production storage group you want to disable for LCR.

4. Right-click the target storage group, and then click Disable Local Continuous Replication.

5. Click Yes to confirm.

6. Click OK to acknowledge the Microsoft Exchange warning.

7. Manually delete the LCR storage group and database files.



Seeding a Local Continuous Replication Copy

Seeding is the process of creating a blank database for the copy or making a copy of the pro-duction database and then initiating the copy process to update the seeded database with the live production database. When configuring LCR initially, seeding is not needed. However, seeding is required in the following situations:� When Exchange Server 2007 has discovered corrupted log files that cannot be replayed

into the database copy� When running an offline defragmentation of the production database� When page scrubbing a database on the production database occurs and you want to push

the changes to the copy

The time needed to seed the copy depends on the size of the production database, the available bandwidth, and the overall load on the server. You can seed the copy using any of these methods:� Use Run Update-StorageGroupCopy to make a copy backup of the storage group. After

the copy process is done, it can be moved to the LCR database folder.� Using Running Enable-StorageGroupCopy on the server will seed the copy database by

default. You can use the -SeedingPostponed option to stop the automatic seeding. The Enable-StorageGroupCopy command includes the steps of the Update-StorageGroupCopy command. When the Enable-StorageGroupCopy cmdlet is run on a Mailbox server, it seeds the database by default, unless the -SeedingPostponed option is used.

� The copy database can also be manually copied from the production database by taking the database offline or stopping all Exchange services. Of course, by using this process, the Exchange server will not be able to process messages until the production database is brought back online.

In Exercise 10.8, you’ll use the Exchange Management Shell to suspend the copy process, clean up files in the copy location, seed the copy location, and then restart the replication process.

E X E R C I S E 1 0 . 7

Using the Exchange Management Shell to Disable LCR

1. Run the following command: Disable-StorageGroupCopy -Identity <StorageGroup>.

2. Manually delete the LCR storage group and database files.

E X E R C I S E 1 0 . 8

Seeding the LCR Database Using the Exchange Management Shell

1. Open the Exchange Management Shell.

2. Run Suspend-StorageGroupCopy -Identity:<Server>\<StorageGroupName> -SuspendComment:”Seeding” to suspend replication.



In Exercise 10.9, you’ll use the Exchange Management Console to dismount the copy data-base, suspend replication, delete the copy information, copy the production database to the copy location, and resume replication.

Once the previous exercise is complete, the replication process should start up. Log ship-ping and replay will start automatically.

3. Delete all the database and log files as well as all the checkpoint files from the LCR loca-tion. Delete all *.log, *.jrs, and *.chk files, as well as the .edb file, from the LCR folder.

4. Run Update-StorageGroupCopy -Identity:<Server>\<StorageGroupName> to seed the LCR location. This command will automatically restart replication. Use the -ManualResume parameter to stop the copy from starting automatically.

5. If the replication was not resumed automatically, run Resume-StorageGroupCopy -Identity:<Server>\<StorageGroupName>.

6. After the Update-StorageGroupCopy command is complete and the storage group copy is resumed, verify that replication is working correctly by using the Get-StorageGroupCopyStatus cmdlet.

E X E R C I S E 1 0 . 9

Seeding the LCR Database Using the Exchange Management Console



3. Select the server containing the LCR copy, right-click the storage group containing the LCR copy, and select Dismount Database.

4. Suspend the replication process by right-clicking the storage group containing the LCR copy, selecting Suspend Local Continuous Replication, and then selecting Yes to confirm.

5. Remove the database files, log files, and checkpoint files from the copy, and delete the *.log, *.jrs, and *.chk files, as well as the .edb file, from the LCR database folder.

6. After dismounting the database and deleting the files in the LCR database folder, copy the database file from the production storage group to the copy location.

7. Once the copy process is complete, right-click the database, and select Mount Database.

8. Right-click the copy database and select Resume Local Continuous Replication.




Testing the Health of the Local Continuous Copy Process

A standard practice for general maintenance should be to test the health of the LCR process. After all, if it isn’t keeping up and is taking too long to catch up during peak hours, then it becomes less useful or even useless. In Exercise 10.10, you’ll test the health of LCR.

Getting the same information using the Exchange Management Shell is pretty simple. From the shell, enter the command Get-StorageGroupCopyStatus -Identity <Server>\<StorageGroup>, and then view the resulting information.

They key information for the copy status includes the following:� Summary status� Copy queue length� Replay queue length

It is important to capture this information on a regular basis. Administrators can use this information to establish baselines for times of the day, for weeks, and for months. With solid baseline information, administrators can easily tell whether processes are possibly problem-atic and need additional attention.

Switching to the Copy Database

The whole point of implementing LCR is to mitigate against the failure of the production data-base or the corruption of the database. Once failure of the database has been identified through monitoring or through user reports, it is up to administrators to run a manual process to switch the Exchange server to the copy database and make it the production database.

With quick notification and rapid response, it is possible to recover using the copy database in ten minutes or less.

You can make this change in many ways, as is true for most processes. In this case, there are Exchange Management Shell commands that Microsoft supports but does not neces-sarily recommend. For example, the Restore-StorageGroupCopy command includes a ReplaceLocations parameter. Instead of using this process and changing the location that Exchange uses for the database, Microsoft recommends that the database be changed

E X E R C I S E 1 0 . 1 0

Testing Health of LCR Using Exchange Management Console



3. Select the Mailbox server containing that copy.

4. Right-click the storage group, and select Properties.

5. Click the Local Continuous Replication tab to view the status of LCR.



to the old location by resetting the letter of the drive so that it equals the old production drive letter.

Exercise 10.11 covers the steps required to switch to the copy database and make it the pro-duction database.

The steps to recover from a failed production disk or corrupt database take only a few minutes to run. Since there is no need to copy data, the process is not constrained by the size of the database.

Configuring Single Copy ClusterA single copy cluster is just like the cluster technology used for Exchange Server 2003 server clustering with a few minor exceptions. One big exception is that with Exchange Server 2007 it is possible to have an extremely large number of databases. Exchange Server 2007 allows for 50 storage groups of up to 5 stores per storage group. However, for SCC, storage groups are limited to a single store per storage group, but that still allows for up to 50 separate databases. That is a significant amount of data storage available.

In Exchange Server 2003, it was possible to use server clustering for everything except for the front-end role, which used NLB to provide scalability and high availability. In Exchange Server

E X E R C I S E 1 0 . 1 1

Recovering from Corrupt Database to the Copy

1. Identify the source of the corruption if possible. Some simple things to check include making sure the log and database drives are online. If the log drive is not available at the time of failure, it is possible that data might be lost. If the log files are still available, and they should be if they were properly deployed on a separate disk from the actual data-base, then there should be no loss of data.

2. Dismount the corrupt production database in the production storage group using the Dismount-Database cmdlet in the Exchange Management Shell or using the Dismount option from the context menu for the database in the Exchange Management Console.

3. Use the Exchange Management Shell to activate the copy. An Exchange administrator can run the Restore-StorageGroupCopy -Identity:<Server>\<StorageGroupName> cmdlet. This command will disable LCR for the production storage group.

4. Use the disk management tool or other tools to change the drive letter and possibly the folder structure so that the copy database is in the same logical location as the previous production database.

5. Once everything is properly placed, mount the copy database, and it will now become the production database.


Configuring Single Copy Cluster 507

2007, there are now five roles: Mailbox Server, Client Access, Hub Transport, Unified Messaging, and Edge Transport. The only role that can be used for server clustering in Exchange Server 2007 is the Mailbox role. To install the clustered mailbox environment, you need to have both a Hub Transport role and a Client Access server role in the same site. Exchange now requires more hard-ware for large environments that want to take advantage of high availability.

The basic architecture of an SCC looks like Figure 10.10. In a typical SCC there are two nodes, but there can be as many as eight nodes. In between each node is a private network that handles the heartbeat traffic and a public network used by clients to access the nodes and the virtual server(s) running in the cluster. In the case of Figure 10.10, there is only one virtual server. Client machines connect to the cluster using the virtual server’s name and IP address.

F I G U R E 1 0 . 1 0 SCC overview

One of the big differences between server clustering in Exchange Server 2003 and Exchange Server 2007 is that Exchange Server 2007 no longer supports active/active clustering where there are two virtual servers with one running on each node. In Exchange Server 2007 there must be a passive node whether it is a two-node cluster or whether it is an eight-node cluster.

Meeting Basic Requirements for Single Copy Cluster

The following are the basic requirements for SCC.

Domain

You can install SCC only in a domain that supports Exchange Server 2007. All nodes of SCC must belong to the same Active Directory domain. SCC nodes cannot be members of a workgroup or belong to different domains. Exchange Server 2007 is not supported if the nodes for SCC are domain controllers. The nodes must be member servers.

Node1

Node2

Public Network

Public Network

Hub/Switch

Exchange VS1

Switch

Quorum Store1 Log1



Compatibility

Although you can install Exchange Server 2007 in an Exchange Server 2003 environment, the cluster cannot contain both versions of Exchange, and it cannot contain Exchange 2000. It must solely be Exchange Server 2007. Also, an Exchange Server 2007 cluster cannot contain any version of Microsoft SQL Server.

Exchange Server 2007 requires 64-bit hardware and 64-bit operating system versions. Exchange Server 2003 and Exchange 2000 both use 32-bit hardware and operating systems. It is not possible to mix 32-bit hardware and 64-bit hardware in a cluster.

Software

The SCC cluster must be installed on a 64-bit version of Windows Server 2003 Enterprise or Windows Server 2003 Enterprise R2. The operating system files need to be installed in the same locations. The boot and system files need to be in the same locations on all nodes. The Exchange binaries must be installed on the same locations on all nodes.

Network and Disk

We covered the network requirements and disk requirements for server clustering earlier in this chapter. You must follow the basic requirements for server clustering.

Installing SCC

You can install SCC the command line or the graphical interface. We’ll show both here.In Exercise 10.12, you’ll install SCC on an existing Windows Server 2003 server cluster.

E X E R C I S E 1 0 . 1 2

Installing SCC on Active Node and on Passive Node Computers Using the Exchange Management Shell

1. Log onto the first node of the cluster.

2. Open a command prompt, navigate to the source code for Exchange Server 2007, and run setup /r:mailbox to make sure the Active Directory schema is updated and all the proper Exchange server files for the mailbox role are copied onto the first node.

3. At the command prompt, change to the location of the bin folder on the first node’s hard drive. By default, the location will be <systemdrive>:\Program files\Microsoft\Exchange Server\bin. From this location, run the following (all on one line):

Setup /newcms /CMSname:<NameofClusteredMailboxServer>

/CMSIPAddress:<ClusteredMailboxServerIPAddress>

/CMSSharedStorage /CMSDataPath:<PathToSharedStorageForDatabase>



If Exchange Server 2007 needs to be installed in another location on each node, make sure to specify the location. To change the location, run setup /r:mailbox /targetdir:<filepath>, and make sure the same file path is used on all nodes.

In Exercise 10.13, you’ll install SCC using the setup command and using the graphical setup interface. The process is a little more complex; however, it is important to go through the process to see the individual steps taken when using the GUI.

4. In Cluster Administrator, create the proper physical disks inside the new SCC group or move them from another location if they were previously created.

5. Log onto the second node of the cluster.

6. Open a command prompt, navigate to the source code for Exchange Server 2007, and run setup /r:mailbox to make sure the Active Directory schema is updated and all the proper Exchange server files for the mailbox role are copied onto the second node. If there are multiple nodes, perform the same step on each.

E X E R C I S E 1 0 . 1 3

Installing SCC on Active Node and on Passive Node Computers Using the Exchange Management Console

1. Connect to the installation media, and run setup from a command line to start the Exchange install on the active node of the cluster. During the Exchange setup wizard, click Next on the Introduction page, click Next to accept the license agreement, click Next on the Error Reporting page, select the Custom Exchange Server Installation option, and click Next, as shown here.

E X E R C I S E 1 0 . 1 2 ( c o n t i n u e d )



2. On the Server Role Selection page, select Active Clustered Mailbox Role, select the file installation path, and click Next. The file installation path needs to point to the drive letter of one of the shared disks in the cluster that already exists or that will be created later.

3. Select the Single Copy Cluster option on the Cluster Setting Selection page, and enter the following information for the virtual server for the SCC installation:

� Clustered mailbox server name

� IP address

� Shared storage location for the database files

4. On the Client Settings page, click Yes or No depending on whether your organization will have Outlook 2003 or Entourage clients. Click Next to start the checks and the installation.

5. Click Install once all the checks are completed on the Readiness Checks page, as shown here.

6. The Progress page will show the steps being performed, and once they are completed, click Finish.

7. The next step will be to click Step 5: Get Critical Updates for Microsoft Exchange, which must be run to download any updates. Once all updates are completed, click Close to complete the installation.




It is important that the information in step 3 be correct. It is easy to mistakenly give the information for the default cluster group that was created when the cluster was built. This is not correct. This information must be unique because it will be used for the new virtual server that will be created for the SCC installation.

Installing the passive node will follow the same steps as the active node. Once it is complete, the end result will be two nodes in an SCC. You can see the results of the work in the Cluster Administrator MMC, as shown in Figure 10.11.

8. Create the physical disk resources for the new Exchange cluster group, or move the disks from another location in the Cluster Administrator MMC. Make sure the Affect the Group check box is cleared while setting up the disk resources.

9. Install the passive node using steps 1–7, but in step 2, select the Passive Clustered Mail-box Role during installation, as shown here.




F I G U R E 1 0 . 1 1 Cluster Administrator MMC

The SCC can manage many more users than an Exchange Server 2003 cluster of similar node size. Of course, capacity depends upon the user types, how much data they require, how often they send and receive mail, and the equipment. With increased scalability from increased RAM utilization that leads to increased caching, it is not unusual to see more than 5,000 mail-box users on a single SCC implementation.

After installation, use the Exchange Server 2007 command shell, and use the following com-mand to move the mailbox role from the active node to the passive node: Move-Clustered MailboxServer.

It is possible to use the Cluster Administrator console to perform the move, or handoff as it is called for Exchange Server 2007; however, the Cluster Administrator console is not Exchange 2007 aware. As a best practice, you should always move the mailbox role in as SCC using the command shell.

Configuring Cluster Continuous ReplicationMany organizations in the past tended to shy away from server clustering for a few reasons. A single point of failure concern around the SAN environment and the disks provided by the SAN, which include the quorum and the cluster disks used for database and transaction log storage, is one major concern. Another major concern is related to geographically dispersed clustering, also called geoclustering.

CCR is capable of providing high availability in a single data center or in two datacenters by using geographically dispersed clustering. In either case, CCR provides a solution with the following attributes:� Has no single point of failure. With majority node set quorum and the replication capa-

bility provided in Exchange Server 2007, the cluster has no single point of failure.� Has no special hardware requirements for a complete solution like in the Windows Server

Catalog. Each node should be similar in capability and must have the same general disk


Configuring Cluster Continuous Replication 513

structures, but there is no requirement to use the clustering solutions or geographically dispersed clustering solutions from the Windows Server Catalog. Each piece of hardware should still be purchased from the hardware compatibility list, though.

� Has no special disk infrastructure requirements such as a SAN or multiple SANs with rep-lication capabilities. The biggest change is that with log shipping capabilities CCR does not require a SAN to provide shared disks and doesn’t need multiple SANs for a geocluster.

� Can be used to reduce backup times, the load on production during backup times, and the recovery time to return to full production. The copy location, the passive node, can be used to perform backups. This takes the load off of the production environment and increases the performance of backups. Volume shadow copy (VSS) backups are supported for the passive node, but streaming backups will not work.

Many organizations that depend on email want the capability of having clusters that span distance locations so in the event of the loss of a datacenter, it is still possible for email users to access their email and continue doing business. To make a geocluster work, both sites must have purchased an approved solution from the Windows Server Catalog, and those solutions are extremely expensive because they involve multiple SANs and software to manage the SANs for replication and for locking.

Figure 10.12 best illustrates the challenges. In this figure, there are two sites with one node for the cluster in each site. Geoclustering has a few issues that make the implementation a challenge:� The quorum disks must remain replicated over the sites.� The quorum disks must maintain locks so that only the active node is able to access its

quorum disks.� The data disks must remain replicated over the sites.� The data disks must maintain locks so that only the active node is able to access its data disks.� The network latency must be less than 500 milliseconds round-trip.� The public network for all nodes must be in the same network segment, and doing this

over remote locations requires using virtual local area networks (VLANs).

� The private network for all nodes must be in the same network segment, and doing this over remote locations requires using VLANs.

Configuring Majority Node Set

Microsoft implemented majority node set (MNS) quorums to address the first two issues. Instead of selecting a shared physical disk to host the quorum, it is possible to select the MNS option to create a server cluster. From the perspective of Windows, MNS looks just like a single quorum disk, but the quorum data is actually stored on multiple disks across the cluster. MNS is designed and built so it ensures that the cluster data stored remains consistent across the dif-ferent disks. Since MNS can use locally attached disks, nodes do not require expensive shared disks to maintain clustering information in the quorum. Locally attached disks can be internal to the node or external and directly attached. There is no requirement for a SAN fabric or arbi-trated loop.



F I G U R E 1 0 . 1 2 Geographically dispersed cluster

MNS has several limitations, including the following:� Covers only quorum. One of the biggest concerns with MNS is that although it provides

a nice geographically dispersed method to handle the quorum, it doesn’t provide anything for data that would normally be shared by nodes.

� Requires a minimum of three nodes or two nodes and a file share witness (FSW).

� Uses file sharing technology, which in turn uses server messenger blocks.

The limitations of MNS are minor compared to the new capabilities it brings to clustering and Exchange Server 2007 CCR in particular.

Building a cluster using MNS is similar to building a standard cluster with a shared disk quorum. To properly install CCR, the cluster must first be configured using an MNS quorum. After the cluster is established using the first node, the second node must be installed, and then the cluster will be ready to install CCR for Exchange Server 2007.

Exercise 10.14 shows how to install a two-node MNS cluster.

E X E R C I S E 1 0 . 1 4

Installing a Two-Node MNS Cluster

1. Open the Cluster Administrator MMC, and then click File � New � Cluster. Click Next to start the New Cluster Wizard.

2. Enter the domain name and the cluster name. Click Next.

Node1

SAN

Quorum

Data

Node2

SAN

Quorum

Data

Replication

Replication



Once the MNS cluster is built and configured, then it is possible to install CCR with Exchange Server 2007. However, at this point, if there is a node failure, MNS will not be able to provide for Majority, so the cluster service will fail. After all, one out of two is not greater than 50 percent. This is where the FSW comes in.

File Share Witness

To allow for the failure of a node in a MNS quorum, there must be enough surviving nodes to constitute more than one half of the number of original nodes. In a two-node MNS imple-mentation, there is no room for failure. In the past, another node had to be installed to provide

3. Enter the name of the first node, or use the Browse button to select the name. Click Next.

4. The Analyzing Configuration step will take place. Since there are no shared disks, there will be a couple of warnings stating that a suitable quorum device could not be found and that a local quorum will be created.

5. Enter the IP address, and click Next.

6. Enter the cluster service account information, and click Next.

7. On the Proposed Cluster Configuration page, click the Quorum button, select Majority Node Set from the drop-down box, and click OK. Click Next.

8. Once the tasks are completed on the Creating the Cluster page, click Next.

9. Click Finish on the last page of the wizard to complete the installation of the cluster with the first node.

10. In the Cluster Administrator, expand the group, and then select the default cluster group to show the resources.

11. Right-click Cluster Group, and select New � Node to open the Add Nodes Wizard. Click Next.

12. Enter the name of the second node in the Select Computers page, click Add to select the node, and then click Next.

13. Once the Analyzing Configuration process completes, click Next.

14. Enter the password for the Cluster Service account, and click Next.

15. Click Next on the Proposed Cluster Configuration page.

16. Click Next once the Adding Nodes to the Cluster process is complete.

17. Click Finish to close the Add Nodes Wizard and complete the process.




at least three production nodes. However, since the MNS quorum really is nothing more than a file share, somebody had the bright idea to actually use a file share to provide the third piece of the MNS so that there could be a failure of one of the three and the cluster would still con-tinue running.

The file share witness, as defined in KB 921181, requires a hotfix to be installed on both cluster nodes if running Service Pack 1. The hotfix is included in Service Pack 2. Microsoft rec-ommends using a Hub Transport server for the FSW, but any number of servers will work just fine as long as they are running the server service. Microsoft also recommends that the FSW be in a different site than either of the two CCR nodes if implementing geoclustering.

Exercise 10.15 shows how to implement FSW.

Introducing CCR

In a basic CCR implementation, two nodes are used along with a file share witness. With two nodes and the file share witness, then you can use MNS to provide a redundant quorum for the cluster. One of the drawbacks of MNS is that it does not address the data requirements for a cluster. Using CCR, which has its own replication capability for Exchange mailbox data, removes any issues of clustering with MNS. In a CCR implementation, such as the one shown in Figure 10.13, there is no requirement for a SAN environment to provide shared disk access. In CCR, the active node uses its own local disks to provide Exchange mailbox services, and it uses replication in the form of log shipping to send updated transactions from the active server to the passive server. The passive server then receives the logs and replays them into its data-base. The process is pretty much like LCR, but now the copy is being sent to another server in a cluster.

The replication process is asynchronous. This means it is possible that the failure of the pro-duction environment could result in loss of messages. This potential for lost messages led to another technology to overcome any lost message. The transport dumpster is a feature of the Hub Transport service.

E X E R C I S E 1 0 . 1 5

Implementing File Share Witness

1. Download and install the hotfix from the link in MS KB 921181 and run it on both nodes if running Service Pack 1; skip this step if running Service Pack 2. Once it is completed, restart the node.

2. Create a share on the server to be used for the FSW. The share should be named some-thing along the lines of FSW-CCRClusterName. The share should be configured for Everyone with Full Control.

3. From one of the nodes, it does not matter which one is used, run Cluster.exe res “Majority Node Set” /priv MNSFileShare=\\FSWServerName\FSW-CCRClusterName, and press Enter. The resource name for the MNS might be different. Refer to the Cluster Administrator MMC to see what the resource is named.



F I G U R E 1 0 . 1 3 CCR

Transport Dumpster

Since all messages must be handled by the Hub Transport role so that messages can be scanned properly to meet corporate hygiene requirements and so that all transport rules are applied evenly throughout the Exchange organization, this seems like a logical place to do some message caching. The transport dumpster is a required component for CCR implementations. The queue size in the Hub Transport role is controlled by time/space limitations that the Exchange admin-istrator can set. When a failover is experienced in CCR, the surviving clustered mailbox server automatically requests every Hub Transport server in the Active Directory site to resubmit mail from the transport dumpster cache/queue. As the messages are received by the mailbox server, the information store deletes any duplicates and redelivers only the mail that was lost.

The transport dumpster is used only for CCR implementations. It is not used in LCR or in SCC because neither of these implementations use asynchronous replication. CCR is the only technol-ogy that is susceptible to lost messages without the transport dumpster functionality. The transport dumpster is configured to be used automatically in CCR implementations, and its default settings are a MaxDumpsterSizePerStorageGroup setting of 18MB and a MaxDumpsterTime setting of seven days. These settings are usually sufficient for the vast majority of organizations, but you can modify them.

Microsoft recommends that you set the default size limit to 1.5 times the maximum mes-sage size. For example, if your organization sets a limit on message size at 5MB, then you should set the transport dumpster to a maximum of 7.5MB. Exercise 10.16 shows how to identify the current settings.

E X E R C I S E 1 0 . 1 6

Identifying Current Transport Dumpster Settings


2. Run Get-Transportconfig.

FSW Node1 Node2

Hub/Switch

Switch

Quorum Store Log

Quorum Store Log

Replicate



Exercise 10.17 shows how to set the transport dumpster configuration using the Exchange Management Shell.

The size should be listed as number of megabytes, as in 20MB. The duration should be listed as days.hours:minutes:seconds, with days being a two-digit number, such as 07.00:00:00.

Other Issues and Limitations of CCR

CCR is a new technology; however, it has been well tested, and several issues were discovered during the testing and development periods. It is important to note that there are several lim-itations when deploying CCR:� Just like in LCR, there can be only a single database in each storage group so that there

is a direct mapping from the database to the transaction logs for the database. However, since Exchange Server 2007 is now capable of handling 50 storage groups, the limitations are not drastic.

� There are several limitations of public folders in a CCR implementation because of con-flicts between CCR replication and standard public folder replication:

� If there is only one mailbox server (the CCR cluster), then it can host a public folder store because public folder replication is disabled.

� If there are multiple mailbox servers and only one hosts a public folder store (the CCR cluster), then it can host it because public folder replication is disabled.

� If there are multiple mailbox servers and there are multiple public folder stores, then no public folders can be hosted on the CCR cluster.

� Mailbox server names are limited to 15 characters or less to provide down-level support for email clients.

� CCR cannot be hosted in the same cluster as Exchange Server 2003, Exchange 2000, or any version of SQL Server.

� CCR nodes are not supported on nodes that are also domain controllers or global cat-alog servers.

� The same version of Exchange Server 2007 must be installed on all nodes, and all nodes must use the same drives and paths for the Exchange binary files, the databases, and the transaction logs.

E X E R C I S E 1 0 . 1 7

Setting Transport Dumpster Settings


2. Run Set-transportconfig -MaxDumpsterSizePerStorageGroup <size> -MaxDumpsterTime <time>.



� The performance of the network will be important when configuring the disk structures. Microsoft recommends using Gigabit Ethernet for connections between nodes. However, this is not always possible, especially when configuring CCR for geoclustering. The net-work speed is extremely important if there is a failure of the production server such that its drive must be replaced. In this case, the new production server must reseed the new pas-sive server. The faster the network, the faster the reseeding process.

Installing CCR Cluster

Now that the biggest steps have been completed, installing the cluster service using MNS and configuring the FSW, it is time to actually create the CCR cluster.

Exercise 10.18 will walk through the steps to configure the CCR cluster.

E X E R C I S E 1 0 . 1 8

Installing a CCR Cluster

1. Install the preliminary components: .NET Framework 2.0 or higher, Microsoft Manage-ment Console (MMC) 3.0, and Microsoft Windows PowerShell.

2. Connect to the installation media, and run setup from a command line to start the Exchange install on the active node of the cluster. During the Exchange setup wizard, click Next on the Introduction page, click Next to accept the License Agreement, click Next on the Error Reporting page, select the Custom Exchange Server Installation option, and then click Next, as shown here.



3. On the Server Role Selection page, select Active Clustered Mailbox Role, select the file installation path, and click Next. The file installation path needs to point to the drive letter and path for where the Exchange binaries will be installed.

4. On the Cluster Settings page, select the Continuous Copy Replication option, and enter the following information for the virtual server for the CCR installation:

� Clustered mailbox server name

� IP address

� Storage location for the database files, which will be a local hard drive

5. On the Client Settings page, click Yes or No depending on whether the organization will have Outlook 2003 or Entourage clients. Click Next to start the checks and the installation.

6. Click Install once all the checks are completed on the Readiness Checks page, as shown here.

7. The Progress page will show the steps being performed, and once they are completed, click Finish.

8. The next step will be to click Step 5: Get Critical Updates for Microsoft Exchange, which must be run to download any updates. Once all updates are completed, click Close to complete the installation.




Exchange Server 2007 does not support placing the databases or the transac-tion logs at the root of a drive. A directory must be created to hold these files.

Dealing with CCR Outages

There are basically two types of outages regarding CCR, and the behaviors are a bit different for each type of outage. The two main types of outages are scheduled and unscheduled.

Scheduled Outage

The architecture of CCR allows for extended scheduled outages of a specific node without an extended outage of the clustered mailbox server. Because one node can be offline, the other node is capable of providing mailbox services while the offline node is repaired or undergoes ordinary maintenance. Scheduled outages make sure that all log data on the active node is successfully copied to the passive node before the active node is allowed to take itself offline. Scheduled out-ages should never result in the loss of data even though the replication is asynchronous.

9. Install the passive node using steps 1–7, but in step 2, select the Passive Clustered Mail-box Role during installation, as shown here.




In a two-node CCR solution, only one node can be taken offline at a time. A second node being taken offline or failing will cause the mailbox services provided by the cluster to stop, and clients will no longer be able to access their email. With the redundancy built into MNS with the file share witness, either the file share witness or the passive node can be taken offline for main-tenance, updates, and repairs without the entire cluster failing. Of the two nodes and the file share witness, only one can be down at a time for maintenance. If two of the three are brought down, then the entire cluster will fail. It is a best practice to check moving the clustered mailbox to the passive node before doing maintenance on the active node. It is easy to identify the active node using the Cluster Administrator MMC. It is also easy to check using the Exchange Man-agement Shell by running the Get-ClusteredMailboxServerStatus cmdlet.

The standard process of shutting down a Windows server node in a CCR clus-ter does not automatically handle moving the clustered mailbox from an active CCR mailbox node to the passive node. It is important to manually move the clustered mailbox before shutting down the active server node.

Setting AutoDatabaseMountDial

Microsoft has implemented controls to handle the behavior in the case of an active mailbox server failing. CCR has an attribute that can be used to control unscheduled failures. The attribute, AutoDatabaseMountDial, has three possible values: � Lossless: When set to Lossless, the passive node waits for the failed node to come back

online before its databases are mounted. In this mode, it is vital that there is no loss of messages. For the process to succeed, the failed node must come back online with all logs available. When the unscheduled outage occurs, the passive node becomes the active node, and the Information Store is brought online using standard clustering technologies. The new active node then checks to see whether all the databases can be mounted without any lost data. If it is possible to mount the databases without any lost data, then the infor-mation store will mount the databases and make sure the clustered mailbox is available to clients. If the databases cannot be mounted without lost data, then the active node of the CCR cluster will look to the other node and try to copy logs from it to bring itself fully up-to-date. If the failed server comes back online with all its logs available, then this pro-cess will eventually update the active node. If the failed node comes back online and its logs are not available, then the database will not mount. In this environment, it is possible for the Exchange administrator to manually mount the databases.

� Good Availability: When set to Good Availability, the cluster provides fully automatic recovery if replication is working properly and the logs are replicating as fast as they are being created.

� Best Availability: Best Availability is the default setting. It allows automatic recovery even if replication has some latency. In this case, in a failure, the new active node might be slightly behind the state of the old active node after the failover and some loss experienced.



The Move-ClusteredMailboxServer cmdlet checks and verifies the health of the passive node to make sure it has a good copy of the database and it is relatively current. If, for some reason, the passive node is missing a significant amount of data, the time for the move is increased to allow the rest of the replication that is out of sync to catch up.

Scheduled moves are sometimes used to force the update of the passive copy and to move to the passive copy to perform maintenance on a cor-rupted database.

The Move-ClusteredMailboxServer cmdlet prompts the Exchange administrator for information regarding the move. This information is then copied to the event logs. The cmdlet requires the Exchange administrator to specify the server node for the new location. This step is used to prevent the clustered mailbox from being moved when it is already running in the correct location.

Do not use cluster.exe or the Cluster Administrator MMC to move Exchange Server 2007 clustered mailboxes. These tools can cause serious problems with replication.

Restoring Replication Activity After a Scheduled Outage

Once the scheduled outage is complete, moving the clustered mailbox to its original location is often part of the testing of the changes made. After making all the changes and performing the scheduled maintenance, the node should be restarted. There are two scenarios:� Successful outage: The Scheduled outage was completely successful, no problems were

found during the move of the clustered mailboxes, and the database came online and mounted without any problems. In this situation, both nodes had consistent storage groups and databases. Once the outage is complete, and the old passive node has become active, then it will begin replicating to the old active node, which is now passive. Once rep-lication is caught up, then the clustered mailbox can be moved to its original location, and maintenance can be performed on the other node if necessary.

� Partially successful outage: In this case, the scheduled outage was not completely success-ful. It is possible that there was database corruption prior to the outage. The outage could not verify that all logs on the source were made available to the target before mounting the database. CCR can automatically recover from some inconsistencies. Replication will start and process any available logs. If replication cannot recover automatically, the copy is marked as broken and creates an event in the event log identifying the issue. If the data-base can be used, then reseeding might be required.

Unscheduled Outage

Unscheduled outages happen because of failures of the dependent services or the resources. CCR minimizes failures based on items that are not likely to be real issues that would normally



have caused a failover in Exchange Server 2003 server clustering. CCR focuses its automatic recovery on situations where there is a high degree of confidence that the clustered mailbox would experience improved performance and reliability. In an unscheduled outage, the clus-tered mailbox is moved to the passive node, and the database is mounted. After mounting, the clustered mailbox becomes the active databases, and all updates and new information are pro-cessed. The formerly active node becomes the passive node, and all updates are sent to the new passive node and read into its database.

Since CCR uses asynchronous replication, unscheduled outages result in some data loss. The lost data will include, at a minimum, the active logs being written to by the active server. To address this lost information, CCR controls the failover behavior and provides the ability to recapture the transactions that would be most likely lost. The process evaluates whether database on the passive node will be mounted and used. The options include the following:� Lossless: When set to Lossless, the passive node waits for the failed node to come back

online before its databases are mounted. In this mode, it is vital that there is no loss of messages. For the process to succeed, the failed node must come back online with all logs available. When the unscheduled outage occurs, the passive node becomes the active node, and the Information Store is brought online using standard clustering technologies. The new active node then checks to see whether all the databases can be mounted without any lost data. If it is possible to mount the databases without any lost data, then the infor-mation store will mount the databases and make sure the clustered mailbox is available to clients. If the databases cannot be mounted without lost data, then the active node of the CCR cluster will look to the other node and try to copy logs from it to bring itself fully up-to-date. If the failed server comes back online with all of its logs available, then this process will eventually update the active node. If the failed node comes back online and its logs are not available, then the database will not mount. In this environment, it is pos-sible for the Exchange administrator to manually mount the databases.

� Good Availability: When set to Good Availability, the cluster provides fully automatic recovery if replication is working properly and the logs are replicating as fast as they are being created.

� Best Availability: Best Availability is the default setting. It allows automatic recovery even if replication has some latency. In this case, in a failure, the new active node might be slightly behind the state of the old active node after the failover and some loss experienced.

The default configuration is Good Availability. When set to Good Availability, the node will mount all databases that are synchronized. In most cases, Good Availability will bring a database online if, during the time it took to generate a new log, the last generated log was rep-licated. This means Good Availability will mount the database if changes are being applied as fast as they are being generated on the production server before the failure. Best Availability allows for more variation in the inconsistency between the two copies. Lossless guarantees the copy is not brought online unless it can be confirmed that there will be no data loss. If Lossless is used, automatic recovery will occur only when the original server is operational again and all log data is available and not corrupted.


Exam Essentials 525

The Lossless setting can result in long outages. In some cases, it does not make sense to use Lossless because the downtime will cause major impacts on organizational production. After all, why would an organization use high-availability platforms but still allow for long outages?

As in the scheduled outage, if the databases are not automatically mounted in a failover, an Exchange administrator can still manually mount the databases. The administrator must check the state of the copy and then issue two commands.

SummaryExchange Server 2007 has taken some great strides toward filling in some of the holes that pre-vious versions of Exchange did not address for high availability. In particular, several different levels of high availability are provided for in Exchange Server 2007, including local continu-ous replication to cluster continuous replication.

Local continuous replication provides the protection from database corruption that admin-istrators have been looking for since the release of Exchange. Previous high-availability solu-tions did not address the concern of administrators when it came to database corruption. Now, it is fairly inexpensive to protect an organization against database corruption or against a complete drive failure of the messaging database.

Single copy clustering is a fine solution and meets most organizations’ needs of high avail-ability. However, like the legacy server cluster solution for Exchange Server 2003, this solution also has problems related to the corruption of the database and the clustered disk architecture providing single points of failure for the solution. SCC provides for clusters from two to eight nodes with up to seven virtual servers hosting clustered mailboxes.

Cluster continuous replication clustering is a definite step in the right direction. With CCR, there are no longer single points of failure around the disk architecture like those found in a typical server clustering configuration. Combining the file share witness with the capabilities of the transport dumpster, CCR is a fairly inexpensive and extremely trustworthy solution.

Exchange Server 2007 has definitely taken some large steps forward in helping to keep messaging up and running so it is available for users around the clock.

Exam EssentialsUnderstand the differences between LCR, SCC, and CCR. While all these are considered high-availability components when talking about Exchange Server 2007, each one fits a par-ticular need.



Know how to implement LCR, SCC, and CCR. Knowing how to install these components is only part of the process. It is also important to understand how to recover from a failure in each situation. You should also understand how server clustering works in general with Win-dows Server 2003 Enterprise Edition. There are many changes to clustering in Windows Server 2008, but it has not yet been released.

Know which roles can be used in LCR, SCC, and CCR. It is important to understand how the different roles are supported or not supported when it comes to high availability.



Review Questions1. You are planning to upgrade your current Exchange Server 2003 organization to Exchange

Server 2007. Your company uses public folders extensively and is not ready to move them into Microsoft Office SharePoint Server (MOSS) just yet. What are your options regarding creating a CCR cluster of mailbox servers in Exchange Server 2007? (Choose all that apply; each answer presents a complete solution.)

A. Create one or more Exchange Server 2007 mailbox servers that house public folders only, without any mailbox databases. Create a CCR cluster with additional Exchange Server 2007 mailbox servers that have only mailbox databases.

B. Leave the public folders on Exchange Server 2003 servers. Create a CCR cluster with addi-tional Exchange Server 2007 mailbox servers that have only mailbox databases.

C. Move all public folders to an Exchange Server 2007 mailbox server, configuring no replicas for the public folders. Create a CCR cluster that includes this server.

D. Move all public folders to an Exchange Server 2007 mailbox server, configuring multiple replicas for the public folders. Create a CCR cluster with additional Exchange Server 2007 mailbox servers that have only mailbox databases.

2. You moved your file server from its switch to another switch that also hosts network load bal-anced web servers. Users report that the file server is extremely slow. What should you do?

A. Move the file server to another switch.

B. Add another NIC to the file server, and implement network teaming.

C. Create a special VLAN for all file server clients.

D. Defragment the hard drives on the file server.

3. Your company has had problems with Exchange databases becoming corrupted. In each case, the lost data has caused management to become very upset. What technology should you implement to mitigate against corruption of mailbox data?

A. Single copy clustering

B. Local continuous replication

C. Network load balancing

D. RAID-5 drives for databases



4. Your company has two identical servers. You have installed Windows Server 2003 Enterprise Edition on the first one and installed Exchange Server 2007 on it as well. You install Windows Server 2003 Enterprise on the second server, but you are unable to configure single copy clus-tering. What should you do?

A. Select the Custom installation method on the second node, select the Passive Cluster Mail-box Role, select Single Copy Cluster, and run the installation to completion.

B. Rerun the Exchange install on top of the existing server, select the role for Active Cluster Mailbox, install the second node, select the Passive Cluster Mailbox Role, then select Single Copy Cluster, and run the installation to completion.

C. Uninstall all roles other than the mailbox role on the first computer, then rerun the installation, select the role for Active Cluster Mailbox, then install the second node, select the Passive Clus-ter Mailbox Role, select Single Copy Cluster, and run the installation to completion.

D. Reformat and rebuild the first server so that it has just the operating system on it, configure clustering, and then install Exchange Server 2007 using SCC.

5. You need to provide high availability for an Edge Server. What technology should you use?

A. Network load balancing

B. Local continuous replication

C. DNS round-robin

D. Single copy clustering

6. You intend to configure two server nodes into a single copy cluster for Exchange Server 2007. Which of the following are required? (Choose all that apply.)

A. A minimum of two network adapters

B. A minimum of two identical nodes

C. Windows Server 2003 Enterprise for both nodes

D. Shared disk architecture such as a storage area network

7. You are configuring the network for a two-node continuous copy replication cluster. You con-figure the public network for Node1 with 192.168.2.20/24, and you configure the public net-work for Node2 with 192.168.3.35/24 in a remote site. You configure the private network for Node1 with 10.10.10.1/24 and the private network for Node2 with 10.10.10.2/24. When you try to create the cluster, you are unable to make it work. What should you do to make it work properly? (Choose all that apply.)

A. Put the two public adapters in the same network segment.

B. Configure the public network with a VLAN.

C. Configure the private network with a VLAN.

D. Implement a shared disk quorum using the letter Q.



8. You need to patch the current single copy cluster that you have running. What should you do?

A. Apply the patch to the active node, and restart the active node. Then apply the patch to the other node, and restart it.

B. Apply the patch to both nodes, and restart them at the same time.

C. Apply the patch to both nodes, and restart them by restarting the active node first and waiting for it to fully restart before restarting the other node.

D. Patch the passive node, use the PowerShell command to move the clustered mailbox, then patch the other node, and use the PowerShell command to move the clustered mailbox to its original location.

9. You need to move the clustered mailbox from Node1 to Node2 for maintenance. What should you do?

A. Use the Cluster Administrator MMC, right-click the clustered mailbox cluster group, and select Move.

B. Use the Cluster Administrator MMC, right-click the clustered mailbox cluster group, and select Take Offline.

C. Use PowerShell, and run Move-Clustered MailboxServer.

D. Use cluster.exe, and run Cluster Group <groupname> /Move.

10. You are designing a two-node single copy cluster for Exchange Server 2007. How many IP addresses do you need for the public network?

A. 2

B. 3

C. 4

D. 5

11. You are configuring a Windows Server 2003 cluster for Exchange Server 2007 CCR. You must create a service account for the cluster service. Which of the following should you do? (Choose all that apply.)

A. Create a standard domain user account.

B. Make the account a local administrator on all cluster nodes.

C. Configure the account so it can log onto the cluster nodes only.

D. Let the cluster installation set the rest of the rights during configuration.

12. You have configured your cluster, but you find that there is not enough bandwidth between the cluster nodes and the storage area network. What should you do? (Choose all that apply.)

A. Add another HBA to each server node, and use multipathing software.

B. Add another network adapter to each server node, and implement load balanced network adapter teaming.

C. Add another HBA to the SAN device itself, and configure multipathing.

D. Implement RAID-1+0 instead of RAID-5 for databases.



13. What are the different control levels that can be implemented in Exchange Server 2007 for CCR to manage potential data loss during a failover?

A. Lossless

B. Good Availability

C. Best Availability

D. Fast Failover

14. Under which situations can you install public folders on a clustered mailbox?



� If there are multiple mailbox servers and multiple public folder stores, then no public folders can be hosted on the CCR cluster.

A. If there is only one mailbox server (the CCR cluster)

B. If there are multiple mailbox servers and only one hosts a public folder store (the CCR cluster)

C. If there are multiple mailbox servers and there are multiple public folder stores

D. If there is one mailbox servers other than the CCR cluster

15. Which of the following properties can be configured with a public store system policy? (Choose all that apply.)

A. The public folder tree associated with the store

B. Support for S/MIME signatures

C. The database associated with a store

D. Storage limits

E. Replication intervals

16. The file share witness hotfix needs to be run where? (Choose all that apply.)

A. Active node of the cluster

B. Passive node of the cluster

C. On the server to host the file share witness

D. On the domain controller

17. You have just run the command in PowerShell to view the status of LCR. Which of the fol-lowing are available to view? (Choose all that apply.)

A. Data copied in last hour

B. Summary status

C. Copy queue length

D. Replay queue length



18. You have implemented network load balancing for your Edge Transport servers in the perimeter network. You need to limit the port flooding so it does not impact other servers. What should you do?

A. Configure a VLAN on a switch, and put all the NLB cluster nodes in that VLAN only.

B. Set up a hub and connect all NLB cluster nodes to the hub, and then connect the hub to the switch environment.

C. Implement port mirroring on the switch device.

D. Manually change the MAC addresses on the NLB cluster nodes.

19. What address range is usually used for multicasting?

A. Class A, from 1 to 126

B. Class B, from 128 to 191

C. Class C, from 192 to 223

D. Class D, from 224 to 239

20. What is the best practice configuration for network load balancing?

A. One network adapter and multicast

B. Two network adapters and multicast

C. One network adapter and unicast

D. Two network adapters and unicast



Answers to Review Questions1. A, B, C. There are several limitations related to public folders in a CCR implementation

because of conflicts between CCR replication and standard public folder replication, including the following:



� If there are multiple mailbox servers and multiple public folder stores, then no public folders can be hosted on the CCR cluster.

2. A. NLB clusters cause port flooding that can cause other devices on the same switch as NLB nodes to degrade in performance as they try to process all the packets sent to them.

3. B. Local continuous replication (LCR) copies the database to another physical disk using log shipping. Since it is not using block-level replication, the corruption itself should never be cop-ied to the LCR location.

4. D. You cannot install an application in a cluster until clustering has been installed first.

5. A. Network load balancing or DNS round-robin will work for Edge Transport. However, DNS round-robin does not provide high availability.

6. A, B, C, D. All of the options are required for a single copy cluster.

7. A, B, C. A requirement for all Windows Server 2003 clusters is that all public network con-nections be in the same network segment, and the only way to get that to work is to use VLANs. The same is true of the private network.

8. D. It is always a best practice to patch the passive node first; that way, if for some reason the clustered mailbox does not start up properly on the patched node, it can be restarted in its orig-inal location until troubleshooting reveals the problem.

9. C. When permissions are not specifically configured for a user or group on an object, they will be inherited from the parent object.

10. C. You need a minimum of four IP addresses for the public network. You need one for each server node for a total of two. You also need one for the cluster itself, and then you need one more during the setup of Exchange Server 2007 for clustering. That’s a total of four.

11. A, B, C, D. All the options are considered to be best practices for configuring the cluster service account.

12. A, C. The only way to increase bandwidth to the disk structure is to add more paths and con-figure multipathing.

13. A, B, C. Lossless, Good Availability, and Best Availability are the three levels for controlling potential data loss during a failover of a CCR cluster.



14. A, B, C. The clustered mailbox can host a public folder only in situations where public folder replication is not run.

15. B, D, E. The General, Database, Replication, Limits, and Full-Text Indexing pages of a public store are available for configuration, but not all the properties on those pages are available. You cannot configure a public folder tree or the database associated with a store because these are parameters that apply only to a specific store and cannot be applied to multiple stores using a policy.

16. A, B. The hotfix is run on all nodes of the cluster, but it is not run on the server hosting the file share witness.

17. B, C, D. Get-StorageGroupCopyStatus retrieves the summary status, copy queue length, and replay queue length.

18. A, B, C. Manually changing the MAC address would actually break NLB. It also is not an option through the GUI; you would have to do it through the netsh command.

19. D. Usually, multicasting is done using the address ranges found in Class D.

20. D. The best practice for NLB is to use two NICs, one for the NLB network and the other for a management network, and to configure the NLB network for unicast.


red gate exchange e book

Business

informationserious skills